PRIVACY POLICY
Effective Date: May 25, 2026
Current Version: https://dpfoffservice.com/legal/confidential
Applicable to: Business clients, authorized representatives, and commercial contacts of TENCAR sp. z o.o.
1. INTRODUCTION & SCOPE
This Privacy Policy ("Policy") governs the collection, processing, storage, and transfer of personal data in connection with the B2B digital file processing services provided by TENCAR sp. z o.o. via https://dpfoffservice.com (the "Service"). This Policy is an integral part of the Terms & Conditions for Business Services (Distance Agreement) and applies exclusively to business-to-business transactions, professional commercial users, and authorized representatives of commercial entities. It does not apply to private consumers or retail end-users.
By registering, uploading data, confirming payment, or using the Service, you acknowledge that you have read, understood, and accepted this Policy.
2. DATA CONTROLLER
Controller: TENCAR sp. z o.o.
Registered Address: ul. Straganińska 20-22/35, 80-837 Gdańsk, Poland
Legal Registration: KRS 0001139253 | NIP 5833524161 | REGON 540221770
Email for Data Protection Inquiries: privacy@dpfoffservice.com
Regulatory Authority: President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych – UODO), Poland.
3. CATEGORIES OF PERSONAL DATA PROCESSED
TENCAR processes only the personal data strictly necessary for B2B service provision, commercial verification, and statutory compliance. Categories include:
Identity & Contact Data: Full name, professional title, corporate email, telephone number, company name, registered address.
Business & Tax Identifiers: VAT/NIP/REGON/ABN, EU VIES validation results, national business registry data, tax status, and commercial declaration submissions.
Account & Authentication Data: Login credentials, session tokens, IP addresses, browser/device fingerprints, MFA/2FA logs.
Technical & File Metadata: ECU file identifiers (size, format, hash/checksum, processing timestamps), upload/download logs, API response data, and server request logs.
Financial & Invoicing Data: Invoice numbers, billing addresses, payment authorization references, VAT validation responses, and transaction records (processed exclusively via PCI-DSS compliant payment gateways; no card data is stored locally).
Verification & Compliance Data: Automated business registry API responses, anti-fraud checks, contractual declarations, and audit trails required for commercial verification.
Note: Raw automotive ECU files/dumps are typically non-personal technical data. However, associated account metadata, processing logs, and verification data are classified as personal data under GDPR.
4. PURPOSES & LAWFUL BASIS FOR PROCESSING
Processing is conducted exclusively for the following purposes, in compliance with the GDPR:
| Purpose | Lawful Basis (GDPR) |
|---|---|
| Account registration, B2B verification, and commercial status validation | Art. 6(1)(c) – Legal obligation; Art. 6(1)(b) – Contract performance |
| Automated file processing, analysis, and result delivery | Art. 6(1)(b) – Contract performance |
| Invoice generation, tax compliance, and VAT validation | Art. 6(1)(c) – Legal obligation (fiscal/accounting law) |
| Payment processing & fraud prevention | Art. 6(1)(b) & Art. 6(1)(f) – Contract & legitimate interest |
| IT security, infrastructure monitoring, and access control | Art. 6(1)(f) – Legitimate interest |
| Statistical analysis, service optimization, and reporting (anonymized) | Art. 6(1)(f) – Legitimate interest |
| Regulatory reporting, legal claims, and compliance audits | Art. 6(1)(c) & Art. 6(1)(e) – Legal obligation & public interest |
TENCAR does not use personal data for targeted advertising, consumer profiling, or commercial marketing.
5. DATA RETENTION PERIODS
Data is retained only as long as necessary for the stated purposes or required by law:
Unpaid Processing Results & Temporary Session Data: Automatically and permanently deleted after 7 calendar days from processing completion.
Paid Order Data & Invoicing Records: Retained in accordance with applicable Polish fiscal and accounting legislation (typically 5–10 years), after which data is anonymized or securely erased.
Account & Identity Data: Retained for the duration of the commercial relationship plus statutory limitation periods, or until deletion request is processed (subject to legal retention overrides).
Technical & Security Logs: Retained up to 24 months for incident investigation and infrastructure optimization, then anonymized. Retention schedules align with internal data governance protocols and may be adjusted prospectively upon legal or operational necessity.
6. DATA SHARING & INTERNATIONAL TRANSFERS
6.1. Third-Party Processors
TENCAR engages strictly vetted service providers bound by GDPR Article 28 (Data Processing Agreements). Processors include:
Cloud infrastructure & hosting providers
PCI-DSS compliant payment gateways & financial institutions
EU VIES, national tax registries, and business verification API providers
Legal, accounting, and IT support partners
Personal data is disclosed only to the extent necessary for service delivery, statutory compliance, or payment processing.
6.2. International Data Transfers
Where data is transferred outside the European Economic Area (EEA), TENCAR implements appropriate safeguards per GDPR Chapter V, including:
EU Standard Contractual Clauses (SCCs)
UK International Data Transfer Agreement (IDTA)
Adequacy decisions by the European Commission Clients are responsible for ensuring compliance regarding any personal data contained within uploaded files, as stipulated in Section 9.4 of the Terms & Conditions.
6.3. Legal Disclosure
Data may be disclosed if required by court order, tax authority request, law enforcement, or to protect TENCAR's legal rights and prevent fraud.
7. DATA SUBJECT RIGHTS
Under the GDPR, data subjects (including natural persons acting on behalf of a commercial entity) have the right to:
Access, rectify, or request restriction of processing
Request erasure (subject to statutory retention obligations)
Data portability
Object to processing based on legitimate interests
Withdraw consent (where applicable)
To exercise these rights, contact privacy@dpfoffservice.com. Verification of commercial authority and identity may be required. TENCAR will respond within one month, extendable by two months for complex requests. The right to lodge a complaint with the UODO remains unaffected.
8. SECURITY MEASURES
TENCAR implements organizational and technical measures commensurate with GDPR Article 32 requirements:
TLS 1.2+ encryption in transit; AES-256 encryption at rest
Role-based access control (RBAC) and multi-factor authentication for administrative access
Regular vulnerability assessments, penetration testing, and backup integrity verification
Network segmentation, WAF, DDoS protection, and intrusion detection/prevention systems
Secure payment processing via certified third-party gateways; no raw payment credentials are stored on TENCAR servers
Incident response protocols aligned with GDPR Article 33/34 breach notification requirements
9. COOKIES & AUTOMATED TECHNOLOGIES
Essential Cookies: Required for authentication, session management, security, and core Service functionality.
Analytical Cookies: Anonymized usage statistics to optimize performance and UX. No individual tracking or cross-site profiling.
Configuration: Users may manage cookie preferences via browser settings or the Service interface. Disabling essential cookies may impair Service functionality.
TENCAR does not use retargeting, advertising cookies, or third-party marketing trackers.
10. AMENDMENTS TO THIS POLICY
TENCAR reserves the right to update this Policy to reflect legal, technical, or operational changes. Updated versions will be published at https://dpfoffservice.com/legal/confidential with a revised effective date. Continued use of the Service after publication constitutes acceptance. Substantive changes affecting lawful basis or data categories will be communicated via account notification or email.
11. CONTACT & COMPLIANCE
For data protection inquiries, DPO contacts, or compliance requests: Email: privacy@dpfoffservice.com
Postal: TENCAR sp. z o.o. | ul. Straganińska 20-22/35 | 80-837 Gdańsk, Poland
Regulatory: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland
This Policy should be read in conjunction with the Terms & Conditions for Business Services (Distance Agreement). Where inconsistencies arise, the Terms & Conditions shall govern commercial obligations, while this Policy governs data processing practices.
Document Version: 1.0
Last Updated: May 25, 2026
Compliance Framework: GDPR (2016/679), Polish Personal Data Protection Act, ePrivacy Directive, PCI-DSS v4.0, EU SCCs (2021/914)