Privacy Policy
Last updated: 22 June 2026
1. Who we are (Data Controller)
CommonSpecs is operated by YNOTS SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (“YNOTS”, “we”, “us”), a limited liability company incorporated in Poland and entered in the Register of Entrepreneurs of the National Court Register:
- Registered seat: ul. Rakowicka 10B, 31-511 Kraków, Poland
- KRS: 0001191921 (District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division)
- NIP (Tax ID): 6751818253
- REGON: 542604468
- Email: contact@ynots.ai
- Phone: +48 690 354 418
YNOTS is the controller of the personal data described in this Policy within the meaning of Regulation (EU) 2016/679 (the GDPR). We have not appointed a Data Protection Officer; data-protection questions go to contact@ynots.ai.
2. Scope
This Policy explains how we process personal data when you visit commonspecs.com, create an account, use the CommonSpecs API or MCP server, or otherwise interact with the CommonSpecs service (the “Service”). It does not cover third-party websites or services we link to.
3. What we collect, why, and on what legal basis
| Data | Examples | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | name, email, organisation, password (hashed) | create and manage your account, authenticate you | Art. 6(1)(b) — performance of a contract |
| API credentials & usage | API tokens, request logs, endpoints called, volume, timestamps, IP | provide the API, enforce rate limits/quotas, secure the Service, bill metered usage | Art. 6(1)(b); Art. 6(1)(f) — legitimate interest in security and abuse prevention |
| Billing data | plan tier, transaction records, billing contact | process payments for paid tiers, meet accounting obligations | Art. 6(1)(b); Art. 6(1)(c) — legal obligation |
| Contributed content | product specifications, sources and corrections you submit, tied to your account and reputation score | operate the shared specification database and reputation system | Art. 6(1)(b); Art. 6(1)(f) — legitimate interest in data quality |
| Communications | emails and support requests | respond to and document support | Art. 6(1)(f) — legitimate interest in support |
| Website usage (cookieless) | aggregate metrics (page views, referrers, performance) — no cookies, no visitor identification | understand traffic in aggregate; keep the site secure | Art. 6(1)(f) — legitimate interest |
We do not use cookies, and we do not run cross-site tracking, advertising, or profiling. Aggregate website usage is measured without cookies and without identifying you (see Section 4). We do not knowingly collect special-category data and ask you not to submit it.
4. Cookies and analytics
We do not use cookies. Sign-in state is kept in your browser’s local storage (not cookies), and we set no advertising, analytics, or tracking cookies — so no cookie-consent banner is needed.
We measure aggregate traffic with Cloudflare Web Analytics, which is cookieless and does not fingerprint or identify individual visitors — it reports only anonymous, aggregate metrics (page views, referrers, performance).
Our security provider, Cloudflare, may set a single strictly necessary cookie only if you are shown a security challenge; this is exempt from consent and is never used to track you.
5. Who we share data with (processors & sub-processors)
We do not sell personal data. We share it only with service providers acting on our instructions under data-processing agreements:
- Google Cloud Platform (Cloud Run, Cloud SQL/PostgreSQL, Vertex AI) — hosting, database, and AI-assisted specification processing.
- Cloudflare — edge delivery, DNS, security/DDoS protection, and cookieless aggregate web analytics.
- Stripe — payment processing for paid tiers (card data is handled by Stripe; we do not store full card numbers).
- Resend — sending account and service (transactional) emails.
We may also disclose data where required by law or to protect our rights.
6. International transfers
Some providers process data outside the European Economic Area (e.g. in the United States). Where that happens, transfers are safeguarded by the European Commission’s Standard Contractual Clauses and, where applicable, the provider’s certification under the EU–U.S. Data Privacy Framework, together with supplementary measures as needed.
7. How long we keep data
- Account & contributed content: for the life of your account and up to 90 days after closure, unless we must keep specific records longer.
- Billing records: for the period required by Polish tax and accounting law (generally 5 years from the end of the relevant year).
- Logs: up to 12 months.
8. Your rights
Under the GDPR you have the right to access your data; to rectify it; to erase it; to restrict or object to processing; to data portability; and, where processing rests on consent, to withdraw consent at any time without affecting prior processing. To exercise any right, email contact@ynots.ai.
You also have the right to lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland — uodo.gov.pl.
9. Security
We apply appropriate technical and organisational measures — encryption in transit, hashed credentials, access controls, and provider-side protections — to safeguard personal data. No method of transmission or storage is completely secure.
10. Children
The Service is intended for businesses and professionals and is not directed to children under 16. We do not knowingly process children’s data.
11. Changes
We may update this Policy; we will post the revised version here and update the “Last updated” date. Material changes will be communicated by reasonable means.
12. Contact
Questions or requests: contact@ynots.ai / +48 690 354 418 / YNOTS sp. z o.o. (KRS 0001191921).