Privacy Policy — Tollentrio

1. Controller

The controller responsible for the processing of your personal data on this website is:

Entrio sp. z o.o.
ul. Zagórna 28, 37-420 Kopki, Poland
Email: help@tollentrio.com
Phone: +48 880 685 468

For questions about data protection, please contact us at the email address above.

1.2. We have not appointed a Data Protection Officer (DPO), as we are not legally required to do so under Art. 37 GDPR. For all data protection inquiries, please contact us at help@tollentrio.com.

2. Data we collect

We only collect personal data that is necessary for the specific purposes described in this Privacy Policy.

2.1. Data you provide during checkout

First and last name
Email address
Phone number
Billing address (street, city, postal code, country)
Vehicle registration number (number plate)
Country of vehicle registration
Vehicle type/category

2.2. Automatically collected data

IP address
Browser type and version
Operating system
Date and time of access
Pages visited and referrer URL
Device information

2.3. Payment data

Payment information (card numbers, bank details) is processed exclusively by our third-party payment providers and is never stored on our servers.

3. Purpose & legal basis

We process your personal data for the following purposes and on the following legal bases (GDPR):

Purpose	Legal basis
Order fulfilment (e-vignette registration)	Art. 6(1)(b) GDPR – performance of contract
Sending order confirmation & e-vignette by email/SMS	Art. 6(1)(b) GDPR – performance of contract
Payment processing	Art. 6(1)(b) GDPR – performance of contract
Compliance with tax and accounting obligations	Art. 6(1)(c) GDPR – legal obligation
Customer support & communication	Art. 6(1)(f) GDPR – legitimate interest
Website analytics and improvement	Art. 6(1)(a) GDPR – consent
Fraud prevention	Art. 6(1)(f) GDPR – legitimate interest

3.2. Where processing is based on our legitimate interest (Art. 6(1)(f) GDPR), such interest includes ensuring the security of our website, preventing fraud, improving our services, and maintaining efficient customer support. We have assessed that these interests are not overridden by the fundamental rights and freedoms of users.

4. Data sharing & recipients

Your data may be shared with the following categories of recipients, solely for the purposes described above:

National toll authorities — vehicle registration data is transmitted to the relevant toll authority of the destination country to register the e-vignette;
Payment service providers — payment data is transmitted to our secure payment processor for transaction handling;
Email/SMS service providers — your contact details are shared with our communications provider to deliver order confirmations;
Hosting providers — data is stored on servers operated by our hosting provider;
Tax advisors/accountants — order and invoice data may be shared to comply with statutory obligations.

We do not sell, rent or trade your personal data to third parties for marketing purposes.

5. Data retention

We retain your personal data only as long as necessary for the purposes for which it was collected:

Order data: retained for the period required by tax and commercial law (typically 5–10 years depending on jurisdiction);
Customer-support correspondence: retained for up to 3 years after the last interaction;
Website analytics data: anonymised or deleted after 26 months;
Cookies: see section 8 below.

6. Your rights (GDPR)

Under the GDPR you have the following rights:

Right of access (Art. 15 GDPR) — request a copy of your personal data;
Right to rectification (Art. 16 GDPR) — request correction of inaccurate data;
Right to erasure (Art. 17 GDPR) — request deletion of your data, subject to statutory retention requirements;
Right to restriction of processing (Art. 18 GDPR);
Right to data portability (Art. 20 GDPR) — request your data in a structured, commonly used, machine-readable format;
Right to object (Art. 21 GDPR) — object to processing based on legitimate interest;
Right to withdraw consent (Art. 7(3) GDPR) — withdraw consent at any time without affecting the lawfulness of previous processing.

To exercise any of these rights, please contact us at help@tollentrio.com. We will respond within 30 days. You also have the right to lodge a complaint with the competent supervisory authority in your country of residence.

6.2. We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

7. Data security

We implement appropriate technical and organisational measures to protect your personal data, including:

SSL/TLS encryption for all data transferred between your browser and our servers;
Encrypted database storage;
Access controls and authentication for internal systems;
Regular security audits and updates.

8. Cookies

Our website uses cookies — small text files stored on your device — to ensure proper operation and improve your user experience.

8.1. Necessary cookies

These cookies are essential for the website to function (e.g. session management, cart). They do not require consent.

8.2. Analytics cookies

We may use analytics tools (e.g. Google Analytics) to understand how visitors use our website. These cookies are only set with your consent.

8.3. Marketing cookies

We may use third-party marketing cookies (e.g. Google Ads, Facebook) to show relevant adverts. These cookies are only set with your explicit consent. Disabling cookies may affect the functionality of our website.

8.4. Consent management (CookieYes)

We use CookieYes by Adzapier LLC to manage your cookie preferences in line with the GDPR and the ePrivacy Directive. On your first visit a consent banner is shown, allowing you to accept, reject or customise non-essential cookies. You can change or withdraw your consent at any time via the cookie icon in the corner of the page. More information: cookieyes.com. You may withdraw or modify your cookie consent at any time via the cookie settings tool available on our website. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. Server log files

When you access our website, your browser automatically transmits technical information which we store in server log files. This includes:

Browser type and version;
Operating system used;
Referrer URL (the page you came from);
Date and time of the server request;
Your device's IP address (anonymised where technically possible).

This data is generally not combined with other personal data and there is no intention to do so. Processing is based on Art. 6(1)(f) GDPR to protect our legitimate interest in the stability, security and functionality of our website. Log files are automatically deleted after 30 days, unless required to investigate a security incident.

10. Hosting and infrastructure

10.1. Supabase (database & authentication)

Our application backend runs on Supabase (Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992). Supabase stores order data, customer data and authentication information on servers located in the EU (eu-central). Processing is governed by a data processing agreement (DPA) under Art. 28 GDPR. More info: supabase.com/privacy.

10.2. Cloudflare (CDN, DDoS protection)

We use Cloudflare (Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA) as a content delivery network and for DDoS protection. Cloudflare processes technical data such as IP addresses in server logs. Cloudflare may process data on servers located outside the EU, including in the United States. Legal basis: Art. 6(1)(f) GDPR (legitimate interest). International transfers are safeguarded by EU Standard Contractual Clauses. Privacy policy: cloudflare.com/privacypolicy.

11. Web analytics & advertising tools

11.1. Google Analytics 4

Our website uses Google Analytics 4, a web analytics service provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses cookies that allow analysis of how our website is used. The information generated by the cookies is generally transmitted to a Google server and stored there.

IP anonymisation: we have enabled IP anonymisation. Your IP address is truncated by Google within the EU/EEA member states before transmission. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.

Retention: data associated with cookies, user IDs or advertising IDs is anonymised or deleted after 14 months.

Legal basis: your consent given via the cookie banner (Art. 6(1)(a) GDPR). You can withdraw your consent at any time via the cookie icon. More info: policies.google.com/privacy.

11.2. Google Tag Manager

Our website uses Google Tag Manager to manage marketing and analytics tags. Google Tag Manager itself does not set cookies or collect personal data — it only fires other tags which may collect data. If you have declined consent at cookie or domain level, this applies to all tags managed via Google Tag Manager.

11.3. Google Ads & Conversion Tracking

We use Google Ads (Google Ireland Ltd) including conversion tracking to measure the effectiveness of our ad campaigns. When you click an ad served by Google, a cookie is set on your device (valid for 30 days). This cookie is not used to personally identify you. We learn the total number of users who clicked our ad and were redirected to a page with a conversion tracking tag, but receive no information that personally identifies users. Legal basis: consent (Art. 6(1)(a) GDPR). Information: policies.google.com/technologies/ads.

11.4. Meta Pixel (Facebook)

We may use the Meta Pixel (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland) to measure the effectiveness of ads on Facebook and Instagram and to show interest-based ads to users who have visited our website (retargeting). The pixel may transmit data to Meta servers in the USA. Legal basis: consent (Art. 6(1)(a) GDPR). More info: facebook.com/privacy/policy.

11.5. Microsoft Advertising (Bing Ads)

We may use Microsoft Advertising (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA) for advertising and conversion tracking. Categories of processed data may include: browser language, clicked ads, IP address, Microsoft Click ID, page title, referrer URL and device information. Legal basis: consent (Art. 6(1)(a) GDPR).

11.6. Where applicable, we may act as a joint controller with certain providers (e.g., Meta Platforms Ireland Ltd.) in accordance with Art. 26 GDPR for data collected via tracking technologies. Further details are available in the respective provider's privacy policies.

12. Payment service providers

12.1. Stripe

For card and wallet payments we use Stripe (Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland). When you pay by card, your payment data (card number, CVC, expiry date, billing data) is collected and processed exclusively by Stripe — we never see or store your full card number. Legal basis: Art. 6(1)(b) GDPR (performance of contract). Privacy policy: stripe.com/privacy.

12.2. Local payment gateways

For regional payment methods (e.g. BLIK, Apple Pay, Google Pay) we may route the transaction through additional certified payment providers. In every case, payment data is processed exclusively by the payment provider, never by us. We only receive a transaction confirmation (success/failure, amount, transaction ID).

13. Order fulfilment & national toll authorities

To register your e-vignette we transmit strictly necessary data — vehicle plate, country of registration, vehicle category and validity period — to the relevant national toll authority of the destination country. Recipients by country:

Hungary: Nemzeti Mobilfizetési Zrt., Kapás utca 6–12, 1027 Budapest, Hungary;
Czechia: Státní fond dopravní infrastruktury (SFDI), Sokolovská 1955/278, 190 00 Praha 9;
Slovakia: Národná diaľničná spoločnosť, a. s. (NDS), Dúbravská cesta 14, 841 04 Bratislava;
Slovenia: DARS d. d., Ulica XIV. divizije 4, 3000 Celje;
Bulgaria: National Toll Committee (Toll BG), Sofia;
Romania: Compania Națională de Administrare a Infrastructurii Rutiere (CNAIR), Bd. Dinicu Golescu 38, București;
Switzerland: Federal Office for Customs and Border Security (BAZG), Bern;
Moldova: Vama Moldovei (Customs Service of the Republic of Moldova), Chișinău.

Legal basis: Art. 6(1)(b) GDPR (performance of contract). Without this transfer the e-vignette cannot be registered.

14. Email & SMS delivery

14.1. Transactional emails

Order confirmations and e-vignette PDFs are sent through a transactional email service (Resend / Supabase SMTP). Your email address and order data are processed only for the purpose of delivery. Legal basis: Art. 6(1)(b) GDPR.

14.2. SMS notifications

If you opt in to SMS delivery (additional fee), your phone number and the message content are transmitted to our SMS provider. The provider may process and route the message via partner carriers worldwide. Legal basis: Art. 6(1)(a) GDPR (your explicit consent at checkout). The phone number is retained only as long as necessary for order fulfilment and statutory retention periods.

15. CRM & internal tools

We use Zoho CRM (Zoho Corporation B.V., Beneluxlaan 4B, 3527 HT Utrecht, Netherlands) to manage customer orders, support correspondence and accounting workflows. Data stored: name, email, phone, billing data, order summary. EU data residency. Legal basis: Art. 6(1)(b) and (f) GDPR. Privacy policy: zoho.com/privacy. Internal operational notifications are sent via secure internal communication tools. These notifications do not contain full personal data and are limited to order ID, country, and transaction status.

16. Exchange-rate data (NBP)

To convert prices into your local currency we use the exchange rates from the public API of the National Bank of Poland (NBP). No personal data is sent to NBP — only an anonymous request for the current rate table. Cache: 4 hours.

17. International data transfers

Your data may be transferred to countries outside the European Economic Area (EEA) where our service providers are located (e.g. USA: Stripe, Google, Meta, Microsoft, Cloudflare). In every case we rely on one of the following safeguards:

EU Standard Contractual Clauses (SCCs) of the European Commission;
Adequacy decisions of the European Commission (e.g. EU–U.S. Data Privacy Framework);
Binding Corporate Rules (BCRs) of the recipient.

Despite these safeguards, we cannot entirely rule out that authorities of the recipient country may access transferred data without effective legal remedies for you. By consenting to non-essential cookies, you also consent to such transfers within the meaning of Art. 49(1)(a) GDPR.

18. Data breach notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it and, where required, inform affected individuals without undue delay.

19. Changes to this Policy

We may update this Privacy Policy from time to time. The updated version will be published on this page with the date of last revision. We recommend reviewing this page regularly.

20. Contact

For questions about data protection, please contact us at help@tollentrio.com.