← Back to home

Privacy Policy

Last updated: March 26, 2026

1. Data Controller

The controller of personal data processed within the EASF (European Accident Statement Form) service available at easf.eu is:

AXG Sp. z o.o.
ul. Graniczna 29
40-017 Katowice, Poland
Registered with the District Court for Katowice-Wschód in Katowice, 8th Commercial Division of the National Court Register
KRS: 0000563458
Tax ID: 9542756130
REGON: 361793430
Share capital: 5 000,00 PLN
Verify in KRS ↗

Contact for personal data protection matters: info@easf.eu

2. Scope of Data Processing

We process the following categories of personal data within the service:

a) Data from the road accident statement form:

  • Driver identity data (first name, last name, date of birth, driving licence number)
  • Contact data (email address, phone number, home address)
  • Vehicle data (make, model, registration number, VIN number)
  • Insurance data (policy number, insurer name, green card number)
  • Road accident data (date, time, place, region, country, circumstances, damage)
  • Witness data (first and last name, contact details)
  • Electronic signature
  • Accident scene sketch
  • Vehicle impact point on diagram
  • Accident scene photographs (up to 6 per side, up to 12 in total)
  • Photographs of documents (driving licence, vehicle registration certificate, insurance policy or Green Card) - only when the User chooses the optional document scanning feature; processed transiently to read out the data and never stored by the Service

b) Contact form data:

  • First and last name
  • Email address
  • Message content

c) Automatically collected data:

  • IP address
  • Browser identifier (user agent)
  • Country (based on Cloudflare IP geolocation)
  • Timestamps (first and last access dates)

d) Saved profile data (optional, only with your consent):

  • Driver details (first name, surname, date of birth, address, driving licence number and category, licence validity, telephone number)
  • Vehicle details (make, model, registration number, country of registration)
  • Insurance details (insurer name and address, policy number)
  • Vehicle owner details - stored only where the owner is a legal person, or where the owner is the driver themselves

3. Purpose and Legal Basis of Processing

We process personal data for the following purposes:

  • Provision of the service - preparation of a joint road accident statement and generation of a PDF document - legal basis: necessity for the performance of a contract for the provision of an electronic service (Art. 6(1)(b) GDPR)
  • Sending the PDF document to the email addresses provided by both participants - legal basis: necessity for the performance of a contract (Art. 6(1)(b) GDPR)
  • Real-time data synchronization between both accident participants - legal basis: necessity for the performance of a contract (Art. 6(1)(b) GDPR)
  • Handling contact form enquiries - legal basis: legitimate interest of the controller consisting in communication with users (Art. 6(1)(f) GDPR)
  • Ensuring security and proper operation of the service (technical logs, IP addresses) - legal basis: legitimate interest of the controller (Art. 6(1)(f) GDPR)
  • Statistical traffic analysis (optional, after consent given via the cookie banner) - legal basis: user consent (Art. 6(1)(a) GDPR)
  • Saving your driver and vehicle details to your account so that they can pre-fill your next accident statement - legal basis: user consent (Art. 6(1)(a) GDPR), given by ticking an optional box; it may be withdrawn at any time
  • Automatic reading of data from a document photograph in order to pre-fill the accident statement form (optional document scanning feature) - legal basis: necessity for the performance of a contract (Art. 6(1)(b) GDPR); the feature is used solely at the User's initiative and the photograph is processed only for this one-time purpose

4. Data Retention Period

Personal data is retained for the following periods:

  • Completed session data (accident statement form) - retained for a maximum of 12 months from the date of session completion, after which it is permanently deleted
  • Incomplete session data - automatically deleted after 90 days of inactivity
  • Accident scene photographs - stored as part of the session data in the Cloudflare D1 database and subject to the same retention periods as above
  • Generated PDF documents - not stored on the server after being sent to the participants' email addresses
  • Contact form data - retained for a maximum of 6 months from the date of resolution of the enquiry
  • Technical logs - maximum 30 days
  • Saved profile data - retained until the user deletes it in the My account section (withdrawal of consent); it is not subject to the 12-month retention period for session data
  • Document photographs (document scanning feature) - not stored by the Service: processed transiently in server memory only for the duration of the reading; the AI provider deletes them automatically within up to 30 days

You may request the deletion of your data at any time by contacting the controller at info@easf.eu.

5. Data Recipients and International Transfers

Personal data may be transferred to the following recipients:

  • Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) - hosting (Cloudflare Pages), database (Cloudflare D1, location: EU), photo storage (Cloudflare R2), real-time processing (Cloudflare Workers and Durable Objects). Cloudflare holds ISO 27001, ISO 27018, and ISO 27701 certifications.
  • Resend, Inc. (USA) - email delivery service provider; receives the participants' email addresses and the PDF document containing both parties' data as an attachment.
  • Trustpilot A/S (Pilestræde 58, 1112 Copenhagen, Denmark) - review platform; used solely to invite the User to review the Service. Receives the User's name, email address, and session reference number. It does not receive the PDF document or any accident data. Processing takes place within the EU/EEA.
  • Anthropic, PBC (548 Market St PMB 90375, San Francisco, CA 94104, USA) - AI service provider (Claude API); used only when the User actively chooses an AI-based feature: (a) the optional document scanning feature - receives the photograph of a document taken by the User (driving licence, vehicle registration certificate, insurance policy or Green Card) for a one-time automated reading of the data into the form; the photograph is never stored by the Service and is deleted by the provider automatically within up to 30 days, and it is not used to train AI models; (b) paid AI-based add-on services (e.g. AI Damage Estimate) - receives uploaded accident photographs for automated damage analysis. Certified under the EU-US Data Privacy Framework.
  • OpenAI, L.L.C. (3180 18th Street, San Francisco, CA 94110, USA) - AI service provider (GPT API); may be used as an alternative or complementary AI provider for paid AI-based add-on services. Receives uploaded accident photographs for automated damage analysis. Certified under the EU-US Data Privacy Framework.
  • The other road accident participant - to the extent necessary to prepare the joint statement. Each party can see the other party's form completion progress and connection status (online/offline) in real time. The generated PDF contains both parties' data.

Data transfers to entities based in the USA (Cloudflare, Resend, and - solely for the AI-based features chosen by the User - Anthropic and OpenAI) are carried out on the basis of the EU-US Data Privacy Framework (DPF) pursuant to European Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 (adequacy decision). All listed recipients are certified under the DPF. Additionally, Standard Contractual Clauses (SCCs) pursuant to European Commission Implementing Decision 2021/914 of 4 June 2021 are in place as a supplementary safeguard, along with additional technical measures (encryption in transit and at rest).

6. User Rights

Under the GDPR, you have the following rights:

  • Right of access to data (Art. 15 GDPR)
  • Right to rectification of data (Art. 16 GDPR)
  • Right to erasure of data - "right to be forgotten" (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
  • Right to withdraw consent at any time - without affecting the lawfulness of processing carried out prior to withdrawal (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority - President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl

To exercise any of the above rights, please contact us at info@easf.eu.

7. Cookies and Tracking Technologies

The service uses the following types of cookies:

  • Necessary (no consent required): administrator session authentication cookie (admin_auth, HttpOnly, Secure, SameSite=Strict, 24-hour validity). Cookie consent preference is stored in the browser's local storage (localStorage).
  • Analytics (consent required): Google Analytics - if enabled, sets _ga, _gat, _gid cookies for traffic analysis. IP addresses are anonymized (anonymize_ip: true).
  • Advertising (consent required): Google Ads - if enabled, sets _gcl_au, _gcl_aw cookies for conversion tracking.

Consent for analytics and advertising cookies is collected via a banner on first visit. You can change your preferences at any time. For detailed information, please see our Cookie Policy.

8. Data Security

We apply appropriate technical and organizational measures to ensure the security of personal data, including:

  • Encryption of all connections (HTTPS/TLS)
  • Encryption of real-time data transmission (WebSocket over TLS)
  • Restricted access to personal data (password-protected admin panel)
  • Data stored in encrypted Cloudflare D1 database (location: EU)
  • Client-side photo compression and validation before upload

The service operates on the infrastructure of Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). Cloudflare holds ISO 27001, ISO 27018, and ISO 27701 certifications, ensuring the highest standards of information security, protection of personal data in public cloud environments, and privacy management.

9. Automated Decision-Making

The service does not use automated decision-making or profiling within the meaning of Art. 22 GDPR. No decisions concerning users are made solely by automated means. The optional document scanning feature only suggests values for the form fields; the User reviews and may amend every value before signing the statement - no decision concerning the User is made by automated means.

10. Obligation to Provide Data

Providing personal data in the road accident statement form is voluntary but necessary to generate the PDF statement document. Failure to provide the required data will prevent the preparation of the statement and the use of the service.

Providing data in the contact form is voluntary but necessary to respond to the enquiry.

11. Contact

For matters concerning the protection of personal data, please contact us:

  • Email: info@easf.eu
  • Contact form available at easf.eu/contact
  • By post: AXG Sp. z o.o., ul. Graniczna 29, 40-017 Katowice, Poland

12. Changes to Privacy Policy

We reserve the right to make changes to this Privacy Policy for important reasons, including changes in legislation, changes in the scope of data processing, or changes required for security reasons. Users will be informed of any material changes through a notice displayed on the Service's website at least 14 days before the new Policy takes effect. Where changes involve new purposes of processing or a change in the legal basis, fresh consent will be obtained where required by applicable law.