Privacy Policy
Last updated: 3 June 2026
1. Data Controller
The data controller responsible for the personal data described in this policy is:
- Hicham Benkaihoul, operating as “KSeF Guard Engineering” — an individual sole operator (not a registered company)
- Based in Algeria, working remotely (no public business premises)
- Contact: [email protected]
Given the small scale of our processing, we have not appointed a Data Protection Officer. Data-protection questions are handled directly by the controller at the email above.
2. Data Processing
KSeF Guard is an offline-first desktop application. The core functionality (XML validation) runs entirely on your local machine — we never upload, store, or transmit your invoices or their contents to our servers. The only personal data we process is the limited information needed to sell, license, and maintain the software, described in the sections below.
3. Legal Basis for Processing
We rely on the following legal bases under Article 6(1) of the GDPR:
- Performance of a contract (Art. 6(1)(b)) — verifying your license key and subscription tier so we can deliver the licensed software you purchased.
- Legitimate interests (Art. 6(1)(f)) — preventing license fraud and abuse, providing automatic update checks, and keeping our website and license service secure (security logging). We do not use your data for profiling or advertising.
- Payments — billing and payment data are processed by DodoPayments as Merchant of Record under their own terms and privacy policy (see section 10).
4. License Activation
When you activate a license, the following information is transmitted over a secure (HTTPS) connection to verify license validity:
- License key
- Anonymous machine fingerprint (a one-way hash that cannot be reversed to identify your hardware)
- IP address (for rate limiting and fraud prevention)
This data is processed solely for license verification and is not used for any other purpose.
5. Cookies
The KSeF Guard website does not use cookies for tracking or advertising. We do not use any third-party analytics services. The only cookies that may be set are essential for website functionality (e.g., language preference).
6. Local Data Storage
The desktop application stores the following data locally on your machine for operational purposes:
- usage.json — Tracks daily validation counts for Free-tier quota enforcement. Contains: install ID (random UUID), machine ID hash (SHA-256), daily counters, and timestamps. No invoice content is stored.
- audit.log — Records license API interactions (activation, validation, deactivation). Contains: timestamp, action type, license key prefix (first 4 characters only), machine ID hash, result, and tier. Entries older than 90 days are automatically deleted during log rotation. Maximum file size: 10 MB.
- license.bin — Encrypted license state for offline validation of your subscription tier.
All files are stored in %AppData%\ksef-guard\ (Windows) or ~/.local/share/ksef-guard/ (Linux). You can delete these files at any time, or use the CLI command ksef-guard --erase-all-data to remove all local data.
7. Analytics
The desktop application does not transmit telemetry, usage statistics, or invoice data to external servers. Remote communications are limited to license verification (see section 4), payment processing via DodoPayments, and automatic update checks. The only data we collect server-side are standard web server logs for website visitors (IP address, user agent, referring page). These logs are retained for 30 days and used exclusively for security monitoring and debugging.
8. Data Retention
License activation data is retained for the duration of your active subscription plus 30 days. Web server logs are retained for 30 days. Local audit log entries are retained for 90 days. Upon request, we will delete all personal data associated with your account within 30 days.
9. Your Rights (GDPR)
If you are located in the European Economic Area, you have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data
- Right to restriction of processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to the processing of your personal data
To exercise any of these rights, contact us at [email protected].
You also have the right to lodge a complaint with a data protection supervisory authority. In Poland, this is the President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO — uodo.gov.pl). If you are in another EEA country, you may contact your local supervisory authority.
10. Third-Party Services
Our order process is conducted by DodoPayments, which acts as Merchant of Record for all orders. DodoPayments handles payment processing, invoicing, and customer service related to purchases. Their privacy policy governs the data collected during the purchase process.
11. Contact
For data protection inquiries, contact us at [email protected]. As the data controller is established outside the European Economic Area (in Algeria), please direct all privacy requests to this address.