Privacy Policy

Last updated: May 30, 2026

1. Who we are

Superextra is operated by PP2 Studio sp. z o.o., a company registered in Poland (ul. Żywiczna 9, 81-604 Gdynia; KRS 0001182088; NIP 5862419337). PP2 Studio sp. z o.o. is the data controller for personal data processed through the Superextra website and platform (collectively, the "Service"). Full company details are in our Legal Notice.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use the Service. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Polish law. For any privacy question, contact us at privacy@superextra.ai.

2. Information we collect

Information you provide

  • Account information — name, email address, company name, and role when you request access or create an account.
  • Communications — any information you include when you contact us by email or through the website.
  • Payment information — billing details processed by our payment provider. We do not store full payment card numbers.

Information collected automatically

  • Usage data — pages viewed, features used, time spent, and interactions within the Service.
  • Device & browser data — IP address, browser type, operating system, device identifiers, and referring URLs.
  • Cookies & similar technologies — see Section 7.

3. How we use your information, and our legal bases

Under the GDPR, we rely on the following legal bases (Article 6):

  • To provide and maintain the Service, manage your account, and process your access request — performance of a contract with you or steps taken at your request before entering a contract (Art. 6(1)(b)).
  • To send transactional emails (confirmations, security alerts) — performance of a contract (Art. 6(1)(b)).
  • To analyse usage, improve features, and keep the Service secure and free of fraud — our legitimate interests in operating and improving the Service (Art. 6(1)(f)).
  • To send marketing communications — your consent, which you can withdraw at any time (Art. 6(1)(a)).
  • To comply with legal obligations (e.g. tax and accounting) — compliance with a legal obligation (Art. 6(1)(c)).

4. Chat conversations

When you use the Superextra chat (research conversations with our AI agent), each chat is given a unique URL. A few things about how chats are stored and shared are worth calling out:

  • Every question you ask and every answer you receive is durably stored in the cloud until you delete the chat. This includes the sources the agent returned and the activity summary for each turn.
  • Anyone with the chat URL can read it and continue the conversation. Treat chat URLs like sensitive document links — if the URL is shared, so is the chat.
  • Only the person who originally created a chat can delete it. Other people with the URL cannot delete your chats.
  • Anonymous browser identifiers are stored alongside chats. We record the anonymous identifier of the original creator and the anonymous identifiers of every browser that has contributed a message to the chat. These are not personally identifying on their own, but they are readable by anyone with the chat URL.
  • Operational activity events (e.g., per-turn search/tool activity) are retained for debugging and reliability, are set to expire after 180 days, and then become eligible for automatic deletion. The question, answer, and source list for each turn are retained for as long as the chat exists.

5. How we share your information

We do not sell your personal data. We share it only with service providers who process it on our behalf as processors under a data processing agreement, and only as needed to run the Service:

  • Google Cloud / Vertex AI — hosting and AI processing of the agent.
  • Firebase (Google) — website hosting, authentication, and database.
  • Stripe — payment processing.
  • Resend — delivery of transactional and intake email.
  • ElevenLabs — speech-to-text and text-to-speech for optional voice features.

We may also disclose data where required by law, regulation, or valid legal process, or in connection with a merger, acquisition, or sale of assets.

6. Data retention

We keep personal data for as long as your account is active or as needed to provide the Service. We retain data longer only where necessary to comply with legal obligations (such as tax and accounting rules), resolve disputes, and enforce our agreements. When data is no longer needed, we securely delete or anonymize it.

7. Cookies and similar technologies

We use:

  • Essential cookies and local storage — required for the Service to function (e.g., authentication, security, and remembering preferences such as your theme and language).
  • Analytics cookies — to understand how visitors use the website so we can improve it. You can block or delete cookies through your browser settings; disabling essential cookies may affect how the Service works.

8. Data security

We implement industry-standard technical and organizational measures to protect personal data, including encryption in transit (TLS) and at rest and access controls. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

9. International transfers

Some of our providers process data outside the European Economic Area, including in the United States. Where that happens, we rely on appropriate safeguards under the GDPR — primarily the European Commission's Standard Contractual Clauses, and adequacy decisions where they apply — to protect your data.

10. Your rights

Under the GDPR, you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request deletion ("right to be forgotten");
  • object to or request restriction of certain processing;
  • data portability — receive your data in a structured, machine-readable format;
  • withdraw consent at any time, where processing is based on consent.

To exercise these rights, contact us at privacy@superextra.ai. We will respond within one month, as required by the GDPR.

You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Polish Personal Data Protection Office (Urząd Ochrony Danych Osobowych), ul. Stanisława Moniuszki 1A, 00-014 Warszawa, Poland — and you may also complain to the authority in your country of residence.

11. Children's privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal data from children. If we learn we have collected data from a child, we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date, and will notify you of material changes. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

13. Contact us

If you have questions about this Privacy Policy, please contact us at:

PP2 Studio sp. z o.o.
ul. Żywiczna 9, 81-604 Gdynia, Poland
Email: privacy@superextra.ai

endepl