← Back to home

Privacy Policy

Last updated: 3/18/2026

1. Data Controller

The controller of personal data processed within the EASF (European Accident Statement Form) service available at easf.eu is:

AXG
ul. Graniczna 29
40-017 Katowice, Poland
Tax ID: 9542462380
REGON: 241606204
Verify in CEIDG ↗

Contact for personal data protection matters: info@easf.eu

2. Scope of Data Processing

We process the following categories of personal data within the service:

a) Data from the road accident statement form:

  • Driver identity data (first name, last name, date of birth, driving licence number)
  • Contact data (email address, phone number, home address)
  • Vehicle data (make, model, registration number, VIN number)
  • Insurance data (policy number, insurer name, green card number)
  • Road accident data (date, time, place, region, country, circumstances, damage)
  • Witness data (first and last name, contact details)
  • Electronic signature
  • Accident scene sketch
  • Vehicle impact point on diagram
  • Accident scene photographs (up to 6 per side, up to 12 in total)

b) Contact form data:

  • First and last name
  • Email address
  • Message content

c) Automatically collected data:

  • IP address
  • Browser identifier (user agent)
  • Country (based on Cloudflare IP geolocation)
  • Timestamps (first and last access dates)

3. Purpose and Legal Basis of Processing

We process personal data for the following purposes:

  • Provision of the service - preparation of a joint road accident statement and generation of a PDF document - legal basis: necessity for the performance of a contract for the provision of an electronic service (Art. 6(1)(b) GDPR)
  • Sending the PDF document to the email addresses provided by both participants - legal basis: necessity for the performance of a contract (Art. 6(1)(b) GDPR)
  • Real-time data synchronization between both accident participants - legal basis: necessity for the performance of a contract (Art. 6(1)(b) GDPR)
  • Handling contact form enquiries - legal basis: legitimate interest of the controller consisting in communication with users (Art. 6(1)(f) GDPR)
  • Ensuring security and proper operation of the service (technical logs, IP addresses) - legal basis: legitimate interest of the controller (Art. 6(1)(f) GDPR)
  • Statistical traffic analysis (optional, after consent given via the cookie banner) - legal basis: user consent (Art. 6(1)(a) GDPR)

4. Data Retention Period

Personal data is retained for the following periods:

  • Working session data (accident statement form) - retained until deleted by the administrator; incomplete sessions are periodically removed during administrative reviews
  • Accident scene photographs - stored in Cloudflare R2 until deleted by the administrator
  • Generated PDF documents - not stored on the server after being sent to the participants' email addresses
  • Contact form data - retained until the matter is resolved and deleted by the administrator
  • Technical logs - maximum 30 days

You may request the deletion of your data at any time by contacting the controller at info@easf.eu.

5. Data Recipients and International Transfers

Personal data may be transferred to the following recipients:

  • Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) - hosting (Cloudflare Pages), database (Cloudflare D1, location: EU), photo storage (Cloudflare R2), real-time processing (Cloudflare Workers and Durable Objects). Cloudflare holds ISO 27001, ISO 27018, and ISO 27701 certifications.
  • Resend, Inc. (USA) - email delivery service provider; receives the participants' email addresses and the PDF document containing both parties' data as an attachment.
  • The other road accident participant - to the extent necessary to prepare the joint statement. Each party can see the other party's form completion progress and connection status (online/offline) in real time. The generated PDF contains both parties' data.

Data transfers to entities based in the USA (Cloudflare, Resend) are carried out on the basis of Standard Contractual Clauses (SCCs) pursuant to European Commission Implementing Decision 2021/914 of 4 June 2021, supplemented by additional technical safeguards (encryption in transit and at rest).

6. User Rights

Under the GDPR, you have the following rights:

  • Right of access to data (Art. 15 GDPR)
  • Right to rectification of data (Art. 16 GDPR)
  • Right to erasure of data - "right to be forgotten" (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
  • Right to withdraw consent at any time - without affecting the lawfulness of processing carried out prior to withdrawal (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority - President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl

To exercise any of the above rights, please contact us at info@easf.eu.

7. Cookies and Tracking Technologies

The service uses the following types of cookies:

  • Necessary (no consent required): administrator session authentication cookie (admin_auth, HttpOnly, Secure, SameSite=Strict, 24-hour validity). Cookie consent preference is stored in the browser's local storage (localStorage).
  • Analytics (consent required): Google Analytics - if enabled, sets _ga, _gat, _gid cookies for traffic analysis. IP addresses are anonymized (anonymize_ip: true).
  • Advertising (consent required): Google Ads - if enabled, sets _gcl_au, _gcl_aw cookies for conversion tracking.

Consent for analytics and advertising cookies is collected via a banner on first visit. You can change your preferences at any time. For detailed information, please see our Cookie Policy.

8. Data Security

We apply appropriate technical and organizational measures to ensure the security of personal data, including:

  • Encryption of all connections (HTTPS/TLS)
  • Encryption of real-time data transmission (WebSocket over TLS)
  • Restricted access to personal data (password-protected admin panel)
  • Data stored in encrypted Cloudflare D1 database (location: EU)
  • Client-side photo compression and validation before upload

The service operates on the infrastructure of Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). Cloudflare holds ISO 27001, ISO 27018, and ISO 27701 certifications, ensuring the highest standards of information security, protection of personal data in public cloud environments, and privacy management.

9. Automated Decision-Making

The service does not use automated decision-making or profiling within the meaning of Art. 22 GDPR. No decisions concerning users are made solely by automated means.

10. Obligation to Provide Data

Providing personal data in the road accident statement form is voluntary but necessary to generate the PDF statement document. Failure to provide the required data will prevent the preparation of the statement and the use of the service.

Providing data in the contact form is voluntary but necessary to respond to the enquiry.

11. Contact

For matters concerning the protection of personal data, please contact us:

  • Email: info@easf.eu
  • Contact form available at easf.eu/contact
  • By post: AXG, ul. Graniczna 29, 40-017 Katowice, Poland

12. Changes to Privacy Policy

We reserve the right to make changes to this Privacy Policy. Users will be informed of any changes by updating the date at the top of the document. Continued use of the service after changes are made constitutes acceptance of the updated Policy.