// legal.privacy Version 1.0 · in force from 2026-05-10

Privacy
Policy.

We collect the minimum data needed to handle your conversation with us. Here you will find what, why, on what basis and for how long.

This English version is provided for convenience only. The Polish-language version of this document is the legally binding one.

// TL;DR
  • Controller: Haski Prosta Spółka Akcyjna, registered office in Poznań, Poland, KRS 0001240403, NIP 9721379253.
  • GDPR contact: tobiasz@haski.io
  • What we collect: data from the contact form, data from call bookings via Google Calendar, technical data (logs, cookies, with your consent).
  • Why: to respond to your enquiry, arrange a call, perform the contract and settle it in line with the law.
  • Do we sell data: no. We do not sell or rent personal data.
  • Your rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent, complaint to the President of the Personal Data Protection Office (PUODO).

Table of contents

  1. 1. Data controller
  2. 2. Where we get your data
  3. 3. Purposes, legal bases, retention
  4. 4. Who we share data with
  5. 5. Transfers outside the EEA
  6. 6. Your rights
  7. 7. Cookies
  8. 8. Profiling and automated decisions
  9. 9. Data security
  10. 10. Complaint to PUODO
  11. 11. Changes to the policy

1. Data controller

The controller of your personal data is:

Haski Prosta Spółka Akcyjna
registered office in Poznań, Poland
KRS 0001240403
NIP 9721379253
contact: tobiasz@haski.io

We have not appointed a data protection officer (DPO), as the regulations do not require one in our situation (Article 37 GDPR). For all matters relating to data protection, write to: tobiasz@haski.io.

2. Where we get your data

Your data reaches us mainly from you. The specific sources are:

  • Contact form / e-mail / phone: when you write or call us with an enquiry.
  • Booking a slot (Google Calendar): when you arrange a call via the Google form on our site.
  • Technical data: IP address, browser identifier, server logs, cookie identifiers (subject to your consent for non-essential cookies).
  • Contract performance: data provided in the course of delivering a project (contact details of the client team, invoicing details).
  • Public sources (business contact): if we reach out to you with a B2B cooperation proposal, we may use publicly available sources: KRS, CEIDG, GUS, LinkedIn, company websites. In our first communication we inform you of the source and purpose (Article 14 GDPR).

The scope of data is minimal: first and last name, e-mail address, optionally phone, company name and job title, and the content of your message. For settlements we additionally collect invoicing details (NIP, address). We do not collect special categories of data (health, political views, religion, etc.).

3. Purposes, legal bases, retention periods

Each processing operation has a defined purpose, legal basis and period. The map is below.

Purpose Legal basis Period
Responding to a request for a quote / business contact. Article 6(1)(b) GDPR (steps towards entering into a contract) or (f) (legitimate interest in conducting commercial correspondence). Up to 24 months from the last contact, where no contract was concluded.
Booking and holding a consultation call. Article 6(1)(b) GDPR (action at your request before entering into a contract). Up to 3 years from the call (limitation period for business claims, Article 118 of the Polish Civil Code).
Performing a client contract (delivery of the implementation, support, invoicing). Article 6(1)(b) GDPR (contract). Until the end of the contract plus the limitation period for claims (usually 3 years, Article 118 of the Polish Civil Code), with a buffer of up to 6 years.
Tax and accounting settlements (invoices, VAT records, KSeF). Article 6(1)(c) GDPR in conjunction with the Polish Accounting Act and Tax Ordinance. 5 years counted from the end of the calendar year in which the tax payment deadline fell.
Direct marketing to existing clients (information about our services). Article 6(1)(f) GDPR (legitimate interest, recital 47 GDPR). Until an objection is raised or the cooperation ends.
B2B contact in response to a public enquiry or via professional networks (LinkedIn) in order to propose a call. Article 6(1)(f) GDPR (legitimate interest in developing commercial relationships with company representatives). You may object at any time. Up to 12 months from the first contact or until an objection is raised.
Keeping the site secure (server logs, anti-spam, protection against abuse). Article 6(1)(f) GDPR (legitimate interest in system security). Up to 12 months.
Pursuing or defending against claims. Article 6(1)(f) GDPR. Until the end of the limitation period for claims plus a 1-year buffer.
Non-essential cookies (analytics, marketing). Article 6(1)(a) GDPR (consent) plus Article 398 of the Polish Electronic Communications Law. Until consent is withdrawn or the lifetime of the specific cookie expires (usually no longer than 13 months).

Providing data is voluntary but necessary to handle your enquiry, conclude a contract or issue an invoice. Without the data we will be unable to act in these cases.

4. Who we share data with

We do not sell your data. We may entrust it to entities that support us in running the business, always under a data processing agreement (Article 28 GDPR):

  • Server and technical maintenance providers: application and mail servers
  • Google Workspace providers: Google Ireland Limited (Gmail, Calendar, Drive, Meet).
  • Providers of automation and CRM tools: for handling leads and communication (the list is updated if a provider changes).
  • Accounting office and providers of accounting and KSeF systems: for tax settlements and invoicing.
  • Law firm and debt collection: where it becomes necessary to pursue claims.
  • Public authorities: only where an obligation arises from the law (e.g. the tax office, ZUS, courts).

Each provider is vetted for GDPR compliance and required to apply appropriate safeguards.

5. Transfers outside the European Economic Area

Some providers (in particular Google) may process data in the United States. In such cases we apply the safeguard mechanisms required by the GDPR:

  • The European Commission decision of 10 July 2023 finding an adequate level of protection in the USA for entities participating in the EU-U.S. Data Privacy Framework (DPF).
  • The EU Commission Standard Contractual Clauses (SCC) of 4 June 2021 as an additional basis for the transfer.

You can obtain a copy of the safeguards by writing to tobiasz@haski.io.

6. Your rights

In connection with the processing of your data, you have the following rights:

  • Access to data: you can ask what data we hold about you and receive a copy of it (Article 15).
  • Rectification: we correct inaccurate data or complete incomplete data (Article 16).
  • Erasure: the “right to be forgotten” (Article 17). It may be limited where we are obliged to retain the data (e.g. invoices, 5 years).
  • Restriction of processing: e.g. while the accuracy of the data is being verified (Article 18).
  • Data portability: where processing is based on consent or a contract and is carried out by automated means (Article 20).
  • Objection: to processing based on legitimate interest. Against direct marketing the objection is absolute: we stop the processing without any further assessment (Article 21).
  • Not being subject to automated decisions, including profiling (Article 22).
  • Withdrawal of consent: at any time, without affecting the lawfulness of processing carried out beforehand.

To exercise any of these rights, simply e-mail tobiasz@haski.io. We respond without undue delay, within one month at the latest (Article 12(3)). In complex cases the deadline may be extended by a further two months; we will then tell you within the first month, together with the reasons.

Exercising your rights is free of charge. We may request additional information if we have reasonable doubts about the identity of the person making the request.

7. Cookies and similar technologies

Cookies are small files saved by the browser. We use four categories:

  • Essential: responsible for the site working and for session security. They do not require consent, but you can block them in your browser settings (the site may then not work properly).
  • Functional: remember your preferences (e.g. hiding the cookie banner). They require consent.
  • Analytics: help us understand how you use the site (aggregated statistics). They require consent.
  • Marketing: used to tailor adverts and measure their effectiveness. They require consent.

You give consent to cookies other than essential ones in the banner on your first visit. You can withdraw or change it at any time by clicking the “Cookie settings” link available in the site footer.

Legal basis: Article 6(1)(a) GDPR and Article 398 of the Act of 12 July 2024, the Electronic Communications Law.

You can also manage cookies directly in your browser settings: Chrome, Firefox, Edge, Safari.

8. Profiling and automated decisions

We do not take decisions about you based solely on automated processing (including profiling) that would produce legal effects or similarly significantly affect you (Article 22 GDPR).

9. Data security

We apply technical and organisational security measures appropriate to the risk (Article 32 GDPR): encryption in transit (TLS), access control and logging, backups, password policies, separation of access within the team, and data processing agreements with providers.

In the event of a personal data breach that may result in a high risk to your rights, we will notify you without undue delay (Article 34 GDPR) and inform the President of the Personal Data Protection Office (UODO) within 72 hours (Article 33 GDPR).

10. Complaint to the supervisory authority

If you consider that we are processing your data unlawfully, you have the right to lodge a complaint with:

President of the Personal Data Protection Office
ul. Stawki 2
00-193 Warsaw
uodo.gov.pl

11. Changes to the privacy policy

We update the policy when our processes, tools or the law change. We will give reasonable advance notice of material changes, by way of a notice on the home page and, where possible, by e-mail.

Current version: 1.0, in force from 10 May 2026. We archive earlier versions.