Privacy Policy
How we process your personal data. Last updated: 15 April 2026.
1. Data Controller
The controller of your personal data is:
Łukasz Kozubek
ul. Łąkowa 18b, 47-415 Ponięcice, Poland
NIP (Tax ID): 6391803691, REGON: 241395380, EORI: PL639180369100000
Correspondence address: ul. Królewska 50 lok 3, 47-400 Racibórz, Poland
Tel.: +48 883 363 477
General email: kontakt@studiokozubek.pl
Data protection email: rodo@studiokozubek.pl
For matters concerning personal data, please contact us at rodo@studiokozubek.pl or by post to the correspondence address.
2. What data we collect
Depending on how you use our website, we process the following categories of data:
2.1. Data from the quote form and contact forms
- Company tax ID (NIP, 10 digits)
- Company name
- Email address
- Phone number (optional)
- City (optional)
- Information about the planned project (type of service, budget, deadline, description)
2.2. Data from the conversational assistant (chat)
- Content of messages you enter in the chat window
- Session identifier (random string, stored in your browser)
- Summary of the conversation and recommendations (for the purpose of recognising a returning user)
2.3. Technical data
- IP address (to prevent abuse and limit the number of requests)
- Information about the browser and operating system (user agent)
- Date and time of the visit
2.4. Data verified externally
- VAT status of the company on the White List of Taxpayers (public data from the register maintained by the Polish Ministry of Finance, retrieved based on the NIP number you provide)
Please do not provide sensitive data in the forms or in the chat (e.g. information on health, ethnic origin, political or religious views, biometric data). We do not need this information to prepare a quote.
3. Purposes and legal bases of processing
| Purpose of processing | Legal basis |
|---|---|
| Responding to an enquiry, preparing a quote and sales contact | Art. 6(1)(b) GDPR (steps prior to entering into a contract) |
| Performance of a concluded contract | Art. 6(1)(b) GDPR |
| Issuing invoices, tax and accounting settlements | Art. 6(1)(c) GDPR (legal obligation - Polish Accounting Act, Polish VAT Act) |
| Verification of the counterparty's VAT status on the White List (due diligence) | Art. 6(1)(c) GDPR (Art. 96b of the Polish VAT Act) |
| Website security, abuse prevention, request rate limiting | Art. 6(1)(f) GDPR (legitimate interest) |
| Ensuring the operation of the chat and the "welcome back" feature | Art. 6(1)(f) GDPR (legitimate interest - customer service) |
| Website traffic analytics (Google Analytics) | Art. 6(1)(a) GDPR (consent given in the cookie banner) |
| Measuring advertising effectiveness, remarketing (Google Ads, Google Tag Manager) | Art. 6(1)(a) GDPR (consent given in the cookie banner) |
| Direct marketing of our own services to existing clients | Art. 6(1)(f) GDPR (legitimate interest) |
| Establishment or defence of legal claims | Art. 6(1)(f) GDPR |
4. Data retention period
- Enquiries and quotes without contract conclusion - 18 months from the last contact.
- Client data after contract conclusion - for the duration of the contract and 6 years after its termination (accounting and tax requirement).
- Invoices and accounting documents - 5 years counted from the end of the tax year in which the tax obligation arose.
- Chat conversations - 6 months (if you did not leave contact details) or 18 months (if you left NIP/email).
- Technical logs and IP address data - 30 days.
- NIP verification data (White List) - 5 years (Polish VAT Act requirement).
- Complaints and complaint correspondence - 3 years from the end of the proceedings.
- Data processed on the basis of consent - until consent is withdrawn.
After the retention period has expired, the data is automatically deleted or anonymised.
5. Data recipients and processors
Your data may be entrusted to the following categories of entities with which we have concluded data processing agreements (DPA) compliant with Art. 28 GDPR:
- Hosting infrastructure and network security provider - servers located in the European Union, with data regionalisation mechanisms.
- Database provider - data stored in data centres located within the European Union (Frankfurt / Ireland).
- Artificial intelligence service providers (large language models, LLMs) - for the operation of the conversational assistant (chat) and the recommendation builder, we use various language model providers, selected depending on the type of query and quality requirements. Depending on the scenario, your query may be forwarded to one of the following providers:
  - OpenAI, L.L.C. (USA) - processing based on the EU-US Data Privacy Framework,
  - Anthropic, PBC (USA) - processing based on the EU-US Data Privacy Framework,
  - Google LLC (USA) - processing based on the EU-US Data Privacy Framework,
  - xAI Corp. (USA) - processing based on the Standard Contractual Clauses (SCC) in accordance with European Commission Implementing Decision 2021/914.
- Transactional email delivery service provider - for the purpose of sending confirmations and replies to enquiries.
- Google Ireland Limited / Google LLC - provider of analytics services (Google Analytics 4), tag management (Google Tag Manager) and advertising services (Google Ads). The data is loaded only after your consent given in the cookie banner. Transfer basis: EU-US Data Privacy Framework. We use Google Consent Mode v2, the IP anonymization feature and a limited data retention period in GA4.
- Polish Ministry of Finance - via the publicly available API of the VAT Taxpayer Register, solely for the purpose of verifying NIP status.
- Accounting office and legal advisors - to the extent necessary for settlements and legal services.
- State authorities - solely on the basis of applicable legal provisions.
A full, up-to-date list of data processors (sub-processors) is available on request at rodo@studiokozubek.pl.
6. Transfer of data outside the European Economic Area
Some of our technology providers are based outside the EEA (in particular in the USA). In such a case, the transfer of data takes place on the basis of:
- A European Commission decision finding an adequate level of protection (EU-US Data Privacy Framework), if the provider is certified under the DPF,
- Standard Contractual Clauses adopted by the European Commission (SCC),
- Additional technical and organisational measures (encryption, pseudonymisation, minimisation of the scope of data).
7. AI assistant and profiling
Our website runs a conversational assistant (chat) and a recommendation builder based on artificial intelligence models. We inform you that:
- You are talking to a computer system, not a human. This fact is clearly indicated in the interface.
- The system analyses the content of your queries in order to tailor service recommendations (profiling within the meaning of Art. 4(4) GDPR).
- We do not take any decisions regarding you in a fully automated manner (within the meaning of Art. 22 GDPR). The final decision on the terms of cooperation, price and scope of work is always made by a human.
- The content you enter in the chat remains your property. We do not use it to train AI models and we do not share it with third parties beyond the purpose of generating a response.
8. Your rights
In connection with the processing of your data, you have the following rights:
- Right of access to your data and to obtain a copy thereof (Art. 15 GDPR),
- Right to rectification of inaccurate or incomplete data (Art. 16 GDPR),
- Right to erasure of data ("right to be forgotten", Art. 17 GDPR),
- Right to restriction of processing (Art. 18 GDPR),
- Right to data portability (Art. 20 GDPR),
- Right to object to processing based on legitimate interest, including objection to direct marketing (Art. 21 GDPR),
- Right to withdraw consent at any time, if the processing is based on consent (this does not affect the lawfulness of processing prior to withdrawal),
- Right to lodge a complaint with the supervisory authority: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl.
To exercise the above rights, write to us at rodo@studiokozubek.pl. We respond within no more than 30 days.
9. Voluntary nature of providing data
Providing data is voluntary, but may be necessary to:
- Receive a response to an enquiry (without an email address we cannot reply),
- Prepare a quote (without the NIP and company name we cannot verify VAT status),
- Conclude and perform a contract (the data is required by the provisions of accounting law).
10. Cookies and similar technologies
Information about cookies and data stored in the browser's local storage (localStorage) can be found in a separate document: Cookie and local storage Policy.
11. Data security
We apply technical and organisational measures appropriate to the risk, including:
- Encryption of data transmission using the HTTPS protocol (TLS 1.2+),
- Restricting data access to authorised persons,
- Abuse prevention mechanisms (rate limiting, anti-bot honeypot),
- Regular software updates and backups,
- Data processing agreements (DPA) with all technology providers.
12. Changes to the privacy policy
The privacy policy may be updated in connection with changes in the law, changes in our services or changes among our providers. We announce material changes on the home page or by email (if we have your address). The date of the last update is shown at the top of the document.