This page contains the full English text of Specteron's Privacy Policy in a single, readable layout for desktop, tablet and mobile.
§ 1. General provisions
1. This Privacy Policy sets out the rules for the processing of personal data in connection with the use of the Service and the Services provided under the Specteron brand, in particular in connection with visiting the website, creating and operating an Account, using a Workspace, Trial, paid Plans, Add-ons, Integrations, Widget, Knowledge Base, Desktop Application, Marketplace and contact with the Service Provider.
2. This Privacy Policy applies to personal data processed by the Service Provider as the controller and also, to the appropriate extent, to cases in which the Service Provider processes personal data on behalf of the User as a processor, where this follows from the nature of the Service or separate arrangements of the Parties.
3. This Privacy Policy is informative in nature and is intended to fulfil obligations related to the protection of personal data, in particular towards persons using the Service, Users, customers, persons contacting the Service Provider and other persons whose data may be processed in connection with Specteron's activities.
4. This Privacy Policy covers personal data processed in connection with:
   1) using the public parts of the Service,
   2) submitting contact forms, inquiries, requests and messages,
   3) Account registration and login,
   4) using the Workspace and team functions,
   5) activation of the Trial, paid Plans, Add-ons and billing,
   6) using the Desktop Application, Integrations, API, webhooks and other technical functions,
   7) using AI features, the Knowledge Base and User Content,
   8) support, complaints, security, analytics and communication.
5. This Privacy Policy does not replace contractual terms regarding data processing concluded with business customers, in particular data processing agreements, Data Processing Addenda, enterprise terms or other documents governing the roles and obligations of the Parties with respect to data entrusted by the User.
6. To the extent that the Service Provider makes a separate Cookie Policy available, that document supplements this Privacy Policy with respect to cookies, similar technologies, online identifiers, analytics and browser and device settings.
7. Any capitalised terms that are not defined otherwise in this Privacy Policy have the meaning given to them in the Specteron Terms of Service.
8. Use of the Service and the Services may involve the processing of personal data in different legal roles and for different purposes, depending on the nature of the relationship with the Service Provider, the scope of the functions used, the User's status and the manner in which the Service is used.
9. If you have questions regarding this Privacy Policy, the rules of data processing or the exercise of rights related to personal data protection, you should contact the Service Provider using the contact details indicated in this document.
10. Before production publication, this Privacy Policy must be completed with the final identifying details of the controller, contact addresses, possible details of the data protection officer, the effective date and the names of the final infrastructure, payment and external service providers, if they are to be indicated individually.
§ 2. Personal data controller
1. The controller of the personal data processed in connection with the use of the Service and Specteron Services is:
   [FULL COMPANY NAME / FIRST AND LAST NAME OF THE SOLE TRADER]
   conducting business under the business name / company:
   [LEGAL FORM]
   with its registered office / place of business at:
   [ADDRESS]
   entered in:
   [CEIDG / KRS]
   under number:
   [CEIDG OR KRS NUMBER]
   Tax ID: [TAX ID]
   REGON: [REGON – if applicable]
   hereinafter referred to as the "Controller".
2. The Controller decides on the purposes and means of the processing of personal data to the extent that it acts as the controller, in particular in connection with operating the Service, maintaining Accounts, providing Services, billing, own marketing, security and contact with Users.
3. In specific cases, the Controller may process personal data not as a controller but as a processor acting on behalf of the User, in particular when the User uses the Service to process the data of its own customers, employees, contractors or other third parties. In such a case, detailed processing rules may result from a separate agreement, Data Processing Addendum, enterprise terms or another appropriate document.
4. If the Controller appoints a data protection officer, information about this together with contact details will be made available in the Service, in the Privacy Policy or in another appropriate manner.
5. Until the data referred to in paragraph 1 is completed, this section must be completed before the production publication of the Privacy Policy and before the Services are provided in the final commercial model.
§ 3. Contact details for privacy matters
1. The Controller may be contacted in matters related to personal data protection at the following e-mail address: [PRIVACY E-MAIL ADDRESS].
2. Correspondence relating to the protection of personal data may be sent to: [CORRESPONDENCE ADDRESS].
3. If the Controller appoints a data protection officer, contact with that officer will be possible using the contact details indicated in the Service or in this Privacy Policy.
4. The Controller may provide separate contact addresses for technical support, billing, complaints, security reports or legal notices, but requests and questions related to personal data protection should be sent to the contact details indicated in this section unless the Controller indicates otherwise.
5. The contact details indicated in this section must be completed before the production publication of this document.
§ 4. Scope and sources of collected data
1. The Controller obtains personal data directly from the data subjects and also, to the extent permitted by law, indirectly from Users, team members, cooperating entities, payment operators, external service providers, Integrations and other sources related to the use of the Service and the Services.
2. The scope of the processed data depends on the type of relationship with the Controller, the scope of the function used, the method of contact, the User's status, the type of active Service and the purpose of the processing.
3. The Controller may process, in particular, the following categories of data:
   1) identification data, such as first name, last name, company name, position, user identifier, Workspace or organisation name,
   2) contact data, such as e-mail address, phone number, correspondence address and business contact details,
   3) registration and authentication data, such as login, password hash, data related to login, password reset, 2FA, SSO, session identifiers, authorisation tokens or information about e-mail address verification,
   4) billing and transaction data, such as invoice details, entity data, payment identifiers, information about the plan, subscription status, billing history and payments,
   5) technical and operational data, such as IP address, device identifiers, operating system, browser type, application identifiers, event logs, diagnostic data, configuration information, access time, errors and activity in the Service,
   6) communication data, such as the content of messages sent via the contact form, e-mail, support, complaints, security reports or other communication channels,
   7) organisational and operational data related to the Workspace, team members, roles, permissions, environment configuration, user actions and activity history,
   8) data related to User Content, the Knowledge Base, files, integrations, API, webhooks and other materials processed within the Service, to the extent that they constitute personal data,
   9) marketing data, communication preferences, information about campaign activity, consents and interest in the offer, if the User has given consent or the Controller acts on the basis of a legitimate interest in accordance with the law,
   10) data obtained from payment providers, analytics tools, security providers, Integrations and other technology partners, to the extent necessary to provide, bill, secure or develop the Services.
4. Personal data may come in particular from the following sources:
   1) forms available in the Service,
   2) the Account registration and login process,
   3) Workspace configuration and invitations to the team,
   4) activation of the Trial, Plans, Add-ons and billing,
   5) communication with the Controller,
   6) use of the Service, Desktop Application, Integrations, API, webhooks, Widget and other technical functions,
   7) actions undertaken by the User within the Account and the Workspace,
   8) technology partners and payment operators, where this is necessary for the performance of the Service.
5. The Controller may also obtain data from Users who add other persons to the Workspace, provide contact data of persons responsible for cooperation, designate team administrators, send data to support or enter data while using the Service. In such a case, the Controller assumes that the User has an appropriate basis for providing the data.
6. As a rule, the Controller does not expect the transfer of special categories of personal data or data relating to criminal convictions and offences unless this is expressly agreed, legally permitted and covered by appropriate safeguards.
§ 5. Categories of data subjects
1. The Controller may process the personal data of the following categories of persons:
   1) visitors to the Service,
   2) persons contacting the Controller via the contact form, e-mail, phone or other communication channels,
   3) persons creating an Account or starting a Trial,
   4) Users using paid Plans, Add-ons or Custom Services,
   5) team members, Workspace administrators, operators, co-workers and other persons invited to the Workspace,
   6) persons representing customers, contractors or business partners,
   7) persons using the Desktop Application, Widget, Integrations, API, webhooks or other technical functions,
   8) persons whose data has been entered into the Service by the User, to the extent that the Controller acts as the controller or processor, depending on the nature of the given relationship,
   9) persons submitting complaints, security reports, personal data requests or other legal requests,
   10) newsletter subscribers or recipients of marketing communications, if such functionalities are used.
2. The scope of the processed data, the purposes of the processing and the Controller's role may differ depending on the category of the person whose data is concerned, the type of relationship with the Controller and the scope of the function or Service used.
§ 6. Purposes and legal bases for data processing
1. The Controller processes personal data only to the extent that there is an appropriate legal basis and a legitimate purpose for the processing.
2. Personal data may be processed by the Controller in particular for the following purposes:
   1) concluding and performing the Agreement, providing the Services, maintaining the Account, Workspace, Trial, Subscription, Add-ons, Integrations, Desktop Application and other functions, on the basis of Article 6(1)(b) GDPR,
   2) taking actions before concluding the Agreement at the request of the data subject, in particular responding to an inquiry, preparing an offer, providing a product demonstration or commercial contact, on the basis of Article 6(1)(b) or Article 6(1)(f) GDPR, depending on the nature of the relationship,
   3) fulfilling legal obligations incumbent on the Controller, in particular in the fields of accounting, taxation, handling personal data requests, security and compliance with the law, on the basis of Article 6(1)(c) GDPR,
   4) ensuring the security of the Service and the Services, preventing abuse, detecting incidents, protecting against unauthorised access, keeping security logs, managing sessions and authentication, on the basis of Article 6(1)(f) GDPR,
   5) handling contact, requests, support, complaints, claims, defence against claims and pursuing claims, on the basis of Article 6(1)(b), (c) or (f) GDPR, depending on the nature of the matter,
   6) conducting analyses, statistics, improving the Services, product development, maintaining quality of operation and optimising functions, on the basis of Article 6(1)(f) GDPR,
   7) conducting marketing of the Controller's own products and services, sending commercial information, newsletters or promotional communications, on the basis of Article 6(1)(a) or (f) GDPR, taking into account specific provisions relating to electronic communication,
   8) carrying out payments, billing, issuing accounting documents, handling subscriptions and preventing payment abuse, on the basis of Article 6(1)(b), (c) and (f) GDPR,
   9) fulfilling obligations arising from agreements concluded with business customers, including data processing agreements or enterprise terms, on the basis of Article 6(1)(b), (c) or (f) GDPR and, in the scope of processing on behalf of the customer, in accordance with Article 28 GDPR,
   10) managing business relations, cooperation, development of the partner network, organisation of implementation projects and Custom Services, on the basis of Article 6(1)(b) or (f) GDPR.
3. If the processing is based on consent, the data subject may withdraw that consent at any time, without affecting the lawfulness of processing carried out before the consent was withdrawn.
4. Where the Controller processes data on the basis of legitimate interest, that interest consists in particular in operating and developing the business, ensuring security, handling communication, pursuing claims, defending against claims, carrying out its own marketing, improving the Services and ensuring the stability of the provision of digital services.
5. Providing personal data may be a condition for concluding the Agreement, creating an Account, using specific functions, making a payment, receiving an answer to an inquiry or carrying out other activities related to the Service. Failure to provide the data may make it impossible to carry out those activities in whole or in part.
§ 7. Account registration, login and Account management
1. In connection with Account registration, login, identity verification and Account management, the Controller processes the personal data necessary to create, maintain and secure the Account.
2. The scope of the data processed for this purpose may include in particular:
   1) first name and last name or the User's name,
   2) e-mail address,
   3) password in a technically secured form,
   4) account and session identifiers,
   5) information about e-mail address verification,
   6) data regarding login, password reset, two-factor authentication, SSO, device and security activity,
   7) data related to profile configuration and user preferences.
3. This data is processed for the purpose of:
   1) creating and maintaining the Account,
   2) enabling login and authentication,
   3) ensuring Account security and preventing abuse,
   4) handling password reset, e-mail verification and access recovery,
   5) performing the Agreement for the provision of Services and servicing the User within the Account.
4. The legal basis for the processing of data in connection with the Account is in particular Article 6(1)(b) GDPR and, with regard to security logs, abuse prevention and protection of the Services, also Article 6(1)(f) GDPR.
5. Providing the data required during registration is voluntary, but necessary to create an Account and use the functions available after login.
6. Data related to the Account is stored for the period during which the Account is maintained and, after its deletion, for the period necessary to fulfil legal obligations, billing, security, complaint handling or defence against claims.
§ 8. Workspace, team members and organisational data
1. In connection with the creation and operation of the Workspace, the Controller processes personal data concerning Workspace owners, administrators, team members, operators, persons invited to the Workspace and other persons associated with the organisation using the Services.
2. The scope of the data processed for this purpose may include in particular:
   1) first name and last name,
   2) business or other e-mail address,
   3) the name of the organisation, Workspace or team,
   4) the role, permissions and scope of access,
   5) information about an invitation to the Workspace and its acceptance or rejection,
   6) information about user activity in the Workspace, history of actions, configuration, security and administration of the environment.
3. This data is processed for the purpose of:
   1) enabling teamwork,
   2) managing access, roles and permissions,
   3) carrying out organisational and administrative functionalities,
   4) ensuring the security of the Workspace and accountability of users' actions,
   5) performing the Agreement with the customer using the Services in the team or organisational model.
4. The legal basis for the processing of the data is Article 6(1)(b) GDPR and, where appropriate, also Article 6(1)(f) GDPR, consisting in ensuring security, organising teamwork, supporting cooperation and defending against abuse.
5. If the data of team members has been provided by a business customer or the Workspace owner, the Controller assumes that the entity providing the data has an appropriate basis for making it available and has fulfilled the required information obligations towards those persons.
6. Organisational data and team member data are stored for the duration of the Workspace and, after its closure, for the period necessary for billing, security, compliance with legal obligations and defence against claims.
§ 9. Payments, billing and billing data
1. In connection with handling paid Plans, a Trial converting into a paid plan, Add-ons, Custom Services, invoices, settlements and preventing payment abuse, the Controller processes the personal data necessary to perform payments and accounting and tax obligations.
2. The scope of the data processed for this purpose may include in particular:
   1) first name and last name or company name,
   2) billing address,
   3) Tax ID, invoice data and accounting data,
   4) the e-mail address assigned to the payment,
   5) information about the Plan, Add-ons, payment history, billing dates, subscription status and billing events,
   6) transaction identifiers, customer identifiers in the payment operator's system and other data provided by the payment operator to the extent necessary for billing, handling the subscription or clarifying a payment dispute.
3. Payment-related data is processed for the purpose of:
   1) carrying out payments and billing,
   2) issuing accounting documents,
   3) handling the Subscription and its renewals,
   4) preventing fraud and payment abuse,
   5) pursuing receivables and handling payment disputes.
4. The legal basis for the processing of the data in this respect is Article 6(1)(b), (c) and (f) GDPR.
5. Payments may be handled by external payment and billing operators. The Controller does not store full payment instrument data if the handling of such data is carried out directly by a specialised operator.
6. Billing and accounting data is stored for the period required by tax and accounting law and for the period necessary to defend against claims and pursue claims.
§ 10. Contact form, inquiries and communication with the user
1. When contacting the Controller through the contact form, e-mail, phone, chat, lead forms or other communication channels, the Controller processes the personal data necessary to handle the inquiry, respond to the message or continue communication.
2. The scope of the data processed for this purpose may include in particular:
   1) first name and last name,
   2) e-mail address,
   3) phone number,
   4) company name,
   5) the content of the message, inquiry, request or correspondence,
   6) other data voluntarily provided by the person contacting the Controller.
3. This data is processed for the purpose of:
   1) replying to the inquiry,
   2) conducting communication before the conclusion of the Agreement or during cooperation,
   3) handling commercial, technical, organisational or legal requests,
   4) archiving correspondence and demonstrating the course of communication,
   5) protecting against abuse and ensuring communication security.
4. The legal basis for the processing of the data in this respect is Article 6(1)(b) GDPR if the contact concerns the conclusion or performance of the Agreement, or Article 6(1)(f) GDPR if the contact concerns other matters and consists in handling communication and the Controller's legitimate interest.
5. Providing data in the contact form or in a message is voluntary, but may be necessary to receive a response or take further action related to the inquiry.
6. Data related to communication is stored for the period necessary to handle the contact, carry out further cooperation, archive, defend against claims or fulfil legal obligations, depending on the nature of the matter.
§ 11. Support, complaints and post-sales contact
1. In connection with technical support, service requests, complaints, post-sales contact, onboarding, consultations and other activities related to the performance of the Agreement, the Controller processes the personal data necessary to properly service the User.
2. The scope of the data processed for this purpose may include in particular:
   1) first name and last name,
   2) e-mail address,
   3) phone number,
   4) company or Workspace name,
   5) data identifying the Account, request, subscription or case,
   6) the content of the request, message, complaint, bug report or other communication,
   7) information about the course of the contact, actions taken by support, case history, request status and related technical logs or operational data.
3. This data is processed for the purpose of:
   1) providing technical or organisational support,
   2) examining complaints and requests,
   3) contacting the User after purchase or during the use of the Service,
   4) maintaining service quality and documenting the course of cooperation,
   5) pursuing claims or defending against claims.
4. The legal basis for the processing of the data in this respect is Article 6(1)(b) GDPR and, where appropriate, also Article 6(1)(c) and (f) GDPR.
5. Data related to support, complaints and post-sales contact is stored for the period necessary to handle the case and then for the period required for evidential purposes, billing, security, defence against claims or compliance with legal obligations.
§ 12. Knowledge Base, files, User Content and data entered into the Service
1. In connection with the use of the Knowledge Base, file uploads, creation of knowledge bases, adding sources, importing data, configuring User Content and using other functions requiring materials to be entered into the Service, the Controller may process personal data contained in such content, if it constitutes personal data.
2. The scope of the processed data depends on the type of materials added by the User and may include all personal data contained in documents, files, knowledge sources, text content, descriptions, prompts, configurations, messages, forms, notes or other materials processed within the Service.
3. This data is processed for the purpose of:
   1) providing the Knowledge Base functions and other Service functions,
   2) storing, indexing, searching, analysing and organising content,
   3) powering Bots, automations, AI responses, workflows or other functions dependent on input data,
   4) maintaining the security, integrity and quality of operation of the Service,
   5) performing the Agreement with the User.
4. The legal basis for the processing of the data by the Controller in its own name is Article 6(1)(b) and (f) GDPR and, to the extent that the Controller processes such data on behalf of a business customer as a processor, the processing takes place in accordance with Article 28 GDPR and the relevant arrangements of the Parties.
5. As a rule, the Controller does not perform substantive verification of content entered by the User and is not responsible for its compliance with the law, the rights of third parties or business adequacy, unless it has expressly accepted such an obligation in a separate Agreement.
6. The User should independently assess what data and materials are entered into the Service, taking into account the principles of data minimisation, confidentiality, legal obligations and the risks associated with the processing of such content.
7. Data contained in the Knowledge Base and other materials entered into the Service is stored for the period of using the given function or until it is deleted by the User, subject to periods necessary for backups, security, billing, technical retention, defence against claims or legal obligations.
§ 13. Third-party data entered by customers
1. If the User enters into the Service the personal data of other persons, in particular its own customers, employees, co-workers, contractors or other third parties, the User is responsible for the compliance of such action with the law and for having an appropriate legal basis for the transfer and processing of such data.
2. To the extent that third-party data is processed by the Controller on behalf of the User, the Controller may act as a processor, and the detailed rules of such processing may result from a separate agreement, DPA, enterprise terms or another appropriate document.
3. The Controller may receive third-party data from the User in connection with:
   1) use of the Workspace and team functions,
   2) communication with the User's end customers,
   3) configuration of the Widget, forms, leads, requests or messages,
   4) data imports, integrations, API, webhooks or synchronisation with external systems,
   5) adding content to the Knowledge Base or other data sources.
4. The Controller is not obliged to independently verify whether the User has a legal basis for transferring third-party data unless such an obligation follows from mandatory provisions of law.
5. In the event of receiving credible information about unlawful processing of third-party data, the Controller may take appropriate protective actions, including restricting the processing, requesting explanations, deleting specific content or applying measures provided for in the Terms of Service.
§ 14. AI, automations, classification and algorithm-assisted functions
1. Selected Specteron functions use AI technologies, automations, content classification, semantic search, contextual analysis, workflow rules, recommendation mechanisms or other algorithm-assisted functions.
2. The use of such functions may involve the processing of input data, content, messages, documents, prompts, metadata, technical data and other information necessary for the operation of the given function.
3. This data is processed for the purpose of:
   1) generating a response, recommendation, classification, summary, automation or another output of the function,
   2) ensuring the operation of AI and algorithm-assisted functions,
   3) improving the quality, security, stability and control of the Service,
   4) performing the Agreement and developing Specteron functions.
4. The legal basis for the processing of the data by the Controller in this respect is Article 6(1)(b) and (f) GDPR and, where appropriate, when the Controller acts on behalf of a customer, Article 28 GDPR and the relevant arrangements of the Parties.
5. The Controller does not use personal data to make decisions concerning the data subject that are based solely on automated processing and produce legal effects concerning that person or similarly significantly affect that person, unless explicitly indicated otherwise and there is an appropriate legal basis for this.
6. Data processed within AI functions may be entrusted or disclosed to providers of models, infrastructure or other services supporting the operation of such functions, solely to the extent necessary to achieve the purpose and with appropriate legal and organisational safeguards.
7. Due to the nature of AI functions, the Controller recommends that Users do not enter data into such functions where its processing is not necessary and exercise particular caution when using confidential data and data with an increased level of risk.
§ 15. Cookies, technical data, logs, identifiers and analytics
1. In connection with the use of the Service and the Services, the Controller may process technical data, operational data, logs, online identifiers, device data, IP address, browser data, operating system data, session information, cookies, local storage and similar technologies.
2. This data is processed in particular for the purpose of:
   1) ensuring the proper operation of the Service and the Services,
   2) maintaining sessions and authentication,
   3) ensuring security and detecting incidents,
   4) carrying out statistics, analyses and performance measurement of the services,
   5) remembering user preferences,
   6) diagnosing errors and technical problems,
   7) improving functions, performance and user experience.
3. The legal basis for the processing of technical data is Article 6(1)(b) or (f) GDPR, depending on the nature of the given technology and the purpose of processing, and in the case of technologies requiring consent, also the consent expressed in accordance with the applicable provisions.
4. Detailed information regarding the types of cookies and similar technologies used, the basis for their use, their retention periods and how they are managed should be specified in a separate Cookie Policy or in a consent management tool, if one is used.
5. Technical and security logs may include in particular information about the time of access, IP address, type of request, session identifiers, errors, login attempts, user actions, system events and environment configuration.
6. Technical data and logs are stored for the period necessary to ensure operation, security, analytics, accountability, defence against claims or compliance with legal obligations.
§ 16. Desktop Application, devices and technical environment data
1. In connection with the use of the Desktop Application, the Controller may process technical and operational data related to the device, system environment, application configuration, user session, security and communication between the application and Specteron's infrastructure.
2. The scope of the processed data may include in particular:
   1) device identifiers or application instance identifiers,
   2) the operating system and its version,
   3) information about the application version,
   4) IP address and connection data,
   5) error logs, diagnostic messages and technical events,
   6) information about configuration, authorisation, session and security.
3. This data is processed for the purpose of:
   1) enabling the Desktop Application to operate,
   2) handling login and security,
   3) detecting errors, incidents and technical problems,
   4) maintaining compatibility, performance and quality of operation of the application,
   5) performing the Agreement and supporting the user of the application.
4. The legal basis for the processing of the data in this respect is Article 6(1)(b) and (f) GDPR.
5. Technical data related to the Desktop Application is stored for the period necessary to achieve the above purposes, taking into account periods for security, log retention, error handling and defence against claims.
§ 17. Integrations, API, webhooks and third-party services
-
1.
The use of Integrations, API, webhooks and third-party services associated with Specteron may involve the processing of personal data necessary to establish the connection, authorise, exchange data, synchronise, operate functions and secure communication.
-
2.
The scope of the data processed for this purpose may include in particular:
-
1)
identification data of the user or organisation,
-
2)
authorisation data, connection identifiers and tokens,
-
3)
configuration data,
-
4)
metadata regarding information exchange,
-
5)
data transferred within a specific Integration, webhook or API call.
-
-
3.
This data is processed for the purpose of:
-
1)
launching and maintaining Integrations,
-
2)
ensuring communication between Specteron and external services,
-
3)
performing functions requested by the User,
-
4)
ensuring security and accountability of connections,
-
5)
diagnosing errors and technical problems.
-
-
4.
The legal basis for the processing of the data in this respect is Article 6(1)(b) and (f) GDPR and, in the scope of processing carried out on behalf of a business customer, also the relevant bases arising from the Controller-processor relationship.
-
5.
The Controller is not responsible for the data processing rules applied by independent external service providers acting as separate controllers. In such cases, the privacy policies and terms of those entities apply.
-
6.
If the User uses Integrations activated by the User, the User is responsible for assessing the appropriateness and lawfulness of linking data between Specteron and the given external service unless separate arrangements of the Parties provide otherwise.
§ 18. Marketing, newsletter and promotional activities
-
1.
The Controller may process personal data for the purposes of marketing its own products and services, sending commercial information, running a newsletter, promotional communications, remarketing, organising marketing campaigns, events, webinars, educational materials or building business relationships.
-
2.
The scope of the data processed for this purpose may include in particular:
-
1)
first name and last name,
-
2)
e-mail address,
-
3)
phone number,
-
4)
company name,
-
5)
information about interest in the offer, contact history, marketing activity, communication preferences or the source of obtaining the contact.
-
-
3.
This data is processed on the basis of Article 6(1)(a) or (f) GDPR, taking into account the applicable provisions regarding electronic communications, marketing consents and the sending of commercial information.
-
4.
If marketing communication requires consent, granting it is voluntary and may be withdrawn at any time, without affecting the lawfulness of earlier processing.
-
5.
The Controller may also conduct its own marketing towards current customers or persons remaining in a business relationship with it, if permitted by the applicable provisions and there is an appropriate legal basis.
-
6.
Data processed for marketing purposes is stored until consent is withdrawn, an objection is raised, the purpose of processing ceases or the relationship with the Controller ends, depending on the legal basis and the nature of the activities.
§ 19. Data recipients and processors
-
1.
Personal data may be disclosed to recipients only to the extent necessary to carry out the purposes described in this Privacy Policy and in accordance with applicable law.
-
2.
Data recipients may include in particular:
-
1)
providers of hosting, server, cloud and backup infrastructure,
-
2)
providers of authentication, security, monitoring, analytics and event logging tools,
-
3)
operators of payments, billing, invoicing and settlement systems,
-
4)
providers of e-mail, communication, support, CRM, form and marketing tools,
-
5)
providers of AI models, language processing, search or automation services,
-
6)
technology partners handling Integrations, API, webhooks and external services,
-
7)
subcontractors, legal advisers, accountants, auditors or other service providers supporting the Controller's business,
-
8)
public authorities or other authorised entities where disclosure is required by law.
-
-
3.
Where a data recipient acts on behalf of the Controller as a processor, the Controller takes steps to ensure that such entity processes the data lawfully, on the basis of an appropriate agreement and with appropriate security measures.
-
4.
The current list of recipient categories may be expanded as Specteron develops, the infrastructure changes or the way the Services are provided changes, while maintaining compliance with this Privacy Policy and applicable law.
§ 20. Transfers of data outside the European Economic Area
-
1.
In connection with the use of infrastructure providers, payment tools, analytics tools, AI services, communication services or other technological solutions, personal data may be transferred outside the European Economic Area if this is necessary to carry out the purposes of the processing.
-
2.
Where data is transferred outside the European Economic Area, the Controller applies appropriate safeguards required by applicable law, in particular:
-
1)
adequacy decisions,
-
2)
standard contractual clauses,
-
3)
other transfer mechanisms permitted by law.
-
-
3.
The data subject may obtain information about the safeguards applied with respect to transfers of data outside the European Economic Area by contacting the Controller using the details indicated in this Privacy Policy.
-
4.
The Controller seeks to limit transfers of data outside the European Economic Area to cases justified from a functional, business or technical perspective and to apply solutions ensuring the highest possible level of data protection.
§ 21. Data retention period
-
1.
The Controller stores personal data for no longer than is necessary to achieve the purposes for which the data was collected, unless a longer retention period results from applicable law, security requirements, the need to defend against claims or the pursuit of claims.
-
2.
The retention period depends in particular on the type of relationship with the Controller, the category of data, the purpose of processing, the legal basis and the nature of the Service used.
-
3.
Data related to the Account, Workspace, Subscription, Add-ons, Trial and the use of the Services is generally stored for the duration of the Agreement or the maintenance of the Account and, after its end, for the period necessary for:
-
1)
billing,
-
2)
compliance with legal obligations,
-
3)
complaint handling,
-
4)
ensuring security,
-
5)
defence against claims or the pursuit of claims.
-
-
4.
Billing, accounting and tax data is stored for the period required by tax and accounting regulations and the rules on the limitation of claims.
-
5.
Data related to contact forms, inquiries, support, complaints and communication is stored for the period necessary to handle the matter and later for the period necessary for archiving, defence against claims or compliance with legal obligations.
-
6.
Data processed on the basis of consent is stored until the consent is withdrawn or until the purpose of processing ceases, unless further processing is permissible on another legal basis.
-
7.
Data processed on the basis of the Controller's legitimate interest is stored until an effective objection is raised or that interest ceases, unless further processing is permissible due to overriding legitimate grounds or the need to establish, pursue or defend claims.
-
8.
Technical data, security logs, diagnostic data and analytical data are stored for the period necessary to ensure security, stability, accountability of operation of the Services, incident detection, error analysis and the development of functionalities.
-
9.
Data contained in User Content, the Knowledge Base, files, integrations and other materials entered into the Service is stored for the period of using the given function or until it is deleted by the User, subject to periods resulting from backups, technical retention, security, legal obligations or separate arrangements of the Parties.
-
10.
After the relevant retention period expires, the data is deleted, anonymised or subjected to other operations limiting the possibility of identifying the person, unless further retention is required or permitted by law.
§ 22. Rights of data subjects
-
1.
The data subject has, within the limits laid down by applicable law, the following rights:
-
1)
the right of access to personal data,
-
2)
the right to rectify personal data,
-
3)
the right to erase personal data,
-
4)
the right to restrict processing,
-
5)
the right to data portability,
-
6)
the right to object to processing,
-
7)
the right to withdraw consent at any time if processing is based on consent,
-
8)
the right to lodge a complaint with the President of the Personal Data Protection Office.
-
-
2.
The right to withdraw consent does not affect the lawfulness of processing carried out before its withdrawal.
-
3.
A request concerning the exercise of rights may be sent to the Controller using the contact details indicated in this Privacy Policy.
-
4.
The Controller may ask for additional information necessary to confirm the identity of the person submitting the request if this is necessary for the proper execution of the request and the protection of personal data.
-
5.
The exercise of rights may be subject to limitations resulting from applicable law, in particular where further processing of data is necessary to fulfil a legal obligation, establish, pursue or defend claims, ensure security or protect the rights of other persons.
-
6.
If the Controller processes personal data solely as a processor acting on behalf of a business customer, the request concerning the data may be forwarded to the relevant controller or carried out in cooperation with that controller, depending on the nature of the relationship and the applicable law.
§ 23. Automated decision-making and profiling
-
1.
The Controller may use automation, classification, analytics, recommendation, semantic search, rule-based mechanisms or AI functions supporting the operation of the Service and the Services.
-
2.
As a rule, the Controller does not make decisions concerning data subjects that are based solely on automated processing and produce legal effects concerning them or similarly significantly affect them, unless:
-
1)
this is permitted by applicable law,
-
2)
it is necessary to conclude or perform the Agreement,
-
3)
the data subject has given explicit consent,
and appropriate measures to protect that person's rights and freedoms have been ensured.
-
-
3.
If a specific Specteron function involves profiling or automated support of certain processes, the Controller seeks to ensure that the scope of such processing is adequate, proportionate and consistent with the purpose of the function.
-
4.
AI functions and automations used in Specteron are, as a rule, intended to support processes, generate content, classify, search, organise information or improve the operation of the Service and should not be treated as an independent basis for making decisions with significant effects for natural persons without appropriate human oversight.
-
5.
If the nature of a given function requires providing additional information about the logic of the automated processing, its significance and the envisaged consequences, such information will be made available to an appropriate extent with that function, in the documentation or in a message addressed to the User.
§ 24. Security of personal data
-
1.
The Controller applies appropriate technical and organisational measures aimed at protecting personal data against loss, destruction, unauthorised disclosure, modification, unauthorised access or other unlawful processing.
-
2.
Data protection measures are selected taking into account the nature, scope, context and purposes of the processing, the risk of infringement of the rights or freedoms of data subjects, the state of technical knowledge and the cost of implementation.
-
3.
The Controller may use in particular measures such as:
-
1)
access control to systems and data,
-
2)
encryption of data transmission,
-
3)
user authentication and session management,
-
4)
event monitoring and logging mechanisms,
-
5)
backups and measures ensuring business continuity,
-
6)
limiting the scope of access to data according to roles and need-to-know,
-
7)
procedures for responding to incidents and security breaches.
-
-
4.
Despite the use of appropriate security measures, use of the Internet and digital services is never completely risk-free. The Controller recommends that Users apply their own security measures, including strong passwords, 2FA, up-to-date software and a secure working environment.
-
5.
If a personal data breach is identified, the Controller will take the actions required by applicable law, including, if necessary, making appropriate notifications and reports.
§ 25. Data of children and minors
-
1.
As a rule, the Specteron Service and Services are not directed to children or persons under 18 years of age, unless the nature of a given function or a separate offer indicates otherwise.
-
2.
The Controller does not intend to knowingly collect the personal data of children without an appropriate legal basis, including, where required by law, without the consent or authorisation of a legal representative.
-
3.
If the Controller receives credible information that the data of a minor has been obtained in breach of the law or without the required basis, the Controller may take appropriate actions, including deleting such data, restricting its processing or requesting additional explanations.
-
4.
Persons who believe that a child or a minor has provided the Controller with personal data unlawfully should contact the Controller using the details indicated in this Privacy Policy.
§ 26. Changes to the Privacy Policy
-
1.
The Controller may amend this Privacy Policy for important reasons, in particular in the event of:
-
1)
a change in the law or the manner of its interpretation,
-
2)
a change in the operation of the Service or the Services,
-
3)
implementation of new functions, technologies, Integrations, analytics tools or AI models,
-
4)
a change in the service providers used in providing the Services,
-
5)
the need to clarify the content of the Privacy Policy.
-
-
2.
The Controller may give notice of changes to the Privacy Policy by publishing a new version of the document in the Service, by a notice in the user panel, by e-mail or through another customary communication channel.
-
3.
The new version of the Privacy Policy applies from the date indicated in its content, subject to the fact that changes resulting solely from a legal obligation, technical matters or changes beneficial to data subjects may apply from the date of publication or another date required by law.
-
4.
In the event of significant changes relating to the scope, purposes or legal bases of data processing, the Controller will take appropriate information measures adequate to the nature of the relationship with the data subjects.
§ 27. Final provisions
-
1.
This Privacy Policy applies to the processing of personal data related to the Specteron Service and Services, unless a separate document governing data protection matters has been published or agreed for a specific function, offer, Integration, marketplace, enterprise service or legal relationship.
-
2.
In matters not regulated by this Privacy Policy, the relevant provisions of generally applicable law apply, in particular the GDPR, the Act on the Protection of Personal Data and other legal acts concerning privacy, electronic communications and digital services.
-
3.
If any provision of this Privacy Policy proves invalid, ineffective or unenforceable, this does not affect the validity of the remaining provisions, unless the circumstances indicate that without that provision the document would not have been adopted.
-
4.
This Privacy Policy is drawn up in Polish. The Controller may also make foreign-language versions available; however, in the event of interpretative discrepancies, the Polish version prevails unless mandatory provisions of law provide otherwise.
-
5.
This Privacy Policy enters into force on: [EFFECTIVE DATE].
-
6.
Before production publication, this Privacy Policy requires completion in particular with:
-
1)
the Controller's full details,
-
2)
the final contact details for privacy matters,
-
3)
the effective date,
-
4)
references to the final Cookie Policy, Terms of Service, DPA and other accompanying documents,
-
5)
final information about providers and data transfers, if the Controller decides to indicate them in more detail.
-