This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR/RODO) and applicable Polish data protection laws.

2. Personal Data We Collect

We collect and process the following types of personal data:

2.1 Account Information
  • First name and last name
  • Email address
  • Company affiliation
  • Job role/position
  • Account credentials (encrypted password)
2.2 Feedback and Assessment Data
  • Peer feedback comments and ratings
  • Performance assessment scores
  • Campaign participation records
  • Timestamps of feedback submissions
2.3 Technical Data
  • IP address
  • Browser type and version
  • Device information
  • Login timestamps and activity logs
  • Cookies (see Section 10)

3. Legal Basis for Processing

We process your personal data based on the following legal grounds (GDPR Article 6):

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the peer feedback service you've signed up for
  • Consent (Art. 6(1)(a)): Where you've explicitly consented, such as for marketing communications
  • Legitimate Interests (Art. 6(1)(f)): For platform security, fraud prevention, and service improvement
  • Legal Obligation (Art. 6(1)(c)): When required by law, such as tax or accounting obligations

4. How We Use Your Personal Data

We use your personal data for the following purposes:

  • Service Provision: To create and manage your account, facilitate peer feedback, and generate performance reports
  • Communication: To send service-related notifications, campaign invitations, and respond to your inquiries
  • Security: To protect against fraud, unauthorized access, and abuse of the platform
  • Analytics: To understand usage patterns and improve service quality (using anonymized/aggregated data)
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your data with:

  • Your Company: Feedback and assessment data is accessible to authorized administrators within your organization
  • Service Providers: Third-party providers who assist with hosting, email delivery, and analytics (bound by data processing agreements)
  • Legal Authorities: When required by law, court order, or to protect our legal rights

All third-party processors are contractually obligated to protect your data in accordance with GDPR requirements.

6. International Data Transfers

Your personal data is stored on servers located in [Specify: EU/EEA or specific country]. If we transfer data outside the EU/EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Transfers to countries with adequacy decisions
  • Other legally recognized transfer mechanisms

7. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

  • Account Data: Retained while your account is active and for 12 months after account termination (unless you request earlier deletion)
  • Feedback Data: Retained for 24 months after campaign completion for analytics and historical purposes
  • Financial Records: Retained for 5 years as required by Polish tax law
  • Security Logs: Retained for 12 months for security and abuse prevention

After the retention period, personal data is securely deleted or anonymized.

8. Your Rights Under GDPR/RODO

You have the following rights regarding your personal data:

8.1 Right to Access (Article 15)

You can request a copy of all personal data we hold about you, including information about how it's processed.

8.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there's no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed

Note: We may retain certain data if required by law or for legitimate business purposes (e.g., financial records, security logs).

8.4 Right to Restriction of Processing (Article 18)

You can request limitation of data processing in certain circumstances, such as while we verify data accuracy.

8.5 Right to Data Portability (Article 20)

You can receive your personal data in a structured, commonly used format and transmit it to another controller.

8.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the supervisory authority:

President of the Personal Data Protection Office (UODO)
Address: ul. Stawki 2, 00-193 Warsaw, Poland
Website: uodo.gov.pl

How to Exercise Your Rights

To exercise any of these rights, please contact us through our contact page or email us directly. We will respond within 30 days.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption: Data in transit (HTTPS/TLS) and at rest (database encryption)
  • Access Controls: Role-based access and multi-factor authentication for administrators
  • Regular Security Audits: Vulnerability assessments and penetration testing
  • Employee Training: Staff trained on data protection and security best practices
  • Secure Hosting: Servers in secure, certified data centers
  • Backup and Recovery: Regular encrypted backups with disaster recovery procedures

In the event of a data breach affecting your personal data, we will notify you and the supervisory authority within 72 hours as required by GDPR.

10. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Essential Cookies: Required for login, session management, and security (cannot be disabled)
  • Analytics Cookies: To understand usage patterns and improve our service (can be disabled)
  • Preference Cookies: To remember your settings and preferences

You can control cookies through your browser settings. Disabling essential cookies may impact platform functionality.

11. Children's Privacy

Our service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we've collected data from a child, we will delete it promptly.

12. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any analytics performed use aggregated, anonymized data and do not result in automated decisions about individuals.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Email notification to your registered email address
  • Prominent notice on the platform
  • Updating the "Last Updated" date below

For significant changes affecting your rights or how we process your data, we will seek your explicit consent where required by law.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights:

For urgent security concerns, please contact us immediately.


Last updated: February 13, 2026