§1. Data controller
The controller of your personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) is Pol-Med Sp. z o.o., with its registered office at ul. Leśna 38, 86-031 Osielsko, Poland, NIP 9671167341, REGON 093140846, BDO 000638650.
You can contact the Controller about any matter concerning the processing of personal data: by email at biuro@pol-med.tech, by phone at +48 525 000 260 (8:00–16:00), or in writing at the registered office address.
The Company has not appointed a Data Protection Officer — it is not required to do so under Article 37 GDPR. All data protection inquiries are handled directly by the Controller.
§2. What data we collect
Data submitted via contact forms: first and last name, company name, email address, phone number, message content, and inquiry-specific parameters (educational station type, UCO collection location, tool category, etc.). Required fields are clearly marked — others are optional.
Technical data automatically logged by the server: IP address, timestamp, browser type, operating system, country (derived from IP), and the requested URL. Logs are used for security, diagnostics, and traffic analysis.
The Site does not use cookies for user tracking. Vercel Analytics — the analytics tool used by the Company — operates in a cookieless mode and does not build user profiles. The only local data stored in your browser are: (a) a sessionStorage entry under the key `pmv4-preloaded` used to show the welcome animation once per session, and (b) a localStorage entry storing your theme preference (light/dark/system). Neither entry is transmitted to the server.
§3. Purpose and legal basis of processing
Data submitted via contact forms is processed for: (a) responding to the inquiry and preparing a commercial offer — legal basis: Article 6(1)(b) GDPR (steps taken to enter into a contract at the request of the data subject); (b) conducting commercial correspondence and maintaining the business relationship — legal basis: Article 6(1)(f) GDPR (legitimate interest of the Controller in developing its business).
Server logs are processed to ensure the security of the Site and to detect abuse — legal basis: Article 6(1)(f) GDPR (legitimate interest of the Controller in protecting its infrastructure and limiting spam).
The GDPR checkbox on the contact forms confirms that you have read this Privacy Policy. It is not a separate marketing consent — the Company does not send automated newsletters or promotional materials without an explicit, separate request.
§4. Data retention period
Data submitted in commercial inquiries is retained for 24 months from the last contact — this period reflects the typical investment cycle in our B2B segment (funding application preparation → project delivery). After this period the data is deleted or anonymised.
If a contract is concluded, data is retained for the duration of the contract and for 6 years thereafter — this period derives from Polish tax legislation (Article 86 § 1 of the Tax Ordinance) and the Accounting Act.
Server logs are retained for 90 days and automatically deleted thereafter. Longer retention occurs only in case of an active security incident or a request from a competent authority.
§5. Data recipients — processors
The Company entrusts the processing of personal data to the following entities (processors) on the basis of data processing agreements concluded in accordance with Article 28 GDPR:
Vercel Inc. (USA) — the Site's hosting provider. Data is stored in Vercel infrastructure within European regions. Vercel participates in the Data Privacy Framework (DPF) which provides an adequate level of protection for data transferred to the United States.
Resend Inc. (USA) — provider of transactional email delivery. Resend processes data solely for the purpose of delivering messages originating from the contact forms. Resend also participates in the DPF programme.
Data may also be disclosed to competent public authorities (law enforcement, courts, tax authorities) upon their written, justified request, to the extent required by law. The Company does not sell, rent, or disclose personal data for marketing purposes to third parties.
§6. Data subject rights
In accordance with Articles 15–22 GDPR, you have the right to: access your data and receive a copy of it, rectify (correct) inaccurate data, erase your data (the "right to be forgotten"), restrict processing, and port your data to another controller in a structured, commonly used format.
You also have the right to object to processing based on the Controller's legitimate interest (Article 21 GDPR) and the right to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
To exercise any of the above rights, contact the Controller at biuro@pol-med.tech. We respond without undue delay and no later than within one month of receiving the request (Article 12(3) GDPR).
You also have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warszawa, Poland, www.uodo.gov.pl) if you believe that the processing of your personal data violates the GDPR.