Privacy Policy
Last updated: 2026-05-18
Note: The legally binding version is the Polish-language policy at /pl/polityka-prywatnosci. This English version is a courtesy translation for international visitors.
1. Data Controller
Studio Kreatywne Mateusz Pawluk
NIP (Polish tax ID): 8393015674
Mosty, Poland
Contact: kontakt@pawlukstudio.pl
Sole proprietorship registered in CEIDG (Polish Central Business Registry). The pawlukstudio.pl brand is the personal layer of this business (operator's portfolio + contact). All GDPR obligations rest with Studio Kreatywne Mateusz Pawluk.
No Data Protection Officer (DPO) appointed; contact for data protection matters: kontakt@pawlukstudio.pl.
2. What data we collect
2.1. Contact form (footer)
- Name: to personalize replies
- Email: to reply
- Message content: to understand your inquiry
Purpose: answering your inquiry, potential collaboration. Legal basis: GDPR art. 6(1)(b) (pre-contractual measures) + art. 6(1)(f) (legitimate interest). Retention: up to 24 months from last contact (5 years if a contract is signed - Polish Accounting Act).
2.2. AI estimation calculator (/estimate)
When you fill in the calculator: project description, industry, type and features are sent to the Google Gemini API (gemini-3-flash-preview) to generate an estimate.
When you book a follow-up call: name, email, phone and the full estimate breakdown are sent to the operator via Discord webhook.
Purpose: estimate generation, post-estimate contact. Legal basis: GDPR art. 6(1)(b). Retention: unbooked estimates not stored; booked ones up to 24 months in operator's Discord. Note: Google Gemini API has its own prompt processing policy. Anonymize sensitive data in project descriptions.
2.3. Analytics (3 layers)
a) Umami v3 (self-hosted): cookieless, anonymous, no consent required. Legal basis: GDPR art. 6(1)(f).
b) Google Analytics 4 (G-0PX8PYM46H): cookies, consent required (via Cookiebot). Legal basis: GDPR art. 6(1)(a).
c) ContentSquare: qualitative analytics (heatmaps, session replays). Consent required.
Withdraw consent: cookie icon in footer → "Change consents".
2.4. Server logs (Vercel)
Standard hosting logs: IP, user-agent, timestamp, URL. Retention up to 30 days.
3. Data recipients
| Recipient | Purpose | Location | Transfer basis |
|---|---|---|---|
| Vercel Inc. | Hosting, server logs | USA | SCC, Vercel DPA |
| Discord Inc. | Form notifications | USA | SCC, Discord Privacy |
| Sanity.io | CMS for blog | USA | SCC |
| Google LLC | Gemini API, GA4 | USA | SCC |
| Cybot A/S (Cookiebot) | CMP | Denmark (EU) | n/a (EU) |
| ContentSquare | Qualitative analytics | France (EU) | n/a (EU) |
| Umami (self-hosted) | Analytics | USA (Vercel) | as Vercel |
We do not sell, exchange or share data with marketers or data brokers.
4. Your rights (GDPR art. 15-22)
- Access (art. 15)
- Rectification (art. 16)
- Erasure (art. 17)
- Restriction of processing (art. 18)
- Portability (art. 20)
- Objection to legitimate-interest processing (art. 21)
- Withdraw consent anytime
- Complaint to Polish DPA (Prezes UODO, uodo.gov.pl)
Contact: kontakt@pawlukstudio.pl. Response within 30 days.
5. Cookies
Details: Cookies Policy.
6. Security
HTTPS (TLS 1.3, Vercel-managed cert), strong passwords + 2FA, no DB persistence for form data (Discord notifications only), regular dependency updates.
7. Changes
Last updated at top. Material changes notified via banner.