Privacy Policy

§ 1. General Information

1. This Privacy Policy (hereinafter: the "Policy") sets out the rules for processing personal data and other information in connection with the use of the website available at https://syntropicsignal.ai (hereinafter: the "Website") operated by VECTORLENS Sp. z o.o. with its registered office in Poland, entered in the Register of Entrepreneurs of the National Court Register under KRS number 0001190119, NIP 0001190119, e-mail: hello@syntropicsignal.ai (hereinafter: the "Controller").
2. The Website is an informational and contact interface presenting the Controller's services. The Website does not offer any online product or software service; its primary function is to provide information and to enable visitors to contact the Controller, including through an embedded third-party scheduling widget.
3. The Controller processes personal data in accordance with applicable provisions of law, in particular:
   • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR");
   • the Polish Act on the Protection of Personal Data of 10 May 2018;
   • the Polish Act on the Provision of Services by Electronic Means of 18 July 2002;
   • the Polish Telecommunications Law of 16 July 2004 (Articles 173 and 174);
   • Directive 2002/58/EC of the European Parliament and of the Council (the "ePrivacy Directive").

§ 2. Categories of Processed Data

1. Data provided voluntarily in connection with enquiries and booking — including, in particular, given name, family name, e-mail address, telephone number (if provided), and the content of the message or scheduling form submitted by the data subject.
2. Data collected automatically in server logs — including IP address, user agent string, request timestamp, URL of the resource requested, and HTTP referrer.
3. Data collected by means of cookies and similar technologies — as described in detail in the Cookie Policy, which forms an integral part of this Policy.
4. Aggregated analytical data — collected by means of a privacy-preserving, cookieless analytics tool, without the use of profiling and without the collection of personally identifiable information.

§ 3. Purposes and Legal Bases of Processing

1. Responding to enquiries and handling discovery-call bookings — on the basis of Article 6(1)(b) GDPR (steps taken at the data subject's request prior to entering into a contract) and Article 6(1)(f) GDPR (the Controller's legitimate interest in responding to enquiries and maintaining business communication).
2. Ensuring the technical operation, security, and integrity of the Website, including abuse prevention and troubleshooting — on the basis of Article 6(1)(f) GDPR (legitimate interest).
3. Compliance with legal obligations imposed on the Controller, including retention of accounting and tax records — on the basis of Article 6(1)(c) GDPR.
4. Aggregated statistical analysis of Website traffic by means of a privacy-preserving, cookieless analytics tool — on the basis of Article 6(1)(f) GDPR (the Controller's legitimate interest in measuring the performance and usage of the Website, where such processing does not involve cookies, profiling, or the identification of individual data subjects).

§ 4. Recipients of Data

1. Personal data may be disclosed to the following categories of recipients, acting either as independent controllers or as processors acting on the Controller's behalf:
   • providers of hosting, cloud infrastructure, and IT maintenance services engaged by the Controller;
   • Calendly LLC (United States) — in respect of data provided through the scheduling widget embedded on the Website, where Calendly acts as a processor on the Controller's behalf;
   • Cloudflare, Inc. (United States) — in respect of technical data processed in connection with the provision of content delivery, security, and privacy-preserving analytics services for the Website, where Cloudflare acts as a processor on the Controller's behalf;
   • public authorities and bodies entitled to receive such data on the basis of generally applicable provisions of law.
2. The Controller does not sell personal data and does not disclose it to parties other than those listed above.

§ 5. Transfers of Data Outside the European Economic Area

1. Personal data may be transferred to third countries, in particular to the United States, exclusively where one of the following safeguards applies:
   • an adequacy decision issued by the European Commission pursuant to Article 45 GDPR (including, where applicable, the EU–U.S. Data Privacy Framework);
   • standard contractual clauses approved by the European Commission pursuant to Article 46(2)(c) GDPR;
   • other appropriate safeguards within the meaning of Article 46 GDPR.
2. In respect of transfers to the United States, the Controller relies primarily on the certification of recipients under the EU–U.S. Data Privacy Framework or on equivalent mechanisms ensuring an adequate level of protection.

§ 6. Retention Periods

1. Data provided in connection with enquiries and scheduling is retained for the period necessary to handle the enquiry and for a reasonable period thereafter for the purpose of maintaining business correspondence, and in any event for no longer than 24 months from the date of last contact, unless further retention is required by applicable law.
2. Server log data is retained for a period not exceeding 30 days, subject to extension where necessary for the investigation of security incidents.
3. Data processed on the basis of consent is retained until consent is withdrawn or the purpose of processing ceases to apply, whichever is earlier.
4. Accounting and tax records are retained for the periods prescribed by the applicable provisions of Polish tax law.

§ 7. Rights of Data Subjects

1. The data subject has the right:
   • to access their personal data and to obtain a copy thereof (Article 15 GDPR);
   • to request rectification of inaccurate data or completion of incomplete data (Article 16 GDPR);
   • to request erasure of personal data (Article 17 GDPR);
   • to request restriction of processing (Article 18 GDPR);
   • to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another controller (Article 20 GDPR);
   • to object, on grounds relating to the data subject's particular situation, to processing based on legitimate interest (Article 21 GDPR);
   • to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal (Article 7(3) GDPR).
2. To exercise any of the rights referred to above, the data subject may contact the Controller at hello@syntropicsignal.ai.
3. The data subject has the right to lodge a complaint with a supervisory authority, in particular the Polish President of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych), or with the supervisory authority competent for the data subject's place of habitual residence, place of work, or place of the alleged infringement.

§ 8. Voluntariness of Providing Data

1. Provision of personal data is voluntary. Refusal to provide data necessary for responding to an enquiry or for arranging a scheduled call may, however, prevent the Controller from handling such a request.

§ 9. Automated Decision-Making and Profiling

1. The Controller does not carry out decision-making that is based solely on automated processing, including profiling, that produces legal effects concerning the data subject or similarly significantly affects the data subject within the meaning of Article 22 GDPR.

§ 10. Security of Processing

1. The Controller applies technical and organisational measures appropriate to the risks associated with the processing of personal data, within the meaning of Article 32 GDPR, including encryption of data in transit, access controls, logging, back-ups, and ongoing monitoring of the Controller's infrastructure.

§ 11. Amendments to the Policy

1. The Controller reserves the right to amend this Policy, in particular in the event of changes in applicable law, changes in the Controller's infrastructure or the services it uses, or guidance issued by competent supervisory authorities.
2. The effective date of each version of the Policy shall be indicated at the top of this document.

§ 12. Contact

1. In all matters relating to the protection of personal data, the data subject may contact the Controller in writing at its registered address or by e-mail at hello@syntropicsignal.ai.