Privacy Policy
Last Updated: April 11, 2026 · Effective Date: April 11, 2026 · Version 2026.1
1. Who We Are — Data Controller
The controller of your personal data within the meaning of Article 4(7) GDPR is:
2. Personal Data We Collect
2.1 Data You Provide Directly
- Contact and enquiry data: name, email address, company name, and any information you include in messages sent to us via the contact form or by email.
- Account data (if applicable): username, email address, password hash, and account preferences.
- Commercial correspondence: content of emails and messages exchanged in the course of business negotiations or support.
2.2 Data Collected Automatically
- Technical data: IP address (anonymized or pseudonymized where technically feasible), browser type and version, operating system, device type, screen resolution, referring URL.
- Usage data: pages visited, time spent on pages, clicks, scroll depth, and navigation paths — collected via analytics tools only with your consent.
- Log data: server access logs retained for security and fraud prevention purposes.
2.3 Data We Do Not Collect
We do not intentionally collect special categories of personal data (Article 9 GDPR), including data concerning health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, or data concerning sexual orientation. Please do not send us such data unless explicitly requested.
3. Purposes and Legal Bases for Processing
Under Article 13(1)(c) GDPR, we are required to inform you of the specific purpose and legal basis for each processing activity. The table below sets out our processing activities in full:
| Purpose | Data categories | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Responding to enquiries and providing support | Contact data, correspondence content | Art. 6(1)(b) & (f) |
| Providing and maintaining the Service | Account data, technical data, usage data | Art. 6(1)(b) |
| Website analytics and performance monitoring | Usage data, technical data, cookie identifiers | Art. 6(1)(a) — consent |
| Security, fraud prevention, and abuse detection | IP address (pseudonymized), log data | Art. 6(1)(f) — legitimate interest |
| Compliance with legal obligations | Any data necessary to comply with applicable law | Art. 6(1)(c) |
| Direct marketing communications | Name, email address | Art. 6(1)(a) — consent |
| Sending transactional and service notifications | Name, email address, account data | Art. 6(1)(b) |
3.1 Legitimate Interests Assessment
Where we rely on Article 6(1)(f) GDPR (legitimate interests), we have determined that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests at any time — see Section 7 below.
3.2 Withdrawal of Consent
Where processing is based on your consent (Article 6(1)(a) GDPR), you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw consent, contact us at legal@cardiac-purr.com or use the preference centre on our Cookie Policy page.
4. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). Where personal data is transferred to third countries, we ensure an adequate level of protection through one or more of the following mechanisms:
- EU–US Data Privacy Framework (DPF): The adequacy decision was upheld by the EU General Court on 3 September 2025 (Case T-553/23, Latombe v. Commission). An appeal was filed before the CJEU on 31 October 2025 and remains pending. The DPF adequacy decision remains fully operative during the appeal proceedings. We maintain Standard Contractual Clauses as a parallel safeguard for all US transfers.
- Standard Contractual Clauses (SCCs): European Commission Decision 2021/914 of 4 June 2021 — Module 2 (controller to processor) or Module 1 (controller to controller) as applicable.
- Transfer Impact Assessments (TIAs) are conducted for all third-country transfers in accordance with EDPB Recommendations 01/2020.
5. Recipients of Personal Data
We do not sell your personal data. We share personal data only with:
5.1 Service Providers (Data Processors)
We engage the following categories of processors who act under our instructions and are bound by data processing agreements pursuant to Article 28 GDPR:
- Hosting and infrastructure providers — for website hosting and storage
- Analytics providers (Google Analytics 4) — for website analytics, subject to your consent
- CDN and security providers (Cloudflare) — for content delivery and DDoS protection
- Email and communication providers — for transactional and support communications
- Payment processors (Stripe) — for processing payments, where applicable
6. Retention Periods
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with Article 5(1)(e) GDPR (storage limitation principle):
- Contact and enquiry data: 3 years from the date of last communication, unless a contractual relationship arises.
- Account data: Duration of the account plus 2 years after account deletion.
- Analytics data: Maximum 14 months (Google Analytics 4 retention setting).
- Security logs: Maximum 12 months from the date of the logged event.
- Financial and invoicing records: 5 years from the end of the tax year.
- Consent records: 3 years from the date on which consent was collected.
7. Your Rights as a Data Subject
Under Articles 15–22 GDPR and Polish data protection law, you have the following rights. All requests must be directed to legal@cardiac-purr.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with prior notification — Article 12(3) GDPR).
- Obtain confirmation of whether we process your data and receive a copy of that data.
- Request correction of inaccurate personal data or completion of incomplete data.
- Request deletion of your personal data. This right was an EDPB 2025 coordinated enforcement priority.
- Request that we restrict processing while accuracy is contested or an objection is pending.
- Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Object at any time to processing based on legitimate interests or for direct marketing purposes.
8. Cookies and Tracking Technologies
We use cookies and similar technologies on our website. For full details of the cookies we use, the legal basis for each, and how to manage your preferences, please refer to our Cookie Policy.
Essential cookies are placed without consent on the basis of Article 5(3) of the ePrivacy Directive (strictly necessary exception). All other cookies require your prior, freely given, specific, informed, and unambiguous consent.
9. Children's Privacy
Our Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will delete it promptly. If you believe we have collected data from a child under 16, please contact us at legal@cardiac-purr.com.
10. Security Measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including:
- Encryption of data in transit using TLS 1.3
- Encryption of data at rest using AES-256 where applicable
- Pseudonymization and access control policies
- Regular security assessments and penetration testing
- Staff data protection training
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our processing activities, applicable law, or regulatory guidance. The “Last Updated” date at the top of this page indicates when the Policy was last revised.
We will notify you of material changes by email (where we hold your email address) or by a prominent notice on our website at least 30 days before the changes take effect.
12. Contact Us
For any questions, requests, or complaints regarding this Privacy Policy or our processing of your personal data, please contact our Data Protection Officer:
If you are not satisfied with our response, you have the right to lodge a complaint with the Polish supervisory authority UODO (uodo.gov.pl) or with the supervisory authority of your country of habitual residence.