Privacy Policy
Last updated: May 14, 2026. Version 2.1.
1. Data Controller
The controller of your personal data is:
Viking Potatoes sp. z o.o.
ul. Krypska 25/9, 04-082 Warszawa, Poland
KRS: 0000648228 | NIP: 5862312148
Email: ratunku@chcedointernetu.pl
Tel.: +48 732 067 200
The Controller has not appointed a Data Protection Officer, as there is no obligation under Art. 37 of the GDPR (the Controller is not a public authority, does not carry out large-scale monitoring, nor does it process special categories of data on a large scale). For all matters related to personal data protection, please contact us at: ratunku@chcedointernetu.pl.
2. Legal Basis
We process personal data in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR)
- Polish Act of 18 July 2002 on the Provision of Electronic Services
- Polish Act of 16 July 2004 - Telecommunications Law (Art. 173 - cookies)
3. Purposes and Legal Bases of Data Processing
| Processing Purpose | Legal Basis | Retention Period |
|---|---|---|
| Contact form - responding to inquiries, preparing quotations | Art. 6(1)(b) GDPR (steps prior to entering into a contract) or Art. 6(1)(f) (legitimate interest - responding to an inquiry) | Until the end of correspondence, max. 3 years from last contact |
| Project brief - analyzing client needs, preparing an offer | Art. 6(1)(b) GDPR (steps prior to entering into a contract) | Until the end of the proposal process or 1 year from brief submission |
| Website assessment quiz - needs diagnosis, service suggestions | Art. 6(1)(f) GDPR (legitimate interest - direct marketing) | Until cookie expiration or 1 year |
| Free GEO audit - analysis of website visibility in AI search engines (ChatGPT, Perplexity, Gemini). This service uses a double opt-in mechanism - full audit results are made available only after confirming your email address by clicking a verification link. We only accept business email addresses (not gmail, wp.pl, etc.). Temporary email addresses (tempmail) are automatically rejected. | Art. 6(1)(a) GDPR (consent - email address confirmation via verification link) and Art. 6(1)(f) (legitimate interest - diagnosing client needs) | Audit results and sharing link: 30 days. Email address: until consent withdrawal or 2 years from last contact. Anonymous data (results without email): 1 year |
| Web analytics - website traffic analysis, improving service quality | Art. 6(1)(f) GDPR (legitimate interest) - only after consent for analytical cookies is given | Until cookie expiration (max. 26 months for Google Analytics) |
| Marketing - remarketing, measuring campaign effectiveness | Art. 6(1)(a) GDPR (consent given by accepting marketing cookies) | Until cookie expiration or consent withdrawal |
| Contract performance - providing services, issuing invoices | Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) (legal obligation - tax regulations) | Duration of the contract + 5 years (tax regulations) or until claims become time-barred |
4. What Data We Collect
Depending on the method of contact, we collect:
- Contact form: name, email address, phone number (optional), message content
- Project brief: company name, contact person, email, phone, project description, budget, attachments
- Quiz: answers to questions, assessment result, email (if provided)
- GEO audit (free tool): URL of the analyzed website, audit results (AI visibility scoring), business email address (required to unlock full results). We use a double opt-in mechanism - full results are made available only after confirming the email address by clicking a verification link sent to the provided address. We only accept business email addresses. We verify domain existence (MX record check). The IP address is hashed (SHA-256) and stored in irreversible form. The results link expires after 30 days
- Automatically: IP address, browser type, operating system, visit time, visited pages (server logs and analytical cookies)
4a. Data Source
We obtain personal data exclusively directly from the data subjects - via the contact form, project brief, quiz, GEO audit, email correspondence, or phone calls. We do not obtain personal data from other sources.
5. Data Recipients
Your data may be transferred to the following categories of recipients:
| Recipient | Purpose | Transfer Outside EEA |
|---|---|---|
| Cloudflare, Inc. (USA) | Website hosting (Workers), CDN, attack protection, CAPTCHA verification (Turnstile), file storage (R2) | Yes - USA, based on Standard Contractual Clauses (SCC) and Cloudflare Data Processing Addendum |
| Google LLC (USA) | Analytics (Google Analytics 4), advertising (Google Ads), Google Consent Mode v2 | Yes - USA, based on Data Privacy Framework (DPF) and SCC |
| Microsoft Corporation (USA) | User behavior analytics (Microsoft Clarity) - heatmaps, session recordings, click and scroll analysis | Yes - USA, based on Microsoft Data Processing Addendum and SCC |
| Resend, Inc. (USA) | Sending email notifications from contact forms, auto-replies, and verification emails from the GEO audit tool (double opt-in) | Yes - USA, based on SCC |
We do not sell personal data to third parties. We only transfer data to the extent necessary to fulfill the purposes listed above.
6. Cookies
The website uses cookies. Before saving analytical and marketing cookies on your device, we display a consent banner compliant with Consent Mode v2 requirements.
Cookie Categories
| Category | Name | Purpose | Expires |
|---|---|---|---|
| Necessary (always active) | cc_cookie | Storing your cookie preferences | 1 year |
astro-session | Admin session (administrators only) | Session | |
| Analytical (require consent) | _ga | Google Analytics - unique user identification | 2 years |
_gid | Google Analytics - daily user identification | 24 hours | |
_clck | Microsoft Clarity - user identification, heatmaps and session recordings | 1 year | |
_clsk | Microsoft Clarity - maintaining analytics session | 1 day | |
| Marketing (require consent) | _fbp | Facebook Pixel - browser identification for ads | 3 months |
_fbc | Facebook - ad click tracking | 3 months | |
_gcl_au | Google Ads - ad conversion tracking | 90 days |
You can change your cookie settings at any time by clicking the Cookie settings button in the page footer or by changing your browser settings. Deleting analytical and marketing cookies does not affect the website's functionality.
7. Google Consent Mode v2
We use Google Consent Mode v2, which ensures that Google Analytics and Google Ads respect your cookie choices. By default, all consents are set to denied - only after your active consent do we change them to granted.
8. Data Security
- The connection to the website is encrypted using SSL/TLS protocol
- Form data is stored in a Cloudflare D1 database with at-rest encryption
- Files attached to briefs are stored in Cloudflare R2 with access control
- Form verification is performed using Cloudflare Turnstile (invisible CAPTCHA, without collecting personal data)
- Access to the admin panel is secured with passkey authentication (WebAuthn)
9. Your Rights
Under the GDPR, you have the following rights:
- Right of access to your data (Art. 15 GDPR)
- Right to rectification of inaccurate data (Art. 16)
- Right to erasure - "right to be forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing based on legitimate interest (Art. 21)
- Right to withdraw consent at any time - without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3))
- Right to lodge a complaint with the supervisory authority - Prezes Urzedu Ochrony Danych Osobowych (ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl)
To exercise your rights, please write to us at ratunku@chcedointernetu.pl. We will respond within 30 days.
10. Profiling
As part of analytical and marketing services (Google Analytics 4, Microsoft Clarity, Meta Pixel), we collect data about on-site behavior, location, and device type. This data is purely statistical and is used to optimize the Website and advertising campaigns.
We do not make decisions based solely on automated processing, including profiling, that would produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR).
11. Policy Changes
We reserve the right to update this privacy policy. We will notify you of significant changes through the website. We recommend regularly reviewing the contents of this policy.