Privacy Policy

Last updated: 12 June 2026. Version 2.2.

1. Data Controller

The controller of your personal data is:

Viking Potatoes sp. z o.o., ul. Krypska 25/9, 04-082 Warsaw, Poland (registered office). Operational office: ul. Gdańska 39/45, 84-230 Rumia, Poland. KRS 0000648228 | NIP 5862312148 | REGON 365907852. Email: ratunku@chcedointernetu.pl. Phone: +48 732 067 200.

The controller has not appointed a Data Protection Officer, as there is no obligation under Article 37 GDPR (the controller is not a public authority, does not carry out large-scale monitoring, and does not process special categories of data on a large scale). For all matters regarding personal data, please contact us at ratunku@chcedointernetu.pl.

2. Legal basis

We process personal data in accordance with:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).

The Polish Act of 18 July 2002 on the provision of electronic services.

The Polish Electronic Communications Law (Act of 12 July 2024) - regulation of cookies (it replaced the Telecommunications Law, repealed on 10 November 2024).

The Polish Act of 10 May 2018 on personal data protection (national supplement to GDPR).

3. Purposes and legal grounds for processing

Contact form - responding to enquiries, preparing quotes - Article 6(1)(b) GDPR (pre-contractual steps) or (f) (legitimate interest - replying to enquiries). Retention: until correspondence is concluded, max. 3 years from the last contact.

Project brief - analysis of client needs, preparation of offer - Article 6(1)(b) GDPR (pre-contractual steps). Retention: until the offering process is completed or 1 year from brief submission.

Site quiz - needs diagnosis, proposal of services - Article 6(1)(f) GDPR (legitimate interest - direct marketing). Retention: until cookie expiry or 1 year.

Free GEO audit - analysis of the site’s visibility in AI search engines (ChatGPT, Perplexity, Gemini). Uses double opt-in - full audit results are provided only after confirming the email address via a verification link. Only business email addresses are accepted (no gmail, wp.pl, etc.). Temporary addresses (tempmail) are automatically rejected. Article 6(1)(a) GDPR (consent - email confirmation via verification link) and (f) (legitimate interest - client needs diagnosis). Retention: audit results and sharing link: 30 days; email address: until consent withdrawal or 2 years from last contact; anonymous data (results without email): 1 year.

Web analytics - traffic analysis and quality improvement - Article 6(1)(f) GDPR (legitimate interest) - only after consent for analytical cookies. Retention: until cookie expiry (max. 26 months for Google Analytics).

Marketing - remarketing, measuring campaign effectiveness - Article 6(1)(a) GDPR (consent expressed by accepting marketing cookies). Retention: until cookie expiry or consent withdrawal.

Performance of a contract - delivery of services, issuing invoices - Article 6(1)(b) GDPR (performance of a contract) and (c) (legal obligation - tax law). Retention: for the duration of the contract + 5 years (tax law) or until claims are time-barred.

4. Data we collect

Depending on the form of contact we collect:

Contact form: name, email address, phone number (optional), message content.

Project brief: company name, contact person, email, phone, project description, budget, attachments (files provided by the User - if they contain personal data of third parties, e.g. photos of employees, client documents - they are processed solely for the purpose of preparing the quote and offering the service, on the basis of the controller’s legitimate interest in preparing an offer, Article 6(1)(f) GDPR; returned or deleted after the quote within 12 months).

Quiz: answers, score, email (if provided).

GEO audit (free tool): URL of the analysed site, audit results (AI visibility scoring), business email address (required to unlock full results). We apply a double opt-in mechanism - full results are delivered only after confirming the email address via a verification link. We only accept business email addresses. We verify domain existence (MX record check). The IP address is pseudonymised using the SHA-256 hash function. The results link expires after 30 days.

Automatically: IP address, browser type, operating system, visit time, visited subpages (server logs and analytical cookies).

4a. Source of data

We obtain personal data exclusively directly from the persons concerned - via the contact form, project brief, quiz, GEO audit, email correspondence or phone calls. We do not obtain personal data from other sources.

5. Data recipients

Your data may be transferred to the following categories of recipients:

Cloudflare, Inc. (USA) - site hosting (Workers), CDN, attack protection, CAPTCHA verification (Turnstile), file storage (R2). Transfer outside the EEA: yes - USA, on the basis of the Data Privacy Framework (DPF), standard contractual clauses (SCC) and the Cloudflare Data Processing Addendum.

Google LLC (USA) - analytics (Google Analytics 4), ads (Google Ads), Google Consent Mode v2. Transfer outside the EEA: yes - USA, on the basis of the Data Privacy Framework (DPF) and SCC.

Microsoft Corporation (USA) - user behaviour analytics (Microsoft Clarity) - heatmaps, session recordings, click and scroll analysis. Transfer outside the EEA: yes - USA, on the basis of the Data Privacy Framework (DPF), the Microsoft Data Processing Addendum and SCC.

Meta Platforms Ireland Ltd. (Ireland) with transfer to Meta Platforms, Inc. (USA) - Facebook Pixel - remarketing, measurement of Meta Ads campaign conversions, ad targeting. Transfer outside the EEA: yes - USA; Meta Platforms, Inc. is an active participant in the Data Privacy Framework (DPF).

Resend, Inc. (USA) - sending of notification emails from contact forms, auto-responses and verification emails from the GEO audit tool (double opt-in). Transfer outside the EEA: yes - USA, on the basis of standard contractual clauses (SCC).

We do not sell personal data to third parties. We transfer data only to the extent necessary to achieve the listed purposes.

5a. Entrusting of processing in paid services

In the course of providing paid services (in particular: creation and operation of websites, online stores, running Google Ads and Meta Ads campaigns, marketing automation), the Controller may process personal data on behalf of and for the Client (Client’s clients, Client’s newsletter subscribers, leads from Client’s ad campaigns, etc.).

Such processing takes place exclusively on the basis of a separate data processing agreement concluded pursuant to Article 28 GDPR, which sets out:

the subject matter and duration of the processing;

the nature and purpose of the processing;

the type of personal data and categories of data subjects;

the obligations and rights of the Client as controller and of Viking Potatoes sp. z o.o. as processor;

the conditions of sub-processing, confidentiality rules and technical and organisational security measures;

the rules of assistance to the controller in fulfilling data subject rights;

the rules for deletion or return of data after the service ends.

A template data processing agreement is available on request sent to ratunku@chcedointernetu.pl.

This Privacy Policy does not govern data processing within such services - the rules are set out in the data processing agreement and in the privacy policy of the Client as controller.

6. Cookies

The site uses cookies. Before saving analytical and marketing cookies on your device, we display a consent banner compliant with Consent Mode v2 requirements. Details are provided in the Cookie Policy.

7. Google Consent Mode v2

We apply Google Consent Mode v2, which ensures that Google Analytics and Google Ads respect your cookie choices. By default all consents are set to denied - only after your active consent are they switched to granted.

8. Data security

Connection to the site is encrypted using SSL/TLS.

Data from forms is stored in a Cloudflare D1 database with at-rest encryption.

Files attached to briefs are stored in Cloudflare R2 with access control.

Form verification uses Cloudflare Turnstile (invisible CAPTCHA, without collecting personal data).

Access to the admin panel is secured with passkey authentication (WebAuthn).

9. Your rights

Under GDPR you have the following rights:

Right of access to your data (Article 15 GDPR).

Right to rectification of inaccurate data (Article 16).

Right to erasure - "right to be forgotten" (Article 17).

Right to restriction of processing (Article 18).

Right to data portability (Article 20).

Right to object to processing based on legitimate interest (Article 21).

Right to withdraw consent at any time - without affecting the lawfulness of processing performed before withdrawal (Article 7(3)).

Right to lodge a complaint with the supervisory authority - the President of the Polish Personal Data Protection Office (uodo.gov.pl, ul. Stawki 2, 00-193 Warsaw).

To exercise your rights, write to us at ratunku@chcedointernetu.pl. We will respond within 30 days.

Identity verification of the applicant: in order to ensure data security and prevent unauthorised access, the Controller may request additional information necessary to confirm the identity of the person submitting the request (Article 12(6) GDPR). Data used for verification is not used for other purposes and is deleted immediately after the verification is completed.

10. Profiling

Within analytics and marketing services (Google Analytics 4, Microsoft Clarity, Meta Pixel) we collect data on behaviour on the site, location and device type. This data is exclusively statistical and serves to optimise the Site and advertising campaigns.

We do not make decisions based solely on automated processing, including profiling, which would have legal effects concerning you or significantly affect you in a similar way (Article 22 GDPR).

11. Changes to this policy

We reserve the right to update this Privacy Policy. We will inform you of material changes via the website. We recommend reviewing the policy periodically.

12. Version history

Version 2.2 (12 June 2026): added REGON; added Meta Platforms among data recipients (Facebook Pixel); added section 5a on entrusting of processing (Article 28 GDPR); updated legal basis for cookies (PKE replaced the Telecommunications Law); updated Data Privacy Framework for Cloudflare, Microsoft and Meta; clarified IP pseudonymisation in the GEO audit; added operational office in Rumia; clarified handling of brief attachments; added information about identity verification of the applicant (Article 12(6) GDPR).

Version 2.1 (14 May 2026): previous version.