Privacy Policy

The controller of your personal data is RunProven AI Sp. z o.o., with its registered office at [registered street & number], [postal code] [city], Poland. Registered in the National Court Register (KRS) under number [KRS pending], NIP [NIP pending], REGON [REGON pending], share capital [share capital PLN] PLN.

For all data-protection matters you may contact us at [email protected]. We have not appointed a Data Protection Officer as we are not required to do so under Art. 37 GDPR; privacy enquiries are handled directly by the controller.

Contact form: full name, email, company name, your inquiry, how you heard about us, source/UTM parameters, referrer URL, submission timestamp.

Newsletter & lead-magnet: email address, first name (optional), locale, explicit consent flag and timestamp.

Technical data: IP address (ephemeral, used for security and to derive approximate country), browser user-agent, pages viewed (via Plausible — cookieless, aggregated).

With your explicit consent: advertising-platform identifiers set by Google Ads, LinkedIn Insight Tag, and Meta Pixel for conversion measurement.

(a) To respond to your contact-form enquiry and take pre-contractual steps at your request — Art. 6(1)(b).

(b) To send the newsletter or requested lead-magnet materials — Art. 6(1)(a) consent.

(c) To operate, secure, and analyse our website (cookieless analytics, request logs) — Art. 6(1)(f) legitimate interest in running a functional, safe website.

(d) To comply with accounting and tax law obligations once you become a client — Art. 6(1)(c).

(e) To measure advertising performance via advertising cookies — Art. 6(1)(a) consent, captured through our cookie banner.

Contact-form submissions: 24 months from last interaction, then deleted or anonymised.

Newsletter subscribers: until consent is withdrawn (unsubscribe) plus 30 days for purging.

Lead-magnet sign-ups: 24 months from last interaction.

Accounting records for paying clients: 5 years from end of tax year (Polish Accounting Act).

Web server & security logs: 90 days.

Cookie consent records: 12 months, then the banner is shown again.

We share personal data only with the processors listed below, each bound by a data-processing agreement (GDPR Art. 28). We do not sell personal data.

• Railway Corporation — Website hosting (Next.js application, serverless compute) (EU region (target: eu-west)). Privacy policy: https://railway.com/legal/privacy • Cloudflare, Inc. — DNS, CDN, TLS termination, DDoS protection (Global (EU edge for EU visitors)). Privacy policy: https://www.cloudflare.com/privacypolicy/ • Sendinblue SAS (Brevo) — Transactional email & newsletter delivery (European Union (France)). Privacy policy: https://www.brevo.com/legal/termsofuse/#annex • Attio Ltd. — Customer relationship management (CRM) for lead tracking (United Kingdom (UK adequacy decision)). Privacy policy: https://attio.com/legal/privacy-policy • Plausible Insights OÜ — Cookieless, privacy-friendly website analytics (European Union (Estonia / Germany)). Privacy policy: https://plausible.io/privacy • Google Ireland Ltd. (Google Ads) — Advertising measurement (loaded only with consent) (European Union (Ireland) / USA (SCCs + DPF)). Privacy policy: https://policies.google.com/privacy • LinkedIn Ireland Unlimited Company — LinkedIn Insight Tag — ad conversion (loaded only with consent) (European Union (Ireland) / USA (SCCs + DPF)). Privacy policy: https://www.linkedin.com/legal/privacy-policy • Meta Platforms Ireland Ltd. — Meta Pixel — ad measurement (loaded only with consent) (European Union (Ireland) / USA (SCCs + DPF)). Privacy policy: https://www.facebook.com/privacy/policy/

Where a processor is outside the EEA, transfers rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework or an adequacy decision (UK).

You have the right to: access your data, rectify it, erase it, restrict processing, object to processing based on legitimate interest, withdraw consent at any time, receive your data in a portable format, and not be subject to solely automated decision-making.

To exercise any of these rights, email [email protected]. We respond within 30 days.

You also have the right to lodge a complaint with the Polish supervisory authority — Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl.

Strictly necessary: a localStorage entry `rp_cookie_consent` that remembers your consent choice. No third-party cookies until you accept.

Analytics: Plausible is used without cookies and without processing personal data — it is loaded regardless of consent.

Marketing (consent-only): Google Ads, LinkedIn Insight Tag, and Meta Pixel. These are loaded only after you click "Accept All" in the cookie banner.

See our Cookie Policy for the full list.

Traffic is TLS-encrypted (HTTPS). Access to submission data is restricted to authorised personnel. We follow reasonable technical and organisational measures under GDPR Art. 32, including principle of least privilege, logged access, and regular review of processors.

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing.

Our services are directed at businesses. We do not knowingly collect personal data from anyone under 16.

We may update this Privacy Policy. Material changes will be notified on the website and, for newsletter subscribers, by email. The "Last updated" date at the top reflects the current version.