The data controller responsible for your personal data is:
Serhii Koval, conducting sole proprietorship business (jednoosobowa działalność gospodarcza) under the firm name "Serhii Koval, Zghraia Software" (hereinafter "Zghraia"), registered in the Central Register and Information on Economic Activity (CEIDG) of the Republic of Poland.
This Privacy Policy describes how we process personal data in connection with:
the websites zghraia.com and its subdomains, including platabymono.zghraia.com;
commercial relationships with our business clients and counterparties (contract performance, invoicing, business correspondence);
communications through our official email addresses (admin@zghraia.com, skoval@zghraia.com).
It applies to all data subjects whose personal data we process — including visitors to our websites, newsletter subscribers, business clients, contact persons of corporate clients, vendors, and other counterparties.
3. Categories of Personal Data and Legal Basis
3.1. Website visitors and newsletter subscribers
Email address — when you voluntarily subscribe to our newsletter or waiting list via the subscription form. Legal basis: your consent (Art. 6(1)(a) GDPR).
Analytics data — anonymized usage data collected via Google Analytics 4, including page views, session duration, approximate geographic location, device type, and browser. Legal basis: legitimate interest in measuring and improving website performance (Art. 6(1)(f) GDPR).
Server logs — IP addresses and request metadata collected automatically by Cloudflare for security and performance. Legal basis: legitimate interest in network and information security (Art. 6(1)(f) GDPR; Recital 49).
3.2. Business clients and counterparties
When you engage us for services, request a quote, sign a contract, or otherwise enter into a commercial relationship with us, we process:
Banking and payment details, including IBAN, SWIFT/BIC, and account holder information;
Project documentation, scope of services, contract terms;
Issued and received invoices, accounting documents, and proof of payment;
Content of email and other business correspondence.
Legal bases:
Art. 6(1)(b) GDPR — performance of a contract to which the data subject is a party, or pre-contractual steps at the data subject's request;
Art. 6(1)(c) GDPR — compliance with legal obligations to which we are subject, in particular the Polish Act on Value Added Tax (Ustawa o VAT), the Accounting Act (Ustawa o rachunkowości), the Tax Ordinance (Ordynacja podatkowa), and anti-money-laundering regulations;
Art. 6(1)(f) GDPR — legitimate interest in establishing, exercising, or defending legal claims and in maintaining business relationships.
3.3. Contact persons of corporate clients
For contact persons employed by or representing our corporate clients and counterparties, we process:
Full name and job title or function;
Work email address and phone number;
Content of business communications.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in conducting business communications with our corporate counterparty.
3.4. Special categories of data
We do not process special categories of personal data (Art. 9 GDPR) or data relating to criminal convictions and offences (Art. 10 GDPR).
4. Cookies
Our websites use a limited number of cookies:
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _ga, _ga_* | Google Analytics | Distinguish unique visitors, track sessions | Up to 2 years |
| __cf_bm | Cloudflare | Bot management and security | 30 minutes |
We do not use advertising cookies or tracking pixels.
5. Recipients of Data
Your personal data may be disclosed to the following categories of recipients, strictly to the extent necessary for the relevant processing purpose:
IT and online service providers — Mailchimp (The Rocket Science Group LLC), Google LLC (Google Analytics, Google Workspace), Cloudflare, Inc. — providing email, analytics, hosting, and security services.
Polish National Revenue Administration (Krajowa Administracja Skarbowa) — for the purposes of statutory reporting (JPK_V7, JPK_FA) and tax inspections.
External accounting and bookkeeping providers — where engaged to handle our accounting obligations.
Banks and payment service providers — primarily Revolut Bank UAB (Vilnius, Lithuania), and correspondent banks for international transfers — for processing incoming and outgoing payments.
Legal, tax, and professional advisors — bound by professional confidentiality, where engaged.
Competent public authorities — upon lawful request and to the extent required by applicable law.
6. Data Retention
Email subscribers: until you unsubscribe or request deletion.
Analytics data: retained by Google Analytics for 14 months, then automatically deleted.
Server logs: retained by Cloudflare for a limited period in accordance with their retention policy.
Invoices, accounting documents, and tax records: 5 years from the end of the calendar year in which the related tax obligation arose, in accordance with Art. 70 § 1 of the Polish Tax Ordinance and Art. 112 of the Polish VAT Act.
Contracts and contract-related correspondence: up to 6 years from the end of the contractual relationship, corresponding to the general statute of limitations for civil claims (Art. 118 of the Polish Civil Code).
General business correspondence: up to 3 years after the end of the business relationship, unless a longer retention period is required by law.
Data processed based on consent: until the consent is withdrawn.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
Right of access (Art. 15) — request a copy of the data we hold about you.
Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
Right to erasure (Art. 17) — request deletion of your personal data.
Right to restriction of processing (Art. 18).
Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
Right to object (Art. 21) — object to processing based on legitimate interest.
Right to withdraw consent (Art. 7(3)) — withdraw your consent at any time (e.g., by unsubscribing from our mailing list); this does not affect the lawfulness of processing prior to withdrawal.
Note: The right to erasure may be limited where we are legally required to retain data — in particular, invoice and tax records must be kept for the statutory period (5 years from the end of the issuance year). In such cases, we will continue to store the data only for the legally required purpose and restrict any further processing.
To exercise any of these rights, contact us at admin@zghraia.com. We will respond within 30 days (or up to 90 days for complex requests, with prior notice).
You also have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (Prezes UODO) in Poland — at uodo.gov.pl, or with the supervisory authority of your country of residence.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
HTTPS/TLS encryption on all our websites;
Cloudflare security features (DDoS protection, Web Application Firewall);
Encryption of sensitive data at rest where stored on our infrastructure;
Access controls and authentication requirements for all systems handling personal data;
Use of reputable third-party providers with adequate security certifications.
9. International Data Transfers
Some processing may involve transfers of personal data outside the European Economic Area (EEA):
Transfers to service providers in third countries (e.g., Mailchimp, Google in the United States): protected by Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary technical and organizational measures, in accordance with Chapter V GDPR.
Transfers in connection with business relationships with clients and counterparties in non-EEA countries (including Ukraine, the United Kingdom, the United States, and others): based on Art. 49(1)(b) GDPR — transfers necessary for the performance of a contract concluded with the data subject — or, where applicable, on the data subject's explicit consent (Art. 49(1)(a) GDPR).
10. Automated Decision-Making and Profiling
We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR).
11. Source of Data
We primarily collect personal data directly from data subjects. In limited cases, we may obtain contact information of corporate representatives from:
public business registers (CEIDG, KRS, EDR, and equivalents);
publicly available company websites and professional networks (e.g., LinkedIn);
mutual business contacts and introductions.
In such cases, we comply with our information obligation under Art. 14 GDPR by providing this Privacy Policy at the earliest reasonable opportunity, no later than one month after obtaining the data or at the first communication with the data subject.
12. Data Protection Officer
Based on the nature, scope, and purposes of our processing activities, we are not required to appoint a Data Protection Officer under Art. 37 GDPR. For all data protection matters and any of the requests described in section 7, please contact us at admin@zghraia.com.
13. Children's Privacy
Our websites and services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at admin@zghraia.com and we will take appropriate steps to remove such data.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities or in applicable law. The current version is always available on this page, with the "Last updated" date at the top. Material changes will be communicated by appropriate means (e.g., notice on our website or direct communication to affected data subjects).
15. Contact
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us: