Privacy Policy
Information about personal data processing
1. General provisions
1.1. This privacy policy is for informational purposes, which means it is not a source of obligations for visitors to the website nunu-software.pl (hereinafter referred to as the "Website"). The privacy policy primarily contains rules regarding the processing of personal data by the Controller, including the grounds, purposes, and scope of personal data processing, the rights of data subjects, as well as information about the use of cookies and security tools.
1.2. The controller of personal data collected through the Website is Nunu Software Michał Hepner based in Wrocław, Poland (address: ul. Siemianowicka 7/25, 52-007 Wrocław); Tax ID (NIP): 5732882640; email address: [email protected] — hereinafter referred to as the "Controller".
1.3. Personal data is processed by the Controller in accordance with applicable law, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) — hereinafter referred to as "GDPR".
1.4. Use of the Website is voluntary. Providing personal data by a person using the Website is also voluntary, with the reservation that failure to provide the data required in the contact form will prevent submitting an inquiry and receiving a response from the Controller.
1.5. The Controller takes special care to protect the interests of persons whose personal data it processes, and in particular ensures that the data collected is: (1) processed lawfully; (2) collected for specified, lawful purposes and not further processed in a manner incompatible with those purposes; (3) substantively correct and adequate in relation to the purposes for which it is processed; (4) stored in a form that permits identification of data subjects for no longer than necessary to achieve the processing purpose; and (5) processed in a manner that ensures appropriate security of personal data.
2. Legal basis for data processing
2.1. The Controller is entitled to process personal data when at least one of the following conditions is met:
- (1) the data subject has given consent to the processing of their personal data for one or more specific purposes;
- (2) processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
- (3) processing is necessary for compliance with a legal obligation to which the Controller is subject;
- (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
2.2. Processing of personal data by the Controller requires at least one of the grounds indicated in point 2.1 to be met. Specific grounds for processing personal data of Website users are indicated in the next section of this privacy policy.
3. Purpose, legal basis, and retention period
3.1. In each case, the purpose, legal basis, and retention period for personal data processing by the Controller results from the actions taken by the person using the Website.
3.2. The Controller may process personal data for the following purposes, on the following legal grounds, and for the indicated periods:
| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Responding to an inquiry submitted via the contact form or email, including taking steps prior to entering into a contract | Art. 6(1)(a) GDPR (consent) — given when submitting the contact form Art. 6(1)(b) GDPR (performance of a contract) — when the inquiry concerns steps prior to entering into a contract |
Until the correspondence is completed and the purpose for which the data was collected is fulfilled, no longer than 2 years from the last contact. In case of consent withdrawal — until the moment of withdrawal. |
| Performance of a contract for the provision of services, or taking steps at the request of the data subject prior to entering into a contract | Art. 6(1)(b) GDPR (performance of a contract) | For the period necessary for the performance, termination, or other expiration of the concluded contract. |
| Maintaining accounting records | Art. 6(1)(c) GDPR in conjunction with Art. 74(2) of the Polish Accounting Act — processing is necessary for compliance with a legal obligation | 5 years, counting from the beginning of the year following the financial year to which the data relates. |
| Establishing, pursuing, or defending claims that the Controller may raise or that may be raised against the Controller | Art. 6(1)(f) GDPR (legitimate interest of the controller) | For the duration of the legitimate interest, but no longer than the limitation period for claims (the basic limitation period is 6 years, and for claims related to business activity — 3 years). |
| Use of the Website and ensuring its proper functioning, including security | Art. 6(1)(f) GDPR (legitimate interest of the controller) — consisting in operating and maintaining the Website | Technical data (server logs): up to 12 months. |
| Website usage statistics — analyzing Website traffic and user interactions (visited pages, button clicks, contact form submission, language version change) to improve its functionality and content | Art. 6(1)(f) GDPR (legitimate interest of the controller) — consisting in understanding the activity of Website users. Statistical cookies are stored only after consent is given via the cookie banner (Art. 6(1)(a) GDPR). Event tracking (e.g., form submission) is performed only after consent to statistical cookies is given. | Until an objection is raised. Statistical cookies: up to 2 years. |
4. Data recipients
4.1. For the proper functioning of the Website, it is necessary for the Controller to use the services of external entities. The Controller only uses the services of processors who provide sufficient guarantees of implementing appropriate technical and organizational measures so that processing meets the requirements of the GDPR and protects the rights of data subjects.
4.2. The Controller transfers data only when it is necessary for the realization of a given processing purpose and only to the extent necessary for its realization.
4.3. Personal data of Website users may be transferred to the following categories of recipients:
- Infrastructure and security providers — entities providing hosting, content delivery network (CDN), attack protection, and form security (CAPTCHA). Technical data (IP address, browser information) is processed to the extent necessary for providing these services. The Website server is located in the EU. For providers outside the European Economic Area, data transfer is based on appropriate safeguards (Data Privacy Framework, standard contractual clauses).
- Communication service providers — entities enabling the delivery of notifications about messages submitted through the contact form. Data is processed in the EU region.
- Consent management tool provider — entity providing a cookie consent management solution (cookie banner). Processes data about given consents.
- Analytics service providers — entities providing tools for analyzing Website traffic. Statistical data is processed only after consent to statistical cookies is given. The provider participates in the Data Privacy Framework (EU-U.S.).
- Accounting, legal, and advisory service providers — to the extent necessary for the Controller to fulfill its legal obligations.
4.4. We do not sell personal data to third parties.
5. Profiling
5.1. The Controller does not make automated decisions regarding persons using the Website, including decisions resulting from profiling within the meaning of Art. 22(1) and (4) of the GDPR.
6. Rights of the data subject
6.1. Right of access, rectification, restriction, erasure, or portability — the data subject has the right to request from the Controller access to their personal data, rectification, erasure ("right to be forgotten"), or restriction of processing, as well as the right to data portability. Detailed conditions for exercising these rights are set out in Articles 15–21 of the GDPR.
6.2. Right to withdraw consent at any time — a person whose data is processed on the basis of consent (Art. 6(1)(a) GDPR) has the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
6.3. Right to lodge a complaint with a supervisory authority — a person whose data is processed by the Controller has the right to lodge a complaint with the supervisory authority in the manner and procedure specified in the GDPR and Polish law. The supervisory authority in Poland is the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).
6.4. Right to object — the data subject has the right to object at any time — on grounds relating to their particular situation — to processing of personal data concerning them based on Art. 6(1)(f) GDPR (legitimate interest of the controller). The Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
6.5. To exercise the above rights, please contact the Controller by sending a message to the email address: [email protected] or via the contact form available on the Website.
7. Cookies
7.1. Cookies are small text files sent by the server and stored on the device of the person visiting the Website (e.g., on a computer hard drive or smartphone memory).
7.2. The Controller provides a cookie management tool on the Website (provided by Cookiebot/Cybot A/S), available upon the first visit to the Website in the form of an information banner. The tool allows checking what cookies are or may be stored when using the Website, as well as selecting and subsequently changing the scope of cookie usage. Cookie settings can be changed at any time by clicking on the cookie management icon available on the Website.
7.3. Cookies used on the Website can be divided into the following categories:
Essential cookies (strictly necessary)
Ensure basic Website functionality and do not require user consent. They cannot be disabled.
| Cookie name | Provider | Purpose | Retention period |
|---|---|---|---|
__cf_bm |
Cloudflare | Distinguishing humans from bots to protect the Website. Automatically set server-side by Cloudflare infrastructure. | 30 minutes |
cf_clearance |
Cloudflare | Confirmation that the visitor has passed Cloudflare security verification. Set server-side. | Up to 30 minutes |
_cfuvid |
Cloudflare | Identifying individual visitors for rate limiting purposes. Set server-side. | Browser session |
CookieConsent |
Cookiebot (Cybot A/S) | Storing information about the user's consent to the use of individual categories of cookies. | 12 months |
Cloudflare Turnstile (CAPTCHA)
The contact page uses Cloudflare Turnstile — a verification mechanism that protects the form against automated (spam) message submissions. Turnstile may store cookies on the .cloudflare.com domain (third-party cookies) necessary to perform the verification. The Turnstile script is loaded exclusively on the contact form page.
Statistical cookies
Require user consent ("Statistics" category in the cookie banner). Used for analyzing Website traffic and tracking user interactions (e.g., button clicks, contact form submission, language change). Statistical cookies are set by Google Analytics 4. A detailed list of statistical cookies is available in the cookie banner on the Website.
7.4. Regardless of the cookie management tool available on the Website, each user can also manage cookies through their web browser settings — including restricting or completely disabling the ability to store cookies. Disabling essential cookies may affect the proper functioning of the Website.
7.5. Detailed information about managing cookies is available in the web browser settings:
8. Data collected by the Website
8.1. As part of the Website's operation, the Controller may collect the following data:
Contact form
Data voluntarily provided by the user:
- Email address or phone number (one of the two, required)
- Full name (optional)
- Company name (optional)
- Message content (optional)
Technical data
Data collected automatically when using the Website:
- IP address
- Browser type and version
- Operating system
- Date and time of access
- Referring page address (referer)
Technical data is collected automatically by the server (server logs) and Cloudflare infrastructure and is used to ensure security and proper functioning of the Website.
9. Final provisions
9.1. The Website may contain links to other websites. The Controller recommends that when navigating to other websites, you review the privacy policy applicable there. This privacy policy applies only to the Controller's Website.
9.2. The Controller reserves the right to make changes to this privacy policy. The Controller will inform about significant changes on the Website.
9.3. In matters not regulated by this privacy policy, the provisions of the GDPR and other applicable provisions of Polish law shall apply.
Last updated: February 2026