Privacy Policy
Last updated: 21 March 2026
1. Data Controller
The Data Controller of your personal data is Kuliberda Labs Dawid Kuliberda, with its registered office in Krakow, Poland, Tax Identification Number (NIP) registration pending, entered in the Central Register and Information on Economic Activity (CEIDG).
Contact on data protection matters: dawid@kuliberda.ai
The Data Controller has not appointed a Data Protection Officer (DPO), as the conditions set out in Article 37 of the GDPR do not apply. For matters relating to personal data, you may contact the Data Controller directly at the e-mail address above.
2. What data we collect and why

| Purpose of processing | Scope of data | Legal basis | Retention period |
|---|---|---|---|
| Responding to an inquiry submitted via the contact form | Name, e-mail address, company name, description of the issue | Art. 6(1)(b) GDPR — pre-contractual measures | Until the conclusion of discussions, or until it becomes clear that no cooperation will be established, but no longer than 12 months from the last contact |
| AI audit form | Name, e-mail address, company name, industry, team size, website URL, description of the business problem | Art. 6(1)(b) GDPR — pre-contractual measures | As above |
| Service delivery (after a contract has been concluded) | Identification data, contact data, billing data, project correspondence | Art. 6(1)(b) GDPR — performance of a contract | Duration of the contract + 6 years (limitation period for civil claims, Art. 118 of the Polish Civil Code) |
| Accounting and tax documentation | Data from VAT invoices | Art. 6(1)(c) GDPR — legal obligation (Polish Tax Ordinance, Accounting Act) | 5 years from the end of the tax year in which the invoice was issued |
| Protection against form abuse (anti-spam) | IP address, submission timestamp | Art. 6(1)(f) GDPR — legitimate interest (IT security) | Maximum 30 days |
| Website traffic analytics (Plausible) | Anonymous data — no personal data | No GDPR legal basis required (anonymised data) | Aggregated statistics without personal data |

Your data is not used for:
- training AI models,
- marketing profiling,
- selling data to third parties,
- automated decision-making (Art. 22 GDPR).
3. Data recipients
Your data may be disclosed to the following categories of recipients, solely to the extent necessary for the provision of services:

| Recipient | Role | Registered office | Transfer basis |
|---|---|---|---|
| Cloudflare, Inc. | Website hosting (Cloudflare Workers) | USA | Cloudflare Data Processing Addendum + Standard Contractual Clauses (SCCs) |
| Resend, Inc. | Processing of e-mail messages from the contact form | USA | Resend DPA + Standard Contractual Clauses (SCCs) |
| Plausible Insights OÜ | Traffic analytics (privacy-first, anonymised data) | Estonia (EU) | Anonymised data — no transfer of personal data |
| E-mail service provider | Client correspondence | EU | Data Processing Agreement |
| Accounting firm | Accounting services | Poland | Data Processing Agreement |

Personal data is not sold to third parties.
Transfer of data outside the European Economic Area
In connection with the use of services provided by Cloudflare and Resend (entities established in the USA), your data may be transferred to the United States. Such transfers are carried out on the basis of:
- the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) — for providers certified under the DPF, and
- Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR) — as a supplementary safeguard mechanism.
The Data Controller has conducted a Transfer Impact Assessment in accordance with the EDPB guidelines following the CJEU judgment in Case C-311/18 (Schrems II).
4. Cookies and analytics
The website uses Plausible Analytics — a privacy-first analytics tool that:
- does not use cookies,
- does not track users across websites,
- does not collect personal data,
- does not create user profiles,
- stores data on servers within the European Union.
The website does not use tracking, marketing, or analytical cookies that require consent. For this reason, no cookie banner is displayed on the website.
The website may use strictly necessary technical cookies required for the proper functioning of the service (e.g. session cookies). These cookies do not require consent pursuant to Art. 173(3) of the Polish Telecommunications Act.
If tools that use cookies requiring consent are introduced on the website in the future, this privacy policy and the consent management mechanism will be updated accordingly prior to their implementation.
5. AI audit form — technical details
The AI audit form on the website is protected by an anti-spam mechanism (rate limiting). As part of this mechanism, the following data is temporarily stored:
- IP address,
- form submission timestamp.
This data is used solely for the purpose of protection against abuse and is automatically deleted after a maximum of 30 days. Legal basis: Art. 6(1)(f) GDPR (legitimate interest — IT security).
6. Your rights
Under the GDPR, you have the right to:

| Right | Legal basis | How to exercise |
|---|---|---|
| Access to your data | Art. 15 GDPR | E-mail to dawid@kuliberda.ai |
| Rectification of inaccurate data | Art. 16 GDPR | E-mail to dawid@kuliberda.ai |
| Erasure of data ("right to be forgotten") | Art. 17 GDPR | E-mail to dawid@kuliberda.ai |
| Restriction of processing | Art. 18 GDPR | E-mail to dawid@kuliberda.ai |
| Portability of data in a structured format | Art. 20 GDPR | E-mail to dawid@kuliberda.ai |
| Objection to processing based on Art. 6(1)(f) | Art. 21 GDPR | E-mail to dawid@kuliberda.ai |

Your request will be responded to without undue delay, and no later than 30 days from the date of receipt. In the case of complex requests, this period may be extended by a further 2 months, of which you will be informed.
The exercise of your rights is free of charge. In the case of manifestly unfounded or excessive requests, a reasonable fee may be charged or the request may be refused (Art. 12(5) GDPR).
You also have the right to lodge a complaint with the supervisory authority: President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.
7. Voluntary provision of data
Providing data in the forms on the website is voluntary but necessary in order to:
- receive a response to your inquiry (contact form),
- receive recommendations as part of the AI audit (audit form).
Without providing basic contact details (name, e-mail address), it will not be possible to process your inquiry.
The provision of data for the purpose of service delivery (after a contract has been concluded) is a contractual requirement — without it, the service cannot be performed. The provision of data for invoicing purposes is a statutory requirement.
8. Automated decision-making
No automated decision-making or profiling within the meaning of Art. 22 GDPR is carried out. All decisions regarding cooperation are made personally.
9. Data security
The data protection measures applied include, in particular:
- encryption of data in transit (HTTPS/TLS),
- restriction of data access to authorised persons only,
- use of service providers holding appropriate security certifications,
- regular security reviews.
10. Changes to this privacy policy
This privacy policy may be updated in the event of:
- changes to the manner in which data is processed,
- implementation of new tools or data processors,
- changes in applicable law.
Significant changes will be communicated via a notice on the website. The current version of this privacy policy is always available at kuliberda.ai/privacy.
This policy complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the Polish Act of 10 May 2018 on the Protection of Personal Data.