This is an informational English translation. In the event of any discrepancy, the Polish version is legally binding. View the Polish version

Privacy Policy

Effective from: 19 March 2026

§ 1. Data Controller

The controller of personal data is ZYNQ sp. z o.o. with its registered office in Tychy, ul. Estetyczna 4, 43-100 Tychy, entered into the register of entrepreneurs of the National Court Register kept by the District Court Katowice-Wschód in Katowice, 8th Commercial Division of the National Court Register, under KRS number: 0000804450, NIP (Tax ID): 6462979033, REGON: 384394091, share capital: PLN 5,000 (hereinafter: the “Controller”).

Contact regarding personal data protection: kontakt@zynq.pl

§ 2. Purposes and legal bases of processing

The Controller processes personal data for the following purposes:

Processing purposeLegal basisRetention period
Performance of the service agreement (maintaining the Account, handling the Organization, managing orders, invoices, products)Art. 6(1)(b) GDPR - performance of a contractFor the term of the agreement + 3 years (limitation of claims)
Issuing and storing invoices and accounting documentsArt. 6(1)(c) GDPR - legal obligation (tax regulations)5 years from the end of the tax year in which the document was issued
Integration with the National e-Invoicing System (KSeF)Art. 6(1)(c) GDPR - legal obligationIn accordance with KSeF regulations
Ensuring the security of the Platform (login logs, audit logs, abuse detection)Art. 6(1)(f) GDPR - legitimate interestLogin logs: 6 months. Audit logs: 2 years
Platform usage analytics (statistics, PageView)Art. 6(1)(a) GDPR - consent (analytics cookies)12 months from the moment of collection
Handling support requestsArt. 6(1)(b) GDPR - performance of a contractFor the term of the agreement + 1 year
Settlement of subscription paymentsArt. 6(1)(b) GDPR - performance of a contractFor the term of the subscription + 5 years (tax regulations)
Error monitoring (Sentry)Art. 6(1)(f) GDPR - legitimate interest90 days (in accordance with Sentry's retention policy)

§ 3. Categories of processed data

Data of Platform Users

  • Identification data: full name, e-mail address
  • Authentication data: password (stored in encrypted form - bcrypt)
  • Company data: company name, NIP, REGON, registered office address, phone number
  • Technical data: IP address, session identifier, browser type (User-Agent), date and time of login
  • Billing data: Stripe customer identifier, subscription plan

Data of Users' customers (buyers)

As part of providing the Service, the Platform processes the personal data of Users' customers (buyers), imported from commercial platforms (Allegro, Amazon, Etsy, Erli, Empik) or entered manually. In this respect:

  • The Controller processes this data as a Processor on behalf of the User, who is the Controller of this data.
  • Scope of data: full name / company name, delivery address, e-mail address, phone number, NIP (optional), invoice data.
  • The rules for processing this data are set out in the Data Processing Agreement (DPA) concluded with the User.

§ 4. Recipients of data

Personal data may be transferred to the following categories of recipients:

RecipientPurposeLocation
Stripe, Inc.Handling subscription paymentsUSA (on the basis of standard contractual clauses - SCCs)
Allegro sp. z o.o.Synchronization of orders, offers, shipments (on the User's behalf)Poland / EEA
Amazon Services EuropeSynchronization of orders, offers, prices (on the User's behalf)EEA / USA (on the basis of SCCs)
Etsy, Inc. / Etsy Ireland UCSynchronization of orders (receipts, including buyer_email), listings, and stock levels (on the User's behalf)EEA / USA (on the basis of SCCs)
Erli sp. z o.o.Synchronization of orders (on the User's behalf)Poland
InPost S.A., DPD Polska sp. z o.o., DHL ExpressCreating shipments, generating labels (on the User's behalf)Poland / EEA
Functional Software, Inc. (Sentry)Monitoring errors and application stabilityUSA (on the basis of SCCs)
Google Ireland Limited / Google LLCAnalytics of the marketing website usage (Google Analytics 4, Google Tag Manager) - solely after consent to analytical cookies has been givenIreland / EEA; USA (on the basis of SCCs)
Hetzner Online GmbHHosting of servers and the databaseGermany / EEA
National e-Invoicing System (KSeF)Submission of electronic invoices (on the User's behalf)Poland

§ 5. Transfer of data outside the EEA

Personal data may be transferred to recipients in the United States (Stripe, Sentry, Amazon, Etsy, Google) solely on the basis of standard contractual clauses (SCCs) approved by the European Commission, ensuring an adequate level of protection of personal data.

§ 6. Rights of data subjects

Under RODO (GDPR), you have the following rights:

  1. Right of access to data (Art. 15) - the ability to obtain information about the processed data.
  2. Right to rectification (Art. 16) - the ability to correct inaccurate data.
  3. Right to erasure (Art. 17) - the ability to request the deletion of data, subject to legal obligations (e.g. retention of invoices for 5 years).
  4. Right to restriction of processing (Art. 18) - the ability to request restriction of processing in specific situations.
  5. Right to data portability (Art. 20) - the ability to receive data in a structured format (JSON/CSV).
  6. Right to object (Art. 21) - the ability to object to processing based on a legitimate interest.
  7. Right to withdraw consent (Art. 7(3)) - at any time, without affecting the lawfulness of processing carried out before withdrawal.

To exercise the above rights, please contact us at: kontakt@zynq.pl. Requests will be processed within 30 days.

§ 7. Right to lodge a complaint

The data subject has the right to lodge a complaint with the supervisory authority - the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.

§ 8. Obligation to provide data

  1. Providing identification and contact data (e-mail, first name) is voluntary but necessary to create an Account and use the Service.
  2. Providing company data (NIP, address) is required to configure the Organization and issue documents.
  3. Failure to provide the required data makes it impossible to use the relevant functions of the Platform.

§ 9. Automated decision-making

The Platform enables the configuration of automation (e.g. automatic issuing of invoices, creating shipments, changing order statuses). This automation operates solely on the basis of rules configured by the User and does not constitute automated decision-making within the meaning of Art. 22 GDPR, as it does not produce legal effects concerning data subjects, nor does it affect them in a similarly significant manner without the User's involvement.

§ 10. Data security

The Controller applies appropriate technical and organizational measures to ensure the protection of the processed personal data, including:

  • encryption of passwords with the bcrypt algorithm,
  • encryption of sensitive data (OAuth tokens, SMTP passwords) with the AES-256-GCM algorithm,
  • communication exclusively via the HTTPS protocol (HSTS),
  • protection against XSS, clickjacking, and MIME sniffing attacks,
  • rate limiting,
  • logging of security events (login logs, audit logs),
  • automatic logout after a period of inactivity (configurable, 30 minutes by default),
  • isolation of data between Organizations (multi-tenancy).

§ 11. Amendments to the Privacy Policy

The Controller reserves the right to amend this Privacy Policy. Users will be notified of material changes by electronic means at least 14 days in advance.

Controller: ZYNQ sp. z o.o. · NIP: 6462979033 · REGON: 384394091 · KRS: 0000804450

ul. Estetyczna 4, 43-100 Tychy · District Court Katowice-Wschód in Katowice, 8th Commercial Division of the National Court Register · Share capital: PLN 5,000

E-mail: kontakt@zynq.pl