Privacy Policy
Effective from: 19 March 2026
§ 1. Data Controller
The controller of personal data is ZYNQ sp. z o.o. with its registered office in Tychy, ul. Estetyczna 4, 43-100 Tychy, entered into the register of entrepreneurs of the National Court Register kept by the District Court Katowice-Wschód in Katowice, 8th Commercial Division of the National Court Register, under KRS number: 0000804450, NIP (Tax ID): 6462979033, REGON: 384394091, share capital: PLN 5,000 (hereinafter: the “Controller”).
Contact regarding personal data protection: kontakt@zynq.pl
§ 2. Purposes and legal bases of processing
The Controller processes personal data for the following purposes:
| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Performance of the service agreement (maintaining the Account, handling the Organization, managing orders, invoices, products) | Art. 6(1)(b) GDPR - performance of a contract | For the term of the agreement + 3 years (limitation of claims) |
| Issuing and storing invoices and accounting documents | Art. 6(1)(c) GDPR - legal obligation (tax regulations) | 5 years from the end of the tax year in which the document was issued |
| Integration with the National e-Invoicing System (KSeF) | Art. 6(1)(c) GDPR - legal obligation | In accordance with KSeF regulations |
| Ensuring the security of the Platform (login logs, audit logs, abuse detection) | Art. 6(1)(f) GDPR - legitimate interest | Login logs: 6 months. Audit logs: 2 years |
| Platform usage analytics (statistics, PageView) | Art. 6(1)(a) GDPR - consent (analytics cookies) | 12 months from the moment of collection |
| Handling support requests | Art. 6(1)(b) GDPR - performance of a contract | For the term of the agreement + 1 year |
| Settlement of subscription payments | Art. 6(1)(b) GDPR - performance of a contract | For the term of the subscription + 5 years (tax regulations) |
| Error monitoring (Sentry) | Art. 6(1)(f) GDPR - legitimate interest | 90 days (in accordance with Sentry's retention policy) |
§ 3. Categories of processed data
Data of Platform Users
- Identification data: full name, e-mail address
- Authentication data: password (stored in encrypted form - bcrypt)
- Company data: company name, NIP, REGON, registered office address, phone number
- Technical data: IP address, session identifier, browser type (User-Agent), date and time of login
- Billing data: Stripe customer identifier, subscription plan
Data of Users' customers (buyers)
As part of providing the Service, the Platform processes the personal data of Users' customers (buyers), imported from commercial platforms (Allegro, Amazon, Etsy, Erli, Empik) or entered manually. In this respect:
- The Controller processes this data as a Processor on behalf of the User, who is the Controller of this data.
- Scope of data: full name / company name, delivery address, e-mail address, phone number, NIP (optional), invoice data.
- The rules for processing this data are set out in the Data Processing Agreement (DPA) concluded with the User.
§ 4. Recipients of data
Personal data may be transferred to the following categories of recipients:
| Recipient | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Handling subscription payments | USA (on the basis of standard contractual clauses - SCCs) |
| Allegro sp. z o.o. | Synchronization of orders, offers, shipments (on the User's behalf) | Poland / EEA |
| Amazon Services Europe | Synchronization of orders, offers, prices (on the User's behalf) | EEA / USA (on the basis of SCCs) |
| Etsy, Inc. / Etsy Ireland UC | Synchronization of orders (receipts, including buyer_email), listings, and stock levels (on the User's behalf) | EEA / USA (on the basis of SCCs) |
| Erli sp. z o.o. | Synchronization of orders (on the User's behalf) | Poland |
| InPost S.A., DPD Polska sp. z o.o., DHL Express | Creating shipments, generating labels (on the User's behalf) | Poland / EEA |
| Functional Software, Inc. (Sentry) | Monitoring errors and application stability | USA (on the basis of SCCs) |
| Google Ireland Limited / Google LLC | Analytics of the marketing website usage (Google Analytics 4, Google Tag Manager) - solely after consent to analytical cookies has been given | Ireland / EEA; USA (on the basis of SCCs) |
| Hetzner Online GmbH | Hosting of servers and the database | Germany / EEA |
| National e-Invoicing System (KSeF) | Submission of electronic invoices (on the User's behalf) | Poland |
§ 5. Transfer of data outside the EEA
Personal data may be transferred to recipients in the United States (Stripe, Sentry, Amazon, Etsy, Google) solely on the basis of standard contractual clauses (SCCs) approved by the European Commission, ensuring an adequate level of protection of personal data.
§ 6. Rights of data subjects
Under RODO (GDPR), you have the following rights:
- Right of access to data (Art. 15) - the ability to obtain information about the processed data.
- Right to rectification (Art. 16) - the ability to correct inaccurate data.
- Right to erasure (Art. 17) - the ability to request the deletion of data, subject to legal obligations (e.g. retention of invoices for 5 years).
- Right to restriction of processing (Art. 18) - the ability to request restriction of processing in specific situations.
- Right to data portability (Art. 20) - the ability to receive data in a structured format (JSON/CSV).
- Right to object (Art. 21) - the ability to object to processing based on a legitimate interest.
- Right to withdraw consent (Art. 7(3)) - at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise the above rights, please contact us at: kontakt@zynq.pl. Requests will be processed within 30 days.
§ 7. Right to lodge a complaint
The data subject has the right to lodge a complaint with the supervisory authority - the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.
§ 8. Obligation to provide data
- Providing identification and contact data (e-mail, first name) is voluntary but necessary to create an Account and use the Service.
- Providing company data (NIP, address) is required to configure the Organization and issue documents.
- Failure to provide the required data makes it impossible to use the relevant functions of the Platform.
§ 9. Automated decision-making
The Platform enables the configuration of automation (e.g. automatic issuing of invoices, creating shipments, changing order statuses). This automation operates solely on the basis of rules configured by the User and does not constitute automated decision-making within the meaning of Art. 22 GDPR, as it does not produce legal effects concerning data subjects, nor does it affect them in a similarly significant manner without the User's involvement.
§ 10. Data security
The Controller applies appropriate technical and organizational measures to ensure the protection of the processed personal data, including:
- encryption of passwords with the bcrypt algorithm,
- encryption of sensitive data (OAuth tokens, SMTP passwords) with the AES-256-GCM algorithm,
- communication exclusively via the HTTPS protocol (HSTS),
- protection against XSS, clickjacking, and MIME sniffing attacks,
- rate limiting,
- logging of security events (login logs, audit logs),
- automatic logout after a period of inactivity (configurable, 30 minutes by default),
- isolation of data between Organizations (multi-tenancy).
§ 11. Amendments to the Privacy Policy
The Controller reserves the right to amend this Privacy Policy. Users will be notified of material changes by electronic means at least 14 days in advance.
Controller: ZYNQ sp. z o.o. · NIP: 6462979033 · REGON: 384394091 · KRS: 0000804450
ul. Estetyczna 4, 43-100 Tychy · District Court Katowice-Wschód in Katowice, 8th Commercial Division of the National Court Register · Share capital: PLN 5,000
E-mail: kontakt@zynq.pl