PRIVACY POLICY

Preamble

This Privacy Policy describes the rules for processing information about you, including personal data and cookies. This Privacy Policy should be read together with the Terms of Service of persate.com, in particular with respect to definitions. This Privacy Policy also governs the rules for data processing within the AI Assistant Service and the Legislative Monitoring Service.

§ 1. General Information

1. The service provider is: PERSATE simple joint-stock company (prosta spółka akcyjna) with its registered office in Sochaczew, address: ul. Warszawska 62 lok. 4, 96-500 Sochaczew, entered into the register of entrepreneurs maintained by the District Court for Łódź-Śródmieście in Łódź, XX Commercial Division of the National Court Register under KRS number: 0001205038, NIP: 8371886321, REGON: 543232081.
2. The Provider is the Controller of personal data with respect to data voluntarily provided by Users when visiting the service, creating an Account, using services, or participating in various informational activities conducted by the Provider (e.g., newsletters). Where the User uses the AI Assistant Service and provides the Service with personal data of third parties stored in external cloud data services or directly uploads such data to the Service, the Provider acts as a data processor within the meaning of Article 28 GDPR, while the User remains the controller of such data.
3. Data provided by Users for the purpose of using the services is used in the process of launching and providing those services. This primarily includes: a) technical launch of services, b) registration and management of the User Account, c) notification of planned technical work and failures, d) notification of significant configuration changes, e) notification of changes to terms and policies, f) provision of technical support, including responses to User inquiries, g) clarifications regarding billing, h) direct commercial contact – if requested by the User ("Book a Demo"), i) sending product information by e-mail and other communication channels – if the User has consented to such forms of contact, j) provision of the AI Assistant Service, including access to files and data of the User stored in external cloud data services connected by the User to the Service, and to files and data uploaded by the User directly to the Service, k) provision of the Legislative Monitoring Service, including delivery of legislative notifications to the e-mail address or other communication channel indicated by the User.
4. The Service collects information about Users and their behaviour in the following ways: a) through data voluntarily entered in forms, which is entered into the Provider's systems, b) through use of the Provider's services, c) through storage of cookie files ("cookies") on end devices, d) through storage of technical information in http server logs and other network services and applications of the Provider (system logs).

§ 2. Detailed Information on Personal Data Processing

1. Personal data processing is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as ("GDPR"), taking into account the provisions of the Act on electronic services and other universally applicable laws.
2. Personal data controller: a) The Provider is the controller of personal data. b) Controller contact details: ul. Warszawska 62 lok. 4, 96-500 Sochaczew, e-mail: mbednarczyk@persate.com.
3. Providing personal data is voluntary; however, the Provider informs that unless otherwise indicated in the content of individual forms (e.g., that providing data is optional), the Provider's services cannot be used anonymously or under a pseudonym. Accordingly, refusal to provide data may result in refusal to conclude an agreement and provide the ordered service.
4. Categories of processed data, purposes and legal bases: a) Registration and management of the User Account, including designation of the Account Administrator and management of sub-accounts: i. Scope of data: first and last name/company name, e-mail address, password (stored in encrypted form), authentication credentials of an external identity provider (Google, Microsoft) – if the User uses external login, first and last name and e-mail address of the Account Administrator and persons granted access to sub-accounts, and any other data provided by the User. ii. Purpose: conclusion and performance of services, in particular the Account Service Agreement or Premium Service Agreement. iii. Legal basis: Article 6(1)(b) GDPR – performance of a contract. iv. Retention period: for the duration of the Account Service Agreement, and after its termination for the period necessary to handle any complaints or pursue/defend claims, but no longer than the expiry of the limitation period. b) AI Assistant Service – integration with external cloud data services/data uploaded directly to the Service: i. Scope of data: authorization tokens enabling access to resources and data in external cloud data services designated by the User (in particular Google Drive, Microsoft OneDrive), file metadata (names, dates, types, sizes), file content – solely to the extent necessary for the execution of a specific User query to the AI Assistant. ii. Purpose: provision of the AI Assistant Service consisting of intelligent search, categorization and analysis of the User's files. iii. Legal basis: Article 6(1)(b) GDPR – performance of a contract. iv. Retention period: tokens are invalidated immediately upon disconnection of the integration by the User or upon deletion of the Account. v. Special information: The Provider does not process the User's data from external cloud data services/files uploaded directly to the Service for purposes other than providing the AI Assistant Service to the given User, in particular does not use them for marketing purposes and does not share them with third parties without separate, explicit consent of the User, except in cases arising from mandatory applicable law. c) Legislative Monitoring Service: i. Scope of data: e-mail address or other contact details indicated by the User as the notification delivery channel (e.g., messenger identifier), configuration of Monitoring Topics and Key Phrases defined by the User. ii. Purpose: provision of the Legislative Monitoring Service, i.e., automatic tracking of selected legislative topics and delivery of legislative event notifications to the User, including in particular those resulting from AI analysis of sessions of the Polish Sejm and Senate. iii. Legal basis: Article 6(1)(b) GDPR – performance of a contract. iv. Retention period: for the duration of the Premium Service. Configuration of Monitoring Topics and Key Phrases is deleted immediately upon the User's withdrawal from the Legislative Monitoring Service or upon deletion of the Account. d) Handling "Book a Demo": i. Scope of data: e-mail address, message content. ii. Purpose: taking action at the request of the person before possible conclusion of a contract, commercial contact. iii. Legal basis: Article 6(1)(f) GDPR – legitimate interest, i.e., handling commercial correspondence. iv. Retention period: for the duration of correspondence and until expiry of the limitation period for any claims. e) Handling complaints and technical support: i. Scope of data: first and last name/company name, e-mail address, description of the reported problem, technical logs necessary for its diagnosis. ii. Purpose: handling complaints and providing technical support. iii. Legal basis: Article 6(1)(b) GDPR – performance of a contract; Article 6(1)(c) GDPR – compliance with a legal obligation. iv. Retention period: for the duration of the complaint handling process and until expiry of the limitation period for claims. f) Analytics and service quality improvement: i. Scope of data: anonymized data about the use of the Service (application events, navigation paths, session time), IP address (truncated). ii. Purpose: analysis and improvement of the Service's functionality and services. iii. Legal basis: Article 6(1)(f) GDPR – the Provider's legitimate interest in improving the quality of services offered. iv. Retention period: until effective objection is raised or the processing purpose ceases, but no longer than 24 months. g) Establishment, pursuit or defence of claims: i. Scope of data: all data necessary for the fulfilment of this purpose, in particular data from Account history and correspondence. ii. Purpose: legal protection of the Provider. iii. Legal basis: Article 6(1)(f) GDPR – the Provider's legitimate interest. iv. Retention period: until expiry of the limitation period for claims.
5. In certain situations, the Provider as the controller of personal data has the right to transfer personal data to other recipients if this is necessary for the performance of the concluded contract or fulfilment of obligations resting on the Controller. This applies in particular to the following categories of recipients: a) authorized employees and associates of the Controller who use the data to perform services, b) providers of external authentication services (Google, Microsoft) – for login processing, c) operators of external cloud data services (in particular Google – Google Drive, Microsoft – OneDrive) – solely to the extent necessary for authorization and access to the User's resources within the AI Assistant Service, d) providers of artificial intelligence models and infrastructure – to the extent necessary for generating AI Assistant responses and for analysis of legislative content within the Legislative Monitoring Service. The Provider ensures that these entities are obligated to process data solely on documented instructions from the Provider and apply adequate data protection measures, e) law firms – in particular for the purpose of pursuing or defending claims, f) public authorities – solely on the basis and to the extent arising from applicable law.
6. Users' personal data may be transferred outside the European Economic Area (EEA) only in connection with the use of services from providers who apply standard contractual clauses approved by the European Commission (Article 46(2)(c) GDPR) or other approved transfer mechanisms ensuring an adequate level of data protection. This applies in particular to providers of external login services (Google, Microsoft).
7. The Controller does not use automated decision-making, including profiling referred to in Article 22(1) and (4) GDPR, with respect to personal data processed through the Service.
8. Where a User using the AI Assistant Service is the controller of personal data of third parties contained in resources stored in external cloud data services/files uploaded by the User directly to the Service (e.g., data of clients, employees, contractors), the Provider processes such data solely as a data processor within the meaning of Article 28 GDPR. In such case: a) The User is obligated to ensure an appropriate legal basis for processing personal data of third parties through the Service before granting the Service access to these resources, b) the detailed terms of data processing entrustment, including the Provider's obligations and guarantees as a data processor, are set out in a separate Data Processing Agreement concluded with the User upon request or automatically available as an annex to the Premium Service terms, c) The Provider processes personal data of third parties solely on documented instructions from the User (as controller), solely to the extent and for the purpose necessary for the provision of the AI Assistant Service, and ensures that persons authorised to process such data have committed to maintaining confidentiality.
9. When the User designates an Account Administrator and grants access to sub-accounts to specific persons/groups of persons, the User acts as the controller of personal data of those persons within the meaning of Article 4(7) GDPR. The User is obligated to: a) ensure an appropriate legal basis for processing personal data of the Account Administrator and sub-account users before granting them access to the Account through the Service, b) fulfil the information obligation referred to in Article 13 GDPR towards those persons in relation to the processing of their data by the Provider in connection with use of the account/sub-accounts assigned to them, c) not share with the Service personal data of persons for whom the User does not have an appropriate legal basis.

§ 3. User Rights

1. Each User has the following rights: a) Right of access (Article 15 GDPR) – to obtain confirmation as to whether data is being processed, and if so – to access it and obtain a copy. b) Right to rectification (Article 16 GDPR) – to request correction of inaccurate data or completion of incomplete data. c) Right to erasure (Article 17 GDPR) – to request deletion of data when it is no longer necessary for the purposes for which it was collected, when consent has been withdrawn, or when data was processed unlawfully. d) Right to restriction of processing (Article 18 GDPR) – to request suspension of processing in cases specified in the GDPR. e) Right to data portability (Article 20 GDPR) – to receive data in a structured, commonly used, machine-readable format (applies to data processed on the basis of consent or contract in an automated manner). f) Right to object (Article 21 GDPR) – against processing based on the legitimate interest of the Controller, including profiling. The right to object cannot be exercised where there are compelling legitimate grounds for processing that override the interests, rights and freedoms of the User, in particular for the establishment, exercise or defence of claims. g) Right to withdraw consent – at any time, without affecting the lawfulness of processing carried out before its withdrawal. h) Right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stanisława Moniuszki 1A, 00-014 Warsaw; www.uodo.gov.pl), if the User considers that the processing violates GDPR provisions.
2. To exercise the above rights, please contact the Controller at the e-mail address indicated in § 2(2)(b). The Controller shall handle the request without undue delay, no later than within one month of receiving it. This period may in justified cases be extended by a further two months, of which the Controller shall inform the User (Article 12(3) GDPR).

§ 4. Information in Forms

1. The Service collects information voluntarily provided by the User, including personal data, if provided.
2. The Service may save information about connection parameters (timestamp, IP address).
3. Data provided in a form is processed for the purpose arising from the function of the specific form – e.g., for handling a service demonstration request or Account creation. In each case, the context and description of the form clearly indicates its purpose.

§ 5. Administrator Logs

Information about User behaviour in the Service may be subject to logging. Such data is used solely for the purposes of Service administration and technical diagnostics.

§ 6. Information About Cookies

1. The Service uses cookies.
2. Cookies are IT data, in particular text files, which are stored on the User's end device and are intended for use with the Service's websites. Cookies usually contain the name of the website from which they originate, the storage time on the end device, and a unique number.
3. The entity placing cookies on the User's end device and accessing them is the Provider.
4. Cookies are used for the following purposes: a) maintaining the User's session (after logging in), so that the User does not need to re-enter authentication data on each sub-page of the Service, b) remembering User preferences and application settings, c) analytics and statistics on Service usage – solely after obtaining the User's consent.
5. The Service uses two main types of cookies: "session" cookies and "persistent" cookies. Session cookies are temporary files stored on the User's end device until logging out, leaving the website, or closing the browser. Persistent cookies are stored on the User's end device for the time specified in the cookie parameters or until deleted by the User.
6. Installation of non-essential cookies (in particular analytical and marketing cookies) on the User's end device occurs only after the User has given consent via the cookie banner displayed during the first visit to the Service.
7. Cookies placed on the User's end device may also be used by entities cooperating with the Provider.

§ 7. Managing Cookies

1. If the User does not wish to receive cookies, they may change their browser settings. We note that disabling cookies essential for authentication, security and user preference maintenance processes may make using the Service difficult or, in extreme cases, impossible.
2. To manage cookie settings, select from the list below the web browser you use and follow the instructions: a) Edge (https://support.microsoft.com/en-us/microsoft-edge/view-and-delete-browser-history-in-microsoft-edge-00cf7943-a9e1-975a-a33d-ac10ce454ca4), b) Chrome (https://support.google.com/chrome/answer/95647?hl=en), c) Safari (https://support.apple.com/en-gb/guide/safari/sfri11471/mac), d) Firefox (https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox), e) Opera (https://help.opera.com/en/latest/web-preferences/#cookies); Mobile devices: a) Android (Google Chrome) (https://support.google.com/chrome/answer/95647?hl=en), b) Safari (iOS) (https://support.apple.com/en-us/105082).

§ 8. Final Provisions

1. Polish law governs this Privacy Policy.
2. Disputes between the Provider and the User shall be resolved by the court competent for the registered office of the Provider. Where the User is also a Consumer, all disputes shall be resolved by the common courts competent in accordance with the provisions of the Code of Civil Procedure.
3. Matters not regulated by this Privacy Policy shall be governed by the provisions of the Civil Code, the GDPR, and other mandatory applicable provisions of Polish law.
4. This Privacy Policy is effective from 25 March 2026.