Version 5.2 · Effective date:
How Hej Bóbr processes requests, accounts, publication data, communication, analytics, and customer-site data.
Controller
The controller of personal data of users of Hej Bóbr is Seidr sp. z o.o., ul. Marsz. Józefa Piłsudskiego 74 / 320, 50-020 Wrocław, KRS 0001189184, NIP 8971958342, REGON 542481853, share capital PLN 5,000, registration court: Sąd Rejonowy dla Wrocławia-Fabrycznej we Wrocławiu, VI Wydział Gospodarczy Krajowego Rejestru Sądowego. Privacy contact: gdpr@hejbobr.pl.
When we process data
- when you visit the website or submit a form
- when you create an account or use AI, hosting, publication, or form features
- when you make payments, contact us, or submit a complaint
- when you visit a customer website hosted on our infrastructure
Categories of data
- identification and contact data
- registration, billing, and subscription-status data
- account, settings, activity, and security data
- project content, graphics, logos, briefs, and AI instructions
- messages, support tickets, and marketing data
- technical data such as IP address, browser, operating system, and logs
Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| accounts, requests, and services | contract or pre-contractual steps |
| payments, invoices, and accounting | legal obligation and contract |
| support, complaints, and security | contract, legal obligation, or legitimate interest |
| analytics, marketing, and non-essential cookies | freely given, informed consent collected through the cookie banner only (Art. 6(1)(a) GDPR) |
| claims and data-protection compliance | legitimate interest or legal obligation |
Controller and processor roles
For user data, account data, payments, support, marketing, and security, we act as controller. For third-party data collected through customer websites, such as contact-form leads, we usually act as processor on behalf of the customer.
The customer is responsible for its own legal basis, notices, consents, and privacy policy for website visitors. Processing on behalf of a customer is governed by the Data Processing Agreement.
AI and input data
AI features may process briefs, website content, business information, sample text, and other materials provided by the user. Users should not input sensitive data, children data, trade secrets, or third-party personal data without an appropriate legal basis.
Artificial intelligence (AI) and confidentiality
We use AI models solely through the official, commercial application programming interfaces (APIs) of their providers. We do not use public, consumer versions of AI tools to process Customer materials.
We guarantee that data sent to AI models in connection with providing the Service, in particular briefs, business descriptions, website content, and instructions, is not used by external providers (e.g. OpenAI) to train their public models. Processing takes place on commercial API terms, in Zero Data Retention mode or on equivalent contractual terms that exclude training models on the input data and provide that such data is not retained after the request beyond what is necessary to provide the Service.
Recipients
The current list of main providers is available in the Subprocessor List.
- hosting, database, infrastructure, security, and email providers
- payment operators, in particular Stripe
- analytics, AI, and content-processing providers
- accountants, lawyers, advisers, and public authorities where required
- customers, where the data relates to their own websites and forms
Transfers outside the EEA
Some providers may process data outside the European Economic Area. Where required, we use appropriate safeguards, including standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms.
Retention
- account data - for the agreement term and limitation period for claims
- billing data - for the period required by tax and accounting law
- support data - for request handling and possible claim defence
- security logs - for the period needed to keep the service secure
- marketing data - until consent is withdrawn or an objection is effective
- customer data processed as processor - according to the customer instructions and DPA
Your rights
You may request access, rectification, erasure, restriction, portability, objection, consent withdrawal, and may lodge a complaint with the Polish data protection authority. To exercise rights, contact gdpr@hejbobr.pl.
Security and changes
We use technical and organisational measures appropriate to risk, including access control, encrypted transmission, administrative restrictions, backups, security monitoring, and incident response procedures.
We may update this Privacy Policy when services, tools, or law change. We will notify material changes in the service or by email.