GDPR
Your data is safe with us
We operate in full compliance with Regulation (EU) 2016/679 (GDPR). Protecting personal data is not a formality for us, but a foundation of trust.
Last updated: 2026-05-13
• Standard: GDPR. Full compliance with Regulation (EU) 2016/679.
• Hosting: EU. Dedicated server in Finland; the primary data store stays in the EEA (processors established outside the EEA are listed under "Who we share your data with").
• Breaches: 72 h. Window for notifying the President of UODO after we become aware of a breach (Art. 33 GDPR).
• Supervisor: PUODO. Complaints: ul. Stawki 2, 00-193 Warsaw, Poland.
Data Controller
The controller of your personal data is EPKO Spółka z ograniczoną odpowiedzialnością (EPKO sp. z o.o.), a Polish limited liability company based at ul. Podleśna 2, 05-270 Marki, Poland.
The company is registered in the Register of Entrepreneurs of the National Court Register, kept by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register, under KRS number 0000908693, NIP: 1251720637, REGON: 389307530, share capital: PLN 6,300.00 (fully paid up).
We have not appointed a Data Protection Officer (DPO) as we are not legally required to do so. Direct all data protection inquiries to the address below.
• Email: biuro@epko.tech
• Correspondence address: ul. Podleśna 2, 05-270 Marki, Poland
What data we process and on what legal basis
We only process data that is necessary for a specific purpose. This is a summary. The full list, including data collected automatically (IP, browser, UTM parameters, A/B test variant), is in our Privacy Policy.
Providing data is voluntary, though for the contact form and contract execution it is required so we can handle your request or deliver the service (Art. 13(2)(e) GDPR). Analytical and marketing cookies are entirely voluntary. You can use the site without accepting them.
• Contact form (name, email, subject, message) based on contract performance or pre-contractual actions (Art. 6(1)(b) GDPR). Retained until the correspondence ends, then up to 6 months.
• Contract execution (company and contact details, tax ID, invoice details) based on contract performance (Art. 6(1)(b) GDPR). Retained for the contract duration + 6 years (statute of limitations for civil claims).
• Tax and accounting obligations (invoices, settlement documents) based on legal obligation (Art. 6(1)(c) GDPR). Retained for 5 years from the end of the financial year.
• Website security and defense of legal claims based on legitimate interest (Art. 6(1)(f) GDPR).
• Analytical and marketing cookies based on your consent (Art. 6(1)(a) GDPR). Details in our Cookie Policy.
Data processing principles
We process data in accordance with GDPR principles:
• Lawfulness: we process data solely based on legal grounds specified in Art. 6 GDPR.
• Data minimization: we collect only the data that is truly necessary.
• Purpose limitation: data is processed only for specified, clear purposes.
• Storage limitation: we delete data once the processing purpose is fulfilled.
• Integrity and confidentiality: we use encryption and access control.
Who we share your data with
We use trusted data processors that we carefully select. The full list is in our Privacy Policy. In short:
• Hosting: dedicated server in Finland (EU).
• Database and contact form messages: Supabase Inc. (US-based, data stored in the EU region, Frankfurt). Transfer outside the EEA safeguarded by Standard Contractual Clauses (SCC).
• Published content (blog, projects, team): Sanity Inc. (US / Norway). Transfer safeguarded by SCC.
• Transactional email delivery (lead notifications): Resend Inc. (USA). Transfer safeguarded by SCC.
• Privacy-friendly analytics (cookieless, on our server): Umami Software Inc. as software vendor; aggregated data remains in the EU.
• Analytics and marketing, only with your consent: Google LLC (Analytics, Ads; transfer DPF + SCC), Meta Platforms Ireland Ltd (Pixel, Conversions API; EU, global infrastructure under DPF + SCC), TikTok Technology Ltd (Ireland, global infrastructure under SCC).
• Lead automation: a self-hosted n8n instance (software by n8n GmbH, Berlin) running on our server in Finland. Data does not leave the EEA; n8n GmbH does not receive data.
• Accounting firm and payment providers, to the extent required for invoicing.
Your rights
Under the GDPR, you have a number of rights. We act on requests without undue delay and at the latest within one month of receipt (Art. 12(3) GDPR); for complex or numerous requests this period may be extended by a further two months, and we will tell you within the first month if that is necessary. Contact us at biuro@epko.tech.
• Right of access (Art. 15): you can ask what data we process about you.
• Right to rectification (Art. 16): you can correct inaccurate or outdated data.
• Right to erasure (Art. 17): you can request deletion of your data ("right to be forgotten"), unless we have a legal obligation to retain it.
• Right to restriction of processing (Art. 18): you can ask us to restrict processing, for example while we verify the accuracy of your data or while your objection is being considered; during that time we only store the data.
• Right to data portability (Art. 20): for data you provided to us that we process by automated means on the basis of consent or a contract, you can receive it in a structured, commonly used, machine-readable format (e.g., CSV, JSON) or have it transmitted to another controller.
• Right to object (Art. 21): you can object to processing based on legitimate interest.
• Right to withdraw consent (Art. 7(3)): if we process data based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
• Right to lodge a complaint with the supervisory authority: President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, phone +48 22 531 03 00, https://uodo.gov.pl.
Where we store data
Your data is primarily stored on a dedicated server in Finland (European Union). Data processed by Supabase is stored in the EU region (Frankfurt).
If a service requires transferring data to entities outside the EU/EEA, we do so only based on Standard Contractual Clauses (SCC) approved by the European Commission or an adequacy decision.
Technical and organizational measures
Data security is our specialty. We have implemented:
• Encryption in transit (HTTPS/TLS) and at rest.
• Access control: data is processed only by authorized personnel.
• Row Level Security (RLS) in the database.
• Security headers: Content-Security-Policy, HSTS, X-Frame-Options.
• Regular security audits and dependency updates.
• Monitoring, event logging, and threat detection.
• Encrypted backups and a disaster recovery procedure.
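As an added illustration of the row-level-security item in the list above (example code written for this page, not EPKO's actual schema or policies), the following is a minimal Postgres RLS configuration for a contact-form table of the kind the page describes. The table name contact_messages and the role staff_reader are assumptions; anon and authenticated are the default API roles in a Supabase project.

```sql
-- Added example, not EPKO's real schema: Postgres row-level security for a
-- contact-form table. Table and role names are assumptions; "anon" and
-- "authenticated" are the default API roles in a Supabase project.
create table if not exists contact_messages (
  id         bigint generated always as identity primary key,
  name       text        not null,
  email      text        not null,
  subject    text        not null,
  message    text        not null,
  created_at timestamptz not null default now()
);

-- Switch RLS on and apply it to the table owner too: without FORCE the owning
-- role is exempt from every policy and sees all rows.
alter table contact_messages enable row level security;
alter table contact_messages force row level security;

-- Least privilege for the public API roles: drop whatever was granted by
-- default, then give anonymous visitors INSERT only. A visitor can submit a
-- message but can never read anyone's submissions.
revoke all on contact_messages from anon, authenticated;
grant insert on contact_messages to anon;

-- With RLS enabled, an INSERT is refused unless some policy's WITH CHECK
-- accepts the row. The checks below also enforce a little data minimisation.
create policy "visitors may submit a message"
  on contact_messages
  for insert
  to anon
  with check (
    length(message) <= 5000
    and email ~ '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$'
  );

-- Reading is reserved for a dedicated role used by the lead-automation job
-- (assumed here to be called staff_reader and created beforehand). Because no
-- SELECT policy exists for anon, anon would see zero rows even if a SELECT
-- grant were reinstated by mistake.
grant select on contact_messages to staff_reader;
create policy "staff may read messages"
  on contact_messages
  for select
  to staff_reader
  using (true);
```

A quick check from psql is to run an INSERT and a SELECT as each role (set role anon; ... reset role;): the INSERT succeeds, a SELECT by anon is rejected for lack of privilege, and a SELECT by staff_reader returns the rows. Two caveats a practitioner would add: superusers and any role with the BYPASSRLS attribute (in Supabase, the service_role key) skip RLS entirely, so that key must never reach the browser; and RLS says nothing about what happens to the data after the automation job reads it, so the retention period stated above for contact-form messages still has to be enforced by a separate deletion job.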
Data breach notification
In the event of a personal data breach:
• We notify PUODO without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless it is unlikely to result in a risk to your rights and freedoms (Art. 33 GDPR).
• If the breach poses a high risk to your rights, we inform you without undue delay (Art. 34 GDPR).
• We document every breach and take corrective action.
Automated decision-making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you (Art. 22 GDPR).
Google Analytics, Facebook Pixel and TikTok Pixel may create behavioral profiles only after you have given consent and are not used to make decisions that affect you.
Children's data
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you learn that a child has provided us with their data, please contact us and we will promptly delete it.
Updates
This page may be updated as laws or our procedures change. We will communicate significant changes on this page.
Questions about your data?
Write to us. We treat every personal data protection inquiry as a priority.
biuro@epko.tech
We respond within 48 hours.