
Privacy Policy

EPKO sp. z o.o.

Effective Date: 2026-05-13 · Version 2.0

• Hosting: Finland (EU). Dedicated server; project data never leaves the EEA.
• IP address: SHA-256 + salt. In the consent register we store only a salted hash, irreversibly.
• Cookies: 30 days. We re-ask every month; by default everything is "denied".
• Your rights: 8 GDPR rights. We respond without undue delay, within 30 days at the latest.

Data Controller

The controller of your personal data is:

EPKO Spółka z ograniczoną odpowiedzialnością (EPKO sp. z o.o.), a Polish limited liability company
ul. Podleśna 2, 05-270 Marki, Poland
KRS: 0000908693 (District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register)
Tax ID (NIP): 1251720637
Statistical number (REGON): 389307530
Share capital: PLN 6,300.00 (fully paid up)

Contact regarding personal data: Email: biuro@epko.tech

We have not appointed a Data Protection Officer (DPO) as we are not legally required to do so. Please direct all data protection inquiries to the email address above.

What Data We Collect

We only collect data that is necessary to provide our services and ensure the proper functioning of our website. Here is a complete list:

2.1. Data you provide voluntarily
• First and last name
• Email address
• Phone number (optional)
• Message subject
• Message content in the contact form
• Company name and position (if provided during collaboration)

2.2. Data collected automatically
• IP address (anonymized in Google Analytics; held briefly in the contact form rate limiter; stored in the cookie consent log only as a SHA-256 hash with a server-side salt, with no way to recover the original IP)
• Browser type and version
• Operating system
• Screen resolution
• Language preferences
• Pages you visit on our site
• Time spent on pages
• Referral source (how you found our site)
• UTM campaign parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term): stored in browser sessionStorage, cleared when the tab closes
• A/B test variant identifier (e.g., hero section version): stored in localStorage only after you grant functional cookie consent
• Cookie consent identifier (consent_id): a random UUID generated in your browser when you first make a cookie decision. It lets us prove that we obtained your consent (GDPR Art. 7(1)). The identifier is not linked to any other data and does not identify you on its own.

2.3. Transaction data (during collaboration)
• Order history and amounts
• Payment dates
• Invoice details (tax ID, company address)
• Email correspondence history

Why We Process Your Data and Legal Basis

Every data processing activity has a specific purpose and legal basis. Here is the full breakdown:

3.1. Contract performance or pre-contractual actions
Legal basis: Art. 6(1)(b) GDPR
• Responding to your contact form inquiry
• Preparing and executing an offer or contract
• Communication within an ongoing project
• Payment processing and invoicing

3.2. Legal obligations
Legal basis: Art. 6(1)(c) GDPR
• Issuing and storing invoices (accounting regulations)
• Tax settlements
• Responding to requests from public authorities

3.3. Legitimate interests of the controller
Legal basis: Art. 6(1)(f) GDPR
Our legitimate interests are:
• Customer service and follow-up communication in response to inquiries (business communication)
• Establishing or defending against legal claims (e.g., project correspondence archive)
• Ensuring website security, including limiting form abuse (IP-based rate limiting at 5 submissions per minute)
• Internal lead-handling automation on our server in Finland (forwarding the contact form payload to our n8n instance for team notifications and classification)
• Cookieless visit analytics (self-hosted Umami): counting page views, traffic sources and basic Core Web Vitals metrics without identifying individuals, without cookies, and without sending data to the software vendor
• Maintaining a consent register (GDPR Art. 7(1)) to demonstrate that we obtained consent
Before basing processing on Art. 6(1)(f) GDPR we carried out a legitimate-interest assessment (LIA) and concluded that our interest does not override your rights and freedoms. You can object at any time - see section 7.6.

3.4. Your consent
Legal basis: Art. 6(1)(a) GDPR
• Functional cookies (e.g., remembering A/B test variant)
• Analytical cookies (Google Analytics)
• Marketing cookies (Facebook Pixel, Google Ads, TikTok Pixel)
• Sending hashed contact form data to the Meta Conversions API (only when you have granted marketing cookie consent)
You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.

Cookies and Tracking Technologies

Our website uses cookies and similar technologies. We use four categories of cookies:
• Necessary (always active) - required for the website to function
• Functional - remember your preferences (e.g., dark/light theme, A/B test variant assignment)
• Analytical - help us understand how you use the site (Google Analytics with IP anonymization)
• Marketing - enable personalized advertising (Facebook Pixel, Google Ads, TikTok Pixel)

Analytical and marketing cookies only load after your explicit consent. We implement Google Consent Mode v2, which means all consent signals are set to "denied" by default.

In addition to cookies, we use a cookieless analytics tool (Umami) self-hosted on our server in Finland. Umami does not write cookies to your browser, does not create cross-site identifiers, and does not perform browser fingerprinting. The Umami script reads only a single value from your browser's localStorage: the key "umami.disabled", which you set yourself if you wish to disable Umami on your device (opt-out mechanism). This key contains no identifier or other data; it is simply a flag of your preference and is not written by us. Server-side measurement relies on a short-lived anonymous hash of IP address, User-Agent and a daily salt; no persistent identifier is returned to your browser. Processing takes place on the basis of our legitimate interest (Art. 6(1)(f) GDPR).

The mere read of the opt-out key from your terminal equipment is treated as strictly necessary to provide the service you explicitly requested (respecting your decision to disable Umami) - Art. 398(5)(2) of the Polish Electronic Communications Act of 12 July 2024 (formerly Art. 173(3)(2) of the Telecommunications Law, repealed in November 2024), implementing Art. 5(3) of the ePrivacy Directive. If you nevertheless want to block Umami entirely, set the "umami.disabled" key to "true" in your localStorage, or block the analytics.epko.tech domain in your browser or privacy extensions.

You can change your preferences at any time using the "Manage cookies" button in the website footer.
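As an added illustration (not EPKO's code and not Umami's implementation), here are the two hashing schemes this section and section 2.2 describe, written in Python: a visitor hash keyed with a salt that is replaced every day, and a salted SHA-256 of the IP address for the consent register. The class and function names, the constructed sample visitor and the way the salts are handled are assumptions. What the code shows is why the salt must stay secret in both cases and, for the analytics case, why rotating and discarding it leaves no persistent identifier behind.

```python
import hashlib
import hmac
import secrets
from datetime import date
from typing import Optional


class DailySaltStore:
    """Keeps the salt for the current day only (constructed illustration).

    When the day changes the previous salt is overwritten and never
    persisted, so visitor hashes from earlier days cannot be recomputed,
    not even by the operator of the server.
    """

    def __init__(self) -> None:
        self.day: Optional[date] = None
        self.salt: Optional[bytes] = None

    def salt_for(self, day: date) -> bytes:
        if day != self.day:
            # New random 256-bit salt; the old one is dropped for good.
            self.day, self.salt = day, secrets.token_bytes(32)
        return self.salt


def visitor_hash(ip: str, user_agent: str, day: date, store: DailySaltStore) -> str:
    """Short-lived anonymous visitor identifier for cookieless analytics.

    HMAC-SHA256 over IP address and User-Agent, keyed with the day's salt:
    stable within one day (page views by the same visitor can be counted
    once), different on every day (no persistent identifier exists), and
    nothing is ever sent back to or stored in the browser.
    """
    message = f"{ip}\n{user_agent}".encode()
    return hmac.new(store.salt_for(day), message, hashlib.sha256).hexdigest()


def consent_register_ip_hash(ip: str, server_salt: bytes) -> str:
    """Salted SHA-256 of the client IP for a long-lived consent register.

    The salt has to be a server-side secret: IPv4 has only 2^32 addresses,
    so whoever holds the salt could hash candidate addresses and compare
    them with the stored value. With the salt kept secret and long enough
    (32 random bytes here), the stored hash cannot be turned back into an
    address, which is what lets it serve as evidence of consent without
    keeping the address itself.
    """
    return hashlib.sha256(server_salt + b"\x00" + ip.encode()).hexdigest()


if __name__ == "__main__":
    store = DailySaltStore()
    today, tomorrow = date(2026, 5, 13), date(2026, 5, 14)       # constructed dates
    ip, ua = "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"     # constructed visitor
    first = visitor_hash(ip, ua, today, store)
    again = visitor_hash(ip, ua, today, store)                    # same day: same id
    next_day = visitor_hash(ip, ua, tomorrow, store)              # salt rotates: new id
    revisit = visitor_hash(ip, ua, today, store)                  # old salt gone: unrelated id
    print(first == again, first != next_day, first != revisit)    # True True True
    server_salt = secrets.token_bytes(32)                         # in practice: from config
    print(consent_register_ip_hash(ip, server_salt))
```

The analytics hash uses HMAC rather than a bare concatenation so that the salt acts as a proper key; the consent-register hash is written as plain salted SHA-256 to match the wording of the policy. In both cases the security of the scheme is the secrecy of the salt, not the hash function.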

For details, see our Cookie Policy.

Who We Share Your Data With

Your data may be processed by trusted third parties we work with. Here is the complete list:

5.1. Hosting and infrastructure
• Dedicated server in Finland (EU) - hosts the website, the n8n instance, and the Umami analytics instance. Data on this layer never leaves the European Economic Area.
• Self-hosted Umami analytics (software by Umami Software, Inc., USA) - runs under our own domain analytics.epko.tech on our server in Finland. Counts anonymous page views and Core Web Vitals metrics. Does not use cookies, does not build profiles, and does not transmit data to the software vendor. Even so, the script loads only after you grant analytics consent (compliant with Art. 5(3) of the ePrivacy Directive). Legal basis: Art. 6(1)(a) GDPR (consent).

5.2. Analytics and marketing (only with your consent)
• Google LLC (Google Analytics 4, Google Ads) - with IP anonymization. Transfer to the USA based on the Data Privacy Framework (European Commission decision of 10 July 2023) and the EU Standard Contractual Clauses.
• Meta Platforms Ireland Ltd (Facebook Pixel and Conversions API) - controller in the EU/EEA; Meta's infrastructure may involve transfer to the USA, safeguarded by the Data Privacy Framework and SCC. For Facebook Pixel and Conversions API we act as joint controllers with Meta under the Meta Business Tools Terms (Art. 26 GDPR). Essence of the arrangement: EPKO is responsible for the lawful basis of collecting the data (your marketing-cookie consent) and for informing you of the processing; Meta is responsible for the security of processing within its own systems and for fulfilling data subject rights regarding data already held on its platform (Meta data subject rights contact: https://www.facebook.com/help/contact/540977946302970).
  We use two parallel event transmission channels:
  - Facebook Pixel (browser): technical visit and click data
  - Conversions API (server-to-server): after a contact form submission we send hashed (SHA-256) data to Meta: email address, phone number, first and last name, along with IP address and session identifier. Hashed data is used exclusively for conversion deduplication and attribution; Meta does not have access to the original values.
  Both channels share a common event identifier, so each event is counted only once.
• TikTok Technology Ltd (TikTok Pixel) - controller in Ireland (EU), global infrastructure. Transfer outside the EEA safeguarded by SCC.
• LinkedIn Ireland Unlimited Company (LinkedIn Insight Tag) - data controller for EU users, based in Dublin. Script loaded from snap.licdn.com. LinkedIn is an independent controller of its own cookies (e.g., li_*, bcookie, lidc, UserMatchHistory); transfer to the USA is safeguarded by Standard Contractual Clauses.

5.3. Business services
• Supabase Inc. (incorporated in Delaware, USA) - database, authentication, storage of contact form messages, and the cookie consent register. Data is stored physically in the EU region (Frankfurt). Transfer outside the EEA is safeguarded by Standard Contractual Clauses (SCC) approved by the European Commission and by the Data Privacy Framework.
• Sanity Inc. (USA / Norway) - headless CMS storing the content we publish on the site (blog articles, project descriptions, profiles of our team members). We do not store your data as a visitor in Sanity (it holds editorial content authored by our team, not data submitted by you). Transfer safeguarded by SCC and the Data Privacy Framework (for US operations).
• Self-hosted n8n instance (software by n8n GmbH, Berlin, Germany) - automation platform running on our dedicated server in Finland (EU). After a contact form submission we forward a copy of the lead (full name, email, phone, company, subject, message content, source URL of the form, and the client IP address) to n8n for internal lead-handling automation (e.g., notifications, CRM integration, team tasks). The transmission is secured with an HMAC-SHA256 signature. Data does not leave the EEA and is not transferred to n8n GmbH as a processor; n8n GmbH is solely the software vendor.
• Resend, Inc. (incorporated in Delaware, USA) - transactional email provider. We use Resend to send internal lead notifications (containing the data you submitted in the form) and replies to you from biuro@epko.tech. Transfer outside the EEA is safeguarded by Standard Contractual Clauses (SCC) approved by the European Commission.
• Payment system providers (for invoicing, when you become our client)
• Accounting firm (to the extent required by tax law; office in Poland)

5.4. Communication tools
• The email providers mentioned above (Resend), plus the standard mail providers on both ends (yours and ours) as part of business correspondence.

For entities outside the EU/EEA, we ensure an adequate level of data protection through:
• European Commission adequacy decisions (e.g., the EU-U.S. Data Privacy Framework)
• Standard Contractual Clauses (SCC) approved by the European Commission
• Other legally permissible safeguards (Art. 46 GDPR)

We never sell your data. We also do not share it with data brokers, third-party data marketplaces, or any other parties beyond those listed above.
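An added example (not the project's own code) of the two server-side protections this policy mentions for the contact form: the per-IP rate limit from section 3.3 (5 submissions per minute, with the address held only as long as the window needs it) and the HMAC-SHA256 signature on the lead that is forwarded to n8n. The function names, the constructed sample lead, the shared secret and the timestamp-based freshness check on the receiving side are assumptions; the page states only that an HMAC-SHA256 signature is used.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

RATE_LIMIT = 5        # submissions per window (section 3.3 of the policy)
WINDOW_SECONDS = 60   # one minute


class RateLimiter:
    """Sliding-window limiter keyed by client IP (constructed illustration).

    Only submission timestamps inside the last WINDOW_SECONDS are kept, and
    forget_stale() removes addresses that have gone quiet, so an IP address
    lives in memory only briefly and is never written anywhere.
    """

    def __init__(self, limit: int = RATE_LIMIT, window: float = WINDOW_SECONDS) -> None:
        self.limit, self.window = limit, window
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        """Return True and record the hit if ip is under the limit at time now."""
        recent = self.hits[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                 # expire hits older than the window
        if len(recent) >= self.limit:
            return False                     # reject, and do not record the attempt
        recent.append(now)
        return True

    def forget_stale(self, now: float) -> None:
        """Drop addresses with no submission inside the window."""
        stale = [ip for ip, q in self.hits.items() if not q or now - q[-1] >= self.window]
        for ip in stale:
            del self.hits[ip]


def sign_lead(payload: dict, secret: bytes, timestamp: int) -> Tuple[bytes, str]:
    """Serialise the lead canonically and sign timestamp + body with HMAC-SHA256.

    Canonical JSON (sorted keys, no whitespace) means sender and receiver hash
    byte-identical input. Binding the timestamp into the MAC is an added
    design choice, not something the policy states: it lets the receiver
    reject old captures of an otherwise valid message.
    """
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return body, mac


def verify_lead(body: bytes, timestamp: int, signature: str, secret: bytes,
                now: int, max_age: int = 300) -> bool:
    """Receiver side: check freshness, then compare MACs in constant time."""
    if abs(now - timestamp) > max_age:
        return False
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    limiter = RateLimiter()
    client_ip = "203.0.113.7"                                   # constructed
    print([limiter.allow(client_ip, 1000.0 + i) for i in range(6)])   # 5 x True, then False
    print(limiter.allow(client_ip, 1060.0))                     # True: the first hit has expired

    secret = b"constructed-shared-secret"                       # real value comes from server config
    lead = {"name": "Example Person", "email": "person@example.com",
            "message": "Hello", "source_url": "https://www.example.com/contact",
            "ip": client_ip}                                    # constructed sample lead
    body, sig = sign_lead(lead, secret, timestamp=1_700_000_000)
    print(verify_lead(body, 1_700_000_000, sig, secret, now=1_700_000_010))         # True
    print(verify_lead(body + b" ", 1_700_000_000, sig, secret, now=1_700_000_010))  # False: tampered
    print(verify_lead(body, 1_700_000_000, sig, secret, now=1_700_001_000))         # False: stale
```

The receiver must sign exactly the bytes it received rather than re-serialised JSON, and compare with `hmac.compare_digest` rather than `==`, so that a timing difference does not leak how many leading bytes of a forged signature were right.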
At a glance

Who we trust with your data

Full list of processors that receive fragments of your data - with location and transfer safeguards.

• Dedicated server (EEA) - Website, n8n and Umami hosting. Finland (EU). Data never leaves the EEA.
• Supabase (outside EEA) - Database, auth, consent register. Frankfurt (EU) · US entity. SCC + Data Privacy Framework.
• Resend (outside EEA) - Transactional email. Delaware, USA. European Commission SCC.
• Sanity (outside EEA) - Headless CMS (editorial content). USA / Norway. SCC + Data Privacy Framework.
• n8n (self-hosted) - Lead-handling automation. Finland (EU). HMAC-SHA256, stays in the EEA.
• Umami (self-hosted) - Cookieless analytics. Finland (EU). No cookies, no persistent identifiers.
• Google (Analytics, Ads) (outside EEA) - Analytics and remarketing, only with consent. USA. Data Privacy Framework + SCC.
• Meta (Pixel, CAPI) (outside EEA) - Pixel and Conversions API, only with consent. Ireland · USA. SCC + Data Privacy Framework.
• LinkedIn (Insight Tag) (outside EEA) - LinkedIn conversion tag, only with consent. Ireland · USA. SCC + Data Privacy Framework.
• TikTok (outside EEA) - TikTok Pixel, only with consent. Ireland, global infrastructure. Standard Contractual Clauses.

How Long We Keep Your Data

We do not store data longer than necessary. Here are the specific retention periods:
• Contact form data: up to 12 months after the last contact (in case the conversation continues)
• Contract and project data: duration of the contract + 6 years (statute of limitations for civil claims)
• Accounting documents and invoices: 5 years from the end of the financial year (accounting regulations)
• Email correspondence: duration of business relationship + 3 years
• Cookie preferences (localStorage): 30 days from your last decision, after which we will ask for your consent again
• Consent identifier (consent_id, localStorage): until you clear your browser storage or click "reset" in the cookie settings
• Server-side consent register (consent_logs): 5 years on the basis of the accountability principle (Art. 5(2) and Art. 7(1) GDPR) - long enough to demonstrate that valid consent was obtained if it is ever challenged. We store a salted SHA-256 hash of the IP address instead of the IP itself.
• UTM parameters (sessionStorage): until the browser tab is closed
• A/B test variant (localStorage): for the duration of the test or until you withdraw functional cookie consent
• Analytics data (Google Analytics): up to 26 months (with IP anonymization)
• Anonymous Umami data (on our server in Finland): up to 24 months in aggregated form; contains no personal data that could identify you
• Marketing data (Facebook Pixel, TikTok Pixel): up to 13 months

After these periods, data is permanently deleted or effectively anonymized.
At a glance

How long we keep your data

Each data category has its own retention period. After that: permanent deletion or anonymization.

  • Contact form: 12 months
  • Contract & project data: contract + 6 years
  • Invoices & accounting: 5 years
  • Email correspondence: relationship + 3 years
  • Cookie preferences (localStorage): 30 days
  • Consent ID (localStorage): until browser storage cleared
  • Server consent register (hashed IP): 5 years
  • UTM parameters (sessionStorage): until tab closed
  • A/B test variant: duration of the test
  • Google Analytics: 26 months
  • Umami (aggregated): 24 months
  • Facebook / TikTok Pixel: 13 months

Your Rights

Under the GDPR, you have a number of rights. We fulfill them without undue delay, within 30 days of receiving your request at the latest.

7.1. Right of access (Art. 15 GDPR)
You can ask whether we process your data and request a copy of it.

7.2. Right to rectification (Art. 16 GDPR)
If your data is inaccurate or incomplete, you have the right to correct it.

7.3. Right to erasure (Art. 17 GDPR)
You can request the deletion of your data ("right to be forgotten"), unless we have a legal obligation to continue storing it.

7.4. Right to restriction of processing (Art. 18 GDPR)
You can request restriction of data processing in certain situations.

7.5. Right to data portability (Art. 20 GDPR)
You have the right to receive your data in a structured format (e.g., CSV, JSON) and transfer it to another controller.

7.6. Right to object (Art. 21 GDPR)
You can object at any time to data processing based on legitimate interest (Art. 6(1)(f)).

7.7. Right to withdraw consent (Art. 7(3) GDPR)
You can withdraw consent for cookies or other processing at any time. This does not affect the lawfulness of prior processing.

7.8. Right to lodge a complaint
If you believe we process your data unlawfully, you have the right to lodge a complaint with:
President of the Personal Data Protection Office (PUODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Phone: +48 22 531 03 00
https://uodo.gov.pl

To exercise any of the above rights, write to us at: biuro@epko.tech. We will respond as soon as possible.
At a glance

Your GDPR rights at a glance

Eight concrete rights. We fulfill them without undue delay, within 30 days at the latest.

  • 7.1 (Art. 15) Right of access: Ask whether we process your data and request a copy.
  • 7.2 (Art. 16) Rectification: Correct inaccurate or incomplete data.
  • 7.3 (Art. 17) Erasure: "Right to be forgotten" - unless we must retain by law.
  • 7.4 (Art. 18) Restriction: Pause processing in specific situations.
  • 7.5 (Art. 20) Portability: Receive your data in CSV / JSON and pass it to another controller.
  • 7.6 (Art. 21) Object: Object to processing based on legitimate interest.
  • 7.7 (Art. 7(3)) Withdraw consent: Withdraw at any time - no effect on prior processing.
  • 7.8 (Art. 77) Lodge a complaint: President of the PDPO, ul. Stawki 2, 00-193 Warsaw.

Automated Decision-Making and Profiling

We do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you (Art. 22 GDPR). The marketing and analytics tools we use (Google Analytics, Facebook Pixel, TikTok Pixel, Google Ads) may create behavioral profiles based on your activity on our site. This happens only after you have granted consent for the relevant cookie categories. These profiles are used to measure campaign effectiveness and tailor advertising; they are not used to make decisions that would have legal effects on you or would similarly significantly affect you within the meaning of Art. 22 GDPR.

Data Security

We take the security of your data seriously. We implement appropriate technical and organizational measures, including:
• Data transmission encryption (SSL/TLS)
• Dedicated server in Finland (EU) with controlled access
• Regular software and dependency updates
• Access control - personal data is processed only by authorized personnel
• Encrypted backups
• Security monitoring and event logging
• Security headers (Content-Security-Policy, HSTS, X-Frame-Options)
• IP anonymization in analytics tools

If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the President of the Polish Personal Data Protection Office (UODO) without undue delay and, where feasible, not later than 72 hours after becoming aware of it (Art. 33 GDPR). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay (Art. 34 GDPR).

Children's Data

Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you learn that a child has provided us with their data, please contact us and we will promptly delete it.

Whether You Have to Provide Your Data

Providing personal data is voluntary, but in some situations it is necessary for us to respond or to provide our services:
• Contact form: full name, email address, and message content are required so that we can reply. Phone number and company name are optional. Without the required data we will not be able to contact you.
• Service agreement: to enter into and perform a contract we need identification data (name or company name, tax ID, address) and contact data. Without this data we cannot conclude a contract or issue an invoice.
• Analytical and marketing cookies: entirely optional. Lack of consent does not limit your access to the site and does not change its functionality.
• Functional cookies (e.g., A/B test variant, theme): optional. Lack of consent means we will not remember your preferences between visits.

Providing data for accounting purposes (invoicing) is required by law (the Polish Accounting Act, the VAT Act) and is mandatory once you become our client.

Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in legislation or our services. We will inform you of significant changes through:
• A clear notice on the website
• An information banner on your first visit after changes
• An email message (if you are our client)

The date of the last update is always visible at the top of this page. We encourage you to check the Privacy Policy regularly.

Questions about your data?

Write to us. Requests to exercise GDPR rights, rectification, erasure or consent withdrawal are top priority.

biuro@epko.tech