Privacy Policy
1. Data Controller
The data controller for your personal data is:
ScudoAI sp. z o.o.
ul. Księcia Witolda 49/15, 50-202 Wrocław
KRS: 0001220084, NIP: 8982329578, REGON: 543869430
Email: privacy@scudoai.com
Due to the size of our organization, we have not appointed a dedicated Data Protection Officer (DPO). The data controller is directly responsible for data protection compliance. For all data protection matters, please contact us at: privacy@scudoai.com.
2. Categories of Personal Data
We may collect the following categories of personal data:
- Contact information: name, email address, phone number, company name
- Technical data: IP address, browser type, device information, pages visited
- Communication data: content of messages you send us
- Cookie data: information collected through cookies (see our Cookie Policy)
3. Purposes of Processing
We process your personal data for the following purposes:
- To respond to inquiries (legal basis: legitimate interest, Art. 6(1)(f) GDPR)
- To provide our services (legal basis: contract performance, Art. 6(1)(b) GDPR)
- To improve our website through analytics (legal basis: consent, Art. 6(1)(a) GDPR)
- To comply with legal obligations (legal basis: legal obligation, Art. 6(1)(c) GDPR)
4. Data Retention
We retain your personal data for the following periods:
- Contact form data: 3 years from last contact
- Contract-related data: Duration of contract + 6 years (legal requirement)
- Analytics data: Configured retention in Google Analytics 4 (max 14 months)
- Cookie consent records: 5 years
5. Your Rights
Under GDPR, you have the following rights:
- Right of Access: You have the right to request a copy of your personal data.
- Right to Rectification: You have the right to request correction of inaccurate personal data.
- Right to Erasure: You have the right to request deletion of your personal data in certain circumstances.
- Right to Restriction: You have the right to request restriction of processing of your personal data.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used format.
- Right to Object: You have the right to object to processing of your personal data in certain circumstances.
- Right to Withdraw Consent: Where we process your data based on your consent (Art. 6(1)(a) GDPR), you have the right to withdraw that consent at any time. Withdrawal is as simple as giving consent: you can update your cookie preferences via the cookie banner or contact us directly. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
To exercise these rights, contact us at: privacy@scudoai.com
6. Automated Decision-Making
Our AI solutions are designed to assist human decision-making, not replace it. We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals (Art. 22 GDPR).
Where our AI agents process data on your premises, all outputs serve as recommendations subject to human review and oversight. You retain full control over any decisions made based on AI-generated insights.
7. Third-Party Processors
We may share your data with the following categories of processors:
- Google LLC - Google Tag Manager (GTM) and Google Analytics for website analytics. GTM is loaded only after analytics consent; consent is required for any storage on or access to your terminal device under Art. 397 of the Polish Electronic Communications Law (PKE) and the ePrivacy Directive 2002/58/EC.
- Home.pl - Website hosting
- GitLab Inc. - Code repository and CI/CD
International data transfers:
- Google LLC (USA) — Data transferred under the EU-U.S. Data Privacy Framework (DPF) where Google's certification is current; Standard Contractual Clauses (SCCs) apply as a fallback.
- GitLab Inc. (USA) — Data transferred under Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
- Home.pl (Poland) — Data processed within the EU/EEA. No international transfer.
For US transfers, we conduct a Transfer Impact Assessment (Schrems II) and apply supplementary technical and contractual measures where appropriate. Current DPF certification status of each processor is documented in our processor list, available on request.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- SSL/TLS encryption for data in transit
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
9. Right to Complain
Under Art. 77 GDPR, if you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement. The Polish supervisory authority is:
President of the Personal Data Protection Office
ul. Stawki 2, 00-193 Warszawa
Website: https://uodo.gov.pl
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.
11. Contact Us
For any questions about this Privacy Policy or your personal data, contact us at:
Email: privacy@scudoai.com
General inquiries: office@scudoai.com