Privacy Policy
Rules for the processing of personal data of users, customer representatives, organization members and persons using ClearAIDesk.com.
1. Data Controller
The controller of personal data processed in connection with the operation of the ClearAIDesk.com service is NGITECH Sp. z o.o. with its registered office at al. Wiśniowa 36A/107B, 53-137 Wrocław, Poland, NIP: 8992894943, e-mail: office.pl@ngitech.org.
2. Role of the platform in data processing
ClearAIDesk.com is a SaaS platform intended for organizations. With regard to user account data, contact data, billing data, security and service support, NGITECH Sp. z o.o. acts as the data controller. With regard to content, data and materials entered into the organization workspace by the customer or its users, NGITECH Sp. z o.o. may act as a data processor on the customer’s instructions, in accordance with the agreement, the terms of service and the applicable data processing agreement.
3. Scope of processed data
- user account data, such as first name, last name, e-mail address, account identifiers, user role, security settings and login data
- data of the organization, customer representatives, administrators, team members, departments, assignments, permissions and contact details
- operational data entered into the system, including information about AI tools, policies, checklists, confirmations, tasks, publication settings, documents and activity history
- publication data related to the transparency page or other public modules managed by the customer
- billing, accounting and transaction data related to the use of paid platform functions
- communication data, including the content of requests, e-mail correspondence, sales inquiries, technical support requests and complaints
- technical and security data, such as IP address, session identifiers, system logs, device and browser information, security events, login time and activity in the system
- data concerning consents, privacy preferences, cookie settings and account or organization configuration
4. Purposes and legal bases of processing
- creating and operating an account, providing access to the platform, maintaining the organization workspace and providing electronic services — Article 6(1)(b) GDPR
- servicing business customers, contacting representatives of organizations, managing commercial and operational relationships — Article 6(1)(f) GDPR
- fulfilling accounting, tax, bookkeeping, billing and documentation obligations — Article 6(1)(c) GDPR
- ensuring platform security, preventing abuse, detecting incidents, controlling access, logging events and protecting infrastructure — Article 6(1)(f) GDPR
- handling requests, complaints, inquiries, technical support and communication with users and customers — Article 6(1)(b) or Article 6(1)(f) GDPR
- establishing, pursuing or defending claims and documenting the performance of obligations — Article 6(1)(f) GDPR
- developing, maintaining, testing and improving the quality of the platform, including analysis of feature performance and error diagnostics — Article 6(1)(f) GDPR
- conducting analytics, statistical measurements, marketing communication and operating technologies requiring consent — Article 6(1)(a) GDPR
5. Source of data
Personal data is obtained directly from the user, from the organization that is the platform customer, from the administrators of that organization, from registration forms, account configuration, use of the system, correspondence, technical requests, payment processes, billing documents and actions performed within the platform.
6. Data entered by the customer
The customer decides on the scope of data, content and materials entered into the organization workspace. The customer is responsible for having an appropriate legal basis for their processing, for properly granting permissions to users, for ensuring that published content complies with law, and for not entering excessive, unauthorized, confidential or restricted data in a manner contrary to law, the agreement or the organization’s procedures.
7. Data recipients
Personal data may be disclosed or entrusted to entities supporting the operation of the platform and the controller’s business activities, in particular providers of hosting, cloud infrastructure, e-mail services, security, technical monitoring, analytics, payments, accounting, legal services, technical support, IT tools and communication services. Data is transferred only to the extent necessary to achieve specific purposes and on the basis of appropriate legal grounds or data processing agreements.
8. Transfers of data outside the EEA
Personal data may be transferred outside the European Economic Area in connection with the use of cloud infrastructure, technical tools, communication services, security, analytics, support or payment services. Data transfers are carried out using mechanisms required by the GDPR, in particular adequacy decisions, standard contractual clauses, additional organizational and technical safeguards or other legally permitted transfer bases.
9. Data retention period
- user account data and organizational data are stored for the period of use of the service and then for the time necessary for billing, handling claims, security, archiving and demonstrating proper performance of the agreement
- billing, accounting and tax data are stored for the period required by law
- technical data, system logs and security events are stored for the period justified by platform security, auditing, abuse detection, error diagnostics and defense of claims
- request, complaint and correspondence data are stored for the period necessary to handle the matter and for the limitation period of potential claims
- data processed on the basis of consent is stored until consent is withdrawn, the purpose of processing ceases or the period resulting from the settings of a given technology expires
- data entered by the customer into the organization workspace is stored in accordance with the duration of the service, account configuration, the agreement with the customer and the rules for deleting or exporting data after the end of cooperation
10. Rights of data subjects
- the right of access to personal data
- the right to obtain a copy of data
- the right to rectify inaccurate or incomplete data
- the right to erase data where the conditions provided by law are met
- the right to restrict processing
- the right to data portability to the extent provided by the GDPR
- the right to object to processing based on legitimate interest
- the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before its withdrawal
- the right to lodge a complaint with the President of the Personal Data Protection Office
11. Exercising rights in the organization environment
In the case of data processed in the organization workspace, requests concerning the rights of data subjects may require the involvement of the customer as the entity deciding on the purposes and scope of processing of such data. NGITECH Sp. z o.o. supports the customer in handling such requests to the extent resulting from the agreement, applicable law and the technical capabilities of the platform.
12. Voluntary provision of data
Providing the data required to create an account, use the platform, support the organization and handle contact, billing and security is necessary to provide the service. Failure to provide required data may prevent account creation, use of selected functions, payment processing, request handling or performance of the agreement.
13. Automated decision-making
Personal data is not used to make decisions concerning users based solely on automated processing that would produce legal effects concerning them or similarly significantly affect them. AI features available in the platform are auxiliary in nature and require supervision and decisions on the part of the organization.
14. Data published by the customer
The customer is responsible for content and data published through the transparency page or other public modules of the platform. The customer should publish only data whose disclosure complies with law, the scope of authorization, the organization’s rules and the rights of data subjects.
15. Data security
The controller applies appropriate technical and organizational measures to protect personal data, including authentication, authorization, access control, permission management, session security, backups, event monitoring, activity logging, limiting access to data and securing technical infrastructure.
16. Cookies and similar technologies
The service uses cookies, local storage and similar technologies to ensure the proper operation of the platform, security, session maintenance, remembering settings, analytics and handling functions requiring user consent. Detailed information is available in the Cookie Policy.
17. Changes to the Privacy Policy
The Privacy Policy is updated in the event of legal, technological, organizational or functional changes. The current version of the Privacy Policy is published in the ClearAIDesk.com service.
18. Privacy contact
In matters related to personal data protection, exercising the rights of data subjects and the rules of data processing, NGITECH Sp. z o.o. may be contacted at: office.pl@ngitech.org.