[ RODO / GDPR ]

Privacy Policy

Last updated: 23 June 2026

This policy explains how we process your personal data on chmielewski.studio — in particular when you book an online consultation and when you open an offer prepared for you. We are committed to data minimisation: we collect only what is necessary.

Contents

  1. Data controller
  2. What this policy covers
  3. What data we process and why
  4. Legal bases
  5. Recipients (processors)
  6. Transfers outside the EEA
  7. How long we keep data
  8. Your rights
  9. Whether providing data is required
  10. No profiling or automated decisions
  11. Cookies and browser storage
  12. Security
  13. Changes to this policy

1. Data controller

The controller of your personal data is Chmielewscy Sp. z o.o., with its registered office in Olsztyn (10-691), ul. Edwarda Mroza 23a/43, Poland, Tax ID (NIP) 7393907337 (the “Controller”, “we”).

For any matter concerning personal data and the exercise of your rights, contact us at kuba@chmielewski.studio. We have not appointed a Data Protection Officer (DPO) — please direct correspondence to the address above.

2. What this policy covers

This policy covers two processing contexts on the site:

  • Consultation booking — when you book a 30-minute online meeting through the form on the home page (the “Booking” section).
  • Offer analytics — when you open an individual, password-protected commercial offer we have sent you; we measure interest in the offer in a pseudonymous way.

It also describes the processing of data in ordinary e-mail correspondence.

3. What data we process and why

Consultation booking. To arrange and confirm the meeting we process: your name, e-mail address, an optional note (the topic), your time zone and the selected slot. To protect the form against abuse we also process an irreversible hash of your IP address — we do not store the raw IP address.

After booking we create an event in the host calendar with a Google Meet link and send you a confirmation e-mail. We use the note solely to prepare for the conversation.

Offer analytics. When you open an offer sent to you, we store a pseudonymous session identifier (in your browser local storage), the country and a coarse browser/OS family, along with events such as “offer opened”, “scrolled to section” and “calculator used”. We do not collect the raw IP address or the full user-agent, and we do not store the numeric values you type into the interactive calculator. The sole purpose is to measure interest in our own offer.

Correspondence. If you e-mail us, we process the data contained in your message in order to respond and handle the matter.

4. Legal bases

We process data under the GDPR (Regulation (EU) 2016/679):

  • Consultation booking — Art. 6(1)(b) (steps taken at your request prior to entering into a contract / arranging the meeting), (a) (your consent given via the checkbox), and (f) (our legitimate interest — form security and spam protection).
  • Offer analytics — Art. 6(1)(a) (your consent given in the cookie banner). We start analytics only after you consent; without it we store no session identifier.
  • Correspondence — Art. 6(1)(f) (handling your enquiry), or (b) where it concerns a contract.

5. Recipients (processors)

We use trusted providers that process data solely on our instructions, under data processing agreements:

Provider | Role | Data region
Google (Workspace) | Calendar and Google Meet — the slot and the meeting link | USA / global
Resend | Sending the booking confirmation e-mail | USA
Cloudflare | Turnstile — anti-bot verification of the form | USA / global
Vercel | Site hosting | USA / global
Supabase | Database for bookings and analytics | European Union (EU region)

We may also disclose data to entities authorised under applicable law.

6. Transfers outside the EEA

We store booking and analytics data in a database located in the European Union. Some providers (Google, Cloudflare, Vercel, Resend) are US entities that may process data outside the European Economic Area. This takes place on the basis of Standard Contractual Clauses (SCC) and/or Data Privacy Framework certification, ensuring an adequate level of protection. You can obtain a copy of the safeguards by writing to our contact address.

7. How long we keep data

  • Bookings — contact data (name, e-mail, note) is deleted within 180 days after the meeting takes place or is cancelled. The event itself remains in the host calendar history.
  • Offer analytics — events and pseudonymous data are deleted after 180 days (automatic clean-up).
  • Correspondence — for as long as needed to handle the matter, and then for the limitation period of any potential claims.

8. Your rights

You have the right to: access your data and obtain a copy, rectification, erasure (the “right to be forgotten”), restriction of processing, data portability, and to object to processing based on legitimate interest.

Where processing is based on consent, you may withdraw it at any time — without affecting the lawfulness of processing carried out before the withdrawal.

To exercise your rights, write to kuba@chmielewski.studio. You also have the right to lodge a complaint with a supervisory authority — in Poland, the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw — or the authority in your country of residence.

9. Whether providing data is required

Providing data in the booking form is voluntary but necessary to arrange the meeting — without your name, e-mail address and consent we cannot complete the booking. The note is optional. Offer analytics does not require you to provide any data.

10. No profiling or automated decisions

We do not take decisions producing legal effects concerning you based solely on automated processing, nor do we carry out profiling within the meaning of Art. 22 GDPR.

11. Cookies and browser storage

The site does not use third-party marketing or tracking cookies. We enable offer analytics (a pseudonymous session identifier in your browser local storage) only with your consent given in the cookie banner; you can change or withdraw it at any time. Cloudflare Turnstile may store a technical token needed to verify that a human is filling in the form (strictly necessary — works without consent); it is not used for tracking or profiling. See our cookie policy for the full list and how to manage it.

12. Security

We apply technical and organisational measures appropriate to the risk: transport encryption (HTTPS), data minimisation (e.g. storing an irreversible hash instead of the raw IP address), access restriction, and keeping keys and secrets server-side only.

13. Changes to this policy

We may update this policy when our processes or the law change. The current version is always available at this address, with the date of the latest update shown at the top of the page.

© 2026 chmielewski.studio