Last updated: 2026-05-16
Privacy policy
This Privacy Policy describes how the electronicsignature.pl website, operated by 2SECURE Sp. z o.o., processes users' personal data in accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and the Polish Personal Data Protection Act of 10 May 2018.
[TODO: complete all placeholders below once company data is provided]
1. Data controller
The controller of your personal data is:
- 2SECURE Sp. z o.o.
- Registered address: [TODO: street, postal code, city]
- VAT ID (NIP): [TODO], KRS: [TODO], REGON: [TODO]
- Contact email: [email protected]
- Data Protection Officer: not appointed โ GDPR matters via the contact email above.
2. Categories of data processed
We process the following categories of personal data depending on how you interact with the service:
2.1. Data submitted through the contact form
- Email address (required)
- Full name (optional)
- Company name (optional)
- Phone number (optional)
- Message content
- IP address, browser identifier, page URL (automatic)
2.2. Data collected when ordering a service
- First name, last name, PESEL or passport number (for issuing the qualified certificate)
- Company data: name, VAT ID, KRS, registered address (for corporate signatures and seals)
- Billing address and VAT invoice details
- Video verification session recording (transferred to Certum)
- Payment and invoice history
2.3. Technical data (cookies, server logs)
See the Cookie Policy.
3. Purposes and legal bases of processing
| Purpose | GDPR legal basis | Retention |
|---|---|---|
| Service contract performance | Art. 6(1)(b) GDPR | Contract duration + 6 years (accounting) |
| Issuing VAT invoices | Art. 6(1)(c) GDPR (legal obligation โ Polish Tax Ordinance) | 6 years from end of tax year |
| Handling contact form inquiries | Art. 6(1)(f) GDPR (legitimate interest โ communication with prospects) | 24 months since last contact |
| Establishing and defending claims | Art. 6(1)(f) GDPR (legitimate interest) | Statute of limitations (3-6 years) |
| Marketing own services (newsletter) | Art. 6(1)(a) GDPR (consent) | Until consent is withdrawn |
| Audit and security (logs) | Art. 6(1)(f) GDPR (legitimate interest) | 365 days |
4. Data recipients (subprocessors)
We entrust processing to the following processors (Art. 28 GDPR):
- Asseco Data Systems S.A. (Certum) โ issuing the qualified certificate (country: Poland)
- OVH Sp. z o.o. โ infrastructure hosting (country: Poland / France, EU)
- Cloudflare, Inc. โ CDN, DNS, DDoS protection (country: USA โ transfer under SCC)
- Postmark / ActiveCampaign โ transactional email [TODO: pick provider]
- Fakturownia Sp. z o.o. โ VAT invoicing (country: Poland)
- Daily.co โ video verification platform (country: USA โ SCC)
- BLUE MEDIA S.A. (iMoje) โ online payment processor [TODO: confirm name and DPA reference]
We have signed a Data Processing Agreement (DPA) compliant with Art. 28 GDPR with each subprocessor. The full list is reviewed quarterly.
5. Your rights
Under GDPR you have the following rights:
- Right of access (Art. 15 GDPR) โ you may obtain a copy of your data.
- Right to rectification (Art. 16 GDPR) โ request correction of inaccurate data.
- Right to erasure (Art. 17 GDPR) โ subject to legal obligations (e.g. accounting retention).
- Right to restriction (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR) โ you will receive data in structured format (JSON / CSV).
- Right to object (Art. 21 GDPR) โ against processing on legitimate interest basis.
- Right to withdraw consent at any time (without affecting prior processing).
- Right to lodge a complaint with the President of the Personal Data Protection Office in Poland (uodo.gov.pl).
To exercise any of these rights, email [email protected] with "GDPR" in the subject. We respond within 30 days.
6. Transfers to third countries
Some subprocessors (Cloudflare, Daily.co) are based in the USA. Transfer is based on Standard Contractual Clauses (SCC) adopted by European Commission Decision 2021/914 of 4 June 2021. Daily.co additionally has EU-US Data Privacy Framework certification.
7. Profiling and automated decisions
We do not make automated decisions nor profile your data in a way producing legal effects under Art. 22 GDPR. The honey-pot in the contact form and rate-limiting are security mechanisms, not profiling.
8. Data security
We apply technical and organizational measures adequate to the risk:
- TLS 1.3 encryption for all connections
- Password hashing using Argon2id
- Mandatory 2FA for all administrators
- Encrypted backups, 30-day retention
- Audit logs for all admin panel operations
- Annual GDPR training for staff
9. Cookies
Cookie usage is described in the Cookie Policy.
10. Policy changes
This policy may be updated when laws, technology, or service scope changes. The last update date is shown at the top. Significant changes are communicated 14 days in advance by email and a website banner.
11. GDPR contact
All questions, requests, and complaints regarding data processing:
- Email: [email protected] (subject: "GDPR")
- Mail: 2SECURE Sp. z o.o., [TODO: registered address]