Privacy policy
Version 1.0 · Effective from 2026-05-08
This is an English-language summary. The legally binding version is the Polish version available at sneakersynergy.app/privacy. In case of discrepancy, the Polish version prevails.
1. Data controller
WRÓBLEWSKI INVESTMENTS Spółka z ograniczoną odpowiedzialnością
- Registered office: Zielona 34B, Skrbeńsko, 44-341 Gołkowice, Poland
- Tax ID (NIP): 6472612707
- Statistical ID (REGON): 541450566
- Court Register (KRS): 0001167365
- Contact: privacy@sneakersynergy.app
The controller of your personal data within the meaning of GDPR (Regulation (EU) 2016/679) is WRÓBLEWSKI INVESTMENTS sp. z o.o. (the "Controller" or "we"), operating the SaaS platform under the brand SneakerSynergy.
2. Data we process
- Account data: email, name, role (ADMIN/WORKER/SELLER), creation date, password hash (bcrypt).
- Company data: name, tax ID, address, contact details.
- Business data: orders, invoices, counterparty data, products, inventory transactions.
- Technical data: IP address, User-Agent, login and contract acceptance timestamps.
- System logs (audit log): action history (who/what/when) - retained 12 months.
- Cookies: only technical (session, CSRF). No marketing or analytics cookies.
- Payment data: not stored directly - processed by Stripe (PCI-DSS Level 1).
3. Purpose and legal basis
- SaaS service delivery - GDPR Art. 6(1)(b) (contract).
- Invoicing, tax records - GDPR Art. 6(1)(c) (legal obligation, Polish Accounting Act art. 74) - 5-year retention.
- Security, audit log, anti-fraud - GDPR Art. 6(1)(f) (legitimate interest).
- Transactional communication - GDPR Art. 6(1)(b).
- Marketing of own services (newsletter, if subscribed) - GDPR Art. 6(1)(a) (consent).
- Complaints handling, claims - GDPR Art. 6(1)(f) - 3 years (statute of limitations).
4. Your rights (GDPR Chapter III)
- Art. 15 - access (Settings → Privacy → Download my data, JSON format).
- Art. 16 - rectification.
- Art. 17 - erasure (right to be forgotten) - 30-day anonymization, tax data retained per law.
- Art. 18 - restriction of processing.
- Art. 20 - data portability (JSON export).
- Art. 21 - objection to processing based on legitimate interest.
- Art. 7(3) - withdrawal of consent.
- Complaint to supervisory authority: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.
We respond to requests within 30 days (GDPR Art. 12(3)), with a possible extension of 60 days in justified cases.
5. Recipients (data processors)
- Hetzner Online GmbH (Germany, EEA) - infrastructure hosting.
- Cloudflare, Inc. (USA) - CDN, DDoS protection (SCC).
- Stripe Payments Europe Ltd. (Ireland, EEA) - subscription payments.
- SendGrid (Twilio Inc.) / Postmark (USA) - transactional email.
- Sentry, Inc. (USA) - application error monitoring (anonymized).
- Baselinker sp. z o.o. (Poland) - sales integration (if used).
6. Transfers outside the EEA
Some processors (Cloudflare, SendGrid, Sentry) are based outside the European Economic Area. Transfers rely on:
- Standard Contractual Clauses (SCC) per EU Commission Decision 2021/914.
- EU Commission adequacy decisions (e.g. EU-US Data Privacy Framework).
- Additional safeguards: at-rest encryption, in-transit encryption, access controls.
7. Security (GDPR Art. 32)
- Passwords hashed (bcrypt 12+ rounds), integration secrets encrypted with AES-256-GCM, per-organization HKDF key derivation.
- TLS 1.2+, HSTS, Let's Encrypt with auto-rotation.
- httpOnly + SameSite=Lax cookies, rate limiting on auth endpoints.
- CSP, X-Frame-Options DENY, Permissions-Policy, X-Content-Type-Options.
- Multi-tenant isolation via Prisma extension (per-organization scope).
- Daily backup, 30-day off-site retention.
- Audit log for critical operations.
- Incident notification within 72h (GDPR Art. 33).
8. Cookies
We use only strictly necessary technical cookies (session, CSRF). No marketing, analytics or tracking cookies. No consent banner is displayed since consent is not required (Polish Telecommunications Law art. 173(1)(2)).
9. Automated decision-making
We do not perform automated decision-making with legal effects (GDPR Art. 22) or profiling.
10. Children's data
The Service is not directed at persons under 16. We do not knowingly collect children's data.
11. Changes to this policy
We may update this policy. Material changes will be communicated by email at least 14 days before they take effect. The current version is always available at sneakersynergy.app/en/privacy.
12. Contact
Email: privacy@sneakersynergy.app
Mail: WRÓBLEWSKI INVESTMENTS sp. z o.o., Zielona 34B, Skrbeńsko, 44-341 Gołkowice, Poland