Legal

Privacy Policy

Last updated: 4 July 2026

1. General Provisions

  1. This Privacy Policy (the "Policy") sets out the rules for the processing of personal data of users (the "Users") of the website available at collabay.com (the "Site").
  2. Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR"), the Polish Act of 10 May 2018 on the Protection of Personal Data, and other applicable provisions of law.
  3. This Policy fulfils the information obligations arising from Articles 13 and 14 of the GDPR.

2. Data Controller

  1. The controller of Users' personal data is the operator of the Collabay website, established in Poland (the "Controller").
  2. The Controller may be contacted in all matters concerning the processing of personal data at the following email address: contact@collabay.com.

3. Categories of Personal Data

  1. The Controller processes the following categories of personal data:
    1. waitlist data - the email address provided by the User;
    2. correspondence data - the content of messages submitted through the contact form or by email, together with the address from which they were sent;
    3. technical data - data transmitted automatically by the User's browser.
  2. The Controller does not request and does not intend to process special categories of personal data within the meaning of Article 9 of the GDPR. Users are requested not to provide such data.

4. Purposes and Legal Bases of Processing

  1. Personal data is processed for the following purposes and on the following legal bases:
    1. operation of the waitlist and delivery of information concerning the availability of the Collabay product - on the basis of the User's consent (Article 6(1)(a) of the GDPR);
    2. responding to enquiries submitted through the contact form or by email - on the basis of the Controller's legitimate interest in conducting correspondence (Article 6(1)(f) of the GDPR);
    3. ensuring the security of the Site, preventing abuse, and maintaining server logs - on the basis of the Controller's legitimate interest (Article 6(1)(f) of the GDPR);
    4. analysing aggregate Site usage for the purpose of improving the Site - on the basis of the Controller's legitimate interest (Article 6(1)(f) of the GDPR);
    5. fulfilment of legal obligations incumbent on the Controller (Article 6(1)(c) of the GDPR).

5. Voluntary Provision of Data

  1. The provision of personal data is voluntary and is not a statutory or contractual requirement.
  2. The provision of an email address is, however, necessary in order to use the waitlist service or to receive a response to an enquiry submitted through the contact form.

6. Recipients of Personal Data

  1. The Controller does not sell personal data.
  2. Personal data may be disclosed to entities processing data on behalf of the Controller pursuant to data processing agreements concluded in accordance with Article 28 of the GDPR, in particular:
    1. providers of website and email hosting services;
    2. the provider of the tool used to operate the waitlist and deliver email communications;
    3. providers of aggregate analytics services, where such services are used.
  3. Personal data may also be disclosed to competent public authorities where such disclosure is required by applicable law.

7. Transfers Outside the EEA

  1. Where personal data is transferred to entities established outside the European Economic Area, such transfer takes place on the basis of a European Commission adequacy decision or subject to appropriate safeguards within the meaning of Article 46 of the GDPR, in particular the Standard Contractual Clauses adopted by the European Commission.
  2. Information concerning the safeguards applied may be obtained by contacting the Controller at the address indicated in Section 2(2).

8. Data Retention Periods

  1. Waitlist data is processed until the User withdraws consent, and in any event no longer than 24 months from the last contact initiated by the Controller.
  2. Correspondence data is processed for the period necessary to handle the enquiry and, thereafter, for the period required for the establishment, exercise, or defence of legal claims.

9. Rights of Data Subjects

  1. Each User has the following rights under the GDPR:
    1. the right of access to their personal data and the right to obtain a copy thereof (Article 15);
    2. the right to rectification of inaccurate data (Article 16);
    3. the right to erasure (Article 17);
    4. the right to restriction of processing (Article 18);
    5. the right to data portability (Article 20);
    6. the right to object to processing based on legitimate interest (Article 21);
    7. the right to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal (Article 7(3)).
  2. The rights referred to above may be exercised by contacting the Controller at the address indicated in Section 2(2). The Controller shall respond to a request without undue delay, and in any event within one month of its receipt, in accordance with Article 12(3) of the GDPR.

10. Cookies

  1. The Site uses only cookies that are strictly necessary for its proper functioning.
  2. Should the Controller introduce cookies that are not strictly necessary, including analytical or marketing cookies, they will be used only after obtaining the User's prior consent, and this Policy will be updated accordingly.

11. Final Provisions

  1. The Site is not directed at children. The Controller does not knowingly process personal data of persons under the age of 16.
  2. The Controller reserves the right to amend this Policy, in particular in the event of changes in applicable law or changes in the scope of processing. The current version of the Policy, together with its effective date, is published on the Site.
  3. In matters not regulated by this Policy, the provisions of the GDPR and applicable Polish law shall apply.