π§ Data Protection Contact: privacy@hubionis.com
π’ Data Controller: Cryptionis sp. z o.o., ul. Narwik 8/35, 01-471 Warsaw, Poland
π Tax ID (NIP): 5223241648 | KRS: 0001024788
The Data Controller within the meaning of Art. 4(7) GDPR is:
Cryptionis sp. z o.o.
ul. Narwik 8/35, 01-471 Warsaw, Poland
Tax ID (NIP): 5223241648 | KRS: 0001024788
Email: contact@hubionis.com
Phone: +48 22 XXX XX XX
Data Protection Officer (DPO):
Status: Not appointed (no obligation under Art. 37 GDPR)
Note: A DPO will be appointed if the platform exceeds 50,000 active users or processes sensitive data on a large scale.
Data Protection Contact:
π§ Email: privacy@hubionis.com
π¬ Mail: Cryptionis sp. z o.o., ul. Narwik 8/35, 01-471 Warsaw (marked "GDPR")
We DO NOT process sensitive data (racial, ethnic, political, religious, health, sexual orientation), unless a User voluntarily provides such information in their biography (in which case it constitutes explicit consent under Art. 9(2)(a) GDPR).
| Processing purpose | Legal basis | GDPR Article |
|---|---|---|
| Registration and account management | Contract performance (Terms) | Art. 6(1)(b) |
| Bookings and event participation | Contract performance | Art. 6(1)(b) |
| Payment processing | Contract performance + legal obligation (invoices) | Art. 6(1)(b) + (c) |
| Newsletter and marketing | Consent (can be withdrawn) | Art. 6(1)(a) |
| Push notifications | Consent (can be withdrawn) | Art. 6(1)(a) |
| Analytics and cookies (Google Analytics) | Consent (cookie banner) | Art. 6(1)(a) |
| Security (logs, fraud detection) | Legitimate interest of the Controller | Art. 6(1)(f) |
| Complaint handling and GDPR rights | Legal obligation + contract performance | Art. 6(1)(c) + (b) |
Personal data may be shared with the following processors (acting under Data Processing Agreement - DPA):
| Entity | Purpose | Location | DPA Status |
|---|---|---|---|
| Amazon Web Services (AWS) | Database hosting (PostgreSQL RDS), storage (S3) | πͺπΊ eu-central-1 (Frankfurt, Germany) | β Signed (AWS Customer Agreement) |
| Stripe | Payment processing | πΊπΈ USA (+ EU data residency) | β³ In progress (deadline: Feb 15, 2026) |
| SendGrid (Twilio) | Transactional and marketing emails | πΊπΈ USA | β Signed |
| Google Analytics | Traffic analytics (with cookie consent) | πΊπΈ USA | β οΈ Google Measurement Controller-Controller Data Protection Terms |
| OneSignal | Push notifications (with consent) | πΊπΈ USA | β³ Planned (Q2 2026) |
Some processors (Stripe, SendGrid, Google Analytics, OneSignal) are based in the USA. Data transfers are based on:
Note: Transfer to the USA involves risk of US security agency access to data (FISA, CLOUD Act). If you do not consent to the transfer, you may:
| Data category | Retention period | Legal basis |
|---|---|---|
| Account data (active) | Until account deletion by user | Contract performance (Art. 6(1)(b)) |
| Account data (after deletion) | 30 days (complete deletion) | Contract + right to be forgotten (Art. 17) |
| Booking history (anonymized) | 5 years (for accounting purposes) | Legal obligation (Accounting Act) |
| VAT invoices | 5 years | Legal obligation (Art. 6(1)(c) β tax ordinance) |
| Marketing consents (newsletter) | Until consent withdrawal | Consent (Art. 6(1)(a)) |
| Security logs (IP, user agent) | 12 months | Legitimate interest (Art. 6(1)(f)) |
| Analytics cookies (Google Analytics) | 14 months | Consent (Art. 6(1)(a)) |
| Complaints | 3 years (limitation of claims) | Legal obligation (Civil Code) |
You have the right to obtain confirmation of whether we process your data and receive a copy.
How to exercise:
You can correct inaccurate or incomplete data.
How to exercise:
You may request deletion of your data if:
How to exercise:
Exceptions: We cannot delete data if:
You may request "freezing" of your data (storage without processing) if:
How to exercise: Email: privacy@hubionis.com (processing: 30 days).
You may receive your data in a structured, commonly used, machine-readable format (JSON) and transmit it to another controller.
How to exercise: Dashboard β Settings β Privacy β Download My Data (JSON).
You may object to processing based on legitimate interest (Art. 6(1)(f)), e.g.:
How to exercise:
Note: Objection to processing based on contract (Art. 6(1)(b)) may result in inability to use the platform (e.g., you cannot opt out of storing your email, as it's necessary for login).
You may withdraw consent at any time for:
Effect: Withdrawal does not affect the lawfulness of processing before withdrawal.
If you believe we process your data unlawfully, you may file a complaint with:
President of the Office for Personal Data Protection (UODO)
ul. Stawki 2, 00-193 Warsaw
π§ Email: kancelaria@uodo.gov.pl
π Online form: www.uodo.gov.pl
The Platform uses cookies to ensure proper operation and traffic analysis. Detailed information can be found in the Cookie Policy.
| Type | Purpose | Requires consent? |
|---|---|---|
| Necessary | Login, session, cart | β NO (Art. 6(1)(f) β legitimate interest) |
| Functional | Language, display preferences | β NO |
| Analytics | Google Analytics (statistics) | β YES (cookie banner) |
| Marketing | Remarketing (Google Ads, Facebook Pixel) | β YES |
The Platform requires users to be at least 13 years old (per Art. 8 GDPR β Poland lowered the limit to 13 years).
Persons aged 13-17 may use the platform with parental/guardian consent. Required actions:
The Controller reserves the right to update this Privacy Policy for important reasons (legal changes, new features, new processors).
We will notify Users of significant changes with 14 days' notice via:
π§ Email: privacy@hubionis.com
π¬ Mailing address: Cryptionis sp. z o.o., ul. Narwik 8/35, 01-471 Warsaw (marked "GDPR")
π Phone: +48 22 XXX XX XX (weekdays, 9:00-17:00)
β±οΈ Response time: Within 30 days (per Art. 12(3) GDPR)
For urgent matters (data breach, suspected account compromise):
π§ Email: security@hubionis.com (24-hour response)
Last updated: January 29, 2026
Document version: 1.0