Privacy Policy

Effective: 2026-05-26. Data controller: QA10 sp. z o.o., ul. Mariacka 37, 40-014 Katowice, Poland (KRS 0001232199).

This Privacy Policy sets out the rules for processing personal data of users of the qa10.io website by QA10 sp. z o.o. It fulfils the information obligation under Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR").

1. Data Controller

The controller of your personal data is QA10 sp. z o.o., with registered office in Katowice, Poland, ul. Mariacka 37, 40-014 Katowice, registered in the Polish National Court Register (KRS) under number 0001232199, tax ID (NIP) 9542906279, statistical number (REGON) 544435060, share capital 5,000.00 PLN.

Contact: hello@qa10.io, phone +48 880 839 850.

2. Data Protection Officer

The Controller has not appointed a Data Protection Officer — the processing does not meet the criteria of Article 37(1) GDPR (no large-scale processing of special categories of data, no regular and systematic monitoring of data subjects on a large scale). For all matters concerning personal data processing, please contact the Controller directly at hello@qa10.io.

3. Scope and sources of data

The Controller processes personal data obtained directly from you — when you use the forms or calculator, subscribe to the newsletter, or contact us — as well as technical data associated with accessing the website (IP address, session identifier, browser metadata).

Categories of processed data include:

  • identification and contact data: first and last name, email address, phone number, company name, role;
  • company data: tax ID, industry classification (PKD), employee count, organization size;
  • correspondence content and inquiries directed to the Controller;
  • data entered into the ROI calculator (business process parameters — processed entirely on the user's device; transmitted to the Controller only upon submission of the lead form);
  • technical data: IP address, browser identifier, timestamps, UTM parameters, session data.

4. Purposes and legal bases of processing

Every processing operation has a defined legal basis under Article 6(1) GDPR. The purposes, legal bases and retention periods are listed below, one entry per purpose.

  • Purpose: handling inquiries submitted via the contact form or email.
    Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the Controller in conducting business correspondence.
    Retention: up to 3 years from the last contact or until an effective objection is raised.

  • Purpose: conclusion and performance of service contracts (AIP Audit, Engineering Lab, Funding).
    Legal basis: Art. 6(1)(b) GDPR — performance of a contract or steps prior to entering into a contract.
    Retention: for the duration of the contract and until expiry of the limitation period for claims (up to 6 years under the Polish Civil Code).

  • Purpose: delivery of the PDF report (lead magnet) and the Dig.IT educational series.
    Legal basis: Art. 6(1)(a) GDPR — consent of the data subject.
    Retention: until withdrawal of consent, and no longer than 3 years from the last interaction.

  • Purpose: direct marketing of the Controller's products and services by electronic means.
    Legal basis: Art. 6(1)(a) GDPR and Art. 398(1) of the Polish Electronic Communications Law — consent.
    Retention: until withdrawal of consent.

  • Purpose: accounting and tax obligations (invoices, records).
    Legal basis: Art. 6(1)(c) GDPR — legal obligation under the Polish Tax Ordinance, Accounting Act and VAT Act.
    Retention: 5 years from the end of the calendar year in which the tax obligation arose.

  • Purpose: establishing, pursuing or defending against claims.
    Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the Controller.
    Retention: until expiry of the limitation period for claims (up to 6 years).

  • Purpose: website security and bot protection (Cloudflare Turnstile).
    Legal basis: Art. 6(1)(f) GDPR — legitimate interest in securing the website.
    Retention: 24 hours from verification (session token).

  • Purpose: visitor analytics (Plausible Analytics, without user identification).
    Legal basis: Art. 6(1)(f) GDPR — legitimate interest; the Controller's position is that this processing does not involve personal data within the meaning of Art. 4(1) GDPR.
    Retention: aggregated data retained indefinitely; no individual records.

5. Voluntary nature of data provision

Providing personal data is voluntary but necessary to use specific functions of the website. Failure to provide data marked as required in the contact or lead form will prevent the Controller from handling your request or delivering the material. Where data is required to enter into a contract, provision is a condition of contract conclusion within the meaning of Art. 13(2)(e) GDPR.

6. Recipients — processors

Your personal data may be entrusted to service providers acting on behalf of the Controller, under data processing agreements compliant with Art. 28 GDPR.

Categories of recipients:

  • Hosting and form processing: Vercel Inc. (USA) — application runtime, API endpoints.
  • Bot protection and fallback hosting: Cloudflare, Inc. (USA) — Turnstile service, optional Cloudflare Pages.
  • Analytics: Plausible Insights OÜ (Estonia, European Union) — analytics tool not processing personal data.
  • AI services: Anthropic, PBC (USA) — processing of queries directed to Claude models for the Controller's product features.
  • Cloud infrastructure: Amazon Web Services, Inc. (USA) — Bedrock compute for AI agents.
  • Email and automation: SMTP and workflow providers (e.g. n8n webhooks).
  • External advisors: accounting firm, tax advisors, law firms — for the performance of the Controller's legal obligations.
  • Public authorities: solely within the scope and under applicable law (e.g. tax authorities, courts, social security).

The current list of processors is available on request, by contacting hello@qa10.io.

7. International transfers

Some recipients (Vercel, Cloudflare, Anthropic, AWS) are established in the United States. Transfers to these recipients take place based on:

  • European Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequate level of protection under the EU–US Data Privacy Framework — for providers certified under the DPF;
  • standard contractual clauses (SCCs) adopted by Commission Decision (EU) 2021/914 — for non-DPF providers;
  • additional technical and organizational measures resulting from a Transfer Impact Assessment.

A copy of the applied safeguards is available upon request at hello@qa10.io.

8. Automated decision-making and profiling

The Controller does not subject you to automated decisions within the meaning of Art. 22 GDPR — i.e. decisions producing legal effects or similarly significantly affecting you, taken solely on an automated basis.

The ROI calculator available at /en/kalkulator/ is an estimation tool based on the Activity-Based Costing methodology. Calculations are performed in your browser, and the result is informational only — it does not constitute a decision, a commercial offer or any obligation of the Controller.

9. Your rights

You have the following rights:

  • access to your data and obtaining a copy (Art. 15 GDPR);
  • rectification of inaccurate data or completion of incomplete data (Art. 16 GDPR);
  • erasure — the "right to be forgotten" (Art. 17 GDPR);
  • restriction of processing (Art. 18 GDPR);
  • data portability (Art. 20 GDPR) — for data processed by automated means on the basis of consent or contract;
  • objection to processing based on the Controller's legitimate interest, including direct marketing (Art. 21 GDPR);
  • withdrawal of consent at any time — without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR);
  • lodging a complaint with the supervisory authority — the President of the Personal Data Protection Office (Polish DPA), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.

We respond to requests without undue delay and in any event within one month of receipt. Where necessary, taking into account the complexity and number of requests, this period may be extended by two further months; you will be informed of any such extension, and of the reasons for it, within one month of receipt (Art. 12(3) GDPR). Requests should be sent to hello@qa10.io.

10. Data security

The Controller applies technical and organizational measures appropriate to the identified risk, in accordance with Art. 32 GDPR. These include transport encryption (TLS 1.3), least-privilege access control, multi-factor authentication for authorized personnel, security event logging, regular backups and an incident management process.

11. Cookies and similar technologies

The use of cookies and similar technologies is described in a separate document: Cookie Policy. qa10.io does not use tracking or marketing cookies.

12. Changes to this Policy

The Controller reserves the right to update this Policy in the event of changes in applicable law, in processing practices or in the scope of services. We will notify significant changes by publishing an updated version on the website and, where required, through a direct communication to affected data subjects.

13. Contact

For all matters concerning personal data processing:
