This Privacy Policy sets out the rules for processing the personal data of people who visit the website of the Flux service (the "Flux landing page") and who use the contact forms made available on it. The document is informational and does not impose any obligations on the persons to whom the data relates.
This Policy concerns only the Flux landing page (website) and the two forms made available on it. Data processing within the Flux application itself (after signing in) is governed by separate documents provided to account holders.
This English version is provided for convenience only. The Polish-language version of this Privacy Policy is the binding one, and in the event of any discrepancy the Polish version prevails.
Personal data is processed in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR),
- the Polish Act of 10 May 2018 on the Protection of Personal Data,
- the Polish Act of 18 July 2002 on the Provision of Services by Electronic Means,
- the Polish Act of 16 July 2004 — Telecommunications Law.
1. Data Controller
The controller of the personal data of people who visit the Flux landing page and use its forms is:
dushka sp. z o.o., with its registered office at [UZUPEŁNIJ: adres siedziby], entered in the Register of Entrepreneurs of the National Court Register under KRS number [UZUPEŁNIJ: KRS], holding tax identification number NIP [UZUPEŁNIJ: NIP] and statistical number REGON [UZUPEŁNIJ: REGON] (the "Controller").
Contacting the Controller on all matters relating to personal data:
- postal address: [UZUPEŁNIJ: adres siedziby],
- e-mail: [UZUPEŁNIJ: e-mail do kontaktu w sprawach danych osobowych],
- phone: [UZUPEŁNIJ: telefon].
The Controller has not appointed a Data Protection Officer. For all matters relating to the processing of personal data and the exercise of rights, please contact the Controller using the details above.
2. Purposes and Legal Bases of Processing
Personal data is processed depending on which features of the Flux landing page a visitor uses and which consents they give. The table below sets out the purposes of processing together with the legal bases and retention periods.
| Purpose of processing | Legal basis | Retention period |
|---|---|---|
| Handling an enquiry submitted through the contact form (providing a reply) | Art. 6(1)(b) GDPR (steps taken at the request of the data subject prior to entering into a contract) and Art. 6(1)(f) GDPR (legitimate interest — conducting correspondence) | up to 12 months from the last contact if no cooperation is established |
| Booking and handling an online call via the "Book a call" form | Art. 6(1)(b) GDPR (steps taken at the request of the data subject prior to entering into a contract) | up to 12 months from the booked call if no cooperation is established |
| Analytics and traffic measurement on the Flux landing page (Vercel Analytics, Vercel Speed Insights) | Art. 6(1)(f) GDPR (legitimate interest — measuring reach and optimising the site) | aggregated, de-identified data; not stored in a form that allows identification of a person |
| Ensuring the security of the site and diagnosing and monitoring errors (server logs, Sentry) | Art. 6(1)(f) GDPR (legitimate interest — security and reliability of the site) | error-monitoring data retained for up to 90 days, then automatically deleted |
| Own marketing of the Flux service (presenting the offer in response to an enquiry) | Art. 6(1)(f) GDPR (legitimate interest of the Controller) | until an effective objection is raised |
| Establishing, pursuing or defending potential claims | Art. 6(1)(f) GDPR (legitimate interest of the Controller) | until the relevant limitation periods expire |
The Controller does not make decisions concerning visitors to the Flux landing page that are based solely on automated processing, including profiling, and that would produce legal effects or similarly significantly affect them (Art. 22 GDPR).
3. Data Collected Passively
Some data is collected automatically while using the Flux landing page, without the visitor having to take any action.
3.1 Server logs
The Flux landing page is hosted on the infrastructure of the provider Vercel. The servers automatically record technical information in their logs, which may include the IP address, browser type, operating system, time of the visit, and the address of the page from which the visitor was referred. This data is processed under Art. 6(1)(f) GDPR (legitimate interest — ensuring the security of the site and diagnosing errors) and is not used to identify individuals for marketing purposes.
3.2 Analytics — Vercel Analytics and Vercel Speed Insights
The Flux landing page uses Vercel Analytics and Vercel Speed Insights provided by Vercel Inc. These tools are used to collect anonymous usage statistics and to measure page-load performance. The information collected may include:
- page views and navigation patterns,
- device type (desktop, mobile, tablet),
- browser type,
- the country derived from the IP address (the IP address itself is not stored for this purpose),
- page-load performance metrics (including Core Web Vitals).
Vercel's analytics tools do not use cookies and do not track visitors across different websites. The data is aggregated and does not identify a specific person. The basis for processing is Art. 6(1)(f) GDPR (legitimate interest — measuring reach and optimising the site).
3.3 Error monitoring — Sentry
The Flux landing page uses Sentry, provided by Functional Software, Inc., to monitor errors and track performance in order to improve the reliability and quality of the site. The data collected may include:
- error messages and stack traces,
- the IP address (for rate limiting and geographic analysis),
- browser type, device information, and operating system,
- page-load times and interaction metrics.
Where the session-recording feature is active, recordings mask all text content and block media in order to protect sensitive information. The data is processed by Sentry within the European Union. The basis for processing is Art. 6(1)(f) GDPR (legitimate interest — security and reliability of the site). Error-monitoring data is retained for up to 90 days and then automatically deleted.
3.4 Fonts
The Flux landing page uses the Inter Tight typeface. The font files are downloaded when the site is built and served directly from the site's own infrastructure using the next/font mechanism, so when the site is displayed the visitor's IP address is not transmitted to external font providers, including Google Fonts. Using the fonts does not require consent.
4. Data Collected Actively
The Controller also processes data that a visitor provides themselves when using the forms made available on the Flux landing page. Providing the data is voluntary but necessary in order to handle the relevant request.
4.1 Contact form
- Scope of data: business e-mail address, business phone number, and the content of the message.
- Purpose: providing a reply to the enquiry addressed to the Controller and presenting information about the Flux service in response to that enquiry.
- Legal basis: Art. 6(1)(b) GDPR (steps taken at the request of the data subject prior to entering into a contract) and Art. 6(1)(f) GDPR (legitimate interest — conducting correspondence and own marketing).
- Retention period: up to 12 months from the last contact if no cooperation is established; if cooperation is established — for its duration and for the period necessary to establish, pursue or defend claims.
4.2 "Book a call" form
- Scope of data: business e-mail address, business phone number, additional information (provided optionally), and the preferred date and time of the call.
- Purpose: booking and conducting an online call concerning the Flux service, as well as sending a confirmation and a meeting link to the e-mail address provided.
- Legal basis: Art. 6(1)(b) GDPR (steps taken at the request of the data subject prior to entering into a contract).
- Retention period: up to 12 months from the booked call if no cooperation is established; if cooperation is established — for its duration and for the period necessary to establish, pursue or defend claims.
In both forms, acceptance of this Privacy Policy is required before submission. Please do not include in the message content or the additional-information field any special categories of data (Art. 9 GDPR) or any data beyond what is necessary to handle the request.
5. Cookies
The Flux landing page uses cookies that are necessary for its operation (not requiring consent — Art. 173(3) of the Telecommunications Law) and — only after informed and voluntary consent is given (Art. 6(1)(a) GDPR) — statistics cookies of Google Analytics 4 and Microsoft Clarity.
Consent is managed in the banner shown on the first visit and can be changed or withdrawn at any time via the "Cookie settings" link in the site footer. Withdrawing consent is as easy as granting it; after withdrawal, statistics cookies are deleted and the analytics tools stop working. The consent decision is remembered for 12 months and applies across all sarnowski.dev subdomains. Proof of granting or withdrawing consent (date, policy version, selected categories, and a random pseudonymous consent identifier — no IP address) is recorded in accordance with Art. 7(1) GDPR.
List of cookies used:
| Name | Provider | Purpose | Category | Duration |
|---|---|---|---|---|
sd_consent | sarnowski.dev | remembers the cookie consent decision | necessary | 12 months |
NEXT_LOCALE | sarnowski.dev | remembers the selected language | necessary | session |
_ga, _ga_* | Google (GA4) | distinguishes users and sessions in statistics | statistics (with consent) | 2 years |
_clck | Microsoft Clarity | user identifier for behavior analysis | statistics (with consent) | 1 year |
_clsk | Microsoft Clarity | groups user activity into a single session | statistics (with consent) | 1 day |
Microsoft Clarity may additionally set CLID and MUID cookies on its own clarity.ms domain (third-party); after consent is withdrawn the tool is no longer loaded and these cookies are no longer transmitted. The Vercel analytics tools (Vercel Analytics, Speed Insights) rely on cookieless mechanisms and do not track visitors across websites. Cookie settings can also be managed from the settings of the web browser.
6. Recipients of Data, Processors and Transfers
To provide services connected with the operation of the Flux landing page, the Controller uses trusted providers acting as processors. With each of them the Controller concludes a data processing agreement compliant with Art. 28 GDPR.
| Entity | Role | Scope |
|---|---|---|
| Vercel Inc. | site hosting and analytics | maintaining the site, server logs, Vercel Analytics, Vercel Speed Insights |
| Functional Software, Inc. (Sentry) | error monitoring | recording and diagnosing errors and measuring performance |
| Resend | e-mail delivery | sending transactional messages, including confirmations of a booked call |
Data location. Data is processed within Poland and the European Economic Area (EEA). The Flux landing page is maintained in the Google Cloud infrastructure in the Warsaw region. Where a service provider processes data outside the EEA, the Controller ensures appropriate safeguards required by the GDPR (including standard contractual clauses approved by the European Commission). Each of the listed entities has its own privacy policy governing how it processes data.
7. Data Retention
Personal data is retained for the period necessary to achieve the purposes for which it was collected, after which it is deleted or anonymised. The specific retention periods are set out in the table in section 2 and in the descriptions of the individual forms:
- contact-form data — up to 12 months from the last contact if no cooperation is established,
- "Book a call" form data — up to 12 months from the booked call if no cooperation is established,
- error-monitoring data (Sentry) — up to 90 days,
- analytics data (Vercel) — in aggregated, de-identified form, with no personal data stored,
- data processed in connection with establishing, pursuing or defending claims — until the relevant limitation periods expire.
8. Rights of the Data Subject
In connection with the processing of personal data, you have the following rights:
- Right of access (Art. 15 GDPR) — the right to obtain confirmation as to whether your data is being processed and to obtain a copy of it.
- Right to rectification (Art. 16 GDPR) — the right to request the prompt rectification of inaccurate data and the completion of incomplete data.
- Right to erasure (Art. 17 GDPR, the "right to be forgotten") — the right to request the deletion of data where one of the grounds set out in the GDPR applies.
- Right to restriction of processing (Art. 18 GDPR) — the right to request the restriction of processing in the situations provided for by law.
- Right to data portability (Art. 20 GDPR) — the right to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object (Art. 21 GDPR) — in particular to processing based on the Controller's legitimate interest, including for direct-marketing purposes, against which the objection is unconditional.
- Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before its withdrawal.
To exercise the above rights, please contact the Controller using the details given in section 1. Requests are handled without undue delay and no later than within one month of receipt, with the possibility of an extension by a further two months due to the complexity or number of requests — in which case you will be informed of the extension.
Right to lodge a complaint. You have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland) — if you consider that the processing of your data infringes the GDPR.
9. Security
The Controller applies appropriate technical and organisational measures to ensure the security of personal data, proportionate to the risk and to the categories of data processed (Art. 32 GDPR). These measures include, among others, encryption of connections using the TLS protocol, access control based on the principle of least privilege, regular updates of the technology stack, and working only with trusted providers bound by data processing agreements.
10. Changes to the Privacy Policy
The Controller reserves the right to amend this Privacy Policy in the event of changes in the law, the development of the Flux landing page's functionality, or the introduction of new processing tools. The current version of the Policy is each time marked with the date of the last update shown at the beginning of the document. We encourage you to review the Policy periodically.
11. Contact
For all matters relating to the processing of personal data and the exercise of rights, please contact the Controller:
- dushka sp. z o.o.
- address: [UZUPEŁNIJ: adres siedziby],
- e-mail: [UZUPEŁNIJ: e-mail do kontaktu w sprawach danych osobowych],
- phone: [UZUPEŁNIJ: telefon].