Privacy Policy

1. Data controller

The controller of personal data is Decent Code Sp. z o.o., ul. Młynarska 29, 58-300 Wałbrzych, Poland (registered office address only, no on-site client service), NIP 886 301 65 19, REGON 388 952 820, KRS 0000904994, share capital PLN 10,000, e-mail: firma@decentcode.pl.

For all matters concerning personal data, you may contact us at firma@decentcode.pl.

2. Roles in data processing

Decent Code is the controller of data of website visitors, persons contacting us through forms, persons interested in the offer, Client representatives, system Users, persons using support, and data necessary for billing and contract handling.

For data entered into Legal Kanban by the Client to manage matters, serve law firm clients, handle documents, tasks, billing or the Client Portal, Decent Code generally acts as processor and the Client acts as controller. The rules for this processing are set out in the Data Processing Agreement.

3. Scope and purposes of processing

We process contact and identification data such as name and surname, e-mail address, phone number, organisation name, professional role, message content, billing data, user account data, technical identifiers, IP address, device information, system logs and cookie consent data.

We obtain data directly from the data subject, from the Client who indicates representatives, contact persons or Users, and automatically during website use within the scope of technical data and cookies.

We process data to handle enquiries, prepare offers, conclude and perform agreements, provide accounts, ensure system security, provide support, handle complaints, manage billing, pursue or defend claims, send service-related information and conduct website analytics after consent is obtained.

4. Legal bases

The legal basis for processing is Article 6(1)(b) GDPR where data is needed to conclude or perform an agreement, Article 6(1)(c) GDPR where processing results from legal obligations, in particular tax and accounting obligations, Article 6(1)(f) GDPR where processing is necessary for the Controller's legitimate interests, such as security, enquiry handling, service development, establishment or defence of claims and B2B contact, and Article 6(1)(a) GDPR where the user has given consent, for example to analytics cookies.

Marketing communication using e-mail, phone or similar means of communication is conducted only in accordance with the requirements of the Polish Electronic Communications Law and other applicable regulations.

If a user voluntarily provides special category data in a message to the Controller, it will be processed only to the extent necessary to handle the matter. Special category data entered by the Client into the system is covered by data processing entrustment rules.

5. Data recipients

Data recipients may include providers of cloud infrastructure and hosting, e-mail, security systems, analytics tools, form handling, invoicing and accounting, legal advisers, payment providers, technical support subcontractors and authorities authorised under law.

Only authorised persons bound by confidentiality receive access to data on the Controller's side.

6. Transfers outside the EEA

Client application data is processed in the European Economic Area unless the Client and the Service Provider agree otherwise or the transfer is required by configuration selected by the Client.

For analytics tools such as Google Analytics 4, data may be transferred outside the EEA. In such case, appropriate safeguards are applied, in particular standard contractual clauses, where required.

7. Retention period

Data related to the account and agreement performance is stored for the term of the agreement and then for the limitation period for claims or the period required by law. Billing data is stored for the period required by tax and accounting regulations, generally 5 years from the end of the year to which it relates.

Data from offer enquiries and forms is stored for the time needed to handle the enquiry and then for the period needed to demonstrate the course of correspondence or defend claims. Data processed on the basis of consent is stored until consent is withdrawn, and data processed for own marketing purposes until an objection is raised.

Technical and security logs are stored for the period needed to ensure security, diagnostics and accountability of system operation, unless longer storage is needed to explain an incident or pursue claims.

8. Rights of data subjects

The data subject has the right to access data, rectify data, erase data, restrict processing, data portability, object to processing based on legitimate interest and withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

If a request concerns data entered into the system by the Client as controller, Decent Code may forward the request to the Client or assist the Client in fulfilling it under the Data Processing Agreement.

The data subject has the right to lodge a complaint with the President of the Polish Personal Data Protection Office.

9. Security

We apply technical and organisational measures to protect data, including access control, authorisations, transmission encryption, backups, authentication mechanisms, security monitoring and limiting access to data to persons who need it to perform their tasks.

The Client is responsible for proper configuration of User permissions, selecting data entered into the system and using procedures consistent with professional secrecy and security rules applicable in the law firm.

10. Cookies

Information about cookies is available in the Cookie Policy.

11. Automated decisions

The Controller does not make decisions concerning persons based solely on automated processing that would produce legal effects concerning them or similarly significantly affect them. Website analytics may include basic statistical analysis of user behaviour after consent to analytics cookies is obtained.

12. Changes to the Privacy Policy

The Privacy Policy may be updated due to changes in law, website functions, technology providers or data processing methods. The current version is published on the website.