Privacy Policy
Effective date: 11 May 2026
Last updated: 11 May 2026
This Privacy Policy describes how Coretheus Sp. z o.o. ("Coretheus", "we", "us", "our") collects, uses, and protects personal data when you visit our website at coretheus.com or otherwise interact with us. It is written in plain language and structured around the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Polish data protection law.
1. Data controller
The data controller of your personal data is:
Coretheus Sp. z o.o.
Al. Marszałka Piłsudskiego 12
43-100 Tychy, Poland
KRS 0001185695 · NIP 6463022515 · REGON 542311737
For all matters related to this Privacy Policy and your data protection rights, contact us at: contact@coretheus.com
We have not appointed a Data Protection Officer (DPO), as Polish law does not require us to do so based on our processing activities. The email above is the official channel for all privacy inquiries.
2. What personal data we collect
We collect personal data in two ways: directly from you, and automatically when you use the website.
2.1 Data you provide directly
Contact form
When you fill out the contact form on our website, we collect:
Your name
Your phone number
Any additional information you choose to include in any free-text field
Email correspondence
When you write to us directly (e.g., at contact@coretheus.com), we receive:
Your email address
Your name (if included in the signature or message)
The content of your message, including any personal data you choose to share
During an engagement
If we enter into a software development engagement with you or your organization, we may collect additional business information necessary for performing the contract: invoicing details, technical contact information, business representatives' names and roles, and similar.
2.2 Data collected automatically
When you visit the website, our hosting provider and certain technical components automatically log:
IP address (in some cases truncated for privacy)
Browser type and version
Operating system and device type
Referrer URL (the page that linked you to us, if any)
Pages visited on our site and timestamps of visits
Approximate geographic location derived from IP address (typically country or region)
This data is recorded in standard server logs.
2.3 What we do not collect
We do not knowingly collect:
Special categories of personal data under Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation)
Data related to criminal convictions or offences under Article 10 GDPR
Payment card information through this website (we do not process card payments online)
Personal data of minors under 16 years of age
If you are under 16, please do not provide personal data through this website.
3. Why we process your data and on what legal basis
We process personal data only for specified, explicit, and legitimate purposes, and only where a valid legal basis under Article 6 GDPR applies.
3.1 To respond to your inquiries
Data: Name, phone number, content of your message
Purpose: Responding to questions about our services, scheduling discovery calls, preparing proposals
Legal basis: Article 6(1)(b) GDPR — taking steps at your request prior to entering into a contract; and Article 6(1)(f) GDPR — our legitimate interest in conducting business communications
3.2 To perform a contract
Data: All data necessary to deliver our services to you or your organization
Purpose: Performing software development, maintenance, and related services
Legal basis: Article 6(1)(b) GDPR — performance of a contract to which you are a party
3.3 To comply with legal obligations
Data: Invoicing, accounting, and contractual data subject to retention laws
Purpose: Meeting our obligations under Polish tax law (Ordynacja podatkowa) and accounting law (Ustawa o rachunkowości), as well as responding to lawful requests from public authorities
Legal basis: Article 6(1)(c) GDPR — compliance with a legal obligation
3.4 To maintain website security and stability
Data: Server log data, IP address, technical metadata
Purpose: Detecting and preventing abuse, ensuring service availability, debugging
Legal basis: Article 6(1)(f) GDPR — our legitimate interest in operating a secure and reliable website
3.5 To analyze how the website is used (only if you consent)
Data: Aggregated or pseudonymized usage data
Purpose: Understanding which pages perform well, identifying technical issues, improving the site
Legal basis: Article 6(1)(a) GDPR — your consent (granted through the cookie consent banner)
As of the date of this Policy, no analytics tracking is active on our website. If we add analytics in the future, you will be asked for consent through our cookie banner before any non-essential tracking begins.
4. Recipients of your data
We do not sell, rent, or trade your personal data. We share data only with the categories of recipients listed below, and only to the extent necessary for the stated purposes.
4.1 Service providers acting on our behalf (data processors)
These parties process data under written data processing agreements consistent with Article 28 GDPR.
Hosting provider
Hostinger International Ltd. — headquartered at 61 Lordou Vironos Street, 6023 Larnaca, Cyprus
Servers used to host our website are located within the European Union
Hostinger processes server logs and provides hosting infrastructure
Form processing service
Web3Forms (operated by Yardflex DWC LLC) — handles the submission of our contact form by forwarding form data to our email
Web3Forms processes form submissions in transit but does not store them long-term
More information: https://web3forms.com/privacy
Email service
Google Workspace, operated by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland)
Google Workspace processes the content of email correspondence sent to and from our addresses, including delivery, storage, spam filtering, and search functionality, on Google's infrastructure
Google is established in the EEA. Google may, in the course of providing the service, transfer data to its global infrastructure, including locations outside the EEA. Such transfers are governed by Standard Contractual Clauses and Google's supplementary measures
More information: https://workspace.google.com/terms/dpa_terms.html
Accounting and tax services
Our Polish accounting firm processes invoicing and contractual data for tax and bookkeeping purposes, under a written data processing agreement consistent with Article 28 GDPR
4.2 Public authorities
We disclose personal data to public authorities (e.g., tax authorities, courts, law enforcement) only where required by law or in response to a lawful and binding request.
4.3 Professional advisors
In limited circumstances, we may share data with our legal counsel, auditors, or insurance providers, all of whom are bound by professional confidentiality obligations.
5. International data transfers
We strive to keep your personal data within the European Economic Area (EEA).
Where any service provider operates outside the EEA, we ensure that an appropriate transfer mechanism under Chapter V GDPR is in place. This means one of the following:
A European Commission adequacy decision recognizing the destination country
Standard Contractual Clauses (SCCs) approved by the European Commission
Other safeguards permitted under GDPR Articles 46-49
For details about a specific transfer or to request a copy of the applicable safeguards, contact us at contact@coretheus.com.
6. How long we retain your data
We retain personal data only as long as necessary for the purposes set out in this Policy. The main retention periods are:
Category | Retention period
Contact form submissions (no contract follows) | Up to 3 years from last contact, then deleted
Pre-contractual correspondence | Up to 3 years from last contact, unless a contract follows
Contractual data and correspondence | Duration of the contract plus 5 years (Polish Accounting Act)
Invoicing and tax records | 5 years from the end of the calendar year in which the tax obligation arose (Ordynacja podatkowa)
Server logs | Up to 12 months
Cookie consent records | 12 months from the date of consent
Records of withdrawn consents | 1 year from withdrawal, for evidentiary purposes
After the applicable period, we securely delete or anonymize the data.
7. Your rights
Under GDPR, you have the following rights with respect to your personal data:
7.1 Right of access (Article 15)
You can ask whether we process your personal data and, if so, receive a copy of the data along with information about how we process it.
7.2 Right to rectification (Article 16)
You can ask us to correct inaccurate personal data or complete incomplete personal data.
7.3 Right to erasure ("right to be forgotten") (Article 17)
You can ask us to delete your personal data, subject to certain exceptions (for example, where we are required by law to retain it).
7.4 Right to restriction of processing (Article 18)
In certain situations, you can ask us to pause processing of your data while we investigate a request.
7.5 Right to data portability (Article 20)
Where processing is based on consent or a contract and is carried out by automated means, you can request that we provide your data in a structured, commonly used, machine-readable format, or transmit it to another controller.
7.6 Right to object (Article 21)
You can object to processing based on our legitimate interests (Article 6(1)(f) GDPR), including any profiling. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
7.7 Right to withdraw consent
Where processing is based on your consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
7.8 Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with the Polish data protection authority:
Prezes Urzędu Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warszawa, Poland
Website: https://uodo.gov.pl
You may also lodge a complaint with the supervisory authority in your country of residence.
How to exercise your rights
Email us at contact@coretheus.com with your request. We will respond within one month of receipt. If your request is complex or you have submitted multiple requests, we may extend this period by up to two additional months, in which case we will notify you within the first month and explain the reason for the extension.
We may need to verify your identity before responding, particularly for requests involving sensitive data or potentially affecting third parties.
There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
8. Whether providing data is mandatory
Providing personal data through the contact form is voluntary. However, without your name and phone number, we cannot respond to your inquiry. Server-level data (IP address and similar) is collected automatically when you visit the site and is technically necessary to deliver the website to your browser.
If you enter into a contract with us, certain data is required by law (e.g., invoicing information for tax compliance) and other data is contractually necessary to deliver the services.
9. Automated decision-making and profiling
We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts on you.
10. Security measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include:
HTTPS encryption for all website traffic
Restricted access to personal data within our team on a need-to-know basis
Written data processing agreements with all processors
Regular review of security practices and access controls
Selection of EU-based or GDPR-compliant service providers
No security measure is perfect. If you become aware of a vulnerability, please contact us at contact@coretheus.com.
11. Children's data
This website is not directed at individuals under 16 years of age. We do not knowingly collect personal data from minors. If you believe we may have inadvertently collected such data, please contact us and we will delete it promptly.
12. Cookies
Information on how we use cookies and similar technologies is set out in our separate Cookies Policy.
13. Links to third-party websites
Our website may contain links to external websites operated by third parties. We are not responsible for the privacy practices of those websites. We encourage you to review the privacy policies of any website you visit through our links.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you through the website or by email. We encourage you to review this Policy periodically.
15. Contact
For any questions, concerns, or requests related to this Privacy Policy or your personal data:
Email: contact@coretheus.com
Postal address: Coretheus Sp. z o.o., Al. Marszałka Piłsudskiego 12, 43-100 Tychy, Poland

