PRIVACY POLICY
messageflow.com

At Vercom S.A., we care about your personal data and make every effort to reliably provide you with all information regarding how it is processed.

Below we explain how we process your personal data for the purpose of providing services to you via our websites available at: vercom.pl and messageflow.com (the “Websites” or each individually a “Website”) – however, this information applies only to situations in which you provide us with your personal data for purposes related to the use of our services.

If your data was not provided to us directly by you, but by a Client of whom you are a representative or a contact person, the source of your data is that Client. This Privacy Policy also constitutes the fulfillment of our information obligation towards such individuals. Detailed information on the purposes and legal grounds for processing your data can be found in section 2 below.

To the extent that you are only browsing the content of our Websites, we process your data for analytical, marketing, and security purposes. Detailed information about cookies can be found in our Cookie Policy, while the rules for processing this data and its transfer are described below.

Below we use the abbreviation “GDPR” (Polish: RODO), which shall be understood as: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Whenever we use the term “Agreement” (capitalized) in this Policy, it shall be understood as the Framework Agreement for the Provision of Electronic Services.

Whenever we use the term “Service” (capitalized) in this Policy, it shall be understood as the Service provided by us on the basis of the Agreement.

Whenever we use the term “Correspondence” (capitalized) in this Policy, it shall be understood as all communication directed to us or by us, including e-mails, chat messages, support system requests (tickets), and inquiries submitted via contact forms.

1. Data Controller

We are the controller of your personal data – “we” meaning VERCOM S.A. (joint-stock company) with its registered office in Poznań (61-569) at ul. Wierzbięcice 1B, whose registration files are kept by the District Court for Poznań – Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register, entered into the register of entrepreneurs of the National Court Register under KRS number: 0000535618, holding NIP (Tax Identification Number): 7811765125 and REGON (National Business Registry Number): 300061423, with a share capital of PLN 444,475.70, fully paid up.

General contact with the controller: e-mail: .

You can contact our Data Protection Officer regarding all matters concerning the protection of your personal data at the following e-mail address: .

2. For what purpose and on what legal basis do we process your personal data

We process your personal data for the following purposes:

  1. entering into and performing the Agreement – we process your personal data in order to enter into and perform the Agreement, on the basis of which we provide to you the Services specified in this Agreement, including in particular to:
    1. handle and communicate with you within the scope of the provided Services, including via the Customer Service Office, e-mail, telephone, chat, and the ticketing system;
    2. communicate with you on technical, billing, and organizational matters related to the performance of the Agreement;
    3. handle complaints and respond to your requests submitted in connection with the performance of the Agreement.

    The above also applies to representatives and contact persons of Clients (non-consumer entities, including public finance sector units and non-governmental organizations). If you are an employee, associate, or contact person of our Client, we process your data (name and surname, e-mail address, telephone number, position) in order to perform the Agreement.

  2. performing the Newsletter dispatch agreement – when you decide to subscribe to our Newsletter, we will process your personal data to perform the agreement for the provision of electronic services, the basis of which is the Newsletter Terms and Conditions; on the basis of the concluded agreement you will receive from us, cyclically and on the terms set out in the Newsletter Terms and Conditions, a Newsletter containing valuable information from the e-commerce world, as well as guides and invitations to webinars prepared by us;
  3. fulfilling legal obligations that apply to us as the controller of your personal data;
  4. analytical, marketing, and Website optimization purposes (carried out using the tools detailed in the Cookie Policy) – we will process your personal data regarding the way you use the Website using analytical tools to improve the proposed content, as well as to improve its operation and performance;
  5. direct marketing of our services – we will process your personal data for direct marketing purposes, but only if you consent to our use of telecommunications terminal equipment and automated calling systems for direct marketing purposes using the e-mail address or phone number provided by you, or both channels simultaneously (depending on your preferences); the above also applies to return contact in connection with your request for an offer – by sending us a request for an offer (inquiry), you consent to us contacting you for the direct marketing of our services to present our offer, using telecommunications terminal equipment and automated calling systems. You may withdraw this consent at any time (more in point 11);
  6. profiling for direct marketing purposes – if you consent to our use of telecommunications terminal equipment and automated calling systems for direct marketing purposes using the communication channel you provided (e-mail or telephone), your personal data will be profiled for direct marketing purposes. The profiling referred to here will allow us to provide you with content tailored to your needs. In any case, you may object to the profiling of your personal data for direct marketing purposes (more in point 7).
  7. for the purposes of pursuing our legitimate interests, which include:
    1. responding to an inquiry or Correspondence from individuals who are not our Clients – if you send us an inquiry via contact forms, chat, e-mail, or by phone, and you are neither our Client nor a Client’s contact person, we will process your personal data to respond to your submission, question, or contact request. We have a legitimate interest in this, as responding to Correspondence is the basis for building relationships with users and potential Clients;
    2. pursuing claims arising from our business activity or defending against claims that you may have against us, and which are related to the use of the Services provided via a given Website – only in justified cases;
    3. ensuring the security of services and fraud prevention – we have a legitimate interest in protecting our Websites and Clients against fraud attempts, spam, or automated attacks (e.g., bots). For this purpose, we may analyze technical data (such as IP address, device fingerprint, message headers), e-mail address, and communication content, using special automatic analysis tools to detect suspicious patterns, verify identity, and identify and mask improperly transmitted sensitive data;
    4. establishing and maintaining business relations – we process the personal data of potential clients and their representatives to establish business contacts, present our offer, and build commercial relationships. This data may include: name and surname, position, company name, e-mail address, phone number, and professional profile information. We obtain this data in particular through direct contact during industry events, referrals from our business partners, and publicly available professional sources, including professional networking platforms such as LinkedIn.
  8. supporting Customer service using artificial intelligence (AI) tools – to ensure faster and more effective servicing of your account, our team uses AI tools that support the analytics and categorization of Correspondence, drafting responses to inquiries, and document analysis. As part of processing using artificial intelligence:
    1. data may be transferred to external AI service providers indicated in point 4 of this Privacy Policy (including providers based outside the European Economic Area, subject to the transfer mechanisms described in point 4);
    2. neither we nor our AI tool providers use your data to train artificial intelligence models;
    3. the results of the AI tools’ analysis do not constitute an independent basis for making decisions that produce legal effects concerning you; they only support the assessment made by our employees (more in point 9);

The legal basis for processing your personal data is:

  1. regarding processing carried out for the purposes specified in points 1 and 2 above – Article 6(1)(b) of the GDPR, i.e., processing is necessary for the performance of a contract to which you are a party/representative, i.e., (i) the Agreement or (ii) the Newsletter dispatch agreement based on the Newsletter Terms and Conditions; and regarding contact persons and representatives of Clients who are not directly a party to the Agreement – Article 6(1)(f) of the GDPR, i.e., processing is necessary for the purposes of our legitimate interests;
  2. regarding processing carried out for the purpose specified in point 3 above – Article 6(1)(c) of the GDPR, i.e., processing is necessary for compliance with legal obligations to which we are subject as the controller of your personal data;
  3. regarding processing carried out for the purposes specified in points 4, 5, and 6 above – Article 6(1)(a) of the GDPR, i.e., your voluntary consent;
  4. regarding processing carried out for the purpose specified in point 7 above – Article 6(1)(f) of the GDPR, i.e., processing is necessary for the purposes of our legitimate interests described above;
  5. regarding processing carried out for the purpose specified in point 8 above – Article 6(1)(f) of the GDPR, i.e., processing is necessary for the purposes of our legitimate interests consisting of ensuring effective Customer service and efficient fulfillment of contractual obligations. Before implementing such processing, we conducted a balancing of interests test, in which we weighed our interest against your rights and freedoms, as well as a Data Protection Impact Assessment (DPIA). The results of these analyses are available upon request at: .

3. Who has access to your personal data – recipients

We will never sell, rent, or share your personal data with third parties for commercial purposes.

Access to your personal data is granted to our employees and associates involved in providing services to you, as well as those who assist you in all matters regarding which you contact us. For purposes related to the provision of services to you, telecommunications service providers may also have access to your personal data.

Access to your personal data, on the basis of entrustment of data processing, may also be granted to external entities that provide specific services to us, such as: IT services, hosting services, legal services, courier services, accounting services, providers of software supporting our business (invoicing systems, Client communication systems, etc.), as well as providers of risk analysis and fraud prevention services, and providers of analytical, marketing, and communication solutions.

In justified cases and within the limits of applicable law, public authorities may also have access to your personal data, including in particular: the President of the Personal Data Protection Office, the Tax Office, as well as the Police and the Public Prosecutor’s Office.

4. External tools, analytics, and data transfer

On our Websites, we use external tools that may collect information about your activity. Detailed information about individual cookies, their functions, and storage periods can be found in our Cookie Policy and in the consent management panel (CookieHub).

Below we indicate the categories of providers and selected examples of services we use. Using them involves sharing your data (e.g., IP address, device identifiers, communication content):

  1. infrastructure and hosting providers (e.g., Amazon Web Services – AWS S3, Beyond.pl, NTT Global Data Centers);
  2. providers of analytical, statistical, and advertising tools (e.g., Google Ireland Ltd. / Google LLC – Google Analytics 4, Google Ads);
  3. providers of artificial intelligence tools (e.g., Microsoft Corporation / Microsoft Ireland Operations Ltd. – Azure OpenAI Service, Google LLC – Vertex AI);
  4. communication and customer service tool providers (e.g., Intercom R&D Unlimited Company / Intercom Inc.);
  5. marketing and analytical tool providers (e.g., LinkedIn Ireland Unlimited Company – LinkedIn Insight Tag);
  6. technical service providers (e.g., Google Ireland Ltd. / Google LLC – Google Tag Manager, CookieHub, WPML, and other tools supporting the functionality of the Websites).

A full, up-to-date list of all entities processing data on our behalf, including the country of their registered office, the purpose of processing, and the data transfer mechanism, is available upon request. To obtain it, please contact our Data Protection Officer at the e-mail address: .

Transfer to third countries

Our use of the aforementioned tools and fraud prevention services may involve the transfer of your personal data to entities based outside the European Economic Area.

We ensure that these transfers take place based on legal mechanisms required by the GDPR:

  1. the European Commission adequacy decision of July 10, 2023, regarding the EU-U.S. Data Privacy Framework (DPF) – in the case of providers holding a DPF certification;
  2. Standard Contractual Clauses (SCC) approved by the European Commission;
  3. other transfer mechanisms permitted by the GDPR.

Detailed information on the transfer mechanism applied to each provider can be found on the list of data processors.

5. How long do we process your personal data

If you have entered into an Agreement with us, we process your personal data for the period necessary for its performance – i.e., for the duration of the Agreement. In any case, after the termination of the Agreement, we will process your personal data for the period necessary to fulfill legal obligations.

The retention periods for data collected by cookies can be found in our Cookie Policy.

So, how long is that?

The Accounting Act of September 29, 1994, obliges us to store your personal data for a period of 5 years from the beginning of the year following the financial year in which the Agreement was settled. This also applies to the Newsletter service.

Other personal data processing periods

In the event that we process your personal data in order to pursue our legitimate interests, the retention period for your personal data is, respectively:

  1. in the event that we process your personal data to respond to your inquiry sent to us via the contact form or chat available on the Website, or via e-mail/telephone directed to our contact address – for the time necessary to consider and respond to your submission;
  2. in the event that we process your personal data to respond to a complaint submitted by you – for the time necessary to conclude the complaint procedure, and after its conclusion, for a period of 1 year after the settlement of the complaint;
  3. in the event that we process your personal data for direct marketing purposes – solely until you withdraw your consent to marketing communication;
  4. in the event that we profile your personal data for direct marketing purposes – solely until you withdraw your consent to our use of telecommunications terminal equipment and automated calling systems for direct marketing purposes;
  5. in the event that we process your personal data in order to pursue claims related to our business activity or in order to defend against claims that you may have against us – for the limitation period of claims, and in the case of proceedings initiated to pursue or defend these claims, for the period necessary to conclude the proceedings and enforce the claims. In such a case, however, we will update the information obligation towards you, informing you that we process your personal data for this purpose;
  6. in the event that we process your personal data for analytical and marketing purposes carried out using cookies – for the periods defined in the parameters of individual cookies or until you delete them from your browser or change the settings in the consent management tool;
  7. in the event that we process your personal data in order to ensure the security of Services and prevent fraud – for the time necessary to verify the credibility of a given operation or registration, and in the event of detecting fraud or a violation of the law – for the limitation period of claims arising from this title;
  8. in the event that we process your personal data using artificial intelligence tools to support Customer service – data transferred to AI tools is processed to the extent and for the time necessary to perform a given operation (e.g., analyzing an inquiry or document). AI tool providers process this data in accordance with the terms of data processing entrustment agreements and may store it for a short period necessary to ensure the security of the service or fulfill separate legal obligations. AI analysis results, if stored by us as part of Customer service documentation, are subject to retention periods appropriate for the given purpose of processing;
  9. in the event that we process your personal data in order to establish and maintain business relations – for the period of conducting activities related to establishing cooperation, and then for a period of 3 years from the last contact, unless you object to the processing earlier.

6. Your rights in connection with the processing of your personal data

Under the terms specified in the GDPR, you may have the right to: (i) request access to your personal data from us, (ii) rectify your personal data, (iii) erase your personal data or (iv) restrict the processing of your personal data, or (v) object to the processing of your personal data, as well as (vi) transfer your personal data to another controller.

In order to exercise your right, please contact us at: .

7. You can object to the processing of your personal data

Yes, you can – but only when we process your personal data on the basis of Article 6(1)(f) of the GDPR.

You may object at any time, on grounds relating to your particular situation.

In the event that you object to the processing of your personal data based on the indicated legal grounds, we will no longer be allowed to process your personal data for the purposes covered by the objection, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

To submit an objection, write to us at: .

8. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, which in the territory of Poland is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), www.uodo.gov.pl.

9. Automated decision-making and profiling

In principle, your personal data is not subject to automated decision-making that produces legal effects concerning you.

Fraud prevention (e-Hawk)

An exception is the processing of data to ensure the security of our services. We use tools (such as e-Hawk) that analyze data in real-time (e.g., IP address, device data, e-mail address) in order to automatically assess the risk of an operation and assign a “risk score” to it. Decisions made on this basis (e.g., temporary blocking of registration) are not fully automatic and are subject to verification by our employees.

Artificial intelligence tools

The use of AI tools described in section 2, point 8 of this Policy (analysis of Correspondence, document categorization) does not constitute automated decision-making within the meaning of Article 22 of the GDPR, nor a high-risk system within the meaning of Regulation 2024/1689 (AI Act). These tools serve a supporting function; the results of their analyses are always verified by trained employees. The results of the AI analysis do not constitute an independent basis for making decisions that produce legal effects concerning you, and their use does not involve assessing your personal traits.

10. Necessity to provide personal data

Providing your personal data is necessary to enter into the Agreement with us. Refusal to provide personal data will prevent you from using our Services. In the event that you submit a complaint or direct an inquiry to us, refusal to provide your personal data will make it impossible to consider your complaint or respond to your submission.

11. Consent to the use of telecommunications terminal equipment and automated calling systems for direct marketing purposes

In the event that you consent to marketing contact, you have the right to withdraw this consent at any time, which will not affect the lawfulness of activities undertaken before its withdrawal.

How can you withdraw your consent?

  1. Independently – via the Client Panel;
  2. Independently – via the unsubscribe link in each marketing message;
  3. By contacting Vercom electronically at the address: ;
  4. By changing the settings in our consent management tool (CookieHub) available on the Website.

This Privacy Policy is for informational purposes only, and its amendment does not constitute an amendment to the Agreement.