Privacy Policy

0. Use of Artificial Intelligence (AI Disclosure)

K0nsult uses Anthropic Claude (a large language model) to classify incoming messages, support users, and generate audit-related content. Any content produced by AI is labelled "🤖 AI-generated". A human supervises all AI output (human-in-the-loop): no decision affecting your rights is fully automated. AI is used as an assistive tool only; the final responsibility for every audit deliverable and every decision rests with a human auditor.

1. Data Controller

The data controller responsible for your personal data is:

• Entity: K0nsult Sp. z o.o.
• KRS: 0001239441  |  NIP: 5253089872  |  REGON: 544723272
• Registered office: ul. Aleja Solidarności 68/121, 00-240 Warsaw, Poland
• Contact: kontakt@k0nsult.cloud

2. What Data We Collect

2.1 Contact Form Data

When you submit our contact form, we collect:

• Your name
• Email address
• Company name (if provided)
• Message content

2.2 Usage Analytics (Server-Side, No Third-Party Tracking)

K0nsult uses server-side request logs only for usage analytics. No third-party analytics scripts, tracking pixels, or advertising cookies are used. Specifically, we record:

• Page URL — the path of the page requested
• Timestamp — date and time of the request (UTC)
• Referrer header — the URL of the page that linked to us, if present
• Anonymized IP address — last octet removed before storage (e.g., 192.168.1.xxx)

No cookies are set for analytics purposes. No third-party pixels (Google Analytics, Facebook Pixel, etc.) are loaded. If a privacy-friendly, cookie-free analytics tool is used in the future (e.g., Plausible.io — EU-hosted, no cookies, no cross-site tracking), this policy will be updated accordingly. This data cannot be used to identify individual users.

3. Purpose of Data Processing

We process your personal data for the following purposes:

• Responding to inquiries: To reply to messages submitted through our contact form and provide requested information about our services.
• Service improvement: To understand how our website is used and improve the user experience, based on anonymized server-side request logs (no cookies, no third-party tracking).

4. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:

• Contact form: Art. 6(1)(f) GDPR (legitimate interest). We have a legitimate interest in responding to inquiries submitted through our contact form.
• Starter pack: Art. 6(1)(a) GDPR (consent). When you voluntarily submit your email to receive the Starter Pack, you consent to the processing of your personal data for that purpose.
• Newsletter: Art. 6(1)(a) GDPR (consent). When you subscribe to our newsletter, you consent to receiving periodic communications about AI governance.
• Server-side analytics logs: Art. 6(1)(f) GDPR (legitimate interest). We have a legitimate interest in collecting anonymized, server-side request logs to understand website usage and improve our services. No cookies are used for this purpose and no data is shared with third parties.

5. Data Retention

• Contact form data: 24 months from last contact. You may request deletion at any time.
• Anonymous analytics data: 12 months.

You may request deletion of your personal data at any time by contacting us at kontakt@k0nsult.cloud.

5a. Data Processed in the Free Pilot Audit

During the free pilot phase, when you request an independent audit of an AI system, we process the following categories of data:

• Technical data of the audited system — configuration, model details, logs, and other artefacts you provide for the audit
• Contact data of the requester — name, email, organisation
• Auditor notes — observations, findings, and assessments produced during the audit
• Feedback — comments you provide about the audit and the pilot programme

Legal basis: Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures at your request).

Retention: Pilot audit records are retained for 7 years to satisfy audit documentation requirements (ISO 42001). After the pilot ends, data is anonymized and may be used for research and development. You may request deletion of your data at any time at kontakt@k0nsult.cloud.

6. Your Rights

Under GDPR, you have the following rights regarding your personal data:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete personal data.
• Right to erasure: You may request deletion of your personal data ("right to be forgotten").
• Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
• Right to object: You may object to the processing of your personal data based on legitimate interest.
• Right to withdraw consent: You may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, contact us at kontakt@k0nsult.cloud. We will respond within 30 days.

7. Cookies and Local Storage

We use only essential cookies and localStorage for the following purposes:

• Session management: To maintain your session state while using the website.
• User preferences: To remember your display preferences (e.g., theme settings) via localStorage.

We do not use:

• Google Analytics
• Facebook Pixel
• Any third-party tracking cookies
• Any advertising or marketing cookies

8. Sub-processors

We use the following sub-processors to provide our services:

• Fly.io — Hosting, Frankfurt, EU — all data
• Anthropic — AI inference (Claude), USA — prompts and responses (no training on customer data)
• Stripe — Payment processing, USA/EU — payment data
• LH.pl — SMTP/IMAP email, Poland — email headers and content
• Let's Encrypt — TLS certificates, USA — no personal data
• Plausible.io — Analytics, Germany, EU — anonymized data (status: optional / not currently active)

We do not sell, trade, or otherwise transfer your personal data to third parties for their own purposes. Your data is used solely by K0nsult CNC and the sub-processors listed above for the purposes described in this policy.

9. Data Location and Security

Your data is stored and processed within the European Union:

• Hosting location: Fly.io EU — Frankfurt, Germany (primary, 2 instances) + Amsterdam, Netherlands (1 instance). All data stored and processed within EU/EEA.
• Security measures: Data is transmitted via encrypted HTTPS connections. Access to personal data is restricted to authorized personnel only.

10. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Any updates will be posted on this page with a revised "Last updated" date. We encourage you to review this page periodically.

12. Supervisory Authority & Right to Complain

If you believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with the supervisory authority:

You may also lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

List of Data Sub-Processors

Sub-processor	Purpose	Location	Data / Certifications
Fly.io Inc.	Application and database hosting	Frankfurt, EU	All data; SOC2 Type II
Anthropic	AI inference (Claude)	USA	Prompts + responses; SOC2 Type II, no training on customer data
Stripe Inc.	Payment processing	USA/EU	Payment data; PCI DSS Level 1, SOC2
LH.pl	SMTP/IMAP email	Poland, EU	Email headers + content
Let's Encrypt	TLS certificates	USA	No personal data
Plausible.io	Analytics (optional / not currently active)	Germany, EU	Anonymized data; cookie-free

Data Protection Officer (DPO)

Contact for personal data protection matters: kontakt@k0nsult.cloud

Data Controller: K0nsult Sp. z o.o., KRS 0001239441, NIP 5253089872, ul. Aleja Solidarności 68/121, 00-240 Warsaw — kontakt@k0nsult.cloud

Data Deletion Request

Under Art. 17 GDPR, you have the right to request deletion of your personal data.

Email address associated with your data:
Submit deletion request

13. Contact

For any questions or requests regarding this Privacy Policy or your personal data, please contact:

14. Data Processing Agreement (DPA)

A Data Processing Agreement is available upon request for enterprise clients.

Current sub-processors:

• Fly.io — Application hosting and compute, Frankfurt, EU — all data
• Anthropic — AI inference (Claude), USA — prompts and responses (no training on customer data)
• Stripe — Payment processing, USA/EU — payment data
• LH.pl — SMTP/IMAP email, Poland — email headers and content
• Let's Encrypt — TLS certificates, USA — no personal data
• Plausible.io — Analytics, Germany, EU — anonymized data (optional / not currently active)

Sub-processor changes: Clients will be notified 30 days before any new sub-processor is added. Clients may object within 14 days.

DPA includes: Standard Contractual Clauses (SCCs), technical and organizational measures (TOMs), breach notification obligations.

15. Security Incident Response

K0nsult maintains a documented incident response procedure covering:

• 1. Detection — Automated monitoring and alerting for unauthorized access, data anomalies, and system integrity violations
• 2. Classification — Incidents classified as P1 (critical: data breach), P2 (high: service disruption), P3 (medium: anomaly), P4 (low: minor issue)
• 3. Containment — Immediate isolation of affected systems; all actions logged
• 4. Notification — P1/P2 incidents: affected parties notified within 72 hours per GDPR Art. 33. Supervisory authority (UODO) notified if required
• 5. Resolution — Root cause analysis, remediation, and post-incident review within 14 days
• 6. Documentation — Full incident report retained for 36 months