1. Who We Are — Data Controller
The controller of your personal data within the meaning of Article 4(7) GDPR is:
| Controller | 2info spółka z ograniczoną odpowiedzialnością (2info sp. z o.o.), trading as Cardiac Purr |
| Address | Grunwaldzka 10/1, 31-526 Kraków, Poland |
| Email | legal@cardiac-purr.com |
| Data Protection Officer | legal@cardiac-purr.com |
When we refer to "we", "us", or "our" in this Privacy Policy, we mean 2info sp. z o.o. trading as Cardiac Purr.
2. Personal Data We Collect
2.1 Data You Provide Directly
- Contact and enquiry data: name, email address, company name, and any information you include in messages sent to us via the contact form or by email.
- Account data (if applicable): username, email address, password hash, and account preferences.
- Commercial correspondence: content of emails and messages exchanged in the course of business negotiations or support.
2.2 Data Collected Automatically
- Technical data: IP address (anonymized or pseudonymized where technically feasible), browser type and version, operating system, device type, screen resolution, referring URL.
- Usage data: pages visited, time spent on pages, clicks, scroll depth, and navigation paths — collected via analytics tools only with your consent.
- Log data: server access logs retained for security and fraud prevention purposes.
- Cookie and tracker data: as described in our Cookie Policy.
2.3 Data We Do Not Collect
We do not intentionally collect special categories of personal data (Article 9 GDPR), including data concerning health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, or data concerning sexual orientation. Please do not send us such data unless explicitly requested.
3. Purposes and Legal Bases for Processing
Under Article 13(1)(c) GDPR, we are required to inform you of the specific purpose and legal basis for each processing activity. The table below sets out our processing activities in full:
| Purpose | Data categories | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Responding to enquiries and providing support | Contact data, correspondence content | Art. 6(1)(b) — performance of a contract or pre-contractual steps; Art. 6(1)(f) — legitimate interest in responding to communications directed at us |
| Providing and maintaining the Service | Account data, technical data, usage data | Art. 6(1)(b) — performance of contract |
| Website analytics and performance monitoring | Usage data, technical data, cookie identifiers | Art. 6(1)(a) — consent (via cookie banner) |
| Security, fraud prevention, and abuse detection | IP address (pseudonymized), log data | Art. 6(1)(f) — legitimate interest in protecting the integrity of our systems and users |
| Compliance with legal obligations | Any data necessary to comply with applicable law | Art. 6(1)(c) — legal obligation |
| Direct marketing communications | Name, email address | Art. 6(1)(a) — consent; or Art. 6(1)(f) — legitimate interest for existing customers under the conditions of Article 10 of the Polish Act on Provision of Electronic Services |
| Sending transactional and service notifications | Name, email address, account data | Art. 6(1)(b) — performance of contract |
3.1 Legitimate Interests Assessment
Where we rely on Article 6(1)(f) GDPR (legitimate interests), we have determined that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests at any time — see Section 7 below.
3.2 Withdrawal of Consent
Where processing is based on your consent (Article 6(1)(a) GDPR), you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw consent, contact us at legal@cardiac-purr.com or use the preference centre in our Cookie Policy page.
4. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). Where personal data is transferred to third countries, we ensure an adequate level of protection through one or more of the following mechanisms:
- EU–US Data Privacy Framework (DPF): The adequacy decision was upheld by the EU General Court on 3 September 2025 (Case T-553/23, Latombe v. Commission). An appeal has been filed before the Court of Justice of the European Union (CJEU) by the applicant on 31 October 2025 and remains pending. The DPF adequacy decision remains fully operative during appeal proceedings. We maintain Standard Contractual Clauses as a parallel safeguard for all US transfers.
- Standard Contractual Clauses (SCCs): European Commission Decision 2021/914 of 4 June 2021 — Module 2 (controller to processor) or Module 1 (controller to controller) as applicable.
- Transfer Impact Assessments (TIAs) are conducted for all third-country transfers in accordance with EDPB Recommendations 01/2020.
5. Recipients of Personal Data
We do not sell your personal data. We share personal data only with:
5.1 Service Providers (Data Processors)
We engage the following categories of processors who act under our instructions and are bound by data processing agreements pursuant to Article 28 GDPR:
- Hosting and infrastructure providers — for website hosting and storage
- Analytics providers (Google Analytics 4) — for website analytics, subject to your consent
- CDN and security providers (Cloudflare) — for content delivery and DDoS protection
- Email and communication providers — for transactional and support communications
- Payment processors (Stripe) — for processing payments, where applicable
A full list of current processors is available upon written request to legal@cardiac-purr.com.
5.2 Legal and Regulatory Disclosure
We may disclose personal data to public authorities, law enforcement, or courts where required by applicable law, a binding court order, or a legally enforceable administrative decision — including orders issued pursuant to Article 9 of the Digital Services Act. We will notify you of any such disclosure unless legally prohibited from doing so.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all assets of 2info sp. z o.o., personal data may be transferred to the acquiring entity, provided that the acquiring entity assumes our obligations under this Privacy Policy and applicable law.
6. Retention Periods
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with Article 5(1)(e) GDPR (storage limitation principle):
- Contact and enquiry data: 3 years from the date of last communication, unless a contractual relationship arises, in which case the applicable contractual limitation period applies (up to 6 years under Polish civil law).
- Account data: Duration of the account plus 2 years after account deletion, unless a longer retention is required by law.
- Analytics data: Maximum 14 months (Google Analytics 4 retention setting), after which data is aggregated and anonymized.
- Security logs: Maximum 12 months from the date of the logged event.
- Financial and invoicing records: 5 years from the end of the tax year in which the transaction occurred, pursuant to Polish tax law (Ordynacja podatkowa).
- Consent records: 3 years from the date on which consent was collected, or from its withdrawal, to enable us to demonstrate compliance with Article 7(1) GDPR.
Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymized.
7. Your Rights as a Data Subject
Under Articles 15–22 GDPR and Polish data protection law, you have the following rights. All requests must be directed to legal@cardiac-purr.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with prior notification — Article 12(3) GDPR).
- Obtain confirmation of whether we process your data and receive a copy of that data, along with information about the purposes, categories, recipients, and retention periods.
- Request correction of inaccurate personal data or completion of incomplete data without undue delay.
- Request deletion of your personal data where the data is no longer necessary, consent is withdrawn, or processing is unlawful. This right is subject to exceptions under Article 17(3) GDPR. This right was an EDPB 2025 coordinated enforcement priority.
- Request that we restrict processing (i.e., store but not use your data) while accuracy is contested, processing is unlawful, or an objection is pending.
- Receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
- Object at any time to processing based on legitimate interests (Art. 6(1)(f)) or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds overriding your interests.
- Not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not currently engage in such processing.
- Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Withdrawal is as easy as giving consent.
7.1 Identity Verification
To protect your data, we may request reasonable verification of your identity before fulfilling a request. We will not request more information than necessary for this purpose (Article 12(6) GDPR).
7.2 Right to Lodge a Complaint
If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with:
- UODO — Urząd Ochrony Danych Osobowych (Poland): ul. Stawki 2, 00-193 Warszawa; uodo.gov.pl
- The supervisory authority of your Member State of habitual residence, place of work, or the place of the alleged infringement (Article 77(1) GDPR).
Lodging a complaint with a supervisory authority does not affect your right to seek an effective judicial remedy (Article 79 GDPR).
8. Cookies and Tracking Technologies
We use cookies and similar technologies on our website. For full details of the cookies we use, the legal basis for each, and how to manage your preferences, please refer to our Cookie Policy.
Essential cookies are placed without consent on the basis of Article 5(3) of the ePrivacy Directive (strictly necessary exception). All other cookies require your prior, freely given, specific, informed, and unambiguous consent.
9. Children's Privacy
Our Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will delete it promptly. If you believe we have collected data from a child under 16, please contact us at legal@cardiac-purr.com.
In Poland, the age of digital consent under Article 8 GDPR is 16 years, as specified in Article 5 of the Polish Act of 10 May 2018 on Personal Data Protection.
10. Security Measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including:
- Encryption of data in transit using TLS 1.3
- Encryption of data at rest using AES-256 where applicable
- Pseudonymization and access control policies
- Regular security assessments and penetration testing
- Staff data protection training
- Incident response and breach notification procedures (Articles 33–34 GDPR)
No method of electronic transmission or storage is completely secure. In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our processing activities, applicable law, or regulatory guidance. The "Last Updated" date at the top of this page indicates when the Policy was last revised.
We will notify you of material changes by email (where we hold your email address) or by a prominent notice on our website at least 30 days before the changes take effect. We will not treat pending EU legislative proposals as if they are already in force; this Policy reflects only law currently in force as of its effective date.
Continued use of the Service after the effective date of any changes constitutes acceptance of the revised Policy, to the extent permitted by applicable law.
12. Contact Us
For any questions, requests, or complaints regarding this Privacy Policy or our processing of your personal data, please contact our Data Protection Officer:
| Data Controller & DPO | 2info sp. z o.o. (Cardiac Purr) |
| Email | legal@cardiac-purr.com |
| Postal address | Grunwaldzka 10/1, 31-526 Kraków, Poland |
| Response time | 30 days (extendable to 90 days for complex requests, with notification) |
If you are not satisfied with our response, you have the right to lodge a complaint with the Polish supervisory authority UODO (uodo.gov.pl) or with the supervisory authority of your country of habitual residence.