Przejdź do treści
ARDURA Lab
ARDURA Lab

Privacy Policy

Last updated: March 13, 2026

§ 1. Data Controller

The controller of personal data collected through the website arduralab.com (hereinafter: the “Website”) is ARDURA Lab, with its registered office in Warsaw, ul. Ząbkowska 31, 03-736 Warsaw, Poland, tax identification number (NIP): PL1132052589 (hereinafter: the “Controller”).

To contact the Controller regarding data protection matters:

§ 2. Scope of Data Collection

The Website collects personal data to a limited extent, solely for the purposes described in this Privacy Policy. The Website does not operate a user registration system.

2.1. Data collected automatically

The following data is collected automatically when you use the Website:

  • Device IP address
  • Browser type and version
  • Operating system
  • Screen resolution
  • Browser language
  • Referring source (referer)
  • Time spent on individual pages
  • Information about clicked links and pages viewed

2.2. Data collected via the contact form

The Website provides a contact form (on the /kontakt and /wycena pages) through which the Controller collects the following data voluntarily provided by the user: name or company name, email address, type of service, approximate budget, and project description. This data is sent to the Controller’s email address via the Resend service (Resend Inc., USA) on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR).

2.3. Data collected via email correspondence

When contacting the Controller by email at [email protected], the Controller processes data voluntarily provided by the sender, in particular: first name, last name, email address, phone number, and the content of the message.

§ 3. Purposes and Legal Basis for Data Processing

Personal data is processed for the following purposes:

  1. Website traffic analysis and quality improvement — on the basis of the Controller’s legitimate interest (Art. 6(1)(f) GDPR) and the user’s consent to cookies (Art. 6(1)(a) GDPR).
  2. Responding to inquiries submitted by email — on the basis of the Controller’s legitimate interest in handling correspondence (Art. 6(1)(f) GDPR) or in order to take steps prior to entering into a contract (Art. 6(1)(b) GDPR).
  3. Contract performance — on the basis of necessity for the performance of a contract (Art. 6(1)(b) GDPR).
  4. Fulfilment of legal obligations, including tax and accounting obligations — on the basis of Art. 6(1)(c) GDPR.
  5. Establishment, exercise, or defence of legal claims — on the basis of the Controller’s legitimate interest (Art. 6(1)(f) GDPR).

§ 4. Cookies

4.1. What are cookies

Cookies are small text files stored on the user’s device while using the Website. They are used for the proper functioning of the site and for analysing how the Website is used.

4.2. Types of cookies used

The Website uses the following types of cookies:

  • Analytics cookies (Google Analytics 4) — used to collect anonymous statistical data about how the Website is used. They allow the analysis of website traffic, popular pages, traffic sources, and user behaviour. Data is processed by Google LLC (USA) on the basis of Standard Contractual Clauses.

4.3. Managing cookies

Users may change their browser settings regarding cookies at any time, including blocking their storage or deleting existing cookies. Instructions for managing cookies are available in the settings of your web browser.

Disabling analytics cookies does not affect the functioning of the Website but prevents the Controller from analysing how the site is used.

§ 5. Google Analytics 4

The Website uses the Google Analytics 4 service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Analytics 4 collects data in anonymous mode, including:

  • Anonymised IP address
  • Session data (duration, pages viewed)
  • Device and browser data
  • Traffic source data
  • Events (clicks, page scrolling)

Google Analytics 4 does not collect data that would allow the direct identification of a user. IP addresses are anonymised. Data is retained for a period of 14 months.

For more information on how Google processes data: policies.google.com/privacy.

Users may opt out of Google Analytics by installing the browser add-on: tools.google.com/dlpage/gaoptout.

§ 6. Data Recipients

Personal data may be disclosed to the following categories of recipients:

  • Google LLC — in respect of analytics data (Google Analytics 4). Data transfers to the USA are carried out on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR).
  • Resend Inc. — in respect of data submitted through the contact form (transactional email). Data transfers to the USA are carried out on the basis of Standard Contractual Clauses.
  • Hosting provider (Cloudflare Inc.) — to the extent necessary for the operation of the Website. Data transfers to the USA are carried out on the basis of Standard Contractual Clauses.
  • Public authorities — where disclosure is required by applicable law.

The Controller does not sell personal data to third parties, nor does it use such data for the direct marketing purposes of third parties.

§ 7. Data Retention Periods

  • Analytics data (GA4) — 14 months from the user’s last activity.
  • Email correspondence — for the period necessary to handle the inquiry, followed by the limitation period for potential claims (3 years from the end of correspondence).
  • Contract-related data — for the duration of the contract and 6 years after its termination (the limitation period for civil claims under Art. 118 of the Polish Civil Code).
  • Data required by law (e.g. tax records) — for the period required by the relevant legislation (5 tax years for accounting documentation).

§ 8. User Rights

Under the GDPR, users have the following rights in relation to their personal data:

  1. Right of access (Art. 15 GDPR) — the right to obtain information about the data being processed and to receive a copy thereof.
  2. Right to rectification (Art. 16 GDPR) — the right to have inaccurate data corrected or incomplete data supplemented.
  3. Right to erasure (Art. 17 GDPR) — the right to request the deletion of data where there is no legal basis for its further processing.
  4. Right to restriction of processing (Art. 18 GDPR) — the right to request restriction of data processing in certain circumstances.
  5. Right to data portability (Art. 20 GDPR) — the right to receive data in a structured, commonly used, machine-readable format.
  6. Right to object (Art. 21 GDPR) — the right to object to the processing of data based on the Controller’s legitimate interest.
  7. Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, the user has the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

To exercise any of the above rights, please contact the Controller at: [email protected]. The Controller will respond without undue delay and no later than one month from the receipt of the request.

§ 9. Right to Lodge a Complaint

If a user believes that the processing of their personal data infringes the GDPR, they have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl.

§ 10. Data Security

The Controller implements appropriate technical and organisational measures to ensure the protection of personal data being processed, including in particular:

  • Encrypted connection (SSL/TLS certificate)
  • Regular software updates
  • Restricted data access limited to authorised personnel
  • Regular security procedure reviews

§ 11. Changes to the Privacy Policy

The Controller reserves the right to amend this Privacy Policy. The Controller will notify users of any significant changes by publishing an appropriate notice on the Website. The current version of the Privacy Policy is always available at: arduralab.com/en/privacy-policy.