Privacy notice

The data controller for personal data processed via this website is WAYF Digital sp. z o.o., registered at the address shown at the foot of this page. The GDPR contact for data-protection matters can be reached at the address revealed on click below.

This notice covers personal data WAYF processes through this website — what visitors send via the contact form, what the booking embed captures, what gets logged when you load a page, what the anti-spam check passes to Cloudflare.

It does NOT cover personal data WAYF processes as a data processor on behalf of a paying client during a delivery engagement. That processing is governed by a separate data processing agreement (DPA) signed at the start of the engagement, not by this page.

From the contact form at /contact — when you submit it: name, work email, the message you write, the NDA opt-in preference (a yes/no flag), and any file you choose to attach. The submission is delivered to the WAYF inbox via Resend and stored there for the duration set out in section 06.

From the Cloudflare Turnstile anti-spam check on the contact form: a challenge response token, your IP address, and the standard browser fingerprint Turnstile uses to score the request. The token is verified server-side and not retained.

From the cal.com booking embed at /contact#book-a-call — when you schedule a call: name, email, scheduled time, time zone, and any message you add in the cal.com form. Cal.com processes this on WAYF's behalf and the calendar event is delivered to the WAYF team's calendar.

From visiting this website (any page): anonymous traffic data — pages viewed, browser, country, referrer, request timing. No third-party advertising cookies, no behavioural profiling, no cross-site tracking.

Contact form data is used to read your message and reply to it. Legal basis: GDPR Art. 6(1)(b) (steps taken at the request of the data subject prior to entering into a contract) and Art. 6(1)(f) (legitimate interest in responding to inbound enquiries).

Turnstile data is used to block automated form abuse. Legal basis: Art. 6(1)(f) (legitimate interest in keeping the contact channel usable for humans).

Cal.com booking data is used to schedule, confirm, and run the booked call. Legal basis: Art. 6(1)(b) (the booking is the start of a possible engagement) and Art. 6(1)(f) (operating the scheduling channel).

Analytics data is used to understand how the site is used and to improve it. Legal basis: Art. 6(1)(f) (legitimate interest in operating and improving the website).

WAYF does not sell or rent personal data. Data is shared only with sub-processors that are necessary to operate the website and that have been reviewed for GDPR compliance.

Current sub-processors used by this website: Resend (delivers email notifications from the contact form, including any attachment), Cloudflare (hosts and serves this website, and runs the Turnstile anti-spam check on the contact form), Cal.com (handles the 25-minute call bookings made from /contact).

Engagement-specific sub-processors — used when WAYF is acting as a data processor under a signed contract with a client — are listed in the relevant DPA, not on this page.

Contact form messages: retained while the conversation is active and for up to 24 months afterwards, unless we agree differently with you in writing.

Files attached to a contact form submission: retained alongside the message they were sent with, on the same 24-month schedule. Deleted earlier on request.

Cal.com booking data: retained in the calendar for as long as the appointment is relevant (typically through the meeting and a short follow-up window).

Turnstile challenge data: not retained by WAYF; processed transiently by Cloudflare per their own retention schedule.

Analytics: retained in anonymous, aggregated form only.

Under GDPR (and the Polish RODO act that implements it) you have the right to access the personal data we hold about you (Art. 15), correct inaccurate data (Art. 16), erase data subject to legal retention obligations (Art. 17), restrict processing (Art. 18), receive your data in a portable format (Art. 20), object to processing based on legitimate interest (Art. 21), and withdraw consent where consent is the legal basis.

You also have the right to lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw.

Requests should be sent to the data-protection address revealed on click below. We reply within 30 days, as required by GDPR Art. 12(3).

This site uses a minimal first-party analytics setup that does not track individual visitors across sessions. No marketing or advertising cookies are set. If we add anything in the future that requires consent under ePrivacy rules, a cookie banner will appear before the relevant cookie is set.

Where a sub-processor (e.g. Resend, Cloudflare) processes data outside the European Economic Area, the transfer is covered by appropriate safeguards under GDPR Chapter V (Standard Contractual Clauses or equivalent). Details are available on request at the address revealed below.

WAYF may update this notice as the website evolves. The current version is always at this URL and the date at the top of the page is the date of the most recent change. Continuing to use the site after a change means you accept the updated notice.

For privacy or data-protection questions, write to the address revealed below, or use the form on the contact page.