en
Privacy Policy
1. General Information
This Privacy Policy describes how FlexiProject sp. z o.o. sp.k., with its registered office at Stefana Okrzei 1A St., 03-715 Warsaw, Poland, Tax ID (NIP): 5272942612, REGON: 387620990, entered into the Register of Entrepreneurs of the National Court Register under number KRS 0000871354 (hereinafter referred to as “FlexiProject” or the “Controller”), processes personal data.
This Policy applies to the processing of personal data of individuals who:
- visit our website available at https://flexi-project.com (the “Website”),
- contact us via contact form or by e-mail,
- subscribe to our newsletter,
- act as representatives of business partners or contractors,
- use the FlexiProject Application in either the Test Environment or Production (commercial) Environment,
- participate in events, conferences, or promotional activities organized by FlexiProject (e.g., contests, surveys, or contact forms during events).
The use of the Application is governed by the Terms of Use of the FlexiProject Application, available on our Website.
Depending on the relationship with the individual, FlexiProject may act as:
- the data controller, in particular with respect to contact details, newsletter subscriptions, and registration data of Application accounts;
- the data processor, with respect to personal data entered into the Application by Users acting on behalf of an Organization within the Production Environment, under a contract or the Terms of Use.
Business (B2B) Nature of the Service and Test Environment. FlexiProject’s services are business-to-business (B2B) in nature and are intended for Organizations. The Test Environment of the Application may be created individually for non-commercial purposes, for example, to explore or evaluate the system’s functionality. In such cases, FlexiProject acts solely as a neutral infrastructure provider and as the data controller only with respect to the personal data of the individual who creates the account. FlexiProject does not act as a data processor with regard to any data that may be entered into the Application for testing purposes.
Responsibility of the Test User. A User who creates a test account without formal authorization to act on behalf of an Organization does so on their own behalf. Such a User may have the technical capability to enter personal data of other individuals (e.g., employees, collaborators, or clients) into the Application, including uploading files or documents. In that case, the User bears full responsibility for the lawfulness of processing – they must ensure that they have an appropriate legal basis (e.g., consent or authorization), follow the data minimization principle, and provide adequate safeguards for such data. Special categories of personal data or data concerning criminal convictions and offences must not be entered into the Test Environment.
The detailed terms of electronic service provision and data processing arrangements are defined in the Terms of Use of the FlexiProject Application. This Privacy Policy is a supplementary document, and in the event of any discrepancies, the provisions of the Terms of Use shall prevail.
FlexiProject’s services are not directed to children under the age of 16, and we do not knowingly collect personal data from children.
2. Data Controller and Privacy Contact Information (the “Controller”)
The data controller of your personal data is FlexiProject sp. z o.o. sp.k., with its registered office at Stefana Okrzei 1A St., 03-715 Warsaw, Poland, entered into the Register of Entrepreneurs of the National Court Register under number KRS 0000871354, NIP (Tax ID): 5272942612, REGON: 387620990.
You can contact the Controller regarding any privacy or data protection matters:
- by mail: Stefana Okrzei 1A, 03-715 Warsaw, Poland
- by e-mail: privacy@flexi-project.com
- by phone: +48 506 048 770 (privacy and data protection contact)
3. Categories of Data Subjects, Scope of Data, and Sources of Data
FlexiProject processes personal data relating to various categories of individuals, depending on the purpose and nature of their interaction with us. The scope and source of data depend on how the individual uses our services.
3.1. Categories of data subjects whose personal data are processed:
- individuals visiting the Website,
- individuals contacting us via the contact form or by e-mail,
- individuals subscribing to the newsletter,
- individuals registering for and using the Test Environment,
- Users of the Production Environment (employees, contractors, or representatives of an Organization that is a Client),
- representatives of current and prospective business partners or contractors,
- individuals participating in events, conferences, or promotional activities.
3.2. Categories of Personal Data Processed:
| Category of Individuals | Scope of Data | Source of Data |
| Website visitors | IP address, device information, cookies (see Sections 7 and 10 of this Policy for details) | Collected automatically from the user’s device |
| Individuals contacting FlexiProject (e.g., via contact form or e-mail) | First and last name, business e-mail address, phone number, organization name, organization size, message content | Provided directly by the individual |
| Newsletter subscribers | E-mail address, first name (if provided), record of marketing consent (under PKE/Electronic Communications Act) | Provided directly by the individual |
| Users registering an Account in the Application | First and last name, e-mail address, organization name, phone number, organization size, number of planned users, interface language, IP address, encrypted password | Provided directly by the individual through the registration form |
| Users of the Test Environment | Registration data (name, e-mail, IP address, system activity); any personal data of other individuals entered for testing purposes by the User | Provided by the User who created the account |
| Users of the Production Environment | User registration data (name, e-mail, IP address, system activity); personal data of other individuals entered as part of the Organization’s operations | Provided by Users acting on behalf of the Client |
| Representatives of business partners (B2B) | Name, e-mail, phone number, job title, organization details | Provided by the individual, the Organization, or from public registers (e.g., KRS, CEIDG) |
| Participants in events, contests, or surveys | Name, e-mail address, organization name, contact details, survey responses, image (if applicable and based on consent) | Provided directly by the individual when participating in an event, contest, or survey |
For users and subscribers of electronic communications (e.g., newsletters, marketing campaigns, or business inquiries), FlexiProject may process information related to interactions with messages, such as the date of dispatch, message openings, link clicks, delivery status, and unsubscribe actions. This information is processed to analyze communication effectiveness and to maintain a record of marketing consents. Reporting data generated within mailing or CRM tools may be presented in an anonymized or aggregated form for statistical and analytical purposes.
4. Purposes, Legal Bases, and Retention Periods for Personal Data Processing
FlexiProject processes personal data depending on the context of the relationship with the user and the purpose for which the data were collected.
| Purpose of Processing | Legal Basis | Data Retention Period |
| Enabling contact via the contact form or e-mail; responding to inquiries | Article 6(1)(f) GDPR – legitimate interest of the Controller (handling inquiries and communication with individuals interested in our offer or cooperation) | Data are retained for the duration of the correspondence and for as long as necessary to secure potential claims or document the course of communication, no longer than 3 years after the end of contact, unless a longer period is required by law or justified by the Controller’s legitimate interest. |
| Newsletter registration and delivery | Article 6(1)(a) GDPR – consent | Until consent is withdrawn. |
| Creating and using the Test Environment | Article 6(1)(b) GDPR – performance of a contract (when the test account is created by a person acting on behalf of an Organization); Article 6(1)(f) GDPR – legitimate interest of the Controller (when the account is created individually) | Until the end of the test period; after that, data are retained for 90 days. Data export is possible only upon the User’s request. |
| Conversion of a test account into a paid account (Production Environment) | Article 6(1)(b) GDPR – performance of a contract | For the duration of the contract and in accordance with applicable legal obligations (e.g., tax regulations – up to 5 years). |
| Providing access to and use of the Application in the Production Environment (processor role for Client data) | Article 6(1)(b) GDPR – performance of a contract with the Client; Article 28 GDPR – data processing agreement | Until termination of the contract; after termination, data remain stored for 90 days, export is available upon the Client’s request; backup copies may exist for an additional 30 days, after which they are permanently deleted. |
| Ongoing cooperation with clients and partners (B2B contacts) | Article 6(1)(f) GDPR – legitimate interest of the Controller (business relationships) | For the duration of cooperation and up to 3 years after its termination. |
| Analytics, statistics, and system security (logs, cookies, activity monitoring) | Article 6(1)(f) GDPR – legitimate interest of the Controller | Web logs – up to 90 days; application and security logs – up to 12 months; analytics data (e.g., Google Analytics) – according to tool configuration and only after consent. |
| Establishing or defending legal claims | Article 6(1)(f) GDPR – legitimate interest of the Controller | Until the expiry of limitation periods for claims (generally 6 years). Evidence of consents (e.g., newsletter or cookies) is retained as necessary to demonstrate compliance (accountability), generally until the limitation period expires. |
| Organizing and managing events, contests, and promotional surveys | Article 6(1)(a) GDPR – consent; or Article 6(1)(f) GDPR – legitimate interest of the Controller (promotion of services and communication with participants) | Until the event ends or consent is withdrawn, no longer than 12 months. |
Regardless of the above retention periods, in the event of termination or expiry of a contract (e.g., the end of a test period or subscription), access to the environment is restricted. Data are retained for up to 90 days, and export is possible only upon the User’s or Client’s request. After this period, data are deleted, and backup copies may persist for a maximum of 30 additional days, after which they are overwritten and permanently deleted – in accordance with the procedure described in the Terms of Use.
Voluntary nature of data provision. Providing personal data for contact or newsletter purposes is voluntary but necessary to receive a response or newsletter. Account registration data are required to create an account and use the Application; failure to provide them will prevent the provision of services.
5. Recipients of Personal Data
Personal data may be disclosed to entities whose services FlexiProject uses in connection with the purposes described in this Privacy Policy. In particular, recipients of personal data may include:
- IT and infrastructure service providers (e.g., hosting, cloud computing, e-mail systems, and customer relationship management (CRM) systems),
- analytics service providers supporting website traffic analysis and statistical reporting (e.g., Google Analytics),
- external authentication (SSO) providers, where the User chooses such a login method (e.g., Google, Microsoft),
- electronic communication and marketing automation/e-mail service providers, solely to the extent necessary for message delivery and unsubscribe management,
- technical subcontractors involved in the maintenance and development of the Application (e.g., developers, system administrators),
- payment service providers, when the User activates a paid service (e.g., PayU S.A.),
- business and service partners, when the User’s inquiry relates to cooperation opportunities or technical support,
- entities authorized under applicable law, upon request from courts, law enforcement authorities, or supervisory bodies.
In the case of data processed by FlexiProject in the role of a data processor (e.g. data entered into the Application by the Client in the production environment), the recipients may only include entities acting on the documented instructions of the data controller (the Client) and subprocessors approved in accordance with the FlexiProject Application Terms of Use. The current list of subprocessors (indicating their data processing locations) constitutes Annex No. 1 to the Terms of Use and is publicly available on the FlexiProject website.
As a rule, personal data are not transferred outside the European Economic Area (EEA). If the use of certain services involves such a transfer, detailed information about recipients outside the EEA and the legal basis for the data transfer can be found in Section 8 of this Privacy Policy.
6. Rights of Data Subjects
Individuals whose personal data are processed by FlexiProject have the rights granted under the GDPR, in particular:
- Right of access (Article 15 GDPR) – to obtain information about the processing and a copy of the data;
- Right to rectification (Article 16 GDPR) – if the data are inaccurate or incomplete;
- Right to erasure (“right to be forgotten”, Article 17 GDPR) – in the cases provided for by law;
- Right to restriction of processing (Article 18 GDPR) – e.g. when you contest the accuracy of the data or have objected to the processing;
- Right to data portability (Article 20 GDPR) – with respect to data processed based on consent or a contract, by automated means;
- Right to object (Article 21 GDPR) – when data are processed on the basis of a legitimate interest;
- Right to withdraw consent – at any time, if the processing is based on consent (without affecting the lawfulness of processing before its withdrawal);
- Right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, Stanisława Moniuszki 1A, 00-014 Warsaw), if you consider that the processing of personal data infringes the GDPR.
In the case of marketing communications, FlexiProject complies with the provisions of the Act of 12 July 2024 – the Electronic Communications Law and the Act on the Provision of Electronic Services.
Marketing contact is made only on the basis of separately given consent, which you may withdraw at any time.
For the purpose of handling your request, we may ask you to provide additional information necessary to verify your identity.
Exercising Your Rights
To exercise your rights, you may contact the Controller:
- by e-mail: privacy@flexi-project.com
- by post: ul. Stefana Okrzei 1A, 03-715 Warsaw, Poland.
A response will be provided without undue delay and no later than within one month of receiving your request. In the case of particularly complex or numerous requests, this period may be extended by up to two additional months – in such a case, you will be informed of the reasons for the delay.
7. Cookies and Tracking Technologies
On the FlexiProject Website, we use cookies and similar technologies for technical, statistical, and – only with your consent – marketing purposes. You can give or refuse your consent in the cookie banner and change your preferences at any time using the “Manage consents” link available in the website footer. Detailed information on the categories of cookies, their functions, and storage periods can be found in Section 10 of this Privacy Policy.
The Application uses only technical cookies necessary to ensure system security and functionality (e.g. maintaining user sessions, authentication, saving interface preferences). These cookies are not used for marketing or analytics purposes.
8. Data Transfers Outside the EEA
8.1. Data Recipients
Access to your personal data is granted only to authorized employees or associates of FlexiProject, as well as to entities providing services to FlexiProject to the extent necessary to achieve the purposes described in this Privacy Policy. The recipients of data may include, in particular:
- cloud and IT service providers (e.g. Microsoft Azure, hosting systems, e-mail, and technical support);
- analytics providers (e.g. Google Analytics) – only based on the consents given in the cookie banner;
- payment operator (PayU S.A.) – in the case of activation of paid services;
- entities supporting customer service and system maintenance (e.g. helpdesk, CRM, e-mail);
- subprocessors listed in Annex No. 1 to the FlexiProject Application Terms of Use – the list is updated in accordance with the Terms and is publicly available on the FlexiProject website.
As a rule, personal data are not transferred outside the European Economic Area (EEA). If the use of certain services involves such a transfer, the rules described below apply.
8.2. Data Transfers Outside the EEA
If the processing of personal data involves transferring them to entities located outside the European Economic Area (EEA) (e.g. Google LLC – Google Analytics / Consent Mode v2, Microsoft Corporation – Azure Cloud services or SSO), each such transfer is carried out in compliance with Articles 45-47 of the GDPR, i.e. on the basis of:
- an adequacy decision issued by the European Commission, where applicable;
- standard contractual clauses (SCCs) approved by the European Commission;
- additional technical and organizational safeguards (e.g. encryption, pseudonymization, access restrictions).
FlexiProject does not use any social plugins, pixels, or social media components (such as Meta/Facebook, LinkedIn, or others).
Personal data are not transferred to third countries without ensuring an adequate level of protection in accordance with the GDPR.
9. Data Security
FlexiProject has implemented appropriate technical and organizational measures to ensure the security of personal data processing, in accordance with Articles 24, 25, and 32 of the GDPR.
These measures include, in particular:
- use of data transmission encryption (TLS) and data-at-rest encryption within the cloud environment;
- access control and user authentication mechanisms (login, password, MFA);
- limiting personnel access to the minimum necessary scope (principle of least privilege);
- regular creation and testing of data backups;
- system monitoring and maintenance of a security incident register;
- periodic testing, audits, and reviews of implemented security measures;
- cooperation only with processors and service providers that guarantee the application of adequate security measures (e.g. ISO 27001, SOC 2 certifications).
FlexiProject also provides staff training on personal data protection and information security.
In the event of a personal data breach, procedures for detection, reporting, and incident management are applied in accordance with GDPR requirements.
10. Cookies and Logs
The FlexiProject Website uses cookies and similar technologies (e.g. local storage, tags, scripts) that may be used to store information on your device or access such information. These technologies help ensure the proper functioning of the website, improve user experience, enable statistical analysis, and – only with your consent – support marketing activities.
User activity data (e.g. time of visit, subpages viewed, clicks, approximate location, device type, operating system, browser, device/client identifier – Client ID or User ID) are processed via Google Analytics, only after consent has been given for Statistical cookies.
10.1. Categories of Cookies
- Required – technically necessary for the operation of the Website and for providing a service explicitly requested by the user (e.g. maintaining a session, logging in, saving basic preferences). These cookies are always active and do not require consent.
- Preferences – remember selected settings (e.g. language, interface layout). Consent is required.
- Statistical (Analytical) – help create aggregate statistics on the use of the Website and improve its performance. Consent is required.
- Marketing – enable audience profiling, content personalization, and measurement of campaign effectiveness (ours and those of our partners). Consent is required.
10.2. Managing Consents
When you first visit the FlexiProject Website, a consent management banner is displayed, allowing you to accept all categories of cookies, reject them (except those that are strictly necessary), or configure your preferences individually. You can change your decisions at any time by using the “Manage consents” function. Consent is not required for Required cookies. However, disabling necessary cookies may prevent the use of certain essential website functions.
10.3. Consent Mode v2
We have implemented Google Consent Mode v2. This means that consent signals (including ad_storage, analytics_storage, ad_user_data, and ad_personalization) are automatically set according to your choices. If consent is not granted, the relevant tools operate in restricted mode (cookieless pings), and the data are not used for purposes for which you have not provided consent.
10.4. Server and Application Logs
For the purposes of security, accountability, and diagnostics (legitimate interest of the controller – Article 6(1)(f) GDPR), we maintain technical logs that may include: anonymized or truncated IP address, date and time, request address/endpoint, session or device identifier, browser/OS information (User-Agent), server response code, and error identifier.
- Retention period: web server logs are generally stored for up to 90 days; application and security logs for up to 12 months (longer only if necessary to establish, exercise, or defend legal claims, or to investigate an incident).
- Recipients: only authorized personnel and trusted hosting/cloud and security providers operating under data processing agreements.
11. Test Users – Data Entered into the Application
11.1. Creating a Test Account
Individuals who create a test account in the FlexiProject Application generally act on their own behalf.
In this respect, FlexiProject acts as the controller only for the registration data necessary to create and manage the account (e.g. first name, last name, e-mail address, IP address, and system activity data).
11.2. Entering Third-Party Data
A user of the test environment has the technical ability to enter personal data of other individuals (e.g. employees, contractors, clients) into the Application, including uploading files and documents.
In such cases, the User bears full responsibility for the lawfulness of processing such data – in particular, they should have an appropriate legal basis (e.g. consent or authorization) and ensure that the data are minimized and properly secured. FlexiProject does not act as a controller or a data processor with respect to such data and recommends using fictitious or anonymized data for testing purposes.
11.3. Prohibition on Entering Sensitive Data
You should not enter special categories of data (e.g. health data, beliefs, biometric data) or data relating to criminal convictions or offences into the test environment. FlexiProject does not provide or support the secure processing of such data within the test environment; we recommend using fictitious or anonymized data instead.
11.4. Conversion of the Test Environment into a Production Environment
If the User decides to activate a paid (subscription) account, the data collected in the test environment may be transferred to the production environment and further processed under the rules set out in the Terms of Use and the Data Processing Agreement. In such a case, FlexiProject acts as the data processor with respect to the data entered by the Client.
11.5. Retention of Test Data
After the test period ends, access to the environment becomes limited – the user will see only an information screen with the option to activate a paid account. Data are retained in the system for up to 90 days, but self-export is not possible. During this time, the user may contact FlexiProject to request data export or temporary access restoration to retrieve the data. After 90 days, the data are deleted, but may remain in backup copies for up to an additional 30 days, after which they are overwritten and permanently erased.
12. Plugins and External Login Providers
12.1. External Plugins and Content
The FlexiProject Website does not use any social media plugins or external components (e.g. maps, videos, chats, embedded forms). All contact forms operate within the FlexiProject website and do not result in the transfer of data to third parties. If external elements (e.g. map integrations or plugins) are implemented in the future, they will be activated only after obtaining your consent, e.g. through the cookie banner, and data will be shared only to the extent necessary for their functionality.
12.2. External Login (SSO)
The FlexiProject Application allows users to log in using external authentication providers (e.g. Google, Microsoft). In such cases, the respective provider transmits to FlexiProject only the basic information necessary to create or authenticate an account (e.g. first name, last name, e-mail address, user ID). The SSO providers (Google, Microsoft) act as independent data controllers of their own authentication systems and process personal data in accordance with their respective privacy policies.
The legal basis for processing is Article 6(1)(b) GDPR – processing necessary for the performance of a contract. Using external login is voluntary and serves as an alternative to password-based login within the Application. FlexiProject does not have access to passwords or other authentication data stored by the SSO providers.
12.3. Providers’ Privacy Policies
When using external login options, your data may be processed by third-party entities in accordance with their own data protection policies, in particular:
- Google LLC – https://policies.google.com/privacy;
- Microsoft Corporation – https://privacy.microsoft.com/;
We recommend reviewing the current privacy policies of these providers before using external login options.
13. Automated Decision-Making and Profiling
13.1. No Automated Legal Decisions
FlexiProject does not make decisions concerning users that produce legal effects or similarly significantly affect them, based solely on automated processing of personal data within the meaning of Article 22 of the GDPR.
13.2. Profiling for Analytical and Marketing Purposes
In a limited scope, and only after consent has been given for the relevant categories of cookies (e.g. statistical or marketing), profiling may take place, consisting of:
- analyzing the use of the Website and the Application (e.g. number of visits, time spent on the site, clicked elements);
- segmenting users for statistical and marketing purposes;
- tailoring advertising and communication content to user interests (e.g. displaying personalized ads in Google Ads after a previous visit to our Website).
FlexiProject does not use advertising tools or tracking pixels provided by Meta/Facebook, LinkedIn, or other social media platforms.
13.3. Voluntariness and Right to Object
Profiling is carried out only with your consent. You may refuse or withdraw your consent at any time using the “Manage consents” panel. You also have the right to object to profiling based on the Controller’s legitimate interest, if you believe that your rights and freedoms outweigh that interest.
14. Changes to the Privacy Policy
This Privacy Policy may be subject to changes, in particular due to modifications of the Application’s functionalities, amendments to legal regulations, or guidelines issued by supervisory authorities.
The current version of the Policy is always published on the FlexiProject website and applies from the date of its publication.
For Application Users, information about any changes to the Policy may be displayed within the system (e.g. during login or when creating a test account) to ensure the possibility of reviewing the updated version.
The system records the version number and effective date of the Policy accepted by the User when creating an account. Changes to the Policy do not require renewed confirmation from individuals who have previously reviewed it, unless the changes affect the way their personal data are processed.
FlexiProject informs that the list of entities processing personal data (subprocessors) used in the provision of Application services constitutes Annex No. 1 to the FlexiProject Application Terms of Use and is publicly available on the FlexiProject website. Updating this Policy does not require separate notification of changes to that list – information about subprocessors is provided in accordance with the rules set out in the Terms of Use.