Privacy Policy
Last updated: April 11, 2026
§ 1. Data Controller
1.1. The controller of personal data processed in connection with the use of the Runeo platform is Crevendo Łukasz Paradowski, registered at ul. Orężna 23, 05-500 Piaseczno, Poland, Tax ID (NIP): 1231577237 (hereinafter: the "Controller").
1.2. For all matters relating to the processing of personal data you may contact the Controller at: biuro@crevendo.pl.
§ 2. Scope of data collected
When using the Service, the Controller may process the following categories of personal data:
- identification and contact data: first name, last name, email address, phone number, company data (name, tax ID, registered address);
- login and authentication data: cryptographically hashed passwords, session tokens, IP address, login date and time;
- operational data entered by the User: CRM contacts, customer and contractor data, orders, invoices, products, email message content;
- technical data: browser type and version, operating system, screen resolution, device identifiers, cookies;
- data about activity in the Service: pages viewed, time spent in the Application, clicks, login history.
§ 3. Purposes and legal basis of processing
Personal data is processed for the following purposes and on the following legal bases:
- provision of the service and performance of the contract (Art. 6(1)(b) GDPR): Account registration, Organisation management, Application features;
- fulfilment of legal obligations of the Controller (Art. 6(1)(c) GDPR): accounting records, invoicing, document archiving;
- legitimate interests of the Controller (Art. 6(1)(f) GDPR): ensuring Service security, statistical analysis, establishment and defence of claims, handling enquiries;
- User consent (Art. 6(1)(a) GDPR): analytics, marketing and functional cookies, commercial communications;
- technical correctness (Art. 6(1)(f) GDPR): error diagnostics, performance monitoring, system event logging;
- communication with the User (Art. 6(1)(b) and (f) GDPR): complaint handling, answering questions, system notifications.
§ 4. Retention period
4.1. Personal data is stored for as long as necessary to fulfil the purposes of processing: data related to the contract is processed for the duration of the agreement and afterwards for the period required by law (accounting records: 5 years, civil claims: up to 6 years). The User's operational data is deleted or anonymised after the cooperation ends, unless the law requires longer retention.
4.2. Data processed on the basis of consent is stored until the consent is withdrawn. Data processed to pursue a legitimate interest is stored until a successful objection is raised.
§ 5. Cookies
The Service uses cookies in the following categories:
Necessary (always active)
Includes: user session (PHPSESSID), language preference (ml_lang), colour theme (ml_theme), cookie consent record (ml_cookie_consent). These cookies are required for the proper functioning of the Service and do not require User consent.
Analytics
Used to collect anonymised data about how the Service is used. Requires User consent. Currently the Service does not use analytics cookies.
Marketing
Used to deliver personalised advertising content. Requires User consent. Currently the Service does not use marketing cookies.
Functional
Allow us to remember additional user preferences. Requires User consent. Currently the Service does not use functional cookies.
§ 6. User rights
Under GDPR the User has the following rights:
- the right to access their personal data and to receive a copy (Art. 15 GDPR);
- the right to rectification of inaccurate or incomplete data (Art. 16 GDPR);
- the right to erasure, the "right to be forgotten" (Art. 17 GDPR);
- the right to restriction of processing (Art. 18 GDPR);
- the right to data portability (Art. 20 GDPR);
- the right to object to processing (Art. 21 GDPR).
The User also has the right to lodge a complaint with the supervisory authority, i.e. the President of the Polish Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw.
§ 7. Data recipients and processing agreements
7.1. Personal data may be entrusted to processors under data processing agreements, in particular: hosting and server service providers, email service providers, payment service providers, accounting service providers, analytics tool providers (with User consent). The Controller does not sell personal data to third parties.
7.2. To the extent that the User enters personal data of their customers or contractors into the Application, the Controller acts as a data processor within the meaning of Art. 28 GDPR.
§ 8. Transfers outside the EEA
Where providers based outside the European Economic Area are used (e.g. Google LLC), data may be transferred outside the EEA on the basis of Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR) or other GDPR-compliant mechanisms ensuring an adequate level of data protection.
§ 9. Data security
The Controller applies appropriate technical and organisational measures to ensure the security of processed personal data, in particular: password hashing using cryptographic algorithms (bcrypt), encryption of sensitive data (AES), data transmission via the TLS protocol, role- and permission-based access control, regular backups, security event monitoring and access logging.
§ 10. Changes to the Privacy Policy
10.1. The Controller reserves the right to update this Privacy Policy. Users will be informed of significant changes with adequate notice via the Service or by email.
10.2. Continued use of the Service after the changes take effect constitutes acceptance of the updated Privacy Policy.