Privacy Policy

Last updated June 3, 2026

This Privacy Policy explains how Oleksandr Koniev Strataforge processes your personal data when you visit strataforge.co, contact us, use Strataforge Academy, or work with us through our client platform. It is written to satisfy the information duties under Article 13 of the GDPR (data collected from you) and Article 14 of the GDPR (data obtained from other sources), under Regulation (EU) 2016/679.

Oleksandr Koniev Strataforge is operated as a sole proprietorship (jednoosobowa działalność gospodarcza, JDG) registered in the Polish Central Register and Information on Economic Activity (CEIDG), with its seat in Warsaw, Poland, and registered for VAT. We act as the controller of your personal data within the meaning of the GDPR.

This Policy works alongside our Cookie Policy, Terms of Service, and, for business clients, our Data Processing Agreement and Subprocessors list.

1. Who we are

The controller of your personal data is Oleksandr Koniev Strataforge, Jednoosobowa działalność gospodarcza, with its registered seat in Warsaw, Poland, tax identification number 5214165020, statistical number 544734689, and address ul. Złota 75A lok. 7, 00-819 Warszawa.

For any privacy matter, including to exercise your rights, write to alex@strataforge.co.

We have not appointed a Data Protection Officer. Under Article 37(1) of the GDPR designation is mandatory only for public authorities, for large-scale regular and systematic monitoring as a core activity, or for large-scale processing of special-category data as a core activity. None of these apply at our current scale. We will re-assess this if our monitoring, profiling, or special-category processing materially changes.

2. What this Policy covers

This Policy covers personal data we process in connection with the public website strataforge.co, our contact and inquiry forms, Strataforge Academy, our authenticated client platform, the delivery of our services under client engagements, and our internal operations (such as vendor management) to the extent natural-person data is involved.

It does not cover how our clients handle the personal data of their own end users when they act as independent controllers, nor processing carried out by third parties whose websites we link to. Those are governed by the relevant third party's own policy.

3. Categories of personal data and where they come from

Depending on how you interact with us, we process the following categories of personal data:

  • Identification and contact data: name, business email address, telephone number, company name, job title, postal address. Provided directly by you.
  • Account data: username, hashed password, and session tokens. Generated by our authentication provider when you create an account.
  • Content data: messages, briefs, files, and attachments you submit to us. Provided directly by you.
  • Commercial data: company size, project scope, and indicative budget you include in an inquiry. Provided directly by you.
  • Transaction data: invoicing details and a business VAT identification number, plus a payment-method reference. We never handle raw card numbers; card tokenisation occurs on the payment processor's side. Payment status comes from the processor.
  • Technical data: IP address, User-Agent header, and browser language captured automatically when you visit the site.
  • Communications: email correspondence and support-chat history generated through your interaction with us.

We do not intentionally process special categories of personal data within the meaning of Article 9 of the GDPR, such as health, biometric, or political data. If you submit such data unsolicited in a brief or attachment, we do not rely on it: in line with the data-minimisation principle in Article 5(1)(c) of the GDPR we isolate it, ask you to remove it, and return or delete it. We will not carry out any further processing unless and until a valid Article 9(2) exception (such as your explicit consent under Article 9(2)(a), or the establishment, exercise or defence of legal claims under Article 9(2)(f)) is confirmed for that specific case.

4. Why we process your data and on what legal basis

We treat each purpose separately and identify its own legal basis under Article 6(1) of the GDPR. We do not use legitimate interests as a catch-all fallback. Because we work mainly with businesses, we draw a line between people who are personally a party to a contract with us (a natural-person counterparty or a sole proprietor / JDG) and people who only appear in a business context (a company's representatives, employees, or contacts copied on correspondence). Contract necessity under Article 6(1)(b) applies only to the former; for the latter we rely on our legitimate interest under Article 6(1)(f).

  • Handling your inquiry (contact and pre-account forms): Article 6(1)(b) of the GDPR where you contact us as a natural-person counterparty or sole proprietor, because processing is necessary to take steps at your request before entering into a contract; Article 6(1)(f) of the GDPR (our legitimate interest in responding to a business inquiry) where you write to us on behalf of a company. These forms are scoped to service inquiries only and are not a newsletter signup or a lead-harvesting tool.
  • Creating and running your account on the client platform: Article 6(1)(b) of the GDPR where you hold the account in your own name; otherwise Article 6(1)(f) of the GDPR for individual users acting for a corporate account holder (performance and administration of the platform service).
  • Delivering services under a Master Services Agreement or Statement of Work: Article 6(1)(b) of the GDPR only where the data subject is personally the counterparty (a natural person or a JDG), and Article 6(1)(f) of the GDPR (our legitimate interest in performing the engagement) for the representatives, employees and personnel of a corporate counterparty and for people whose data appears incidentally, for example a colleague copied on correspondence.
  • Invoicing, accounting, and VAT: Article 6(1)(c) of the GDPR (compliance with our legal obligations under Polish tax and accounting law).
  • Operating and securing the site: Article 6(1)(f) of the GDPR, our legitimate interest in serving content, detecting abuse, and investigating security incidents. Logs are short-lived and we do not profile visitors.
  • Optional, privacy-friendly analytics: where used, Article 6(1)(f) of the GDPR, conditional on a completed legitimate-interests assessment; otherwise it is disabled.

Strataforge Academy. Where Strataforge Academy is offered, we process the account, content, and progress data needed to give you access to learning materials and to administer your participation, on the basis of Article 6(1)(b) of the GDPR (the Academy terms) or Article 6(1)(f) of the GDPR where a business sponsors your access. We do not score or profile Academy participants in a way that produces legal or similarly significant effects on you. If we ever introduce such scoring or profiling, we will update this Policy and put the relevant safeguards in place first.

Use of AI tools. Where we use third-party AI services (such as large-language-model providers) to help process content data you submit, those providers act as our processors under data processing agreements, and the relevant legal basis is the same as for the underlying purpose (contract performance or our legitimate interest). We do not use your content to train third-party models, and AI inference does not by itself produce legal or similarly significant decisions about you. Where the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) applies, we will meet the transparency duties under Article 50 of the EU AI Act, which apply from 2 August 2026: we will tell you when you are interacting directly with an AI system and we will mark AI-generated or AI-manipulated content as such.

We do not currently send outbound marketing communications. Before any such activity starts, we will identify and apply the correct legal basis under the Polish Electronic Communications Law of 12 July 2024 (PKE 2024, Dz.U. 2024 poz. 1221, in particular Articles 398 and 400), obtain prior consent where required, and provide a working objection and consent-withdrawal mechanism.

5. Data we receive from sources other than you

Sometimes we process personal data we did not obtain directly from you. In those cases we comply with the information duty under Article 14 of the GDPR and tell you the following.

  • Whose data: representatives, employees and other personnel of our business clients and prospects; people copied on or mentioned in correspondence with us; and contacts at our vendors and suppliers.
  • Categories: identification and contact data (name, business email, telephone number, company name, job title) and the content of the communications in which the data appears.
  • Sources: your employer or the company you act for, the person who copied you on a message, our vendor's own records, or publicly available business sources such as company websites and professional directories. We will tell you on request whether your data came from a publicly accessible source.
  • Payment status: where you pay us, we also receive your payment status and a payment-method reference from our payment processor, which acts as the source for that specific data.
  • Purposes and legal bases: managing the client or vendor relationship and performing our engagements, on the basis of Article 6(1)(f) of the GDPR (our legitimate interest in running the business relationship) or Article 6(1)(c) of the GDPR where the law requires the processing.
  • Recipients: the same processors and recipients described in the section on who we share data with.
  • Retention: for the periods set out in the retention section, by reference to the relationship and the applicable limitation periods.

You have the same rights over this data as over data you give us directly (see your rights below), and you may lodge a complaint with the supervisory authority. To exercise any right, or to ask which source your data came from, write to alex@strataforge.co.

6. Whether you have to provide your data

Under Article 13(2)(e) and Article 14(2)(f) of the GDPR we tell you whether providing your data is required and what happens if you do not provide it.

  • Inquiry forms: providing your data is voluntary, but without contact details we cannot respond to your inquiry.
  • Account and platform: providing the data needed to create and run your account is a requirement for using the platform; without it we cannot set up or maintain the account.
  • Service delivery: providing the data needed to perform an engagement is a contractual requirement; without it we cannot deliver the agreed services.
  • Payments: providing payment and invoicing data is necessary to take payment and to issue a valid invoice.
  • Invoicing and tax records: providing invoicing data is a statutory requirement under Polish tax and accounting law; without it we cannot lawfully issue or keep the required records.
  • Optional fields: any field marked optional may be left blank with no consequence for the core service.

7. How long we keep your data

We keep personal data only as long as needed for the purpose it was collected for, or as required by law.

  • Inquiry-form submissions: up to 12 months from your last substantive contact. If we provide no substantive response within 6 months, we delete or anonymise the data earlier. This interim period reflects a conservative B2B sales cycle and may be adjusted at a future revision.
  • Account data: for the life of your account. After deletion, we erase or anonymise it within 30 days, except where we must retain it by law or to defend legal claims.
  • Invoicing and tax records: 5 years counted from the end of the calendar year in which the time limit for payment of the tax expired (Article 86 paragraph 1 in conjunction with Article 70 paragraph 1 of the Tax Ordinance).
  • Contract and claims-defence data: the term of the contract plus the applicable limitation period for claims, which under Article 118 of the Polish Civil Code is as a rule 3 years for claims connected with business activity and for periodic claims, and 6 years for other claims, unless a special rule provides otherwise.
  • Server access logs: IP-level logs for 30 days unless needed for an ongoing incident investigation; aggregated metrics for up to 12 months.

8. Who we share your data with

We share personal data only where necessary: with the service providers (processors) that run our infrastructure, with public authorities where the law requires it, and with professional advisers under confidentiality. We do not sell personal data.

Our processors act on our documented instructions under data processing agreements that meet Article 28 of the GDPR. The current list of providers, their roles, and their processing locations is published in our Subprocessors list. Business clients can review the controller-to-processor terms in our Data Processing Agreement.

Some providers, such as our payment and infrastructure vendors, also act as independent controllers for their own fraud-prevention, security, and compliance purposes. That processing follows their own privacy policies and is not subject to our instructions; we will help you identify the right contact point on request.

9. International transfers

Some of our providers are based in or process data in the United States. Where personal data leaves the European Economic Area, we rely on the transfer safeguards in Chapter V of the GDPR, primarily the European Commission Standard Contractual Clauses (2021/914) under Article 46(2)(c) of the GDPR, together with the technical and organisational measures set out in each provider's data processing agreement.

Where a provider is certified under the EU-US Data Privacy Framework, we may also rely on that adequacy mechanism. We choose EU-region processing where a provider's plan makes it available. You can obtain a copy or relevant extract of the Standard Contractual Clauses or other safeguards for a specific processing activity, subject to lawful redactions to protect confidential or third-party information, and request details of any supplementary measures, by writing to alex@strataforge.co.

10. How we protect your data

In line with Article 32 of the GDPR, we apply technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2 or higher) and at rest, multi-factor authentication for privileged accounts, role-based access control, event logging and monitoring, incident-response procedures, vendor-side security commitments cascaded through our agreements, and regular review of these measures.

If a personal-data breach is likely to result in a risk to your rights and freedoms, we notify the President of the Personal Data Protection Office (UODO) without undue delay and, where feasible, within 72 hours (Article 33 of the GDPR). Where the breach is likely to result in a high risk to you, we also inform you without undue delay, subject to the exceptions in Article 34(3) of the GDPR.

11. Your data-protection rights

Under Articles 15 to 22 and Article 7(3) of the GDPR you have the right to:

  • Access your personal data and obtain a copy (Article 15).
  • Rectify inaccurate data (Article 16).
  • Erase your data where no legal basis to keep it remains (Article 17).
  • Restrict processing while a dispute is resolved (Article 18).
  • Receive your data in a structured, commonly used, machine-readable format and have it ported (Article 20).
  • Object to processing based on our legitimate interests (Article 21).
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22). We do not carry out such processing today; if we introduce it, we will update this Policy and implement the Article 22(3) safeguards first.
  • Withdraw consent at any time, with effect for the future, where processing is based on consent (Article 7(3)).

To exercise any of these rights, email alex@strataforge.co. We respond to a verified request within one month (Article 12(3) of the GDPR), extendable by up to two further months for complex requests, in which case we will tell you.

12. Cookies and similar technologies

We keep our use of cookies and similar technologies minimal. Where consent is required for storing or accessing information on your device, we rely on the Polish Electronic Communications Law of 12 July 2024 (PKE 2024, Article 399) read together with the GDPR.

Full details of the cookies we set, their purposes, and how to control them are in our Cookie Policy.

13. Children

Our services are aimed at businesses, not children. We do not knowingly process the personal data of anyone under 16, which is the threshold under Article 8 of the GDPR as it applies in Poland (no lower national age was enacted).

If you believe a child has provided us with personal data, contact alex@strataforge.co and we will delete it after verification.

14. Complaints and how to reach us

If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority, in particular in your country of habitual residence, place of work, or the place of the alleged infringement (Article 77(1) of the GDPR).

In Poland the competent authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.

We would always prefer to resolve your concern directly first, so please reach us at alex@strataforge.co. We may amend this Policy from time to time; we will announce material changes on the site at least 14 days before they take effect, and the date above always reflects the latest revision.

This is an English convenience translation. The Polish-language version is the governing text and legally prevails in the event of any discrepancy.

Related documents

Other legal documents that apply alongside this one.

  • Cookie Policy

    What we store on your device, why, and how to control it. Spoiler: only strictly necessary cookies, no tracking, no banner.

  • Data Processing Agreement

    Our GDPR Article 28 processor terms: how Strataforge processes personal data on a client's behalf, with security, sub-processing, transfer and breach-notification commitments.
