
Privacy policy & GDPR

Last updated: 21 April 2026

This document describes how Boltcraft processes your personal data. It complies with the GDPR - in particular article 13, which requires providing information to the person from whom data is collected. The document is written in plain language on purpose - if anything is unclear, write to [email protected]. In case of discrepancies between the Polish and English versions, the Polish version prevails.

1. Data controller

The controller of your personal data is:

  • PRIME-IT SOLUTIONS Marcin Grom - sole proprietorship (Polish JDG)
  • Polish tax ID (NIP): 578-276-10-80
  • Registered office: 05-270 Marki, Poland
  • General contact: [email protected]
  • Privacy matters: [email protected] (same address)

2. What data we collect

We collect only the data needed to provide our services:

  • From the contact form: name and company, email address, message content
  • From the chatbot: the conversation stays in your browser - it is sent to us only if you choose to leave your email at the end of the scenario
  • Automatically: IP address and Accept-Language header in server logs (up to 30 days, for security only)

3. Purposes and legal basis

We process your data for the following purposes and on the following legal bases:

  • Responding to your inquiry, preparing an offer, concluding and performing a contract - art. 6(1)(b) GDPR (contract or pre-contractual steps)
  • Maintaining the security of the service and protecting against abuse (rate limiting, server logs) - art. 6(1)(f) GDPR (legitimate interest of the controller)
  • Complying with obligations arising from Polish tax and accounting law (after a contract is concluded) - art. 6(1)(c) GDPR

4. Who we share data with

Your data may be transferred to the following processors:

  • SMTP provider - MxRoute (form email delivery) - EU-based server
  • VPS provider - site hosting in the European Union
  • Domain registrar and TLS certificate provider

No personal data is transferred outside the European Economic Area. We do not sell or share data for marketing purposes.

5. How long we keep data

  • Contact form: up to 24 months from the last contact, unless we enter into a contract
  • Contract-related data: 5 years from the end of the accounting year (Polish Accounting Act)
  • Server logs (IP, timestamp): 30 days

6. Your rights

You have the right to:

  • Access - know what data we process about you
  • Rectification - correct inaccurate or incomplete data
  • Erasure ("right to be forgotten") - except for data we must retain by law
  • Restriction of processing - in specific cases
  • Data portability - receive your data in a structured format
  • Object - when the processing is based on legitimate interest
  • Lodge a complaint with the President of the Polish Data Protection Authority (uodo.gov.pl) - if you believe the processing violates the GDPR

To exercise any of these rights, write to [email protected]. We will respond within 30 days (up to 3 months in particularly complex cases, with justification).

7. Automated decision-making

We do not make decisions about you by fully automated means, and we do not profile you. The chatbot on the site is scripted - a predefined sequence of responses, not a machine-learning system. When we launch a real AI assistant based on Anthropic's Claude model, we will update this policy to add Anthropic as a processor and describe the scope of processing.

8. Cookies and analytics

On the public site we do not use cookies for tracking or advertising. Anonymous visit statistics are collected by Umami - an instance we self-host on our own server in the European Union; Umami does not use cookies and does not store IP addresses or any personal data (it uses a daily salted hash to distinguish unique visitors). Cookies may appear in the admin panel (/admin) to maintain the logged-in administrator's session - they are strictly technical and do not require consent.

9. Data security

  • Traffic protected by HTTPS (TLS 1.2+)
  • Passwords and secrets kept only on the server, outside version control
  • Admin account access via single-use email link (passwordless)
  • Regular updates of libraries and operating system

10. Policy changes

We may update this policy as the service evolves (e.g. when analytics or a real RAG chatbot is added). Material changes will be announced on the home page. The current version is always available at this address; the last-updated date is at the top of the document.
