Privacy Policy

For the purposes of this Privacy Policy, the following definitions apply: • Controller — Oleh Nikolaiev, sole proprietorship (JDG), Tax ID (NIP): 5252914050, REGON: 522456084, registered at ul. Skarbka z Gór 140D/23, 03-287 Warsaw, Poland. • Personal data — any information relating to an identified or identifiable natural person. • GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). • Website — the website available at olekflow.pl. • User — any natural person visiting the Website or using the Controller's services. • Services — services provided by the Controller electronically and business process automation services. • Processing — any operation or set of operations performed on personal data (collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, erasure or destruction).

The controller of your personal data is: Oleh Nikolaiev Sole Proprietorship (Jednoosobowa Działalność Gospodarcza) Tax ID (NIP): 5252914050 REGON: 522456084 Registered address: ul. Skarbka z Gór 140D/23, 03-287 Warsaw, Poland Contact for data protection matters: Email: olek@olekflow.pl Phone: +48 730 497 849 The Controller has not appointed a Data Protection Officer (DPO), as this is not required under Article 37 of the GDPR. For all matters relating to the processing of personal data, you may contact the Controller directly.

The Controller collects Users' personal data in the following ways: a) Call booking form (Cal.com) When booking a free introductory call or audit through the external Cal.com system, the User provides their data voluntarily. This data is transferred to the Controller for the purpose of scheduling and conducting the call. b) Email correspondence When contacting via email (olek@olekflow.pl), the Controller collects the data contained in the message and the sender's details (email address, name if provided). c) Audit meeting During the business process audit, the User may voluntarily provide additional information about their company, processes, and needs. This information is used solely for preparing the Automation Map and a tailored proposal. d) Social media When contacting via LinkedIn or Instagram, the Controller may receive data shared by the User on these platforms. e) Automatically collected data The Website uses Plausible Analytics — an analytics tool that does not collect personal data, does not use cookies, and is fully compliant with GDPR, ePrivacy, PECR, and CCPA. Plausible collects only anonymised statistical data (e.g., country, device type, traffic source).

Depending on how the User interacts with the Website and the Controller, the following categories of data may be processed: Identification data: • First and last name • Company name • Tax ID (NIP) — when issuing an invoice Contact data: • Email address • Phone number • Social media profile (LinkedIn, Instagram) User's company data (provided voluntarily): • Industry and type of business • Description of business processes • Information about tools and systems in use Billing data: • Invoice details (company name, Tax ID, address) • Payment history Technical data (anonymised, no personal identification): • Country of visit • Device and browser type • Traffic source • Pages visited

Personal data is processed for the following purposes and on the following legal bases: a) Provision of services and contract performance Purpose: Scheduling calls, conducting audits, preparing the Automation Map, implementing automation, after-sales support. Legal basis: Art. 6(1)(b) GDPR — processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract. b) Contact and correspondence Purpose: Responding to messages, enquiries, and requests for proposals. Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the Controller in conducting correspondence related to business activities. c) Tax and accounting obligations Purpose: Issuing invoices, maintaining accounting records. Legal basis: Art. 6(1)(c) GDPR — processing is necessary for compliance with a legal obligation to which the Controller is subject (Polish Accounting Act, Tax Ordinance, VAT Act). d) Establishment, exercise, or defence of legal claims Purpose: Possible establishment, exercise, or defence of claims related to services provided. Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the Controller. e) Analytics and Website improvement Purpose: Traffic analysis, functionality improvement. Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the Controller. Note: Plausible Analytics does not process personal data, so this basis is provided for informational purposes.

Users' personal data may be disclosed to the following categories of recipients: a) Entities processing data on behalf of the Controller: • Cal.com, Inc. — online call booking system (processing booking form data) • Vercel, Inc. — Website hosting (server logs) • Plausible Insights OÜ — traffic analytics (does not process personal data) • Email service provider — correspondence handling b) Entities to which data may be disclosed under applicable law: • Tax authorities (National Revenue Administration) • Supervisory authorities (President of UODO — in the event of an audit) c) Entities providing services to the Controller: • Accounting firm — bookkeeping and tax services • Automation tool providers (within the scope of service delivery) A data processing agreement has been concluded with each entity processing data on behalf of the Controller, or the entity provides appropriate data protection guarantees.

Some processors used by the Controller are established outside the European Economic Area (EEA): • Cal.com, Inc. — United States. Data transfers are based on Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Art. 46(2)(c) GDPR. • Vercel, Inc. — United States. Data transfers are based on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework, in accordance with the European Commission's adequacy decision of 10 July 2023. Plausible Insights OÜ is based in Estonia (EEA) and does not process Users' personal data. The Controller takes all reasonable steps to ensure that data transfers to third countries are carried out with an adequate level of protection in accordance with GDPR requirements.

Personal data is stored for the period necessary to fulfil the purposes for which it was collected: • Call booking data — for 6 months from the date of the call, unless a contract is concluded (in which case the period below applies). • Contract-related data — for the duration of the contract and 3 years after its termination (limitation period for claims arising from service contracts under Art. 118 of the Polish Civil Code). • Billing data (invoices) — for 5 years from the end of the calendar year in which the tax payment was due (in accordance with Art. 70 § 1 of the Tax Ordinance and Art. 112 of the VAT Act). • Email correspondence data — for 12 months from the last message, unless the correspondence relates to contract performance. • Social media data — for the duration of the relationship or until the message is deleted by the User. After the expiry of the above periods, personal data is permanently deleted or anonymised.

Under the GDPR, you have the following rights: a) Right of access (Art. 15 GDPR) You have the right to obtain confirmation from the Controller as to whether your personal data is being processed and, where that is the case, access to the data and information about the purposes of processing, categories of data, recipients, and planned retention period. b) Right to rectification (Art. 16 GDPR) You have the right to request the prompt rectification of inaccurate personal data or the completion of incomplete data. c) Right to erasure — "right to be forgotten" (Art. 17 GDPR) You have the right to request the erasure of your personal data where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis for processing; you object to processing; the data has been unlawfully processed. d) Right to restriction of processing (Art. 18 GDPR) You have the right to request restriction of processing where: you contest the accuracy of the data; processing is unlawful but you oppose erasure; the Controller no longer needs the data but you require it for the establishment, exercise, or defence of legal claims. e) Right to data portability (Art. 20 GDPR) You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller. f) Right to object (Art. 21 GDPR) You have the right to object at any time to processing based on the Controller's legitimate interest (Art. 6(1)(f) GDPR), including profiling. The Controller will cease processing unless it demonstrates compelling legitimate grounds. g) Right to withdraw consent (Art. 7(3) GDPR) Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. h) Right to lodge a complaint with a supervisory authority (Art. 77 GDPR) You have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) (ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl) if you believe that data processing violates the GDPR. To exercise any of the above rights, contact the Controller: Email: olek@olekflow.pl The Controller will respond without undue delay, and no later than one month from receipt of the request.

Providing personal data is voluntary, but in some cases necessary: • Booking a call — providing your name and email address is required to schedule an appointment. Without this data, booking is not possible. • Entering into and performing a contract — providing identification and contact data is necessary for concluding a contract and delivering services. Refusal to provide data will prevent service delivery. • Issuing an invoice — providing billing data (company name, Tax ID, address) is a legal requirement under tax regulations. • Correspondence — providing an email address is necessary to receive a response. • Process audit — providing information about your company and processes is voluntary but necessary for preparing the Automation Map.

The Controller does not make decisions about Users based solely on automated processing, including profiling, that would produce legal effects or similarly significantly affect them within the meaning of Art. 22 GDPR. Plausible Analytics generates anonymised Website visit statistics; however, these do not allow identification of individual Users and do not constitute profiling within the meaning of the GDPR.

The Controller applies appropriate technical and organisational measures to ensure the protection of processed personal data, in particular: • Communication with the Website takes place via the HTTPS protocol (SSL/TLS encryption). • The Website is hosted on Vercel infrastructure, which provides data encryption at rest and in transit, automatic backups, and DDoS protection. • Access to personal data is limited to persons authorised by the Controller. • Email correspondence uses encrypted connections. • The Controller regularly reviews and updates security measures as needed. • Passwords and access credentials are stored in an encrypted manner. In the event of a personal data breach, the Controller will, without undue delay — where feasible, no later than 72 hours after becoming aware of the breach — notify the President of UODO, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller will promptly inform the affected data subjects.

The olekflow.pl website does not use cookies or any tracking technologies that would allow User identification. The Website uses Plausible Analytics (plausible.io) — an analytics tool fully compliant with the GDPR, which: • Does not use cookies • Does not collect personal data • Does not track Users across websites or sessions • Does not generate unique identifiers • Processes data exclusively within the European Union (servers in Germany) As a result, the Website does not need to display a cookie banner or obtain consent for analytics in accordance with the ePrivacy Directive. External services linked from the Website (Cal.com, LinkedIn, Instagram) may use their own cookies and tracking technologies. The Controller has no control over their operation — the data processing rules for these services are governed by their respective privacy policies.

In the course of operating the Website, the Controller uses the following external services and tools: a) Plausible Analytics (Plausible Insights OÜ, Estonia) Purpose: Website traffic analysis. Data scope: Anonymised statistical data (no personal data). Privacy policy: https://plausible.io/privacy b) Cal.com, Inc. (United States) Purpose: Booking system for introductory calls and audits. Data scope: Name, email address, optionally phone number and note. Privacy policy: https://cal.com/privacy c) Vercel, Inc. (United States) Purpose: Website hosting, content delivery (CDN). Data scope: Server logs (IP address, request headers — stored short-term). Privacy policy: https://vercel.com/legal/privacy-policy d) LinkedIn (LinkedIn Ireland Unlimited Company, Ireland) Purpose: Controller's social media profile, contact. Data scope: Data shared by the User on the platform. Privacy policy: https://www.linkedin.com/legal/privacy-policy e) Instagram (Meta Platforms Ireland Ltd., Ireland) Purpose: Controller's social media profile, contact. Data scope: Data shared by the User on the platform. Privacy policy: https://privacycenter.instagram.com/policy

The Website may contain links to external websites and services that are not controlled by the Controller. The Controller is not responsible for the privacy practices or content of external websites. Before providing personal data on an external website, it is recommended to review its privacy policy.

The Controller reserves the right to amend this Privacy Policy in order to adapt it to changes in legislation, changes in the manner of data processing, or changes in the functionality of the Website. Users will be informed of significant changes through: • Updating the "Last updated" date on this page • Displaying a notice in a prominent location on the Website (for material changes) Continued use of the Website after changes have been made constitutes acknowledgement of the updated Privacy Policy. It is recommended to review this Privacy Policy regularly.

For matters relating to personal data protection, the exercise of User rights, or questions about this Privacy Policy, please contact: Oleh Nikolaiev Email: olek@olekflow.pl Phone: +48 730 497 849 Correspondence address: ul. Skarbka z Gór 140D/23, 03-287 Warsaw, Poland Supervisory authority: President of the Personal Data Protection Office (PUODO) ul. Stawki 2, 00-193 Warsaw, Poland Phone: +48 22 531 03 00 Website: https://uodo.gov.pl