Privacy Policy

PackGuru Privacy Policy

Effective Date: October 4, 2025

1. General Provisions and Definitions

This Privacy Policy (hereinafter referred to as the "Policy") defines the rules for the processing and protection of personal data for which PackGuru sp. z o.o. (hereinafter referred to as "PackGuru" or the "Controller") is the Controller.

The purpose of the Policy is to inform Users about what personal data is collected, how it is used, and what rights Users have in connection with the processing of their data.

Terminology:

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Client: An entity (company) that has concluded a service agreement (ToS) with PackGuru.

User:

  • A Client's representative (e.g., employee, contractor) authorized to contact PackGuru or manage the Client's account.
  • A person visiting the website packguru.io (or other company website).
  • A person contacting PackGuru via contact forms or e-mail.

Personal Data: Any information about an identified or identifiable natural person.

Important Distinction (Controller vs. Processor):

This Policy applies exclusively to personal data for which PackGuru is the Controller (e.g., User contact details, Client billing data, data from contact forms). The rules for processing data that Clients input into our Service (e.g., video recordings, telemetry data), for which PackGuru acts as a Data Processor (Processor), are regulated in a separate document – the Data Processing Agreement (DPA), which is an appendix to the Terms of Service (ToS).

2. Data Controller

The Controller of your personal data is: PackGuru sp. z o.o.

Address: Julianowska 45, 05-500 Piaseczno

NIP (Tax ID): PL5272844424

KRS (National Court Register): 0000724744

In all matters related to the processing of personal data, you can contact us at the e-mail address: privacy@packguru.ai

3. Purposes, Legal Bases, and Scope of Data Processing

We process your personal data for the following purposes:

a) Conclusion and performance of the service agreement (ToS)

Purpose: Registration and management of the Client's account, provision of the Service, technical support, payment processing, and invoicing.

Scope of data: Client representative data (first name, last name, position), business contact details (e-mail, phone number), invoicing data.

Legal basis: Art. 6(1)(b) of the GDPR (necessity to perform a contract).

b) Handling inquiries (e.g., via contact form, e-mail)

Purpose: Responding to inquiries sent by potential or current Clients, presenting offers.

Scope of data: First name, last name, e-mail address, phone number, company name, content of the inquiry.

Legal basis: Art. 6(1)(f) of the GDPR (legitimate interest of the Controller, consisting of handling correspondence and building business relations).

c) Fulfilling legal obligations

Purpose: Fulfilling obligations arising from legal regulations, particularly tax and accounting laws (e.g., issuing and storing invoices).

Scope of data: Data necessary to issue accounting documents.

Legal basis: Art. 6(1)(c) of the GDPR (legal obligation incumbent on the Controller).

d) Marketing and newsletter dispatch

Purpose: Sending commercial information, information about new features, promotions, or industry events.

Scope of data: E-mail address, first name.

Legal basis: Art. 6(1)(a) of the GDPR (voluntary consent of the User). This consent can be withdrawn at any time.

e) Analysis and statistics (website-related)

Purpose: Improving the functioning of our website, traffic analysis, service optimization.

Scope of data: IP address (often anonymized), browser data, operating system data, cookies.

Legal basis: Art. 6(1)(f) of the GDPR (legitimate interest of the Controller, consisting of optimizing operations).

f) Establishment, exercise, or defense of legal claims

Purpose: Securing PackGuru's legal interests.

Scope of data: Data necessary to demonstrate the existence of a claim or defend rights.

Legal basis: Art. 6(1)(f) of the GDPR (legitimate interest of the Controller).

4. Data Recipients

To properly provide our services, your personal data may be transferred to trusted third parties (our subcontractors and service providers).

We transfer data only to those entities that guarantee the highest level of security and only to the necessary extent. These include:

  • Cloud infrastructure providers (e.g., Google Cloud Platform).
  • Providers of invoicing and accounting systems.
  • Providers of CRM and customer support systems.
  • Providers of marketing and analytics systems (e.g., Google Analytics).
  • Payment operators.
  • Law firms and advisory companies.

With each of these entities acting on our behalf, we have appropriate Data Processing Agreements (DPAs) ensuring compliance with the GDPR.

5. Data Transfer outside the European Economic Area (EEA)

Due to the use of global service providers (e.g., Google Cloud Platform), your personal data may be transferred to third countries (outside the EEA).

Such transfers are always carried out with the highest security guarantees, in particular, based on Standard Contractual Clauses (SCCs) approved by the European Commission, which ensure an adequate level of data protection.

6. Data Retention Period

We store your personal data only for as long as necessary to achieve the purposes for which they were collected:

Data related to the agreement (ToS): For the duration of the agreement and after its termination for the period necessary to pursue potential claims or as required by law (usually up to 6 years from the end of the year in which the agreement was terminated).

Accounting data (invoices): For the period required by accounting regulations (usually 5 years from the end of the calendar year in which the tax payment deadline expired).

Data from inquiries: For the time necessary to respond and close the matter.

Marketing data (consent): Until you withdraw your consent.

7. Rights of Data Subjects

In connection with the processing of your personal data by PackGuru, you have the following rights:

  • Right of access to data (Art. 15 GDPR).
  • Right to rectification (correction) of data (Art. 16 GDPR).
  • Right to erasure of data ("right to be forgotten") (Art. 17 GDPR) – unless we have an overriding legal obligation to store them (e.g., data on invoices).
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR) – for data processed based on a contract or consent.
  • Right to object (Art. 21 GDPR) – to the processing of data based on our legitimate interest (e.g., analytics).
  • Right to withdraw consent (Art. 7(3) GDPR) – if data is processed based on consent (e.g., marketing). Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
  • Right to lodge a complaint with a supervisory authority, i.e., the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

To exercise your rights, please contact us at: privacy@packguru.io

8. "Cookies" Policy

Our website (e.g., packguru.io) uses cookies to ensure its proper functioning and for analytical purposes.

We use the following types of cookies:

  • Necessary (technical): Required for the basic functioning of the service, e.g., maintaining a session.
  • Analytical: Used to collect anonymous statistics about how the site is used (e.g., Google Analytics), which helps us improve it.
  • Marketing: Used to personalize advertising and marketing activities (if applicable).

During your first visit to the site, a banner is displayed informing about the use of cookies, through which you can manage your consent for analytical or marketing cookies.

You can also manage cookie settings from your web browser.

9. Data Security

PackGuru prioritizes data security. We implement a range of advanced technical and organizational measures aimed at protecting personal data against loss, destruction, unauthorized access, or modification.

These measures include, among others, data encryption (both in transit and at rest), strict access control based on the principle of least privilege, and regular security audits.

Our detailed approach to security is described in the documentation provided to our B2B Clients (e.g., in the Cyber Security Policy).

10. Changes to the Privacy Policy

We reserve the right to make changes to this Privacy Policy if required by changes in law or modifications to our data processing procedures.

The current version of the Privacy Policy will always be available on our website.

Questions about privacy?

Contact us at privacy@packguru.ai for any questions regarding the processing of your personal data.