Privacy Policy

I. Personal data

We process Users’ personal data in collections depending on the purpose of data processing. We process this data only to the extent necessary to achieve the specified purpose. The purposes of data processing and their scope can be found in the table below.

CUSTOMER PERSONAL DATA

Scope of processed data	Purpose of processing	Legal basis
First and last name Company/organization name Address of registered office Phone number Email	Execution of sales contracts and provision of services offered by the Service Provider.	Article 6(1)(b) of the GDPR Article 6(1)(c) of the GDPR Article 6(1)(f) of the GDPR

Data sharing
Customers’ personal data may be transferred to entities cooperating with the controller for the purpose of performing the contract and providing services properly, in particular: courier, postal, logistics, accounting, legal, IT, and service companies.

If necessary, data may be disclosed to public authorities authorized to receive it under the law.

The data is not transferred outside the European Economic Area, unless this is due to the technical functioning of the IT tools used by the controller. In such a case, appropriate legal safeguards are applied, including standard contractual clauses.

Storage period
Customer data is stored for the duration of the contract and, after its termination, for the time required by law (e.g., 5 years for accounting records) or until the claims arising from the contract become time-barred.

Confidentiality recommendation

Customers are requested not to provide sensitive data (e.g. concerning health, political views, religious beliefs, or biometric data) in electronic correspondence or forms, unless it is necessary for the provision of the service and has been expressly agreed with the controller.

DATA OF PERSONS USING THE CONTACT FORM

Scope of processed data	Purpose of processing	Legal basis
First and last name Phone number Email	Enabling interested parties to contact the Service Provider regarding offered products and services, including responding to inquiries.	Article 6(1)(a) of the GDPR – applies only to marketing communications (checkbox) Article 6(1)(f) of the GDPR Article 6(1)(b) of the GDPR

Data sharing
Data from the contact form is not transferred to any third parties without explicit need. It may be entrusted to hosting providers, IT companies, and entities providing IT infrastructure maintenance services to the administrator.

Data is not transferred outside the European Economic Area, except in situations where the email or hosting systems used have servers outside the EEA. In such cases, appropriate legal safeguards (e.g., standard contractual clauses) are applied.

Storage period
Data from the contact form is stored until a response is provided and correspondence is completed, and then for no longer than 12 months for evidentiary purposes (e.g., to demonstrate the correctness of the handling of the inquiry).

In the case of consent-based marketing communications (if the checkbox has been selected), data is stored until consent is withdrawn; information about its withdrawal may be stored for up to 3 years for evidentiary purposes (to demonstrate compliance).

Confidentiality recommendation
Users of the contact form are asked to limit the scope of information provided to only that which is necessary to respond to the inquiry. Do not provide special categories of data (e.g., health data, biometric data, political opinions).

DATA OF PERSONS SUBSCRIBED TO THE NEWSLETTER

Scope of processed data	Purpose of processing	Legal basis
First name (optional) Email Information about the date of registration and confirmation of subscription Statistics on message opens and link clicks	Sending a newsletter containing information about products, services, promotions, events, or other marketing and educational content related to the administrator’s activities.	Article 6(1)(a) of the GDPR Article 10 of the Act on the provision of electronic services Article 172 of the Telecommunications Law

Data sharing
Providing data is voluntary, but necessary to receive the newsletter. Data may be transferred to entities handling the sending of e-mails (e.g., mailing system providers such as Mailchimp or other entities processing data on behalf of the controller).

Data may be transferred outside the European Economic Area if the mailing system provider’s servers are located outside the EEA. In this case, appropriate legal safeguards are applied, including standard contractual clauses.

Retention period
The data is stored until you withdraw your consent to receive the newsletter or object to the processing of your data for marketing purposes. Once you withdraw your consent, the data is deleted or anonymized, but the information about the withdrawal of consent may be stored for up to 3 years for evidence purposes (e.g., to demonstrate compliance with the GDPR).

Confidentiality recommendation
Subscribers are asked not to provide any personal data other than their email address and first name (if provided voluntarily) in their responses to the newsletter or in the registration form.

DATA OF PERSONS USING THE AI AGENT

Scope of processed data	Purpose of processing	Legal basis
Recording of conversations with the agent in text form Recording of conversations with the agent in audio form	Enabling people to interact with a virtual assistant (AI agent), including receiving queries and generating responses, ensuring security and improving service quality.	Article 6(1)(f) of the GDPR

Data sharing
Conversation data is transferred and processed by the technology provider ElevenLabs Inc., based in the United States (US). Data may be transferred outside the EEA in accordance with standard contractual clauses approved by the European Commission. Detailed information on data processing by the AI technology provider can be found in the ElevenLabs Privacy Policy. ElevenLabs acts as a processor on behalf of the Controller.

Retention period
Data from conversations is stored for no longer than 12 months, after which it is deleted or anonymized.

Confidentiality recommendation
Users are asked not to provide the AI agent with personal data or confidential information (e.g., financial, medical, or user account data).

DATA OF PERSONS USING THE CLOUD DATABASE SYSTEM (SAAS)

Scope of processed data	Purpose of processing	Legal basis
System user identification data (first name, last name, email address, login) Contact details (phone number, company/organization name) Data concerning activity in the system (access logs, data operations, login time) Data entered or generated when using SaaS services (measurement data, reports, device configurations)	Providing users with access to a database system operating in the SaaS model, enabling the use of system functions (e.g., collection, analysis, sharing of measurement data), maintaining continuity of operation and service security and technical and maintenance support.	Article 6(1)(b) of the GDPR Article 6(1)(c) of the GDPR Article 6(1)(f) of the GDPR

Data sharing
The data is stored and processed in a cloud system operating on the Google Cloud Platform (GCP) infrastructure, provided by Google Ireland Limited (for EU customers) and Google LLC (USA) for transfers outside the EEA.

Data may be stored in cloud regions located in the European Union, unless the user or administrator selects other data location settings.

Data may be transferred outside the European Economic Area within the GCP infrastructure. In such cases, appropriate legal safeguards are applied, in particular standard contractual clauses approved by the European Commission.

Data may also be entrusted to entities providing IT, service, and maintenance services for the SaaS system. Google (GCP) acts as a processor on behalf of the Administrator in accordance with a data processing agreement.

Storage period
The data is stored for the duration of use of the SaaS service and, after termination, for the period necessary to secure any claims or in accordance with legal provisions (e.g., limitation periods, accounting obligations, GxP, etc.).

Confidentiality recommendation
SaaS system users are requested to keep their access data (logins, passwords) confidential and not to enter personal or confidential data into the system that is not necessary for the system to function. The administrator ensures transmission encryption (TLS/HTTPS) and access control mechanisms in accordance with the requirements of the GDPR and GCP security principles.

In addition, the possible purposes of personal data processing are:

assessment and analysis of activity, including profiling (automated processing of personal data for the purpose of presenting tailored advertisements or market and statistical analyses),
fulfilling legal obligations arising from generally applicable laws, e.g., accounting, tax, etc.,
pursuing claims and responding to them.

We always inform you about the purposes of personal data processing before or at the time of collecting such data.

II. Basis and duration of personal data processing

The personal data administrator exercises special and due diligence to protect the rights of Users whose data is being processed, and in particular ensures that such data is:

processed lawfully, fairly, and transparently,
collected for legitimate purposes, which we inform you about when collecting the data,
not further processed in a manner incompatible with the purposes specified in the information obligation,
accurate and, where necessary, kept up to date,
factually correct and adequate in relation to the purposes for which they are processed,
adequately protected against unauthorized access, destruction, disclosure, and unlawful use,
stored in a form that allows for the identification of the persons to whom they relate, for no longer than is necessary to achieve the purpose of processing, which we inform you about before collecting personal data or during the process.

The personal data controller reserves the right to entrust the processing of Users’ personal data, which it administers, to other companies for the purpose of the proper performance by those companies of activities related to the administration, maintenance, and management of the Website, as well as the pursuit of claims and clarification of the circumstances of unauthorized use of services provided electronically.

In the case of data processed as part of the use of an AI agent, the storage period does not exceed 12 months, and the data is used solely for the purpose of improving the quality of service and system performance.

When collecting personal data, we always inform you about the legal basis for its processing. When we inform you about:

Article 6(1)(a) of the GDPR – this means that we process personal data on the basis of the consent received,
Article 6(1)(b) of the GDPR – this means that we process personal data because it is necessary for the performance of a contract or in order to take steps prior to entering into a contract, upon request,
Article 6(1)(c) of the GDPR – this means that we process personal data in order to comply with a legal obligation,
Article 6(1)(f) of the GDPR – this means that we process personal data for the purposes of our legitimate interests, which we always disclose.

We may also process personal data based on other specific regulations, such as the Electronic Services Act.

In the case of processing based on our legitimate interest, we carry out a balancing test. Information about the results of the test is available upon request.

Transfers to third countries. When transferring data outside the EEA (e.g., in connection with GCP, mailing tools, or ElevenLabs), we use Standard Contractual Clauses (SCC) and conduct a transfer impact assessment (TIA). Information about the safeguards used (e.g., a copy of the relevant SCC provisions) can be obtained by contacting us at info@blulog.eu. The information provided may be redacted in relation to trade secrets or technical safeguards.

The processing time for personal data depends on the basis and purpose of processing such data. Examples of personal data retention periods:

Personal data processed in connection with marketing activities will be processed until an objection to the processing of such data is received.
Personal data processed on the basis of consent to the processing of such data will be processed until such consent is withdrawn.
Personal data processed using cookies and similar technologies will be processed until these files are deleted using browser or device settings and until an objection to their processing is raised.
Personal data processed in connection with the implementation of applicable laws (e.g., for the purpose of issuing an invoice) will be processed within the time limit required by generally applicable accounting and tax laws.
Personal data related to the provision of services, including sales, will be stored until claims can be pursued against us or by us, i.e. in accordance with generally applicable limitation periods for claims.

As a rule, we obtain personal data directly from the User (e.g., through forms, correspondence, a SaaS account, or a conversation with an AI agent). In exceptional cases, we may receive data from third parties acting on our behalf or cooperating with us (e.g., B2B partners, payment/accounting/IT service providers, logistics operators). In such cases, we will inform you whether the data comes from publicly available sources and about the categories of data obtained in this way. We will provide this information no later than one month after obtaining the data, and if the data is used for contact purposes, during the first communication.

The contact details of persons on the Customer’s side may be provided by the Customer (e.g., supervisor/contract guardian) for the purpose of creating accounts and granting permissions in the SaaS system.

III. User rights

In connection with the processing of personal data, persons whose personal data we process have rights related to such processing. The possibility of exercising the following rights depends on the legal basis for the processing of personal data.

In the case of data processed by an AI agent, the exercise of certain rights (e.g., access, deletion) may be limited if the data has been anonymized and can no longer be attributed to a specific individual.

Data subjects may exercise their rights by contacting the Controller at the e-mail address info@blulog.eu or in writing to the address of the registered office of Blulog sp. z o.o. ul. Dąbrowskiego 334A, 60-406 Poznań, Poland. We respond to requests regarding the exercise of rights without undue delay, no later than within one month of receipt (the deadline may be extended in the cases provided for in Article 12(3) of the GDPR).

Right of access to data

The data subject is entitled to obtain confirmation from us as to whether personal data concerning him or her are being processed. If this is the case, he or she is entitled to access them and obtain additional information (including purposes, categories, recipients, retention, rights, source).

Upon receiving such a request, we are required to provide a copy of the personal data being processed. If such a request is received electronically and if we do not receive any other objection, we will also provide the information electronically.

Right to rectify data

The data subject has the right to request that we immediately rectify any personal data concerning him or her that is inaccurate. Taking into account the purposes of the processing, he or she has the right to request that incomplete personal data be completed, including by means of providing a supplementary statement.

Right to be forgotten

The data subject has the right to request that we delete their personal data without delay. We are then obliged to delete the personal data without undue delay if one of the following circumstances applies:

consent to the processing of personal data has been withdrawn and there is no other basis for processing,
the individual has effectively objected to the processing,
the personal data has been processed unlawfully,
the personal data must be erased in order to comply with a legal obligation.

Right to restriction of processing

The data subject has the right to request that we restrict processing in the following cases:

the data subject contests the accuracy of the personal data – for a period enabling us to verify the accuracy of the data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
we no longer need the personal data for processing purposes, but it is needed by the data subject to establish, exercise, or defend legal claims;
the data subject has objected to the processing pursuant to Article 21(1) of the GDPR pending the verification whether our legitimate grounds override those of the data subject.

Right to object

The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them based on Article 6(1)(f) (legitimate interests of the controller), including profiling. In such a case, we may no longer process that personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

Also, if the data subject objects to processing for direct marketing purposes (including profiling for marketing purposes), the personal data may no longer be processed for such purposes.

Right to withdraw consent

If processing is based on consent, it can be withdrawn at any time without affecting the lawfulness of the processing that took place before its withdrawal.

Right to data portability

The data subject has the right to receive their personal data in a structured, commonly used, machine-readable format and has the right to transmit those data to another controller if the processing is based on consent or a contract and is carried out by automated means.

Automated decisions, including profiling

The administrator does not make decisions regarding Users that have legal effects or similarly significantly affect them, based solely on automated data processing (including profiling).

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This right does not apply if the decision:

is necessary for the conclusion or performance of a contract between the data subject and us;
is permitted by Union law or the law of the Republic of Poland and which provides for appropriate measures to protect the rights, freedoms, and legitimate interests of the data subject; or
is based on the explicit consent of the data subject.

Users have the right to control the processing of data concerning them contained in the Service Provider’s data files. This includes, in particular, the right to access and correct their data, as well as the right to request that their personal data be supplemented, updated, corrected, temporarily or permanently suspended from processing, or deleted if it is incomplete, outdated, untrue, or has been collected in violation of the law, or is no longer necessary for the purpose for which it was collected.

The use of an AI agent does not involve making decisions that have legal effects or similarly significantly affect Users, based solely on automated processing.

Right to lodge a complaint

The data subject has the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw) if they believe that the processing of their personal data violates the provisions of the GDPR.

IV. System logs

These are internal event logs of the Website server, which automatically record page requests sent when Users visit its websites. System logs contain the page request sent by the User, the IP address, browser type, browser language, date and time of the request, and at least one cookie that can uniquely identify the User’s browser.

As part of the AI agent’s operation, technical data such as the conversation timestamp, IP address, and session ID are also stored to ensure the security and proper functioning of the service.

V. Cookies

These are small files containing a string of characters that are sent and stored on the end device (e.g., computer, laptop, tablet, smartphone) used by the User when visiting the Website. This information is sent to the clipboard of the browser used, which sends it back the next time the website is visited. Cookies contain information necessary for the proper use of the blulog.eu website. Most often, they contain the name of the website they come from, the time they are stored on the end device, and a unique number.

These files allow the User’s device to be recognized and the Website to be displayed in a manner tailored to the User’s individual expectations, making the use of the Website easier and more enjoyable. By saving these files on the User’s device, it is possible, among other things, to remember login details, maintain a session after logging in, or customize the website to the User’s preferences, such as content layout, language, or color.

With regard to cookies that are not required for the operation of the Website, the basis is consent (Article 6(1)(a) of the GDPR) and Article 173 of the Telecommunications Law; for cookies that are necessary, the basis is our legitimate interest in ensuring the functionality and security of the Website (Article 6(1)(f) of the GDPR).

We use, among others, necessary, analytical/statistical, and functional cookies. The storage period depends on the type of file.

You can learn more about the cookies we use in our Cookie Policy (EU) by clicking here.

VI. Data collection

The data collected in system logs is used by the Service Provider solely for the purpose of administering the Website. It is not transferred to third parties, except in the circumstances described in this document.

In connection with the use of the Website by Users, we may collect and record in server logs technical details regarding the manner of use of the services, requests sent by the User related to the provision of electronic services, IP address, and technical data about the operation of the Website in connection with the activities performed by the User, in particular information about the start, end, and scope of each use of a service provided electronically. We may also collect information for the purpose of storing it locally on the User’s device using the browser’s memory mechanism.

The data collected on the Website is stored on external secure and professional servers, based on agreements concluded by the Service Provider. The Service Provider takes appropriate precautions to protect Users’ personal data against unauthorized access, destruction, disclosure, and unlawful use. Only the Users themselves, the Service Provider, and the third parties indicated in this document are authorized to process the data of Website Users.

The data is processed using external IT infrastructure providers acting as processors on behalf of the Administrator.

Log data is used solely for security, diagnostic, and statistical purposes related to the functioning of the Website and is not used for automated decision-making regarding Users.

VII. Other

The Website may contain links to other websites. We are not responsible for the privacy policies of these websites. We recommend that you review the privacy policies of these websites when you visit them.

The Services are not directed at children under the age of 16 and we do not knowingly collect their data. The Service Provider reserves the right to change the Privacy Policy.

This Privacy Policy is effective as of April 20, 2018, and was last updated on November 27, 2025.