Privacy policy
Effective from: 2026-06-12
This policy explains how we collect, store, and use the personal data of people who join the Vorelo waitlist. It's written in plain language, but it covers everything applicable law (GDPR, the Polish Electronic Communications Law, and the Polish Act on Electronic Services) requires. The Service is not directed at users under 16 (GDPR Art. 8).
1. Data Controller
The Controller of your personal data is Kacper Stelmach — Net Solution (sole proprietorship registered with the Polish Central Register of Businesses, CEIDG), ul. Marii Curie-Skłodowskiej 11/1, 50-381 Wrocław, Poland, NIP 8982235877. For anything related to your data, contact: contact@vorelo.app.
2. Data protection contact
For any matter concerning your data — requests for access, deletion, rectification, withdrawing consent, complaints — write to contact@vorelo.app. We respond within 30 days (the deadline set by GDPR Art. 12(3)). In particularly complex cases the deadline may be extended by a further 2 months — if so, we'll let you know within the first 30 days.
3. What data we collect
We collect: your email address (as you type it into the form), the date and time of your consent, the wording of the consent shown to you at sign-up (for audit), the consent template version, an irreversible hash of the IP address the sign-up came from (we don't store the raw IP), your browser language, a truncated User-Agent fragment (first 200 characters), and which form the sign-up came from (hero / cta-bottom). We don't collect: first name, last name, phone number, postal address, payment data, or analytics/marketing cookies. Providing your email is voluntary; without it, you cannot join the waitlist.
4. Purposes of processing
We process the data for the following purposes: (a) to notify you about the Vorelo launch, the beta opening, and material changes to the project — only if you've consented; (b) form security — preventing spam, automated attacks, and abuse (honeypot, rate limiter, Turnstile); (c) to fulfill your requests under GDPR Arts. 15–22.
5. Legal basis
For purpose (a) — your voluntary, informed, and unambiguous consent (GDPR Art. 6(1)(a)) and Article 398 of the Polish Electronic Communications Law (consent to commercial information sent electronically). For purpose (b) — our legitimate interest in keeping the service secure and operating properly (GDPR Art. 6(1)(f)). For purpose (c) — compliance with a legal obligation to which the Controller is subject (GDPR Art. 6(1)(c)).
6. Retention period
We keep your email address for up to 24 months from the date of consent. The counter resets every time we send you a message from the system (so if you're in active communication you stay on the list). After 24 months with no message from us, the record is deleted automatically (a daily job runs at 03:00 UTC). Independently of this, you can request earlier deletion at any time — we'll remove the data within 7 days.
7. Recipients of the data
We share your data with the following processors: Microsoft Ireland Operations Ltd — hosting (Azure Static Web Apps, Functions, Table Storage, Application Insights) in the West Europe region; Cloudflare, Inc. — bot protection on the form (Turnstile). We have Data Processing Agreements (DPAs) in place with both, compliant with GDPR Art. 28. We don't share your data with marketing, analytics, or advertising companies.
8. Transfers outside the EEA
Microsoft — most of the data is processed within the EU Data Boundary (Ireland, the Netherlands, Austria). In limited support and security scenarios, Microsoft may transfer data to the United States under the EU-US Data Privacy Framework adequacy decision (Microsoft is on the certified list). Cloudflare — as a US company, processes data in the United States, also under the EU-US Data Privacy Framework (Cloudflare is certified). The European Commission's DPF decision (2023/1795) is available at eur-lex.europa.eu. Should the DPF adequacy decision ever be suspended or invalidated, transfers to the US will rely on the Standard Contractual Clauses (SCCs) provided for in our data processing agreements with Microsoft and Cloudflare.
9. Your rights
You have the right to: access your data (GDPR Art. 15), rectification (Art. 16), erasure (Art. 17, the "right to be forgotten"), restriction of processing (Art. 18), objection to processing (Art. 21), data portability (Art. 20), withdraw consent at any time (Art. 7(3) — without affecting the lawfulness of processing before withdrawal), and to lodge a complaint with a supervisory authority. Our lead authority is the Polish Data Protection Authority (UODO, uodo.gov.pl). If you reside in another EU Member State, you may also lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement (GDPR Art. 77(1)).
10. How to file a request
Email contact@vorelo.app with a subject line containing the word "GDPR" and the type of request, e.g., "GDPR: delete data" or "GDPR: access data." In the body, include the email address the request concerns. We respond within 30 days. For simple requests that concern only the email address, we don't require formal letters or ID checks (writing from the address itself is enough).
11. How to leave the list
Easiest route: email contact@vorelo.app with the subject line "Unsubscribe." We remove your address within 7 days and reply with a confirmation. Once we add a one-click "Unsubscribe" link to every message we send, that becomes the path. Until then, email is the only way.
13. Automated mechanisms
We use several automated form safeguards: a hidden honeypot field (if filled in, silent reject); a minimum fill-time check (under 2 seconds = bot); a rate limiter based on a hashed IP digest (5/min, 20/h, 50/day); a blocklist of disposable domains (e.g., mailinator); Cloudflare Turnstile (a challenge for suspicious sessions). None of these counts as "profiling" under GDPR Art. 22, because they don't produce legal effects concerning you and don't significantly affect you (worst case, you retry the sign-up).
14. Effective date and change history
Current version: 2026-06-12 (addition of the vorelo-lang key to the localStorage inventory, sentence on SCCs as a fallback transfer mechanism, editorial clean-up). Previous versions: 2026-05-14 (clarifications: voluntary nature of providing an email address, right to lodge a complaint with the authority in the country of habitual residence, age limit of 16 years, legal basis updated to Art. 398 of the Electronic Communications Law), 2026-04-23 (full policy, 14 sections), 2026-04-20 (first simplified version, 9 sections). Any material change to this policy will be announced to people on the waitlist by email at least 14 days in advance. During that window you can unsubscribe without consequence. This English translation is provided for convenience. The Polish version is the legally binding text in case of any discrepancy.