Privacy Policy

Descale Agency is a brand and trading name operated by Travomate Sp. z o.o., a limited liability company registered in Poland at ul. Nowogrodzka 31, 00-511 Warszawa, NIP 7011239205 (the “Controller”, “we”, “us” or “our”).

This Privacy Policy explains how we collect, use, share and protect your personal data when you visit our websites, contact us, or engage our marketing and IT services. We act as a data controller within the meaning of Article 4(7) of the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Polish Personal Data Protection Act of 10 May 2018 (Ustawa o ochronie danych osobowych).

We process the following categories of personal data:

• Identification & contact data: name, business email, phone number, company name, role.
• Engagement data: messages you send through forms, calendar bookings, project briefs, and call recordings (with consent).
• Technical data: IP address, device, browser, operating system, referrer, pages viewed, time on page, and similar telemetry collected via cookies and analytics.
• Marketing data: newsletter subscriptions, event registrations, communication preferences.
• Contractual & billing data: invoicing details, VAT IDs, bank or payment information when you become a client.

We do not knowingly collect special categories of personal data (Art. 9 GDPR) or data of children under 16.

We rely on the following legal bases under Article 6 GDPR:

• Consent (Art. 6(1)(a)): for non-essential cookies, marketing emails, and call recordings.
• Contract performance (Art. 6(1)(b)): to respond to enquiries, deliver services, and invoice clients.
• Legal obligation (Art. 6(1)(c)): to comply with Polish accounting, tax (Ustawa o rachunkowości) and AML obligations.
• Legitimate interest (Art. 6(1)(f)): to operate, secure and improve our website, prevent fraud, and pursue lawful business interests, having balanced these against your rights.

Retention periods are limited to what is necessary for the purpose:

• Contact form submissions and pre-sales correspondence: up to 24 months after last contact.
• Client contracts and project deliverables: 10 years from end of engagement (Polish accounting and statute-of-limitations requirements).
• Accounting and invoicing records: 5 full calendar years from end of fiscal year (Art. 86 of the Polish Tax Ordinance / Ordynacja podatkowa).
• Marketing data: until you withdraw consent or object.
• Server logs and analytics: typically 14 months in pseudonymised form.

We share personal data only with carefully selected processors and recipients:

• Hosting & infrastructure: Amazon Web Services (EU regions), Cloudflare, Vercel, Google Cloud.
• Productivity & communication: Google Workspace, Slack, Notion, Linear, Calendly.
• Analytics & product: Google Analytics 4, Plausible, PostHog (with IP anonymisation).
• Email & CRM: HubSpot, Resend, Postmark.
• Payments & accounting: Stripe, our certified Polish accounting office, banks.
• Legal & advisors: lawyers, auditors, tax advisors bound by professional secrecy.
• Public authorities: when legally required (e.g. tax office, court order).

Where a recipient is located outside the European Economic Area, transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary technical measures, and where applicable an adequacy decision.

You have the right to:

• Access your data (Art. 15) and receive a copy.
• Rectify inaccurate or incomplete data (Art. 16).
• Erasure / be forgotten (Art. 17), where applicable.
• Restrict processing (Art. 18).
• Data portability (Art. 20), receive your data in a structured, machine-readable format.
• Object to processing based on legitimate interest, including profiling and direct marketing (Art. 21).
• Withdraw consent at any time without affecting prior lawful processing (Art. 7(3)).
• Lodge a complaint with the Polish Data Protection Authority, Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, www.uodo.gov.pl.

To exercise any right, write to Info@travomate.com.pl. We respond within one month (Art. 12(3) GDPR).

We implement appropriate technical and organisational measures (Art. 32 GDPR) including encryption in transit (TLS 1.2+) and at rest, role-based access controls, hardened cloud configuration, background checks on staff, signed Data Processing Agreements with all sub-processors, regular penetration tests, and an incident response procedure aligned with the 72-hour breach notification requirement (Art. 33).

Some of our processors are based in the United States or the United Kingdom. Where the European Commission has issued an adequacy decision (e.g. UK, EU-US Data Privacy Framework), transfers rely on that decision. In all other cases, transfers are governed by the 2021 EU Standard Contractual Clauses with supplementary measures (encryption, pseudonymisation, transfer impact assessments).

Our use of cookies is described in our Cookie Policy. Non-essential cookies are loaded only after you provide consent through the cookie banner, in line with Article 173 of the Polish Telecommunications Law (Prawo telekomunicacyjne) and the EU ePrivacy Directive 2002/58/EC.

We may update this Privacy Policy to reflect changes in law or our practices. The effective date at the top of this page indicates when it was last revised. Material changes will be communicated by email or prominent website notice.