Privacy Policy.

1. Data Controller

The data controller responsible for your personal data is:

Cortallis Sp. z o.o.
Email: hello@crtagency.pl

We process personal data in a lawful, fair, and transparent manner and are accountable for compliance with applicable data protection laws.

2. Scope of Application

This Privacy Policy applies to:

• Visitors of the CRT Agency website
• Individuals submitting inquiries, messages, or project briefs
• Potential and existing clients of our services

It governs the collection, use, and storage of personal data obtained through all channels operated by CRT Agency.

3. Types of Personal Data Collected

We may collect and process the following categories of personal data:

a) Identification data:

• Name
• Company name

b) Contact data:

• Email address
• Phone number (optional)

c) Business-related data:

• Information submitted via forms or project briefs
• Project requirements, specifications, and supporting materials

d) Technical data (if applicable in the future):

• IP address
• Browser type and version
• Device information
• Cookies and analytics data

Sensitive data (e.g., health, political opinions, religion) are not collected intentionally.

4. Methods of Data Collection

Personal data are collected through:

• Forms on our website, including project briefs
• Direct communication via email
• Messaging platforms (e.g., Telegram, if implemented in the future)
• Future analytics or tracking tools (if introduced)

5. Purposes of Processing

We process personal data for the following purposes:

• Responding to inquiries and communication
• Preparing offers, quotes, and project proposals
• Delivering digital services and products
• Managing client relationships
• Improving our services, internal processes, and operations
• Ensuring security and preventing unauthorized access or fraud
• Marketing and business development (where applicable and permitted by law)

6. Legal Basis for Processing

Our processing of personal data is based on one or more of the following legal grounds under Article 6 GDPR:

• 6(1)(a) – Consent: for marketing communications or optional services
• 6(1)(b) – Performance of a contract: to provide the services requested
• 6(1)(c) – Legal obligation: where required by applicable law
• 6(1)(f) – Legitimate interest: for communication, business development, service improvement, and fraud prevention

7. Data Retention

We retain personal data:

• For the duration of ongoing communication or project cooperation
• Up to 12 months following the last interaction

Data may be retained longer if:

• Required by law
• Necessary to establish, exercise, or defend legal claims
• Justified by legitimate business interests

8. Data Sharing and Third Parties

We do not sell or rent personal data.

We may share personal data with:

• Hosting providers (e.g., Vercel)
• Database providers (e.g., Supabase)
• Email service providers
• IT infrastructure providers

All third-party providers are contractually bound to comply with GDPR and to implement appropriate technical and organizational safeguards.

9. International Data Transfers

If personal data are transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Use of providers compliant with EU data protection standards

10. Data Security

We implement technical and organizational measures to protect personal data, including:

• Restricted access to data
• Secure internal CRM system developed in-house
• Protection against unauthorized access, loss, or modification
• Regular monitoring and auditing of systems

However, no system can guarantee absolute security; therefore, we cannot guarantee complete protection against all risks.

11. Your Rights

Under GDPR, you have the following rights:

• Access your personal data
• Request rectification of inaccurate or incomplete data
• Request erasure of personal data (“right to be forgotten”)
• Request restriction of processing
• Object to processing
• Request data portability
• Withdraw consent at any time

You also have the right to lodge a complaint with the Supervisory Authority in Poland.

To exercise your rights, please contact: hello@crtagency.pl

12. Cookies and Tracking Technologies

We may use cookies and similar technologies in the future for:

• Website functionality
• Performance monitoring and analytics
• Service optimization

A dedicated Cookie Policy or banner will be provided when such technologies are implemented.

13. Marketing Communication

We may contact you with information about our services based on:

• Your explicit consent
• Our legitimate interest, where permitted by law

You may opt out of marketing communications at any time by contacting us or using provided unsubscribe mechanisms.

14. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for their privacy practices or content. Users are encouraged to review the privacy policies of any external websites.

15. Automated Decision-Making

CRT Agency does not use automated decision-making or profiling that produces legal effects or significantly affects users.

16. Changes to This Privacy Policy

We may update this Privacy Policy at any time. The revised version will be published on our website with the updated date.

We encourage users to periodically review this policy.

17. Contact

For any questions or concerns regarding this Privacy Policy or your personal data, please contact: hello@crtagency.pl