Skip to main content

Legal

Privacy & cookies

This notice describes how we handle personal data on this public website (informational pages, contact form UI, and technical delivery). The controller is established in Poland; EU GDPR and Polish law apply. This page is not a substitute for merchant agreements, payment processing disclosures, or counsel-approved policies for regulated services—align imprint and operational details with your final corporate setup.

Who is responsible?

The controller for this website (within the meaning of the GDPR) is the Polish legal entity named in our imprint, with contact details on that page and on our contact page. For privacy-specific enquiries, use those channels or a dedicated privacy inbox once published.

Scope: website vs payment services

When you use BergoPay payment or onboarding services as a merchant or partner, additional processing applies (contracts, KYC, transaction data, fraud prevention, scheme rules). That processing is governed by separate agreements and notices. This page focuses on visitors browsing this public marketing website only.

We only process personal data when a legal basis under the GDPR applies. For this website, the following are the ones you are most likely to encounter—described in everyday language, not as a substitute for legal advice.

  • Consent (Art. 6(1)(a) GDPR). Where we ask for optional tools—such as analytics, non-essential cookies, or third-party embeds (e.g. video or maps) that require consent under applicable law—you decide whether to agree. You can withdraw consent at any time (for example by clearing site data or using controls we provide). Withdrawing consent does not affect processing that was lawful before withdrawal.
  • Pre-contractual steps and contracts (Art. 6(1)(b) GDPR). When you contact us about our services, we process what you send us to respond, prepare an offer, or take steps before a contract. If a contract is concluded, related processing may continue on the same or other bases set out in that agreement.
  • Legitimate interests (Art. 6(1)(f) GDPR). We rely on this where necessary for running a secure, stable website: for example hosting and delivery, IT security, abuse prevention, and limited server logging. We balance our interests against your rights and use measures to minimise data use where we can.

Services and tools on this website

Below is a concise overview of what we use today, what data is typically involved, and the legal angle in plain terms (not legal advice). Your counsel should still validate bases, retention, and transfer mechanisms for your specific stack and Polish law practice.

Service / tool Purpose Typical data & GDPR framing (overview)
Web hosting & infrastructure Delivering the site over HTTPS, security, and stability. Hosting providers process data on our instructions as processors (see Processors below). Server and edge environments generate log files—see the dedicated section on server logs. Typical bases: legitimate interests (Art. 6(1)(f)) for security and abuse prevention, and where applicable contract (Art. 6(1)(b)) for providing the service. Default log retention is described under Retention (typically up to 14 days unless a longer period is justified for security).
Google Fonts (Google Ireland / Google LLC) Loading web fonts for typography (loaded from Google servers when the page is opened). Your browser may transmit your IP address to Google when font files are requested. This can involve a transfer outside the EU/EEA (including the United States); we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and supplementary measures where required. Depending on setup and guidance, processing may be based on legitimate interests or consent. Self-hosting fonts avoids this external call if you want fewer third-party requests.
Cookie consent storage (browser localStorage) Remembering whether you chose “Essential only” or “Accept all” so the cookie banner does not reappear every visit. Stores a small string under the key bergopay_cookie_consent. This supports our consent / preference workflow for future optional tools. Clearing site data removes it and the banner will show again.
Contact form (this site) Handling sales and general enquiries about BergoPay. The purpose is to read and respond to your message, prepare information or offers, and follow up where appropriate. Legal bases are typically pre-contractual measures (Art. 6(1)(b)) when you ask about services, and legitimate interests (Art. 6(1)(f)) in managing routine business correspondence. Providing at least a workable email address and your message is necessary to process the request; other fields support context but may be optional depending on form design. In the current static demo, submissions are not transmitted to our systems—once connected, data will be processed as described here and in any CRM or mail integration we use.
Google Analytics (planned) Understanding traffic, funnels, and content performance. Not active yet. When enabled, GA typically uses cookies or similar technology and processes pseudonymous usage data. In the EU/EEA context this is usually done only after consent (Art. 6(1)(a))—for example after “Accept all” or a dedicated analytics opt-in. Data may be processed in the United States and other third countries; we use mechanisms such as SCCs and supplementary measures as required. Update this policy and your consent records before turning it on.
YouTube embeds (planned) Product, company, or explainer video in an embedded player (e.g. on marketing or help-style pages). Not active on this website today. If we add embedded YouTube videos or a YouTube player in the future, loading or playing the embed may cause personal data (such as IP address, device and browser information, and usage-related signals) to be transmitted to YouTube / Google. We would aim to use privacy-enhanced embedding or comparable measures where appropriate. Depending on the final implementation and applicable law, the player should only load after an appropriate consent signal where required. Data may be transferred outside the EU/EEA, including to the USA; we would rely on safeguards such as SCCs and supplementary measures as applicable. This policy and consent flows will be updated before any such embed goes live.
Google Maps / embedded map (planned) Showing company location or directions on the website. Not active on this website today. If we add an embedded Google Map in the future, loading the map may transmit personal data such as IP address, device and browser information, and technical request data to Google. Depending on the final setup and applicable law, the map should only load after an appropriate consent signal where required. Data may be transferred outside the EU/EEA, including to the USA; we would use mechanisms such as SCCs and supplementary measures as required. This policy and consent handling will be updated before activation.
Further cookies & tags (planned) e.g. preference cookies, remarketing, embedded media, or A/B testing. Not in use yet. Each tool should be listed here with purpose, duration, and provider before launch—including any future YouTube or Maps integrations if they set additional cookies or tags. Non-essential cookies and similar technologies should remain blocked until the user has consented in line with your banner configuration.

Server log files

When you use this website, the servers and edge infrastructure that deliver it automatically collect information in server log files. That typically includes:

  • the IP address of the requesting device,
  • date and time of the request,
  • the requested page or resource (URL),
  • HTTP status and transferred data volume where logged,
  • browser, operating system, and device type as communicated via user-agent strings (where applicable).

We use this information to ensure security, stability, and abuse prevention (for example investigating attacks or misconfiguration), and to keep hosting operations reliable. The legal basis is generally legitimate interests (Art. 6(1)(f) GDPR), balanced against your rights. Log data is not used for marketing profiling on this marketing site. Retention is described under Retention.

Cookies & the consent banner

Today this site does not actively use analytics or marketing cookies, Google Analytics, embedded YouTube players, or embedded Google Maps. We show a cookie banner so you can choose “Essential only” or “Accept all”. Your choice is stored locally and will guide how we load optional tools when we introduce them.

If we add measurement, third-party embedded content (such as video or maps), or similar services later, we will update this privacy policy and consent handling before activation. Optional third-party content and measurement tools should remain blocked until you have given the required consent where applicable law demands it—we will only load those resources after an appropriate signal (for example via “Accept all” or more granular controls if we add them).

  • Essential only: no optional analytics, marketing scripts, or third-party embeds that require consent (now or when added, unless you change preference).
  • Accept all: consent to optional measurement and similar third-party experiences we configure in the future, always subject to an updated policy and technical setup that matches what we actually deploy.

You can withdraw or change your choice by clearing site data for this domain or when we add a “Cookie settings” control. For the legal relationship between this notice and the banner, also read our terms once they cover the live service.

Planned embedded content (not currently active)

The following features are not live on this website at present. They are described so you know what we may add later, in the same transparent way as Google Analytics (planned) in the table above. We will update this page and consent mechanics before switching anything on.

YouTube embeds (planned)

We may embed YouTube videos in the future—for example product walkthroughs, company stories, or explainers. None of our pages load a YouTube player today. When an embed is used, opening or playing it can cause personal data (including IP address, device and browser data, and usage-related information) to be processed by YouTube / Google. Where technically sensible, we would favour privacy-enhanced embedding or similar approaches. Under the final setup and applicable law, the player should only initialise after an appropriate consent signal when consent is required. Processing may involve transfers outside the EU/EEA, including the United States; we would rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and supplementary measures where needed.

Google Maps / embedded map (planned)

We may add an embedded Google Map in the future—for example to show our office location or simplify directions. No Google Map is embedded on this site today. Loading such a map typically sends personal data (such as IP address, device and browser information, and technical request metadata) to Google. Depending on configuration and law, the map should only load after an appropriate consent signal where required. Data may be transferred outside the EU/EEA, including the USA; we would use safeguards such as SCCs and supplementary measures as applicable.

Transfers outside the EU/EEA

Some tools we use are operated by companies that process data in third countries, meaning countries outside the European Union or the European Economic Area. A common example is the United States, where providers such as Google may maintain infrastructure—for example in connection with Google Fonts, or in the future Google Analytics, YouTube embeds, or Google Maps embeds if we enable them as described in this policy.

Where such a transfer does not benefit from an adequacy decision by the European Commission, we implement appropriate safeguards as required under Chapter V GDPR—typically the Standard Contractual Clauses (SCCs) approved by the Commission, together with supplementary technical and organisational measures where an assessment shows they are needed. You can request more information about these mechanisms via the contact details in our imprint or contact section, subject to business confidentiality.

Processors (Article 28 GDPR)

We work with carefully selected third-party service providers who process personal data on our behalf—for example hosting providers, infrastructure and security services (such as content delivery or protection against abuse, e.g. where Cloudflare or similar services are used), and, when activated, analytics, communication tools, or embedded content (such as video or maps) that we choose to enable. In GDPR terms, they act as processors where that role applies; we remain responsible for the processing as controller (unless a different role is expressly agreed in a specific context).

We conclude data processing agreements (DPAs) or equivalent contractual terms with processors where required, reflecting Article 28 GDPR: instructions in writing or documented form, confidentiality, security measures, subprocessors where permitted, assistance with data subject rights, deletion or return of data after the end of services, and audit cooperation as appropriate. An up-to-date list of main processors can be provided on request where we are not restricted from disclosure.

Data security

We take the protection of personal data seriously. We implement appropriate technical and organisational measures to safeguard information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access—including measures suited to a fintech-oriented risk profile for this website.

Examples include encryption in transit (HTTPS), access control and authentication for systems that hold data, separation of environments where proportionate, monitoring and logging for security incidents, and vendor due diligence. No online transmission is completely risk-free; we continually review our setup as threats and products evolve.

Your rights (GDPR overview)

Where the GDPR applies, you may have rights including access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interests. You may also withdraw consent where processing is consent-based, without affecting the lawfulness of processing before withdrawal. To exercise these rights in connection with this website, contact us using the details in our imprint or contact page. For payment or merchant services, use the channels set out in your agreement with us.

Right to lodge a complaint (Poland)

If you believe our processing infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. For processing by our Polish entity, the lead supervisory authority is:

President of the Personal Data Protection Office (UODO)
ul. Stawki 2
00-193 Warsaw, Poland
https://uodo.gov.pl/

You may also have the right to contact another EU/EEA supervisory authority, for example in your country of residence, under applicable law.

Retention

We keep personal data only as long as needed for the purposes described. For this website, our default reference periods (which may be adjusted for legal claims or security incidents) are:

  • Server and access logs: typically up to 14 days, unless a longer period is temporarily required for security, abuse investigation, or legal obligations—after which logs are deleted or anonymised where feasible.
  • Contact form and enquiry data: typically up to 12 months after the last message in a thread, unless a business relationship or contract results and retention is governed by that relationship, or law requires longer storage (for example tax or commercial records).
  • Cookie consent choice in localStorage: stored until you clear site data for this domain or we change how preferences are stored and ask you to decide again.
  • Google Analytics (when enabled): retention will follow the settings we configure in the tool (for example event retention in GA4) and will be listed in an updated version of this policy before or at activation.

Updates to this notice

We may update this privacy policy from time to time—for example when we add tools (such as Google Analytics, YouTube embeds, or Google Maps), change processors, or when law or regulators expect clearer wording. The current version is always available on this page; the date of the latest meaningful revision may be shown in the imprint or here when you maintain a “last updated” field operationally.

For material changes—especially those affecting consent, new tracking, or third-party embeds—we will use reasonable means to draw attention to them (for example a notice on the site or, where we have your email and the change is relevant, an email). We will adjust this page before activating Google Analytics, YouTube or Maps embeds, or other non-essential cookies and similar technologies. Keep your imprint and contact details accurate. This text remains informational; qualified legal counsel should review it for your production environment.