1.1 Purpose of this Policy

This Privacy Policy explains how GeekCloud Sp. z o.o. ("we," "us," "our") collects, uses, stores, and protects personal data when you use Vort Cloud services in accordance with the General Data Protection Regulation (GDPR) and Polish data protection laws.

1.2 Data Controller

GeekCloud Sp. z o.o. acts as the data controller for personal data processed in connection with Vort Cloud services. For questions regarding data processing, contact us at gdpr@geekcloud.pl

1.3 Scope

This policy applies to personal data collected through our website, API, customer console, support channels, and all Vort Cloud services.

2.1 Account Registration Data

• Full name and contact information (email address, phone number)
• Company name and VAT number (for business accounts)
• Billing address and payment information
• Account credentials (encrypted passwords, API keys)

2.2 Service Usage Data

• Resource utilization metrics (CPU, memory, bandwidth, storage)
• API access logs and console activity
• Network traffic metadata (IP addresses, connection logs)
• Service configuration and deployment information

2.3 Technical and Security Data

• Device information and browser characteristics
• Security logs and access patterns
• SSH keys and security certificates
• Geolocation data based on IP address

2.4 Communication Data

• Support ticket content and correspondence
• Email communications and preferences
• Marketing communication consent records

2.5 Identity Verification Data

When required for enhanced security or compliance purposes, we may collect:

• Government-issued identification documents (ID card, passport, driver's license)
• Selfie photographs for identity verification
• Additional verification documents as required by law

3.1 Contract Performance (Article 6(1)(b) GDPR)

Processing necessary for service provision, account management, billing, and technical support.

3.2 Legal Obligation (Article 6(1)(c) GDPR)

Processing required for VAT compliance, anti-money laundering regulations, and law enforcement cooperation.

3.3 Legitimate Interest (Article 6(1)(f) GDPR)

Network security monitoring, fraud prevention, service optimization, and direct marketing to existing customers.

3.4 Consent (Article 6(1)(a) GDPR)

Optional marketing communications, cookies for analytics, and identity verification when not legally required.

4.1 When Verification is Required

We may request identity verification in the following circumstances:

• High-value service subscriptions or unusual payment patterns
• Suspected fraudulent activity or security concerns
• Compliance with anti-money laundering (AML) regulations
• Access to specialized services requiring enhanced security
• Legal or regulatory requirements

4.2 Verification Process

Identity verification is conducted through Stripe Identity, which processes:

• Government-issued photo identification (front and back)
• Real-time selfie photograph for biometric comparison
• Document authenticity and tampering detection
• Facial recognition matching between ID and selfie

4.3 Data Storage and Security

Verification data is stored securely and:

• Encrypted in transit and at rest using industry-standard protocols
• Stored only for verification purposes and compliance requirements
• Accessed only by authorized personnel for verification or support
• Retained according to legal requirements (typically 5 years for AML compliance)
• Shared with Stripe Identity service under our Data Processing Agreement

4.4 Verification Results

We store only the verification outcome (verified/not verified) and required compliance data. Original images may be retained for the minimum period required by applicable laws.

5.1 Payment Processing

Stripe processes payment data and identity verification under our Data Processing Agreement. Data is transferred to the US with appropriate safeguards (Standard Contractual Clauses).

5.2 Infrastructure Providers

EU-based data center providers process technical data necessary for service delivery under strict data processing agreements.

5.3 Legal Disclosure

We may disclose personal data to law enforcement or regulatory authorities when required by Polish or EU law, court orders, or European Investigation Orders.

5.4 No Commercial Sharing

We do not sell, rent, or commercially share personal data with third parties for marketing purposes.

6.1 Account Data

Retained for the duration of the customer relationship plus 30 days for data recovery, then permanently deleted unless legal retention requirements apply.

6.2 Billing and Tax Records

Retained for 5 years as required by Polish accounting and tax laws.

6.3 Identity Verification Data

Retained for 5 years from verification date as required by anti-money laundering regulations, then securely deleted.

6.4 Technical Logs

Security and access logs retained for 12 months for security monitoring and troubleshooting purposes.

6.5 Marketing Data

Retained until consent is withdrawn or for 3 years from last engagement, whichever is sooner.

7.1 Right of Access (Article 15)

Request confirmation of data processing and obtain copies of your personal data.

7.2 Right to Rectification (Article 16)

Correct inaccurate personal data and complete incomplete data.

7.3 Right to Erasure (Article 17)

Request deletion of personal data where legally permissible (subject to legal retention requirements).

7.4 Right to Restrict Processing (Article 18)

Limit processing in specific circumstances while maintaining data storage.

7.5 Right to Data Portability (Article 20)

Receive personal data in a machine-readable format for transfer to another provider.

7.6 Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing purposes.

7.7 Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal effects.

7.8 Exercising Your Rights

Contact gdpr@geekcloud.pl to exercise any of these rights. We will respond within 30 days and may request verification of identity before processing requests.

8.1 EU Data Processing

Primary data processing occurs within the European Union to minimize international transfers.

8.2 Third Country Transfers

When transfers to third countries are necessary (e.g., Stripe services), we ensure adequate protection through:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions where applicable
• Additional technical and organizational safeguards

9.1 Technical Safeguards

• End-to-end encryption for data in transit (TLS 1.3)
• AES-256 encryption for data at rest
• Multi-factor authentication for administrative access
• Regular security audits and penetration testing
• Network segmentation and intrusion detection

9.2 Organizational Measures

• Role-based access controls with need-to-know principles
• Regular security training for all personnel
• Incident response procedures and breach notification protocols
• Data processing agreements with all third-party processors

9.3 Breach Notification

We will notify the appropriate supervisory authority within 72 hours of becoming aware of a personal data breach and inform affected data subjects when required by law.

10.1 Essential Cookies

Necessary for website functionality, user authentication, and security. These cookies do not require consent.

10.2 Analytics Cookies

Used to understand website usage patterns and improve user experience. These require your consent and can be disabled through cookie preferences.

10.3 Marketing Cookies

Used for targeted advertising and measuring campaign effectiveness. These require explicit consent and can be withdrawn at any time.

11.1 Data Protection Contact

For privacy-related questions or to exercise your rights:

• Email: gdpr@geekcloud.pl
• Post: GeekCloud Sp. z o.o., Melchiora Wańkowicza 2/1, 40-384, Katowice, Poland
• Subject line: "GDPR Data Subject Request"

11.2 Supervisory Authority

You have the right to lodge a complaint with the Polish data protection authority:

• Urząd Ochrony Danych Osobowych (UODO)
• ul. Stawki 2, 00-193 Warsaw, Poland
• Website: https://uodo.gov.pl