§ 1. Data Controller

The Controller has not appointed a Data Protection Officer. For all matters regarding personal data processing, please contact the Controller directly at the above email address or by post to the firm's registered address.

§ 2. Scope and Purposes of Processing

2.1. Contact Form

Data scope: name, email address, company name (optional), message content.

• Purpose: responding to inquiries, preparing preliminary service offers
• Legal basis: Art. 6(1)(b) GDPR — steps taken prior to entering into a contract; Art. 6(1)(f) GDPR — legitimate interest in handling correspondence
• Retention period: until correspondence is concluded, then 3 years from last contact (limitation period)

2.2. Legal Services

Data scope: identification data, contact details, company data, case-related data.

• Purpose: performance of a legal services agreement
• Legal basis: Art. 6(1)(b) GDPR — contract performance; Art. 6(1)(c) GDPR — legal obligations (tax and accounting regulations)
• Retention period: duration of the agreement, then as required by file archiving regulations (10 years) and tax regulations (5 years)

2.3. Cookies and Analytics

Data scope: IP address, device identifiers, session data, pages viewed.

• Purpose: ensuring website functionality (technical cookies), traffic analysis and optimization (analytical cookies)
• Legal basis: Art. 6(1)(f) GDPR — legitimate interest (essential cookies); Art. 6(1)(a) GDPR — consent (analytical cookies)
• Retention period: as per individual cookie settings (details in § 6)

§ 3. Data Recipients

Personal data may be shared with the following categories of recipients:

• Formspree, Inc. (San Francisco, USA) — contact form processing; data transferred based on Standard Contractual Clauses (SCCs)
• Hosting provider — to the extent necessary for website maintenance
• Google LLC — if Google Analytics is implemented (only with user consent); transfer based on EU-US Data Privacy Framework
• Accounting firm — to the extent necessary for bookkeeping and tax settlements
• Public authorities — where disclosure is required by mandatory law

The Controller does not sell personal data or share it with third parties for marketing purposes.

§ 4. Third-Country Transfers

Due to the use of Formspree, contact form data may be transferred to the United States. The transfer is based on Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision 2021/914. The Controller has conducted a Transfer Impact Assessment (TIA) and implemented supplementary measures, including TLS encryption and data minimization.

§ 5. Data Subject Rights

Under the GDPR, you have the following rights:

• Right of access (Art. 15 GDPR) — obtain information about processed data and a copy thereof
• Right to rectification (Art. 16 GDPR) — request correction of inaccurate or incomplete data
• Right to erasure (Art. 17 GDPR) — request deletion when processing is no longer necessary
• Right to restriction (Art. 18 GDPR) — request suspension of data operations
• Right to portability (Art. 20 GDPR) — receive data in a machine-readable format
• Right to object (Art. 21 GDPR) — object to processing based on legitimate interest
• Right to withdraw consent — at any time, without affecting the lawfulness of prior processing

To exercise these rights, please contact: pk@harbor.legal. The Controller will respond without undue delay, within 30 days of receiving the request.

You also have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl).

§ 6. Cookies

6.1. Essential (Technical) Cookies

Required for proper website operation. No user consent needed.

• harbor_cookies — remembers cookie notice acceptance; expires: 1 year

6.2. Analytical Cookies

Installed only after user consent. Used to analyze website usage for optimization purposes.

6.3. Managing Cookies

You can change cookie settings in your browser at any time, including blocking or deleting cookies. Blocking essential cookies may affect website functionality.

§ 7. Data Security

The Controller implements appropriate technical and organizational measures, including TLS encryption, access controls, regular security reviews, data minimization, and attorney-client privilege for data obtained in the course of legal services.

§ 8. Voluntary Provision of Data

Providing personal data is voluntary but necessary to use the contact form or conclude a legal services agreement.

§ 9. Automated Decision-Making

The Controller does not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR.

§ 10. Changes to This Policy

The Controller reserves the right to update this privacy policy. Users will be informed of material changes via a notice on the website. The current version is always available at www.harbor.legal/privacy-policy.