Privacy Policy

Last updated: 2026-04-14

1. Data Controller

The controller of your personal data is ESKOM AI Sp. z o.o. with its registered office in Warsaw, ul. Zimna 2/24, 00-138 Warsaw, Poland, entered in the National Court Register (KRS) under number 0001163211, Tax ID (NIP): 5253040096, REGON: 541241644. Contact the controller: contact@eskom.ai.

2. Data Protection Contact

For matters relating to the protection of personal data, you can contact the person responsible for data protection:

Email: iod@eskom.ai
Address: ESKOM AI Sp. z o.o., ul. Zimna 2/24, 00-138 Warsaw, Poland

3. Purposes and Legal Bases for Processing

We process your personal data for the following purposes:

  • 1.
    Responding to inquiries submitted via the contact form — based on the legitimate interest of the controller (Art. 6(1)(f) GDPR).
  • 2.
    Performance of a service agreement or taking steps prior to entering into a contract — based on Art. 6(1)(b) GDPR.
  • 3.
    Compliance with legal obligations, in particular tax and accounting obligations — based on Art. 6(1)(c) GDPR.
  • 4.
    Direct marketing of our own products and services — based on the legitimate interest of the controller (Art. 6(1)(f) GDPR).
  • 5.
    Establishing, pursuing, or defending against claims — based on the legitimate interest of the controller (Art. 6(1)(f) GDPR).
  • 6.
    Provision of AI services (data processing by artificial intelligence models) — based on contract performance (Art. 6(1)(b) GDPR) or consent (Art. 6(1)(a) GDPR).
  • 7.
    Website traffic analysis and functionality improvement — based on consent (Art. 6(1)(a) GDPR) expressed by accepting analytics cookies.

4. Categories of Data

We process the following categories of data:

  • 1.
    Identification data: first name, last name, company name
  • 2.
    Contact data: email address, phone number, correspondence address
  • 3.
    Technical data: IP address, device identifier, browser data
  • 4.
    Form data: inquiry content, preferences
  • 5.
    Transaction data: order history, payment data (processed by Stripe)
  • 6.
    Cookie data: session identifiers, preferences, analytics data (Google Analytics)
  • 7.
    Data processed by AI: content of prompts and queries directed to our AI products (may contain personal data entered by the user)

5. Data Recipients — Providers and Sub-processors

Your personal data may be disclosed to the following categories of recipients:

  • 1.
    Infrastructure and hosting providers:
    • 1.1. Hetzner Online GmbH (Germany, EU) — server hosting
    • 1.2. Verda Cloud OY (Finland, EU) — GPU infrastructure
  • 2.
    AI service providers (prompt processing):
    • 2.1. Anthropic PBC (USA) — Claude API — zero-retention policy (data is not stored after processing)
    • 2.2. OpenAI Inc. (USA) — GPT API — zero-retention policy
    • 2.3. DeepL SE (Germany, EU) — NLP translations
  • 3.
    Business service providers:
    • 3.1. Microsoft Corporation (USA/EU) — email, authentication (Microsoft 365, EU Data Boundary)
    • 3.2. Google LLC (USA) — Gmail, Drive, Calendar (Google Workspace)
    • 3.3. Atlassian Pty Ltd (Australia) — project management (Jira)
    • 3.4. GitHub Inc. (USA) — code repository, CI/CD
  • 4.
    Payment service providers:
    • 4.1. Stripe, Inc. (USA/Ireland) — online payment processing (PCI DSS Level 1)
    • 4.2. Revolut Ltd (UK/Lithuania) — financial services
  • 5.
    Network service providers:
    • 5.1. Tailscale Inc. (USA/Canada) — VPN (connection metadata only)
  • 6.
    Analytics tool providers:
    • 6.1. Google LLC — Google Analytics 4 (with user consent)
    • 6.2. Microsoft Corporation — Microsoft Clarity (with user consent)
  • 7.
    Other categories:
    • 7.1. Law firms and advisors — to the extent necessary
    • 7.2. Public authorities — under applicable law

6. Transfers of Data to Third Countries

Some of our providers are based outside the European Economic Area (EEA). Data transfers to third countries are carried out on the basis of:

  • 1.
    Adequacy decisions:
    • 1.1. USA — EU-US Data Privacy Framework (European Commission decision of 10 July 2023) — applies to: Microsoft, Google, GitHub, Anthropic, OpenAI, Stripe, Tailscale
    • 1.2. United Kingdom — adequacy decision (28 June 2021, extended) — applies to: Revolut
  • 2.
    Standard Contractual Clauses (SCCs):
    • 2.1. European Commission, Decision 2021/914 — applied as additional safeguard with providers: Google, Stripe, Atlassian, Tailscale, Anthropic, OpenAI
  • 3.
    Data processed exclusively within the EEA:
    • 3.1. Hetzner (Germany), Verda Cloud (Finland), DeepL (Germany)

Details of the transfer mechanisms for each provider are available upon request at iod@eskom.ai.

7. Data Retention Periods

  • 1.
    Contact form data: up to 12 months from last contact
  • 2.
    Client data (contracts): for the duration of the contract + 5 years after the end of the year in which the contract expired (tax obligation)
  • 3.
    Employee data: 10 years (tax and social security obligations)
  • 4.
    Marketing data: until an objection is raised
  • 5.
    Analytics data (cookies): up to 14 months (Google Analytics) or until consent is withdrawn
  • 6.
    AI system data: in accordance with provider zero-retention policies (Anthropic, OpenAI — no storage after processing)
  • 7.
    Payment data: in accordance with PCI DSS requirements and tax regulations (5 years)
  • 8.
    System logs: 365 days
  • 9.
    Billing data: 5 years (tax obligation)

8. Data Subject Rights

You have the following rights:

  • 1.
    Right of access (Art. 15 GDPR) — you may obtain information as to whether we process your data, and receive a copy of that data.
  • 2.
    Right to rectification (Art. 16 GDPR) — you may request correction of inaccurate data.
  • 3.
    Right to erasure (Art. 17 GDPR, "right to be forgotten") — you may request deletion of data when there is no basis for further processing.
  • 4.
    Right to restriction of processing (Art. 18 GDPR) — you may request restriction of processing in certain circumstances.
  • 5.
    Right to data portability (Art. 20 GDPR) — you may receive your data in a structured format.
  • 6.
    Right to object (Art. 21 GDPR) — you may object to processing based on legitimate interest, including direct marketing.
  • 7.
    Right to withdraw consent — at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise the above rights, please contact: iod@eskom.ai. We respond within 30 days of receiving the request.

9. Automated Decision-Making

Our AI products may assist in decision-making; however:

  • 1.
    No ESKOM.AI product makes fully automated decisions that produce legal effects concerning natural persons (Art. 22 GDPR).
  • 2.
    AI models are a supporting tool — the final decision rests with a human.
  • 3.
    Users have the right to human intervention, to express their point of view, and to contest decisions assisted by AI.

10. Supervisory Authority

You have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl).

11. Cookies

Our website uses cookies. Detailed information can be found in the Cookie Policy.

12. Voluntariness of Data Provision

Providing personal data is voluntary but necessary for the stated purposes. Failure to provide data will prevent us from responding to your inquiry, entering into a contract, or providing certain functionalities.

13. Changes to the Privacy Policy

We reserve the right to update this policy. We will inform you of significant changes by posting a notice on the website. The date of the last update is always displayed at the beginning of the document.