Privacy Policy

The data controller for your personal data is BuildFlow Angelika Kotarba, ul. 1 Maja 13/1, 78-100 Kolobrzeg, Poland, NIP: 6711821792, REGON: 364919712, operating under the trade name Whispr at whispr.marketing (referred to below as “we”, “us”, or “Whispr”).

We have not appointed a Data Protection Officer (no statutory obligation under Art. 37 GDPR applies to our scale of processing). For all data-protection enquiries, contact us at: hello@whispr.marketing.

whispr.marketing is a software-house marketing website. We process the following categories of data:

2.1 Contact form

When you complete the contact form on the site or book a call through Calendly, we collect: your name, email address, company name (optional), and the content of your message. This data is used solely to respond to your enquiry and potentially establish a working relationship.

2.2 Analytics data

We use Google Analytics 4 with Consent Mode v2 active. With your consent, we collect anonymised data about how you use the site (pages visited, time on page, country, device type, traffic source). IP addresses are masked. We do not collect data that identifies you personally through analytics.

2.3 Calendly booking data

If you book a call through Calendly, that platform processes your name, email address, and chosen meeting slot in accordance with the Calendly Privacy Policy. Whispr receives an email notification containing the booking details.

2.4 Technical data (server logs)

Our hosting infrastructure (Vercel) may automatically log IP addresses, HTTP headers, and API call data for security and diagnostic purposes. Logs are retained by Vercel in accordance with their policy.

• Performance of a contract or pre-contractual steps (Art. 6(1)(b) GDPR) - responding to enquiries and engaging in project work.
• Legitimate interests of the controller (Art. 6(1)(f) GDPR) - website security, fraud prevention, direct marketing of our own services to people who have voluntarily contacted us.
• Your consent (Art. 6(1)(a) GDPR) - Google Analytics 4 measurement (Consent Mode v2); you may withdraw consent at any time via the cookie banner or by contacting us.
• Legal obligation (Art. 6(1)(c) GDPR) - retention of accounting records and correspondence for the periods required by law.

We use the following service providers:

All processors located outside the European Economic Area process data under Standard Contractual Clauses (SCCs) approved by the European Commission, or another appropriate transfer mechanism providing an adequate level of protection under GDPR.

We use the following categories of cookies:

• Strictly necessary - required for the site to function (technical, session). These cannot be opted out of.
• Analytics - Google Analytics 4 with Consent Mode v2. Activated only with your consent via the cookie banner. You may withdraw consent at any time.

We do not use third-party marketing cookies or retargeting pixels.

• Contact-form correspondence - for as long as necessary to handle the enquiry and any resulting engagement, then until the limitation period for claims expires (maximum 3 years from the last contact, or longer where required by law).
• Contractual and accounting records - for the period required by Polish accounting and tax law (generally 5 years from the end of the financial year in which the tax obligation arose).
• Google Analytics data - in accordance with the data-retention settings in GA4 (14 months from the event by default).
• Server logs (Vercel) - in accordance with Vercel's log-retention policy.

Under Arts. 15-22 GDPR you have the following rights:

• Right of access - request information about what personal data we hold about you.
• Right to rectification - request correction of inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”) - request deletion of your data, subject to legal retention obligations.
• Right to restriction of processing - request that we limit how we use your data.
• Right to data portability - receive your data in a structured, commonly used, machine-readable format.
• Right to object - object to processing based on our legitimate interests.
• Right to withdraw consent - at any time, without affecting the lawfulness of processing carried out before withdrawal.

Please send requests to hello@whispr.marketing. We will respond without undue delay and no later than 30 days from receipt of the request (extendable by a further 2 months in complex cases).

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with a data-protection supervisory authority. The authority for our data controller is the President of the Polish Personal Data Protection Office (PUODO / UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl. EU residents may also contact the supervisory authority in their country of residence.

We implement appropriate technical and organisational measures to protect your data: TLS/HTTPS encryption for all connections, least-privilege access controls, and regular security reviews. No method of transmission over the internet is 100% secure; we do, however, take all reasonable steps to protect your personal data.

We may update this Privacy Policy from time to time. The date of the most recent update is shown at the top of this page. For material changes, we will provide notice on the site or by email where we have an existing or recent correspondence relationship with you.