Privacy Policy
Last updated: April 17, 2026
1. Data Controller
The controller of your personal data is Ingenios Sp. z o.o. with its registered office in Warsaw:
- Address: ul. Nowogrodzka 31/413, 00-511 Warsaw, Poland
- KRS: 0000924926
- NIP: 7011054210
- Email: kontakt@ingenios.pl
2. Data We Collect
Data provided voluntarily:
- Full name
- Email address
- Phone number
- Company name and project description (via contact form)
Data collected automatically:
- IP address
- Browser and operating system type
- Website activity data (only after consent to analytics cookies)
3. Purposes and Legal Bases
| Purpose | Legal Basis (GDPR) | Retention |
|---|---|---|
| Responding to contact form inquiries | Art. 6(1)(b) — pre-contractual actions | Up to 12 months |
| Contract fulfillment | Art. 6(1)(b) — contract performance | Duration + 5 years |
| Web analytics (Google Analytics) | Art. 6(1)(a) — user consent | Up to 14 months |
| Marketing (Meta Pixel) | Art. 6(1)(a) — user consent | Until consent withdrawal |
| Website security | Art. 6(1)(f) — legitimate interest | Up to 30 days |
4. Data Recipients
- Google Ireland Limited — Google Analytics 4 (with consent)
- Meta Platforms Ireland Limited — Meta Pixel (with consent)
- Hetzner Online GmbH — application hosting (Germany, Falkenstein, ISO 27001)
- Amazon Web Services EMEA SARL — object storage for files (eu-central-1, Frankfurt, Germany)
- CloudFlare, Inc. — DNS management and DDoS protection
- OpenAI, L.L.C. — large language models (LLM) for AI features — only for users of the Ingenios app, see section 6
- Anthropic, PBC — alternative LLM provider (Claude), see section 6
- Slack Technologies LLC (Salesforce) — internal communications tool; contact-form content (name, e-mail, phone, request description) is forwarded to our private Slack channel to handle the inquiry. Data is processed under Standard Contractual Clauses (SCC).
5. Data Transfers Outside the EEA
Some of our providers (Google, Meta) may process data outside the EEA based on the European Commission's adequacy decision (EU-U.S. Data Privacy Framework) and Standard Contractual Clauses (SCCs).
6. Ingenios Application — Gmail and Google Drive Integration
This section applies to users of the Ingenios (SaaS) application who connect their Google accounts to sync Gmail and Google Drive with the application.
6.1 Google data we access
After you grant consent on the Google OAuth authorization screen, the application accesses:
Gmail:
- Message metadata (sender, recipient, subject, date, thread, labels)
- Message content (plain text and HTML body)
- Attachments
- Permission to send messages on your behalf (only upon your action in the app)
Google Drive:
- File metadata (name, type, modification date, owner, folder structure)
- File content — read-only (scope:
drive.readonly,drive.metadata.readonly)
We request only the minimum scopes required to deliver the specific application features chosen by the user.
6.2 How we use the data
Gmail:
- Displaying messages in the Inbox module of the application
- Linking messages to leads, contacts and companies in the CRM module
- Sending replies and new messages on your behalf — only after your action
- AI features: automatic message summary, draft reply generation, extracting data from attachments — only when the user activates AI features
Google Drive:
- Indexing files for in-app search
- Linking files to clients and deals in CRM
- AI features: document content analysis, data extraction, semantic search — only when the user activates AI features
We do NOT use Google data for:
- Displaying advertisements
- Training our own or any third-party AI/ML models
- Selling or leasing to external parties
- Any purpose other than delivering the app features chosen by the user
6.3 Data sharing (sub-processors)
Gmail and Google Drive data is shared only with the following sub-processors:
- OpenAI, L.L.C. (USA) — large language model provider for AI features. Gmail message content and Google Drive file content is sent to the OpenAI API only when the user activates AI features (e.g. summarization, reply drafting, document analysis). OpenAI does not use this data to train models (per OpenAI API Data Usage Policy for business customers).
- Anthropic, PBC (USA) — alternative LLM provider (Claude models), subject to future deployment. Same terms as OpenAI — data is not used to train models.
- Hetzner Online GmbH (Germany) — server infrastructure (Falkenstein, EU). Data stored encrypted.
- Amazon Web Services EMEA SARL (eu-central-1, Frankfurt, Germany) — object storage for files. Data stored encrypted (SSE).
We do not sell Google data, nor do we share it with advertisers or any other third parties.
6.4 Security and storage
- OAuth tokens (access_token, refresh_token) are symmetrically encrypted (AES) in the database using a dedicated encryption key.
- All data transmission uses TLS 1.2+ (HTTPS).
- Each customer (tenant) has an isolated database schema — one customer's data is physically separated from others' (schema-per-tenant).
- Data access requires JWT authentication and role-based access control (RBAC).
- Infrastructure in the EU region (Germany) — GDPR compliant.
6.5 Data retention and deletion
- Google data is stored for as long as your Google account remains connected to your Ingenios account.
- You can disconnect your Google account at any time in Settings → Integrations — this immediately revokes the OAuth token and stops synchronization.
- Data synced from Gmail and Drive is deleted within 30 days after disconnection.
- You can also revoke consent directly in your Google account at any time: myaccount.google.com/permissions.
- To request deletion of all account data, use the in-app feature (Settings → Account → Delete data) or email kontakt@ingenios.pl. A 14-day grace period applies after the request, after which data is permanently deleted.
6.6 Limited Use compliance (Google API Services User Data Policy)
Ingenios's use and transfer of any information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We do not use Gmail or Drive data to serve advertisements.
- We do not process Gmail or Drive data for purposes other than delivering app features chosen by the user.
- We do not share Gmail or Drive data with third parties other than the sub-processors listed in section 6.3.
- We do not use Gmail or Drive data to train AI/ML models (ours or any third party's).
- We do not allow humans to read user data, except where required by law or with the user's explicit consent for technical support.
Ingenios's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
7. Your Rights
- Right of access — obtain information about processed data
- Right to rectification — correct inaccurate data
- Right to erasure — request deletion of your data
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to withdraw consent — at any time
Contact: kontakt@ingenios.pl
You also have the right to lodge a complaint with the President of UODO (Polish Data Protection Authority): ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.
8. Cookies
| Type | Purpose | Consent Required |
|---|---|---|
| Necessary | Proper website functioning | No |
| Analytics | Google Analytics 4 | Yes |
| Marketing | Meta Pixel | Yes |
9. Changes to This Policy
We reserve the right to update this policy. The current version is always available at ingenios.pl/polityka-prywatnosci/.