Privacy Policy
Last updated: 17 June 2026 · Version 1.0 · Includes GDPR (RODO) information
1. Two roles: controller vs processor
This Policy explains how EpicCRM handles personal data in two distinct situations:
- As a controller — for personal data of our website visitors, account holders and Users (e.g. registration, billing, support). This Policy governs that processing.
- As a processor — for personal data that you, our Customer, load into the Service about your contacts. There, you are the controller and we process the data on your instructions under our Data Processing Agreement (DPA).
2. Who is the controller
The controller of personal data described in section 1 (first bullet) is Web Systems, a sole proprietorship registered in Poland (CEIDG), with its registered office at ul. Dąbrowskiego 249/23, 93-231 Łódź, Poland, Tax ID (NIP) 7292462454.
Contact for privacy matters: [email protected]. We have not appointed a separate Data Protection Officer; privacy enquiries are handled at this address.
3. What data we collect
| Category | Examples |
|---|---|
| Account & identity | Name, email, password (hashed), organization name, role, plan. |
| Billing | Subscription, seats, plan, and payment metadata. Card data is handled by Stripe — we do not store full card numbers. |
| Usage & technical | Log data, IP address, browser/device info, session identifiers, actions in the app. |
| Support & communications | Messages you send us, support tickets, email correspondence. |
| Marketing (optional) | If you opt in, your email may be added to our email-marketing list (Mailcraft). |
| Integration tokens | If you connect an external calendar (Google/Apple/CalDAV), we store access tokens or credentials encrypted at rest, used only to import your events. |
4. Purposes & legal bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Provide the Service, manage your account and Organization | Performance of a contract — Art. 6(1)(b) |
| Billing, invoicing, tax records | Contract — Art. 6(1)(b); legal obligation — Art. 6(1)(c) |
| Security, fraud prevention, service improvement, analytics in aggregate | Legitimate interests — Art. 6(1)(f) |
| Support and responding to enquiries | Contract / legitimate interests — Art. 6(1)(b)/(f) |
| Marketing emails (newsletter) | Consent — Art. 6(1)(a); you may withdraw at any time |
| Connecting external calendars | Consent / contract — Art. 6(1)(a)/(b); initiated by you |
| Complying with the law, defending legal claims | Legal obligation / legitimate interests — Art. 6(1)(c)/(f) |
5. Recipients & subprocessors
We share personal data only as needed to run the Service, with vetted providers acting under contract. Our principal subprocessors:
| Provider | Purpose | Location |
|---|---|---|
| Our hosting provider (servers at Hetzner) | Application & database hosting | EU (Germany) |
| Stripe | Payment processing | EU / USA (SCCs) |
| Cloudflare | CDN, DNS, security for the website | EU / global (SCCs) |
| Google (Calendar API) | Importing your calendar events — only if you connect it | EU / USA (SCCs) |
| Apple / other CalDAV servers | Importing your calendar events — only if you connect it | Per provider |
| Mailcraft (email marketing) | Sending newsletters — only if you opt in | EU |
| Email/SMTP provider | Transactional email (invites, password reset, notifications) | EU |
An up-to-date list of subprocessors is available on request at [email protected]. We may also disclose data where required by law.
6. International transfers
Our infrastructure is located in the European Union. Where a provider processes data outside the European Economic Area (e.g. some Stripe, Google or Cloudflare operations in the USA), the transfer is safeguarded by the European Commission’s Standard Contractual Clauses and/or adequacy mechanisms.
7. Retention
- Account data — kept while your account is active and deleted or anonymized within a reasonable period after closure (typically up to 90 days), unless a longer period is required by law.
- Billing/tax records — kept for the period required by tax and accounting law (in Poland, generally 5 years).
- Support correspondence — kept as long as needed to handle the matter and any related claims.
- Marketing — until you withdraw consent or unsubscribe.
- Integration tokens — kept until you disconnect the integration or delete the account.
8. Your rights (GDPR Art. 15–22)
Subject to the conditions in the GDPR, you have the right to: access your data; rectification; erasure (“right to be forgotten”); restriction of processing; data portability; objection to processing based on legitimate interests; and to withdraw consent at any time (without affecting prior processing). You also have the right not to be subject to solely automated decisions producing legal effects — we do not carry out such decision-making.
To exercise your rights, email [email protected]. We may need to verify your identity. If your request concerns data we process on behalf of a Customer (as processor), we will refer you to that Customer (the controller).
9. Cookies
Our website and app use cookies and similar technologies. Details, categories and how to manage them are in our Cookie Policy.
10. Security
We apply appropriate technical and organizational measures, including encryption in transit (HTTPS), encryption at rest for sensitive secrets such as calendar tokens, hashed passwords, access controls and per-organization data isolation. No method of transmission or storage is 100% secure, but we work to protect your data and to notify you and the supervisory authority of breaches where legally required.
11. Children
The Service is intended for business use and not directed at children. We do not knowingly collect personal data from children under 16.
12. Changes
We may update this Policy. The current version is always posted here with its “last updated” date; we will notify you of material changes.
13. Contact & complaints
Web Systems · ul. Dąbrowskiego 249/23, 93-231 Łódź, Poland · NIP 7292462454
Email: [email protected]
You have the right to lodge a complaint with a supervisory authority. In Poland this is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa — uodo.gov.pl.
