Privacy Policy

1. Data Controller

The data controller responsible for your personal data is DP Vision, a company registered in Poznan, Poland, operating under the trade name dp.vision.

Registered address: Poznan, Poland
Email: hello@dpvision.pl
Website: dpvision.agency (transitioning to dp.vision)

For all data protection inquiries, including exercising your rights under the GDPR or other applicable data protection laws, please contact us at hello@dpvision.pl.

2. Categories of Personal Data We Collect

Depending on how you interact with dp.vision, we may collect and process the following categories of personal data:

2.1 Information you provide directly

• Identity data: your full name, job title, and company name, as provided through our contact forms, emails, or during onboarding.
• Contact data: your email address, phone number, and business address.
• Project data: briefs, brand assets, content, files, and other materials you upload through our client portal or send via email for the purpose of project delivery.
• Communication data: the content of messages you send us through forms, email, or the client portal.
• Scheduling data: your name, email, and chosen time slot when you book a call via Calendly.

2.2 Information collected during payment

• Payment data: billing name, billing address, and transaction details. Payment card numbers are processed directly by Stripe and are never stored on our servers. We receive only a confirmation of payment, last four digits of the card, and transaction ID.

2.3 Information collected through the client portal

• Account data: your email address used for magic link authentication via Supabase Auth.
• Uploaded files: briefs, brand assets, reference materials, and deliverables stored in Supabase Storage.

2.4 Information collected automatically

• Usage data: IP address (anonymized), browser type and version, operating system, device type, pages visited, time spent on pages, referral source, and click patterns.
• Cookie data: identifiers set by cookies and similar technologies (see Section 9).

3. Purposes of Processing

We process your personal data for the following specific purposes:

• Service delivery: to perform the services you have engaged us for, including brand design, web development, AI video production, AI training, and automation consulting.
• Payment processing: to collect payments via Stripe, issue invoices, and manage financial records as required by Polish tax law.
• Client portal access: to authenticate your identity via magic link, provide secure access to project files, and enable file upload and download.
• Communication: to respond to your inquiries, send project updates, share deliverables for review, and coordinate scheduling.
• Analytics: to understand how visitors use our website so we can improve its design and content.
• Legal compliance: to comply with applicable laws, including tax reporting, record-keeping obligations, and responding to lawful requests from authorities.

We do not send unsolicited marketing emails. Project-related communications are limited to the scope of your engagement with us.

4. Legal Basis for Processing

Under the GDPR, we process your personal data on the following legal bases:

• Performance of a contract (Article 6(1)(b) GDPR): processing necessary to deliver the services you purchased, manage your client portal account, process payments, and communicate about your project.
• Legitimate interest (Article 6(1)(f) GDPR): processing necessary for website analytics and improvement, fraud prevention, and enforcing our terms of service. Our legitimate interest does not override your fundamental rights and freedoms.
• Consent (Article 6(1)(a) GDPR): for non-essential cookies (analytics, marketing). You can withdraw consent at any time through your cookie preferences or by contacting us.
• Legal obligation (Article 6(1)(c) GDPR): for retaining financial records as required by Polish tax law (Ordynacja podatkowa) and responding to lawful requests from supervisory authorities.

5. Data Processors and Sub-Processors

We use the following third-party services to deliver our services. Each acts as a data processor under our instructions and is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguards:

• Stripe (Stripe, Inc., San Francisco, USA) — payment processing. Stripe processes your payment card data, billing information, and transaction details. Stripe is PCI DSS Level 1 certified.
  stripe.com/privacy
• Supabase (Supabase, Inc., San Francisco, USA) — authentication (magic link), database, and file storage for the client portal. Supabase stores your email address, account data, and uploaded project files.
  supabase.com/privacy
• Resend (Resend, Inc., San Francisco, USA) — transactional email delivery. Resend processes your email address and name to deliver project-related emails on our behalf.
  resend.com/legal/privacy-policy
• Calendly (Calendly, LLC, Atlanta, USA) — appointment scheduling. Calendly processes your name, email, and selected time slot when you book a discovery call.
  calendly.com/privacy
• Google Analytics (Google LLC, Mountain View, USA) — website analytics. Google Analytics collects anonymized usage data including pages visited, session duration, and referral source. IP anonymization is enabled.
  policies.google.com/privacy

We do not sell, rent, or trade your personal data to any third party. We share only the minimum data necessary for each processor to perform its function.

6. International Data Transfers

DP Vision is based in Poland (EU/EEA). However, several of our data processors are located in the United States. When your personal data is transferred outside the EEA, we ensure appropriate safeguards are in place:

• EU-U.S. Data Privacy Framework: where applicable, our US-based processors (Stripe, Supabase, Google) participate in or are certified under the EU-U.S. Data Privacy Framework.
• Standard Contractual Clauses (SCCs): where the Data Privacy Framework does not apply, transfers are governed by the European Commission's Standard Contractual Clauses, which provide contractual guarantees that your data receives an adequate level of protection.

You may request a copy of the safeguards in place by contacting us at hello@dpvision.pl.

7. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, or as required by law. Specific retention periods:

• Project data (briefs, deliverables, communications): 3 years after project completion, to allow for follow-up work, warranty claims, and legal compliance.
• Client portal account data: maintained for the duration of the project plus 90 days. After that period, account data is deleted unless you request earlier deletion or continued access.
• Financial records (invoices, payment confirmations): 5 years as required by Polish tax law (Ordynacja podatkowa, Art. 86).
• Analytics data: 26 months (Google Analytics default with our configuration).
• Contact form submissions: 24 months from the date of submission, unless a project relationship is established.
• Cookie data: varies by cookie type (see Section 9).

When retention periods expire, personal data is securely deleted or anonymized. You can request earlier deletion at any time (see Section 8).

8. Your Rights as a Data Subject

Under the GDPR and applicable data protection laws, you have the following rights:

• Right of access (Art. 15 GDPR) — you can request a copy of the personal data we hold about you.
• Right to rectification (Art. 16 GDPR) — you can ask us to correct inaccurate or incomplete data.
• Right to erasure (Art. 17 GDPR) — you can ask us to delete your personal data ("right to be forgotten"), subject to our legal retention obligations.
• Right to restriction of processing (Art. 18 GDPR) — you can ask us to restrict how we process your data in certain circumstances.
• Right to data portability (Art. 20 GDPR) — you can request your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV).
• Right to object (Art. 21 GDPR) — you can object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds.
• Right to withdraw consent — where processing is based on consent (e.g., analytics cookies), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint — you have the right to lodge a complaint with the Polish Data Protection Authority (UODO) or the supervisory authority in your country of residence (see Section 16).

To exercise any of these rights, email us at hello@dpvision.pl. We will verify your identity and respond within 30 days. If your request is complex, we may extend this by an additional 60 days with prior notice. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.

9. Cookies and Tracking Technologies

Our website uses cookies — small text files stored on your device — to provide functionality and understand usage patterns. We categorize cookies as follows:

9.1 Strictly necessary cookies

Required for the website to function. These cannot be disabled. They include cookies for cookie consent preferences and basic site functionality. No personal data is collected beyond what is technically necessary.

9.2 Analytics cookies

Used to understand how visitors interact with our website. We use Google Analytics with IP anonymization enabled. These cookies are only set if you consent via our cookie banner. Data collected includes pages visited, session duration, bounce rate, and approximate geographic location (country/city level).

9.3 Marketing cookies

Used to measure the effectiveness of our advertising and to deliver relevant content. These are only set with your explicit consent.

You can manage your cookie preferences at any time through the cookie settings accessible via the cookie banner on our website, or by adjusting your browser settings. Note that disabling certain cookies may affect website functionality.

10. Use of AI Tools in Service Delivery

dp.vision is an AI-native studio. We use artificial intelligence tools as part of our production workflow to deliver services including brand design, video production, and automation consulting. The AI tools we use include, but are not limited to:

• Language models: Claude (Anthropic), GPT-4o (OpenAI) — for content drafting, strategy analysis, and code assistance.
• Image generation: Midjourney — for visual concept exploration and asset creation.
• Video generation: Runway, Sora (OpenAI), Kling, Higgsfield — for AI video production.

Important disclosures:

• Project briefs and client materials may be processed through AI tools as part of our workflow. We do not upload sensitive personal data (such as payment information or personal identification numbers) to AI tools.
• All AI-generated output is reviewed, refined, and approved by our human team before delivery. No automated decision-making with legal or similarly significant effects is performed without human oversight.
• We select AI tools that offer appropriate data handling practices, including options for data not being used for model training where available.

If you have concerns about AI processing of your project materials, please raise them before project commencement. We can discuss alternative workflows on a case-by-case basis.

11. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Encryption at rest: client files stored in Supabase Storage are encrypted at rest.
• Access controls: access to personal data is restricted to team members who need it for their role. Client portal access is authenticated via magic link (passwordless).
• Secure payment processing: Stripe handles all payment data and is PCI DSS Level 1 certified. We never see or store your full card number.
• Regular review: we periodically review our data processing practices and the security measures of our sub-processors.

While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. If you become aware of a security vulnerability, please notify us immediately at hello@dpvision.pl.

12. Children's Data

Our services are directed at businesses and professionals. We do not knowingly collect personal data from children under the age of 16. If you believe that a child under 16 has provided us with personal data, please contact us at hello@dpvision.pl and we will promptly delete such data.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information.

13.1 Categories of personal information collected

In the preceding 12 months, we may have collected the following categories of personal information as defined by the CCPA:

• Identifiers: name, email address, IP address.
• Commercial information: records of services purchased, project details, payment history.
• Internet or electronic network activity: browsing history on our website, interactions with our site.
• Professional or employment-related information: job title, company name (when provided).

13.2 Your California rights

• Right to know: you may request that we disclose the categories and specific pieces of personal information we have collected about you.
• Right to delete: you may request deletion of your personal information, subject to certain exceptions.
• Right to correct: you may request correction of inaccurate personal information.
• Right to opt out of sale or sharing: we do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, contact us at hello@dpvision.pl. We will verify your identity before processing your request.

14. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals to websites. There is currently no universally accepted standard for how websites should respond to DNT signals. Our website respects your cookie consent preferences as set through our cookie banner. If you have not consented to analytics cookies, no tracking cookies are set regardless of your DNT setting.

15. Asia-Pacific Privacy Compliance

We serve clients globally, including in the Asia-Pacific region. While our primary compliance framework is the EU GDPR, we are aware of regional data protection laws including Singapore's Personal Data Protection Act (PDPA), Thailand's PDPA, and China's Personal Information Protection Law (PIPL). If you are located in the Asia-Pacific region, the rights described in Section 8 of this policy are available to you. If your local law provides additional rights, please contact us at hello@dpvision.pl so we can address your specific requirements.

16. Supervisory Authority

If you are unsatisfied with how we handle your personal data, you have the right to lodge a complaint with a supervisory authority. For our purposes, the lead supervisory authority is:

Urzad Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: uodo.gov.pl
Phone: +48 22 531 03 00

If you reside in another EU/EEA member state, you may also lodge a complaint with your local data protection authority.

17. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• The "Last updated" date at the top of this page will be revised.
• For material changes (e.g., new categories of data collected, new processors, changes to your rights), we will notify active clients via email at least 14 days before the changes take effect.
• For minor changes (e.g., clarifications, formatting), we will update this page without separate notice.

We encourage you to review this policy periodically.

18. Contact

If you have questions about this privacy policy, want to exercise your data subject rights, or have concerns about our data practices, contact us at:

DP Vision (dp.vision)
Email: hello@dpvision.pl
Poznan, Poland

We aim to respond to all privacy-related inquiries within 30 days.