PRIVACY POLICY

Last Updated: June 10, 2026

At GoPublica, we are committed to protecting the privacy and security of your personal data. This Privacy Policy describes how we collect, use, store, and share personal data in connection with our SaaS platform, in compliance with the General Data Protection Regulation (GDPR / RODO) and applicable Polish law.

1. DATA CONTROLLER

The Data Controller responsible for your personal data is:

GoPublica Andrii Knapp NIP: 6772525332 Republic of Poland Email: support@gopublica.com

For any data protection inquiries, please contact us at the email above.

2. ROLES IN DATA PROCESSING (GDPR / RODO)

GoPublica as a Data Controller: We control the personal data of our registered Merchants (you), including your name, email address, business details, billing information, and IP address. We collect this data to provide you with access to our platform, process subscription fees, and deliver customer support.

GoPublica as a Data Processor: When your end-customers (e.g., restaurant guests, salon clients) submit booking information through your GoPublica-powered widget or storefront, you act as the Data Controller for their personal data. GoPublica acts solely as a Data Processor, storing and processing that data strictly on your behalf and according to your instructions. You bear full responsibility as the Data Controller for ensuring a legal basis for processing your customers' data and for meeting all applicable GDPR obligations toward them, including providing appropriate privacy notices.

3. WHAT DATA WE COLLECT

Data you provide directly:

  • Full name and business name
  • Email address
  • NIP / VAT number (if applicable)
  • Payment card details (processed and stored exclusively by Stripe — we do not store raw card data)
  • Business address and contact information

Data collected automatically:

  • IP address and browser/device information
  • Usage data and activity logs within the Admin Panel
  • Cookie identifiers and session tokens

Data of your end-customers (processed on your behalf):

  • Names, phone numbers, and email addresses submitted via booking forms
  • Reservation details (date, time, service, party size)
  • Any additional fields you configure in your booking widget

4. LEGAL BASIS FOR PROCESSING

We process personal data on the following legal bases under GDPR Article 6:

  • Article 6(1)(b) — Performance of a Contract: Processing your account data, billing information, and usage data to provide the platform and fulfill our contractual obligations to you.
  • Article 6(1)(c) — Legal Obligation: Retaining invoicing and transaction records as required by Polish tax and accounting law.
  • Article 6(1)(f) — Legitimate Interests: Monitoring platform security, preventing fraud, and improving platform performance.
  • Article 6(1)(a) — Consent: Using Google Analytics cookies for website analytics, where you have given consent via our cookie banner.

5. DATA STORAGE AND INFRASTRUCTURE

5.1. Our core backend server infrastructure is hosted on Hetzner (Germany, European Union).

5.2. All database storage is powered by MongoDB Atlas, deployed on Amazon Web Services (AWS) data centers located in Frankfurt, Germany (EU-West-1), ensuring that your data and your customers' data remain within the European Union.

5.3. Client-facing storefronts, booking widgets, and front-end assets are deployed via Vercel. Please note that Vercel, Inc. is a company headquartered in the United States. GoPublica relies on Vercel's compliance with Standard Contractual Clauses (SCCs) approved by the European Commission for any personal data that may transit through Vercel's global CDN network. Vercel's data processing terms can be reviewed at vercel.com/legal/dpa.

6. THIRD-PARTY SUBPROCESSORS

To operate our platform, GoPublica shares limited personal data with the following trusted subprocessors:

| Subprocessor | Purpose | Data Location | |---|---|---| | Stripe, Inc. / Stripe Payments Europe Ltd | Payment processing and billing | EU / US (SCCs) | | EmailJS Ltd | Transactional email delivery (booking confirmations, system alerts) | EU / US (SCCs) | | Vercel, Inc. | Frontend hosting and global CDN delivery | EU / US (SCCs) | | MongoDB Atlas (AWS Frankfurt) | Database storage | Germany (EU) | | Hetzner Online GmbH | Backend server infrastructure | Germany (EU) | | Google LLC (Google Analytics) | Website traffic analytics | EU / US (SCCs) |

We do not sell your personal data or your customers' personal data to any third party.

7. INTERNATIONAL DATA TRANSFERS

Some of our subprocessors (Stripe, EmailJS, Vercel, Google Analytics) are headquartered outside the European Economic Area, including in the United States. For all such transfers, GoPublica ensures that appropriate safeguards are in place, specifically Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Article 46(2)(c). These contractual safeguards ensure that your personal data receives an equivalent level of protection to that afforded within the EU.

8. DATA RETENTION

Merchant account data: We retain your personal data for the duration of your active subscription. If your account is canceled or permanently terminated, we will retain your data for a period of 60 days to allow for potential account reactivation, after which it will be permanently deleted from our active systems, unless longer retention is required by applicable law (e.g., Polish tax and accounting regulations, which may require retention of financial records for up to 5 years).

End-customer booking data: Stored and retained according to your configuration as the Data Controller. Upon account termination, this data is deleted alongside your Merchant account data within the same 60-day window.

9. YOUR GDPR RIGHTS

As a data subject under the GDPR, you have the following rights regarding your personal data:

  • Right of Access: The right to request a copy of the personal data we hold about you.
  • Right to Rectification: The right to request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): The right to request deletion of your personal data, subject to our legal retention obligations.
  • Right to Restriction: The right to request that we limit the processing of your personal data in certain circumstances.
  • Right to Data Portability: The right to receive your data in a structured, machine-readable format.
  • Right to Object: The right to object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at support@gopublica.com. We will respond within 30 days as required by GDPR Article 12.

Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Polish supervisory authority:

Urząd Ochrony Danych Osobowych (UODO) ul. Stawki 2, 00-193 Warsaw, Poland Website: uodo.gov.pl Email: kancelaria@uodo.gov.pl

10. COOKIES

Essential cookies: We use strictly necessary cookies to manage your login session and Admin Panel authentication. These cookies are required for the platform to function and cannot be disabled.

Analytics cookies (Google Analytics): We use Google Analytics to understand general website usage patterns (e.g., page visits, traffic sources). These cookies are only activated after you accept them via our cookie consent banner. You may withdraw your consent at any time by updating your cookie preferences or by using Google's opt-out tool at tools.google.com/dlpage/gaoptout.

We do not use cookies for advertising or tracking across third-party websites.

11. SECURITY

GoPublica implements industry-standard technical and organizational security measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These include encrypted data transmission (HTTPS/TLS), access controls, and regular security monitoring. However, no method of transmission over the internet or electronic storage is 100% secure, and GoPublica cannot guarantee absolute data security.

12. UPDATES TO THIS POLICY

We may update this Privacy Policy from time to time. If changes are material, we will notify you via email or through a notice in your Admin Panel at least 14 days before the changes take effect. The most current version will always be available on our website.

GoPublica Andrii Knapp | NIP: 6772525332 | support@gopublica.com | Poland