ARDURA Lab

Privacy Policy

Last updated: May 8, 2026

§ 1. Data Controller

The controller of personal data collected through the website arduralab.com (hereinafter: the “Website”) is ARDURA Services Sp. z o.o. (operating under the brand ARDURA Lab), with its registered office in Warsaw, ul. Ząbkowska 31, 03-736 Warsaw, Poland, tax identification number (NIP): PL5342508572 (hereinafter: the “Controller”).

The Controller has not appointed a Data Protection Officer (DPO). All matters related to the processing of personal data should be addressed directly to the Controller using the contact details below.

To contact the Controller regarding data protection matters:

§ 2. Scope of Data Collection

The Website collects personal data to a limited extent, solely for the purposes described in this Privacy Policy. The Website does not operate a user registration system.

2.1. Data collected automatically

The following data is collected automatically when you use the Website:

  • Device IP address
  • Browser type and version
  • Operating system
  • Screen resolution
  • Browser language
  • Referring source (referer)
  • Time spent on individual pages
  • Information about clicked links and pages viewed

2.2. Data collected via the contact form

The Website provides a contact form (on the /en/contact and /en/get-a-quote pages) through which the Controller collects the following data voluntarily provided by the user: name or company name, email address, type of service, approximate budget, and project description. This data is sent to the Controller’s email address via the Resend service (Resend Inc., USA) on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR).

2.3. Data collected via email correspondence

When contacting the Controller by email at biuro@ardura.pl, the Controller processes data voluntarily provided by the sender, in particular: first name, last name, email address, phone number, and the content of the message.

§ 3. Purposes and Legal Basis for Data Processing

Personal data is processed for the following purposes:

  1. Website traffic analysis and quality improvement — on the basis of the Controller’s legitimate interest (Art. 6(1)(f) GDPR) and the user’s consent to cookies (Art. 6(1)(a) GDPR).
  2. Responding to inquiries submitted by email — on the basis of the Controller’s legitimate interest in handling correspondence (Art. 6(1)(f) GDPR) or in order to take steps prior to entering into a contract (Art. 6(1)(b) GDPR).
  3. Contract performance — on the basis of necessity for the performance of a contract (Art. 6(1)(b) GDPR).
  4. Fulfilment of legal obligations, including tax and accounting obligations — on the basis of Art. 6(1)(c) GDPR.
  5. Establishment, exercise, or defence of legal claims — on the basis of the Controller’s legitimate interest (Art. 6(1)(f) GDPR).

§ 4. Cookies

4.1. What are cookies

Cookies are small text files stored on the user’s device while using the Website. They are used for the proper functioning of the site and for analysing how the Website is used.

4.2. Categories of cookies used

The Website uses the following categories of cookies:

  • Necessary cookies — required for the Website to operate (language preferences, session, remembering consent choices). Do not require user consent (Art. 173(3) of the Polish Telecommunications Act).
  • Analytics cookies (Google Analytics 4) — anonymous traffic statistics, traffic sources, popular pages, user behaviour. Require consent. Data is processed by Google LLC (USA) on the basis of Standard Contractual Clauses.
  • Marketing cookies (Google Ads / Consent Mode v2) — ad personalisation, campaign measurement, retargeting. Require consent. Cover the signals ad_storage, ad_user_data, ad_personalization.

Detailed list of cookies used on the Website:

| Name | Provider | Purpose | Duration | Category |
|---|---|---|---|---|
| cookie-consent | Website (localStorage) | Stores user consent choices | 365 days | Necessary |
| _ga | Google Analytics 4 | Anonymous user identifier | 2 years | Analytics |
| _ga_<ID> | Google Analytics 4 | GA4 session state | 2 years | Analytics |
| _gid | Google Analytics | User identifier (24h) | 24 hours | Analytics |
| NID, IDE, _gcl_au | Google LLC | Google Ads personalisation, conversion measurement | up to 13 months | Marketing |

4.3. Managing cookies and withdrawing consent

Users have three ways to manage cookies:

  • “Manage consent” link in the Website footer — at any time you can open the consent panel and change your choices (analytics / marketing) or reject all optional cookies. Withdrawing consent is as easy as giving it (Art. 7(3) GDPR).
  • Browser settings — you can block cookie storage or delete already stored cookies. Instructions are available in your browser’s help.
  • Google Analytics opt-out browser add-on: tools.google.com/dlpage/gaoptout.

Consent choices are stored for 365 days — after this period the Website will ask you to renew your consent. Disabling analytics and marketing cookies does not affect the core functionality of the Website.

4.4. Google Consent Mode v2

The Website implements Google Consent Mode v2. By default, all consent signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) are set to denied before any Google scripts load. Signals are updated to granted only after the user gives explicit consent in the cookie panel.

§ 5. Google Analytics 4

The Website uses the Google Analytics 4 service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Analytics 4 collects data in anonymous mode, including:

  • Anonymised IP address
  • Session data (duration, pages viewed)
  • Device and browser data
  • Traffic source data
  • Events (clicks, page scrolling)

Google Analytics 4 does not collect data that would allow the direct identification of a user. IP addresses are anonymised. Data is retained for a period of 14 months.

For more information on how Google processes data: policies.google.com/privacy.

Users may opt out of Google Analytics by installing the browser add-on: tools.google.com/dlpage/gaoptout.

§ 6. Data Recipients

Personal data may be disclosed to the following categories of recipients:

  • Google LLC — in respect of analytics data (Google Analytics 4). Data transfers to the USA are carried out on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR).
  • Resend Inc. — in respect of data submitted through the contact form (transactional email). Data transfers to the USA are carried out on the basis of Standard Contractual Clauses.
  • Hosting provider (Cloudflare Inc.) — to the extent necessary for the operation of the Website. Data transfers to the USA are carried out on the basis of Standard Contractual Clauses.
  • Public authorities — where disclosure is required by applicable law.

The Controller does not sell personal data to third parties, nor does it use such data for the direct marketing purposes of third parties.

§ 7. Data Retention Periods

  • Analytics data (GA4) — 14 months from the user’s last activity.
  • Email correspondence — for the period necessary to handle the inquiry, followed by the limitation period for potential claims (3 years from the end of correspondence).
  • Contract-related data — for the duration of the contract and 6 years after its termination (the limitation period for civil claims under Art. 118 of the Polish Civil Code).
  • Data required by law (e.g. tax records) — for the period required by the relevant legislation (5 tax years for accounting documentation).

§ 8. User Rights

Under the GDPR, users have the following rights in relation to their personal data:

  1. Right of access (Art. 15 GDPR) — the right to obtain information about the data being processed and to receive a copy thereof.
  2. Right to rectification (Art. 16 GDPR) — the right to have inaccurate data corrected or incomplete data supplemented.
  3. Right to erasure (Art. 17 GDPR) — the right to request the deletion of data where there is no legal basis for its further processing.
  4. Right to restriction of processing (Art. 18 GDPR) — the right to request restriction of data processing in certain circumstances.
  5. Right to data portability (Art. 20 GDPR) — the right to receive data in a structured, commonly used, machine-readable format.
  6. Right to object (Art. 21 GDPR) — the right to object to the processing of data based on the Controller’s legitimate interest.
  7. Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, the user has the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. Cookie consent can be changed or withdrawn at any time using the “Manage consent” link in the Website footer.

To exercise any of the above rights, please contact the Controller at: biuro@ardura.pl. The Controller will respond without undue delay and no later than one month from the receipt of the request.

§ 9. Right to Lodge a Complaint

If a user believes that the processing of their personal data infringes the GDPR, they have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl.

§ 10. Data Security

The Controller implements appropriate technical and organisational measures to ensure the protection of personal data being processed, including in particular:

  • Encrypted connection (SSL/TLS certificate)
  • Regular software updates
  • Restricted data access limited to authorised personnel
  • Regular security procedure reviews

§ 11. Changes to the Privacy Policy

The Controller reserves the right to amend this Privacy Policy. The Controller will notify users of any significant changes by publishing an appropriate notice on the Website. The current version of the Privacy Policy is always available at: arduralab.com/en/privacy-policy.