Privacy Policy.

Last updated: 3 July 2026. This document describes what personal data we process in connection with this website, on what legal basis, and what rights you have under the GDPR (Regulation (EU) 2016/679).

1. Data controller

The controller of personal data processed in connection with this website is:
[TO BE COMPLETED: full name / company name, registered address, tax ID] — these details will be added as soon as the business operated under the Greyfield Partners name is formally registered. Until then, any data protection matters can be directed to the address in section 2.

2. Contact on data protection matters

For any question regarding the processing of your personal data, contact us at: bartoszilski@greyfieldpartners.eu.

3. What data we process and why

We only collect personal data when you provide it to us directly, through the contact form on the Contact page. The form collects: name, company, role (optional), email address, subject, and message.

We process this data in order to:

  • respond to your inquiry and take steps towards a possible engagement — legal basis: Article 6(1)(b) GDPR (pre-contractual steps taken at your request);
  • establish, exercise, or defend legal claims related to the correspondence, if needed — legal basis: Article 6(1)(f) GDPR (our legitimate interest).

The site has no other mechanism for collecting personal data — we do not operate user accounts, we do not run a newsletter sign-up form, and downloading our published PDF reports requires no personal data.

4. Recipients of data

Only personnel responsible for correspondence at Greyfield Partners have access to messages submitted through the contact form. In addition, due to how the site operates, data may be processed by the following third-party technical service providers:

  • FormSubmit (Devro LABS) — the third-party form processor that forwards submitted messages to our email address. Per this provider's publicly available privacy policy, data submitted through the form is not used for any purpose other than that forwarding. The provider does not publicly specify its jurisdiction or explicitly confirm a GDPR transfer-compliance mechanism — should this prove necessary, we will replace this mechanism with one offering clearly confirmed GDPR safeguards;
  • Cloudflare, Inc. — our hosting and CDN infrastructure provider. Cloudflare may process visitor IP addresses to ensure the security and availability of the service, subject to its own privacy policy and the standard contractual clauses (SCCs) it applies in its data processing agreements.

Beyond the parties listed above, we do not share personal data with any other third party, unless required to do so by applicable law (e.g. at the request of a competent authority).

5. Data retention

Data submitted through the contact form is retained for as long as necessary to respond and continue any related correspondence, and thereafter for no more than 3 years from the end of that correspondence, for evidentiary and record-keeping purposes, unless a longer retention period is required by law (e.g. tax or accounting rules, should the correspondence lead to an engagement).

6. Cookies and analytics

This website does not use cookies for analytics, statistics, or marketing purposes. We do not use Google Analytics, advertising pixels, or any other tracking tools. The only cookies that may be set during your visit are technical cookies related to security and service availability, set by our infrastructure provider (Cloudflare) — these are not used to identify or profile visitors.

7. Transfers outside the European Economic Area

Our technical infrastructure providers (Cloudflare and our contact-form processor) may process data on servers or infrastructure located outside the European Economic Area (EEA), including in the United States. Where this occurs, the transfer relies on GDPR-compliant safeguards under Chapter V GDPR, in particular the Standard Contractual Clauses (SCCs) approved by the European Commission, to the extent applied by the relevant provider.

8. Automated decision-making

We do not use automated decision-making, including profiling, on personal data submitted through this website.

9. Your rights

In connection with the processing of your personal data, you have the right to:

  • access your personal data and receive a copy of it;
  • rectify (correct) your data;
  • erasure of your data ("right to be forgotten"), to the extent provided by law;
  • restrict processing of your data;
  • object to processing based on our legitimate interest;
  • data portability, to the extent processing is automated and based on consent or contract;
  • lodge a complaint with a supervisory authority — in Poland, this is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw.

To exercise any of the rights above, contact us at the address given in section 2.

10. Voluntary provision of data

Providing personal data through the contact form is entirely voluntary, but necessary for us to respond to your inquiry. Not providing the required data (name, company, email address, and message) will prevent us from replying.

11. Changes to this policy

This privacy policy may be updated periodically, in particular in connection with changes in the law, the scope of our services, or the technical tools we use. The current version is always available at this address, together with the last-updated date shown at the top of the document.