Privacy Policy — OneDoc

1. Data Controller

The controller of your personal data is SSZZ Łukasz Herok, with its registered office in Wilamowice 43-430, ul. Rekracyjna 7a , Poland (hereinafter: the "Controller"), the owner and operator of the OneDoc application.

For any data protection matters, you may contact the Controller:

• by email: rodo@onedoc.pl
• by post: Wilamowice 43-430, ul. Rekracyjna 7a, Poland

2. Data We Collect

In connection with your use of the App, we may collect the following personal data:

• identification data: name, email address;
• contact details provided during registration or when contacting us;
• technical data: IP address, device type, operating system, browser;
• analytics data: in-app activity, clicks, session duration;
• files and documents uploaded by the user to the App.

3. Purposes and Legal Bases for Processing

• Provision of services and commercial transactions and related activities (Art. 6(1)(b) GDPR);
• Compliance with legal obligations, e.g. tax and accounting regulations (Art. 6(1)(c) GDPR);
• Legitimate interests of the Controller — analytics, App improvement, correspondence handling, asserting legal claims (Art. 6(1)(f) GDPR);
• Marketing of own products and services — only on the basis of separately given consent (Art. 6(1)(a) GDPR).

4. Data Sharing and Processing

Personal data entrusted to the Controller is not disclosed, sold, or lent to third parties without the explicit consent of the data subject — except where required by applicable law.

To the extent necessary for service delivery, data may be shared exclusively with:

• authorised employees and associates of the Controller who need access to the data to carry out their duties;
• data processors (sub-contractors) acting on behalf of the Controller, such as hosting and cloud service providers — on the basis of data processing agreements.

5. International Data Transfers

Where services of providers outside the European Economic Area are used, data may be transferred to third countries only with appropriate safeguards in place, in particular on the basis of Standard Contractual Clauses approved by the European Commission.

6. Retention Periods

• data related to service delivery — for the duration of the contract and the legally required period thereafter (e.g. 5 years for tax records);
• account data — for the duration of App use and 3 years after account deletion;
• user files and documents — until deleted by the user or upon account closure;
• data processed on the basis of consent — until consent is withdrawn.

7. Your Rights

You have the right to: access your data and receive a copy, rectification, erasure, restriction of processing, data portability, objection to processing, and the right to withdraw consent at any time — without affecting the lawfulness of processing carried out prior to withdrawal.

All of the above rights may be exercised by contacting the Controller by post or email at the address indicated in section 1.

8. Right to Lodge a Complaint

You have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, Warsaw, Poland — if you consider that the processing of your personal data infringes the GDPR of 27 April 2016.

9. Cookies

The App and associated websites may use cookies and similar technologies for technical and analytical purposes. You can manage cookies through your browser or device settings.

10. Policy Updates

The Controller reserves the right to update this Policy. Any material changes will be communicated to users with adequate notice — by email or via an in-app notification.

11. Additional Provisions for US Residents

This section applies to residents of US states with applicable privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and similar laws in Virginia, Colorado, Texas, and other states.

Categories of personal information collected (last 12 months)

• Identifiers — name, email address, IP address;
• Commercial information — service subscription and transaction records;
• Internet or network activity — browsing behaviour within the App, click data, session duration;
• Inferences — usage patterns drawn from the above categories.

We do not sell or share your personal information

OneDoc does not sell your personal information to third parties and does not share it for cross-context behavioural advertising purposes, as defined under CCPA/CPRA. You therefore have an automatic "Do Not Sell or Share My Personal Information" protection — no opt-out action is required.

Your rights as a US resident

Depending on your state of residence, you may have the right to:

• Know — request disclosure of the categories and specific pieces of personal information we have collected about you;
• Delete — request deletion of your personal information, subject to certain exceptions;
• Correct — request correction of inaccurate personal information;
• Opt out — opt out of any future sale or sharing of personal information (not currently applicable, as we do not sell data);
• Limit use of sensitive data — request that we limit the use or disclosure of sensitive personal information;
• Non-discrimination — we will not discriminate against you for exercising any of your privacy rights.

How to submit a request

To exercise any of the above rights, contact us at rodo@onedoc.pl with the subject line "US Privacy Request". We will respond within 45 days as required by CCPA (extendable by a further 45 days where reasonably necessary). We may need to verify your identity before processing your request.

Authorised agents

California residents may designate an authorised agent to submit requests on their behalf. We may require proof of the agent's authority and verification of your identity.

Financial incentives

We do not offer any financial incentives in exchange for the collection, sale, or retention of personal information.