Privacy Policy (Buildo sp. z o.o.)
Service / App: Ebuildo / Osiolek (the "App")
Last updated: 14 January 2026
This Privacy Policy explains how BUILDO Limited Liability Company (spółka z ograniczoną odpowiedzialnością) ("Buildo", "we", "us", "our") processes personal data when you use the App and related services.
1. Data Controller and Contact Details
Data Controller:
BUILDO Limited Liability Company (spółka z ograniczoną odpowiedzialnością) ("Buildo sp. z o.o.")
For questions about this Policy or to exercise your rights, contact us at support@ebuildo.pl.
2. What Data We Collect
2.1 Data you provide (Account and Orders)
We may collect:
- Email address (required) – to create and manage your account and communicate with you.
- Full name (optional) – to improve order handling.
- Delivery address (optional) – to simplify future orders.
- Phone number (optional) – for delivery-related contact.
- Password – stored only in hashed form (not readable by us).
2.2 Data collected automatically (Logs and Device Data)
We may collect:
- User identifier – a unique technical ID assigned to your account.
- Device information – device model and operating system version (for diagnostics and troubleshooting).
- Push notification token – an anonymous device token enabling push notifications if you consent.
- System logs – IP address, date/time of connection and security logs, stored for 30–90 days for security and abuse prevention.
2.3 Location data
- GPS location (on demand): we use your location only when you search for the nearest warehouse (or similar nearby service functionality).
- No location history: we do not store a history of your movements.
2.4 Purchase and usage data
- Order history – purchased items, amounts, dates and order metadata.
- Cart data – items in your cart (stored temporarily).
2.5 Analytics and diagnostics
- Usage statistics – anonymised or aggregated data about visited screens and used functions to improve the App.
- Error reports – technical information sent when the App crashes or malfunctions to help us fix issues.
3. Why We Process Your Data (Purposes)
We process personal data to:
- Provide the service – create your account, enable ordering, and handle orders.
- Enable functionality – e.g., showing nearby warehouses based on location (only when you use that function).
- Communicate with you – order updates via email and (if enabled) push notifications.
- Ensure security – detect abuse, protect accounts, maintain system integrity.
- Improve the App – understand how users interact with features to enhance usability and performance.
- Meet legal obligations – maintain sales and accounting documentation where required by law.
4. Legal Bases (GDPR)
Depending on the context, we process data based on:
- Performance of a contract (Art. 6(1)(b) GDPR) – account creation, order processing, service delivery.
- Legal obligation (Art. 6(1)(c) GDPR) – accounting, tax and statutory documentation.
- Legitimate interests (Art. 6(1)(f) GDPR) – security, fraud prevention, service stability, limited logging, internal analytics where appropriate.
- Consent (Art. 6(1)(a) GDPR) – push notifications and optional permissions such as location access.
You can withdraw consent at any time (see Section 9).
5. Integrations and Third-Party Service Providers
We use trusted providers to operate the App:
5.1 Google (Sign-in and Maps)
- Sign-in with Google (optional): you may log in using your Google account.
- Google Maps: used to display warehouse locations and map-based features.
5.2 Apple (Sign-in)
- Sign-in with Apple (optional): you may log in using your Apple account, including Apple's option to hide your email address.
5.3 Amazon Web Services (AWS)
AWS is used as a primary infrastructure provider (e.g., servers, databases and hosting) and provides high standards of physical and logical security.
International transfers: Some providers may process data outside the European Economic Area (EEA). Where applicable, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) and additional measures consistent with GDPR.
6. How We Share Data
We do not sell your personal data. We may share data only:
- With processors (service providers) supporting infrastructure, maps, authentication, notifications, diagnostics and analytics.
- If required by law or binding requests by public authorities.
- To protect rights and security, and to prevent fraud or abuse.
Access is limited to authorised systems and personnel on a need-to-know basis.
7. Security Measures
We apply technical and organisational measures appropriate to the risk, including:
- Encryption in transit: data sent between the App and our servers is encrypted (e.g., TLS).
- Encryption at rest: data stored in databases/servers is encrypted at rest.
- Access controls: restricted access for authorised personnel and systems only.
- Log minimisation: logs containing personal data are retained for 30–90 days, then deleted or anonymised where feasible.
8. Data Retention
We retain data only as long as needed:
- Account data: for the duration of your account and as necessary for service provision.
- Order and transaction data: for the period required by accounting/tax laws and to handle complaints and claims.
- Security logs (including IP): 30–90 days, unless longer retention is required for incident handling or legal claims.
- Cart data: temporarily, typically until purchase completion or cart expiration.
Retention periods may differ if legally required or necessary to establish, exercise or defend legal claims.
9. Your Rights
Subject to GDPR and applicable laws, you have the right to:
- Access your personal data and obtain a copy.
- Rectification of inaccurate or incomplete data.
- Erasure ("right to be forgotten") in certain cases.
- Restriction of processing in certain cases.
- Data portability (for data processed based on consent or contract by automated means).
- Object to processing based on legitimate interests.
- Withdraw consent at any time (does not affect processing before withdrawal).
Managing permissions
You can disable push notifications and location access at any time in your device settings.
Account deletion
You may request deletion of your account and personal data by contacting us at: support@ebuildo.pl
(If an in-app deletion function is available, you may also use that option.)
10. Complaints (Supervisory Authority)
If you believe your data protection rights have been infringed, you may lodge a complaint with your supervisory authority.
In Poland, this is the President of the Personal Data Protection Office (UODO).
11. Children
The App is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child provided us data, contact us at support@ebuildo.pl and we will take appropriate steps.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The latest version will be made available in the App and/or on our website, with the "Last updated" date revised accordingly.