Privacy Policy

§1 General Provisions

1. This Privacy Policy ("Policy") describes how WEBSOMNIA Juliusz Michajłow ("Company," "we," "us," or "our"), collects, uses, processes, and protects personal data of users of the wingman.pm platform and related services.

2. The Company acts as the Data Controller within the meaning of Regulation (EU) 2016/679 ("GDPR").

3. We are committed to protecting your privacy and ensuring the security of your personal data in accordance with applicable data protection laws, including the GDPR and Polish data protection legislation.

4. Juliusz Michajłow is designated as the contact person for data protection matters. For any privacy-related inquiries, please contact us at hello@wingman.pm.

§2 Definitions

For the purposes of this Policy, the following definitions apply:

• Data Controller - WEBSOMNIA Juliusz Michajłow, which determines the purposes and means of processing personal data.
• User - any natural person who uses the wingman.pm platform or related services.
• Personal Data - any information relating to an identified or identifiable natural person as defined in the GDPR.
• GDPR - Regulation (EU) 2016/679 on the protection of personal data.
• Service - the wingman.pm AI-assisted product management platform and all related services.
• Platform - the wingman.pm website and application accessible at wingman.pm.

§3 What Data We Collect

We collect and process the following categories of personal data:

3.1 Basic Personal Data

• Name and surname
• Email address
• Phone number
• Company name and position (for business accounts)

3.2 Account Data

• Login credentials (username, encrypted password)
• Account preferences and settings
• Subscription information and plan details
• Token usage and allocation data

3.3 Usage Data

• Feedback and content uploaded to the platform
• Integration data from connected services (for a complete list of integrations, see wingman.pm/legal/integrations)
• Activity logs and platform usage statistics
• Generated documents and reports

3.4 Technical Data

• IP addresses and location data
• Browser type, version, and settings
• Device information and operating system
• Cookies and similar tracking technologies

3.5 Payment Data

• Billing information processed via PayPro S.A. (Przelewy24)
• Transaction history and payment records
• Invoice details for tax and accounting purposes

§4 Purpose and Legal Basis of Processing

We process your personal data for the following purposes and legal bases:

4.1 Service Provision (Article 6(1)(b) GDPR)

Processing necessary for the performance of the contract or to take steps at your request prior to entering into a contract, including account creation, service delivery, customer support, and platform functionality.

4.2 Legal Obligations (Article 6(1)(c) GDPR)

Processing required to comply with legal obligations, including tax record keeping, invoicing requirements under Polish law, and regulatory compliance.

4.3 Marketing Communications (Article 6(1)(a) GDPR)

Processing based on your consent for marketing communications, product updates, newsletters, and promotional materials. You may withdraw consent at any time.

4.4 Security and Fraud Prevention (Article 6(1)(f) GDPR)

Processing based on our legitimate interest in protecting the platform, preventing fraud, ensuring security, and protecting the rights and interests of our users.

4.5 AI Processing (Article 6(1)(b) and 6(1)(f) GDPR)

Processing of user content through third-party AI services is necessary for the performance of the contract and based on our legitimate interest in delivering the core functionality of the Platform. The use of your data for AI model training by third-party providers is governed by their respective terms and conditions. For details on AI providers used, see wingman.pm/legal/ai-models.

§5 Data Retention Periods

We retain your personal data for the following periods:

• Active accounts: For the duration of the service relationship
• Financial and invoicing records: 5 years from the end of the calendar year in which the transaction occurred (as required by Polish tax law), or longer where required by specific legal provisions
• Marketing consents: Until consent is withdrawn or the purpose is no longer valid
• Technical logs: 12 months from creation
• Inactive accounts: We may delete accounts inactive for extended periods after providing reasonable notice
• Post-termination: User data is deleted within 30 days of account termination, unless legal retention requirements apply

§6 Sharing Personal Data

We may share your personal data with third-party processors under appropriate Data Processing Agreements. Personal data may be processed in the European Union and the United States.

All processors are bound by Data Processing Agreements ensuring appropriate data protection standards. For international transfers outside the EU/EEA, we use Standard Contractual Clauses approved by the European Commission or rely on adequacy decisions where applicable.

We do not sell, rent, or otherwise commercialize your personal data to third parties.

§7 User Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access (Article 15): Obtain confirmation and information about the processing of your personal data.
• Right to Rectification (Article 16): Correct inaccurate or incomplete personal data.
• Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
• Right to Restriction (Article 18): Limit the processing of your personal data.
• Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used format.
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent: Withdraw consent for consent-based processing at any time.
• Right to Lodge a Complaint: File a complaint with the Polish supervisory authority (UODO).

To exercise these rights, please contact us using the information provided in Section 11. We will respond without undue delay and in any event within one month.

§8 Data Security

We implement appropriate technical and organizational measures to ensure data security, including:

• Encryption: SSL/TLS for data in transit and encryption at rest for stored data.
• Access Controls: Role-based access controls and principle of least privilege.
• Security Monitoring: Regular security audits, vulnerability scans, and security assessments.
• Staff Training: Regular training of personnel on data protection practices.
• Incident Response: Established procedures for data breach detection and response.
• Data Breach Notification: We will notify supervisory authorities within 72 hours of becoming aware of a data breach where required by law.

§9 Cookies

Our platform uses cookies and similar tracking technologies to enhance user experience, provide platform functionality, and analyze usage patterns. Cookies are categorized as strictly necessary, functional, analytics, and marketing.

We use a cookie consent banner to obtain your consent before setting non-essential cookies. For detailed information about our cookie usage, including how to manage cookie preferences, please refer to our Cookie Policy.

§10 Changes to Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Material changes will be communicated through:

• Email notification to registered users at least 30 days before changes take effect
• Prominent notice on our platform
• Updated version date at the top of this policy

Continued use of our services after changes become effective constitutes acceptance of the updated policy.

§11 Contact