Documents
Privacy Policy
Version 1.0 · In force since: 1 June 2026
01Personal data controller
The controller of your personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: the „GDPR") is:
Custom Service (Exportsy brand), ul. Bielska 107, 32-652 Bukowice
NIP: 5492373228, REGON: 52825056700000
E-mail: kontakt@exportsy.pl
The controller operates the Restrikt service, available at sankcje.exportsy.pl (hereinafter: the „Service"), which is an informational tool for checking whether a product CN code is subject to EU sanctions.
02Contact details for GDPR matters
For all matters concerning the processing of personal data and the exercise of your rights, you can contact the controller at email: kontakt@exportsy.pl.
The controller has not appointed a Data Protection Officer (DPO), as it is not obliged to do so under Article 37 of the GDPR.
03Scope of data collected
3.1 Sign-up for materials and updates (email form)
The email address provided in the form to sign up for materials and updates concerning EU sanctions and changes in the regulations. Providing the address is voluntary but necessary to receive the material and messages.
3.2 Use of the Service
IP address, browser type and version (user-agent), entry source (UTM parameters), date and time of the request. This data is collected automatically and serves to ensure security, limit abuse (request limit) and analyse traffic for statistical purposes.
3.3 Email contact
Data provided voluntarily in the content of a message sent to the contact address (e.g. name, company name, content of the enquiry) for the purpose of responding.
04Purposes and legal bases of processing
| Purpose of processing | Legal basis |
|---|---|
| Sending materials and updates about EU sanctions and regulations | Art. 6(1)(a) GDPR (consent) |
| Responding to an enquiry sent by email | Art. 6(1)(f) GDPR (legitimate interest) |
| Ensuring the security of the Service and limiting abuse | Art. 6(1)(f) GDPR (legitimate interest) |
| Statistics and improvement of the Service | Art. 6(1)(f) GDPR (legitimate interest) |
| Pursuit of or defence against claims | Art. 6(1)(f) GDPR (legitimate interest) |
05Data retention period
| Data category | Retention period |
|---|---|
| Email address (sign-up for materials and updates) | Until consent is withdrawn (unsubscribed) |
| Technical data (IP, user-agent, logs) | Up to 12 months |
| Email correspondence | 12 months from the last contact |
06Data recipients (processors)
| Recipient | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting of the Service, CDN | USA (SCC) |
| Supabase Inc. | Database (storage of sign-ups and logs) | EU, Frankfurt (EEA) |
| Resend (Plus Five Five, Inc.) | Sending email messages | USA (SCC) |
| MailerLite (UAB MailerLite) | Handling sign-ups and sending materials and updates | EU, Lithuania (EEA) |
With each processor, the controller has concluded a data processing agreement compliant with Article 28 of the GDPR.
07Data transfer outside the EEA
In connection with the use of providers based in the USA (Vercel, Resend), data may be transferred outside the European Economic Area. The transfer takes place on the basis of Standard Contractual Clauses (SCC) approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, ensuring an adequate level of data protection.
08Rights of data subjects
Under the GDPR you have the following rights:
- Right of access to data (Article 15 GDPR).
- Right to rectification of data (Article 16 GDPR).
- Right to erasure of data, the „right to be forgotten" (Article 17 GDPR).
- Right to restriction of processing (Article 18 GDPR).
- Right to portability of data (Article 20 GDPR).
- Right to object to processing based on a legitimate interest (Article 21 GDPR).
- Withdrawal of consent at any time, without affecting the lawfulness of processing prior to withdrawal (Article 7(3) GDPR). Consent can be withdrawn by clicking the „unsubscribe" link in any message or by writing to the contact address.
- Complaint to the PUODO (ul. Stawki 2, 00-193 Warsaw, the Polish data protection authority), if the processing infringes the GDPR (Article 77 GDPR).
09Cookies
The Service uses only cookies necessary for its proper operation (session maintenance, security). The Service does not use analytical, marketing or profiling cookies and does not use tracking or advertising tools.
Necessary cookies do not require consent. The User can manage cookies at any time at the level of the web browser.
10Data security
The controller applies appropriate technical and organisational measures protecting data against unauthorised access, loss or disclosure, including encryption of transmission (SSL/TLS), access control and storage of the database within the EEA.
11Changes to the Privacy Policy
The controller reserves the right to amend this Policy. The current version is always available at sankcje.exportsy.pl/polityka-prywatnosci.