MVP Version · Closed beta
Privacy Policy
Last updated: April 7, 2026
Platform status
NetworkingPortal is currently in MVP / closed beta phase and available only to a limited group of invited testers. The operator may delete the entire database, change functionalities or terminate the project at any time. Do not enter sensitive information. After transitioning to a production version, the administrator will be changed to the target company and we will inform all users with adequate advance notice.
1. Data Controller
The controller of your personal data within the meaning of Regulation (EU) 2016/679 (GDPR) is:
Krzysztof Brzezina
a natural person running the test version of the NetworkingPortal platform
correspondence address: [ADDRESS — to be completed]
contact email: networkingportalpl@gmail.com
Please direct all questions regarding personal data processing, exercise of user rights and security incidents to the above email address.
2. What data we process
We process the following categories of data within the platform:
- Account data: email address, name (if provided), company/organization name (for organizers), phone number (optional), website URL (optional)
- Authentication data: Firebase UID (Google Firebase Auth identifier), session tokens, last login time
- Event data: titles, descriptions, locations, dates, attendee lists (for organizers)
- Business card and contact data: data voluntarily provided in digital business cards, list of contacts exchanged at events
- Event photos and likeness: photographs taken by participants using the "disposable camera" module. Photos may contain likenesses of persons present at the event — details in section 3.
- Technical data: browser information, operating system, anonymized IP address (via Cloudflare), session timestamps
- Analytics data: only after cookie consent — see section 8
- Data from publicly available sources: names of business groups, descriptions of networking events and meetings obtained from publicly available websites and social media. We do not collect personal data (names, surnames, email addresses, phone numbers, photos) from external sources. Group information profiles contain only organization names and paraphrased descriptions of their activities. Legal basis: Art. 6(1)(f) GDPR (legitimate interest — informing about available networking groups). Any authorized representative of an organization may claim a profile or request its removal.
Age limit
The NetworkingPortal platform is intended exclusively for adults (18 years or older). We do not knowingly collect data from persons below this age limit. If we learn that a minor's data has been submitted without parental or legal guardian consent, we will promptly delete it.
3. Likeness in event photos
The "disposable camera" module allows event participants to take photos, which are then shared in the event gallery. Photos may contain likenesses of other persons present at the event, therefore the following rules apply:
- Uploading user's responsibility: the user who takes or uploads a photo declares that they have consent from persons visible in the photograph for processing their likeness within the platform in accordance with this policy and Article 81 of the Copyright and Related Rights Act.
- Legal basis for likeness processing: Article 6(1)(f) GDPR — legitimate interest of the controller and event participants in documenting the networking meeting.
- Informing participants: organizers are required to inform event participants about the possibility of photos being taken before the event starts (e.g., in the event terms or during check-in).
- Right to likeness removal: any person depicted in a photo (even if not a registered platform user) has the right to request removal of their likeness from the gallery by sending a message to networkingportalpl@gmail.com. Requests are fulfilled without undue delay, no later than 7 days from receipt.
- Objection to processing: pursuant to Article 21 GDPR, a person whose likeness appears in a photo may object to processing, which results in deletion of the photograph.
4. Legal basis and purposes of processing
- Article 6(1)(b) GDPR — performance of contract (provision of platform services: registration, login, event creation, business card exchange, transactional emails such as magic links and event notifications)
- Article 6(1)(f) GDPR — legitimate interest of the controller, in particular:
  - ensuring platform security and preventing abuse
  - basic traffic statistics and aggregated usage metrics
  - documenting networking events through photos ("disposable camera" module — see section 3)
  - informing registered MVP testers about new platform functionalities (in closed beta phase, within the legitimate interest of product development)
  - suggesting business contacts and content personalization within the networking service
- Article 6(1)(a) GDPR — user consent (Google Analytics, potential marketing newsletter after beta exit — exclusively after explicit opt-in, revocable at any time)
- Article 6(1)(c) GDPR — legal obligation (data retention for accounting purposes, if applicable)
Automated decision-making and profiling
The platform may in the future offer features suggesting business contacts based on your industry, position or event history (so-called warm path / matchmaking). Such suggestions are purely advisory — they constitute content personalization within the provided service and do not produce any legal effects or significantly affect your situation within the meaning of Article 22 GDPR. You can disable personalization at any time in your account settings or send an objection to the controller's address.
5. Data recipients (processors)
We use the following infrastructure and service providers who process personal data on our behalf based on data processing agreements:
- Google Cloud Platform (Google Ireland Limited, IE) — Cloud Run hosting, Cloud SQL database, Cloud Storage. Regions: Poland (europe-central2) and Germany (europe-west3).
- Firebase Authentication (Google Ireland Limited, IE) — user authentication, magic links. Data may be transferred to the USA based on Standard Contractual Clauses (SCC).
- Cloudflare (Cloudflare Inc., USA) — CDN, DDoS protection, WAF. IP address anonymization.
- Resend (Resend Inc., USA) — email delivery (magic links, transactional notifications). Data transferred to the USA based on SCC.
- Google Analytics 4 (Google Ireland Limited, IE) — anonymized traffic statistics, only after consent. Consent Mode v2: no advertising data. IP anonymized.
6. Data retention period
- Account data: for the duration of the account. After deletion — soft delete (30 days) followed by permanent deletion from the active database.
- Event data and photos: for the duration of the organizer's account or until event deletion.
- Technical logs: 30 days.
- Google Analytics data: 14 months (default GA4 period).
- Backups: data may be present in automatic Cloud SQL database backups for up to 30 days after deletion from the active database. Data in backups is not actively processed — it serves only for system recovery in case of failure. After the backup retention period expires, the backups are automatically deleted.
- Business group information profiles: profiles containing publicly available information (group name, description, meeting dates) are stored indefinitely or until claimed by an authorized representative. A profile can be removed upon request — processed within 24 hours of receiving a report at networkingportalpl@gmail.com.
- MVP data: in the test version, data may be deleted by the operator at any time, also without notice, as part of development work.
7. Your rights (GDPR Articles 15-22)
In connection with data processing, you have the right to:
- Access to your data (Article 15)
- Rectification of inaccurate data (Article 16)
- Erasure of your data — "right to be forgotten" (Article 17)
- Restriction of processing (Article 18)
- Data portability in a structured, commonly used, machine-readable format (e.g., JSON) — Article 20
- Objection to processing (Article 21)
- Withdrawal of consent at any time (e.g., via the cookie banner at the bottom of the page)
- Filing a complaint with the supervisory authority — President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl
To exercise any of the above rights, write to networkingportalpl@gmail.com. You will receive a response within 30 days.
Manage your consents online
Enter your email address to receive a link to the consent management page. You will be able to view all active consents, withdraw them (Article 7(3) GDPR) or exercise your right to be forgotten (Article 17 GDPR). The link is valid for 24 hours.
8. Cookies and Google Analytics
We use the following types of cookies:
- Essential (technical): user session, language preferences, CSRF security token. No consent required.
- Analytics (Google Analytics 4): only after consent via cookie banner. Configuration:
  - Consent Mode v2
  - IP address anonymization
  - Disabled advertising data (ad_storage = denied)
  - No ad personalization
You can withdraw consent at any time by deleting cookies in your browser or contacting the administrator.
9. Data security
- Encrypted HTTPS connections (TLS 1.3) on all endpoints
- Passwords are never logged or transmitted in plain text
- Authentication via Firebase Auth (Google) — industry standard
- Cloud SQL databases with private network (Cloud SQL Auth Proxy), no public access
- PII masking in logs (emails, phone numbers, IPs never appear in application logs)
- Rate limiting and anti-scraping protection
10. Data transfer to third countries
Some services (Firebase, Google Analytics, Cloudflare, Resend) may transfer data to the USA. Transfer is based on:
- EU-US Data Privacy Framework (DPF) — Google LLC (including Firebase and Google Analytics) and Cloudflare Inc. are certified entities under the DPF, which means an adequate level of data protection recognized by the European Commission in decision 2023/1795.
- Standard Contractual Clauses (SCC) approved by the European Commission — for providers not covered by the DPF (e.g., Resend Inc., if it does not hold DPF certification at the time of transfer).
- Additional technical measures: encryption in transit (TLS 1.3) and at rest (AES-256), IP address anonymization, data minimization.
List of DPF certified entities available at dataprivacyframework.gov/list.
11. Warm Path — connection graph and recommendations
12. Private events and groups
Version history
Version 2026-04-08
Effective from April 8, 2026
First version of the privacy policy, introduced as part of the GDPR consent management system.
This privacy policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR).