Privacy and Cookies Policy (GDPR)

This document details the rules for processing personal data and using cookies within the digital systems of C-ICAS Group. We ensure full transparency in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR).

1. Data Controller

The controller of your personal data is:
C-ICAS Sp. z o.o.
ul. Jana Skrzetuskiego 23A, 05-080 Lipków, Poland
Tax ID (NIP): 1182226755, REGON: 389515180, KRS: 0000912380
E-mail: biuro@c-icas.gg | Tel.: +48 453 045 800

2. Data Categories, Purposes, and Legal Basis

We process data for strictly defined purposes:

A. Quoting and Service Provision (Including Calculator & PDF)

• Scope: First and last name / Company name, e-mail, investment data, project address (if provided).
• Purpose: Generating an automated estimate, sending a PDF quote, and contacting you to negotiate/conclude a contract.
• Legal basis: Art. 6(1)(b) GDPR (steps taken prior to entering into a contract).

B. Artificial Intelligence (Gemini AI Assistant)

• Scope: Message content, uploaded files (e.g., site photos), session history.
• Purpose: Providing answers to technical questions, consulting, and visual project estimation based on provided photos.
• Legal basis: Art. 6(1)(f) GDPR (legitimate interest) and Art. 6(1)(a) GDPR (consent through initiating the chat).
• Important: The system utilizes Google Gemini technology. Users are prohibited from providing sensitive personal data in the AI chat (e.g., exact home addresses, ID numbers). Content (including uploaded photos) is analyzed automatically and may be subject to Google LLC's retention policies. Chat logs are archived on our secure servers (SharePoint) for analytical purposes.

C. Recruitment and HR

• Scope: Name, phone, e-mail, CV, skills information.
• Purpose: Conducting the recruitment process for a selected position.
• Legal basis: Art. 6(1)(b) GDPR.
• Retention: Based on the option selected in the application form:
  - Current recruitment: data deleted within 6 months.
  - Future recruitments (requires separate consent): data retained up to 24 months.

D. Bookings, Calendar, and Video Assistant

• Purpose: Scheduling technical meetings and providing remote video consulting.
• Legal basis: Art. 6(1)(b) GDPR. Video calls are intended for real-time problem-solving and are not recorded without prior, explicit consent.

E. Online Payments

• Purpose: Processing electronic payments (BLIK, transfers, cards).
• Legal basis: Art. 6(1)(b) and (c) GDPR. Data is shared with certified payment operators.

3. Data Recipients and Transfer outside the EEA

Your data may be shared with our cooperating entities (data processors):

• Cloud infrastructure providers: Microsoft Corporation (SharePoint environment - AI logs, documents, CVs), Netlify (hosting).
• AI service providers: Google LLC (Gemini chat operations).
• Payment gateway operators and accounting offices.

Due to the use of Netlify and Google services, data may be transferred to the USA. This occurs based on the Data Privacy Framework (DPF) or Standard Contractual Clauses (SCC) ensuring a level of protection required by the EU.

4. Publication of Images (Portfolio and Employees)

Photos of completed projects (Before/After) published in our Portfolio, where elements identifying a natural person are visible, are processed based on consent (Art. 6(1)(a) GDPR). The image and profiles of our employees in the "About Us" section are published based on their voluntary consent.

5. Data Subject Rights

• Right of access and to obtain a copy of the data.
• Right to rectification, erasure ("right to be forgotten"), or restriction of processing.
• Right to data portability.
• Right to object to processing (including AI profiling/marketing).
• Right to withdraw consent at any time.
• Right to lodge a complaint with a supervisory authority.

6. Cookies and Tracking Technologies

The website uses cookies managed via a built-in preference panel (Cookie Banner). Cookie categories:

• Necessary: Session maintenance, security, cart state (cannot be disabled).
• Analytics: Tools helping to understand website usage, activated only after consent.
• Marketing: Conversion tracking and ad matching, activated only after consent.

Cookie consents are stored in the user's browser for a maximum of 6 months, after which the system will request renewed preferences.