freecap.ai

Data Protection Notice

  1. DATA CONTROLLER

The controller of personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 (GDPR) is:

FREECAP spółka z ograniczoną odpowiedzialnością
ul. Domaniewska 52, 02-672 Warsaw, Poland
NIP: 526 282 58 33

Contact regarding data protection matters:
e-mail: info@freecap.ai

  1. PURPOSES AND LEGAL BASES OF PROCESSING

Personal data are processed for the purposes related to the distribution of credit insurance products within the European Union, including Top-Up credit insurance.

  1. a) performance of contracts and pre-contractual activities (Article 6(1)(b) GDPR);
  2. b) compliance with legal obligations (Article 6(1)(c) GDPR), including AML, insurance law and supervisory reporting to KNF and FSMA;
  3. c) legitimate interests (Article 6(1)(f) GDPR) – fraud prevention, credit risk assessment and internal risk management. Legitimate interests have been assessed against the rights and freedoms of data subjects and have been deemed not to override those rights.
  4. d) consent (Article 6(1)(a) GDPR) – marketing communications and newsletters.

     3. CATEGORIES OF PERSONAL DATA

Identification and contact data of directors, beneficial owners and representatives;
financial, credit and transaction data of buyers;
invoice and policy-related data.

Provision of personal data is a contractual and/or statutory requirement. Failure to provide such data may result in inability to conclude or perform an insurance distribution agreement.

  1. RECIPIENTS OF PERSONAL DATA

Personal data may be disclosed to the following categories of recipients:
– KUKE S.A., acting as insurance underwriter;
– credit reference agencies and information providers established in the European Union;
– competent supervisory and public authorities, including KNF and FSMA.

Personal data may also be disclosed to entities providing services to the controller, acting as processors or independent controllers, in particular:
– IT service providers, including hosting, cloud computing, system maintenance and technical support providers;
– legal advisors and law firms;
– auditors, consultants and advisory firms, including financial, tax and compliance advisors;
– accounting and bookkeeping service providers,
to the extent necessary for the performance of such services and subject to appropriate contractual safeguards.

No transfers outside the EU/EEA are envisaged. Should such transfers occur, appropriate safeguards under Chapter V GDPR shall apply.

  1. DATA RETENTION PERIODS

Personal data shall be retained for the following periods:

– insurance quotations: up to 5 years,
counted from the end of the calendar year in which the quotation was issued or the quotation process was definitively closed;

– insurance policies, invoices and contractual documentation: up to 10 years,
counted from the end of the calendar year in which the insurance contract expired or was otherwise terminated;

– complaints and related documentation: up to 10 years,
counted from the end of the calendar year in which the complaint procedure was finally concluded,

unless a longer retention period is required by applicable law.

Where personal data are processed for the purpose of establishing, exercising or defending legal claims, such data may be retained until the expiry of the applicable limitation periods.

Upon expiry of retention periods, personal data shall be deleted or irreversibly anonymized.

  1. RIGHTS OF DATA SUBJECTS

Data subjects have the rights provided for in Articles 15–22 GDPR, including the right of access to personal data, rectification, erasure, restriction of processing, data portability and the right to object to processing.

Where personal data are processed on the basis of Article 6(1)(f) GDPR, the data subject has the right to object at any time, on grounds relating to their particular situation, to such processing.

The right to erasure shall not apply where processing is necessary for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims.

The right to data portability applies only to personal data processed on the basis of consent or a contract and carried out by automated means.

The controller does not carry out automated decision-making, including profiling, within the meaning of Article 22 GDPR.

Where processing is based on consent, consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Requests relating to the exercise of rights may be submitted to: info@freecap.ai

Data subjects also have the right to lodge a complaint with a supervisory authority, in particular:
– the President of the Personal Data Protection Office (PUODO) in Poland;
– the Belgian Data Protection Authority (APD).

  1. SECURITY OF PROCESSING

Appropriate technical and organizational measures are applied, including ISO 27001 alignment, TLS 1.3 encryption, access controls and annual penetration testing.

Personal data breaches are notified in accordance with Article 33 GDPR.

Version 17.02.2026