freecap.ai

Privacy Policy

 

FREECAP spółka z ograniczoną odpowiedzialnością

This Privacy Policy describes the principles of processing personal data by FREECAP spółka z ograniczoną odpowiedzialnością in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – “GDPR”).

  1. Data Controller

The controller of personal data within the meaning of Article 4(7) GDPR is:

FREECAP spółka z ograniczoną odpowiedzialnością
ul. Domaniewska 52
02-672 Warsaw, Poland
NIP: 526 282 58 33

Contact regarding data protection matters:
e-mail: info@freecap.ai

  1. Purposes and Legal Bases of Processing

Personal data are processed for purposes related to the distribution of credit insurance products within the European Union, including Top-Up credit insurance.

Personal data are processed on the following legal bases:

  1. a) Performance of contracts and pre-contractual activities
    (Article 6(1)(b) GDPR).
  2. b) Compliance with legal obligations to which the controller is subject, including obligations arising from anti-money laundering regulations (AML), insurance law, and supervisory reporting to competent authorities, including KNF and FSMA
    (Article 6(1)(c) GDPR).
  3. c) Legitimate interests of the controller
    (Article 6(1)(f) GDPR), including fraud prevention, credit risk assessment, and internal risk management.
    The legitimate interests have been assessed against the rights and freedoms of data subjects and have been deemed not to override those rights.
  4. d) Consent
    (Article 6(1)(a) GDPR), in particular for marketing communications and newsletters.
  5. Categories of Personal Data

The controller processes in particular the following categories of personal data:

  • identification and contact data of directors, beneficial owners and authorised representatives;
  • financial, credit and transaction data of buyers;
  • invoice and policy-related data.

Provision of personal data constitutes a contractual and/or statutory requirement.
Failure to provide such data may result in the inability to conclude or perform an insurance distribution agreement.

  1. Recipients of Personal Data

Personal data may be disclosed to the following categories of recipients:

  • KUKE S.A., acting as insurance underwriter;
  • credit reference agencies and information providers established in the European Union;
  • competent supervisory and public authorities, including KNF and FSMA.

Personal data may also be disclosed to entities providing services to the controller, acting as processors or independent controllers, in particular:

  • IT service providers, including hosting, cloud computing, system maintenance, and technical support providers;
  • legal advisors and law firms;
  • auditors, consultants, and advisory firms, including financial, tax and compliance advisors;
  • accounting and bookkeeping service providers,

to the extent necessary for the performance of such services and subject to appropriate contractual safeguards.

No transfers of personal data outside the EU/EEA are envisaged.
Should such transfers occur, appropriate safeguards in accordance with Chapter V GDPR shall apply.

 

  1. Data Retention Periods

Personal data shall be retained for the following periods:

  • Insurance quotations – up to 5 years, counted from the end of the calendar year in which the quotation was issued or the quotation process was definitively closed;
  • Insurance policies, invoices, and contractual documentation – up to 10 years, counted from the end of the calendar year in which the insurance contract expired or was otherwise terminated;
  • Complaints and related documentation – up to 10 years, counted from the end of the calendar year in which the complaint procedure was finally concluded,

unless a longer retention period is required by applicable law.

Where personal data are processed for the purpose of establishing, exercising, or defending legal claims, such data may be retained until the expiry of the applicable statutory limitation periods.

Upon expiry of the applicable retention periods, personal data shall be deleted or irreversibly anonymised.

  1. Rights of Data Subjects

Data subjects have the rights provided for in Articles 15–22 GDPR, including:

  • the right of access to personal data;
  • the right to rectification;
  • the right to erasure;
  • the right to restriction of processing;
  • the right to data portability;
  • the right to object to processing.

Where personal data are processed on the basis of Article 6(1)(f) GDPR, the data subject has the right to object at any time, on grounds relating to their particular situation, to such processing.

The right to erasure shall not apply where processing is necessary for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defence of legal claims.

The right to data portability applies only to personal data processed on the basis of consent or a contract and carried out by automated means.

The controller does not carry out automated decision-making, including profiling, within the meaning of Article 22 GDPR.

Where processing is based on consent, consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Requests relating to the exercise of data subject rights may be submitted to:
info@freecap.ai

Data subjects have the right to lodge a complaint with a supervisory authority, in particular:

  • the President of the Personal Data Protection Office (PUODO) in Poland;
  • the Belgian Data Protection Authority (APD).
  1. Security of Processing

The controller applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • alignment with ISO 27001 standards;
  • TLS 1.3 encryption;
  • access control mechanisms;
  • annual penetration testing.

Personal data breaches are notified in accordance with Article 33 GDPR.

Version 17.02.2026