Privacy Policy
LEGAFLOW
Compliance Platform for Content Creator Agencies
Protection of Personal Data
Version 1.0
Effective Date: 15 April 2026 | Last Updated: 15 April 2026
PUBLISHER
OMAZEO SP. Z O.O.
Plac Bankowy 2, 00-095 Warszawa, Poland
KRS: 0000879770 | NIP: 7842524687 | REGON: 387980205
Share capital: 20,000 PLN (fully paid-up)
1. Identity of the Controller and Nature of the Platform
1.1. Publisher and Data Controller
This Privacy Policy (the "Policy") is issued by OMAZEO SP. Z O.O., a limited liability company incorporated under the laws of the Republic of Poland, registered with the Polish National Court Register (KRS) under number 0000879770, bearing tax identification number NIP 7842524687, statistical number REGON 387980205, having a share capital of twenty thousand Polish złoty (20,000 PLN) fully paid-up, and with its registered office at Plac Bankowy 2, 00-095 Warszawa, Poland (the "Company", "LegaFlow", "we", "us", "our"). The Company acts as Controller of Personal Data within the meaning of Article 4(7) of Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") for the Processing activities described in this Policy, except where expressly indicated otherwise.
1.2. Nature of the Platform
LegaFlow is a proprietary technology solution operated as software-as-a-service (SaaS). The platform is designed exclusively for business users — namely, Agencies that manage Content Creators operating on third-party monetization platforms. The platform automates the deployment of structured compliance questionnaires, collects and analyses the responses of enrolled Content Creators, computes algorithmic risk indicators, aggregates such indicators into Agency-level dashboards operating on a strict privacy-by-design principle, produces exportable PDF Compliance Reports, maintains tamper-evident append-only audit trails, and administers the discretionary Legal Defense Assistance Program.
LegaFlow is a business-to-business (B2B) service. Only Agencies are subscribers to the platform; Agencies must be duly registered professional operators (see the Terms of Service, Section 4.1). Content Creators are not customers of the Company and do not pay the Company; they are enrolled by Agencies as end-users and interact with the platform through accounts provisioned by, or on behalf of, the Agencies. This Policy nonetheless describes the rights of Content Creators, of Agency users, and of all other individuals whose Personal Data is Processed by the Company.
1.3. Scope
This Policy applies to the Processing of Personal Data in connection with: (i) the legaflow.io website and all subdomains operated by the Company; (ii) the LegaFlow platform and all related services; (iii) commercial prospecting and sales interactions; (iv) customer support and account management; (v) the discretionary Legal Defense Assistance Program; and (vi) the Company's internal operations, to the extent Personal Data is Processed.
1.4. Applicable Law
As a Controller established in Poland, the Company is subject as a matter of primary law to: the GDPR; the Polish Act on the Protection of Personal Data of 10 May 2018 (Dz. U. 2018 poz. 1000, as amended); the Polish Act on Electronic Services of 18 July 2002; the Polish Telecommunications Law and the Electronic Communications Law of 12 July 2024; and the guidance of the President of the Polish Personal Data Protection Office (Urząd Ochrony Danych Osobowych, "UODO"). Where the Company offers services to, or monitors the behaviour of, Data Subjects in other jurisdictions, the Company additionally complies with the applicable law of those jurisdictions (see Sections 12 to 15).
2. Allocation of Roles under Data-Protection Law
The Company's role under data-protection law varies according to the nature of the Processing activity. This Section describes the allocation of roles.
2.1. Company as Controller
The Company acts as Controller in respect of:
- Account and billing data of Agency users (name, business email, role, login credentials, payment-method identifier);
- Website analytics data collected on legaflow.io (limited to privacy-preserving analytics — see the Cookie Policy);
- Business-development data relating to prospective customers;
- Data Processed to comply with the Company's own legal obligations (accounting, tax, anti-money-laundering, sanctions screening, security-incident reporting, KYB data concerning Agencies);
- Personal Data of Content Creators Processed in connection with the Legal Defense Assistance Program when the Company actually funds legal defense (intake, conflict checks, funding decisions, clawback and subrogation records).
2.2. Company as Joint Controller with the Agency
The Company and each Agency act as Joint Controllers within the meaning of Article 26 GDPR in respect of:
- Identity verification of Content Creators through Veriff (the fact of enrollment, verification outcome, age confirmation, sanctions screening);
- Survey design, deployment frequency, and the algorithmic parameters that produce the Risk Score — the Company designs the methodology; the Agency determines when and to which Content Creators Surveys are deployed.
A Joint-Controller Arrangement is incorporated by reference into the Data Processing Agreement ("DPA") concluded between the Company and each Agency. The DPA allocates responsibility for providing information to Content Creators, for handling their rights requests, and for cooperating with supervisory authorities. The essence of the arrangement is made available to Content Creators upon request to dpo@legaflow.io.
2.3. Company as Processor on behalf of the Agency
The Company acts as Processor within the meaning of Article 28 GDPR on behalf of the Agency in respect of:
- Survey responses submitted by Content Creators to questions deployed by the Agency;
- Documents uploaded by the Agency (contracts, policies, notices, correspondence) for contract analysis or storage;
- Internal compliance notes, tags, and annotations entered by Agency users;
- Communications exchanged through the platform's messaging features.
The Agency is the Controller of such data. The Company Processes it solely according to the Agency's documented instructions and the DPA concluded with the Agency. Content Creators who wish to exercise rights in respect of such data should in principle contact their Agency first; the Company will support the Agency in handling such requests and will not unilaterally disclose, modify, or erase such data without the Agency's instruction, except where required by law.
2.4. Relationship with Content Creators
The Company has no direct contractual relationship with individual Content Creators. Each Content Creator is engaged by, and contractually bound to, an Agency. Content Creators do not pay the Company. Nevertheless, certain Processing activities affect Content Creators directly, and Content Creators therefore benefit from the rights set out in this Policy in addition to any rights under their contract with the Agency. Content Creators may contact the Company directly at dpo@legaflow.io to exercise those rights.
3. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person.
"Special Categories of Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed to uniquely identify a person, health data, and data concerning a natural person's sex life or sexual orientation.
"Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
"Controller" means the natural or legal person who determines the purposes and means of Processing.
"Processor" means the natural or legal person who Processes Personal Data on behalf of the Controller.
"Joint Controllers" means two or more Controllers that jointly determine the purposes and means of Processing.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Agency" means any legal entity or duly registered sole trader subscribing to the LegaFlow platform.
"Content Creator" means any adult natural person engaged by an Agency and enrolled by that Agency on the LegaFlow platform.
"KYB" means Know-Your-Business, the identity-assurance process conducted on Agencies.
"KYC" means Know-Your-Customer, the identity-assurance process conducted on Content Creators via Veriff.
"Risk Score" means the 0-to-100 algorithmic indicator produced by the platform on the basis of Survey responses.
"Survey" means a structured questionnaire administered through the platform to Content Creators.
"Compliance Report" means a structured PDF document produced by the platform summarising the compliance posture of an Agency.
4. Categories of Personal Data Processed
4.1. Agency Users — KYB Data
In connection with the onboarding, registration, and ongoing monitoring of Agencies, the Company processes KYB data, which may include: full legal business name; legal form; commercial register number; tax identification number; statistical numbers; registered address; country of operation; proof of ultimate beneficial ownership (names, dates of birth, nationality of natural persons holding 25% or more); corporate documents (extracts, articles of association, declarations of authorised representatives); tax-residency confirmations; sanctions-list screening results. In addition, for each Agency user account: full name; business email; business phone number; job title; login credentials (hashed and salted); session tokens; authentication logs; device and browser metadata; IP address; communications with support; billing information (company name, VAT number, registered address, payment-method identifier). Full payment-card numbers are never stored by the Company; they are tokenised by Stripe.
4.2. Content Creators — KYC and Survey Data
The following categories of Personal Data relating to Content Creators are Processed through the platform:
- KYC identification data (via Veriff): full legal name; date of birth; nationality; government-issued identity document; identity-document photograph; live-capture facial image for Veriff biometric matching; sanctions-list and PEP-screening results;
- Contact data: professional email address; professional phone number;
- Engagement data: stage name or pseudonym; Third-Party Monetization Platforms used; platform handles; date of engagement by the Agency; written contract between Creator and Agency (uploaded by the Agency);
- Survey-response data: free-text and structured responses concerning working conditions, ongoing consent, mental and physical wellbeing, satisfaction with the Agency, and any reported incidents;
- Derived data: Risk Score, trend indicators, alert triggers, review states;
- Audit data: timestamped log of each Survey deployment, submission, consultation, report generation, and dashboard action, with SHA-256 hashing for tamper-evidence;
- LDA intake data (where applicable): facts of the dispute, counterparty identity, timelines, documents, conflict-check information, funding decisions, clawback and subrogation records.
4.3. Special Categories of Personal Data
Because the platform operates in the adult-content sector, Survey responses and uploaded documents may contain Special Categories of Personal Data — in particular data concerning sex life or sexual orientation, health data (including mental health), and biometric data (Veriff). The Company applies the enhanced safeguards required by Article 9 GDPR. Special-Category data is Processed exclusively on the basis of: (a) explicit consent obtained by the Agency from the Content Creator at enrollment and renewed through periodic Surveys (Article 9(2)(a) GDPR); or (b) establishment, exercise, or defense of legal claims (Article 9(2)(f) GDPR) in the context of the Legal Defense Assistance Program. Content Creators may withdraw consent at any time by contacting their Agency or by writing to dpo@legaflow.io. Withdrawal does not affect the lawfulness of Processing carried out before withdrawal, and does not affect Processing based on a different lawful ground (such as the defense of legal claims).
4.4. Website Visitors
IP address (truncated for analytics); browser type; operating system; referrer URL; pages visited; duration; language; preference cookies. The Company uses privacy-preserving self-hosted analytics with IP truncation. The Company does not deploy advertising pixels from Meta, Google Ads, TikTok, LinkedIn, or similar networks. See the Cookie Policy for details.
4.5. Business Contacts
Full name; business email; business phone number; employer; job title; correspondence history; contract and invoice data.
5. Purposes of Processing and Legal Bases
The Company Processes Personal Data only for specific, explicit, and legitimate purposes, and only on the basis of a valid legal ground under Articles 6 and, where applicable, 9 GDPR.
| Purpose | Categories | Legal Basis | Retention |
|---|---|---|---|
| Provision of the platform to Agencies | Agency user data, Creator data uploaded by Agency | Contract (Art. 6(1)(b)) with Agency | Duration of subscription + 5 years |
| KYB verification of Agencies | Corporate docs, UBO data, sanctions screening | Contract + legal obligation (AML, sanctions) | 5 years after end of relationship |
| KYC identity verification via Veriff | Biometric, ID document, age check | Consent (Art. 9(2)(a)) + legal obligation (age) | 5 years from verification |
| Periodic Surveys and Risk Scoring | Survey responses, derived indicators | Consent (Art. 9(2)(a)) for special-category content; legitimate interest (Art. 6(1)(f)) for non-special content | 5 years from Survey |
| Tamper-evident audit logs | Hashed event metadata | Legal obligation + legitimate interest (evidentiary integrity) | 5 years minimum |
| Billing, accounting, tax (incl. VAT) | Agency billing data, invoices | Legal obligation (Art. 6(1)(c)) — Polish Accounting Act of 29 Sept. 1994 | 10 years |
| Customer support | Correspondence, account metadata | Contract + legitimate interest | 3 years from closure |
| Fraud prevention and security | Logs, IP, device metadata | Legitimate interest (Art. 6(1)(f)) — information security | 12 months; longer if incident |
| Sales and prospecting | Business contact data | Legitimate interest; consent for email marketing where required | 3 years from last contact |
| LDA Program administration | Creator/Agency dispute data | Legitimate interest + consent + establishment of legal claims (Art. 9(2)(f)) | 10 years |
| Compliance with legal obligations | Varies | Legal obligation (Art. 6(1)(c)) | As required by law |
6. Sources of Personal Data
The Company obtains Personal Data from the following sources:
- Directly from Agency users when they create accounts, subscribe, use the platform, or contact support;
- Directly from Content Creators when they complete the Veriff KYC flow and submit Surveys;
- From Agencies, when they upload contracts or enroll Creators;
- From Veriff OÜ (KYC outcomes and screening signals);
- From Stripe (payment-method tokens, payment status, fraud signals);
- From public registries, credit bureaus, and sanctions lists (for KYB and sanctions-screening purposes);
- From the Company's security telemetry (authentication logs, anomaly alerts);
- From business contacts who voluntarily provide their data through forms, email, or events.
7. Automated Decision-Making and the Risk Score
7.1. Nature of the Risk Score
The platform computes an algorithmic Risk Score (0 to 100) for each enrolled Content Creator on the basis of Survey responses, submission cadence, Veriff outcomes, and documentary inputs provided by the Agency. The Risk Score is used to produce compliance alerts and to populate the Agency's dashboard. It is an internal decision-support indicator; it does not, by itself, determine any outcome external to the platform.
7.2. Article 22 GDPR Safeguards
The Risk Score is not a fully automated decision producing legal or similarly significant effects on the Content Creator within the meaning of Article 22(1) GDPR. It is reviewed by the Agency (and, in certain cases, by the Company's compliance team) before any consequential action is taken. Where a Risk Score (or any other automated output) might contribute to a decision producing legal or similarly significant effects on a Data Subject — for example, suspension of enrollment, LDA-Program disqualification, or reporting to authorities — the Data Subject has the right to: (a) obtain human intervention by writing to dpo@legaflow.io; (b) express their point of view; and (c) contest the decision. The Company does not use the Risk Score as the sole basis for any decision producing legal or similarly significant effects on a Content Creator.
8. Recipients and Subprocessors
8.1. Internal Recipients
Personal Data is accessible internally only to authorised personnel of the Company (compliance, engineering, legal, support, security, finance) on a need-to-know basis, subject to contractual and statutory confidentiality obligations and to role-based access controls.
8.2. Subprocessors
The Company engages the following categories of Subprocessors, each bound by a written data-processing agreement incorporating the obligations required by Article 28 GDPR and, where applicable, the EU Standard Contractual Clauses or the UK International Data Transfer Agreement.
| Subprocessor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Veriff OÜ | KYC identity verification, age confirmation, sanctions screening | Estonia (EU) | EU — no additional mechanism required |
| Stripe Payments Europe, Ltd. / Stripe, Inc. | Payment processing, tokenisation, billing, fraud detection | Ireland (EU), United States | EU SCCs + Supplementary Measures; UK IDTA |
| Supabase Inc. | Managed database (PostgreSQL), authentication, object storage | EEA (EU region) | EU SCCs where applicable |
| Vercel Inc. | Frontend hosting, edge compute, content delivery | Global edge with EU data residency | EU SCCs + Supplementary Measures |
| Resend | Transactional and notification email | EU | EU region; SCCs for any US fallback |
| Specialist counsel and partner law firms | Legal defense under the LDA Program, regulatory advice | Country of matter | Case-by-case; professional secrecy |
The current list of Subprocessors is published at legaflow.io/subprocessors. Agencies may subscribe to notification of new Subprocessors with a thirty (30) day objection period.
8.3. Third Parties
Personal Data may also be disclosed to: (a) the Agency that enrolled the Content Creator, for purposes of the Agency's own compliance management; (b) competent authorities, courts, regulators, and tax authorities, where required by law or in response to a valid order; (c) professional advisors (lawyers, auditors, accountants) bound by professional secrecy; (d) successors in the context of a merger, acquisition, or reorganisation, subject to equivalent protections; and (e) other parties with the Data Subject's documented consent.
8.4. No Sale, No Share, No Targeted Advertising
The Company does not sell Personal Data, does not rent Personal Data, does not trade Personal Data for monetary or other valuable consideration, and does not share Personal Data for cross-context behavioural advertising. The Company does not use Personal Data to build advertising audiences, does not synchronise Personal Data with advertising platforms, and does not permit Subprocessors to use Personal Data for their own purposes.
9. International Data Transfers
The Company Processes Personal Data primarily within the European Economic Area. Where Personal Data is transferred to a country outside the EEA that is not the subject of an adequacy decision of the European Commission, the Company relies on one of the following safeguards pursuant to Chapter V GDPR:
- European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914), supplemented by appropriate technical and organisational measures;
- United Kingdom International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs;
- Binding Corporate Rules of the recipient, where applicable;
- Explicit consent of the Data Subject for occasional, non-systematic transfers, where permitted under Article 49 GDPR;
- Establishment, exercise, or defense of legal claims (Article 49(1)(e) GDPR) in the context of the LDA Program.
A copy of the safeguards applicable to any specific transfer may be obtained by writing to dpo@legaflow.io.
10. Data Retention
Personal Data is retained only for as long as necessary for the purposes for which it was collected, and in accordance with the retention periods set out in the table in Section 5. The main periods are:
- Account data of Agency users: duration of the Subscription plus five (5) years from termination, for evidentiary and contractual-claim purposes under Polish civil law;
- KYB records: five (5) years after the end of the business relationship, in line with AML recommendations;
- Veriff KYC records: five (5) years from verification;
- Survey responses and Risk-Score data: five (5) years from each Survey;
- Tamper-evident audit logs: minimum five (5) years, extendable to ten (10) years in the event of active dispute, investigation, or regulatory request;
- Billing and accounting records: ten (10) years (Polish Accounting Act of 29 September 1994 and tax-administration requirements);
- LDA-Program records: ten (10) years from case closure, consistent with statute-of-limitation periods for professional-liability claims;
- Marketing and prospect data: three (3) years from last interaction or until withdrawal of consent, whichever is earlier;
- Security logs: twelve (12) months for routine events; longer where an incident is under investigation.
Upon expiry of the applicable retention period, Personal Data is deleted, anonymised, or archived in restricted-access cold storage for the strict duration of any residual legal obligation.
11. Data Subject Rights
Data Subjects in the European Economic Area, the United Kingdom, and Switzerland have the following rights under the GDPR, the UK GDPR, and the Swiss FADP respectively. The Company will honour verifiable requests within one (1) month of receipt, extendable by two (2) further months where necessary taking into account the complexity and number of requests (Article 12(3) GDPR):
(a) Right of access (Article 15 GDPR) — to obtain confirmation of Processing and a copy of the data;
(b) Right to rectification (Article 16) — to have inaccurate or incomplete data corrected;
(c) Right to erasure / "right to be forgotten" (Article 17) — subject to legal retention obligations;
(d) Right to restriction of Processing (Article 18);
(e) Right to data portability (Article 20) — to receive data in a structured, machine-readable format;
(f) Right to object (Article 21), including an absolute right to object to Processing for direct-marketing purposes;
(g) Right not to be subject to solely automated decisions (Article 22);
(h) Right to withdraw consent at any time where Processing is based on consent (Article 7(3));
(i) Right to lodge a complaint with a supervisory authority (Article 77 GDPR; Article 15 UK GDPR); see Section 18.
Requests should be addressed to dpo@legaflow.io with information sufficient to verify the requester's identity. Where the request relates to data Processed by the Company as a Processor on behalf of an Agency, the Company will forward the request to the Agency and support its handling.
12. Additional Information for Poland and the European Economic Area
As a Controller established in Warsaw, Poland, the Company is subject to the supervision of the President of the Polish Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, "UODO"). Data Subjects located in Poland or in any other EEA Member State may exercise their GDPR rights by writing to dpo@legaflow.io and may, at any time and without prejudice to any other administrative or judicial remedy, lodge a complaint with the UODO or with the supervisory authority of their Member State of habitual residence, place of work, or alleged infringement (Article 77 GDPR).
The Company has voluntarily designated a Data Protection Officer (DPO) within the meaning of Articles 37 to 39 GDPR. The DPO may be contacted at dpo@legaflow.io or by post to OMAZEO SP. Z O.O., Plac Bankowy 2, 00-095 Warszawa, Poland, for the attention of the DPO.
The Company complies with the Polish Act on the Protection of Personal Data of 10 May 2018 and with the guidance of the UODO, including on the Processing of biometric data, the documentation of consent, and the management of data breaches.
13. Additional Information for United Kingdom Residents
For Data Subjects located in the United Kingdom, the Company complies with the UK GDPR and the UK Data Protection Act 2018. Complaints may be lodged with the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow SK9 5AF, ico.org.uk. Where required by Article 27 UK GDPR, the Company has appointed a UK representative whose contact details are published at legaflow.io/legal/representatives.
14. Additional Information for California Residents
This Section supplements the Policy and applies to Personal Information of California residents within the meaning of the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
14.1. Categories Collected and Sources
In the preceding twelve (12) months, the Company has collected the following categories of Personal Information: identifiers; commercial information; internet or other electronic network activity; geolocation (approximate); professional information; sensitive Personal Information (for Content Creators: government identifiers, biometric identifiers via Veriff, data concerning sex life or sexual orientation). Sources and purposes are described in Sections 5 and 6.
14.2. No Sale, No Share, No Targeted Advertising
The Company does not sell Personal Information and does not share Personal Information for cross-context behavioural advertising within the meaning of the CPRA. The Company honours the Global Privacy Control (GPC) signal.
14.3. Rights of California Residents
California residents have the rights to: (a) know what Personal Information is collected, used, disclosed, and sold/shared; (b) delete Personal Information, subject to statutory exceptions; (c) correct inaccurate Personal Information; (d) opt out of sale or sharing (not applicable — the Company does neither); (e) limit use and disclosure of sensitive Personal Information; (f) non-discrimination for exercising CPRA rights; and (g) portability. To exercise these rights, California residents may write to dpo@legaflow.io or use the "Do Not Sell or Share My Personal Information" link on legaflow.io (included for transparency even though the Company does not sell or share). Authorised agents may submit requests with written authorisation.
15. Additional Information for Other Jurisdictions
15.1. Brazil (LGPD)
For Data Subjects located in Brazil, the Company complies with the Brazilian Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018). Personal Data is Processed on the bases set out in Article 7 LGPD (for non-sensitive data) and Article 11 LGPD (for sensitive data). Data Subjects have the rights set out in Article 18 LGPD (confirmation, access, correction, anonymisation, portability, deletion, information on sharing, information on consent, revocation of consent). Requests should be addressed to dpo@legaflow.io. The Company has designated an Encarregado de Dados (dpo@legaflow.io) within the meaning of Article 41 LGPD. Complaints may be lodged with the Autoridade Nacional de Proteção de Dados (ANPD, gov.br/anpd).
15.2. Switzerland (nFADP)
For Data Subjects located in Switzerland, the Company complies with the revised Federal Act on Data Protection (nFADP), in force since 1 September 2023. Data Subjects have rights of access, rectification, erasure, and objection equivalent to those set out in Section 11. Complaints may be lodged with the Swiss Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Berne.
15.3. Other Jurisdictions
Where applicable, the Company complies with additional data-protection laws of jurisdictions in which its services are offered (including, without limitation, the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, the Canadian PIPEDA, the Australian Privacy Act 1988). Specific information and additional rights are made available on request to dpo@legaflow.io.
16. Security Measures
The Company implements technical and organisational measures appropriate to the risks presented by Processing, within the meaning of Article 32 GDPR, including:
- AES-256 encryption of Personal Data at rest and TLS 1.2+ encryption in transit;
- Role-based access control based on the principle of least privilege;
- Multi-factor authentication for all privileged accounts;
- Append-only audit logs with SHA-256 hashing and periodic integrity verification;
- Tenant isolation between Agencies;
- Regular vulnerability scanning and penetration testing by independent third parties;
- Secure software-development lifecycle with code review, static analysis, and dependency monitoring;
- Incident-response plan with 24/7 on-call coverage and defined escalation paths;
- Background checks, confidentiality undertakings, and data-protection training for personnel;
- Business-continuity and disaster-recovery testing at least annually;
- Vendor-risk assessment before engagement and periodic reassessment.
No security measure is perfect. The Company makes no guarantee of absolute security and expressly disclaims any such guarantee.
17. Data-Breach Notification
In the event of a Personal Data breach likely to result in a risk to the rights and freedoms of Data Subjects, the Company will:
- Notify the competent supervisory authority (as a matter of primary law, the UODO) without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of the breach (Article 33 GDPR);
- Notify affected Agencies within seventy-two (72) hours of becoming aware of a breach affecting their data;
- Communicate the breach to Data Subjects where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR);
- Document all breaches, remedial measures taken, and lessons learned.
18. Supervisory Authorities
Data Subjects have the right to lodge a complaint with the competent supervisory authority, in particular:
- Poland (primary): Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl;
- European Economic Area: the supervisory authority of the Data Subject's Member State of habitual residence, place of work, or alleged infringement;
- United Kingdom: Information Commissioner's Office (ICO), ico.org.uk;
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD), gov.br/anpd;
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch;
- California: California Privacy Protection Agency (CPPA), cppa.ca.gov.
19. Amendments
The Company may amend this Policy from time to time to reflect changes in law, technology, or business practice. Material amendments will be notified to Agencies by email and posted on the platform and the legaflow.io website at least thirty (30) days before they take effect, except where earlier entry into force is required by law. The date of the most recent version is indicated at the top of this document. Continued use of the platform after the effective date of an amendment constitutes acceptance of the amended Policy.
20. Contact
Questions, requests, or complaints concerning this Policy or the Processing of Personal Data should be addressed to:
- All enquiries (general, support, sales): contact@legaflow.io
- Data protection, Data Protection Officer, and GDPR rights requests: dpo@legaflow.io
- Post: OMAZEO SP. Z O.O., Plac Bankowy 2, 00-095 Warszawa, Poland
21. Acknowledgement and Governing Law
By creating an account, using the LegaFlow platform, subscribing to LegaFlow services, or otherwise providing Personal Data to OMAZEO SP. Z O.O., the Data Subject acknowledges having read and understood this Privacy Policy. Where applicable, separate explicit consents are collected through the account-creation flow, the Veriff verification flow, and the Survey deployment flow; such consents may be withdrawn at any time by contacting dpo@legaflow.io.
This Privacy Policy is governed by Polish law and is drafted in English. Where the Company publishes translations, the English version prevails in the event of any discrepancy. Mandatory provisions of the data-protection law applicable to a Data Subject's habitual residence remain unaffected.