Privacy Policy

1. Data Controller

The data controller is ONLY Marketing, Sky Tower, ul. Powstańców Śląskich 95, 53-332 Wrocław, Polska. Polish Tax ID (NIP): {{NIP}}. REGON: {{REGON}}. {{KRS lub CEIDG}}.

For data protection requests: hello@onlymarketing.ai.

2. What data we process

We collect only the data you submit voluntarily and the minimum technical information needed to operate the service.

Data you submit through the booking widget or the chatbot:

• full name
• email address
• phone number
• company name
• industry
• description of your current marketing situation and goals (if provided)
• preferred call time

Technical data collected automatically:

• IP address (kept short-term for abuse rate limiting)
• browser type and operating system (User-Agent)
• timestamp of the interaction
• chatbot session identifier (stored locally in your browser)

3. Purposes and legal basis

We process your data for the following purposes on the following legal bases:

• Booking and conducting your call with Aleksandra — Art. 6(1)(b) GDPR (steps prior to entering a contract).
• Sending booking confirmation, calendar invite (.ics), and reminders — Art. 6(1)(b) GDPR.
• Lead qualification by the AI chatbot and follow-up — Art. 6(1)(f) GDPR (legitimate interest — customer acquisition).
• Notifying our sales team about new leads — Art. 6(1)(f) GDPR (legitimate interest — handling business inquiries).
• Abuse rate limiting and service security — Art. 6(1)(f) GDPR (legitimate interest — protecting infrastructure).
• Compliance with legal obligations (accounting, tax) — Art. 6(1)(c) GDPR.

4. Sub-processors

We use trusted vendors who process your data only on our behalf and under data processing agreements per Art. 28 GDPR:

• Vercel Inc. (USA) — hosting and serverless infrastructure. Technical data (IP, User-Agent) processed during page loads.
• Supabase Inc. (USA) — database for bookings, leads, and chatbot conversations. EU storage region.
• Resend Inc. (USA) — transactional email delivery (confirmations, notifications).
• Anthropic PBC (USA) — Claude language model used by the chatbot. Chat messages are sent to the Anthropic API to generate replies. Anthropic does not use this data for model training under our business agreement.
• Google LLC (USA/Ireland) — Google Calendar and Google Meet. Booked slots are created on Aleksandra's calendar; attendees see meeting details in their own calendar.

Transfers to third countries (USA) are made under European Commission Standard Contractual Clauses (SCC) and, for Google, additionally under the EU-U.S. Data Privacy Framework.

5. Cookies and local storage

The site does not use tracking, marketing, or third-party analytics cookies. We do not use Google Analytics, Meta Pixel, Hotjar, or similar tools.

We use only functional local-storage mechanisms required for the chatbot to work:

• `om_chatbot_session` — random chatbot session identifier so the conversation continues across page reloads.
• `om_chatbot_autoopen` — flag that limits the chatbot auto-open to once per session.

These are stored in your browser, not on our servers. You can delete them at any time via your browser settings.

6. Retention

Lead data — kept for up to 24 months from the last contact, unless you object earlier or request deletion.

Confirmed booking records — retained per Polish accounting and tax law (up to 5 years from the end of the fiscal year).

Technical logs (IP, User-Agent) — up to 30 days.

Chatbot conversations — up to 90 days from the last message.

7. Your rights

Under GDPR you have the right to:

• access your data (Art. 15),
• rectification of inaccurate or incomplete data (Art. 16),
• erasure — "right to be forgotten" (Art. 17),
• restriction of processing (Art. 18),
• data portability (Art. 20),
• object to processing based on legitimate interest (Art. 21),
• lodge a complaint with the Polish Data Protection Authority UODO (uodo.gov.pl) or the supervisory authority in your country of residence.

To exercise any of these rights, email us at hello@onlymarketing.ai. We respond within 30 days.

8. Security

We apply technical and organizational measures appropriate to the risk:

• TLS/HTTPS encrypted connections,
• access tokens and API keys stored encrypted with the hosting provider,
• data minimization — we only collect what we genuinely need,
• rate limits to protect against abuse,
• database access on a least-privilege basis.

9. Changes to this policy

We may update this policy when our process, technology, or applicable law changes. Each update is dated at the top. For material changes we will notify you by email if you are in our contact database.