Privacy Policy

This Privacy Policy describes how Nimbus Riders sp. z o.o. (“Company”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data when you use the WebSpeaker website and services.

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”), we inform you that:

1. Personal Data Controller

The controller of your personal data is Nimbus Riders sp. z o.o. based in Gdańsk, ul. Jana Heweliusza 11/811, entered into the register of entrepreneurs kept by the District Court Gdańsk Północ in Gdańsk, 7th Commercial Division of the National Court Register under KRS number 0001108119, NIP 5833510199 (hereinafter referred to as the “Company”).

2. Personal Data We Collect

The types of personal data we collect depend on how you interact with our Website and Service.

2.1 Information You Provide to Us

When you register for an account, subscribe to our Service, or contact us, you may provide us with:

Account information: name, surname, email address, company name, job title, country;
Billing information: billing address, VAT number, payment method details (processed by our payment processor);
Communication data: content of messages you send to us via support channels, email, or other means;
Profile information: avatar, preferences, and settings you configure in your account.

2.2 Information We Collect Automatically

As you use our Website and Service, we automatically collect certain information:

Log data: Internet Protocol (IP) address, internet service provider (ISP), browser type and version, operating system, date and time of requests, pages viewed, and how you interact with our Service;
Usage data: features you use, actions you take, API calls made, search queries performed, configurations applied, and patterns of usage;
Device data: device type, screen resolution, browser type, operating system, and unique device identifiers;
Cookie data: we use cookies and similar technologies to operate our Website and improve your experience (see Section 7 for details).

2.3 Information from Third Parties

We may receive personal data about you from third-party sources:

Authentication providers: if you log in using a third-party service (such as Google or GitHub), we receive your name and email address from that service;
Payment processors: we receive confirmation of payment status from Paddle or other payment processors (we do not receive or store your full credit card numbers).

3. Subscriber Data and End User Data

When providing our Service, we process two distinct categories of data:

3.1 Subscriber Personal Data

Personal data of our Subscribers (businesses or individuals who register for our Service) is processed by us as a data controller. This Privacy Policy applies to such processing.

3.2 Data Processed on Behalf of Subscribers

When Subscribers use our Service to index their websites or provide search and chatbot functionality to their end users, we may process personal data contained in:

Indexed Content: content from Subscriber’s websites that is crawled and indexed by our Service;
End User Queries: search queries and chatbot conversations submitted by Subscriber’s end users.

For this data, we act as a data processor on behalf of the Subscriber (who is the data controller). Processing is governed by our Data Processing Addendum (DPA) available at https://webspeaker.pro/dpa. If you are an end user of a Subscriber’s website, please contact that Subscriber directly for information about how they process your personal data.

4. AI and LLM Data Processing

Our Service includes AI-powered features, including conversational chatbot capabilities. This section explains how data is processed in connection with these features.

4.1 What Data is Processed by AI

When AI features are used, the following data may be processed:

Search queries and chatbot messages submitted by end users;
Indexed Content relevant to responding to queries;
Conversation context necessary to provide coherent responses.

4.2 Third-Party AI Providers

We use third-party AI providers to power our AI features, including but not limited to:

OpenAI (OpenAI, L.L.C., USA) - https://openai.com/privacy
Anthropic (Anthropic, PBC, USA) - https://www.anthropic.com/privacy

When AI features are used, relevant data is transmitted to these providers for processing. These providers:

Process data according to their own privacy policies and terms of service;
Are contractually bound to maintain appropriate security measures;
May be located outside the European Economic Area (see Section 9 for transfer safeguards).

4.3 Data Retention and Training by AI Providers

Our contracts with AI providers specify that:

Data is used only to provide the requested AI functionality;
We have opted out of providing customer data for AI model training with all our AI service providers (OpenAI, Anthropic);
Your data is not used to train, improve, or fine-tune AI models;
Data is retained by AI providers only for abuse monitoring purposes, typically for 30 days or less, and then automatically deleted;
AI providers process data solely through API calls in accordance with their enterprise data processing terms.

4.4 Prohibited Data Categories

You must not submit to the Service, and we do not intentionally collect, the following categories of sensitive data:

Government-issued identification numbers (SSN, passport, national ID card numbers);
Payment card numbers, bank account details, or financial credentials;
Health, medical, or genetic information;
Biometric data for identification purposes;
Passwords, security credentials, or authentication tokens;
Precise geolocation data;
Special categories of personal data under GDPR Article 9 (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation);
Data relating to criminal convictions or offenses.

If you inadvertently submit such data, please contact us immediately at privacy@webspeaker.pro for removal.

4.5 AI Processing Transparency

In accordance with Article 50 of Regulation (EU) 2024/1689 (EU AI Act), we want you to understand that:

AI-generated responses are created by automated systems without human intervention;
Our chatbot and AI-powered features are powered by artificial intelligence;
End users are shown AI transparency notices at chat start and response labels (AI-generated vs. human support) as part of compliance and transparency obligations;
We do not use AI to make legal or similarly significant decisions about individuals;
You can contact us to learn more about how specific AI features process data.

5. How We Use Personal Data

We use personal data for the following purposes:

5.1 To Provide and Maintain the Service

Creating and managing your account;
Providing access to the Service and its features;
Processing transactions and sending related information;
Providing customer support and responding to inquiries.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

5.2 To Improve and Develop the Service

Analyzing usage patterns to improve functionality;
Developing new features and services;
Conducting research and analytics;
Testing and troubleshooting.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) - improving our Service.

5.3 To Communicate with You

Sending service-related notices (updates, security alerts, support messages);
Sending newsletters and marketing communications (with your consent);
Responding to your comments, questions, and requests.

Legal basis: Performance of a contract, legitimate interests, or consent, depending on the communication type.

5.4 For Security and Fraud Prevention

Protecting against unauthorized access, fraud, and abuse;
Monitoring for security threats;
Enforcing our Terms and Conditions.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) - security of our Service; legal obligation where applicable.

5.5 To Comply with Legal Obligations

Complying with applicable laws and regulations;
Responding to legal requests and preventing harm;
Maintaining records as required by law.

Legal basis: Legal obligation (Art. 6(1)(c) GDPR).

6. Legal Basis for Processing

Under GDPR, we process personal data based on the following legal grounds:

Purpose	Legal Basis	GDPR Article
Providing the Service	Performance of a contract	Art. 6(1)(b)
Account management	Performance of a contract	Art. 6(1)(b)
Billing and payments	Performance of a contract	Art. 6(1)(b)
Service improvement	Legitimate interests	Art. 6(1)(f)
Analytics	Legitimate interests	Art. 6(1)(f)
Security monitoring	Legitimate interests	Art. 6(1)(f)
Marketing communications	Consent	Art. 6(1)(a)
Legal compliance	Legal obligation	Art. 6(1)(c)
Tax and accounting records	Legal obligation	Art. 6(1)(c)

Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms.

7. Cookies and Tracking Technologies

7.1 What Are Cookies

Cookies are small text files stored on your device when you visit a website. They help the website remember your preferences and understand how you use the site.

7.2 Cookies We Use

We use the following types of cookies:

Type	Purpose	Duration
Essential cookies	Required for the Website to function (authentication, security)	Session or up to 1 year
Functional cookies	Enable optional embedded communication tools (support chat widget)	Up to 1 year
Analytics cookies	Help us understand product usage and improve the Website (via PostHog)	Up to 2 years

7.3 Third-Party Cookies

Some cookies are placed by third-party services we use:

PostHog: product analytics (https://posthog.com/privacy)
WebSpeaker support chat widget: embedded support chat functionality loaded by default; telemetry/profiling preferences are passed from your cookie choices

When you first visit our Website, we display a cookie consent banner that allows you to:

Accept all cookies;
Reject non-essential cookies;
Customize your cookie preferences.

Essential cookies are set automatically as they are necessary for the Website to function. Analytics and optional functionality cookies are only set after you provide consent.

You can change your cookie preferences at any time by clicking the “Cookie Settings” link in the footer of our Website.

7.5 Managing Cookies

You can also control cookies through your browser settings. Most browsers allow you to:

View what cookies are stored and delete them individually;
Block third-party cookies;
Block cookies from specific sites;
Block all cookies;
Delete all cookies when you close the browser.

Please note that blocking essential cookies may affect the functionality of our Website.

Instructions for managing cookies in common browsers:

Google Chrome: https://support.google.com/chrome/answer/95647
Mozilla Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox
Microsoft Edge: https://support.microsoft.com/en-us/windows/manage-cookies-in-microsoft-edge-view-allow-block-delete-and-use-168dab11-0753-043d-7c16-ede5947fc64d
Safari: https://support.apple.com/en-bh/guide/safari/sfri11471/mac

We may share your personal data with the following categories of recipients:

8.1 Service Providers and Sub-Processors

We engage third-party service providers (sub-processors) to perform functions on our behalf, including cloud infrastructure, payment processing, customer support, analytics, error tracking, and AI services.

A complete and current list of sub-processors is available at https://webspeaker.pro/sub-processors. We will update this list when we engage new sub-processors and notify Subscribers in accordance with our Data Processing Addendum.

These service providers are bound by contractual obligations to keep personal data confidential and use it only for the purposes for which we disclose it to them.

8.2 Legal Requirements

We may disclose personal data if required to do so by law or in response to valid requests by public authorities (e.g., court orders, government requests).

8.3 Business Transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Website of any change in ownership.

We may share your personal data with other parties when you give us explicit consent to do so.

9. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (where some of our service providers, including AI providers, are located).

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our service providers;
Adequacy decisions: Where applicable, we rely on adequacy decisions by the European Commission;
Additional safeguards: We implement supplementary measures where necessary to ensure the level of protection required by GDPR.

For more information about the safeguards we use for specific transfers, please contact us using the details in Section 16.

10. Data Retention

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.

Data Category	Retention Period
Account information	Duration of account + 6 years after deletion
Billing records	10 years (legal requirement for accounting)
Usage logs	12 months
Chatbot conversation logs	90 days
System and security logs	180 days
Support communications	3 years after resolution
Analytics data	26 months (aggregated/anonymized after)
Marketing consent records	Duration of consent + 3 years
Indexed Content (Subscriber Data)	Available for export for at least 30 days after termination; deleted within 90 days or earlier upon request (see DPA)
Backups	90 days (rolling)

After the retention period expires, personal data is securely deleted or anonymized.

The 6-year retention period for account information corresponds to the general limitation period for claims under Polish law, allowing us to establish, exercise, or defend legal claims if necessary.

11. Data Security

We maintain administrative, physical, and technical safeguards designed to protect personal data from unauthorized access, disclosure, alteration, and destruction.

Our security measures include:

Encryption of data in transit (TLS) and at rest;
Access controls and authentication mechanisms;
Regular security assessments and monitoring;
Employee training on data protection;
Incident response procedures.

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

If you discover or suspect a security breach, please contact us immediately at security@webspeaker.pro.

Under GDPR, you have the following rights regarding your personal data:

12.1 Right of Access (Art. 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, access to the data and information about the processing.

12.2 Right to Rectification (Art. 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

12.3 Right to Erasure (“Right to be Forgotten”) (Art. 17)

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

12.4 Right to Restriction of Processing (Art. 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.

12.5 Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

12.6 Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests. If you object, we will no longer process your personal data unless we demonstrate compelling legitimate grounds that override your interests.

Where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

12.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@webspeaker.pro
Postal address: Nimbus Riders sp. z o.o., ul. Jana Heweliusza 11/811, 80-890 Gdańsk, Poland

We will respond to your request within one month. This period may be extended by two further months if necessary, taking into account the complexity and number of requests.

We may need to verify your identity before processing your request.

12.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. In Poland, the supervisory authority is:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warsaw, Poland
https://uodo.gov.pl

13. Automated Decision-Making and Profiling

13.1 AI Processing

Our Service uses AI and machine learning to provide search and chatbot functionality. This processing:

Generates responses to user queries based on indexed content;
Does not result in decisions that produce legal effects or similarly significantly affect individuals;
Is not used for profiling that would have legal or similarly significant effects.

13.2 Your Rights

Under Art. 22 GDPR, you have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.

Since our AI processing does not produce such effects, Art. 22 does not apply. However, if you have concerns about how AI features process your data, please contact us.

14. Children’s Privacy

Our Service is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16.

If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at privacy@webspeaker.pro. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information.

15. California Privacy Rights (CCPA/CPRA)

This section applies to California residents and supplements the information contained in this Privacy Policy.

15.1 Your California Privacy Rights

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have specific rights regarding their personal information:

Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, as well as the categories of sources, purposes of collection, and categories of third parties with whom we share personal information.
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing: You have the right to opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information.
Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights.

15.2 We Do Not Sell Your Personal Information

We do not sell your personal information. We have not sold personal information in the preceding 12 months and do not have plans to sell personal information in the future.

We do not “share” personal information for cross-context behavioral advertising purposes as defined under CPRA.

15.3 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

Category	Examples	Collected
Identifiers	Name, email, IP address	Yes
Commercial information	Subscription history, transaction records	Yes
Internet activity	Browsing history, search queries, interactions with Service	Yes
Geolocation data	Approximate location based on IP address	Yes
Professional information	Company name, job title	Yes
Inferences	Preferences, characteristics derived from above	Yes

15.4 How to Exercise Your Rights

To exercise your California privacy rights, please contact us at:

Email: privacy@webspeaker.pro
Online: Through your account settings

We will verify your identity before processing your request. We will respond to verifiable requests within 45 days, which may be extended by an additional 45 days when reasonably necessary.

You may designate an authorized agent to make a request on your behalf. To do so, you must provide the authorized agent with written permission and verify your identity with us.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons.

If we make material changes, we will notify you by:

Posting the updated Privacy Policy on our Website;
Sending an email to registered users at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

The “Last updated” date at the bottom of this Privacy Policy indicates when it was last revised.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email:
privacy@webspeaker.pro

Postal address:
Nimbus Riders sp. z o.o.
ul. Jana Heweliusza 11/811
80-890 Gdańsk, Poland

For security-related matters:
security@webspeaker.pro

For legal matters:
legal@webspeaker.pro

We aim to respond to all inquiries within 14 days.

This document is available in Polish upon request. In case of any discrepancies between language versions, the English version shall prevail for Subscribers outside of Poland.

Document version

1.0 of 01 January 2026