Privacy policy

Effective Date: JANUARY 1, 2026

1. Introduction

This Privacy Policy details how the Innovation Lab’s PARSANKI application (“the App,” “we,” “us,” “our”) collects, uses, protects, and shares your personal data. We are committed to protecting your privacy and handling your data in a transparent and secure manner, in full compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

This document is designed to help you understand what data we collect, why we collect it, and what your rights are concerning your personal information. By using the Innovation Lab’s PARSANKI application, you acknowledge that you have read and understood this Privacy Policy.

2. Who We Are: Data Controller and Contact Details

Under the GDPR, the “Data Controller” is the entity responsible for determining the purposes and means of processing personal data. It is important for you to know who is accountable for protecting your information.

For the Innovation Lab’s PARSANKI application, the Data Controller is:

  • Data Controller: Innovation Lab Sp. z o.o., KRS: 0000721626
  • Address: Jana Pawła 43A/37B, 01-001 Warszawa, Poland
  • Privacy-Related Inquiries: parsanki@innovationlab.pl

Data Protection Officer (DPO)

Innovation Lab Sp. z o.o. has appointed a Data Protection Officer, as required by GDPR, to oversee compliance with data protection obligations. For any inquiries regarding your personal data, please contact: dpo@innovationlab.pl

This policy will now detail the specific categories of personal data we collect and the purposes for which we process it.

3. What Personal Data We Collect

To provide the full functionality of the App, we need to collect various types of personal data. We are committed to the principle of data minimization, meaning we only collect information that is necessary to deliver our services and fulfill the purposes described in this policy.

The personal data we collect is grouped into the following categories:

  • Account and Identity Data

This includes the information you provide to create and secure your account, such as your email address and password. We may also collect your phone number to facilitate security features like SMS verification.

  • Profile and Demographic Data

To personalize your experience, you may choose to provide additional information, including your full name, date of birth, gender, postal address, preferred language, and a profile photo.

  • Communications Data

This category includes data generated when you interact with support or use communication features within the App:

      • Real-time chat messages and media exchanged with care coordinators.
      • Information you submit as part of requests, support tickets, and bug reports, including free-text descriptions and any attachments.

  • AI-Assisted Data Entry

To make data entry faster and more convenient, we offer AI-powered features. Data processed by these tools includes:

      • Audio recordings, which are transcribed into structured data (e.g. content data entry readings).
      • Photographs shared within the application, which are processed using Optical Character Recognition (OCR) to extract readings.

Such data is processed only with your explicit consent and deleted immediately after processing.

  • Technical and Usage Data

To ensure the App’s security, stability, and functionality, we automatically collect technical information, including:

      • Device identifiers and push notification tokens (e.g., Firebase Cloud Messaging tokens).
      • Diagnostic data, such as your device model, operating system version, app version, and crash stack traces.

This data is essential for us to provide you with a reliable and feature-rich App.

The next section explains exactly why we use it.

4. How and Why We Use Your Personal Data (Purposes and Legal Bases)

Under GDPR, every data processing activity must be justified by a specific purpose and a valid legal basis. The table below outlines our processing activities, the types of data involved, and the legal justification for each.

| Purpose of Processing | Data Categories Involved | Legal Basis (GDPR) |
| --- | --- | --- |
| To Create and Manage Your Account | Account and Identity Data, Technical and Usage Data | Art. 6(1)(b): Performance of a contract with you. |
| To Enable Communication and Support | Account and Identity Data, Profile Data, Communications Data | Art. 6(1)(b): Performance of a contract (to provide support features). For chat: Art. 9(2)(a): Your explicit consent. |
| To Manage Requests and Document Signing | Account and Identity Data, Profile Data, Communications Data | Art. 6(1)(b): Performance of a contract (to fulfill your requests). |
| To Send Reminders and Notifications | Account and Identity Data, Technical and Usage Data | Art. 6(1)(f): Our legitimate interest to help you adhere to routines you have configured. |
| To Ensure Security and App Stability | Technical and Usage Data, Communications Data (bug reports) | Art. 6(1)(f): Our legitimate interest in maintaining the security, stability, and functionality of our service. |
| To Share Announcements and Content | Account and Identity Data | Art. 6(1)(b): Performance of a contract (to provide informational updates related to the service). |

Our Legitimate Interests

When we rely on “Legitimate Interest” as a legal basis, it means we have a compelling business reason to process your data. In these cases, we have carefully assessed that such interests do not override your fundamental rights and freedoms. Our legitimate interests include maintaining the App’s stability and providing helpful reminders for configured routines.

Your Obligation to Provide Data

Providing some personal data is a contractual requirement. Some data (such as your email and password) are mandatory to create and secure your account. Without providing this data, we cannot provide access to the App. Any other data provided by you is optional.

We will now explain how we share this data with trusted partners to deliver our services.

5. Who We Share Your Data With (Recipients and Processors)

We do not sell your personal data to third parties. To deliver our services, we share data with trusted third-party service providers who act on our behalf and under our strict instructions to help deliver the App’s functionality. These partners act as “processors” on our behalf and are contractually bound by Data Processing Agreements (DPAs) that require them to protect your data and only use it as we instruct.

We engage the following categories of processors:

  • Cloud Hosting Providers: All user data, including personal data, is stored on secure servers to power the App. Our backend infrastructure is hosted by DigitalOcean.
  • Communication Service Providers: To enable real-time messaging, we rely on specialized partners. We use Twilio to power our in-app chat functionality.
  • Notification and Analytics Providers: To keep you informed and improve our App, we use services for notifications and diagnostics. We use Google Firebase for sending push notifications and for collecting anonymized crash reports to improve app stability.

As some of these service providers operate globally, this may require transferring your data internationally.

6. International Data Transfers

Some of the service providers mentioned in the previous section are based outside the European Economic Area (EEA). As a result, your personal data may be transferred to, and processed in, countries such as the United States.

We ensure that all international data transfers are conducted in full compliance with GDPR. If such a transfer occurs, it is protected by Standard Contractual Clauses (SCCs) or participation in the EU–US Data Privacy Framework to ensure data protection equivalent to EU standards. You may contact us for additional information about these safeguards.

You can request more information about the safeguards we have in place for international data transfers by contacting us.

Next, we will explain how long we store your data.

7. How Long We Keep Your Data (Data Retention)

We adhere to the GDPR’s principle of “storage limitation,” which means we keep your personal data only for as long as necessary to fulfill the purposes for which it was collected. Our retention periods vary depending on the type of data:

  • Account Data: We retain your account profile for as long as your account remains active. After account deletion, this data may be retained in secure, isolated backups for up to 12 months for the sole purpose of establishing, exercising, or defending legal claims.
  • Technical Data: Push notification tokens are deleted upon logout. Crash logs and diagnostic data are retained for up to 12 months for security and debugging purposes.
  • Communication Data: Chat history is retained as per your account’s active status. Bug reports and associated data are retained for up to 12 months after the issue is resolved.

The following section outlines the rights you have over the data we retain.

8. Your Data Protection Rights

Under GDPR, you have specific rights over your personal data. We are committed to upholding these rights and have established processes to help you exercise them.

  • The Right to Access: You can request a copy of the personal data we hold about you.
  • The Right to Rectification: You can request that we correct any data you believe is inaccurate or complete any data you believe is incomplete.
  • The Right to Erasure (‘Right to be Forgotten’): You can request the deletion of your personal data under certain conditions.
  • The Right to Restrict Processing: You can request that we temporarily halt the processing of your personal data in specific circumstances.
  • The Right to Data Portability: You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller, where our processing is based on your consent or on a contract and is carried out by automated means.
  • The Right to Object: You have the right to object to our processing of your personal data where we rely on our legitimate interests as the legal basis.
  • The Right to Withdraw Consent: For any data processing that relies on your consent (such as the processing of your personal data), you have the right to withdraw that consent at any time. Please note that withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal. Doing so may result in you being unable to use certain features of the App.
  • The Right to Lodge a Complaint: You have the right to file a complaint with a data protection authority if you believe that our processing of your personal data infringes data protection laws.

To exercise any of these rights, please contact us at the email address provided in Section 2.

9. Automated Decision-Making and Profiling

The App does not use automated decision-making that produces legal or similarly significant effects on you.

The AI-powered transcription and OCR features are designed purely as assistive tools to make data entry faster and easier. We do not use this technology to take any decisions automatically.

To protect your data, we implement robust security measures, which are described next.

10. Data Security

We are committed to protecting your personal data from unauthorized access, alteration, disclosure, or destruction. We implement a combination of appropriate technical and organizational measures to safeguard your information.

These measures include:

  • Encryption: We use HTTPS to encrypt data in transit between the App and our servers. Sensitive information such as authentication tokens is stored using strong encryption on your device.
  • Access Controls: Access to personal data is strictly limited to authorized personnel and service providers who require it to perform their duties and are bound by confidentiality obligations.
  • Secure Storage: Other than encrypted authentication tokens and limited temporary technical cache necessary for the App to function, we do not intentionally store your personal data permanently on your device.

If you have concerns about our data handling practices, you also have the right to contact a supervisory authority.

11. Lodging a Complaint with a Supervisory Authority

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority.

In Poland, the relevant authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych – UODO). You can also lodge a complaint with the data protection authority in your EU member state of residence or work.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons.

If we make material changes, such as collecting new types of personal data or using it for new purposes, we will notify you in advance through the App or by other means, where legally required. The latest version of the policy will always be available within the App.