Privacy Policy

1. Data Controller

The data controller is NIHILI PSA (a Polish simple joint-stock company) with its registered office in Warsaw, ul. Piękna 49, 00-672 Warsaw, Poland, NIP 7011316302, KRS 0001244757.

For all matters concerning the protection of personal data, you can contact us at: mail@nihili.com.

2. Data We Process

Depending on how you use the service, we process the following categories of data:

• ·Partner inquiries (financing-partner form): full name, email, phone, company name, planned investment amount, preferred location, message content.
• ·Land submissions for NIHILI OH: full name, email, phone, parcel number, area, city, geographic coordinates, description and uploaded photos.
• ·Waitlist sign-ups (audio): email address and language preference.
• ·NIHILI OH session bookings: full name, email, phone, selected slot details and payment transaction identifiers.
• ·Partner account (partner panel): email address (passwordless login via magic link) and data arising from the signed contract: identification data, address, national ID or tax number, contract financial data.
• ·Technical data: IP address and browser information — processed only as necessary for security, abuse prevention and the correct operation of the service.

3. Purposes and Legal Bases

• ·Handling partner inquiries and land submissions — based on your consent (Art. 6(1)(a) GDPR) and our legitimate interest in conducting correspondence (Art. 6(1)(f) GDPR).
• ·Waitlist — based on consent (Art. 6(1)(a) GDPR), which you may withdraw at any time.
• ·Bookings and payments — to perform a contract (Art. 6(1)(b) GDPR) and to comply with tax and accounting obligations (Art. 6(1)(c) GDPR).
• ·Partner account and contract — to perform a contract (Art. 6(1)(b) GDPR) and to comply with legal obligations of the controller (Art. 6(1)(c) GDPR).
• ·Security, abuse prevention and technical logs — based on the controller’s legitimate interest (Art. 6(1)(f) GDPR).

4. Recipients and Processors

We entrust data processing to trusted service providers who act on our behalf under data processing agreements, only to the extent necessary to provide their services:

• ·Supabase — database hosting, authentication and file storage.
• ·Vercel — application hosting and delivery.
• ·Stripe — payment processing for bookings (Stripe acts as an independent controller for transaction data required by law).
• ·Resend — sending emails (confirmations, sign-in links).
• ·Bunny CDN — delivery of static assets (graphics, logos).
• ·Legal advisors, notaries and accounting service providers — to the extent necessary to conclude and service partner contracts.

5. Transfers Outside the EEA

Some of our providers (e.g. Vercel, Stripe, Resend) may process data on servers located outside the European Economic Area, in particular in the United States. In such cases, transfers are based on Standard Contractual Clauses approved by the European Commission or other mechanisms ensuring an adequate level of protection, in accordance with Chapter V of the GDPR.

6. Retention Periods

• ·Partner inquiries — up to 24 months from the last contact, unless a contract is concluded.
• ·Land submissions — up to 12 months, unless the submission leads to further cooperation.
• ·Waitlist — until consent is withdrawn or the service launches and the purpose ceases.
• ·Booking and payment data — for the period required by tax and accounting law (generally 5 years from the end of the year in which the tax obligation arose).
• ·Partner contract data — for the duration of the contract and the limitation period for potential claims.
• ·Technical logs — for the period necessary to ensure security, generally no longer than 12 months.

7. Your Rights

In connection with the processing of your data, you have the following rights:

• ·the right to access your data and obtain a copy;
• ·the right to rectification (correction) of your data;
• ·the right to erasure (“right to be forgotten”);
• ·the right to restriction of processing;
• ·the right to data portability;
• ·the right to object to processing based on legitimate interest;
• ·the right to withdraw consent at any time — without affecting the lawfulness of processing carried out before its withdrawal;
• ·the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland).

8. Cookies and Browser Storage

The service does not use cookies for marketing or analytics purposes. We use only your browser’s local storage (localStorage) to remember your display preferences — the selected colour scheme and language. This data remains on your device and is not sent to our servers. To maintain a logged-in user session, we use strictly necessary cookies required for sign-in to function.

9. Automated Decision-Making

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.

10. Changes to This Policy

We may update this Privacy Policy. The current version is always available on the service, together with the date of the last update indicated above. In the event of material changes, we will inform you in an appropriate manner.

11. Contact

For matters concerning the protection of personal data, please contact us at: mail@nihili.com.