Skip to content
Privacy

Privacy policy

Data controller, purposes and legal bases of processing, recipients, transfers outside the EEA, retention period, your rights under the GDPR, and cookie information.

Last updated · 17 June 2026

01

Data controller

The controller responsible for your personal data (within the meaning of Article 4(7) of the General Data Protection Regulation, "GDPR") is GMAC, registered office at Makowa 7, 66-431 Janczewo, Poland, Polish tax identification number (NIP) PL5992961187.

We can be reached at and operate the websites gmac.pl and g-mac.eu.

We have not appointed a Data Protection Officer (DPO). The appointment of a DPO is not mandatory for a controller of our scale and the nature of processing we carry out. If you have any question about how we handle your data, please contact us directly at .

02

Data we collect and why

We only collect personal data that you voluntarily provide through the contact form on this website. Specifically, when you get in touch we collect: your name and surname, your e-mail address, an optional field describing the area you are interested in, and the content of your message.

We process this data for the sole purpose of replying to your enquiry, handling the request you initiated, and conducting the related B2B commercial communication (for example, sending an offer or answering a question about our services). Your message is delivered to our company mailbox at and is not stored in any database.

The table below summarises each purpose, the data involved, and the legal basis on which we rely.

PurposeDataLegal basis
Replying to your enquiry, handling your request, and related B2B commercial communication Name and surname, e-mail, area of interest (optional), message content GDPR Art. 6(1)(f) — legitimate interests
E-mail delivery (delivering our reply) Name and surname, e-mail, message content (transmitted to the delivery provider) GDPR Art. 6(1)(f) — legitimate interests
Abuse protection (rate limiting, anti-spam) md5(IP) hash — anonymised, retained temporarily (1 hour) GDPR Art. 6(1)(f) — legitimate interests
03

Legal basis

We process the personal data submitted through the contact form on the basis of Article 6(1)(f) of the GDPR — our legitimate interests in responding to an enquiry that you yourself initiated and in conducting B2B commercial communication with prospective clients. We do not rely on consent (Article 6(1)(a)), and we do not ask you to tick a consent box.

Our legitimate-interest assessment, in brief: the interest pursued is answering the enquiry you directed to us; processing is necessary because there is no less intrusive way to reply without the contact details you provided; and the balance favours processing because you initiated the contact and can reasonably expect a response.

Providing your data is voluntary, but it is necessary for us to be able to reply. If you do not provide the required fields (name, e-mail, message), we will not be able to respond to your enquiry.

We do not carry out profiling and we do not engage in any form of automated decision-making, including decisions producing legal or similarly significant effects concerning you (Article 13(2)(f) GDPR).

04

Who we share data with

Your data is shared only with the recipients strictly necessary to deliver and process your message. We do not sell, rent, or trade your personal data, and we do not share it for any purpose other than handling your enquiry.

To enable e-mail delivery, your message is transmitted through Resend Inc. (api.resend.com), which acts as a processor on our behalf under Article 28 GDPR and provides the e-mail sending infrastructure. Your message is then delivered to our company mailbox at (sender noreply@g-mac.eu, reply-to set to your e-mail address).

The website itself is hosted on a shared hosting environment provided by KRU (https://www.kru.pl), which acts as a processor for the sole purpose of making the site available and routing the form submission.

  • Resend Inc. (Resend) — e-mail delivery provider acting as a processor; receives the form data solely to transmit the e-mail on our behalf.
  • KRU (https://www.kru.pl) — hosting provider acting as a processor; provides the infrastructure on which this website and the contact form run.
05

Data transfers outside the EEA

When you submit the contact form, the data we collect (your name, e-mail, and message content) is transmitted to Resend Inc., which is established in the United States. This constitutes a transfer of personal data outside the European Economic Area (EEA).

This transfer takes place under the EU-U.S. Data Privacy Framework (DPF). Resend Inc. is certified under the DPF, and the transfer is therefore covered by the European Commission's adequacy decision (Implementing Decision (EU) 2023/1795). You can verify Resend's certification status at https://www.dataprivacyframework.gov/list.

Apart from the transfer to Resend described above, no other transfer of your personal data to a third country takes place. The hosting provider KRU (https://www.kru.pl) processes data within the scope of making the website available and does not transfer your form data outside the EEA beyond what is required for that purpose.

06

How long we keep data

Because your message is delivered to our company mailbox and is not stored in any database, retention is governed by how long we keep the message in that mailbox. We do not retain your data for longer than is necessary for the purpose for which it was collected.

We keep messages resulting in ongoing contact for up to 2 years from your last contact with us, after which they are deleted from the mailbox. If you do not respond to our reply and the exchange does not continue, we keep the message for up to 6 months and then delete it.

After the applicable retention period expires, your data is permanently removed from the mailbox and is not retained in any other form.

  • Up to 2 years from the last contact — for messages that lead to ongoing correspondence.
  • Up to 6 months — for messages that receive no reply and do not result in further contact.
07

Your rights

Under the GDPR you have a number of rights regarding the personal data we hold about you. You can exercise any of these rights, free of charge, by contacting us at . We will respond in accordance with the time limits set out in the GDPR.

If you believe that our processing of your data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority competent for us — the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, PUODO), ul. Stawki 2, 00-193 Warszawa, Poland — or with any other competent supervisory authority. Further information is available at https://uodo.gov.pl.

  • Right of access — to obtain confirmation that we process your data and a copy of it (Article 15).
  • Right to rectification — to have any inaccurate or incomplete data corrected (Article 16).
  • Right to erasure — to have your data deleted in the circumstances set out in Article 17.
  • Right to restriction of processing — to limit how we process your data in the circumstances set out in Article 18.
  • Right to data portability — to receive your data in a structured, commonly used format and to transmit it to another controller where technically feasible (Article 20).
  • Right to object — to object to the processing of your data on grounds relating to your particular situation, including processing based on legitimate interests (Article 21).
  • Right to lodge a complaint with the PUODO or another competent supervisory authority.
08

Cookies and local storage

We do not use advertising cookies, analytics cookies, tracking cookies, social-media cookies, or any other cookies or technologies that would monitor your behaviour across this website or other sites. We do not use Google Analytics, Meta Pixel, Hotjar, Google Tag Manager, or any similar service. All fonts and images are self-hosted, and the website makes no automatic requests to third parties on load.

Because we do not place any non-essential cookies or similar tracking technologies, no consent banner is required or displayed on this website.

The only mechanism we use is a browser preference stored in your browser's local storage under the key "gmac-theme", which remembers whether you have selected the dark or light theme. This is not an HTTP cookie, it contains no personal data, it is entirely voluntary, and it never leaves your device. If you prefer not to keep it, you can remove it at any time by clearing this website's data in your browser settings (for example, "Clear site data" or "Clear browsing data" in your browser's privacy options).

09

Security

We take appropriate technical and organisational measures to protect the personal data we process. This website is served over HTTPS, which encrypts the connection between your browser and our server, including any data you submit through the contact form.

Access to the mailbox that receives your messages is restricted to authorised persons within our organisation on a strict need-to-know basis, and we maintain internal procedures governing how enquiries are handled and how long they are retained.

The contact form is also protected against abuse by anti-spam mechanisms (a honeypot field, a submission-time check, and rate limiting) that do not collect personal data — the rate-limiting mechanism stores only an anonymised hash of the IP address and a timestamp, and these records are automatically deleted after one hour.

10

Contact

For any question, request, or complaint regarding the protection of your personal data, or to exercise any of your rights under the GDPR, please contact us at . We will do our best to respond promptly and in accordance with the law.