Personal Data Controller and Data Protection Officer Semly.ai

  1. The Personal Data Controller is Droplo Spółka z ograniczoną odpowiedzialnością, headquartered at Uczniowska 16, 58-306 Wałbrzych, Poland (NIP 8863009117, REGON 383546529), registered with the District Court of Wrocław-Fabryczna, 9th Commercial Division of the National Court Register, under KRS number 0000789369 (hereinafter referred to as the “Controller” or “Semly”).
  2. We have appointed a Data Protection Officer (DPO), Mr. Paweł Kobierzewski, who can be contacted by email at iod@semly.ai or by mail at Uczniowska 16, 58-306 Wałbrzych, Poland.

Purpose and Legal Basis for Processing Personal Data

We process your personal data for the following purposes and on the following legal bases:

  1. Contract Performance: To provide the Semly.ai service (including, but not limited to, account creation and management, verification of data, and payment handling). The legal basis is the performance of the contract to which you are a party (Article 6(1)(b) of the GDPR) and compliance with legal obligations in the field of accounting and financial reporting (Article 6(1)(c) of the GDPR).
  2. Platform Security and Development: To collect information necessary for ensuring the security of information systems and the proper functioning and development of the Platform (such as system logs used for diagnostics and testing new features). The legal basis for this processing is the legitimate interests of the Controller (Article 6(1)(f) of the GDPR).
  3. Claims Handling: To establish, assert, or defend any claims that may arise from the use of our services. The legal basis is the legitimate interests of the Controller (Article 6(1)(f) of the GDPR).
  4. Communication: To communicate with you regarding service updates, changes to the Terms and Conditions or Privacy Policy, and to respond to your technical inquiries. The legal basis is the legitimate interests of the Controller (Article 6(1)(f) of the GDPR).
  5. Marketing: To profile customers for marketing purposes in order to better tailor the Semly.ai offering, and to process your data for direct marketing. The legal basis is the legitimate interests of the Controller (Article 6(1)(f) of the GDPR).
  6. Consent-Based Processing: If you have given your separate consent, we will use your contact data to send newsletters. The use of cookies and similar technologies on our Platform is also based on your consent (Article 6(1)(a) of the GDPR).

Scope of Personal Data Processing

We collect and process the following categories of personal data:

  1. Account Registration and Management: Identification data (first name, last name, tax identification number (NIP), REGON), contact details (email address, telephone number), company information (company name, address, website), and billing data, including transaction history. We also process metadata such as your IP address and login times.
  2. Platform Support: Your email address provided through the Platform’s chat is used to respond to your inquiries, handle support tickets, and provide feedback.
  3. Product Data: Information about your products from your data feed (such as names, descriptions, technical parameters, and other product details). If your feed contains personal data of natural-person manufacturers, we process it in accordance with GDPR.
  4. Traffic Analysis: IP addresses of users redirected from our AI models to your online store, collected solely for the purpose of analyzing traffic and usage statistics of the service.
  5. Mandatory Data: Providing these data is necessary to conclude and settle the contract for the services and to comply with our legal obligations. Other data (e.g. for newsletter subscriptions) are provided voluntarily.

Rights of Data Subjects

You have the following rights with regard to your personal data processed by the Controller:

  1. Data Portability: the right to transmit the Personal Data provided to the Controller and processed by automated means, where such processing is based on consent or on a contract, for example to another controller.
  2. Access: The right to access your personal data.
  3. Rectification and Restriction: The right to request the correction or completion of your personal data, or to restrict their processing.
  4. Withdrawal of Consent: The right to withdraw any consent you have given to us at any time; withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
  5. Objection: The right to object to the processing of your personal data for reasons arising from your particular situation when the processing is based on our legitimate interests or those of a third party (including for direct marketing purposes).
  6. Complaint: The right to lodge a complaint with a supervisory authority (in Poland, the President of the Personal Data Protection Office, Urząd Ochrony Danych Osobowych, Stawki 2, 00-193 Warsaw, Poland) if you believe that processing of your personal data violates applicable data protection laws.

If your personal data is processed based on your consent, you may withdraw your consent at any time by contacting the Controller in writing at the above address or via email at hello@semly.ai

Data Retention Period

We retain personal data for the period necessary to fulfill the purposes for which they were collected or until the following conditions are met, whichever occurs first:

  1. The legal obligation requiring us to process your data ceases to apply.
  2. In the context of marketing activities, until you object to the processing of your data for marketing purposes.
  3. If the processing is based on your consent, until you withdraw that consent.
  4. Until the expiration of the statute of limitations for any claims arising from our cooperation.
  5. If required by other laws to continue processing, until that requirement lapses.

We may retain data longer to pursue or defend against possible claims (in particular until the expiration of the applicable statute of limitations). In all cases, we apply the longest retention period required by law.

Disclosure of Personal Data:

  1. Your personal data will only be transferred or disclosed for the purposes described in this Privacy Policy. We work with trusted third parties to provide our services.
  2. We may disclose your data to the following categories of recipients:
    a) hosting service providers who supply servers for data storage.
    b) providers of marketing and analytics tools (unless you have effectively objected, e.g. by disabling cookies in your browser).
    c) providers of email sending services.
    d) persons providing services to us under civil law contracts, where data transfer is necessary for the performance of those services.
    e) internet service providers (e.g., Google services).
    f) providers of customer relationship management (CRM) software.
    g) providers of telephony services for customer support.
    h) payment platform providers (e.g., Stripe, PayU S.A.).
    i) invoicing and accounting software providers.
    j) accounting and bookkeeping service providers.
    k) domain name registrars.
    l) providers of additional services used by the Controller (such as SSL certificate authorities and legal advisors).
    m) couriers and postal service providers for delivery of correspondence.
  3. When using tools provided by third parties (e.g. Google) data may be transferred outside the European Economic Area (EEA), in particular to the United States. We ensure that any such transfer is based on standard contractual clauses approved by the European Commission, and we assess the level of data protection afforded by the recipient in advance. In the case of data transfers to the USA, we transfer data only to entities certified under the EU–US Data Privacy Framework (a list of certified entities is available at https://www.dataprivacyframework.gov/list.
  4. Additionally, we may disclose data to technical service providers acting on our behalf (e.g. AWS Europe in Ireland, PayU S.A. in Warsaw, Google Ireland). Personal data may also be provided to public authorities if required by law. Transfers of data outside the EEA are always based on standard contractual clauses approved by the European Commission.

Data Security

  1. We have implemented appropriate technical and organizational measures to ensure the security of the personal data processed, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to individuals. These measures aim to protect your data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure. We do not disclose specifics of these measures, as doing so could weaken their effectiveness.
  2. In particular, we use the following security measures to prevent unauthorized access to or modification of personal data transmitted electronically: a) protection of our data stores against unauthorized access.
    b) use of SSL/TLS certificates on the Platform where personal data are transmitted.
    c) encryption of data used for authenticating access to the administration panel and the website.
    d) requiring an individual login and password to access the administration panel.

Automated Decision-Making

The Controller does not carry out any automated decision-making, including profiling, under Article 22(1) and (4) GDPR.

Changes to the Privacy Policy

  1. We review this Privacy Policy on an ongoing basis and update it as needed.
  2. The current version of the Policy has been in effect since 2025-08-01

Cookies Policy

We attach particular importance to respecting the privacy of visitors to our websites. To ensure the proper functioning of the Platform and provide services at the highest level, Semly uses so-called “cookies” (small data files stored on user devices). This Cookies Policy applies to Semly’s websites, to branded pages on third-party platforms (such as Facebook or Google) and applications provided or used through such sites or platforms, which are operated by or on behalf of Droplo Sp. z o.o. and/or whose operator is Droplo Spółka z ograniczoną odpowiedzialnością.

Our sites use a Consent Management Platform (CMP) to help you manage your cookie preferences. Through the CMP you can:

  1. Obtain detailed information about the cookies used on the Site and our trusted partners.
  2. Give or withdraw consent to the use of optional cookies by Semly and our trusted partners.
  3. Change your cookie settings at any time.

What are cookies?
Cookies are information files (particularly text files) stored on user devices when they browse websites. They allow the site to recognize a user’s device and properly display the website tailored to their preferences. Cookies typically contain the name of the website they come from, their storage duration on the device, and a unique identifier.

Purpose of cookies:
Cookies are used to tailor website content to user preferences, facilitate website usage, and optimize the performance of the site. They are also used for creating statistics (excluding personal user identification) to improve the site’s structure and content.

Types of cookies we use:
On Semly’s websites and services, two types of cookies are used:

  1. Persistent cookies: These remain on the user’s device for a period specified in the cookie parameters, unless manually deleted.
  2. Session cookies: These are temporary cookies that remain on the user’s device until the browser is closed or the user logs out.
  3. Cookies used by integrated partners (e.g. social media widgets, analytics) are subject to those partners’ privacy policies (e.g. Google’s policy).

Do cookies contain personal data?
Cookies used by Semly do not store any personal data by themselves.

Purpose of Semly’s own cookies:
We use our own cookies for purposes including:

  1. User login and authentication on our websites.
  2. Maintaining user sessions after login.
  3. Proper functioning and configuration of selected website features.
  4. Correct operation of affiliate programs and verification of user referral sources.
  5. Collecting anonymous statistical data.
  6. Optimizing the structure and content of our sites and services.
  7. Customizing content of our sites to user preferences.
  8. Gathering information on how users navigate our sites.
  9. Delivering advertising content tailored to users’ interests.
  10. Ensuring users’ safety when using our services.

External cookies:
We use third-party cookies for:

  1. Collecting anonymous statistical data via external analytics tools (e.g. Google Analytics).
  2. Displaying advertising materials (e.g. Google Ads, Meta Ads, TikTok Ads, YouTube Ads) tailored to user preferences.
  3. Integrating our websites with social media platforms (e.g. Facebook, YouTube, Linkedin, X, TikTok, Instagram).
  4. Enabling communication between Semly and users and providing information about our services (e.g. Gleap Chat).

Managing cookies:
You can configure your web browser to delete or block cookies. However, because some cookies are essential for the functioning of the Site, blocking or deleting them may cause some services to not function properly or at all. Detailed instructions on managing cookies are available in your browser settings. Further information on managing cookies is also provided by browser vendors.