Data Processing

Otack Pages — operated by Goup Space Sp. z o. o.

Effective date: 2026-05-29

1. Parties and auto-conclusion

Processor: Goup Space Sp. z o. o., ul. Hoża 86/210, 00-682 Warszawa, Poland; KRS 0000932799; REGON 520583134; NIP 7011061440; info@otack.eu.

Controller: the natural person or legal entity holding an Account on the Platform and publishing one or more Generated Sites that collect visitor data via forms.

This Agreement is automatically concluded upon the Controller's acceptance of the Terms of Service. It implements GDPR Art. 28(3) and forms an integral part of the Terms of Service.

2. Subject matter, nature and purpose

The Processor collects, stores, and retransmits (e-mail or Telegram notification to the Controller, dashboard display) personal data submitted by end-visitors via forms on the Controller's Generated Sites, solely to enable the Controller to receive and manage inquiries and leads from those visitors.

3. Types of personal data and categories of data subjects

Data subjects: visitors of the Controller's Generated Sites who submit forms.

Personal data: fields chosen by the Controller (typically name, e-mail, phone, message, business name, custom fields) and technical metadata (IP address, submission timestamp, page URL).

4. Duration and retention

This Agreement runs for as long as the Controller's Account is active and at least one Generated Site is published. Retention periods for form submission data are as set out in the Privacy Policy §7, which is the single source of truth for all retention periods.

5. Processor obligations (GDPR Art. 28(3)(a)–(h))

(a) Instructions — The Processor processes personal data only on the Controller's documented instructions. The Controller's form configuration (fields, recipient, integrations) constitutes those instructions. The Processor notifies the Controller if it considers any instruction infringes the GDPR.

(b) Confidentiality — All persons authorised to process the data are bound by confidentiality obligations or statutory duty of confidentiality.

(c) Security — The Processor applies technical and organisational measures under GDPR Art. 32 as described on the Security page.

(d) Sub-processors — The current sub-processor list is published in the Privacy Policy §5, which is the single source of truth. Changes are notified at least 30 days in advance. The Controller may object within that window; if unresolved, the Controller may terminate by deleting the affected Generated Site or Account. The Processor remains fully liable for sub-processor performance.

(e) Data-subject rights — The Processor assists the Controller in responding to data-subject requests under GDPR Arts. 15–22. Requests received by the Processor concerning the Controller's data are forwarded to the Controller without undue delay.

(f) Compliance assistance — The Processor assists the Controller with obligations under GDPR Arts. 32–36 (security, breach notification, DPIA, prior consultation) to the extent the Processor holds relevant information.

(g) Deletion or return — On termination the Processor, at the Controller's choice, deletes or returns all personal data within 30 days and deletes existing copies, unless law requires storage. The Controller may request a JSON export before deletion.

(h) Audit — The Processor makes available all information necessary to demonstrate compliance with Art. 28 and cooperates with audits conducted by the Controller or a mandated auditor, on at least 30 days' advance notice, during business hours, in a manner that does not unreasonably disrupt operations.

6. Sub-processors and international transfers

The current sub-processor list and all applicable transfer safeguards (SCCs, EU-US DPF, Art. 49(1)(a) consent) are published in the Privacy Policy §5 and §6. Those sections are incorporated into this Agreement by reference and constitute the Processor's disclosure under Art. 28(3)(d). Copies of safeguard instruments are available on request at info@otack.eu.

7. Personal data breach notification

On becoming aware of a breach affecting data processed under this Agreement, the Processor notifies the Controller without undue delay and within 72 hours, including: nature of the breach, categories and approximate number of data subjects and records, likely consequences, and measures taken or proposed. The Controller is responsible for notifying the supervisory authority and data subjects under GDPR Arts. 33 and 34.

8. Liability

The Processor's liability is governed by the Terms of Service. Nothing excludes or limits liability that cannot be excluded under mandatory EU or Polish law, including GDPR Art. 82. Apportionment where both parties contributed to damage is determined under Art. 82(5).

9. Governing law and contact

This Agreement is governed by Polish law and the GDPR. Complaints may be lodged with Prezes UODO, Warsaw: https://uodo.gov.pl.

Processor contact: Goup Space Sp. z o. o., ul. Hoża 86/210, 00-682 Warszawa; info@otack.eu.

The English version is the master version. In case of any conflict between translations, the English version prevails, subject to mandatory provisions of the law applicable to the User's place of residence.

Goup Space Sp. z o. o. · ul. Hoża 86/210, 00-682 Warszawa · KRS: 0000932799 · info@otack.eu · /dpa