Policy

Privacy Policy.

Last updated: 2026-05-13

This document explains how Scaling Labs (the brand operated by Business Scaling Solutions) processes personal data - whose data, for what purpose, on which legal basis, and what rights you have. We follow the GDPR and applicable Polish law. Thirteen sections, plain language, clickable links - no legalese theatre.

§1. Definitions

To keep the rest of this document unambiguous, we use the following terms:

Scaling Labs / we / the Controller - the brand operated by Business Scaling Solutions (VAT ID: PL9223060966), seated at Grochowska 217/15, 04-077 Warszawa, Poland. Acts as the data controller within the meaning of Article 4(7) GDPR.
Site - the website at scaling-labs.co including all subpages and associated tooling (e.g. contact form, Calendly widget).
User / You - anyone visiting the Site, submitting the contact form, booking a call via Calendly, or receiving an email from us as part of our B2B outreach.
GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the General Data Protection Regulation).
Personal data - any information relating to an identified or identifiable natural person (Article 4(1) GDPR).
Processing - any operation performed on personal data: collection, recording, storage, modification, disclosure, erasure, etc. (Article 4(2) GDPR).
Cookies - small text files placed by your browser on your device when visiting the Site. They allow the device to be recognised on subsequent visits.
Consent - a freely given, informed, unambiguous indication of will expressed through a specific action (e.g. clicking the „Accept” button in the cookie banner).
Processor - an external service provider that processes personal data on our behalf under a Data Processing Agreement (DPA).
DPF (EU-US Data Privacy Framework) - European Commission adequacy decision of 10 July 2023 recognising an adequate level of data protection for certified US recipients.
SCC (Standard Contractual Clauses) - standard data transfer terms approved by the European Commission as a basis for transfers outside the European Economic Area.
UODO - the Polish data protection authority (President of the Personal Data Protection Office, uodo.gov.pl).

§2. Data controller

The controller of your personal data is:

Business Scaling Solutions
Grochowska 217/15, 04-077 Warszawa, Poland
VAT ID: PL9223060966
Contact: contact@scaling-labs.co

The Scaling Labs brand is operated by Business Scaling Solutions. Throughout this document we use „Scaling Labs”, „we”, and „the Controller” interchangeably. We have not appointed a Data Protection Officer (this is not required in our case), but every request reaches the decision-maker directly.

§3. Processing purposes and legal bases

We process personal data for the following purposes:

Following up after a contact form submission or a Calendly booking - basis: Article 6(1)(b) GDPR (steps taken at the request of the data subject prior to entering a contract).
B2B outreach to decision-makers in companies within our target market - basis: Article 6(1)(f) GDPR (legitimate interest in acquiring business clients).
Site analytics and UX optimisation - basis: Article 6(1)(f) GDPR (legitimate interest) for cookieless analytics; Article 6(1)(a) GDPR (consent) for analytics cookies (Google Analytics).
Issuing and storing accounting records for clients - basis: Article 6(1)(c) GDPR (legal obligation) in connection with the Polish Accounting Act.
Defence against potential claims - basis: Article 6(1)(f) GDPR.

§4. What data we collect

Directly from you (forms, emails, calls):

First and last name, business email, company name, role, phone number.
Message content and information you share during a strategy call or demo.

Automatically during your visit (technical data, mostly anonymised):

Anonymised device IP address.
Browser type and version.
Operating system (e.g. Windows, macOS, iOS, Android, Linux).
Screen resolution and device time zone.
Browser language.
Approximate location (country, city - derived solely from the IP address).
Referrer URL (e.g. linkedin.com, google.com).
Pages visited, time spent on each, and navigation path.
Session identifiers (only in analytics cookies - set only after consent).

From lawful public sources (for B2B outreach):

Business contact data from LinkedIn, company websites, Polish business registries (CEIDG, KRS), and public B2B databases (Apollo, ZoomInfo, Ocean.io). Strictly business data - no private records.

§5. How long we retain data

Contact form and outreach data - up to 24 months from the last contact, unless a working relationship begins.
Client data covered by a signed contract - for the duration of the contract plus 5 years (Polish Accounting Act and Tax Ordinance obligations).
Cookieless analytics data (Vercel Analytics) - aggregated, up to 12 months.
Google Analytics cookies - up to 14 months.
Your cookie decision (stored in browser localStorage) - until you withdraw it or clear browser data.
Opt-out requests and erasure records (outreach suppression list) - indefinite, because this is the only way to ensure we never contact you again.

§6. Who we share data with

We use trusted technology providers (processors) who handle data on our behalf. Each has a Data Processing Agreement (DPA) in place:

Site infrastructure and analytics - Vercel Inc. (USA, hosting + Vercel Analytics) and Google LLC (USA, Google Analytics 4 - only with your consent). Both covered by the EU-US Data Privacy Framework.
Communication and scheduling - Google Workspace (mailbox contact@scaling-labs.co) and Calendly LLC (USA). Both under the EU-US Data Privacy Framework.
B2B prospecting tools (CRM, contact enrichment, email verification, outreach automation) - including Apollo.io, Clay, Instantly.ai, Million Verifier, Bouncer. All under signed DPAs and Standard Contractual Clauses.
External accounting partner - only as required for bookkeeping.
Public authorities - when legally required.

An up-to-date list of processors is available on request at contact@scaling-labs.co. We do not sell your data and we do not share it for advertising.

§7. International data transfers

Some of our processors (Vercel, Google, Calendly) are based in the USA. For those transfers we rely on:

EU-US Data Privacy Framework (DPF) - for certified recipients.
Standard Contractual Clauses (SCCs) approved by the European Commission - where DPF certification does not apply.
Additional technical and organisational measures - encryption in transit and at rest, access control under the principle of least privilege.

§8. Your rights

At any time you have the following rights:

Right of access (Article 15 GDPR) - you may request a copy of your data.
Right to rectification (Article 16 GDPR) - when data is inaccurate or incomplete.
Right to erasure (right to be forgotten, Article 17 GDPR).
Right to restriction of processing (Article 18 GDPR).
Right to data portability (Article 20 GDPR) - in a structured, commonly used, machine-readable format.
Right to object to processing based on legitimate interest (Article 21 GDPR) - including our B2B outreach. Upon receiving your objection we stop contacting you and add you to a suppression list.
Right to withdraw consent - where processing is based on consent (e.g. analytics cookies). Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Right to lodge a complaint with the President of the Personal Data Protection Office (uodo.gov.pl) if you believe we process your data unlawfully.

To exercise any of these rights, email contact@scaling-labs.co. We respond within 30 days - usually sooner.

§9. Cookies and similar technologies

We categorise cookies in three ways - by lifetime, origin, and purpose.

By lifetime:

Session cookies - deleted automatically when you close the browser.
Persistent cookies - stored for longer until they expire or you delete them manually.

By origin:

First-party cookies - set directly by our Site (scaling-labs.co).
Third-party cookies - set by our processors; currently only Google Analytics, and only after you provide consent.

By purpose:

Strictly necessary - required for the Site to function (e.g. storing your cookie decision in localStorage). Basis: our legitimate interest; no consent required.
Cookieless analytics (Vercel Analytics, Speed Insights) - count visits without setting cookies or identifying individual users. Basis: legitimate interest (Article 6(1)(f) GDPR).
Cookie-based analytics (Google Analytics 4) - sets `_ga` and `_ga_*` client identifiers. Loads ONLY after you provide consent via the banner. Basis: consent (Article 6(1)(a) GDPR and Article 173 of the Polish Telecommunications Act). Lifetime: up to 14 months.

You can change your cookie decision at any time - the footer has a „Cookie settings” link that re-opens the banner.

Independently of our banner, you can manage cookies directly in your browser. Vendor instructions:

Restricting cookies may affect some Site functionality.

§10. Polish-law legal basis

Beyond GDPR, our operations are also governed by Polish national law:

Act of 10 May 2018 on Personal Data Protection (Dz.U. 2018 poz. 1000) - the Polish national supplement to the GDPR, including procedures before the data protection authority (UODO).
Telecommunications Act of 16 July 2004 (Dz.U. 2004 nr 171 poz. 1800, as amended), in particular Article 173 - requirements for cookies and similar technologies.
Act of 18 July 2002 on Providing Services by Electronic Means (Dz.U. 2002 nr 144 poz. 1204, as amended) - rules for online services.
Accounting Act of 29 September 1994 (Dz.U. 1994 nr 121 poz. 591, as amended) - retention obligations for accounting documents.

§11. Data security

We apply appropriate technical and organisational measures, including:

Encrypted connections (HTTPS / TLS) across the Site.
Multi-factor authentication (MFA) on all corporate accounts.
Access control following the principle of least privilege.
Regular backups and tested recovery procedures.
Data Processing Agreements (DPAs) with every processor.
Ongoing software updates and vulnerability monitoring.

§12. Changes to this policy

We may update this policy - for example after adding a new analytics tool, changing a processor, or in response to regulatory changes. Every material change is reflected in the „Last updated” field at the top of this Site.

If a change requires new consent (e.g. adding a new cookie category), we will ask for it again via the banner. The current version of the policy applies from the date shown at the top.

§13. Contact

Questions about data processing, rights requests, incident reports - direct them to:

contact@scaling-labs.co
Business Scaling Solutions, Grochowska 217/15, 04-077 Warszawa

The standard response time is up to 30 days from receipt (Article 12(3) GDPR). In practice we respond faster.