Privacy Policy

Effective date: April 20, 2026.

This policy explains how Inuits Sp. z o.o. ("Inuits", "We", "Controller") collects, uses, and protects personal data in connection with the inuits.it website (the "Service"), our contact with you, and our use of cookies and analogous technologies. Questions: hello@inuits.it.

1. Who we are

The controller of your personal data is Inuits spółka z ograniczoną odpowiedzialnością with its registered seat in Kraków (ul. Krupnicza 5/1, 31-123 Kraków, Poland). Inuits is entered in the registry of entrepreneurs of the National Court Register by the District Court for Kraków-Śródmieście, XI Commercial Department of the National Court Register under number 0000792510, having Tax Identification Number 6762567702 and Statistical Number 383659794. Inuits is also entered in the National Register of Employment Agencies (KRAZ) under number 35420.

In all matters regarding personal-data protection you can contact the Controller at hello@inuits.it.

This privacy policy applies to the processing of your personal data in relation to:

  1. your visit to inuits.it (the "Service");
  2. our cooperation with you as our client;
  3. our cooperation with you as an employee of our client;
  4. our marketing activities;
  5. your contact with us in any way;
  6. your visits to our social-media profiles;
  7. our use of cookies and analogous technologies.

2. How and why we process your personal data

Visitors of the Service

We process technical operational data: IP address, request date and time, software and device parameters, and the pages visited. This data is used to diagnose issues and to improve performance and security. Legal basis: Article 6(1)(f) GDPR — legitimate interest in operating, maintaining, and improving the Service.

Contact with the Controller

When you contact us, you provide the personal data contained in your message (or shared during a call). Providing this data is voluntary but necessary to contact us. Legal basis: Article 6(1)(f) GDPR — legitimate interest in answering your questions and the possibility of cooperation.

Our clients

If you are our client, we process your personal data to fulfil the contract with you and to comply with our legal and tax obligations. Legal basis: Article 6(1)(b) and Article 6(1)(c) GDPR.

Employees of our clients

We process your data to fulfil the contract with our client. Legal basis: Article 6(1)(f) GDPR — legitimate interests pursued by the Controller or a third party. We assume in good faith that our client has informed you that your data is shared with us for this purpose.

Marketing

After obtaining separate consent we may process your personal data to present commercial, advertising, promotional, and marketing information about Inuits by e-mail or phone. Legal basis: Article 6(1)(a) GDPR. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

3. Third-party processors

We rely on the following external processors to run the Service. All are bound by written data-processing agreements and GDPR-compliant safeguards.

  • Resend (resend.com) — transactional e-mail delivery (contact form, career form, gigs-interest form, lead-magnet capture). Hosted in the United States; data processed under EU Standard Contractual Clauses.
  • Sanity (sanity.io) — blog content management and image CDN. EU-region dataset.
  • Vercel (vercel.com) — Service hosting and edge delivery. Global CDN.
  • Google — Tag Manager, Google Analytics 4, Google Ads. Data flows rely on the EU–U.S. Data Privacy Framework.
  • Umami (self-hosted at analytics.fossaert.be) — cookieless aggregate analytics (visit counts, referrers).
  • CookieYes — consent banner and Google Consent Mode v2 management.
  • YouTube (youtube-nocookie.com) — privacy-enhanced video embeds. Cookies set only when the user starts playback.
  • Slack — fallback notification channel for forms when e-mail delivery fails.
  • Ahrefs — SEO performance attribution. Loaded via Google Tag Manager, gated on analytics consent.

We do not use HubSpot, LinkedIn Insight Tag, Meta Pixel, Hotjar, or Microsoft Clarity.

4. Cookies overview

We use cookies and analogous technologies (localStorage, sessionStorage) in four categories: Necessary (always on), Functional, Analytics, and Advertising. Necessary and Functional items operate under legitimate interest (Art. 6(1)(f) GDPR). Analytics and Advertising items load only after you grant the corresponding consent via the CookieYes banner, or after you re-open the banner using the "Cookie preferences" link in the site footer.

Umami is a cookieless aggregate-analytics server hosted on our own infrastructure. Because it sets no cookies, creates no cross-site identifier, and only produces aggregate statistics (IP-address-based visit counts), we rely on Art. 6(1)(f) GDPR legitimate interest for Umami and do not gate it behind the consent banner. This is aligned with CNIL guidance on cookieless analytics and the EDPB's position on strictly server-side audience measurement.

The full inventory is in section 4a.

| Name | Category | Provider | Purpose | Expiry |
|---|---|---|---|---|
| cky-consent | Necessary | CookieYes (first-party) | Stores the user's consent decision across categories. | 1 year |
| i18n_locale | Necessary | Inuits.it (first-party) | Remembers the user's selected site language. | Session |
| __vdpl | Necessary | Vercel (first-party) | Vercel Skew Protection — pins the browser to the specific deployment it loaded from, preventing asset version mismatches during rolling redeployments. Set automatically by the hosting platform; contains no personal identifiers. | Session |
| UTM params (sessionStorage) | Functional | Inuits.it (first-party) | First-touch attribution forwarded to the form handlers; not a cookie. | Session |
| availability-dismissed:* (localStorage) | Functional | Inuits.it (first-party) | Remembers that the visitor dismissed the Q2-availability pill on TaaS / Nearshoring. | Persistent |
| Umami site identifier | Legitimate interest | Umami (self-hosted at analytics.fossaert.be) | Cookieless aggregate page-view analytics. No cross-site tracking, no client-side storage. Loaded without consent under GDPR Art. 6(1)(f). | N/A |
| _ga, _ga_<container-id> | Analytics | Google Analytics 4 (via GTM) | Distinguishes visitors and sessions for aggregate reporting. Loaded only after analytics consent. | 2 years |
| _gid | Analytics | Google Analytics 4 (via GTM) | Distinguishes individual sessions. Loaded only after analytics consent. | 24 hours |
| Ahrefs site analytics | Analytics | Ahrefs (via GTM) | Visit attribution for SEO performance. Gated on analytics consent at the GTM container level. | Session |
| _gcl_au | Advertising | Google Ads (via GTM) | Conversion attribution for Google Ads campaigns. Loaded only after advertising consent. | 90 days |
| NID, IDE, DoubleClick | Advertising | Google / DoubleClick (via GTM) | Ad personalisation and frequency capping. Loaded only after advertising + ad-personalisation consent. | Up to 13 months |
| YouTube (youtube-nocookie.com) | Functional | YouTube (Google) | Privacy-enhanced video embed on the careers page. Sets cookies only if the user presses play. | On play only |
| Sanity CDN (cdn.sanity.io) | | Sanity | Delivers blog post images. No tracking cookies. | N/A |
| CookieYes CDN | Necessary | CookieYes | Loads the consent banner script. Sets only cky-consent. | N/A |

We implement Google Consent Mode v2. Before you interact with the CookieYes banner, all consent signals (analytics_storage, ad_storage, ad_user_data, ad_personalization, functionality_storage, personalization_storage) default to denied. Google receives only anonymised, aggregated modelling pings that do not set identifiers on your device. We honour the browser's Do-Not-Track header and the Global Privacy Control (GPC) signal: when either is enabled we treat analytics and advertising consent as implicitly denied regardless of banner state.

6. Your rights under the GDPR

If the GDPR applies to you, you have the following rights at any time:

  • Access to your personal data and information about its processing (Art. 15).
  • Rectification of inaccurate or incomplete data (Art. 16).
  • Erasure (the "right to be forgotten", Art. 17).
  • Restriction of processing (Art. 18).
  • Data portability — receipt of your data in a structured, machine-readable format (Art. 20).
  • Objection to processing on legitimate-interest or direct-marketing grounds (Art. 21).
  • Withdrawal of consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Lodging a complaint with a supervisory authority. In Poland: Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-913 Warsaw, kancelaria@uodo.gov.pl.

To exercise any of these rights, contact us at hello@inuits.it.

7. Retention periods

Visitors of the Service

Server-log data: up to 12 months, then deleted or anonymised. Cookies and analogous technologies: see the per-item expiry in section 4a.

Contact and correspondence

Messages received via forms, e-mail, or phone are retained as long as needed to answer and, where justified, for the applicable limitation period for claims under Polish and EU law.

Clients and employees of clients

Personal data processed under a contract: for the duration of the contract and, where the claim-limitation period is longer, until the end of that limitation period.

Marketing

Data processed on the basis of consent: until you withdraw consent. Data processed on the basis of legitimate interest for direct marketing: until you object.

Social-media profile visitors

Aggregate statistics from our profiles are retained as long as the underlying social-network platform allows. The platform owners apply their own retention schedules to the underlying raw data.

8. International transfers

Some processors are located outside the European Economic Area (EEA). Where this is the case, we rely on the legal instruments foreseen by Chapter V of the GDPR:

  • Sanity — EU-region datasets; transfers stay within the EEA.
  • Resend — data is processed in the United States under EU Standard Contractual Clauses (2021/914) plus supplementary measures.
  • Google (GTM, GA4, Ads, DoubleClick) — transfers are covered by the EU–U.S. Data Privacy Framework adequacy decision (2023).
  • Vercel — global CDN; data-processing agreement and EU SCCs in place.

Where no adequacy decision or adequate guarantees exist, we rely on the exceptions in Art. 49 GDPR and inform you accordingly. We take reasonable measures to ensure an adequate level of data protection in each case.

9. Changes to this policy

We may update this privacy policy to reflect changes in our operations, technology choices, or applicable law. The current version is always available at inuits.it/privacy-policy. Material changes will be announced on the site and, where appropriate, via e-mail to registered contacts.

10. Contact

Inuits Sp. z o.o. — ul. Krupnicza 5/1, 31-123 Kraków, Poland — hello@inuits.it.