Privacy Policy & Cookies
Updated: 2026-03-07
1. Data Controller
The data controller for your personal data is Adrian — HedgeLab / NairdaWeb, operating the service at hedgelab.eu.
Privacy-related contact: support@hedgelab.eu
2. What Data We Process and Why
User Account
- Data: name, email address, password (hashed), optionally: company, phone, country.
- Purpose: fulfilling the contract — providing access to the client panel (projects, tickets, documents).
- Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
- Retention: for the duration of the account + 30 days after deletion.
Chat Messages
- Data: message content, timestamp, user identifier.
- Purpose: customer support and technical assistance.
- Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
- Retention: 90 days from the date sent, then permanently deleted.
- Note: chat runs on our own server (Soketi/WebSocket) — no data is shared with third parties.
Tickets and Project Documents
- Data: ticket content, attachments, change history.
- Purpose: project delivery and ticket handling.
- Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
- Retention: 12 months after project completion.
Contact Form
- Data: name, email address, message content.
- Purpose: responding to your enquiry (initiated by you).
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest — responding to a user-initiated enquiry).
- Retention: 12 months from the date of contact.
Server Logs
- Data: IP address, request timestamp, browser type, visited page.
- Purpose: service security, error diagnostics.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest — security).
- Retention: 30 days.
3. Cookies
hedgelab.eu uses two categories of cookies:
Strictly necessary cookies (always active)
These cookies do not require your consent (Art. 5(3) ePrivacy Directive — exemption for cookies essential to providing the electronic service).
| Name | Type | Purpose | Duration |
|---|---|---|---|
| laravel_session | session | PHP session management (CSRF, app state) | Until browser is closed |
| auth_token | persistent | Authenticating a logged-in user | 7 days |
| csrf_token | persistent | CSRF attack protection | 7 days |
Analytics cookies (require consent)
These cookies are used only after you give your consent via the banner on the site.
| Name | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics 4 | Distinguishing users | 2 years |
| _ga_VDBJ31RK2Q | Google Analytics 4 | Storing session state | 2 years |
Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw consent at any time by deleting cookies in your browser settings or refreshing the page — the banner will appear again.
Google Analytics collects anonymised traffic data (visit counts, sources, time on page). Data may be transferred to Google servers outside the EEA under Standard Contractual Clauses (Art. 46 GDPR).
4. Data Transfers
Your data is not sold or shared with third parties for commercial purposes. Data may be disclosed to:
- hosting infrastructure providers (VPS server in the EU) — under a data processing agreement,
- public authorities only when required by law.
We do not transfer data outside the European Economic Area, except for Google Analytics data — which may be processed by Google LLC on servers outside the EEA under Standard Contractual Clauses (only if you have given consent).
5. Your Rights
Under GDPR you have the right to:
- Access — obtain a copy of the data we process (Art. 15).
- Rectification — correct inaccurate data (Art. 16).
- Erasure — request deletion of your data (Art. 17).
- Restriction — request restriction of processing (Art. 18).
- Portability — receive your data in a machine-readable format (Art. 20).
- Objection — object to processing based on legitimate interest (Art. 21).
To exercise your rights, contact us: support@hedgelab.eu
6. Right to Lodge a Complaint
If you believe the processing of your data violates GDPR, you have the right to lodge a complaint with the supervisory authority:
Urząd Ochrony Danych Osobowych (UODO) — Polish Data Protection Authority
ul. Stawki 2, 00-193 Warsaw, Poland
uodo.gov.pl · tel. +48 606 950 000
7. Security
We apply technical and organisational data protection measures: TLS/HTTPS encryption, password hashing, CSRF protection, HTTP security headers (CSP, HSTS, X-Frame-Options).
8. Changes to This Policy
We will notify you of significant changes by updating the date at the top of this page.