- Effective Date: October 29, 2025
- Last Updated: October 29, 2025
1. Purpose
This policy defines how long Quesma retains personal data and the procedures for deleting data when it is no longer needed or when requested by data subjects.
This policy supports our compliance with:
- General Data Protection Regulation (GDPR)
- Polish data protection laws
- Vendor requirements and questionnaires
2. Scope
This policy applies to all personal data collected through:
- Website (quesma.com)
- Newsletter subscriptions
- Business contacts and vendor relationships
- Any future product or service offerings
3. Data Retention Periods
We retain personal data only as long as necessary for the purposes it was collected. Below are our standard retention periods:
3.1 Website Analytics Data
- Data Type: Anonymous visitor analytics (Google Analytics)
- Retention Period: 26 months
- Reason: Google Analytics standard retention policy
- Deletion: Automatic deletion by Google after 26 months
Details:
- Page views, sessions, anonymized IP addresses
- Browser and device information
- Geographic data (city/country level)
- No personally identifiable information stored
3.2 Newsletter Subscriber Data
- Data Type: Email addresses from newsletter signups
- Retention Period: Until unsubscribe
- Reason: Ongoing communication and consent-based relationship
- Deletion: Immediate upon unsubscribe or deletion request
Details:
- Email address
- Subscription date and timestamp
- Email engagement data (opens, clicks)
- Managed through Mailchimp
3.3 Website Access Logs
- Data Type: Server logs with IP addresses and requests
- Retention Period: 30 days
- Reason: Security monitoring and troubleshooting
- Deletion: Automatic deletion after 30 days
Details:
- IP addresses
- Request timestamps
- HTTP requests and responses
- Error logs
3.4 Contact Form Inquiries
- Data Type: Email communications sent to [email protected]
- Retention Period: 2 years from last contact
- Reason: Business relationship and customer service
- Deletion: Manual deletion after 2 years of inactivity
Details:
- Name and email address
- Message content
- Follow-up communications
- Stored in Google Workspace
3.5 Business Contacts and Vendor Data
- Data Type: Employee contacts from partners, vendors, pilots (e.g., Anthropic)
- Retention Period: Duration of business relationship + 1 year
- Reason: Business operations and potential future engagement
- Deletion: Manual deletion 1 year after relationship ends
Details:
- Names, email addresses, job titles
- Meeting notes and communications
- Stored in Google Workspace and Slack
3.6 User Preferences
- Data Type: Theme preferences (dark/light mode)
- Retention Period: Indefinite (browser local storage)
- Reason: User convenience
- Deletion: User can clear browser storage at any time
Details:
- Stored locally in user’s browser
- No server-side retention
- Not personally identifiable
4. Data Deletion Procedures
4.1 Automatic Deletion
The following data is deleted automatically:
- Google Analytics: Auto-deleted after 26 months
- Website logs: Auto-deleted after 30 days
- Newsletter: Auto-deleted upon unsubscribe (via Mailchimp)
No manual intervention required.
4.2 Manual Deletion on Request
When a data subject requests deletion (Right to be Forgotten under GDPR):
Process:
- Request received at [email protected]
- Identity verification (confirm email ownership or provide identifying details)
- Deletion within 30 days of verified request
- Confirmation sent to requester. We send a deletion confirmation to the requester and keep an entry in our privacy log; related Mailchimp/Google Workspace audit evidence is available on request.
What we delete:
- Newsletter email address (if subscribed)
- Contact form communications (if present)
- Any business contact information (if applicable)
What we cannot delete:
- Anonymous analytics data (already anonymized, cannot identify an individual)
- Records required by law or regulation (e.g., financial records)
- Aggregated data that no longer contains personal information
4.3 Deletion After Retention Period
At the end of each retention period, data is reviewed and deleted:
Quarterly Review Process:
- Review contact form inquiries older than 2 years
- Review business contacts for inactive relationships
- Delete data that has exceeded retention periods
- Document deletions in internal log
Responsible Party: Data Protection Officer (Jacek Migdal, [email protected])
5. Exceptions to Deletion
We may retain data beyond standard periods if:
- Legal obligation: Required by law, regulation, or legal proceedings
- Legitimate interest: Necessary for legal claims or defense
- Consent: Data subject explicitly consents to extended retention
In these cases, we will:
- Document the reason for extended retention
- Review retention periodically
- Delete as soon as the reason no longer applies
6. Third-Party Data Processors
We use third-party services that have their own retention policies:
| Service | Data Retained | Their Retention Policy |
|---|---|---|
| Google Analytics | Anonymous analytics | 26 months (configurable) |
| Cloudflare | Request logs, security data | Minimal, per their policy |
| Mailchimp | Email addresses, engagement | Until account deletion |
| Google Workspace | Email, documents | Until manual deletion |
We cannot control third-party deletion timelines beyond our own account settings, but we select vendors with GDPR-compliant retention practices.
7. Data Subject Requests
Data subjects can request information about or deletion of their data by contacting:
- Email: [email protected]
- Response Time: Within 30 days (GDPR requirement)
Request Types:
- Access: “What data do you have about me?”
- Deletion: “Delete all my data”
- Correction: “Update my information”
- Objection: “Stop processing my data for [purpose]”
See our Data Subject Request (DSR) Procedure for full process details.
8. Data Breach and Retention
In the event of a data breach:
- We retain breach investigation records for 3 years
- Required for regulatory compliance and legal defense
- See Data Breach Notification Procedure for details
9. Policy Review and Updates
- Review Frequency: Annually or when business practices change
- Responsible Party: Data Protection Officer (Jacek Migdal)
- Last Review: October 29, 2025
Changes to this policy will be documented and communicated to:
- Internal team members
- Affected data subjects (if material changes)
- Updated on website privacy policy
10. Compliance and Auditing
Internal Audit:
- Annual review of retained data
- Verify deletion procedures are followed
- Document compliance for GDPR requirements
Records:
- Deletion requests logged and tracked
- Retention period reviews documented
- Available for supervisory authority inspection
11. Contact
For questions about data retention or deletion:
- Data Protection Officer: Jacek Migdal, CEO
- Email: [email protected]
- Company: Quesma Poland Sp. z o.o.
- Address: ul. Lindleya 16, 02-013 Warszawa, Poland
Summary Table: Quick Reference
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Google Analytics | 26 months | Automatic |
| Newsletter emails | Until unsubscribe | Automatic (Mailchimp) |
| Website logs | 30 days | Automatic |
| Contact inquiries | 2 years | Manual review |
| Business contacts | Relationship + 1 year | Manual review |
| Theme preferences | Indefinite (local) | User clears browser |