Mezantic

Privacy Notice

How Mezantic processes account, form, respondent, billing, support, and usage data.


Mezantic Privacy Policy

Version: 1.0
Effective date: 2026-05-15


§ 1. Introduction

This Privacy Policy (the "Policy") explains how Mezantic collects, uses, stores, and shares personal data when you use the Mezantic website and application (the "Service").

Throughout this Policy, "GDPR" means Regulation (EU) 2016/679 and, where applicable, its equivalent as retained in UK law by the European Union (Withdrawal) Act 2018 together with the Data Protection Act 2018 ("UK GDPR"). References to the GDPR apply equally to both unless the context requires otherwise.

This Policy is a standalone English-language document prepared for English-speaking users of the Service. A parallel Polish-language version (Polityka prywatności) is maintained in substantive alignment and updated simultaneously. See § 19 for the language note.

§ 2. Data Controller

The data controller is:

SONATE sp. z o.o.
ul. Gospodarcza 26, 20-213 Lublin
KRS: 0001162191 | NIP: 9462751627 | REGON: 541212186

(hereinafter: "Controller", "we", "us", "our")

We have not appointed a Data Protection Officer. For all data protection matters, contact us at hello@mezantic.com or at our registered address.

This Policy covers personal data processed through: mezantic.com.

§ 3. Definitions

  • Service — the Mezantic website and web application for creating, publishing, and managing electronic forms.
  • Operator — a registered user who creates and publishes forms using a Mezantic account. Mezantic is designed for business users; see the Terms of Service for details.
  • Respondent — a natural person completing a published Operator form via a public link.
  • Visitor — a person browsing the Mezantic marketing pages before creating an account.
  • AI Features — generative AI functionality within the Service, including PDF-to-Form conversion and Prompt-to-Form generation.
  • Operator Content — questions, descriptions, settings, and files (including PDFs) uploaded by the Operator to build a form.
  • Responses — data submitted by a Respondent in answer to a published form.
  • EEA — the European Economic Area.
  • DPF — the EU-U.S. Data Privacy Framework, established by Commission Implementing Decision (EU) 2023/1795 of 10 July 2023.
  • 2021 SCCs — the standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

§ 4. Scope of this Policy

We process personal data in two contexts:

a) Controller — where we determine the purposes and means of processing ourselves. This covers Operator account management, billing, Service security, product analytics, and legal obligations.

b) Processor — where we process personal data on behalf of and on the Operator's instructions. This covers Operator Content, Responses, and any technical metadata associated with public-form submissions. In this context the Operator is the controller; Mezantic acts under a separate Data Processing Agreement (DPA) in accordance with Article 28 GDPR.

This Policy does not govern the content of Operator forms. The Operator, as controller of Respondent data, has its own Articles 13 and 14 GDPR obligations. Mezantic provides tools but does not fulfil the Operator's information duties.

§ 5. Purposes and Legal Bases

| # | Purpose | Legal basis | Who it concerns |
|---|---------|-------------|-----------------|
| 1 | Account creation and management; authentication; Service access | Art. 6(1)(b) GDPR — performance of contract | Operator |
| 2 | Payment processing; invoicing; tax and accounting records, including transmission to the Polish National e-Invoicing System (KSeF) where applicable | Art. 6(1)(b) and 6(1)(c) GDPR — contract performance and legal obligation | Operator |
| 3 | AI Features (PDF conversion, form generation) | Art. 6(1)(b) GDPR — performance of contract | Operator |
| 4 | Security event logging; error monitoring (Sentry); abuse prevention | Art. 6(1)(f) GDPR — legitimate interest in Service security and stability | Operator, Respondent (incidentally) |
| 5 | Operating public forms — receiving Responses, validation, abuse protection | Art. 28 GDPR (processor role for Response content and associated technical metadata); Art. 32 GDPR (technical and organisational measures, including request-rate limiting and abuse prevention) | Respondent |
| 6 | Product analytics (PostHog EU) — consent only | Art. 6(1)(a) GDPR — consent | Operator, Visitor |
| 7 | Marketing and campaign measurement (Google Analytics 4, Consent Mode v2) — consent only | Art. 6(1)(a) GDPR — consent | Visitor, Operator |
| 8 | Transactional email (confirmations, invoices, security alerts) | Art. 6(1)(b), 6(1)(c) and 6(1)(f) GDPR | Operator |
| 9 | Fulfilling data subject rights; handling complaints | Art. 6(1)(c) GDPR | All |
| 10 | Recording consent choices, public legal version/effective-date baselines, account creation timestamps, and billing/payment evidence (accountability records) | Art. 6(1)(c) and 6(1)(f) GDPR | Operator |
| 11 | Establishing or defending legal claims; co-operation with authorities | Art. 6(1)(f) GDPR | All |
| 12 | Anonymised cross-customer aggregate analytics for Service improvement (aggregated usage metadata only — not the content of Responses — in a form not allowing identification under Recital 26 GDPR) | Art. 6(1)(f) GDPR — legitimate interest | Mezantic (controller) |

§ 6. Data We Process

Operator (registered user):

  • name (if provided), email address, OAuth identifier
  • hashed password, session identifiers
  • company name, tax number, billing country and address (after billing setup)
  • payment processor customer ID, payment history, invoice numbers
  • IP address, device identifier, browser data, interface language
  • usage data: forms created, responses collected, AI Feature usage, activity timestamps
  • correspondence content

Respondent:

  • data entered into the form — as determined by the Operator; processed on the Operator's behalf
  • IP address and User-Agent — only where the Operator has enabled technical-metadata collection in the form's publishing settings
  • submission timestamp

Visitor:

  • IP address, device identifier, browser data
  • activity data (with consent): analytics events, clickstream, traffic source

§ 7. AI Features

7.1. Our AI Features use models provided by Google Ireland Limited (with Google LLC as sub-processor).

7.2. Operator Content submitted to AI Features (PDFs, text prompts, generated output) is transmitted to Google solely to execute the requested AI task.

7.3. We do not use Operator Content or Responses to train AI models.

7.4. PDF files are deleted from our infrastructure shortly after the AI task completes, is cancelled, or fails. AI task metadata may be retained longer for cost control and abuse prevention.

7.5. By submitting files to AI Features, the Operator confirms they have an appropriate legal basis to process any personal data contained in those files.

§ 8. Sub-processors and Data Recipients

We use trusted third-party service providers acting as data processors under written agreements compliant with Article 28 GDPR. These providers cover the following categories: application and database hosting, payment processing and invoicing, transactional email delivery, error monitoring and security, product analytics, cookie consent management, and AI models. Each provider processes data only to the extent necessary for its specific function.

The current list of sub-processors — including their functions, processing locations, and applicable transfer safeguards — is maintained at mezantic.com/en/legal/service-providers and updated on an ongoing basis. We will give advance notice of any material changes to our sub-processor lineup in accordance with § 17.

Data may also be shared with public authorities (where legally required), external advisors (under confidentiality obligations), and parties to M&A transactions (subject to data minimisation).

§ 9. International Transfers

9.1. Where personal data is transferred outside the European Economic Area (EEA), Mezantic relies on one of the transfer mechanisms permitted by Chapter V of the GDPR, in the following order of preference:

(a) an adequacy decision of the European Commission under Article 45 GDPR. For transfers to certified organisations in the United States, Mezantic relies on Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequate level of protection of personal data under the EU-U.S. Data Privacy Framework. The current list of DPF-certified organisations is published at https://www.dataprivacyframework.gov/list;

(b) standard contractual clauses approved by the European Commission under Article 46(2)(c) GDPR, namely the clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, supplemented by appropriate supplementary measures where required following Mezantic's transfer impact assessment;

(c) other lawful transfer tools listed in Article 46 GDPR, or, in narrowly limited situations, the derogations in Article 49 GDPR (in particular Article 49(1)(b) for transfers necessary for the performance of a contract with the data subject).

9.2. The Service Providers page at mezantic.com/en/legal/service-providers states, for each provider that may receive personal data outside the EEA, the applicable transfer mechanism (adequacy decision incl. DPF / 2021 SCCs / Article 49 derogation).

9.3. On request to hello@mezantic.com we provide further information about the safeguards in place for a particular transfer, including, where applicable, a copy of the 2021 SCCs we have entered into — with confidentiality of commercial terms preserved.

§ 10. Retention

| Data | Retention period |
|------|------------------|
| Operator account and profile data | Duration of account; deleted on closure except where legally required to retain |
| Operator Content (forms) | Duration of account or until deleted by the Operator |
| Respondent Responses | Duration of Operator's account or until deleted by the Operator |
| Respondent IP address / User-Agent | Retained with the corresponding Response |
| PDFs submitted to AI Features | Deleted shortly after task completion, cancellation, or failure (30 days target) |
| AI task metadata | Duration of account or shorter, based on operational need |
| Consent records | While consent is relied upon; thereafter for the period required to demonstrate accountability under Articles 5(2) and 7(1) GDPR (typically 6 years from end of calendar year of account closure or consent withdrawal) |
| Legal version/effective-date baselines and account creation timestamps | Retained as part of account, billing, and legal accountability records for the period needed to establish or defend contractual claims |
| Invoices and billing documents | 5 years from the start of the year following the financial year concerned (Article 74 of the Polish Accounting Act); plus the limitation period for tax liabilities (Article 70 § 1 and Article 86 § 1 of the Polish Tax Ordinance) |
| Security logs and error data | Limited operational period only |
| Email suppression list | Indefinitely for evidential purposes |
| Data retained for legal claims | Applicable limitation period under Article 118 of the Polish Civil Code (generally 3 years for commercial claims, 6 years for other claims) |

§ 11. Your Rights

As a data subject under the GDPR, you have the right to:

  1. Access your personal data and receive a copy (Art. 15).
  2. Rectify inaccurate or incomplete data (Art. 16).
  3. Erase your data ("right to be forgotten") subject to legal retention obligations (Art. 17).
  4. Restrict processing in certain circumstances (Art. 18).
  5. Data portability for data processed by automated means on the basis of consent or contract (Art. 20).
  6. Object to processing based on our legitimate interests, including direct marketing — we will stop immediately upon objection (Art. 21).
  7. Withdraw consent at any time without affecting the lawfulness of prior processing (Art. 7(3)).
  8. Not be subject to solely automated decisions that produce legal or similarly significant effects (Art. 22).

To exercise any right, contact us at the address in § 2. We will respond within one month (extendable by two months in complex cases, with notice). Requests are free of charge unless manifestly unfounded or excessive.

For Operators, providing account data, authentication data, data necessary to provide the Service, billing data, and purchase data is voluntary but required to create an account, use the Service, or purchase a paid plan; refusal prevents provision of the Service to the relevant extent. Consents for analytics and marketing cookies, managed in the Mezantic consent panel, are fully voluntary; refusal or withdrawal does not affect the basic functionality of the Service.

The fields required in a public form and the legal basis for processing responses are determined by the Operator as controller of that form.

§ 12. Information for Respondents

12.1. Mezantic processes Responses on behalf of and on the instructions of the Operator who published the form. The Operator is the data controller for Response content. For questions about how your Response data is used — including the legal basis, purpose, and your rights — contact the Operator of the specific form. Mezantic cannot independently disclose, modify, or delete Responses without the Operator's authorisation.

12.2. If you cannot identify or reach the Operator, contact us at hello@mezantic.com and we will help direct your query.

§ 13. Cookies

We use cookies and similar technologies in accordance with applicable ePrivacy law (Directive 2002/58/EC Article 5(3) as transposed in the user's Member State, including, in Poland, Article 173 of the Act of 12 July 2024 — Electronic Communications Law). Cookies fall into four categories:

  • Strictly necessary — required for the Service to function; no consent needed.
  • Functional — improve the Service experience (e.g. language preferences); require consent.
  • Analytics — measure traffic and usage (PostHog EU); require consent.
  • Marketing — measure campaign performance (Google Analytics 4); require consent.

Manage or withdraw cookie consent at any time via the in-app consent panel where available. Full cookie details are in our Cookie Policy at mezantic.com/en/legal/cookies.

§ 14. Security

We protect personal data using appropriate technical and organisational measures (Article 32 GDPR), including TLS encryption in transit, encryption at rest, database Row-Level Security, environment separation, regular backups, security event monitoring, and access restricted to authorised personnel on a need-to-know basis.

In the event of a breach likely to result in high risk to individuals, we will notify the relevant supervisory authority and affected individuals in accordance with Articles 33–34 GDPR.

No online service can guarantee perfect security. Operators remain responsible for lawful form design, appropriate respondent notices, account access control, and safe handling of exported data.

§ 15. Automated Decision-Making and Profiling

We do not make decisions based solely on automated processing that produce legal or similarly significant effects on individuals (Article 22 GDPR). Automated mechanisms for analytics, AI cost control, and abuse detection do not make final, independent decisions affecting Operators.

§ 16. Direct Marketing

We send commercial communications only where you have consented. You can withdraw consent at any time via the unsubscribe link in any message or by contacting us.

Transactional emails (confirmations, invoices, security notices) are sent on the basis of contract performance and are not marketing — they cannot be opted out of while the account is active.

§ 17. Changes to this Policy

We will notify active Operators by email of any material change and post notice on the Service before changes take effect. Each version is dated; previous versions are available on request.

§ 18. Supervisory Authorities

You have the right under Article 77 GDPR to lodge a complaint with a competent data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

The primary supervisory authority for Mezantic as a Polish controller is:

President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych)
ul. Stawki 2, 00-193 Warsaw, Poland
Telephone: +48 22 531 03 00
Website: https://uodo.gov.pl
Electronic correspondence: kancelaria@uodo.gov.pl

Complaints in electronic form are submitted through the President's Electronic Inbox (Elektroniczna Skrzynka Podawcza). Complaints sent only by email to kancelaria@uodo.gov.pl may be left without consideration.

Users habitually resident in the United Kingdom may lodge a complaint with the Information Commissioner's Office (ICO) — Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom; https://ico.org.uk.

This does not affect your right to lodge a complaint with the supervisory authority in your own Member State. We encourage you to contact us first — we will do our best to resolve any concern promptly.

§ 19. Language and Governing Law

19.1. This is the authoritative English-language Privacy Policy of Mezantic, prepared as a standalone document for English-speaking users. A Polish-language version (Polityka prywatności Mezantic) is maintained in parallel and updated simultaneously. Neither version is a translation of the other with a "prevailing" disclaimer — each is the primary information notice for its intended audience in the meaning of Article 12 GDPR (transparent information).

19.2. This Policy is governed by Polish law, without prejudice to the mandatory data protection rights of individuals under the GDPR and applicable local law.

§ 20. Contact

Email: hello@mezantic.com
Post: ul. Gospodarcza 26, 20-213 Lublin

Thank you for using Mezantic.