Privacy Policy

The controller of personal data processed in connection with the use of this website and the services provided by us is:

Henry Luxury Estates Spółka z ograniczoną odpowiedzialnością
Al. Jerozolimskie 133/2, 02-304 Warsaw, Poland
KRS: 0001224245 · NIP: 1133193984 · REGON: 544008990

Contact regarding personal data protection: info@henryestates.pl.

We process personal data for the following purposes and on the following legal bases:

• Performance of a contract (Art. 6(1)(b) GDPR) — provision of virtual office services, mail handling, invoicing, and operation of the Client Panel.
• Legal obligation (Art. 6(1)(c) GDPR) — fulfilment of obligations under tax law, accounting law, and the Polish Act of 1 March 2018 on counteracting money laundering and terrorist financing (AML).
• Legitimate interest (Art. 6(1)(f) GDPR) — handling inquiries, preventing abuse, asserting or defending claims, and improving our services.

We process the following categories of personal data:

• Identification data — first name, last name, ID document type and number.
• Contact data — email address, phone number.
• Contract data — company name, NIP/KRS number, country of seat, selected service package.
• Correspondence data — sender details and contents of mail handled under the virtual office service.
• Transaction data — order details and payment references (we do not store payment card numbers).

We share personal data only with parties to whom we are obliged to disclose it or who support the provision of our services:

• IT and hosting provider (Hetzner Online GmbH) — servers on which the application and data are stored.
• Payment processor (Stripe Inc.) — processing of payment transactions.
• Email service provider (Resend Inc.) — delivery of transactional emails.
• Public authorities — on request and within the scope required by applicable law.

We do not sell personal data to third parties.

We retain personal data for the duration of the virtual office service agreement and thereafter for the period required by applicable law:

• 5 years after termination of the contract — tax and accounting obligations (Polish Accounting Act).
• 5 years from the establishment of the business relationship — obligations under the Polish AML Act.

Data processed solely on the basis of legitimate interest is deleted promptly after that interest ceases or after an objection is upheld.

Under the GDPR you have the following rights:

• Right of access — to obtain information about the data processed and a copy of that data.
• Right to rectification — to correct inaccurate or complete incomplete data.
• Right to erasure — to request deletion of data in cases provided for by law.
• Right to restriction of processing — to limit operations on data in specific situations.
• Right to object — to object to processing based on legitimate interest.
• Right to data portability — to receive data in a structured, commonly used format.
• Right to lodge a complaint — with the President of the Polish Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw.

To exercise these rights, please contact: info@henryestates.pl. We respond within 30 days of receiving the request.

Some of our service providers, in particular Stripe Inc. (payment processor, United States), may process personal data outside the European Economic Area. Such transfers take place on the basis of Standard Contractual Clauses (SCC) approved by the European Commission, ensuring an adequate level of data protection.

We use cookies for the proper functioning of the website and for analysing its use. Detailed information about the cookies used, their categories, and how to manage them is available in our Cookie Policy.

The Controller applies technical and organisational measures appropriate to the risk, in particular:

• encryption of connections (HTTPS/TLS) and of data at rest on servers;
• password hashing using bcrypt — user passwords are not stored in plaintext and are never known to the Controller;
• role-based access control (RBAC) — access to client data is limited to authorised staff to the extent necessary for their duties;
• logging and monitoring of system activity;
• regular software updates and security reviews.

We do not store payment card numbers — full card data is handled by Stripe Inc. in accordance with the PCI DSS Level 1 standard.

The Controller does not take decisions in a fully automated manner that produce legal effects concerning you or similarly significantly affect you, within the meaning of Art. 22 GDPR.

During the order process, we apply an automated check of the declared citizenship and country of residence against EU sanctions lists and the requirements of the Polish AML Act. The result of this check may lead to a refusal to complete the order in the self-service flow; in such a case we always make a manual review available upon contacting info@henryestates.pl.

We do not carry out profiling for marketing or advertising purposes.

Personal data is provided to us directly by you — when placing an order, signing the agreement, using the Client Panel, and contacting our support. In the course of handling correspondence, we also process the personal data of senders of letters addressed to your registered address, to the extent indicated on the envelope or in the contents of the mail.

The Controller reserves the right to amend this privacy policy in the event of changes in legislation, changes in the scope of the services provided, or for other justified reasons. The current version of the privacy policy is always available on this page. The date of the last update is shown at the top of the document.