Legal

Privacy policy

Personal-data processing rules at Murako architectural studio.

Data controller

The data controller is Marta Płocic, operating under the Murako brand, based in Rzeszów, Poland. For data-protection matters, contact: kontakt@murako.pl.

What we process and why

When you contact us via the form, we process the data you voluntarily provide:

  • name,
  • email address,
  • optional: phone, project location, budget range, project stage,
  • message body.

We use this data solely to handle your enquiry, respond to your message, and — if cooperation begins — deliver the design services you commission. Providing data is voluntary but required to submit the contact form.

Legal basis

  • Art. 6(1)(b) GDPR — steps taken prior to entering a contract, at the data subject's request.
  • Art. 6(1)(f) GDPR — legitimate interest of the controller in responding to enquiries.

Retention

Contact-form data is kept for up to 12 months after correspondence ends. If our exchange leads to a contract, data is retained for the duration of the engagement and afterwards for as long as required by law (in particular tax law) or as necessary to establish, exercise or defend legal claims.

Your rights

You have the right to:

  • access your data,
  • rectification,
  • erasure,
  • restriction of processing,
  • object to processing,
  • data portability.

To exercise these rights, contact us at kontakt@murako.pl. You may also lodge a complaint with the Polish Personal Data Protection Office (UODO, ul. Stawki 2, 00-193 Warsaw).

Automated decisions and profiling

We do not use your data for automated decision-making or profiling.

Analytics and performance

We use Vercel Web Analytics and Vercel Speed Insights to understand traffic and improve performance. Both run without cookies and without advertising identifiers. The data collected is limited technical data that does not directly identify visitors: visited page, referrer, approximate country-level location, device and browser type, and performance metrics (Core Web Vitals).

What we do not do: we do not use analytics or marketing cookies, do not build user profiles, do not fingerprint visitors for tracking purposes, do not track you across other sites, do not sell or share your data with third parties for advertising, and do not use Google Analytics, Meta Pixel or similar tools. Web fonts are served from our own server, not from Google Fonts.

Contact form and spam protection

The contact form is protected by Cloudflare Turnstile, provided by Cloudflare, Inc., to prevent spam and abuse. Cloudflare processes limited technical data — including your IP address and browser signals — for this purpose. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in form security). See Cloudflare's privacy policy for details.

Form messages are delivered through Resend, Inc., a transactional email service. Resend processes the message contents and sender address in order to handle and deliver them to our inbox. See Resend's privacy policy for details.

Cookies

The site uses only cookies strictly necessary for the contact form to work and for spam protection (e.g. Cloudflare Turnstile). These do not require consent under Art. 5(3) of the ePrivacy Directive (2002/58/EC) and Art. 173(3) of the Polish Telecommunications Act. We do not use analytics or marketing cookies.

Recipients

Your data may be processed by the following providers, only to the extent necessary to deliver the service:

  • Vercel, Inc. (USA) — site hosting and cookieless analytics,
  • Cloudflare, Inc. (USA) — contact-form protection (Turnstile),
  • Resend, Inc. (USA) — delivery of form messages,
  • Google Ireland Limited (Ireland, with transfers to Google LLC in the USA) — email hosting via Google Workspace.

We do not share data with third parties for advertising or other commercial purposes.

International data transfer

Some of the providers above (Vercel, Cloudflare, Resend, and Google for transfers to Google LLC) process data outside the EEA, in particular in the United States. Transfers rely on Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR) and, where applicable, on the European Commission's adequacy decision under the EU–US Data Privacy Framework if the provider is certified.