How I handle your data.
Short version: I keep what you give me, use it only to help you, never sell it, and delete it when it's no longer useful. The long version below explains exactly how.
1. Who I am
I'm Paulo Adrega Brás, operating as PAULO ADREGA BRÁS Consulting (trading as PABC Consulting). I run a sole proprietorship registered in Poland (CEIDG / jednoosobowa działalność gospodarcza).
For data protection purposes, I'm the data controller (administrator danych osobowych) for any personal data you submit through pabcconsulting.com.
Name: PAULO ADREGA BRÁS Consulting
NIP: 5242876773
REGON: 381799982
Address: ul. Warszawska 116G, 05-123 Olszewnica Stara, Poland
2. What I collect, and why
If you fill in the contact form
I collect: your name, email, optionally your company, optionally how you heard about me, and whatever you write in the message field. I use this to read what you're asking and reply to you. That's the only purpose.
If you subscribe to Insights
I collect: your email. I use it to send you a notification when there's a new piece of writing on the site. That's it. There's no newsletter, no drip sequence, no automated marketing funnel.
If you complete the Hiring Operations Diagnostic
I collect: your answers to the 14 questions, your computed scores and quadrant result, your email (only at the end). I use this to send you a personalized report and, if relevant, to understand patterns across responses so I can make the diagnostic more useful.
About analytics
I use Google Analytics 4 (GA4) to understand which pages get visited and where visitors come from. GA4 only loads after you click "Accept analytics" on the cookie banner. If you decline (or ignore the banner), no GA4 cookies are set and no data is sent to Google from your visit. GA4 is configured with IP anonymization, no advertising features, no profile-building, and no data shared beyond Google itself. See the cookies page for the specific cookies, durations, and how to revoke consent.
What I don't collect
No tracking pixels from social platforms, no third-party advertising cookies, no behavioral profiling, no cross-site tracking. No marketing-automation tools quietly tracking you across the web.
3. Legal basis for processing (GDPR)
Under the GDPR, I need a legal basis to handle your data. Here's what applies:
- Consent (Art. 6(1)(a)) — when you tick the consent checkbox on the contact, subscribe, or diagnostic forms, you give me permission to use your data for the purposes listed above. You can withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)) — limited and obvious: replying to your message, sending you what you asked for (e.g. your diagnostic report). You can object at any time.
- Legal obligation (Art. 6(1)(c)) — if we ever sign a contract, I'm required by Polish tax law to keep invoices and related records for 5 years. That's the only situation where I'm legally required to retain data longer than I'd want to.
4. How long I keep your data
Contact form submissions and diagnostic responses: 24 months from your last contact with me. If you reach out, go quiet, then come back within 24 months, I still have context. After 24 months of no engagement, I delete the data.
Subscribers to Insights: until you unsubscribe, then deleted within 30 days.
Contracts and invoices: 5 years from end of the fiscal year in which the contract was completed, as required by Polish tax law (Ordynacja podatkowa).
Email correspondence: as long as the conversation is active, then archived for up to 24 months, then deleted.
5. Who I share your data with
I share your data with a small number of service providers needed to operate the business. They process data on my behalf, under contract, and are themselves GDPR-compliant. None of them sell or further share your data.
- Email delivery providers — to send outgoing emails from the site (form notifications, confirmations, replies). Headquartered in the US, certified under the EU-US Data Privacy Framework.
- Cloud infrastructure providers — to host this website, route email, and handle network security. Headquartered in the US, certified under the EU-US Data Privacy Framework.
- Document storage providers — to store working notes and form submissions in spreadsheets I work from. Headquartered in the US, certified under the EU-US Data Privacy Framework.
I do not share your data with advertisers, data brokers, marketing platforms, or anyone else. There are no advertising partners. Ever.
For operational security reasons, I don't publicly list the specific vendor names. If you want to know exactly who processes your data, email privacy@pabcconsulting.com and I'll tell you directly. You have the right to ask under GDPR Art. 15.
If a tax authority or court legally compels me to share data, I will, but only what's specifically required.
6. Your rights under GDPR
You have the following rights, and I will respect them within 30 days of your request:
- Access — ask me what data I hold about you, and I'll send you a copy.
- Correction — if anything is wrong, tell me and I'll fix it.
- Deletion ("right to be forgotten") — ask me to delete your data and I will, unless I'm legally required to keep it.
- Restriction — ask me to stop using your data while keeping it on file.
- Portability — ask for your data in a structured format (JSON, CSV) so you can take it elsewhere.
- Objection — object to my processing your data on legitimate interest grounds.
- Withdraw consent — at any time, no questions asked.
- Complaint — file a complaint with the Polish data protection authority (Prezes Urzędu Ochrony Danych Osobowych, uodo.gov.pl) if you think I'm mishandling your data.
To exercise any of these rights, email privacy@pabcconsulting.com. Plain English is fine. You don't need a formal letter.
7. International data transfers
Some of my service providers are based in the United States. Your data may be transferred there for processing. All of these providers are certified under the EU-US Data Privacy Framework, which the European Commission has determined provides an adequate level of protection.
8. Security
I take reasonable steps to protect your data: encrypted transmission (HTTPS everywhere), encrypted storage where the service provider supports it, no laptops without disk encryption, no unnecessary access from third parties. That said, no system is perfectly secure. If something does go wrong (a breach), I'll tell you and the Polish data protection authority within 72 hours.
9. Children
This site isn't aimed at people under 16. I don't knowingly collect data from minors. If you think I have, email privacy@pabcconsulting.com and I'll delete it.
10. Changes to this policy
If I update this policy, I'll change the "Effective" date at the top and, for significant changes, notify subscribers by email. The current version is always at pabcconsulting.com/privacy.
11. Contact
For anything related to your data, your privacy, or this policy:
Email: privacy@pabcconsulting.com
Postal: ul. Warszawska 116G, 05-123 Olszewnica Stara, Poland