Privacy Policy
March 2026
1. Data controller
The data controller for personal data processed through this website and our services is Zofia Żak, operating under the brand names "ROI and Shine" and "People & Shine".
Warsaw, Poland
Email: contact@roiandshine.com
2. What data we collect
2.1 Contact data
When you book a consultation or submit a contact form, we collect: your name, email address, company name, job title, and optionally your phone number. This data is provided directly by you.
2.2 Company workforce data
As part of the pay gap analysis service, you provide us with anonymized employee compensation data. This typically includes: job titles or grades, departments, gender markers, base salary, variable compensation, seniority, location, and working time. This data must be anonymized before submission — we do not require or accept data that directly identifies individual employees by name.
2.3 Website usage data
When you visit our website, we automatically collect: your IP address (anonymized), browser type and version, pages visited, time spent on each page, referring website, and device type. This data is collected through cookies and analytics tools operating on our servers.
3. How we use your data
We process your data for the following purposes:
- Delivering the pay gap analysis service you have requested
- Communicating with you about your engagement, including scheduling consultations and sharing deliverables
- Responding to your inquiries submitted through the contact form or email
- Analyzing website usage to improve the site’s functionality and content
- Complying with legal and regulatory obligations
Legal basis under GDPR (Article 6)
- Performance of a contract (Art. 6(1)(b)) — processing necessary to deliver the consulting service you have engaged
- Legitimate interest (Art. 6(1)(f)) — website analytics and service improvement, where our interest does not override your rights
- Consent (Art. 6(1)(a)) — marketing communications, only if you have explicitly opted in
- Legal obligation (Art. 6(1)(c)) — where processing is required by law (e.g., tax and accounting records)
4. Workforce data — special provisions
The anonymized employee compensation data you provide for pay gap analysis is subject to additional safeguards:
- It is processed exclusively for the purpose stated in your service agreement — pay gap analysis and report generation
- It is stored on encrypted servers located within the European Union
- It is never shared with third parties, advertisers, or any entity outside the service engagement
- It is accessible only to the analyst assigned to your engagement
- It is retained for the duration of the engagement plus 12 months for follow-up reporting, unless you request earlier deletion
- It is permanently deleted after the retention period, with written confirmation provided upon request
We act as a data processor for workforce data you provide. A Data Processing Agreement (DPA) is executed as part of every service engagement before any data is transferred.
5. Data sharing
We do not sell, rent, or trade your personal data.
We use the following service providers to operate our website and services:
- Hosting: Vercel Inc. — website hosting and deployment. Servers located in the EU (Frankfurt region). Data processed: website traffic data.
- Analytics: Google Analytics — anonymized website usage statistics. IP anonymization is enabled. No personally identifiable information is transmitted.
- Scheduling: Calendly — consultation booking. Data processed: your name, email, and selected time slot.
- Email: Google Workspace — communication with clients. Data processed: email content and attachments.
All service providers are bound by data processing agreements and comply with GDPR requirements. We have verified that each provider offers adequate safeguards for data transferred outside the EU, where applicable.
6. Data retention
- Contact data (name, email, company): retained for 24 months after last interaction. Deleted upon request or after the retention period.
- Workforce analysis data (anonymized compensation data, reports): retained for the duration of the engagement plus 12 months. Permanently deleted after that period, or earlier upon your written request.
- Website analytics data: anonymized and aggregated, retained for 26 months. This data cannot be used to identify individual users.
- Invoicing and accounting records: retained for 5 years as required by Polish tax law.
7. Your rights
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your data (“right to be forgotten”), subject to legal retention requirements
- Right to restriction — request that we limit how we process your data
- Right to data portability — request your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — withdraw any previously given consent at any time, without affecting the lawfulness of processing before withdrawal
To exercise any of these rights, contact us at: contact@roiandshine.com
We will respond within 30 days. If we need additional time due to the complexity of your request, we will inform you within the initial 30-day period.
8. Cookies
We use cookies on this website. For a detailed list of cookies, their purposes, and how to manage them, please see our Cookie Policy.
9. Data security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls limiting data access to authorized personnel only
- Regular review of security practices and service provider agreements
- Secure deletion procedures for data past its retention period
10. International data transfers
Our primary hosting and data processing takes place within the European Union. Where data is transferred to providers located outside the EU (e.g., certain Google services), such transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards under GDPR Chapter V.
11. Children’s data
Our services are directed at businesses and their representatives. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have collected data from a minor, we will delete it immediately.
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. The current version is always available at this page. The “Last updated” date at the top indicates the most recent revision.
For material changes affecting active clients, we will provide direct notification via email at least 14 days before the changes take effect.
13. Contact and complaints
For any questions regarding this Privacy Policy or your personal data:
Email: contact@roiandshine.com
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority:
Prezes Urzędu Ochrony Danych Osobowych (PUODO)
ul. Stawki 2, 00-193 Warszawa, Polska