typeofmd

Privacy Policy

Short version: I collect the minimum needed to reply to you, never sell anything, and delete data when you ask.

Last updated: April 20, 2026

What data I collect

I try to keep the surface area small. The categories below cover everything that touches typeofmd.com.

  • Contact form submissions: name, company, email, engagement type, budget range, and the message you send.
  • Email correspondence you initiate or continue with me at typeofmd [at] pm [dot] me.
  • Anonymized server logs (IP, user agent, requested path) retained for 30 days for operational and security reasons.
  • No marketing cookies, no ad trackers, no cross-site profiling.

Why I collect it

Processing is grounded in the legal bases set out in Article 6(1) of the GDPR:

  • Art. 6(1)(b) — performance of a contract, or taking steps at your request before entering into one.
  • Art. 6(1)(f) — legitimate interest in responding to business inquiries and running a sustainable consultancy.
  • Art. 6(1)(c) — legal obligations, including accounting records retained in line with Polish tax law.

How long I keep it

  • Unanswered inquiries: 12 months, then deleted.
  • Active engagement correspondence: duration of the contract plus 5 years, as required by Polish tax law.
  • Server logs: 30 days.

Who I share it with

The list of processors and recipients is intentionally short.

  • Email provider hosting typeofmd.com mailboxes.
  • Accountant, strictly for invoicing and tax compliance.
  • Polish tax authority, when legally required.
  • No third-country transfers, except EU to US transfers via the email provider, carried out under Standard Contractual Clauses.

Your rights

Under the GDPR you have the right of access, rectification, erasure, restriction of processing, data portability, and objection. You may also lodge a complaint with UODO, the Polish Data Protection Authority.

I respond to rights requests within 30 days. Email typeofmd [at] pm [dot] me and I will confirm receipt.

Security

TLS is enforced everywhere, two-factor authentication is enabled on every account that touches client data, device storage is encrypted, and access follows a least-privilege model.

Changes

Material changes to this policy will be announced on this page along with an updated “Last updated” date. Minor editorial fixes will not trigger a new notice.