Privacy Policy
How we collect, use, and protect your personal data on the EU-INC Resource Hub
Effective date: 1 February 2026 · Last updated: 1 February 2026
1. Who We Are
The data controller responsible for your personal data is Destina Slawinska Growify (“Diluto”, “we”, “us”, or “our”), a sole proprietorship registered in Poland.
Data Controller
- Entity: Destina Slawinska Growify
- Address: ul. Grunwaldzka 23, 65-328 Zielona Gora, Poland
- Email: hello@diluto.eu
- Websites: diluto.eu / diluto.pl
- NIP: 9291789361
This Privacy Policy applies to the website diluto.eu (the “EU-INC Resource Hub” or “Site”), which provides informational content about the EU-INC framework, as well as an AI chat assistant and a newsletter subscription service.
Given the scale and nature of our processing activities, we have not appointed a Data Protection Officer pursuant to Article 37 of the GDPR. All data protection enquiries can be directed to us at hello@diluto.eu.
2. What Data We Collect
2.1 Newsletter Subscription Data
When you subscribe to the EU-INC newsletter, we collect:
- Email address (required)
- Full name (optional)
- Company name (optional)
- Country (optional)
- UTM parameters (source, medium, campaign) — collected automatically to understand how you found us
2.2 AI Chat Assistant Data
When you use the AI chat assistant on our Site, we collect:
- Conversation messages — the text of your questions and the assistant's responses
- Session identifier — a randomly generated ID to group messages within a single conversation
- Topics discussed — categorised metadata about the subjects raised in the conversation
We do not require you to identify yourself to use the chat assistant. Please do not include personal data (such as your name, email, or company details) in your chat messages unless you choose to do so voluntarily.
2.3 Analytics and Technical Data
When you visit the Site, we automatically collect:
- Page views and events — which pages you visit and how you interact with the Site
- Device information — browser type, operating system, screen resolution
- IP address — anonymised or truncated before storage where technically feasible
- Referral source — how you arrived at the Site
3. How We Use Your Data
We process your personal data for the following purposes:
- Delivering the EU-INC newsletter — sending you monthly email updates about the EU-INC framework, including regulatory developments, analysis, and practical guidance.
- Providing the AI chat assistant — processing your questions through an AI model to generate relevant answers about the EU-INC framework.
- Improving our services — analysing aggregate usage patterns, popular questions, and Site performance to improve the quality of our content and tools.
- Website analytics — understanding how visitors use the Site so that we can optimise the user experience.
- Sending confirmation and transactional emails — confirming your newsletter subscription and processing unsubscribe requests.
- Ensuring security and preventing abuse — monitoring for fraudulent activity, rate limiting, and protecting the integrity of our services.
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
4. Legal Basis for Processing
We process your personal data on the following legal grounds under the General Data Protection Regulation (EU) 2016/679 (“GDPR”):
Consent (Article 6(1)(a) GDPR)
- Newsletter subscription — you actively opt in by submitting the subscription form
- Non-essential cookies and analytics tracking (where consent is required)
You may withdraw your consent at any time by clicking the “Unsubscribe” link in any newsletter email or by contacting us at hello@diluto.eu.
Legitimate Interest (Article 6(1)(f) GDPR)
- Providing the AI chat assistant — our legitimate interest in offering a useful informational tool about EU-INC
- Website analytics — our legitimate interest in understanding Site usage and improving our services
- Security and abuse prevention — our legitimate interest in protecting the Site and its users
We have conducted a balancing test for each legitimate interest and determined that our interests do not override your fundamental rights and freedoms, particularly given the limited nature of the data processed.
Legal Obligation (Article 6(1)(c) GDPR)
- Retaining records required by applicable tax, accounting, or electronic services legislation
- Responding to lawful requests from public authorities
5. Data Processors & Third Parties
We share your personal data only with trusted service providers (“data processors”) who process data on our behalf, under written data processing agreements that comply with Article 28 of the GDPR. We do not sell or share your data with third parties for their own independent purposes.
Supabase Inc.
- Purpose: Database hosting and backend services — stores newsletter subscriber data and chat conversation records
- Data location: European Union (EU region)
- Safeguards: DPA in place, SOC 2 Type II, ISO 27001 certified
OpenAI, L.L.C.
- Purpose: AI language model (GPT-4o-mini) — processes chat messages to generate responses about the EU-INC framework
- Data location: United States (see Section 9 on international transfers)
- Safeguards: DPA in place, SOC 2 Type II certified, zero data retention API policy enabled (chat messages are not used to train models)
Vercel Inc.
- Purpose: Website hosting and edge delivery
- Data location: European Union (fra1 region)
- Safeguards: DPA in place, SOC 2 certified, GDPR-compliant
OVHcloud SAS
- Purpose: SMTP email delivery — sends newsletter confirmation and transactional emails
- Data location: European Union
- Safeguards: DPA in place, ISO 27001 certified, headquartered in France
PostHog Inc.
- Purpose: Product analytics — tracks page views, events, and user interactions
- Data location: European Union (EU cloud instance)
- Safeguards: DPA in place, SOC 2 Type II certified
Google LLC (Google Analytics 4)
- Purpose: Website analytics — measures traffic, user behaviour, and acquisition channels
- Data location: European Union / United States (see Section 9 on international transfers)
- Safeguards: DPA in place, IP anonymisation enabled, data retention set to the minimum period
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. The specific retention periods are:
| Data Category | Retention Period |
|---|---|
| Newsletter subscriber data | Until you unsubscribe, plus up to 30 days for processing the deletion request. If there is no engagement for 24 months, we will ask you to re-confirm your subscription. |
| Chat conversation messages | 90 days from the date of the conversation, then automatically deleted or anonymised for aggregate analytics. |
| Analytics data (PostHog / GA4) | Up to 14 months from the date of collection (GA4 default minimum retention), or 24 months for PostHog. |
| Server logs and security data | Up to 12 months from the date of the event. |
| Consent and unsubscribe records | 3 years from the date of consent or withdrawal, for compliance and audit purposes. |
After the applicable retention period expires, your data is securely deleted or irreversibly anonymised.
7. Your Rights Under GDPR
Under the GDPR, you have the following rights with respect to your personal data. You may exercise any of these rights free of charge by contacting us at hello@diluto.eu.
- Right of access (Article 15) — You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of that data along with information about the processing.
- Right to rectification (Article 16) — You have the right to request that we correct any inaccurate personal data and complete any incomplete data.
- Right to erasure (Article 17) — You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where there is no other legal basis for the processing.
- Right to restriction of processing (Article 18) — You have the right to request that we restrict the processing of your data in certain circumstances, for example while we verify the accuracy of your data.
- Right to data portability (Article 20) — You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
- Right to object (Article 21) — You have the right to object to processing based on our legitimate interests. Where you object to processing for direct marketing purposes, we will cease processing without delay.
- Right to withdraw consent (Article 7(3)) — Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority. The competent authority in Poland is the President of the Personal Data Protection Office (Prezes Urzedu Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warszawa, Poland; uodo.gov.pl. You may also lodge a complaint with the supervisory authority of your habitual residence or place of work within the EU/EEA.
How to exercise your rights
Send an email to hello@diluto.eu with the subject line “GDPR Request”. We will respond within one month of receipt. In exceptional cases (complex or numerous requests), this period may be extended by two further months, in which case we will inform you of the extension and the reasons for the delay.
8. Cookies & Tracking Technologies
The Site uses cookies and similar technologies to operate, to analyse traffic, and to remember your preferences. The categories of cookies we use are:
Strictly Necessary Cookies
Essential for the Site to function (e.g., session tokens, security cookies, cookie consent preferences). These cannot be disabled. Legal basis: legitimate interest.
Analytics Cookies
Used by PostHog and Google Analytics (GA4) to collect anonymised information about how visitors use the Site, including pages visited, time on page, and referral sources. Legal basis: consent (where required by applicable law) or legitimate interest.
Functional Cookies
Used to remember your choices (e.g., whether you have dismissed a banner, chat session state). Legal basis: legitimate interest.
We do not use marketing or advertising cookies on diluto.eu. You can manage cookies through your browser settings. Blocking strictly necessary cookies may affect the functionality of the Site.
9. International Data Transfers
We strive to keep your data within the European Economic Area (EEA). The majority of our data processors store and process data on servers located in the EU (Supabase EU, Vercel fra1, OVH France, PostHog EU).
However, some of our processors are based in the United States:
- OpenAI — Chat messages are sent to OpenAI's API for processing. The transfer is protected by the EU-U.S. Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) included in our DPA with OpenAI.
- Google (Google Analytics) — Analytics data may be processed in the United States. The transfer is protected by the EU-U.S. Data Privacy Framework and Google's commitments to GDPR compliance, including IP anonymisation.
Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including adequacy decisions, Standard Contractual Clauses, and certification under the EU-U.S. Data Privacy Framework.
10. Children's Privacy
The EU-INC Resource Hub is designed for professionals, founders, and individuals interested in European corporate law. It is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16.
If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at hello@diluto.eu and we will promptly delete the data.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the services we offer. When we make material changes, we will:
- Update the “Last updated” date at the top of this page.
- Notify newsletter subscribers by email if the changes materially affect how we process their data.
- Post a prominent notice on the Site for at least 30 days.
We encourage you to review this page periodically. Your continued use of the Site after any changes constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or your personal data, or wish to exercise your rights under the GDPR, please contact us:
General & Data Protection Enquiries
- Email: hello@diluto.eu
- Address: ul. Grunwaldzka 23, 65-328 Zielona Gora, Poland
Supervisory Authority
- UODO (Poland)
- ul. Stawki 2, 00-193 Warszawa
- Web: uodo.gov.pl
We aim to respond to all data protection enquiries within 5 business days. GDPR rights requests will be fulfilled within one month of receipt.
Data Protection Commitment
This Privacy Policy has been prepared in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation) and applicable Polish data protection law. We are committed to processing your personal data lawfully, fairly, and transparently, and to upholding the principles of purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality.
Version 1.0 · Effective: 1 February 2026 · GDPR compliant