ModesticCRM

Privacy Policy

Last updated 17 April 2026. English version. Polish summary at modestic.pl/polityka-prywatnosci.

1. Who we are

This policy describes how Modestic Krystyna Zaitseva (hereafter “Modestic”, “we”, “us”), the data controller, processes personal data through the Modestic CRM application (“mCRM”, hereafter “the App”).

Legal name: Modestic Krystyna Zaitseva
Address: ul. I Poprzeczna 7b, Warszawa, Poland
NIP: 8133873866
REGON: 521112715
Contact: info@modestic.pl

2. Scope of this policy

mCRM is an internal business tool. It is not offered to third parties and has no public sign-up. It is used exclusively by Modestic staff to manage customer conversations that arrive through Facebook Messenger, Instagram Direct Messages, and WhatsApp. This policy covers data processed inside that tool.

For our website, marketing, and general company practices, see the primary policy at modestic.pl/polityka-prywatnosci.

3. What data we store

We store only what is needed to respond to inbound customer conversations and maintain continuity across messages:

  • Display name and profile picture as provided by Meta platforms
  • Channel-specific identifiers (Facebook PSID, Instagram user id, WhatsApp phone number)
  • Optional fields added by our operators (phone number, email address) captured during the conversation
  • The text and attachments of messages you send us, and of our replies
  • Internal notes and lead information our operators create to serve you better (interest in a product, offer status, follow-up tasks)

We do not collect cookies, tracking identifiers, or analytics data through mCRM. Operators authenticate with email and password; their credentials are stored by Supabase and are not exposed to third parties.

4. Where the data comes from

Data is collected when you voluntarily message the Modestic page or account on Facebook Messenger, Instagram, or WhatsApp. It arrives in mCRM through Meta’s Graph API webhooks. We do not purchase contact lists, scrape data, or collect information from any third party.

5. Legal basis for processing (GDPR)

We process personal data under the General Data Protection Regulation (EU) 2016/679:

  • Art. 6(1)(b) — performance of a contract: replying to your inquiry, preparing offers, and providing the service you asked about.
  • Art. 6(1)(f) — legitimate interest: keeping a record of our communication for customer service quality and dispute resolution.
  • Art. 6(1)(c) — legal obligation, where applicable (tax and accounting records of completed transactions).

6. How long we keep it

Conversation data is retained while you remain an active customer or for up to 3 years from the last interaction, whichever is shorter. Data required by law for accounting purposes is retained for the period the law requires (typically 5 years in Poland). You can request earlier deletion at any time (see §8).

7. Who has access

Inside mCRM, access is limited to authenticated Modestic staff. Data is stored in a Supabase project on managed infrastructure (PostgreSQL, encrypted at rest, TLS in transit). Our two sub-processors are Supabase Inc. (database and authentication) and Vercel Inc. (hosting). We do not share data with advertising networks, data brokers, or any other third party.

Meta Platforms Ireland Limited processes the messages themselves on their platforms; their privacy terms apply to that segment.

8. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Request deletion (“right to be forgotten”)
  • Restrict or object to processing
  • Receive your data in a portable format
  • Withdraw consent where processing is based on consent

Exercise any of these by emailing info@modestic.pl. We respond within 30 days.

If you believe your rights have been violated, you can lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa.

9. Deletion via Meta

If you revoke the Modestic app’s access from your Facebook, Instagram, or WhatsApp settings, Meta will notify us and we will delete all data we hold for you automatically. You may also visit our deletion status page after initiating a revocation.

10. Security

Data is protected by authentication on all operator entry points, encryption in transit (HTTPS) and at rest, and platform-level isolation. Access tokens for Meta platforms are stored in server environment configuration, never in browser storage. Service role keys are scoped to server-side use only.

11. Changes to this policy

We may update this policy to reflect operational or legal changes. The “Last updated” date at the top of this page always shows the most recent revision.