Data Protection
How Threading Clouds collects, processes, and protects your personal data in accordance with GDPR.
Overview
Thanks for your interest in THREADING CLOUDS and for visiting our website. Protecting and securing your personal data when using our website is very important to us. Therefore, we would like to inform you about the personal data we collect when you visit our website and for what purposes it is used.
This data protection declaration applies to the Internet offer of Threading Clouds Sp. z.o.o, found under the domain https://www.threadingclouds.com, and the various subdomains ("our website").
For more information about how Threading Clouds Sp. z.o.o processes your data; please contact us at dataprotection@threadingclouds.com
1. Who is responsible for processing your data?
Responsible for the processing of personal data within the meaning of the EU General Data Protection Regulation (GDPR):
Threading Clouds Sp. z o.o.
ul. Zygmunta Augusta, nr 5, lok. 2
31-504 Kraków, Poland
Email: dataprotection@threadingclouds.com
2. Personal Data
Personal data is information that can be attributed to an identified, or directly or indirectly identifiable, natural person. Personal data includes but is not limited to general personal master data (e.g. name, address, date of birth, telephone number, e-mail address), CVs, bank data, data issued by public authorities (e.g. driving licence number, ID card number, passport number), value judgements (e.g. school and job references), online data (IP address, date, time and duration of use, location data), customer data and supplier data.
Processing personal data (e.g. collection, retrieval, use, storage or transmission) always requires a legal basis and a defined purpose. Stored personal data will be deleted as soon as the purpose of the processing has been achieved, and there are no legitimate grounds for further storage. Irrespective of this, we store your personal data in individual cases for the assertion, exercise or defence of legal claims and in the event of statutory retention obligations.
2.1 Collection, Processing and Use of Your Personal Data
Data protection is critical to us. Therefore, when processing your personal data, we strictly adhere to the legal provisions of the European Data Protection Regulation (GDPR) and — where applicable — the other data protection laws in the European Economic Area (EEA) and Switzerland.
2.2 Description of the Groups of People Concerned
As a matter of principle, only the data necessary to fulfil the company's purpose and the contractual agreements are collected. Personal data is collected, processed and used for the following groups of persons:
- Customer data: Personal identification and communication data are processed to communicate with customers and conduct our respective business and thus fulfil the business purpose. Furthermore, for the initiation of business contacts and the information of customers.
- Supplier data: The processing of personal identification data, communication and performance data, economic and financial information, payment and bank details, and performance data is carried out to communicate with the supplier and carry out our respective business.
- Employee data: The processing of personal identification and performance data, contract master data, insurance data, downtime, payment and bank connection data, tax and social security data, log-in data, communication data, travel booking data and vehicle booking data is carried out for the implementation and processing of the respective employment relationship, fulfilment of legal obligations and in our legitimate corporate interest.
- Applicant data: The processing of personal identification data, performance data, payment and bank details, as well as travel booking data (when booked by Threading Clouds) is carried out for the initiation of employment relationships, fulfilment of legal obligations, and the further development of our internal systems.
- Interested Parties: The processing of personal identification data, communication data and, where applicable, economic and financial information is carried out to fulfil the business purpose.
- Competition Participants: The processing of personal identification data, communication data and qualification data of participants in competitions is based on the consent of the data subject in accordance with Art. 6(1)(a), 7 GDPR. The data will not be transmitted to third parties. The participant may object to processing at any time.
- Other personal data: The processing of personal data of other business partners (e.g. system partners, chambers, associations, banks and authorities) is carried out within the framework of the respective cooperation and to fulfil our business purpose.
3. Processing of Data When Visiting Our Website
If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR if special categories of data are processed. In the event of express consent to transferring personal data to third countries, data processing is also carried out on the basis of Art. 49(1)(a) GDPR. If your data is required for the performance of a contract or pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, if your data is required for the fulfilment of a legal obligation, we process it on the basis of Art. 6(1)(c) GDPR. Data processing may also be carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR.
3.1 Recipients or Categories of Recipients of Data
Threading Clouds is a technology company focused on cloud consultancy and services worldwide. We collect data to fulfil consulting and development activities at or for Threading Clouds' customers, affiliated companies, and all related ancillary businesses. This personal data will only be used for advertising/market research purposes if you have expressly given us your consent. As a matter of principle, only the data necessary for the fulfilment of the business purpose will be passed on. These are essentially the following recipients:
- Service providers used for the proper processing of business (e.g. providers for the website and marketing, suppliers supporting administrative processes, including travel service providers, insurance companies). The legal basis is Art. 28 GDPR in the case of order processing and Art. 88 GDPR to initiate or implement an employment relationship.
- External bodies for the fulfilment of the purposes mentioned under section 2 (e.g. customers or affiliated companies, credit institutions for salary payments, tax consultants and auditors). The legal basis is Art. 88 GDPR for establishing or implementing an employment relationship, or Art. 6(1)(f) GDPR for general operational obligations such as tax returns and auditing.
- Public authorities in the case of overriding legal provisions (e.g. social insurance institutions, financial authorities). The legal basis is Art. 6(1)(c) GDPR with the respective legal requirements, particularly labour and social law.
Furthermore, this personal data is processed to comply with statutory provisions and regulations, such as labour law, tax and social law, money laundering law and international sanctions regulations. The legal basis is Art. 6(1)(c) GDPR in conjunction with the respective provisions of national law.
3.2 Your Rights
Under the conditions of the GDPR, you have the following rights as a data subject:
- Right of access to the data stored about you (Art. 15 GDPR).
- Right to rectification of incorrect or incomplete data stored by us (Art. 16 GDPR).
- Right to erasure of data stored by us, insofar as the processing is not necessary for freedom of expression, the fulfilment of a legal obligation, reasons of public interest, or the assertion, exercise or defence of legal claims (Art. 17 GDPR).
- Right to restriction of processing, insofar as the accuracy of the data is disputed, the processing is unlawful, we no longer need the data, or you have objected to the processing under Art. 21 GDPR (Art. 18 GDPR).
- Right to data portability, insofar as you have provided personal data within the scope of consent or based on a contract, and this data was processed using automated procedures (Art. 20 GDPR).
- Right to object to processing of your personal data, insofar as this is carried out based on Art. 6(1)(e) or (f) GDPR and reasons for this arise from your particular situation, or the objection is directed against direct advertising (Art. 21 GDPR).
- Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR).
- Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence, place of work, or our company headquarters: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw.
Please contact us at dataprotection@threadingclouds.com if you wish to exercise these rights. If you want to request detailed information about all personal data that Threading Clouds holds about you, you must provide proof of identity.
3.3 Cookies
Cookies are small text files sent by us to the browser of your end device when you visit our website and stored there. Some functions of our website cannot be offered without cookies or local storage (technically necessary cookies). Other cookies enable us to carry out various analyses: to recognise the browser you are using when you revisit our website and transmit different information (non-essential cookies). With the help of cookies we can, among other things, make our website more user-friendly and effective for you by tracking your use and determining your preferred settings. Cookies do not cause any damage to your end device. They cannot execute programs or contain viruses.
Detailed information on the cookies used can be found in the cookie settings or the Consent Manager of this website.
3.4 Data Processing for the Provision of the Website
In the following, we inform you about the individual processing operations, the scope and purpose of the data processing, the legal basis, and the respective storage period. Automated decision-making in individual cases, including profiling, does not occur.
3.4.1 Nature and Extent of Processing
When you call up and use our website, we collect the personal data that your browser automatically transmits to our server. The following information is temporarily stored in a log file: IP address of the requesting computer; date and time of access; name and URL of the retrieved file; the website from which the access is made (referrer URL); browser used and, if applicable, the operating system of your computer and the name of your access provider.
3.4.2 Purpose and Legal Basis
The processing is carried out to protect our legitimate interest in displaying our website and guaranteeing security and stability, based on Art. 6(1)(f) GDPR. Data collection and storage in log files are necessary for the website's operation. Insofar as further storage of log files is required by law, the processing is carried out on the basis of Art. 6(1)(c) GDPR. There is no legal or contractual obligation to provide the data; however, calling up our website is not technically possible without transmitting it.
3.4.3 Storage Period
The data mentioned above is stored for the duration of the website display and for a maximum of 7 days for technical reasons.
3.5 Data Processing Within the Framework of the Contact Form
On our website, we offer you the opportunity to contact us via a contact form. The information collected via mandatory fields is required in order to process the request. You can voluntarily provide additional information you consider necessary for processing your enquiry.
3.5.1 Purpose and Legal Basis
The processing of your data through our contact form is carried out for communication and processing your enquiry based on your consent pursuant to Art. 6(1)(a) GDPR. Insofar as your enquiry relates to an existing contractual relationship, the processing is carried out to fulfil the contract on the basis of Art. 6(1)(b) GDPR. There is no legal or contractual obligation to provide your data, but processing your request is not possible without providing the mandatory fields.
3.5.2 Storage Period
Insofar as you use the contact form based on your consent, we store the data collected for each enquiry for a period of three years, starting with the completion of your enquiry or until you revoke your consent.
3.6 Data Processing Within the Framework of the Application Form
3.6.1 Purpose and Legal Basis
The processing of your data based on the use of the application form is carried out for the purpose of processing your application and deciding on the establishment of an employment relationship on the basis of applicable labour law. There is no legal or contractual obligation to provide your data, but it is not possible to process your application without providing the mandatory fields.
3.6.2 Storage Period
We store the data collected for the duration of the application process and, in the event of non-employment, for six months from the date of rejection.
If you give us your consent to include your data in our pool of applicants in order to offer you a suitable position at a later date, we will store this data for up to 24 months.
3.7 Data Processing Within the Framework of Google Analytics 4
We use Google Analytics 4 from Google Ireland Limited (property ID G-D5291N1DZE) as an analysis service for the statistical evaluation of our online offer. This includes the number of times our online offer is called up, sub-pages visited, and the length of time visitors stay. Google Analytics 4 uses cookies and other browser technologies to evaluate aggregated user behaviour. We have configured IP anonymisation (anonymize_ip) and disabled all advertising features (ad_storage, ad_user_data, ad_personalization remain denied at all times).
Google Analytics is loaded only after you grant consent through our consent manager. Google Consent Mode v2 is implemented site-wide with a default-deny posture: no Google Analytics requests are sent before consent is granted.
If you grant analytics consent, we may also record aggregate feature interactions such as opening the AI fit widget, copying its prompt, or selecting a third-party AI provider. These events are limited to the page path, provider name, and whether a best-effort prefilled provider URL was used. We do not record prompt text, clipboard contents, AI responses, visitor-entered answers, provider account identity, or full URLs with query strings.
3.7.1 Purpose and Legal Basis
The use of Google Analytics 4 is based on your consent pursuant to Art. 6(1)(a) GDPR. Where personal data is transferred to third countries outside the EEA (in particular the USA), and no adequacy decision of the European Commission exists, we rely on the standard contractual clauses of the EU Commission pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021. A copy is available at EUR-Lex.
3.7.2 Storage Period
The concrete storage period is determined by Google Ireland Limited. Further information can be found in the Google Privacy Policy.
3.8 Data Processing Within the Framework of Microsoft Clarity
We use Microsoft Clarity from Microsoft Ireland Operations Limited (project ID wxlogbc4k5) to understand how visitors interact with our website. Clarity captures aggregated session replays and heatmaps. By default, all input fields, email addresses, and personally identifying text are masked before leaving your browser. Clarity uses cookies and browser technologies to correlate sessions.
Microsoft Clarity is loaded only after you grant consent through our consent manager. No Clarity requests are sent before consent is granted.
3.8.1 Purpose and Legal Basis
The use of Microsoft Clarity is based on your consent pursuant to Art. 6(1)(a) GDPR.
3.8.2 Storage Period
The concrete storage period is determined by Microsoft Ireland Operations Limited. Further information can be found in the Microsoft Privacy Statement.
3.9 Data Processing Within the Framework of Cloudflare Web Analytics
We use Cloudflare Web Analytics, a privacy-first web analytics service from Cloudflare, Inc. for aggregated traffic statistics (page views, referrers, country-level geography). Cloudflare Web Analytics is cookieless: it does not set cookies, does not track individual visitors across sites, and does not use device fingerprinting. No personal data is processed.
3.9.1 Purpose and Legal Basis
The use of Cloudflare Web Analytics is based on our legitimate interest in understanding aggregated website usage pursuant to Art. 6(1)(f) GDPR. Because no personal data is processed and no cookies are set, no consent is required under Art. 5(3) of the ePrivacy Directive.
3.9.2 Storage Period
The concrete storage period is determined by Cloudflare, Inc. Further information can be found in the Cloudflare Privacy Policy and the Cloudflare Web Analytics privacy notice.
3.10 Data Processing Within the Framework of Google Fonts
We use Google Fonts from Google Ireland Limited to provide fonts (Inter typeface) for our online offer. To obtain these fonts, you establish a connection to the servers of Google Ireland Limited, whereby your IP address is transmitted.
3.10.1 Purpose and Legal Basis
The use of Google Fonts is based on our legitimate interest in consistent typographic presentation pursuant to Art. 6(1)(f) GDPR.
3.10.2 Storage Period
The concrete storage period is determined by Google Ireland Limited. Further information can be found in the Google Privacy Policy.
3.11 Data Processing Within the Framework of Google reCAPTCHA v3
We have integrated Google reCAPTCHA v3 on our contact form, a service of Google Ireland Limited that enables us to distinguish whether a contact request originates from a natural person or is automated. reCAPTCHA v3 issues a risk score for each form submission based on signals such as IP address, browsing time, and mouse/keyboard interactions. No challenge ("select all images") is shown. The token is verified server-side; submissions below the score threshold are rejected. The reCAPTCHA badge is visible at the bottom of pages where the form is present.
3.11.1 Purpose and Legal Basis
The use of Google reCAPTCHA is based on our legitimate interest in protecting our contact form from automated abuse pursuant to Art. 6(1)(f) GDPR.
3.11.2 Storage Period
The concrete storage period is determined by Google Ireland Limited. Further information can be found in the Google Privacy Policy.
3.12 Data Processing Within the Framework of AWS (Amazon Web Services)
We use AWS Amplify Hosting and AWS Lambda from Amazon Web Services EMEA SARL to host our website and to receive contact-form submissions. When you access our website or submit the contact form, you establish a connection to servers of AWS in the European Union, whereby your IP address and possibly browser data such as your user agent are transmitted. Contact-form submissions are processed by an AWS Lambda function which verifies the reCAPTCHA token, validates the inputs, and forwards the message to our CRM (Zoho — see section 3.13) and to contact@threadingclouds.com via Amazon SES.
3.12.1 Purpose and Legal Basis
The use of AWS for hosting is based on our legitimate interest in a secure and efficient provision of our online offer pursuant to Art. 6(1)(f) GDPR. The use of AWS Lambda + SES for contact-form processing is based on Art. 6(1)(a) GDPR (consent, through your submission of the form) and Art. 6(1)(b) GDPR where pre-contractual measures are involved.
3.12.2 Storage Period
The concrete storage period is determined by AWS. Further information can be found in the AWS Data Processing Addendum and the AWS GDPR Compliance Centre.
3.13 Data Processing Within the Framework of Zoho CRM
When you submit our contact form, the details you provide (name, email address, company, area of interest, and your message) are transmitted to Zoho CRM, a customer relationship management service operated by Zoho Corporation B.V. We use Zoho's European data centres (zohoapis.eu), so this data is stored and processed within the European Union. The lead record allows us to respond to and manage your enquiry.
3.13.1 Purpose and Legal Basis
The processing of your contact-form data in Zoho CRM is carried out for communication and managing your enquiry, based on your consent pursuant to Art. 6(1)(a) GDPR (through your submission of the form) and, where your enquiry relates to a contractual or pre-contractual matter, on the basis of Art. 6(1)(b) GDPR. A data processing agreement pursuant to Art. 28 GDPR is in place with Zoho.
3.13.2 Storage Period
We store the lead data for as long as necessary to process your enquiry and maintain our business relationship, after which it is deleted in line with our retention policy. Further information can be found in the Zoho Privacy Policy.
3.14 Cookie Consent Manager
We use vanilla-cookieconsent, a self-hosted open-source consent manager, to obtain and record your cookie preferences. Your choice is stored locally in your browser (cc_cookie) and is used to gate the loading of Google Analytics 4 and Microsoft Clarity. No data is transmitted to any third party by the consent manager itself. You can review or change your preferences at any time via the "Manage cookies" link in the footer.
3.14.1 Purpose and Legal Basis
The use of the consent manager is based on our legal obligation under Art. 7 GDPR and Art. 5(3) of the ePrivacy Directive to obtain valid consent before storing non-essential information on your device.
3.14.2 Storage Period
The cc_cookie preference is stored for six months, after which the banner is shown again.
4. How Do We Protect Your Personal Data?
We implement physical, technical and administrative security measures to protect your personal data from loss, misuse, unauthorised access, disclosure and alteration. These security measures include firewalls, data encryption, physical access restrictions to our data centres, and permission controls for access to data.
5. Changes to Our Data Protection Declaration
We reserve the right to adapt this data protection declaration to always comply with the current legal requirements or to implement changes in the data protection declaration, e.g. when introducing new services. The latest data protection statement will then apply to your next visit. Last updated: May 2026.