Privacy Policy

§ 01 — Scope

Privacy Policy

This policy describes how personal data submitted through drgladysz.com is collected, used, retained and protected. It is drafted to comply simultaneously with Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR) — including the special-category-data provisions of Article 9, the New Zealand Privacy Act 2020 and the Health Information Privacy Code 2020 (HIPC 2020) issued under it. The Polish term Rozporządzenie Ogólne o Ochronie Danych Osobowych (RODO) is used in the Polish version of this document and refers to the same instrument.

§ 02 — Controller

Who we are

The data controller for this website is Mateusz Gładysz, MD, FEBOPRAS, FEBHS, contactable at mateusz@drgladysz.com. Postal correspondence may be directed care of the Okręgowa Izba Lekarska w Warszawie, ul. Puławska 18, 02-512 Warszawa, Poland.

No Data Protection Officer (DPO) has been appointed. Article 37(1)(c) GDPR makes appointment compulsory only where a controller’s core activities consist of large-scale processing of special categories of data. The processing carried out through this website is limited to occasional inbound enquiries from a small number of identifiable individuals — it does not meet the “large scale” threshold articulated in Working Party 29 Guidelines on DPOs (WP243 rev.01) and adopted by the European Data Protection Board. The position will be reassessed once Polish clinical practice is operational and patient records are processed in volume.

§ 03 — Article 27 GDPR analysis

EU representative

Article 27 GDPR requires controllers established outside the Union to designate, in writing, a representative within the Union when offering goods or services to data subjects in the Union or monitoring their behaviour in the Union. The obligation does not apply where processing is occasional, does not include large-scale processing of special-category data, and is unlikely to result in a risk to the rights and freedoms of natural persons.

The controller is currently established in New Zealand. Processing through this website is limited to (i) cookie-free aggregate analytics and (ii) occasional inbound contact-form messages, which may incidentally contain health information. The volume is low, the population reached is small, the processing is not systematic monitoring, and no special-category data is processed at scale. On the basis of European Data Protection Board guidance and the conditions in Article 27(2)(a), the controller has assessed that the occasional-processing exemption applies and has therefore not appointed an Article 27 representative. This position is documented and will be re-examined as soon as the volume or nature of processing changes — in particular, before activation of Polish practice — and a representative will be appointed at that point if then required.

§ 04 — Data collected

What data we collect

The website itself does not require user accounts. Personal data may reach the controller through the following routes only.

Contact form and direct email. When a message is sent through the form on the contact page or directly to mateusz@drgladysz.com, the controller receives the information you choose to provide — typically a name, an email address, and the content of the message. Where you elect to describe a clinical concern, this content may include health information within the meaning of Article 9 GDPR and the HIPC 2020. You are not asked to do so and are advised, in the contact form interface itself, to share only the minimum information needed to triage your enquiry.

Aggregate audience measurement. The site uses Plausible Analytics, hosted in Germany by Plausible Insights OÜ. Plausible is cookie-free, does not use any persistent identifier, does not generate or store any data that constitutes personal data within the meaning of GDPR Article 4(1) on a per-visitor basis, and produces only aggregated counts (page views, referrers, country at country level, browser, screen size). Because the service is cookie-free and produces no personal data, no consent banner is required under Article 5(3) of the ePrivacy Directive (2002/58/EC) as implemented by the Polish Prawo telekomunikacyjne and successor Prawo komunikacji elektronicznej.

Server log data. The hosting provider records standard access logs (IP address, request path, timestamp, response code) for the limited time required to operate and secure the service.

Fonts and assets. The Plex typeface family is served as woff2 files from /public/fonts/ on the same origin as the site. No third-party font CDN is used; no font request leaves the site’s own infrastructure.

§ 05 — Purposes and legal bases

Why we collect it and on what basis

| Purpose | Legal basis (GDPR) | NZ Privacy Act / HIPC anchor |
|---|---|---|
| Responding to enquiries received via contact form or email | Art. 6(1)(b) — steps prior to entering into a contract at the data subject’s request; and Art. 6(1)(f) — legitimate interest in professional correspondence | IPP 1, IPP 3, IPP 10; HIPC Rule 1 and Rule 10 |
| Processing of any health information voluntarily submitted in such an enquiry | Art. 9(2)(a) — explicit consent inferred from the act of voluntarily disclosing the information for the purpose of obtaining a professional opinion or appointment; and, where applicable, Art. 9(2)(h) — provision of healthcare | HIPC Rules 1, 10 and 11 |
| Operation, security and integrity of the site | Art. 6(1)(f) — legitimate interest | IPP 5 |
| Aggregate audience measurement (cookie-free) | Art. 6(1)(f) — legitimate interest in understanding aggregate, non-identifying use | IPP 1 |
| Compliance with professional, tax and regulatory obligations | Art. 6(1)(c) — legal obligation | IPP 11 |

Where Article 9(2)(a) applies, consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.

§ 06 — Recipients and processors

Who we share data with

Data submitted through the site is not sold and is not used for advertising. The controller relies on the following processors, each engaged under a written agreement compliant with GDPR Article 28 and, where applicable, Standard Contractual Clauses for international transfers.

  • Vercel Inc. — hosting and edge delivery; EU edge regions used for delivery.
  • Sanity.io (Sanity AS, Oslo, Norway) — content management system. The CMS does not currently store user-submitted personal data; the structure permits this in future and the policy will be updated if it changes.
  • Resend, Inc. — transactional email delivery for messages dispatched from the site (Astro API route). The body of any contact-form submission transits this service in order to reach the controller’s mailbox.
  • Plausible Insights OÜ — cookie-free analytics, processed in Germany.
  • Mailbox provider — the controller’s professional email is hosted with a mailstore provider; correspondence held there is subject to that provider’s security and retention controls.

Disclosures to public authorities (regulatory, tax, judicial) are made only where required by law in New Zealand or Poland.

§ 07 — International transfers

Cross-border data transfers

The controller is currently in New Zealand. New Zealand has held an adequacy decision from the European Commission since 19 December 2012 (Commission Decision 2013/65/EU), reaffirmed in the Commission’s first adequacy review and not withdrawn. Transfers from the European Economic Area to the New Zealand controller therefore proceed on the basis of that adequacy decision. Transfers from New Zealand to Polish data subjects fall under the New Zealand Privacy Act 2020 IPP 12, which is satisfied by the destination’s status as an EU Member State subject to GDPR.

Where processors are established in third countries without adequacy (notably Vercel and Resend in the United States), the controller relies on Module 2 or 3 of the European Commission’s 2021 Standard Contractual Clauses, supplemented by the additional safeguards required by EDPB Recommendations 01/2020 in light of Schrems II. To the extent that the processor self-certifies under the EU–US Data Privacy Framework, that mechanism is also relied upon.

§ 08 — Retention

How long we keep it

| Category | Retention |
|---|---|
| Contact-form submissions and email correspondence with no clinical follow-up | Up to 24 months from last contact, then deleted |
| Correspondence forming part of a clinical or pre-contractual record | Retained for the period required by applicable medical-records and tax law — in Poland, 20 years from last entry under Article 29 of the Ustawa o prawach pacjenta i Rzeczniku Praw Pacjenta; in New Zealand, 10 years under the Health (Retention of Health Information) Regulations 1996 |
| Aggregate analytics (Plausible) | Retained per Plausible’s published policy; aggregated and non-identifying |
| Server access logs | Up to 30 days, then rotated and deleted |

§ 09 — Your rights

Your rights

Under GDPR Articles 15–22 you have the right to request access to your data, rectification of inaccurate data, erasure, restriction of processing, data portability, and to object to processing carried out on the basis of legitimate interest. Where processing relies on consent (including Article 9(2)(a) consent for health data), you may withdraw that consent at any time.

Under the New Zealand Privacy Act 2020, IPP 6 gives you the right to confirm whether the controller holds personal information about you and to access it; IPP 7 gives you the right to request correction. Equivalent rights for health information are set out in HIPC Rules 6 and 7.

Requests are addressed to mateusz@drgladysz.com and are answered without undue delay and in any event within one month of receipt (GDPR Article 12(3)) or twenty working days (Privacy Act 2020 s. 40), whichever is shorter for the relevant request.

§ 10 — Cookies

Cookies and tracking

This site sets no cookies. Plausible Analytics is configured cookie-free. No advertising, retargeting or social-media trackers are loaded. Fonts are self-hosted; no third-party CDN call is made for assets.

§ 11 — Security

Security

The site is served exclusively over TLS. Email correspondence transits providers that implement TLS for transport. Access to the controller’s mailbox is protected by multi-factor authentication. The controller follows the principle of data minimisation and asks data subjects, in the contact-form interface, to share only what is necessary for the enquiry.

§ 12 — Children

Children’s data

The site is not directed at children. The age of digital consent in Poland under Article 8(1) GDPR, as set in the Ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych, is 16. Personal data of a child below this age should not be submitted to the site without the consent of the holder of parental responsibility. Where a parent or guardian wishes to enquire about treatment of a minor, the enquiry should be made by that parent or guardian.

§ 13 — Complaints

Complaints

Complaints concerning the processing of personal data may be made to:

Prezes Urzędu Ochrony Danych Osobowych (UODO — Polish supervisory authority)
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl

Office of the Privacy Commissioner | Te Mana Mātāpono Matatapu (New Zealand)
PO Box 10 094, Wellington 6143
https://www.privacy.org.nz

Complaints concerning health information specifically may also be made to the Health and Disability Commissioner (https://www.hdc.org.nz) or, in Poland, to the Rzecznik Praw Pacjenta (https://www.gov.pl/web/rpp).

§ 14 — Changes

Changes to this policy

This policy may be revised — typically at the point at which a new processor is engaged or processing activities change. Substantive changes will be reflected in the document version and the “Last updated” date below; routine editorial changes will not.

Document control

Document version: v1.0 — April 2026
Last updated: April 2026