Version 1.0 · Valid from 2026-05-30

Action Audit Service Privacy Policy

Last updated: 30 April 2026

1. Data Controller

The controller of your personal data is Ruby Logic Poland Sp. z o.o., with its registered office in Bielsko-Biała (43-300), ul. Aleksandrowicka 35, Poland, entered in the National Court Register (KRS) under number 0000933511, share capital: PLN 50,000, Tax ID (NIP): 5472228121, Statistical ID (REGON): 520477998 (hereinafter: "Controller" or "Ruby Logic").

Contact for data protection matters: [email protected]

Ruby Logic has implemented and maintains an Information Security Management System (ISMS) in accordance with the ISO/IEC 27001:2022 standard, covering the processes related to the development, maintenance, and provision of the Action Audit Software.

2. Scope of this Policy

This Privacy Policy applies to the processing of personal data in connection with the use of the Action Audit service, comprising:

the Action Audit Web Platform available at app.action-audit.com (hereinafter: "Platform"),
the Action Audit Mobile Application (hereinafter: "Mobile Application"),
the Action Booth Employee Kiosk (hereinafter: "Kiosk"),

(hereinafter collectively: "Service" or "System").

This Policy covers:
- users holding an account in the System (hereinafter: "Users"),
- clients (companies) that have entered into a licence agreement or are using the Evaluation Period (hereinafter: "Clients").

Processing of personal data of visitors to the action-audit.com website (without logging in), users of the contact form, or newsletter subscribers is governed by a separate document: Privacy and Cookie Policy — action-audit.com website.

3. Dual Role of Ruby Logic

Ruby Logic performs two distinct roles with respect to personal data protection:

Data scope	Ruby Logic's role	Description
User account data (first name, surname, e-mail, phone number)	Data Controller	Ruby Logic independently determines the purposes and means of processing this data — it is necessary for maintaining accounts and providing the Service.
Client Data (content entered into the System: tasks, audits, ideas, comments, attachments, etc.)	Data Processor on behalf of the Client	Ruby Logic processes this data solely for the purpose of providing the Service, on documented instructions of the Client (controller), under a Data Processing Agreement (DPA).

4. User Account Data — Ruby Logic as Controller

4.1 Scope of Data

Data	Source
First name and surname	Account registration / invitation by the Client's Administrator
E-mail address	Account registration
Phone number	Mobile Application registration
IP address	Automatically
System activity data (logins, actions)	Automatically
Device data (type, OS version, identifier)	Automatically (Mobile Application)

4.2 Purposes and Legal Bases for Processing

Purpose	Legal basis (GDPR)
Maintaining the User account, authentication, access authorisation	Art. 6(1)(b) — performance of a contract
Providing the Service (access to the Platform, Mobile Application, Kiosk)	Art. 6(1)(b) — performance of a contract
Handling the Evaluation Period (trial)	Art. 6(1)(b) — performance of a contract (Terms of Service)
Communication with the User (system notifications, technical support)	Art. 6(1)(b) — performance of a contract
Issuing invoices, settlements, tax and accounting obligations	Art. 6(1)(c) — legal obligation
IT security (system logs, access monitoring)	Art. 6(1)(f) — legitimate interest (security)
Direct marketing to existing Clients	Art. 6(1)(f) — legitimate interest
Establishing, pursuing, or defending legal claims	Art. 6(1)(f) — legitimate interest
Fulfilling obligations under the GDPR	Art. 6(1)(c) — legal obligation

5. Client Data (Content in the System) — Ruby Logic as Processor

With respect to content entered into the System by Users (tasks, audits, ideas, engineering changes, comments, attachments), Ruby Logic acts solely as a data processor on behalf of the Client (controller) within the meaning of Art. 28 GDPR.
The terms of data processing are set out in the Data Processing Agreement (DPA SaaS), a separate document accepted by the Client upon registration or signed as part of the Licence Agreement.
Questions regarding the purpose and scope of processing of content entered into the System should be directed to your company (the Client), which is the controller of such data.

6. Information for End Users (Employees of Client Companies)

If you use Action Audit as an employee or associate of a company that has purchased a licence or is using the Evaluation Period:

Your account (first name, surname, e-mail) was created by your company's administrator. In this respect, Ruby Logic is the controller of your data — we process it for the purpose of maintaining the account and providing the Service.
Content you enter into the System (tasks, audits, ideas, comments, etc.) is processed by Ruby Logic on your company's instructions (as a processor). The controller of such data is your company — questions regarding the purpose and scope of processing should be directed to your company.
Regardless of the above, you are entitled to exercise all rights listed in Section 9 with respect to data of which Ruby Logic is the controller (account data).

7. Data Recipients

Personal data may be disclosed to the following categories of recipients:

Data processors — hosting providers, cloud infrastructure providers, e-mail service providers, e-signature platforms — under data processing agreements (DPAs) compliant with Art. 28 GDPR.
Public authorities — only upon receipt of a request based on a valid legal basis (e.g. courts, law enforcement, the President of UODO).
Legal advisors and auditors — to the extent necessary for the provision of advisory, audit, or control services.

Ruby Logic does not sell personal data to third parties.

8. International Data Transfers

Personal data is generally processed within the European Economic Area (EEA). Core processing (hosting, databases, backups) takes place in data centres located within the EEA.

Where a transfer outside the EEA is necessary, the transfer is carried out solely on the basis of:

an adequacy decision of the European Commission (Art. 45 GDPR),
standard contractual clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR),
the EU-U.S. Data Privacy Framework (for certified US entities),
another mechanism provided for by the GDPR.

9. Data Subject Rights

Under the GDPR, you have the following rights:

Right	Description
Right of access (Art. 15)	Obtain information about processing and a copy of your data.
Right to rectification (Art. 16)	Request correction of inaccurate or completion of incomplete data.
Right to erasure (Art. 17)	Request erasure of data ("right to be forgotten"), subject to exceptions under the GDPR.
Right to restriction of processing (Art. 18)	Request restriction of processing in certain circumstances.
Right to data portability (Art. 20)	Receive data in a structured, commonly used, machine-readable format.
Right to object (Art. 21)	Object to processing based on legitimate interest, including direct marketing.
Right to withdraw consent (Art. 7(3))	Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint (Art. 77)	Lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

How to Exercise Your Rights

Requests may be submitted:

by e-mail: [email protected]
in writing: Ruby Logic Poland Sp. z o.o., ul. Aleksandrowicka 35, 43-300 Bielsko-Biała, Poland

Requests will be fulfilled without undue delay, and no later than 1 month from receipt. In the case of complex requests, the deadline may be extended by a further 2 months, of which you will be informed within the first month.

We may ask you to verify your identity before fulfilling a request, in a manner proportionate to the nature of the request.

Note: With respect to data of which your company is the controller (content in the System), requests should be directed to your company. Ruby Logic will fulfil the company's (as controller's) request in accordance with the DPA.

10. Data Retention Periods

Data category	Retention period	Legal basis
User account data	For the duration of the account + 30 days for deletion after account closure	Contract, Art. 17 GDPR
Client data (B2B contracting parties)	For the duration of the agreement + 5 years (limitation of claims)	Polish Civil Code
Evaluation Period (trial) data	Deletion within 30 days of access being blocked (no export functionality during trial)	Terms of Service
Tax and accounting documentation	5 years from the end of the tax year	Polish Tax Ordinance, Polish Accounting Act
System logs (access, activity)	Max. 12 months, unless required for incident investigation	Art. 6(1)(f) GDPR
Client Data (content in the System)	In accordance with the DPA — export within 30 days after termination of the agreement, deletion within the following 30 days	DPA SaaS

11. Data Security

Ruby Logic implements technical and organisational measures ensuring the protection of personal data in accordance with Art. 32 GDPR and the ISO/IEC 27001:2022 standard, including:

encryption of data in transit (TLS/SSL) and at rest,
access control based on the need-to-know and least privilege principles,
multi-factor authentication (2FA) for administrative accounts,
regular encrypted backups with replication to independent locations,
monitoring and logging of data access,
network segmentation, firewalls, and web application firewall (WAF),
secure development lifecycle (security by design, privacy by design),
regular staff training on personal data protection and information security.

More information on our approach to security is available in the public Information Security Policy.

12. Profiling and Automated Decision-Making

Ruby Logic does not carry out profiling or automated decision-making within the meaning of Art. 22 GDPR with respect to Service Users.

13. Changes to this Privacy Policy

Ruby Logic reserves the right to update this Policy, in particular in connection with changes to legislation, System functionality, or data processing practices.

We will notify you of material changes:
- via an in-System notification,
- via an e-mail to the Client's Administrator.

14. Related Documents

Document	Description
Privacy and Cookie Policy — action-audit.com website	Processing of data of website visitors, contact form, newsletter
Action Audit Terms of Service	General rules for using the Service
Action Audit End User Terms	Rules for using the Service by Users
Data Processing Agreement (DPA SaaS)	Terms of data processing commissioned by the Client
Privacy and Cookie Policy — action-audit.com website	Data processing and cookie rules on the website

15. Contact

For matters related to personal data protection:

Ruby Logic Poland Sp. z o.o.
ul. Aleksandrowicka 35, 43-300 Bielsko-Biała, Poland
E-mail: [email protected]
Website: https://action-audit.com

16. Language Version

The original language of this Policy is Polish. In the event of discrepancies between language versions, the Polish version shall prevail, unless mandatory provisions of law provide otherwise.