Privacy Policy

This Privacy Policy is based on Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (GDPR). It sets out the principles for collecting and processing personal data in connection with this website and the services provided.

I. Data Controller

The Data Controller is Martyna Urbańczyk, conducting business under the name MARU digital Martyna Urbańczyk (Tax Identification Number (NIP): 725-192-18-01), operating the Polish Thread Genealogy brand at polishthread.com. For all matters related to the processing of personal data, please contact: martyna@polishthread.com.

II. Purposes, Legal Bases, and Retention Periods

Newsletter

Personal data collected in connection with your newsletter subscription are processed for the purpose of:

  1. sending newsletters by email containing information about my activities, based on your consent (Art. 6(1)(a) GDPR).

Your personal data may be shared with or entrusted to:

  1. my associates and third-party service providers performing specific services on my behalf (e.g., website hosting, newsletter distribution) — on the basis of appropriate authorizations or data processing agreements;
  2. public authorities entitled to request access to data, where required by a court order, administrative decision, or applicable law.

Retention period:

  1. Data processed on the basis of your consent will be retained until you withdraw that consent, which you may do at any time by writing to martyna@polishthread.com.

Contact & Genealogical Research

Personal data collected in connection with inquiries submitted by email or through the contact form, as well as data processed in the course of genealogical research, are processed for the purpose of:

  1. maintaining contact and responding to correspondence, requests, or inquiries — based on your consent given by providing your data in the body of your message (Art. 6(1)(a) GDPR);
  2. archiving conducted communications and established contacts — based on my legitimate interest (Art. 6(1)(f) GDPR);
  3. defending against claims and asserting my own rights — based on my legitimate interest (Art. 6(1)(f) GDPR);

Your personal data may be shared with or entrusted to:

  1. my associates and third-party service providers performing specific services on my behalf (e.g., website hosting, legal support) — on the basis of appropriate authorizations or data processing agreements;
  2. postal and courier service providers — on the basis of appropriate agreements;
  3. translators and external genealogical researchers conducting archival queries on behalf of the Controller — on the basis of a data processing agreement (Art. 28 GDPR); the scope of data shared is limited in each case to the minimum necessary to complete the task;
  4. public authorities entitled to request access to data, where required by a court order, administrative decision, or applicable law.

Retention period:

  1. Data processed on the basis of your consent will be retained until you withdraw that consent, which you may do at any time by writing to: [contact address].
  2. Data processed on the basis of my legitimate interest for archiving purposes — for 2 years from the date of last contact, or until you submit an objection to: [contact address].
  3. Data processed on the basis of my legitimate interest for sending occasional postal correspondence — until you submit an objection.

Working documentation related to the performance of genealogical services (document scans, research notes, correspondence with archives) is retained for 3 years from the date of completion of the engagement — corresponding to the limitation period for claims under a service contract (Art. 6(1)(f) GDPR, legitimate interest in the ability to defend against claims). After this period, the documentation is permanently deleted, unless the Client has objected to deletion or the parties have agreed otherwise.

Social Media

When you follow, comment on, or otherwise interact with my profiles on social media platforms, I become the controller of your personal data that is visible to me in accordance with the terms of service of the relevant platform.

I process your personal data that you use in accordance with the privacy rules set by the platform on which you have an account. This may include your name, date of birth, profile photo, location and workplace information, and other data associated with your account, as well as any personal data you voluntarily publish on the platform or send to me in a private message.

Your data are processed for the purpose of:

  1. operating my account on the social media platform in accordance with the platform’s terms of service and privacy policy, including engaging with other users — based on my legitimate interest (Art. 6(1)(f) GDPR);
  2. defending against claims and asserting my rights — based on my legitimate interest (Art. 6(1)(f) GDPR).

Your personal data may be shared with or entrusted to:

  1. my associates and third-party service providers performing specific services on my behalf (e.g., legal support) — on the basis of appropriate authorizations or data processing agreements;
  2. public authorities entitled to request access to data, where required by a court order, administrative decision, or applicable law.

Retention period:

  1. I will process your personal data until you object to further processing by clicking “Unlike,” removing a like from a post, deleting your comment, or contacting me at martyna@polishthread.com.

Social media platforms have their own privacy policies, terms of service, and data processing rules that are binding on their users and that I am required to comply with. If you are a user of such a platform, the processing of your personal data is also subject to those terms and policies, and you may exercise any rights afforded to you thereunder.

I currently maintain the following profiles:

  1. Polish Thread Genealogy on Facebook — privacy policy available here: https://www.facebook.com/privacy/policy/.
  2. Polish Thread on Instagram — privacy policy available here: https://privacycenter.instagram.com/policy/.

III. Special Categories of Data and Third-Party Data

In the course of providing genealogical services, the Controller may process special categories of personal data within the meaning of Art. 9 GDPR — in particular, information about religion, nationality, or ethnic origin contained in archival and vital records (baptism, marriage, and death registers). Such data are processed solely to the extent necessary to fulfill the genealogical engagement, on the basis of the Client’s explicit consent (Art. 9(2)(a) GDPR) or on the basis of the exception for data that have been manifestly made public by the data subject (Art. 9(2)(e) GDPR).

Genealogical research may also reveal data relating to living relatives of the Client (e.g., siblings, cousins) who are not a party to the engagement. Such data are processed solely to the extent necessary to prepare the genealogical documentation, on the basis of the legitimate interest of the Controller and the Client (Art. 6(1)(f) GDPR), and are not shared with third parties. The Client acknowledges that any information obtained in this manner relating to living individuals should be used by the Client in compliance with applicable data protection law.

The Controller informs that, in accordance with applicable law, data protection regulations do not apply to deceased persons. Data relating to ancestors processed in the course of genealogical research are therefore not subject to the GDPR, although the Controller handles such data with due care and respect.

Data necessary to fulfill a genealogical engagement are collected by the Controller from two categories of sources: (1) directly from the Client — in particular from documents, photographs, letters, and family heirlooms provided by the Client; (2) from publicly available sources — in particular archival collections, vital records, social media, and telephone directories, where there are reasonable grounds to believe that the individual in question is the person the Client is seeking. In the case of data obtained from public sources, the Controller applies the data minimization principle and processes only data strictly necessary for the specific engagement.

Where a living person sought by the Client is located, the following procedure applies: (1) if the located person confirms the family relationship and consents to being contacted by the Client, their data are shared with the Client to the extent necessary; (2) if the located person does not confirm the family relationship or does not consent to contact, their data are archived and not further processed until new circumstances arise (e.g., new documents evidencing the relationship). Upon the located person’s express request, their data are permanently deleted from the Controller’s records.

IV. Your Rights

You have the right to:

  1. access your personal data and obtain information about how they are being processed (Art. 15 GDPR);
  2. rectification or completion of your data if they are inaccurate or incomplete (Art. 16 GDPR);
  3. erasure of your data (“right to be forgotten”), where there is no legal basis for processing or where you have withdrawn your consent (Art. 17 GDPR);
  4. restriction of processing where the data are inaccurate, unnecessary, processed without a legal basis, or where you have lodged an objection to processing based on the Controller’s legitimate interest (Art. 18 GDPR);
  5. data portability — to receive your personal data in a structured, commonly used format, where data were provided to the Controller and are processed on the basis of consent (Art. 20 GDPR).

You have the right to object at any time to the processing of your personal data carried out on the basis of the Controller’s legitimate interest (Art. 6(1)(f) GDPR). In such a case, the Controller will cease processing your data for those purposes, unless there are compelling legitimate grounds for processing that override your interests, rights, and freedoms, or unless there are grounds for establishing, asserting, or defending legal claims.

You also have the right to object at any time to the processing of your personal data for direct marketing purposes — in which case the Controller will cease processing your data for such purposes and may not invoke any overriding legal grounds to continue.

You may exercise your right to object in any form — in writing or electronically at martyna@polishthread.com. In your objection, please specify which processing purposes are concerned and — if your objection is based on your particular situation — provide a statement of that situation. The Controller will consider your objection without undue delay, and no later than one month from receipt. In complex cases, this period may be extended by a further two months, of which you will be notified.

You have the right to withdraw your consent to processing at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

You also have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR. The supervisory authority in Poland is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, Warsaw, who can be reached:

  • by post: ul. Stawki 2, 00-193 Warsaw, Poland;
  • via the electronic submission platform at: https://uodo.gov.pl/pl/p/kontakt;
  • by phone: +48 22 531 03 00, Helpline: +48 606-950-000.

To exercise any of your rights, please contact: martyna@polishthread.com.

V. International Data Transfers

Some of the tools and solutions I use require transferring personal data outside the European Economic Area to third countries (e.g., cloud services or services related to cookies). Where such a transfer is necessary, I take every effort to ensure the highest possible standards of data security and privacy protection, and I select only service providers that offer such protection.

All data transfers take place on the basis of and within the limits of applicable law, in particular in accordance with Chapter V of the GDPR, which sets out the conditions for transferring personal data to third countries.

Current third-country transfers are as follows:

  • Google services, including email — possible transfer to the USA — Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Fiverr (Fiverr International Ltd., Tel Aviv, Israel) and Upwork (Upwork Global Inc., Santa Clara, USA) — used for receiving client orders; Client data are processed by these platforms in accordance with their respective privacy policies, available at fiverr.com and upwork.com.

VI. Profiling and Automated Decision-Making

Your personal data may be processed in the form of profiling through Google Analytics, which operates using cookies. For more information about profiling, please refer to the Cookie Policy below.

The Controller informs you that it does not engage in automated decision-making, including profiling, that would produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR). Profiling carried out through Google Analytics is used solely to analyze website traffic and does not result in any automated decisions affecting individuals.

VII. Cookies

For information about cookies, please refer to the Cookie Policy.

VIII. Embedded Third-Party Content

Content published on my website may include embedded content (e.g., videos, images, articles) from other websites. Embedded content from another website behaves in exactly the same way as if you had visited that website directly. Those websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that content if you have an account on that website and are logged in. Such websites operate independently of me and I have no control over them. They may have their own privacy policies, which I recommend you review.

IX. Information Duty Toward Persons Whose Data Were Obtained Indirectly (Art. 14 GDPR)

If, in the course of a genealogical query, the Controller makes direct contact with a living person whose data were obtained from a source other than that person themselves (e.g., from archival documents or from the Client), the Controller will fulfill the information duty under Art. 14 GDPR — that is, the Controller will inform that person of the Controller’s identity, the purpose and legal basis of processing, the source from which the data were obtained, and the rights available to that person. This information duty is fulfilled no later than at the time of first contact with that person.

X. Data Processing Inquiries

For all inquiries and correspondence regarding the processing of your personal data, please write to: martyna@polishthread.com.

XI. Changes to This Privacy Policy

The Controller reserves the right to amend this Privacy Policy by publishing updated content on the website. Any amended Privacy Policy will appear on the website with a new effective date.

Where an amendment to this Privacy Policy requires fulfillment of an information obligation under applicable data protection law, you will be notified of the change directly — by postal or electronic correspondence, by a notice displayed upon entering the website, or in another manner ensuring the easiest possible access to the updated information.

Privacy Policy version 1.1 — published April 2, 2026.