Cookie Policy
SETOR AI Sp. z o.o. - Cookies and similar tracking technologies on setor.ai and app.setor.ai
Last Updated: June 16, 2026
This Cookie Policy explains how SETOR AI Sp. z o.o. ("Setor AI", "we", "us" or "our") uses cookies, pixels, local storage, session recording and similar technologies on our website at https://setor.ai and our application at https://app.setor.ai (together, the "Websites"). It forms part of, and should be read together with, our Privacy Policy. Where this Policy concerns the storing of, or access to, information on your device, it is governed by Article 5(3) of the ePrivacy Directive 2002/58/EC and by Article 399 of the Polish Electronic Communications Law (Prawo komunikacji elektronicznej). Where it concerns the further processing of personal data read from those technologies, it is governed by the GDPR (Regulation (EU) 2016/679) and, by reference, Article 400 of the Electronic Communications Law. The single point of contact for all matters in this Policy is office@setor.ai.
1. Introduction
1.1 About this Policy and who we are
This Policy is issued by SETOR AI Sp. z o.o. (in full: SETOR AI Spolka z ograniczona odpowiedzialnoscia), a company incorporated under the laws of the Republic of Poland, KRS 0001202220, NIP 7123502599 (EU VAT: PL7123502599), REGON 543088690, with its registered office at ul. Tomasza Zana 1, 20-601 Lublin, Poland. We are the operator of the Websites and, for the personal data processed through the non-essential technologies described here, the data controller.
This Policy is issued in compliance with: Article 5(3) of the ePrivacy Directive 2002/58/EC (as amended), which requires prior consent before storing information on, or gaining access to information already stored in, your terminal equipment, except where strictly necessary; Article 399 of the Polish Electronic Communications Law (Prawo komunikacji elektronicznej, PKE), which transposes that requirement into Polish law and mandates prior consent for non-essential cookies; Article 400 PKE, under which the rules on the protection of personal data apply accordingly to that consent; and the GDPR (Regulation (EU) 2016/679), including Article 6(1)(a) (consent) and Article 6(1)(f) (legitimate interests) as the legal bases for the subsequent processing of the data concerned.
Our consent standard follows the Court of Justice of the European Union in Case C-673/17 (Planet49, 1 October 2018), which requires that consent for cookies be active and specific (no pre-ticked boxes), and that you be told, before consenting, about the duration of the cookies used and whether third parties may access them. Both items of information are provided in the tables below.
1.2 What cookies and similar technologies are
Cookies are small text files placed on your device (computer, tablet or phone) when you visit a website. They make websites work, improve their efficiency and provide information to the operator. A cookie contains a small amount of data, which may include a unique identifier.
Similar technologies - such as pixel tags and web beacons (including the Meta Pixel), browser local storage (localStorage, sessionStorage) and session recording scripts - are used alongside or instead of cookies for comparable purposes. This Policy covers all of them, collectively referred to as "cookies" unless stated otherwise. Article 5(3) ePrivacy Directive and Article 399 PKE apply to any storing of, or access to, information on your terminal equipment, regardless of the technology used.
1.3 Why we use cookies
- Strictly necessary - to make the Websites function and stay secure, and to remember your cookie consent preferences;
- Analytics (consent required) - to understand how visitors use the Websites so we can improve them and the Setor AI product;
- Marketing (consent required) - to measure the effectiveness of our advertising campaigns and to attribute conversions across the channels you arrive from;
- Session recording (consent required) - to replay anonymized interaction sessions in order to diagnose usability problems and errors.
We do not operate a real-time bidding exchange and we do not auction your data on advertising marketplaces. We may, however, share aggregated or anonymized insights derived from analytics (for example, conversion rates by traffic channel), and, where you consent to marketing cookies, the Meta Pixel will share data with Meta as described in Section 7.
2. Cookie categories we use
We group cookies into four categories by purpose and legal basis. Each technology is described with sufficient detail - including its provider, duration and whether third parties may access it - for you to make an informed choice, as required by Planet49 (C-673/17).
2.1 Strictly necessary cookies (always active)
These cookies are essential for the Websites to function and cannot be switched off in our systems. They are set only in response to actions you take (logging in, submitting a form, setting your privacy preferences). They do not require consent, because they are exempt under Article 399(3) PKE and Article 5(3) ePrivacy Directive as strictly necessary for the provision of a service explicitly requested by you.
| Cookie / technology | Provider | Purpose | Duration | Third-party access |
|---|---|---|---|---|
| __session | Setor AI (first-party) | Maintains your authenticated session after login so you stay logged in as you navigate. Contains an encrypted session identifier only. | Session (deleted when the browser is closed) | No |
| csrf_token | Setor AI (first-party) | Protects against Cross-Site Request Forgery by validating that form submissions originate from our Websites. Contains a random token. | Session (deleted when the browser is closed) | No |
| cookie_consent | Setor AI (first-party) | Stores your consent choices (which categories you accepted or rejected) so we do not re-prompt you and can demonstrate that consent was obtained. Contains a JSON object with category preferences and a timestamp. | 12 months | No |
| __cf_bm / cf_clearance | Cloudflare, Inc. | Bot management and security clearance for the content delivery network in front of our Websites; protects against automated abuse and DDoS. | Up to 30 minutes (__cf_bm); up to 1 year (cf_clearance) | Cloudflare (security processor) |
2.2 Analytics cookies (require your consent)
These technologies help us understand how visitors interact with the Websites. They are loaded and set only after you provide consent through the consent banner. We rely on consent under Article 6(1)(a) GDPR and Article 399 PKE for analytics; we do not claim legitimate interests for this purpose.
| Cookie / technology | Provider | Purpose | Duration | Data sent to |
|---|---|---|---|---|
| ph_* (several cookies prefixed ph_) | PostHog (product analytics) | Records product interactions such as page views, feature usage, navigation paths, clicks and error events, under a pseudonymous visitor identifier, to improve the Websites and the Setor AI product. | Up to 12 months | PostHog EU servers (data residency in the European Union, Frankfurt). No transfer outside the EEA for analytics. |
PostHog is configured to keep all data within the EU, not to share it with third parties for their own purposes, and not to use it for PostHog's own advertising. Withdrawing analytics consent through "Cookie Settings" stops all PostHog collection.
2.3 Marketing cookies (require your consent)
Marketing cookies measure the effectiveness of our advertising and attribute conversions (which ads lead to sign-ups). They are loaded and set only after you provide consent. Consistent with the CJEU in Case C-252/21 (Meta Platforms v Bundeskartellamt, 4 July 2023), we treat advertising and cross-context tracking as requiring consent and we do not rely on legitimate interests for these purposes.
| Cookie / technology | Provider | Purpose | Duration | Third-party access / cross-site tracking | Data sent to |
|---|---|---|---|---|---|
| _fbp | Meta Platforms, Inc. | Set by the Meta Pixel to identify browsers for ad-delivery measurement and conversion tracking on Facebook and Instagram. | 90 days | Yes - Meta may use this cookie to track activity across websites carrying the Meta Pixel and to deliver personalized advertising on its platforms. | Meta Platforms, Inc. (USA). Transfer under the EU-US Data Privacy Framework and SCCs. |
| _fbc | Meta Platforms, Inc. | Set by the Meta Pixel to store the click identifier (fbclid) when you arrive from a Meta ad, for click tracking and conversion attribution. | 90 days | Yes - linked to Meta's cross-site advertising ecosystem. | Meta Platforms, Inc. (USA). Transfer under the EU-US Data Privacy Framework and SCCs. |
| Meta Pixel (reads _fbp / _fbc) | Meta Platforms, Inc. | JavaScript that fires conversion events and reads the _fbp and _fbc values. Loaded only after marketing consent; we also send corresponding events server-side through the Meta Conversions API. | Not stored (script) | Yes - feeds Meta's advertising measurement and profiling. | Meta Platforms, Inc. (USA). DPF and SCCs. |
| setor_marketing | Setor AI (first-party) | Captures UTM parameters (source, medium, campaign, content, term) at first visit, used internally for channel-level attribution. Contains a JSON object with UTM values and a timestamp. | 30 days | No - first-party, not shared with any third party. | Setor AI only. |
2.4 Session recording cookies (require your consent)
Session recording reconstructs anonymized replays of how visitors move through the Websites (mouse movement, scrolling, clicks and form-field focus, with input contents masked) so we can find and fix usability problems and errors. It is a separate consent category and is loaded only after you provide consent, under Article 6(1)(a) GDPR and Article 399 PKE. Keystroke contents and sensitive fields are suppressed at source and are not recorded.
| Cookie / technology | Provider | Purpose | Duration | Data sent to |
|---|---|---|---|---|
| ph_session_recording (and related ph_* recording state) | PostHog (session replay) | Stores the session-replay state for the current visitor so a single anonymized session can be reconstructed for diagnostics. Input contents are masked. | Up to 12 months | PostHog EU servers (data residency in the European Union, Frankfurt). No transfer outside the EEA. |
Session recording can be declined independently of analytics and marketing. Declining it has no effect on your access to, or the functionality of, the Websites.
3. How we obtain consent
3.1 Consent banner and prior blocking
When you first visit the Websites, a consent banner appears, giving clear information about each category and asking for your consent before any non-essential cookie is placed. No analytics, marketing or session-recording cookies, pixels, scripts or tracking technologies are loaded, executed or activated until you affirmatively consent to the relevant category. This includes the PostHog SDK, the PostHog session-recording module and the Meta Pixel - none is loaded into your browser until you consent.
3.2 Granular and active choice
Consent is collected by an affirmative action with no pre-ticked boxes, as required by Planet49 (C-673/17). You may:
- Accept all - consent to analytics, marketing and session-recording cookies (strictly necessary cookies are always active);
- Reject all - keep only strictly necessary cookies;
- Manage preferences - choose individual categories (for example, accept analytics but reject marketing and session recording).
3.3 Equal prominence, no dark patterns
- The "Reject all" control is presented with equal prominence to "Accept all" - same size, visual weight, visibility and number of clicks;
- We do not use dark patterns to nudge acceptance (no colour or size manipulation, misleading labels, pre-ticked boxes, or hiding the reject option behind extra clicks);
- The banner does not obscure content in a way designed to pressure you into accepting.
3.4 Freely given consent
Consent is freely given: access to the Websites is not conditional on accepting non-essential cookies (see Section 6), you can reject all of them and still use the Websites and, for logged-in users, the full Service, and the consequences of each choice are explained. This is consistent with Article 398 PKE, under which any consent to electronic marketing must be prior, voluntary and unbundled.
3.5 Withdrawing consent
You may withdraw or change your consent at any time by clicking the "Cookie Settings" link in the footer of any page, which reopens the same interface as the initial banner. Withdrawal is as easy as giving consent. On withdrawal, any running analytics, marketing or session-recording scripts are stopped, cookies in the withdrawn category are deleted or marked for deletion, and no new cookies in that category are set. Withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
4. Consent proof and record-keeping
Under the accountability principle (Article 5(2) GDPR) and the duty to demonstrate consent (Article 7(1) GDPR), we keep the following proof for each visitor.
| Data point | Purpose | Storage |
|---|---|---|
| Consent timestamp (UTC) | Proves when consent was given or refused | cookie_consent cookie + server-side log |
| Categories accepted / rejected | Proves which categories you consented to | cookie_consent cookie + server-side log |
| Cookie Policy version | Proves which version was in effect at the time | cookie_consent cookie + server-side log |
| Consent mechanism version | Identifies the version of the banner implementation | Server-side log |
| User-agent string | Technical verification of the browser/device used | Server-side log |
Consent decisions are logged server-side, not only in the browser cookie, so that proof survives cookie deletion and is available for audit by the supervisory authorities. In Poland, cookie obligations are enforced jointly by the President of the Office of Electronic Communications (UKE) and the President of the Personal Data Protection Office (UODO). These logs are retained for 3 years from the consent decision, covering the standard limitation period for enforcement.
We re-prompt for consent when this Policy is materially updated (for example, a new category or provider is added), when the consent record expires (12 months from the last decision), or when technical changes require a fresh decision.
5. How to manage cookies
5.1 Our consent tool
You can update your preferences at any time through the "Cookie Settings" link in the footer of every page. Changes take effect immediately.
5.2 Browser settings
Most browsers let you manage cookies in their settings. Disabling or deleting cookies through the browser may impair functionality, since strictly necessary cookies are required for login and session management.
- Google Chrome: Settings > Privacy and security > Cookies and other site data
- Mozilla Firefox: Settings > Privacy & Security > Cookies and Site Data
- Apple Safari: Settings > Privacy > Manage Website Data
- Microsoft Edge: Settings > Cookies and site permissions > Manage and delete cookies
5.3 Provider-specific opt-out tools
- Meta ad settings: facebook.com/adpreferences - control how Meta uses data for advertising;
- Your Online Choices (EU): youronlinechoices.eu - opt out of interest-based advertising across multiple providers;
- PostHog: there is no separate PostHog opt-out tool; withdrawing analytics and session-recording consent through "Cookie Settings" is sufficient.
5.4 Do Not Track
Some browsers send a "Do Not Track" (DNT) signal. There is no universally accepted standard for how websites should respond, and our Websites do not currently respond to DNT signals. We do, however, honour the granular preferences you set through our consent tool, which give you more reliable control.
6. No cookie wall
Access to our Websites is not conditional on accepting non-essential cookies. You may refuse all analytics, marketing and session-recording cookies and still:
- Browse every page of setor.ai, including pricing, features and legal pages;
- Access all public content;
- Log in to app.setor.ai and use the full Service.
We do not intentionally degrade the experience for visitors who reject non-essential cookies. All core functionality operates identically regardless of your cookie choices.
7. Third-party cookies and cross-site tracking
7.1 Third-party access disclosure
When you consent to marketing cookies, the following third party may set cookies on, or read identifiers from, your device. We disclose third-party access in advance, as required by Planet49 (C-673/17).
| Third party | Cookies / technology | Cross-site tracking | Purpose | Their policy |
|---|---|---|---|---|
| Meta Platforms, Inc. | _fbp, _fbc (read by the Meta Pixel) | Yes - Meta tracks activity across sites carrying the Meta Pixel for personalized advertising | Advertising measurement and conversion attribution | facebook.com/privacy/policy |
PostHog cookies (ph_* analytics and session-recording state) are first-party cookies set by Setor AI through PostHog's SDK and are not used by PostHog for its own cross-site tracking. The setor_marketing cookie is first-party and used exclusively by Setor AI. Cloudflare security cookies are processed by Cloudflare strictly to protect and route traffic, not for advertising.
7.2 Cross-site tracking warning
If you accept marketing cookies, the Meta Pixel enables Meta Platforms, Inc. to link your visit to our Websites with your Meta account, combine it with your activity on other sites using the Meta Pixel, build or update an interest-based advertising profile, and deliver personalized ads to you on Meta's platforms. We receive only aggregated, anonymized campaign-performance data (for example, "X visitors from campaign Y completed a sign-up"); we do not receive Meta's advertising profiles about you.
Where the marketing cookies and the Meta Conversions API build or update advertising profiles, this is profiling within the meaning of the GDPR. Setor AI does not take decisions producing legal effects, or similarly significant effects, on you solely by automated means within the meaning of Article 22 GDPR, because any material decision in our sales process - whether and how to contact you, and any commercial outcome - is taken by a human member of our team who exercises genuine discretion in the assessment (not a rubber-stamp approval of an automated output). Where identifiers are hashed before transmission (for example, in the Conversions API), they remain personal data, as confirmed in Case C-604/22 (IAB Europe, 7 March 2024), and are protected accordingly.
If you do not want this cross-site tracking, you can reject marketing cookies in our banner (recommended), manage your Meta ad preferences at facebook.com/adpreferences, or use a browser extension that blocks tracking pixels.
7.3 Our responsibility and transfers
Once Meta sets or reads its cookies, its collection and use of the information are governed by Meta's own policies, and we are not responsible for Meta's processing on its platforms. We have verified that Meta participates in the EU-US Data Privacy Framework and have put in place the EU Standard Contractual Clauses (Decision 2021/914) as a contractual safeguard, supported where appropriate by a transfer impact assessment. The full list of our processors and sub-processors, with their transfer mechanisms, is set out in our Privacy Policy and Data Processing Agreement.
8. Local storage and other technologies
In addition to HTTP cookies, the Websites use the following browser-storage mechanisms.
| Technology | Purpose | Category | Consent required |
|---|---|---|---|
| localStorage | Backup store for your consent preferences and lightweight UI state | Strictly necessary | No |
| sessionStorage | Temporary UI state during the current session | Strictly necessary | No |
We do not use device fingerprinting, canvas fingerprinting, font enumeration, WebRTC-based tracking or any other passive identification technique beyond what is disclosed in this Policy.
9. Server-side identifiers (IP address and approximate location)
Separately from cookies, our servers and the Cloudflare network in front of them automatically receive your IP address and derive an approximate, server-side location from it (country, region/city, postal area and coarse coordinates). Following the CJEU in Case C-582/14 (Breyer), we treat the IP address as personal data.
We process these server-side identifiers on the basis of our legitimate interests (Article 6(1)(f) GDPR, read with Recitals 47 and 49) in keeping the Websites secure, preventing fraud and abuse, and routing traffic to the nearest infrastructure. This processing does not depend on cookies and therefore is not switched off by rejecting cookie categories. You have the right to object to this processing on grounds relating to your particular situation under Article 21(1) GDPR, by writing to office@setor.ai; we will stop unless we demonstrate compelling legitimate grounds that override your interests, or the processing is needed to establish, exercise or defend legal claims.
10. AI interaction and the AI Act
The Setor AI Service is a configurable tool that our business customers deploy in their own Instagram and messaging channels. Where you interact with an AI persona through a channel operated by one of our customers, Article 50(1) of the AI Act (Regulation (EU) 2024/1689) requires that the system be designed so that you are informed you are interacting with an AI, unless this is obvious from the context, with that information given at the latest at the time of the first interaction (Article 50(5)).
Setor AI meets the provider-side design obligation under Article 50(1) by supplying the capability to disclose - a configurable message stating that the counterpart is an AI. Our customer, who configures the persona (including how it introduces itself) and deploys the tool to its own audience, is responsible for the actual disclosure to end users and undertakes not to disable or circumvent that function. The transparency obligations relating to emotion recognition, biometric categorization and deepfakes under Article 50(3) and 50(4) rest with the deployer. The AI Act transparency rules apply from 2 August 2026. In Poland the competent authority for the AI Act is expected to be the body to be established under the legislation currently in progress (working name KRiBSI); the supervisory authority for the GDPR is the President of the Personal Data Protection Office (UODO).
11. Changes to this Policy
We may update this Policy to reflect changes in the technologies we use, in applicable law or regulatory guidance, or in our operations. When we make material changes (for example, adding a category, a provider or a new form of cross-site tracking), we will update the "Last Updated" date, re-prompt for consent where the changes affect categories you previously chose, and, where appropriate, notify you through the consent banner. The current, authoritative version is always available at https://setor.ai/cookies. Previous versions are available on request at office@setor.ai.
12. Contact
For any question, concern or request about this Policy, our use of cookies and similar technologies, or to exercise your data-protection rights (including the right to object under Article 21 GDPR), contact us at office@setor.ai. Our Data Protection contact is reachable at the same address.
SETOR AI Sp. z o.o., ul. Tomasza Zana 1, 20-601 Lublin, Poland. KRS 0001202220, NIP 7123502599 (EU VAT: PL7123502599), REGON 543088690. office@setor.ai.
This Policy is governed by Polish law. For B2B disputes, the competent court is the District Court (Sad Rejonowy) Lublin-Wschod in Lublin sitting in Swidnik, or the Regional Court (Sad Okregowy) with subject-matter jurisdiction. Nothing in this Policy limits any rights you have as a consumer or as a natural person treated as a consumer under Articles 385(1) and 385(5) of the Polish Civil Code.
This Cookie Policy was prepared by Setor AI and may be subject to final review by qualified legal counsel familiar with EU ePrivacy law, the GDPR, the AI Act and Polish telecommunications and data-protection law. It is provided for transparency to users of setor.ai and app.setor.ai. Contact: office@setor.ai.
Effective date: July 1, 2026
Version: 4.0