Privacy Policy
SETOR AI Sp. z o.o.
Last updated: June 16, 2026
Company details
SETOR AI SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
KRS: 0001202220
NIP: 7123502599
REGON: 543088690
Address: Tomasza Zana 1, 20-601 Lublin, Poland
E-mail: office@setor.ai
Website: https://setor.ai
Application: https://app.setor.ai
This Privacy Policy ("Policy") describes how SETOR AI Sp. z o.o. ("Setor AI", "Company", "we", "us", or "our") collects, uses, discloses, and protects personal data when you visit our website at https://setor.ai, use our application at https://app.setor.ai, or otherwise interact with our services (collectively, the "Service"). This Policy applies to Customers (businesses and individuals who subscribe to the Service), Authorized Users (individuals authorized by a Customer to access the Service), Website Visitors, and End-Users (individuals who interact with a Customer's Instagram, Facebook, or WhatsApp account where the Customer deploys the Service). We serve Customers worldwide, including outside the European Union, and personal data may flow both into and out of the EU in the course of providing the Service. Where Setor AI processes personal data on behalf of a Customer (for example, message content managed through the Service), Setor AI acts as a data processor and the Customer acts as the data controller; the terms of such processing are set out in the Data Processing Agreement ("DPA"), which forms Appendix A of the Terms of Service. This Policy primarily addresses Setor AI's processing as a data controller (account management, billing, analytics, marketing, security) and also provides transparency information for End-Users under Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and applicable national law, including the Polish Act on Personal Data Protection of 10 May 2018.
1. Controller Identity and Contact
1.1. Data Controller
The data controller responsible for the personal data processed under this Policy is SETOR AI Spółka z ograniczoną odpowiedzialnością (SETOR AI Sp. z o.o.), with its registered office at ul. Tomasza Zana 1, 20-601 Lublin, Poland.
- KRS (National Court Register): 0001202220, kept by the District Court Lublin-Wschód in Lublin with its seat in Świdnik
- NIP (Tax ID): 7123502599 (EU VAT: PL7123502599)
- REGON: 543088690
1.2. Single Point of Contact
For all matters concerning this Policy, including privacy inquiries, data subject rights requests, and security concerns, the single contact channel is office@setor.ai. We aim to acknowledge inquiries within five (5) business days and to provide a substantive response within thirty (30) calendar days, subject to extension as permitted by applicable law. For suspected data breaches or urgent security concerns, please include "SECURITY - URGENT" in the subject line.
1.3. Data Protection Officer
Where applicable law requires the formal appointment of a Data Protection Officer ("DPO") under Article 37 GDPR, Setor AI will appoint one and publish their contact details. In any case, all data protection matters, including any DPO function, can be reached through office@setor.ai. The competent supervisory authority for data protection in Poland is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, "UODO").
2. Scope and Application
2.1. Territorial Scope
This Policy applies to all personal data processing carried out by Setor AI in the context of its establishment in the European Union (Poland), regardless of where the data subjects are located (Article 3(1) GDPR). It also applies to the processing of personal data of data subjects who are in the European Union, where the processing relates to the offering of goods or services to them or the monitoring of their behaviour within the European Union (Article 3(2) GDPR).
2.2. Global Customers and Local-Law Responsibility
Setor AI provides the Service to Customers located both inside and outside the European Union, and Customers may use the Service to reach an audience located anywhere in the world. Each Customer is solely responsible for ensuring that its use of the Service and its communications with its own audience comply with the laws of the Customer's jurisdiction and of the jurisdictions in which its End-Users are located. This includes, without limitation, local marketing and anti-spam laws (for example, the U.S. Telephone Consumer Protection Act (TCPA) and CAN-SPAM Act), consumer-protection laws, local AI-disclosure requirements, and local data-protection and privacy laws (for example, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and comparable U.S. state and non-EU laws). The Customer warrants that it has a valid legal basis or consent, as required under applicable local law, to contact and process the personal data of its audience, and the Customer agrees to indemnify and hold Setor AI harmless against any claims, fines, damages, and costs arising from the Customer's breach of any such law, as further set out in Section 18.
2.3. Relationship to Other Documents
This Policy should be read together with our Terms of Service, the Data Processing Agreement (Appendix A of the Terms of Service), the Cookie Policy, and the Sub-Processor List (a current version of which is set out in Section 9 of this Policy). In the event of a conflict between this Policy and the DPA in respect of data processor activities, the DPA prevails.
3. Categories of Personal Data Collected
We collect and process the following categories of personal data, depending on how you interact with the Service.
3.1. Account Data
- Identity data: full name, job title, business role;
- Contact data: business email address, telephone number (if provided);
- Business data: company name, company size, business website, industry sector;
- Authentication data: username, password (stored only in hashed form), multi-factor authentication credentials;
- Subscription data: selected pricing plan, subscription status, trial information;
- Consent and audit records: timestamp and version of Terms of Service and Privacy Policy acceptance, IP address, and user agent at the time of consent.
3.2. Messaging Platform Account Data (Meta API)
As part of the Service's core functionality, we integrate with Meta's Instagram, Facebook, and WhatsApp platforms via the Meta API. Through this integration we access and process: business or creator account identifiers and profile information (username, display name, profile picture, follower count, account category); linked Page information; permissions and access tokens granted by the Customer through the Meta authorization flow; account connection status and integration health data; and account insights and engagement metrics where authorized. Setor AI does not access, store, or process platform login credentials (username/password); authentication is handled exclusively through Meta's OAuth 2.0 authorization flow.
3.3. Google Account Data (Google APIs)
Where Customers connect Google services (such as Google Calendar for scheduling), we access and process the Google account identifier and email address, OAuth 2.0 access and refresh tokens, data from connected Google services as authorized by the Customer, and Google API usage metadata. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements: we access only the data necessary for features the Customer has enabled, do not use Google user data for advertising, do not transfer it except as necessary to provide the requested features or to comply with law, and do not use it to train AI or machine learning models. Setor AI does not access, store, or process Google account passwords.
3.4. Message Content
A core component of the Service involves processing direct messages ("DMs") to enable automated conversation management, including the content of incoming and outgoing messages, conversation thread metadata (timestamps, message IDs, participant identifiers), attachment types and media metadata, labels, tags, and notes applied by Customers, automated response content generated by the Service, and conversation classification and scoring data (for example, lead qualification scores and sentiment indicators). This content may include personal data about the Customer's contacts (End-Users); in respect of such third-party data, the Customer is the data controller and Setor AI processes it solely on the Customer's behalf under the DPA.
3.5. Usage Data and Analytics
- Feature usage data (features accessed, frequency of use, interaction patterns);
- Session information (login timestamps, session duration, session identifiers);
- Performance data (load times, error events, API response metrics);
- Configuration data (settings, automation rules, template configurations);
- Onboarding progress and wizard completion data;
- Usage metrics (messages processed, contacts engaged, API calls, automation actions) collected for usage-based billing, pricing tier determination, and account management.
3.6. Payment Data
Billing and payment processing is handled by Stripe, Inc. We do not store full payment card numbers, CVV codes, or bank account details. We collect and store the billing name and address, the last four digits of the payment card (for reference), payment transaction identifiers, subscription billing history and invoice records, and tax identification numbers where applicable. All payment card data is collected, stored, and processed exclusively by Stripe in accordance with PCI-DSS Level 1 standards.
3.7. Technical Data, IP Address, and Server-Side Geolocation
When you visit our website or use our application, we automatically collect technical data, including your IP address, browser type and version, operating system and device type, referral URL, network and connection information, and timezone and language settings. We treat the IP address as personal data, consistent with the judgment of the Court of Justice of the European Union in Case C-582/14 (Breyer).
From the IP address and request headers we derive server-side geolocation data (country, city, postal/region code, and approximate coordinates) at the time of your request. We collect and use the IP address and derived geolocation for security, anti-fraud, abuse prevention, traffic routing, and integrity of the Service. The legal basis is our legitimate interest under Article 6(1)(f) GDPR (see recitals 47 and 49 GDPR). You have the right to object to this processing on grounds relating to your particular situation under Article 21(1) GDPR (see Section 11).
3.8. Cookies and Tracking Data
We use cookies, pixels, local storage, and similar technologies on our website and application. Strictly necessary cookies (session management, authentication, CSRF protection, consent storage) are used without consent; analytics, ad-tech, and marketing technologies are loaded only after your prior, granular consent. See Section 15.
3.9. Marketing Attribution and Ad-Tech Data
Where you reach us through a marketing campaign and have given the relevant consent, we may collect UTM parameters (source, medium, campaign, content, term), click identifiers (such as the Meta click identifier fbclid), referrer information, and landing page URLs, and we may set or read ad-tech identifiers (such as the Meta cookies _fbp and _fbc). First-party UTM and referrer attribution that does not require terminal-device access is processed in a first-party cookie; ad-tech pixels and identifiers are processed only on the basis of your consent (see Sections 4 and 15).
3.10. Communications Data
If you contact us, we collect your contact details, the content of your communication and any attachments, and related metadata (date, time, subject).
4. Purposes, Legal Bases, and Retention
We process personal data only where a valid legal basis under Article 6 GDPR exists. The table below provides a per-activity breakdown as required by Articles 13(1)(c)-(d) and 14(1)(c)-(d) GDPR. We deliberately do not claim legitimate interest for analytics, ad-tech, or session recording; those activities rely on consent only.
| # | Processing activity | Data categories | Legal basis (Art. 6(1) GDPR) | Retention |
|---|---|---|---|---|
| 1 | Account creation and management | Identity, contact, business, authentication, subscription, consent records | (b) Contract | Duration of contract + 30 days |
| 2 | Service provision - message automation | Message content, conversation metadata, automated responses, classification data | (b) Contract | Duration of contract + 180 days |
| 3 | AI response generation | Message content (input), generated responses (output) | (b) Contract | Transient; not retained by AI sub-processors beyond the session, save for limited abuse-prevention logging |
| 4 | Product and AI quality improvement (aggregated/anonymized only) | Aggregated, anonymized usage and conversation-derived metrics | (f) Legitimate interest | Up to 36 months as identifiable derived metrics, then anonymized |
| 5 | Messaging platform integration (Meta API) | Account identifiers, profile data, access tokens | (b) Contract | Duration of contract + 30 days; tokens revoked on disconnection |
| 6 | Google services integration | Google account ID, OAuth tokens, connected service data | (b) Contract; (a) Consent for initial OAuth authorization | Duration of connection + 30 days; tokens revoked on disconnection |
| 7 | Payment processing and accounting | Billing name/address, card last 4, transaction IDs, invoices | (b) Contract; (c) Legal obligation (Polish Accounting Act, VAT Act) | 5 years from end of the financial year (Ustawa o rachunkowości, art. 74) |
| 8 | Product analytics (PostHog) | Usage data, session info, performance metrics, IP | (a) Consent | Up to 36 months, then anonymized |
| 9 | Session recording | Recordings of interactions on the website/application, with all text fields masked | (a) Consent | Up to 36 months |
| 10 | Ad-tech and conversion measurement (Meta Pixel, Conversions API) | Browsing behaviour, conversion events, hashed identifiers, click IDs | (a) Consent | Per Meta retention (for example 90 days for _fbp/_fbc cookies); event data per Meta terms |
| 11 | Identity stitching and marketing profiling | Cross-device and cross-system identifiers (quiz, email, CRM, Meta, Stripe), hashed identifiers, hashed IP (ip_hash, a per-lead pseudonym joined to the quiz result ID - the raw IP address is never stored in analytics) | (a) Consent | ip_hash and stitched attribution until consent withdrawal or 36 months, whichever is earlier, then deletion or anonymisation |
| 12 | First-party marketing attribution | UTM parameters, referrer, landing page | (f) Legitimate interest | Attribution records up to 24 months |
| 13 | Electronic marketing communications | Email address, name, engagement data (opens, clicks) | (a) Consent (prior opt-in, including for B2B addressees, under art. 398 PKE) | Until unsubscribe + 30 days; consent records 3 years |
| 14 | Customer support | Contact details, communication content, metadata | (b) Contract; (f) Legitimate interest (support quality) | 24 months from resolution |
| 15 | Security, anti-fraud, abuse detection, routing | Access logs, IP addresses, server-side geolocation, authentication events, device signals | (f) Legitimate interest; (c) Legal obligation where applicable | 12 months |
| 16 | Legal compliance and record-keeping | Financial records, tax documents, consent records, legal correspondence | (c) Legal obligation; (f) Legitimate interest (legal claims) | Per statutory period: tax 5 years; claims per limitation period (typically 3-6 years under the Polish Civil Code) |
| 17 | Usage-based billing and metering | Usage metrics, pricing tier, billing adjustments | (b) Contract; (c) Legal obligation (accounting) | Duration of contract + 5 years (Accounting Act) |
Legitimate interest balancing tests. Where we rely on legitimate interests (Article 6(1)(f)), we have conducted and documented balancing tests weighing our interests against the rights and freedoms of data subjects. You may request information about the test applicable to a specific activity, and you may object under Article 21(1) GDPR, by contacting office@setor.ai.
5. AI Data Processing
5.1. The Service is a Configurable Tool
The Service provides a configurable AI tool. The Customer independently configures the AI persona, including how that persona presents itself in conversations. Setor AI supplies natural-language understanding, automated response generation, conversation classification and routing, sentiment analysis, lead qualification, and content safety filtering; the Customer determines, through configuration, how these capabilities are applied to the Customer's audience.
5.2. Integral Nature of AI Processing
AI processing is integral to the Service and necessary for the performance of our contract with the Customer (Article 6(1)(b) GDPR). Without AI processing, the core automation functionality cannot be delivered.
5.3. Third-Party AI Technology Partners
We engage specialist technology partners to provide AI and machine-learning infrastructure. These partners process personal data on our behalf as sub-processors under terms compliant with Article 28 GDPR. The current AI/ML sub-processors are identified in Section 9 (Sub-Processor List), including jurisdiction, transfer mechanism, and whether they train on the data processed.
5.4. Data Minimization, No Customer-Data Training, and Aggregated Improvement
- Message content is transmitted to AI infrastructure only to the extent necessary to deliver the requested functionality;
- No training on Customer Data: we do not use Customer Data or End-User message content to train, fine-tune, or improve general AI models, and our contracts with AI sub-processors prohibit such use of data processed through the Service;
- Aggregated and anonymized improvement: we may use aggregated and anonymized data derived from use of the Service to maintain, secure, troubleshoot, and improve the Service and its models, on the basis of our legitimate interest (Article 6(1)(f) GDPR). Anonymized data is not personal data; aggregated derived data in identifiable form is retained as set out in Section 4. Setor AI is the controller of such derived and aggregated data, while the Customer's content remains the Customer's;
- No cross-customer leakage: data from one Customer's account is not used to influence the Service for another Customer.
5.5. Human Oversight
Customers retain meaningful control over AI outputs: they configure automation rules, templates, and AI behaviour parameters; they can review, edit, override, or delete any automated response before or after delivery; they have dashboard-level visibility into automated conversations; and they can pause or disable automation at any time.
6. Profiling and Identity Stitching
6.1. Identity Stitching Across Devices and Systems
For marketing and conversion-measurement purposes, and only with your consent, we link identifiers relating to you across devices and across systems - for example connecting a quiz interaction to an email address, to a CRM record, to Meta ad-tech identifiers, and to Stripe billing information. The purpose is to attribute marketing performance, measure conversions, and present relevant marketing.
One of the identifiers we use for this purpose is a hashed IP address (ip_hash) - a per-lead pseudonym derived by hashing the IP address together with the quiz result identifier. We use it solely to join events from the same lead across devices inside our own analytics. We do not store the raw IP address in analytics, and the ip_hash is never used as your identity key and never to link different individuals who share the same IP address (for example behind carrier-grade NAT). The ip_hash is created only after you pass the qualified quiz result and only with your analytics consent. It is retained for up to 36 months and then deleted or anonymised.
This linking constitutes marketing profiling within the meaning of the GDPR. Consistent with the case law of the Court of Justice of the European Union, ad-tech combination and cross-source linking of personal data are carried out on the basis of consent rather than legitimate interest (Case C-252/21, Meta v Bundeskartellamt, 4 July 2023). Hashed identifiers remain personal data where the individual can be re-identified, including in conjunction with additional information (Case C-604/22, IAB Europe).
6.2. No Solely Automated Decisions with Legal or Similarly Significant Effects
We do not take decisions producing legal effects concerning you, or similarly significantly affecting you, based solely on automated processing within the meaning of Article 22 GDPR. Any material decision (for example, a sales follow-up or commercial terms) is taken by a human who exercises genuine discretion over the outcome, not a rubber-stamp approval of an automated score. Marketing profiling only informs that human decision-making; it does not determine it.
You may withdraw your consent to identity stitching and ad-tech profiling at any time, and you have an unconditional right to object to processing for direct marketing under Article 21(2) GDPR (see Section 11).
7. Messaging Platform (Meta) Processing Specifics
7.1. Roles
| Data category | Source | Roles | Purpose |
|---|---|---|---|
| Account profile (username, display name, picture, follower count) | Meta API | Customer (Controller); Setor AI (Processor) | Account management, dashboard display |
| Access tokens | Meta OAuth flow | Setor AI (Controller for token management) | API authentication |
| Incoming DM content from End-Users | Meta API webhooks | Customer (Controller); Setor AI (Processor) | Automated response generation, conversation management |
| Outgoing DM content (automated and manual) | Service-generated | Customer (Controller); Setor AI (Processor) | Service delivery |
| Conversation metadata (timestamps, thread IDs) | Meta API | Customer (Controller); Setor AI (Processor) | Threading and analytics |
| End-User profile data (username, picture) | Meta API | Customer (Controller); Setor AI (Processor) | Conversation identification |
| Lead qualification scores | Service-generated | Customer (Controller); Setor AI (Processor) | Sales pipeline management |
7.2. Meta Pixel and Conversions API (Joint Controllership)
On our website, and only after your consent, we deploy the Meta Pixel and transmit conversion events to Meta through the Conversions API. For the collection and transmission of these events to Meta for Meta's own purposes, Setor AI and Meta Platforms, Inc. act as joint controllers within the meaning of Article 26 GDPR; the essence of that joint-controller arrangement is made available by Meta. Personal data transmitted to Meta (including hashed identifiers) may be transferred to the United States under the EU-US Data Privacy Framework and the Standard Contractual Clauses (see Section 9). You can withdraw consent at any time via the cookie settings.
7.3. Information for End-Users
- Who controls your data: the owner of the messaging account you contacted is the data controller for your message content; Setor AI processes it on their behalf as a processor.
- What happens to your messages: your messages may be processed by AI to generate automated responses, classify the conversation, and route it, depending on the account owner's configuration.
- Your rights: direct your access, deletion, objection, and other requests to the account owner (the controller). You may also contact office@setor.ai and we will forward or assist as permitted by our processing obligations.
- AI transparency: the account owner (deployer) is responsible for informing you that you are interacting with an AI system (see Section 17).
- Retention: message data is retained for the duration of the Customer's subscription and deleted within 180 days of account closure; the Customer may delete conversations earlier.
7.4. Platform Compliance and Account Risk
Our processing complies with the Meta Platform Terms, the Instagram Platform Policy, and the WhatsApp Business terms. Meta may independently restrict, suspend, or terminate access to accounts or APIs for reasons outside Setor AI's control; please refer to the Terms of Service for the relevant provisions.
8. Google Services Data Processing
Where Customers authorize Google integrations, our processing of Google user data adheres to the Google API Services User Data Policy, including the Limited Use requirements.
| Google service | Data accessed | Purpose |
|---|---|---|
| Google Calendar | Calendar availability, event metadata | Scheduling meetings with leads from conversations |
| Google Account (OAuth) | Email address, account identifier | Authentication and account linking |
- Necessity: we request only the minimum OAuth scopes necessary for enabled features;
- Purpose limitation: Google user data is used solely for the authorized integration, never for advertising, profiling, or cross-service enrichment;
- No model training: Google user data is not used to train AI or machine-learning models;
- Token security: Google OAuth tokens are encrypted at rest (AES-256), transmitted only over TLS 1.3, and revoked and deleted within 30 days of disconnection. You can revoke access at any time via myaccount.google.com/permissions;
- Human access: restricted to explicit user consent, security investigation, legal compliance, or aggregated and anonymized internal metrics.
9. Data Recipients, Sub-Processors, and International Transfers
9.1. General Authorization of Sub-Processors
The Customer grants Setor AI a general written authorization to engage sub-processors within the meaning of Article 28(2) and 28(4) GDPR. We will inform Customers of any intended addition or replacement of a sub-processor at least 14 days in advance, thereby giving the Customer the opportunity to object. An objection must be based on a documented, reasonable data-protection risk; absence of objection within the notice period constitutes acceptance. Where a reasonable objection cannot be resolved, the Customer's sole and exclusive remedy is to terminate the affected part of the Service. We flag the position of each non-EEA sub-processor and impose Article 28-compliant terms (with the Standard Contractual Clauses 2021/914 and, where relevant, a transfer impact assessment) on each of them.
9.2. Categories of Recipients
Beyond the sub-processors listed below, we may disclose personal data to professional advisors (lawyers, accountants, auditors) under confidentiality, to an acquirer in connection with a merger or business transfer (under data-protection commitments no less protective than this Policy), and to competent authorities where required by law. The categories below are deliberately broad so that we can replace a provider within the same category without a contract amendment, subject to the notice and objection procedure in Section 9.1.
9.3. Sub-Processor List
| Entity | Purpose | Location | Transfer mechanism | Trains on data |
|---|---|---|---|---|
| OpenAI, L.L.C. | AI response generation | USA | DPF + SCC | No (API data not used for training; opt-in only) |
| Anthropic, PBC | Backup AI model | USA | SCC / DPF | No (contractually does not train on Customer data) |
| Google LLC (Gemini) | Profile-image and vision analysis; response generation | USA | DPF + SCC | Subject to verification |
| OpenRouter, Inc. | API gateway to AI models (weakest link, model-dependent) | USA | SCC | Model-dependent |
| Groq, Inc. | Audio transcription of conversations | USA | SCC | No |
| Changes AI, Inc. / fal.ai | Image generation | USA | SCC | No |
| ElevenLabs, Inc. | Voice synthesis for AI conversations | USA | SCC | No |
| Meta Platforms, Inc. | Instagram/Facebook/WhatsApp API; ad-tech (joint controller for own purposes) | USA | DPF | Per Meta terms |
| Twilio Inc. | SMS and voice calls | USA | DPF + SCC | No |
| Slack Technologies / Salesforce | Team integration | USA | DPF + SCC | No |
| Stripe, Inc. | Payments and subscriptions | USA | DPF + SCC | No |
| Attio | CRM | USA / EU | DPF / SCC | No |
| iClosed | Sales CRM | USA | SCC | No |
| Gleap | Support widget and ticketing | EU | Intra-EEA / SCC | No |
| HighLevel (GoHighLevel) | CRM and calendars | USA | DPF + SCC | No |
| Calendly | Bookings | USA | DPF + SCC | No |
| Cal.com | Bookings | USA / EU | SCC | No |
| RapidAPI | Research of public Instagram profiles | USA | SCC | No |
| Notion | Internal notes | USA | DPF + SCC | No |
| Resend | Email delivery (active) | USA | SCC | No |
| Postmark | Email delivery (alternative) | USA | SCC | No |
| SendGrid / Twilio | Email delivery (alternative) | USA | DPF + SCC | No |
| Nodemailer / SMTP | Email delivery (alternative) | EU / depends on relay | SCC where applicable | No |
| PostHog | Product analytics | EU (Frankfurt data residency) | Intra-EEA | No |
| Sentry | Error monitoring | USA / EU | DPF + SCC | No |
| Cloudflare, Inc. | Hosting, CDN, R2 storage, Workers | USA / EU | DPF + SCC | No |
| Amazon Web Services (S3) | Backups | USA / EU | DPF + SCC | No |
| Hetzner Online GmbH (self-hosted PostgreSQL) | Primary database | Germany (EU) | Intra-EEA | No |
| Neon | Alternative database | USA / EU | DPF + SCC | No |
| PlanetScale | Alternative database | USA / EU | DPF + SCC | No |
| pg-boss | Job queue (within PostgreSQL) | Germany (EU) | Intra-EEA | No |
9.4. International Transfers (Inbound and Outbound)
Because we serve Customers and End-Users worldwide, personal data may be transferred in both directions - into the European Economic Area (for example, where a non-EU Customer's audience data is processed on our EU infrastructure) and out of the European Economic Area (for example, to our sub-processors). Where we transfer personal data outside the European Economic Area (including to the United States), we rely on the EU-US Data Privacy Framework for certified recipients, with an automatic fallback to the Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 where the recipient is not (or ceases to be) DPF-certified, in each case supported by a Transfer Impact Assessment (TIA) and supplemented by technical measures (encryption in transit via TLS 1.3 and at rest via AES-256, pseudonymization, and data minimization), contractual measures, and organizational measures. You may request a copy of the relevant SCCs and supplementary measures by contacting office@setor.ai; certain commercial terms may be redacted.
9.5. Local-Law, Export, and Sanctions Compliance
Polish law governs this Policy and the Service, without prejudice to the mandatory local-law obligations of each Customer. As set out in Section 2.2, each Customer remains responsible for compliance with the laws applicable to its own use of the Service and to its audience, and indemnifies Setor AI accordingly. The Customer further represents and warrants that it is not a person or entity that is the subject of economic or trade sanctions administered by the European Union, the United Nations, the United States (including OFAC), or other applicable authorities, and that it will not use the Service for any purpose prohibited by applicable export-control or sanctions laws, nor make the Service available to any sanctioned person or in any embargoed territory.
10. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce our agreements, in accordance with the storage-limitation principle (Article 5(1)(e) GDPR).
| Data category | Retention period | Basis |
|---|---|---|
| Account data | Duration of contract + 30 days | Contract; then deletion/anonymization |
| Message content | Duration of contract + 180 days | Contract; earlier deletion on request |
| Access tokens (Meta) | Duration of connection; revoked on disconnection | Contract |
| Google OAuth tokens | Duration of connection + 30 days | Contract; encrypted at rest |
| AI processing inputs/outputs | Transient (not retained beyond session, save for limited abuse-prevention logging) | Contract |
| Payment and financial records | 5 years from end of financial year | Legal obligation (Accounting Act art. 74; VAT Act) |
| Product analytics and session recordings | Up to 36 months, then anonymized | Consent |
| Ad-tech / identity stitching identifiers (including hashed IP, ip_hash) | Until consent withdrawal or 36 months, then deletion or anonymization | Consent (raw IP address not stored in analytics) |
| Marketing consent records | Duration of relationship + 3 years | Demonstrating compliance |
| Support correspondence | 24 months from resolution | Legitimate interest |
| Security, geolocation, and access logs | 12 months | Legitimate interest |
| Marketing attribution (first-party) | 24 months | Legitimate interest |
| Consent records (ToS/PP acceptance) | Duration of contract + 6 years | Legal obligation; limitation period |
On expiry of the applicable retention period, personal data is permanently deleted or irreversibly anonymized within 30 days. Data subjects may request earlier deletion under Section 11.
11. Data Subject Rights
Where Setor AI acts as data controller, you have the following rights in respect of your personal data.
- Right of access (Article 15 GDPR): to obtain confirmation of processing and a copy of your data with supplementary information;
- Right to rectification (Article 16 GDPR): to have inaccurate data corrected and incomplete data completed;
- Right to erasure (Article 17 GDPR): to have your data deleted in the cases set out in the GDPR, subject to exceptions (for example, retention required by law, or for the establishment, exercise, or defence of legal claims);
- Right to restriction (Article 18 GDPR): to restrict processing in defined circumstances;
- Right to data portability (Article 20 GDPR): to receive data processed by automated means on the basis of consent or contract in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller where technically feasible;
- Right to object (Article 21(1) GDPR): to object, on grounds relating to your particular situation, to processing based on legitimate interests, including the security, anti-fraud, geolocation, and first-party attribution processing described in this Policy; we will stop unless we demonstrate compelling legitimate grounds or processing is needed for legal claims;
- Unconditional right to object to direct marketing (Article 21(2) GDPR): if you object to processing for direct marketing, including marketing profiling, we will stop immediately and permanently;
- Rights regarding automated decisions (Article 22 GDPR): as explained in Sections 6 and 12, the Service does not subject you to solely automated decisions producing legal or similarly significant effects;
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior lawfulness, using the unsubscribe link in marketing emails, the "Cookie settings" link in the website footer, the dashboard for integrations, or office@setor.ai.
How to exercise your rights. Submit a request to office@setor.ai. We may verify your identity using the least intrusive method possible. We respond within thirty (30) calendar days, extendable by up to sixty (60) days for complex or numerous requests, with notice. Responses are free of charge, save for manifestly unfounded or excessive requests. Where Setor AI processes your data as a processor on behalf of a Customer, please direct your request to the Customer (controller); we will assist the Customer as required by the DPA.
12. Automated Decision-Making and Profiling
The Service uses AI to automate aspects of message management, including response generation, conversation classification, lead scoring, sentiment analysis, and routing.
This processing does not constitute solely automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR. Setor AI does not take decisions producing legal effects or similarly significant effects concerning you by automated means alone, because any material decision is taken by a human who exercises genuine discretion over the outcome, rather than a rubber-stamp acceptance of an automated score or output. In addition: Customers retain full visibility and control through the dashboard; the Customer's human judgement is embedded in configuration and governs AI behaviour; the Service does not make binding determinations such as credit, employment, or access-to-essential-services decisions; and End-Users can request human interaction. Accordingly, we do not grant supplementary Article 22 rights beyond those required by law. The transparency and human-intervention safeguards described above and in Sections 5 and 6 apply.
13. Data Security
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:
- Encryption: TLS 1.3 in transit; AES-256 at rest for tokens, credentials, and personal data;
- Access controls: role-based access control, least privilege, multi-factor authentication for internal systems, quarterly access reviews;
- Network security: Cloudflare WAF, DDoS protection, intrusion detection and prevention, network segmentation;
- Audit logging: immutable audit logs with 12-month retention;
- Vulnerability management: static application security testing in the CI/CD pipeline and automated dependency scanning;
- People and continuity: regular security awareness training, documented incident response with tabletop exercises, RPO 24 hours and RTO 48 hours;
- Vendor diligence: pre-engagement security assessment and annual review of sub-processors.
Comprehensive measures are detailed in the DPA. No method of transmission or storage is completely secure; we use commercially reasonable efforts to protect personal data and to address vulnerabilities promptly.
14. Data Breach Notification
Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, Setor AI will notify the competent supervisory authority (Prezes UODO) without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33 GDPR). Where the breach is likely to result in a high risk, we will communicate it to affected data subjects without undue delay (Article 34 GDPR), by email or in-app notification or, where individual notice would involve disproportionate effort, by a public notice on our website.
Where Setor AI acts as processor, we will notify the affected Customer without undue delay and no later than 24 hours after becoming aware of the breach; the Customer (controller) retains decision-making authority over notifications. All breaches are documented in accordance with Article 33(5) GDPR.
15. Cookies and Tracking Technologies
We use cookies, pixels, local storage, and similar technologies in three categories: strictly necessary (session, authentication, CSRF protection, consent storage), which require no consent; analytics and session recording; and marketing and ad-tech (including the Meta Pixel and identity stitching). Non-essential technologies are loaded only after your prior, active, granular consent, with no pre-ticked boxes, in accordance with Article 5(3) of Directive 2002/58/EC and the judgment of the Court of Justice of the European Union in Case C-673/17 (Planet49). In Poland, this is governed by the Act on Electronic Communications Law (Prawo komunikacji elektronicznej, "PKE"), in particular art. 399 (prior consent for storing or accessing information on terminal equipment) and art. 400 (application of the data-protection rules), enforced by the President of the Office of Electronic Communications (UKE) together with UODO.
We provide information about the duration of cookies and any third parties that may access them, and we do not use cookie walls. You can manage your preferences at any time via the "Cookie settings" link in the website footer. Full details are set out in our Cookie Policy.
16. Children's Data
The Service is a B2B platform intended exclusively for businesses and individuals acting in a professional capacity. It is not directed to, and we do not knowingly collect personal data from, individuals under the age of sixteen (16) (Article 8(1) GDPR as implemented in Poland). If we become aware of such inadvertent collection without appropriate consent, we will promptly delete the data. Customers must not use the Service to process personal data of individuals below the applicable age threshold without legally valid parental or guardian consent.
17. EU AI Act Transparency
17.1. Framework and Timing
The EU AI Act (Regulation (EU) 2024/1689) establishes transparency obligations for AI systems that interact directly with natural persons (Article 50). The relevant transparency rules apply from 2 August 2026. Setor AI's AI-powered message automation is a limited-risk AI system under the AI Act. It is not a high-risk system under Annex III, and it does not engage in the prohibited practices listed in Article 5 (such as subliminal or manipulative techniques, exploitation of vulnerabilities, social scoring, untargeted scraping for facial-recognition databases, emotion recognition in the workplace or education, or real-time remote biometric identification).
17.2. Provider and Deployer Roles
Setor AI as provider: Setor AI satisfies the design obligation in Article 50(1) AI Act by providing the capability to disclose that the user is interacting with an AI system. The Service includes a configurable disclosure message and dashboard controls enabling that disclosure, designed so that the information can be provided to the natural person at the latest at the time of the first interaction (Article 50(5)). Setor AI does not design the Service to deceive End-Users about the nature of their interaction.
Customer as deployer: the Customer configures the AI persona, including how it presents itself, and deploys the tool toward its own audience. The Customer is responsible for actually informing End-Users that they are interacting with an AI system, and the Customer undertakes not to disable or circumvent the disclosure function and indemnifies Setor AI as set out in the Terms of Service. Where the Customer's specific use engages deployer obligations under Article 50(3) or 50(4) AI Act (emotion-recognition or biometric-categorization systems, or AI-generated or manipulated content), the Customer is responsible for the corresponding deployer disclosures.
17.3. Enforcement and Future Changes
Infringements of the transparency obligations in Article 50 may be subject to administrative fines under Article 99(4)(g) AI Act of up to EUR 15 million or 3% of total worldwide annual turnover, whichever is higher, with the lower of the two amounts applying to SMEs and start-ups under Article 99(6). The national authority competent for the AI Act in Poland is expected to be a dedicated body whose status is established by legislation currently in progress; UODO remains the supervisory authority for the GDPR. If regulatory guidance or enforcement reclassifies the Service, Setor AI will implement the required measures within the applicable deadline and update this Policy.
18. Liability and Customer Indemnification
18.1. Limitation of Liability (B2B)
In relations with Customers who are not consumers (business-to-business), and to the fullest extent permitted by law, Setor AI's aggregate liability arising out of or in connection with the Service is limited to the total fees paid by the Customer in the twelve (12) months preceding the event giving rise to the claim. Setor AI is not liable for indirect, consequential, or incidental damage, or for lost profits (lucrum cessans), which may be limited or excluded by contract in B2B relations pursuant to art. 361 par. 2 and art. 353(1) of the Polish Civil Code (Kodeks cywilny, "KC").
18.2. Consumer Protection Clause
Where the other party is a consumer, or a natural person concluding a contract directly related to their business activity which is not of a professional character for that person (art. 385(1) and art. 385(5) KC), the limitations and exclusions in Section 18.1 apply only to the extent they do not constitute prohibited contractual clauses; any clause that would not bind such a person under mandatory consumer-protection law does not apply to that person, and their statutory rights remain unaffected.
18.3. Customer Indemnification (including Local-Law and Worldwide Use)
The Customer shall indemnify and hold Setor AI harmless against any claims, damages, fines, and costs arising from: (a) the absence of a valid legal basis or consent for the Customer to contact its own audience; (b) the Customer's failure to inform End-Users that they are interacting with an AI system; (c) the Customer's breach of the Meta, Instagram, or WhatsApp platform terms; (d) any prohibited or high-risk use of the Service within the meaning of the EU AI Act; and (e) the Customer's breach of any law applicable in its own jurisdiction or in the jurisdictions of its End-Users, including local marketing and anti-spam laws (such as the U.S. TCPA and CAN-SPAM Act), consumer-protection laws, local AI-disclosure requirements, local data-protection and privacy laws (such as the CCPA/CPRA), and export-control or sanctions laws.
19. Right to Lodge a Complaint
Without prejudice to any other remedy, you have the right to lodge a complaint with a competent supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR). The supervisory authority in Poland is the President of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warszawa, Poland, uodo.gov.pl, tel. +48 22 531 03 00, kancelaria@uodo.gov.pl. We encourage you to contact us first at office@setor.ai. For business-to-business disputes, the courts competent for Setor AI's registered office are the District Court Lublin-Wschód in Lublin with its seat in Świdnik (or the materially competent Regional Court); Polish law governs.
20. Changes to This Policy and Contact
We may update this Policy to reflect changes in our practices, applicable law, regulatory guidance, or operations. The date of the most recent revision is shown in the header. For material changes that significantly affect your rights or how we process your data, we will provide at least thirty (30) calendar days' advance notice by email, in-app notification, and a notice at https://setor.ai. Where applicable law requires explicit re-consent following a material change, we will implement a re-consent mechanism and will not rely on continued use as acceptance. Price changes require explicit acceptance; continued use alone does not constitute consent to a price increase.
Contact. For any question, concern, or request relating to this Policy or our data processing, contact office@setor.ai. Postal address: SETOR AI Sp. z o.o., ul. Tomasza Zana 1, 20-601 Lublin, Poland.
This Privacy Policy has been prepared to reflect SETOR AI Sp. z o.o.'s data processing practices under the GDPR, the Polish Act on Personal Data Protection, the Act on Electronic Communications Law (PKE), and the EU AI Act. It may be subject to final review by qualified legal counsel before publication.
Data wejścia w życie / Effective date: July 1, 2026
Wersja / Version: 4.0