PRIVACY POLICY
Working translation. This is an English working version of the Privacy Policy. The Polish version remains the binding legal text under Polish and EU law. In case of any discrepancy, the Polish version prevails.
General information
We respect the privacy of every person using the Ragnar Shield platform (ragnarshield.com). To that end we apply appropriate technological and organisational measures designed to prevent any unauthorised interference with users' privacy.
This Privacy Policy sets out the rules for processing your personal data in connection with using the Ragnar Shield platform, including the client panel available at ragnarshield.com, as well as in connection with contacting us.
By reviewing the following content you will learn, among other things:
why we process your personal data,
for what purpose we do so,
whether providing the data is mandatory,
how long we keep the data,
to whom we may transfer your data,
what rights you are entitled to.
All activities related to the collection and processing of data are undertaken with the aim of ensuring full security and compliance with the personal data protection law in force in Poland, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR").
We also note that the Ragnar Shield platform may contain links to external websites. While you use the platform, cookies necessary for the operation of integrated functionalities (e.g. Google Analytics, Meta Pixel) may be placed on your end device. Each external provider independently sets the rules for using cookies in its own privacy policy, over which we have no control.
Personal Data Controller
The controller of your personal data is Ragnar Shield spółka z ograniczoną odpowiedzialnością, with its registered office in Mielec (39‑300 Mielec), ul. Wojska Polskiego 9, Poland, entered in the register of entrepreneurs of the National Court Register (KRS) under number 0001210137, NIP 8172223486, REGON 543456917.
In matters relating to the processing of personal data you may contact us:
by email at contact@ragnarshield.com,
by post to: ul. Wojska Polskiego 9, 39‑300 Mielec, Poland,
via the contact form available at ragnarshield.com.
Data Protection Officer
With due regard for the security and transparency of data processing, and the need for ongoing supervision, we have appointed a Data Protection Officer (DPO).
You can contact the appointed DPO by email at contact@ragnarshield.com (please add "DPO" to the subject line) or by mail to ul. Wojska Polskiego 9, 39‑300 Mielec, Poland (marked "Data Protection Officer").
Security
We take protection of your data particularly seriously and continuously develop our systems and security processes. Our platform operates in the SaaS (Software as a Service) model, and data is stored on OVH Cloud servers located within the European Economic Area (EEA). The security measures we use include in particular:
restricted access to server infrastructure and platform systems, granted only to authorised persons,
encryption of data in transit (TLS/SSL),
user authentication using strong passwords (minimum 12 characters),
separation of data between clients and access segmentation,
proactive monitoring of platform availability and security,
designing the platform with privacy by design and privacy by default in mind.
What data do we process?
In connection with the operation of the Ragnar Shield platform we process the following categories of personal data:
Registration and billing data:
first name and surname of the person registering the account,
email address (business or personal),
postal address,
contact phone number,
company name, Tax ID (NIP), company address (for business accounts),
invoicing details, order and payment history.
Operational data (inputs to services):
domains and IP addresses of the infrastructure to be scanned,
data of persons designated for OSINT analysis (first name, surname, role, email),
application source code (within the code security scanning service),
description of the organisation's activities and processes (within the regulatory compliance assessment service),
client data processed during penetration testing.
Output data:
security reports (vulnerabilities, risks, recommendations),
person-exposure reports (OSINT), which may contain special categories of data,
regulatory compliance assessments,
results of scans and penetration tests.
Technical data collected automatically:
IP address of the end device,
device and browser identifiers,
history of subpages visited within the site,
traffic source, conversions,
data collected via cookies and analytical tools (Google Analytics, Meta Pixel).
You provide the above data to us directly (e.g. by completing the registration form or placing a service order) or it is generated automatically while you use the platform.
Legal bases for processing
Processing personal data requires an appropriate legal basis under the GDPR. Within the Ragnar Shield platform we rely on the following bases:
consent (Art. 6(1)(a) GDPR): processing takes place on the basis of your voluntary consent for a specific purpose, e.g. receiving marketing communications or the newsletter,
performance of a contract (Art. 6(1)(b) GDPR): processing is necessary to provide the Ragnar Shield platform service, including the delivery of ordered scanning services, penetration tests, OSINT analysis, regulatory compliance assessment or code scanning,
legal obligation (Art. 6(1)(c) GDPR): processing is necessary to comply with legal obligations, in particular regarding accounting and tax records,
legitimate interest of the controller (Art. 6(1)(f) GDPR): processing is necessary to ensure platform security, detect abuse, improve services, establish or defend legal claims and conduct analytics, provided that this does not infringe your rights and freedoms,
legal claims (Art. 9(2)(f) GDPR): processing is necessary for the establishment, exercise or defence of legal claims.
Who can have access to your data?
Apart from us, the following categories of entities may obtain access to your data:
hosting service provider (OVH Cloud, servers located within the EEA),
payment processors (Stripe, Przelewy24),
providers of artificial intelligence services (LLM providers, including entities established in the United States),
external OSINT data providers,
providers of analytical and marketing tools (Google Analytics, Meta Pixel),
external contractors performing manual penetration tests on behalf of Ragnar Shield,
technology partners cooperating with us under the partner programme (API/white‑label),
other entities that we work with and that help us carry out our business.
These entities process personal data on our behalf and are required to meet high security standards. We do not store payment card data (compliance with PCI DSS is ensured by the payment processors).
In specific cases we may also be legally obliged to disclose your data, in particular pursuant to a court order, legal provisions or a decision of a competent public authority. In each such case we verify the existence of a legal basis for the disclosure and document the decisions taken.
Transfers of data to so‑called third countries
As a rule, personal data processed within the Ragnar Shield platform is stored on OVH Cloud servers located within the EEA. When using providers established outside the EEA (in particular AI service providers established in the United States), data may be transferred outside the EEA. In each such case we ensure an appropriate level of data protection.
Out of care for the security of your data, we strictly observe the data‑transfer rules arising from the GDPR and transfer data only to countries or entities ensuring an adequate level of protection confirmed by a decision of the European Commission. For transfers to the United States we use only entities certified under the EU‑US Data Privacy Framework (DPF) or rely on Standard Contractual Clauses (SCC) approved by the European Commission.
How long do we keep your data?
We retain your data only for the period necessary to achieve the purposes set out in this Privacy Policy, taking into account applicable legal provisions. In particular:
Registration and billing data is kept for the entire period of holding the account on the platform and for the period required by law for accounting and tax records (generally 5 years).
Security reports are kept for the period matching the service package you selected (3, 12 or 36 months respectively), after which they are permanently deleted.
Input data for one‑off services (domains, IP addresses, source code) is deleted after the report is delivered to the client panel.
Data of persons obtained as part of OSINT analysis is kept for the minimum period necessary to deliver the report.
After account deletion, data is retained for 30 days for the purposes of any potential claims, after which it is permanently deleted from our systems.
Is providing data mandatory?
Providing personal data is, as a rule, voluntary. However, providing first name and surname, email, postal address, phone number, and, for a business account, also company details (name, Tax ID, address), is necessary to set up an account on the platform and to place service orders. Without providing this data, using the platform will not be possible. Providing data may also be required under applicable law.
Your rights related to processing
Under data protection law you are entitled to a number of rights, the scope of which depends on the legal basis of the processing of your data.
Right of access
You have the right to obtain information on whether and how we process your personal data. As part of this right you may also request a copy of the data being processed.
Right of rectification
If the data we process is inaccurate or incomplete, you have the right to request its rectification or completion.
Right to erasure
You have the right to request erasure of your personal data (the so‑called "right to be forgotten"). This right is not absolute and applies in particular when:
we no longer need your data,
you have withdrawn the consent previously given for processing,
you have effectively objected to the processing,
the data was processed unlawfully.
We may refuse to comply with an erasure request in particular when:
we are legally obliged to continue to retain the data,
the data is necessary to establish, exercise or defend legal claims.
Right to restriction of processing
You have the right to request restriction of the processing of your data, in particular when you contest the accuracy of the data, the processing is unlawful, or we no longer need the data but you need it to establish, exercise or defend legal claims.
Right to object
In specific situations you have the right to object to the processing of your data. If the objection is justified, we will cease processing the data for the relevant purpose, unless we demonstrate the existence of important legitimate grounds for further processing that override your interests, rights and freedoms.
You have an absolute right to object to the processing of your data for direct marketing purposes. Upon such objection we will immediately cease processing the data for that purpose.
Right to data portability
You have the right to receive your personal data in a structured, commonly used, machine‑readable format (e.g. CSV) and the right to transmit such data to another controller. This right concerns data that you have provided to us, processed in an automated manner on the basis of consent or a contract.
Right to withdraw consent
If your data is processed on the basis of consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
Right to lodge a complaint with a supervisory authority
We make every effort to ensure that the processing of your data is carried out in accordance with the highest standards. If you have any questions or concerns, we encourage you to contact us. If our response turns out to be insufficient, or the way your request was handled raises reservations, you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO).
Exercising your rights
You may exercise your rights by sending the relevant request to contact@ragnarshield.com or by post to the company's registered address. We recommend submitting requests in written or electronic form, which will allow us to efficiently identify your request and provide a response as quickly as possible.
Exercising your rights is free of charge. We will make every effort to respond within one month of receiving the request. If it is necessary to extend this period, we will inform you of this without undue delay.
Cookies
The Ragnar Shield platform uses cookies, i.e. small text files saved on the user's end device. Cookies usually contain the name of the website they come from, the period for which they are stored on the end device, and a unique identifier.
Use
We use cookies for the following purposes:
providing the Ragnar Shield platform services,
making it easier to use the platform while browsing,
recognising the user upon reconnection to the platform from a device on which cookies have been saved,
creating statistics that help us better understand how users use the platform, which makes it possible to improve its structure and content,
adapting site content to individual user preferences and optimising the use of the websites,
conducting analytical and marketing activities (Google Analytics, Meta Pixel).
Types of cookies
The following types of cookies may be used on the Ragnar Shield platform:
"session" — stored on the user's end device until the website is left or the browser is closed,
"persistent" — stored on the user's end device for the period specified in the cookie parameters or until removed by the user,
"performance" — enabling the collection of information on the use of the website,
"functional" — enabling user‑selected settings to be remembered and the user interface to be personalised,
"own" — placed by ragnarshield.com,
"third‑party" — coming from external sites (e.g. Google Analytics, Meta Pixel).
Managing browser settings
Web browsers usually allow saving cookies on the end device by default. You can change these settings at any time.
A web browser allows you both to delete saved cookies and to block them automatically. Detailed information in this regard can be found in the help or documentation of the browser used.
Analytical and marketing tools
On the Ragnar Shield platform we use analytical and marketing tools provided by third parties, in particular:
Google Analytics — to analyse traffic on the site and user behaviour,
Meta Pixel (Facebook) — to measure the effectiveness of advertising campaigns and remarketing.
Via cookies and tracking pixels, these tools may collect the following data: IP address, device identifiers, history of subpages visited, traffic source and conversion information. This data may be transferred to provider servers located outside the EEA — in particular in the United States. In that case we apply the protection mechanisms described in the section on transfers to third countries.
Analytical and marketing scripts are run only after you have given consent via the cookie banner displayed on your first visit to the site.
Final provisions
We reserve the right to make changes to the Privacy Policy. We will inform you of every significant change with appropriate notice, by a message in the client panel or by email.
The Privacy Policy is effective from 1 May 2026.
