Privacy Policy Hishoo Simulator

Version 4.0 | Effective Date: 11.05.2026
Controller: HISHOO P.S.A., ul. ¯niwna 15A, 81–586 Gdynia
DPO/Contact: wm@hishoo.me | +48 603 380 108

§ 1. Preliminary Information and Scope

1.1. This Privacy Policy sets out the rules for the processing of personal data by HISHOO P.S.A. in connection with the use of the HISHOO Simulator.

§ 2. Controller and DPO

2.1. Controller: HISHOO P.S.A., ul. ¯niwna 15A, 81–586 Gdynia. DPO: Walery Marcinowicz – wm@hishoo.me, tel. +48 603 380 108.
2.2. With regard to data entrusted by the Client, HISHOO P.S.A. acts as a data processor – Art. 28 GDPR.

§ 3. What Data We Process

• Identification data (user e-mail, username specified by the user): Performance of a contract – Art. 6 (1) (b)
• Voice data and transcripts of training sessions: Contract + legitimate interest – Art. 6 (1) (b) and (f)
• Analytical data of training sessions: Legitimate interest – Art. 6 (1) (f)
• Gamification data (e.g. points and experience levels, rankings): Performance of a contract – Art. 6 (1) (b)
• Technical data (IP, browser, logs): Legitimate interest (security) – Art. 6 (1) (f)
• Cookies: Consent – Art. 6 (1) (a)

§ 4. Purposes of Processing

4.1. We process data in order to: (a) provide the Hishoo Simulator Service; (b) analyze training sessions and generate reports; (d) ensure the security of the Service; (e) comply with legal obligations (KNF, DORA, tax law); (f) market – only with consent.

4.2. In the event of restructuring, merger, acquisition, or sale of the Controller's assets, personal data may be transferred to a legal successor or buyer who will assume the Controller's obligations regarding their protection.

§ 5. Data Recipients and Transfer outside the EEA

• Microsoft Azure: Hosting, databases, recordings – Location: EEA
• Azure Open AI: AI Models (analysis) – Location: EEA
• AI Google Studio: AI Models (analysis) – Location: EEA / USA + SCC*
• ElevenLabs: Speech synthesis – Location: EEA / USA + SCC*

* Transfer to the USA based on SCC (EC Decision 2021/914).

§ 6. Retention Periods

6.1. Data is stored for the duration of the contract + max. 30 days.

§ 7. Data Security

7.1. In the event of a data breach, Hishoo will notify the UODO within 72h and will inform the Client and, when required, directly the individuals concerned (Art. 33–34 GDPR).

§ 8. Data Subject Rights

8.1. Requests concerning rights under Art. 15–21 GDPR (access, rectification, erasure, restriction, transfer in JSON/CSV format, objection, withdrawal of consent) should be directed to the address wm@hishoo.me with the note "GDPR – [type of request]". A response will be provided within 30 days; the Controller may request identity verification. A complaint can be lodged with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland (www.uodo.gov.pl).

§ 9. Changes to the Policy

9.1. The Policy may be changed by the Controller. The Controller makes the current version of the Policy available at www.hishoo.me.

§ 10. Final Provisions

10.1. The Policy is governed by Polish law.