Privacy Policy

Last Updated: January 1, 2026

This Privacy Policy (this “Policy”) describes how CT Tornado sp. z o.o., a company duly incorporated and existing under the laws of the Republic of Poland, with its principal place of business in Wroclaw (address: ul. Wyspa Słodowa 7, 50-266 Wroclaw, Poland; registration: District Court for Wrocław-Fabryczna in Wroclaw, company no.: 873910; EU VAT no.: PL8982262377; share capital: PLN 5,000.00; “we”) collects, uses, stores, and protects personal data in connection with the services provided through our platform (the “Platform” and “Services”, respectively), the browsing of our website at https://openmercato.com (the “Site”), as well as our sales and marketing activities relating to our own Services (including responding to inquiries, maintaining business relationships, and sending product or company updates where permitted by law).

This Policy applies to the Platform accessible at https://demo.openmercato.com and to related informational resources, including technical and feature documentation available at https://docs.openmercato.com.

It applies to the personal data of:

  • Customers (entities or individuals who enter into a direct contractual relationship with us),
  • Customer Representatives (individuals acting on behalf of a Customer),
  • Authorized Users (e.g., a Customer’s employees, contractors, or other personnel who access the Services under the Customer’s Account),
  • Site Visitors (individuals who access or browse the Site without creating an Account),
  • Prospects and Marketing Recipients (individuals who contact us, subscribe to updates, attend our events/webinars, download materials, or otherwise receive or may receive information about our Services).

This Policy does not apply to data independently processed by Customers or third parties outside the hosted Platform environment—for example, data managed in their own systems, integrations, or external applications. Customers remain solely responsible for such external processing activities.

We are committed to safeguarding your privacy in accordance with applicable data-protection laws, including the General Data Protection Regulation (the “GDPR”) and the California Consumer Privacy Act (the “CCPA”).

By continuing to use our Site, Platform, and Services, you acknowledge that you have read and understood this Policy and agree to our collection, use, and disclosure of personal data as described herein.

Capitalized terms used in this Policy, to the extent not defined herein, have the meanings assigned to them in our Terms of Service, which govern access to and use of the Platform and Services.

1. Information We Collect

We collect personal data from or about you in the following ways:

Account Registration & Management (Customers, Customer Representatives, Authorized Users)

  • Contact and Identification Details: Name, email address, login credentials, role within the Customer’s organization.
  • Usage Data: Login history, IP address, device information, browser type, and access logs.

Site Browsing (Site Visitors)

  • Technical and Usage Data: IP address, cookies or similar technologies, browser information, pages viewed, and interactions on the Site, collected for analytics and security. We may also collect information about interactions with marketing content (e.g., campaign parameters) via cookies or similar technologies, subject to applicable consent requirements.

Communications and Support (All Categories)

  • Information shared through email inquiries, contact forms, or customer-support requests.

Marketing and Sales Communications (Prospects, Customers, Customer Representatives)

  • Contact Details: name, business email, company name, job title, country, and related correspondence.
  • Lead Source Data: how you came into contact with us (e.g., website form, event/webinar registration, referral, business card, inbound inquiry).
  • Marketing Preferences: subscription status, communication preferences, and opt-out history.

Other Voluntarily Provided Data

  • Any additional information you choose to provide (e.g., job title, preferences).

2. Purposes of Processing

We process personal data for the following purposes:

  • Provision of Services—creating and managing Accounts, authenticating users, and delivering contractual obligations under demo or paid access.
  • Authorized User Access—enabling the Customer’s designated personnel to use the Platform.
  • Platform Functionality and Improvement—ensuring the Platform and Site operate properly, performing usage analytics, optimizing experience, and improving our offerings.
  • Marketing of Our Services and Relationship Management—sending information about our Services (such as product updates, releases, events, webinars, and educational materials), managing leads and business relationships, and measuring the effectiveness of our communications, in each case where permitted by applicable law and subject to your choices (including opt-out).
  • Security and Fraud Prevention—monitoring access logs, detecting unauthorized activity, and protecting system integrity.
  • Legal Compliance—meeting obligations under applicable laws or enforcing our Terms of Service.
  • Customer-Created Modules or Entities—some Platform features allow Customers to create or upload custom modules or entities that may include personal data; in such cases, Customers act as independent data controllers responsible for compliance with applicable law.
  • Tenant Isolation and Optional Sharing—each Customer’s data is logically isolated from others; cross-tenant visibility occurs only where the Customer deliberately enables data sharing or integration.

3. Legal Bases for Processing

Our processing relies on one or more of the following legal bases under the GDPR:

  • Contractual Necessity—processing to perform our obligations (e.g., account setup, service delivery).
  • Legitimate Interests—for operational needs such as improving the Services and ensuring security, provided those interests do not override your rights; and direct marketing of our own Services to business contacts and relationship management, provided such interests are not overridden by your rights.
  • Legal Obligation—compliance with laws and regulations (e.g., accounting or lawful requests).
  • Consent—for certain electronic marketing communications, cookies or tracking technologies that require it under law.
  • Demo Access Basis—for free-of-charge demo use, our legitimate interest in providing, maintaining, and improving the Platform serves as the legal basis for processing limited personal data needed to enable access.

4. Data Recipients and Transfers

(a) Internal Access. Personal data is accessed only by authorized personnel (e.g., support, finance, administration).

(b) Third-Party Service Providers. We share data with trusted vendors who are contractually bound to protect it. These providers may include cloud-infrastructure, container-orchestration, and database-hosting services, analytics platforms, support tools, payment processors, customer relationship management (CRM) systems, email delivery and marketing-automation providers, webinar/event-registration tools, consent-management platforms, and advertising or measurement partners (e.g., for campaign measurement), subject to applicable consent requirements.

(c) International Transfers. Where data is transferred outside the EEA, we apply appropriate safeguards (e.g., Standard Contractual Clauses).

(d) Processor Role and DPA. If we act as a processor (or subprocessor) on behalf of (or as subcontracted by) a Customer, such processing is governed by Section 13 of our Terms of Service, which constitutes the Data Processing Addendum (“DPA”) under Article 28 GDPR.

5. Data Retention

(a) Standard Retention Periods. We retain personal data only for as long as necessary to fulfill the purposes above or as required by law, namely:

  • Customers and Authorized Users—for the duration of the relationship plus any statutory periods.
  • Site Visitors—for the duration of the browsing session and analytics retention periods.
  • Communications Records—for a reasonable time to address inquiries or legal requirements.
  • Marketing and Sales Records—until you opt out/withdraw consent, or for as long as we maintain an active business relationship, and thereafter for a limited period consistent with our retention practices and any applicable limitation periods.

(b) Demo or Evaluation Environments. Personal data submitted to demo environments may be automatically deleted, anonymized, or rotated at short intervals (for example, every twenty-four (24) hours). Users should not rely on the persistence of any data entered for testing purposes.

(c) Deletion and Anonymization. After retention expires, data is securely deleted or anonymized.

6. Data Security

We implement commercially reasonable technical and organizational measures to safeguard personal data from unauthorized access or destruction. These include encryption (where applicable), role-based access controls, secure storage, and regular security assessments.

7. Your Rights Under GDPR

Subject to legal exceptions, you may exercise the following rights:

  • Access and Rectification—see what data we hold and correct errors.
  • Erasure and Restriction—request deletion or limited processing.
  • Portability—receive data in a structured, machine-readable format.
  • Objection—object to processing based on legitimate interests. You have an absolute right to object at any time to the processing of your personal data for direct marketing purposes; if you object, we will stop processing your data for such purposes.
  • Withdrawal of Consent—withdraw any previous consent without affecting prior lawful processing.

Authorized Users may need to coordinate such requests through their Customer organization.

8. Your Rights Under CCPA

If you are a California resident, you have the following rights:

  • Right to Know—request disclosure of categories and sources of personal information collected.
  • Right to Delete—ask us to delete personal information, subject to legal exceptions.
  • Right to Opt Out of Sale of Personal Information—if applicable, you may direct us not to sell your data.
  • Right to Non-Discrimination—you will not receive different pricing or service levels for exercising your rights.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

9. How to Exercise Your Rights and Contact Us

For requests or questions about this Policy or our data practices, contact us at:

We will respond within a reasonable time and may request identity verification where appropriate.

You may opt out of marketing communications at any time by using the unsubscribe link included in our messages (where available) or by contacting us at the email address above. Opting out of marketing does not affect service-related or administrative communications (e.g., security, billing, or contractual notices).

10. Updates to Privacy Policy

We may update this Policy from time to time to reflect changes in our practices or legal requirements. When updated, the “Last Updated” date will change, and we may notify you by email or on the Site where appropriate.