cayolargo.fi
Privacy Policy
At Halcyon Waters, we are deeply committed to protecting all data provided by our users. Our operations involve the collection of both personal data, which is strictly regulated under the General Data Protection Regulation (GDPR), and non-personal data.
Non-personal data refers to information that does not identify a specific individual, such as aggregated market statistics, anonymized derivatives usage patterns, general server performance metrics, or high-level browser type distributions. This Privacy Policy specifically governs the processing of personal data.
1Data Controller
The data controller of the following data subjects:
- –(1) Visitors of the www.cayolargo.fi website and related domains, dashboards, interfaces, APIs (“Platform”);
- –(2) Users who register an Account and use the Cayo Largo Platform and Services and its representatives and authorised personnel (“Users”);
- –(3) Persons who reach out to Halcyon Waters via contact forms, e-mail, chats or traditional mail;
- –(4) Persons who follow Halcyon Waters’s profiles on social media platforms.
is Halcyon Waters spółka z ograniczoną odpowiedzialnością (limited liability company) having its registered office at pl. Solny 2/3, 50-060 Wrocław, Poland, entered in the Register of Entrepreneurs of the National Court Register (KRS) kept by the District Court for Wrocław-Fabryczna in Wrocław, 6th Commercial Division of the National Court Register, under the KRS number: 0001245653, NIP (Tax ID No.): 8971973382, REGON (Statistical ID No.): 544943051, share capital: 5 000,00 PLN (“Halcyon Waters”, “we”, “us”, “our”).
You can contact Halcyon Waters with all questions relating to your privacy at: privacy [at] halcyonwaters [dot] com.
2When and How Do We Collect Your Personal Data
We collect your personal data from you when:
- –you browse our Platform;
- –you register an Account on the Platform and provide onboarding information;
- –you use our Services, dashboards, and APIs;
- –you contact us via e-mail, traditional mail, chats or contact forms;
- –we perform verification procedures (i.e. KYC, sanctions screening) as required by law and/or our internal compliance policies;
- –you follow or interact with our professional social media channels.
We may also collect your personal data from publicly available registers, including official registers such as the National Court Register (KRS).
3Purposes and Legal Basis for Data Processing
We process your personal data for the following purposes:
(1) Visitors of the Platform
- –ensuring the proper technical performance of the Platform based on legitimate interest (Article 6.1 (f) of the GDPR);
- –analytical (including the analysis of Platform usage statistics) and marketing purposes, based on our legitimate interest (Article 6(1)(f) of the GDPR).
Strictly necessary cookies or similar tools required for the proper and secure functioning of the Platform will be installed on your device automatically, in accordance with Article 399(3)(2) of the Act of 12 July 2024 – Electronic Communications Law (Prawo komunikacji elektronicznej). However, cookies other than those strictly necessary (e.g., analytics cookies or similar tools) will only be installed on your device subject to your consent.
Providing data collected via strictly necessary cookies or similar technologies is required for the proper functioning of our Platform. However, providing data collected through other types of cookies or similar technologies is entirely optional.
(2) Users
- –conclusion and performance of the Agreement, including in particular providing access to the Services (Article 6.1 (b) of the GDPR or Article 6.1 (f) of the GDPR in the case of representatives or authorised personnel of the Users);
- –Account management, technical support, and communication regarding service updates (Article 6.1 (b) of the GDPR);
- –invoicing, payment processing, and maintaining accounting records (Article 6.1 (c) of the GDPR);
- –protecting against legal claims and pursuing claims (Article 6.1 (f) of the GDPR);
- –responding to inquiries received via contact forms, e-mail or chats (Article 6.1 (f) of the GDPR);
- –informing you about new features, research notes, or subscription tiers (Article 6.1 (f) of the GDPR).
Providing your personal data is necessary to conclude and perform the Agreement and to comply with legal obligations.
(3) Persons who reach out to Halcyon Waters via contact forms, e-mail, chats or traditional mail
- –responding to the received inquiries (Article 6.1 (f) of the GDPR).
Providing your personal data is necessary for us to respond to your inquiries.
(4) Persons who follow Halcyon Waters’s profiles on social media platforms
- –informing you about the Services we provide and building a positive image of Halcyon Waters (Article 6.1 (f) of the GDPR);
- –responding to inquiries and comments received via social media (Article 6.1 (f) GDPR);
Providing your personal data is necessary to follow our social media profiles and respond to your inquiries and comments via these media.
4Categories of Data We Process
In case of:
(1) Visitors of the Platform
- –we process: IP address, metadata stored by cookies or similar tools (provided you have consented to such storage, with the exception of necessary cookies which do not require your consent as they are essential for the proper functioning of the Platform);
(2) Users
- –we process: full name, e-mail address, company name, login credentials (stored in hashed form), subscription tier, API keys, and logs of activity within the Platform including login timestamps, IP addresses, approximate geolocation derived from IP address, and browser/device information.
- –Where applicable and legally justified we process:
- –copies of government-issued identification documents (passport, national ID card, residence permit);
- –proof of business registration or incorporation (e.g. KRS extract, certificate of incorporation);
- –beneficial ownership declarations and supporting documentation;
- –proof of address (e.g. utility bill, bank statement, official correspondence);
- –information on politically exposed person (PEP) status;
- –results of sanctions screening and AML verification checks;
- –source of funds or source of wealth declarations, where required by applicable AML legislation.
- –API keys and authentication tokens are stored in encrypted form and are not accessible to Halcyon Waters personnel in plaintext.
(3) Persons who reach out to Halcyon Waters via contact forms, e-mail, chats or traditional mail
- –we process: name, surname, e-mail address, phone number, and any information voluntarily provided in correspondence.
(4) Persons who follow Halcyon Waters’s profiles on social media platforms
- –we process: your name or nickname, other information that is publicly available on your profile or that you voluntarily give us.
5Data Retention Period
We store your personal data for the following period of time:
(1) Visitors of the Platform
- –we store information about your IP address in our server logs for security purposes and for technical diagnostics, for a period necessary to achieve these purposes, typically not exceeding 60 days, unless a longer period is required to investigate a specific security incident.
- –we store information contained in cookie files for the period specified in section 10 (Cookies).
(2) Users
we store your Personal Data for the duration of the Agreement, and following its termination or expiration, for the limitation period for claims and the periods mandated by law, including in particular tax law and accounting regulations. Specifically, within this retention framework:
- –following the deletion of your Account, your primary profile data is deactivated immediately. However, a minimized archive of your core account data will be securely retained for a period of up to 5 years from the end of the calendar year in which the Account was deleted. This retention is strictly necessary to comply with statutory tax and accounting obligations under Polish law, as well as for the establishment, exercise, or defense of potential legal claims;
- –login logs will be stored until your Account is deleted;
- –data necessary to confirm your compliance with the confidentiality obligations arising from the Terms of Service (TOS) may be stored for a period of up to 10 years from the termination or expiry of the Agreement.
(3) Persons who reach out to Halcyon Waters via contact forms, e-mail, chats or traditional mail
- –we process your personal data for the duration of our correspondence and for a period of 3 years from the date of the last contact, unless a longer retention period is required for the establishment, exercise or defence of legal claims or to comply with a legal obligation. If you object to the processing before the expiry of this period, we will cease processing your data unless we demonstrate compelling legitimate grounds that override your interests.
(4) Persons who follow Halcyon Waters’s profiles on social media platforms
- –we process the data necessary for you to follow our social media profiles and for us to respond to your inquiries through these media for as long as you continue to follow or interact with our profiles, and we will retain your interactions such as comments or likes even after you stop following our profiles, until you revoke or delete them.
We will stop processing your personal data for marketing purposes if you withdraw your consent to receive commercial information from us or object to such processing.
6Disclosure of Your Personal Data
We may disclose your personal data to:
(1) Visitors of the Platform
- –cloud hosting and data storage provider (Amazon Web Services EMEA SARL);
- –IT services and systems providers, including analytics services and tools (Google Analytics 4 - Google Ireland Limited), that we use to operate the Platform and analyse Platform usage;
- –legal advisors and consultants servicing Halcyon Waters - to the extent such disclosure is necessary for our use of their services.
(2) Users
- –cloud hosting and data storage provider (Amazon Web Services EMEA SARL);
- –email service provider (AWS SES, Amazon Web Services EMEA SARL);
- –Payment providers (Stripe Technology Europe Limited);
- –provider of automated, real-time IP-based geolocation services ip-api.com (Artio s.r.o.);
- –IT services and systems providers that we use to operate contact form on the Platform and our mailboxes;
- –legal advisors and consultants servicing Halcyon Waters - to the extent such disclosure is necessary for our use of their services.
(3) Persons who reach out to Halcyon Waters via contact forms, e-mail, chats or traditional mail
- –cloud hosting and data storage provider (Amazon Web Services EMEA SARL);
- –email provider (AWS SES, Amazon Web Services EMEA SARL);
- –IT services and systems providers that we use to promote our Services;
- –Legal advisers and consultants servicing Halcyon Waters to the extent that disclosure is necessary to use their services.
(4) Persons who follow Halcyon Waters’s profiles on social media platforms
- –providers of IT services and systems that we use to run our Platform and analyse statistics;
- –legal advisers and consultants servicing Halcyon Waters to the extent that disclosure is necessary for the use of their services.
7International Data Transfers
Some of the third parties to whom we disclose personal data, including IT infrastructure providers, cloud hosting providers, AI model and systems providers, payment processors and analytics tools, are established outside the European Economic Area (EEA), including in the United States.
Where we transfer personal data outside the EEA, we ensure that adequate safeguards are in place, including:
- –standard contractual clauses adopted by the European Commission (Article 46.2(c) GDPR);
- –an adequacy decision by the European Commission (Article 45 GDPR), where applicable;
- –other appropriate safeguards recognised under the GDPR.
Where required, we carry out transfer impact assessments to evaluate whether the laws of the recipient country provide adequate protection for your personal data and, if necessary, implement supplementary measures.
You may obtain a copy of the applicable standard contractual clauses or information about the safeguards in place by contacting us at: privacy [at] halcyonwaters [dot] com.
8Your Rights
In relation to our processing of your personal data, you have the right to:
- –Access your data: You have the right to access the information that we have on you. If you choose to exercise this right, upon your request, we will also make sure to provide you with a copy of the data we process about you and information about how we process them. We will fulfill your request by sending you a copy electronically, unless the request expressly specifies a different method. For any subsequent access request, we may charge you with an administrative fee.
- –Rectification of data, erasure and restriction of processing: If you believe that the information we have about you is incorrect, you are welcome to contact us, so we can update it and keep your data accurate. We will automatically delete information about you after it is no longer needed for the purposes it was collected for. Nonetheless, if at any point you wish for us to delete information about you, you have the right to do so. You also have the right to obtain restriction of processing of your data.
- –Data portability: In case the processing of your personal data is based on a contract or your consent, you have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format. You can also request us to transmit such data to another controller if it is technically feasible.
- –Withdraw your consent and object to processing: If the processing of your data is based on a consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on this consent before its withdrawal. In case the processing of your data is based on our legitimate interest you have the right to object to such processing. If you receive marketing information from us, you can object at any time by clicking “Unsubscribe”.
- –Lodge a complaint to the data protection authority: If you think that your rights were not observed or that your privacy was harmed, you can always lodge a complaint to the data protection authority - the President of the Polish Personal Data Protection Office.
In order to comply with requests concerning your rights, if the information that you provide is insufficient to identify you, we will ask you to give us some additional information that we will use to verify your identity. If you fail to provide such information we may refuse to fulfil your request.
If you have a complaint about how we process your personal data, we encourage you to contact us first at privacy [at] halcyonwaters [dot] com so that we can address your concerns. You also have the right to lodge a complaint with the supervisory authority as described above.
9Profiling
If you agree on marketing cookies we may profile your data to display you ads that are relevant and engaging for you. However, our activities do not significantly affect your decisions (including buying decisions).
10Cookies
Our Platform uses cookies. Cookies are small pieces of information that are stored on your end device, typically containing the website address, date of placement, expiration date, a unique number, and additional information depending on the purpose of the file. Similar technologies (such as JavaScript-based tokens stored in browser memory) may serve comparable purposes without writing persistent files.
We use the following cookies:
Strictly necessary cookies
These cookies are required for the Platform to function. They cannot be disabled. No consent is required for strictly necessary cookies under GDPR and the Polish Act of 12 July 2024 – Electronic Communications Law.
(i) Authentication Cookies (NextAuth.js). Set when you log in to your Account. Required for session management and security.
Cookie name: authjs.session-token
- Purpose
- Stores an encrypted JSON Web Token (JWT) that identifies your authenticated session. Contains no personal data in readable form.
- Duration
- 7 days from login. Renewed on each active session.
- Type
- HTTP cookie, Secure, HttpOnly, SameSite=Lax.
- Set by
- cayolargo.fi (first party).
Cookie name: authjs.csrf-token
- Purpose
- Protects against cross-site request forgery (CSRF) attacks on authentication endpoints.
- Duration
- Session (deleted when browser closes).
- Type
- HTTP cookie, Secure, SameSite=Lax.
- Set by
- cayolargo.fi (first party).
Cookie name: authjs.callback-url
- Purpose
- Stores the URL to redirect you to after successful login.
- Duration
- Session (deleted when browser closes).
- Type
- HTTP cookie, Secure, SameSite=Lax.
- Set by
- cayolargo.fi (first party).
Note: These cookies are only set when you log in. Users who browse the site without logging in will not receive authentication cookies.
(ii) Security Cookies (Cloudflare Turnstile). Cloudflare Turnstile is a bot-detection service used on specific forms: login, registration, contact, change-password, and newsletter signup. Turnstile may set the following cookie during challenge verification:
Cookie name: cf_clearance
- Purpose
- Records that you have successfully completed a Turnstile challenge, preventing repeated challenges during the same browsing session.
- Duration
- Up to 30 minutes.
- Type
- HTTP cookie, Secure, HttpOnly.
- Set by
- Cloudflare (third party, acting as data processor).
Turnstile operates as an invisible challenge and does not require user interaction in most cases. Cloudflare processes data under their privacy policy.
Analytical cookies and similar technologies
Analytical cookies and similar technologies are used to monitor and analyze Platform traffic and user behavior. They help us understand which pages are visited most frequently, how users navigate the site, where our traffic comes from, and how the Platform performs technically. This data is used solely in an aggregate, statistical form to improve our Platform’s functionality, content, and overall User experience.
Tool name: Google Analytics 4 (GA4) in cookieless mode (with analytics_storage set to "denied")
- Purpose
- Understanding general usage patterns (Platform views, traffic sources, device types).
- Duration
- 60 days.
- Type
- Cookieless measurement requests (network pings); no analytics cookies are set when analytics storage is denied.
- Set by
- Google Analytics 4 (Google Ireland Limited). More information is available in Google’s privacy policy.
Cookie Preference Settings. You can change your cookie preferences by changing the settings on your web browser and directly from within the Platform.
Detailed information regarding this can be found on the following websites:
In connection with the use of cookies or similar technologies provided by Google Ireland Limited and Cloudflare Inc., your personal data may be transferred outside of the European Economic Area on the basis of standard contractual clauses (Article 46.2 (c) GDPR).
11Social Media
We process personal data of users who follow and interact with our profiles on LinkedIn (LinkedIn Ireland Unlimited Company), X (International Company), Telegram (Telegram Messenger Inc.). You will find detailed information on the data processing of the individual portals at the links below:
In connection with the use of the above-mentioned social media, your personal data may be transferred by these entities outside of the European Economic Area on the basis of standard contractual clauses (Article 46.2(c) GDPR). Any questions regarding the transfer of data outside the EEA should be addressed directly to these entities.
12Changes to the Policy
The provisions of the Privacy Policy are subject to improvements and changes, and the latest version will be published on the Platform each time and will be dated as of the last update.
The Privacy Policy has been published on the Platform and comes into force on 2026-06-17.