POLEGIS

Privacy and Security Policy - POLEGIS Management Support System

Effective date: 10 June 2026

This policy explains how POLEGIS Sp. z o.o. processes data in the POLEGIS application for iPhone and iPad and in the connected POLEGIS CMS/CRM service.

Controller and contact

  • Controller: POLEGIS Sp. z o.o., registered office address: Milenijna 43 / 2, 03-130 Warsaw, Poland.
  • Company identifiers: KRS 0001225297, NIP 9512641899, REGON 54404427500000.
  • Contact: biuro@polegis.pl; data protection contact: iod@polegis.pl.

Data processed by the app

  • Account identifiers, login name, e-mail address, role, session data and authentication events.
  • Mail headers, selected message content, attachments and reply/compose data when the user opens or sends mail.
  • Chat messages, group metadata, attachments, unread counters and trusted-device pairing data.
  • Notes, note sharing data, KSC survey answers, operational knowledge items, diagnostics and security logs.
  • Device metadata needed for native login, notification routing, vault status and fraud/security monitoring.

Purposes and legal basis

  • Providing the POLEGIS account, mobile workspace, mail, notes, chat, KSC surveys and support functions.
  • Securing the service, detecting suspicious logins, maintaining audit trails and sending administrative alerts.
  • Fulfilling legal, accounting and organisational obligations of POLEGIS and its authorised users.

Security and encryption

  • Communication with the backend uses HTTPS/TLS.
  • The iOS application stores access tokens and local vault metadata in iOS Keychain.
  • Secure Messaging can use end-to-end encryption and trusted-device pairing. Encrypted messages may require a paired trusted device or recovery flow before content can be read.
  • The application does not provide a standalone general-purpose encryption toolkit, VPN, anonymisation network or cryptocurrency functionality.

Encryption model and algorithms

  • Secure Messaging uses a recoverable multi-device Threema-inspired / MLS-inspired E2EE model. Live room transport, local device vault, user archive, user backup and service disaster recovery are separated. This is not an official Threema product, Threema protocol implementation or integration with Threema infrastructure.
  • Cryptographic operations in the web client use libsodium, i.e. NaCl-family cryptographic primitives. The backend stores public keys, routing metadata, device state and ciphertexts; private keys are kept in the local vault or in the user-controlled recovery backup.
  • Local vault and user backup: Argon2id13 password-based key derivation with random salt, plus XChaCha20-Poly1305-IETF authenticated encryption for confidentiality and integrity of the encrypted vault/backup payload.
  • Message, archive and pairing envelopes: libsodium crypto_box_seal sealed boxes, where the ciphertext is created for the recipient public key and can be opened only with the matching private key.
  • Keys and signatures: Ed25519 signing keys are used for detached signatures of device-related data; Curve25519/X25519 crypto_box key pairs are used for key exchange, archive keys and sealed-box envelopes.
  • Transport and device storage: HTTPS/TLS protects network communication; iOS stores tokens and local vault metadata in iOS Keychain; the web client encrypts the vault before storing it in IndexedDB.
  • Reference to the company whose secure-messaging model inspired this design: Threema.
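The "Keys and signatures" item above, as an added example that is not POLEGIS code: a client checks a detached Ed25519 signature over a device record before trusting the X25519 public key it received from the backend. The record fields, the length-prefixed encoding, the function names and the assumption that the verifier already holds the device's Ed25519 public key from pairing are all hypothetical; the example uses Node.js's built-in crypto module rather than libsodium.

```javascript
// Added example, not POLEGIS code. Record layout and names are assumptions.
const crypto = require('node:crypto');

// Raw 32-byte public key: the last 32 bytes of the SPKI DER encoding.
const rawPublicKey = (key) => key.export({ type: 'spki', format: 'der' }).subarray(-32);

// Bytes that get signed. Each field is length-prefixed so that
// ("ab", "c") and ("a", "bc") can never encode to the same message.
function encodeRecord({ userId, deviceId, boxPublicKey }) {
  const fields = [Buffer.from(userId, 'utf8'), Buffer.from(deviceId, 'utf8'), boxPublicKey];
  return Buffer.concat(fields.flatMap((field) => {
    const length = Buffer.alloc(4);
    length.writeUInt32BE(field.length);
    return [length, field];
  }));
}

// Device side: detached Ed25519 signature over the record.
function signDeviceRecord(record, signingPrivateKey) {
  return crypto.sign(null, encodeRecord(record), signingPrivateKey);
}

// Client side: trust boxPublicKey only if the signature verifies under the
// Ed25519 key the verifier already holds (assumed to come from pairing).
function verifyDeviceRecord(record, signature, knownSigningPublicKey) {
  if (!Buffer.isBuffer(record.boxPublicKey) || record.boxPublicKey.length !== 32) return false;
  if (!Buffer.isBuffer(signature) || signature.length !== 64) return false;
  return crypto.verify(null, encodeRecord(record), knownSigningPublicKey, signature);
}

// Constructed sample data: one genuine record and three altered inputs.
function demo() {
  const signing = crypto.generateKeyPairSync('ed25519');
  const box = crypto.generateKeyPairSync('x25519');
  const otherBox = crypto.generateKeyPairSync('x25519');
  const record = { userId: 'user-1', deviceId: 'ipad-1', boxPublicKey: rawPublicKey(box.publicKey) };
  const signature = signDeviceRecord(record, signing.privateKey);
  return {
    genuine: verifyDeviceRecord(record, signature, signing.publicKey),
    keyReplaced: verifyDeviceRecord({ ...record, boxPublicKey: rawPublicKey(otherBox.publicKey) }, signature, signing.publicKey),
    deviceRenamed: verifyDeviceRecord({ ...record, deviceId: 'ipad-2' }, signature, signing.publicKey),
    truncatedSignature: verifyDeviceRecord(record, signature.subarray(0, 63), signing.publicKey),
  };
}

console.log(demo());
```

Only the genuine record verifies; any change to a signed field, or a malformed signature, makes the check return false so the key is not used.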

Apple privacy information

  • Data is not used for third-party advertising tracking.
  • Data categories may include contact information, user content, identifiers, usage data and diagnostics, linked to the user for app functionality, security and account management.
  • Push notification tokens, if enabled, are used only for service notifications such as mail, chat or security notices.

Retention, recipients and rights

  • Data is retained for the period required to provide the service, preserve audit accountability and meet legal obligations.
  • Data may be processed by hosting, mail, SMS, analytics, security and Apple platform providers acting under appropriate arrangements.
  • Users may request access, rectification, deletion, restriction, objection or portability where applicable under GDPR.

Apple App Store: This page is the public privacy, security and encryption information page for the POLEGIS App Store application for iPhone and iPad.