Privacy Policy — How TaxFreeResidency.com Handles Your Data

Read this first

This page explains, in plain language, what personal data TaxFreeResidency.com collects when you visit the site or engage our services, what we do with it, who else sees it, how long we keep it, and what rights you have to control any of the above. We have written it to be readable rather than to comply with a checklist — but it is also the legally operative privacy notice under the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent regimes in the jurisdictions where most of our clients live.

Tax-residency work is unusually data-sensitive. To advise you well, we need to know where you currently pay tax, what your assets look like, where your family lives, and what your citizenship picture is. We treat that information accordingly. If anything below is unclear, write to us at the address in Section 10 — a human will reply.

This policy was last revised on 26 April 2026. Material changes are noted at the bottom of the page.

Section 1 — Who we are and who is responsible

TaxFreeResidency.com is operated by Zalewski Consulting, the data controller for all personal information collected through this website and through any service engagement that follows. Our registered office is in Warsaw, Poland, and the lead supervisory authority for our data processing is the Polish data protection regulator (UODO).

Where we engage external advisors — law firms, accountants, immigration agents, property professionals — to help deliver a service you have asked for, those firms act as separate data controllers in their own right, governed by their own privacy notices. We will always tell you who they are before any data is shared and obtain your written consent for each onward transfer.

If you would like a single named contact for any privacy question, write to privacy@taxfreeresidency.com and the request will be routed to the partner responsible for data protection.

Section 2 — What personal data we collect

The data we hold falls into four categories, depending on how far through the engagement you have travelled.

2.1 Visitors to the website

If you only browse the public pages of TaxFreeResidency.com, the data we collect is limited to what your browser sends to our hosting and analytics infrastructure. That includes your IP address (truncated for analytics), the pages you view, the country your IP resolves to, your device and browser type, the referring URL, and timestamps. We use this only to understand which content is useful, detect abuse, and keep the site secure. We do not attempt to identify individual visitors from this data.

2.2 People who contact us

If you fill in a form on our contact page, email us, book a call, or write to us via WhatsApp or Telegram, we collect the information you choose to share — typically your name, email address, phone number, country of current tax residence, citizenship, and a free-text description of your situation. We will only ever collect what you volunteer; we do not buy contact data, scrape professional networks, or run reverse-lookups on enquirers.

2.3 Clients in active engagement

Once you sign an engagement letter for tax residency consulting, residency application assistance, or business relocation, the data we hold expands to whatever the work itself requires. That can include passport copies, tax returns, bank statements, source-of-funds declarations, marriage and birth certificates, criminal record checks, leases or property titles, and corporate documents for any companies you own. We collect only what each program legally requires, and we tell you up-front what each document will be used for.

2.4 Special category data

Some of the information above qualifies as “special category” data under GDPR — for example, criminal record extracts requested by a Golden Visa authority, or health certificates required by a residency program. We process this data only with your explicit consent, only for the program that requires it, and only for as long as the program file remains open.

Section 3 — How we use your data (legal bases)

GDPR requires us to identify a lawful basis for every processing activity. For TaxFreeResidency.com, those bases are:

Consent — for marketing emails, optional analytics cookies, and any onward transfer to a third-party advisor. You can withdraw consent at any time without affecting work already completed.
Performance of a contract — for everything we do once you have signed an engagement letter: holding files, communicating with authorities, instructing third-party professionals, and storing your case notes.
Legitimate interests — for non-intrusive analytics, fraud and abuse prevention, internal record-keeping, and the running of our consultancy business. We balance this against your rights, and we will not process data on this basis where your interests override ours.
Legal obligation — for anti-money-laundering (“KYC”) checks we are required to perform, tax record retention obligations under Polish law, and responses to lawful orders from regulators or courts.

For special category data, the lawful basis is your explicit consent, given at the point we ask for the document.

We do not use any of the personal data we hold for automated decision-making or profiling that produces legal effects. Your consultant is a human being and so are the partners we route you to.

We share personal data only in the four scenarios below. In every case the recipient is identified to you in advance.

Service providers we depend on to run the business — our email host, our cloud document storage provider, our CRM, our accounting software, and our calendar-booking tool. Each is bound by a written data-processing agreement that mirrors the obligations we owe you, and the data they hold is encrypted in transit and at rest. A current list is available on request.
Advisors engaged for your specific case — for example, a Cyprus law firm preparing your non-dom registration, a Portuguese accountant filing your IFICI claim, or a UAE company-formation agent setting up your free-zone entity. We share only the documents that advisor needs and only after you have authorised the introduction in writing.
Government authorities — immigration departments, tax authorities, and consular officials for the program you are applying to. The data shared is whatever the program’s published checklist requires; nothing more.
When the law requires it — for example, in response to a lawful court order, an anti-money-laundering enquiry, or a regulator’s request. We will tell you about any such request unless we are legally prohibited from doing so.

We do not sell, rent, or trade personal data to anyone, ever. We do not share data with advertising networks, data brokers, or analytics platforms beyond the privacy-preserving traffic stats described in Section 7.

Section 5 — International data transfers

Most of the work we do involves moving data across borders — that is the nature of cross-border tax residency. Where data is transferred outside the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses (SCCs), an adequacy decision (where one exists), or your explicit informed consent for that specific transfer. Countries we routinely send case files to include the United Arab Emirates, Cyprus, Malta, Portugal, Italy, Greece, Switzerland, the United Kingdom, Singapore, Panama, and Paraguay. The list grows as our jurisdictional coverage grows; the engagement letter for your specific case will name the recipients explicitly.

If you would prefer your data not be transferred outside the EEA, tell us at the start — and we will tell you in writing whether the program you are pursuing can be delivered on that constraint. Most cannot.

Section 6 — How long we keep your data

We retain personal data for the shortest period that satisfies the purpose it was collected for, the law, and the practical reality that tax authorities can audit prior years long after a residency move is complete.

Website analytics: 14 months from collection.
Unconverted enquiries: 24 months from your last contact, then deleted unless you ask us to keep them on file longer.
Active client files: for the duration of the engagement plus six years after closure, in line with Polish tax-record-retention rules and the typical statute-of-limitations window for cross-border tax assessments.
KYC documents collected for anti-money-laundering compliance: five years after the engagement closes, as required by Polish law transposing the EU AML directives.
Marketing list subscriptions: until you unsubscribe, which you can do at any time using the link in every email.

When a retention period ends, the records are securely deleted from active systems and from our backups within the next backup-rotation cycle (typically 90 days).

Section 7 — Cookies and similar technologies

The site uses a small number of cookies and equivalent storage. They fall into three groups:

Strictly necessary cookies — for session security, preference storage, and basic site function. These run without your consent because the site cannot work without them.
Analytics cookies — privacy-preserving traffic statistics that tell us which articles are read, which countries our visitors come from, and how the site performs. We use a self-hosted analytics tool that does not set tracking identifiers across sites and does not share data with advertising networks.
Marketing cookies — none, currently. If we add them in future we will request consent first via a cookie banner.

You can decline analytics cookies on first visit and change your preferences at any time using the “Cookie settings” link in the site footer. Browser-level controls (do-not-track headers, third-party cookie blocking) are also honoured.

Section 8 — How we keep your data safe

Personal data sits inside a small number of vetted systems with strict access control. Files are encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 on managed cloud storage). Access is granted only to consultants actively working on your case and is logged. Multi-factor authentication is mandatory for every staff account that touches client data. Laptops are full-disk encrypted; office paper records, where they exist, are kept in locked storage and destroyed cross-cut on retirement.

We have a written incident-response plan. If a personal data breach affects you and is likely to result in a risk to your rights, we will notify you and the supervisory authority within 72 hours of becoming aware, in line with Article 33 GDPR.

Section 9 — Your rights

Under GDPR, the UK GDPR, and equivalent regimes you have the following rights regarding the data we hold about you. To exercise any of them, write to privacy@taxfreeresidency.com and we will respond within 30 days.

Right of access — a copy of the personal data we hold and a description of how we are using it.
Right to rectification — correction of inaccurate or incomplete data.
Right to erasure — deletion of data, subject to overriding obligations such as the AML retention period in Section 6.
Right to restrict processing — to pause our use of your data while a dispute or correction is resolved.
Right to data portability — a structured, machine-readable export of the data you provided to us.
Right to object — to processing based on legitimate interests or for direct marketing.
Right to withdraw consent — for any processing based on consent, at any time and without penalty.
Right to lodge a complaint — with your national data protection authority. For EU residents that is your country’s regulator; for the UK it is the Information Commissioner’s Office.

Section 10 — Contacting us or your data protection authority

For privacy questions, data subject rights requests, or concerns about how we have handled your information, write to privacy@taxfreeresidency.com or use the form on our contact page. We aim to resolve every query directly. If you remain unsatisfied, you have the right to escalate to the Polish data protection authority (Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland) or to the supervisory authority in your own country of residence.

For broader questions about how we work — what we do, what we charge, how engagements run — see our About page, the services overview, and the FAQ. For the legal terms governing use of this site and any service engagement that follows, see our Terms of Service.

Changes to this policy

This policy will be updated whenever our processing changes materially or the law requires it. The “last updated” date at the top of the page will move forward, and significant changes will be flagged in the footer of the site for at least 30 days. If a change affects how we handle data you have already given us, we will write to you directly.

Last updated: 2026-04-26

Sources:
– EU GDPR — Regulation 2016/679
– Polish Data Protection Authority (UODO)
– European Commission — Standard Contractual Clauses
– UK ICO — Guide to the UK GDPR