TERMS OF SERVICE
FOR THE PROVISION OF RAGNAR SHIELD PLATFORM SERVICES
Working translation. The official and binding version of these Terms of Service is the version drawn up in Polish. This English version is informational only. In case of any discrepancy between this English text and the Polish original, the Polish version prevails (see § 16.7).
§ 1. Definitions
Whenever the following terms are used in these Terms of Service:
Price List — means the document setting out the current fees for the Services, constituting an annex to the Terms of Service or made available separately on the Platform.
Operational Data — means data and information provided by the Client for the purpose of performing the Services, including domains, IP addresses, network configurations, data of persons designated for OSINT analysis, application source code and descriptions of the Client's processes and activities.
Civil Code — means the Act of 23 April 1964 — the Civil Code (consolidated text: Journal of Laws of 2025, item 1071).
Client — means a natural person, legal person or organisational unit without legal personality, using the Platform on the basis of an Agreement concluded with the Operator.
Consumer — means a Client who is a natural person using the Platform for purposes not directly related to their business or professional activity, to the extent that mandatory provisions of law confer on them consumer status.
Privileged Entrepreneur — means a Client who is a natural person running a sole proprietorship, concluding an Agreement directly related to their business activity, where that activity is not of a professional nature to that person within the meaning of Article 385(5) of the Civil Code, and to whom selected consumer rights apply by virtue of mandatory provisions of law.
Account — means the Client's individual panel, created in the Platform's IT system after completion of the registration procedure, enabling the use of Platform functionality, the management of Services, the review of Reports and the making of payments.
Operator — means Ragnar Shield spółka z ograniczoną odpowiedzialnością, with its registered office in Mielec, address: ul. Wojska Polskiego 9, 39‑300 Mielec, Poland, entered in the register of entrepreneurs of the National Court Register (KRS) under number 0001210137, Tax ID (NIP): 8172223486, REGON: 543456917, email address: contact@ragnarshield.com.
Partner — means an entity cooperating with the Operator under a separate partnership agreement, authorised to use the Services through the Operator's API and to offer the Services to its end clients on the terms set out in the partnership agreement.
Platform — means the Ragnar Shield IT system operated by the Operator, accessible via the ragnarshield.com website and the Client panel, comprising in particular: modules for scanning and monitoring IT infrastructure, penetration testing, person-security assessment ("OSINT"), regulatory compliance assessment, code security scanning, the reporting panel and the notification system.
Privacy Policy — means the document setting out the rules for the processing of personal data by the Operator, available on the Platform.
Report — means the document generated by the Platform as a result of providing a Service, made available to the Client in the Client panel as an online preview and as a downloadable PDF, comprising, depending on the Service: an Executive Summary (a management-level summary with an estimate of financial risk) and a Technical Report (a full technical analysis with CVSS scores and vulnerability details).
Terms of Service — means this document together with its annexes, setting out the rules of use of the Platform by Clients and the rules for the provision of Services by the Operator.
GDPR — means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Agreement — means the agreement for the electronic provision of Services concluded between the Operator and the Client through the Platform, on the terms set out in the Terms of Service.
Service / Services — means the digital services provided by the Operator through the Platform, comprising: scanning and monitoring of IT infrastructure, penetration testing, OSINT, regulatory compliance assessment (Compliance Check), application code security scanning, and other services introduced by the Operator and described on the Platform.
Consumer Rights Act — means the Act of 30 May 2014 on consumer rights (consolidated text: Journal of Laws of 2024, item 1796).
Act on the Provision of Electronic Services — means the Act of 18 July 2002 on the provision of electronic services (consolidated text: Journal of Laws of 2024, item 1513).
User — means a Client or another natural person using the Platform via a Client's account, including the Client's employees or collaborators authorised to use the Platform on the Client's behalf.
§ 2. General provisions
The Terms of Service set out the rules and conditions of use of the Platform and the electronic provision of Services by the Operator through the Platform.
The Terms of Service constitute the terms and conditions for the electronic provision of services within the meaning of Article 8 of the Act on the Provision of Electronic Services. The Terms of Service are made available free of charge before the conclusion of the Agreement, in a manner that allows them to be obtained, reproduced and recorded.
Contact with the Operator is possible through:
email at contact@ragnarshield.com (general matters and Account support) or support@ragnarshield.com (complaints and technical support);
the contact form available at ragnarshield.com;
postal address: ul. Wojska Polskiego 9, 39‑300 Mielec, Poland.
The Operator reserves the right to conclude a separate agreement with a Client setting out individual conditions of use of the Platform. If such an agreement is concluded, its provisions take precedence over the corresponding provisions of the Terms of Service to the extent they are inconsistent.
The provisions of the Terms of Service neither exclude nor limit the rights of Clients who are Consumers under mandatory provisions of law.
The Services provided through the Platform are informational and diagnostic only. The Reports, analyses and recommendations generated by the Platform do not constitute a certified audit, a guarantee of security, or an individual advisory service replacing the analysis of a specialist. The Platform supports the assessment of security and regulatory compliance, but does not replace a formal audit, an expert opinion or legal advice.
§ 3. Technical requirements
To use the Platform, the User must have an IT system meeting at least the following technical requirements:
a device with Internet access,
a current web browser in its latest stable version, in particular Google Chrome, Mozilla Firefox, Microsoft Edge or Safari, with support for cookies and JavaScript,
an active email address.
Communication between the User and the Platform takes place via encrypted HTTPS and the TLS protocol version 1.2 or higher, provided that the technical capabilities of the User's device and software allow it.
The Platform uses the infrastructure of cloud service providers, including OVH Cloud, with the basic server infrastructure of the Platform located within the European Union. For generating Reports, analyses or selected functionalities, the Platform may use external programming interfaces of artificial-intelligence model providers, including Anthropic or OpenAI. Data transferred to such providers may be processed outside the European Economic Area ("EEA"). Detailed information on the data processors, the categories of data transferred, the location of processing and the mechanisms for transfers outside the EEA is set out in the Privacy Policy.
The User is obliged to apply adequate technical and organisational measures to protect their devices, systems, email and Account access data against loss, disclosure, interception or unauthorised third-party access.
It is prohibited to use the Platform in a way that may disrupt its proper functioning or compromise the security of the Platform, the Operator, other Users or third parties. In particular, it is prohibited to introduce into the Platform viruses, malicious software, bots, automation scripts, tools designed to bypass security measures, reverse-engineering tools or other solutions that may affect the integrity, availability or security of the Platform. It is also prohibited to test, scan, analyse vulnerabilities of, or attempt to penetrate or bypass the security of the Platform itself.
The Operator shall exercise due care to ensure proper and uninterrupted functioning of the Platform, subject to technical breaks necessary for maintenance, service, update or development work. The Operator will notify Clients of planned technical breaks at least 24 hours in advance, where the nature of the work or security considerations permit. During the MVP phase, the Operator does not guarantee availability of the Platform at a specific SLA level. An SLA level, if offered, applies only to the Enterprise package or a separate agreement and must be expressly indicated in the Price List, the order or the individual agreement. The absence of such an express provision means that availability information is indicative only and does not constitute a guaranteed Service parameter.
§ 4. Registration and Account
Use of the Platform requires the creation of an Account, unless the description of a given functionality on the Platform expressly allows its use without registration.
During registration, the Client selects the type of Account: consumer or business. The Client is obliged to choose the type of Account in accordance with the actual capacity in which they intend to use the Platform.
For a consumer Account, the Client must provide: first name and surname, email address, postal address and contact phone number, and set a password.
For a business Account, the Client must provide: the first name and surname of the person registering, a business email address, a contact phone number, the name or business name of the entity, the registered office or place-of-business address, the Tax ID (NIP), and set a password meeting the security requirements specified on the Platform.
Registering an Account requires acceptance of the Terms of Service and confirmation that the Privacy Policy has been read. For a business Account, the person registering also declares that they are authorised to act on behalf of the Client, including to set up the Account and use the Platform.
The Client warrants that all data provided during registration is true, complete, current and accurate. In the event of any change of data, the Client is obliged to update it without delay via the Account settings or to notify the Operator of the change electronically.
The Client is obliged to keep the Account access data confidential, in particular the login and password, and to protect them against access by unauthorised persons. The Client is obliged to notify the Operator without delay, and no later than within 24 hours of becoming aware of the event, of any case of unauthorised access to the Account or any reasonable suspicion of such access.
The Operator may refuse to activate an Account, restrict access to selected Platform functionalities or suspend an Account if the data provided by the Client is untrue, incomplete, out of date or raises reasonable doubts, and also if required by law, security considerations, the need to prevent abuse, or the need to protect the rights or interests of the Operator, other Clients, Users or third parties. In the event of refusal to activate an Account, restriction of access or suspension of an Account, the Operator shall inform the Client of the reason for the decision, unless this is prevented by law, a decision of a competent authority or security considerations.
Sharing Account access data with third parties is prohibited, with the proviso that a Client using a business Account may authorise its employees or collaborators to use the Platform on its behalf. The Client is liable for the actions and omissions of such persons made through the Account as for its own actions and omissions, unless mandatory provisions of law provide otherwise.
After logging into the Account, the Client gains access to the Client panel, which may include in particular: a dashboard with an overview of security status, a list of Reports with online preview and PDF download, scan history, subscription management, alert configuration, billing data, invoice history and Account settings. The scope of functionalities available in the Client panel may depend, among other things, on the type of Account, the selected package and the Services ordered.
§ 5. Scope of Services
The Operator provides the following Services through the Platform:
automated scanning and security monitoring of the Client's digital infrastructure, including in particular: websites, web applications, network configurations, cloud services and mail servers. The Client provides the domain or IP addresses to be scanned. Scanning is performed from the outside (black-box model — without knowledge of internal configuration, or grey-box — with partial knowledge of the environment), without the need to install software on the Client's side. The Service is available in a one-off mode — a single scan, or in a continuous mode — monitoring with automated alerts and recurring reports.
tests simulating attack scenarios against the Client's infrastructure, available in two variants:
automated, performed using automated tools;
manual, performed at the Operator's commission, as a premium service.
Penetration tests may require access to the Client's infrastructure and the installation of agents or software on the Client's resources. The output is a Report describing the identified attack vectors, a risk assessment and recommendations. The scope of the tests covers only the resources, methods, level of intrusiveness, time frames and environment indicated by the Client in the order form or in a separate scope document. The Operator is neither obliged nor authorised to conduct tests outside the scope so defined. A condition for starting penetration testing is the Client's prior acceptance of the "Penetration Testing Scope and Authorisation" document or an equivalent scope form, specifying at least: the resources to be tested (IP addresses, domains, applications), the environment (test or production), the permissible testing techniques and level of intrusiveness, the testing window, contact persons, the emergency test-suspension procedure and any exclusions. The Operator does not begin penetration testing until such authorisation has been obtained. The Client acknowledges that automated or manual penetration tests, by their nature, may cause disruption to the systems tested, temporary service unavailability, infrastructure load, application errors or data integrity issues. The Client should ensure that up-to-date backups are in place, designate an appropriate testing window and consider performing the tests in a test environment rather than in production. The Operator is entitled to immediately interrupt or limit the tests if their continuation could, in the Operator's reasonable judgement, cause material disruption to system operation, data loss, breach of third-party security, or exceed the agreed scope of testing.
assessment of the visibility of designated persons on the Internet, including in the so-called dark web, and their exposure to threats such as blackmail, phishing or social engineering. The analysis is based exclusively on publicly available data and data obtained from external OSINT data providers. The Client designates the persons to be assessed and declares that it has a legal basis for commissioning such an analysis. The output is a person-exposure Report with an assessment of the threat level and recommendations. The Operator uses only providers that declare the lawfulness of the data sources and the compliance of processing with applicable law. The Operator does not, however, guarantee the completeness, currency or accuracy of the source data. The Operator does not remove data disclosed on the Internet or in external databases, and the OSINT Report is informational and preventive in nature.
evaluation of the Client's compliance with selected regulations, e.g. NIS2, DORA, GDPR, EU AI Act. The Operator analyses the description of the Client's activity and processes, compares them against regulatory requirements and generates a Report with an assessment of compliance and a regulatory gap analysis. The assessment does not constitute an audit within the meaning of the law.
automated security analysis of the source code of the Client's applications, covering identification of vulnerabilities, configuration errors and non-compliance with security best practices.
The Operator may make available a free mini security report of an indicative nature, prepared exclusively on the basis of publicly available data. Before commissioning the mini-report, the User declares that they are authorised to commission analysis of the indicated domain or are acting with the consent of an authorised entity. The mini-report does not constitute a full Service within the meaning of the Terms of Service and does not give rise to an obligation to provide further Services.
The Operator reserves the right to expand the catalogue of Services. The Operator will notify Clients of the introduction of new Services via the Platform.
The following principles apply to all Services:
The Services are performed in a manner that is as minimally intrusive as possible to the Client's infrastructure; however, due to the nature of automated tools, disruptions resulting from algorithm errors or the specifics of the Client's environment cannot be ruled out;
The Operator is not liable for decisions taken or omitted by the Client on the basis of the Reports;
the results of analyses may contain false positives (incorrect indications of a threat that does not exist) and false negatives (failures to detect an existing threat), and the Operator does not guarantee detection of 100% of vulnerabilities;
the analyses rely on publicly available databases (including CVE), and where such databases contain erroneous data, the Operator is not liable for resulting inaccuracies in the Reports.
Each Service generates a Report in at least two versions: an Executive Summary (a management-level summary in business language, with an estimate of financial risk based on the algorithmic Business Impact Engine model, the values of which are indicative only and do not reflect the actual scale of risk) and a Technical Report (a full technical analysis with CVSS scores and vulnerability details). For the OSINT service an additional person-exposure Report is generated. Reports are available in the Client panel and as PDF downloads. Reports may be generated or supported by artificial-intelligence systems, including language models (LLMs), RAG mechanisms and the Business Impact Engine module. The content of the Reports requires verification by the Client or a designated specialist and should not be treated as a stand-alone basis for legal, financial, HR, compliance or investment decisions.
The Operator diagnoses and reports threats but does not itself remediate vulnerabilities detected in the Client's infrastructure or code. The Services are diagnostic in nature only.
§ 6. Client obligations and representations
The Client is obliged to use the Platform in accordance with the provisions of the Terms of Service, generally applicable law and good practice.
The Client is in particular obliged to:
provide true, current and complete data in all forms available on the Platform;
keep Account access data confidential and notify the Operator without delay of any case or suspicion of unauthorised access to the Account;
inform the Operator of any changes to the data provided during registration;
provide the Operational Data necessary to perform the ordered Service in a complete and reliable manner.
When commissioning a scanning Service, penetration test or any other Service requiring access to IT resources, the Client represents and warrants that:
it has the right to subject the indicated resources (domains, IP addresses, infrastructure, source code) to the analysis and tests within the scope of the ordered Service;
it has all required consents and authorisations, including those of resource owners or administrators, where such resources are not the Client's exclusive property;
the scope of the commissioned tests does not infringe the rights of third parties or generally applicable law.
When commissioning the OSINT Service, the Client represents and warrants that it has a legal basis for commissioning the analysis of the designated persons, in particular the appropriate consent of those persons or another legal basis for processing their personal data. The Client bears sole responsibility for the lack of such a legal basis. The Operator does not verify the legal basis for the order and bears no liability if the Client lacks one. The OSINT Service may be commissioned only in respect of persons for whom the Client has a valid, specific, documented and adequate legal basis for carrying out the analysis, in particular persons within the Client's organisational structure (employees, collaborators, members of governing bodies), where the analysis is necessary and proportionate from the standpoint of the organisation's security. The Client is not entitled to commission the OSINT Service in respect of private individuals, persons in personal relationships with the Client, competitors, journalists, whistleblowers, public figures, or other persons where the purpose of the analysis would be to circumvent the law, obtain information for personal, retaliatory, discriminatory, debt-collection, political, investigative or other purposes inconsistent with the intended use of the Platform. The Client is obliged to fulfil GDPR information obligations towards such persons, unless a legally permissible exception applies. When placing an order for the OSINT Service, the Client is obliged to provide a declaration that it has a valid, documented and GDPR-compliant legal basis to commission OSINT analysis of the designated person, that it has fulfilled information obligations towards that person (unless an exception applies), and that it accepts liability for the compliance of the order with applicable law. The Client is obliged to use the OSINT Report exclusively for purposes consistent with the intended use of the Platform, i.e. for the purposes of organisational security assessment. It is forbidden to use the OSINT Report as a stand-alone or sole basis for decisions on hiring, promotion, dismissal, employee evaluation, disciplinary proceedings, discrimination, retaliatory or debt-collection actions.
The Operator may refuse to perform the OSINT Service if it has reasonable doubts as to the lawfulness of the order, the scope of the analysis or the legal basis for processing the data of the person designated for analysis.
When commissioning the application code security scanning Service, the Client declares that it holds the rights to the source code provided. The Client acknowledges that source code may contain personal data, passwords, API keys or other confidential information. The Operator processes the code provided exclusively for the purpose of performing the Service and deletes it after the Report is delivered.
The Client is prohibited from:
delivering, via the Platform, content of an unlawful nature;
using the Platform for purposes inconsistent with its intended use or with generally applicable law;
commissioning scanning, testing or penetration of resources for which the Client does not hold authorisations;
attempting to test, scan or penetrate the Platform itself.
The Client bears full responsibility for the content and data entered onto the Platform, including their compliance with the law and the Terms of Service, as well as for the actions of persons using the Platform through its Account.
The Operator is entitled to verify whether the Client is authorised to commission scanning, testing or analysis of the indicated resources, in particular by requesting confirmation of control over the domain, an email address in the Client's domain, a DNS entry, a document confirming authorisation, a declaration from the resource administrator or another equivalent means of verification. Pending completion of verification, the Operator may withhold the start of the Service, refuse to perform it or limit its scope. The Operator may also refuse to perform a Service where it has reasonable doubts as to the Client's right to commission scanning, testing or analysis of the indicated resources.
§ 7. Liability of the Operator
The Operator is responsible for providing the Services in accordance with generally applicable law and the Terms of Service.
Subject to mandatory provisions of law, including provisions on the protection of Consumers and Privileged Entrepreneurs, the Operator is not liable for:
decisions taken or omitted by the Client on the basis of Reports or other Service results;
false positives and false negatives contained in the Reports, including failure to detect vulnerabilities;
the effects of using the Platform inconsistently with its intended use or with the provisions of the Terms of Service;
disruptions to the operation of the Client's scanned or tested systems, arising from the nature of automated tools or the specifics of the Client's environment;
the User losing access to the Account as a result of disclosure of access data to third parties or failure to apply adequate protective measures;
interruptions to the operation of the Platform resulting from force majeure, unlawful third-party actions or failures of external infrastructure;
erroneous or out-of-date data contained in external databases (including CVE) on which the analyses rely;
financial risk estimates generated by the Business Impact Engine module, which are indicative only and do not reflect the actual scale of risk.
The Operator's liability for damages to the Client for non-performance or improper performance of the Services is limited to the amount paid by the Client for the given Service or for the current subscription period, whichever is greater, unless the damage was caused intentionally or as a result of gross negligence, or where such a limitation would be inadmissible under mandatory provisions of law.
The Operator is not liable for indirect damages, lost profits, loss of data or business interruption suffered by the Client. This limitation does not apply to Consumers and Privileged Entrepreneurs to the extent it would conflict with mandatory provisions of law.
Estimated Service delivery times (in particular: up to 24 hours for a one-off scan, 24–48 hours for OSINT and Compliance Check, 48–72 hours for automated penetration tests) are indicative and do not constitute a contractual SLA-type obligation, unless a separate agreement with the Client provides otherwise.
§ 8. Special provisions concerning Consumers
The provisions of this paragraph apply to Clients who are Consumers. They apply correspondingly to Privileged Entrepreneurs, to the extent arising from mandatory provisions of law, in particular as regards prohibited clauses (Article 385(5) of the Civil Code), the right to withdraw from a distance Agreement (Article 38a of the Consumer Rights Act), and rights under warranty and non-conformity of the Service with the Agreement.
A Consumer has the right to withdraw from the Agreement within 14 days of its conclusion, without giving any reason and without incurring any costs, subject to paragraph 3.
The right of withdrawal does not apply to Services that have been fully performed with the express consent of the Consumer, who was informed before the performance began that, after performance is rendered by the Operator, they will lose the right of withdrawal from the Agreement. In the case of Services whose performance begins before the expiry of the withdrawal period, performance is started only after all of the following conditions have been met:
the Consumer has made an express request for performance to begin before the expiry of the withdrawal period;
the Consumer has confirmed that they acknowledge that, after the Operator has fully performed the Service, they will lose the right to withdraw from the Agreement; and
receipt of this information has been confirmed on a durable medium.
Where performance of a Service begins before the expiry of the withdrawal period with the Consumer's express consent, the Consumer is obliged to pay for the performance rendered up to the moment of withdrawal in proportion to the scope of the performance rendered, taking into account the agreed price.
The Operator records and confirms the granting of this consent on a durable medium, e.g. by email. In the event of effective withdrawal from the Agreement, the Operator shall refund all payments received from the Consumer without undue delay and no later than within 14 days of receipt of the declaration of withdrawal, using the same means of payment used by the Consumer, unless the Consumer has expressly agreed to another method of refund that does not entail any costs.
The Consumer has the right to out-of-court dispute resolution with the Operator, in particular:
before the district (municipal) consumer ombudsman or a social organisation whose statutory tasks include consumer protection;
through ADR entities on the list maintained by the Office of Competition and Consumer Protection, available at uokik.gov.pl;
before the Trade Inspection (Inspekcja Handlowa).
Any provisions of the Terms of Service that would limit a Consumer's rights under mandatory provisions of law do not apply and are replaced by the corresponding generally applicable provisions.
§ 9. Personal data protection
The controller of the personal data of Clients and Users is the Operator. The Operator processes personal data in accordance with the GDPR and generally applicable law, on the terms set out in detail in the Privacy Policy.
To the extent that the Client provides the Operator with personal data of third parties, in particular employees, collaborators, members of governing bodies, end clients or other persons covered by the analysis, for the performance of the Services, the Client acts as the controller of such data and the Operator processes such data as a processor within the meaning of Article 28 GDPR, exclusively on the documented instructions of the Client, in the scope and for the purpose necessary to perform the Services.
The Operator does not use the Client's Operational Data, the content of the Reports or the personal data of Clients to train or fine-tune its own artificial-intelligence models or those of external providers, unless the Client has given separate, express consent or the data has previously been anonymised.
The Operator may use anonymised and aggregated statistical data on the use of the Platform for analytical, development and statistical purposes, provided that such data does not allow identification of the Client, the User or the data subjects.
§ 10. Intellectual property
All components of the Platform, including the Ragnar Shield name and logo, the user interface, the software source code, databases, algorithms, analytical models, scanning engines and the Business Impact Engine, are protected by law and constitute the intellectual property of the Operator or of entities from which the Operator has obtained the relevant licences.
None of the provisions of the Terms of Service, nor the use of the Platform, results in the transfer of any of the Operator's intellectual property rights to the Client. All forms of use of the Operator's intellectual property, in particular copying, modifying or distributing the Platform's software, are prohibited.
The Operator retains rights to the methodology, templates, Report structure, analytical models, algorithms, databases, designations, know-how and tools used to generate the Reports. Data, information and materials provided by the Client remain the property of the Client. Upon delivery of a Report, the Operator grants the Client a non-exclusive, non-transferable licence to use the Report for the Client's internal needs, including management, technical, compliance, insurance, audit and legal purposes, without time limits. The Client may share the Report with its employees, collaborators, advisors, auditors, insurers and entities within its capital group.
Source code, data and other materials provided by the Client for the purposes of performing the Services remain the property of the Client. The Client grants the Operator a royalty-free licence to process them solely to the extent necessary to provide the Services.
The Operator may use the Client's name or logo in reference materials, portfolio or marketing communications only after obtaining the Client's prior, documented consent.
§ 11. Payment terms
The detailed price list of Services constitutes a separate annex to the Terms of Service or is made available on the Platform. Prices for Clients who are not Consumers may be presented as net prices increased by VAT at the rate in force on the day the invoice is issued. Prices presented to Consumers are gross prices and include the applicable VAT.
Payments are processed via the payment processors Stripe and Przelewy24. Available payment methods include: payment card, online transfer and BLIK. The settlement currency is the Polish zloty.
Subscriptions renew automatically each month. The Client may cancel a subscription at any time from the Client panel, with effect at the end of the current billing period. Cancellation of a subscription does not entitle the Client to a refund of the fee for the current billing period.
One-off Services are payable in advance at the time the order is placed. The agreement for a one-off service is deemed performed at the moment the Report is made available in the Client panel.
VAT invoices are issued automatically and made available in the Client panel. The day of payment is deemed to be the day on which funds are credited to the Operator's account or the transaction is confirmed by the payment processor.
The Operator reserves the right to change the Price List subject to a 30-day notice period, informing the Client by email. If the Client does not accept the change to the Price List, the Client may terminate the Agreement before the day the new Price List takes effect.
If a payment for the next billing period cannot be processed, the Operator will make a repeat attempt to collect the fee after 3 business days, informing the Client of the issue at the same time. If the repeat attempt is unsuccessful, the Operator is entitled to suspend access to the Platform until the arrears are settled.
The Operator may offer promotional codes, bundled packages and discounts, including codes providing free access to the Services during the MVP validation period. The terms of use of promotional codes are defined each time they are issued.
§ 12. Conclusion and termination of the Agreement
The Agreement for the provision of Services is concluded electronically through:
registration of an Account on the Platform;
placing an order for a Service via the shopping cart;
completing the form of data specific to the given Service;
making the online payment.
The Agreement is concluded at the moment payment is confirmed.
The Client has the right to delete its Account at any time, without giving any reason, via the appropriate option in Account settings or by contacting the Operator at contact@ragnarshield.com. Deletion of the Account is equivalent to termination of the Agreement with effect at the end of the current billing period, and the Client retains access to the Account until the end of that period.
The Operator is entitled to suspend the provision of Services or terminate the Agreement with immediate effect in the following cases:
the Client's breach of the Terms of Service, in particular the provisions of § 6;
use of the Platform for purposes inconsistent with the law;
provision of untrue data;
commissioning scanning or testing of resources for which the Client does not hold authorisations;
attempting to test, scan or penetrate the Platform itself;
abuse of the Services in a manner inconsistent with their intended use;
failure to pay due fees despite the lapse of 14 days from the due date.
The Operator shall notify the Client of suspension of Service provision or termination of the Agreement without delay, by electronic means, indicating the reason for the decision.
After termination or expiry of the Agreement:
the Client loses access to the Client panel and the Reports;
the Client has the right to export their data and Reports within 14 days from the date of termination or expiry of the Agreement;
after the period for exporting data has lapsed, the Operator deletes or anonymises the Client's data, subject to data whose further retention is required by law or necessary for the establishment, exercise or defence of claims.
§ 13. Complaints procedure
The Client may submit a complaint concerning non-conformity of the Service with the Agreement, the Terms of Service, the Service description or the features presented to the Client before conclusion of the Agreement, as well as the manner of provision of the Services by the Operator, via:
email to: support@ragnarshield.com;
the contact form available on the Platform.
A complaint should contain at least:
the Client's first name and surname or business name;
the email address associated with the Account;
the order number to which the complaint relates;
a detailed description of the non-conformity or problem identified, with the date of its occurrence;
the Client's demand.
Complaints submitted by Consumers: the Operator examines the complaint and replies within 14 days of receipt. Lack of a reply within this period means the complaint is deemed accepted.
Complaints submitted by Clients who are not Consumers: the Operator examines the complaint within 14 business days of receipt or of supplementation, if the Operator has requested supplementation. For particularly complex complaints, this period may be extended to 30 days, of which the Operator informs the Client before the expiry of the original period.
The Operator may ask the Client to supplement the complaint with additional information necessary to process it. The running of the complaint period for Clients who are not Consumers is suspended until the complaint is supplemented.
If the complaint is upheld, the Operator takes action to bring the Service into conformity with the Terms of Service within a reasonable time and without undue inconvenience to the Client.
For Clients who are Consumers, the complaints procedure does not limit or exclude rights arising from mandatory provisions of law, in particular the right to demand that the Service be brought into conformity with the Agreement, a price reduction or withdrawal from the Agreement.
§ 14. Partner programme
The Operator runs a partner programme enabling Partners to use the Services through the Operator's API and to offer the Services to the Partner's end clients, including under a white-label model.
Cooperation with Partners requires conclusion of a separate partnership agreement governing, in particular, the scope of access to the API and the SLA terms.
An individual price list and terms of cooperation are agreed for each Partner.
The Partner is liable towards the Operator for the actions and omissions of its end clients using the Services under the partnership agreement, to the extent set out in that agreement.
The Terms of Service do not regulate the detailed terms of cooperation with Partners, which are set out in a separate partnership agreement.
§ 15. Changes to the Terms of Service
The Operator reserves the right to amend the Terms of Service, in particular in the following cases:
changes in generally applicable law affecting the Services;
changes to the business or technical model of the Platform requiring an update of the rules of use of the Services;
issuance of a court judgment, administrative decision or position of a regulatory authority requiring amendment of the Terms of Service;
the need to remove inconsistencies or gaps in the Terms of Service that have come to light after their entry into force;
introduction of new Services or Platform functionalities.
The Operator informs Clients of a planned change to the Terms of Service at least 14 days before the date the changes take effect, by posting the amended Terms of Service on the Platform and sending a notification to the email address associated with the Account.
A Client who does not accept the proposed changes to the Terms of Service has the right to stop using the Platform and to delete their Account before the day the amended Terms of Service take effect. Continued use of the Platform after that date constitutes the Client's acceptance of the changes. Changes to the Terms of Service do not affect the Client's acquired rights or one-off Services ordered and performed before the changes take effect.
The provisions of the Terms of Service in force at the time of formation apply to legal relationships formed and fully performed before the date the amended Terms of Service took effect.
§ 16. Final provisions
The Terms of Service and the Agreement for the provision of Services are governed by Polish law.
Any disputes arising from these Terms of Service or the Agreement that are not resolved amicably or through the complaints procedure shall be settled by the common court having local jurisdiction over the Operator's registered office, subject to paragraph 3 of this section.
In relation to Clients who are Consumers, the mandatory provisions of law applicable by reason of the Consumer's place of residence apply, and the court competent to hear the dispute is, at the Consumer's choice, the common court having jurisdiction over the Consumer's place of residence or the court competent under general rules. Consumers are additionally entitled to use the out-of-court methods of complaint handling and pursuing claims referred to in § 8(4) of the Terms of Service.
The Client bears full responsibility for:
any content, data and documents introduced by it onto the Platform, including their compliance with the law, accuracy and timeliness;
actions and omissions performed via its Account, to the extent they result from its actions, omissions, breach of the Terms of Service, breach of law, or failure to exercise due care in protecting access data;
damage caused to the Operator or other Users as a result of breach of the Terms of Service or generally applicable law.
The Operator reserves the right to seek damages from the Client on general principles where the damage caused by the Client exceeds the value of the Operator's liability limitation set out in § 7 of the Terms of Service.
The Terms of Service take effect on 1 May 2026.
The official and binding version of these Terms of Service is the version drawn up in the Polish language. Where these Terms of Service are made available in an English version, that version is informational only.
