PRIVACY POLICY

This Privacy Policy sets out the rules for the processing and protection of personal data by Ferro S.A. including data provided and obtained through the website www.ferro.pl and the e-commerce platform available on it

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we would like to inform you about the rules for the processing and use of your personal data by Ferro S.A., so-called cookies and other technologies, as well as your rights in this regard. At the same time, we assure you that we take due care to protect your privacy and the security of your personal data.

I. GENERAL PROVISIONS

1. Personal data Controller

The personal data Controller is FERRO S.A., with its registered office in Skawina, Przemysłowa Street 7, entered in the Register of Entrepreneurs of the National Court Register under KRS number: 0000289768, NIP (tax identification number): 944-20-51-648, REGON number: 356375388, which can be contacted in writing at the following address: Przemysłowa Street 7, 32-050 Skawina.

In accordance with Article 32 of the GDPR, the Controller implements appropriate technical measures, taking into account the state of knowledge, implementation cost, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, together with organizational measures ensuring a level of security appropriate to the risk.

The safeguards implemented to protect your data comply with legal requirements and ensure an adequate level of data confidentiality.

2. Data Protection Officer

The Controller has appointed a Data Protection Officer. If you have any questions regarding the processing of personal data or the exercise of your privacy rights, please contact the Data Protection Officer in person or by mail at: Przemysłowa 7 Street, 32-050 Skawina, or by email at: iod@ferro.pl

3. Definitions used in this Policy:

The Controller: personal data controller within the meaning of the GDPR, i.e. FERRO S.A., with its registered office in Skawina, at Przemysłowa 7 Street, 32-050 Skawina, entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court for Kraków – Śródmieście in Kraków, 12th Commercial Division of the National Court Register, under KRS number: 0000289768, NIP(tax identification number): 944-20-51-648, REGON number: 356375388;

Privacy Policy: this Privacy Policy;

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

Website : the website operated by the Controller at the internet address www.ferro.pl;

Platform: an e-commerce platform available on the Website, after logging into your account, dedicated to the Controller's B2B customers (the Controller’s business customers/ clients with whom the Controller has commercial contracts/ agreements), the detailed rules of operation of which are set out in the Terms and Conditions for B2B Platform;

User(s): any adult natural person visiting, staying on the Website and/or using it, its subpages or specific functionalities;

Platform User(s) : the Controller's customer/client or its employees, persons to whom the Controller's customer/client has granted access to the Platform, using the Platform after logging into their account on the Platform.

II. DETAILED INFORMATION ON THE PROCESSING OF PERSONAL DATA

1. Scope of personal data processed, purposes and legal basis for processing

The Controller processes personal data of current and potential customers and contractors of the Controller, their representatives, other staff representatives, employees, associates, as well as other natural persons in relation to the products and services provided by the Controller. The Privacy Policy also contains information on the processing of personal data by the Controller in connection with the establishment and strengthening of business relationships and the functioning of the Controller's profiles on social media. Personal data is also processed in connection with the provision of various services offered to you via the Website, including the Platform.

▻ PROCESSING OF PERSONAL DATA OF CUSTOMERS/CONTRACTORS OF THE CONTROLLER

Purposes and legal basis for processing

Depending on your relationship with the Controller, the Controller may process personal data for the following purposes and on the following grounds:

[service provision, performance of contracts and agreements] submitting offers, concluding and performing contracts (and agreements) between the Controller and the customer/contractor, service provision, execution of payments, delivery of goods, contact related to the performance of the contract. The basis for the processing of personal data is the necessity: 1) to perform a contract to which you are a party, or to take action at your request prior to entering into a contract (Article 6(1)(b) of the GDPR); or 2) if you are representatives, staff representatives, employees, associates of the customer/contractor with whom the Controller concludes/performs a contract – for purposes arising from the legitimate interests of the Controller, consisting in establishing and maintaining contact with the customer/contractor and facilitating communication and the performance of the concluded contract (Article 6(1)(f) of the GDPR). The providing of personal data is voluntary, but necessary for the proper performance of the contract; the lack of certain data may result in the inability or refusal to conclude or perform the contract.

[consideration and handling of complaints] concerning the Controller's products, fulfillment of the Controller's obligations under the warranty, claims related to contracts concluded by the Controller. The legal basis for the processing of personal data is the necessity to perform the contract (Article 6(1)(b) of the GDPR) and/or the obligation arising from legal provisions (guarantee, warranty, liability for non-compliance of goods/products with the contract) (Article 6(1)(c) of the GDPR). Providing personal data is voluntary, but it may be necessary to handle complaints, and failure to provide such data may result in the inability to handle complaints.

[fulfillment of legal obligations], in particular those arising from tax and accounting regulations, keeping accounting books and tax documentation, including issuing and receiving invoices and bills related to business activities. The legal basis for the processing of personal data is the legal obligation imposed on the Controller under generally applicable law (Article 6(1)(c) of the GDPR).

[counterparty verification, sanctions verification, payment reliability verification] , and creditworthiness assessment when granting credit limits to customers, as well as to secure payments due (guarantee agreements and other secured instruments), in particular in the case of sole traders. The legal basis for processing personal data during counterparty and payment reliability verification is a legitimate interest consisting of the ability to protect the Controller’s rights, ensure the continuous and uninterrupted conduct of business, and ensure secure business transactions (Article 6(1)(f) of the GDPR). The processing of data as part of the verification of a business partner (counterparty) and persons associated with them against national, EU, and international sanctions lists is carried out on the basis of the Controller’s legal obligations (Article 6(1)(c) of the GDPR in conjunction with: the Act of April 13, 2022, on special measures to counteract support for aggression against Ukraine and to protect national security, Council Regulation (EU) No. 833/2014 of July 31, 2014, concerning restrictive measures in view of Russia’s action destabilising the situation in Ukraine, Council Regulation (EU) No. 269/2014 of March 17, 2014, on restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine).

[protection of rights and defense against potential claims, pursuit of potential claims related to the contract] , e.g., outstanding payments in debt collection and court proceedings, complaint handling, verification of the correctness of the complaint procedure, also for internal administrative and controlling purposes and for conducting business analyses. The legal basis for the processing of personal data is a legitimate interest consisting in the possibility of defending against claims or pursuing claims, as well as ensuring the continuous and uninterrupted conduct of business, effective management of the company, and the fulfillment of internal administrative and controlling objectives (Article 6(1)(f) of the GDPR).

[conducting correspondence, establishing or maintaining business relationships] e-mail and traditional correspondence, handling requests, applications, inquiries, service management, information flow, administrative activities within the Controller capital group. The legal basis for the processing of personal data is the legitimate interest indicated above, consisting in the possibility of communicating and resolving the matter to which the correspondence or telephone contact relates, as well as establishing and maintaining relationships within the scope of business activities (Article 6(1)(f) of the GDPR).

[marketing communications, sending commercial information]

• marketing of the Controller's products and services (including profiling, analysis to determine your needs and purchasing preferences, and, consequently, preparation of a product offer that takes these preferences into account, whereby profiling does not constitute automated decision-making that produces legal effects concerning the data subject or similarly significantly affects them and is not conducted on the basis of special category data. The User has the right to object to profiling for marketing purposes), including information about the activities of the Controller and the Controller’s capital group (FERRO capital group), events organized by the Controller and the Controller’s capital group, events in which it participates, sending commercial information. The legal basis for the processing of personal data is a legitimate interest consisting in marketing products and services, establishing and maintaining relationships within the scope of business activity, conducting communication, and sending commercial information (if you have consented to receive commercial information and marketing content from the Controller through specific channels and/or a contract has been concluded between you (or the entity you represent, of which you are an employee, associate, etc.) and the Controller (Article 6(1)(f) of the GDPR). The legal basis for the processing of personal data may also be consent, if you give it, e.g. when participating in industry events, open days, training courses organized by the Controller, or in which the Controller is a partner or participant. Providing personal data for marketing purposes is voluntary.

• marketing of products and services of companies from the Controller’s capital group. The legal basis for the processing of personal data is consent (Article 6(1)(a) of the GDPR) or the legitimate interest of the Controller (Article 6(1)(f) of the GDPR).

• transfer of personal data to other companies from the Controller’s capital group for their marketing purposes. The basis for the transfer of your personal data is consent (Article 6(1)(a) of the GDPR).

• The list of companies comprising the FERRO capital group includes: Ferro S.A. based in Skawina (the Controller), Termet S.A. based in Świebodzice, Novaservis Ferro Group S.R.L. based in Cluj-Napoca, Novaservis spol. s r.o. based in Brno, Novaservis FERRO Bulgaria Ltd. based in Plovdiv, Ferro Baltics UAB based in Vilnius, Ferro Adriatica D.O.O. based in Bjelovar, Ferro Hungary Kft based in Budapest, Novaservis FERRO SK s.r.o., Senica.

[event organization] The legal basis for the processing of personal data is the legitimate interest in organizing the event, establishing and maintaining relationships during the event, including ensuring the participation of attendees (Article 6(1)(f) of the GDPR). Personal data is also processed in connection with the fulfillment of legal obligations arising from tax and accounting regulations, i.e., documenting the event for accounting purposes (Article 6(1)(c) of the GDPR).

Scope and source of personal data processed

The Controller processes personal data obtained directly from you or other employees, associates, representatives of the entity you represent or of which you are an employee, collaborator, or representative when concluding a contract with a customer/contractor and its performance or conducting business communication, as well as from entities belonging to the Controller’s capital group, or from publicly available sources, including business registers and websites.

If personal data is obtained from sources other than directly from the data subject, the Controller informs that the data may originate, in particular, from: (i) public business registers (National Court Register, Central Registration And Information On Business), (ii) publicly available websites and business portals (e.g., LinkedIn), (iii) from the Controller's contractors and business partners, (iv) from companies within the Controller’s capital group. The categories of data obtained from these sources include, in particular: first name and last name, company name, contact details (address, telephone number, email address), job title, and information about the business activity conducted.

If you are an employee, associate, or representative of a given entity, we may receive personal data from other persons in your organization, such as your first and last name, business phone number and e-mail address, place of work, position, information about the type of matters you deal with, and other data related to your function or relationship with the customer/contractor.

If you are a customer/contractor of the Controller, the following data is processed: first name(s) and last name, telephone number, e-mail address, address, job title, place of work, other data related to your function, certificates held, address to which the shipment (goods) is to be sent and/or to which the receipt (invoice) is to be issued. In the case of sole traders, additionally: the entrepreneur's company name, tax identification number, REGON number, registered office address or other data required by the law of the country of registration of the entrepreneur, alternatively Pesel number, identity document number, company bank account numbers, payer's address on the transfer. In addition, depending on the basis and purposes of processing, the Controller processes other personal data, such as:

• in the case of considering and handling complaints – the address where the product subject to complaint is located, information about the product and its defects/faults provided by you;

• in the case of entrepreneurs applying for a credit limit – personal data contained in financial documents related to the granting of a credit limit;

• when sending marketing communications, commercial information – data provided by you in the marketing form, in accordance with the scope of consents granted;

• other personal data provided to the Controller, if their processing comply with the rules set out in the GDPR.

▻ PROCESSING OF PERSONAL DATA OBTAINED THROUGH THE WEBSITE

Scope of personal data processed, purposes and legal basis for processing

[application form (complaint, warranty)] The use of the application form (complaint handling, warranty) requires the provision of personal data necessary to contact the User and consider complaints about the Controller's products, based on the warranty provided by the Controller. For this purpose, the Controller collects the data indicated in the application (warranty) form available at https://ferro.pl/serwis/reklamacje/ This includes contact details such as: first name, last name/company name, e-mail address, contact phone number, address where the product is located, information about the product and its defects/faults. Providing the data marked as mandatory is required in order to accept and handle complaints, and failure to provide it will result in the inability to handle the complaint. The legal basis for the processing of personal data is the necessity to perform the guarantee contract (Article 6 (1)(b) of the GDPR) and the obligation arising from the legal provisions regarding guarantees and warranties (Article 6 (1)(b) of the GDPR). Providing such data is voluntary, but may be necessary to handle complaints about the Controller's products. Personal data is processed for the purpose of providing services related to the warranty granted for the Controller's products, including accepting and considering complaints and fulfilling the Controller's obligations under this warranty, i.e. i) repair of the product, ii) replacement of the product with a new one, or iii) refund of the purchase price of the product – for the purpose of performing the warranty agreement (Article 6(1)(b) of the GDPR) and/or fulfilling an obligation under the law (warranty, guarantee) (Article 6(1)(c) of the GDPR).

[contact form] Using the contact form requires providing personal data necessary for communication and responding to messages sent to the Controller (first name, last name, e-mail address). The User may provide other data to facilitate contact or message handling. Providing data marked as mandatory is voluntary, but required in order to accept and handle messages, and failure to provide such data will result in the inability to handle the message. Providing other data is optional. Personal data is processed for the purpose of identifying the User, handling the User's message sent via the contact form, responding to questions asked to the Controller, and contacting the User. The legal basis for the processing of personal data is the necessity to perform a service contract (Article 6(1)(b) of the GDPR); and in the case of data that is not necessary to establish contact or handle messages, the legal basis for processing is the User's consent (Article 6(1)(a) of the GDPR). The legal basis for processing for analytical and statistical purposes is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), which consists in keeping statistics on messages and queries submitted by Users via the Website in order to improve its functionality.

[GPSR Form] The Controller provides a dedicated product safety form on the Website, allowing consumers to notify the manufacturer of accidents or safety issues they have experienced with a particular product or to file a complaint regarding a product’s safety. Providing data in the form is voluntary; however, providing the data marked as required (including contact information and details about the product and the incident) is necessary for the report to be accepted and processed. Failure to provide this information may prevent the report from being processed.

This form fulfills the manufacturer’s obligation under Article 9(11) of Regulation (EU) 2023/988 of the European Parliament and of the Council of May 10, 2023, on general product safety, amending Regulation (EU) No 1025/ 2012 and Directive (EU) 2020/1828 of the European Parliament and of the Council, and repealing Directive 2001/95/EC of the European Parliament and of the Council and Council Directive 87/357/EEC (GPSR Regulation). The legal basis for the processing of personal data is the legal obligation incumbent upon the Controller arising from generally applicable legal provisions (Article 6(1)(c) of the GDPR in conjunction with Article 9 of the GPSR Regulation). The data provided in the form will be used to process the product safety report, fulfill the manufacturer’s obligations regarding product safety monitoring, maintain an internal complaint registry, and, in the event a product is found to be hazardous, for the purposes of product recall and issuing safety warnings.

The data will be stored for the period necessary to process the report, and thereafter for the period required by law or until any potential claims become time-barred. In the internal complaint register, the Controller stores only those personal data that are necessary for the manufacturer to investigate a complaint regarding a product alleged to be dangerous. The Controller stores such data for as long as necessary to investigate the complaint and, in any case, no longer than five years after the date of their entry.

[newsletter] In order to send the newsletter, the Controller processes personal data in the form of an e-mail address and first name provided by the person during registration, as well as other data – last name, company name, address, if provided to the Controller for this purpose. Providing an e-mail address and first name is voluntary, but necessary to subscribe to the newsletter. The Controller sends a newsletter containing information about products, events, services, and activities of the Controller and the Controller’s capital group, if the User has given their consent. Consent may be withdrawn at any time without affecting the lawfulness of the processing carried out prior to its withdrawal. The User may unsubscribe from the newsletter at any time by clicking on the link contained in the newsletter or by sending a message to the following e-mail address: iod@ferro.pl . The legal basis for the processing of personal data is the User’s consent to receive newsletter (Article 6(1)(a) of the GDPR). In the case of customers who have previously purchased the Controller's products or services, the legal basis may also be the Controller's legitimate interest in direct marketing of its own products and services (Article 6 (1) (f) of the GDPR), in accordance with Article 398 of the Electronic Communications Act, you have expressed your interest in receiving information about the Controller's products, services, and activities by subscribing to the newsletter of your choice. The Controller may also process the e-mail address provided for analytical and statistical purposes - the legal basis for the processing of personal data is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), which consists in analyzing the activity of Users on the Website in order to improve the functionalities used. If we collect your first name, it is collected for the purpose of personalizing content in order to refer to newsletter recipients in a more friendly manner.

[social media] The Controller processes the personal data of Users (in accordance with their social media profiles) who visit its social media profiles (Facebook, Instagram, LinkedIn, YouTube, Pinterest). In this case, the data is processed in connection with the maintenance of profiles, including for the purpose of informing Users about the Controller's activities in relation to the Controller and Controller capital group products, for statistical and analytical purposes. The legal basis for the processing of personal data by the Controller for this purpose is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), which consists in promoting the Controller and Controller capital group brands and activities, as well as improving the quality of services provided.

[analysis, statistics, Website security, safe] The Controller processes Users' data, including IP addresses, other identifiers, and information collected through cookies for analytical and statistical purposes and administering the Website, ensuring its security and efficient operation and functionality. The legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), which consists in managing the Website, analyzing User activity and preferences in order to improve the functionalities used, the services provided by the Controller, and the content displayed to the User. In the case of cookies, the basis for data processing is the legitimate interest of the Controller, in connection with your consent to the use of cookies by the Controller on the Website. We have a legitimate interest in ensuring the quality of use of the Website and securing the efficient operation of its functionalities, which is possible thanks to the use of technical cookies. Consent is not required for cookies that are necessary for the functioning of the Website. Detailed information on cookies and other technologies can be found in section III of the Privacy Policy.

[marketing] The Controller's marketing activities, in which it processes Users' personal data, may consist of:

• sending e-mail notifications about interesting offers or content, which may also include commercial information (including newsletters);

• displaying marketing content to the User that is tailored to their preferences (contextual advertising). The basis for the processing of personal data/information about Users is the pursuit of the Controller's legitimate interest (Article 6(1)(f) of the GDPR) consisting in marketing in connection with targeting Users with contextual advertising;

• displaying marketing content to the User that corresponds to their interests (behavioral advertising). The Controller and its partners process Users' personal data, including information collected through cookies and other similar tracking technologies, for marketing purposes in connection with targeting Users with behavioral advertising (i.e., advertising that is tailored to the User's preferences). The basis for the processing of Users' personal data is the realization of the Controller's legitimate interest (Article 6(1)(f) of the GDPR) consisting in marketing in connection with targeting Users with behavioral advertising.

• conducting other activities related to the marketing of goods and services of the Controller and companies from the Controller capital group (sending commercial information by electronic means, telemarketing activities), which are described in the tab PROCESSING OF PERSONAL DATA OF CUSTOMERS/CONTRACTORS. The marketing consent form is available on the Website.

In addition, Users' data may be processed for the purpose of establishing, pursuing or defending claims related to the exercise of rights or obligations arising, for example, from a warranty, from complaints, which constitutes the Controller's legitimate interest, which is the basis for data processing (Article 6(1)(f) of the GDPR).

Scope and source of personal data processed

The Controller processes personal data provided by Users via the Website. The Controller determines on a case-by-case basis which data is necessary to provide a given service. Providing data in connection with the use of the Website is voluntary, however, failure to provide certain information, which is generally marked as mandatory on the Controller's websites, will result in the inability to perform a given service and achieve a specific goal or take specific actions.

In addition, information about User (which may be considered personal data) is collected by solutions and tools used by the Controller, i.e.:

• newsletter management system – collects IP addresses, information about your activity in relation to the content sent in the newsletter, such as opening messages, clicking on links, etc.,

• tools and solutions such as Facebook Custom Audiences, including Meta (Facebook) Pixel, Google Analytics, Google Ads, YouTube collect information about Users' activities in connection with the use of the Website, i.e., information about the web browser and operating system, viewed and transitions between subpages, time spent on the Website, age range, approximate location limited to the city, interests determined based on online activity.

***

The Controller requests that you do not provide any information belonging to special categories of personal data (e.g., information about race or ethnic origin, religious and philosophical beliefs, political opinions, information concerning physical or mental health, genetic data, etc.) via the Website. The Website is intended for use by adults, so please do not provide any data concerning minor persons/ children via the Website.

▻ PROCESSING OF PERSONAL DATA THROUGH THE PLATFORM

Purposes and legal basis for processing

[order processing, performance of sales contracts] receiving and processing orders, delivering products ordered via the Platform to client/ customers with whom the Controller has concluded commercial contracts, communication related to order fulfillment. The basis for the processing of personal data is the necessity: 1) to perform a contract with client (Article 6(1)(b) of the GDPR); or 2) if you are representatives, staff representatives, employees, or associates of a client/contractor with whom the Controller concludes/executes a contract – for purposes arising from the legitimate interests of the Controller, consisting in establishing and maintaining contact with the customer/contractor and facilitating communication and the performance of the concluded contract (Article 6(1)(f) of the GDPR). In addition, the data will be processed for the purpose of fulfilling the Controller's legal obligations resulting from the sale of products, in particular those resulting from tax and accounting regulations.

[maintaining an account on the Platform] maintaining an account, creating an account, managing access to the account, communicating with the Platform User in connection with the operation of the account. The legal basis for the processing is the necessity to perform the contract or take action prior to its conclusion (contract for the service of maintaining an account on the Platform (Article 6(1)(b) of the GDPR)).

[other] In addition, following the execution of an order placed on the Platform, the Controller may, depending on the situation, process data for the following purposes:

[consideration and handling of complaints] 

• [fulfillment of legal obligations]

• [protection of rights and defense against possible claims, enforcement of possible claims related to the contract]

• [marketing communications, sending commercial information] if the User has given their marketing consent.

Detailed information on this matter can be found in the previous sections of the Privacy Policy.

Additionally, the Platform User may use all the functionalities of the Website, and therefore the Controller may process, depending on the scope of use of the Website, their data in the manner described in the section PROCESSING OF PERSONAL DATA OBTAINED THROUGH THE WEBSITE AND COOKIES AND OTHER TECHNOLOGIES.

Source and scope of personal data processed

The Controller processes the data of customers with whom commercial contracts have been concluded – the customer's name (company name), address, first name, last name, business e-mail address, and telephone number, as well as the first name, last name, business e-mail address, and telephone number of employees and persons to whom the Controller's customer has granted access to the Platform (which have been provided to the Controller in connection with the creation of an account on the Platform). Additionally, as part of order fulfillment: the address of the delivery recipient indicated in the order and the delivery address, as well as information about orders and products.

Personal data is obtained directly from the client/customer or from persons to whom the client has granted access to the Platform.

Providing personal data is voluntary, but failure to do so makes it impossible to create and use an account on the Platform and access its functionality, including ordering via the Platform.

2. Recipients of personal data

Depending on the purpose of processing, the Controller may transfer personal data to:

• authorized employees and associates of the Controller, as well as entities (companies) and their employees belonging to the Controller's capital group;

• entities supporting the Controller in the performance of its rights and obligations, and service providers to whom the Controller outsources services related to the processing of personal data: including distributors, subcontractors, service providers, transport companies, freight forwarders, warehousing companies, IT, legal, marketing, and accounting service providers, independent consultants, and IT service providers.

• The Controller may transfer your personal data to entities such as: companies providing postal and courier services, and in the event of a violation of the Controller's rights and interests, also to entities such as: banks, debt collection companies, insurance companies, law firms, entities providing accounting services, independent advisors/external auditors.

• In the case of data obtained through the Website, these will primarily be IT service providers, hosting providers, providers responsible for the operation of IT systems, Platform, mailing systems (e.g., GetResponse sp. z o.o. – newsletter delivery, use of the mailing system, newsletter subscription), and systems used to handle complaints about the Controller's products.

• supervisory authorities, courts, and other public authorities and authorized entities, where necessary to comply with legal obligations.

3. Period of storage of personal data

The period of processing of personal data by the Controller depends on the purposes (and grounds for processing) for which they are processed, including the type of service provided through the Website, as well as the performance of obligations under the law. Personal data is processed as follows:

• in the case of personal data processing for the purpose of concluding and performing a contract – for the duration of the contract, subject to the requirements of applicable law, including regulations on the prevention of money laundering and terrorist financing;

• in the case where the basis for the processing of personal data is consent, personal data will be processed until the consent is withdrawn;

• where the legal basis for the processing of personal data is the legitimate interest of the Controller – for the duration of the Controller's legitimate interest, until an effective objection to the processing of personal data is notified, unless the purpose of the processing ceases earlier. In the case of data collected via the contact form – for the period during which the Controller maintains correspondence with the User regarding the User's message. The Controller will process personal data for the duration of the current business relationship (e.g., responding to questions, exchanging correspondence, presenting offers), and for one year after the relationship has ended. After this period, the Controller may contact the User to ask about the possibility of further processing of personal data. In the case of data collected via the application form (warranty) – for the Controller to perform activities related to the handling of complaints and completion of service activities to be carried out, and after the complaint has been considered, for a period of one year;

• in the case of personal data processing for the purpose of fulfilling obligations under the law – for the period of performing the obligations and tasks resulting from specific legal provisions – for the purpose of performing tax and accounting obligations, until the end of the financial year and for five years after its expiry, in accordance with Polish tax law;

• for the period of use of the Website, until it becomes outdated or loses its usefulness – with regard to personal data obtained through the Website, the use of cookies, data processed mainly for analytical and statistical purposes, and the administration of the Website;

• the period of storage of personal data may be extended by the period of limitation of claims, including civil, administrative, and tax claims, if the processing of personal data is necessary for the Controller to enforce any claims or defend against such claims.

4. Rights related to the processing of personal data

In situations and under the rules specified in detail in Articles 15-22 of the GDPR, you have rights regarding the protection of personal data.

[complaint to the authority] The Controller makes every effort to ensure that your personal data is protected in accordance with applicable law. However, if you consider that the processing of personal data by the Controller is unlawful, you have the right to lodge a complaint with the competent supervisory authority (i.e., in Poland, to the President of the Personal Data Protection Office).

In addition, you have the right to:

[access] obtain confirmation from the Controller whether or not your personal data is being processed and, if so, to obtain access to it (a copy of it).

[rectification]  rectify personal data that is inaccurate. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data.

[erase]  erase personal data if:

• the personal data is no longer necessary for the purposes for which it was collected or processed;

• the person has withdrawn the consent on which the processing was based and there is no other legal basis for the processing;

• the person objects to the processing and there are no other legitimate grounds for processing by the Controller, or objects to processing for marketing purposes;

• the personal data has been processed unlawfully;

• the personal data must be erased for compliance with a legal obligation in EU law or Polish law;

• the personal data has been collected in relation to the offer of information society services referred to in the GDPR.

The right to erase of personal data cannot be exercised to the extent that the Controller must continue to process such data in order to comply with a legal obligation, or if further processing is necessary to establish, pursue, or defend the Controller's claims.

[restrictions] restrictions on the processing of personal data in cases specified in the GDPR. In such cases, processing may be restricted solely to specific purposes.

[portability] portability of personal data; in certain cases, you have the right to receive your personal data processed by the Controller in a structured, commonly used, machine-readable format, and you have the right to transmit that personal data to another entity.

[objection] You have the right to object to the processing of data due to your particular situation, in the scope, the processing of data is based on a legitimate interest. In addition, you have the right to object to the processing of your personal data for direct marketing purposes, including profiling related to direct marketing.

[withdrawal of consent] withdraw your consent to the processing of personal data at any time – in the scope, that the processing is based on your consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The consequence of withdrawing consent will be the cessation of services that were provided solely on the basis of your consent.

In order to exercise any of the above rights, please contact the Controller at the address indicated in I.2. of the Privacy Policy. Additionally, you can unsubscribe from the newsletter service via the link provided in each message from the Controller containing the newsletter.

5. Profiling

The Controller does not use personal data for automated decision-making, which has legal effects on a person or similarly significantly affects a person. However, the Controller conducts profiling for marketing purposes, particularly as part of behavioral advertising. Profiling involves the automatic processing of data regarding User behavior on the Website (such as pages viewed, time spent on the Website, clicks) to analyze preferences and interests and customize the displayed marketing content. Marketing profiling does not produce any legal effects or have any similar significant impact on the data subject and is not based on special category data. The User has the right to object to profiling for marketing purposes, which can be done by contacting the Controller at the addresses indicated in point I.2 of the Privacy Policy.

6. Transfer of personal data to third countries

As general rule, the Controller does not transfer personal data of customers/contractors to third countries. The Controller will transfer personal data to a third country (outside the European Economic Area) only when necessary, and this will be done in compliance with the data protection measures provided for by law, including: i) based on a decision of the European Commission confirming an adequate level of personal data protection in the country to which the personal data will be transferred - with reference to the countries to which they have been issued, ii) on the basis of standard contractual clauses approved by the European Commission, or iii) another mechanism allowing the transfer of personal data to a third country in accordance with the law. In particular, data transfer to third countries may occur in connection with the use of the following services: Google Analytics and Google Ads (Google LLC, USA), Meta Pixel and Facebook Custom Audiences (Meta Platforms, Inc., USA), Microsoft Azure (Microsoft Corporation, USA). Currently, data transfer to the USA takes place on the basis of the European Commission's implementing decision of July 10, 2023, confirming the adequate level of protection of personal data under the EU-US Data Privacy Framework, with respect to entities certified under this program, or on the basis of standard contractual clauses approved by the European Commission.

The Controller uses the tools, services, and solutions of providers from entities outside the European Economic Area described in the Privacy Policy, which store (or may store) Users' personal data on servers located in third countries, in particular in the USA (e.g., Google, Microsoft, Meta (formerly Facebook). The providers of these tools guarantee an adequate level of personal data protection through appropriate compliance mechanisms provided for by the GDPR, in particular through the use of standard contractual clauses. Detailed information on the processing of personal data by providers of such services can be found in their privacy policies and terms and conditions, available on their websites, e.g.:

• Meta (formerly: Facebook): https://www.facebook.com/privacy/explanation

• GetResponse: https://www.getresponse.pl/informacje-prawne/polityka-prywatnosci

• Google: https://policies.google.com/privacy?hl=pl

• Microsoft: https://privacy.microsoft.com/pl-pl

III. COOKIES AND OTHER TECHNOLOGIES

1. General information

Cookies are small files (usually text files) stored on the User's end device (local computer disk, phone, tablet, etc.) while using the Website, which store settings, preferences, and information related to the User's use of the Website, such as browser type, etc.

Cookies are stored on the end device in order to ensure the proper functioning of the Website, determine the User's regionalization, analyze the usability of the Website, and for statistical purposes, e.g., to analyze the popularity of individual tabs and services. A prerequisite for the proper functioning of the Services on the Website is the correct configuration of the web browser so that it can accept cookies. The use of cookies enables the improvement of the Website for the needs of the Users visiting it.

The Controller uses Cookies (and other similar tracking technologies) for purposes which constitute the Controller's legitimate interest (Article 6(1)(f) of the GDPR), i.e. analytical and statistical purposes related to Website traffic, marketing purposes, and adapting the content of the Website to the preferences of Users. The Controller's legitimate interest consists in analyzing the activity and preferences of customers while using the Website in order to improve its functionality, as well as in marketing related to behavioral advertising targeted at Users. Data collected using Cookies technology is processed in an automated manner, which enables the assessment of certain factors relating to natural persons (e.g., analyzing the viewership of subpages, analyzing the viewership of the Website).

The Controller reserves the right to collect Users' IP addresses, which may be helpful in diagnosing technical problems with the ICT system and creating statistical analyses (e.g., determining which regions generate the most visits to the Website). Additionally, they may be useful in the administration and improvement of the Website. IP addresses are collected anonymously, which means that they are not associated with any User data. Data collected using cookies does not generally allow for the identification of the User.

2. User privacy management

Below are ways in which you can manage your privacy on the Internet:

[management via web browser] You can block cookies from being stored on your device by adjusting your web browser settings. Users can delete cookies already stored on their end device by using the appropriate functions of their web browser or other software/applications designed for this purpose. Instructions on how to delete cookies in individual web browsers can be found, among others, at the following addresses:

• Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647

• Mozilla Firefox: https://support.mozilla.org/pl/kb/ciasteczka?redirectlocale=en-US&redirectslug=Cookies

• Microsoft Edge: https://support.microsoft.com/pl-pl/windows/zarz%C4%85dzanie-plikami-cookie-w-przegl%C4%85darce-microsoft-edge-wy%C5%9Bwietlanie-zezwalanie-blokowanie-usuwanie-i-u%C5%BCywanie-168dab11-0753-043d-7c16-ede5947fc64d

• Opera: https://help.opera.com/pl/latest/web-preferences/#cookies

• Safari: https://support.apple.com/pl-pl/105082

[management from the Website]  The User may manage their choices regarding the use of cookies directly from the Website. By clicking on the so-called cookie banner (banner appearing on the Website) and the “I accept all cookies” button, the User agrees to the use of Cookies. If the User wants to manage Cookies and change the Cookie settings, please click on the “Cookie settings” button. If the User wishes to opt out of the use of cookies, please click on the “Reject all cookies (except essential ones)” button. Please note, however, that disabling cookies may result in the Website not functioning properly.

[“floating” banner/pop-up] Information about the cookies used is also displayed for convenience on a “floating” banner/pop-up at the bottom of the Website. Depending on the User's decision, cookies of specific categories (except for necessary/required cookies) can be enabled or disabled at any time, and settings can be changed.

[other] e.g., incognito mode in a web browser, additional cookie management software, Google Analytics Opt-out , Facebook Ads Settings . In addition, the User can verify the privacy settings for the browser used with the tools available at the following links: http://www.youronlinechoices.com/pl/twojewybory and http://optout.aboutads.info/?c=2&lang=EN

3. Types of used cookies

[necessary/required]  – technical cookies (Always active)

This type of cookies is necessary for the functioning of the Website and cannot be disabled in our systems. Necessary cookies are usually used in response to actions taken by the User, such as setting privacy options, saving a list to the clipboard, or filling out forms. These include files responsible for functions essential for security or enabling external functions, such as displaying a map section. You can change your browser settings to block them, but the Website will not function properly. These cookies do not store any personal data.

[analytical/statistical cookies] These cookies enable the Controller to count visits and traffic sources so that we can collect information such as the most popular subpages and see how Users navigate the Website. All information collected by these cookies is aggregated and therefore anonymous. If you block this type of cookie, we will not be able to collect information about your use of the Website and will not be able to monitor its performance.

[preference cookies]  These cookies enable the Website to provide enhanced functionality and personalization of the content displayed. They may be set by the Controller or by external providers whose services have been added to our Website. If you do not allow the use of these cookies, some or all of these services may not function properly.

[marketing cookies] These cookies may be set through the Website by our advertising partners to create a profile of the User's interests and display relevant ads on other websites. If you do not allow the use of these cookies, the ads displayed will be less tailored to your interests. They do not directly store personal data, but they may be able to identify the User's browser and internet device. Social media cookies (e.g., Meta (Facebook)) are used on the Website to enable features such as logging in, liking and sharing content, or displaying ads when you visit social media sites.

Detailed information about the cookies used on the Website, including their types, storage period, and providers, is available in the information panel displayed in the cookie banner when you first visit the Website and at any time through the cookie preference settings (“floating banner”). The use of cookies other than those that are necessary (required) is based only on the User's consent, which can be withdrawn or modified at any time by changing the settings available in the cookie banner or in the web browser.

4. Cookies and other third-party technology

The Website uses both Controller Cookies and Third Party Cookies, as well as other solutions and tools used for analytical and marketing purposes from third parties. Detailed information on third party solutions and tools can be found in the privacy policy or regulations of the respective provider. Below we present basic information in this regard.

[Google Ads] this is an advertising service provided by Google LLC, USA, which the Controller uses to run advertising campaigns, conduct remarketing, and analyze their effectiveness, including conversion tracking and the optimization of marketing activities. Google Ads also allows for the display of ads and sponsored links in Google search results and on websites partnered with Google LLC to Users who have visited the Website. When using Google Ads, the Controller does not collect data that would allow you to be identified. Information on the processing of information by Google LLC in relation to this tool can be found at: https://policies.google.com/technologies/ads?hl=pl.

[Google Analytics] is a web analytics service provided by Google LLC, USA, to analyze how User use the Website, to compile reports and statistics on the functioning of the Website. Google Analytics uses cookies stored on your computer to enable you to use the Website. Google uses the information transmitted to analyze how customers use the Website,  to create reports on activity on the Website, and to provide other services to the Controller related to the use of the Website and the Internet. In addition, Cookies will be used by Google advertising networks to display advertisements tailored to the way the User uses the Website. If the User does not want to receive personalized ads, he can disable them using the Google Ads Preferences Manager (personalization) in accordance with the instructions available at: https://support.google.com/ads/answer/2662856?co=GENIE.Platform%3DAndroid&hl=pl The IP address identified by Google Analytics will not be associated with any other data collected by Google. When using Google Analytics, the Controller does not collect data that would allow you to be identified. The information to which the Controller has access within Google Analytics includes, in particular: information about the web browser and operating system, viewed pages and transitions between subpages, and time spent on the Website. Information about the processing of information by Google LLC in relation to this tool can be found at: https://www.google.com/intl/pl/policies/privacy/partners

Third parties supporting the Controller in its activities, such as marketing agencies and PR agencies, may also use Google Analytics to analyze information from Google Ads and DoubleClick cookies for purely statistical purposes and to analyze User behavior when using the Website.

[Google Tag Manager] a tool that allows you to manage the analytical and marketing tools used on the website. Google Tag Manager itself does not collect users' personal data, but other tools that may process information about the User can be launched through it. Detailed information on data processing in relation to this service is available at: https://www.google.com/analytics/terms/tag-manager/ , and the data processing rules are available at: https://business.safety.google/privacy/

[Meta Ads Tools (Facebook/Instagram), including Meta (Facebook) Pixel] Meta Pixel is a solution operated by Meta Platforms, Inc., USA (formerly Facebook) used to target specific users with advertising messages. When using Facebook Pixel, the Controller does not collect data that would allow you to be identified. Information on the processing of information by Meta Platforms and the rules for using the tools can be found at the following links: https://www.facebook.com/legal/Controller_addendum , https://www.facebook.com/about/privacy

[other] The Controller also uses other tools. Below are links to the policies of tool providers, where detailed information on their processing of data/information is presented:

• LinkedIn Ads: LinkedIn Advertising Policies LinkedIn Privacy Policy

• TikTok Ads: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms , https://www.tiktok.com/legal/page/eea/privacy-policy/pl

• Pinterest: https://policy.pinterest.com/pl/privacy-policy#section-residents-of-the-eea

Please note that the Controller has no influence on the manner and rules of information processing by the above-mentioned providers.

[social media plugins] The Website uses social media plugins (Facebook, Instagram, YouTube, Pinterest, LinkedIn). When using the Website via plugins, certain information about the Uuser, such as the IP address of the device, browser ID, date and time of viewing the website, is transmitted to social media providers. The providers receive information that the User's browser has displayed the Website, even if the User does not have a profile at the given service provider or is not logged in. In addition, clicking on social media plugins establishes a direct connection to the servers of these media providers, who may collect other data from the User's device. The Controller has no influence on the data processing policies of these providers. For more information on the processing of personal data by these entities, including your rights, please visit their websites, e.g.:

• Meta (Facebook i Instagram): https://www.facebook.com/policy.php

• Google: https://privacy.google.com/take-control.html?categories_activeEl=sign-in

• Pinterest: Privacy Policy | Pinterest Policy

• YouTube: https://www.youtube.com/intl/ALL_pl/howyoutubeworks/privacy/

• LinkedIn: https://www.linkedin.com/legal/privacy-policy?_l=pl_PL

[logs] In addition to cookies, the Website may collect data collected by Internet system administrators in so-called logs or log files. The information contained in the logs may include, among other things, the User's IP address, the type of platform and web browser, the Internet provider. Logs are saved and stored on the server. The data saved in the server logs is not linked to Users and is not used by the Controller to identify you. The Controller processes information from logs for technical and administrative purposes, to ensure the security of the IT system, and for system management.