Privacy Policy

§1. GENERAL PROVISIONS
This Privacy Policy applies to the personal data of users (hereinafter referred to as “Users”) of the website operating at www.x-projekt.com.pl (hereinafter referred to as the “Service” or “Portal”).
The data controller is X-Projekt Projects & Development Spółka z ograniczoną odpowiedzialnością, headquartered in Poznań (60-012), ul. Opłotki 23, registered in the Register of Entrepreneurs of the National Court Register maintained by the District Court Poznań-Nowe Miasto and Wilda in Poznań, VIII Commercial Division of the National Court Register under Polish National Court Register (KRS) number 0000592038, REGON 363236833, VAT EU PL7822599989. Contact with the Data Controller can be made via mail, email (biuro@x-projekt.com.pl), or phone (+48 61 847 50 71) (hereinafter referred to as the “Service Provider”).
For any questions or requests regarding your rights, please contact our Data Protection Officer – Paweł Sarnowski, via email at rodo@x-projekt.com.pl.
Data protection is carried out in accordance with applicable legal requirements, and data is stored on secured servers.
For better understanding, “GDPR” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.
The Service Provider respects the privacy of Users visiting www.x-projekt.com.pl. Like most website publishers, the Service Provider collects IP addresses of Users and necessary information about their use of the site, used solely for technical and administrative purposes (except for geolocation services directing Users to appropriate city subpages). The Service Provider does not attempt to identify Users.
Personal data provided in the landing page form is treated as confidential and is not visible to unauthorized persons.

§2. DATA CONTROLLER

The Service Provider is the data controller of Users’ data. This means that if a User uses the services of www.x-projekt.com.pl, the Service Provider may process the following personal data: first name, last name, phone number, mailing address, email address, IP address, and data contained in messages sent to us, which we receive based on your voluntary consent.

Personal data is processed:
a. In accordance with data protection regulations,
b. In line with the implemented Privacy Policy,
c. To the extent and purpose necessary to establish, shape the content of, change, or terminate the Agreement and properly perform electronic services,
d. To the extent and purpose necessary to fulfill legitimate interests (legally justified purposes), provided that the processing does not violate the rights and freedoms of the data subject:
I. To the extent and purpose consistent with the consent expressed by the User when making a purchase offered by the Service Provider,
II. To the extent and purpose consistent with the consent expressed by the User when contacting the Service Provider to obtain information about the Portal’s offer and providing their personal data.
In the case mentioned in point II, only the first name, last name, email address, and data provided in the message content are collected and processed.

Purpose of Data Processing
Legal Basis and Data Retention Period
Scope of Processed Data

Performance of a contract or taking steps at the request of the data subject prior to entering into a contract.
Article 6(1)(b) of the GDPR (performance of a contract)
Data are stored for the period necessary for the performance, termination, or other expiration of the concluded contract.
Maximum scope: first and last name; email address; contact phone number; delivery address (street, building number, apartment number, postal code, city, country); residential/business/registered office address (if different from the delivery address).
In the case of Users who are not consumers, the Controller may additionally process the company name and the User’s tax identification number (VAT EU).
The provided scope is the maximum – for example, in the case of personal pickup, providing a delivery address is not required.
Direct marketing
Article 6(1)(f) of the GDPR (legitimate interests pursued by the controller)
Data are stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims against the data subject arising from the Controller’s business activity. The limitation period is defined by legal regulations, in particular the Civil Code (the basic limitation period for claims related to business activity is three years, and for a sales agreement, two years).
The Controller may not process data for direct marketing purposes if the data subject has effectively objected to such processing.
First name, last name, email address
Marketing
Article 6(1)(a) of the GDPR (consent)
Data are stored until the data subject withdraws their consent to the further processing of their data for this purpose.
First name, last name, email address
Responding to the inquiry, contacting via the provided contact details
Article 6(1)(a) of the GDPR (consent)
Data are stored for the time necessary to respond to the inquiry, but no longer than permitted by applicable law.
First name, last name, email address
Maintaining tax or accounting books
Article 6(1)(c) of the GDPR in connection with Article 86 § 1 of the Tax Ordinance Act of January 17, 2017 (Journal of Laws of 2017, item 201) or Article 74(2) of the Accounting Act of January 30, 2018 (Journal of Laws of 2018, item 395)
Data are stored for the period required by law, which obliges the Controller to maintain tax books (until the expiration of the tax liability limitation period, unless tax laws provide otherwise) or accounting books (5 years, starting from the beginning of the year following the financial year to which the data pertain).
First name and last name; residential/business/registered office address (if different from the delivery address); company name and the User’s tax identification number (VAT EU).
Establishment, assertion, or defense of claims that the Controller may raise or that may be raised against the Controller
Article 6(1)(f) of the GDPR
Data are stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims against the data subject arising from the Controller’s business activity. The limitation period is defined by legal regulations, in particular the Civil Code (the basic limitation period for claims related to business activity is three years, and for a sales agreement, two years).
First name and last name; contact phone number; email address; delivery address (street, house number, apartment number, postal code, city, country); residential/business/registered office address (if different from the delivery address).
In the case of Users who are not consumers, the Controller may additionally process the company name and the User’s tax identification number (VAT EU).

Every data subject has the right to access, rectify, delete, or restrict processing of their data, the right to object, and the right to lodge a complaint with a supervisory authority.

The Service Provider reserves the right to process User data after contract termination or consent withdrawal only to the extent necessary to assert potential claims or if national, EU, or international law obliges us to retain data.

The Service Provider has the right to share User personal data with entities authorized under applicable law (e.g., law enforcement agencies).

Deletion of personal data may occur upon withdrawal of consent or a legally permissible objection to data processing.

For the proper functioning of the Portal, including the execution of concluded contracts, it is necessary for the Controller to use external entities (e.g., software providers, couriers, payment processors). The Controller uses only processors who provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing complies with GDPR and protects the rights of data subjects.

The Service Provider may share personal data with other entities authorized under applicable law and carriers/shippers, electronic or card payment processors, service providers supplying the Controller with technical, IT, and organizational solutions, accounting, marketing, legal, and advisory service providers.

The Service Provider uses web analytics systems that may be used to create User profiles. Except for marketing purposes and with the User’s consent, the User’s profile will not be marked with their name or any identifier that could directly identify them. Web analytics systems use cookies in their processes.

The personal data collected by the Service Provider will be processed solely for the purpose for which it was provided, in accordance with the scope of the User’s consent and based on and within the limits of the law. The User has the right to access and correct their personal data and to request in writing to stop processing their personal data. Corrections can be made by contacting the Portal’s support via traditional mail or email.

The Service Provider informs that authorized state authorities may also access User personal data within the scope of their competencies defined by applicable regulations, particularly judicial authorities (police, prosecutor’s office, courts).

The Service Provider informs that Users can only browse job offers published via the Portal anonymously. Users cannot register as employees or apply for jobs via the Portal anonymously or under a pseudonym. To register as an employee and apply for jobs, it is necessary to provide personal data as specified in this Policy.

§3. COOKIES

The website www.x-projekt.com.pl uses cookies. These are small text files sent by a web server and stored by the browser software on the computer. When the browser reconnects to the site, the website recognizes the type of device used by the User. Parameters allow the server that created them to read the information contained in them. Cookies facilitate the use of previously visited websites.

Collected information includes IP address, browser type, language, operating system type, internet service provider, time and date information, location, and information sent via the contact form.

The collected data is used to monitor and check how Users use our websites to improve the functioning of the Service, ensuring more efficient and trouble-free navigation. The Service Provider may monitor User information using the Google Analytics tool, which records User behavior on the site.

Cookies identify the User, allowing the content of the website they use to be tailored to their needs. By remembering their preferences, they enable the appropriate adjustment of advertisements directed to them. The Service Provider uses cookies to guarantee the highest standard of convenience for the www.x-projekt.com.pl service, and the collected data is used only within the Service Provider’s organization to optimize operations.

On the www.x-projekt.com.pl website, the Service Provider uses the following cookies:

a) “Necessary” cookies, enabling the use of services available within the service, e.g., authentication cookies used for services requiring authentication within the service;

b) Cookies used to ensure security, e.g., used to detect abuses in the field of authentication within the service;

c) “Performance” cookies, enabling the collection of information on how the website’s pages are used;

d) “Functional” cookies, allowing “remembering” the settings selected by the User and personalizing the User interface, e.g., in terms of the selected language or region from which the User comes, font size, website appearance, etc.;

e) “Advertising” cookies, enabling the delivery of advertising content more tailored to the User’s interests.

The User can disable or restore the option of collecting cookies at any time by changing the settings in the web browser. Instructions for managing cookies are available at: http://www.allaboutcookies.org/manage-cookies

The User should be aware that disabling cookies may affect how the website is displayed in the browser. Not changing the cookie settings means they will be placed on the User’s end device, and thus the Service Provider may access them.

Using the Portal without changing browser settings means acceptance of the above rules for using cookies and consent to their use by the Service Provider.

Additional personal data is collected only in places where the user explicitly consents by filling out the form. The above data is retained and used only for the purposes necessary to perform the given function.

§4. VALIDITY AND CHANGES TO THE PRIVACY POLICY

This Privacy Policy has been in effect since May 25, 2018.

The Service Provider reserves the right to amend the Privacy Policy and the Cookie Policy at any time. The consolidated text of the Privacy Policy and Cookie Policy after any changes will be available on the main page of the Portal under the “Privacy Policy” tab. Each change to the Privacy Policy and Cookie Policy will be visible in the “Privacy Policy” tab on the main page of the Portal.

§5. INFORMATION ON DATA PROCESSING

The Controller of your personal data is X-Projekt Projects & Development Spółka z ograniczoną odpowiedzialnością, with its registered office in Poznań (60-012), ul. Opłotki 23, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court for Poznań-Nowe Miasto and Wilda in Poznań, VIII Commercial Division of the National Court Register, under KRS number 0000592038, REGON 363236833, VAT EU PL7822599989. You may contact the Controller by post, email (biuro@x-projekt.com.pl), or phone (+48 61 847 50 71).

The Data Protection Officer is Paweł Sarnowski. You may contact the Officer by email (rodo@x-projekt.com.pl), phone (+48 537 450 560), or post: X-Projekt, ul. Opłotki 23, 60-012 Poznań.

Your personal data is processed on the basis of Article 6(1)(a)–(f) of the GDPR for the following purposes:

a) conclusion, execution, or termination of contracts or other legal actions – this includes all preparatory activities preceding contract conclusion, including analysis, as well as activities during contract execution or termination;

b) actions based on the consent granted by the data subject, provided the processing is based on such consent;

c) performance of tasks in the public interest, as required by law;

d) fulfillment of the Controller’s legal obligations, such as issuing and storing invoices and accounting documents within the deadlines and forms prescribed by law;

e) establishing, exercising, or defending legal claims;

f) creation of analyses, summaries, and statistics for the Controller’s internal use;

g) other purposes related to the Controller’s business activity and the fulfillment of the Controller’s legitimate interests, including marketing, financial and accounting settlements, timely delivery of purchased goods, handling of potential complaints, proper installation of purchased materials, and debt collection.

Your data will be stored for a period of 5 years from the end of the year in which the transaction took place, in accordance with the Accounting Act of September 29, 1994 (Journal of Laws of 2018, item 395, consolidated text).

The Controller may share personal data with the following categories of entities:

a) subcontractors, i.e., entities through which the Controller performs its obligations, such as carriers, accounting offices, payment system operators, or debt collection companies;

b) entities providing marketing and training services;

c) owners of IT platforms where personal data is stored;

d) public authorities, if required by applicable law.

You have the right to:

a) request access to your personal data;

b) request the deletion of your personal data;

c) request the restriction of the processing of your personal data;

d) object to the processing of your personal data;

e) correct your personal data;

f) transfer your data;

g) withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;

h) lodge a complaint with the supervisory authority if you believe that the processing of your personal data violates the GDPR.

Your personal data will not be transferred outside the European Economic Area.

Your personal data will not be subject to automated decision-making, including profiling.

Providing your personal data is voluntary but necessary for the conclusion and performance of the contract.