Privacy and cookie policy
1. Definitions and general information
If you use our website or its services, including e-consultations, we collect and process your personal data. The Privacy Policy describes the principles and purposes of the processing of this personal data and contains information about cookies and similar technologies that we use on the website.
The following terms have the following meanings:
| CONCEPT | EXPLANATION |
| admin or we | The Controller is an entity that determines the purposes and methods of personal data processing, and is responsible, m.in for an adequate level of data protection and the exercise of the rights of data subjects. The administrator of your personal data obtained in connection with your use of the website or services offered through it, including e-consultations, is us, i.e.: Exorigo-Upos S.A. with its registered office in Warsaw (Skierniewicka 10 A, 01-230 Warsaw) |
| personal data | any information about an identified or identifiable natural person (i.e. a living person); an identifiable natural person can be identified, directly or indirectly, m.in by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity |
| Data subject | any natural person whose personal data is processed by the Administrator in connection with its business, e.g. a person with whom it has a contractual contract with the Administrator or directing an inquiry to it in the form of an e-mail. |
| Cookies | IT data is stored on the end device, containing data on the User’s website use. |
| Privacy | This Privacy Policy |
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) |
| service | Website exorigo-upos.com |
| You or the user | any natural person who visits the site or uses the services offered through it |
2. Purposes and grounds for our processing of personal data
Depending on the website’s functions, we may process your personal data for various purposes and on different legal grounds. For example, we may process your data to conduct marketing activities, market and statistical analyses, improve the quality of our services, or perform legal obligations to which we are subject. Details are described below.
| AREA | PURPOSE AND BASIS OF PROCESSING |
| USE OF THE SERVICE | We use cookies or similar technologies on this website. Therefore, as a controller, we process information that may be considered. Personal data (e.g., IP address, online identifiers, data of your device, data on website activity). We process this information for the following purposes:
You can find more information about cookies further down in the privacy policy. We register your activity on the website in the so-called system logs (a special computer program that stores a chronological record containing information about events and activities concerning our IT system/our platform). The information collected in the logs may include personal data (e.g., IP address and data on your device). We process this information primarily to provide our services via the platform (Article 6(1)(b) of the GDPR). We also process it for technical and administrative purposes (e.g. error detection). To ensure the security of our IT system/platform (e.g. detection of network attacks) and management of this system/platform, as well as for analytical and statistical purposes – in this respect, the legal basis for the processing is our legitimate interest (Article 6(1)(f) of the GDPR) consisting in ensuring the proper functioning of the to improve the service and to protect our business interests. |
| CONTACT SUPPLIER | We provide the possibility of contacting us using the electronic contact form available on the website. You will be asked to provide the required personal data (e.g. name, email address) using this form. The above data is necessary to receive and handle your inquiry and allow us to contact you. You provide the data voluntarily, but it is not possible to send an inquiry without providing this data. In order to facilitate contact and handle your inquiry, you may also voluntarily provide us with other personal data (e.g., your phone number). We process the personal data in the contact form to identify the sender and handle the inquiry. The legal basis for the processing is our legitimate interest (Article 6(1)(f) of the GDPR) to respond and provide support to you. In some cases (e.g., if you file a complaint), we may also process the data contained in the complaint form to establish, pursue, or defend against claims. The basis for the processing is our legitimate interest (Article 6(1)(f) of the GDPR), which consists of protecting our rights and financial interests, resolving any dispute with you, and responding to your complaint. |
| DIRECT MARKETING | We conduct marketing activities considering the legal regulations applicable to us, including respect for restrictions or prohibitions on advertising and promotion. We do not use your sensitive data (special categories of data within the meaning of Art. 9 GDPR) for marketing purposes. Sending you marketing When using the platform, you can optionally agree to receive from us, through the communication channel of your choice (e.g. e-mail, SMS or similar electronic means of communication) our offers, promotions, news and similar marketing content about the platform and our business. The legal basis for the processing is your consent (Article 6(1)(a) of the GDPR). The content you receive may be tailored to you (e.g. based on your city, gender or age group). Online Marketing Within the limits permitted by law, we can also inform about our activities using online marketing tools (e.g., banners on other websites). For this purpose, we may use information collected in connection with your use of our platform (e.g. information that you are a customer may be used by us to optimize our online information campaigns). The legal basis for such processing is our legitimate interest in informing you about our activities and our services (Article 6(1)(f) of the GDPR). We use marketing partners such as Google, Microsoft or Meta (Facebook) to show you our tailored campaigns based on information collected while using the platform, m.in. cookies if you have consented to their use. The basis for such processing is your consent (Article 6(1)(a) of the GDPR). More information on this subject can be found in the privacy policy section on cookies. Custom audiences We may target our campaigns on social media platforms (e.g. Facebook) or platform service providers such as Google to a specific audience (so-called custom audiences). For this purpose, we use various technologies, such as a tracking pixel, the collection of information about the activities of users on our profile (company page) on a social media platform or we transmit a secure file with some of our users’ data to the operator of the respective platform (e.g. Meta). It contains, among other things, email addresses or telephone numbers that allow a platform operator such as Meta to identify you as a user of our platform (data matching). For example, if we want to display our campaigns on Facebook to people who are already our customers, we provide the Facebook operator (Meta) with a secure list with the necessary data; if our clients are Facebook users, they will see our campaign. In the same way, we can exclude all or some of our clients from the group of campaign recipients. The personal data provided is properly secured. Meta (Facebook) As part of the platform, we use tools that Meta Platforms Ireland Ltd offers, such as the Meta pixel or event analysis in the mobile application and service. For example, when you visit a platform, the Meta pixel sends a message to Meta. Thanks to this, we can better adjust our campaigns on the Facebook platform and check their effectiveness. It also lets us obtain analytics and measurements from Meta about our products and services. We are jointly responsible for collecting and processing data with Meta Platforms Ireland Limited (joint controller). This includes the following objectives:
|
| DETERMINATION, INVESTIGATION, ENFORCEMENT OF CLAIMS | In such a case, some personal data provided by the User as part of the use of the functionalities on the Website may be processed, such as: name, surname, data on the use of services, if the claims arise from how the User uses the services, other data necessary to prove the existence of the claim, including the extent of the damage suffered. Legal basis – legitimate interest (Article 6(1)(f) of the GDPR), consisting in the determination, investigation and enforcement of claims and defence against claims in proceedings before courts and other state authorities. |
| RECRUITMENT | As part of the “Career” tab, the Administrator provides information about its employment policy and recruitment processes. Suppose the User decides to participate in the recruitment process conducted by the Administrator. In that case, it should be noted that the Administrator expects candidates to provide personal data (e.g. in their CV or resume) only to the extent specified in the labour law provisions. To carry out the recruitment process in the scope of data not required by law – the legal basis for the processing is consent (Article 6(1)(a) of the GDPR).. |
| RetailTech News NEWSLETTER | If you would like to receive information about our news and promotions, you can use our free newsletter service (newsletter subscription). To do this, we will ask you to provide your email address. This is voluntary, but necessary to use the newsletter. By subscribing to the newsletter, you agree to receive commercial information (e.g. offers, promotions) and other marketing content about Exorigo-Upos. Your consent also includes the use of systems to send the newsletter automatically. You can unsubscribe from the newsletter anytime (withdraw your consent). All you have to do is click on the special link at the end of each message or email us to unsubscribe from the newsletter. The withdrawal of consent does not affect the lawfulness of our processing of your personal data based on consent before its withdrawal. When you subscribe to the newsletter, we process your personal data to send it. The legal basis for this processing is your consent (Article 6(1)(a) of the GDPR). |
| COMPANY PROFILE IN SOCIAL MEDIA | If you visit our profile (company account/company page) on a social media platform such as Facebook (https://www.facebook.com/grupaexorigoupos/), Instagram (https://www.instagram.com/exorigo/), or LinkedIn (https://www.linkedin.com/company/exorigo/) and interact with us (e.g., by following, leaving comments, or liking us), we process your personal data. The scope of personal data that we process includes data that you provide to us yourself, as well as data obtained by us from the operator of the respective platform, including data such as your social media platform ID (name or profile name), profile picture/avatar, etc. Providing data is voluntary, but without it, it is impossible to use some functions of the social media platform (e.g. add a comment, write us a message). Independent of us, the platform operator processes your personal data to provide you with the services of this platform, according to its rules and terms of use. Read the terms and conditions of use and the privacy policy/information on processing personal data applicable to your platform. You will find links to our profiles (accounts/company pages) on social media platforms when browsing our website. After clicking the link, you will be redirected to our profile (account/company website), which we run within the selected platform. When you are redirected to such a platform, the operator of the platform in question is also the controller of your personal data, who may use the collected information for their purposes (e.g. they may use the information that you have switched from our website to a social media platform, e.g. for advertising purposes, market research or collecting information about your preferences). We do not influence the processing of personal data, which the platform operator carries out independently of us as a separate controller. You can find detailed information on the processing of personal data by social media platforms and in their privacy policies:
Facebook, LinkedIn If you use our profile (company page) or the associated content on these platforms, we process your personal data. The data we process may include:
The Facebook and Instagram platforms are operated by Meta Platforms Ireland Limited (Serpentine Avenue, Block J, Dublin 4, Ireland—hereinafter referred to as “Meta”). Meta processes your personal data in accordance with its privacy policy, which is available at https://www.facebook.com/privacy/policy/ (Facebook) and https://privacycenter.instagram.com/policy (Instagram). Joint control with Meta We use statistical information related to the use of our Facebook profile (business page), which Meta makes available to us in an anonymized form, including through the “Audience Insights” service. This service does not allow you to assign information to users or access their profiles. You can learn more about Facebook Business Page Insights at https://www.facebook.com/legal/terms/information_about_page_insights_data. We are joint controllers of your personal data with the operator Facebook and Meta (Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland) about processing data for Page Insights (Insights Data). Joint control includes the aggregate data analysis to display user activity statistics on our profile. Meta’s responsibilities for data processing under joint controllership are:
The scope of our responsibility for the processing of data within the framework of joint controllership is:
The Irish Data Protection Commission is the central supervisory authority for joint processing. Detailed information on mutual arrangements between the joint controllers is available on the https://www.facebook.com/legal/terms/page_controller_addendum. In connection with maintaining profiles (company pages) on the platforms, we may process your personal data for which is our legitimate interest (Article 6(1)(f) of the GDPR), consisting of:
|
| COLLECTING CONTRACTOR DATA | Suppose you are our contractor or a contact person acting on behalf of a contractor. In that case, we may process your personal data – most often this will be your name and surname, e-mail address, telephone number, data on your business activity or function. We need this data for ongoing contact, preparation, and conclusion of the contract, as well as its implementation and settlement. In such cases, the basis for processing is the concluded contract or actions aimed at its conclusion – by Article 6(1)(b) of the GDPR – or our legitimate interest, which is to ensure efficient cooperation and performance of contractual obligations (Article 6(1)(f) of the GDPR). Your data may also be processed in connection with legal obligations to which we are subject as the controller, e.g. in issuing invoices, keeping accounting books or tax documentation. In this case, we operate based on Article 6(1)(c) of the GDPR. We also contact our contractors or their representatives for marketing purposes – for example, to inform them about new services and solutions or invite them to participate in industry events. If you consent to such activities, we process your data based on Article 6(1)(a) of the GDPR. If we do not require consent and the communication takes place within the framework of an existing business relationship, the basis is our legitimate interest by Article 6(1)(f) GDPR. We store the data only for as long as necessary—in particular, for the duration of the contract and for the period required by law, as well as for the time necessary to assert or defend against claims. If the processing is based on consent—e.g., for marketing purposes—the data will be processed until it is withdrawn. At any time, you can ask us what data we process about you, request its rectification, restrict processing, and, in certain situations, delete or object. If we process data based on your consent, you have the right to withdraw it, without affecting the lawfulness of the processing before the withdrawal. |
| DATA COLLECTION IN OTHER CASES | In connection with its business, the Controller also collects personal data in other cases – e.g. during business meetings, at industry events or through the exchange of business cards – for purposes related to establishing and maintaining business contacts. Personal data is provided in such cases voluntarily. The legal basis for the processing in this case is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in creating a network of contacts in connection with the conducted activity. Personal data collected in such cases is processed only for the purpose for which they were collected. |
2.1. The Administrator ensures that the amount of data processed in correspondence is consistent with the principle of data minimisation and that only authorised persons have access to it.
2.2. When using the website, additional information may be collected, including the IP address assigned to the Client’s end device (e.g., phone, tablet, computer) or the external IP address of the Internet provider, domain name, browser type, access time, and operating system type.
2.3. to market our products and improve services, navigation data may also be collected from Users, including information about links and references they decide to click on or other activities undertaken on our website, based on the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in facilitating the use of services provided by electronic means and improving the functionality of these services.
2.4. The provision of personal data is voluntary in connection with the provision of services via the Website, with the proviso that failure to provide the data specified in the form will prevent the provision of this service.
3. Cookies and similar technologies
We use cookies on our platform and may use other similar technologies and tools that are stored on your device and allow us or other parties we work with to collect information (e.g., tracking pixels, local data files, tags), which we refer to collectively as “cookies” for simplicity.
Cookies are small text files that are saved and stored on your device (e.g., in your computer’s or smartphone’s memory). They allow, for instance, to recognize your device and display the website correctly (including adapting it to the user’s preferences) and to collect various information related to the user’s browsing on the platform. Cookies usually contain the name of the website (domain) from which they originate, how long they are stored on your device, and a unique identifier.
Cookies perform various functions. Some of them are strictly necessary for the proper operation of the platform, while others collect information related to your use of the platform, e.g., by remembering your visits and activities during that time.
We use cookies and similar technologies primarily for the following purposes:
- authenticate you within the platform (so you can log in and be logged in);
- Analytics and statistics so that we can better understand how users use the platform so that we can improve the platform and provide better services;
- marketing (e.g., in connection with collecting information for online campaigns).
The information collected by cookies does not usually directly identify you personally. From our perspective, the information we obtain through cookies is anonymous. However, in some cases, especially when combined with other information, cookies have the potential to identify a specific individual (e.g., IP address in combination with a cookie ID and information held by third-party vendors we use. We want to be transparent and privacy-oriented, so we cautiously assume in our privacy policy states that their use involves the processing of personal data.
Cookies have different periods of activity, after which they are automatically deleted (expire) – unless you delete them yourself beforehand. Some cookies are temporary (so-called session cookies, which are saved only for the duration of your session on the platform or a little longer – e.g. several minutes) and are automatically deleted when you close your browser or log out of the platform. Other cookies (e.g. Google Analytics, cookie display) are stored longer (e.g. for several months or even years) and can be deleted, e.g. through your browser settings.
Some cookies come from our domain (so-called first-party cookies), and others come from external servers are stored by third parties (e.g. service providers we use – so-called third-party cookies).
3.1. Strictly necessary cookies
Some cookies are necessary for the platform’s proper and secure operation. Therefore, by the law (Article 398 of the Electronic Communications Law), their use does not require your consent.
3.2. Analytical and statistical cookies
As part of the platform, we use the services of other companies that provide us with analytical and statistical services (e.g. Google Analytics). For this purpose, we use our cookies (first party) or external cookies (provided by external providers), which allow us to monitor, for analysis and statistics – how you use the platform and what pages you browse within the platform. They also allow us to analyse data about the traffic on the platform’s websites, IP and MAC address, general geographical data, the type of browser and device from which you connect to the platform, information about your Internet provider and information about the actions you take within the platform (analytics). This allows us to create general reports and statistics to improve the platform and fix bugs.
3.3. Marketing cookies
Marketing cookies allow us to display marketing content (e.g. business information) tailored to you (based on, among other things, information about your visit to our platform, the pages you have viewed on our platform and the links you have clicked). They are used, m.in other things, to tailor marketing content on the Internet, to display marketing content outside of our platform, and to keep marketing statistics. The information collected by these cookies may be transferred to other companies that offer their advertising networks or tools for marketing campaigns (e.g., Microsoft, Meta, Google).
All marketing activities we undertake are in accordance with the restrictions and prohibitions regarding advertising that apply to the website.
3.4. Consent to the use of cookies
The use of cookies requires your consent (except for the so-called strictly necessary cookies we wrote about above). We display a message on the platform informing you about our use of cookies. In this notice, you can consent to using cookies for the purposes indicated therein or refuse such consent. If you refuse permission, we may only use strictly necessary cookies for the website to function – your consent is not needed to use these cookies, as without them the website will not function properly (Article 398 of the Electronic Communications Law).
If personal data is processed as part of the use of cookies requiring consent (this applies to non-essential cookies – e.g. analytical, marketing), the basis for such processing is your consent (Article 6(1)(a) of the GDPR). Further processing of your personal data, collected initially through cookies, may take place based on our legitimate interest (Article 6(1)(f) of the GDPR – e.g. marketing of products or services, creation of statistics and analyses), by what we have described in the previous sections of the privacy policy.
In the case of third-party cookies, your consent to using such a cookie also means that your data obtained through such a cookie will be transferred to a third-party provider.
You can withdraw your consent to the use of cookies at any time, e.g., by using the cookie settings in the cookie “box” displayed on our website’s interface or by using the settings of your web browser. You can also set your browser to block all or some cookies automatically. Detailed information about the browser’s functionality and settings can be found in its documentation.
If you block essential cookies, the website will not function properly for technical reasons.
3.5. List of cookies used on the website
| Name | Domain | Description | Duration | Type |
| __cf_bm | .hs-scripts.com | This cookie, set by Cloudflare, supports Cloudflare’s bot management. | 1 hour | Necessary |
| __cf_bm | .hscollectedforms.net | This cookie, set by Cloudflare, supports Cloudflare’s bot management. | 1 hour | Necessary |
| __cf_bm | .hubspot.com | This cookie, set by Cloudflare, supports Cloudflare’s bot management. | 1 hour | Necessary |
| _cfuvid | .hubspot.com | Calendly sets this cookie to track users across sessions to optimise the user experience by maintaining session consistency and providing personalized services. | session | Necessary |
| __cf_bm | .hs-analytics.net | This cookie, set by Cloudflare, supports Cloudflare’s bot management. | 1 hour | Necessary |
| __cf_bm | .hsadspixel.net | This cookie, set by Cloudflare, supports Cloudflare’s bot management. | 1 hour | Necessary |
| __cf_bm | .hs-banner.com | This cookie, set by Cloudflare, supports Cloudflare’s bot management. | 1 hour | Necessary |
| __cf_bm | .hsforms.com | This cookie, set by Cloudflare, supports Cloudflare’s bot management. | 1 hour | Necessary |
| _cfuvid | .hsforms.com | Calendly sets this cookie to track users across sessions to optimise the user experience by maintaining session consistency and providing personalized services. | session | Necessary |
| File BCOOKIE | .linkedin.com | LinkedIn sets this cookie to track your use of the embedded services. | 1 year | Advertisement |
| li_gc | .linkedin.com | LinkedIn has set this cookie to store the visitor’s consent to using cookies for non-essential purposes. | 6 months | Functional |
| Lidc | .linkedin.com | LinkedIn sets a Lidc cookie to make it easier for you to choose a data centre. | 1 day | Functional |
| _fbp | .exorigo-upos.com | Facebook sets this cookie to store and track interactions. | 3 months | Analytics |
| lastExternalReferrer | exorigo-upos.com | never | Other | |
| lastExternalReferrerTime (Czas odwołania) | exorigo-upos.com | never | Other | |
| topicsLastReferenceTime | exorigo-upos.com | never | Other | |
| wpEmojiSettings Supports | exorigo-upos.com | WordPress sets this cookie when users interact with emojis on your WordPress site. It helps determine if the user’s browser can display emojis correctly. | session | Necessary |
3.6. Cookie mechanism
The cookie mechanism is safe for your device. With it, viruses or other unwanted software cannot enter your device. However, you can restrict or disable access to cookies in your browser settings. If you do so, you can still use the Service, although some features that require cookies may not be available.
3.7. Changing your cookie settings
Below you will find instructions on how to change your cookie settings in popular web browsers:
4. Period of personal data processing
The period of our processing of your personal data depends on the type, purpose and basis of the processing. We store the data:
- in the case of processing based on a legitimate interest (e.g. protection against claims or pursuing claims) – for the period necessary to pursue this interest (e.g. in the case of property claims – until the statute of limitations for such claims expires), unless you have previously effectively objected to the processing of personal data;
- if the basis for processing is the necessity to conclude and perform a contract, for the duration of such a contract;
- if the processing is based on a legal obligation, for a period resulting from the provisions of law (e.g. tax documentation is usually stored for 5 years from the end of the year in which the tax payment date falls);
- if the data is processed based on consent – until the consent is withdrawn, unless we no longer need the data to achieve the purpose for which the consent was collected.
We may extend the period of processing of your personal data if the processing is necessary to establish, pursue or defend against possible claims or when it is necessary to comply with legal obligations to which we are subject, and after that time only in the case and to the extent required by law. After the expiry of the storage period, we delete or irreversibly anonymize the data.
Personal data provided as part of comments posted as part of our Facebook fanpage will be stored until they are deleted by the author (unless we delete them ourselves beforehand). For more information on processing personal data in the Facebook social network, please visit: https://www.facebook.com/about/privacy.
5. Rights of data subjects
You have the right to access your personal data, request its rectification, deletion, restriction of processing, the right to transfer data (if the processing is carried out in an automated manner based on a contract or consent), the right to object to the processing of data (if the processing is carried out based on a legitimate interest – e.g. in connection with the implementation of analytical and statistical purposes—or for direct marketing), the right to withdraw consent, and the right to complain to the supervisory authority.
We provide more information about your rights below:
- The right to request access to your personal data from us: This means that you can obtain information from us You can obtain information about how and to what extent we process your personal data and a copy of it.
- The right to request that we rectify your personal data: You can request that we rectify (correct) your personal data, e.g., if it has been incorrectly stored or has changed.
- The right to request that we erase your personal data: You can ask us to erase your personal data if there is no basis for us to process it or if there are other circumstances provided for by the GDPR.
- The right to request that we restrict the processing of your personal data: This means that you can request that your personal data be processed only to a limited extent, until your objection to the processing of your data is considered or until your request for rectification is considered, or if you want us to connection with your claims or in connection with with the finding of unlawful data processing.
- Right to data portability: If we process your personal data based on consent or based on a contract with you and this is done by automated means (e.g. by computer), you have the right to request that we provide you with your personal data that You have provided us with such personal data in a structured, commonly used, machine-readable format (np. XML). You may provide such personal data yourself to another controller of your choice. In addition, if technically possible, while maintaining appropriate security standards, at your request, we may transfer your personal data to another controller you indicated. The right to data portability must not adversely affect the rights and freedoms of others.
- Right to object to processing: Where we process your personal data on the basis of a legitimate interest, you may object to such processing on grounds relating to your particular situation. We will then analyse the objection regarding compelling legitimate grounds for processing your personal data, which override your interests, rights and freedoms, or grounds for us to assert or defend against claims. In the event of an effective objection, we can no longer process the personal data concerned.
- If we process your personal data for direct marketing, you can object to such processing at any time. That objection does not require any justification. If we receive such an objection, we will no longer process your data for direct marketing purposes.
- Right to withdraw consent to the processing of personal data: When we process your personal data based on consent, you may withdraw such consent at any time with effect for the future. This means that the withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal. To withdraw your consent, you can, for example, contact us through the contact channels indicated below, change the settings in your customer account or use the special link visible in the e-mail sent by us.
- Right to complain to a supervisory authority: If you believe that our processing of your personal data is unlawful, you have the right to complain to a supervisory authority dealing with personal data protection. In Poland, the supervisory authority is the Office for Personal Data Protection President.
It may happen that we will not be able to exercise some rights, e.g. due to legal obligations imposed on us. For example, the right to erasure (the so-called right to be forgotten) generally does not apply to data collected as part of medical records. Your personal data, which we process as part of medical documentation, must be stored for the period specified in the law. During this period, we cannot comply with your request to delete this personal data.
In connection with exercising the rights described above, we may verify your identity.
6. Data recipients
As part of the platform operation, we use the services of third parties (our subcontractors and external suppliers). Therefore, the recipients of your personal data will be IT service providers (e.g. hosting), companies such as banks and payment processors, companies providing accounting services (in connection with issuing an invoice/bill), entities providing tools for creating online surveys, and our medical staff. If we transfer your data to external entities, it is done with respect for medical confidentiality and other legally protected secrets (especially with encryption or other appropriate safeguards).
We may also disclose personal data to courts or competent public authorities (e.g., law enforcement agencies) or other authorized third parties. Data disclosure takes place only if there is an appropriate legal basis for it (e.g., a legal provision requiring the disclosure of personal data) and in accordance with applicable regulations.
When you use third-party cookies, the data collected by these cookies, including information that may constitute personal data, is collected by third-party providers of these cookies (see section 3 of the privacy policy on cookies for details).
If you visit or follow our fan page, which is part of the Facebook social network, or interact through this fan page, we may disclose your personal data to the operator of this website and its other users on the terms set out by the operator of the Facebook social network. You can find the privacy policy of Meta Platforms Ireland Limited (Serpentine Avenue, Block J, Dublin 4, Ireland) at https://www.facebook.com/privacy/policy.
7. Source of personal data
We generally obtain personal data directly from you when you use the platform or its services.
8. Data transfers outside the EEA
The service providers are mainly based in Poland and other European Economic Area (EEA) countries. If your data is transferred outside the EEA, the Controller will apply appropriate legal safeguards, i.e. standard contractual clauses for the protection of personal data, approved by the European Commission.
The level of protection of personal data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, we ensure that we will only transfer your personal data outside the EEA where necessary and with adequate protection. We do not currently plan to transfer your data outside the EEA.
9. Safety
The procedures introduced by the Administrator ensure an appropriate level of confidentiality and integrity of the personal data he processes. Only properly trained and authorized persons have access to personal data. The Administrator uses organisational and technical solutions to ensure that all operations on personal data are registered and performed only by authorised persons. The Controller takes the necessary steps when selecting processors and other subcontractors to ensure that the level of protection of personal data with these entities is sufficient. The administrator conducts an ongoing risk analysis and monitors the adequacy of the data security measures used to address the identified threats. If necessary, the Administrator implements additional measures to increase data security.
10. Our contact details and data protection officer
You can contact us by mail at our address: Exorigo-upos S.A., Skierniewicka 10 A, 01-230 Warsaw.
We have appointed a Data Protection Officer (DPO). Our DPO is Krzysztof Pawelec. You can contact him in matters related to the processing of personal data by us by sending an e-mail to the following address: ochronadanych@exorigo-upos.pl or by writing to the following address: Exorigo-upos S.A., Skierniewicka 10 A, 01-230 Warsaw with the note “DPO”.
11. Changes to the privacy policy
We keep our privacy policy under review and update it as needed. If the changes are material, we will endeavour to notify you through the available contact channels (e.g. by email).
The current version of the privacy policy is effective from 2025.05.16