Privacy and cookie policy

Information on Data Processing and the Privacy and Cookies Policy of the website

  1. This Privacy Policy sets out the principles for the processing of personal data obtained through the website
  2. The owner of the Website is Exorigo-Upos SA with its registered office in Warsaw (01-230), ul. Skierniewicka 10A, NIP: 5252535950, REGON: 146251737.
  3. The personal data collected by Exorigo-Upos (hereinafter: the Administrator) throughthe Website are processed in accordance with Regulation (Eu) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also referred to as “GDPR”, the Personal Data Protection Act of May 10, 2018, the Telecommunications Law Act of July 16, 2004 and the Act on the provision of electronic services of July 18, 2002.
  4. This document is an expression of concern for the rights of visitors to the Website located in the company’s domains and using the services offered through it.
  5. By using the Website, the User confirms acceptance of these terms and conditions whether or not you chose to register with the Administrator’s Service.


  1. Administrator (Company): The administrator of personal data of the Website Users is:
    Exorigo-Upos SA with its registered office in Warsaw (01-230), ul. Skierniewicka 10A.
  2. Datapersonal data : information about an identified or identifiable natural person (data subject).
  3. Data subject: any natural person whose personal data is processed by the Administrator in connection with his activity, e.g. a person with whom he has a contractual contract with the Administrator or sending an inquiry to him in the form of an e-mail.
  4. Cookie files:computer data which are stored on the terminal equipment and which contain data on the User’s use of the Website;
  5. Policy: this Policy for the processing of personal data on the Website.
  6. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation data).
  7. Website:
  8. User: any natural or legal person using the functionality of the Website.


  1. The administrator collects and processes personal data in accordance with applicable legislation, including in particular the GDPR in order to carry out business activity.
  2. The administrator adheres to the principle of ensuring transparency (transparency) of personal data processing. Data subjects are informed about the processing of data at the latest at the time of their collection, moreover, they are informed about the purpose and legal basis of their processing.
  3. The Administrator makes sure that the principle of personal data minimization is respected in the Company. The data is collected to the extent necessary for the indicated purpose of processing, and processed only for the minimum retention period. In order to speed up and improve customer service. The administrator obtains from them personal data that is not necessary, e.g. to perform the contract concluded with them – such as a telephone number or e-mail address, only with their consent, and before collecting such data, informs customers about the voluntary provision of such data.
  4. The administrator ensures an appropriate level of security and confidentiality of personal data processed by him. In the event of an incident related to the security of personal data, the Company informs the persons to whom the personal data relate about such an event in a manner consistent with the law.


  1. The procedures introduced by the Administrator ensure an appropriate level of confidentiality and integrity of personal data processed by him. Only properly trained and authorized persons have access to personal data. The administrator uses organizational and technical solutions to ensure that all operations on personal data are registered and performed only by authorized persons.
  2. The administrator takes the necessary steps when selecting processors and other subcontractors so that the level of personal data protection at these entities is sufficient.
  3. The administrator conducts risk analysis on an ongoing basis and monitors the adequacy of the data security applied to the identified threats. If necessary, the Administrator implements additional measures to increase data security.


  1. The administrator collects information on natural persons conducting business or professional activity on their own behalf and natural persons representing legal persons or organizational units that are not legal persons, to whom the law grants legal capacity, conducting business or professional activity on their own behalf. Users’ personal data is processed for the following purposes:
  2. providing access to the website in the form of providing Users with content collected on the website and concluding and performing contracts with the Administrator. The legal basis for processing is the necessity of processing to perform the contract (Article 6para.1b) of the GDPR).
  3. using the survey/contact form, pursuant to (Article 6para.1a) of the GDPR – the data subject has consented to the processing of his personal data in order to present an offer prepared on the basis of the data indicated in the survey/form. When using the contact form on the website, the User provides: Name , Name and e-mail address, telephone number (optional), position name (drop-down list to choose from), also indicates the subject he is interested in, he can use the description field.
  4. direct marketing, pursuant to Article 6para.1f) of the GDPR – the Administrator’s legitimate interest in acquiring new Users and encouraging the purchase of products and services. Marketing activities towards new Users are carried out, after prior consent to communication, via at least one contact channel, i.e. e-mail or telephone.
  5. determination, investigation and enforcement of claims. In this case, some personal data provided by the User as part of using the functionalities on the Website may be processed, such as: name, surname, data on the use of services, if the claims result from the way in which the User uses the services, other data necessary to prove the existence of the claim, including the extent of the damage suffered. Legal basis – legitimate interest (Article 6para.1f) of the GDPR), consisting in determining, pursuing and enforcing claims and defending against claims in proceedings before courts and other state authorities.
  6. recruitment. As part of the “Career” tab, the Administrator provides information about its employment policy, as well as about recruitment processes. If the User decides to participate in the recruitment process conducted by the Administrator, it should be noted that the Administrator expects candidates to provide personal data (e.g. in a CV or curriculum vitae) only to the extent specified in the provisions of labor law. in order to carry out the recruitment process in the field of data not required by law – the legal basis for processing is consent (Article 6para.1a) of the GDPR);
  7. data collection in other cases. In connection with the conducted activity, the Administrator also collects personal data in other cases – e.g. during business meetings, industry events or by exchanging business cards – for purposes related to establishing and maintaining business contacts. Personal data is provided in such cases voluntarily. The legal basis for processing in this case is the legitimate interest of the Administrator (Article 6para.1f) of the GDPR), consisting in creating a network of contacts in connection with the conducted activity. Personal data collected in such cases are processed only for the purpose for which they were collected.
  8. The administrator ensures that the amount of data processed in correspondence complies with the principle of data minimization and that only authorized persons have access to it.
  9. When using the website, additional information may be downloaded, in particular: the IP address assigned to the end device (e.g. telephone, tablet, computer) of the Customer or the external IP address of the Internet provider, domain name, browser type, access time, operating system type.
  10. In order to market our own products and improve services, navigation data may also be collected from Users, including information about links and references that they decide to click or other activities undertaken on our website, based on the Administrator’s legitimate interest (Article 6para.1f) of the GDPR), consisting in facilitating the use of services provided electronically and improving the functionality of these services.
  11. The provision of personal data is voluntary, in connection with the provision of services via the Website, with the proviso, however, that failure to provide the data specified in the form will prevent the provision of this service.


  1. The period of data processing by the Administrator depends on the purpose of processing:
  2. Agreement : if the basis for processing is necessary to conclude and perform the agreement, personal data will be processed until its completion.
  3. Consent : if processing is based on consent, personal data is processed until its withdrawal. Withdrawal of consent, however, does not affect the lawfulness of the processing that was made on the basis of consent before its withdrawal.
  4. Legal provision : in the event that the legal basis is a legal provision, the period of personal data processing also results from specific provisions.
  5. Legitimate interest of the Administrator : in the case of data processing based on the legitimate interest of the Administrators, personal data is processed for a period enabling its implementation or until an effective objection to data processing is submitted.
  6. Protection against claims : the period of data processing may be extended if the processing is necessary to establish, pursue or defend against any claims, and after this period, only if and to the extent required by law.
  7. If the retention period expires, personal data is immediately deleted or anonymized.


  1. The User’s personal data is transferred to service providers used by the Administrator when running the Website. Service providers to whom personal data are transferred, depending on contractual arrangements and circumstances, or are subject to the Company’s instructions as to the purposes and methods of data processing (processors) or independently determine the purposes and methods of their processing (administrators). 
  2. The administrator uses suppliers who process personal data only at his request. These include, among others: 
  3. technical service providers who may operate the technical infrastructure we need to provide portal services, in particular providers who host , store and maintain the website, its content and the data we process, and manage the infrastructure; 
  4. partners who support the Administrator in the provision of marketing services. 
  5. Service providers are mainly based in Poland and other countries of the European Economic Area (EEA). In the event that your data is transferred outside the EEA, the Administrator will apply appropriate legal safeguards, i.e. standard contractual clauses for the protection of personal data, approved by the European Commission. 
  6. Navigation data can be used to provide Users with better service, analyze statistical data and adjust the Website to Users’ preferences, as well as administer the Website. 
  7. The personal data of the Website Users are not made available to third parties, except when such disclosure results from the applicable provisions of law obliging the Administrator of personal data to transfer them to authorized entities, in particular organizational units of the Prosecutor’s Office, the Police, the President of the Office for Personal Data Protection, the President of the Office for Competition Protection and Consumers or the President of the Office of Electronic Communications.


  1. Our website uses small files called cookies . They are saved on the end device of the person visiting the website, if the web browser allows it. A cookie file usually contains the name of the domain it comes from, its “expiration time” and an individual, randomly selected number identifying this file. Information collected using this type of files enables the development of general statistics of visits to our website.
  2. The administrator uses the following types of cookies: 
    1. technical cookies (essential) – some cookies ensure the proper functioning of certain parts of the website and learning about the User’s preferences. By placing functional cookies, the Administrator facilitates visiting the Website. In this way, the User does not have to enter the same information multiple times when visiting the website.
    2. Preference cookies – collect information about the User’s preferences and enable us to remember the language and other local settings and adjust the website accordingly.
    3. statistical cookies – they are used to optimize the use of the Website for Users. They make it possible to view the use of our website. Anonymous static data is collected using external cookies and through Google Analytics analytical tools (administrator of external cookies: Google Inc based in the USA). 
    4. marketing – these are cookies (or other forms of local storage) that are used to create a User’s profile in order to display advertisements to him.
  3. List of cookies used by the website:

Administrator cookies:

Supplier Name Storage period
Necessary cookies bscookie 1 year li_gc 1 80 days ppms_webstorage permanent test_cookie 24 hours stg_debug Until the end of the session cf_bm 24 hours
Preferential Cookies lidc 24 hours
Statistical Cookies _ga 2 years _ga# 2 years _gat 24 hours _gid 24 hours _pk_id# 1 year _pk_ses# 24 hours AnalyticsSyncHistory 30 days ln_or 24 hours ppms_privacy _#GUID# 1 year hubspotutk 180 days __hsc 24 hours __hssrc Until the end of the session __hstc 180 hours
Marketing cookies __ptq.gif Until the end of the session _fbp 3 months bcookie 1 year IDE 1 year stg_externalReferrer Until the end of the session UserMatchHistory 30 days pagead/1p-user-list/388359745/ Until the end of the session pagead/1p-user-list/388359745/ Until the end of the session
  1. Marketing and Statistical cookies placed on the Website User’s end device may also come from the Administrator’s partners and be used for analytical and marketing purposes. Detailed information in this regard can be found in the privacy policy of a given partner.
  2. Cookies are used to:
    1. analyzes and research as well as audience audits, in particular to create anonymous statistics that help to understand how customers use the website, which allows improving its structure and content;
    2. ensuring the smooth functioning of the Website and adapting it to the needs of customers;
    3. providing advertising services – presenting advertising messages tailored to the User’s preferences.
  3. The administrator uses the following analytical and marketing tools provided by partners:
    1. Google Analytics – provides statistics and basic analytical tools to measure User behavior on the website.More information: .
    2. Doubleclick – it is a platform that enables partners to implement advertising campaigns commissioned by us, i.e. their planning, display, measurement of implementation and reporting. We try to make our advertisements best suited to the interests of Users. More information: .
    3. Hubspot– is a platform that allows you to integrate marketing, sales, content management and customer service. More information can be found in the company’s privacy policy:
  4. Cookie mechanism is safe for end devices used by the Website. In particular, this way is not possible to get viruses or other unwanted software or malware to the Customers’ end devices. Nevertheless, in their browsers, Users have the option of limiting or disabling the access of cookies to end devices. If you use this option, the use of the Website will be possible, except for functions that by their nature require cookies. 
  5. The website client has the option of refusing to consent to the use of cookies in cases where the Administrator’s consent is required by law by pressing the “<I reject all>” button on the screen informing about the use of cookies . the website user also has the option of managing cookies by changing the settings on his device. The Customer’s consent will not be required when storing or accessing cookies is necessary in order to complete the operation requested by the user.
  6. The administrator does not use cookies to profile visitors to the websites referred to above.
  7. Below we present how you can change the settings of popular web browsers regarding the use of cookies: 
    1. Internet Edge
    2. Mozilla Firefox 
    3. Chrome browser 
    4. Safari browser
    5. Opera browser.
  8. The Administrator may collect Customers’ IP addresses. The IP address is a number assigned to the end device of the person visiting the Website by the Internet service provider. The IP number allows access to the Internet. In most cases, it is dynamically assigned to the end device, i.e. it changes each time you connect to the Internet, and for this reason it is commonly treated as non-personal identifying information. The IP address is used by the Administrator when diagnosing technical problems with the server, creating statistical analyzes (e.g. determining from which regions we record the most visits), as information useful in administering and improving the Website, as well as for security purposes and possible identification of undesirable automatic programs for viewing the content of the Website. 

The website contains links and references to other websites. The administrator is not responsible for the privacy protection rules applicable to them.


  1. The Administrator processes the personal data of users who visit the Administrator’s profiles that are run in social media (Facebook, Linkedin ). These data are processed only in connection with maintaining the profile, including to inform users about the Administrator’s activity and to promote various types of events, services and products. The legal basis for the processing of personal data is the legitimate interest (Article 6para.1f) of the GDPR) consisting in promoting own brands.
  2. On the website, the Administrator uses social plugins of various websites.
  3. When using plug-ins, your web browser establishes a direct connection to the servers of the social network. The website operator receives the information that the user’s web browser has displayed the corresponding page of our online offer, even if the user does not have an account with this provider or is not currently logged in there. In this case, the log files (including the IP address) are sent directly by the Internet browser to the server of the respective provider and stored there, if necessary. The location of the provider or its server may be outside the EU or EEA (e.g. in the USA).
  4. Facebook plugins – our website contains plugins for the social network Facebook, Facebook Inc., 1 Hacker Way , Menlo Park, California 94025, USA. You can recognize the Facebook plug-ins by the Facebook logo or the Like button on our website. For an overview of Facebook plugins, see: . Information on Facebook’s privacy policy can be found here:
  5. LinkedIn plugin – our website uses functions from the LinkedIn network. The service is provided by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. You can find an overview of the LinkedIn plugins and their appearance here: . Information on data protection can be found on LinkedIn here:
  6. Hubspot – we use the Hubspot platform to integrate marketing, sales, content management and customer service. More information can be found in the privacy policy of the company that helps us implement this tool:


Rights of data subjects

Data subjects have the following rights:

  1. The right to information about data processing – on this basis, the Administrator provides the person submitting such a request with information about the processing of their personal data, including, in particular, about the purposes and legal grounds for processing, the scope of data held, entities to which they are disclosed and the planned date of their removal;
  2. The right to obtain a copy of the data – on this basis, the Company provides a copy of the processed data regarding the person submitting the request;
  3. The right to rectification – the Administrator is obliged to remove any inconsistencies or errors in the processed personal data and supplement them if they are incomplete;
  4. The right to delete data – on this basis, you can request the deletion of data, the processing of which is no longer necessary to achieve any of the purposes for which they were collected;
  5. The right to limit processing – in the event of such a request, the Administrator will cease to perform operations on personal data, with the exception of operations to which the data subject has consented and their storage, in accordance with the adopted retention rules or until the reasons for limiting data processing cease to exist ( e.g. a decision of the supervisory authority will be issued, allowing further data processing);
  6. The right to transfer data – on this basis, to the extent that personal data is processed in connection with the concluded contract or consent, the Administrator will issue personal data provided by the person to whom they relate, in a format that allows them to be read by a computer. It is also possible to request that these data be sent to another entity – however, provided that there are technical possibilities in this respect both on the part of Exorigo-Upos SA and that other entity;
  7. The right to object to the processing of data for marketing purposes – the data subject may object to the processing of personal data for marketing purposes at any time, without the need to justify such an objection;
  8. The right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data on the basis of the legitimate interest of the Administrator (e.g. for analytical or statistical purposes or for reasons related to the protection of property). An objection in this respect should contain a justification;
  9. The right to withdraw consent – if personal data are processed on the basis of consent, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before the withdrawal of this consent;
  10. Right to complain – if it is found that the processing of personal data violates the provisions of the GDPR or other provisions regarding the protection of personal data, the data subject may submit a complaint to the President of the Office for Personal Data Protection.


The administrator has appointed a Data Protection Officer who can be contacted:

  1. via e-mail
  2. by correspondence to the address of Exorigo-Upos SA ul. Skierniewicka 10A, 01-230 Warsaw with the note “personal data protection”.

The response to the notification should be given within one month of its receipt. If it is necessary to extend this period, the Company will inform the applicant about the reasons for such extension.


  1. In the event of a change in the applicable privacy policy, appropriate modifications to the above provision will be made.
  2. Questions related to the Privacy Policy should be sent to the following address:
  3. Date last modified: 30.03.2023