Privacy Policy

§1
GENERAL PROVISIONS

1.This document sets out the Privacy Policy for the website operating at www.cwmip.pl, run by CWMiP Chimiak, Witkowska, Muczkowska, Pilecka sp.j., Rondo Ignacego Daszyńskiego 2B, 00-843 Warsaw, entered in the Register of Entrepreneurs of the National Court Register under number KRS 0001111241. The document specifically includes provisions concerning the protection of personal data and the security of other data entered into the Service by the User.

2. The Privacy Policy constitutes an integral annex to the Terms of Service of the website www.cwmip.pl.

§2
DEFINITIONS

The terms used in this document mean:

1.Personal Data Controller (also referred to as the Controller) – CWMiP Chimiak, Witkowska, Muczkowska, Pilecka sp.j.

2. Service – the website at www.cwmip.pl and all its subpages.

3. User – a natural person who uses the Service and provides their personal data through it.

4. Personal Data – information about a natural person who is identified or identifiable by one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity, including image, voice recordings, contact details, location data, information contained in correspondence, and information collected via recording devices or other similar technology.

5. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.

6. Terms of Service – the Terms of Service of the website www.cwmip.pl.

§3
PERSONAL DATA PROTECTION

1.The Controller is the personal data controller within the meaning of the GDPR.

2. The Controller collects and processes personal data in accordance with applicable legal regulations, including in particular the GDPR, and in accordance with the principles set out therein.

3. The Controller informs about data processing at the time of data collection. The Controller processes data within the scope, duration, and purposes indicated each time in the content provided alongside forms used to collect personal data from the User.

4. The Controller transfers Personal Data only to trusted subcontractors, such as couriers, providers responsible for IT systems, banks and payment operators, accounting and legal service providers, marketing agencies (in the scope of marketing services), and entities providing other IT and programming services.

5. The Controller has the right to transfer selected Personal Data of the User to competent authorities or third parties if required by applicable law and if such entities request access based on a relevant legal basis.

6. The Controller ensures the security and confidentiality of processed personal data and provides the User with access to information regarding the data processing. If, despite security measures, a personal data breach occurs (e.g., a data leak or loss) and it poses a high risk to the User’s rights or freedoms, the Controller will inform the User in accordance with legal requirements.

Users may contact the data controller at:
Mailing address: Rondo Ignacego Daszyńskiego 2B, 00-843 Warsaw
Email: cwmip@cwmip.pl
Phone number: +48 696 480 603

§4
PERSONAL DATA SECURITY

1.The Controller uses all available technical and organizational measures to ensure the security of the User’s personal data and to protect it from accidental or intentional destruction, accidental loss, alteration, unauthorized disclosure, or access. Users’ personal data is stored and processed on secure servers using appropriate security measures in accordance with Polish law.

2. The data is stored on high-class equipment and servers in well-secured data centers accessible only to authorized individuals.

3. The Controller processes personal data in compliance with all legal and technical requirements. It continuously analyzes risks associated with personal data processing and ensures access to the data is granted only to authorized individuals and only to the extent necessary for them to fulfill their duties.

4. The Controller also ensures that its subcontractors and partners apply appropriate security measures when processing personal data on the Controller’s behalf.

5. The Controller commits to storing backup copies containing the User’s personal data.

§5
USER RIGHTS

1. If a User’s personal data changes, they should update it by sending a relevant message to the Controller.

2. The User has the following rights:
a. the right to information about the processing of personal data,
b. the right to obtain a copy of the personal data processed by the Controller,
c. the right to rectify personal data,
d. the right to delete personal data (based on this, the User may request deletion of data that is no longer necessary for the purposes it was collected),
e. the right to restrict the processing of personal data,
f. the right to data portability,
g. the right to object to the processing of personal data for marketing purposes (the User may object at any time without providing justification),
h. the right to object to other data processing purposes (the User may object at any time, based on their specific situation; such objection must be justified),
i. the right to withdraw consent if data is processed based on prior consent (withdrawing consent does not affect the lawfulness of processing before the withdrawal),
j. the right to lodge a complaint with the supervisory authority competent for the User’s habitual residence, workplace, or the place of the alleged infringement. In Poland, the supervisory authority is the President of the Personal Data Protection Office.

3. The Controller may refuse to delete the User’s personal data if retaining it is required by law.

4. Users may submit requests regarding the above rights by post or email. The Controller’s contact details are provided in §3(7).

5. If the Controller is unable to identify the person based on the request, it will ask the applicant for additional information. Failure to provide such information will result in refusal to fulfill the request.

6. The Controller shall respond to the request within one month of receipt. If more time is needed, the Controller will inform the applicant about the reasons and the expected time for the response.

§6
LEGAL BASIS, PURPOSE, AND DATA RETENTION PERIOD

1.Personal data is processed for the following purposes and based on the following legal grounds:
a. Use of the Website:
Personal data of all individuals using the Website (including IP address or other identifiers and information collected via cookies or similar technologies) is processed by the Controller for the following purposes:
i. to provide electronic services (legal basis: necessity of processing for the performance of a contract – Article 6(1)(b) of the GDPR),
ii. to establish, pursue, or defend against claims (legal basis: the Controller’s legitimate interest – Article 6(1)(f) of the GDPR, which is the protection of the Controller’s rights).

b. Contact form, traditional and electronic correspondence (email):
The User may send messages to the Controller using the contact details available on the Website, in the Terms of Service, or in this Privacy Policy, as well as via the contact form available on the Website. Personal data contained in such correspondence is used solely for communication and handling the matter the correspondence concerns. The legal basis for data processing is the Controller’s legitimate interest – Article 6(1)(f) of the GDPR – in maintaining correspondence related to its business operations, or, if the contact relates to services or a contract, the necessity of processing for the performance of a contract – Article 6(1)(b) of the GDPR.

c. Telephone contact:
The User may contact the Controller by phone regarding services or an existing contract, or for other matters. If the phone call is not related to a contract or service, the Controller may request personal data only if necessary to address the matter. The legal basis for processing is the Controller’s legitimate interest – Article 6(1)(f) of the GDPR – in addressing matters related to its business operations, or, if the call concerns a contract or service, the necessity of processing for the performance of a contract – Article 6(1)(b) of the GDPR.

d. Social media profiles:
The Controller maintains social media profiles (e.g., on LinkedIn). It processes personal data left by individuals interacting with these profiles, such as comments or online identifiers. This data is used to manage the profiles effectively and allow interaction. The legal basis for processing is the Controller’s legitimate interest – Article 6(1)(f) of the GDPR – in promoting its business and services, and if needed, for pursuing or defending against third-party claims. This does not cover data processing by the social media platforms themselves. Users should refer to the privacy policies of the respective platforms for their data processing practices.

2. The duration of personal data processing depends on the service provided, the purpose, and the legal basis for processing. As a general rule, data is processed for the duration of the service or order. When processing is based on consent, the data is processed until that consent is effectively withdrawn. If processing is based on the Controller’s legitimate interest, the data is processed until a valid objection is raised.

3. The period referred to in section 2 may be extended if the data must be retained to establish, pursue, or defend against legal claims. After this period, personal data may only be processed to the extent required by applicable law.

4. After the processing period expires, personal data is either deleted or irreversibly anonymized.

§7
COOKIE POLICY

1.The Controller uses cookies. Cookies are small text files sent by the Website and stored on the User’s end device (e.g., computer or smartphone).

2.The Website uses two types of cookies: session cookies and persistent cookies. Session cookies are temporary and remain on the User’s device until logging out, leaving the site, or closing the browser. Persistent cookies remain on the User’s device for the period specified in the cookie parameters or until manually deleted.

3. The Controller uses the following types of cookies on the Website:
a. Necessary cookies – these enable the use of services and features available on the Website, such as user authentication or filling a shopping cart during an online purchase.

4. The legal basis for processing data in connection with the use of necessary cookies is the necessity of processing personal data to perform a contract (Article 6(1)(b) of the GDPR).

5. Consent referred to in section 5 is given via a relevant form displayed during the User’s first visit to the Website. This consent can be withdrawn or adjusted at any time. To change or withdraw previously given consent, contact the Controller.

6. The User can modify cookie settings via their web browser.

7. Changing cookie and similar technology settings may affect the functionality of the Website and the services it provides.

§8
SERVER LOGS

1.Like most websites, the Controller stores HTTP requests directed to its server (server logs). This means the Controller stores the following information:
a. IP addresses from which users access the Website,
b. time of the request,
c. time of the response,
d. client station name – identified via the HTTP protocol,
e. information about errors that occurred during the HTTP transaction,
f. the URL of the previously visited page (referrer link),
g. browser information.

2. Collected logs are stored for an indefinite period as auxiliary material for Website administration. The information contained therein is not disclosed to anyone except persons authorized to administer the Website. Log files may be used to generate statistics that help manage the Website. Such summaries do not contain any identifying features of visitors.

3. The information contained in the logs is processed by the Controller for technical and administrative purposes, for system security, and for system management. The legal basis for processing personal data in this context is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).

§9
DATA TRANSFER OUTSIDE THE EEA

1.When using tools that support the Controller’s ongoing operations (e.g., those provided by Google), Users’ personal data may be transferred outside the European Economic Area (EEA), particularly to the United States or another country where the cooperating entity processes personal data on behalf of the Controller.
The Controller transfers personal data outside the EEA only when necessary and only with appropriate safeguards in place, primarily through the use of standard contractual clauses issued by the European Commission.

§10
FINAL PROVISIONS

1. This Privacy Policy is subject to updates based on ongoing analysis of technical and legal conditions related to personal data processing.

2. This Privacy Policy is effective as of April 18, 2025.