Privacy Policy

1. data controller

The controller of the personal data is Legitize sp. z o.o with its registered office in Warsaw, address: ul. Prosta 51/ P.1, 00-838 Warsaw, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, XIV Economic Division of the National Court Register under the KRS number 0001148544, NIP 9522264978, REGON 540620061 (hereinafter referred to as "Administrator„).

Data subjects whose data the controller processes

The controller processes data:

• visitors to and users of the website https://legitize.io/ ("Website");
• people who follow and interact with the Administrator's profiles on social networks (LinkedIn);
• persons who contact the Administrator via e-mail, telephone, or the contact form on the Site or other available communication channels;
• candidates for the Administrator's staff;
• our business partners (advisors or consultants, contractors and service providers to the Administrator.

3 Method of data extraction

The controller obtains personal data directly from the data subjects when the data subjects:

• browse the Site;
• follow and interact with the Administrator's social media channels;
• contact the Administrator via e-mail, telephone or the contact form on the Site or other available communication channels;
• respond to the Administrator's job offers;
• contact the Administrator in the course of business cooperation, consulting or advising, performing and providing services to the Administrator.

4 Aims and legal basis of data processing

Personal data is processed for the following purposes:

1. Visitors and users of the Site:
   • To ensure the proper technical functioning of the Site (Article 6(1)(b) of the RODO);
   • Responding to enquiries (Article 6(1)(f) RODO);
   • profiling for the purpose of analysing statistics on the use of our Website (Article 6(1)(f) RODO).

The provision of personal data is necessary for the use of our Site.

2. Individuals who follow and interact with the Administrator's profile on LinkedIn:
   • informing about the benefits provided by the Administrator and building a positive image of the Administrator (Article 6(1)(f) RODO);
   • responding to enquiries and comments received via social media (Article 6(1)(f) of the DPA).

The provision of personal data is necessary in order to observe the Administrator's social media profiles and respond to queries and comments via these media.

3. Persons contacting the Administrator by email, telephone or form:
   • responding to enquiries (Article 6(1)(f) RODO).

4. Candidates for the Administrator's staff:
   • to carry out the recruitment process and to assess the candidate's ability, competence and suitability for the position applied for (Article 6(1)(b) of the DPA and Article 6(1)(a) of the DPA);
   • retention of documentation related to the job application for the purposes of future recruitment processes - provided the candidate has given his/her consent (Article 6(1)(a) RODO);
   • fulfilment of legal obligations that arise from the Labour Code and other provisions of Polish labour law (Article 6(1)(c) of the DPA).

Within the scope of the provisions of the Labour Code (art. 22¹) the provision of personal data by the candidate is necessary for the recruitment process. Otherwise, the provision of data is voluntary and is not a condition for taking part in the recruitment. If the candidate does not want the Administrator to process his/her personal data to a greater extent than specified in the provisions of the Labour Code, he/she should refrain from including such data in his/her application. 

5. Business partners:
   • Contact with employees of business partners who are legal entities (Article 6(1)(f) RODO);
   • Contact with business partners, running a sole proprietorship (Article 6(1)(b) RODO);
   • The defence and assertion of claims arising from contracts concluded with our business partners (Article 6(1)(f) RODO).

The provision of personal data is necessary for the establishment and operation of a business relationship with the Administrator.

5 Types of data processed

Depending on the purpose of the processing, different personal data may be processed.

In the case of:

1. visitors to and users of the Site 

• IP address, data stored in cookies;

2. people who follow the Administrator's profile on LinkedIn and interact with it:

• your name or nickname, other information which is publicly available on your profile or which you voluntarily provide;

3. persons who contact the Administrator via e-mail, telephone, or the contact form on the Site or other available communication channels

• your name, email address, telephone number or other information you voluntarily provide;

4. candidates for the Administrator's staff

• name, e-mail address, telephone number, information on education, qualifications and previous employment and other information which you voluntarily provide;

5. business partners (advisers or consultants, contractors and service providers to the Administrator)

• name, VAT number, e-mail address, telephone number.

6 Data retention period

Personal data is stored:

1. visitors to and users of the Site:

• The Administrator stores information about the IP address for as long as it is archived in the logs of the server on which the Website is located, i.e. for 5 years;
• The information contained in cookies shall be stored by the Administrator in accordance with the retention periods contained in the table contained in point. 9 of this document.

2. individuals who follow and interact with the Administrator's profile on LinkedIn:

• the data necessary to follow the Administrator's social media profiles and respond to queries through this medium will be stored by the Administrator as long as the person remains an observer of the Administrator's profile or interacts with it, with interactions such as comments or likes remaining visible even after the person stops following the Administrator's profile, as long as the person does not revoke or delete them.

3. persons who contact the Administrator via e-mail, telephone or the contact form on the Site or other available communication channels:

• the data necessary to respond to enquiries the Administrator shall retain for as long as is necessary to resolve the case or as long as is required by the limitation periods laid down by law;
• In addition, personal data needed by the Administrator to defend or assert claims shall be retained by the Administrator for as long as required by the statute of limitations for claims.

4.Candidates for the Administrator's staff:

• if the candidate does not consent to the processing of personal data contained in the recruitment documents for the purposes of future recruitment, this data will be deleted immediately after the recruitment for the position applied for has ended;
• if the candidate consents to the processing of personal data contained in the recruitment documents for the purposes of future recruitment, the Administrator will keep this data until the consent is withdrawn, but no longer than for 2 years after the end of the recruitment.

5. business partners (advisors or consultants, contractors and service providers to the Administrator)

• personal data obtained by contacting employees of business partners who are legal entities and by contacting business partners who are sole proprietors, the Administrator retains as long as required by tax law;
• In addition, the data needed by the Administrator to defend or enforce claims arising from contracts concluded with business partners is stored by the Administrator for as long as required by the legal limitation periods for claims.

7 Recipients of personal data

Data may be transferred depending on the category of persons providing it:

1. visitors to and users of the Site:

• providers of IT services and systems, including services and analytical tools that the Administrator uses to operate the Website and to analyse statistics on its use;
• legal advisers and consultants serving the Administrator to the extent that disclosure is necessary for the use of their services;

2. individuals who follow and interact with the Administrator's profile on LinkedIn:

• social network operators;
• entities contracted by the Administrator to maintain social media profiles;
• providers of IT services and systems that the Administrator uses to maintain profiles on LinkedIn
• legal advisers and consultants serving the Administrator to the extent that disclosure is necessary for the use of their services;

3. persons who contact the Administrator via e-mail, telephone or the contact form on the Website or other available communication channels:

• email operators;
• postal operators and couriers;
• providers of IT services and systems that the Administrator uses for the use of e-mail and the Site;
• legal advisers and consultants serving the Administrator to the extent that disclosure is necessary for the use of their services;

4. candidates for the Administrator's staff:

• providers of IT services and systems that the Administrator uses to manage recruitment processes;
• legal advisers and consultants serving the Administrator to the extent that disclosure is necessary for the use of their services;

6. business partners (advisors or consultants, contractors and service providers to the Administrator):
   • entities providing accounting and bookkeeping services to the Administrator;
   • IT service and system providers, used for management within the Administrator's organisational structure;
   • legal advisers and consultants serving the Administrator to the extent that disclosure is necessary for the use of their services.

As the Administrator uses Google Work Space, personal data may be transferred by this entity outside the European Economic Area on the basis of standard contractual clauses (Article 46(2)(c) RODO). Any questions regarding the transfer of data outside the EEA should be addressed directly to this entity.More information can be found here: https://policies.google.com/privacy?hl=pl

8 Rights of data subjects 

Every data subject has the right to:

1. Access, rectification, erasure or restriction of processing. 

At any time, the person whose data the Administrator processes has the right to access information about him or her and to rectify it if it is incorrect, and at his or her request, the Administrator will delete the data collected about him or her once the purpose for which the data was collected has been fulfilled. At any time, the data subject also has the right to request the Administrator to erase the data about him or her or to restrict the processing of the data.

2. Transfer of personal data (in case of processing based on consent or contract).

To the extent that personal data is processed by automated means for the performance of a contract (Art. 6(1)(b) RODO) or on the basis of consent (Art. 6(1)(a) RODO, Art. 9(2)(a) RODO), the data subject has the right to receive personal data concerning him or her from the Controller in a structured, commonly used machine-readable format, and has the right to send this personal data to another controller without hindrance from the Controller.

3. To object to the processing of data.

To the extent that personal data is processed for the purposes of the legitimate interests of the Controller (Article 6(1)(f) RODO), the data subject has the right to object to the processing of personal data.

4. Withdrawal of consent to data processing.

To the extent that personal data is processed for the purposes of the legitimate interests of the Controller (Article 6(1)(f) RODO), the data subject has the right to object to the processing of personal data.

5. Submit a complaint to the President of the Data Protection Authority.

If the person whose data is processed by the Controller finds that such processing of personal data violates the applicable data protection regulations, he/she has the right to lodge a complaint to the supervisory authority, i.e. the President of the Office for Personal Data Protection in Warsaw.

9 Cookies and tracking technologies

Cookies are small packets of information stored on terminal equipment, usually containing the address of the service, the date of placement, the expiry date, a unique number and additional information according to the purpose of the file.

Cookies used by the Website:

The storage of cookies can be deactivated directly on the device used to connect to the Website, according to the instructions of the browser manufacturer:

–        Google Chrome

–        Safari

–        Mozilla Firefox

For information on how to configure and delete cookies in other web browsers, please refer to their manufacturers' websites. 

10. automated decision-making

The administrator does not use automated decision-making or profiling.

11. Changes to the privacy policy

Date of last update: 12 February 2025. The provisions of this policy may be updated. The latest version of the document is always available on the Site and is dated as last updated.

12 Contact

The Administrator can be contacted on matters related to data protection:

• Email: karolina@legitize.io
• Address: Legitize sp. z o.o., 9 Majowa Street 05-077 Warsaw