Privacy Policy

1. Identity of the Data Controller

The data controller for personal data collected through the website riwumo-rahude.info is Riwumo Rahude, with its registered address at Kazimierza Gierdziejewskiego 7, Warszawa, Poland. Contact regarding data protection matters may be directed to [email protected] or by telephone to +48 22 478 3800.

This Privacy Policy applies to all personal data processed in connection with use of the website and any communications sent through it. Processing is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, "GDPR") and the Polish Act of 10 May 2018 on the Protection of Personal Data (Dz.U. 2018 poz. 1000, as amended).

2. Categories of Personal Data Collected

We collect personal data only to the extent necessary for the purposes described in this policy. The categories of data we may process include:

• Contact data: name and email address provided when submitting the contact form.
• Communication data: the content of messages sent to us via the contact form or by email.
• Technical data: IP address, browser type, operating system, pages visited, and timestamps generated automatically by web server logs. This data does not directly identify individuals in most circumstances but may constitute personal data under GDPR.
• Cookie data: information stored in browser cookies as described in our Cookie Policy, including consent preferences. Analytical and functional cookies are only set with your explicit consent.

We do not collect special categories of personal data (sensitive data) as defined in Article 9 GDPR, including data concerning health, financial account details, or biometric identifiers.

3. Purposes and Legal Bases for Processing

We process personal data for the following purposes and on the following legal bases under Article 6 GDPR:

• Responding to contact form enquiries: processing is necessary for the performance of steps taken at the request of the data subject prior to entering into a contract, or alternatively on the basis of our legitimate interest in responding to communications directed to us (Article 6(1)(b) and (f) GDPR).
• Website security and administration: processing of technical log data is based on our legitimate interest in maintaining the security and proper functioning of the website (Article 6(1)(f) GDPR).
• Compliance with legal obligations: where applicable law requires retention or disclosure of data, processing is based on Article 6(1)(c) GDPR.
• Analytics and improvement of the website: where consent has been obtained for analytical cookies, processing is based on Article 6(1)(a) GDPR. Consent may be withdrawn at any time through the cookie preferences panel accessible from any page of the website.

4. Data Retention Periods

Personal data is retained only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Specific retention periods are as follows:

• Contact form data (name, email, message content) is retained for a period of up to 12 months from the date of the initial communication, unless a longer period is required to resolve a matter or comply with a legal obligation.
• Technical log data is retained for up to 90 days in standard operation, subject to extension where required for security investigation purposes.
• Cookie consent records are retained for 12 months, corresponding to the consent validity period.

Where data is no longer required, it is deleted or anonymized in a manner that prevents reconstruction of identifiable information.

5. Disclosure to Third Parties

We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. Personal data may be disclosed in the following limited circumstances:

• Service providers: we use third-party service providers for website hosting and email delivery. These providers act as data processors under GDPR and are bound by data processing agreements that require them to process data only on our instructions and in accordance with applicable law.
• Legal obligations: where we are required to disclose personal data by law, court order, or regulatory requirement, we will do so. Where possible and legally permissible, we will notify the data subject.
• Business transfers: in the event of a merger, acquisition, or transfer of substantially all assets, personal data held by us may form part of the transferred assets, subject to this Privacy Policy continuing to apply.

Where personal data is transferred to countries outside the European Economic Area, we ensure appropriate safeguards are in place in accordance with Chapter V GDPR, including standard contractual clauses where applicable.

6. Rights of Data Subjects

Under GDPR and applicable Polish law, you have the following rights regarding your personal data:

• Right of access (Article 15 GDPR): you may request a copy of the personal data we hold about you and information about how it is processed.
• Right to rectification (Article 16 GDPR): you may request correction of inaccurate or incomplete personal data.
• Right to erasure (Article 17 GDPR): you may request deletion of your personal data where there is no longer a lawful basis for processing, subject to any overriding legal obligations we may have.
• Right to restriction of processing (Article 18 GDPR): you may request that we limit processing of your personal data in certain circumstances.
• Right to data portability (Article 20 GDPR): where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used format.
• Right to object (Article 21 GDPR): you may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
• Right to withdraw consent: where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond within one month of receipt of the request, as required by Article 12 GDPR.

7. Right to Lodge a Complaint

If you believe that the processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with the supervisory authority. In Poland, the competent supervisory authority is:

Prezes Urzędu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa
Website: uodo.gov.pl
Email: [email protected]

You also have the right to seek judicial remedy against the controller or processor and to seek compensation for material or non-material damage resulting from an infringement of GDPR (Article 82 GDPR).

8. Security Measures

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (Article 32 GDPR). These measures include use of encrypted connections (HTTPS/TLS) for data transmission, access controls limiting data access to authorised personnel, and regular review of security practices.

No method of data transmission or storage is completely secure. While we take all reasonable steps to protect personal data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the supervisory authority in accordance with Articles 33 and 34 GDPR.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The date of the most recent revision is shown at the top of this document. Where changes are material, we will take appropriate steps to inform users. Continued use of the website after changes to this policy constitutes acceptance of the revised policy.

For questions about this Privacy Policy or data processing practices, contact us at [email protected].