Privacy Policy

#Privacy and Cookies Policy of WPPoland.com

This Privacy Policy explains how WPPoland processes personal data of users of wppoland.com, the contact form, and related communication channels.

#§1. Data Controller and Contact

The data controller is Mariusz Szatkowski, operating as WPPoland Mariusz Szatkowski, ul. Starowiejska 16/2, 81-356 Gdynia, Poland, Tax ID (NIP): 7393037445.

Contact for privacy matters:

• e-mail: [email protected]
• postal address: WPPoland Mariusz Szatkowski, ul. Starowiejska 16/2, 81-356 Gdynia, Poland

#§2. Scope and Definitions

1. This policy applies to users of wppoland.com in all language versions.
2. Definitions:
   • Service: the website wppoland.com.
   • User: a natural person using the Service or contacting the Controller.
   • GDPR: Regulation (EU) 2016/679.

#§3. Purposes and Legal Bases

We process personal data only where we have a legal basis:

1. Contact and handling inquiries (form/e-mail):
   • Art. 6(1)(b) GDPR (steps prior to entering into a contract),
   • Art. 6(1)(f) GDPR (legitimate interest: communication and inquiry handling).
2. Security and stability of the Service (logs, abuse protection):
   • Art. 6(1)(f) GDPR.
3. Traffic analytics (Umami) and Service development:
   • Art. 6(1)(a) GDPR (consent for analytics; Umami is cookieless and anonymous and loads only after consent is granted),
   • Art. 6(1)(f) GDPR for strictly necessary technical measurements.
4. Compliance with legal obligations (e.g., tax/accounting):
   • Art. 6(1)(c) GDPR.
5. Establishing, exercising, or defending legal claims:
   • Art. 6(1)(f) GDPR.

#§4. Categories of Data

1. Data provided by the User via form or e-mail, such as name, e-mail address, message content, and any other data submitted voluntarily.
2. Automatically collected technical data: IP address, device type, operating system, browser, connection time, server logs, and cookie identifiers.

#§5. Contact Form and Processors

1. The contact form is technically operated by Web3Forms.
2. Web3Forms acts as a technical provider (processor or separate controller under its own terms), and form data are forwarded to the Controller.
3. The Controller processes received form data for the purposes described in this policy.
4. Web3Forms privacy policy: https://web3forms.com/privacy.

#§6. Data Recipients and Transfers Outside the EEA

1. Data may be shared with entities supporting the Controller, in particular hosting providers, analytics/security providers, and IT service providers.
2. Because contact-form data are handled via Web3Forms and the Service is hosted on Cloudflare, some data may be transferred outside the EEA (e.g., to the USA) with safeguards required by GDPR, including Standard Contractual Clauses (SCCs), and where applicable also based on the EU-U.S. Data Privacy Framework. Umami Cloud (analytics) processes its anonymized, cookieless usage data within the EU/EEA, so the analytics service does not involve a transfer outside the EEA.
3. Data are disclosed to public authorities only where legally required.

#§7. Retention Periods

1. Contact data: for the period necessary to handle an inquiry and follow-up communication, then for the limitation period for claims (typically up to 3 years unless a longer period is required by law).
2. Data processed due to legal obligations (e.g., accounting/tax): for statutory retention periods (typically 5 years from the end of the relevant tax year).
3. Analytics data: Umami collects anonymized, cookieless usage statistics and stores no personal data; analytics consent can be withdrawn at any time.
4. Server logs and security data: for as long as necessary to ensure security and investigate incidents, typically no longer than 12 months unless needed longer for legal defense.
5. Data processed under legitimate interest: until an effective objection is raised or the purpose ceases.

#§8. User Rights

Users have the right to:

1. access personal data,
2. rectify data,
3. erase data,
4. restrict processing,
5. data portability (where applicable),
6. object to processing based on Art. 6(1)(f) GDPR,
7. withdraw consent at any time (without affecting lawfulness before withdrawal),
8. lodge a complaint with a competent supervisory authority, including the President of the Personal Data Protection Office (UODO) in Poland (ul. Stawki 2, 00-193 Warsaw), or your local EU/EEA authority.

Requests can be sent to: [email protected]. We respond without undue delay, usually within 1 month from receipt. For complex requests, the deadline may be extended by up to 2 additional months, and we will inform you of the reasons. We may request identity verification before completing a request.

#§9. Cookies and Similar Technologies

1. The Service uses:
   • necessary cookies (operation and security),
   • functional/security cookies where required for Service operation.
2. Analytics is provided by Umami, which is cookieless and anonymous: it sets no tracking cookies, collects no personal data, and does not track Users across sites. It loads only after the User grants the analytics consent category.
3. Non-essential technologies are used based on User consent where required by law.
4. Consent can be changed or withdrawn in cookie settings and browser settings.
5. Umami privacy details: https://umami.is/privacy.

#§10. Security and Incidents

1. We apply technical and organizational safeguards appropriate to risk, including HTTPS, access control, and security monitoring.
2. In case of a personal data breach, we act in accordance with GDPR, including notification to the supervisory authority where required (typically within 72 hours of becoming aware of the breach).
3. We do not use solely automated decision-making, including profiling, that produces legal effects concerning users or similarly significantly affects them.

#§11. Policy Updates

1. This policy may be updated due to legal, technological, or organizational changes.
2. The current version is always available on wppoland.com.
3. Material changes are communicated on the Service.

#Legal Notice

WPPoland Mariusz Szatkowski
ul. Starowiejska 16/2
81-356 Gdynia, Poland
E-mail: [email protected]

#Image Credits

The photographs of Mariusz Szatkowski used on this website were taken by Marta Weronika Pawłowska.

#§12. Data Subject Rights

#Right to Access

Users have the right to access their personal data. Access requests get processed within one month. Identity verification may be required.

Access includes data copies in common electronic formats. Reasonable requests get accommodated free of charge. Excessive requests may incur reasonable fees.

#Right to Rectification

Inaccurate personal data gets corrected promptly. Complete incomplete data gets completed. Rectification requests require verification.

Notifications get sent to recipients where required. Data subjects get informed about recipients.

#Right to Erasure

Users may request erasure of their personal data. Erasure applies when data is no longer necessary. Withdrawal of consent triggers erasure rights.

Exceptions exist for legal obligations and legal claims. Erasure may affect service delivery. Consequences get explained to data subjects.

#Right to Restriction

Users may request restriction of processing. Restriction applies during accuracy disputes. Processing gets limited pending resolution.

Data may get stored but not processed further. Restrictions get lifted when grounds end. Data subjects get informed before restrictions lift.

#Right to Portability

Users may receive their data in structured formats. Common electronic formats enable data transfer. Portability applies to automated processing bases.

Data gets transmitted directly where technically feasible. Alternative formats get provided when direct transmission is impossible.

#Right to Object

Users may object to processing based on legitimate interests. Objections get assessed promptly. Processing stops unless compelling grounds override.

Direct marketing objections get honored immediately. No justification needed for marketing objections.

#Complaints

Users may lodge complaints with supervisory authorities. Polish supervisory authority is UODO. Complaints get addressed internally first.

Supervisory authority contact information gets provided. Complaints do not affect other rights.

#§13. Third-Party Processors

#Hosting Services

Our hosting provider processes data on our behalf. Hosting includes server storage and maintenance. Data processing agreements govern these relationships.

Hosting providers meet security standards. Regular audits verify compliance. Data stays within EU where possible.

#Analytics Tools

Umami (Umami Cloud) processes anonymized usage data. Umami Cloud is hosted in the EU/EEA. Analytics helps understand website usage. Umami is cookieless and privacy-friendly by design.

Analytics data stays anonymous and stores no personal data. Umami does not track users across sites. Users may withdraw analytics consent anytime.

#Communication Tools

Email services process communications. Support tickets get stored securely. Communication data retention follows legal requirements.

Email marketing requires explicit consent. Unsubscribe options get honored promptly. Contact preferences get respected.

#Payment Processors

Payment processors handle financial transactions. Payment data gets processed by processors. We do not store payment card details.

PCI DSS compliance gets verified. Payment security gets audited. Transaction records get retained as required.

#§14. Cookies and Tracking

#Essential Cookies

Essential cookies enable basic website functions. These cookies do not require consent. Disabling essential cookies affects functionality.

Essential cookies include session management. Security cookies prevent fraud. Load balancing cookies improve performance.

#Analytics

Umami measures website usage without cookies. Usage data helps improve the website. Analytics loads only after consent is granted.

Umami provides anonymous usage insights. Data stays anonymous and includes no personal data. Users may withdraw consent anytime.

#Marketing Cookies

Marketing cookies track visitors across websites. Targeting enables personalized advertising. Marketing requires explicit consent.

Third-party advertisers may use cookies. Ad preferences get managed through industry tools. Consent management gets implemented.

#Cookie Management

Browser settings manage cookies. Consent tools on website control tracking. Opt-out options disable tracking.

Cookies get reviewed periodically. Unnecessary cookies get removed. New cookies get assessed for necessity.

#§15. Data Retention

#Contact Inquiries

Contact inquiry data gets retained for one year. Inquiries not leading to projects get deleted. Project-related data gets retained longer.

Communication records support dispute resolution. Business records get retained as required by law. Retention periods follow legal requirements.

#Website Analytics

Umami stores only anonymized, cookieless usage statistics and no personal data. Aggregated metrics may be kept for trend analysis. Analytics consent can be withdrawn at any time.

Data aggregation reduces identification risk. Retention reviews happen annually. Unnecessary data gets purged.

#Financial Records

Invoice data gets retained for five years. Tax requirements dictate retention periods. Financial records support compliance.

Archival storage protects historical records. Access gets restricted appropriately. Retention policies follow legal requirements.

#Security Logs

Security logs get retained for three months. Log rotation prevents excessive storage. Logs support incident investigation.

Log analysis identifies security patterns. Automated alerts detect anomalies. Retention supports compliance requirements.

#§16. International Transfers

#EU/EEA Transfers

Data primarily stays within EU/EEA. No additional safeguards needed for EU transfers. GDPR protections apply throughout.

#Third-Country Transfers

Transfers outside EU/EEA require safeguards. Standard Contractual Clauses govern transfers. Adequacy decisions may apply.

Transfer impact assessments get conducted. Additional measures protect data. Transfers get minimized where possible.

#US Services

US services may process data. Privacy Shield or equivalent protections apply. Data gets protected appropriately.

Subcontractor agreements get required. Compliance gets verified periodically. Transfer mechanisms get documented.

#§17. Children’s Data

#Age Restrictions

Services do not target children under 16. Parental consent required for processing children’s data. Age verification does not occur actively.

Parents may request information about children’s data. Parental responsibility gets verified. Data gets deleted upon request.

#Educational Services

Educational services may have different requirements. Parental consent gets obtained where required. Educational institution agreements govern processing.

School verification gets conducted. Educational purpose limitations apply. Data minimization gets implemented.

#§18. Profiling and Automation

#Automated Decisions

No solely automated decisions affect users. Human oversight exists for significant decisions. Profiling does not produce legal effects.

Automated tools assist but do not decide. Human review applies where required. Appeals get handled manually.

#Personalization

Content personalization improves user experience. Recommendations based on past behavior. Personalization uses minimal data.

Users may opt out of personalization. Preference settings get respected. Personalization gets explained where required.

#§19. Links to Third Parties

#External Websites

Links to external websites get provided for information. External sites have separate privacy practices. We do not control external sites.

Third-party privacy policies get reviewed where possible. External sites get monitored for broken links. Linking does not imply endorsement.

#Social Media

Social media features may be integrated. Social media platforms collect data independently. Privacy settings on platforms control sharing.

Social buttons get implemented carefully. Data sharing requires user action. Platform privacy policies govern their practices.

#§20. Business Transfers

#Merger or Sale

Business transfers may involve data transfer. Acquisitions require data protection measures. Customer data transfers with businesses.

Notice gets provided where required. Data protection levels get maintained. Transfer agreements include privacy provisions.

#Insolvency

Insolvency proceedings may affect data. Data gets protected during proceedings. Administrators get bound by privacy obligations.

Data may get transferred to purchasers. Customer interests get protected. Legal requirements get followed.

#§21. Contract Performance

#Service Delivery

Data processing necessary for service delivery. Contract terms govern data use. Service provision requires data processing.

Contract performance includes communication. Account management requires data. Service improvements use aggregated data.

#Customer Support

Support requests require data access. Issue resolution uses necessary data. Support quality depends on information accuracy.

Support interactions get recorded. Training purposes may use support data. Retention follows support policies.

#§22. Legal Compliance

#Law Enforcement

Law enforcement requests get evaluated. Legal process required before disclosure. We object to overbroad requests.

Data may get disclosed with legal authority. Disclosure scope gets limited where possible. Users get notified where permitted.

#Regulatory Requests

Regulatory bodies may request data. Compliance gets assessed carefully. Required disclosures get made appropriately.

Regulatory relationships get managed. Data protection gets maintained. Legal requirements get followed.

#§23. Questions and Contact

#General Inquiries

Questions about this policy get answered. Contact through [email protected]. Response within reasonable timeframes.

Detailed questions may require follow-up. Additional information may get requested. Complex requests may take longer.

#Data Subject Requests

Data subject requests get handled specially. Identity verification gets required. Requests get processed within timeframes.

Expedited processing may get available. Complex requests may require extension. Fees may apply to excessive requests.

#§24. Policy Review

#Regular Reviews

This policy gets reviewed annually. Legal updates get incorporated. Technological changes get addressed.

Industry best practices get considered. User feedback gets reviewed. Policy improvements get implemented.

#User Feedback

Feedback about privacy practices gets welcomed. Concerns get addressed promptly. Suggestions may get implemented.

Privacy remains priority. Continuous improvement gets pursued. User trust gets maintained.