1. Xelto Sp. z o.o., with its registered office at ul. Winogrady 18, 61-663 Poznań, Poland, entered in the Register of Entrepreneurs of the Polish National Court Register (Krajowy Rejestr Sądowy – KRS), maintained by the District Court Poznań-Nowe Miasto i Wilda in Poznań, VIII Commercial Division, under number: 0000472643, holding Polish Tax Identification Number (NIP): 9721243826 and Polish National Business Registry Number (REGON): 302415061, with share capital of PLN 100,000.00 (hereinafter referred to as the "Controller"), is the controller of the personal data of individuals (hereinafter referred to as "Users") using the website available at xelto.com (hereinafter referred to as the "Portal").
2. The personal data of Users is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter "GDPR"), as well as the applicable provisions of Polish law, including the Act on Personal Data Protection and the Act on Rendering Electronic Services of 18 July 2002 (Journal of Laws of 2002, No. 144, item 1204, as amended).
3. The Controller applies appropriate technical and organizational measures to safeguard the processed data and protect it against unauthorized access, disclosure, alteration, loss, or destruction.
4. Capitalized terms used herein shall have the meaning assigned to them in this Policy, unless otherwise defined herein.

II. LEGAL BASIS FOR DATA PROCESSING

1. The Controller processes personal data of Users based on the following legal grounds:
   • Performance of a contract – pursuant to Article 6(1)(b) of the GDPR, to take steps at the User’s request prior to entering into a contract and to perform services offered via the Portal.
   • Compliance with legal obligations – including obligations arising from tax and accounting regulations (e.g., the Polish VAT Act and the Accounting Act).
   • Legitimate interests pursued by the Controller – in accordance with Article 6(1)(f) of the GDPR, including for marketing activities, analytical purposes, Portal optimization, and protection of legal claims.
   • Consent of the User – under Article 6(1)(a) of the GDPR, for the processing of personal data for marketing purposes (electronic or telephone communication) and for the transmission of commercial information, granted through interactive forms on the Portal.
   • Establishment, exercise, or defense of legal claims – in accordance with relevant provisions of Polish civil law.
2. The Controller processes personal data voluntarily provided by Users as well as data collected automatically regarding the manner of using the Portal, in accordance with Article 6(1)(f) of the GDPR, based on the legitimate interests pursued by the Controller, in particular for direct marketing purposes and Portal optimization.
3. Personal data provided voluntarily by Users is not combined with data collected automatically regarding their use of the Portal. If, for technical reasons, such a combination occurs, the combined data will be processed solely for the Controller's legitimate interests, in particular, to optimize and personalize the Portal's functionalities and for statistical purposes.
4. The User's personal data may also be processed based on explicit consent for the purpose of sending commercial information electronically. The User has the right to withdraw such consent at any time.
5. Data processed in connection with service orders and contracts will be stored until the expiry of limitation periods for claims arising therefrom. Due to tax and accounting obligations, certain data will be stored for 6 years from the termination of the services.
6. Data processed for marketing purposes will be processed until the relevant consent is withdrawn.
7. Data related to complaints will be processed until the expiry of rights related thereto.
8. Data obtained for the purpose of contacting the Controller will be archived for 3 years after the end of contact.
9. Data processed in connection with potential claims and archiving will be processed for 3 years from the end of service provision.

III.  PURPOSE, SCOPE AND RECIPIENTS OF DATA PROCESSING

• The purpose, scope, and recipients of the User’s personal data depend each time on the User’s consent, legal provisions, or actions taken by the User on the Portal.
• The Controller ensures that personal data is processed:
  • Lawfully, fairly, and transparently,
  • For specific, legitimate purposes,
  • In an adequate, relevant, and limited manner,
  • Accurately and, where necessary, kept up to date,
  • For no longer than necessary,
  • With appropriate technical and organizational security measures.
• The User may provide the following personal data:
  • First name and last name,
  • Email address,
  • Telephone number.
• The provision of personal data is voluntary. However, failure to provide data may prevent the Controller from providing services. Depending on the nature of the service, the User may be asked to provide additional personal data, which will be specified on the relevant Portal pages.
• Purposes of data processing:
  • Using services available on the Portal (Contact, Career, Leave a Message tabs),
  • Placing orders, concluding and performing service agreements, settlements, complaints handling, archiving, ongoing contact regarding orders or agreements,
  • Marketing of the Controller's own products and services (via electronic or telephone communication), based on the User's consent,
  • Marketing of partners’ products and services (via electronic or telephone communication), based on the User's consent,
  • Building and publishing rankings, subject to the acceptance of the terms and conditions of a specific event.
• Possible recipients of personal data:
  • Controller's employees and associates,
  • Entities authorized under applicable law,
  • Third parties, based on data processing agreements, for purposes including archiving, storage, IT services, accounting, tax services, courier services, and maintaining relations with Users,
  • Entities located in third countries (including the USA), in connection with:
    • Activities on social media platforms and the use of plugins (e.g., Facebook, Twitter, Google+);
    • Use of analytical tools for anonymized tracking of user behavior (e.g., Google Analytics, Gemius Traffic, Chartbeat);
    • Use of advertising platforms (e.g., Google AdSense).

7. All entities processing data on behalf of the Controller are contractually bound to ensure confidentiality and data protection.
8. The User's personal data will not be sold or transferred to third parties for purposes other than those specified in this Policy.

IV. USER RIGHTS

1. Each User has the right to:
   • Access their personal data,
   • Rectify their personal data,
   • Request the erasure of their personal data,
   • Request restriction of processing,
   • Object to processing,
   • Lodge a complaint with a supervisory authority.
2. Withdrawal of consent or objection to processing may be made by sending an email to: sales@xelto.com.
3. After consent withdrawal or objection, personal data will no longer be processed for the specified purposes. The User may also request rectification or update of their data by sending an email to the Controller.
4. In case of irregularities in data processing, the User may lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
5. Contact with the person supervising data processing within the Controller's organization is possible via email at: office@xelto.com

V. CONTACT WITH THE CONTROLLER

1. The User may contact the Controller at any time by sending a message in writing or via email to the address indicated in Section I or to: office@xelto.com
2. The Controller stores correspondence with Users for statistical purposes, for the efficient handling of inquiries, complaints, or potential administrative actions. Such data will not be used for purposes other than handling the inquiry.
3. The Controller may require identity verification before processing any User request related to personal data.

VI. SECURITY MEASURES

1. The Controller applies appropriate technical and organizational measures to ensure the security of personal data, adequate to the risks and categories of processed data. In particular, data is protected against unauthorized access, loss, alteration, or destruction.
2. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, the Controller applies, among others:
   • data encryption,
   • the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems,
   • the ability to restore access to data in a timely manner in the event of technical incidents,
   • regular testing and evaluation of the effectiveness of security measures.

VII. FINAL PROVISIONS

1. The Controller uses various systems to monitor User activity on the Portal, including third-party services such as Google Analytics, provided by Google Inc. Google Analytics uses "cookies," which are text files placed on the User's device to help analyze how Users use the Portal. The Controller also uses server log files to count Portal visitors and assess its technical performance. By continuing to use this website, you consent to the use of cookies in accordance with this policy.
2. The Controller uses two types of cookies:

1. Session Cookies: Stored temporarily on the User’s device until the end of the browser session. They do not collect personal or confidential information,
2. Persistent Cookies: Stored on the User’s device until manually deleted. They do not collect personal or confidential information.

3. Given the dynamic development of the monitoring services market, the Controller endeavors to inform Users about new service providers and the User agrees that such entities may include other companies in the future. The User may withdraw consent to the use of cookies at any time by changing browser settings.
4. Information generated by cookies about the User’s use of the Portal (including their IP address) may be transmitted to Google Inc. servers in the USA and stored in accordance with Google's privacy policy (available at: http://www.google.com/intl/en/privacy/privacy-policy.html).
5. The Controller reserves the right to send Users non-commercial, system-related messages, including information about changes to the Portal, completed transactions, surveys, greetings, or system notifications. Such messages may also be sent by third parties acting on behalf of the Controller based on appropriate data processing agreements.
6. The Portal may contain links (e.g., third-party logos) redirecting Users to external websites. The Controller is not responsible for the content of such websites or for their privacy policies, security policies, or use of cookies.
7. The Controller may amend this Policy due to changes in law, technological developments, or the expansion of Portal functionalities. Each amendment will be published on the Portal, and the new version of the Policy will be publicly available with a new date.
8. In the event of discrepancies between this Policy and the consents granted by the User, the User's consent or applicable law shall prevail.
9. The User's personal data may be subject to automated processing, including profiling, to analyze or predict preferences, behavior, and to tailor the information provided to the User accordingly.