Privacy and Cookies Policy

Privacy Policy Concerning Personal Data Processing and Cookies Policy

In connection with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (referred to as “GDPR”), and the Act on Personal Data Protection of 10 May 2018, to meet the obligations under the GDPR, the following is our privacy and cookies policy (“Privacy and Cookies Policy”). This policy outlines the principles of processing your personal data and includes, in particular, information regarding:

1. The personal data Controller;
2. The method of collection, scope, and purpose of personal data processing;
3. The territorial scope and period of personal data processing;
4. The recipients of personal data, other than the Controller;
5. Pursuing claims related to personal data processing, including the rights of data subjects;
6. Legal grounds for personal data processing.

I Personal Data Controller

Your personal data controller is Creotech Instruments S.A., with its registered office in Piaseczno, 05-500 ul. Jana Pawła II 66, entered into the register of undertakings kept by the District Court for the capital city of Warsaw in Warsaw, 14th Commercial Division of the National Court Register, under number KRS: 0000407094 (the “Controller”).

You can contact the Controller via email at iod@creotech.pl; by phone at 22 246 45 75 or by post at the address indicated above.

II Data Protection Officer

The Controller has appointed a Data Protection Officer (DPO), who can be reached via email at iod@creotech.pl or by post at the address indicated above, with the annotation Data Protection Officer.

III Method of Collection, Scope, Purpose, and Legal Grounds for Processing of Personal Data

1. General information

The Privacy Policy applies to individuals who visit the Controller’s website (the “User” or “Users”) at www.creotech.pl (the “Website“) who contact the Controller via the form available on the Website (the “Form“), providing the following personal data indicated in the Form: name and surname, email address, telephone number. Furthermore, the scope of the User’s personal data processed by the Controller under this Privacy Policy includes data other than those specified above if provided to the Controller by the User via email to the Controller’s email address listed on the Website.

We request that you refrain from providing any information containing special categories of personal data as outlined in Article 9(1) of the GDPR (information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a person’s sex life or sexual orientation, and criminal history) via email or the Form. If such information is provided for any reason, it will constitute explicit consent for the Controller to collect and use such information in the manner specified in the Privacy Policy or as specified at the location of disclosure.

Through the Form, Users can direct inquiries to the Controller regarding products and services offered by the Controller.

2. Scope and Objectives of Personal Data Collection

When using the Website, the Controller may process users’ personal data, such as:

1. Full name;
2. Phone number;
3. Email address;
4. Mailing address;
5. Specialization/position;
6. Information contained in CVs;
7. Additional information provided by the User via email.

The Controller processes the User’s personal data for the following purposes:

• To handle the User’s general inquiries;
• To handle the User’s specialized inquiries;
• To prepare an offer for the User, in the event that the Controller receives a request for proposal;
• To carry out recruitment processes;
• For marketing or informational purposes, specifically through direct marketing of the Controller’s products, sending newsletters to the User, or providing other information about products or services offered by the Controller;
• To take steps to conclude a contract with the User;
• To carry out activities related to the performance of a contract concluded with the User.

The personal data of Users will not be subjected to automated processing, including in the form of profiling, meaning that no decisions that produce legal effects concerning a person or similarly significantly affects them will be made solely on the basis of automated processing of personal data and will not be associated with such automated decision-making.

3. Legal Grounds for Personal Data Processing

Whenever we collect personal data, we always specify the legal basis for their processing. When we refer to:

• Article 6(1)(a) of the GDPR – it means that we process personal data based on the consent obtained;
• Article 6(1)(b) of the GDPR – it means that we process personal data as they are necessary for the performance of a contract or to take action prior to entering into a contract, upon request received;
• Article 6(1)(c) of the GDPR – it means that we process personal data to comply with a legal obligation;
• Article 6(1)(f) of the GDPR – it means that we process personal data for the purpose of pursuing legitimate interests, which are always clearly communicated.

4. Log files

Whenever a User accesses the Website, the Controller’s IT system automatically gathers and processes data and information related to the User’s device to ensure the proper operation of electronically provided services. This data includes: the IP address of the User’s computer, details stored in cookies or similar technologies, session information, internet browser data, the User’s operating system details, device information, and activity on the Website, including visits to individual subpages.

This information does not reveal the User’s identity but could constitute personal data when combined with other data. As such, the Controller ensures it receives the comprehensive protection granted to Users under the GDPR.

This data is processed pursuant to Article 6(1)(b) of the GDPR, aiming to deliver services via the Website, and under Article 6(1)(a) of the GDPR, regarding the consent for the usage of certain cookies or similar technologies. This consent is expressed through the User’s internet browser settings in line with Telecommunications Law. The data remains processed until the User discontinues the Website use.

5. Usage Statistics

To enhance its service quality and ensure the security of the Controller’s system, the Controller analyzes statistical data regarding the use of the Website, including session details, IP address, time spent on individual pages and subpages, usage of specific service functionalities, and data about the User’s device and browser. The Controller uses cookies or similar technologies, and Google Analytics statistical tools. These data are processed under Article 6(1)(f) of the GDPR, i.e. within the confines of the Controllers legitimate interest to improve the Website’s usability, enhance service quality and functionality. This data processing does not violate the rights or freedoms of Users. The User’s information is not used for any additional purposes; adjusting content presentation on the Website, streamlining Website usage, and boosting service quality via the Website not only align with industry standards but also match user expectations from online service providers.

Users may withdraw their consent at any time by changing their web browser settings to modify the permission for cookies or similar technologies.

6. Marketing and PR Activities of the Controller

The Controller may post marketing information about its products or services on the Website. This content is displayed by the Controller in accordance with Article 6(1)(f) of the GDPR, in accordance with the legitimate interest of the Controller consisting in publishing content related to the services provided and the content of promotional campaigns in which the Controller is involved. This action does not violate the rights or freedoms of Users.

Furthermore, the Controller may also publish marketing information pertaining to the products or services of its business partners. This content is displayed based on Article 6(1)(f) of the GDPR, under the legitimate interest of the Controller to undertake marketing activities for its partners’ products or services.

Users have the right to object to the processing of their personal data for marketing purposes.

7. Personal Data Processing on Social Media Platforms

The Controller maintains profiles on the following social media platforms, through which it interacts with Users. As such, the Controller acts as a co-controller of personal data along with the social media platforms’ providers: Detailed information on the personal data processing by these providers can be found on their respective pages:

• Facebook: https://facebook.com/privacy/explanation;
• Twitter: https://twitter.com/en/privacy;
• Linkedin: https://www.linkedin.com/legal/privacy-policy;
• YouTube: https://policies.google.com/privacy?hl=en/.

The Controller operates and manages its social media accounts to promote its products, services, and overall business activity. In doing so, it manages the personal data of social media users who follow the Controller’s profiles, including those who participate in contests, events, and dialogues with both the Controller and other users through these accounts managed by the Controller.

If a user wishes to cease the processing of their personal data shared via social media platforms, they should stop following the Controller’s profiles via the platforms’ functionalities, such as unliking the Controller’s profile on Facebook.

All rights to trademarks (including logos), copyrights, database rights, and all other intellectual property rights related to the website content and social media profiles belong to the Controller.

It is prohibited to copy, modify, use in any form, or reproduce, in whole or in part, the website content for commercial purposes without the prior written consent of the Controller and the content’s author.

The content presented on the website and social media profiles is intended to promote the Controller’s activities. The use of materials for other purposes is forbidden.

Materials shared on the Controller’s social media profiles are either owned by it or have been posted with the consent of the content creators.

Users engaging with the Controller’s social media profiles declare that their posted content:

Will not be inappropriate. Content is defined as inappropriate when it: i. constitutes plagiarism, is defamatory, offensive, aggressive, untrue, misleading, derogatory, discriminatory, threatening, harassing, expresses racial or sexual prejudice; ii. contains mocking, rude or offensive elements, insults, indecent suggestions, profanity; iii. contains quotes from other users’ statements taken out of context in order to create a false or negative impression; iv. is indecent, obscene or pornographic in nature; or; violates another person’s right to confidentiality or privacy, b. Will not prejudice any ongoing legal proceedings that the user is aware of; c. will not contain accusations of indecency or personal criticism directed against the Controller’s employees; d. are highly unlikely to: (i) cause fear, uncertainty or anxiety to another person, (ii) incite violation of social norms; or (iii) incite aggression or hatred based on race or religion, e. will not infringe any copyrights, trademarks, patents or other intellectual property rights of the Controller or any third party; f. will not be technically harmful (including, in particular, computer viruses, logic bombs, Trojan horses, computer worms, harmful components, corrupted data or other malicious software, harmful data or actions);g. will not constitute an offer, advertisement or promotion of any product or service, nor will they contain requests for donations or financial support; h. will not constitute spam or unsolicited mail advertising; I. will not be intended to impersonate another person or otherwise misrepresent the user’s identity, affiliation or position. will not present or encourage behavior that could be considered a crime, lead to civil liability or is unlawful.

Users may post links to other websites or subpages of websites on the Controller’s profile if:

a) The content or links do not violate the Privacy Policy;

b) The terms of use of such websites or subpages allow for such links;

c) They are clearly and visibly marked as links;

d) They are relevant to the content alongside which they are posted;

e) They do not automatically trigger downloads of any files.

The Controller reserves the right to immediately delete any content not conforming to these rules, especially comments that are:

a) defamatory, false and misleading;

b) offensive, insulting or threatening;

c) obscene or sexually explicit;

d) aggressive, racist, sexist, homophobic or discriminate against any religion or group of people.

Such links will be deleted immediately.

Without the Controller’s express consent, Users may not repost any content or materials that have been previously removed.

8. COOKIES

1. Cookies are understood to mean computer data stored in the User’s end devices, intended for use with websites. Specifically, these are text files that contain the name of the website they originate from, the duration of their storage on the end device, and a unique number.
2. The Controller uses two types of cookies: a) Session cookies: these are stored on the User’s device and remain there until the browser session ends. At that point, the information is permanently removed from the device’s memory. Session cookies do not allow for the collection of any personal or confidential information from the User’s device. b) Persistent cookies: these are stored on the User’s device and remain there until they are manually deleted. Closing the browser session or turning off the device does not delete them. Persistent cookies do not allow for the collection of any personal or confidential information from the User’s device.
3. The Controller does not automatically gather any information, with the exception of details contained within cookies.
4. Within the Website, the following types of cookies are utilized: a) “Essential” cookies, enabling the use of services offered within the Service, for example, authenticating cookies used for services that require authentication, for logging in and User session maintenance at each subpage of the Website; b) “Security” cookies, used to detect fraud in authentication within the Website; c) “Performance” cookies, allowing for the collection of information on the usage of the website pages of the Website; d) “Functional” cookies, enabling the storage of settings selected by the User and personalization of the User interface, for example, in terms of the chosen language or the User’s region, the font size, the layout of the website etc. customization of the Website to the User’s individual preferences, primarily these file recognize the User’s device to display the Website according to the User’s preferences’.
5. To ensure the security of entrusted data, the Controller has developed internal procedures and recommendations to prevent the disclosure of data to unauthorized persons. The Controller monitors their execution and constantly checks their compliance with the relevant legal acts – the Act of Personal Data Protection Act, the Act on Providing Services by Electronic Means, as well as all kinds of executive acts and acts of Community law.
6. By default, web browsing software allows cookies to be placed on the User’s end device. These settings can be changed by the User to block the automatic management of cookies in the web browser settings or to notify the User each time they are sent to the User’s device.
7. The User can change the settings related to cookies at any time. Detailed information about the options and ways of handling cookies is available in the software settings (web browser).

Examples of editing options in popular browsers:

• Mozilla Firefox: www.support.mozilla.org/pl/kb/ciasteczka
• Internet Explorer: www.support.microsoft.com/kb/278835/en
• Google Chrome: www.support.google.com/chrome/bin/answer.py?hl=en&answer=95647
• Safari: www.safari.helpmax.net/pl/oszczedzanie-czasu/blokowanie-zawartosci/

8. Please be advised that changes to the settings in the User’s web browser may prevent the proper operation of the Website.

IV Duration and Territorial Scope of Personal Data Processing

1. Duration of Personal Data Processing

The period of personal data processing depends on the basis and purpose of the processing. The Controller always informs about this period before collecting personal data or during the collection process. Examples of personal data retention periods include:

1. Personal data processed in connection with marketing activities will be processed until an objection to their processing is received or until the purpose of the processing has been fulfilled.
2. Personal data processed on the grounds of consent will be kept until such consent is withdrawn or the purpose of the processing has been fulfilled.
3. Personal data processed using cookies and similar technologies will be kept until these cookies are removed through browser or device settings, or until an objection to their processing is lodged.
4. Personal data processed for compliance with legal obligations (e.g., for taxation, accounting, or reporting purposes) will be kept for the duration mandated by relevant accounting or tax legislation.
5. Personal data associated with the provision of the Controller’s services will be stored for the period during which claims can be made against or by the Controller, that is, in accordance with the applicable legal provisions on the limitation periods for claims.

2. Territorial Scope of Personal Data Processing

The User’s personal data will be processed solely within the territory of the Republic of Poland. However, the Controller may utilize services offered by entities headquartered outside the European Economic Area (EEA) or that may store data outside the EEA. In such instances, the Controller will adhere to the stipulations outlined in Article 49 of the GDPR.

V Recipients of Personal Data

The Controller transfers the User’s personal data to other entities only based on requirements arising from applicable legal provisions or in connection with the purpose for which the personal data were provided to the Controller, in particular when necessary for the execution of a service request received by the Controller on behalf of the User. Personal data will be transferred to other entities only under separate personal data processing agreements, ensuring the necessary protection of the transferred data.

Recipients of the User’s personal data processed by the Controller may include:

1. Entities processing personal data under personal data processing agreements (so-called processors);
2. Entities providing hosting services to the Controller, in terms of delivering, handling, and servicing the Controller’s software or electronic equipment;
3. Entities providing marketing and PR services for the Controller,
4. Entities providing survey research services;
5. Auditors, experts, tax advisors, legal advisors, debt collection companies;
6. Public administration bodies, in particular supervisory authorities.

The Controller may use tools provided by entities based outside the European Economic Area (EEA) or that may store data outside the EEA. Personal data will not be transferred to international organizations. The Controller will apply all legally available measures to secure the transfer of this data. Transferring data outside the EEA may occur based on exceptions provided in Article 49 of the GDPR, if the conditions specified in this article are met. Information about the security measures and the scope of data transferred outside the EEA can be obtained by contacting the Controller or the DPO.

Navigating through the website may redirect to another website managed by a different Controller. The Controller is not responsible for the processing of personal data by other websites. Users should read the Privacy Policy upon every new visit.

VI User Rights in Relation to Personal Data Processing

Users have the right to:

1. Access – Obtain confirmation from the Controller whether their personal data is being processed. If User data are being processed, they are entitled to access the data and receive information about: the purposes of processing, categories of personal data, recipients or categories of recipients to whom the data has been or will be disclosed, the planned duration of data storage or the criteria used to determine that period, the right to request rectification, deletion, or restriction of processing of personal data, and to object to such processing (Article 15 of the GDPR).
2. Receive a copy of the data – Obtain a copy of the data undergoing processing, where the first copy is free of charge. For any further copies, the Controller may charge a reasonable fee based on administrative costs (Article 15(3) of the GDPR).
3. Rectification – Request rectification of inaccurate personal data or completion of incomplete data (Article 16 of the GDPR).
4. Erasure – Request erasure of personal data if the Controller no longer has legal grounds for their processing or the data are no longer necessary in relation to the purposes of processing (Article 17 of the GDPR).
5. Restriction of processing – Request restriction of processing of personal data (Article 18 of the GDPR) when: a. The User contests the accuracy of the personal data – for a period enabling the Controller to verify the accuracy of the personal data; b. The processing is unlawful, and the User opposes the erasure of the data requesting the restriction of their use instead; c. The Controller no longer needs the data for the purpose of processing, but they are required by the User for the establishment, exercise or defense of legal claims; d. The User has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the User.
6. Data portability – Receive personal data in a structured, commonly used and machine-readable format, and request the transmission of those data to another controller, if the processing is based on the User’s consent or on a contract with the User and if the processing is carried out by automated means (Article 20 of the GDPR).
7. Object – Object to the processing of personal data for legitimate interests pursued by the Controller, including profiling, on grounds relating to the particular situation of the User. The Controller will then assess whether there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the User or for the establishment, exercise, or defense of legal claims. If, according to the assessment, the User’s interests are more compelling than the interests of the Controller, the Controller is obliged to cease processing data for these purposes (Article 21 of the GDPR).
8. Withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Withdrawing consent will result in the Controller ceasing to process personal data for the purpose for which consent was given.

To exercise the aforementioned rights, Users should contact the Controller using the provided contact details and inform which right and to what extent they wish to exercise.

VII President of the Personal Data Protection Office

Data subjects have the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office, located in Warsaw, Stawki 2, who can be contacted in the following ways:

1. by post: ul. Stawki 2, 00-193 Warszawa;
2. by email available at: https://www.uodo.gov.pl/pl/p/kontakt;
3. by phone: (22) 531 03 00/

VIII Changes to the Privacy Policy

The Privacy Policy may be amended and updated according to the current needs of the Controller, especially in the event of changes in the technology used by the Controller to process personal data (if such change affects the wording of the Privacy Policy), as well as in the case of changes in the methods, purposes, or legal bases of personal data processing.

The Controller reserves the right to withdraw or change the content presented on the site without prior notice. The Controller is not liable if, for any reasons beyond the Controller’s control, the Website is unavailable at any time or for any period.

The Controller reserves the right to occasionally restrict access to some parts of the Website in connection with maintenance work or updating the Website.

The Privacy and Cookies Policy becomes effective on the date of approval.

For matters not regulated by the Privacy Policy, concerning its subject, and in the case of any part of the Privacy Policy being inconsistent with applicable law, the relevant provisions of Polish law shall apply instead of the questioned provision of the Policy, in particular:

1. The Civil Code of 23 April 1964;
2. The Act on the Protection of Certain Consumer Rights and on the Liability for Damage Caused by a Dangerous Product of 2 March 2000
3. The Act on Specific Conditions of Consumer Sale and Amendments to the Civil Code;
4. The Act of 18 July 2002 on Providing Services by Electronic Means (the “ESA”);
5. The Act on Personal Data Protection of 29 August 1997
6. The GDPR.