Privacy and Cookies Policy

Privacy Policy regarding the processing of personal data and Cookies Policy

In connection with the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”), as well as the Polish Personal Data Protection Act of 10 May 2018, and to comply with the obligations under the GDPR, the following Privacy and Cookies Policy (hereinafter the “Privacy and Cookies Policy”) is presented.

This Policy sets out the rules for the processing of your personal data and includes, in particular, information regarding:

1. the controller of personal data,

2. the method of collection, scope, and purpose of personal data processing,

3. the territorial scope and retention period of personal data processing,

4. recipients of personal data other than the Controller,

5. the pursuit of claims related to the processing of personal data, including the rights of data subjects,

6. the legal grounds for the processing of personal data.

I. Personal Data Controller

The controller of personal data is Creotech Quantum S.A., with its registered office in Warsaw, 02-823, ul. Osmańska 14, entered in the Register of Entrepreneurs maintained by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS number: 0001177677 (hereinafter the “Controller”).

The Controller may be contacted electronically at: iod@xxxxxx; by phone at: +48 22 xxx xx xx; or by post at the address indicated above.

II. Data Protection Officer

The Controller has appointed a Data Protection Officer (DPO), who may be contacted electronically at: iod@xxxxxx or by post at the address indicated above, with the note “Data Protection Officer.”

III. Method of Collection, Scope, Purpose, and Legal Basis for Processing Personal Data

1. General Information

This Privacy Policy applies to individuals visiting our website (hereinafter the “User”) at www.creotechquantum.pl (the “Website”) who contact us via the form provided on the Website (the “Form”), submitting personal data such as first and last name, email address, and phone number. Other personal data provided via email to the address listed on the Website are also processed in accordance with this Privacy Policy.

Please do not submit, via email or the Form, any special categories of personal data under Article 9(1) of the GDPR (e.g., race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health information, genetic or biometric data, sexual life or orientation, or criminal history). If you do submit such data, it will be considered explicit consent for us to process it as described here or where it was disclosed.

The Form is used for sending inquiries regarding our products and services.

2. Scope and Purpose of Collected Personal Data

While using the Website, we may process personal data including:

• first and last name

• phone number

• email address

• mailing address

• specialization/position

• information included in CVs

• other data provided via email

We process personal data for purposes such as:

• handling general and specialized inquiries

• preparing offers based on requests

• recruitment

• marketing and informational purposes (e.g., newsletters, direct marketing of our products, or other product/service information)

• concluding agreements with Users

• performing activities related to agreements with Users

Users’ personal data will not be processed in an automated manner, including profiling. No decisions producing legal effects or significantly affecting the individual will be based solely on automated processing.

3. Legal Basis for Processing Personal Data

When collecting personal data, we always inform Users of the legal basis for its processing. In particular:

• Article 6(1)(a) GDPR – we process personal data based on the consent given,

• Article 6(1)(b) GDPR – we process personal data because it is necessary for the performance of a contract or to take steps prior to entering into a contract at your request,

• Article 6(1)(c) GDPR – we process personal data to comply with a legal obligation,

• Article 6(1)(f) GDPR – we process personal data to pursue our legitimate interests, which we always disclose.

4. Log Files

Whenever a User accesses the Website, the Administrator’s IT system automatically collects and processes information about the User’s device to ensure the proper functioning of electronic services. This may include: IP address, information contained in cookies or similar technologies, session data, web browser information, operating system data, device information, and activity on the Website, including individual subpages.

This information does not directly identify the User but, when combined with other data, may constitute personal data and is therefore fully protected under the GDPR.

These data are processed in accordance with Article 6(1)(b) GDPR for the purpose of providing electronic services via the Website, and in accordance with Article 6(1)(a) GDPR with respect to the User’s consent to the use of certain cookies or similar technologies, expressed through appropriate browser settings under the Telecommunications Law. These data are processed for the duration of the User’s use of the Website.

5. Statistics on the Use of Administrator Services

To improve the quality of its services and ensure system security, the Administrator processes statistical information about Website usage. This includes session information, IP address, time spent on pages and subpages, use of specific website functionalities, and information about the User’s device and browser.

The Administrator uses cookies, similar technologies, and tools such as Google Analytics. This data is processed under Article 6(1)(f) GDPR, i.e., in the Administrator’s legitimate interest to facilitate Website use, improve service quality and functionality, while not infringing on the rights or freedoms of Users. User information is not used for any other purposes. Customizing content display, facilitating Website use, and improving service quality are standard practices and expected by Website Users.

Users may withdraw their consent at any time by changing their web browser settings regarding the use of cookies or similar technologies.

6. Marketing and PR Activities of the Administrator

The Administrator may display marketing information about its own products or services on the Website. This is carried out pursuant to Article 6(1)(f) GDPR, based on the Administrator’s legitimate interest in sharing content related to its services and promotional activities. This does not infringe on the rights or freedoms of Users.

The Administrator may also display marketing information about products or services of its business partners, under Article 6(1)(f) GDPR, based on its legitimate interest in promoting these products or services.

Users have the right to object to the processing of their personal data for marketing purposes.

7. Processing of Personal Data on Social Media Platforms

The Administrator operates profiles on the following social media platforms, through which it interacts with Users. In this context, the Administrator acts as a joint controller of personal data together with these platform providers. Details on how these providers process personal data can be found at:

• Facebook: https://pl-pl.facebook.com/privacy/explanation

• Twitter: https://twitter.com/en/privacy

• LinkedIn: https://www.linkedin.com/legal/privacy-policy

These accounts are managed to promote the Administrator’s products, services, and activities. Personal data of social media users who follow the Administrator’s profiles, participate in contests, events, or engage in dialogue via these accounts, may be processed in this context.

To stop the processing of personal data shared via social media, Users should unfollow the Administrator’s profiles using the platform’s options, e.g., clicking “Like” on Facebook.

All rights to trademarks, logos, copyrights, database rights, and other intellectual property in the Website content and social media profiles belong to the Administrator. Copying, modifying, using, or reproducing content, in whole or in part, for commercial purposes without prior written consent is prohibited.

Content on the Website and social media profiles is intended solely to promote the Administrator’s business. Materials posted on the Administrator’s profiles are either owned by the Administrator or shared with the permission of the original authors.

Users posting content on the Administrator’s social media profiles warrant that their content:

a. is appropriate and does not:

i. constitute plagiarism, defamation, offensive, aggressive, false, misleading, humiliating, discriminatory, threatening, harassing, or express racial/sexual prejudice;

ii. contain mocking, uncivil, obscene language, insults, or profanity;

iii. quote others out of context to create false impressions;

iv. be obscene, indecent, or pornographic;

v. violate the confidentiality or privacy of others;

b. does not interfere with ongoing legal proceedings;

c. does not accuse or personally criticize Administrator employees;

d. is unlikely to: (i) cause fear, uncertainty, or distress, (ii) incite violation of social norms, or (iii) provoke aggression or hatred on racial or religious grounds;

e. does not infringe intellectual property rights of the Administrator or third parties;

f. is not technically harmful (including viruses, malware, or corrupted data);

g. is not an offer, advertisement, or solicitation for financial support;

h. is not spam or intrusive email marketing;

i. does not impersonate others or misrepresent identity, affiliation, or position;

j. does not encourage criminal or unlawful behavior.

Users may post links to other websites provided that:

a. the content or links do not violate this Privacy Policy;

b. the linked sites allow such links;

c. links are clearly marked;

d. linked content is relevant to where the link is posted;

e. the link does not automatically download files.

The Administrator reserves the right to immediately remove any content violating these rules, particularly comments that are:

a. defamatory, false, or misleading;

b. offensive, insulting, or threatening;

c. obscene or sexual;

d. aggressive, racist, sexist, homophobic, or discriminatory.

Without the Administrator’s explicit consent, Users may not repost any content, materials, or applications previously removed.

8. COOKIES

1. Cookies are computer files stored on the User’s device to facilitate the use of websites. Specifically, these are text files containing the website’s name, the duration of storage on the User’s device, and a unique identifier.

2. The Administrator uses two types of cookies:

a. Session cookies: stored on the User’s device only for the duration of the browser session. Once the session ends, the information is permanently deleted from the device. Session cookies do not allow the collection of any personal or confidential data from the User’s device.

b. Persistent cookies: stored on the User’s device until they are deleted. Ending a browser session or turning off the device does not remove these cookies. Persistent cookies do not allow the collection of any personal or confidential data from the User’s device.

3. The Administrator does not automatically collect any information other than that contained in cookies.

4. The following types of cookies are used on the Website:

a. “Essential” cookies: necessary for using services available on the Website, e.g., authentication cookies for services requiring login and maintaining User sessions across pages.

b. Security cookies: used to detect abuse in authentication or for other security-related purposes.

c. Performance cookies: collect information on how Users interact with the Website to generate anonymous statistics without identifying individual Users.

d. Functional cookies: enable the Website to “remember” User settings and personalize the interface, e.g., chosen language or region, font size, website appearance, or other adjustments according to User preferences. These cookies recognize the User’s device to display the Website in accordance with their preferences.

5. To protect Users’ data, the Administrator has implemented internal procedures and guidelines to prevent unauthorized access. Compliance is continuously monitored, and procedures are verified against applicable laws, including the Personal Data Protection Act, the Act on Electronic Services, and relevant EU regulations.

6. By default, web browser software allows cookies to be stored on the User’s device. Users can change these settings to block automatic cookie handling or to be notified each time cookies are sent to their device.

7. Users may modify their cookie settings at any time. Detailed instructions for managing cookies are available in browser settings. Examples for popular browsers include:

• Mozilla Firefox: www.support.mozilla.org/en-US/kb/cookies

• Internet Explorer: www.support.microsoft.com/kb/278835/en

• Google Chrome: www.support.google.com/chrome/bin/answer.py?hl=en&answer=95647

• Safari: www.safari.helpmax.net/en/saving-time/blocking-content/

8. The Administrator informs Users that changing browser settings may prevent the Website from functioning properly.

IV. Duration and Territorial Scope of Personal Data Processing

1. Duration of Personal Data Processing

The period for which personal data is processed depends on its legal basis and purpose. The Administrator always informs Users of this period before or during the collection of personal data. Examples of retention periods include:

1. Personal data processed for marketing purposes – retained until the User objects to the processing of such data or until the purpose of processing has been fulfilled.

2. Personal data processed based on consent – retained until consent is withdrawn or until the purpose of processing has been fulfilled.

3. Personal data processed using cookies or similar technologies – retained until the cookies are deleted via the User’s browser or device settings, or until the User objects to their processing.

4. Personal data processed in connection with compliance with applicable legal obligations (e.g., for tax, accounting, or reporting purposes) – retained for the period required under generally applicable accounting or tax law.

5. Personal data related to the provision of the Administrator’s services – retained until the period for potential claims against or by the Administrator expires, in accordance with generally applicable laws regarding limitation periods.

2. Territorial Scope of Personal Data Processing

Users’ personal data will be processed exclusively within the territory of the Republic of Poland. However, the Administrator may use tools or services provided by entities located outside the European Economic Area (EEA), or that may store data outside the EEA. In such cases, the Administrator ensures compliance with the requirements set out in Article 49 of the GDPR.

V. Recipients of Personal Data

The Administrator discloses Users’ personal data to other entities only when required by applicable law or in connection with the purpose for which the personal data were provided to the Administrator. In particular, this applies when disclosure is necessary to fulfill a User’s request for a specific service. Personal data will be shared with other entities solely under separate agreements on the processing of personal data, which guarantee the appropriate protection of the transmitted data.

Recipients of Users’ personal data processed by the Administrator may include:

1. Entities processing personal data under data processing agreements (so-called processors);

2. Entities providing hosting services, software or hardware delivery, support, and maintenance for the Administrator;

3. Entities providing marketing and PR services to the Administrator;

4. Entities conducting survey or research services;

5. Auditors, experts, accountants, tax advisors, legal advisors, and debt collection agencies;

6. Public administration authorities, including supervisory authorities.

The Administrator may use tools or services provided by entities located outside the European Economic Area (EEA) or that may store data outside the EEA. Personal data will not be transferred to international organizations. The Administrator will apply all legally available safeguards to ensure the security of such transfers. Transfers outside the EEA may occur under the exceptions provided in Article 49 of the GDPR, provided the conditions specified therein are met. Information regarding safeguards for data transferred outside the EEA can be obtained by contacting the Administrator or the Data Protection Officer.

The Website may contain links redirecting Users to other websites managed by different administrators. The Administrator is not responsible for the processing of personal data on such external websites. Users should review the privacy policy of any website they visit, particularly on each new visit.

VI. User Rights in Relation to Personal Data Processing

Users have the following rights:

1. Access – obtain confirmation from the Administrator as to whether their personal data are being processed. If the data are being processed, the User has the right to access them and to receive information on: the purposes of processing, categories of personal data, recipients or categories of recipients to whom the data have been or will be disclosed, the retention period of the data or the criteria for determining it, and the rights to request rectification, deletion, or restriction of personal data, as well as the right to object to such processing (Art. 15 GDPR).

2. Obtaining a copy of data – receive a copy of the personal data being processed. The first copy is provided free of charge; a reasonable fee may be charged for additional copies to cover administrative costs (Art. 15(3) GDPR).

3. Rectification – request correction of inaccurate personal data or completion of incomplete data (Art. 16 GDPR).

4. Deletion – request the deletion of personal data if the Administrator no longer has a legal basis for processing them, or if the data are no longer necessary for the purposes of processing (Art. 17 GDPR).

5. Restriction of processing – request the restriction of personal data processing (Art. 18 GDPR) in the following situations:

a. The User contests the accuracy of the personal data – for the period necessary for the Administrator to verify their accuracy;

b. Processing is unlawful, and the User opposes deletion, requesting restriction of use instead;

c. The Administrator no longer needs the data, but the User requires them to establish, exercise, or defend legal claims;

d. The User has objected to processing – until it is determined whether the Administrator’s legitimate grounds override the User’s grounds for objection.

6. Data portability – receive personal data in a structured, commonly used, machine-readable format and request transmission of such data to another administrator, where the data are processed based on the User’s consent or a contract and are processed in an automated manner (Art. 20 GDPR).

7. Objection – object to the processing of personal data for the Administrator’s legitimate purposes, for reasons related to the User’s particular situation, including profiling. The Administrator will evaluate whether compelling legitimate grounds exist for processing that override the interests, rights, and freedoms of the User, or the grounds for establishing, exercising, or defending legal claims. If the User’s interests prevail, the Administrator will cease processing the data for those purposes (Art. 21 GDPR).

8. Withdrawal of consent – withdraw consent at any time without providing a reason. Processing carried out prior to the withdrawal remains lawful. Withdrawal of consent will result in the cessation of personal data processing by the Administrator for the purpose for which the consent was originally given.

To exercise any of these rights, Users should contact the Administrator using the provided contact details and clearly specify which right they wish to exercise and to what extent.

VII. President of the Personal Data Protection Office

Individuals whose personal data are processed have the right to lodge a complaint with the supervisory authority, namely the President of the Personal Data Protection Office, headquartered in Warsaw at ul. Stawki 2. Contact can be made in the following ways:

1. By mail: ul. Stawki 2, 00-193 Warsaw, Poland

2. Via the electronic contact form: https://www.uodo.gov.pl/pl/p/kontakt

3. By phone: +48 (22) 531 03 00

VIII. Amendments to the Privacy Policy

The Privacy Policy may be amended or updated as needed, particularly in the event of changes to the technology used for personal data processing (if such changes affect the Policy’s content), or changes in the methods, purposes, or legal bases of processing.

The Administrator reserves the right to withdraw or modify content on the Website without prior notice. The Administrator is not liable if, for reasons beyond its control, the Website is unavailable at any time or for any period.

The Administrator may also occasionally restrict access to certain parts of the Website due to maintenance or updates.

This Privacy and Cookies Policy comes into effect on the date of its approval.

In matters not covered by this Privacy Policy, or where any part of the Policy conflicts with applicable law, the relevant provisions of Polish law shall apply, in particular:

1. The Act of 23 April 1964 – Civil Code

2. The Act of 2 March 2000 on the Protection of Certain Consumer Rights and on Liability for Damage Caused by a Dangerous Product

3. The Act of 27 July 2002 on Special Conditions of Consumer Sale and Amendments to the Civil Code

4. The Act of 18 July 2002 on the Provision of Electronic Services (UŚUDE)

5. The Act of 10 May 2018 on the Protection of Personal Data

6. The GDPR

Information Clause – Contact Form

In accordance with Articles 13(1) and 13(2) of the General Data Protection Regulation (GDPR) of 27 April 2016, we inform you that:

1. The administrator of your personal data is Creotech Quantum S.A., headquartered in Warsaw, 02-796, ul. Migdałowa 4, registered in the register of entrepreneurs maintained by the District Court for the Capital City of Warsaw, XIII Commercial Division of the National Court Register, under KRS number: 0001177677, NIP: 9512623625, REGON: 541983914. The Administrator has appointed a Data Protection Officer, who can be contacted via email at iod@xxx.

2. Your personal data will be processed solely for contact purposes necessary to provide the requested service, based on Article 6(1)(f) GDPR.

3. Recipients of your personal data will be employees of the Administrator, only within the scope of their official duties and based on proper authorization.

4. Your personal data will not be transferred to any third country or international organization.

5. Your personal data will be retained until the conclusion of the communication and then archived for 10 years on email servers.

6. You have the right to access your personal data and to request its correction, deletion, restriction of processing, data portability, or to object to its processing.

7. You have the right to lodge a complaint with the supervisory authority – the Personal Data Protection Office – if you believe that the processing of your personal data violates the GDPR.

8. Providing your personal data is voluntary.

9. Your personal data will not be processed in an automated manner, including profiling. No decisions producing legal effects or significantly affecting you will be made solely based on automated processing of your personal data.

Information Clause – Job Applicants

In accordance with Articles 13(1) and 13(2) of the General Data Protection Regulation (GDPR) of 27 April 2016, we inform you that:

1. The administrator of your personal data is Creotech Quantum S.A., headquartered in Warsaw, 02-767, u. Migdałowa 4, registered in the register of entrepreneurs maintained by the District Court for the Capital City of Warsaw, XIII Commercial Division of the National Court Register, under KRS number 0001177677, NIP 9512623625, REGON 541983914, with a fully paid share capital of PLN 150,000.

2. The Administrator has appointed a Data Protection Officer (DPO), who can be contacted via email at iod@xxxx.

3. Your personal data will be processed for the purpose of recruitment conducted by Creotech Quantum S.A., based on Article 6(1)(c) GDPR in conjunction with Article 221 §1 of the Polish Labour Code, and Article 6(1)(a) GDPR (consent).

4. The personal data processed will include, as specified in Article 221 §1 of the Polish Labour Code: first name(s) and surname, date of birth, contact details, education, professional qualifications, employment history, and any other data included in recruitment documents you provide, with your consent.

5. Your personal data may be disclosed to entities supporting the Administrator in carrying out recruitment, including those entrusted with data processing under Article 28 GDPR, such as IT service providers, software support companies, or document archiving services.

6. Your personal data will be retained for the duration of the recruitment process and for the period of limitation of claims, i.e., three years from the end of the recruitment process, unless you have consented to your data being retained for future recruitment purposes.

7. Your personal data will not be transferred to any third country or international organization.

8. You have the right to access your personal data and to request rectification, deletion, restriction of processing, data portability, and to object to processing.

9. You have the right to lodge a complaint with the supervisory authority, the Personal Data Protection Office, if you believe that the processing of your personal data violates GDPR.

10. Your personal data will not be processed in an automated manner, including profiling. No decisions producing legal effects or significantly affecting you will be based solely on automated processing of personal data.