Protecting Your Privacy

Our Comprehensive Privacy Policy for Datumo

[#privacy-policy]I. Privacy Policy[#privacy-policy]

conducted by DATUMO sp. z o.o. with its seat in Warsaw
Version 3.0 adopted on December 16, 2024

§ 1. Privacy Policy Assumptions

We kindly request all users of the website https://www.datumo.io/ to familiarise themselves with the content of this document. The purpose of the Privacy Policy is to provide information about the purposes and legal basis for processing the personal data of website users by DATUMO sp. z o.o. as the data controller. DATUMO sp. z o.o. attaches great importance to respecting the privacy of users of the website and makes every effort to ensure that they feel comfortable and secure while using it. Furthermore, the Administrator ensures that the personal data processing process is transparent and compliant with applicable data protection laws, the guidelines of the supervisory authority and best practices.

This Privacy Policy fulfils the informational obligation as stipulated in Article 13 of the GDPR. However, in case of any doubts, the Administrator remains at your disposal and will strive to address any questions or concerns regarding the processing of personal data.

§ 2. Definitions of Terms

Privacy Policy – this document, the content of which is available at https://www.datumo.io/privacy-policy

Website - the website available at https://www.datumo.io

Administrator - the entity that independently or jointly with others determines the purposes and means of processing personal data, in this case, DATUMO sp. z o.o.;

Personal data – according to Article 4(1) of the GDPR this refers to any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing - any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

GDPR - - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, Official Journal of the European Union L 2016 No. 119, page 1).

§ 3. Information about the Data Controller

The data controller for personal data is DATUMO sp. z o.o., with Tax Identification Number (NIP): 5252727187, National Business Registry Number (REGON): 36857993400000, and National Court Register (KRS): 0000700398. The registered office of the Data Controller is located in Warsaw, at Józefa Piusa Dziekońskiego Street 1, 00-728 Warsaw. You can contact the Data Controller via email at contact@datumo.pl and by mail at the registered office address, for all matters related to the processing of personal data and the exercise of rights under the GDPR.

§ 4. Scope and Purposes of Data Processing

In accordance with the principles of processing personal data as outlined in Article 5 of the GDPR, particularly the principles of data minimization and privacy by default, the Administrator limits the scope of processed personal data within the use of the website (as well as in the execution of all processes conducted as part of the company's operations) to the necessary data. Data is collected through the use of a contact form or by sending messages to the provided email addresses (e.g., contact@datumo.pl, cv@datumo.pl). To use the contact form on the website https://www.datumo.io/, the following personal data is collected: first name, last name, company, phone number, email address, and the content of the message.

In the case of submitting CVs electronically through the website, personal data of candidates contained in the CVs and attached documents, as well as in the application form, are collected. This may include first name, last name, email address, and other relevant data.

When establishing electronic contact through the LinkedIn platform, the personal data of LinkedIn users—such as their name, surname, email address, phone number, profile image, and professional accomplishments - are processed.

In the case of a personal visit to the Administrator's office or a video conference (e.g. a business meeting or job interview), it is possible that the image of a person may be processed.

The Administrator ensures that data is always obtained for legitimate and clearly defined purposes:

providing website accessibility and functionality services;
handling communication between the Administrator and the User (including contact via email and the contact form);
conducting recruitment processes;
entering into contracts;
fulfilling legal requirements (including accounting regulations, civil code provisions);
establishing and pursuing claims or defending against claims;
informing about provided services and promoting them on social media platforms;
facilitating electronic business contact with LinkedIn users who may be interested in the Administrator's activities, to build positive relationships with LinkedIn users, and to share information promoting the Administrator's operations.
sending industry and commercial information with consent;
administering the IT system, improving the functionalities used, and services provided.

§ 5. Legal Bases for Data Processing

The Administrator ensures compliance with the principle of legality and takes utmost care to ensure that every operation involving personal data is based on a legal basis. The Administrator processes personal data on various legal grounds as derived from both Article 6(1) of the GDPR and national laws, including the Accounting Act and the Civil Code.

Depending on the case and the purpose of processing, the legal basis for processing personal data may include:

consent (Article 6(1)(a) of the GDPR, as well as Article 398 of the Electronic Communications Law, including the candidate's consent expressed when sending a CV via the Website, consent to electronic contact, consent to sending business and commercial information, consent to electronic business contact with LinkedIn users potentially interested in the Administrator's activity, building positive relationships with LinkedIn users and sending information promoting the Administrator's activity);
contract with the Client (Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract, including training and courses);
legal obligation of the Administrator (Article 6(1)(c) of the GDPR: processing is necessary for compliance with a legal obligation to which the Administrator is subject, including obligations arising from accounting regulations and the Civil Code);
legitimate interests pursued by the Administrator (Article 6(1)(f) of the GDPR: processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject). The Administrator relies on legitimate interests in the analysis, development, improvement, and optimization of the website's operation (primarily for system security purposes), as well as in defence against potential claims and social media profiling.

§ 6. Data Retention Periods

The Administrator takes measures to ensure that user data on the website is retained only for the period necessary to fulfill the purpose or obligations imposed on the Administrator. The data processing period may be extended when processing is necessary for the establishment, exercise, or defense of legal claims, and after that time, only to the extent and for the duration required by applicable laws. After the processing period expires, the data is irreversibly deleted or anonymized.

Depending on the specific situation related to data processing, the Administrator has established the following data processing periods in their activities:

5 years from the beginning of the year following the financial year in which the payment was made (in accordance with Article 74 of the Accounting Act);
the period necessary for the exercise of rights and claims by the Administrator or the Client, and the statutory limitation periods (6 years, and for periodic benefits claims and claims related to business activities - 3 years);
until the withdrawal of consent if data is processed based on consent;
the Administrator does not have control over data retention periods on its profiles on social media platforms.

§ 7. Rights of Data Subjects and Methods of Exercising Rights

Requests regarding the rights of the data subject can be submitted:

electronically to the email address: contact@datumo.pl;
by mail to the address: Józefa Piusa Dziekońskiego Street 1, 00-728 Warsaw

The exercise of the rights of data subjects is generally free of charge unless otherwise provided by GDPR regulations. In accordance with Article 12(5) of the GDPR, the Administrator may charge a reasonable fee, taking into account administrative costs for providing information, communication, or taking requested actions.

If the conditions specified in the GDPR are met and unless special provisions exclude them, users of the website may have the following rights regarding the processing of personal data:

Art. 13 and 14 of the GDPR - Right to Information The Administrator, when obtaining personal data, provides all the information outlined in the content of Articles 13 and 14 of the GDPR. The Administrator takes appropriate measures to provide the data subject with all the information in a concise, transparent,easily accessible form, in clear and plain language.
Art. 15 of the GDPR - Right of Access to Personal Data The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed. The controller provides the data subject with a copy of the personal data undergoing processing.
Art. 16 of the GDPR - Right to Rectification of Personal Data The data subject has the right to request the controller to rectify inaccurate personal data concerning them without undue delay.
Art. 17 of the GDPR - Right to Erasure of Personal Data The data subject has the right to request the controller to erase personal data concerning them without undue delay in situations where the conditions specified in this provision are met, and it is not excluded by other specific regulations.
Art. 18 of the GDPR - Right to Restriction of Processing of Personal Data The data subject has the right to request the controller to restrict processing in certain legally defined cases. If processing is restricted, such personal data may only be processed, with the exception of storage, with the data subject's consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Art. 19 of the GDPR - Right to Notification Regarding Rectification or Erasure of Personal Data or Restriction of Processing The controller informs every recipient to whom the personal data have been disclosed of any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1), and 18 of the GDPR, unless this proves impossible or involves disproportionate effort. The controller informs the data subject about the serecipients if the data subject requests it.
Art. 20 of the GDPR - Right to Data Portability If the processing is based on consent or a contract and is carried out by automated means, the data subject has the right to receive the personal data concerning them which they have provided to the controller in a structured, commonly used, and machine-readable format. They also have the right to transmit those data to anothercontroller without hindrance from the controller to which the personal data have beenprovided.
Art. 21 of the GDPR - Right to Object to Processing of Personal Data The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions.

Furthermore, users have the right to lodge a complaint with the supervisory authority responsible for data protection in Poland: the Office for Personal Data Protection, Stawki Street 2, 00-193 Warsaw.

§ 8. Personal Data

Authorised subcontractors and collaborators of the Administrator have direct access to the personal data of users processed by the Administrator.

Providers of recruitment services, including the platform used for job applications, may have access to personal data related to the recruitment of candidates.

Furthermore, access to data is granted to entities to which the Administrator entrusts the processing of personal data through data processing agreements or the acceptance of regulations (e.g., IT system providers, courier services, accounting entities).

Personal data may be disclosed to, among others, state authorities in accordance with legal regulations, or other entities authorised under legal regulations, for the purpose of fulfilling obligations imposed on the Administrator.

In the case of users leaving personal data on the Administrator's profiles on social media platforms, the Administrator is not responsible for the content posted by users on the profile, nor does the Administrator have control over how users' personal data will be processed by social media platforms.

The personal data of users is not commercially disclosed to other entities.

We make every effort to ensure that the entities to whom we provide personal data guarantee the use of protection measures appropriate to the applicable personal data protection regulations, thereby ensuring high standards and security. For more information, please refer to their privacy policies.

§ 9. Personal Data Security

The Administrator implements technical and organisational measures to ensure the protection of processed data appropriate to the threats and categories of data subject to protection. This includes safeguarding personal data against unauthorised access by unauthorised persons, loss, or damage (access restricted to authorised persons only). The Administrator also carefully selects contractors, provides training to staff in the area of personal data protection and information security, and diligently analyses requests for the exercise of data subject rights.

§ 10. Voluntary / Mandatory Provision of Personal Data

Providing data is voluntary, but in most cases necessary because it conditions the achievement of a purpose adequately related to the matter. Without providing personal data, it is not possible to enter into a contract, contact the Administrator, conduct recruitment, exercise rights, or pursue claims.

§ 11. Data Transfer to Third Countries, Automated Decision-Making,and Profiling

Personal data of users are not and will not be intentionally transferred to a third country or international organisation, but the Administrator notes that it uses cloud technologies provided by entities that may be located and operate outside the EEA. Data is not used for automated decision-making, including profiling.

§ 12. Use of Cookies

The Website collects information contained in cookies. Cookies are text files that are stored on the User's end device of the Website. They are intended for use on the Website's pages. They primarily contain the name of the originating website, their unique number, and the duration of storage on the end device. The Administrator is the entity that places cookies on the User's end device and has access to them.

Cookies are used for the following purposes:

customising the website's content to the individual preferences of the User, primarily by recognizing their device in order to display the page according to their preferences;
preparing statistics that help understand the preferences and behaviours of users; the analysis of these statistics is anonymous and allows for adjusting the content and appearance of the website to current trends; statistics are also used to assess the popularity of the site;
enabling login and maintaining the User's login on each subsequent page of the Website.

The Website uses four types of cookies – essential, marketing, personalization, and statistical. Users have the option to allow all cookies, reject all cookies, or choose individual cookies.

The user can change their browser settings at any time to block the use of cookies or to receive information about their placement in their device each time. Other available options can be checked in the settings of their web browser. It should be noted that most browsers are set by default to accept the storage of cookies on the end device. Cookies used by the Website (placed on the user's end device) may be shared with cooperating service providers.

The Administrator informs that changes to the settings in the User's web browser may restrict access to some of the website's functions. Information regarding web browser settings can be found in its menu (help) or on the website of its manufacturer.

§ 13. Final Provisions

Changes to the Privacy Policy may be made by the Administrator and will be published on the Website.

In matters not covered by the Privacy Policy, the relevant provisions of the applicable law, guidelines from the supervisory authority, and the European Data Protection Board shall apply.

Any potential disputes concerning the provisions of the Privacy Policy will first be subject to amicable resolution.

‍

[#form-consents]II. Form Consents[#form-consents]

Clause providing information on consent for the processing of personal data (response to inquiries via form on the website).

In fulfilling the obligations as specified in Article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR, Official Journal of the European Union L 119, page 1, as amended), I hereby inform that:

The administrator of your personal data is DATUMO sp. z o.o., Tax Identification Number (NIP): 5252727187, National Business Registry Number (REGON): 36857993400000, National Court Register (KRS): 0000700398. The Administrator's registered office is located in Warsaw, at Józefa Piusa Dziekońskiego Street 1, 00-728 Warsaw. You can contact the Administrator via email at contact@datumo.pl and by mail at the registered office address, for all matters related to the processing of personal data and the exercise of rights under GDPR.
Your personal data provided in the contact form is processed in order to enable the response to inquiries through electronic means via the form on the website https://www.datumo.io.
The legal basis for processing your personal data is the consent you have provided to the Administrator - Article 6(1)(a) of GDPR.
Your personal data will be stored until you withdraw your consent for data processing. You should inform DATUMO sp. z o.o. about data processing withdrawal (contact@datumo.pl).
Your personal data is not commercially disclosed to other entities. Access to your data may be granted to subcontractors and collaborators of DATUMO sp. z o.o., service providers, entities with whom a data processing agreement has been concluded, entities authorised by law.
Your personal data is not and will not be intentionally transferred to a third country or international organisation. However, the Administrator notes that cloud technologies provided by entities operating outside the European Economic Area (EEA) may be utilised. Your data is not used for automated decision-making, including profiling.
You have the right to:
- request access to personal data and their correction from the administrator,
- request the deletion or restriction of data processing, provided that the conditions specified in the law are met,
- raise an objection to data processing, provided that the conditions specified in the law are met,
- data portability, provided that the conditions specified in the law are met,
- withdraw your consent for processing at any time without affecting the lawfulness of processing based on consent before its withdrawal,
- lodge a complaint with the supervisory authority: Office for Personal Data Protection, Stawki Street 2, 00-193 Warsaw.
Providing your personal data is voluntary but necessary to enable electronic contact.

‍

Clause providing information on consent for the transmission of sectoral and commercial information.

Complying with the obligation specified in Article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR, Official Journal of the European Union L No. 119, p. 1 as amended), we inform that:

The Administrator of your personal data is DATUMO sp. z o.o., NIP: 5252727187, REGON: 36857993400000, KRS: 0000700398. The Administrator's registered office is located in Warsaw, at Józefa Piusa Dziekońskiego Street 1, 00-728 Warsaw. For all matters related to the processing of personal data and the exercise of rights under the GDPR you can contact the Administrator via email at: contact@datumo.pl and by mail at the registered office address.
Your personal data is processed for the purpose of sending sectoral and commercial information, including marketing, to the provided email address.
The legal basis for processing your personal data is your consent, pursuant to Article 6(1)(a) of the GDPR and article 398 of the Polish Act on Electronic Communications Law.
Your personal data will be stored until you withdraw your consent for data processing, which should be communicated to the Administrator (contact@datumo.pl).
Your personal data is not commercially shared with other entities. Access to this data may be granted to the employees and collaborators of the Administrator, service providers (including IT system providers), entities with whom a data processing agreement has been concluded and entities authorised under legal regulations.
Your personal data is not and will not be intentionally transferred to a third country or international organisation. However, the Administrator notes that may use cloud technologies provided by entities that may be located and operate outside the European Economic Area (EEA). Your data is not used for automated decision-making, including profiling.
You have the right to:
- request access to personal data from the Administrator and its rectification,
- request the erasure or restriction of data processing, provided that the conditions specified by law are met,
- raise an objection to the processing, provided that the conditions specified by law are met,
- request data portability, provided that the conditions specified by law are met,
- withdraw consent for processing at any time without affecting the lawfulness of processing based on consent before its withdrawal,
- file a complaint with the supervisory authority: the Office for Personal Data Protection, Stawki Street 2, 00-193 Warsaw.
Providing your personal data is voluntary.

‍

Clause providing information on consent for processing and storage of personal data (recruitment processes, submitting cv).

In accordance with Article 13 of the EU Regulation 2016/679 (General Data Protection Regulation, OJ EU. L No. 119, page 1, as amended, hereinafter referred to as GDPR), the Administrator hereby informs as follows:

The controller of your personal data is DATUMO sp. z o.o., Tax Identification Number (NIP): 5252727187, National Business Registry Number (REGON): 36857993400000, National Court Register (KRS): 0000700398. The registered office of the Controller is located in Warsaw, at Józefa Piusa Dziekońskiego Street 1, 00-728 Warsaw. You can contact the Controller via email at contact@datumo.pl and by postal mail at the registered office address.
Your personal data (contained in the submitted CV and attached documents) are processed for the purpose of conducting recruitment for contractors/collaborators and - if consent has been granted - for inclusion in the database of candidates interested in cooperation with DATUMO sp. z o.o. This includes, primarily, the following purposes:
- contacting a candidate regarding the current recruitment process as well as future recruitments, if the candidate has given consent to remain in the database,
- maintaining personnel records of candidates and candidate case files at DATUMO sp. z o.o. with its registered office in Warsaw,
- archiving recruitment documentation.
The legal basis for processing your personal data is the consent provided to the Controller by submitting the CV, in accordance with Article 6(1)(a) of GDPR. Additionally, if the provided data includes special categories of personal data as referred to in Article 9(1) of the GDPR, the legal basis is Article 9(2)(a) of the GDPR.
Your personal data is not disclosed to any commercial entities. Access to your data may be granted to contractors and collaborators of the Company, service providers, entities authorised under the provisions of the law and entities to whom data processing has been entrusted in accordance with Article 28 of GDPR. Furthermore, the provider of recruitment services, including the platform used for applications, may have access to your personal data obtained in connection with the ongoing recruitment process.
Your personal data is not and will not be intentionally transferred to a third country or international organisation. However, the Controller acknowledges that it utilises cloud technologies provided by entities that may be located and operate outside the European Economic Area (EEA). The data is not used for automated decision-making, including profiling.
The processing period for personal data is determined by the duration of the recruitment process and the period of archiving recruitment documentation. In the event of granting consent to process personal data for inclusion in the database of candidates interested in cooperation with DATUMO sp. z o.o., the data will be processed until the consent is withdrawn, which can be done by sending a revocation to the address contact@datumo.pl. However, the withdrawal of consent does not affect the lawfulness of data processing based on the consent before its withdrawal.
You have the right to:
- request access to your personal data and their correction from the Controller,
- request the deletion or limitation of data processing, provided that the conditions specified in the law are met,
- object to data processing, provided that the conditions specified in the law are met,
- data portability, provided that the conditions specified in the law are met,
- withdraw your consent for processing at any time, without affecting the legality of processing based on consent before its withdrawal,
- lodge a complaint with the supervisory authority: the Office for Personal Data Protection, Stawki Street 2, 00-193 Warsaw.
Providing your personal data is voluntary but necessary to participate in the recruitment process and necessary to be included in the database of candidates interested in cooperation with DATUMO sp. z o.o.,(if the candidate has given consent).

‍

[#social-media-information-clauses-regarding-data-processing]III. Social media - Information Clauses Regarding Data Processing[#social-media-information-clauses-regarding-data-processing]