ProductOrg

Privacy Policy

This Privacy Policy defines the rules for processing and protecting personal data of ProductOrg.com website users, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the Polish Personal Data Protection Act of 10 May 2018.

1. Data Controller

Your personal data controller within the meaning of GDPR is:

Krzysztof Niewiński conducting business under the name: ProductOrg Krzysztof Niewiński

ul. Zawiszy 16B/57, 01-167 Warsaw

Tax ID (NIP): 118-159-63-32

REGON: 361184552

Contact with the Data Controller regarding personal data protection:

Email: krzysztof@productorg.com

Phone: +48 510 002 690

The Data Controller has not appointed a Data Protection Officer (DPO). For matters concerning the processing of personal data, please contact the Data Controller directly.

2. Scope of Collected Personal Data

Depending on the use of individual website functions, we process the following categories of personal data:

a) Identification and contact data

  • Name and surname (of the buyer and training attendees)
  • Email address (of the buyer and training attendees)
  • Phone number of the buyer (optional)

b) Order and payment data

  • Data necessary for VAT invoice issuance: company name, address (street, postal code, city), Tax ID (NIP)
  • Purchase history and training participation
  • Payment data (processed by payment operator Stripe)
  • Stripe payment session identifier
  • List of attendees assigned to the order

c) Contact data from lead magnet form

  • Name and surname
  • Email address
  • Phone number
  • Company name (optional)
  • Job position (optional)

d) Technical and behavioral data

  • IP address
  • Browser type and version
  • Website activity data (visited pages, visit time)
  • Cookie data (details in section 8)

Providing personal data is voluntary but necessary for:

  • Concluding and performing the training participation agreement (basis: Article 6(1)(b) GDPR)
  • Issuing VAT invoice (basis: Article 6(1)(c) GDPR – legal obligation)
  • Handling inquiries through contact form (basis: Article 6(1)(a) GDPR – consent)

Failure to provide data will make it impossible to achieve the above purposes.

3. Purposes and Legal Bases for Data Processing

We process your personal data only on the basis of legal provisions and for the following purposes:

a) Performance of training participation agreement

Purpose: conclusion and performance of the agreement, booking confirmation, training materials delivery, certificate issuance

Legal basis: Article 6(1)(b) GDPR (performance of contract)

Retention period: for the duration of the contract and 6 years after its termination (limitation period for claims – Article 118 of the Civil Code)

b) Issuance and storage of VAT invoices

Purpose: fulfillment of tax and accounting obligations

Legal basis: Article 6(1)(c) GDPR (legal obligation arising from the Accounting Act and VAT Act)

Retention period: 5 years from the end of the year in which the invoice was issued (Accounting Act requirement)

c) Contact form handling

Purpose: providing a response to the inquiry, communication

Legal basis: Article 6(1)(a) GDPR (consent) or Article 6(1)(f) GDPR (legitimate interest of the Data Controller)

Retention period: until the response is provided or consent is withdrawn, but no longer than 3 years

d) Direct marketing of our own products and services

Purpose: sending information about new trainings, promotions, newsletter

Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Data Controller) or Article 6(1)(a) GDPR (consent to marketing)

Retention period: until objection is raised or consent is withdrawn, but no longer than 3 years from the last interaction

e) Website traffic analysis and service quality improvement

Purpose: visit statistics, user behavior analysis, website optimization

Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Data Controller in improving services)

Retention period: up to 26 months (retention period for analytical cookies)

f) Pursuing claims and defense against claims

Purpose: establishing, pursuing or defending against claims

Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Data Controller)

Retention period: for the limitation period for claims (up to 6 years from the event)

4. Profiling and Automated Decision-Making

We inform you that your personal data is not used for automated decision-making, including profiling, within the meaning of Article 22 GDPR, which produces legal effects or similarly significantly affects your situation.

We use analytical tools (e.g. Google Analytics) to analyze website traffic, but we do not make automated decisions based on them that affect your rights.

5. Personal Data Recipients

Your personal data may be shared with the following categories of recipients (data processors):

Stripe Payments Europe Ltd.

Purpose: online payment operator – processing card payments, BLIK, online transfers

Location: Ireland (EEA)

Data is transmitted in encrypted form. Stripe may transfer data to the USA based on Standard Contractual Clauses approved by the European Commission. Transferred data: buyer email, attendee names, attendee emails, order amount.

Cloudways (www.cloudways.com)

Purpose: website hosting, cloud data storage

Location: EEA/USA (depending on server location)

Cloud hosting platform. Data may be stored on servers in the EEA or outside the EEA depending on the chosen server location. Cloudways ensures appropriate safeguards in accordance with GDPR.

Brevo (formerly Sendinblue)

Purpose: contact management (CRM), sending transactional emails (order confirmations, certificates) and marketing newsletter

Location: France (EEA)

Transferred lead data: first name, last name, email, phone number, company name, job position. Contacts are added to a dedicated mailing list for marketing communication.

Google LLC (Google Analytics, Google Tag Manager)

Purpose: website traffic analysis, visit statistics, campaign effectiveness measurement

Location: USA

Data transfer outside the EEA is based on Standard Contractual Clauses. Tools are loaded ONLY after user consent via the Klaro consent manager (opt-in approach compliant with GDPR). Without consent, no tracking scripts are activated and no data is collected or transferred to Google. Users can withdraw consent at any time in cookie settings in the page footer.

Meta Platforms Inc. (Facebook Pixel)

Purpose: remarketing, ad targeting, advertising campaign conversion analysis

Location: USA

Data transfer outside the EEA is based on Standard Contractual Clauses. Tool is activated only with user consent via the Klaro consent manager.

BR SIGMA

Purpose: accounting services, VAT invoice issuance

Location: Poland

Accounting office BR SIGMA, ul. Ks. J. Popiełuszki 7A lok 17, 01-786 Warsaw (www.brsigma.com.pl)

inFakt (www.infakt.pl)

Purpose: VAT invoice storage and management, accounting documentation archiving

Location: Poland

inFakt.pl invoicing system operated by Sygnity S.A., ul. Łopuszańska 32, 02-220 Warsaw. Transferred data: VAT invoice data (name or company name, address, Tax ID, order amounts). inFakt ensures data security in accordance with GDPR requirements.

The Data Controller does not sell or share personal data with third parties for marketing purposes.

Some data may be transferred outside the European Economic Area (EEA), particularly to the United States. Data transfer is carried out solely on the basis of:

  • Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR), or
  • European Commission adequacy decision (Article 45 GDPR).

You can obtain a copy of the appropriate safeguards by contacting the Data Controller.

6. Personal Data Retention Period

Personal data is stored for the period necessary to achieve the purposes for which it was collected, taking into account legal provisions:

  • Training agreement data – for the duration of the contract and 6 years after its termination (limitation period for claims – Article 118 of the Civil Code)
  • VAT invoice issuance data – 5 years from the end of the tax year in which the tax obligation arose (Article 70 § 1 of the Tax Ordinance Act)
  • Marketing data (based on consent) – until consent is withdrawn or objection is raised, but no longer than 3 years from the last interaction
  • Marketing data (legitimate interest) – until objection is raised, but no longer than 3 years from the end of the last contract
  • Contact form data – until a response is provided or consent is withdrawn, but no longer than 3 years
  • Cookie data – in accordance with the cookie policy (up to 26 months for analytical cookies, 12 months for functional cookies)

After the above periods, data is deleted or anonymized in a way that makes identification impossible.

7. Your Rights Related to Data Processing

In accordance with GDPR, you have the following rights:

a) Right of access to data (Article 15 GDPR)

You have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and a copy thereof.

b) Right to rectification (Article 16 GDPR)

You have the right to request from the Data Controller immediate rectification of inaccurate personal data concerning you or completion of incomplete data.

c) Right to erasure – "right to be forgotten" (Article 17 GDPR)

You have the right to request erasure of personal data if they are no longer necessary for the purposes for which they were collected, you withdraw consent, object to processing, data was processed unlawfully, or must be erased to comply with a legal obligation.

d) Right to restriction of processing (Article 18 GDPR)

You have the right to request restriction of processing of personal data in cases specified in Article 18 GDPR (e.g. questioning the accuracy of data, objecting to processing).

e) Right to data portability (Article 20 GDPR)

You have the right to receive personal data concerning you in a structured, commonly used and machine-readable format, and to transmit that data to another controller.

f) Right to object to processing (Article 21 GDPR)

You have the right to object at any time – for reasons relating to your particular situation – to processing of personal data concerning you based on Article 6(1)(f) GDPR (legitimate interest), including profiling. The Data Controller may continue processing if it demonstrates compelling legitimate grounds for processing that override your interests.

g) Right to withdraw consent (Article 7(3) GDPR)

If processing is based on consent, you have the right to withdraw consent to processing of personal data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.

h) Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

You have the right to lodge a complaint with a supervisory authority responsible for the protection of personal data if you believe that the processing of personal data concerning you violates GDPR provisions.

To exercise the above rights, please contact the Data Controller:

Email: krzysztof@productorg.com or in writing to: ul. Zawiszy 16B/57, 01-167 Warsaw

The Data Controller will respond to your request without undue delay, no later than one month from receipt of the request.

Supervisory authority in Poland:

Personal Data Protection Office (Urząd Ochrony Danych Osobowych)

ul. Stawki 2, 00-193 Warsaw

https://uodo.gov.pl

8. Cookies and Tracking Technologies

The ProductOrg.com website uses cookies – small text files saved on your device while browsing the website.

Types of cookies used:

Necessary Cookies (session)

Purpose: Ensuring proper website operation, login handling, shopping cart, session management

Period: For the duration of the session or up to 12 months

Do not require consent – Article 173(3) of the Telecommunications Act

Functional Cookies

Purpose: Remembering user preferences (language, region)

Period: Up to 12 months

Require consent

Analytical Cookies

Purpose: Website traffic analysis, visit statistics (Google Analytics, Google Tag Manager)

Period: Up to 26 months

Require user consent. Without consent, analytical cookies are not set and tracking scripts are not loaded.

Marketing Cookies

Purpose: Remarketing, ad personalization (Facebook Pixel, Google Ads)

Period: Up to 24 months

Require consent

Managing cookies:

You can change your cookie settings at any time in your browser or use the consent management tool on the website. Information about managing cookies can be found in your browser's help:

  • Chrome: https://support.google.com/chrome/answer/95647
  • Firefox: https://support.mozilla.org/pl/kb/wlaczanie-i-wylaczanie-ciasteczek
  • Safari: https://support.apple.com/pl-pl/guide/safari/sfri11471/mac
  • Edge: https://support.microsoft.com/pl-pl/microsoft-edge

Disabling cookies may affect website functionality. Some features may not work properly.

9. Personal Data Security

The Data Controller uses appropriate technical and organizational measures to ensure the security of processed personal data, particularly to protect data from disclosure to unauthorized persons, loss, destruction, or unauthorized modification.

Applied security measures include:

  • Connection encryption – SSL/TLS certificate (HTTPS connection)
  • Infrastructure security – firewall, regular software updates
  • Access control – limiting access to personal data to authorized persons only
  • Backup copies – regular backups to protect against data loss
  • Security monitoring – system logs, incident analysis
  • Staff training – persons with access to data are trained in personal data protection

In the event of a personal data breach, the Data Controller will take remedial action and inform UODO (Office for Personal Data Protection) and the data subjects concerned (if required by law).

10. Changes to the Privacy Policy

We reserve the right to make changes to this Privacy Policy in case of changes in legislation, technology development, or changes in the scope of services provided.

We will inform about any significant changes by posting information on the website's homepage or by sending a notification to your email address (if you have given consent).

The current version of the Privacy Policy is always available at: https://productorg.com/en/privacy-policy

Last updated: January 18, 2026

In case of questions regarding personal data processing or this Privacy Policy, please contact:

ProductOrg Krzysztof Niewiński

ul. Zawiszy 16B/57, 01-167 Warsaw

Tax ID (NIP): 118-159-63-32

REGON: 361184552

Email: krzysztof@productorg.com

Phone: +48 510 002 690