Personal Data Processing Policy



WARSAW, September 29, 2020

We do our utmost to protect your privacy and personal data. In order to achieve this, we use the most modern standards and technologies to ensure the security of personal data, including minimising the risk of interception, unauthorised modification, loss or damage of personal data by third parties. 

Please read this Policy before providing any information.

By using our website, you accept the terms of this Policy, which includes information on the manner, scope and purpose of obtaining and processing your Personal Data.

We would like to inform you that you can visit our website without disclosing your Personal Data. In this case, we only collect data relating to visits to our website, including in particular your IP address, browser type and operating system name. They are used solely for statistical purposes and do not permit any association with your person.

  1. The purpose of this Policy is to explain the principles under which Personal Data is processed and to discuss the fundamental rights of persons whose Data is processed by the Administrator.
  2. The terms used in this Policy mean:
Administrator, CompanyUntold Tales S.A. with its registered office in Warsaw (postal code: 01-830) at 36 Zjednoczenia Avenue, registered in the District Court under no. KRS 0000860756, NIP: 1182213801
Data, Personal datapersonal data which constitute information about an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, internet identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual
Person, personsthe natural person(s) whose Data are Processed by the Administrator
Policythis personal data processing policy
Processingan operation or set of operations which is performed upon Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organisation, organisation, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction
Servicethe Internet service operating at
GDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU.L.2016.119.1 as amended)
ActAct of 10 May 2018 on personal data protection (Journal of Laws 2018.1000 as amended)
  1. The administrator of personal data provided to the Company is the Company.
  2. The Administrator may be contacted via the Company’s mailing address, i.e. Warsaw (postcode: 01-830) at Al. Zjednoczenia 36, as well as via e-mail: [email protected].
  3. The Administrator ensures that the Data is collected only to the extent necessary for the indicated purpose and only for the period of time necessary.
  4. The Administrator ensures that the Data entrusted to him/her are Processed in accordance with the provisions of the GDPR and the Act.
  1. The Administrator shall Process Personal Data necessary for the realization of the specific purpose of the Processing, in particular: name, surname, e-mail address, correspondence address, telephone/fax number, address of residence, NIP (Tax Identification Number), REGON (Statistical Identification Number), PESEL (Personal Identification Number), which were provided during the Administrator’s activity.
  2. The provision of the Data is necessary to take action at the request of the Data Subject or to fulfil the legal obligation imposed on the Administrator.
  3. The remaining part of the data provision is voluntary, however, depending on the circumstances, the refusal to provide access to or to provide the data or the request to delete the data may prevent the Administrator from providing information about its activity and from maintaining contact.

Scope and source of Data

  1. The service is hosted (technically maintained) on the operator’s server:
  2. The Administrator processes Personal Data, in particular in the following scope: name, surname, company, e-mail address, telephone/fax number, correspondence address.
  3. The Administrator obtains the Data directly to the Person through the contact form placed on the website: and other forms placed on the website.
  4. The service collects information provided voluntarily by the user, including personal data, provided that they are provided.
  5. The service may save information about the parameters of the connection (time stamp, IP address).
  6. The service, in some cases, may save information to facilitate the linking of data in the form with the e-mail address of the user completing the form. In this case, the user’s e-mail address appears inside the url of the page containing the form.

Processing objectives

The Administrator processes the Data for the purpose:

  1. reply to the form sent (legal basis: Article 6(1)(a) of the GDPR, Article 6(1)(f) of the GDPR);
  2. ongoing contact in connection with the conclusion or performance of a contract, submission of a tender, sending of a contract, answers to questions (legal basis: Article 6(1)(b) GDPR, Article 6(1)(f) GDPR);
  3. conduct e-mail and traditional correspondence in connection with the performance of contracts, orders, submissions of tenders and enquiries (legal basis: Article 6(1)(b) GDPR, Article 6(1)(f) GDPR);
  4. telephone contact in connection with the provision of services and activities, including the performance of contracts, information on services (legal basis: Article 6(1)(b) GDPR, Article 6(1)(f) GDPR);
  5. execution of contracts, orders, including the assertion of claims or defence against claims (legal basis: Article 6(1)(b) of the GDPR, Article 6(1)(f) of the GDPR);
  6. performance of contracts concluded by the Administrator in order to cooperate with suppliers and other entities cooperating with the Administrator (legal basis: Article 6.1.b of the GDPR, Article 6.1.f of the GDPR);
  7. for other legitimate purposes related to establishing and maintaining business contacts and networking, e.g. by exchanging business cards, organising/participating in business meetings/conferences/events (legal basis: Article 6(1)(f) of the GDPR);
  8. potential cooperation (legal basis: Article 6(1)(a) of the GDPR, Article 6(1)(f) of the GDPR);
  9. the determination or the assertion of, or defence against, any such claims (legal basis: Article 6(1)(f) GDPR).

Data retention period

  1. The Administrator shall Process Personal Data during the period of maintaining current relations, including the exchange of correspondence, or until the withdrawal of consent to Data Processing. 
  2. In case of Data Processing on the basis of the Administrator’s legitimate interest – the Data shall be Processed for the period enabling the realization of such interest or to raise an effective objection to the Data Processing. 
  3. The Processing Period may be extended within the limits of the law in case the Processing of Personal Data is necessary to pursue or defend against claims. 
  4. With regard to Data processed for marketing purposes, data will not be processed for more than 3 years.
  5. After the processing period, the data will be deleted or rendered anonymous.
  1. In connection with the Administrator’s activities, to the extent necessary, Personal Data may be transferred to external entities, including in particular:
  1. entities providing accounting services;
  2. entities providing legal services;
  3. entities providing marketing services;
  4. employees of the co-workers who use the data in order to achieve the purpose of the website;
  5. entities engaged in postal or courier activities;
  6. entities responsible for operating information systems and equipment;
  7. state bodies or other entities authorised by law to perform the Administrator’s duties;

The controller shall not transfer Personal Data outside the EEA.


The Administrator shall not make decisions in an automated manner in individual cases, in particular Personal Data shall not be subject to profiling.

  1. Subject to the situations specified in the law, the Data Subject is entitled to the following:
  1. the right to access their Data;
  2. the right to rectify inaccuracies or errors in the Processed Data or to supplement them;
  3. the right to be informed about the Processed Data, including the purposes and grounds of the Processing;
  4. the right to restrict the Processing of Personal Data;
  5. the right to withdraw consent at any time without affecting the lawfulness of the Processing, provided that the Processing is based on consent;
  6. the right to transfer Personal Data;
  7. the right to object to the Processing of Personal Data;
  8. the right to lodge a complaint to the supervisory authority, i.e. the President of the Office for the Protection of Personal Data, in case the Processing of Personal Data is found to violate the provisions of law, including the GDPR.
  9. Requests for exercising the above powers should be submitted in writing or electronically to the addresses indicated in this Policy.
  1. The controller makes every effort to ensure the security of personal data entrusted to him/her.
  2. The Administrator: 
  1. ensures the transparency of the Data Processing;
  2. inform about the Data Processing at the moment of its collection, except for the situations in which it is not obliged to do so under separate provisions;
  3. ensure that the Data are collected only to the extent necessary for the indicated purpose and are Processed only for the period necessary,
  4. ensure the confidentiality of the Data by access to the Data only by authorized persons.
  5. In a situation when, despite the security measures taken, the personal data protection has been violated and this violation could result in a high risk of violation of the rights and freedoms of the Data Subjects, the Administrator shall immediately inform the Data Subjects about such an event.
  1. The policy shall apply from September 29, 2020.
  2. The policy shall be reviewed and, where necessary, updated on an ongoing basis.
  3. The Administrator reserves the right to change this Policy at any time without the need to inform the persons. 
  4. The introduced changes in the Policy shall always be published in the Service.
  5. The introduced changes shall come into force on the date of publication of the Policy in the Service.
  6. The Administrator has a separately regulated cookie policy, which can be found on the Company’s website