Privacy Policy
Learn how we process and protect your personal data on nidomed.pl
I. General provisions
- This Privacy Policy sets out the rules for processing and protecting personal data of Users of the website available at https://nidomed.pl (hereinafter: the "Website").
- Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter: "GDPR"), the Polish Act of 10 May 2018 on the Protection of Personal Data, and the Act of 18 July 2002 on the Provision of Electronic Services.
- The Website processes data necessary for its proper operation and — with the User's consent — data for analytical, marketing, and functional purposes.
II. Data controller
- The data controller is NIDO Marta Karwot-Pięta, with its registered office at ul. Władysława Żeleńskiego 86, 31-353 Kraków, Poland, NIP: 6472186653, REGON: 365831356 (hereinafter: the "Controller").
- The Controller has appointed a Data Protection Officer (DPO), who can be contacted on all matters relating to personal data processing at: [email protected].
III. Purposes and legal bases for processing
The Controller processes personal data for the following purposes:
3.1. Handling contact form enquiries
Scope of data: name, email address, phone number (optional), message content.
Legal basis: Art. 6(1)(f) GDPR — the Controller's legitimate interest in responding to enquiries.
Retention period: until the correspondence is concluded, then until the expiry of the limitation period for claims (maximum 3 years).
3.2. Server logs
Scope of data: IP address, date and time of request, requested URL, referring page address, HTTP response code, browser and operating system information (user-agent), request identifier.
Legal basis: Art. 6(1)(f) GDPR — the Controller's legitimate interest in ensuring the security and stability of the Website and detecting abuse.
Retention period: up to 90 days, unless the data is necessary for establishing, pursuing, or defending claims.
3.3. Analytics and statistics (Google Analytics 4)
Scope of data: cookie identifiers, device and browser data, Website activity data.
Legal basis: Art. 6(1)(a) GDPR — User's consent expressed via the cookie banner (category: analytical).
Retention period: in accordance with Google Analytics settings (default: 14 months).
3.4. Marketing and remarketing (Meta Pixel)
Scope of data: cookie identifiers, Website activity data, device information.
Legal basis: Art. 6(1)(a) GDPR — User's consent expressed via the cookie banner (category: marketing).
Retention period: in accordance with Meta's policy (up to 180 days from last interaction).
3.5. Google Maps and Google Reviews display
Scope of data: IP address, device data, Google cookies.
Legal basis: Art. 6(1)(a) GDPR — User's consent expressed via the cookie banner (category: external functional).
IV. Data recipients
Personal data may be shared with the following categories of recipients:
- CloudVity Grzegorz Data, ul. Słoneczna 26i lok. 2, 32-005 Niepołomice, Poland — hosting services provider (based on a data processing agreement, servers located in Poland);
- Google Ireland Limited (Google Analytics 4, Google Maps, Google Reviews) — based on User consent;
- Meta Platforms Ireland Limited (Meta Pixel) — based on User consent;
- entities providing legal or accounting services to the Controller.
V. Data transfers outside the European Economic Area
- Due to the use of Google and Meta services, personal data may be transferred to the United States of America.
- The transfer is based on European Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 establishing an adequate level of protection under the EU-US Data Privacy Framework. Google LLC and Meta Platforms Inc. are certified participants in the Data Privacy Framework.
- Data processed by the hosting provider is stored exclusively on servers located in the Republic of Poland.
VI. User rights
Users have the following rights in relation to their personal data:
- right of access to personal data (Art. 15 GDPR);
- right to rectification (Art. 16 GDPR);
- right to erasure — "right to be forgotten" (Art. 17 GDPR);
- right to restriction of processing (Art. 18 GDPR);
- right to data portability (Art. 20 GDPR);
- right to object to processing based on the Controller's legitimate interest (Art. 21 GDPR);
- right to withdraw consent at any time (Art. 7(3) GDPR).
To exercise the above rights, please contact the Data Protection Officer at: [email protected]. The Controller will respond without undue delay, within one month of receiving the request.
Users also have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland).
VII. Cookies
- The Website uses cookies — small text files stored on the User's device.
- Cookies are divided into the following categories:
  - Necessary — ensure proper functioning of the Website, no consent required;
  - External functional — enable embedded content from external services (Google Maps, Google Reviews) — consent required;
  - Analytical — collect information about Website usage (Google Analytics 4) — consent required;
  - Marketing — enable personalized advertising (Meta Pixel) — consent required.
- Users can change their cookie settings or withdraw their consent at any time using the "Cookie settings" button in the Website footer or through browser settings.
VIII. Automated decision-making and profiling
- The Controller does not make decisions based solely on automated processing that would produce legal effects or similarly significantly affect Users (Art. 22 GDPR).
- If the User consents to marketing cookies (Meta Pixel), their data may be used by Meta Platforms Ireland Limited for profiling for advertising purposes. This profiling does not produce legal effects. Consent can be withdrawn at any time via cookie settings.
IX. Data security
The Controller applies appropriate technical and organizational measures to ensure the security of personal data, including:
- SSL/TLS encryption of data transmission;
- regular software updates;
- access control;
- regular backups;
- server log monitoring to detect unauthorized access attempts.
X. Final provisions
- In matters not regulated by this Privacy Policy, the provisions of the GDPR and Polish law shall apply.
- The Controller reserves the right to amend this Privacy Policy. Users will be informed of any changes through an appropriate notice on the Website.
- Changes to the Privacy Policy take effect on the date of their publication on the Website.
XI. Contact details
For matters related to personal data processing, please contact:
- Data Protection Officer: [email protected]
- by post: NIDO Marta Karwot-Pięta, ul. Władysława Żeleńskiego 86, 31-353 Kraków, Poland
Last updated: 26 January 2026