I. General Information
 
1. This Privacy Policy is a set of rules intended to inform about all aspects of the process concerning the collection, processing, and protection of your personal data. The Policy is addressed to all users (hereinafter: “Users”) of the Controller’s Website.
 
2. This Policy defines the rules concerning the processing of personal data by the Personal Data Controller, which is:
 
Spoco Sp. z o.o., with its registered office at ul. Stępińska 45/6, 00-739 Warsaw, NIP: 5213797137, REGON: 3684649410, KRS: 0000698036, e-mail address: hello@spoco.co
(hereinafter: the “Controller”).

The Data Controller has appointed a Data Protection Officer: Daria Bartnicka
Contact regarding the processing of personal data is possible via e-mail correspondence at: iod@spoco.co or to the Controller’s registered office address.

3. This Policy may be amended and updated in the event of changes in personal data processing practices (taking into account current case law and guidelines of the Polish Data Protection Authority - PUODO) or changes in generally applicable laws. The Controller will appropriately inform the Users of the Website about changes to the Policy by posting relevant information on the Website.

4. Using the Controller’s Website requires the User to read and accept the content of this Privacy Policy.

5. Providing personal data to the Controller is voluntary but constitutes a necessary condition for using the Website.

II. Definitions
 

1. Controller means the entity that decides how and for what purposes Personal Data is Processed. The Controller is responsible for ensuring that the processing complies with applicable data protection law.
    

2. Personal Data means any information concerning any identified or identifiable natural person.
    

3. To Process, Processing, or Processed means any operation related to Personal Data, performed in an automated or non-automated manner, such as: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    

4. Processor means any person or entity that Processes Personal Data on behalf of the Controller (other than an employee of the Controller).
    

5. Website – https://www.spoco.co/
    

6. Controller’s Fanpages on social media platforms:

• Facebook at the link https://www.facebook.com/www.spoco.co

• LinkedIn at the link https://pl.linkedin.com/company/spo-co

• Instagram at the link https://www.instagram.com/spoco.co

III. Processing of Users’ Personal Data
 

1. The Controller may collect Users’ Personal Data, in particular, in the following cases:
   
   a. when Personal Data is provided by Users (e.g. by email, phone, via contact form, or in any other way) based on Article 6(1)(f) GDPR (legitimate interest of the Controller – responding to a message or inquiry) in connection with the necessity to handle the reported matter or process the inquiry,
   
   b. for the purpose of pursuing claims and taking actions in connection with the defense of the Controller’s rights, conducting legal proceedings, as well as, among others, enabling the use of the Website through cookies, preventing fraud during the use of the Website, and creating summaries, analyses, and statistics for the Controller’s internal needs. This includes, in particular: reporting, marketing research, planning Website development, development work, opinion surveys, creation of statistical models based on Article 6(1)(f) GDPR (the aforementioned legitimate interest of the Controller),
   
   c. acquisition of Users’ Personal Data published on social media (Controller’s Fanpage) (e.g. obtaining information from Users’ private profiles on social media, to the extent that such information is publicly visible) based on Article 6(1)(f) GDPR (legitimate interest of the Controller – promoting own activities and services, managing the social media profile (Fanpage), building and strengthening relationships with customers, conducting analyses and statistics on the popularity and functioning of the profile, as well as establishing, pursuing, and defending against potential claims related to the use of the profile, responding to contact),
   
   d. acquisition or request for Users to provide their Personal Data during visits to the Controller’s websites or when using any features or resources available on or through the Website – namely cookies and third-party entities. When Users visit the Website, their devices and browsers may automatically share certain information (such as device type, operating system, browser type, browser settings, IP address, language settings, dates and times of connections to the Website, and other technical communication information), some of which may constitute Personal Data. During the visit to the Website, no Personal Data of Users will be stored by the Controller without an appropriate legal basis. Regarding cookies, the Controller – apart from necessary files – will obtain the User’s consent for the installation of additional cookies (including third-party cookies like Google Analytics). Granting the aforementioned consent is optional and does not affect the ability to use the Website. Processing is carried out on the basis of Article 6(1)(a) (consent – regarding cookies other than necessary) and Article 399 of the Electronic Communications Law (legal provision – regarding necessary cookies).
    

2. Providing personal data is voluntary, it is not a statutory obligation. However, in certain cases, the use of the Website is not possible without providing personal data. Categories of Users’ Personal Data Processed by the Controller may, in particular, include:
   a. Personal details: first name(s), surname(s),
   b. Contact details: company information, email address, telephone number,
   c. Message content: all messages (inquiries, statements, views, and opinions) submitted via the contact form or published on the Controller’s website or Fanpages by the User,
   d. IP address, cookies, and information on how the User uses our Website – during the use of the Website,
   e. Image: in the case of publishing an opinion, posting a comment, clicking the “Like” button on the Controller’s social media profile (Fanpage) (provided that the User’s private account makes their image publicly available).
    

3. The Controller uses Fanpage-type profiles on social media platforms. Public data shared by Users of social media may be used for the following purposes:
   a. responding to private messages addressed to us,
   b. conducting discussions in the comment sections under individual posts,
   c. sharing our posts with those following our Fanpage,
   d. marketing purposes involving informing about our services and ourselves through posts placed on our Fanpage, including sponsored posts shown to a broader group of Users,
   e. statistical purposes involving the presentation of data on the visibility of our posts, their reach, and number of interactions; the data presented to us by the owners of social media platforms are statistical in nature but are created based on observations of behavior on our Fanpage.
    

4. Currently, the Controller’s Website uses redirections to the following social media platforms (Fanpages):
   • Facebook,
   • Instagram,
   • LinkedIn.
    

5. Upon liking the Controller’s post, leaving a comment, sending a private message, or subscribing to the channel, the Controller jointly with:
   • Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland,
   • LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland,
   becomes the Controller of your personal data shared on its Fanpage in the scope of data processing for statistical and advertising purposes.
    

6. In connection with the above, we encourage you to read the privacy policy of:

• Facebook – https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0

• LinkedIn – https://pl.linkedin.com/legal/privacy-polic

• ​Instagram – https://privacycenter.instagram.com/policy/

IV. Sharing of Personal Data with Third Parties
 

1. The Controller may share Users’ Personal Data:
   a. with entities entrusted with data processing, e.g. providers of technical services or entities providing advisory services,
   b. with other controllers if required by law or in good faith that such action is necessary to comply with applicable legal provisions, in particular in response to a court request or requests from state authorities.
    

2. If we engage a third party to process Users’ Personal Data, pursuant to a data processing agreement concluded with such an entity, the Processor shall be obliged to:
   a. Process only the Personal Data indicated in prior written instructions of the Controller; and
   b. apply all measures to protect the confidentiality and security of the Personal Data and ensure compliance with all other requirements of generally applicable law.
    

3. Due to the use of services provided by Facebook, Instagram or LinkedIn, data may be transferred by these entities to third countries – the United States of America (USA) in connection with their internal data sharing, e.g. with Facebook - Meta Platforms Inc., LinkedIn Corporation, X Corp., Google LLC (USA) or Beijing ByteDance Technology Co Ltd. (China), which remains beyond the Controller’s influence.

​V. Services of Third Parties
 

1. The Website may contain features or links redirecting to websites and services provided by third parties that are not managed by us. The information you provide on such websites or services shall be subject to their own privacy policies and data processing procedures.
    

2. The Controller shall not be held responsible for processing procedures applied by independent Controllers of websites and service providers.
    

3. We encourage you to review the privacy and security policies of third parties before providing them with any information.
    

VI. Data Protection
​

1. The Controller informs that appropriate technical and organisational measures have been implemented to protect Personal Data, particularly including safeguards against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access and other unlawful and unauthorised forms of Processing, in accordance with applicable law.
    

2. The Controller shall not be held responsible for the acts or omissions of Users. Users are responsible for ensuring that all Personal Data is transmitted to the Controller in a secure manner.
    

3. Personal Data shall not be subject to automated profiling, i.e. automated decision-making concerning the User, meaning decisions taken by technical means without human involvement, producing legal effects with respect to the profiled person or otherwise significantly affecting such person.
    

VII. Data Accuracy
​

1. The Controller shall take all reasonable measures to ensure that:
   a. the Personal Data of Users processed by the Controller is accurate and, where necessary, kept up to date;
   b. any Personal Data of Users processed by the Controller that is inaccurate (having regard to the purposes for which it is processed) is erased or rectified without undue delay.
    

2. The Controller may, at any time, ask Users to confirm the accuracy of the Personal Data being Processed.

​VIII. Data Minimisation
 

1. The Controller shall take all reasonable measures to ensure that the scope of Users’ Personal Data being Processed is limited to the Personal Data that is adequately required for the purposes set out in this Policy.

​IX. International Data Transfers
 

1. Personal Data may be shared and processed outside the European Economic Area (the European Economic Area consists of the European Union as well as Iceland, Liechtenstein and Norway, collectively the "EEA"). If Personal Data is transferred outside the EEA, the Controller shall require appropriate safeguards. The Controller shall fulfil its obligations under Chapter V of the GDPR to ensure the legality of such processing.

​X. Personal Data Retention Period
 

1. The criteria determining the duration of the period during which the Controller retains Users’ Personal Data are as follows: The Controller retains Users’ Personal Data in a form allowing identification only for as long as is necessary to achieve the purposes set out in this Policy, unless the provisions of generally applicable law require a longer data retention period. The Controller may, in particular, retain Users’ Personal Data for the entire period necessary to establish, exercise or defend legal claims (statute of limitations in accordance with Article 118 of the Civil Code).
    

2. Personal Data is retained:

a. for a period of 30 days from the moment of contact (phone, email from the website); Personal Data may be processed for a longer period if, as a result of the inquiry sent, the User decides to use the Controller's services (Account on the Website, conclusion of a contract);
b. in the event of using our services (Account on the Website, conclusion of a contract), for the duration of contract performance and for the period necessary to handle submitted complaints, until the resolution of any disputes and settlement of parties, taking into account relevant limitation periods for claims;
c. for the Controller's internal purposes where the legal basis for processing is the Controller’s legitimate interest, Personal Data will be retained until the legally justified interests of the Controller forming the basis for data processing are fulfilled or until an objection to such processing is submitted, following a proper assessment by the Controller of the User’s interest and the Controller’s processing grounds;
d. in the case of data processed on our Fanpage, until the moment of opting out from further following/commenting on our Fanpage, e.g. by clicking “dislike”, withdrawing a like of a post or removing a comment to a post, or cancelling the Subscription.

XI. Users’ Rights
 

1. In connection with the processing of personal data, you are entitled to the following rights:
   a. Right of access to processed personal data – on this basis, the Controller, upon request of the data subject, provides information on the processing of their personal data, including in particular the purposes and legal grounds for processing, the scope of held data, the entities to whom personal data is disclosed, and the planned date of their deletion. As part of the right of access, the data subject may also request information on whether their data has been shared and whether it is subject to profiling or automated decision-making. The data subject also has the right to obtain a copy of their data.
   b. Right to rectification of data – on this basis, the Controller, upon request of the data subject, removes any inconsistencies or errors in the processed personal data and supplements or updates it if it is incomplete or has changed.
   c. Right to erasure of data – on this basis, the Controller, at the request of the data subject, deletes data which is no longer necessary for any of the purposes for which it was collected, the consent for its processing has been withdrawn, or an objection has been submitted, and it is not required for the establishment, exercise or defence of the Controller’s legal claims.
   d. Right to restriction and data portability – on this basis, the Controller, at the request of the data subject, ceases to perform operations on the personal data within the legally permitted scope and also provides that personal data in a format readable by a computer.
   e. Right to lodge a complaint – by exercising this right, a person who believes that their personal data is being processed unlawfully may lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).
   f. Right to object – the data subject may at any time object to the processing of personal data for purposes for which the data was collected and is being processed. In particular, if personal data is being processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing purposes.
   g. Right to withdraw consent – if personal data is being processed on the basis of consent, the data subject may withdraw such consent at any time. The withdrawal of consent does not render the processing that took place before the withdrawal unlawful; however, it means that the personal data will no longer be used for those purposes from the moment consent is withdrawn.
    

2. A request to exercise the rights described above may be submitted by traditional mail to the address of the Controller’s registered office or via email: iod@spoco.co
    

The request should, if possible, precisely indicate the subject matter of the request, in particular the recipient of the request and the right which the requesting person intends to exercise. If the Controller is unable to determine the content of the request or identify the requester based on the submitted application, the Controller shall ask the applicant for additional information.

XII. Cookies
​

1. During the User’s use of the Website, data concerning the User is automatically collected. Such data may include:
   a. IP address,
   b. domain name,
   c. type of browser,
   d. type of operating system.
    

2. This data may be collected through:
   a. cookies,
   b. the Google Analytics system,
   c. Pixel services,
   d. and may be stored in server logs.
    

3. A cookie is a small text file stored by a browser on your computer's hard drive or on your smartphone’s memory card. During subsequent visits to the website, information stored in the cookie is sent back to the Website. This allows the Website to recognise you and adjust the content to your needs.
    

4. In order to improve our Website, provide the most relevant content, and analyse how Users use our Website, we may use cookies.
    

5. We may process the data contained in cookies for the purposes of:
   a. personalising the Website, remembering information about the User so that they do not have to re-enter this information during subsequent visits;
   b. delivering advertisements, content, and information tailored to the User;
   c. monitoring aggregated website usage metrics, such as the total number of visitors and pages viewed.
    

6. We use the following types of cookies:
   a. Essential
   Essential cookies are necessary for the proper functioning of the Website. They enable basic functions such as security, network management, and accessibility. Without these cookies, some parts of the website may not function properly.
   b. Functional
   Functional cookies enhance the User experience by remembering preferences and settings. They allow websites to offer personalised features and services, such as remembering login data or language preferences.
   c. Analytics
   Analytical cookies help website owners understand how visitors interact with their websites by collecting and reporting information anonymously. These cookies track metrics such as page views, time spent on pages, and user behaviour, which may be used to improve website performance.
   d. Advertising
   Advertising cookies are used to display relevant advertisements to users. They track browsing habits and activity across websites to create a profile of the user’s interests. This helps advertisers display targeted ads more likely to be of interest to the user.
    

7. We hereby inform you that lack of consent, deletion, blocking, or restriction of the placement of cookies may cause difficulties or even prevent the use of the Website.