GDPR Policy

Effective Date: 20 October 2025

1. Data Controller Information

2. Legal Bases for Processing (Art. 6 GDPR)

We process personal data on the basis of:

• Art. 6(1)(a) GDPR – Consent of the data subject (contact forms, newsletters)
• Art. 6(1)(b) GDPR – Necessity for contract performance or pre-contractual measures (business inquiries)
• Art. 6(1)(c) GDPR – Compliance with legal obligation (tax, commercial, accounting law)
• Art. 6(1)(f) GDPR – Legitimate interests (website security, fraud prevention)

3. Legitimate Interests (Art. 6(1)(f) GDPR)

Our legitimate interests in processing include:

• Website security and protection against cyberattacks
• Detection and prevention of fraud and abuse
• Analysis and improvement of website functionality
• Monitoring and logging access for security purposes

Note: Your rights may limit our interests. Please contact us if you object.

4. Categories of Personal Data

Category	Examples	Source
Identification data	First name, last name, job title	Contact form
Contact data	Email, phone, company name	Form, correspondence
Communication data	Message content, subject	Form, email
Technical data	IP address, user-agent, access logs	Server, website
Location data	Approximate location from IP	IP analysis (optional)

5. Data Processors and Recipients

5.1. Data Processors (Art. 28 GDPR)

• Hosting Provider: OVH (European data centers)
• Email Provider: SMTP provider (custom configuration)
• CAPTCHA Provider: Cloudflare (form security)
• Maps Provider: OpenStreetMap / Nominatim (address geocoding)

5.2. Data Recipients

Data may be shared with:

• KERAN CONSULTING employees authorized to access
• Service providers under data processing agreements (DPA)
• Public authorities when required by law (prosecutors, police, tax authorities)
• Other recipients only with consent or legal requirement

6. Data Retention Period (Art. 17 GDPR)

Data Type	Retention Period	Justification
Contact form data	3 years	Tax & commercial law requirements
Marketing data	Until consent withdrawal	Basis: GDPR consent
Technical logs (IP, access)	Up to 12 months	Security & diagnostics
Error and anomaly logs	Up to 6 months	Security monitoring
Session cookies	End of session	Website functionality

7. Rights of Data Subjects

7.1. Right of Access (Art. 15 GDPR)

You have the right to request access to your personal data. We must: (a) confirm processing, (b) provide a copy of data, (c) explain purposes and bases, (d) identify recipients.

7.2. Right to Rectification (Art. 16 GDPR)

You may request correction of inaccurate, incomplete, or incorrect data without undue delay.

7.3. Right to Erasure – Right to Be Forgotten (Art. 17 GDPR)

You may request deletion of data if:

• Data are no longer necessary for the processing purpose
• You withdraw consent (if consent was the only basis)
• You object to processing
• Data were processed unlawfully
• Legal obligation to delete exists

Exceptions: We cannot delete data if processing is required for archival, statistical, or scientific purposes, or if a legal obligation to retain exists (tax, accounting).

7.4. Right to Restrict Processing (Art. 18 GDPR)

You may request restriction (suspension) of processing if:

• You contest the accuracy of data
• Processing is unlawful but you don't want deletion
• Data are no longer needed but you need them for legal claims
• You object but our interests may prevail

7.5. Right to Data Portability (Art. 20 GDPR)

You may request data in a structured, widely-used, machine-readable format (e.g., CSV) for transfer to another controller.

7.6. Right to Object (Art. 21 GDPR)

You may object to processing based on Art. 6(1)(f) (legitimate interests) and Art. 6(1)(e) (public task). After objection, we stop processing unless we have compelling reasons.

7.7. Right to Withdraw Consent (Art. 7(3) GDPR)

If processing is based on consent, you may withdraw it at any time. This does not affect processing before withdrawal.

7.8. Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR)

We do not make decisions based solely on automated processing that significantly affects you. All decisions include human evaluation.

8. Exercising Rights – Procedure

To exercise your rights, contact us at:

• Email: dyro@romanowski.com.pl
• Mail: ul. Pieczyska 5A, 05-651 Chynów, Poland

Your request should include:

• Clear specification of the right you're exercising
• Identification data (name, email, phone)
• Copy of valid ID (for verification)

Response timeframe: 30 days from receipt (extendable by 60 days).

9. Automated Decision-Making and Profiling

This website does not use automated decision-making or profiling. All decisions affecting you are made by humans.

10. Data Breaches (Art. 33-34 GDPR)

In case of data breach (unauthorized access, data loss):

• We will notify the competent authority without undue delay (if high risk)
• We will notify affected individuals
• We will publish breach information on this website or via email

11. International Data Transfers (Art. 44-49 GDPR)

Data are stored in Poland and the EU. For transfers outside EU/EEA:

• We use Standard Contractual Clauses (SCC)
• We ensure protection equivalent to GDPR

12. Commercial Use of Data

We do not sell or share personal data for financial gain. Data are not subject to commercial trading.

13. Contact and Complaints

13.1. KERAN CONSULTING Contact

• Email: dyro@romanowski.com.pl
• Phone: +48 601 267 270
• Address: ul. Pieczyska 5A, 05-651 Chynów, Poland

13.2. Supervisory Authority (EU Member State DPA)

For Poland – Polish Data Protection Authority (UODO)

• Address: ul. Stawki 2, 00-193 Warsaw, Poland
• Email: kancelaria@uodo.gov.pl
• Website: https://uodo.gov.pl
• Complaint form: https://uodo.gov.pl/skargi-i-wnioski

14. Changes to This Policy

We reserve the right to modify this policy. The new version will be published on this page with an effective date. Material changes will be announced on the homepage.

---

Last updated: 20 October 2025 | In accordance with GDPR (EU 2016/679) and applicable national data protection laws