This Privacy Policy describes how Kohowi, operating at 3 Maja 47, Poznań, Poland ("we," "us," or "the Controller"), collects, processes, stores, and protects personal data of individuals who visit or interact with the website kohowi.info. Processing of personal data is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation, "GDPR"), the Polish Act of 10 May 2018 on the Protection of Personal Data (Dz.U. 2018 poz. 1000), and any other applicable data protection legislation in force in the Republic of Poland.
The controller of personal data collected through the website kohowi.info is Kohowi, with its registered address at 3 Maja 47, Poznań, Poland. For all matters relating to personal data processing, the Controller can be contacted by email at [email protected] or by telephone at +48 736 882 226. The Controller has not designated a Data Protection Officer, as the nature and scale of processing does not trigger the mandatory appointment obligation under Article 37 of the GDPR. Any data protection enquiries should be directed to the contact details above.
The Controller collects personal data in the following categories: (a) identification data, including full name provided voluntarily through the contact form; (b) electronic contact data, including email address and telephone number; (c) communication content, being the content of any message submitted via the contact form; (d) technical data, including IP addresses, browser type and version, operating system, referring URLs, pages visited, and timestamps of access, collected automatically through server logs and analytics tools; and (e) cookie-related data, as further described in the Cookie Policy available at kohowi.info/cookies.html. The Controller does not collect sensitive personal data within the meaning of Article 9 of the GDPR, including health data, biometric data, or data revealing racial or ethnic origin.
Personal data is processed for the following purposes, each supported by a distinct legal basis under Article 6 of the GDPR:
3.1 Responding to contact enquiries. When a data subject submits a message through the contact form, the Controller processes the name, email address, telephone number, and message content for the purpose of responding to that enquiry. The legal basis is Article 6(1)(b) GDPR (processing necessary for the performance of pre-contractual measures taken at the request of the data subject) or, where no contractual relationship is contemplated, Article 6(1)(f) GDPR (legitimate interest in responding to incoming communications).
3.2 Website operation and security. Technical data collected automatically is processed to ensure the secure and functional operation of the website, to prevent fraudulent or abusive access, and to diagnose technical issues. The legal basis is Article 6(1)(f) GDPR (legitimate interest of the Controller in maintaining a secure and operational web presence).
3.3 Analytics and website improvement. Where the data subject has given consent through the cookie consent mechanism, anonymised or pseudonymised usage data may be processed to understand how visitors interact with the website and to improve its content and structure. The legal basis is Article 6(1)(a) GDPR (consent).
3.4 Legal compliance. Personal data may be retained or disclosed where required by applicable law, regulatory requirement, or lawful order of a competent authority. The legal basis is Article 6(1)(c) GDPR (legal obligation).
The Controller retains personal data only for the period necessary to fulfil the purpose for which it was collected, unless a longer retention period is required or permitted by law. Contact form submissions are retained for a period not exceeding 24 months from the date of last correspondence, after which they are securely deleted. Technical and server log data is retained for a period not exceeding 12 months. Data processed on the basis of consent is retained until the consent is withdrawn or, if not withdrawn, for the period specified in the relevant cookie category as described in the Cookie Policy. Where legal proceedings or regulatory investigations are ongoing or reasonably anticipated, data may be retained for the duration of those proceedings plus any applicable statutory limitation period.
The Controller does not sell personal data to third parties. Personal data may be disclosed to the following categories of recipients: (a) hosting and infrastructure providers who process data on behalf of the Controller under data processing agreements compliant with Article 28 of the GDPR; (b) email service providers used to manage and respond to contact enquiries; (c) analytics service providers, where consent has been given for analytics cookies; and (d) competent public authorities, courts, or regulatory bodies, where disclosure is required by applicable law. Where personal data is transferred to recipients located outside the European Economic Area, the Controller ensures that appropriate safeguards are in place as required by Chapter V of the GDPR, including standard contractual clauses adopted by the European Commission.
Data subjects whose personal data is processed by the Controller have the following rights under the GDPR, exercisable by contacting the Controller at [email protected]: (a) the right of access to personal data processed by the Controller (Article 15 GDPR); (b) the right to rectification of inaccurate or incomplete personal data (Article 16 GDPR); (c) the right to erasure of personal data in circumstances set out in Article 17 GDPR; (d) the right to restriction of processing in circumstances set out in Article 18 GDPR; (e) the right to data portability where processing is based on consent or contract and is carried out by automated means (Article 20 GDPR); (f) the right to object to processing based on legitimate interests (Article 21 GDPR); and (g) the right to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal (Article 7(3) GDPR). The Controller will respond to rights requests within one month of receipt, which may be extended by a further two months in cases of complexity or volume, with notification of the extension provided within the initial one-month period.
Data subjects who consider that the processing of their personal data infringes the GDPR have the right to lodge a complaint with a supervisory authority. In Poland, the competent supervisory authority is the President of the Personal Data Protection Office (Prezes Urzedu Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warsaw, Poland, website: uodo.gov.pl. Data subjects may also lodge a complaint with the supervisory authority of the EU member state in which they habitually reside or work, or in which the alleged infringement took place.
The Controller does not engage in automated decision-making, including profiling, that produces legal effects or similarly significantly affects data subjects within the meaning of Article 22 of the GDPR. Analytical processing of website usage data is carried out in aggregate form for the purpose of understanding general visitor behaviour and does not involve individual-level decisions that affect data subjects' rights or interests.
The Controller implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration, in accordance with Article 32 of the GDPR. These measures include, as appropriate: encrypted transmission of data via HTTPS, access controls limiting data access to authorised personnel, regular review of data processing practices, and contractual obligations imposed on data processors to maintain equivalent security standards. No method of electronic storage or transmission is entirely secure, and the Controller cannot guarantee absolute security; however, commercially reasonable efforts are made to protect personal data.
The Controller reserves the right to update this Privacy Policy at any time to reflect changes in applicable law, regulatory guidance, or data processing practices. The updated version will be published at kohowi.info/privacy.html with a revised "Last Updated" date. Where changes are material, the Controller will take reasonable steps to bring them to the attention of data subjects. Continued use of the website following publication of an updated Privacy Policy constitutes acknowledgement of the updated terms, to the extent permitted by applicable law.