GDPR Information Clause
Information on the processing of personal data in accordance with Art. 13 and 14 of Regulation (EU) 2016/679 (GDPR).
Basic Information
- CONTROLLER: SecureWarp Sp. z o.o. (KRS: 5342655540)
- CONTACT: office [at] securewarp.pl
- DATA PROTECTION OFFICER: Not appointed — the controller is directly accessible at the email address indicated above
- SUPERVISORY AUTHORITY: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl
Categories of Data Processed
Depending on the purpose of processing, SecureWarp may process the following categories of personal data:
- Identification data: first name, surname, job title, company name
- Contact data: email address, telephone number
- Communication data: content of email correspondence and contact form submissions
- Financial data: invoicing details (VAT number, address, company name) — for clients only
- Technical data: IP address, HTTP headers — processed by CDN infrastructure (Cloudflare)
SecureWarp does not process special categories of personal data (sensitive data) within the meaning of Art. 9 GDPR.
Purposes and Legal Bases for Processing
A. Clients and prospective clients (Art. 13 GDPR)
- Handling enquiries and correspondence — legal basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract) or Art. 6(1)(f) GDPR (legitimate interest)
- Performance of a cybersecurity services contract — legal basis: Art. 6(1)(b) GDPR (performance of a contract)
- Issuing invoices and accounting — legal basis: Art. 6(1)(c) GDPR (legal obligation — Accounting Act and tax regulations)
- Establishment and defence of legal claims — legal basis: Art. 6(1)(f) GDPR (legitimate interest)
B. Individuals contacting us via the contact form (Art. 13 GDPR)
- Responding to enquiries — legal basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract) or Art. 6(1)(f) GDPR (legitimate interest of the controller in providing a response)
C. Data obtained from public sources (Art. 14 GDPR)
As part of OSINT services, SecureWarp may process personal data obtained from public sources (LinkedIn, public registers, public domain records) exclusively at the instruction and on behalf of the client, acting as a data processor on the basis of a data processing agreement.
Retention Periods
- Email correspondence / contact form: up to 2 years from the last contact or until the purpose is fulfilled
- Contractual documentation: up to 5 years after the end of the contract
- Accounting documents: 5 years from the end of the tax year in which the invoice was issued
- Data for legal claims: until the expiry of the limitation period (up to 6 years)
Rights of Data Subjects
You have the following rights under the GDPR:
- Right of access (Art. 15 GDPR) — to obtain a copy of the data being processed and information about the processing
- Right to rectification (Art. 16 GDPR) — to request the correction of inaccurate or completion of incomplete data
- Right to erasure (Art. 17 GDPR) — to request the deletion of data in cases specified in the GDPR
- Right to restriction of processing (Art. 18 GDPR) — to request that processing be suspended in specified cases
- Right to data portability (Art. 20 GDPR) — to receive data in a structured format where processing is carried out automatically on the basis of consent or a contract
- Right to object (Art. 21 GDPR) — to object to processing based on legitimate interest or for direct marketing purposes
- Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, withdrawal does not affect the lawfulness of processing carried out before the withdrawal
Please address requests to exercise your rights to: office [at] securewarp.pl. A response will be provided without undue delay, and no later than 30 days from receipt of the request.
You also have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland) if you believe that the processing of your data infringes the GDPR.
Automated Decision-Making and Profiling
SecureWarp does not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
Voluntary Provision of Data
Providing personal data in the contact form is voluntary, but necessary in order to respond to your enquiry. Failure to provide the data makes it impossible to establish contact. For clients, the provision of data required for the performance of the contract and the issuance of invoices follows from legal or contractual requirements.