← Back to homepage

Privacy Policy

Version: v.13 | In force since: 2026-06-08

This Policy explains what data we collect through the Administrator's websites (incl. crmdlakazdego.pl and mojbni.pl), for what purpose, on what legal basis, to whom we transfer it and what rights you have. It is supplemented by the Terms of Service.

Privacy Policy of the websites operated by the Administrator — in particular www.crmdlakazdego.pl together with its subpages and subdomains *.crmdlakazdego.pl, as well as mojbni.pl.

Glossary

For the purposes of this Policy, the following terms have the meanings set out below:

  1. Website — the websites operated by the Administrator, in particular crmdlakazdego.pl together with all its subpages and subdomains (incl. ad.crmdlakazdego.pl, basic.crmdlakazdego.pl, sms.crmdlakazdego.pl) and mojbni.pl.
  2. User — any natural person using the Website, contacting the Administrator via forms, e-mail, SMS, Facebook Messenger, WhatsApp, or by completing a Meta advertising form.
  3. Personal data — information enabling the identification of a natural person (in particular: first name, surname, e-mail address, phone number, company name, tax ID (NIP)).
  4. Processing — any operation performed on personal data (collection, storage, modification, sharing, deletion).
  5. GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

§ 1 General provisions — Data Controller

The controller of personal data collected via the Website (as defined in the Glossary, in particular crmdlakazdego.pl with its subdomains *.crmdlakazdego.pl and mojbni.pl) is:

CRMDLAKAŻDEGO.PL SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Międzyrzecze Górne, Międzyrzecze Górne 552, 43-392 Międzyrzecze Górne, Poland, entered in the Register of Entrepreneurs of the National Court Register (KRS) under no. 0000646936, whose registration files are kept by the DISTRICT COURT IN BIELSKO-BIAŁA, 8th COMMERCIAL DIVISION OF THE NATIONAL COURT REGISTER, holding tax ID (NIP): 9372687179, REGON: 365857551, share capital PLN 6,250.00 (paid up in full), e-mail address: biuro@crmdlakazdego.pl, phone number: +48 660 563 040 (the „Administrator").

Contact person on the Administrator's side for matters relating to personal data protection: Artur Osiński (e-mail: biuro@crmdlakazdego.pl).

The Administrator has not appointed a Data Protection Officer. For all matters relating to personal data protection, please contact us directly at biuro@crmdlakazdego.pl.

Personal data collected by the Administrator via the Website is processed in accordance with the GDPR and with the provisions of the Polish Act of 10 May 2018 on the protection of personal data and the Polish Act of 18 July 2002 on providing services by electronic means.

§ 2 Type of personal data processed, purpose and scope of data collection

Purpose of processing and legal basis. The Administrator processes Users' personal data for the following purposes:

  1. where a contact form or e-mail is submitted — to respond to the enquiry and handle business correspondence, on the basis of Art. 6(1)(f) GDPR (the Administrator's legitimate interest in handling enquiries from persons interested in the offer);
  2. where the User subscribes to the Newsletter or grants marketing consent — to send commercial information by electronic means, on the basis of Art. 6(1)(a) GDPR (User's consent) and Art. 10(2) of the Polish Act of 18 July 2002 on providing services by electronic means;
  3. where consent to analytics cookies is given — to analyse Website traffic using Google Analytics 4, on the basis of Art. 6(1)(a) GDPR (User's consent) in conjunction with Art. 173 of the Polish Act of 16 July 2004 — Telecommunications Law;
  4. where consent to marketing cookies is given — to measure the effectiveness of advertising campaigns and carry out remarketing using the Meta Pixel, on the basis of Art. 6(1)(a) GDPR (User's consent);
  5. where a Meta advertising form (Facebook / Instagram Lead Ads) is submitted — to respond to the enquiry, present a commercial offer and make return contact, on the basis of Art. 6(1)(b) GDPR (taking steps at the request of the data subject prior to entering into a contract);
  6. where contact is made with the Administrator via Facebook Messenger (including through a link from Google Ads) — to respond to the enquiry and handle business conversation, on the basis of Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR (the Administrator's legitimate interest in serving potential clients);
  7. to ensure the security of the Website, defend against and pursue claims, and keep internal statistics — on the basis of Art. 6(1)(f) GDPR (the Administrator's legitimate interest).

Detailed rules for processing data in connection with Meta advertising are set out in § 9 of this Policy.

Type of personal data processed:

  • Newsletter and contact form — first name and surname, e-mail address, phone number (optional), company name (optional), content of the enquiry.
  • Meta advertising form (Lead Ads) — first name and surname, e-mail address, phone number, town, company name, and other fields completed by the User in the advertising form (the scope depends on the specific campaign and is visible to the User in the form before submission). The Administrator also receives from Meta technical lead metadata: lead ID, campaign ID, ad set ID, and the date and time the form was completed.
  • Facebook Messenger — publicly available data from the User's Facebook profile (first name, surname, profile picture), message content together with any attachments (photos, files, location), the User's identifier limited to the Administrator's page (so-called Page-Scoped ID), message dates and times, as well as contact details the User voluntarily shares in the conversation (e-mail, phone number, company tax ID, etc.).
  • Technical data (pseudonymous) — IP address (anonymised), device and browser type, operating system, how the Website is used (analytics and marketing cookies — after consent is given).

Data retention period. Users' personal data is stored by the Administrator:

  • in the case of handling enquiries from the contact form or e-mail — for the time necessary to handle the enquiry, no longer than 3 years from the last contact;
  • where the basis for processing is the performance of a contract — for as long as necessary to perform the contract and, thereafter, for a period corresponding to the limitation period for claims (as a rule 3 or 10 years, in accordance with the provisions of the Polish Civil Code);
  • where the basis for processing is consent (newsletter, marketing) — until the User withdraws consent;
  • leads from Meta advertising forms (Lead Ads) — in an intermediate spreadsheet (Google Sheets) for a maximum of 6 months from acquisition, and in the Administrator's internal system (CRM) — until consent is withdrawn or deletion is requested, subject to the obligation to retain accounting documentation where the contact resulted in a contract;
  • Facebook Messenger messages — in Meta's infrastructure in accordance with that provider's policy; a copy of the conversation in the Administrator's systems is created only after the contact is qualified as a potential client and is retained analogously to contact form data;
  • technical processing logs (incl. n8n, Meta webhook) — a maximum of 30 days, after which they are deleted automatically;
  • data processed on the basis of the Administrator's legitimate interest — for the time necessary to achieve the purpose, no longer than the limitation periods for claims.

While using the Website, additional information may be collected, in particular: the IP address assigned to the User's computer or the external IP address of the internet provider, domain name, browser type, access time, operating system type. The legal basis is the Administrator's legitimate interest (Art. 6(1)(f) GDPR) in ensuring the security and proper functioning of the Website.

§ 3 Sharing of personal data

Users' personal data is transferred to service providers used by the Administrator in operating the Website and in handling advertising and communication channels. Depending on the contractual arrangements and circumstances, the service providers to whom data is transferred either act on the Administrator's instructions as to the purposes and means of processing (processors — under a data processing agreement, Art. 28 GDPR) or independently determine the purposes and means of processing (controllers).

The main service providers to whom the Administrator transfers or entrusts personal data are:

  • providers of hosting infrastructure and backups — operating within the European Economic Area; off-site backups are additionally encrypted before transfer;
  • providers of transactional e-mail and e-mail notifications — including providers established in the United States of America, to whom data is transferred on the basis of the standard contractual clauses approved by the European Commission (SCC 2021/914);
  • Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) and Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) — operator of Google Analytics 4, Google Tag Manager and Google Sheets, used as intermediate storage for leads from Meta advertising before they are moved to the Administrator's CRM system;
  • Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) and Meta Platforms, Inc. (1601 Willow Road, Menlo Park, CA 94025, USA) — operator of the Facebook, Instagram and Messenger platforms, through which the Administrator runs Lead Ads and handles enquiries via the Messenger communicator;
  • providers of technical monitoring and application error handling services — including providers established in the United States of America, to whom data is transferred on the basis of the standard contractual clauses approved by the European Commission (SCC 2021/914);
  • providers of artificial intelligence tools, to the extent and on the terms described in § 8 of this Policy.

Transfer of data outside the European Economic Area (EEA). Some processing operations carried out by the providers indicated above may take place on servers located in the United States of America. The legal basis for such transfer is:

  • in the case of Google LLC — participation in the EU-US Data Privacy Framework (certification valid as at the effective date of this Policy);
  • in the case of Meta Platforms, Inc. — participation in the EU-US Data Privacy Framework (certification valid as at the effective date of this Policy);
  • in the case of transactional e-mail providers and technical monitoring providers established in the United States — the standard contractual clauses approved by the European Commission (SCC 2021/914);
  • in the case of the artificial intelligence tool providers indicated in § 8 — the standard contractual clauses approved by the European Commission (where a given provider does not participate in the EU-US Data Privacy Framework).

Apart from the cases described above, Users' personal data is stored exclusively within the European Economic Area (EEA). For the Google Analytics 4 service, data is additionally anonymised (the anonymize_ip option is enabled) before being transferred to Google.

§ 4 Right of control, access to one's own data and rectification

The data subject has the right to access their personal data and the right to rectify, erase, restrict processing, the right to data portability, the right to object, and the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.

Legal bases for the User's request:

  • access to data — Art. 15 GDPR;
  • rectification of data — Art. 16 GDPR;
  • erasure of data (the „right to be forgotten") — Art. 17 GDPR;
  • restriction of processing — Art. 18 GDPR;
  • data portability — Art. 20 GDPR;
  • objection — Art. 21 GDPR;
  • withdrawal of consent — Art. 7(3) GDPR.

How rights can be exercised:

For general requests concerning personal data (access, rectification, erasure of all data, restriction of processing, portability, objection, withdrawal of consent) — send an e-mail to: biuro@crmdlakazdego.pl.

For a request to cease electronic contact (newsletter, commercial messages sent by e-mail, SMS, Facebook Messenger or WhatsApp) — depending on the channel:

  • e-mail: reply with the word STOP or REZYGNUJĘ (I OPT OUT), addressing the reply to biuro@crmdlakazdego.pl (regardless of the sender address from which the User received the message);
  • SMS: send a reply message containing STOP or REZYGNUJĘ to the Administrator's contact number provided in the SMS received; if no contact number was provided in the message — to +48 660 563 040;
  • Facebook Messenger or WhatsApp: reply with the word STOP or REZYGNUJĘ in the given conversation.

For a request to erase data acquired in connection with Meta advertising (Lead Ads on Facebook / Instagram or communication via Messenger) — in the manner described in detail in § 10 of this Policy.

The Administrator fulfils the request or refuses to fulfil it without undue delay, and no later than within 30 days of receiving it. If it is found that the processing of personal data infringes the GDPR, the data subject has the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl).

§ 5 Cookies and tracking technologies

The Website uses cookies — small text files saved on the User's end device while using the Website — in order to ensure the proper operation of the Website (necessary cookies), to support functions such as form validation (functional cookies), to analyse traffic and User behaviour (analytics cookies), and to measure the effectiveness of advertising and run remarketing campaigns (marketing cookies).

The identifiers of analytics and marketing tools (incl. the Google Analytics 4 Measurement ID and the Meta Pixel identifier) are configured separately for each website operated by the Administrator. The specific identifier used on a given website is provided by the Administrator on request, sent to biuro@crmdlakazdego.pl.

Categories of cookies used on the Website:

  • Necessary — User session, cookie consent preferences, CSRF token. Used without the User's consent on the basis of the Administrator's legitimate interest (Art. 6(1)(f) GDPR); the Website does not work without them.
  • Functional — handling of the contact form (anti-spam token, validation). Enabled by default, with the option to disable them in the consent manager.
  • Analytics — Google Analytics 4, help to understand how the Website is used. User's consent required, disabled by default.
  • Marketing — Meta Pixel (Facebook Pixel), used to measure the effectiveness of advertising campaigns and for remarketing. User's consent required, disabled by default.

Cookie consent manager — Klaro. The Website uses the Klaro cookie consent manager (open-source, self-hosted). At any time the User may change their preferences by clicking „Cookie settings" in the page footer — this opens the Klaro modal, where individual cookie categories can be enabled or disabled.

Analytics cookies — Google Analytics 4 (GA4). The Administrator uses Google Analytics 4 to collect information about how the Website is used, including browser type, visit duration, links clicked and pages visited by the User. This data is used to create statistics and analyses that help optimise the Website.

Google Tag Manager (GTM). The Administrator uses Google Tag Manager (operator: Google Ireland Limited and Google LLC) to manage tags and tracking scripts embedded in the Website. GTM itself does not collect Users' personal data — it only acts as a container for other tools (incl. Google Analytics 4 and the Meta Pixel), which are launched in accordance with the consents granted by the User through the Consent Mode v2 mechanism.

Marketing cookies — Meta Pixel (Facebook Pixel). The Administrator uses the Meta Pixel provided by Meta Platforms Ireland Limited and Meta Platforms, Inc. in order to:

  • measure the effectiveness of ads run on Facebook and Instagram (conversions, events such as „Lead", „PageView", „ViewContent");
  • create custom audiences for remarketing;
  • create lookalike audiences based on Users' behaviour on the Website.

The Meta Pixel collects technical information (incl. IP address, device identifier, browser and operating system information, data about subpages viewed, events such as button clicks) and — only if the User is recognised as logged in to Meta — may be linked to their Facebook or Instagram profile. Legal basis: Art. 6(1)(a) GDPR (User's consent given in the cookie banner).

Joint controllership: with regard to measuring advertising effectiveness, the Administrator and Meta Platforms Ireland Limited act as joint controllers within the meaning of Art. 26 GDPR, on the terms set out in the Controller Addendum published by Meta at facebook.com/legal/controller_addendum. The remaining scope of data processing on Meta's side (incl. creating audiences) is carried out on the terms set out in Meta's Privacy Policy.

Consent mechanism (Consent Mode v2). In accordance with the GDPR and the Telecommunications Law, analytics and marketing cookies are disabled by default (the analytics_storage, ad_storage, ad_user_data and ad_personalization signals are set to denied). Google Analytics 4, the Meta Pixel and other tracking tools do not collect data or record events until the User gives active consent (opt-in) by clicking the „Accept all" button in the cookie banner. Rejecting cookies or making no choice means that analytics and marketing data is not collected.

IP anonymisation. Where consent is given, Users' IP addresses are anonymised before being transferred to Google.

Cookie data retention period. Data collected via analytics cookies is stored by Google for up to 14 months (in line with the default GA4 settings). The User's consent choice is stored locally in the browser. If accepted — the choice is permanent and the banner will not be shown again. If rejected — the choice expires after 6 months, after which the banner is shown again, giving the option to choose again.

The User has the right to manage their cookie consent at any time. This is possible in several ways:

  • Cookie banner — displayed on the first visit to the Website. The User may accept all cookies or choose only the necessary ones.
  • Privacy settings panel — available in the Website footer (the „Cookie settings" link) — opens the Klaro consent manager modal, allowing granular enabling / disabling of individual categories.
  • Browser settings — the User may delete or block cookies using their web browser settings.

Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

Note: rejecting analytics or marketing cookies, or giving no consent, means that the Administrator does not collect or process data using Google Analytics, the Meta Pixel or other tracking tools that require consent.

§ 7 Data security and final provisions

The Administrator applies technical and organisational measures ensuring the protection of the personal data processed, appropriate to the risks and the categories of data protected, and in particular safeguards the data against being made available to unauthorised persons, taken by an unauthorised person, processed in breach of applicable law, and against alteration, loss, damage or destruction.

The technical measures applied by the Administrator include in particular:

  • encryption of HTTPS connections (TLS 1.2 or newer) on all subpages of the Website;
  • encryption of off-site backups using GPG before they are transferred to external entities;
  • two-factor authentication (2FA) for persons with access to the admin panel and to the Administrator's internal systems;
  • security monitoring and application error handling (incl. Sentry, Better Stack) with event logging;
  • regular updates of server and application software;
  • restriction of access to personal data solely to authorised members of the Administrator's team.

The Administrator provides appropriate technical measures preventing unauthorised persons from obtaining and modifying personal data transmitted electronically.

In matters not regulated by this Privacy Policy, the provisions of the GDPR, the Polish Act of 10 May 2018 on the protection of personal data, the Polish Act of 18 July 2002 on providing services by electronic means, and other relevant provisions of Polish law apply accordingly.

§ 8 Processing of data using artificial intelligence (AI) tools

The Administrator informs that, as part of serving Website Users — in particular in analysing enquiries from the contact form, business correspondence, team work planning, archiving meeting notes and operational support — tools based on artificial intelligence are used (language models such as Claude by Anthropic, Google Gemini, or equivalent tools).

Users' personal data (within the scope set out in § 2: first name and surname, e-mail address, phone number, content of the enquiry) may be processed for this purpose by AI service providers — exclusively within the European Union / European Economic Area, or on the basis of the standard contractual clauses approved by the European Commission in the case of a transfer outside the EU/EEA.

The Administrator maintains the confidentiality of this data and applies pseudonymisation where operationally possible.

The artificial intelligence tools used by the Administrator are not used for automated decision-making producing effects on the User's situation that is based solely on automated processing (within the meaning of Art. 22 GDPR).

§ 9 Processing of data in connection with Meta advertising (Lead Ads and Messenger)

The Administrator carries out advertising activity on the Facebook and Instagram platforms (operator: Meta Platforms Ireland Limited and Meta Platforms, Inc., hereinafter „Meta") and receives, through them, enquiries from persons interested in the Administrator's offer. This section explains what data is processed in this connection and on what terms.

9.1. Meta Lead Ads advertising forms.

  1. Ads run on Facebook and Instagram contain a built-in contact form (Lead Ad) which the User completes directly within the Meta app. The completed data is then transferred to the Administrator via Meta's programming interface (Marketing API, leadgen event).
  2. The scope of data collected by the advertising form includes at least the first name and surname, e-mail address and phone number. Depending on the campaign, the form may contain additional fields, the full list of which is visible to the User in the form before submission (incl. town, company name, industry, open questions). The Administrator also receives from Meta technical lead metadata: lead ID, campaign ID, ad set ID, and the date and time the form was completed.
  3. After data is received from Meta, it is temporarily saved in an intermediate spreadsheet (Google Sheets) as an operational buffer before being moved to the Administrator's CRM system. The intermediate spreadsheet is not shared with third parties and is accessible only to authorised members of the Administrator's team. The maximum retention period of data in the intermediate spreadsheet is 6 months.
  4. After the data is moved to the Administrator's CRM system, it is processed under the rules described in § 2 (purpose: handling the enquiry and business contact) and § 4 (User's rights).
  5. The legal basis for processing data collected via the Lead Ad form is Art. 6(1)(b) GDPR — taking steps at the request of the data subject prior to entering into a contract.

9.2. Communication via Facebook Messenger.

  1. The Administrator runs an official Facebook page at facebook.com/crmdlakazdego (public page identifier: 1850174928623460). This page has its own Messenger communicator, to which Users can write directly from Facebook or via the link m.me/1850174928623460 — in particular after clicking an ad in Google Ads search results or in the Administrator's other campaigns. The link to Messenger may contain an additional parameter (e.g. ?ref=campaign-identifier), which the Administrator uses solely to assess advertising campaign effectiveness; this parameter is saved together with the conversation metadata.
  2. Upon starting a conversation, the Administrator receives from Meta: publicly available data from the User's Facebook profile (first name, surname, profile picture); the User's identifier limited to the Administrator's page (so-called Page-Scoped ID — a non-universal identifier that cannot be associated with another fan page); the content of all messages exchanged in the conversation together with any attachments (photos, files, location); message dates and times; contact details (e-mail, phone number, tax ID, other) which the User voluntarily shares in the conversation.
  3. The conversation content is stored in Meta's infrastructure in accordance with that provider's policy. The Administrator creates a copy of the conversation in its systems (CRM) only upon qualifying the contact as a potential business client.
  4. The legal basis for processing data from Messenger conversations is Art. 6(1)(b) GDPR (steps prior to entering into a contract) and Art. 6(1)(f) GDPR (the Administrator's legitimate interest in serving potential clients).

9.3. Data transfer to the USA. Data transferred by Meta to the Administrator's infrastructure under Lead Ads and Messenger may, during processing on Meta's side, be located in the United States of America. The legal basis for such transfer is the participation of Meta Platforms, Inc. in the EU-US Data Privacy Framework (certification valid as at the effective date of this Policy), as also referred to in § 3 of this Policy.

9.4. Erasure of data acquired from Meta advertising. The manner of fulfilling a request to erase data acquired in connection with Meta advertising (Lead Ads, Messenger) is described in detail in § 10 of this Policy.

§ 10 Erasure of data acquired in connection with Meta advertising

This section describes how a request is fulfilled to erase personal data that the Administrator acquired in connection with ads run on Meta platforms (Facebook, Instagram) — in particular as a result of completing a Lead Ad form or as a result of a conversation in the Messenger communicator.

10.1. How to submit a request. To request the erasure of your personal data acquired by the Administrator in connection with Meta advertising, send an e-mail to: biuro@crmdlakazdego.pl, putting the phrase „Meta data erasure" in the subject line. In the message, please provide data enabling the unambiguous identification of the person to whom the request relates:

  • the e-mail address or phone number with which the requesting person contacted the Administrator (e.g. data provided in the Lead Ad form or shared in the Messenger conversation);
  • optionally: the Messenger conversation identifier, the approximate date of contact, or the name of the advertising campaign from which the contact originated.

10.2. Time of fulfilment. The Administrator erases the personal data covered by the request from its systems (including the CRM system and the intermediate Google Sheets spreadsheet) within no more than 14 business days of receiving the request. After erasure, the Administrator confirms the fact of data erasure by a return e-mail.

10.3. Reservations. The following may be excluded from data erasure:

  • data whose retention is required by law (in particular by accounting regulations concerning accounting documentation, where the contact resulted in a contract and the issuance of an invoice);
  • data necessary to establish, pursue or defend the Administrator's claims (until the limitation period expires).

Data not subject to the exclusions described above is erased in full.

10.4. Data stored by Meta. The Administrator erases data only from its own systems. Data stored independently on Meta's side (the content of Messenger conversations in the Meta app, lead data in the Meta Ads Manager panel) is subject to erasure in accordance with Meta's separate privacy policy and procedures, available at facebook.com/privacy/policy. To erase data from Meta's systems, the User should use the privacy settings of their Facebook / Instagram account or contact Meta directly.

10.5. The Administrator's full contact details are set out in § 1 of this Policy.

§ 11 Entry into force

This Privacy Policy, in its current wording, is in force as of 2026-06-08.

The Administrator reserves the right to make changes to the Privacy Policy. Users will be informed of material changes by a notice on the Administrator's Website and, where appropriate, also by electronic means.