PRIVACY POLICY OF THE HRLEVELUP.PL WEBSITE
I. Principles of Personal Data Processing
By using our HRLEVELUP.PL website, available at https://hrlevelup.pl/ (hereinafter: “the Website”), you provide us with your personal data. This data is processed solely to the extent necessary for the proper functioning of the Website, to contact users, and to provide the services offered.
II. Data Controller
The controller of your personal data is HR LEVEL UP spółka z ograniczoną odpowiedzialnością (limited liability company) with its registered office in Warsaw, at: ul. Złota 59, 00-120 Warsaw, entered into the register of entrepreneurs of the National Court Register, maintained by the District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register under KRS number: 0000950443, NIP: 5252894229, REGON: 521142870, share capital: PLN 5,000.00. Data is processed in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and other applicable legal acts regarding personal data protection.
III. Contact for Data Protection Matters
If you have any questions regarding personal data processing or this Privacy Policy, you can contact us via:
– email address: joanna.chrobak@hrlevelup.pl
– correspondence address: ul. Złota 59, 00-120 Warsaw
– phone: +48 609 649 639
IV. Scope and Sources of Data
The scope of processed data depends on the purpose for which it was provided. Data may be provided to us directly by you, e.g., via a contact form, email, or CV submission. In such cases, we may process, among others, your first name, last name, email address, company name, position, and other voluntarily provided data.
When using the Website, data may also be collected automatically, such as IP address, browser type, operating system, visited subpages, date and time of visit, and other technical data. Providing personal data is voluntary but may be necessary for contact or service provision.
V. Data Protection and Security
Personal data is protected with the highest security standards. The Controller regularly analyzes risks and implements technical and organizational measures to ensure protection against unauthorized access, loss, or disclosure of data.
VI. Purposes and Legal Bases for Data Processing
Personal data is processed for the following purposes:
- Responding to inquiries and conducting correspondence – Art. 6(1)(f) GDPR. If you contact us, you provide us with your data (e.g., first name, last name, email, optionally also company and position). This data is necessary for us to respond to your message. This data is essential for us to present an offer and then prepare and conclude an agreement. The content of correspondence may be archived, and we cannot definitively state when it will be deleted. You have the right to request access to the history of correspondence you have had with us (if archived), as well as to request its deletion, unless its archiving is justified due to our overriding interests, e.g., defense against potential claims from your side.
- Preparation and execution of agreements – Art. 6(1)(b) GDPR. When you contact us to conclude an agreement, you provide us with your data necessary to prepare an offer and then negotiate and conclude the agreement. This data is essential for us to present an offer and then prepare and conclude an agreement. The content of correspondence may be archived, and we cannot definitively state when it will be deleted. You have the right to request access to the history of correspondence you have had with us (if archived), as well as to request its deletion, unless its archiving is justified due to our overriding interests, e.g., defense against potential claims from your side.
- Conducting marketing activities – Art. 6(1)(a) GDPR (with user consent). Your personal data may also be used by us to provide you with marketing content regarding the Website and our services via email. Such activities are undertaken by us only if you give your consent, which you can withdraw at any time.
- Analysis and optimization of Website operation – Art. 6(1)(f) GDPR. We collect anonymous information about the use of the Website to better adapt its operation to user needs. This data helps us improve functionality, effectiveness, and user experience. In most cases, information processed in this way does not constitute personal data.
- Conducting recruitment processes – Art. 6(1)(a, b, c, f) GDPR. If you send us your data in connection with an ongoing recruitment, we process it to conduct the recruitment process, including evaluating your qualifications, competencies, and suitability for the position or form of cooperation. Depending on the legal basis: (i) for data specified in Art. 22(1) § 1 of the Labor Code – data is processed for the purpose of fulfilling the legal obligation of the employer in connection with recruitment (Art. 6(1)(a) GDPR), while for other data, it is based on your consent (Art. 6(1)(a) GDPR) – if you independently send a CV or consent to participate in future recruitments, (ii) for taking steps prior to entering into a contract (Art. 6(1)(b) GDPR) – when you contact us regarding your desire to participate in the recruitment process, (iii) based on our legitimate interest (Art. 6(1)(f) GDPR) – to the extent necessary to verify your candidacy, contact you, and protect against potential claims. We store candidates’ personal data for the duration of the recruitment process and for 3 years after its completion for potential defense against claims, and if consent is given for participation in future recruitments – for 5 years or until consent is withdrawn. Providing data is voluntary but necessary to participate in the recruitment process.
VII. Data Sharing
Data may be transferred only to entities cooperating with the Controller in operating the Website, e.g., hosting providers, IT companies, legal advisors, accountants, as well as public authorities to the extent specified by law, and other subcontractors who gain access to data if the scope of their activities requires such access. All data processors ensure an adequate level of protection.
VIII. Transfer of Data Outside the EEA
Your personal data may be transferred to countries outside the European Economic Area in connection with the use of subcontractors’ services. We transfer personal data outside the EEA only if the country ensures an adequate level of data protection or appropriate legal measures are applied, such as standard contractual clauses, binding corporate rules, etc.
IX. Data Retention Period
Personal data is stored for the period necessary to achieve the purpose for which it was collected, or until the legal basis for its processing expires, e.g., withdrawal of consent, expiration of claims, termination of a legal obligation, or an effective objection to data processing in cases where the basis for processing your data was the legitimate interest of the controller.
Detailed information on the period for which we process your data can be found in point VI of the Privacy Policy with respect to individual data processing purposes.
X. Profiling and Automated Decisions
The Controller may use IT systems (e.g., eRecruiter, Thomas International, Gallup StrengthsFinder) for partially automated data analysis, including competency profiling. Profiling does not lead to decisions that produce legal effects concerning the user. The decision to use the proposed services always rests with you.
XI. Rights of Data Subjects
In accordance with the GDPR, you have the right to:
- access your data and receive a copy thereof,
- rectify or erase it,
- restrict processing,
- data portability,
- object to processing (if the basis is the legitimate interest of the controller),
- withdraw consent (if granted); data processing carried out until your consent is withdrawn remains lawful,
- lodge a complaint with the President of the Personal Data Protection Office.
To exercise these rights, please contact us using the details provided in this Policy. We guarantee the confidentiality and security of all data provided to us.
The rules related to the exercise of the above-mentioned rights are described in detail in Articles 16 – 21 of the GDPR. We encourage you to familiarize yourself with these provisions.
XII. Cookies
The Website uses cookies to ensure its proper functioning, personalize content, and analyze website traffic. Cookies do not cause changes to your device settings, while allowing you to use all Website functions.
During your first visit to the website, you are shown information about the use of cookies. By using the appropriate option in your browser, you can manage cookies, which means you can always change cookie settings or delete cookies altogether.
Please remember that disabling or restricting cookie support may cause difficulties in using the Website, as well as many other websites that use cookies.
If you want to learn more about managing cookies, you can use your browser’s help file.
Cookies on the Website are used for the following purposes:
- adapting the content of the Website to user preferences and optimizing its use; in particular, these files allow recognition of the Website user’s device and appropriate display of the Website, tailored to their individual needs;
- creating statistics that help understand how Website users use the website, which allows for improving its structure and content;
- providing users with advertising content more tailored to their interests.
XIII. Server Logs
Using the Website involves sending requests to the server where the website is stored. Each request directed to the server is saved in server logs.
Logs include, among others, your IP address, server date and time, information about the web browser and operating system you are using. Logs are saved and stored on the server.
The data saved in server logs is not associated with specific individuals using the website and is not used by us to identify you.
Server logs are solely auxiliary material used for Website administration, and their content is not disclosed to anyone other than persons authorized to administer the server.
XIV. Changes to the Privacy Policy
The Controller reserves the right to make changes to this Privacy Policy. The current version of the document will always be published on the Website with the effective date.
This Privacy Policy is effective from February 13, 2026.