We all appreciate a bit of privacy. Below, you can find the terms under which I process your personal data. It always takes place according to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR”. This Privacy Policy is an implementation of the information requirement set out in Art. 13 GDPR.

§1. Personal Data

1. Who is the Controller of your data?

The Controller of your personal data is Julia Kołodko-Langer, running a non-agricultural business activity under the name Onion Brains by Julia Kołodko-Langer, Chełmska 9/164 Street, 00-724 Warsaw, NIP (TIN) PL1230979092, REGON 381692907, hereinafter referred to as the ”Controller.”

2. How to contact the Controller?

You may contact me by sending an email to hello@juliakolodko.com. If you prefer written correspondence, please send your letter to the address indicated in section 1.

3. What data do I collect and what is the purpose of their processing?

I process only such data that have been provided to me, and I do not conclude on their basis about your other data or circumstances. Depending on the case, this may be your first name and surname, email address, telephone number, or the data you provide while browsing the website www.juliakolodko.com (e.g., to subscribe to the newsletter).

Your personal data are processed exclusively for the purposes for which they have been provided. If you provide your data in an email, the data will be processed in connection with that email, e.g., our cooperation and performance of the contract. If the data are provided for the purpose of subscription to the newsletter, they will be processed with the intention to send such a newsletter. The data you leave while browsing the website www.juliakolodko.com are used for traffic analysis and statistical purposes.

Provision of data is voluntary, however, in some instances, it will be necessary for the fulfillment of the purposes mentioned above (conclusion of contracts, subscription to the newsletter), and the consequence of their non-provision will be the impossibility to use such services.

4. On what basis do I process your data and from who do I obtain them?

Depending on the case, the legal basis for processing your data may be:

• Your express consent (e.g., subscription to the newsletter) – Art. 6(1) letter a GDPR; remember – consent is voluntary and may be withdrawn at any time, which, however, does not affect the legality of the data processing prior to the withdrawal.
• Performance of the contract for the purpose of which you have provided the data (e.g., in case of training, mentoring, courses or other nonstandard services) – Art. 6(1) letter b GDPR.
• The Controller’s legitimate interest – Art. 6(1) letter f GDPR; legitimate interest in data processing is, depending on the situation, direct marketing of my products and services, desire to provide you with highest quality services and to improve their operation, development of positive relations with you and other customers, answering inquiries, suggestions, concerns or complaints, and establishment, assertion or execution of claims and defense against claims in proceedings before courts or other state authorities.

In most cases, I obtain data directly from you. If I obtain your data on another basis, I will notify you shortly of that fact and present all necessary information, as specified in Art. 14 GDPR, to enable exercise of your rights.

5. How long will I process the data?

Your data will not be stored longer than necessary. The data received for the purposes of the newsletter will be stored until you opt-out from the subscription or until we abandon its distribution. The data relating to a contract for the provision of services (e.g., training, mentoring, courses) will be processed for a period necessary for its performance, settlement and making possible claims – no longer than for 3 years of the contract’s conclusion if you are an entrepreneur, or 6 years – in other situations.

Notwithstanding the above – I process the data recorded in my accounting books for the period of 5 years from the beginning of the year following the trading year in which the payment was to be made under the concluded contract for sale or the provision of services – in the light of my bookkeeping obligation.

Upon expiry of the above periods, your personal data will be erased or anonymized (turned into a permanent sequence of characters preventing identification of the data subject).

6. Who has access to your data?

The Controller may share your data with other entities, e.g., her subcontractors providing services in support of the Controller’s activities, to the extent necessary for the fulfillment of the purposes of the processing, e.g., to providers of marketing tools, accountants, legal advisors. Depending on the circumstances, such persons may be subject to the Controller’s instructions as to the purposes and methods of data processing (processors) or independently establish the purposes and methods of processing personal data (controllers).

Processors. The Controller uses the services of entities processing personal data exclusively in her direction and under-documented orders. These are, among others, providers of hosting services, disk space within a cloud, providers of marketing systems (e.g., for distribution of newsletters or other emails), systems for the analysis of Website traffic or effectiveness of marketing campaigns, etc.

Presently, the Controller cooperates with the following processors:

1. The Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, United States of America – the provider of the MailChimp service for newsletter distribution;
2. EventLabs Sp. z o. o. seated in Warsaw, ul. Mokotowska 1, 00-640 Warszawa, KRS: 323662;
3. Justyna Parzuchowska, running a non-agricultural business activity under the name Biuro Rachunkowe Justyna Parzuchowska in Warsaw, ul. Zdziarska 83Z/27 flat 2, 03-287 Warsaw, NIP (TIN): PL1131892548
4. KEI.PL Sp. z o.o. seated in Cracow, ul. Zakopiańska 9, 30-418 Cracow, KRS: 0000732079, NIP (TIN): PL6792736374
5. Łukasz Dusza, running a non-agricultural business activity under the name Łukasz Dusza in Przemyśl, ul. Henryka Siemiradzkiego 6/29, 37-700 Przemyśl, NIP (TIN): PL7952369029;
6. Fakturownia Sp. z o. o. seated in Warsaw, ul. Smulikowskiego 6/8, 00-389 Warszawa, KRS: 0000572426.

Other controllers. The Controller additionally uses services of entities which do not act exclusively in her direction and by themselves establish the purposes and methods of use of personal data. These are entities providing mainly remarketing campaign services or conducting statistical research.

Presently, the Controller cooperates with the following entities having the status of personal data controllers:

1. PayU S.A. seated in Poznań, ul. Grunwaldzka 186, 60-166 Poznań, KRS: 274399 – electronic payment operator;
2.  Facebook, Inc., 1601 Willow Road, Menlo Park, California 94025, United States of America;
3. Google LLC, 1600 Amphitheatre Pkwy, Mountain View, California 94043, United States of America;
4. mBank S.A. seated in Warsaw, ul. Senatorska 18, 00-950 Warszawa, KRS: 25237;

Persons authorized by the Controller to process data. The Controller shares personal data with all her collaborators authorized to process personal data on her behalf, which is a consequence of the fact that on a day-to-day basis, there are people behind particular activities.

State authorities. Personal data are also provided when so requested by competent state authorities, in particular, organizational units of the Prosecutor’s Office, Police, courts or the supervisory authority for personal data protection (President of the Personal Data Protection Office).

Location. The abovementioned entities are seated mainly in Poland and other countries of the European Economic Area (EEA). However, certain of those entities may be seated outside the EEA. In connection with the transfer of personal data outside the EEA, the Controller has taken care that the service providers guarantee a high level of personal data protection. Such guarantees follow, in particular, from participation in the program "Privacy Shield" established under the implementing decision of the Commission (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield. In situations where the above requirement is not met, the Controller will ensure the conformity of data processing with the GDPR by obtaining consent from data subjects to such transfer, and the lack of consent will preclude the transfer of any personal data of the data subject to a third country.

7. Processing of children’s personal data

To subscribe to the newsletter or conclude a contract with me for the provision of other services – a person must attain the age of 16 or at least 13 years and obtain consent from a person exercising parental authority or guardianship over the child. The Controller does not knowingly intend to collect personal data of persons under 16 without obtaining consent from their parent or guardian.

8. What rights do you have?

You are entitled to request from me the access to your data, their rectification, portability or erasure (“right to be forgotten”), and the right to restrict data processing.

You are also entitled to lodge a complaint against further processing, or to withdraw consent to personal data processing. The exercise of the right to withdraw consent does not affect the processing prior to the withdrawal of consent.

If the Controller processes data contrary to the law, you have the right to lodge a complaint with the supervisory authority, that is the President of the Personal Data Protection Office.

The above entitlements may be exercised by contacting the Controller in one of the ways indicated in section 2 of this Policy. Specific situations in which the above rights apply and the terms of their exercise have been specified in Arts. 15-21 GDPR.
Requests of data subjects are processed as soon as possible, however, no later than within one month of their receipt.

9. Automated decision-making and profiling

The Controller shall take all reasonable efforts to adjust the offer of her products and services and all marketing messages sent to website users to their interests and preferences. To that end, the Controller may implement automated processing of personal data, which does not, however, take the form of profiling – meaning the use of the data collected by the Controller to evaluate certain personal factors of a natural person, in particular, to analyze such factors or to project aspects relating to the data collected by the Controller or to draw conclusions about personal characteristics and factors other than the ones collected by the Controller. However, the Controller may take advantage of the results of profiling conducted by third parties (e.g., Google, Facebook) when sending marketing and remarketing messages to website users.

At the same time, the Controller points out that targeting and personalization of the Controller’s marketing communications, in particular offers and commercial information, on the basis of the collected behavioral data (relating to the behavior of website users and their activities in the website, in particular the history of visited subpages), provided that they are not an effect of inference about other personal characteristics or factors of a website user on the basis of the data collected by the Controller, do not amount to profiling.

The above activities and decision-making may have a character of automated personal data processing – which takes place when a given activity or omission of a website user causes the display of a specific commercial message or the user being sent specific commercial information (mailing, newsletter) – identical for all users who behave similarly. However, such a message is not sent to the website user based on the assumptions made by the Controller’s use of automated means but in relation to particular information provided by the website user.

Having weighed the interests of the Controller and the interests, rights, and freedoms of website users, I have concluded that the presentation and distribution of commercial contents in connection with automated decision-making will not excessively interfere with the privacy of website users and will not be an excessive nuisance to such users. When weighing the interests, rights, and freedoms, I considered particularly the following:

• Sending marketing messages to an email address is in line with reasonable expectations of newsletter subscribers who have expressed their intention to receive such messages in emails according to the applicable legislation (especially the Act on the provision of services by electronic means and the Telecommunications Law Act).
• Automatic data processing and decision-making are based exclusively on the data provided by website users themselves and the data derived from their activities on the website other than sensitive data, data on private life, health, professional experience, effects of work, financial standing or activities on other websites.
• The Controller does not conclude any personal factors or characteristics of website users.
• Decisions made based on the effects of automated data processing refer exclusively to website users being shown particular contents or advertisements or sent (or not) particular marketing messages, which may not be considered as imposing legal consequences on such users or exerting material influence on their legal situation;
• Website users may easily withdraw their consent to the receipt of commercial information and processing of their personal data by a message sent to the Controller.

In the light of the above, it must be concluded that automated processing of personal data and decision-making are not a material threat to the rights and freedoms of data subjects, do not give rise to any material legal consequences for data subjects, do not exert significant impact on data subjects in any way similar to producing legal consequences for such persons and are not unduly burdensome, and, in consequence, (i) there are no preconditions which would preclude attribution of the overriding character to the Controller’s interests; (ii) such automated processing and decision-making are not covered by the prohibition set out in Art. 22(1) GDPR and no consent is required from the data subject, and, as a consequence, (iii) the Controller is not required to implement appropriate remedies protecting the rights, freedoms and legitimate interests of data subjects, including the right to obtain human intervention from the personal data controller, to express one’s own position and to question the automated decision.

10. Amendments to the Privacy Policy

According to the needs, the Controller may amend or update this Privacy Policy. Amendments shall be effective as of their publication. However, the previous provisions shall apply to contracts concluded prior to the amendment. I shall notify all amendments and supplementations by placing appropriate information on the website’s main page.

§2. Cookies Policy

1.  Cookies

To ensure efficient operation of the website, I sometimes place on the user’s computer (or another device) small files – so-called “cookies.” Most major websites do the same.

The provision by website users of the data covered by cookies is voluntary, and the manifestation of such intention on the part of the user are appropriate settings of the internet browser through which the user accesses the website. Withdrawal of consent may be affected by cumulative erasure of the cookies installed by the website through the browser settings (optimally, combined with clearing the browser’s cache) and simultaneous change of the browser’s settings to prevent the installation of cookies.

2.  What are cookies?

A “cookie” is a small text file saved by a website on a computer or mobile device of an Internet user when the user browses the website. In this way, the website may remember for a longer period the user’s actions and preferences (such as username, language, font size, and other options). Thanks to the above, you do not have to enter the same information each time you come back to the site or navigate between websites.

3.  How do I use cookies?

I use cookies to remember the order of activities, to identify each user on the website and to analyze the behavior of a user browsing the website. These are so-called session cookies, which are stored on your computer only for the duration of a single visit, and permanent cookies, which are stored for a longer period.

Cookies are generated by the Controller and by third parties, in particular, the Facebook website, within the framework of the implemented tool called Facebook Pixel; the information contained in cookies is respectively controlled by the Controller or by third parties.

The purposes for which I use cookies do not require identification of the data subject. In the light of the above, the Controller shall not be obliged to keep, obtain, or process additional information to identify the data subject merely for the purpose of applying the GDPR.

In this connection, the Controller notifies the above to website users in this Privacy Policy. In such situations, the rights referred to in section 8 of the Privacy Policy shall not apply, unless the data subject, with a view to exercising his rights under the GDPR, provides additional information permitting his identification.

Cookies are not used for reasons other than mentioned above.

4. How do I control my cookies?

Cookies may be independently controlled and erased – details are available on the website www.aboutcookies.org and, in most cases, the “Help” tab in the menu of your browser. You may erase all cookies installed on your computer. Moreover, in most browsers, you may choose a setting which prevents the installation of such files. In such a case, it may be necessary to adjust certain preferences during each visit to a given site, and a part of options and services may become inaccessible.