Privacy Policy

Information regarding the Data Processing and Privacy Policy and the use of cookies on the website


Policy: above Policy for processing personal data in Exorigo-Upos Sp. z o.o.

Administrator: Exorigo-Upos Sp. z o.o. (Skierniewicka 10A, 01-230 Warsaw), entered in the register of entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, XII Commercial Department of the National Court Register, number KRS: 0000216709, NIP: 9281838767, REGON: 971302261.

Personal data: information about an identified or identifiable physical person (the data subject).

RODO: Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46 / EC (general regulation on data protection).

The data subject: every natural person whose personal data is processed by the Administrator in connection with the activity carried out by him, eg a person going to restricted access zones in the Administrator's locations, a person with whom the Administrator binds or orders a contract in the form of an e-mail.


The administrator collects and processes personal data in accordance with applicable law, in particular with the RODO, in order to carry out its business activities.

The administrator applies to the principle of ensuring transparency of personal data processing. Data subjects are informed about the processing of data at the latest at the time of their collecting, furthermore they are informed of the purpose and legal basis of their processing – eg. when concluding a contract for the sale of goods or services.

The administrator makes sure that the principle of personal data minimization is respected in the Company. Data is collected to the extent necessary for the indicated purpose of processing, and processed only for a minimum retention period. In order to speed up and improve the service of its clients, the Administrator obtains personal data from them that are not necessary, for example, to perform the contract concluded with them - as a phone number or e-mail, only with their approval, and before collecting such data, informs customers of their voluntary application.

The administrator ensures an adequate level of security and confidentiality of personal data processed by him. In the event of an incident related to the security of personal data, the Administrator informs about such an event persons whose personal data concerns, in a manner consistent with the law.


The data administrator has appointed a Data Protection Officer to contact through:

  1. e-mail,
  2. by correspondence to the address of Exorigo-Upos Sp. z o.o., Skierniewicka 10A, 01-230 Warsaw with the inscription "protection of personal data".


Procedures introduced by the Administrator ensure an appropriate level of confidentiality and integrity of personal data processed by him. Only persons who are properly trained and have appropriate authorizations can access personal data. The administrator applies organizational and technical solutions to ensure that all operations on personal data are registered and made only by authorized persons.

The administrator takes the necessary steps when selecting the processors and other subcontractors to ensure the level of personal data protection for these entities it was enough.

The administrator conducts a risk analysis on an ongoing basis and monitors the adequacy of data security measures applied to the identified threats. If necessary, the Administrator implements additional measures to increase data security.


Customers' personal data is collected in the case of

Subscribing to the newsletter (Newsletter),
to perform the contract, the object of which is a service provided electronically, in accordance with art. 6 par. 1 lit. RODO. In case of use the Newsletter service, the customer provides their name and e-mail address.

Use the contact form based of art. 6 par. 1 point f) RODO
the legally justified interest of the Administrator consisting in undertaking necessary actions at the request of the data subject and answering an inquiry. In case of using contact form on the Exorigo-Upos website, the Customer provides: e-mail address, telephone number and first and last name.

Direct marketing, based on art. 6 par. 1 point f) RODO
the legitimate interest of the Administrator consisting in gaining new clients and encouraging the purchase of products and services of the Companies in the Exorigo-Upos capital group. Marketing activities towards new customers are conducted, after prior consent to communication, with at least one contact channel, like e-mail or telephone.

Collecting data in other cases.
In connection with the conducted activity, the Administrator collects personal data also in other cases – eg. during business meetings, at industry events or by exchanging business cards - for purposes related to establishing and maintaining business contacts. Personal data is given in such cases on a voluntary basis. The legal basis for processing is in this case the legitimate interest of the Administrator (Article 6 (1) letter f) of the RODO, consisting in creating a network of contacts regarding the activity. Personal data collected in such cases is processed only for the purpose for which it was collected.

The administrator ensures that the amount of data processed in correspondence is consistent with the principle of data minimization and that only authorized persons have access to it.

During using the website, additional information may be downloaded, in particular: the IP address assigned to the terminal device (eg. telephone, tablet, computer) of the Customer or external IP address of the Internet provider, domain name, browser type, access time, type of operating system.

In order to market your own products and improve services from customers, navigational data may also be collected, including information about links which clients decide to click, or other activities on our site, based on the Administrator's legitimate interest (Article 6 paragraph 1 letter f RODO), consisting in facilitating the use of services provided electronically and improving the functionality of these services.

The transfer of personal data to the Administrator is voluntary related to implementation of the contract, the subject of which is the service provided electronically. With understanding,
that when Client does not submit data specify in form, makes it impossible to execute the Client's order.


The period of data processing by the Administrator depends on the purpose of processing.

In the event that the basis for processing is necessary for the conclusion and performance of the contract, personal data will be processed until its completion.

If the processing is based on consent, personal data is processed until it is withdrawn.

The rule of law
In the case when the legal basis is the law, the period of personal data is processing also with results from specific provisions.

Legitimate interest of the Administrator
In the case of data processing on the basis of the legally justified interest of the Administrator, personal data are processed for a period enabling this implementation or for reporting effective objections to the processing of data.

Protection against claims
The processing period may be extended if the processing is necessary to establish, investigate or defend against any claims, and after that period, only in the case and to the extent that it will be required by law.

If the retention period has expired, personal data shall be deleted or anonymized without delay.

Personal data may be transferred to entities that process personal data at the request of the Administrator, like IT service providers - where such entities process data on the basis of a contract with the administrator and only in accordance with the administrator's instructions. Service providers are based mainly in Poland and other countries of the European Economic Area (EEA). If your data were transferred outside the EEA, the Administrator will apply appropriate legal safeguards, like standard contractual clauses for the protection of personal data, approved by the European Commission. In the case of a request, the Administrator provides personal data to authorized state authorities, in particular organizational units of the Prosecutor's Office, the Police, the President of the Office for Personal Data Protection, the President of the Office of Competition and Consumer Protection, or the President of the Office of Electronic Communications.

Our website uses files with small size, called cookies. They are saved by the Administrator on the final device of the visitor of the website, if the web browser allows it. A cookie file usually contains the name of the domain it originates from, its "expiration time" and an individual, randomly selected number identifying this file. Information collected by means of such files enables the development of general statistics of visits to our website.

The Administrator use two types of cookies:

Serial cookies: after the end of a given browser session or the final device is turned off, the stored information is removed from the device's memory. The mechanism of session cookies does not allow to retrieve any personal data or any confidential information from final devices.

Persistent cookies: they are stored in the memory of the Customer's final device and remain there until they are deleted or expired. The mechanism of persistent cookies does not allow for the collection of any personal data or any confidential information from the terminal equipment of customers.

The Administrator use cookies files to analyze data that helps to understand how customers are helping to understand how they work. Administrator does not use cookies to profile people visiting websites referred to above.

The mechanism of cookies is safe for end devices from which clients of the website customers. In this particular way, it is not possible for viruses or other unwanted software or malware to enter the end devices of the clients. In their browsers, they have the ability to access cookies for end devices. Use this site with your websites, features that by their nature require cookies.

Below, we present how you can change the settings of popular web browsers in the use of cookies:

a) Internet Explorer
b) Mozilla Firefox browser
c) Chrome browser
d) Safari browser
e) Opera browser

The Administrator can collect IP addresses of Clients. An IP address is a number assigned to the final device of the person visiting the website by the internet service provider. The IP number allows access to the internet. In most cases, it is assigned to the terminal device dynamically, i.e. it changes every time you connect to the Internet and is commonly regarded as non-private identifying information. The IP address is used by the Administrator in diagnosing technical problems with the server, creating statistical analyzes (like determining in which regions we note the most visits), as information useful in administering and improving the website, as well as for security purposes and possible identification of server-biased, undesirable automatic programs for viewing the contents of our website.


Rights of data subjects
The data subjects have the following rights:

  1. The right to inform about the processing of data - on this basis, the person submitting such a request to the Administrator provides information about the processing of his personal data, in particular, about the purposes and legal grounds of processing, the scope of data held, entities to which they are disclosed and the planned date of their removal,
  2. The right to obtain a copy of data - on this basis, the Administrator provides a copy of the data processed concerning the person making the request,
  3. Right to rectify - the Administrator is obliged to remove any incompatibilities or errors of personal data being processed and to supplement them if incomplete,
  4. The right to delete data - on this basis you can request deletion of data, the processing of which is no longer necessary to carry out any of the purposes for which they were collected.
  5. The right to limit processing - in the event of such a request, the Administrator ceases to conduct operations on personal data, except for operations agreed to by the data subject and their storage, in accordance with accepted retention rules or until the reasons for processing restrictions cease to exist. data (eg a decision of the supervisory authority will be issued, allowing further processing of data),
  6. The right to data transfer - on this basis, to the extent to which personal data are processed in connection with the concluded agreement or consent, the Administrator will provide personal data provided by the person concerned in a format that allows their reading by a computer. It is also possible to request that data to be sent to another entity - provided, however, that there are technical possibilities in this respect both on the part of the Administrator and that other entity,
  7. Right to object to the processing of data for marketing purposes - the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such objection,
  8. Right to object to other purposes of data processing - the data subject may at any time object to the processing of personal data on the basis of the Administrator's legitimate interest (eg for analytical or statistical purposes or for reasons related to the protection of property). Opposition in this respect should contain justification,
  9. Right of withdrawal of consent - if personal data are processed on the basis of expressed consent, the data subject has the right to withdraw it at any time, but this does not affect the legality of the processing carried out prior to the withdrawal of the consent,
  10. The right to complaint - if it is found that the processing of personal data violates the provisions of the RODO or other provisions on the protection of personal data, the data subject may file a complaint to the President of the Office for Personal Data Protection.

Reporting requests related to the implementation of rights

An application for the exercise of the rights of data subjects may be submitted:

  1. in writing, by traditional mail, to the address of Exorigo-Upos Sp. z o.o. ul. Skierniewice 10A, 01-230 Warszawa with the note "Data Protection Officer"
  2. via e-mail to the following address: A response to the notification should be given within one month of its receipt. If it is necessary to extend this deadline, the Administrator informs the applicant about the reasons for such extension.


In the event of a change in the current privacy policy, appropriate modifications to the above provision will be made.