Privacy Policy

Information on Processing of Personal Data, Privacy Policy and Cookie Notice Concerning Website

  1. The hereby Privacy Policy sets the rules for processing of personal data obtained via exorigo360.comWebsite.
  2. Exorigo-Upos S.A. is a Website Owner with its registered office in Warsaw (01-230), Skierniewicka 10A street, hereinafter referred to as ”Exorigo-Upos”. Exorigo-Upos, FINTURE Sp. z o.o. and FINTURE.AI Sp. z o.o. are the companies related by shares and organisationally which have an established cooperation, providing comprehensive IT solutions. The entities have signed a contract for mutual Website administration. The contract’s provisions have been described further below in more detail.
  3. Personal data obtained by Exorigo-Upos, FINTURE Sp. z o.o. and FINTURE.AI Sp. z o.o. (hereinafter referred to as ”Joint Controllers”) via Website is being processed in compliance with Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and of the free movement of such data, and repealing Directive 95/46/WE (General Data Protection Regulation), also referred to as „GDPR”, Personal Data Protection Act of 10 May 2018, Polish Act of Telecommunications Law of 16 July 2004, and Polish Act on Rendering Electronic Services of 18 July 2002.
  4. Joint Controllers exercie due diligence to respect the privacy of Clients’ (according to the definition above) visiting the Website.


  1. Personal data: information on identified or identifiable natural person (a data subject).
  2. Data subject: every natural person whose personal data is processed by the Joint Controllers in relation to the businesses conducted by them, e.g. a natural person bound by agreement with one of the Joint Controllers or a natural person who addresses questions to a Joint Controller via electronic mail.
  3. Policy: the following Policy refers to the personal data processing in the enterprises being part of Exorigo-Upos corporate group.
  4. GDPR: Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and of the free movement of such data, and repealing Directive 95/46/WE (General Data Protection Regulation).
  5. Website: website.
  6. Joint Controllers: The personal data you have submitted is administered by the parties who mutually decide on the objectives and methods of data processing: Exorigo-Upos S.A., FINTURE Sp. z o.o. and FINTURE.AI Sp. z o.o., hereinafter referred to jointly as ”Joint Controllers”. There is a single contact address to the aforemensioned companies: Skierniewicka 10A street, 01-230 Warsaw.


As part of joint data controller agreement, Joint Controllers agreed on the scope of their responsibility regarding GDPR-related obligations, specifically, Exorigo-Upos S.A. is responsible for:

  • compliance with disclosure requirements pursuant to GDPR, related to disclosure of information mentioned in Art. 13 and Art. 14;
  • carrying out activities related to promotion of their products and services in order to obtain new clients;
  • notification of data subjects about data violations, pursuant to Art. 34 GDPR;
  • reporting of personal data violations to supervisory authorities, pursuant to Art. 33 GDPR;
  • the obligations resulting from GDPR, related to exercising of the rights you are entitled to. Regardless of this settlement, you are in a position to exercise the rights herein mentioned also towards the Joint Controllers: FINTURE Sp. z o.o. and FINTURE.AI Sp. z o.o. Your claim will be delivered by the Joint Controllers to Exorigo-Upos S.A. for its further execution.


The Data Controllers collect and process the data according to the mandatory provisions of law, GDPR in particular, in order to conduct their business activities.

The Data Controllers comply with the principle of transparency related to personal data processing. The natural persons whose data is being processed are informed about the data processing not later than at the point of data collection. In addition, the natural persons are also provided with the information on the goals and a legal basis of data processing, e.g. while signing a contract of sale of goods or services.

The Joint Controllers aim at respecting the principle od personal data minimisation. The data is collected within a scope necessary for stated goals of data processing. In addition, the data is processed only within a minimal retention period. In order to accelerate and improve their customer service, the Data Controllers acquire the customer’s personal data necessary for e.g. execution of an agreement concluded with a customer – phone number or e-mail address – exclusively under the customer’s consent. Before the collection of this data, a customer is informed about the voluntary nature of their data disclosure.

The Joint Controllers provide a necessary level of security and confidentiality in relation to the processed data. Should any incident related to data security occur, in compliance with above-mentioned information, Exorigo-Upos S.A. informs the relevant natural persons, in a way compliant to the regulations.


The Joint Controllers have appointed an Inspector for Data Protection who can be contacted via:

  1. e-mail,
  2. correspondence address:

Exorigo-Upos S.A.,
Skierniewicka 10A street,
01-230 Warsaw
with a note: „personal data protection”.


The procedures implemented by the Joint Controllers ensure an adequate level of confidentiality and integrality for the data being processed. Personal data can be accessed only by by the persons adequately trained, with suitable authorisations. The Joint Controllers employ organisational and technical solutions in order to ensure all the operations with personal data are registered and carried out only by the authorised persons.

The Joint Controllers undertake necessary steps when deciding on the processing parties and other subcontractors to provide a sufficient level of personal data security for these parties.

The Joint Controllers conduct up-to-date risk assessment and evaluates the adequacy of data security measures employed for identified risks. If necessary, the Joint Controllers implement additional measures to increase data security.


Customers’ personal data is collected in the following cases:

Subscription of information bulletin (Newsletter) in order to execute a contract with its subject being a servise executed electronically, pursuant to Art. 6(1)(b) GDPR. Using a Newsletter service, a Customer discloses their name and e-mail address.

Using a contact form pursuant to Art. 6(1)(f) GDPR – legally justified interest of the Joint Controller consinting of taking up necessary actions on demand of a person the data concerns, and responding an inquiry. Using a contact form on Exorigo-Upos websites, a Customer discloses: e-mail address, phone number, name and surname.

Completing a survey, pursuant to Art. 6(1)(a) GDPR – a person the data concerns gave their assent on personal data processing in order to prepare an offer based on the data indicated in a survey/form. Using a contact form on website, a Customer discloses: e-mail address, company name, industry, size of business (number of employees) and wielkość firmy (ile os. zatrudnia), and province.

Direct marketing, pursuant to Art. 6(1)(f) GDPR – legally justified interest of the Joint Controllers consisting of aquisition of new customers and encouragint purchase of products and services provided by the companies within Exorigo-Upos corporate group. Marketing activities involving new clients are carried out only after a client’s assent on communication, at least via one communication channel, e-mail or phone.

Establishing claims, claims assertion and einforcement of claims. In these cases, some personal data disclosed by a Client using Website features, e.g. name, surname, data related to the usage of services, if the claims result from the way a Client uses the services, other data necessary to prove the existence of claim, including the scope of damage suffered. The legal basis – legally justified interest (Art. 6(1)(f) GDPR, that is, establishing, asserting and einforcing the claims as well as defence of claims in legal proceedings and the proceedings concerning other government agencies.

Data collection in other cases. With regard to the conducted business, the Joint Controllers collect the personal data also in other cases – e.g. during business meetings, industry events or when exchanging business cards to make and sustain business contacts. In such cases, personal data is disclosed voluntarily. The legal basis for data processing is a legally justified interest of Joint Controllers (Art. 6(1)(f) GDPR), consisting in networking in relation to conducted business. Personal data collected in mentioned cases are processed exclusively for the purpose it has ben collected for.

Exorigo-Upos ensures that the amount of data processed in correspondence is consistent with the principle of data minimisation and that only authorized persons have access to it.

Using the Website, additional information may be downloaded, in particular: IP address assigned to the user’s (Client’s) device (eg. telephone, tablet, computer) or external IP address of the Internet provider, domain name, browser type, access time, type of operating system.

For own products marketing purposes or for improvement of services, the Client’s navigational data can be also collected including information about the links and hyperlinks they decide to click or other activities on our site, on the basis of legitimate interest of the Joint Controllers (Art. 6(1)(f) GDPR), RODO), consisting in facilitating the use of services provided electronically and improving the functionality of these services.

The transfer of personal data to the Exorigo-Upos is voluntary, in relation to the services provided via Website. When Client does not submit the data specified in form, the service will not be provided.


The period of data processing by Exorigo-Upos depends on the purpose of processing.

When the basis for processing is necessary for the conclusion and performance of the contract, personal data will be processed until its completion.

If the processing is based on consent, personal data is processed until it is withdrawn.

The rule of law
In the case when the legal basis is the law, the period of personal data is processing also with results from specific provisions.

Legitimate interest of Exorigo-Upos
In the case of data processing on the basis of the legally justified interest of Exorigo-Upos, personal data are processed for a period enabling this implementation or for reporting effective objections to the processing of data.

Protection against claims
The processing period may be extended if the processing is necessary to establish, investigate or defend against any claims, and after that period, only in the case and to the extent that it will be required by law.

If the retention period has expired, personal data shall be deleted or anonymized without delay.


Personal data may be transferred to entities that process personal data at the request of Exorigo-Upos, like IT service providers – where such entities process data on the basis of a contract with the administrator and only in accordance with the administrator’s instructions. Service providers are based mainly in Poland and other countries of the European Economic Area (EEA). If your data were transferred outside the EEA, Exorigo-Upos will apply appropriate legal safeguards, like standard contractual clauses for the protection of personal data, approved by the European Commission.

In the case of a request, Exorigo-Upos provides personal data to authorized state authorities, in particular organizational units of the Prosecutor’s Office, the Police, the President of the Office for Personal Data Protection, the President of the Office of Competition and Consumer Protection, or the President of the Office of Electronic Communications.


Our website uses files with small size, called cookies. They are saved by the Administrator on the final device of the visitor of the website, if the web browser allows it. A cookie file usually contains the name of the domain it originates from, its “expiration time” and an individual, randomly selected number identifying this file. Information collected by means of such files enables the development of general statistics of visits to our website.

Exorigo-Upos use two types of cookies:

Serial cookies: after the end of a given browser session or the final device is turned off, the stored information is removed from the device’s memory. The mechanism of session cookies does not allow to retrieve any personal data or any confidential information from final devices.

Persistent cookies: they are stored in the memory of the Customer’s final device and remain there until they are deleted or expired. The mechanism of persistent cookies does not allow for the collection of any personal data or any confidential information from the terminal equipment of customers.

The Administrator use cookies files to analyze data that helps to understand how customers are helping to understand how they work. Exorigo-Upos does not use cookies to profile people visiting websites referred to above.

The mechanism of cookies is safe for end devices from which clients of the website customers. In this particular way, it is not possible for viruses or other unwanted software or malware to enter the end devices of the clients. In their browsers, they have the ability to access cookies for end devices. Use this site with your websites, features that by their nature require cookies.

Client of a party has a possibility to refuse consent for using cookie files in cases when the Controller, to obtain such a consent, Controller is obliged by law with clicking the button <I resign> on the screen with cookies information. Client of a party has an option to manage cookie files changing the settings in their device. Client’s permission won’t be demanded when data storage or access to cookie files is necessary to carry out a service demanded by a Client.

6. Below, we present how you can change the settings of popular web browsers in the use of cookies:

Joint controllers can collect IP addresses of Clients. An IP address is a number assigned to the final device of the person visiting the website by the internet service provider. The IP number allows access to the internet. In most cases, it is assigned to the terminal device dynamically, i.e. it changes every time you connect to the Internet and is commonly regarded as non-private identifying information. The IP address is used by Exorigo-Upos in diagnosing technical problems with the server, creating statistical analyzes (like determining in which regions we note the most visits), as information useful in administering and improving the website, as well as for security purposes and possible identification of server-biased, undesirable automatic programs for viewing the contents of our website.


Rights of data subjects
The data subjects have the following rights:

  1. The right to inform about the processing of data – on this basis, the person submitting such a request to Exorigo-Upos S.A. provides information about the processing of his personal data, in particular, about the purposes and legal grounds of processing, the scope of data held, entities to which they are disclosed and the planned date of their removal;
  2. The right to obtain a copy of data – on this basis, Exorigo-Upos S.A. provides a copy of the data processed concerning the person making the request;
  3. Right to rectify – Each of the Joint controllers is obliged to remove any incompatibilities or errors of personal data being processed and to supplement them if incomplete;
  4. The right to delete data – on this basis you can request deletion of data, the processing of which is no longer necessary to carry out any of the purposes for which they were collected;
  5. The right to limit processing – in the event of such a request, Exorigo-Upos ceases to conduct operations on personal data, except for operations agreed to by the data subject and their storage, in accordance with accepted retention rules or until the reasons for processing restrictions cease to exist. data (eg a decision of the supervisory authority will be issued, allowing further processing of data);
  6. The right to data transfer – on this basis, to the extent to which personal data are processed in connection with the concluded agreement or consent, Exorigo-Upos S.A. will provide personal data provided by the person concerned in a format that allows their reading by a computer. It is also possible to request that data to be sent to another entity – provided, however, that there are technical possibilities in this respect both on the part of Exorigo-Upos S.A. and that other entity;
  7. Right to object to the processing of data for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such objection;
  8. Right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data on the basis of the Joint controllers legitimate interest (eg for analytical or statistical purposes or for reasons related to the protection of property). Opposition in this respect should contain justification;
  9. Right of withdrawal of consent – if personal data are processed on the basis of expressed consent, the data subject has the right to withdraw it at any time, but this does not affect the legality of the processing carried out prior to the withdrawal of the consent;
  10. The right to complaint – if it is found that the processing of personal data violates the provisions of the RODO or other provisions on the protection of personal data, the data subject may file a complaint to the President of the Office for Personal Data Protection.

Reporting requests related to the implementation of rights

An application for the exercise of the rights of data subjects may be submitted:

  • 1. in writing, by traditional mail, to the address of Exorigo-Upos S.A. Skierniewicka 10A street, 01-230 Warszawa with the note “Data Protection Officer” or
  • 2. via e-mail to the following address: A response to the notification should be given within one month of its receipt. If it is necessary to extend this deadline, Exorigo-Upos S.A. informs the applicant about the reasons for such extension.


In case of any amendments to the binding privacy policy, necessary adjustments will be implement in the abovementioned document.