Privacy Policy
Last updated: April 8, 2026
1. Data Controller
The Data Controller within the meaning of Article 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR") is:
Michał Pietrucin conducting business under the name Michał Pietrucin Usługi Graficzne (Michał Pietrucin Graphic Design Services)
ul. Konrada Leczkowa 19/19, 80-432 Gdańsk
NIP: 578 284 79 30
also operating under the trade name nexgraf,
hereinafter referred to as the "Data Controller".
For matters concerning personal data protection, please contact the Data Controller:
- Email: kontakt@nexgraf.pl
- Phone: +48 692 11 99 53
- Mailing address: ul. Konrada Leczkowa 19/19, 80-432 Gdańsk
2. Scope, Purposes and Legal Bases of Data Processing
The Data Controller processes personal data only to the extent necessary to achieve specific, explicit and legally justified purposes. Below is detailed information about individual processing activities:
2.1. Contact Form and Quote Requests
- Data Scope: first and last name, business email address, company name or employer, telephone number (optional), message content.
- Purpose of Processing: handling inquiries, preparing individual quotes, establishing and maintaining B2B cooperation.
- Legal Basis: Article 6 (1)(b) GDPR — necessity to take action before entering into a contract at the request of the data subject; alternatively Article 6 (1)(f) GDPR — legitimate interest of the Data Controller in the form of handling incoming business inquiries.
- Retention Period: throughout the course of correspondence, and then until the expiration of the period of limitations for any claims, no longer than 3 years from the last contact.
2.2. Performance of Contracts and B2B Cooperation Management
- Data Scope: identification and contact data of persons representing the client (first name, last name, position, business email address, telephone number), client company data (company name, NIP, headquarters address), data necessary for issuing and settlement of invoices.
- Purpose of Processing: execution of graphic design assignments, current operational communication, issuance and archiving of accounting documents.
- Legal Basis: Article 6 (1)(b) GDPR — necessity to perform a contract to which the data subject is a party or to take action at their request before entering into a contract; Article 6 (1)(c) GDPR — necessity to comply with a legal obligation binding on the Data Controller arising from tax and accounting laws.
- Retention Period: for the duration of the contract and, after its termination, for the period required by law (tax documentation: 5 years from the end of the tax year in which the tax payment deadline expired; civil claims: until the expiration of the period of limitations, typically 3 years).
2.3. Direct Marketing
- Data Scope: business email address, company name.
- Purpose of Processing: sending commercial information about nexgraf services by electronic means, only after obtaining explicit consent.
- Legal Basis: Article 6 (1)(a) GDPR — voluntary, specific, informed and explicit consent of the data subject, expressed before processing begins; regarding electronic communication — Article 10 of the Act of 18 July 2002 on Provision of Services by Electronic Means.
- Retention Period: until the data subject withdraws consent. Withdrawal of consent does not affect the lawfulness of processing conducted before its withdrawal.
2.4. Establishment and Defense Against Claims
- Data Scope: data of contracting parties, data relating to performance of assignments, correspondence documentation.
- Purpose of Processing: establishing, pursuing or defending against legal claims.
- Legal Basis: Article 6 (1)(f) GDPR — legitimate interest of the Data Controller consisting of the ability to pursue and defend against claims.
- Retention Period: until the expiration of the period of limitations for claims arising from a given contract or legal event.
3. Cookies and Tracking Technologies
The tan-loris-913150.hostingersite.com service may use cookies (small text files stored by the browser on the user's device). Cookies do not contain identification data and are not used to create personal profiles.
3.1. Necessary (Technical) Cookies
Necessary cookies ensure basic technical functions of the service, such as navigation and access to protected areas. The service cannot function properly without these cookies. Their use does not require separate user consent under Article 173 (3) of the Act of 16 July 2004 — Telecommunications Law.
3.2. Analytical (Statistical) Cookies
Analytical cookies allow the Data Controller to collect anonymized statistical information about how the website is used (e.g., number of visits, time spent on the site, most frequently visited pages) in order to continuously improve it. They are used only after the user has voluntarily consented. The user may withdraw consent at any time.
3.3. Cookie Settings Management
The user may change cookie settings at any time through their web browser settings, including completely blocking cookies or ordering deletion of stored files. Restricting cookie use may affect some website functionality. Instructions for managing cookies are available in the documentation of popular browsers: Chrome, Firefox, Safari, Edge, Opera.
4. Recipients of Personal Data
Personal data may be shared only with the following categories of recipients when necessary to achieve processing purposes:
- Data Processors (Processors): suppliers of IT infrastructure, hosting and email services, project management tools and communication services — only on the basis of data processing agreements (Article 28 GDPR) ensuring an appropriate level of protection.
- Accounting Office / Tax Advisor: to the extent necessary for maintaining accounting records, tax settlements and invoice issuance — on the basis of a data processing agreement.
- Law Firm: to the extent necessary for pursuing or defending against legal claims — on the basis of professional privilege.
- Public Bodies and State Administration: only when the obligation to inform them results from mandatory legal provisions (e.g., tax authorities, supervisory bodies, courts).
The Data Controller does not sell, rent or share personal data with third parties for marketing or commercial purposes.
5. Transfer of Data to Third Countries and International Organizations
In connection with the use of external technology providers' services with headquarters or servers outside the European Economic Area (EEA) — in particular services from Google LLC (Google Fonts, Google Analytics) — data may be transferred to third countries. The Data Controller ensures that each such transfer takes place on the basis of appropriate legal safeguards, in particular:
- standard contractual clauses approved by the European Commission in accordance with Article 46 (2)(c) GDPR;
- European Commission decision finding an adequate level of protection in a given country (Article 45 GDPR).
Upon request of the data subject, the Data Controller provides information about the transfer mechanisms used.
6. Rights of Data Subjects
Each person whose personal data is processed by the Data Controller has the following rights under GDPR, which may be exercised free of charge by submitting an appropriate request to kontakt@nexgraf.pl:
- Right of Access to Data (Article 15 GDPR) — the right to obtain from the Data Controller confirmation of whether personal data concerning them is being processed, and if so — the right to obtain access to such data and a copy thereof.
- Right to Rectification (Article 16 GDPR) — the right to request immediate rectification of inaccurate personal data or supplementation of incomplete data.
- Right to Erasure (Article 17 GDPR) — the right to request deletion of personal data when one of the circumstances specified in Article 17 (1) GDPR occurs, subject to the exceptions specified in Article 17 (3) GDPR.
- Right to Restriction of Processing (Article 18 GDPR) — the right to request restriction of data processing in cases specified in Article 18 (1) GDPR.
- Right to Data Portability (Article 20 GDPR) — the right to receive personal data in a structured, commonly used format suitable for machine reading and the right to transmit it to another controller — if processing is based on consent or a contract and is automated.
- Right to Object (Article 21 GDPR) — the right to object at any time to processing of personal data based on Article 6 (1)(e) or (f) GDPR, including profiling. The Data Controller will cease processing unless it demonstrates compelling legitimate reasons for processing that override the interests of the data subject, or reasons for establishment, pursuit or defense of claims.
- Right to Withdraw Consent (Article 7 (3) GDPR) — the right to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
The Data Controller considers requests without unnecessary delay, but no later than within one month of their receipt. In justified cases, this period may be extended by a further two months, of which the Data Controller will inform the requestor.
7. Right to Lodge a Complaint with a Supervisory Authority
If you believe that the processing of your personal data violates GDPR or other personal data protection laws, you have the right to lodge a complaint with the appropriate supervisory authority. In the Republic of Poland, the supervisory authority is:
President of the Office for Personal Data Protection
ul. Stawki 2, 00-193 Warszawa
Hotline: 606-950-000
https://uodo.gov.pl
8. Security of Personal Data
The Data Controller implements appropriate technical and organizational measures ensuring protection of processed personal data against accidental or unlawful destruction, loss, modification, unauthorized disclosure or access. The implemented security measures include in particular:
- encryption of data transmission using SSL/TLS protocol (HTTPS connection);
- application of the principle of least privilege — access to data is available only to authorized persons, to the extent necessary to perform their assigned tasks;
- regular reviews and updates of applied IT security measures;
- conclusion of confidentiality agreements (NDAs) and data processing agreements with external entities that have access to personal data.
In the event of a personal data breach that may pose a high risk of violation of the rights or freedoms of natural persons, the Data Controller will promptly notify the data subjects in accordance with Article 34 GDPR.
9. Automated Decision-Making and Profiling
The Data Controller does not apply automated decision-making that would produce legal effects against natural persons or similarly significantly affect them, including profiling within the meaning of Article 22 GDPR.
10. Changes to Privacy Policy
This Privacy Policy may be periodically updated in connection with changes in legislation, guidelines of supervisory authorities or changes in applied technologies. The Data Controller announces significant changes by publishing an updated version of the document on the tan-loris-913150.hostingersite.com website along with the date of last modification. Use of the website after publication of changes is equivalent to acceptance of their content. The Data Controller encourages regular review of this document.
This Privacy Policy is effective as of April 8, 2026.