Privacy Policy

1. General Information

This Privacy Policy sets out the rules for the processing of personal data and the use of cookies and other tracking technologies in connection with the use of the website fingrow-group.com (hereinafter: the “Website”).

We care about the privacy of visitors to the Website as well as our clients and contractors. This document explains what data we collect, for what purpose and on what legal basis, to whom we may transfer them, and what rights are available to the persons whose data we process.

The processing of personal data is carried out in accordance with:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: the “GDPR”);
• the Polish Act of 10 May 2018 on the Protection of Personal Data;
• the Polish Act of 18 July 2002 on the Provision of Services by Electronic Means;
• the Polish Act of 16 July 2004 – Telecommunications Law.

2. Data Controller

The controller of your personal data is:

Fingrow Consulting Group S.A., 00-634 Warsaw, ul. Progi 1 lok. 1, Tax ID (NIP): 7010781327

For matters concerning the processing of personal data, you can contact the Controller:

• by post – at the registered office address indicated above,
• by email – at: biuro@fingrow-group.com,
• by phone – at: +48 22 504 07 20.

3. Data Protection Officer

The Controller has not appointed a Data Protection Officer. For all matters concerning the processing of personal data, please contact the Controller directly at: biuro@fingrow-group.com.

4. Scope of Processed Data and Purposes of Processing

Depending on the form of interaction with the Website and the Controller, we process the following categories of personal data:

4.1. Contact Form

If you use the contact form available on the Website, we process:

• first and last name,
• email address,
• telephone number (if provided),
• subject of the message,
• content of the message,
• other data that you voluntarily include in the content of the message.

Purpose of processing: responding to inquiries, conducting correspondence and presenting cooperation offers.

Legal basis:

• Art. 6(1)(b) GDPR – pre-contractual measures taken at the request of the data subject,
• Art. 6(1)(f) GDPR – the legitimate interest of the Controller consisting in handling inquiries and communicating with potential clients.

4.2. Email and Telephone Correspondence

If you contact the Controller by email or telephone, we process the data contained in the correspondence, including the identification and contact details of the sender and the content of the communication.

Purpose of processing: conducting communication, handling inquiries, archiving business correspondence.

Legal basis: Art. 6(1)(b) and (f) GDPR.

4.3. Provision of Advisory, Investment and Legal Services

As part of concluded contracts and ongoing business cooperation, we may process a broader scope of data, including:

• identification data (first name, last name, PESEL number, ID document number),
• contact details (residential or business address, telephone number, email address),
• data of representatives and contact persons on the client’s side,
• financial and asset data necessary to provide advisory or investment services,
• professional and business data (position, experience, capital connections),
• data required by anti-money laundering and counter-terrorism financing regulations (AML).

Purpose of processing: conclusion and performance of the contract; provision of advisory, investment, legal and accounting services; invoicing and settlements; pursuit of claims; and fulfilment of obligations arising from legal provisions.

Legal basis:

• Art. 6(1)(b) GDPR – performance of a contract or pre-contractual measures,
• Art. 6(1)(c) GDPR – legal obligations (including tax, accounting, AML and anti-fraud regulations),
• Art. 6(1)(f) GDPR – the legitimate interest of the Controller, including the pursuit and defence of claims.

4.4. Automatically Collected Data (Server Logs)

When you use the Website, the following technical data is automatically recorded on the server:

• IP address,
• type and version of browser,
• operating system,
• visit time and pages visited,
• the address of the page from which the redirection took place (referrer).

Purpose of processing: ensuring the proper operation of the Website, diagnostics, security of the IT system, and detection and prevention of abuse.

Legal basis: Art. 6(1)(f) GDPR – the legitimate interest of the Controller.

4.5. Cookies and Similar Technologies

Detailed information can be found in section 9 of this Policy.

5. Voluntary Nature of Data Provision

The provision of personal data is voluntary, but in some cases necessary for:

• responding to an inquiry submitted via the contact form,
• concluding and performing a contract,
• issuing an invoice and fulfilling accounting and tax obligations.

In the case of obligations arising from legal provisions (e.g. AML, tax, accounting regulations), the provision of certain data is a statutory requirement, and refusal to provide them makes it impossible to provide the service.

6. Data Retention Period

We store personal data for the period necessary to achieve the purposes for which they were collected, in particular:

Purpose of processing	Retention period
Handling inquiries via the contact form	Up to 12 months from the last contact, unless the inquiry leads to the conclusion of a contract
Performance of a contract	For the duration of the contract and after its termination – until the expiry of the limitation period for claims (generally 6 years)
Accounting and tax documentation	5 years from the end of the calendar year in which the tax obligation arose
Data processed on the basis of consent	Until the consent is withdrawn
Data processed on the basis of legitimate interest	Until an effective objection is raised or the interest ceases
Data required by AML regulations	5 years from the date of termination of business relations with the client (with the possibility of extension in accordance with the regulations)
Server logs	Up to 12 months

7. Data Recipients

Your personal data may be transferred to the following categories of recipients:

• entities within the Fingrow group – to the extent necessary for the provision of services, within the competences of individual companies (e.g. legal, financial, investment and insurance advisory);
• providers of IT and hosting services – in connection with technical support of the Website, email, CRM systems and other IT tools;
• entities providing accounting, audit and advisory services – to the extent necessary to fulfil their obligations towards the Controller;
• law firms, notaries and bailiffs – in connection with legal services and proceedings;
• couriers and postal operators – for the purpose of delivering correspondence;
• banks and payment institutions – within the scope of settlement services;
• state authorities and authorised entities – in cases provided for by law (e.g. tax offices, the Social Insurance Institution, courts, the prosecutor’s office, the General Inspector of Financial Information – GIIF).

Each entity processing data on our behalf is obliged to maintain confidentiality and to apply data protection measures in accordance with the GDPR – in particular, on the basis of a data processing agreement.

8. Transfer of Data Outside the European Economic Area

In most cases, personal data are processed within the European Economic Area (EEA). To the extent that we use the services of providers established outside the EEA (e.g. Google – analytical services, cloud computing providers, certain marketing tools), the transfer of data takes place on the basis of:

• adequacy decisions of the European Commission, or
• standard contractual clauses approved by the European Commission, or
• other appropriate safeguards provided for in Art. 46 GDPR.

You may contact the Controller to obtain a copy of the safeguards applied.

In connection with cooperation with partners from Ukraine, data may be transferred to entities established in the territory of Ukraine – in such cases, we apply standard contractual clauses and additional security measures in accordance with the requirements of the GDPR.

9. Cookies

9.1. What are cookies

Cookies are small text files saved by the browser on the user’s end device, used to operate the functions of the Website and to conduct statistical analyses.

9.2. Types of cookies used

The Website uses the following categories of cookies:

a) Essential cookies – necessary for the proper operation of the Website, including remembering language preferences, user sessions and cookie choices. These cookies do not require consent.

b) Functional cookies – allowing the user’s settings to be remembered (e.g. selected language – Polish, English, Ukrainian).

c) Analytical and statistical cookies – used to analyse traffic on the Website, in particular via Google Analytics provided by Google Ireland Limited / Google LLC. They allow us to understand how users use the Website and to improve its functionality.

d) Marketing cookies – used to present advertisements tailored to the user’s preferences and to measure the effectiveness of advertising campaigns.

e) Third-party cookies – originating from providers of content embedded in the Website, including:

• Google Maps (map on the Contact page),
• Google Fonts (web fonts),
• LinkedIn, Facebook (social plugins and links).

9.3. Cookie management

The use of analytical, marketing and functional cookies other than essential ones requires your consent, expressed via the consent banner displayed on your first visit to the Website. Consent can be withdrawn at any time and the settings can be changed.

Regardless of the above, cookie settings can be changed in your web browser. Instructions for the most popular browsers:

• Google Chrome: https://support.google.com/chrome/answer/95647
• Mozilla Firefox: https://support.mozilla.org/pl/kb/ciasteczka
• Microsoft Edge: https://support.microsoft.com/pl-pl/microsoft-edge
• Safari: https://support.apple.com/pl-pl/guide/safari/sfri11471/mac

Limiting the use of cookies may affect some functionalities of the Website.

10. Analytical and Marketing Tools

10.1. Google Analytics

We use the Google Analytics service provided by Google Ireland Limited. This tool uses cookies to collect anonymous information about how the Website is used. The collected data is transmitted to and stored by Google.

We have activated IP anonymisation, which means that the user’s IP address is shortened within the EEA countries before further transmission.

Google’s privacy policy: https://policies.google.com/privacy

Opt-out from measurement by Google Analytics: https://tools.google.com/dlpage/gaoptout

10.2. Google Maps

The Contact page contains an embedded Google Maps map. When it is loaded, a connection is established with Google’s servers and technical data is transmitted (including the IP address).

10.3. Google Fonts

The fonts used on the Website are downloaded from the Google Fonts servers, which involves transmitting the user’s IP address and browser information to Google.

10.4. Social Media Plugins and Links

The Website contains links to our profiles on social networks (LinkedIn, Facebook). Clicking on a link redirects to an external service, the administrator of which is a third party that applies its own privacy policy:

• LinkedIn: https://www.linkedin.com/legal/privacy-policy
• Facebook (Meta): https://www.facebook.com/privacy/policy

11. Rights of Data Subjects

In connection with our processing of your personal data, you are entitled to the following rights:

• Right of access to data (Art. 15 GDPR) – the right to obtain information as to whether and what data concerning you are processed by us, and to obtain a copy of them.
• Right to rectification of data (Art. 16 GDPR) – the right to request correction of inaccurate data or the completion of incomplete data.
• Right to erasure of data (“right to be forgotten”, Art. 17 GDPR) – in situations provided for in the GDPR, including when the data are no longer necessary for the purposes for which they were collected.
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR) – in relation to data processed on the basis of consent or contract in an automated manner.
• Right to object (Art. 21 GDPR) – to data processing based on the legitimate interest of the Controller, including profiling.
• Right to withdraw consent (Art. 7(3) GDPR) – at any time, if the processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
• Right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw.

To exercise the above rights, please contact the Controller by email at biuro@fingrow-group.com or by post to the registered office address.

12. Profiling and Automated Decision-Making

Your data may be subject to profiling in analytical tools (Google Analytics) for statistical and marketing purposes; however, this profiling does not produce legal effects and does not significantly affect your situation. We do not make decisions based solely on automated data processing.

13. Data Security

The Controller applies appropriate technical and organisational measures aimed at ensuring the security of the processed personal data, in particular:

• encryption of the connection with the Website (HTTPS / SSL protocol);
• access control to systems and data;
• regular backups;
• periodic audits and security reviews;
• personnel training in the field of personal data protection;
• data processing agreements with service providers.

14. Links to External Sites

The Website may contain links to websites of other entities. The Controller is not responsible for the privacy policies applied by the owners of those sites. We recommend reading the privacy policies in force on the services you visit.

15. Changes to the Privacy Policy

This Privacy Policy may be periodically updated, in particular in connection with changes to legal provisions, the introduction of new functions on the Website or the use of new tools. The current version of the Policy is always available on the Website, indicating the date from which it applies.

In the event of significant changes, we will inform you via a notice on the Website or – if required – by email.

16. Contact

If you have any questions regarding this Privacy Policy or the processing of personal data by Fingrow Consulting Group S.A., please contact us:

Email: biuro@fingrow-group.com
Address: 00-634 Warsaw, ul. Progi 1 lok. 1