General Data Protection Regulation (GDPR)
PRIVACY POLICY - Econverse Foundation (registered under the name “Fundacja Econverse” in Polish National Court Register - KRS)
GDPR, i.e., the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016), regulates the protection of personal data of natural persons within the European Union. The objective of the GDPR is to strengthen and harmonize regulations regarding personal data protection in the EU.
Caring for the personal data of individuals cooperating with us, we have developed this Privacy Policy. Its purpose is to provide information on what personal data we collect, for what purposes we process it, how we use it, and who we are. This Policy also indicates the rights you are entitled to in connection with the processing of your personal data by us.
Note: This Privacy Policy does not apply to the processing of personal data of employees and associates.
WHO IS THE DATA CONTROLLER?
We kindly inform you that the Controller of your personal data is:
Fundacja Econverse (Econverse Foundation) Ul. Święty Marcin 29/8 | 61-806 Poznań KRS: 0000958429 | NIP: 781 203 28 96
hereinafter referred to as the "Data Controller".
DATA PROTECTION OFFICER
We kindly inform you that we have not appointed a Data Protection Officer. In case of questions regarding personal data protection, we invite you to contact us by sending an email to: fundacja@econverse.org with the subject line "RODO" (or "GDPR").
WHOSE PERSONAL DATA WILL WE PROCESS?
As the Data Controller, we will process the personal data of:
Participants of events, fairs, etc.;
Our clients and potential clients;
Our contractors – suppliers (including potential ones);
Business and substantive partners, etc.;
Persons representing entities with whom we cooperate;
Entities with whom we have relationships, but who are not yet our clients.
WHERE DID WE OBTAIN YOUR PERSONAL DATA FROM?
We obtained your personal data:
From registration and application forms;
In connection with your participation in our events;
Directly from you as a result of our correspondence, conversations, meetings, sending of information, or use of our services;
Within the framework of our ongoing cooperation;
From public registers, e.g., CEIDG, KRS, the VAT white list;
From other sources, including publicly available ones, such as websites.
WHAT ARE OUR PURPOSES AND LEGAL BASES FOR PROCESSING PERSONAL DATA?
To provide our services, the Data Controller processes your personal data for various purposes, but always in accordance with the law. We process personal data that we receive from you when you use our services and during contacts with us. This data is always processed in accordance with the General Data Protection Regulation (GDPR) and national regulations.
Below you will find the purposes of processing your personal data along with the legal bases:
A. Purpose: Signing up for and participating in our events, fairs, etc. (including recording the image of participants).
Data (Natural Persons): Name and surname, contact details (e.g., email, phone number), date of birth, nationality, personal data of co-participants, website address, image of participants recorded in photo reports/films, and other info provided.
Data (Legal Persons): Company name, registered office, contact details, tax ID (NIP), website address, registry info, and other info provided.
Legal Basis:
Art. 6(1)(a) GDPR (Consent): Voluntary consent (e.g., regarding the transfer of data).
Art. 6(1)(f) GDPR (Legitimate Interest): To properly provide services regarding the realization of our events.
B. Purpose: Conclusion and performance of a contract (provision of services).
Data: Similar to section A (Name, contact details, company info, etc.).
Legal Basis:
Art. 6(1)(b) GDPR (Performance of Contract): Necessary for the performance of a contract or to take steps prior to entering into a contract.
Art. 6(1)(f) GDPR (Legitimate Interest): E.g., for contact purposes and providing information related to the contract.
C. Purpose: Fulfillment of legal obligations (e.g., issuing VAT invoices, accounting documents, tax settlements).
Data: Name, surname, contact details, company name, address, NIP, REGON, PESEL/date of birth, bank account number, registry info.
Legal Basis:
Art. 6(1)(c) GDPR (Legal Obligation): Necessary for compliance with a legal obligation to which the Controller is subject.
D. Purpose: Handling matters directed directly to the Data Controller (e.g., complaints).
Data: Identification and contact details as listed above.
Legal Basis:
Art. 6(1)(f) GDPR (Legitimate Interest): Contacting you, handling complaints/grievances.
E. Purpose: Establishment, defense, and pursuit of claims.
Data: Name, surname, contact details, PESEL, nationality, company data (NIP, REGON), etc.
Legal Basis:
Art. 6(1)(f) GDPR (Legitimate Interest): Establishing, pursuing, or defending against claims from participants, clients, or third parties.
F. Purpose: Storing unanswered offers/inquiries.
Data: Name, company name, email, phone number, or other provided data.
Legal Basis:
Art. 6(1)(f) GDPR (Legitimate Interest): Enabling you to use our services for a specific time without needing to renew the offer.
G. Purpose: Archival and evidentiary purposes.
Data: Full identification and contact data (natural and legal persons) as described in previous sections.
Legal Basis:
Art. 6(1)(f) GDPR (Legitimate Interest): Proving facts related to contract performance if requested by state authorities.
Art. 6(1)(c) GDPR (Legal Obligation): Compliance with legal duties.
H. Purpose: Website administration (automatic data collection).
Data: IP address, server date/time, browser info, OS info.
Legal Basis:
Art. 6(1)(a) GDPR (Consent): E.g., via cookie settings.
Art. 6(1)(f) GDPR (Legitimate Interest): Ability to administer the website.
I. Purpose: Direct marketing.
Data: Name, contact details, DOB, nationality, company info, etc.
Legal Basis:
Art. 6(1)(a) GDPR (Consent).
Art. 6(1)(f) GDPR (Legitimate Interest): Realizing interests such as answering queries or sending offers.
J. Purpose: Sending a newsletter.
Data: Name, surname, contact details (email, phone).
Legal Basis:
Art. 6(1)(a) GDPR (Consent): Voluntary consent to receive the newsletter.
SECURITY OF PERSONAL DATA
Caring for the security of all data in our company, and in particular ensuring confidentiality and integrity, we have implemented appropriate technical and organizational measures, such as:
We conduct risk analysis on an ongoing basis to properly match solutions to potential threats related to breaches;
Access to data is granted only to authorized persons and only to the extent necessary to perform their tasks;
We sign data entrustment agreements on an ongoing basis with entities to whom we entrust personal data processing, ensuring these entities guarantee the highest level of security;
Access to systems is strictly controlled in accordance with security procedures.
SOCIAL MEDIA PORTALS
As part of our activities, we process your personal data on various social media portals, such as LinkedIn, Instagram, Facebook, EventBrite, Evenea, X.
Data processing takes place for the following purposes and on the following legal bases.
Purposes of data processing:
Communication and interaction with users: Responding to inquiries, comments, building relationships, and increasing engagement;
Marketing and promotion: Promoting services, products, events via posts and ads;
Event organization: Managing registrations, informing about details, communication with participants;
Analysis and statistics: Monitoring reach and marketing effectiveness;
Building company image: Presenting activities and engaging in dialogue.
Legal bases:
User Consent (Art. 6(1)(a) GDPR): Expressed through interactions with our profiles/content.
Legitimate Interests (Art. 6(1)(f) GDPR): Marketing, communication, and analytical purposes to promote our activity.
We ensure that processing on social media complies with regulations. More info can be found directly on the policies of: LinkedIn, Instagram, Facebook, EventBrite, Evenea, X.
REQUIREMENT TO PROVIDE PERSONAL DATA
Providing any personal data is voluntary and depends on your decision. However, in some cases, providing specific personal data is necessary to meet your expectations regarding the use of the service provided by the Data Controller. To receive a commercial offer, it is necessary to provide an email address — without this, we cannot meet your expectations and maintain the highest quality of service.
DO WE CONDUCT AUTOMATED DECISION-MAKING AND PROFILING?
Within the events we organize, we apply profiling of participants to better match our services to their needs and expectations. Profiling covers both behavioral data (behavior during events, interactions with program elements) and psychological data (allowing deeper understanding of motivations, interests, and preferences). This allows us to create more engaging and personalized experiences. All collected data is processed in accordance with GDPR, ensuring confidentiality.
Legal bases for profiling:
Participant Consent (Art. 6(1)(a) GDPR): Voluntary consent.
Performance of Contract (Art. 6(1)(b) GDPR): Necessary to ensure high-quality services adapted to needs.
Legitimate Interests (Art. 6(1)(f) GDPR): Analysis and improvement of services, provided it does not violate rights and freedoms.
TO WHOM MAY WE TRANSFER YOUR PERSONAL DATA?
We may transfer your data to:
Our employees and associates who need access to perform obligations or actions for you;
Our partners for events, fairs, and other activities where we use external support.
Like most entrepreneurs, we use the help of other entities, which often involves transferring personal data. We may transfer your data to the following recipients:
Entities providing marketing services, training organization, events;
Entities servicing our IT and telecommunications systems;
Entities conducting payment activities (banks, payment institutions);
Entities conducting credit (banks) or leasing activities;
Postal and courier service providers;
Entities providing advisory, consulting, audit, legal, tax, accounting, or HR services;
Entities preparing photo and video reports from our events.
Additionally, based on appropriate legal provisions or decisions of a competent authority, we may have to transfer data to public or private entities such as the Social Insurance Institution (ZUS), Tax Office, National Revenue Administration, etc.. We analyze every such request carefully to avoid accidental disclosure to unauthorized persons.
DO WE TRANSFER YOUR PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (to third countries)?
Due to cooperation with partners from the United Kingdom and the USA, we transfer your personal data outside the European Economic Area (EEA). We ensure that every transfer complies with applicable regulations and European standards.
Transfer bases:
Standard Contractual Clauses (SCCs): Approved by the European Commission.
Adequacy Decisions: For the UK, we rely on the EC decision stating the UK provides an adequate level of protection.
Other appropriate safeguards: E.g., binding corporate rules when SCCs or adequacy decisions are not possible.
We regularly monitor our partners to ensure they adhere to strict standards. In case of questions, please contact us.
COOPERATION WITH GOOGLE, GOOGLE ANALYTICS, AND MICROSOFT We use services that may require transferring data outside the EEA:
Google & Google Analytics: Data may be transferred to servers in the USA. Google adheres to SCCs and GDPR mechanisms .
Microsoft: We use Azure and Office 365. Microsoft adheres to SCCs and GDPR mechanisms.
HOW LONG MAY WE STORE YOUR PERSONAL DATA?
We process data for the time needed to achieve the designated purpose.
Afterward, data is irreversibly deleted or destroyed. Specific periods:
Contract execution: Duration of the contract + up to 6 years after its termination.
Claims: Up to 10 years for establishing/defending claims.
Offers (no contract concluded): 1 year.
Tax obligations: 5 years (e.g., storing invoices).
Based on Consent: Until withdrawal or achievement of purpose, but not longer than 2 years.
Legitimate Interest/Marketing: Until objection or achievement of purpose, but not longer than 2 years.
Cookies/Website Admin: Until outdated or loss of utility, but not longer than 5 years.
Note: Periods in years are calculated from the end of the year in which processing began to streamline the deletion process. Right to be forgotten: Such situations are reviewed individually.
WHAT RIGHTS DO YOU HAVE?
We inform you that you have the right to:
Right of access: Obtaining information on processing and a copy of the data.
Right to rectification: Correcting erroneous or outdated data.
Right to erasure ("Right to be forgotten"): Deleting data processed without legal grounds.
Right to restriction of processing: Limiting processing to storage only.
Right to data portability: Receiving your data or transferring it to another controller.
Right to object: Objecting to processing (especially for direct marketing).
Right to withdraw consent: At any time. Note: This does not affect processing done before withdrawal.
These rights are not absolute, and we may refuse fulfillment in accordance with the law after careful analysis. Regarding the right to object based on legitimate interest, we may refuse if we demonstrate overriding legitimate grounds or grounds for claims . However, an objection to marketing is always effective immediately. You can exercise your rights by emailing fundacja@econverse.org with the note "RODO".
HOW TO EXERCISE THE RIGHT TO WITHDRAW CONSENT?
You can withdraw consent at any time by emailing fundacja@econverse.org with the note "RODO". Withdrawal does not make prior processing illegal.
YOU HAVE THE RIGHT TO LODGE A COMPLAINT
If you believe your data is processed unlawfully, you can lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw.
FINAL PROVISIONS
Matters not regulated here are governed by the Civil Code, Polish law, and EU law (GDPR). Changes to the policy will be communicated on the website or at the Controller's office. This Privacy Policy is effective from February 16, 2026.