Privacy Policy

General Provisions

This Privacy Policy sets out the rules for the processing of personal data of users of the website available at: https://pulaski.pl/ (hereinafter: “the Website”).

The controller of personal data is the Kazimierz Pułaski Foundation in Warsaw, ul. Oleandrów 6, 00-629 Warsaw, KRS: 0000233247, tel.: 22 378 11 95, email: office@pulaski.pl (hereinafter: “Controller”).

The Controller can be contacted atoffice@pulaski.pl .

The Controller has appointed a Data Protection Officer, who can be contacted by email atiod@pulaski.pl .

The Controller takes particular care to protect users’ privacy and ensure the security of personal data processed in connection with the use of the Website. Personal data is processed in accordance with applicable law, in particular:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”
• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, hereinafter referred to as the ePrivacy Directive)
• Act of 12 July 2024 – Electronic Communications Act
• The Act of 10 May 2018 on the protection of personal data
• other applicable legal provisions.

We make every effort to ensure all possible physical, technical and organisational measures to protect personal data against accidental or intentional destruction, accidental loss, alteration, unauthorised disclosure, use or access, in accordance with all applicable legal provisions.

Definitions

For the purposes of this Policy, the following definitions apply:

Controller – The Casimir Pulaski Foundation.

User – means an entity to whom, in accordance with the Policy and the law, services may be provided electronically or with whom an Agreement for the provision of electronic services may be concluded.

Customer – a User entering into a sales contract via the Website.

Personal data – information relating to an identified or identifiable natural person, in accordance with Article 4(1) of the GDPR.

Personal data collected on the website

1. When using the website, we may process users’ personal data, such as the device’s IP address.
2. Personal data is processed by the Controller’s employees and associates on the basis of the authorisations granted. Every person authorised to process personal data has been made aware of the principles of personal data protection and has undertaken to keep the information provided confidential.
3. Personal data may be entrusted to an external entity that supports the Controller in achieving the purposes of processing, including marketing, hosting, IT, administrative, legal and advisory services.
4. The Controller uses only the services of professional entities that guarantee the highest standard of service and ensure the security of the information entrusted to them.
5. The website may redirect you to another website managed by a different Controller (Facebook social media). The Controller is not responsible for the processing of personal data by other websites. On each new visit, the user should familiarise themselves with the content of the Privacy Policy.

Scope of personal data processed

The Controller may process users’ personal data within the following scope.

Data relating to the use of data for statistical, analytical and reporting purposes

In the case of data being used for statistical, analytical and reporting purposes

the following personal data may be processed:

• first name and surname
• email address
• employer’s name.

Providing the above data is voluntary.

Data related to the registration process, invitations and participation in events organised by the Casimir Pulaski Foundation

This means, in particular:

a) compiling a list of participants;

b) carrying out registration to enable participation;

c) implementation of the programme.

In the case of organising an event, the following may be processed:

• first name and surname
• email address
• home address,
• job title,
• employer details,
• telephone number,
• image captured during the event.

A customer account allows you, in particular, to:

• placing orders,
• access to order history,
• managing user data,
• faster processing of subsequent orders.

Data in the newsletter

When you subscribe to the newsletter, the following data is processed:

• your email address.

This data is used solely for the purpose of sending marketing information regarding the Controller’s products or services.

Data provided via the contact form

If you use the contact form, the Controller may process:

• your email address,
• message content.

Recruitment-related data

If you submit a recruitment application, the Controller may process the data necessary to consider it, in particular:

• first name and surname
• email address
• home address,
• position,
• employer details,
• telephone number,
• work experience,
• education,
• other information contained in the CV.

Purposes and legal basis for data processing

Personal data may be processed for the following purposes:

1. Performance of a contract Legal basis: Article 6(1)(b) of the GDPR

Processing includes, among other things:

• acceptance of an order, i.e. registration for an event organised by the Controller,
• fulfilment of the order/service, i.e. event management,
• processing payments,
• contacting the customer.

2. Recruitment

Legal basis: Article 6(1)(a) of the GDPR

Processing includes, among other things:

• Analysis of the CV submitted,
• Invitation to a job interview

3. Fulfilment of legal obligations

Legal basis: Article 6(1)(c) of the GDPR.

This applies in particular to obligations arising from tax and accounting regulations.

4. Pursuit of claims

Legal basis: Article 6(1)(f) of the GDPR

The Controller’s legitimate interest in pursuing or defending claims.

5. Direct marketing – newsletter

Legal basis: Article 6(1)(a) of the GDPR – user consent, provisions
ePrivacy Directive 2002/58/EC and the Electronic Communications Act.

Sending marketing content via the communication channel specified by the User (email, SMS, post, telephone), in accordance with the consent given.

6. Responses to user enquiries

Legal basis: Article 6(1)(f) of the GDPR

The Controller’s legitimate interest in handling user enquiries.

Recipients of personal data

Personal data may be transferred to entities cooperating with the Controller to the extent necessary for the provision of services, in particular:

• electronic payment operators,
• courier companies and logistics operators,
• IT and hosting service providers,
• mailing system providers,
• entities providing accounting, legal or advisory services.

These entities process personal data on the basis of data processing agreements.

The controller may transfer personal data to public bodies or supervisory authorities if such an obligation arises from legal provisions.

Transfer of data outside the European Economic Area

In certain cases, personal data may be transferred outside the European Economic Area. In such cases, the Controller ensures an adequate level of data protection by applying the mechanisms provided for in the GDPR. Data transfers outside the EEA may take place on the basis of the exceptions provided for in Article 49 of the GDPR, provided that the conditions set out in that article apply. Information regarding the safeguards applied and the scope of data transferred outside the EEA can be obtained by contacting the Controller.

Data retention period

Personal data is retained for the period:

• the performance of the sales contract,
• required by tax and accounting legislation,
• until consent is withdrawn (in the case of the newsletter),
• until the limitation period for claims arising from the contract expires.

Data relating to web traffic analysis, collected via cookies and similar technologies, may be stored until the cookie expires. Some cookies never expire; therefore, the data retention period will be equivalent to the time necessary for the Controller to fulfil the purposes related to data collection, as well as to ensure security and analyse historical data relating to website traffic.

Rights of data subjects

1. You have the right to:
   1. Request access to your data from the Controller, as well as receive a copy of it (Article 15 of the GDPR).
   2. To request that the Controller rectify or correct your data (Article 16 of the GDPR), in relation to a request for rectification, should you notice that the data is incorrect or incomplete.
   3. To request that the Controller erases your data (Article 17 of the GDPR).
   4. Request that the Controller restrict processing (Article 18 of the GDPR), e.g. if you notice that the data is incorrect, you may request that the processing of your data be restricted for a period allowing us to verify the accuracy of that data.
   5. Request that the Controller transfer the data to another Controller (Article 20 of the GDPR).
   6. To object to the processing of data (Article 21 of the GDPR) on grounds relating to your particular situation where the data is being processed for purposes based on the Controller’s legitimate interests – Article 6(1)(f) of the GDPR.
   7. To withdraw consent to the processing of personal data at any time, if the processing is based on consent (Article 7(3) of the GDPR).

The data subject has the right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office – if they consider that the processing of personal data infringes the law.

To exercise these rights, please contact the Data Protection Officer.

Profiling

Users’ personal data will not be processed by automated means, including profiling, i.e. no decisions producing legal effects concerning a person or similarly significantly affecting them will be based solely on the automated processing of personal data and will not involve such an automated decision as referred to in Article 22(1) and (4) of the GDPR.

Activity on social media platforms

1. The Controller is the owner of an account on the social media platform:
   1. Facebook: https://www.facebook.com/FundacjaPulaskiego/
   2. Instagram: https://www.instagram.com/pulaskifoundation/
   3. X: https://x.com/FundPulaskiego
   4. LinkedIn: https://www.linkedin.com/company/casimir-pulaski-foundation/
2. The Controller maintains and manages accounts on social media platforms for the purpose of promoting its products, services and business activities. As part of these activities, it processes the personal data of social media users who follow the Controller’s profiles and engage in dialogue with both the Controller and other users via accounts managed by the Controller.
3. If a user wishes to stop the processing of personal data shared via social media platforms, they should stop following the Administrator’s profiles using the options provided by the platform.
4. All rights to trademarks (including logos), copyright, database rights and all other intellectual property rights to the content of the website and social media profiles belong to the Administrator.
5. It is prohibited to copy, modify, use in any form, or reproduce, in whole or in part, the content of the website for commercial purposes without the prior written consent of the Administrator and the author of the text.
6. The content presented on the website and social media profiles is intended to promote the Administrator’s activities. Use of the materials for any other purpose is prohibited.
7. The materials made available on the Administrator’s social media profiles are the Administrator’s property or have been made available with the consent of the authors of such content.
8. A user who uses the Administrator’s social media profiles declares that the Content they post:
   1. will not be inappropriate. Content is considered inappropriate if:
      1. it constitutes plagiarism, is defamatory, offensive, abusive, untrue, misleading, derogatory, discriminatory, constitutes a threat or harassment, or expresses racial or sexual prejudice;
      2. contains elements that are mocking, uncivil, offensive, abusive, obscene, or profane;
      3. contains quotes from other users taken out of context to create a false or negative impression;
      4. is indecent, obscene or pornographic; or
      5. constitutes a breach of another person’s right to confidentiality or privacy;
   2. shall not prejudice any ongoing legal proceedings of which the user is aware;
   3. shall not contain accusations of indecency or personal criticism directed against the Administrator’s staff;
   4. are highly unlikely to: (i) cause fear, uncertainty or anxiety to another person; (ii) incite a breach of the rules of social coexistence; or (iii) incite aggression or hatred on racial or religious grounds;
   5. shall not infringe any copyright, trademark, patent or other intellectual property rights of the Administrator or any third party;
   6. shall not be technically harmful (including, in particular, computer viruses, logic bombs, Trojan horses, computer worms, harmful components, corrupted data or other malicious software, harmful data or activities);
   7. shall not constitute an offer, advertisement or promotion of any product or service, nor shall they contain requests for donations or financial support;
   8. shall not constitute spam or unsolicited advertising sent by email;
   9. shall not be intended to impersonate another person or otherwise misrepresent the user’s identity, affiliation or position;
   10. shall not present or encourage behaviour that could be considered a criminal offence, give rise to civil liability or be contrary to the law.
9. The User may post links to other websites and web pages on the Administrator’s profile provided that:
   1. the content or links to such websites or web pages do not breach any provisions of the Privacy Policy;
   2. the terms and conditions of use for such websites or web pages permit the posting of links to them;
   3. they are clearly and visibly marked as links;
   4. the content of the websites or web pages is clearly related to the Content alongside which the link is placed; and
   5. the link does not cause any files to be downloaded automatically.
10. The Administrator reserves the right to remove any content that does not comply with the above rules, and in particular comments that are:
    1. defamatory, untrue or misleading;
    2. offensive, insulting or threatening;
    3. obscene or of a sexual nature;
    4. harassing, racist, sexist, homophobic or discriminatory towards any religion or other groups of people.

Such content will be deleted immediately.

11. Without the Administrator’s express consent, the User is not authorised to repost any Content or other materials or applications that have previously been removed.

Server logs and technical data

When using the Website, technical information may be automatically recorded, in particular:

• IP address,
• date and time of visit,
• web browser type,
• operating system,
• referrer URL.

This data is used for administrative and statistical purposes.

Data security

The controller employs appropriate technical and organisational measures to ensure the protection of personal data, in particular:

• data transmission encryption (SSL),
• data access control,
• IT system security measures,
• information security management procedures.

Cookies

This Policy sets out the rules for the use of cookies by the online shop available at https://pulaski.pl/ (hereinafter: “the Shop”).

Cookies are small text files stored on the User’s device (computer, smartphone, tablet) when using the website.

What cookies are used on the Shop

The following types of cookies are used on the website:

Essential technical cookies – these enable the Shop to function properly, including maintaining the user’s session, managing the shopping basket and securing forms.

Analytical cookies (Shoper) – used to collect anonymous information about how the shop is used (e.g. number of visits, pages viewed, duration of visit), in order to improve it.

Functional cookies – these enable the store to remember user preferences, such as recently viewed products.

Third-party cookies (Facebook) – may be stored when the user visits social media sites.

Essential (technical) cookies

These are files necessary for the Shop to function properly.

What they include:

• user session ID
• cookie consent record
• security (e.g. form protection)

What they are used for:

• maintaining the user’s session,
• ensuring security (e.g. protection against misuse),
• storing cookie consent.

Without these files, the shop cannot function properly – for example, it would not be possible to add a product to the basket or place an order. These cookies are used without the user’s consent (basis: legitimate interest / necessity of the service).

Analytical (statistical) cookies

The website uses analytical cookies provided by the website’s software provider.

What they are used for:

• collecting anonymous information about how the website is used (e.g. pages visited, time spent on the site),
• analysing clicks and user behaviour,
• compiling statistics.

This data is used to improve the website and optimise the information displayed. These cookies are optional – they require the user’s consent.

Functional cookies

What they are used for:

• They remember:
  • recently viewed pages
  • user preferences (e.g. language, settings),
• improving the user experience.

These cookies are optional – they require the user’s consent.

Marketing cookies (if present)

May be used to:

• tailoring adverts to the user,
• measuring the effectiveness of marketing campaigns.

These cookies are optional – they require the user’s consent.

Social media cookies (third-party)

What happens:

• the page contains a link to Facebook
• after clicking, the user is redirected to the Meta website

Cookies are set by Facebook (after the redirect). They are not active on the website without interaction

Classification of cookies by storage duration

• session cookies – deleted when the browser is closed
• Persistent cookies – stored until they are deleted or expire

Managing cookies

You can manage your cookie settings at any time:

a) From the cookie banner

• accept all cookies,
• reject optional cookies,
• select cookie categories.

b) From your browser

You can:

• delete stored cookies,
• block the storage of cookies,
• set notifications for when they are saved.

Example paths:

• Chrome: Settings → Privacy and security → Cookies
• Firefox: Settings → Privacy & Security
• Edge: Settings → Cookies and site permissions

Changing these settings may affect how the website works (e.g. the shopping basket or login may not work).

How to delete cookies

Chrome:

Settings → Privacy → Clear browsing data

Firefox:

Settings → Privacy → Cookies and site data

Edge:

Settings → Cookies and site permissions

Cookies themselves do not, as a rule, contain personal data, but they may be linked to other information and may then be treated as personal data.

Final provisions

1. The Controller reserves the right to occasionally restrict access to certain parts of the Website in connection with maintenance work or updates to the Website.
2. This Privacy Policy comes into effect on the date of approval, 13 April 2026.
3. In matters not covered by the Privacy Policy but relating to its subject matter, and in the event of any part of the Privacy Policy being inconsistent with applicable law, the relevant provisions of Polish law shall apply in place of the disputed provision of the Policy, in particular:
   1. the Act of 23 April 1964 – Civil Code,
   2. the Act of 30 May 2014 on consumer rights
   3. the ePrivacy Directive,
   4. the Act of 12 July 2024 – Electronic Communications Law,
   5. the Act of 10 May 2018 on the protection of personal data
   6. GDPR.