Privacy Policy

General provisions

This Privacy Policy defines the rules for the processing of personal data of users using the website available at: https://pulaski.pl/ (hereinafter: “Website”).

The controller of personal data is the Casimir Pulaski Foundation in Warsaw, ul. Oleandrów 6, 00-629 Warsaw, KRS: 0000233247, tel.: 22 378 11 95, email: office@pulaski.pl (hereinafter: “Controller”).

The Controller can be contacted at office@pulaski.pl.

The Controller has appointed a Data Protection Officer, who can be contacted via electronic mail at iod@pulaski.pl.

The Controller exercises special care to protect the privacy of users and to ensure the security of personal data processed in connection with the use of the Website.

Personal data are processed in accordance with applicable legal provisions, in particular:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), referred to as the ePrivacy Directive;

• Act of 12 July 2024 – Electronic Communications Law;

• Act of 10 May 2018 on the Protection of Personal Data;

• Other applicable legal provisions.

We make every effort to provide all possible physical, technical, and organizational measures for the protection of personal data against their accidental or intentional destruction, accidental loss, alteration, unauthorized disclosure, use, or access, in accordance with all applicable legal provisions.

Definitions

For the purposes of this Policy, the following definitions are adopted:

• Controller – Casimir Pulaski Foundation.

• User – means an entity for which services may be provided by electronic means in accordance with the Policy and legal provisions, or with which an Agreement for the provision of services by electronic means may be concluded.

• Customer – a User concluding a sales contract via the Website.

• Personal Data – information about an identified or identifiable natural person, in accordance with Art. 4 point 1 of the GDPR.

Personal data collected on the website

While using the website, we may process users’ personal data, such as the device’s IP.

Personal data are processed by the Controller’s employees and associates based on granted authorizations.

Each person who has been admitted to the processing of personal data has been familiarized with the principles of personal data protection and has committed to maintaining the confidentiality of the shared information.

Personal data may be entrusted to an external entity that supports the Controller in the implementation of processing purposes, including: marketing service, hosting, IT, administrative service, legal service, advisory service.

The Controller uses the services of only professional entities who guarantee the performance of the service at the highest level and ensure the security of the entrusted information.

Through the website, redirection to another website managed by another Controller (social media Facebook) may occur.

The Controller is not responsible for the processing of personal data through other websites.

During each new visit, the user should read the content of the Privacy Policy.

Scope of processed personal data

The Controller may process users’ personal data in the following scope:

Data related to the use of data for statistical, analytical, and reporting purposes:

In the case of using data for statistical, analytical, and reporting purposes, the following personal data may be processed:

• first and last name;

• e-mail address;

• name of employer.
  Providing the above data is voluntary.

Data related to the registration process, invitation, and participation in events organized by the Casimir Pulaski Foundation:

This means in particular:

a) creating a list of participants;

b) conducting registration to enable participation;

c) implementation of the program.

In the case of organizing an event, the following may be processed:

• first and last name;

• e-mail address;

• residence address;

• position;

• employer’s data;

• telephone number;

• image captured during the event.

A customer account enables in particular:

• placing orders;

• access to order history;

• managing user data;

• faster implementation of subsequent orders.

Data within the newsletter:

In the case of signing up for the newsletter, the following is processed: e-mail address.

These data are used exclusively for the purpose of sending marketing information regarding the Controller’s products or services.

Data provided in the contact form:

In the case of using the contact form, the Controller may process: e-mail address, message content.

Data related to recruitment:

In the case of sending a recruitment application, the Controller may process data necessary for its consideration, in particular:

• first and last name;

• e-mail address;

• residence address;

• position;

• employer’s data;

• telephone number;

• professional experience;

• education;

• other data contained in the CV.

Purposes and legal bases for processing

Personal data may be processed for the following purposes:

• Performance of a contract Legal basis: Art. 6(1)(b) of the GDPR. Processing includes, among others: order acceptance, i.e., registration for an event organized by the Controller; implementation of the order/service, i.e., event handling; payment handling; contact with the customer.

• Recruitment Legal basis: Art. 6(1)(a) of the GDPR. Processing includes, among others: analysis of the submitted CV; invitation to a recruitment interview.

• Fulfillment of legal obligations Legal basis: Art. 6(1)(c) of the GDPR. This concerns in particular obligations arising from tax and accounting regulations.

• Pursuing claims Legal basis: Art. 6(1)(f) of the GDPR. The legally justified interest of the Controller consisting in pursuing or defending claims.

• Direct marketing – newsletter Legal basis: Art. 6(1)(a) of the GDPR – user consent; provisions of the ePrivacy Directive 2002/58/EC and the Electronic Communications Law. Sending marketing content through the communication channel indicated by the User (e-mail, SMS, traditional mail, telephone), in accordance with the expressed consent.

• Responses to user inquiries Legal basis: Art. 6(1)(f) of the GDPR. The legally justified interest of the Controller consisting in handling user inquiries.

Recipients of personal data

Personal data may be transferred to entities cooperating with the Controller to the extent necessary for the implementation of services, in particular:

• electronic payment operators;

• courier companies and logistics operators;

• IT and hosting service providers;

• mailing system providers;

• entities providing accounting, legal, or advisory services.
  These entities process personal data on the basis of data processing entrustment agreements.
  The Controller may transfer personal data to public entities or supervisory authorities if such an obligation results from legal provisions.

Transfer of data outside the European Economic Area

In some cases, personal data may be transferred outside the European Economic Area.

In such a case, the Controller ensures an adequate level of data protection by using mechanisms provided for in the GDPR. Data transfer outside the EEA may occur on the basis of exceptions provided for in Art. 49 of the GDPR, provided that the conditions specified in that article apply.

Information on the applied safeguards and the scope of data sent outside the EEA can be obtained by contacting the Controller.

Data retention period

Personal data are stored for the period of:

• implementation of the sales contract;

• required by tax and accounting law provisions;

• until the withdrawal of consent (in the case of the newsletter);

• until the statute of limitations for claims arising from the contract expires.
  Data related to network traffic analysis, collected through cookies and similar technologies, may be stored until the cookie file expires.
  Some cookie files never expire; therefore, the data retention time will be equivalent to the time necessary for the Controller to achieve the purposes related to data collection, as well as to ensure security and analysis of historical data related to website traffic.

Rights of data subjects

The user has the right to:

• Request from the Controller access to your data, as well as receiving a copy of them (Art. 15 GDPR).

• Request from the Controller rectification or correction of data (Art. 16 GDPR), in relation to a request for rectification of data when you notice that the data are incorrect or incomplete.

• Request from the Controller erasure of data (Art. 17 GDPR).

• Request from the Controller restriction of processing (Art. 18 GDPR), e.g., when you notice that the data are incorrect, you may request restriction of processing of your data for a period allowing us to check the correctness of these data.

• Request from the Controller the transfer of data to another Controller (Art. 20 GDPR).

• Object to the processing of data (Art. 21 GDPR) for reasons related to a particular situation against the processing of data for a purpose resulting from the legally justified interests of the Controller – Art. 6(1)(f) of the GDPR.

• Withdraw consent to the processing of personal data at any time, if the processing takes place on the basis of consent (Art. 7(3) GDPR).

• The data subject has the right to lodge a complaint with the supervisory authority – President of the Personal Data Protection Office, in case of considering that the processing of personal data violates the law.
  In order to exercise the rights, you should contact the Data Protection Officer.

Profiling

Personal data of Users will not be processed in an automated manner, including in the form of profiling, i.e., no decisions causing legal effects for a person or significantly affecting them in a similar way will be based solely on automated processing of personal data and are not associated with such an automatically made decision referred to in Art. 22(1) and (4) of the GDPR.

Activity on social portals

The Controller is the owner of accounts on social portals:

• Facebook: https://www.facebook.com/FundacjaPulaskiego/

• Instagram: https://www.instagram.com/pulaskifoundation/

• X: https://x.com/FundPulaskiego

• LinkedIn: https://www.linkedin.com/company/casimir-pulaski-foundation/

The Controller maintains and manages accounts on social services for the purpose of promoting products, services, and its activities.

As part of these activities, it administers the personal data of users of social portals who follow the Controller’s profiles, conduct a dialogue both with the Controller and other users via accounts managed by the Controller.

If the user wants to end the processing of personal data shared via social portals, they should stop following the Controller’s profiles, using the options provided by the portal.

All rights to signs (including logos), copyrights, database rights, and all other intellectual property rights to the content of the website and profiles on social portals belong to the Controller.

It is prohibited to copy, modify, use in any form, or reproduce, in whole or in part, the content of the website for commercial purposes without the prior written consent of the Controller and the author of the text.

The content presented on the website and profiles on social portals is intended to promote the Controller’s activities.

Using the materials for any other purpose is prohibited.

Materials shared on the Controller’s social profiles are its property or have been shared with the consent of the authors of such content.

A user who uses the Controller’s profiles on social accounts declares that the Content placed by them:

• will not be inappropriate. Content is considered inappropriate when: it constitutes plagiarism, is defamatory, offensive, aggressive, untrue, misleading, derogatory, discriminatory, has the character of a threat, harassment, expresses prejudice on racial or sexual grounds;

• contains elements of mockery, is uncultured, offensive, insults, indecent suggestions, swearing;

• contains quotes of other users’ statements taken out of context to create a false or negative impression;

• is indecent, obscene, or has a pornographic character; or

• constitutes a violation of another person’s right to confidentiality or privacy;

• will not be detrimental to any pending legal proceedings of which the user is aware;

• will not contain accusations of lack of decency or personal criticism directed against the Controller’s employees;

• will with high probability not: (i) cause fear, uncertainty, or anxiety to another person, (ii) incite violation of the principles of social coexistence; or (iii) incite aggression or hatred on racial or religious grounds;

• will not violate any copyrights, trademarks, patents, or other intellectual property rights of the Controller or any third party;

• will not be technically harmful (including, in particular, computer viruses, logic bombs, Trojan horses, computer worms, harmful components, corrupted data, or other malicious software, harmful data or actions);

• will not constitute an offer, advertisement, or promotion of any product or service, nor will it contain requests for donations or financial support;

• will not constitute spam or pushy advertising sent by mail;

• will not be aimed at impersonating another person or another false presentation of the user’s identity, their affiliation or position;

• will not present or encourage behaviors that could be considered a crime, lead to civil liability, or are contrary to the law.

A user may place links to other websites and subpages on the Controller’s profile if:

• the content or links to such websites or subpages do not violate any provisions of the Privacy Policy;

• the terms of use of such websites or subpages allow the placement of links to them;

• they are clearly and visibly marked as links;

• the content of the websites or subpages has a clear connection with the Content near which the link is placed; and

• the link does not cause the automatic download of any files.

The Controller reserves that all content inconsistent with the above rules, and primarily comments of the following character:

• defamatory, untrue, and misleading;

• offensive, insulting, or containing threats;

• obscene or of a sexual nature;

• of an aggressive character, racist, sexist, homophobic, or discriminating against any religion or other groups of people;
  Will be immediately deleted.
  Without the explicit consent of the Controller, the User is not entitled to re-post any Content or other materials or applications that were previously removed.

Server logs and technical data

During the use of the Service, technical information may be automatically saved, in particular:

• IP address;

• date and time of the visit;

• web browser type;

• operating system;

• URL address of the referring page.
  These data are used for administrative and statistical purposes.

Data security

The Controller applies appropriate technical and organizational measures ensuring the protection of personal data, in particular:

• encryption of data transmission (SSL);

• access control to data;

• security of IT systems;

• information security management procedures.

Cookies

This Policy defines the rules for the use of cookies by the online store available at https://pulaski.pl/ (hereinafter: “Store”).

Cookies are small text files saved on the User’s terminal device (computer, smartphone, tablet) during the use of the website.

What types of cookies are used in the Store

The following types of cookies are used on the website:

• Necessary technical cookies – enable the correct functioning of the store, including maintaining the user session, basket handling, and securing forms.

• Analytical cookies (Shoper) – serve to collect anonymous information about the way the store is used (e.g., number of visits, pages viewed, time of visit), in order to improve it.

• Functional cookies – enable remembering user preferences, such as recently viewed products.

• Third-party cookies (Facebook) – may be saved after the user moves to social media services.

Necessary cookies (technical)

These are files necessary for the proper functioning of the Store.

What they include: user session identifier, cookie consent record, security (e.g., form protection).

What they are for: maintaining the user session, ensuring security (e.g., protection against abuse), remembering cookie consents.

Without these files, the store cannot function properly – e.g., it would not be possible to add a product to the basket or place an order.

These cookies are used without the user’s consent (basis: legitimate interest / necessity of the service).

Analytical cookies (statistical)

Analytical cookies of the Website software provider are used on the website.

What they are for: collecting anonymous information about the way the website is used (e.g., subpages visited, time of stay), analysis of clicks and user behavior, creating statistics.

These data are used to improve the Website and optimize the displayed information. These cookies are voluntary – they require user’s consent.

Functional cookies

What they are for: they remember: recently viewed pages, user preferences (e.g., language, settings), improving the convenience of using the website.

These cookies are voluntary – they require user’s consent.

Marketing cookies (if they occur)

They can be used for: matching advertisements to the user, measuring the effectiveness of marketing campaigns.

These cookies are voluntary – they require user’s consent.

Social media cookies (indirect)

What happens: the page contains a link to Facebook; after clicking, the user goes to the Meta service. Cookies are already set by Facebook (after transition). They are not active on the website without interaction.

Division of cookies by retention time

• session cookies – deleted after closing the browser;

• persistent cookies – stored until they are deleted or expire.

Management of cookie files

The User may manage cookie settings at any time:

a) From the level of the cookie banner: acceptance of all cookies, rejection of optional cookies, selection of cookie categories.

b) From the level of the browser: you can delete saved cookies, block saving cookies, set notifications about their saving.

Example paths:

• Chrome: Settings → Privacy and security → Cookies

• Firefox: Settings → Privacy and security

• Edge: Settings → Cookies and site permissions
  Changing settings may affect the functioning of the website (e.g., lack of basket or login).

How to delete cookies

Chrome: Settings → Privacy → Clear browsing data

Firefox: Settings → Privacy → Cookies and site data

Edge: Settings → Cookies and site permissions

As a rule, cookies themselves do not contain personal data, but they can be linked to other information and then they can be treated as personal data.

Final provisions

The Controller reserves the right to occasionally restrict access to some parts of the Website in connection with maintenance work or website updates.

The Privacy Policy enters into force on the day of approval, 13 April 2026.

In matters not regulated in the Privacy Policy, concerning its subject, and in the case of inconsistency of any part of the Privacy Policy with applicable law, instead of the challenged provision of the Policy, the relevant provisions of Polish law apply, in particular:

• Act of 23 April 1964 – Civil Code;

• Act of 30 May 2014 on Consumer Rights;

• ePrivacy Directive;

• Act of 12 July 2024 – Electronic Communications Law;

• Act of 10 May 2018 on the Protection of Personal Data;

• GDPR.