Privacy Policy
This policy explains how personal data is processed on certapoland.com and in connection with our services, and what rights you have. Legal notice and liability terms are published separately at Legal Notice.
I. Data controller
The controller of your personal data is Biuro Rachunkowe Precyzja Sp. z o.o., ul. Twarda 18, 00-105 Warszawa, Poland (KRS 0000854434, NIP 5252832004, REGON 386751000). Certa Poland is a brand of Biuro Rachunkowe Precyzja Sp. z o.o. Contact in data-protection matters: office@certapoland.com.
II. What we process, why, and on what basis
- Assessment requests and enquiries (form, e-mail, phone). Purpose: responding to your enquiry and taking steps at your request before a contract (Art. 6(1)(b) GDPR); maintaining business correspondence and the ability to establish or defend against potential claims and keep a record of business dealings (Art. 6(1)(f) — legitimate interest). Providing this data is voluntary, but necessary for us to respond. How the form works: data submitted through the “Book an assessment” form is transmitted to us as an e-mail message to the controller’s mailbox; this website does not keep it in databases of its own. Standard technical logs of our infrastructure providers may apply (see §III). As of the date of this policy, form data is not entered into any CRM system.
- Service delivery (accounting, payroll, compliance). Basis: contract performance (Art. 6(1)(b)) and the controller’s legal obligations under Polish accounting and tax law (Art. 6(1)(c)). Roles under the GDPR: where our clients (employers) entrust us with personal data of their employees or contractors for payroll and accounting purposes, we act as a processor (Art. 28 GDPR) and the client remains the controller — except where the law imposes obligations directly on us (e.g. AML, our own tax and accounting duties), in which case we act as a controller. Individuals whose data we process in the course of services receive separate information clauses; this policy is the general information layer of the website.
- Anti-money-laundering (AML). Where — at the relevant stage of the relationship — the controller is legally obliged to apply financial-security measures, we verify identity as required by the Polish AML Act. Basis: Art. 6(1)(c). Providing this data is a statutory requirement; without it we cannot provide the services concerned (Art. 41 of the AML Act). AML documentation is retained in secured archives of the controller.
- Analytics. Purpose: understanding how the site is used. Basis: your consent (Art. 6(1)(a)), given via the cookie banner. You may withdraw consent at any time (see §IV and §VI) — withdrawal does not affect the lawfulness of processing before withdrawal. Until you consent, analytics does not run.
III. Recipients and international transfers
- Public bodies (tax offices, ZUS, GUS) — only where the law requires, in the course of service delivery.
- Processors / providers:
  - Cloudflare, Inc. (USA) — website hosting and delivery, e-mail routing, consent & analytics layer (Cloudflare Zaraz);
  - Google Ireland Ltd. (Ireland — service provider for Google Analytics 4 in the EEA) with possible processing by Google LLC (USA) as part of Google’s infrastructure;
  - Zenbox.pl (Poland) — mailbox hosting of the controller.
- Transfers outside the EEA: where a recipient holds an active certification under the EU–US Data Privacy Framework (Commission adequacy decision of 10 July 2023), we rely on the DPF; otherwise we rely on Standard Contractual Clauses together with supplementary measures where required. For the US-based providers above (Cloudflare, Inc. and Google LLC), transfers rely on active DPF certification verified as at the date of this policy, or on Standard Contractual Clauses where certification does not apply; Zenbox.pl processes data in Poland. Certification status is verified as at the date of this policy and periodically.
IV. Cookies
We use a consent-management banner (Cloudflare Zaraz). Categories:
- Necessary (technical) — required for the site and its security to function (served by Cloudflare); stored for the duration of the session or up to 12 months; these cannot be switched off.
- Analytics (Google Analytics 4) — set only after you opt in; cookies of the _ga family, stored up to 24 months; used to produce aggregated usage statistics.
Legal basis for storing/accessing cookies: your consent, as required by the Polish Electronic Communications Law (PKE), except for cookies strictly necessary to provide the service. Refusing consent is as easy as giving it, and you can change your choice at any time via “Cookie settings” available on the site.
V. Retention periods
- Enquiries that do not lead to cooperation: up to 12 months from the end of the exchange; correspondence within a business relationship: up to the limitation period for business-related claims under Polish law (as a rule 3 years, Art. 118 of the Civil Code). You may object at any time (see §VI).
- Accounting and tax records (clients): at least 5 years from the end of the calendar year in which the tax payment deadline expired (Art. 70 §1 and 86 §1 of the Tax Ordinance; Art. 74 of the Accounting Act); this period may be extended where the limitation period is suspended or interrupted.
- AML documentation: 5 years counted from the first day of the year following the end of the business relationship or transaction (Art. 49 of the AML Act), or longer where required in connection with pending proceedings or upon request of the GIIF.
- Analytics: event-level GA4 data up to 14 months; aggregated statistics do not identify you.
V-bis. Data obtained from other sources
In connection with our statutory duties (in particular AML), we may obtain personal data of clients’ representatives and beneficial owners from the client and from public registers (e.g. KRS, CEIDG, CRBR): identification and contact data within the scope required by law. Where the law expressly governs obtaining or disclosing such data, the exemption of Art. 14(5)(c) GDPR may apply.
VI. Your rights
You have the right to: access your data and obtain a copy; rectification; erasure (where no statutory retention duty applies); restriction of processing; objection to processing based on legitimate interest; data portability; and — for processing based on consent — the right to withdraw consent at any time, without affecting processing carried out before withdrawal.
You may lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warszawa. We do not make automated decisions producing legal effects (Art. 22 GDPR).
VII. Contact
Data-protection matters and exercising your rights: office@certapoland.com.
Last updated: 4 July 2026. Polish version: /polityka-prywatnosci/.