Privacy Policy – Sellhorn Polska Sp. z o.o.

Privacy Policy – Sellhorn Polska Sp. z o.o.

§1. General provisions

  1. This Privacy Policy sets out the rules for the processing of personal data of users of the website operated by Sellhorn Polska Sp. z o.o. with its registered office in Szczecin. The document explains how and to what extent user data is collected, for what purposes it is processed, what rights data subjects have, and what security measures are used to protect the data.
  2. The Privacy Policy aims to ensure transparency of processes related to the processing of personal data and the fulfillment of obligations under Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“GDPR”), the Personal Data Protection Act, and regulations on the provision of electronic services.
  3. The administrator of the personal data of users of the website is Sellhorn Polska Sp. z o.o., acting as a separate, independent data administrator, independent of Sellhorn Ingenieurgesellschaft mbH based in Hamburg (Germany).
  4. You can use the website without providing any personal data, except in situations where you voluntarily decide to use features that require such data (e.g., a contact form, if available on the website).
  5. In matters not covered by this Policy, the provisions of the GDPR, the Act on the provision of electronic services, and the Telecommunications Law shall apply.
  6. Definitions used in this Policy (optional):
    • GDPR – Regulation 2016/679 on the protection of personal data.
    • Data controller – Sellhorn Polska Sp. z o.o.
    • Website – website operated by the Data Controller.
    • User – natural person using the Website.
    • Personal data – information about an identified or identifiable person.

§2. Administrator data

  1. The administrator of personal data of users of the Website is Sellhorn Polska Spółka z ograniczoną odpowiedzialnością with its registered office in Szczecin, at the following address:
 ul. Szeroka 56B, 71-211 Szczecin,
 wpisana do Rejestru Przedsiębiorców KRS,
 NIP: 852 270 93 74,
 REGON: 529139530.
  2. The Administrator can be contacted in matters relating to the processing of personal data, in particular via:
    • email address: info@sellhorn.pl,
    • mailing address: Sellhorn Polska Sp. z o.o., ul. Szeroka 56B, 71-211 Szczecin.
  3. Sellhorn Polska Sp. z o.o. acts as an independent administrator of personal data, separate from Sellhorn Ingenieurgesellschaft mbH based in Hamburg (Germany).
 The data of Website users is not automatically transferred to other entities within the Sellhorn Group, unless this results from separate arrangements or the express consent of the user.
  4. The Administrator has not appointed a Data Protection Officer, and in matters relating to personal data protection, please contact the Administrator directly using the contact details provided above.

§ 3. Scope of data processed on the Website

  1. Use of the Website does not require the User to provide any personal data. The Website does not contain a contact form or any other functionality enabling direct transfer of personal data to the Administrator.

3.1. Data collected automatically

  1. In connection with the use of the Website, the Administrator may process technical data collected automatically by ICT systems, such as:
    • the IP address of the User’s device,
    • the type and version of the web browser,
    • device type and operating system,
    • language settings,
    • unique device or browser identifiers,
    • information about how the Website is used (so-called usage data),
    • statistical data generated by analytical tools (e.g., Google Analytics, Matomo),
    • cookies and similar technologies – in accordance with a separate Cookie Policy.
  2. The data referred to above is anonymous and, as a rule, does not allow for the identification of a specific User. However, it may be considered personal data if, in conjunction with other information, it allows for the identification of a natural person.

3.2. Data provided voluntarily by the User

  1. As of the date of this Policy, the User is not able to voluntarily provide their personal data via the Website (e.g. through the contact form, registration, sending documents, subscribing to the newsletter, etc.).
  2. If functionalities enabling the transfer of personal data are implemented in the future, the Administrator will supplement this Policy with relevant information, including the scope of data, purposes, and legal basis for its processing.

§ 4. Purposes and legal basis for data processing

  1. The Administrator processes personal data only to the extent necessary to ensure the proper functioning of the Website, as well as – in the cases specified below – in connection with the User’s voluntary communication with the Administrator. The purposes and grounds for processing depend on the category of data.

4.1. Contact via email

  1. The Website does not provide a contact form, but the User may contact the Administrator using the email address provided on the Website.
  2. The data provided in the email (e.g., first name, last name, email address, phone number, other information provided voluntarily) is processed for the purpose of:
    • correspondence,
    • responding to inquiries,
    • resolving reported issues.
  3. The legal basis for data processing in the context of correspondence is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in communicating with persons interested in its activities.

4.2. Statistics and analytics

  1. The administrator may process technical data generated automatically by analytical tools in order to analyze traffic on the Website, improve its functioning, ensure ICT security, and compile viewing statistics.
  2. The legal basis for data processing for analytical purposes is the User’s consent (Article 6(1)(a) of the GDPR), expressed through a cookie banner or browser settings.
 If consent is refused, the tools operate in a limited mode, in accordance with the Google Consent Mode v2 mechanism.

4.3. Cookies and similar technologies

  1. The Website uses cookies and similar technologies to:
    • ensuring the proper functioning of the Website,
    • adjusting the Website settings,
    • conducting statistical analyses,
    • supporting external tools (e.g., maps, videos, analytics). 

Detailed information can be found in a separate Cookie Policy.

  2. The legal basis for data processing in relation to cookies is:
    • the User’s consent (Article 6(1)(a) of the GDPR) – for analytical, marketing, and functional cookies,
    • the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) – for cookies necessary to ensure the proper functioning of the Website.

4.4. Recruitment (if launched in the future)

  1. If functions enabling the submission of application documents or candidate data are implemented, the Administrator will process personal data for the purpose of evaluating the application and conducting the recruitment process.
  2. The legal basis for processing candidates’ data will be:
  • necessity to take action prior to entering into a contract (Article 6(1)(b) of the GDPR),
  • consent (Article 6(1)(a) of the GDPR) – with regard to participation in future recruitment processes or the transfer of data not required by the Labor Code.
  1. Detailed information regarding the processing of candidates’ data will be provided when the recruitment functions are launched on the Website.

4.5. Correspondence exchange and B2B relations

  1. In the case of contact between company representatives and contractors via email, telephone, or other means, the Administrator may process company data and contact person identification data solely for the purpose of:
  • conducting business communication,
  • preparing offers,
  • implementing cooperation.
  1. The legal basis for such processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in maintaining business relations and conducting correspondence related to business activities.

§ 5. Data recipients

  1. In connection with the use of the Website, Users’ personal data may be transferred only to entities cooperating with the Administrator to the extent necessary to ensure the proper functioning of the Website, its security, and technical support. Data is never transferred for commercial or marketing purposes without the User’s consent.
  2. The recipients of the data may include, in particular:
a) entities providing IT services to the Administrator, including entities responsible for the maintenance and technical support of the Website;
b) the hosting provider whose servers host the Website and systems processing technical data;
c) providers of analytical tools, such as Google Ireland Ltd. (Google Analytics), Matomo, or Microsoft Clarity – only in the scope of technical and statistical data, on the terms specified in the Cookie Policy;
d) providers of services enabling the functioning of additional components of the Website (e.g., maps, videos, integrations), if implemented in the future;
e) law firms, advisors, auditors – only in situations where access to data is necessary to protect the rights of the Administrator or a legal obligation (e.g., handling correspondence, disputes, inspections);
f) public authorities – only to the extent and on the basis of applicable law;
g) companies from the Sellhorn Group, only if there is an actual and justified flow of data related to the performance of a specific task or User inquiry (which is not the case as of the date of this Policy).
  3. The Administrator does not transfer, sell, or disclose data to unauthorized persons or entities. All entities processing data on behalf of the Administrator operate on the basis of relevant data processing agreements in accordance with Article 28 of the GDPR.

§ 6. Transfer of data outside the European Economic Area (EEA)

  1. As a rule, Users’ personal data is not transferred outside the European Economic Area (EEA). The Administrator uses services and technical solutions that have their registered office, infrastructure, or subsidiaries within the EEA, and data processing takes place within the European Economic Area.
  2. Any transfer of data outside the EEA may only take place if:
    • The user voluntarily consents to the use of cookies or analytical/marketing tools operated by entities outside the EEA.
    • The Administrator will activate a tool that enables data transfer outside the EEA (e.g., Google Analytics, Google Tag Manager, Microsoft Clarity).
  3. When using tools provided by Google LLC, Microsoft Corporation, or other entities based in the United States, data transfers may take place on the basis of:
a. Data Privacy Framework (DPF) – if the provider is certified under a program approved by the European Commission,
b. Standard Contractual Clauses (SCC) – approved by the European Commission, together with additional safeguards ensuring an adequate level of data protection.
  4. Data transfer outside the EEA takes place only to the extent necessary to achieve a specific purpose (e.g., analytics) and in compliance with the mechanisms provided for in the GDPR, ensuring an adequate level of personal data protection.
  5. The administrator does not transfer data to third countries in an uncontrolled, unauthorized manner or without an appropriate legal basis.
  6. Information on specific tools that may cause data to be transferred outside the EEA can be found in a separate Cookie Policy.

§ 7. Data retention period

  1. Personal data is stored by the Administrator only for the period necessary to achieve the purposes for which it was collected, and then for the time required by law or to secure claims. The Administrator applies the principle of data minimization, limiting data storage to the minimum necessary.
  2. As of the date of this Policy, the Website does not allow Users to enter personal data using forms or to send documents. The following storage periods apply to both data currently being processed and data that may be processed in the future in connection with the planned development of the Website’s functionality.

7.1. Data from contact forms (planned feature)

  1. When the contact form is activated, the data voluntarily provided by the User will be stored for the following period:
    • from 6 to 12 months after the end of correspondence, unless the nature of the case or further communication justifies longer storage (e.g., preparation of an offer, further negotiations).

7.2. Statistical data and data from analytical tools

  1. Technical and statistical data processed by analytical tools (e.g., Google Analytics, Matomo) are stored in accordance with the settings of these tools:
    • usually up to 26 months, unless the User withdraws their consent or deletes cookies using their browser settings or consent management panel.

7.3. Recruitment data (planned feature)

  1. If recruitment features enabling the submission of application documents are made available on the Website, candidates’ data will be stored for the following period:
    • 3 months – in the case of recruitment completed without accepting a candidate,
    • 6 or 12 months – when the candidate gives additional, voluntary consent to participate in future recruitment processes,
    • longer only if required by law or obligations related to the recruitment process.

7.4. Technical data and server logs

  1. Technical data, including server logs, is stored for a period of:
    • from 30 to 90 days, unless longer storage is necessary to ensure security, detect fraud, conduct technical analysis, or pursue the legitimate interests of the Administrator.

7.5. Data processed on the basis of consent

  1. Data processed on the basis of consent (in particular data from cookies, analyses, marketing) will be stored until the following points in time:
    • Revocation of consent by the user,
    • expiration of the period specified in the tool settings,
    • or expiry of the processing purpose.

7.6. Data processed in the context of email correspondence

  1. Data provided to the Administrator via email is stored for the following period:
    • up to 12 months after the end of correspondence, unless the nature of the case or legal regulations require longer storage (e.g., business matters, claims investigation).

§ 8. Cookies and similar technologies

  1. The Website may use cookies and other similar technologies to ensure its proper functioning, improve the quality of use of the Website, conduct statistical analyses, and support external tools (e.g., maps, video materials, interactive elements).
  2. Cookies may be installed both by the Administrator (so-called own cookies) and by third parties whose services are used by the Website (e.g., providers of analytical tools or multimedia components).
  3. Depending on the Website settings and the User’s consent, the following categories of cookies may be used:
    1. essential cookies – enabling the Website to function properly;
    2. analytical/statistical cookies – used to analyze traffic and how the Website is used;
    3. functional cookies – enabling the User’s preferences to be remembered;
    4. marketing cookies – used when advertising or remarketing tools are activated.
  4. The website may use analytical or marketing tools provided by external suppliers (e.g., Google, Microsoft, Matomo, or other tools), but their use is based solely on the User’s consent, expressed through the appropriate settings in the cookie banner or consent management panel (CMP).
  5. Consent management for the installation of cookies is carried out using a cookie banner displayed during the first visit, in accordance with the requirements of the GDPR and the Google Consent Mode v2 mechanism. The user can accept specific categories of cookies, refuse their installation, or adjust their preferences.
  6. You can change your cookie settings at any time using the functions available in your web browser or through the consent management panel on the Website. Instructions on how to delete and block cookies can be found in a separate Cookie Policy.
  7. Detailed information on how cookies work, their types, storage time, consent management mechanism, and third-party providers can be found in a separate document—the Cookie Policy—available on the Website.

§ 9. User Rights

  1. Users whose personal data is processed by the Administrator have rights under the provisions of the GDPR. The Administrator ensures that these rights are exercised in accordance with applicable regulations and with respect for data security principles.

9.1. Right of access to data (Article 15 of the GDPR)


The user has the right to obtain confirmation from the Administrator as to whether their personal data is being processed and, if so, access to that data and information about how it is being processed.


9.2. Right to rectification (Article 16 of the GDPR)


The user has the right to request the correction of personal data that is incorrect, as well as the completion of incomplete data.


9.3. Right to erasure (Article 17 of the GDPR)


The user may request the deletion of their data (“right to be forgotten”) in situations specified in the GDPR, in particular when:

  • the data is no longer necessary for the purposes for which it was collected,
  • the user has withdrawn their consent,
  • the data is being processed unlawfully.

9.4. Right to restriction of processing (Article 18 of the GDPR)


The user may request restriction of data processing in cases provided for in the GDPR, e.g. for the duration of the examination of an objection or verification of the accuracy of the data.


9.5. Right to data portability (Article 20 of the GDPR)


To the extent that processing is based on consent or for the performance of a contract and is carried out by automated means, the User has the right to receive the data in a structured format and to transmit it to another controller.


9.6. Right to object to data processing (Article 21 of the GDPR)


The user has the right to object to data processing based on the legitimate interest of the Administrator, including profiling, if there are special circumstances justifying the objection.


9.7. Right to withdraw consent (Article 7(3) of the GDPR)


If processing is based on the User’s consent (e.g., consent to analytical or marketing cookies), the User may withdraw their consent at any time without affecting the lawfulness of processing prior to withdrawal.

Withdrawal of consent regarding cookies is possible through the consent management panel or browser settings.


9.8. Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR)


The user has the right to lodge a complaint with the supervisory authority if they believe that their data is being processed in violation of the regulations. In Poland, the supervisory authority is:
Prezes Urzędu Ochrony Danych Osobowych
 ul. Stawki 2, 00-193 Warszawa
 www.uodo.gov.pl


9.9. Exercising rights

  1. In order to exercise their rights, Users may contact the Administrator via email at info@sellhorn.pl or in writing to the Administrator’s registered office address.
  2. The Administrator shall respond to the request within 30 days, in accordance with Article 12 of the GDPR.
  3. In case of doubt as to the identity of the person submitting the request, the Administrator may ask for additional information necessary for verification.

§ 10. Data security

  1. The administrator takes appropriate technical and organizational measures to ensure the security of the personal data being processed and to protect it from unauthorized access, loss, destruction, or modification. These measures are tailored to the type of data being processed and the risk of violating the rights and freedoms of the data subjects.
  2. The security measures applied include, in particular:
    1. use of secure SSL/TLS connection encryption protocol,
    2. security measures for servers and hosting on which the Website is maintained,
    3. access control and the use of multi-factor authentication (MFA) for company email and tools used to operate the Website,
    4. regular updates of systems, software, and website components,
    5. the use of organizational measures to ensure data confidentiality and integrity.
  3. The controller applies the principle of data minimisation – only those data that are necessary to achieve a specific purpose are processed, and only for the shortest possible period.
 Electronic correspondence conducted via email is protected by appropriate server security measures, encryption protocols, and organisational safeguards that prevent unauthorised access.

§ 11.Information on the voluntary provision of data

  1. Using the Website does not require providing personal data, and any data supplied to the Controller (e.g., via email) is provided voluntarily and solely at the User’s initiative.
  2. Technical data collected automatically during a visit to the Website (e.g., IP address, device information, statistical data) are gathered to ensure the proper functioning of the Website, and their processing is based on the Controller’s legitimate interest or the User’s consent expressed through the consent-management panel (with respect to analytical and marketing cookies).
  3. If, in the future, features enabling the submission of personal data are made available (e.g., a contact or recruitment form), the provision of such data will be:
    • voluntary, but necessary for the achievement of a given purpose (e.g., providing a response to an inquiry or reviewing a recruitment submission),
    • subject to separate information clauses presented at the time the data are provided.

§ 12. Final provisions

  1. This Privacy Policy is effective as of 01.12.2025.
  2. The Controller reserves the right to make changes to the Privacy Policy, in particular in the event of:
    • the launch of new Website functionalities,
    • changes in legal regulations,
    • decisions of supervisory authorities,
    • implementation of new technologies or analytical tools.
  3. Information about changes to the Privacy Policy will be published on the Website along with the current version of the document. Using the Website after the changes take effect constitutes acceptance of the new version of the Policy.
  4. Matters not regulated by this Policy are governed by the provisions of the GDPR, the Personal Data Protection Act, and regulations concerning the provision of electronic services.

Scroll to Top