Privacy Policy

§1 Company details

The controller of personal data processed in connection with the use of the Certiget online service, available at www.certiget.pl and www.certiget.eu, is Certiget sp. z o.o., with its registered office in Warsaw (02-972) at ul. Sarmacka 20a/14, entered in the Register of Entrepreneurs of the National Court Register under KRS number 0001060298, NIP 9512578741 (hereinafter: “Certiget” or the “Controller”).

You may contact the Controller:

electronically via e-mail: [email protected],

by phone: +48 797 123 382,

via the contact form available at: https://certiget.pl/kontakt.

§2 General provisions

This Privacy Policy sets out the rules for processing personal data by Certiget sp. z o.o. in connection with the use of the Certiget online service available at www.certiget.pl and www.certiget.eu, as well as in connection with the provision of services offered by Certiget.

Certiget processes personal data in accordance with applicable laws, in particular in accordance with:
a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR),
b) the Polish Act of 10 May 2018 on the protection of personal data,
c) other generally applicable legal provisions concerning the protection of personal data.

This Privacy Policy is of an informational nature and fulfils the Controller’s information obligation referred to in Articles 13 and 14 GDPR.

This Privacy Policy applies to all individuals whose personal data are processed by Certiget, regardless of the form of contact or the scope of use of the Service.

In matters not regulated by this Privacy Policy, the relevant provisions of the Certiget Terms and Conditions and applicable laws shall apply.

§3 Purposes and legal bases for processing personal data

Depending on how the Certiget Service is used, the actions taken and the consents granted, users’ personal data may be processed for the following purposes and on the following legal bases:

A. Use of the Service and contact with Certiget

For the purpose of:
a) handling inquiries submitted to Certiget via the contact form, e-mail or other communication channels,
b) conducting correspondence related to the operation of the Service,
c) taking actions at the user’s request prior to entering into an agreement,
personal data are processed—depending on the nature of the inquiry and the stage of the relationship with the user—on the basis of Article 6(1)(b) GDPR (steps taken prior to entering into a contract) or Article 6(1)(f) GDPR (the Controller’s legitimate interest consisting in handling inquiries addressed to Certiget).

B. Publication and handling of reviews

For the purpose of:
a) enabling users to submit reviews regarding cooperation with certification bodies,
b) verifying the authenticity of reviews,
c) publishing and presenting reviews in the Service,
personal data are processed:

as regards the publication of reviews—on the basis of Article 6(1)(b) GDPR, i.e., for the performance of a contract consisting in providing an electronic service under the Terms and Conditions of the Service,

as regards verification of review authenticity and prevention of abuse—on the basis of Article 6(1)(f) GDPR, i.e., the Controller’s legitimate interest in ensuring the reliability of reviews and transparency of information presented in the Service.

C. Additional services offered by Certiget

If the user uses additional services referred to in the Terms and Conditions of the Service, in particular such as:
a) intermediary services in collecting certification offers,
b) preparation of comparative summaries,
c) consulting, implementation, training or marketing services,
personal data are processed for the purpose of concluding and performing an agreement, on the basis of Article 6(1)(b) GDPR.

To the extent that legal provisions impose on Certiget an obligation to process personal data (in particular for accounting, tax or archiving purposes), personal data are processed on the basis of Article 6(1)(c) GDPR.

D. Marketing and newsletter

For the purpose of:
a) sending the newsletter,
b) sending commercial and marketing information related to Certiget’s activities,
personal data are processed on the basis of Article 6(1)(a) GDPR, i.e., the user’s voluntary consent.

The user has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

E. Analytical and statistical purposes

Personal data may be processed for analytical and statistical purposes related to improving and developing the Service, on the basis of Article 6(1)(f) GDPR, i.e., the Controller’s legitimate interest, provided that where such processing requires the user’s consent (e.g., via cookies), the data are processed only after such consent is given.

§4 Categories of personal data processed

The scope of personal data processed depends on how the Certiget Service is used, the actions taken and the functionalities or services used by the user.

Certiget processes only personal data necessary to achieve the specified purposes, in accordance with the data minimization principle referred to in Article 5(1)(c) GDPR.

A. Data processed in connection with using the Service

In connection with using the Certiget Service, the following categories of personal data may be processed:
a) identification and contact data—in particular an e-mail address and a phone number (if the user chooses to provide it),
b) data provided in correspondence or contact forms,
c) technical data—in particular the IP address and data concerning the device, browser and operating system, to the extent resulting from the use of the Service.

B. Data processed in connection with publishing reviews

When a user submits a review in the Certiget Service, the following personal data may be processed:
a) e-mail address—for the purpose of verifying the authenticity of the review,
b) the content of the review and the rating assigned to it,
c) other data voluntarily provided by the user in the review content.

The data referred to in section 4(a) are not published in the Service and are used solely for purposes related to handling and verifying reviews.

C. Data processed in connection with additional services

If the user uses additional services offered by Certiget, in particular services consisting in intermediary collection of offers, consulting, training or implementation services, the following categories of data may be processed:
a) the user’s identification and contact data,
b) identification and contact data of the entity on whose behalf the user acts, including in particular the company name, registered office address, NIP and REGON,
c) information regarding the entity’s operations and the scope of planned implementations, certifications or training, to the extent necessary to provide the given service.

The scope of data referred to in section 6 is each time limited to the data necessary to provide the specific service.

D. Data processed for marketing and newsletter purposes

If the user subscribes to the newsletter or gives consent to receive commercial information, the user’s e-mail address is processed.

§5 Sources of personal data

Personal data processed by Certiget primarily come directly from the individuals to whom the data relate.

Personal data may come in particular from the following sources:
a) contact forms and other forms available in the Certiget Service,
b) correspondence conducted via e-mail, phone calls or other communication channels used by Certiget,
c) data provided by the user when submitting a review or using interactive functionalities of the Service,
d) data provided by third parties acting on behalf of or with the consent of the user—to the extent necessary to provide a given service,
e) publicly available sources, in particular in the case of data relating to entities operating in the certification area, such as official websites, industry registers or publicly available professional networks.

Data from publicly available sources referred to in section 2(e) concern only data related to the professional or business activities of entities, in particular data identifying the entity or its representatives in the context of their professional role, and are processed for the purpose of presenting information in the catalog of certification bodies or for contact purposes, in accordance with applicable law.

Certiget does not obtain or process personal data from public sources beyond data related to professional or business activity; in particular, it does not process private data, sensitive data or data used for purposes unrelated to the operation of the Service.

Where personal data are obtained from sources other than directly from the data subject, Certiget fulfils the information obligations under Article 14 GDPR, unless one of the exemptions applies.

§6 Retention period for personal data

Personal data processed by Certiget are retained only for the period necessary to achieve the purposes for which they were collected and are then deleted or anonymized, unless applicable law requires further retention.

The retention period depends in particular on:
a) the type of personal data,
b) the purpose of processing,
c) the legal basis for processing,
d) legal obligations of the Controller.

Retention periods by category

Personal data processed in connection with handling inquiries and correspondence with users are retained for the duration of the contact and, after it ends, for the period necessary to secure or pursue potential claims, in accordance with applicable limitation periods.

Personal data processed in connection with publishing reviews in the Service are retained for as long as the review remains available in the Service and, after its deletion, for the period necessary to pursue the Controller’s legitimate interests, in particular to defend against potential claims.

Personal data processed in connection with the performance of additional services, including paid services, are retained for the duration of the agreement and, after it ends, for the period resulting from applicable laws, in particular tax and accounting regulations and limitation periods.

Personal data processed for marketing purposes, including newsletters, are retained until consent is withdrawn by the user or until the given marketing purpose is discontinued.

Personal data processed for analytical and statistical purposes are retained for the period resulting from the configuration of the analytical tools used or until an objection to such processing is raised, unless the law provides otherwise.

Deletion of data

After the periods referred to above expire, personal data are deleted or anonymized in a manner preventing identification of the data subject.

§7 Rights of data subjects

A data subject whose personal data are processed by Certiget has—within the scope specified by the GDPR—the following rights:

Scope of rights

The right to access personal data and obtain information about their processing, pursuant to Article 15 GDPR.

The right to rectify personal data, including the right to request prompt correction of inaccurate data or completion of incomplete data, pursuant to Article 16 GDPR.

The right to erasure of personal data (“right to be forgotten”), pursuant to Article 17 GDPR, unless grounds for refusing the request apply.

The right to restriction of processing, pursuant to Article 18 GDPR.

The right to data portability, pursuant to Article 20 GDPR, to the extent that processing is based on consent or a contract and is carried out by automated means.

The right to object to the processing of personal data, pursuant to Article 21 GDPR, in particular where processing is based on the Controller’s legitimate interest.

Where processing is based on consent, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before its withdrawal.

Exercising rights

To exercise their rights, the data subject may contact Certiget in the manner indicated in §1 of this Privacy Policy.

Certiget responds to requests without undue delay and in any event within one month of receipt, with the possibility of extending this period in cases provided for in the GDPR.

In the event of justified doubts as to the identity of the person submitting the request, Certiget may request additional information necessary to confirm their identity, to the extent necessary to properly fulfil the request.

Right to lodge a complaint

The data subject has the right to lodge a complaint with the competent supervisory authority for personal data protection, in particular the President of the Personal Data Protection Office (PUODO), if they consider that the processing of their personal data violates the GDPR.

§8 Recipients of personal data

Personal data processed by Certiget may be disclosed only to authorized entities, to the extent necessary for the purposes for which the data are processed and in accordance with applicable law.

Recipients of personal data may include in particular:

A. Entities cooperating in the provision of services

Certification bodies, consulting companies, training providers or other entities cooperating with Certiget—only where the user uses additional services involving intermediary collection of offers, preparation of comparative summaries or other services requiring transfer of personal data.

After personal data are transferred to the entities referred to in section 3, those entities become independent controllers of the personal data and process them in accordance with their own purposes, rules and applicable law.

Certiget is not liable for the independent purposes and further processing of personal data by the entities referred to in section 3, beyond the scope of services provided by Certiget; the transfer of data is carried out each time in accordance with applicable law.

B. Data processors acting on behalf of Certiget

Personal data may be transferred to entities processing data on behalf of Certiget (so-called processors), in particular providers of:
a) IT services and maintenance of IT infrastructure,
b) hosting, e-mail and analytics tools,
c) accounting, bookkeeping and legal services,
d) marketing and communication services—to the extent necessary for the specified purposes.

The entities referred to in section 6 process personal data under data processing agreements and solely in accordance with Certiget’s documented instructions.

C. Public authorities

Personal data may also be disclosed to public authorities or other entities authorized to receive them under applicable law.

§9 Transfers of personal data outside the European Union / European Economic Area

As a rule, Certiget processes personal data within the European Union and the European Economic Area (EU/EEA).

Due to Certiget’s use of tools or services provided by entities based outside the EU/EEA or IT infrastructure located outside the EU/EEA, personal data may be transferred to third countries, in particular to the United States.

Transfers of personal data to third countries take place only to the extent necessary for specific processing purposes and with appropriate safeguards required by the GDPR.

When transferring personal data outside the EU/EEA, Certiget applies appropriate transfer mechanisms, in particular:
a) European Commission adequacy decisions,
b) standard contractual clauses adopted by the European Commission,
c) other measures and mechanisms permitted by the GDPR, including—where necessary—additional safeguards in accordance with Article 46 GDPR.

The user may obtain information about the safeguards applied for transfers outside the EU/EEA by contacting Certiget as indicated in §1 of this Privacy Policy.

§10 Cookies and analytics tools

Cookies

The Certiget Service uses cookies and similar technologies to ensure the proper operation of the Service, improve its functionality and perform statistical analyses. Detailed information about the cookies used, including their retention periods, is available in the consent management mechanism provided in the Service.

Cookies are small text files stored on the user’s end device (e.g., computer, smartphone, tablet) which enable proper functioning of the Service, remember certain information about the user’s use of the Service and—depending on their type—analyze how the Service is used.

Certiget uses the following types of cookies:
a) necessary cookies—required for proper operation of the Service and its basic functionalities; their use does not require the user’s consent,
b) functional cookies—allowing the Service to remember selected user settings and adapt the Service to user preferences,
c) analytical/statistical cookies—used to collect aggregated statistical information about the use of the Service in order to optimize and develop it.

Analytical cookies and other cookies that are not necessary cookies are used only after obtaining the user’s consent through the consent management mechanism available in the Service.

The user may change cookie settings at any time, in particular via their web browser settings or through the consent management mechanism provided in the Service. Restricting cookies may, however, affect certain functionalities of the Service.

Analytics tools

Certiget may use analytics tools, in particular Google Analytics or other similar tools, for the purpose of:
a) analyzing traffic in the Service,
b) improving the quality and functionality of the Service,
c) creating aggregated statistics regarding the use of the Service.

Data collected via analytics tools are statistical in nature and are used by Certiget solely for analytical and optimization purposes. Such data are not used by Certiget to directly identify users or to make decisions producing legal effects with respect to them.

§11 Amendments to the Privacy Policy and final provisions

This Privacy Policy is of an informational nature and is effective from the date of its publication in the Certiget Service.

Certiget reserves the right to introduce amendments to this Privacy Policy, in particular in the event of:
a) changes in applicable law,
b) changes in the methods or purposes of processing personal data,
c) development of the Service functionalities,
d) the need to adjust the Privacy Policy to current technological or organizational realities.

Amendments to the Privacy Policy are published in the Certiget Service and take effect on the date of publication, unless the amended Privacy Policy provides otherwise.

In the event of significant changes affecting the scope or manner of processing personal data, Certiget will take appropriate information measures in accordance with applicable law.

Certiget has implemented an information security management system based on the requirements of ISO/IEC 27001, in order to ensure an appropriate level of protection of personal data and other information processed as part of the Service operations.

Detailed rules for the processing and protection of personal data and information security are set out in internal documents applicable at Certiget, in particular the Personal Data Protection Policy and the Information Security Policy.

In matters not regulated by this Privacy Policy, relevant provisions of generally applicable law shall apply, in particular the GDPR, as well as the provisions of the Certiget Service Terms and Conditions.

Approved on 08/02/2026