Private policy

1. Data Controller

The Data Controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (GDPR) is JAY DESIGN sp. z o.o., ul. Żurawia 32/34, 00-515 Warsaw, Poland, NIP: 7011143913, e-mail: jay.dizstudio@gmail.com (the “Controller”).

The Controller has not appointed a Data Protection Officer.

2. Purposes and legal basis of processing

Personal data are processed for the purposes of:

• concluding and performing contracts;

• providing design and construction services;

• handling inquiries and correspondence;

• fulfilling accounting and tax obligations;

• establishing or defending legal claims.

The legal bases for processing are Article 6(1)(b), (c) and (f) GDPR.

3. Scope of processed data

The Controller may process, in particular:

• name and surname;

• phone number;

• e-mail address;

• project or business address;

• other data necessary for contract performance.

4. Storage and security

Personal data are stored in electronic form and, where necessary, in paper form.

Appropriate technical and organizational measures are applied to protect data against loss, unauthorized access, alteration or disclosure. Access is limited to authorized persons only.

5. Data recipients

Data may be transferred to processors acting on behalf of the Controller, including IT service providers, accounting firms and subcontractors, based on GDPR-compliant data processing agreements.

6. Retention period

Data are retained:

• for the duration of the contract;

• after termination, for periods required by law;

• until the limitation period for potential claims expires;

• or until an effective objection is raised, where processing is based on legitimate interest.

7. Data subject rights

Data subjects have the right to access, rectify, erase, restrict processing, data portability, object to processing and withdraw consent (where applicable).

Requests may be submitted by e-mail. Responses are provided within 30 days.

8. Supervisory authority

Data subjects have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO).

9. Transfers outside the EU

Personal data are not transferred outside the EU, except where IT tools are used whose providers apply standard contractual clauses in accordance with GDPR.

10. Automated decision-making

Personal data are not subject to automated decision-making or profiling.

11. Voluntary provision of data

Providing personal data is voluntary but necessary to conclude contracts or provide services.

12. Final provisions

The Controller reserves the right to amend this Privacy Policy. The current version is always available on the website.