Skip to main content
Last update: 20 October 2023

Privacy policy

§ 1. General provisions

  1. This document sets out the Privacy Policy of the Website and the Agent, which includes, in particular, regulations concerning the protection of personal data and the security of other data entered into the Website by the Customer.
  2. The Privacy Policy shall be an integral annex to the Regulations.

§ 2. Definitions

The terms used in this document shall have the following meaning:

  1. Service Provider - co.brick sp. z o.o., 44-100 Gliwice, Kaczyniec 9, e-mail address:,
  2. Website - a website that can be visited via the Internet through the Webpage;
  3. Agent - software used to provide services to the Customer;
  4. Webpage - a webpage at as well as any and all of its subpages;
  5. Parties - Service Provider and Customer;
  6. Customer - a natural person conducting a business activity who uses the Website and enters his/her personal data into the Website;
  7. User - a Customer and any other person who has been granted access to the Website and the Agent by the Customer.

§ 3. Personal data protection

  1. The Service Provider is the Controller of personal data within the meaning of the General Data Protection Regulation of 27 April 2016 (GDPR).
  2. The Service Provider processes your data to the extent, within the time and for the purpose indicated each time in the information provided under the forms used to collect personal data from the Customer.
  3. Personal data will be provided exclusively to the Service Provider's trusted subcontractors, i.e. suppliers of IT services, an accounting firm, administration.

§ 4. Customer entitlements

  1. In the event of a change in personal data, the Customer should update it either by sending the Service Provider an appropriate message or by using the relevant procedure on the Website.
  2. The customer shall have the right to request access to the content of his/her personal data, to rectify or delete it as well as the right to restrict its processing. Furthermore, the Customer shall also be entitled to withdraw his or her consent at any time without affecting the lawfulness of processing, to move his or her data and to object to the processing of his or her personal data.
  3. The Customer shall have the right to lodge a complaint with the President of the Personal Data Protection Authority.
  4. The provision of personal data is voluntary; however, the lack of consent to data processing prevents the Customer from using the Website.
  5. The Service Provider may refuse to delete the Customer's personal data if the retention of the personal data is necessary due to an obligation imposed on the Service Provider by law.

§ 5. Data encryption

  1. The Service Provider undertakes to encrypt data transmission in order to secure the Customer's data retained in the system.
  2. Any Customer's connection with the Website shall be encrypted and confidential.

§ 6. Technical data protection

  1. The Service Provider shall use all technical and organisational methods to ensure the security of Customer's personal data and protect it against accidental or intentional destruction, accidental loss, modification, unauthorised disclosure or access. The information shall be retained and processed on highly secured servers, with appropriate safety measures meeting the requirements of the Polish law.
  2. The Service Provider undertakes to retain backup copies containing personal data of the Customer.
  3. Entrusted data is stored on top-of-the-range hardware and servers in appropriately secured information storage centres, accessible only by authorised persons.
  4. The Service Provider shall carry out activities related to the processing of personal data in accordance with all legal and technical requirements imposed by the personal data protection regulations.
  1. For convenience of Users or for purposes necessary for the functioning of the Website, the Website uses cookies, among other things, to adapt the Website to Users' needs and for statistical purposes. Cookies are small text files sent by the website visited by an Internet user to the user's hardware.
  2. The Website uses two types of cookies: session cookies and persistent cookies. Session cookies are temporary files which are stored on the User's end device until logging out, leaving the webpage or shutting down the software (web browser). Persistent cookies are stored on the User's end device for a time specified in the cookie data parameters or until they are deleted by the User.
  3. The Website uses the following types of cookies:
    1. "strictly necessary" cookies – to enable using services available within the Website, e.g. used for user authorisation processing;
    2. "secure" cookies – to ensure security, for instance, to detect the misuse of Website services;
    3. "performance" cookies – to collect data on how the Website is used;
    4. "functional" cookies – to remember User's settings and to customise User's interface, e.g. selected language or region, font size, appearance of the Website, etc.;

§8. Logs

  1. As practised by most websites, we shall store HTTP queries submitted to our server (server logs). In connection with the above, the following data shall be stored:
    1. IP addresses from which users browse information provided on our website;
    2. the time the query was received;
    3. response time;
    4. name of customer's station – identification carried out via HTTP and HTTPS,
    5. information on errors in HTTP and HTTPS transactions;
    6. URL address of a page previously visited by the User (referrer link);
    7. information about the user's browser.
  2. The data collected in logs shall be used exclusively for the purpose of Website administration.
  3. The logs collected shall be stored for an indefinite time as auxiliary materials for the purposes of Website administration. The information contained therein shall not be disclosed to anyone other than persons authorised to administer the Website. The log files may be used to generate statistics constituting aid in administration. Summaries in the form of such statistics shall contain no features identifying website visitors.

§ 9. Contact

  1. The Customer and the User may contact the Service Provider at any time to obtain information about whether the Service Provider uses his/her personal data and if so, in what manner.
  2. The Customer and the User may also request the Service Provider to delete his/her personal data in whole or in certain parts.
  3. The Service Provider may be contacted by sending an e-mail at:

Personal data processing agreement

concluded by and between:

The entity that enters into a contract with the Processor for the provision of services and whose details are provided in the registration form, hereinafter referred to as the "Controller", and

co.brick sp. z o.o., 44-100 Gliwice, Kaczyniec 9

hereinafter referred to as the "Processor",

hereinafter referred to as the "Party" and collectively as the "Parties".

§ 1. Definitions

For the purposes of the Agreement, the Controller and the Processor agree that the following terms shall have the following meanings:

  1. Personal Data – data within the meaning of Art. 4 (1) of Regulation (EU) 2016/679, i.e. any information relating to an identified or identifiable natural person;
  2. Processing of Personal Data – any operation or a set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction within the meaning of in Article 4 (2) of Regulation 2016/679;
  3. Agreement – this Agreement;
  4. Master Agreement - the contracts entered into by the Controller and the Processor for the provision of services with the content set out in the Regulations;
  5. Regulation 2016/679 – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU L. of 2016 No. 119, p. 1).

§ 2. Representations of the parties

The Parties hereby represent as follows:

  1. The Parties represent that the Agreement is concluded for the purposes of ensuring compliance with the obligations referred to in Article 28 of Regulation 2016/679 in connection with the conclusion of the Master Agreement.
  2. The person entering into the Master Agreement and transferring the personal data to the Processor is duly authorised to represent the Controller,
  3. The Controller represents that it is the data controller of Personal Data within the meaning of Article 4 (7) of Regulation 2016/679, i.e. the entity which, alone or jointly with others, defines the purposes and means of the processing of Personal Data,
  4. The Processor represents that it is a data processor within the meaning of Article 4 (8) of Regulation 2016/679, under the Agreement, which means that it will process Personal Data on behalf of the Controller.

§ 3. Subject matter and duration of processing

  1. The Controller shall outsource the processing of Personal Data to the Processor and the Processor undertakes to process the Personal Data in accordance with the provisions of law and the Agreement.
  2. The Agreement is concluded for the duration of the Master Agreement and the performance of all obligations under the Agreement and the Master Agreement.

§ 4. Purpose and basic principles of processing

  1. The Processor may process Personal Data exclusively to the extent and for the purposes provided for in the Agreement.
  2. The purpose of the entrustment of the Processing of Personal Data is the performance of the Master Agreement, including, in particular, the performance by the Processor of the service of providing the application and the agent and the performance of services through them.
  3. The scope of the Personal Data processed by the Processor under the Agreement includes the categories of Personal Data entrusted each time to the Controller for processing via the application and the agent.
  4. The scope of Personal Data processed by the Processor under the Agreement includes data of employees and associates of the Controller.
  5. The Processor shall process Personal Data only at a documented instruction of the Controller. A documented instruction shall mean a data processing request contained in the Master Agreement.
  6. When processing Personal Data, the Processor shall comply with the principles set out in the Agreement.

§ 5. Detailed rules for entrusting processing

  1. Prior to commencing the Processing of Personal Data, the Processor must take the personal data security measures referred to in Article 32 GDPR, and in particular:
    1. taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of natural persons with various probability of occurrence and degree of threat, is obliged to apply technical and organisational measures to ensure protection of Personal Data being processed, so as to ensure a security level corresponding to that risk. The Processor shall properly document the implementation of such measures and update them in consultation with the Controller,
    2. ensure that any natural person acting under the authority of the Processor who has access to the Personal Data processes the Personal Data at the request of the Controller, including in line with its guidelines and instructions, for the purposes and to the extent provided for in the Agreement,
    3. keep a register of all categories of processing activities performed on behalf of the Controller referred to in Article 30.2 of Regulation 2016/679 and make it available to the Controller at its request, unless the Processor is exempt from this obligation pursuant to Article 30.5 of Regulation 2016/679.
  2. The Processor shall ensure that the persons who have access to Personal Data keep them as well as the data protection measures applied confidential. The confidentiality obligation shall continue to be binding on such persons after the performance of the Agreement and the termination of employment with the Processor. For this purpose, the Processor will allow the data to be processed only by persons who have signed an obligation to keep personal data confidential and how maintain confidentiality thereof.

§ 6. Other obligations of the processor

  1. The Processor undertakes to assist the Controller in complying with the obligations set out in Articles 32-36 of Regulation 2016/679; in particular, the Processor undertakes to provide the Controller with information and carry out the Controller's instructions regarding the personal data security measures in place, whereas the Processor shall provide the Controller with information on personal data breaches within 24 hours from the moment a personal data breach is identified.
  2. The Processor undertakes to assist the Controller, through appropriate technical and organizational measures, in fulfilling its obligation to respond to requests from data subjects for the exercise of their rights set out in Articles 15 to 22 of Regulation 2016/679, in particular the Processor undertakes to transmit to the Controller each request from a data subject within 5 days of receipt of the request.
  3. The Processor undertakes to comply with any guidelines and recommendations issued by the relevant supervisory authority or EU advisory data protection body concerning the processing of Personal Data, in particular those concerning the scope of Regulation 2016/679.
  4. The Processor undertakes to immediately inform the Controller (in accordance with the manner of contacting or sending notices specified in the Master Agreement) of any proceedings, including in particular administrative or judicial proceedings, relating to the processing of Personal Data by the Processor, of any administrative decision or ruling relating to the processing of Personal Data which is addressed to the Processor as well as of any checks and inspections relating to the processing of Personal Data by the Processor, in particular those conducted by the supervisory authority.

§7. Subprocessing

  1. The Processor may use the services of another processor (subprocessor).
  2. The Controller agrees to subcontract the processing of the entrusted Personal Data in particular to companies cooperating with the Processor, entities providing personnel, accounting and IT services to the Processor.
  3. Where the processing of Personal Data is further subcontracted, the processing shall be subcontracted on the basis of an agreement under which the subcontractor (subprocessor) undertakes to comply with the same obligations as those imposed on the Processor under the Agreement.
  4. The Processor shall ensure that the subcontractors (subprocessors) to which the processing of data is subcontracted provide at least an equivalent level of protection of Personal Data to that provided by the Processor.

§ 8. Audit of the processor

  1. The Controller is authorised to verify whether the Processor observes the rules of Personal Data processing arising from Regulation 2016/679 and the Agreement by requesting any information regarding the Personal Data provided.
  2. The Controller shall also have the right to conduct audits or inspections of the Processor regarding the compliance of the processing operations with the law and with the Agreement. The audits or inspections referred to in the preceding sentence may be carried out by third parties authorised by the Controller. Audits and inspections shall be carried out by prior arrangement between the Parties as to the date and manner thereof.
  3. The Processor undertakes to inform the Controller immediately if, in the Processor's opinion, an instruction given to the Processor constitutes a breach of Regulation 2016/679 or other data protection legislation.

§ 9. Liability of the parties

  1. The Processor shall be liable for any damage which may arise for the Controller or third parties as a result of Personal Data processing by the Processor in breach of the Agreement. The Processor's liability for the acts and omissions of subcontractors (sub-processors) is excluded.
  2. In the event of non-performance or improper performance of the Agreement by the Processor and a breach of the provisions concerning the processing of personal data, the Processor undertakes to pay compensation, with the full liability of the Processor (towards the Controller and third parties) being limited to the amount of PLN 2,000.

§ 10. Completion of the entrustment of processing

  1. After the end of the provision of processing services, the Processor, at Controller's request and subject to section 2, shall cease the Processing of Personal Data and remove all Personal Data and their copies from its files and IT systems.
  2. Despite the cessation of the provision of services related to entrusting the Processing of Personal Data, the Processor shall have the right to process data relating to the confirmation of the performance of the service for the Controller.
  3. The erasure of Personal Data referred to in section 1 shall be understood as the destruction of those Personal Data or such a modification that will render it impossible to identify the data subject.
  4. Data erasure should be documented by a written statement signed by the persons authorised by the Processor. The Processor undertakes to provide the Controller with a statement on the erasure of Personal Data within 7 days from the submission of such request by the Controller.
  5. The termination of the Master Agreement at any time and under any procedure by any of the Parties shall result in the expiry of the Agreement.
  6. The Controller shall be entitled to terminate the Agreement with immediate effect if:
    1. the supervisory authority finds that the Processor does not comply with the principles of Personal Data Processing in relation to data entrusted by the Controller,
    2. As a result of the audit referred to in § 8 of the Agreement, the Controller finds that the Processor does not comply with the principles of Personal Data Processing in relation to the data entrusted by the Controller and the 14-day deadline for the elimination of the breaches expired ineffectively,
    3. The Processor has used Personal Data inconsistently with the Agreement or with provisions of the law, has improperly processed the entrusted Personal Data despite a prior notice to change the manner of its processing or has entrusted processing of Personal Data to another entity without Controller’s consent.

§ 11. Final provisions

  1. Any and all amendments to the Agreement shall be made in a document-like form, otherwise being null and void.
  2. The agreement is concluded in a clickable form by accepting its terms and conditions by selecting the relevant checkbox when first logging into the system provided by the Processor.
  3. Any matters not regulated by the Agreement shall be governed by the provisions of the Civil Code of 23 April 1964 (Journal of Laws of 2017, item 459, as amended) and the provisions of Regulation 2016/679.
  4. Any disputes relating to the performance of the Agreement shall be settled by the court having jurisdiction over the Processor's registered office.