§ LEGAL — PRIVACY

Privacy policy.

How Oxenex Sp. z o.o. processes personal data under the General Data Protection Regulation (GDPR) and applicable national law.

1. Data controller

The controller responsible for personal data processed via this website is:

ENTITY
Oxenex Sp. z o.o.
ADDRESS
ul. Chmielna 73, 00-801 Warszawa, Poland
EMAIL
privacy@oxenex.eu

2. Data we collect

2.1 When you visit this site

  • Server log files: IP address (anonymised), browser type, operating system, referring URL, date and time of access
  • Legal basis: Art. 6(1)(f) GDPR — legitimate interest in secure and stable site operation
  • Retention: 30 days, then deleted

2.2 When you submit the contact form

  • Name, organisation, email address, and the content of your message
  • Legal basis: Art. 6(1)(b) GDPR — to take steps at your request prior to entering a contract
  • Retention: for the duration of our business relationship plus 6 years for tax and commercial records (as required by Polish law)

2.3 When you apply for a role

  • Name, contact details, CV content, cover letter, any attachments you send
  • Legal basis: Art. 6(1)(b) GDPR — pre-contractual measures at your request
  • Retention: 6 months after application closure, unless you consent to extended retention

3. Third-party processors

We use the following third parties to operate this site. All are bound by data processing agreements where applicable:

  • [REPLACE: Hosting provider, e.g. Hetzner, AWS] — website hosting
  • [REPLACE: Email provider] — business email
  • Google Fonts — web font delivery from fonts.gstatic.com. [REPLACE with self-hosted fonts in production to avoid third-party data transfer]

4. Cookies and tracking

This site does not currently use analytics cookies or tracking pixels. If we add these in future, we will obtain explicit opt-in consent before loading any non-essential cookies, in accordance with the ePrivacy Directive and Art. 7 GDPR.

5. Your rights

Under the GDPR, you have the right to:

  • Request access to the personal data we hold about you (Art. 15 GDPR)
  • Request correction of inaccurate data (Art. 16 GDPR)
  • Request deletion of your data (Art. 17 GDPR)
  • Restrict processing in certain circumstances (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing based on legitimate interests (Art. 21 GDPR)
  • Lodge a complaint with a supervisory authority — in Poland, Urząd Ochrony Danych Osobowych (UODO)

To exercise any of these rights, contact us at privacy@oxenex.eu. We will respond within 30 days.

6. International transfers

Data is processed within the European Union. If any third-party processor transfers data outside the EU/EEA, this is covered by Standard Contractual Clauses (SCCs) or an adequacy decision under Art. 45 GDPR. [REPLACE: list any sub-processors outside EU/EEA]

7. Data security

We apply technical and organisational measures proportionate to the risk, including encryption in transit (TLS 1.3), access controls, regular security reviews, and principle-of-least-privilege for staff access.

8. Changes to this policy

We may update this privacy policy from time to time. The version and date below reflect the current policy. Material changes will be announced via prominent notice on this site.

VERSION 1.0 · LAST UPDATED: [REPLACE: DATE]

PLACEHOLDER NOTICE This privacy policy must be reviewed and completed by qualified privacy counsel before deployment. Inaccurate GDPR disclosures carry fines up to €20 million or 4% of global turnover under Art. 83 GDPR.