Privacy policy

1. General provisions

This Privacy Policy explains how Incom Group S.A. processes and protects personal data collected through the website and related online services, forms, and communications made available through the website www.incomgroup.pl, hereinafter referred to as the „Website”.

By using the Website, contacting us, applying for a job, registering as a partner, subscribing to our newsletter, or submitting documents through the Website, you acknowledge that your personal data may be processed as described in this Privacy Policy.

2. Data controller

The controller of your personal data is:

For all questions relating to personal data and the exercise of your rights, please contact us at: ochronadanych@incomgroup.pl

3. What data we collect, for what purposes, and on what legal basis

• 3.1. Browsing the Website

  You may browse the Website without actively submitting personal data through a form. However, when you use the Website, we may automatically process certain technical data, such as your IP address, browser type, device type, operating system, date and time of access, pages visited, referring source, and information collected through cookies or similar technologies.

  We process this data in order to operate the Website, maintain security, prevent abuse, diagnose technical problems, generate statistics, and improve the Website, its content, and its performance.

  The legal basis for this processing is our legitimate interest in ensuring the proper functioning, security, and improvement of the Website under Article 6(1)(f) GDPR. Where non-essential cookies or similar technologies are used, the legal basis is your consent, where required by law.

• 3.2. Contact forms and general business communication

  If you contact us through a contact form, by email, or by telephone, we may process the data you provide, including your name, email address, telephone number, company details, and the content of your message.

  We process this data in order to respond to your enquiry, continue correspondence, provide information you request, and maintain general business communication.

  The legal basis for this processing is our legitimate interest under Article 6(1)(f) GDPR. Where your request concerns entering into a contract, the processing may also be necessary under Article 6(1)(b) GDPR.

  Providing such data is voluntary, but it may be necessary for us to respond to your enquiry.

• 3.3. Recruitment

  If you apply for a job through the Careers section of the Website, we may process the data you provide in the application process, including your name, surname, telephone number, email address, CV, attachments, and any other information you choose to submit.

  We process this data in order to conduct the current recruitment process and, if you give separate consent, to consider you for future recruitment processes. Your application data may also be shared with other entities within the Incom Group for recruitment purposes.

  The legal basis for this processing may include:

  • Article 6(1)(c) GDPR — where processing is necessary to comply with obligations arising under applicable employment law;
  • Article 6(1)(b) GDPR — where processing is necessary to take steps at your request before entering into an employment or similar contract;
  • Article 6(1)(a) GDPR — where you consent to future recruitment or to the processing of additional data not required by law;
  • Article 6(1)(f) GDPR — where processing is necessary for the establishment, exercise, or defence of legal claims or for internal recruitment administration.

  Please do not include sensitive personal data in your application unless it is strictly necessary and lawful to do so.

• 3.4. Partner registration, customer account creation, cooperation, and order handling

  If you register through the „Become a Partner” or equivalent section of the Website, we may process personal data and business data necessary to evaluate the application, verify the applicant, create an account, prepare documentation, enter into and perform a contract, and manage the ongoing business relationship.

  Depending on the registration form and the information you provide, this may include:

  • company name, legal form, VAT or tax number, registration number, DUNS, date of registration, and other business identification data;
  • registered office address, invoice address, shipping address, and related business contact details;
  • bank name, bank account number, IBAN, SWIFT/BIC, and finance contact details;
  • names, positions, business email addresses, and telephone numbers of contact persons, representatives, owners, directors, purchasing contacts, finance contacts, and other persons involved in cooperation;
  • data relating to persons authorized to collect goods or act on behalf of the applicant;
  • data necessary for electronic invoicing, account administration, order fulfilment, customer service, complaint handling, and related operational communication;
  • documents and supporting materials submitted during the registration or verification process.

  The legal basis for this processing may include:

  • Article 6(1)(b) GDPR — where the data concern a sole trader or other individual party to the contract;
  • Article 6(1)(c) GDPR — where processing is necessary to comply with legal obligations, including accounting, tax, and record-keeping obligations;
  • Article 6(1)(f) GDPR — where processing is necessary for our legitimate interests, including business onboarding, verification of business partners, prevention of abuse, and the establishment, exercise, or defence of legal claims;
  • Article 6(1)(a) GDPR — where you separately consent to receiving marketing information by electronic means.

  Where you provide personal data of other persons, such as employees or representatives, you are responsible for ensuring that you are entitled to provide such data and that the relevant persons have been informed accordingly.

• 3.5. Newsletter and marketing communications

  If you subscribe to our newsletter or otherwise consent to receive marketing communications, we may process your email address and, where applicable, your name, surname, company details, preferences, and information related to the effectiveness of our communications.

  We process this data in order to send newsletters, commercial information, information about offers, promotions, new products, events, or price changes, and to measure the effectiveness of such communications.

  The legal basis for this processing is your consent under Article 6(1)(a) GDPR and, where relevant, the consent required by applicable electronic communications laws.

  You may withdraw your consent at any time, including by using the unsubscribe link contained in a marketing email or by contacting us at ochronadanych@incomgroup.pl.

• 3.6. Whistleblowing and reports of legal or ethical violations

  If you submit a report through the whistleblowing or ethics reporting section of the Website, we may process the personal data contained in your report, including your name, surname, position, contact details, and any other data included in the report.

  We process this data in order to receive, assess, investigate, follow up on, and document reports; communicate with the reporting person where appropriate; take remedial measures; and comply with applicable laws and internal procedures.

  The legal basis for this processing is Article 6(1)(c) GDPR, where processing is necessary to comply with legal obligations applicable to us, and Article 6(1)(f) GDPR, where processing is necessary for our legitimate interests.

4. Cookies, IP addresses, analytics, and marketing technologies

The Website uses cookies and similar technologies. A cookie is a small text file stored on your device when you visit a website.

We may use:

• strictly necessary cookies — required for the proper functioning and security of the Website;
• preference cookies — which remember your settings;
• analytics cookies — which help us understand how the Website is used;
• marketing cookies — which support advertising, audience building, remarketing, and campaign measurement.

Depending on the page, your consent settings, and the services currently enabled on the Website, we may use tools such as:

• Google Ads Remarketing;
• Google Analytics 4;
• Criteo;
• GetResponse;
• Microsoft Clarity;
• Meta (Facebook) Pixel.

These tools may collect information such as cookie identifiers, IP address, browser and device data, page views, interactions with the Website, campaign attribution data, and related marketing or analytics information.

The current categories of cookies and the most up-to-date consent options are available through the cookie banner or cookie settings tool used on the Website.

5. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law.

In particular:

• recruitment data is retained for the duration of the current recruitment process and, where you have consented, for the period covered by that consent;
• contact and enquiry data is retained for the duration of the correspondence and, depending on its outcome, either becomes part of our customer or partner records or is deleted if no cooperation is established;
• where discussions have clearly ended, data may be removed from operational systems without undue delay and from backup copies within up to 30 days;
• where there is no response and the status of the matter remains unclear, we may retain the relevant data for up to 6 months from the date of the last message;
• account, partner, and contract-related data is retained for the duration of the account or contractual relationship;
• accounting, tax, and settlement documents are retained for the period required by law, including, where applicable, up to 5 years calculated from the end of the calendar year in which the relevant tax payment deadline expired;
• marketing data processed on the basis of consent is retained until consent is withdrawn or until the purpose of processing no longer exists;
• whistleblowing-related data is retained for the period required by applicable law and internal procedures, including, where applicable, for 3 years after the end of the calendar year in which follow-up actions or related proceedings were completed.

We may retain data for a longer period where necessary to comply with legal obligations, resolve disputes, enforce agreements, or establish, exercise, or defend legal claims.

6. Sharing of personal data and international transfers

We may share personal data, where necessary, with:

• entities within the Incom Group;
• service providers and processors supporting our business and the Website, including IT, hosting, analytics, marketing, communication, legal, accounting, recruitment, customer service, and security providers;
• banks, payment-related providers, couriers, logistics providers, and other entities involved in the performance of contracts or orders;
• public authorities and other entities authorized to receive data under applicable law.

Some of our service providers may be located outside the European Economic Area. In such cases, we ensure that an appropriate transfer mechanism is used, such as an adequacy decision issued by the European Commission or standard contractual clauses.

7. Your rights

Subject to the conditions and limitations set out in applicable law, you have the right to:

• access your personal data and obtain a copy of it;
• rectify inaccurate or incomplete personal data;
• request the erasure of your personal data;
• request the restriction of processing;
• object to the processing of your data where processing is based on legitimate interests;
• receive your data in a structured, commonly used, machine-readable format and request data portability where applicable;
• withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal;
• lodge a complaint with the competent supervisory authority, including the President of the Personal Data Protection Office in Poland.

To exercise your rights, please contact us at: ochronadanych@incomgroup.pl

8. Security of personal data

We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, unlawful disclosure, or destruction. These measures include secure communication encryption, access controls, authentication mechanisms, internal authorization procedures, and limiting access to personal data to those persons who need it in order to perform their duties.

Persons authorized to process personal data on our behalf are bound by confidentiality obligations and are required to process data in accordance with applicable law and our instructions.

9. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time. The current version will always be available on the Website. Any changes become effective upon publication, unless stated otherwise.

10. Contact

If you have any questions, comments, or requests relating to this Privacy Policy or the processing of your personal data, please contact us: