PRIVACY AND PERSONAL DATA PROTECTION POLICY OF THE EMPIERMEDIA.COM SERVICE
Date of last update and entry into force: July 18, 2025
I. PRELIMINARY PROVISIONS AND DEFINITIONS
This Privacy and Personal Data Protection Policy (hereinafter referred to as the "Policy") is an integral part of the legal ecosystem governing the operation of the website available at the URL https://empiermedia.com and all its associated subdomains, microservices, and satellite applications (collectively referred to as the "Service" or "Platform"). This document has been prepared based on the highest standards of informational transparency and compliance with applicable data protection laws, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR").
Definitions used in this Policy:
- Personal Data: in accordance with the definition in Art. 4(1) of the GDPR, any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Processing: in accordance with the definition in Art. 4(2) of the GDPR, any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- User: any natural person who visits the Service, uses its functionalities, content, or services, regardless of whether they have a registered user account or use the Service as an unregistered person;
- Cookies: small text files or other tracking technologies installed and stored on the User's end device (computer, smartphone, tablet, smart TV, etc.) by the web browser when visiting the Service.
II. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
The controller of your personal data within the meaning of the GDPR is [full name of the entity] with its registered office in [address], which is the entity responsible for determining the purposes and means of processing personal data in connection with the operation of the Service.
Controller's contact details:
Correspondence address: [full correspondence address]
Email address for data protection matters: [email address for data protection matters]
Phone number: [contact phone number]
Availability hours: [customer service office hours]
In matters related to the processing of personal data, the exercise of your rights, and any issues concerning privacy protection, please contact us via the dedicated email address or in writing to the Controller's registered office address.
III. DETAILED PURPOSES, LEGAL BASES, AND PERIODS OF PERSONAL DATA PROCESSING
The Controller processes Users' personal data only for clearly defined, lawful purposes, based on the appropriate legal bases provided for in the GDPR.
3.1. Provision of services by electronic means and operation of the Service
- Purpose of processing: To ensure the proper functioning of the Service, provide services by electronic means in the scope of making available informational, educational, and promotional content regarding the offered services, manage user sessions, and ensure the technical security of the platform.
- Categories of data processed: IP address of the device, information about the web browser and operating system, activity timestamps, geographical location data (at the country/region level), session identifiers, technical data regarding the use of the Service.
- Legal basis: The processing is necessary for the performance of a contract for the provision of services by electronic means to which the User is a party (Art. 6(1)(b) of the GDPR) and the legitimate interest of the Controller in ensuring the security and stability of IT systems (Art. 6(1)(f) of the GDPR).
- Processing period: For the duration of active use of the Service and for an additional period of 12 months from the last activity for security and technical analysis purposes.
3.2. Handling inquiries and communication with Users
- Purpose of processing: Identification of the sender of correspondence, handling inquiries submitted via contact forms, email, or other communication channels, responding to questions, providing technical and substantive support.
- Categories of data processed: First and last name or nickname, email address, phone number (optional), company name and position (for business contact), content of the correspondence, message metadata.
- Legal basis: The processing is necessary to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) of the GDPR) or the legitimate interest of the Controller in conducting business correspondence and customer service (Art. 6(1)(f) of the GDPR).
- Processing period: For the time necessary to handle a specific inquiry, and then for a period of 3 years for archival purposes and the possible establishment, exercise, or defense of legal claims.
3.3. Analytical activities and Service optimization
- Purpose of processing: Conducting advanced statistical analyses of website traffic, studying User behavior, identifying preferences and patterns of using the Service, optimizing functionality and content, improving the quality of services provided, creating business reports.
- Categories of data processed: Anonymized or pseudonymized data on activity within the Service, navigation paths, time spent on individual subpages, traffic sources, aggregated demographic data, information about devices and browsers.
- Legal basis: The legitimate interest of the Controller in analyzing the effectiveness of the Service's operation and optimizing the offered services (Art. 6(1)(f) of the GDPR).
- Processing period: Data in an aggregated and anonymized form may be stored indefinitely. Data that allows for identification is deleted after 26 months from its collection.
3.4. Use of the Google Analytics 4 tool
- Purpose of processing: Detailed analysis of internet traffic, creating reports on User behavior, tracking conversions, analyzing the effectiveness of content and functionalities of the Service using advanced analytical tools from Google.
- Categories of data processed: Pseudonymized user identifiers, data on sessions and events in the Service, information about devices and browsers, geographic data, parameters of organic and paid traffic.
- Legal basis: The legitimate interest of the Controller in conducting business and marketing analyses (Art. 6(1)(f) of the GDPR).
- Processing period: In accordance with the data retention settings in Google Analytics 4, for a maximum period of 14 months, with the possibility of earlier deletion at the User's request.
3.5. Establishment, exercise, or defense of legal claims
- Purpose of processing: Documenting the Controller's activities, collecting evidence in potential legal disputes, defending against unfounded claims, pursuing receivables, cooperating with law enforcement and supervisory authorities.
- Categories of data processed: Any personal data processed for other purposes that may be relevant for establishing facts in legal cases.
- Legal basis: The legitimate interest of the Controller in protecting its legal rights and interests (Art. 6(1)(f) of the GDPR).
- Processing period: Until the expiry of the limitation periods for claims specified in civil law, for a maximum period of 10 years from the end of the provision of the service.
IV. DETAILED CHARACTERISTICS OF COOKIES AND SIMILAR TECHNOLOGIES
The Service uses advanced tracking technologies, including cookies, web beacons, local storage, session storage, and other mechanisms for collecting data on User activity.
4.1. Taxonomy and classification of cookies
- Strictly necessary cookies: Files that are absolutely essential for the proper functioning of the Service, enabling basic functionalities such as page navigation, access to secure areas, and remembering language preferences.
- Functional cookies: Files that allow the Service to remember choices made by the User (e.g., username, language, region) and provide enhanced, more personalized features.
- Analytical/performance cookies: Files used to collect information about how Users use the Service, allowing for traffic analysis, identification of popular content, and optimization of functionality.
- Targeting/advertising cookies: Files used to track User activity across different websites to create interest profiles and display personalized advertising content.
4.2. Detailed specification of Google Analytics 4
The Service implements the latest version of the analytical tool Google Analytics 4 (GA4), provided by Google LLC, with its registered office in Mountain View, California, USA. GA4 is an advanced, next-generation analytics platform that uses machine learning and artificial intelligence to provide deep insights into User behavior.
- Mechanism of action: GA4 uses an event-based measurement model that records User interactions with the Service as a sequence of events. The system automatically tracks key metrics such as page views, sessions, conversions, engagement, and user paths.
- Collected parameters: Client IDs, Session IDs, event timestamps, device parameters (device type, operating system, browser), geographic data (country, region, city), traffic sources, marketing campaign parameters.
- Privacy mechanisms: GA4 implements advanced privacy protection mechanisms, including automatic IP address anonymization, the ability to exclude sensitive data, compliance with GDPR, and consent management mechanisms.
4.3. Managing consent and cookie preferences
Users have full control over the use of cookies on the Service. On the first visit, an information banner is displayed with the option to configure detailed preferences for individual cookie categories.
Control mechanisms:
- Granular management of cookie categories
- Ability to withdraw consent at any time
- Configuration at the web browser level
- Use of dedicated opt-out tools
- Automatic respect for Do Not Track signals
V. CATALOGUE OF USER RIGHTS UNDER THE GDPR
In connection with the processing of personal data, Users have a wide range of rights set out in Chapter III of the GDPR, which can be exercised by contacting the Controller.
5.1. Right of access to personal data (Art. 15 GDPR)
The User has the right to obtain from the Controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the information specified in Art. 15(1) of the GDPR, including in particular information about the purposes of the processing, the categories of data, the recipients of the data, and the planned storage period.
5.2. Right to rectification of personal data (Art. 16 GDPR)
The User has the right to demand from the Controller the immediate rectification of inaccurate personal data concerning them, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
5.3. Right to erasure of personal data - "right to be forgotten" (Art. 17 GDPR)
The User has the right to demand from the Controller the immediate erasure of personal data concerning them in the cases specified in Art. 17(1) of the GDPR, in particular when the personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
5.4. Right to restriction of processing (Art. 18 GDPR)
The User has the right to demand from the Controller the restriction of processing in the cases specified in Art. 18(1) of the GDPR, in particular when they contest the accuracy of the personal data or object to its processing.
5.5. Right to data portability (Art. 20 GDPR)
The User has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller.
5.6. Right to object (Art. 21 GDPR)
The User has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on the legal basis specified in Art. 6(1)(f) of the GDPR (legitimate interest), including profiling based on those provisions.
5.7. Right to withdraw consent
In cases where processing is based on consent (Art. 6(1)(a) of the GDPR), the User has the right to withdraw consent at any time, although the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
5.8. Right to lodge a complaint with a supervisory authority
The User has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if the User considers that the processing of personal data relating to them infringes the GDPR.
Contact details of the Polish supervisory authority:
Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
ul. Stawki 2, 00-193 Warsaw, Poland
Phone: +48 22 531 03 00
Email: kancelaria@uodo.gov.pl
VI. DATA RECIPIENTS AND INTERNATIONAL TRANSFERS
6.1. Categories of personal data recipients
In connection with the processing purposes specified in this Policy, the Controller may disclose personal data to the following categories of recipients:
- Technical subcontractors: Hosting service providers, Content Delivery Network (CDN) operators, cloud service providers, IT system administrators.
- Analytics service providers: Google LLC (Google Analytics), providers of web traffic analysis tools, business intelligence platforms.
- Communication service providers: Email operators, CRM system providers, customer communication platforms.
- Entities providing legal and accounting services: Law firms, accounting offices, auditors, tax advisors.
- Public authorities: Courts, prosecutors, law enforcement agencies, public administration bodies - only in cases provided for by law.
6.2. Data transfers outside the European Economic Area
Due to the use of services from technology providers based in third countries, in particular Google LLC (United States), Users' personal data may be transferred outside the European Economic Area (EEA).
Protection mechanisms: All data transfers outside the EEA are carried out using appropriate safeguards provided for in Chapter V of the GDPR, in particular:
- Standard Contractual Clauses approved by the European Commission
- Certification of compliance with recognized data protection standards
- Binding Corporate Rules approved by the competent supervisory authorities
- Adequacy decisions of the European Commission
VII. SECURITY MEASURES AND DATA PROTECTION
The Controller implements advanced technical and organizational measures to ensure an appropriate level of security for personal data, taking into account state-of-the-art technology, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Technical measures:
- Encryption of data in transit (TLS/SSL protocols)
- Encryption of data at rest (AES-256)
- Advanced authentication and authorization systems
- Regular software and system updates
- Real-time security monitoring
- Intrusion Detection and Prevention Systems (IDS/IPS)
- Regular backups with rapid recovery capability
Organizational measures:
- Information security policies
- Employee training on data protection
- Access control based on the principle of least privilege
- Regular security audits
- Security incident response procedures
- Confidentiality agreements with employees and subcontractors
VIII. SYSTEM LOGS AND TECHNICAL MONITORING
The operation of the Service involves the automatic generation and storage of system logs containing technical information about User activity. These logs are an essential element for ensuring the security, stability, and proper functioning of the technical infrastructure.
Content of system logs:
- IP addresses of end devices
- Timestamps of HTTP requests
- Server response codes
- Browser and operating system information (User-Agent)
- URLs of requested resources
- Volume of data transferred
- Information on errors and technical incidents
Purposes of processing logs:
- Ensuring the security of IT systems
- Diagnosing and resolving technical faults
- Optimizing infrastructure performance
- Analyzing traffic patterns for technical purposes
- Detecting and preventing cyber-attacks
Retention period: System logs are stored for a maximum period of 12 months, after which they are automatically deleted or anonymized.
IX. PRIVACY POLICY UPDATE PROCEDURES
This Policy is subject to regular review and updates to ensure compliance with evolving laws, changes in data processing practices, and the technological development of the Service.
Procedure for introducing changes:
- Identification of the need to update the Policy
- Drafting of changes by the legal team
- Consultation with data protection experts
- Approval of changes by the Controller's management
- Publication of the updated version on the Service
- Notification of Users about significant changes
Communication of changes: Users will be informed of any significant modifications to the Policy via a prominent notice on the Service and, if an email address is available, by electronic means at least 14 days before the changes come into effect.
X. FINAL PROVISIONS
This Policy is an integral part of the legal regulations of the Service and should be interpreted in conjunction with other regulatory documents, in particular the Terms of Service for the provision of services by electronic means.
In matters not regulated by this Policy, the provisions of the GDPR, the Act of 10 May 2018 on the Protection of Personal Data, the Act of 18 July 2002 on the Provision of Services by Electronic Means, and other applicable provisions of Polish and EU law shall apply.
Any disputes arising from this Policy shall be resolved by the common courts having jurisdiction over the Controller's registered office, subject to the mandatory provisions on the jurisdiction of courts in consumer cases.
This Privacy Policy enters into force on June 28, 2025, and supersedes all previous versions of documents regulating personal data protection issues on the Service.
This document has been prepared in accordance with the highest industry standards and legal requirements. The Controller reserves the right to make modifications to ensure continuous compliance with applicable laws.