Data Processing Policy

1. Introduction

Astrum Consulting LLC (KRS 0001007307) is committed to protecting the privacy of website users and to handling their personal data in compliance with the General Data Protection Regulation (GDPR) and the Polish Data Protection Act.

2. Controller and Contact Details

Astrum Consulting LLC (KRS 0001007307), with registered office at Stanisława Żaryna 2b, biuro 20, 02-593, Warszawa, Polska, is the data controller for processing carried out via our websites and client onboarding channels. For any inquiries, please contact: contact@astrum.consulting; postal address: Stanisława Żaryna 2b, biuro 20, 02-593, Warszawa, Polska. The supervisory authority in Poland is the President of the Personal Data Protection Office (UODO). Data subjects may lodge a complaint with UODO.

3. Categories of Data and Sources

We process:

  • Identification and contact data (name, email, phone, messenger handles).

  • Professional data (role, company, jurisdiction preferences).

  • Transactional and contractual data (engagement scope, invoices).

  • Technical data (IP, device, logs) and cookies/trackers as described in Section 6 (Cookies and Electronic Communications).

Sources include data subjects directly, publicly available business sources (e.g., LinkedIn), and service providers acting as processors. Where data are not obtained directly from you, we provide the information required by Articles 14(1)–(3) GDPR within the statutory timeframes.

4. Special Categories and Criminal Data

We do not intentionally collect special category data per GDPR Article 9 or data on criminal convictions per Article 10. If such data are provided incidentally, processing will occur only under a clear legal basis and safeguards, or the data will be promptly erased.

5. Legal Bases and Legitimate Interests

This section implements Articles 6(1)(a)–(f) GDPR and Articles 12–14 GDPR for transparency; where legitimate interests apply, a balancing test is documented and available upon request.

Processing relies on:

  • Contract performance or steps prior to a contract (Article 6(1)(b)).

  • Legal obligations (e.g., tax/accounting) (Article 6(1)(c)).

  • Consent for specific marketing or optional analytics (Article 6(1)(a)).

  • Legitimate interests (Article 6(1)(f)), such as business development, service security, fraud prevention, and asserting or defending legal claims; interests are balanced against data subject rights.

6. Cookies and Electronic Communications

We use cookies and similar technologies for essential functionality, analytics, and, where applicable, marketing. Non‑essential cookies operate only with prior consent that meets GDPR standards (specific, informed, freely given, unambiguous) and can be withdrawn at any time via our Consent Management Platform. Under Polish Electronic Communications Law, storing or accessing information on a user’s device requires prior clear information on purposes and the ability to manage settings; consent may be given via software or service configuration and must comply with GDPR consent requirements. Essential cookies strictly necessary to deliver a service requested by the user do not require consent.

7. Retention Schedule

We retain personal data only for the period necessary for the purposes stated:

  • Contract and client files: for the contract term and statutory limitation periods for claims and accounting retention (generally 5 years for accounting documents under Polish rules, unless a longer period applies for claims).

  • Marketing contacts: until consent is withdrawn or an objection is sustained, with periodic suppression list maintenance to honor opt‑out.

  • Technical logs and security records: typically 6–24 months, unless needed to investigate incidents or comply with legal obligations.

  • Accounting records: retention aligns with Polish accounting and tax regulations (typically 5 years from the end of the calendar year). If statutory limitation periods for civil claims are longer, we retain related records accordingly.

Specific retention periods are reviewed periodically and documented in our Records of Processing Activities.

8. Data Subject Rights and How to Exercise Them

Data subjects have rights of access, rectification, erasure, restriction, portability, and objection; consent may be withdrawn at any time without affecting the lawfulness of prior processing. Rights requests can be submitted to contact@astrum.consulting. Identity verification may be required.

  • We respond within one month of receipt of a verifiable request; this period may be extended by two further months where necessary, in which case we notify you within one month of receipt. This reflects Article 12(3) GDPR.

  • You may lodge a complaint with the President of the Personal Data Protection Office (UODO). Contact details: uodo.gov.pl.

9. Processing as Controller and Processor; Joint Controllers

We act as:

  • Controller for our websites, marketing, and client onboarding.

  • Processor when processing personal data strictly on a client’s documented instructions under a data processing agreement that meets GDPR Article 28 requirements.

We execute Article 28 GDPR data processing agreements with our own processors, covering confidentiality, sub‑processor authorization, assistance with data subject rights and security, return or erasure of data at the end of services, audits, and SCCs where applicable. We maintain a current list of processors or processor categories, available upon request.

Where acting as joint controllers, we define respective responsibilities under Article 26 and make the essence of the arrangement available to data subjects.

10. International Data Transfers

Personal data may be transferred outside the EEA when necessary to provide services or operate infrastructure. Transfers occur only:

  • To countries with an adequacy decision, or

  • Under appropriate safeguards, in particular Standard Contractual Clauses under Article 46(2)(c)–(d) GDPR, following a transfer risk assessment and with supplementary measures implemented where needed.

Copies of SCCs and information on safeguards are available upon request.

11. Security Measures

We implement appropriate technical and organizational measures proportionate to the risks, consistent with Article 32 GDPR, including access controls, encryption in transit and at rest where appropriate, network security, vendor due diligence, staff training, and incident response procedures. Periodic testing and audits are conducted, and we review these measures at least annually and after material changes.

12. Data Breach Notification

We assess all personal data incidents. If a breach is likely to result in a risk to the rights and freedoms of natural persons, we notify UODO without undue delay and, where feasible, within 72 hours of becoming aware of it. If the risk is high, we also inform affected data subjects without undue delay, describing the breach, its likely consequences, and the mitigation measures taken.

13. Records of Processing Activities (ROPA)

We maintain records of processing activities as required by Article 30, including purposes, categories of data and data subjects, recipients, transfers, retention, and security measures, and make them available to UODO upon request.

14. Data Protection by Design and by Default

We integrate data minimization, purpose limitation, and access limitation into our processes and systems and select privacy‑preserving defaults, with periodic reviews of necessity and proportionality.

15. Data Protection Impact Assessments (DPIA)

For processing likely to result in a high risk (e.g., extensive monitoring, large‑scale processing of special categories, use of innovative technologies), we conduct DPIAs and consult UODO if a residual high risk remains.

16. Data Protection Officer

If our activities meet the criteria of GDPR Articles 37–39 or Polish law, we appoint a Data Protection Officer and publish their contact details; otherwise, we designate a privacy lead responsible for compliance.

17. Children’s Data

Our services are directed to business users and are not intended for children. We do not knowingly collect data from children; if we learn of such collection, we will erase the data unless a legal basis and appropriate safeguards apply.

18. Direct Marketing and Objection

Where permissible, we may send B2B marketing communications; recipients may opt out at any time. We honor the right to object to processing for direct marketing at any time (Article 21(2)–(3) GDPR), after which we cease such processing and add the contact to a suppression list. Where e‑privacy rules require consent (e.g., for certain electronic communications or cookies), we obtain it in advance; withdrawal does not affect the lawfulness of prior processing.

19. Processors and Third‑Party Recipients

We share data with vetted service providers acting under contracts that meet Article 28, and with professional advisors or authorities where legally required. We ensure confidentiality, security, and that processing occurs only on documented instructions. Typical recipients include cloud hosting, email, analytics, CRM, communications, payment, and professional advisory providers. Transfers outside the EEA comply with Chapter V GDPR. A current list or categories of processors is available upon request.

20. Language and Local Notices

We provide privacy information in Polish to users in Poland and in English for international users. In case of discrepancies, the Polish version prevails for Polish users.

21. How to Contact UODO

Data subjects may lodge a complaint with the President of the Personal Data Protection Office (UODO). Contact details and procedures are available on UODO’s official website.

22. Personal Data We Collect

Astrum may collect the following types of personal data:

  • Name

  • Email address (if provided)

  • Phone number (if provided)

  • Telegram nickname (if provided)

  • Any other information voluntarily provided by the user during interactions on our website.

23. Data Subject Rights

Users have the following rights regarding their personal data:

  • The right to access their personal data.

  • The right to rectification of inaccurate data.

  • The right to erasure ('right to be forgotten').

  • The right to restrict processing.

  • The right to data portability.

  • The right to object to processing.

  • Rights related to automated decision-making and profiling.

24. Changes to this Policy

This Data Processing Policy may be updated from time to time. The latest version will be available on our website.

This Policy implements Regulation (EU) 2016/679 (GDPR), including Articles 5, 6, 12–23, 24–28, 30, 32–36, and 44–49, and the Polish Act of 10 May 2018 on the Protection of Personal Data, which establishes the President of the Personal Data Protection Office (UODO) and the enforcement framework in Poland. Cookie and e‑privacy requirements are addressed under Polish electronic communications rules, which require prior information and consent for non‑essential cookies.