Privacy Policy
Version effective as of 22 April 2026
TABLE OF CONTENTS
1.
DEFINITIONS
1.1.
For the purposes of this Policy, the following definitions shall apply:
1.1.1.
Policy – this Privacy Policy;
1.1.2.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
1.1.3.
Controller – Fundacja Aesthetic Unit Klub Sportowy, with its registered office in Warsaw, entered in the register of entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw, XIV Commercial Division of the National Court Register, under number KRS 0001120591, holding NIP: 5253012964 and REGON: 529355966;
1.1.4.
Website – the website operated by the Controller at https://aesthetic-unit.com.
1.1.5.
User – any natural person visiting the Website or using one or more of the services or functionalities described in the Policy.
1.2.
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.
DATA PROCESSING IN CONNECTION WITH USE OF THE WEBSITE
2.1.
This Policy sets out the rules for the processing of personal data by the Controller.
2.2.
In connection with the User's use of the Website, the Controller collects data to the extent necessary to provide particular services offered, as well as information about the User's activity on the Website. The detailed rules and purposes of personal data processing collected during the use of the Website by the User are described below
3.
PURPOSES AND LEGAL BASES FOR DATA PROCESSING
A.
USE OF THE WEBSITE
3.1.
Personal data of persons using the Website (in particular IP address, device data, browser data, geographical location, time of visit and other information collected through cookies) are processed by the Controller:
3.1.1.
For analytical and statistical purposes – the legal basis is the Controller's legitimate interest (Art. 6(1)(f) GDPR) consisting in conducting analyses of Users' activity and their preferences in order to improve the quality of services provided;
3.1.2.
For the possible establishment and pursuit of claims or defence against them – the legal basis is the Controller's legitimate interest (Art. 6(1)(f) GDPR) consisting in protecting its rights.
3.2.
User activity on the Website, including personal data, is recorded in system logs (a special computer program used to chronologically store records of events and actions relating to the IT system used to provide services by the Controller). The Controller also processes them for technical and administrative purposes, for the purpose of ensuring the security of the IT system and managing that system, as well as for analytical and statistical purposes – the legal basis for processing in this respect is the Controller's legitimate interest (Art. 6(1)(f) GDPR).
3.3.
CONSULTATIONS. Within the Website, the Controller provides the possibility to book a consultation through a form. The use of the form requires the provision of the following personal data, necessary to conduct the consultation:
3.3.1.
Name;
3.3.2.
E-mail address;
3.3.3.
Phone number.
3.4.
Personal data are processed:
3.4.1.
For the purpose of handling the request and carrying out the consultation – the legal basis for processing is the taking of steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR);
3.4.2.
For analytical and statistical purposes – the legal basis for processing is the Controller's legitimate interest (Art. 6(1)(f) GDPR) consisting in conducting analyses of Users' activity on the Website and their preferences in order to improve the functionalities used;
3.4.3.
For the possible establishment and pursuit of claims or defence against them – the legal basis for processing is the Controller's legitimate interest (Art. 6(1)(f) GDPR) consisting in protecting its rights;
3.4.4.
For the performance of bookkeeping, tax and accounting obligations – processing necessary for the performance of a legal obligation to which the Controller is subject (Art. 6(1)(c) GDPR).
B.
MARKETING AND COMMUNICATION
3.5.
In connection with directing advertisements to the User that are not tailored to the User's preferences (contextual advertising), we process the User's data on the basis of our legitimate interest (Art. 6(1)(f) GDPR).
3.6.
The Controller may process the User's personal data, including data from cookies and similar technologies, for marketing purposes related to displaying advertisements tailored to the User's interests (behavioural advertising). Such processing takes place solely on the basis of consent (Art. 6(1)(a) GDPR), which the User may withdraw at any time.
3.7.
Within the newsletter, the Controller may send marketing content – in such case the legal basis is consent (Art. 6(1)(a) GDPR) to receive the newsletter; the User may unsubscribe from the newsletter at any time.
3.8.
The User's personal data may be used to direct marketing content through various communication channels (e-mail, SMS/MMS, telephone) – solely with the User's consent (Art. 6(1)(a) GDPR), which may be withdrawn at any time.
3.9.
The User has the right to withdraw consent given for the processing of data for marketing purposes at any time, which does not affect the lawfulness of processing carried out before the withdrawal of consent.
3.10.
The Controller processes the personal data of Users visiting the Controller's profiles maintained on social media. Such data are processed exclusively in connection with the maintenance of the profile, including for the purpose of informing Users about the Controller's activities and promoting various events, services and products. The legal basis for the processing of personal data by the Controller for this purpose is its legitimate interest (Art. 6(1)(f) GDPR) consisting in promoting its own brand.
4.
COOKIES AND SIMILAR TECHNOLOGY
4.1.
The Website uses cookies, i.e. small text files installed on Your device while browsing the Website. Cookies collect information facilitating use of the Website (e.g. by remembering Your visits and actions taken), as well as for the purposes of personalisation, marketing or analytics.
4.2.
The Controller uses so-called service cookies primarily for the purpose of providing the User with services rendered electronically and improving the quality of these services. In this regard, the Controller and other entities providing analytical, statistical and marketing services to the Controller use cookies by storing information or obtaining access to information already stored in the User's telecommunications terminal equipment (computer, phone, tablet, etc.). Cookies used for this purpose include:
4.2.1.
User input cookies (session identifier), for the duration of the session;
4.2.2.
Authentication cookies used for services requiring authentication, for the duration of the session;
4.2.3.
User centric security cookies, e.g. used for detecting authentication abuse;
4.2.4.
Multimedia player session cookies (e.g. flash player cookies), for the duration of the session;
4.2.5.
Persistent cookies used for user interface customisation, for the duration of the session or slightly longer;
4.2.6.
Cookies used to monitor website traffic, i.e. data analytics, including Google Analytics cookies (files used by Google to analyse how the User uses the Website, to create statistics and reports on the functioning of the Website). Google does not use the collected data to identify the User or combine this information to enable identification. Detailed information on the scope and rules of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners
4.2.7.
Marketing and remarketing cookies, used to present advertisements tailored to the User's preferences (behavioural advertising), to conduct remarketing campaigns and automate communication (e.g. sending messages after specific actions on the Website) – solely with the User's explicit consent.
5.
RIGHTS OF DATA SUBJECTS
5.1.
Every person whose personal data is processed has the right:
5.1.1.
Of access to data – pursuant to Art. 15 GDPR:
5.1.1.1.
You have the right to obtain from the Controller information as to whether personal data is being processed, and, if so, you have the right to:
5.1.1.1.1.
Access to your personal data,
5.1.1.1.2.
Obtain a copy of your personal data,
5.1.1.1.3.
Obtain information about the purposes of processing, the categories of personal data being processed, the recipients or categories of recipients of such data, the envisaged period for which data will be stored, or, where not possible, the criteria used to determine that period, the rights available under the GDPR, the right to lodge a complaint with a supervisory authority, the source of such data, automated decision-making, including profiling, and the safeguards applied in connection with the transfer of such data outside the European Union;
5.1.2.
To information about the processing of personal data;
5.1.3.
To obtain a copy of data;
5.1.4.
To rectification or change of data – pursuant to Art. 16 GDPR:
5.1.4.1.
You have the right to request the Controller to rectify without undue delay inaccurate personal data concerning you,
5.1.4.2.
Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data or changes to the data, including contact and address data, including by means of providing a supplementary statement,
5.1.4.3.
You may request rectification or completion of personal data in the form of an e-mail to the following address: office@aesthetic-unit.com. The Controller will accordingly provide a link to change the data.
5.1.5.
To erasure of data (the so-called “right to be forgotten”) – pursuant to Art. 17 GDPR:
5.1.5.1.
You have the right to request the erasure of all or some of your personal data,
5.1.5.2.
You have the right to request erasure of personal data if:
5.1.5.2.1.
The personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
5.1.5.2.2.
A given consent has been withdrawn, to the extent that the personal data were processed based on that consent,
5.1.5.2.3.
An objection has been raised against the use of the data for marketing purposes,
5.1.5.2.4.
The personal data are being processed unlawfully,
5.1.5.2.5.
The personal data must be erased for compliance with a legal obligation under the law of the Union or a Member State to which the Controller is subject,
5.1.5.2.6.
The personal data were collected in relation to the offering of information society services.
5.1.5.3.
Notwithstanding a request for erasure of personal data, in connection with the raising of an objection or the withdrawal of consent, the Controller may retain certain personal data to the extent that processing is necessary for the establishment, exercise or defence of legal claims, as well as for compliance with a legal obligation requiring processing under the law of the Union or a Member State to which the Controller is subject. This applies in particular to personal data including: first name, surname, e-mail address, which are retained for the purposes of handling complaints and claims related to the use of the Controller's services, or additionally the address, which is retained for the purposes of handling complaints and claims related to service contracts.
5.1.6.
To restriction of processing of data – pursuant to Art. 18 GDPR:
5.1.6.1.
You have the right to request restriction of the processing of personal data. Submitting a request, until it is considered, prevents the use of certain services whose use would involve the processing of the data covered by the request. Until the request is considered, the Controller will not send any communications, including marketing communications.
5.1.6.2.
You have the right to request restriction on the use of personal data in the following cases:
5.1.6.2.1.
When you contest the accuracy of your personal data – then the Controller restricts their use for the period necessary to verify the accuracy of the data;
5.1.6.2.2.
When the processing of the data is unlawful and, instead of erasing the data, you request restriction of their use;
5.1.6.2.3.
When the personal data are no longer necessary for the purposes for which they were collected or used, but they are needed by you for the establishment, exercise or defence of legal claims;
5.1.6.2.4.
When you have objected to the processing of your data – then the restriction takes place for the period necessary to consider whether – due to your particular situation – the protection of your interests, rights and freedoms overrides the interests pursued by the Controller when processing personal data.
5.1.7.
To data portability – pursuant to Art. 20 GDPR:
5.1.7.1.
You have the right to receive your personal data, which you have provided to the Controller, and then transmit it to another data controller of your choice. You also have the right to request that the personal data be transmitted by the Controller directly to such a controller, where technically feasible. In such a case, the Controller will send your personal data in the form of a csv file, which is a commonly used format, suitable for machine reading, allowing the transmission of received data to another data controller.
5.1.7.2.
In the event of exercising the above rights, the Controller shall fulfil or refuse to fulfil the request without undue delay, but no later than within one month of its receipt. However, if – due to the complexity of the request or the number of requests – the Controller is unable to fulfil the request within one month, it will fulfil it within the next two months, informing you in advance, within one month of receipt of the request, of the intended extension of the deadline and its reasons.
5.1.7.3.
You may submit to the Controller complaints, inquiries and requests regarding the processing of your personal data and the exercise of the rights vested in you.
5.1.7.4.
You have the right to request the Controller to provide a copy of the standard contractual clauses.
5.1.8.
To object to the processing of data for marketing purposes or to object to other purposes of data processing – pursuant to Art. 21 GDPR:
5.1.8.1.
You have the right to object at any time – on grounds relating to your particular situation – to the processing of your personal data, including profiling, if the Controller processes your data on the basis of a legitimate interest, e.g. analytics;
5.1.8.2.
You may object to the processing of personal data by sending an e-mail message containing information about opting out of receiving marketing communications;
5.1.8.3.
If the Controller finds your objection justified and does not have another legal basis for processing personal data, it will erase the personal data against whose processing you have objected.
5.1.9.
To withdraw consent – pursuant to Art. 7(3) GDPR:
5.1.9.1.
You have the right to withdraw any consent you have given to the Controller;
5.1.9.2.
Withdrawal of consent takes effect from the moment of expressing the intention to withdraw consent;
5.1.9.3.
Withdrawal of consent does not affect the lawfulness of the processing of personal data carried out by the Controller before the withdrawal of consent.
5.1.10.
To lodge a complaint with the supervisory authority dealing with the protection of personal data.
5.2.
Contact with the person supervising the processing of personal data in the Controller's organisation is possible electronically at the e-mail address: office@aesthetic-unit.com.
5.3.
The User has the right to lodge a complaint with the President of the Personal Data Protection Office, in the scope of violation of the User's rights to the protection of personal data or other rights granted under the GDPR.
6.
DATA RETENTION PERIOD
6.1.
The period for processing data by the Controller depends on the legal basis and the purpose of processing, in accordance with the provisions of law. In particular:
6.1.1.
In the case of data processing on the basis of the Controller's legitimate interest, e.g. for security reasons, the data are processed for the period enabling the pursuit of this interest or until an effective objection to the processing of data is raised;
6.1.2.
If the processing is based on consent, the data are processed until consent is withdrawn;
6.1.3.
In connection with the performance of the contract and the pursuit of claims and defence against claims related thereto – for the duration of the contract, and after its termination until the expiry of the limitation period for claims related thereto;
6.1.4.
In connection with the handling of requests, complaints, claims or other correspondence addressed to the Controller – until the matter covered by the request, complaint, claim or other correspondence addressed to the Controller has been clarified;
6.1.5.
In connection with the performance of legal obligations – until the obligation expires.
6.2.
The data processing period may be extended where processing is necessary for the establishment or pursuit of claims or for defence against claims, and after that period – only if and to the extent required by law. After the expiry of the processing period, the data are irreversibly deleted or anonymised.
6.3.
The Company reserves the right to process data after termination of the contract or withdrawal of consent only to the extent necessary to pursue possible claims before a court or if national or EU law, or international law, obliges it to retain data.
6.4.
Erasure of personal data may occur as a result of the withdrawal of consent or the lodging of a legally permissible objection to the processing of personal data.
7.
DATA RECIPIENTS
7.1.
In connection with the provision of services, personal data will be disclosed to external entities, including in particular:
7.1.1.
Providers of IT, hosting and IT system maintenance services – in order to ensure the proper operation of the Website, storage and management of data.
7.1.2.
Payment operators and banks – for the purpose of handling payments, settlements, where necessary.
7.1.3.
Entities providing accounting, legal or advisory services – for the performance of legal, tax obligations or the pursuit of claims.
7.1.4.
Marketing and analytical partners – for the purpose of conducting analytical, statistical and marketing activities (subject to consent).
7.1.5.
Affiliated entities – solely to the extent necessary for the provision of services or technical support.
7.1.6.
Public authorities or third parties entitled to obtain data on the basis of legal provisions – solely to the extent and for the purposes resulting from those provisions.
7.2.
The entities to which personal data are transferred, depending on contractual arrangements and circumstances, either are subject to the Controller's instructions as to the purposes and means of processing such data (processors) or independently determine the purposes and means of their processing (controllers):
7.2.1.
Processors: the Controller cooperates with entities that process personal data solely on the Controller's instructions. These include, among others, providers of hosting services, accounting services;
7.2.2.
Controllers: the Controller cooperates with entities that do not act solely on instructions and themselves determine the purposes and means of personal data processing (e.g. banks, payment operators).
8.
TRANSFERS OF DATA OUTSIDE THE EEA
8.1.
The level of personal data protection outside the European Economic Area (EEA) may differ from that provided by European law. The Controller will transfer the User's personal data only when necessary and with an adequate level of protection ensured.
8.2.
The User will be informed of each transfer of personal data outside the EEA.
9.
SECURITY OF PERSONAL DATA
9.1.
The Controller continuously conducts risk analyses to ensure that personal data are processed by it in a secure manner – ensuring, above all, that only authorised persons have access to the data and only to the extent necessary in view of the tasks they perform. The Controller ensures that all operations on personal data are recorded and carried out only by authorised employees and associates.
9.2.
The Controller takes all necessary measures to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures in every case where they process personal data on the Controller's instructions.
9.3.
The Controller applies appropriate technical and organisational measures ensuring the security of personal data processing, including, among others, data encryption, access management, monitoring of IT systems and regular security audits.
10.
CONTACT DETAILS
10.1.
Contact with the Controller is possible via e-mail: office@aesthetic-unit.com or correspondence address: ul. Aleja “Solidarności” 68 apt. 121, 00-240 Warsaw, Poland.
11.
CHANGES TO THE PRIVACY POLICY
11.1.
The Controller reserves the right to introduce changes to the Policy at any time. Updates to the Policy will be published on the website https://aesthetic-unit.com.