Privacy Policy
§1. DEFINITIONS
a. Controller – KFB Technologies Sp. z o.o. with its registered office in Wrocław, Mydlana 7, 51-502
Wrocław; NIP: 8951956972; KRS: 0000336485; REGON: 021059652.
b. Personal Data – any information relating to an identified or identifiable natural person, directly or
indirectly, on the basis of, inter alia, an identifier such as name and surname, identification
number, email address, telephone number, residential address, location data, online identifier
(IP), image or information collected via cookies and other similar technologies.
c. Client – an entity with which KFB has concluded the Agreement.
d. Platform – a digital platform available on the Internet at app3.rafa-imp.com, via a web browser,
operated and administered by the Controller.
e. Policy – this privacy policy.
f. Representatives – natural persons who represent the Client or who are contact persons in
connection with the conclusion and performance of the Agreement.
g. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on
the free movement of such data, and repealing Directive 95/46/EC.
h. Website – a website available at rafa-imp.com, via a web browser, operated and administered by
the Controller.
i. Agreement – an agreement concluded between the Client and the Controller covering, in
particular, the service of access to the Platform.
j. User – any natural person who uses the Website or gains access to the Platform, browses its
content or uses the services and functionalities available therein, regardless of the extent and
frequency of use.
§2. CONTACT WITH THE CONTROLLER
You can contact the Controller:
a. at the email address: info@rafa-imp.com or
b. at the correspondence address: ul. Mydlana 7, 51-502 Wrocław.
§3. PURPOSES AND LEGAL BASES FOR PERSONAL DATA PROCESSING
CONCLUSION AND PERFORMANCE OF THE AGREEMENT
The Controller processes Personal Data of Representatives:
a. for the purpose of concluding and performing the Agreement – the legal basis for processing is
the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in the performance of the
Agreement concluded between the Controller and the Client;
b. for the performance of legal obligations imposed on the Controller, including tax and accounting
obligations – the legal basis for processing is the necessity of processing to comply with legal
obligations (Article 6(1)(c) GDPR);
c. for the establishment, exercise and defense of claims – the legal basis for processing is the
Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in the defense of its business
interests.
Personal Data of Representatives, including first name, surname, email address and telephone
number, has been provided to the Controller by the Client represented by the given Representative in
connection with the conclusion or performance of the Agreement.
USE OF THE PLATFORM
The Controller processes Personal Data of Users:
a. for the purpose of providing services by electronic means consisting in enabling Users to use the
functionalities and services available within the Platform – the legal basis for processing is the
necessity of processing for the performance of a contract (Article 6(1)(b) GDPR);
b. in the case of registered Users – for the purpose of providing services related to running and
maintaining an account on the Platform – the legal basis for processing is the necessity of
processing for the performance of a contract (Article 6(1)(b) GDPR);
c. for the purpose of fulfilling statutory obligations imposed on the Controller – the legal basis for
processing is the necessity to comply with legal obligations incumbent on the Controller (Article
6(1)(c) GDPR);
d. for the purpose of handling correspondence and responding to questions asked – the legal basis
for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) consisting in answering
queries addressed to it; as regards data provided voluntarily in the queries, the legal basis for
processing is consent (Article 6(1)(a) GDPR);
e. for the purpose of handling complaints – the legal basis for processing is the necessity of
processing for the performance of the contract (Article 6(1)(b) GDPR) to which the complaint
relates;
f. for analytical and statistical purposes consisting in conducting analyses and statistics of Users’
activity on the Platform in order to improve the functionalities and services offered by the
Controller – the legal basis for processing is the User’s consent to the use of cookies and other
analytical tools (Article 6(1)(a) GDPR);
g. for the purpose of preventing abuse – the legal basis for processing is the Controller’s legitimate
interest (Article 6(1)(f) GDPR), consisting in detecting and eliminating abuse on the Platform;
h. for the purpose of establishing and pursuing claims or defending against claims – the legal basis
for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in the
protection of its rights.
If, when using the Platform, a User provides Personal Data of a third party, the Controller processes
that third party’s Personal Data, provided by the User, for the purpose of providing services by
electronic means consisting in enabling Users to use the functionalities and services available within
the Platform. In such case, the legal basis for processing is the Controller’s legitimate interest (Article
6(1)(f) GDPR), consisting in enabling Users to use the functionalities and services available within the
Platform.
If a User publishes Personal Data of another person on the Platform, they may do so only if it does not
violate applicable provisions of law or the personal rights of that person.
USE OF THE WEBSITE
The Controller processes Personal Data of Users:
a. for the purpose of providing services by electronic means consisting in enabling Users to use the
functionalities and services available on the Website – the legal basis for processing is the
necessity of processing for the performance of a contract (Article 6(1)(b) GDPR);
b. for the purpose of handling correspondence and responding to questions asked – the legal basis
for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) consisting in answering
queries addressed to it; as regards data provided voluntarily in the queries, the legal basis for
processing is consent (Article 6(1)(a) GDPR);
c. for analytical and statistical purposes consisting in conducting analyses and statistics of Users’
activity on the Website in order to improve the functionalities and services offered by the
Controller – the legal basis for processing is the User’s consent to the use of cookies and other
analytical tools (Article 6(1)(a) GDPR);
d. for the purpose of tailoring the Controller’s and partners’ ads on the Website – the legal basis for
processing is the User’s consent to the use of cookies and other marketing tools (Article 6(1)(a)
GDPR);
e. for the purpose of preventing abuse – the legal basis for processing is the Controller’s legitimate
interest (Article 6(1)(f) GDPR), consisting in detecting and eliminating abuse on the Website;
f. for the purpose of establishing and pursuing claims or defending against claims – the legal basis
for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in the
protection of its rights.
If, when using the Website, a User provides Personal Data of a third party, the Controller processes
that third party’s Personal Data, provided by the User, for the purpose of providing services by
electronic means consisting in enabling Users to use the functionalities and services available within
the Website. In such case, the legal basis for processing is the Controller’s legitimate interest (Article
6(1)(f) GDPR), consisting in enabling Users to use the functionalities and services available within the
Website.
If a User publishes Personal Data of another person on the Website, they may do so only if it does not
violate applicable provisions of law or the personal rights of that person.
§4. VOLUNTARINESS OF PROVIDING PERSONAL DATA
Providing Personal Data is voluntary, but necessary to use the services provided by the Controller or
to obtain responses to queries addressed to the Controller.
§5. PERSONAL DATA PROCESSING RETENTION PERIOD
Personal Data will be processed for the period necessary to achieve the purposes of processing. As a
rule, this period includes the duration of the Agreement, the time of providing given service (including
the period of having an active account on the Platform), or lasts until consent is withdrawn or a valid
objection to processing is lodged if the legal basis for processing is the Controller’s legitimate interest.
In the case of cookies and other analytical and marketing tools, the Controller stores Personal Data
until the expiry of the lifetime of individual cookies described in the cookie banner, until the User
deletes them from their device or withdraws the consent given. The processing period may be
extended if necessary for the pursuit, establishment or defense against claims. After its expiry, data
will be processed only to the extent required by law. Upon completion of processing, Personal Data
will be permanently deleted or anonymized.
§6. RECIPIENTS OF PERSONAL DATA
As part of achieving the processing purposes indicated in §3 above, Users’ Personal Data may be
transferred to external entities providing services to the Controller, including IT service providers,
analytics providers, as well as entities providing accounting and advisory services.
The Controller also reserves the right to disclose selected information regarding persons using the
Platform and the Website to competent authorities or third parties who submit a request for such
information, relying on an appropriate legal basis (in accordance with applicable law).
§7. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
The Controller transfers data outside the EEA only when necessary and possible while maintaining
appropriate safeguards. In practice, this means, inter alia:
a. establishing cooperation with entities located in countries which – by decision of the European
Commission – offer an adequate level of protection of Personal Data. In some cases, it may be
necessary for the given entity to participate in international programs recognized by the
Commission, committing it to applying EU standards (more information can be found here);
b. using so-called Standard Contractual Clauses (SCC), which are officially approved by the
European Commission. These clauses, together with additional safeguards, ensure that data will
be protected in a way comparable to the rules applicable within the EU (details of the SCC are
available here).
In connection with the achievement of the purposes described in this Policy, Users’ Personal Data may
be transferred outside the EEA in the following cases:
a. in connection with the use on the Website of the tools: Google Analytics, Google Tag Manager
and YouTube, Users’ Personal Data may be transferred to Google LLC, with its registered office
in the USA. Transfer of Personal Data to the provider is based on the adequacy decision referred
to in letter a. above, in connection with that provider’s entry on the list of self-certified entities
under the Data Privacy Framework;
b. in connection with the use on the Website and on the Platform of the tool Microsoft Clarity, Users’
Personal Data may be transferred to Microsoft Corporation with its registered office in the USA.
Transfer of Personal Data to the provider is based on the adequacy decision referred to in letter
a. above, in connection with that provider’s entry on the list of self-certified entities under the Data
Privacy Framework;
c. in connection with the use on the Website of the tool Calendly, Users’ Personal Data may be
transferred to Calendly LLC with its registered office in the USA. Transfer of Personal Data to the
provider is based on the adequacy decision referred to in letter a. above, in connection with that
provider’s entry on the list of self-certified entities under the Data Privacy Framework;
d. in connection with the use on the Website of the tool Linkedin Insight Tag, the provider of this tool
(LinkedIn Ireland Unlimited Company with its registered office in Ireland) may transfer Personal
Data to other entities established outside the EEA. Transfer of Personal Data is based on the
adequacy decision referred to in letter a. above, in connection with that provider’s entry on the list
of self-certified entities under the Data Privacy Framework, as well as on Standard Contractual
Clauses (SCC) referred to in point b above.
§8. USERS’ RIGHTS
Data subjects have the right to:
a. withdraw consent at any time where the legal basis for processing Personal Data is consent
(withdrawal of consent will not affect the lawfulness of processing carried out before its
withdrawal);
b. access Personal Data and receive a copy thereof;
c. rectify Personal Data or complete it;
d. request for erasure of Personal Data in cases provided for by law;
e. request restriction of processing of Personal Data;
f. object to the processing on the basis of the Controller’s legitimate interest – on grounds relating
to the particular situation of the data subject whose data is processed by the Controller;
g. object to processing for marketing purposes;
h. receive from the Controller Personal Data in a structured format and transfer the Personal Data to
another controller;
i. lodge a complaint with the supervisory authority (in Poland: President of the Personal Data
Protection Office).
To exercise these rights, please contact the Controller using the contact details provided in §2 above
or contact the competent supervisory authority.
§9. ANALYTICAL AND MARKETING TOOLS
The Controller uses cookies in the following categories: necessary, functional, analytical and
marketing:
a. necessary cookies – technical files that are essential for the Website to function properly;
b. functional cookies – files used to remember settings that tailor the Website to Users’ choices;
c. analytical cookies – files used to measure the effectiveness of marketing activities and improve
the functioning of the Website;
d. marketing cookies – files used to profile ads displayed on external websites according to Users’
preferences.
Detailed information on cookies used within a given category (including information on the name and
purpose of a given cookie and its expiry period) can be obtained via the cookie banner displayed on
the Website and on the Platform.
The use of cookies other than those necessary to display the Website and the Platform, i.e.,
functional, analytical and marketing cookies, requires separate consents from the User.
The User may give separate consents to the use of functional, analytical and marketing cookies via
the cookie banner used to manage cookies, which is displayed upon entering the Website and the
Platform. The User may manage the consents granted, including withdrawing consents at any time by
invoking the cookie banner and changing settings.
The User may also delete cookies at any time from the settings of their browser. Information on how to
do this from various browsers can be found below:
a. Google Chrome
b. Mozilla Firefox
c. Safari
d. Internet Explorer
The Controller uses tools and solutions for analytical and marketing purposes on the Website and the
Platform. Basic information about these tools is provided below. Detailed data in this respect can be
found in the privacy policy of the specific partner.
a. Google Analytics
Google Analytics cookies are used by Google to analyze how the service is used by the user, to create
statistics and reports on the functioning of the service. Google does not use the collected data to
identify the user nor does it combine this information to enable identification. Detailed information on
the scope and principles of data collection within this service is available here:
https://policies.google.com/technologies/ads?hl=pl
b. Google Tag Manager
A tool enabling easy management of tags and scripts on the site without interfering with the source
code. Controllers use it to efficiently implement analytical and marketing tools. Detailed information on
the scope and principles of data collection within this service is available here:
https://policies.google.com/privacy?hl=pl
c. Microsoft Clarity
A tool for analyzing user behavior using heatmaps and session recordings. Controllers use it to identify
usability issues and improve proper use of the Platform and the Website. Detailed information on the
scope and principles of data collection within this service is available here:
https://clarity.microsoft.com/privacy
d. Calendly
This tool enables scheduling meetings and synchronizing calendars on the Website. Users who wish
to schedule a meeting indicate an available date in the calendar and leave their Personal Data
enabling subsequent contact. Detailed information on the scope and principles of data collection within
this service is available here: https://calendly.com/legal/privacy-notice
e. Linkedin Insight Tag
A monitoring tool that collects data about users visiting a page from LinkedIn. Controllers use it for
analytics, conversion measurement and ad targeting. Detailed information on the scope and principles
of data collection within this service is available here:
https://www.linkedin.com/help/lms/answer/a489169?lang=pl-PL
f. YouTube
Video materials originating from the YouTube may be embedded on the Website. Playing such
material may involve processing of data by the provider of YouTube – Google. Detailed information on
the scope and principles of data collection within this service is available here:
https://policies.google.com/privacy?hl=pl
§10. SOCIAL MEDIA PROFILES
The Controller operates its official profiles on various social media platforms (e.g., LinkedIn, YouTube).
If the User visits the Controller’s profiles and interacts with them (e.g., by posting posts or comments),
the Controller processes Users’ Personal Data for the purpose of running the profiles and
communicating with Users. Such processing is based on the Controller’s legitimate interest consisting
in promoting its own brand and informing about the offer of products and services (Article 6(1)(f)
GDPR). Personal Data is processed until the User lodges a valid objection or stops following the
profile on the given social media platform.
When using profiles, the Controller processes only Personal Data that is disclosed publicly (e.g.,
comments). Social media platform providers (e.g., LinkedIn, Google) also process Personal Data – the
scope and purposes of Personal Data processing may differ from those of the Controller. Information
on the processing of Personal Data by social media platform providers can be found in their privacy
policies.
§11. FINAL PROVISIONS
The Policy is continuously verified and updated as necessary. The current version of the Policy was
adopted and is effective from November 17, 2025.