Privacy policy

Last updated: 01.01.2026

§ 1. General information

  1. This Privacy Policy sets out the rules for the processing of personal data by Tovoda sp. z o.o., as well as the rules for the use of Cookies and tracking technologies within the operation of the Platform.
  2. The Platform enables, among other things, access to data made available by Tovoda, integration with Tovoda's services and products, and contact with Tovoda. The data controller is Tovoda, in accordance with the further provisions of the Policy.
  3. For the purposes of this Policy, the following terms have the following meanings:
    1. Controller – the controller of personal data, i.e. the entity that independently determines the purposes and means of processing personal data. The Controller is Tovoda;
    2. Cookies – IT data saved on the User's end device, used among other things for the proper operation of the Platform and for statistical and marketing purposes;
    3. Personal data – information about an identified or identifiable natural person, processed via the Platform;
    4. Platform – the Tovoda mobile application, website and shop available at www.tovoda.pl, and the Tovoda system available at system.tovoda.pl;
    5. Policy – this Privacy Policy;
    6. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
    7. Tovoda – Tovoda sp. z o.o. with its registered office in Habdzin (05-520) at Habdzin 73A, NIP: 1231582623, REGON: 54200484000000, entered into the register of entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register under KRS number 0001178886;
    8. User – any natural person using the Platform.
  4. The entity responsible for carrying out the tasks indicated in the Policy is the Controller.
  5. Users' personal data is processed in accordance with:
    1. the Act of 10 May 2018 on the Protection of Personal Data (Dz.U. z 2018 r., poz. 1000 z późn. zm.),
    2. the provisions of the GDPR,
    3. the Act of 18 July 2002 on Providing Services by Electronic Means (Dz.U. z 2020 r., poz. 344 t.j.).

§ 2. Personal data controllers

  1. The controller of the personal data of Platform Users, persons using the contact forms, and all data collected in connection with the operation of the Platform is Tovoda.
  2. In matters concerning the processing of personal data by Tovoda, you may contact us by email: biuro@tovoda.pl or in writing to Tovoda's registered office address.

§ 3. Categories of data and their sources

  1. The scope of personal data processed by Tovoda depends on the type of relationship with the User and the purpose of the processing. Personal data may be obtained directly from the User or from the technical systems used by the Platform.
  2. In particular, the following personal data may be processed:
    1. Identification and contact details of Users:
      1. first and last name,
      2. email address,
      3. telephone number,
      4. affiliation, position,
      5. the name and address of the institution or company,
      6. correspondence address,
      7. tax identification number (NIP – in the case of business activity),
      8. KRS number,
      9. IP address,
      10. electronic signature (if used).
    2. Data concerning the use of the Platform and its functions:
      1. data provided in forms,
      2. session and activity history data (session duration, clicks, language preferences),
    3. Data collected automatically by the Platform's ICT systems:
      1. IP address,
      2. data on the operating system, web browser, device type and identifier,
      3. system logs and diagnostic data (e.g. error messages, HTTP response codes),
      4. session identifiers, authorization tokens,
      5. data on how the Platform's features are used (response times, number of subpages visited, entry source).
    4. Data collected using Cookies and similar technologies:
      1. device identification data,
      2. session data,
      3. User preferences (language, Cookie consents),
      4. identifiers assigned by external tools (Google Analytics, Facebook Pixel, etc.). Detailed information is provided in § 9.
  3. Personal data may be obtained:
    1. directly from the User during registration or use of the Platform,
    2. from third parties (e.g. the User's representatives, external verification providers),
    3. from publicly available databases or registers.
  4. Personal data is processed in accordance with the principle of minimization, to the extent necessary to achieve the purposes indicated in the following paragraphs of the Policy.

§ 4. Purposes and legal bases of processing

  1. Personal data is processed by Tovoda in order to perform specific functions of the Platform, based on the appropriate legal grounds in accordance with Article 6 GDPR.
  2. Personal data is processed for the following purposes:
    1. providing electronic services and ensuring the functionality of the Platform – pursuant to Article 6(1)(b) GDPR (necessity for the performance of a contract),
    2. ensuring the technical security and operation of the Platform, including creating technical logs and keeping operation records – pursuant to Article 6(1)(f) GDPR (the Controller's legitimate interest),
    3. handling inquiries submitted via forms, applications, and email correspondence – pursuant to Article 6(1)(f) GDPR (legitimate interest) or Article 6(1)(a) GDPR (consent, where required),
    4. conducting marketing activities for our own products and services, including by sending newsletters – pursuant to Article 6(1)(a) GDPR (consent) or Article 6(1)(f) GDPR (legitimate interest),
    5. analyzing the operation of the Platform and introducing improvements – pursuant to Article 6(1)(f) GDPR (legitimate interest),
    6. conducting analyses and statistics on the use of the Platform in order to improve and develop it – pursuant to Article 6(1)(f) GDPR,
    7. pursuing or defending against claims – pursuant to Article 6(1)(f) GDPR,
    8. conducting technical tests and developing the Platform using test data, anonymized data, or – to a minimal extent – actual operational data – pursuant to Article 6(1)(f) GDPR,
    9. preventing abuse, ensuring payment security, blocking unauthorized access, detecting hacking attempts or unauthorized use of the Platform – pursuant to Article 6(1)(f) GDPR (the Controller's legitimate interest),
    10. fulfilling tax and accounting obligations, including the archiving of accounting and transaction documents – pursuant to Article 6(1)(c) GDPR.
  3. Providing personal data by the User is voluntary, but may be necessary to use certain Services. In cases where the provision of data is required by law or necessary to perform the functions of the Platform, failure to provide it may prevent the use of the given Service. In all other cases, the provision of data is voluntary.
  4. Where data is collected on the basis of consent, the User has the right to withdraw it at any time, without affecting the lawfulness of the processing carried out before its withdrawal.
  5. To the extent necessary for the proper functioning of the Platform and its functionalities, the Platform uses the User's metadata. Metadata means the process by which the IT system reads and recognizes the configuration and components of the computer used by the User in order to adapt the page to its capabilities and to establish a secure connection between the User's computer and the Platform. Importantly, such metadata cannot lead to the identification of the User, nor is it in any way harmful to the data stored on the computer. Nevertheless, the User has the right at any time to withdraw consent to the processing of metadata by appropriately configuring their browser or device, or by installing an appropriate plug-in provided by the browser or device manufacturer. To do so, the User should consult the software manufacturer and its recommendations.
  6. The Controller does not carry out profiling or make automated decisions concerning Users that produce legal effects or similarly significantly affect them.

§ 5. Processors and data recipients

  1. Personal data processed within the Platform may be entrusted to external service providers acting on Tovoda's behalf, in accordance with Article 28 GDPR.
  2. Data may be processed by entities providing services in the areas of:
    1. hosting and data storage (e.g. Amazon Web Services),
    2. mailing and communication automation (e.g. Mailgun, Brevo),
    3. technical support and analytics of the Platform's operation,
    4. the administrative maintenance of internal systems and tools,
    5. payment processing and transaction handling.
  3. Tovoda may use further processors (sub-processors), a list of whose categories or names is made available on the Privacy Policy website. All processors operate on the basis of appropriate data processing agreements and ensure at least an equivalent level of security and compliance with the GDPR.
  4. Personal data may also be disclosed to authorized public authorities where such an obligation arises from mandatory provisions of law.

§ 6. Transfer of data outside the EEA

  1. Personal data processed within the Platform may be transferred outside the European Economic Area (EEA) only where this is necessary for the provision of services rendered by Tovoda or its processors – in particular when using tools offered by providers established outside the EEA (e.g. Google LLC, Mailgun Technologies, Inc.).
  2. In the cases referred to in paragraph 1 above, the transfer of data takes place in accordance with Chapter V of the GDPR, and in particular on the basis of:
    1. standard contractual clauses adopted by the European Commission (SCC),
    2. a European Commission decision confirming an adequate level of protection,
    3. binding corporate rules or other safeguard mechanisms provided for by law.
  3. Tovoda ensures that all entities processing data outside the EEA guarantee an adequate level of personal data protection and meet the requirements set out in the GDPR.
  4. The Controller always informs of its intention to transfer personal data outside the EEA at the stage of collecting such data.

§ 7. Data retention period

  1. Personal data processed by Tovoda is stored for the period necessary to achieve the purposes for which it was collected, and thereafter for the period resulting from legal provisions or the legitimate interests of the Controller, including in particular:
    1. technical data and system logs – for a period no longer than 12 months, unless applicable regulations provide otherwise,
    2. data related to financial and accounting documentation – for a period of 10 years from the end of the financial year to which it relates, in accordance with tax and accounting regulations.
  2. After the periods indicated in paragraph 1 have elapsed, personal data is permanently deleted or anonymized in a manner that prevents identification of the data subject, unless further storage is required by law.

§ 8. Rights of data subjects

  1. Every person whose data is processed in connection with the use of the Platform is entitled to the rights specified in the GDPR, in particular:
    1. the right to access your data and to obtain a copy of it,
    2. the right to rectify (correct) data,
    3. the right to erasure of data (“the right to be forgotten”),
    4. the right to restrict processing,
    5. the right to transfer data to another Controller,
    6. the right to object to data processing,
    7. the right to withdraw consent to data processing – where the processing is based on consent.
  2. In order to exercise their rights, the User should contact us at the email address: biuro@tovoda.pl or in writing to Tovoda's registered office address.
  3. Every data subject also has the right to lodge a complaint with the President of the Personal Data Protection Office if they consider that the processing of their personal data infringes the provisions of the GDPR.

§ 9. Cookies and tracking technologies

  1. “Cookies” are understood to mean IT data, in particular text files, stored on Users' end devices (usually on the computer's hard drive or on a mobile device) used by the User's browser to save certain settings and data for the purpose of using websites. These files make it possible to recognize the User's device and display the website appropriately, ensuring comfort during its use. Storing “Cookies” therefore makes it possible to properly prepare the website and offer according to the User's preferences – the server recognizes the User and remembers, among other things, preferences such as: visits, clicks, and previous actions.
  2. “Cookies” contain, in particular, the domain name of the website from which they originate, the length of time they are stored on the end device, and a unique number used to identify the browser through which the connection to the website is made.
  3. “Cookies” are used for the purpose of:
    1. adapting the content of websites to the User's preferences and optimizing the use of websites,
    2. creating anonymous statistics that, by helping to determine how the User uses websites, make it possible to improve their structure and content,
    3. providing website Users with advertising content tailored to their interests.
  4. “Cookies” are not used to identify the User, and their identity is not determined on their basis.
  5. The basic classification of “Cookies” distinguishes between:
    1. Essential “Cookies” – are absolutely necessary for the proper functioning of the website or of the functionalities that the User wishes to use, since without them we could not provide many of the services we offer. Some of them also ensure the security of the services we provide electronically.
    2. Functional “Cookies” – are important for the operation of the website because:
      1. they serve to enrich the website's functionality; without them the website will function correctly, but it will not be adapted to the User's preferences,
      2. they serve to ensure a high level of website functionality; without them the level of the website's functionality may decrease, but their absence should not entirely prevent its use,
      3. they serve most of the website's functionalities; blocking them will cause certain functions not to work properly.
    3. Business “Cookies” – enable the implementation of the business model on which the website is made available; blocking them will not render all functionality unavailable, but may reduce the level of service due to the website owner's inability to generate the revenue that subsidizes its operation. This category includes, for example, advertising “Cookies”.
    4. “Cookies” for website configuration – enable the setting of functions and services on websites.
    5. “Cookies” for website security and reliability – enable the verification of authenticity and the optimization of website performance.
    6. “Cookies” for authentication – enable notification when the User is logged in, so that the website can show the appropriate information and functions.
    7. “Cookies” examining the session state – enable the recording of information about how Users use the website. These may relate to the most frequently visited pages or any error messages displayed on certain pages. “Cookies” used to record the so-called “session state” help improve services and increase browsing comfort.
    8. “Cookies” examining processes occurring on the website – enable the smooth operation of the website and the functions available on it.
    9. Advertising “Cookies” – enable the display of advertisements that are more interesting to Users and at the same time more valuable to publishers and advertisers; “cookies” may also be used to personalize advertising, as well as to display advertisements outside websites.
    10. “Cookies” accessing location – enable the displayed information to be adapted to the User's location.
    11. “Cookies” for analytics, research, or audience audit – enable the website owner to better understand their Users' preferences and, through analysis, to improve and develop products and services. Usually, the website owner or a research company collects information anonymously and processes data on trends without identifying the personal data of individual Users.
    12. Harmless “Cookies” – include Cookies necessary for the proper operation of the website and required to enable the website's functionality to work, but their operation has nothing to do with tracking the User
    13. “Cookies” for tracking purposes – used to track Users, but not containing information that would (without other data) identify a specific User.
  6. The use of “Cookies” to adapt the content of websites to the User's preferences does not, as a rule, involve the collection of any information allowing the User to be identified, although such information may sometimes constitute personal data. Personal data collected using “Cookies” may be gathered solely for the purpose of performing certain functions for the User. Such data is encrypted in a manner that prevents access to it by unauthorized persons.
  7. The Cookies used by this website are not harmful either to the User or to the end device they use, which is why, for the proper functioning of the service, it is recommended not to disable their support in browsers. In many cases, the software used to browse websites (the web browser) by default allows information to be stored in the form of “Cookies” and other similar technologies on the User's end device. The User may at any time change the way the browser uses “Cookies”. To do so, the browser settings should be changed. The way to change the settings differs depending on the software (web browser) used. You will find the appropriate instructions on the subpages, depending on the browser you use.
  8. As part of Cookie technology, the Controller may use tracking pixels or clear GIF files in order to collect information about how the User uses its services and about the User's response to marketing messages sent by email. A pixel is a piece of software code that allows an object to be embedded on a page, usually a pixel-sized image, which makes it possible to track Users' behavior on the websites on which it is placed. After appropriate consent has been given, the browser automatically establishes a direct connection to the server storing the pixel, which is why the processing of data collected by the pixel takes place under the data protection policy of the partner administering that server.
  9. The Controller may use internet log files (which contain technical data, such as the User's IP address) in order to monitor traffic within its services, resolve technical problems, detect and prevent fraud, and enforce the provisions of the User Agreement.
  10. The Controller informs that the website does not respond to DNT (Do Not Track) signals; however, the User may disable certain forms of online tracking, including some analytical data and personalized advertising, by changing the cookie settings in their browser or by using our cookie consent tools (if applicable).
  11. Detailed information on changing Cookie settings and deleting them yourself in the most popular web browsers is available in the help section of the web browser and on the following pages (simply click the relevant link):
    1. Google Chrome
    2. Mozilla Firefox
    3. Microsoft Edge
    4. Opera
    5. Safari macOS
    6. Safari iOS/iPadOS
  12. Detailed information on managing Cookies on a mobile phone or other mobile device should be found in the user manual of the given mobile device.

§ 10. Changes to the Privacy Policy

  1. Tovoda reserves the right to change this Policy at any time, in particular in the event of:
    1. changes in the law regarding the protection of personal data or services provided by electronic means,
    2. the implementation of new Platform functionalities,
    3. the need to clarify provisions or improve their transparency,
    4. changes in technology, tools, or external services used.
  2. Users will be informed of any material change to the Policy with appropriate advance notice – at least 14 days before the changes take effect – by:
    1. a message displayed on the Platform,
    2. an email message (if the User has provided an address for communication),
    3. an update to the version of the document, indicating its effective date.
  3. Archived versions of the Policy will be available for inspection on the Platform or sent by Tovoda upon request.
  4. Continued use of the Platform after the date on which the changes take effect will be treated as acceptance of the updated content of the Policy.

§ 11. Contact details and final information

  1. In the event of questions, requests, or demands concerning the processing of personal data by Tovoda, Users may contact us by email at: biuro@tovoda.pl or by post to the registered office address.
  2. This Policy is effective from the date of its publication on the Platform's website. The current version of the document is available in the “Privacy Policy” tab.
Tovoda
Tovoda sp. z o.o.
Habdzin 73A, 05-520 Habdzin, Polska
Registered in the National Court Register maintained by the District Court for the Capital City of Warsaw, 14th Commercial Division, under KRS number 0001178886.
InstagramTikTokLinkedInFacebook
Patronite
2026 © Tovoda - All rights reserved