Privacy Policy and Cookie Policy

Last updated: May 2026

1. General Provisions

This Privacy Policy and Cookie Policy (the "Policy") describes how personal data is processed and protected in connection with the use of the ukcompany.eu web application (the "Service"), and the rules for using cookies and similar technologies.

The data controller is EXELO ITS Sp. z o.o., registered office at ul. Michala Kleofasa Oginskiego 2, 85-092 Bydgoszcz, Poland, NIP 5272857846, owner and operator of ukcompany.eu (the "Controller").

The Controller processes personal data in accordance with Regulation (EU) 2016/679 (GDPR), the Polish Data Protection Act of 10 May 2018, the Act of 18 July 2002 on electronic services, and the Act of 12 July 2024 – Electronic Communications Law.

To the extent that the processing concerns natural persons subject to the UK data protection regime, the Controller also has regard to the UK GDPR and the Data Protection Act 2018.

The Controller ensures that personal data is: processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and kept up to date; stored no longer than necessary; processed with appropriate security.

The Controller has not appointed a Data Protection Officer. For data protection matters, please contact the Controller at: office@exelo.pl.

2. Nature of the Service — a service exclusively for professional business users (B2B)

The Service is intended exclusively for professional business users. The paid services of the Service are not directed at consumers or persons using the Service for private, personal, family or household purposes. The mere technical availability of the Service in a given country does not mean that the Service is directed at consumers in that country.

The publicly available pages of the Service (the website) may be viewed by persons from various countries. This does not change the business nature of the paid services or the scope in which they are offered. This Policy is consistent with the Terms of Service, which establish a B2B-only service model.

3. Definitions

  • Controller – EXELO ITS Sp. z o.o., the entity determining the purposes and means of processing.
  • Personal data – information relating to an identified or identifiable natural person.
  • GDPR – Regulation (EU) 2016/679 on the protection of personal data.
  • Service – the ukcompany.eu web application and the features provided therein.
  • Report – a compilation of information about a business entity (Counterparty), generated from registry data and other lawful sources, made available to the Account User.
  • Visitor – a person browsing the publicly available pages of the Service without creating an Account.
  • Account User – a natural person acting as an entrepreneur or on behalf of a Business Customer, holding an Account in the Service.
  • Business Customer / Organization – an entrepreneur, legal person, organizational unit or other entity conducting business activity, on whose behalf the Account User acts.
  • Contact person / representative of the Customer – a person designated for contact, billing, account administration or representation of the Business Customer.
  • Person appearing in a Report – a natural person whose data appears in public registries, official state databases or other lawful sources of the United Kingdom and is presented in a Report, e.g. a director, secretary, person with significant control (PSC), officer, beneficial owner, self-employed person, or a person representing or connected with a business entity.
  • Counterparty – a business entity whose data is presented in a Report for verification.
  • Cookies – text files and similar technologies stored on a terminal device while using the Service.

4. Categories of Data Subjects

The Controller processes personal data of the following categories of persons:

  • Visitors – with respect to data collected automatically while browsing the public pages of the Service (e.g. technical data, cookies).
  • Account Users and persons representing a Business Customer – with respect to data provided when creating and managing an Account and Organization and using the services, as well as data collected automatically.
  • Contact persons / representatives of the Customer – with respect to data necessary for servicing, billing and representing the Business Customer.
  • Persons appearing in Reports – natural persons whose data is disclosed in public registries or other lawful sources (e.g. board members, shareholders, proxies, attorneys-in-fact, beneficial owners, self-employed persons) and presented in Reports to enable verification of a Counterparty. Details on this category are described in Section 6.

5. Purposes and Legal Bases of Processing

A. Account Users and persons representing a Business Customer. The Controller processes data for the purposes of: managing the Account, Organization and access to the Service; performing the agreement with the Business Customer; handling payments, invoices and settlements; technical and organizational communication; ensuring security, keeping logs and preventing abuse; and establishing and defending legal claims.

Legal bases for this category:

  • Art. 6(1)(b) GDPR (performance of a contract) — only where the natural person is directly a party to the contract, e.g. a self-employed person (sole proprietorship);
  • Art. 6(1)(f) GDPR (legitimate interest) — where the person acts on behalf of a company, organization or other Business Customer; the legitimate interest being the provision of services to the Business Customer and maintaining the business relationship;
  • Art. 6(1)(c) GDPR (legal obligation) — accounting, taxes and other statutory obligations;
  • Art. 6(1)(a) GDPR (consent) — marketing consents, newsletter and non-essential cookies, where used.

B. Persons appearing in Reports. The legal basis is Art. 6(1)(f) GDPR and, to the extent the UK data protection regime applies, correspondingly Art. 6(1)(f) UK GDPR, i.e. the legitimate interest of the Controller and professional business users. That interest consists in enabling access to registry and business information supporting professional business users' own assessment of cooperation risk, preventing abuse, and protecting the security of commercial transactions.

The Controller has carried out a legitimate interest assessment (balancing test), taking into account the public nature of the data sources, the business purpose of processing, the limited scope of data processed, and the rights and freedoms of the data subjects. In the Controller's assessment, the processing does not override the interests or fundamental rights and freedoms of these persons, given that the data comes from public sources and is used for a professional, limited purpose of counterparty verification.

6. Information for Persons Whose Data Appears in Reports

This section is addressed to natural persons whose data may be presented in Reports (e.g. board members, shareholders, proxies, attorneys-in-fact, beneficial owners, self-employed persons or persons representing a business entity).

Categories of data that may be processed:

  • first and last name;
  • function and role within the entity;
  • connections with the business entity;
  • dates of appointment, taking office, or removal;
  • activity status;
  • registry data and public identifiers;
  • other data disclosed in registries or other lawful sources.

Data sources: the data comes from public registries, official state databases and other lawful sources (see Section 7).

Purpose of processing: the data is presented to professional business users in order to enable the verification of counterparties and to support those users' own assessment of cooperation risk. A Report is informational only.

The Controller is not the original source of registry data, does not make entries in the public registries of the United Kingdom and has no influence over the content of the data disclosed in those registries. The Controller presents data to the extent it has been disclosed in the source, subject to the functionality and scope of the Service.

A person whose data appears in a Report may submit a request for access, rectification, restriction of processing, objection or any other request provided for under the GDPR (see Section 13). An objection to processing will be considered individually, taking into account the interests of the person and the legitimate interest of the Controller and business users.

7. Information Obligation for Data Obtained from External Sources (Art. 14 GDPR)

Where data is not obtained directly from the data subject but from public registries or other lawful sources, the Controller fulfils the information obligation referred to in Art. 14 GDPR by making this Policy available and — where required and possible — in another appropriate manner.

In cases where individually informing each person appearing in public registries would require a disproportionate effort, the Controller may fulfil the information obligation by publicly providing this information, in accordance with Art. 14(5) GDPR, following an appropriate assessment.

In respect of data obtained from public registries, official state databases or other lawful sources of the United Kingdom, the Controller may fulfil the information obligation in this manner where individually informing each person would require a disproportionate effort.

8. Scope and Sources of Data Collected

Data provided by the Account User or the Customer's representative:

  • email address and password (stored solely as cryptographic hashes);
  • full name (optional);
  • Organization data: company name, tax identifier (NIP / VAT ID / TAX ID), address — for business accounts;
  • contact person / representative data for servicing and billing;
  • content of messages sent via the contact form.

Data collected automatically during use:

  • IP address, browser and operating system information, approximate location;
  • server logs, login dates and times, pages viewed, features used;
  • cookie identifiers.

Data obtained from external sources (presented in Reports):

Data presented in Reports may come from public registries, official state databases and other lawful sources of the United Kingdom, as well as from commercial data providers, provided that such data has been made available lawfully.

Contains public sector information licensed under the Open Government Licence v3.0.

9. Voluntary Nature of Providing Data

Providing personal data by the Account User is voluntary but necessary to create an Account, purchase credits, and use the full functionality of the Service. Failure to provide the required data prevents the provision of those services.

Providing data identifying business activity (e.g. VAT ID) is required for Users outside Poland and for issuing an invoice.

10. Data Recipients

Personal data may be shared with the following categories of recipients:

  • Hosting, database and authentication infrastructure provider — providing data storage and Service operation, with servers located in the European Union (Frankfurt, Germany). The entity processes data under a data processing agreement and Standard Contractual Clauses where applicable.
  • Network services (CDN), DDoS protection and edge hosting provider — ensuring the security, availability and performance of the Service.
  • Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, USA) — payment processor. Payment card data is tokenized directly by Stripe and is not stored on the Controller's servers. Stripe is PCI DSS Level 1 certified and participates in the EU-US Data Privacy Framework.
  • providers of accounting, legal and IT services to the Controller;
  • public authorities — only where disclosure is required by law.

A data processing agreement ensuring lawful and secure processing is concluded with each processor acting on the Controller's behalf.

11. Business Users Outside the European Economic Area

The Service may be technically accessible from various countries worldwide. Technical availability does not mean that the paid services are directed at consumers in those countries.

  • A business User outside the European Economic Area (EEA) is responsible for the compliance of their use of the Service and Reports with the law of their country of establishment, the country in which they conduct business, and the country to which the data relates.
  • If a User outside the EEA accesses a Report containing personal data, they undertake to apply appropriate technical and organizational measures to protect that data.
  • The User may not share Reports with unauthorized persons, resell them, copy them in bulk, or use them to build a competing database.

12. International Data Transfers

Given that data may originate from sources in the United Kingdom, processing may involve the flow of data between the United Kingdom and the European Economic Area. The Controller applies the appropriate bases and safeguards required by the GDPR, the UK GDPR and the rules on international data transfers, where applicable.

Some of the Controller's processors may be based outside the EEA (including in the USA). In such cases, data transfers are safeguarded by:

  • EU-US Data Privacy Framework certification — where the provider is actively certified, or
  • Standard Contractual Clauses approved by the European Commission, where applied, and
  • storing data in the European Union where technically feasible.

Accessing a Report by a business User established or operating outside the EEA may result in data being made available outside the EEA. The User is responsible for the further use of that data, in accordance with the Terms of Service and applicable law.

13. Rights of Data Subjects

Every data subject has the following rights:

  • right of access and to obtain a copy of the data;
  • right to rectification of inaccurate or incomplete data;
  • right to erasure ("right to be forgotten") — in cases specified in Art. 17 GDPR;
  • right to restriction of processing — in cases specified in Art. 18 GDPR;
  • right to data portability — for data processed under a contract or consent;
  • right to object — to processing based on legitimate interest, including direct marketing;
  • right to withdraw consent — at any time, without affecting the lawfulness of processing carried out before withdrawal;
  • right to lodge a complaint with a competent supervisory authority — the President of the Polish Data Protection Office (ul. Stawki 2, 00-193 Warsaw), the authority of your country of habitual residence, and — in respect of the UK data protection regime — the competent authority in the United Kingdom (the Information Commissioner's Office, ICO).

The Controller responds to a request, as a rule, within one month of receipt. In complex cases or where there is a large number of requests, this period may be extended by a further two months, of which the person will be informed. To confirm identity, the Controller may request additional information.

Erasure or rectification of data in the Service does not always mean a change of data in a public registry. For data originating from a public registry, the person may also be required to contact the relevant registry to change the source data, as the Controller has no influence over the content of entries in such registries.

To exercise these rights, please contact: office@exelo.pl.

14. Data Retention

  • Account data — for the period the Account is held, and after deletion until the periods below expire and for the time needed to delete backups (up to 30 days).
  • Organization data — for the term of the agreement with the Business Customer and for the period needed to settle that agreement.
  • Billing and invoicing data — for the period required by tax and accounting law (as a rule 5 years from the end of the year in which the tax obligation arose).
  • Security logs — for the period necessary to ensure Service security, no longer than 12 months.
  • Contact data (e.g. correspondence, contact form) — for the time needed to handle the matter and 12 months thereafter.
  • Marketing data — until consent is withdrawn or an objection is raised.
  • Report data — an unlocked Report is available to the User for 30 days from unlocking.
  • Cache of data fetched from sources — data fetched from public registries is cached as a rule for up to 1 hour (with exceptions, e.g. ECB exchange rates, up to 24 hours) and then refreshed.
  • Information on transactions and unlocked Reports — for the period required by settlement and tax law (as a rule 5 years).
  • Data for establishing and defending claims — until the limitation periods expire (up to 6 years).

15. Data Security

The Controller applies technical and organizational measures ensuring data protection appropriate to the risks and categories of protected data, in particular:

  • encryption of data transmission (HTTPS/TLS);
  • passwords are stored solely as cryptographic hashes using appropriate security mechanisms;
  • protection of data requiring heightened protection;
  • access controls and authentication mechanisms;
  • storing data on infrastructure located in the European Union;
  • regular backups and security monitoring.

16. Profiling and Automated Decisions

The Controller does not make decisions about Users based solely on automated processing, including profiling, that would produce legal effects or similarly significantly affect them within the meaning of Art. 22 GDPR.

Reports should not be used by Users as the sole basis for solely automated decisions about natural persons where such decisions produce legal effects concerning them or similarly significantly affect them.

17. Marketing and Electronic Communications

  • Marketing communications (email, newsletter or similar activities) are carried out only on an appropriate legal basis, in particular consent where required.
  • Consent to marketing communications may be withdrawn at any time.
  • Technical and security messages and information regarding the operation of the Account and the Service do not constitute marketing and may be sent to provide the service.

18. Cookies and Similar Technologies

The Service uses cookies and similar technologies. Essential cookies are used to ensure the proper operation of the Service, to maintain login sessions, for security and to provide the core functions of the Service. To the extent that the use of cookies involves the processing of personal data, the legal basis for processing in the case of essential cookies is Art. 6(1)(f) GDPR, i.e. the Controller's legitimate interest in ensuring the security, availability and proper operation of the Service, and — for functions available after logging in — also Art. 6(1)(b) GDPR, where processing is necessary to perform a contract or take steps at the User's request.

Cookies and similar technologies other than essential, in particular analytical, non-technically-required functional and marketing cookies, are used only after obtaining the User's consent, where such consent is required by applicable law. The legal basis for processing personal data in such a case is Art. 6(1)(a) GDPR. The storage of, or access to, information on the User's terminal device takes place in accordance with the applicable electronic communications and privacy rules. Consent is voluntary and can be withdrawn at any time.

Cookie categories:

  • Essential — maintaining login sessions and core Service functions; always active.
  • Analytical — analysis of Service usage for improvement.
  • Functional — remembering User preferences (e.g. language selection).
  • Marketing — where used.

A detailed list of the cookies and similar technologies used is set out in the table below:

| Name / technology | Provider | Purpose | Category | Retention period | First-party / third-party | Transfer outside EEA |
|---|---|---|---|---|---|---|
| authentication token (Local Storage) | {domain} | Maintaining login session | Essential | Until logout or token expiry | First-party | No |
| __cf_bm | CDN/WAF provider | Protection against bots and attacks | Essential | 30 minutes | Third-party | Possible |
| cf_country | {domain} | Remembering User's country for currency detection | Functional | 1 day | First-party | No |
| redirect to payment processor | Stripe | Payment processing — cookies are set by Stripe exclusively on its own domain (checkout.stripe.com), not within the {domain} Service | Essential (payment context) | As per Stripe's policy | Third-party | Yes (USA, EU-US DPF) |
| language preference (Local Storage) | {domain} | Remembering language selection | Functional | Until browser data is cleared (typically 12 months) | First-party | No |
| application preferences (Local Storage): theme, country, currency, exchange rates, unfinished search context | {domain} | Remembering User settings and local technical data | Functional | From a few hours to 12 months (e.g. exchange rates 6 hours, search context 24 hours, other preferences until browser data is cleared) | First-party | No |

Users can also manage cookies via their browser settings. Disabling essential cookies may prevent use of the Service.

19. Minors

The Service is intended exclusively for business use and is not directed at persons under 18 years of age. The Controller does not knowingly collect data of minors.

20. Changes to This Policy

The Controller reserves the right to amend this Policy. Users will be notified of material changes via a notice in the Service or by email. The current version of the Policy is always available in the ukcompany.eu Service (the "Privacy Policy" page).

21. Contact

For matters related to personal data processing and the exercise of rights, please contact us at: office@exelo.pl

EXELO ITS Sp. z o.o.
ul. Michala Kleofasa Oginskiego 2
85-092 Bydgoszcz, Poland