FOSE PRIVACY POLICY

Last updated: December 8, 2025

1. Data Controller

The controller of personal data is:

Fose sp. z o.o.
Braniborska 69
53-680 Wroclaw
VAT ID (NIP): 8971944245
e-mail: info@fose.eu

For all matters related to personal data processing, you can contact us at: info@fose.eu.

The service is intended for business customers (B2B). Account registration is available only for entities conducting business activity.

2. Scope of Processed Data

Depending on how you use the service, we may process:

  • first and last name,
  • company name,
  • VAT ID / EU VAT number,
  • registered address / delivery address,
  • e-mail address,
  • phone number,
  • invoice details,
  • order history,
  • B2B account data,
  • data of representatives or contact persons on the contractor's side,
  • technical data (IP address, cookie identifiers, browser data, system logs).

Providing data is voluntary; however, to the extent required for entering into a contract or registering an account, it is necessary. Failure to provide data prevents account registration or order fulfillment.

We process only data necessary to achieve the specified purposes.

3. Purposes and Legal Bases for Processing

We process data for the following purposes:

a) Handling inquiries (contact form)
Legal basis: Article 6(1)(f) GDPR (legitimate interest of the controller consisting in handling inquiries and business communication).
The controller's legitimate interest is handling inquiries, conducting business communication, ensuring service security, protection against abuse, and pursuing claims.

b) B2B account registration and order fulfillment
Legal basis: Article 6(1)(b) GDPR (performance of a contract or taking steps prior to entering into a contract).

c) Fulfillment of accounting and tax obligations
Legal basis: Article 6(1)(c) GDPR (legal obligation resulting from accounting and tax regulations).

d) Direct marketing (newsletter)
Legal basis: Article 6(1)(a) GDPR (consent). Newsletter messages are sent exclusively to registered B2B customers who provided voluntary consent.

Consent can be withdrawn at any time via the unsubscribe link in the e-mail message. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

e) Ensuring system security and preventing abuse
Legal basis: Article 6(1)(f) GDPR (legitimate interest of the controller consisting in protecting the service and pursuing claims).
The controller's legitimate interest is ensuring service security, protection against abuse, and pursuing claims.

4. Data of Representatives and Contact Persons

In B2B cooperation, we process data of persons representing the contractor and persons designated for contact. These data are processed in connection with contract performance and business communication.

5. Data Retention Period

We retain data as follows:

  • accounting data and sales documents - for the period required by law (as a rule, 5 years from the end of the tax year),
  • data related to contract performance - for the duration of cooperation and the limitation period for claims,
  • marketing data - until consent is withdrawn,
  • contact form data - for the period necessary to handle the inquiry,
  • system logs and technical data - for the period necessary to ensure service security.

6. Data Recipients

Data may be transferred to entities supporting our business operations, in particular:

  • hosting and IT infrastructure providers,
  • mail system providers,
  • accounting software providers,
  • payment operators,
  • courier companies,
  • analytics tools providers (Google Analytics),
  • form security tools providers (Google reCAPTCHA).

These entities process data under data processing agreements.

7. Data Transfers Outside the EEA

Due to the use of Google tools (Google Analytics and Google reCAPTCHA), data may be transferred to third countries, in particular to the United States.

Data transfers are based on a European Commission adequacy decision (EU-US Data Privacy Framework) or on Standard Contractual Clauses.

Where data are transferred outside the EEA, appropriate safeguards required by law are applied.

8. Cookies and Similar Technologies

The service uses cookies and similar technologies.

1. Technical cookies (necessary)

These files are necessary for the proper operation of the service, in particular for:

  • maintaining user session after login,
  • shopping cart operation,
  • ensuring system security,
  • protecting forms via Google reCAPTCHA,
  • remembering the user's cookie consent choice.

These cookies do not require user consent.

2. Analytics cookies (Google Analytics)

The service uses Google Analytics to analyze how the service is used and to improve it.

Analytics cookies are installed only after user consent is obtained via the cookie banner.

Consent to analytics cookies is voluntary and does not affect the ability to use the service.

Consent to analytics cookies can be withdrawn at any time by changing cookie settings.

Google Analytics may process, among others, IP address (with anonymization), device information, and on-site activity data.

These data are processed in statistical form and are not used to identify specific users.

Detailed rules for data transfers outside the EEA are described in section 7 of this Policy.

3. Remembering user choice

Information about granting or refusing analytics cookies consent is stored in a technical cookie in order to remember the user's choice.

This cookie is stored for up to 30 days.

After this period, the user will be asked again to make a choice.

The user can change their decision at any time by clicking the "Cookie settings" link available in the website footer.

Restricting technical cookies may affect proper service operation (e.g. inability to log in).

9. Google reCAPTCHA

The service uses Google reCAPTCHA to protect registration and login forms against spam and abuse.

reCAPTCHA works by analyzing user behavior to determine whether an action is performed by a human or by an automated system.

As part of this process, the following may be processed:

  • IP address,
  • device and browser information,
  • on-site activity data.

These data are processed under Article 6(1)(f) GDPR, i.e. the controller's legitimate interest in ensuring service security and protection against abuse.

Detailed rules for data transfers outside the EEA are described in section 7 of this Policy, while details on data processing by Google are available in Google's Privacy Policy.

10. Profiling and Automated Decision-Making

Personal data are not subject to automated decision-making or profiling within the meaning of Article 22 GDPR.

11. Data Subject Rights

You have the right to:

  • access data,
  • rectify data,
  • erase data,
  • restrict processing,
  • data portability,
  • object to processing (where based on Article 6(1)(f) GDPR),
  • withdraw consent at any time (if processing is based on consent).

Where processing is based on Article 6(1)(f) GDPR, you have the right to object to processing on grounds relating to your particular situation.

You also have the right to lodge a complaint with the President of the Personal Data Protection Office.

12. Changes to the Privacy Policy

We reserve the right to introduce changes to this Privacy Policy. The current version is always published in the service.