ContactContact
AI Training Cooperation model Integrations Case Studies
Book a live presentation
AI agent will call you back
Consultation with an expert
No commitment
JDE AI Bridge AI Practice for NetSuite RAG Knowledge Base RAG - Cloud Edition JDE Cloud Connector Doc AI Doc AI for AI Agents Voice AI Agent
Book a live presentation
AI agent will call you back
Consultation with an expert
No commitment

Privacy Policy

Xelto Sp. z o.o., Xelto Digital Sp. z o.o., Xelto Czechia s.r.o. place great importance on transparency of operations and value every individual's fundamental right to privacy. The guarantee of confidentiality and protection of your data is important to us, which is why we strive to ensure that our data processing principles comply with applicable law, as well as respect fundamental rights and freedoms, and ensure their confidentiality and proper security.

The purpose of this Privacy Policy, hereinafter referred to as the "Policy", is to inform you about matters related to the processing of personal data and privacy protection in connection with the use of our website. In the Policy, we provide you with information on how your personal data will be processed and in what manner and for what purposes such data will be used. A person who visits the website and actively uses it thereby accepts the terms set out in this document.

Information about the Data Controller

The controller of your personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "GDPR") is:

  • Xelto Sp. z o.o., ul. Winogrady 18, 61-663 Poznań, NIP: 972-12-43-826, REGON: 302415061, KRS: 0000472643;
  • Xelto Digital Sp. z o.o., ul. Kurniki 9, 31-156 Kraków, NIP: 6762580430, REGON: 386040730, KRS 0000841003;
  • Xelto Digital Czechia s.r.o., Rybná 716/24, 110 00 Prague, DIČ CZ10964452;

depending on which company's services you use.

In the context of recruitment processes and marketing activities, we act as joint controllers of your personal data. Under a written joint controllership agreement, we have agreed on the scope of our respective responsibilities for fulfilling obligations under the GDPR, in particular that:

  • We, as Controllers, are responsible for fulfilling the information obligation towards you.
  • Xelto Sp. z o.o. as Joint Controller is responsible to you for enabling the exercise of your rights. Regardless of the above, you may also exercise your rights against any of the Joint Controllers. In such a case, we will forward your request to the Joint Controller who will fulfil it.

The Controller may be contacted via the correspondence details indicated above and the following contact details:

Voluntary provision of personal data

The provision of your personal data is voluntary but necessary for the Controller to achieve its purposes.

Rights of the data subject

You have the following rights in relation to the processing of your personal data:

  • the right to request access to your personal data;
  • the right to request rectification of your personal data if you consider the data to be inaccurate or incomplete;
  • the right to request erasure of your personal data when:
    • your data are no longer necessary for the purposes for which they were collected,
    • you withdraw consent to processing and the Controller has no other legal basis for further processing,
    • you object to the processing of personal data and the Controller has no overriding legitimate grounds for further processing,
    • you object to the processing of personal data for direct marketing purposes,
    • your personal data have been processed unlawfully,
    • your personal data must be erased in order to comply with a legal obligation,
    • your personal data were collected in connection with the provision of information society services offered to a child.
    The right to erasure does not apply to data processed on the basis of applicable law or data processed for the purpose of establishing, defending or pursuing potential claims.
  • the right to request restriction of processing of your personal data when:
    • you consider the personal data to be inaccurate,
    • your personal data are being processed unlawfully but you do not want them to be erased by the Controller,
    • the Controller no longer needs your personal data but they are necessary for you to establish, exercise or defend claims,
    • you have objected to the processing of personal data;
  • the right to object to the processing of personal data where processing is based on the legitimate interests of the Controller and the objection is justified by your particular situation;
  • the right to withdraw consent to the processing of your personal data, whereby withdrawal of consent does not affect the lawfulness of processing carried out on the basis of your consent prior to its withdrawal;
  • the right to data portability where data are processed on the basis of consent or a contract;
  • the right to lodge a complaint with the supervisory authority responsible for the protection of personal data, i.e. the President of the Personal Data Protection Office, if you consider that the processing of personal data violates the GDPR. Detailed information is available at: https://uodo.gov.pl/pl/83/155.

To exercise the above rights, please contact the Controller: Xelto Sp. z o.o.; Xelto Digital Sp. z o.o.; Xelto Digital Czechia s.r.o. using the contact details provided above.

Transfer of data to third countries

As a rule, personal data will not be transferred to a third country or international organisation. However, in certain situations, personal data may be transferred to countries outside the European Economic Area. This will only occur when the conditions set out in Chapter V of the GDPR are met. In the event of a transfer of personal data to countries outside the European Economic Area, the Controller will ensure all formalities related to the proper protection of personal data, including the use of standard contractual clauses adopted by the European Commission.

Profiling

User personal data may also be processed in an automated manner, including profiling. The consequence of profiling will be the assignment of a profile to a given User for the purposes of analysis or prediction of User preferences, behaviour, attitudes and the customisation of information provided to the User via the Portals.

Purposes, legal bases and retention periods

Processing of personal data of job applicants (recruitment)

Purpose of processing personal data and legal basis:

  • Art. 6(1)(b) GDPR — entitlement to request data necessary to take action prior to entering into a contract within the scope indicated in Art. 22(1) of the Polish Labour Code;
  • Art. 6(1)(c) GDPR — in connection with Art. 22(1) of the Polish Labour Code;
  • Art. 6(1)(a) GDPR — consent of the job applicant to the processing of personal data beyond the scope indicated in Art. 22(1) of the Polish Labour Code, and where consent is given for the processing of personal data for future recruitment processes;
  • Art. 6(1)(f) GDPR — establishing, pursuing and securing potential claims and defending against claims related to recruitment processes;
  • Art. 9(2)(a) GDPR — where the job applicant provides personal data of a special category.

Obligation to provide data:

The provision of personal data is voluntary; however, failure to provide the information indicated in Art. 22(1) of the Polish Labour Code will result in the received application documents not being considered by the Joint Controllers.

Retention period:

  • Personal data will be retained for the period necessary to conduct the recruitment process — a maximum of 3 months from the date of its completion.
  • Where appropriate consent has been given for future recruitment processes, personal data will be retained for a maximum period of 12 months.

Data recipients:

  • entities cooperating with the Joint Controllers under concluded data processing agreements and ensuring that those entities apply adequate technical and organisational measures to protect data;
  • Pracuj.pl Group;
  • entities to which the Joint Controllers are obliged to transfer data under applicable law.

Processing of personal data of contractors

Purpose of processing personal data and legal basis:

  • Art. 6(1)(b) GDPR — actions aimed at entering into a contract — in the case of a potential Client who is a natural person conducting business activity or a partner in a civil partnership, being a potential Party to the contract;
  • Art. 6(1)(b) GDPR — conclusion and performance of the subject matter of the contract on which the cooperation is based — in the case of a Contractor who is a natural person conducting business activity or a partner in a civil partnership being a Party to the contract;
  • Art. 6(1)(f) GDPR — defence against or pursuit of mutual claims;
  • Art. 6(1)(f) GDPR — contact for the purpose of accepting and fulfilling orders;
  • Art. 6(1)(f) GDPR — performance of the subject matter of the contract — reviewing solution instructions;
  • Art. 6(1)(f) GDPR — contact with natural persons whose data have been provided by Contractors for the purpose of performing the subject matter of the contract, including persons authorised to represent the Contractor, employees/associates of the Contractor;
  • Art. 6(1)(c) GDPR — fulfilment of the Controller's obligations under tax and accounting legislation.

Obligation to provide data:

The provision of personal data is voluntary but necessary for the preparation of an offer, the performance of a contract, and financial settlements. Failure to provide data makes it impossible for the Controller to achieve its purposes.

Source of data:

If the Data Controller did not obtain data directly from the data subject, personal data including: first name(s) and surname, e-mail address, telephone number, position/function, place of employment may have been obtained by the Data Controller from the contract on the basis of which the Data Controller processes the data, or were provided by the Contractor.

Retention period:

  • personal data will be retained for the duration of the contract;
  • personal data contained in the contract will be processed for the period resulting from applicable law, including tax and financial reporting regulations — 5 years — calculated from the beginning of the year following the financial year in which the operations, transactions and proceedings were finally completed, repaid, settled or became statute-barred;
  • personal data may be processed for securing or defending against potential claims for the period required by applicable law;
  • in the case of potential Contractors — personal data are retained for the period necessary to achieve the processing purpose, for no longer than 3 years.

Data recipients:

  • entities cooperating with the Data Controller under concluded data processing agreements and ensuring that those entities apply adequate technical and organisational measures to protect data;
  • law firms cooperating with the Controller;
  • banks — for the purpose of financial settlements;
  • entities to which the Controller is obliged to transfer data under applicable law.

Processing of personal data for marketing purposes

Purpose of processing personal data and legal basis:

  • Art. 6(1)(f) GDPR — sending marketing information about products, services, promotions and events, as well as satisfaction surveys, to the electronic communication channels you have indicated, pursuant to consent given under Art. 398(1) of the Act of 12 July 2004 — Electronic Communications Law;
  • Art. 6(1)(f) GDPR — defence against or pursuit of mutual claims.

Obligation to provide data:

The provision of personal data is voluntary but necessary for the Joint Controllers to achieve the processing purpose.

Retention period:

Personal data will be processed until the consent given is withdrawn, an effective objection to processing is lodged, or the limitation period for claims expires.

Data recipients:

  • entities cooperating with the Data Controller under concluded data processing agreements and ensuring that those entities apply adequate technical and organisational measures to protect data;
  • entities to which the Controller is obliged to transfer data under applicable law.

Cookies and third-party tools

Types of cookies:

The Controller uses two types of cookies:

  • Session cookies: are stored on the User's Device and remain there until the end of the browser session. The stored information is then permanently deleted from the Device's memory. The session cookie mechanism does not allow any personal data or confidential information to be downloaded from the User's Device.
  • Persistent cookies: are stored on the User's Device and remain there until they are deleted. The end of a browser session or switching off the Device does not cause them to be removed from the User's Device. The persistent cookie mechanism does not allow any personal data or confidential information to be downloaded from the User's Device.

Analytical and third-party tools:

  • The Controller uses various systems for monitoring User activity on the internet provided by third-party companies, such as Google Analytics, a web analytics service offered by Google Inc. Google Analytics uses "cookies", i.e. text files placed on the User's computer that enable analysis of how the Portals are used.
  • The Controller also uses standard web server log files to count visitors to the Portal and to assess its technical capabilities. The Controller uses this information to determine how many people visit the Portal, to arrange the Portal in the most user-friendly way, and to make it simpler and more user-friendly.
  • Information generated by cookies about the User's use of the Portals (including the User's IP address) is sent to, among others, a Google Inc. server located in the USA and stored in accordance with Google's privacy policy (available at: https://www.google.com/intl/pl/privacy/privacy-policy.html). Google uses this information to evaluate use of the Portals, to compile reports for website operators on Portal activity, and to provide other services related to the use of the Portals and the Internet.
  • The Website may contain links (e.g. in the form of third-party logos) which, when activated, redirect the User to an external website. The use of such links cannot be equated with the existence of a connection between the Controller and the entity to which the external website belongs. The Controller shall in no event be liable for the consequences of such redirections and has no influence over the content of such websites. The Controller is not responsible for the content of the privacy and security policies applicable on those websites, nor for the cookies used when browsing them.
  • We work with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioural metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
  • The Controller uses Cloudflare Turnstile (Cloudflare, Inc.) to verify users of the Live Demo form in invisible mode. This service processes technical device data (e.g. IP address, HTTP headers, browser data) to distinguish humans from bots, without presenting additional challenges to the user. Processing is carried out in accordance with the Cloudflare Privacy Policy and the Cloudflare Turnstile Privacy Addendum.

Processing of personal data for contact purposes (contact form)

Purpose of processing personal data and legal basis:

  • to respond to a question submitted via the contact form, i.e. to pursue our legitimate interest in communicating with website users, and to secure potential claims related to responding to the question — on the basis of Art. 6(1)(f) GDPR;
  • to establish, pursue and secure potential claims and to defend against such claims — on the basis of Art. 6(1)(f) GDPR.

Obligation to provide data:

The provision of your personal data is voluntary but necessary to respond to your enquiry submitted via the contact form.

Retention period:

Personal data will be retained for the period necessary to respond to the enquiry submitted via the contact form. Personal data may also, to an appropriate extent, be retained and processed to secure potential claims until the limitation period expires — for the period required by law.

Data recipients:

  • entities cooperating with the Data Controller under concluded data processing agreements and ensuring that those entities apply adequate technical and organisational measures to protect data;
  • entities to which the Controller is obliged to transfer data under applicable law.

Processing of personal data within Live Demo (AI agent call)

Purpose of processing personal data and legal basis:

  • Art. 6(1)(a) GDPR — consent of the data subject, expressed by voluntarily providing a phone number in the Live Demo form, for the purpose of establishing a telephone connection by the AI agent and conducting a presentation of the Xelto AI platform's capabilities;
  • Art. 6(1)(f) GDPR — the Controller's legitimate interest in presenting products and services, and in securing or pursuing potential claims.

Obligation to provide data:

Providing a phone number is voluntary but necessary to make the call. Failure to provide a number makes it impossible to use the Live Demo service.

Retention period:

The phone number and data provided during the call will be retained for the period necessary to complete the call and handle any further enquiries — for no longer than 12 months from the date of contact, unless legal provisions require longer retention or the data are necessary to pursue claims.

Data recipients:

  • entities cooperating with the Data Controller under concluded data processing agreements, including providers of telecommunications infrastructure and AI voice technology, ensuring that those entities apply adequate technical and organisational measures to protect data;
  • entities to which the Controller is obliged to transfer data under applicable law.

Personal data protection measures

The Controller applies technical and organisational measures to ensure the protection of processed personal data appropriate to the threats and categories of data covered by protection, and in particular secures data against disclosure to unauthorised persons, removal by an unauthorised person, processing in violation of applicable regulations, and alteration, loss, damage or destruction. When processing your personal data, we apply SSL certificate connection encryption.

Final provisions

Xelto Sp. z o.o., Xelto Digital Sp. z o.o., Xelto Czechia s.r.o. reserve the right to modify this Policy at any time without notifying Users. Any amendments to this Policy will always be published on the Controllers' website. Amendments enter into force on the date of publication of the Policy.

For any questions or suggestions regarding the information presented on the Website, as well as questions concerning the protection of personal data, please contact Xelto Sp. z o.o., Xelto Digital Sp. z o.o., Xelto Czechia s.r.o. We will do our best to address any concerns.