Privacy policy

Dear Sir or Madam,

We are committed to protecting the personal data we collect in accordance with national laws and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of May 4, 2016, p. 1, as amended by the corrigendum published in OJ EU L 127 of May 23, 2018, p. 2), hereinafter referred to as the “GDPR.”

We present this Privacy Policy so that every person with whom we establish a relationship is aware of:

This Privacy Policy may be supplemented with information provided when personal data is collected, for example in contact, recruitment, or newsletter subscription forms, or within a reasonable period—no later than one month—if data is collected from indirect sources, i.e., not directly from the data subjects.

1. Personal Data Controller

  1. The controller of personal data is GoNextStage spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw, address: Przemysłowa 30, 00-450 Warsaw, entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS number 0000796674, NIP 7010937522, REGON 383973993, share capital: PLN 5,000.00.
  2. In certain cases, we may also process data as a recipient, joint controller, or processor.

2. Data Protection Officer (DPO)

  1. To oversee matters related to personal data protection and provide detailed information, we have appointed, as controller or joint controller, a Data Protection Officer (DPO): Maciej Strycharz.
  2. You may contact the DPO by email at io*@*********ge.com or in writing at the address of our registered office.

3. Data Subjects

  1. Business Customers
    1. As controller, we process personal data for the purpose of entering into and/or performing an agreement (Article 6(1)(b) GDPR where the party to the agreement is a sole proprietor; Article 6(1)(f) GDPR where the party to the agreement is a corporate customer) concerning the IT services and solutions we provide. In addition, data is processed for purposes arising from legitimate interests (Article 6(1)(f) GDPR), such as communication, responding to inquiries, conducting sales analyses (analytical profiling: sales or marketing profiling related to services), establishing, defending, and pursuing claims, as well as (Article 6(1)(c) GDPR) in connection with the performance of legal obligations incumbent on the controller, for example reporting, tax, or accounting obligations.
    2. The categories of data processed may include identification data, such as first and last name; business contact and address details, such as email address, phone number, address, position, function, NIP, REGON, KRS, etc.
    3. Data will be stored for at least 5 years, calculated from the end of the calendar year in which the tax payment deadline expired in connection with the performed agreement or service. After our relationship ends, data will be archived for the standard period of 6 years, ending on the last day of the calendar year, unless applicable law provides otherwise. In the event of an ongoing dispute or proceeding, the archiving period is calculated from the date on which the last such dispute or proceeding is finally concluded. If applicable law provides for a longer data retention period or limitation period for claims, we apply the longer period.
    4. Data subjects have the right to access their data, rectify it, erase it, restrict its processing, and object to the processing of their data. Data subjects also have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw). Detailed information about your rights is provided later in this Privacy Policy.
  2. Recipients of commercial information, including subscribers to the controller’s newsletters
    1. As controller, we process personal data on the basis of voluntarily given consent (Article 6(1)(a) GDPR). Consent may be given by selecting the appropriate checkbox or through an implied action, such as providing an email address or phone number in a form. We process data in order to send commercial information, in particular information about our IT services and solutions, news, events, and promotions. Consent may be withdrawn at any time by clicking the relevant link in the message received or by sending a request to io*@*********ge.com. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
    2. The categories of data processed may include identification data, such as first and last name, and contact details, such as email address or phone number.
    3. Data will be stored until consent is withdrawn.
    4. Recipients of commercial information, including newsletter subscribers, have the right to withdraw consent, access their data, rectify it, restrict its processing, object to its processing, and lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw). Detailed information about your rights is provided later in this Privacy Policy.
  3. Job applicants employment contract, civil-law contract, B2B
    1. As controller, we process personal data for recruitment and employment purposes.
    2. The legal basis for processing personal data for recruitment and employment under an employment contract is Article 22(1) § 1 of the Act of June 26, 1974, the Labor Code, in conjunction with Article 6(1)(c) GDPR, which also defines the scope of data we are entitled to request from a candidate. Providing additional personal data in recruitment documents, including special categories of data sensitive data, beyond the scope specified by law, will be treated as consent to its processing Article 6(1)(a) GDPR. Giving consent is voluntary, and consent may be withdrawn at any time without affecting the lawfulness of processing carried out before its withdrawal.
    3. The legal basis for processing personal data for recruitment for employment under a civil-law contract B2B is the applicant’s consent Article 6(1)(a) GDPR, and, after the candidate is selected, Articles 734 et seq. of the Act of April 23, 1964, the Civil Code, in conjunction with Article 6(1)(b) of Regulation 2016/679 GDPR.
    4. If the applicant does not give additional consent to participate in similar recruitment projects for the period specified in the relevant clause, we will store the data for no longer than 3 months from the date the recruitment process ends or until consent is withdrawn, which we also understand to include withdrawal from participation in the recruitment process.
    5. Recipients of data, pursuant to Article 6(1)(f) GDPR, may include providers of IT support services, including email hosting, and business support services.
    6. In connection with the processing of their data, candidates have the right to request access to their personal data and rectification of that data, the right to lodge a complaint with the President of the Personal Data Protection Office ul. Stawki 2, 00-193 Warsaw, and, in certain cases, the right to restrict processing and the right to erasure.
    7. Providing data in order to participate in recruitment is voluntary.
    8. In the case of recruitment for employment under an employment contract, application documents should include, in accordance with Article 22(1) § 1 of the Act of June 26, 1974, the Labor Code, the following information: first name or names and last name, date of birth, contact details, education, professional qualifications, and employment history. Providing other personal data is not mandatory.
    9. In the case of recruitment for employment under a civil-law contract B2B, application documents should include the candidate’s basic data required for recruitment purposes.
  4. Suppliers of goods and services, contractors, and partners
    1. As controller, we process personal data for the purpose of performing an agreement or taking steps prior to entering into an agreement (Article 6(1)(b) GDPR where the party to the agreement is a sole proprietor; Article 6(1)(f) GDPR where the party to the agreement is a contractor or corporate partner) and for the purpose of pursuing legitimate interests (Article 6(1)(f) GDPR).
    2. The categories of data processed may include identification data, such as first and last name, PESEL, NIP, REGON, and KRS; and business contact and address details, such as email address, phone number, business address or registered office address, position, or function.
    3. Data will be stored for at least 5 years, calculated from the end of the calendar year in which the tax payment deadline expired. After our relationship ends, data will be stored for the standard archiving period of 6 years, ending on the last day of the calendar year, unless applicable law provides otherwise. In the event of an ongoing dispute or proceeding, the archiving period is calculated from the date on which the last such dispute or proceeding is finally concluded. If applicable law provides for a longer data retention period or limitation period for claims, we apply the longer period.
    4. Suppliers, contractors, or partners have the right to access their data, rectify it, erase it, restrict its processing, object to its processing, and lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw). Detailed information about your rights is provided later in this Privacy Policy.
    5. Providing personal data is a contractual requirement. Failure to provide data may make it impossible to enter into or perform an agreement.
  5. Users of online forms
    1. As controller, we process personal data for the purpose of pursuing legitimate interests (Article 6(1)(f) GDPR), such as communication and responding to inquiries. In certain situations, for example when personal data is submitted through our forms, we may process data on the basis of consent expressed through the user’s implied action (completing the form and using the “send,” “subscribe,” or “apply” function), in accordance with Article 6(1)(a) GDPR.
    2. The categories of data processed may include identification data, such as first and last name, and contact or address details, such as email address or phone number.
    3. Data will be stored for the period necessary to fulfill the purposes for which it was collected. More information is available in our Terms and Conditions for the Provision of Electronic Services.
    4. Users of our forms have the right to access their data, rectify it, erase it, restrict its processing, object to its processing, and lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw). Detailed information about your rights is provided later in this Privacy Policy.

4. Recipients of Personal Data

    1. Recipients of personal data may include independent controllers, joint controllers, or processors within the meaning of Article 28 GDPR, such as providers of IT, communication, marketing, and hosting services.
    2. Each partner to whom we entrust the processing of personal data (processor) or to whom we disclose data (separate controller) will process it in accordance with the relevant legal provisions and agreements, and for the purpose of performing an agreement, arrangement, or cooperation. Such processing will be carried out in accordance with applicable law and our internal policies, procedures, and standards.
    3. Public authorities may also have access to personal data in accordance with applicable law.

5. Transfers of Data Outside the European Economic Area (EEA)

  1. As a rule, we process personal data locally in Poland or within the European Economic Area. This also applies to partners whose services we use or may use in the future.
  2. If it becomes necessary to transfer data outside the EEA, we will ensure appropriate safeguards in accordance with Articles 44–49 GDPR.

6. Rights Related to the Processing of Personal Data

Right to withdraw consent at any time (Article 7(3) GDPR).

7. Collection of Personal Data

  1. As a rule, personal data is obtained directly from the data subjects (Section IV of this Privacy Policy). In certain cases, personal data may be obtained from other sources, such as:
    1. Employers or entities with which data subjects are affiliated — personal data may be obtained from an employer or from an entity with which the data subject is affiliated.
    2. Third parties — personal data may be obtained from third parties, for example when a supplier, contractor, or partner is referred by a person who knows them and recommends them for cooperation.
    3. Other business partners — personal data may be provided by business partners with whom we cooperate in connection with agreements, projects, or other undertakings or activities.
  2. Whenever we obtain data from other sources, we take steps to ensure that the data has been provided in accordance with applicable law and that the data subject has been properly informed about the processing of their personal data.

8. Types and Purposes of Cookies Used and Cookie Settings

  1. The user may choose which cookies they consent to, subject to certain exceptions indicated in the Cookie Policy.
  2. Detailed information is available in the Cookie Policy.

9. Changes to the Policy

  1. We reserve the right to update this Privacy Policy in the following cases:
    1. The need to adapt it to applicable law.
    2. A change in the interpretation of legal provisions.
    3. The need to adapt it to court rulings, decisions, recommendations, or guidelines issued by competent offices or authorities.
    4. The need to correct errors or typographical mistakes.
    5. Changes to identification or contact details.
    6. Changes to the services provided or to the channels through which personal data is collected.
  2. Any changes will be made available on our websites and will take effect immediately upon publication.

Last updated: July, 2026.