Privacy Policy

This Privacy Policy is for informational purposes and describes the principles of processing personal data of users of the glamwerk.pl website (“Website”), including in particular data provided via the contact form (e.g., in the form of job applications, CVs/portfolios, employer inquiries).

Last updated: February 1, 2026

§1. Basic Information

  1. The owner of the glamwerk.pl Website (“Administrator”) is the Controller of personal data.
  2. Contact the Controller:
    • email: kontakt[@]glamwerk.pl
    • phone: +48 600 377 659

§2. Principles of Data Processing

The Controller processes data:

  1. in accordance with the law and based on an appropriate legal basis;
  2. fairly and transparently;
  3. for specific, clearly defined purposes;
  4. to an adequate extent (data minimization);
  5. with due care for accuracy;
  6. no longer than necessary;
  7. ensuring appropriate technical and organizational safeguards.

§3. What Data We Collect

Depending on how you use the Website, we may process:

  1. Data provided in the contact form / correspondence:
    • first and last name,
    • contact details (e.g., email, phone number),
    • message content and data contained therein,
    • attachments and information voluntarily submitted (e.g., CV, cover letter, portfolio, photos, profile links, description of experience, education, qualifications, expectations, availability, work preferences, etc.).
  2. Data concerning employers / entities seeking cooperation (if provided):
    • contact details of the submitting person,
    • organizational data necessary to handle the inquiry (e.g., company/brand name, location, job description, requirements, terms of cooperation).
  3. Technical data:
    • IP address, device/browser identifiers, server logs,
    • data from cookies and similar technologies (details in §§8–10).

Note: The Controller does not encourage the submission of sensitive data (special categories), e.g., health data. However, if such data is submitted on your own initiative, the basis for its processing must generally be explicit consent or another legal ground; otherwise, it may be deleted or anonymized.

§4. Purposes and Legal Bases for Processing

The Controller may process personal data for the following purposes:

  1. Handling inquiries and contact (contact form, email, phone)
    • purpose: responding to messages, conducting correspondence, establishing cooperation details, documenting arrangements
    • basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR) or actions prior to entering into a contract (Art. 6(1)(b) GDPR), if the contact concerns cooperation/provision of services.
  2. Receiving and analyzing applications (“CV/portfolio”) and connecting employees and employers
    • purpose: verification of the application, contact regarding an offer/cooperation, presenting the application to potential employers or partners (if applicable)
    • basis: actions prior to entering into a contract (Art. 6(1)(b) GDPR) and/or consent (Art. 6(1)(a) GDPR) — particularly when you provide data beyond the standard scope or when you request participation in future recruitment processes. In practice, consent is often appropriate especially for additional information and future processes.
  3. Conducting settlements and fulfilling legal obligations (if cooperation/agreement occurs)
    • purpose: settlements, accounting, tax obligations, archiving documents
    • basis: legal obligation (Art. 6(1)(c) GDPR) and performance of a contract (Art. 6(1)(b) GDPR).
  4. Pursuing claims and defending against claims
    • purpose: establishing, pursuing, or defending claims
    • basis: legitimate interest (Art. 6(1)(f) GDPR).
  5. Statistical, analytical, and marketing purposes based on cookies (if used and if you give consent)
    • purpose: statistics, Website improvement, measuring effectiveness of actions, advertising
    • basis: consent (Art. 6(1)(a) GDPR) and cookie regulations (details in §§8–10).

§5. Voluntariness of Data Provision

  1. The provision of data is generally voluntary, but may be necessary for:
    • receiving a response to an inquiry,
    • processing an application (CV/portfolio),
    • undertaking actions leading to cooperation/agreement.
  2. If you do not provide data marked as necessary, the Controller may not be able to achieve the given purpose (e.g., contact or evaluation of an application).

§6. Data Recipients

Depending on the purpose, data may be disclosed to the following categories of recipients:

  1. hosting, server, domain providers, and tools for Website maintenance;
  2. email and communication system providers;
  3. IT/technical administration and security entities;
  4. data storage tool providers (e.g., cloud/backup);
  5. entities supporting recruitment/cooperation matching processes (if used);
  6. employers or partners, if necessary for the purpose (e.g., submitting an application) and carried out under the terms described in correspondence or based on your decision/consent;
  7. entities authorized by law (public authorities), when the Controller is obliged to do so.

The Controller does not sell personal data.

§7. Transfer of Data Outside the EEA

  1. The Controller may use the services of providers whose infrastructure or affiliated companies are located outside the European Economic Area (e.g., in the case of selected analytical/marketing tools or cloud solutions).
  2. In such cases, the Controller applies legally required safeguards, in particular standard contractual clauses and — where appropriate — additional protection measures.

§8. Data Retention Period

  1. Contact data and correspondence content: for the time necessary to handle the matter, and then for the period needed to secure claims or until effective objection/request for deletion — unless there is another basis for further processing.
  2. Data from applications (CV/portfolio):
    • for the duration of interviews/recruitment or cooperation matching,
    • and in the case of consent for future processes — until its withdrawal or the expiry of the period indicated in the information provided when collecting data (if such a period was specified).
      (In practice, data should not be stored after the process ends without a basis, e.g., without consent for future recruitment.)
  3. Billing data and documents: for the period required by law.
  4. Data from cookies: according to cookie validity periods or until their deletion / settings change (details in §9).

§9. Your Rights

In connection with data processing, you have the right to:

  1. access data;
  2. rectify data;
  3. erase data (“right to be forgotten”);
  4. restrict processing;
  5. data portability;
  6. object to processing (when the basis is legitimate interest);
  7. withdraw consent at any time (without affecting the lawfulness of processing prior to withdrawal).

You also have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).

§10. Cookies and Similar Technologies

  1. The Website uses cookies and similar technologies to ensure proper operation and security, to remember settings, and, if you give consent, for analytics and marketing.
  2. Cookies can be:
    • essential/technical (Website operation),
    • analytical/statistical (Website measurement and improvement),
    • marketing (advertisements, remarketing).
  3. If the Website uses Google solutions, it may apply standards such as Consent Mode v2 to transmit consent/denial signals to measurement/advertising tools.

§11. How to Manage Cookies

  1. You can give or refuse consent for cookies (other than essential ones) in the cookie banner/panel.
  2. Additionally, you can manage cookies in your browser settings (blocking, deleting, restricting).
  3. Disabling some cookies may affect the functionality of certain parts of the Website.

§12. Automated Decision-Making and Profiling

  1. The Controller generally does not make decisions concerning you solely by automated means, and in particular does not apply profiling that produces legal effects or similarly significantly affects you.
  2. If marketing/remarketing tools are implemented in the future, they may segment advertising recipients at a statistical level — based on the providers’ terms and in accordance with the given consents.

§13. Data Security

The Controller applies technical and organizational measures adequate to the risks, in particular: server security, access restrictions, backups, software updates, and permission control.

§14. Final Provisions

  1. The Controller may update the Privacy Policy, especially when the Website’s functions or data processing methods change.
  2. The current version of the Policy is published on the Website.