Privacy Policy
This notice explains how Westom processes personal data when you visit westom.eu, contact us or discuss a potential business engagement.
1. Controller and contact
The controller is Westom Tomasz Węsierski, ul. Stefana Żeromskiego 5/1, 81-346 Gdynia, Poland, NIP 5861433097, REGON 220141440 (“Westom”, “we”). Contact: biuro@westom.pl or +48 530 825 825.
Westom has not appointed a data protection officer. Privacy requests may be sent directly to the email address above with the subject “Data protection”.
2. Scope and data we process
This policy covers westom.eu and its English, French and Dutch versions. Depending on your interaction, we may process:
- identity and business contact data, such as name, work email, telephone, company and role;
- the information you choose to include in an enquiry, including project context, current markets, website address and timing;
- correspondence, meeting notes, proposals and contract-related records;
- technical security data, such as IP address, request time, URL, browser information and server logs;
- website usage data from Google Analytics only after you grant analytics consent.
Please do not submit special-category data, confidential credentials or production secrets through the public contact form.
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Answering an enquiry and taking requested steps before a contract | Article 6(1)(b) GDPR; where you contact us for your organisation, our legitimate interest in B2B communication under Article 6(1)(f). |
| Preparing, performing and documenting an engagement | Article 6(1)(b), Article 6(1)(c) for legal and accounting duties, and Article 6(1)(f) for business administration. |
| Website security, fraud prevention, troubleshooting and evidence of incidents | Our legitimate interest in protecting the service and users, Article 6(1)(f). |
| Audience measurement through Google Analytics | Your consent, Article 6(1)(a). Analytics remains blocked until consent and can be withdrawn at any time. |
| Establishing, exercising or defending claims | Our legitimate interest, Article 6(1)(f), and applicable legal obligations. |
Where processing relies on legitimate interests, we balance the stated purpose against the rights and reasonable expectations of the affected person.
4. Sources and whether data is required
We usually receive data from you or from a colleague contacting us for your organisation. We may also use public business sources, such as a company website or professional profile, when needed to understand an enquiry or verify business details.
Providing form data is voluntary, but the marked fields are needed to answer the request. A contract may require additional data for identification, billing, security and delivery. We do not use the enquiry form to subscribe you to a marketing newsletter.
5. Recipients and international transfers
Data may be available to providers that support hosting, email, backups, security, accounting or authorised IT maintenance, only to the extent needed for their task. Professional advisers or public authorities may receive data where required by law or necessary for claims.
If you accept analytics, Google Analytics processes usage data. Google may process information outside the European Economic Area. The applicable safeguards and locations depend on the provider’s current service terms; see the Google Privacy Policy. You can use the site without consenting to analytics.
We do not sell personal data.
6. Retention
- Enquiries that do not become an engagement: normally up to 12 months after the last substantive contact, unless a longer period is needed for a requested follow-up or a claim.
- Contract, billing and tax records: for the periods required by applicable law and for the limitation period of relevant claims.
- Operational correspondence: for the engagement and a reasonable handover or claims period afterwards.
- Security logs: normally up to 90 days, longer when needed to investigate an incident.
- Consent choice stored in your browser: 180 days, after which the site asks again.
- Analytics cookies: up to two years, subject to browser limits and your earlier withdrawal.
Data is deleted or anonymised when the applicable purpose and retention requirement end.
7. Your rights
Subject to the conditions in the GDPR, you may request access, rectification, erasure, restriction, portability and objection to processing based on legitimate interests. You may withdraw consent at any time without affecting processing carried out before withdrawal.
Send a request to biuro@westom.pl. We may need to verify identity and clarify the scope. You may complain to the Polish supervisory authority, the President of the Personal Data Protection Office (UODO), or another competent EEA authority.
9. Security and changes
We use proportionate organisational and technical safeguards, including access control, supported software, backups and transport encryption where available. No internet service can promise absolute security; please use an appropriate channel before sharing sensitive project materials.
We update this notice when purposes, tools or legal requirements change. Material changes will be dated on this page. The GDPR text is available on EUR-Lex.
