Privacy policy

Welcome to naszekspert.pl – a Service owned by Emilia Kita, conducting business under the name Emilia Kita, with its registered office in Wrocław, ul. Mieszczańska 8/20, 50-201 Wrocław, Poland, NIP: 8971893967, REGON: 389522620.

The Privacy Policy is a set of rules intended to inform about all aspects of the process of obtaining, processing and securing personal data. The Policy is addressed to all persons using the Administrator’s Service and Users using Electronic Services, including account, contact form and feedback form.

Please read this Privacy Policy before using the services and functionality of the Service and before providing any personal data.

This Policy may be changed and updated in the event of changes in practices related to the processing of personal data, taking into account current case law and guidelines of the Polish data protection authority (PUODO) or changes in generally applicable law. The Administrator will duly inform Users of any changes to the Privacy Policy by placing relevant information in the Service and – in the case of Users with an account – by sending this information directly to the User’s email address.

Providing personal data to the Administrator is voluntary; however, in the case of processing data stored in essential cookies or for the purpose of creating an account, providing data will be a necessary condition for achieving the stated purposes.

Definitions:

• Administrator means the entity that decides how and for what purposes personal data are processed. The Administrator is responsible for compliance of processing with applicable data protection law. Processing means any operation performed on personal data, whether automated or not, such as: collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Administrator’s Fanpage on social media: Facebook at link: [.]; Instagram at: https://www.instagram.com/naszekspert.pl/; LinkedIn at: https://www.linkedin.com/company/naszekspert-pl/. The Administrator uses Fanpage-type profiles on social media. Public data shared by social media Users may be used to: respond to private messages addressed to us, conduct discussions in comments under posts, share posts with persons following the Administrator’s Fanpage, for marketing purposes (informing about the Administrator’s services and company via posts on the Fanpage, including sponsored posts), and for statistical purposes. Data provided by social media platform owners are statistical and are created on the basis of observation of behaviour on the Administrator’s Fanpage.
• Processor means any natural or legal person who processes personal data on behalf of the Administrator, other than an employee of the Administrator.
• Electronic Services – services provided through the Service. Electronic Services are provided to Users on the terms set out in the Privacy Policy.
• User – a natural or legal person concluding an agreement with the Administrator for the provision of an Electronic Service. For the purposes of this Privacy Policy, a User is both a person browsing the Service resources, using the Service to contact a mortgage expert, and mortgage experts who have concluded a service agreement with the Administrator, registered in the experts portal and have a profile.

1. Who is the personal data controller?

The personal data controller is Emilia Kita, conducting business under the name Emilia Kita, with its registered office in Wrocław, ul. Mieszczańska 8/20, 50-201 Wrocław, NIP: 8971893967, REGON: 389522620. Contact with the Administrator is possible: a) by e-mail: kontakt@naszekspert.pl, b) by phone: +48 797 326 533 (on business days from 8:00 to 16:00), c) via the contact form available in the Service.

2. Where do we get your personal data from?

• directly from you,
• from an entity that has concluded a service agreement with us on your behalf,
• from a partner/third party cooperating with us who has made your personal data available on the basis of your consent,
• from publicly available sources, e.g. the National Court Register, Central Registration and Information on Business,

The Administrator may obtain Users’ personal data in particular in the following cases:

• e) provision of personal data by Users, e.g. by email, phone, contact form or in any other way (Art. 6(1)(f) GDPR – legitimate interest – responding to messages, handling enquiries),
• f) pursuing claims and taking action in defence of the Administrator’s rights, conducting court proceedings, and e.g. enabling use of the Service via cookies, preventing fraud, operation, maintenance, improvement and provision of all functions, and preparing reports, analyses and statistics for the Administrator’s internal needs (Art. 6(1)(f) GDPR – legitimate interest),
• g) obtaining personal data of Users published on social media (Administrator’s Fanpage), where such information is visible as public (Art. 6(1)(f) GDPR – legitimate interest – promotion, running social profile, building relations, analytics, defence of claims),
• h) User’s consent to processing for sending commercial information (Art. 6(1)(a) GDPR, Art. 398 of the Electronic Communications Law),
• i) obtaining or requesting personal data when visiting the Service or using its functions – first-party and third-party cookies (Art. 6(1)(b) GDPR and Art. 399 Electronic Communications Law),
• j) account, registration form (Art. 6(1)(b) GDPR – performance of contract, account management, security, payments, complaints).

3. What personal data do we process?

We process data that you have provided or left when using the Service, including the following categories:

• contact data (name or business name if you run a business in your own name),
• verification data, including KNF register number, data from ID document scans – for mortgage experts,
• telephone data (landline or mobile),
• address data (postal, e-mail) of you or the entity you represent,
• location data (address of residence/registered office),
• data required for identification and for conclusion of the contract, invoicing,
• identification data necessary for Electronic Services,
• data obtained through use of technology,
• data needed to prepare the most suitable marketing and product offer,
• account data such as login, password,
• content of messages, enquiries, opinions published on the Administrator’s site or Fanpage,
• IP address, cookies and information on use of the Service and Newsletter,
• image (where shared), in the case of reviews, comments or “like” on the Administrator’s Fanpage,
• image – for mortgage experts who have set up a profile in the Service,
• User activity in the Service, ad clicks, time spent, interactions, IP, Facebook/Instagram/LinkedIn user ID, device type, browser, OS, language settings, advertising targeting data.

4. For what purposes will we use your personal data?

We will process your personal data for one or more of the following purposes:

• use of the Service based on your interest in our offer and performance of actions at your request,
• performance of a contract concluded with us on your behalf as a third party,
• compliance with a legal obligation, e.g. issuing VAT invoice, correction, note or receipt,
• marketing purposes,
• information purposes – sending commercial and other information by electronic means where you have consented,
• courtesy purposes – sending seasonal greetings, birthday wishes, gifts, if you consent,
• internal organisation – individual contact by phone,
• analytical purposes – tailoring services, optimising processes, handling complaints (legitimate interest),
• storing data in internal databases for more efficient management,
• archival (evidential) purposes (legitimate interest),
• establishing, pursuing or defending against claims (legitimate interest),
• where you consent – market and opinion research (quantitative, qualitative surveys and interviews).

5. Are you obliged to provide personal data?

Where processing is for the performance of a contract with our company, providing data is a condition for concluding that contract. Provision is voluntary but necessary for conclusion and performance. Providing data required for invoicing is a legal obligation under the Act on tax on goods and services of 11 March 2004.

6. How can you withdraw consent?

You may give all, some or no consents. You may at any time withdraw any consent given to us in relation to the processing of personal data without any negative consequences. Simply send an e-mail, call or write to the Administrator’s contact details given in the Privacy Policy. Withdrawal may be made in any form, provided it reaches us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

7. On what basis will we process your personal data?

Depending on the activity, the legal basis is:

• conclusion and performance of a contract with our company,
• compliance with a legal obligation (e.g. issuing an invoice),
• legitimate interest of our company (direct marketing or performance of a contract concluded on your behalf as a third party),
• your consent.

8. When and to whom may we disclose data, and to whom will we not?

We may disclose your data to recipients such as companies cooperating with us and performing tasks on our behalf (e.g. debt collection, accounting, courier, legal, IT), with whom we have concluded appropriate data processing agreements.

9. Where are data stored?

Collected personal data are stored within the European Economic Area (“EEA”).

10. What rights do you have?

• right of access: the Administrator shall provide information on processing, including purposes, legal bases, scope of data, recipients and planned erasure; you may also request a copy of your data,
• right to rectification: the Administrator shall correct or update inaccurate or incomplete data on request,
• right to erasure: the Administrator shall erase data where processing is no longer necessary, consent has been withdrawn or objection has been lodged (unless retention is required for claims),
• right to restriction and data portability: the Administrator shall restrict processing or provide data in a machine-readable format where applicable,
• right to lodge a complaint: you may lodge a complaint with the President of the Personal Data Protection Office if you consider that processing infringes the law,
• right to object: you may at any time object to processing; where data are processed for direct marketing, you have the right to object at any time,
• right to withdraw consent: you may withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal.

A request to exercise the above rights may be submitted by post to the Administrator’s address or by e-mail as indicated in the Privacy Policy. The request should specify its subject, the applicant’s details and which right is being exercised. If the Administrator cannot determine the content of the request or identify the applicant, it will ask for the missing information.

11. How long will we store your data?

Your personal data will be stored for as long as necessary to perform the contract binding you with our company or a contract concluded by another entity on your behalf, and thereafter for the period corresponding to the limitation period for claims that we may assert or that may be asserted against us.

• Where processing is for a legal obligation, data will be stored for as long as required by that obligation. Data processed on the basis of consent will be processed until consent is withdrawn.
• Where processing is based on legitimate interest (performance of a contract on your behalf), data will be processed until that interest is fulfilled.
• Where processing is for direct marketing, your data will be processed until you object.
• For data processed on the Administrator’s Fanpage, storage continues until you object (“unlike”, remove comment, unsubscribe); for account data, until the service is performed or until you withdraw consent to electronic commercial communications.

12. Where can you lodge a complaint about our processing of personal data?

Such complaints should be submitted to the President of the Personal Data Protection Office.

13. How we will not process personal data

Your personal data are not subject to automated profiling, i.e. automated decision-making with legal or similarly significant effects. However, we use Cookies, Google Analytics and other traffic recording systems in our Service (profiling for marketing purposes). You may configure your browser to block Google Analytics cookies. Personal data will not be subject to automated profiling or automated decision-making.

14. What does personal data protection consist of?

The Administrator has implemented appropriate technical and organisational measures to protect personal data, including against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access and other unlawful processing, in accordance with applicable law. The Administrator is not responsible for the actions or omissions of Users. Users are responsible for ensuring that all personal data are transmitted to the Administrator securely.

15. Data security

We declare that we process your personal data in accordance with Regulation (EU) 2016/679 (GDPR), the Polish Personal Data Protection Act of 10 May 2018 and the Electronic Communications Law of 12 July 2024. Your data are processed with appropriate technical and organisational measures. Despite safeguards in line with current knowledge and legal standards, the risk of misuse of personal data by unauthorised persons (e.g. through data theft) cannot be ruled out. The Service may contain links to other websites not covered by this Privacy Policy. The Administrator is not responsible for processing by independent website operators and service providers. For your security, we recommend that you read the relevant policy of each website you visit.

Details on cookies are set out in the Cookie Policy.

Document effective as of: 16 March 2026