Stay safe! Warning about fake requests for identity verification and sharing financial data



By visiting our website: (hereinafter referred to as: “Website”), you entrust your personal data to controllers which are jointly:

Kontomatik sp. z o.o. with its registered office in Warsaw at Prosta 51 Street, 00-838 Warsaw, entered into Register of Entrepreneurs maintained by the District Court for Warsaw in Warsaw, XII Commercial Division of the National Court Register, under number: 0000338706, identification number (NIP): 5213542911, statistical number (REGON): 142043500, holding share capital of PLN 250 000,00; and 

Kontomatik UAB with its registered office in Vilnius at Upes 23, LT-08128 Lithuania, company code: 304852516 and VAT registration number: LT100011837810, holding share capital of EUR 10 000,00

- hereinafter referred to as: “Joint Controllers” or separately “Controller”.

We process your personal data for specific purposes, but always with care to protect your privacy. This Privacy and Cookies Policy (hereinafter referred to as: “Policy”) serves as an aid in understanding what data we collect and for what purpose we use it.

The information set out in this document is very important to you, because it refers to the processing of your personal data, especially regarding the content of provisions on the protection of personal data, including Regulation of the European Parliament and of the Council (EU) 2016/679 of 27/04/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; and the repeal of Directive 95/46/EC (General Regulation on the Protection of Personal Data), hereinafter referred to as: "GDPR". 

For this reason, in this Policy we inform you about the legal basis for processing of your personal data on our Website and among others about collection and usage of such data as well as about your rights as a data subject associated with it.

We recommend you to read this document with care.



Personal data consists of information about an identified or identifiable natural person (data subject), which can be identified, directly or indirectly, in particular by reference to an identifier such as name or especially an online identifier.  The processing of personal data is considered to be every action taken on personal data, irrespective of whether it is done in an automated manner or not, e.g. collecting, storing, fixing, ordering, modifying, browsing, using, sharing, limiting, deleting or destroying. 

Following document applies every time we process your personal data as Joint Controllers. We process your personal data set out in this Policy for various purposes and with the use of various collection methods described in separate sections below. Legal basis for the processing of your personal data, usage of your personal data, disclosure and retention periods are always determined in relation to the purpose and the scope of processed personal data.


Joint Controllers of your personal data are Kontomatik sp. z o.o. and Kontomatik UAB. 

We have designated Kontomatik sp. z o.o. as a contact point for the data subjects, therefore you have the right to contact us by sending a message on the following e-mail address: in case of any confusion regarding the processing of your personal data by us.

We protect your privacy, which is why we have also appointed a person dealing with the protection of personal data - Data Protection Officer, with whom you may contact via email ( in any matter regarding the processing of your personal data by us, especially in the case of exercising your rights as a data subject.

Details of the designated DPO:

Anna Walosińska

Data Protection Advisory Group Sp. z o.o.

Ul. Biedronki 68, 02-959 Warszawa


The personal data processing on this site applies to:

  • Website users – individuals visiting our Website to obtain information about the companies and services or products made available on the Website; 
  • clients or potential clients contacting us by an email/contact form in order to:

- obtain information about our offer;

- share suggestions about our services or products;

- conclude a contract.


Individuals visiting our Website or using the services provided via Website electronically, always have control over the personal data which they provide to us. In other words, our site restricts the collection and use of information about the users to the necessary minimum, required to provide the services at the desired level, pursuant to Article 18 of the Act of 18 July 2002 on the provision of electronic services, particularly:

  • making the content of the Website available to the users;
  • analyzing server work problems;
  • preventing possible violations;
  • ensuring security of the Website;
  • analyzing Website visits statistics, including analyzing demographic data of users visiting the Website (information about the region and device from which the connection was made);
  • actions taken by us on your request (e.g. if you want to use a question form provided on our Website, you may be asked to provide a specific scope of personal data).

The purpose and the legal basis of collecting personal data

We process (including automatic processing) your personal data for the following purposes, in order to:

  • manage our Website properly and deliver the content of our Website – for this purpose we process your personal data, because it is necessary for performance of a contract (provide services by electronic means) on the basis of Article 6 (1)(b) of GDPR;
  • tailor the content of the Website to your needs and interests – for this purpose we use cookies and process your personal data on the basis of your given consent to install certain types of cookies on your end device (Article 6 (1)(a) of GDPR), which you can withdraw at any time;
  • enable you to contact us and to give you a reliable answer depending on the content of the message, regarding: 

- present you with a commercial offer in the event of a request for an offer,

- consideration of a complaint if it is submitted,

- other, depending on the content of the message sent.

(For this purpose, we process your personal data on the basis of our legitimate interest (Article 6 (1)(f) of GDPR), consisting in handling submitted questions)

  • request contact from a sales representative - for this purpose we process your personal data on the basis of our legitimate interest (Article 6 (1)(f) of GDPR), consist in handling potential offer;
  • analyze and prepare statistics related to your activity on the basis of our legitimate interest (Article 6 (1)(f) of GDPR), consist in conducting our business;
  • handle email and traditional correspondence when we receive correspondence by email or traditional mail, unconnected with the services provided for the sender or another agreement executed with them, the personal data relevant to the issue that the correspondence is about shall be processed only for the purpose of communicating and resolving the issue which is the subject of the correspondence – the legal basis for the processing is our legitimate interest (Article 6(1)(f) GDPR) to carry on correspondence sent to us in connection with our business activity;
  • handling phone contact when you contact us by telephone about issues unconnected with an executed agreement or provided services – the legal basis for the processing is our legitimate interest (Article 6(1)(f) GDPR) involving the need to resolve an issue connected with its business activity;
  • establishing, exercise or defense of potential legal claims – the legal basis for the processing is our legitimate interest (Article 6(1)(f) GDPR) to pursue or defend against legal claims.

Additionally, we ask you not to provide information considered as special categories of personal data (such as information on race or ethnicity, political views, religious or philosophical beliefs, trade union membership, information about physical or mental health, genetic data, data biometrics, information about sexual life or sexual orientation and the criminal past). If you provide such information for any reason, we declare that as the Joint Controllers in order to ensure the transparency of data processing for a specific purpose, we will delete such content of the message

The scope of data processed on the Website, depending on the purpose for which the data is processed, concern:

contact form, email and phone contact (intended for clients and potential clients) in the scope of:

  • identification data (e.g. name and surname);
  • contact details (e.g. telephone number, e-mail address);
  • data resulting from the content being submitted.
  • website management (indicated for Website users), in the scope of:
  • personal data resulting from cookies installed on your end device, among others: 

- IP address;

- data of the device and the type of browser used;

- demographic data.

We can also process your personal data in so-called system logs - IP address, domain. This data is used to generate statistics that help to manage our Website. Logs are not disclosed to third parties, subject to the possibility of sharing information about the IP number, user data of the site at the request of the right authorized entities on applicable law or state authorities in connection with their proceedings.

Profiling of personal data

The information that we collect in connection with the use of our online services / products available on the Website may be processed in an automated manner (including the form of profiling), however, it will not cause any legal effects to an individual or have any other significant effect. We profile to analyze or forecast personal preferences and interests of people using our site or products or services and matching content found on our site, and also for marketing purposes, i.e. matching the marketing offer to www. preferences.

Change of the processing purpose

We do not anticipate, but we cannot rule it out. We know for certain that if the purpose of processing your data changes, we will inform you about this situation so that you are aware and able to exercise your rights accordingly.



In connection with conducting business activity which requires processing, personal data are disclosed to third parties, including in particular vendors responsible for the operation of IT systems and hardware, entities providing legal or accounting services, couriers and marketing agencies, including our Trusted Partners.

Basically, we process your personal data within the European Economic Areas ("EEA"). In the event of your personal data being transferred outside of the EEA, you will be separately informed of this fact. Whenever your data will be transferred to a third country which does not ensure the level of personal data protection, we will provide that your personal data is handled in accordance with applicable requirements, such as:

  • binding corporate rules approved by the competent supervisory authority;
  • consolidated contractual clauses, which are forwarded by the national supervisory authorities and approved by the European Commission;
  • approved code of conduct;
  • approved certification authorization or
  • based on the applicable supervisory recommendation.

As part of your rights to access to your personal data, you may request from us detailed information about the security used when your personal data are being transferred outside the EEA.


Our goal is to protect you against the negative consequences of processing your personal data. Therefore, we optimize storage time of your data collected via the Website. We concluded that:

  • if the Joint Controllers process your personal data on the basis of given consent, the processing period lasts until the withdrawal of the consent or completion of the purpose for which they were collected;
  • if the Joint Controllers process your personal data on the basis of their legitimate interest, the processing period lasts until the termination of the above-mentioned interest (e.g. the period of prescription for civil claims) or until the moment of your objection;
  • if the Joint Controllers process your personal data because it is necessary due to the applicable law, the periods of data processing for this purpose are defined by these provisions; 
  • in the absence of specific legal or contractual requirements, the basic storage period for records and other documentary evidence drawn up during the performance of the contract for a maximum of 6 years.


What are cookies?

Cookies are small text information in the form of text files, sent by the server and saved on the side of the person visiting the website (e.g. on the hard drive of the computer, laptop or on the smartphone's memory card - depending on which device the visitor uses our Website). That so-called cookie usually contains the name of the website it comes from, the "lifespan" of the cookie (that is, its lifetime), and the value that is usually accidentally generated unique number. Cookies contain information which can be considered as personal data which allow us to identify you as a data subject. 

Cookies, due to the fact that they are used for various purposes, can be generally divided into following types:

  • session cookies – temporary files, which are necessary for the proper functioning of the Website and are automatically installed on your end device by the moment of entering the Website. These cookies are stored in the temporary memory of the browser while you use our Website and expire after closing the browser (when the session is over). Session cookies do not retain any information about you after closing the session;
  • analytical cookies – files which help us to manage the Website. These cookies are used to track the activity of users on the Website in order to measure and determine the performance of the Website and to optimize its content. Analytical cookies retain information about you but only to the extent to allow you to use the website properly. You can choose whether to consent to these types of cookies;
  • marketing cookies – files which are used to determine a user's profile in order to target advertising to his preferences. By using these types of cookies, we can offer you maximally personalized and tailored service. Just like in the case of analyzing cookies, you may or may not consent to these types of cookies. 

Do we use third-party cookies? 

We may use the services of suppliers who may also store cookies when you visit the Website. These cookies allow them to provide you with the services tailored based on your preferences. When you visit the Website, you may receive cookies from third parties - their websites or domains (e.g. from Google). 

You can familiarize yourself with the complete list of our Trusted Partners and manage your cookies preferences in Appendix 1.

Google Analytics

Google Analytics cookies are files used by Google to analyze how you use our Website, to create statistics and reports on the operation of the Website. Google does not use the collected data to identify you as a user or combine this information to enable identification. Detailed information on the scope and rules of collecting data in connection with this service can be found at the following link:

Google Ads

Google Ads is a tool that allows you to measure the effectiveness of advertising campaigns carried out by us, allowing for the analysis of such data as e.g. keywords or the number of unique users. The Google Ads platform also allows our ads to be displayed to people who have visited our Website in the past. Information on the processing of data by Google in the scope of the above service is available at:

Social network plug-ins

On our Website, we use so-called social network plug-ins, which allow you to visit our profiles on selected social networks, such as LinkedIn, Twitter and YouTube. By clicking on those plug-ins, you will among others have an opportunity to share selected content on your profile on that social network. Using abovementioned plug-ins results in sharing your personal data with a given social network, which receives information about your use of the Website that can be assigned to your profile created in each social network. In this scope, controller of your personal data is controller of a given social network (e.g. Twitter). Detailed information about processing your personal data by these controllers can be found under the links below:


Can I control cookies or delete them?

In most browsers, the acceptance of cookies is set by default. By using our Website, you can choose the so-called cookies banner, whether to allow storage of cookies which are not necessary for the proper functioning of the Website on your end device. You can do it by choosing between “Accept” and “Manage cookies” buttons. 

Clicking the "Accept" button allows you to accept and install cookies in accordance with the settings of the browser used (in the case of default settings, all cookies are installed). 

By choosing the “Manage cookies” button, you will be transferred to the other website, where you can manage your cookies preferences by using cookie tool which allows you to consent or object to certain types of cookies. Moreover, on this side you can find specific information about the types of cookies we use (analytic and marketing ones) and our Trusted Partners. 

When you don’t express an active and explicit consent to a given type of cookies, any analytic or marketing cookies won’t be installed on your end device. 

Despite the above, you can always change the settings so that cookies are blocked or that you are alerted that they are sent to your devices. There are many ways to manage cookies. We ask you to refer to the instructions of your web browser or to display help to learn how to customize or change your browser settings. Here's how to do it on the most popular browsers:

- Internet Explorer:,box%2C%20and%20then%20select%20Delete.

- Mozilla Firefox: 

- Google Chrome:

- Opera: 

- Safari: 



As a data subject, with regards to your personal information, you have a number of rights under the GDPR provisions, which you can exercise by sending an email to our Data Protection Officer: It is important to let you know your rights in relation to the processing of your personal data: 

Right to be informed 

On this basis, we will provide you with information on data processing, including primarily the purposes and legal grounds for processing, the scope of data held, entities to which your data was disclosed, and the planned date of deletion of data.

Right of access the copy of data

On this basis, we will provide you a copy of your processed personal data.

Right to rectification

By receiving this kind of request, in some cases, we are obliged to remove any incompatibilities or errors of your personal data and supplement them if they are incomplete.

Right to be forgotten

On this basis, you can request the deletion of your personal data, processing of which is no longer necessary to achieve any of the purposes for which your data were collected.

Right to restrict processing

If such a request is made, we cease to carry out operations on your personal data – with the exception of operations to which you have consented, and to the storage of data in accordance with the adopted retention rules or until the reasons for limiting data processing cease to exist (e.g. a decision of the supervisory authority allowing further processing of data will be issued).

Right to data portability

On this basis - to the extent that data is processed in an automated manner in connection with the concluded contract or consent – we issue data provided by you, in a format that allows data to be read by a computer. It is also possible to request that the data be sent to another entity, however, if there are technical possibilities in this respect both on the part of the Joint Controllers and the indicated entity.


Right to object to the processing of data for marketing purposes

At any time, you can object to the processing of your personal data for marketing purposes, without the need to justify such an objection.

Right to object to other purposes of data processing

At any time, you may object - for reasons related to your special situation - to the processing of your personal data, which is based on the legitimate interest of the Joint Controllers (e.g. for analytical or statistical purposes or for reasons related with protection of the property); the opposition in this respect should include a justification.

Right to withdraw consent

If your data are processed on the basis of given consent, you have the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before its withdrawal.

Right to complain to the Data Protection Authority

If it is considered that the processing of your personal data violates the provisions of the GDPR or other provisions regarding the protection of personal data, you may file a complaint to the body supervising the processing of personal data, competent for yours habitual residence, your place of employment or place where the alleged violation took place. In Poland, the supervisory authority is the President of the Personal Data Protection Office, with its office at Stawki 2 Street, 00-193 Warsaw.


To ensure data integrity and confidentiality, we have implemented procedures making access to personal data possible only to authorized persons and only to the extent necessary for them to perform their tasks. We applied organizational and technical solutions to ensure that all the operations on personal data are recorded and performed only by authorized persons. 

We do our best to protect users from unauthorized access, unauthorized modification, disclosure and destruction of your personal information held by us. In particular we:

  • use SSL encryption;
  • control our methods of collecting, storing and processing personal data, including physical security measures, to protect against unauthorized access to the system;
  • provide access to personal data only to employees, contractors and representatives who must have access to them in order to process them for us. In addition, they are contractually required to maintain strict confidentiality.

In addition, we take any necessary actions so that its subcontractors and other cooperating entities guarantee the application of appropriate security measures in each case when they process personal data on the Controller’s behalf. 

We perform risk analysis on an ongoing basis and monitor the adequacy of applied data protection mechanisms to the identified threats. If necessary, we will implement additional measures to increase data security. 



The Policy is verified on an ongoing basis and updated when needed. The present version of the Policy was adopted on 18.02.2022 and may be subject to change. Any changes to the Policy will be published on this Website.



Who is the Personal Data Controller?

The Controller of personal data of clients, former clients or potential clients is Kontomatik sp.z o.o. with its registered office in Warsaw (00-838) at Prosta 51.

The Controller can be contacted by email by writing to the following e-mail address: or via traditional mail by sending correspondence to the following address: Kontomatik sp.z o.o., ul. Prosta 51, 00-838 Warsaw, with the annotation "Personal Data Protection".


Has a Data Protection Officer been appointed?

The protection of processed personal data is extremely important to us, which is why we have appointed a Data Protection Officer who can be contacted on the subject of personal data protection by email by writing to the following email address: or via traditional mail by sending correspondence to the following address: Kontomatik sp. z o. o Prosta 51, 00-838 Warsaw, with the annotation "Personal Data Protection".

What are the purposes and legal grounds for the processing of personal data?

Personal data is processed by the Controller, in particular in order to present a commercial offer or in connection with conducted business talks, marketing activities, implementation of a signed contract for the provision of services or taking action at the request of the data subject, before concluding the contract, fulfilling the obligation resulting from the provision law, the need to retain the necessary information for the purposes of defending against or pursuing claims, responding to submitted letters and fulfilling requests resulting from the provisions of the GDPR.

Personal data is processed by the Controller primarily for the following purposes:

  • conclusion and performance of the contract, including contacting the client, in accordance with art. 6 sec. 1 lit. b) GDPR;
  • issuing and booking sales invoices, in accordance with art. 6 sec. 1 lit. c) GDPR;
  • handling payments and settlements, in accordance with art. 6 sec. 1 letter b) of the GDPR;
  • handling service activities, in accordance with art. 6 sec. 1 lit. b) GDPR;
  • conducting analyzes and statistics, in accordance with art. 6 sec. 1 lit. f) GDPR;
  • conducting marketing activities, in accordance with art. 6 sec. 1 lit. a) or f) GDPR;
  • establishing, defending and pursuing claims, in accordance with art. 6 sec. 1 lit. f) GDPR;
  • archiving data and documents, in accordance with art. 6 sec. 1 lit. f) GDPR;
  • replying to letters, in accordance with Art. 6 sec. 1 lit. b) GDPR;
  • responding to requests and complaints, in accordance with art. 6 sec. 1 lit. c) GDPR,
  • enabling communication with the Controller via the contact form, in accordance with art. 6 sec. 1 lit. a) GDPR.

The processing of personal data by the Controller is based on:

  • expressed consent, in accordance with art. 6 sec. 1 lit. a) GDPR;
  • on the basis of a contract to which you are a party or to take action at your request before concluding the contract, in accordance with art. 6 sec. 1 lit. b) GDPR;
  • the legal obligation incumbent on the Controller, in accordance with art. 6 sec. 1 lit. c) GDPR, including tax law, accounting law, payment services acts, provision of electronic services acts and others applicable to,
  • legitimate interest pursued by the Controller or by a third party, in accordance with art. 6 sec. 1 lit. f) GDPR.

How long are personal data stored (retention period)?

The period of storage of personal data depends on the purpose for which the data is processed. It results from legal provisions that require the storage of data for a specific period of time or is necessary for the performance of the contract or the protection of legitimate interests pursued by the Controller or by a third party.

Examples of periods during which personal data may be stored by the Controller:

  • retention data (e.g. correspondence, complaints) - up to 12 months;
  • data needed to issue an invoice and accounting documents, payment and settlement services - 5 years from the end of the calendar year in which the tax payment deadline expired;
  • data on the performance of the contract - up to 3 years, on the last day of the calendar year or until the expiry of another period of limitation of claims;
  • analysis and statistics - up to 10 years;
  • data on court judgments (abuse) - 10 years from the date of the judgment;
  • marketing activities - until consent is revoked or objection raised.

Does the Controller provide personal data and to whom?

Personal data may only be made available when:

  • recipients are other entities providing services to the Controller in the scope of the service provided in accordance with the concluded contract (e.g. accounting and accounting office, external advisors, IT solution providers),
  • recipients are entities from the Controller's capital group,
  • recipients are other entities in the field of:
  • detect and prevent fraud, and resolve other fraud, security and technical issues;
  • protect the property rights or safety of the Controller and other persons in a manner required or permitted by law.

The Controller does not intend to transfer personal data to the so-called third countries (i.e. outside the European Economic Area). The Controller may, however, commission the performance of specific IT services or tasks to service providers established outside the European Economic Area (e.g. in the scope of data processed via the website). In this case, personal data is transferred on the basis of binding corporate rules or standard contractual clauses adopted by the European Commission and only to entities that have undertaken to comply with specific principles of personal data protection.

In order to obtain additional information on the transfer of data outside the EEA and to obtain a copy of the adopted protection measures, you can contact the Data Protection Officer.


What rights are there in relation to the processing of personal data?

Each person whose personal data is processed by the Controller has the right to:

  • information on the processing of personal data;
  • obtain a copy of the processed personal data;
  • rectification of processed personal data if they are incorrect;
  • deletion of data ("right to be forgotten");
  • processing restrictions;
  • data portability;
  • object to data processing;
  • submit a complaint to the supervisory authority.

If the processing is based on Art. 6 sec. 1 lit. a) GDPR, the data subject has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

More information on the rights of data subjects can be found here: Information clause on the rights of a natural person pursuant to the GDPR.


How can certain rights be exercised?

The demands resulting from Art. 15-22 of the GDPR can be brought to the Controller at any time.More information on the fulfillment of requests can be found here: Information clause about submission of a request to execute the rights pursuant to the GDPR.

Is the data subject to automated processing?

The information collected by the Controller may be processed in an automated manner (including in the form of profiling), however, it will not cause any legal consequences for a natural person or similarly significantly affect it. In order to carry out marketing activities, the Controller uses profiling in some cases. This means that thanks to automatic data processing, the Controller assesses selected factors of persons in order to analyze their behavior or create a forecast for the future. 

Where is personal data collected from?

We obtain personal data mainly from the data subject. The Controller may, in justified cases, e.g. in order to confirm data or verify submitted declarations, obtain data, e.g. from the Register of Entrepreneurs of the National Court Register or the Central Register and Information on Economic Activity.