Testto

Privacy policy

Privacy and cookies policy of the Website available in the testto.com domain (the „Policy”).

This document is an English translation of the Polish original, provided for convenience. In case of any discrepancy, the Polish version prevails.

1. General provisions

This Policy sets out the rules for processing personal data obtained through the website (the „Website”) and in the course of providing the Services related to the Website by the Controller. Unless this Policy provides otherwise, capitalised terms defined in the Terms of service also apply to this Policy.

The controller of personal data within the meaning of personal data protection law is Exelo ITS sp. z o.o., entered in the register of entrepreneurs of the National Court Register (KRS) kept by the District Court in Bydgoszcz under KRS number: 0000739862; NIP (tax ID): 5272857846 (the „Controller”).

The legal basis for the processing of personal data by the Controller is:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC — General Data Protection Regulation (the „Regulation” or „GDPR”).
  • The Polish Personal Data Protection Act of 10 May 2018, Journal of Laws 2019, item 1781 (the „Act”).

All matters concerning personal data protection should be addressed directly to the Controller by e-mail at: kontakt@testto.com

The Controller takes particular care to respect the privacy of the Controller's customers (the „Users”). The Controller guarantees the confidentiality of all personal data provided and ensures that all security and data protection measures required by personal data protection law, including the Regulation and the Act, are in place. Personal data is collected with due diligence and appropriately protected against access by unauthorised persons.

The Controller does not make automated decisions in individual cases and does not profile Users. The Controller does not collect or process special categories of personal data. If a User submits sensitive data, the Controller will not process it and will delete it immediately.

2. User rights

The Website User has the following rights arising from the processing of their personal data:

  • the right to request access to their personal data — the User has the right to obtain confirmation of whether the Controller processes their personal data and, if so, is entitled to access the data and to receive information about it, such as: the purpose of processing, the categories of data, information about the recipients or categories of recipients to whom the data has been or will be disclosed, the planned retention period or the criteria for determining that period; this right also includes the right to receive a copy of the data free of charge (for any further copies requested by the User, the Controller may charge a reasonable fee based on administrative costs),
  • the right to rectification of personal data (where it is inaccurate), including the right to request that incomplete personal data be completed,
  • the right to erasure of personal data (the „right to be forgotten”) in the following circumstances: where the User's personal data is no longer necessary for the purposes for which it was collected, the User has withdrawn consent to its processing and there is no other legal basis for the processing, the User has objected to the processing, the personal data was processed unlawfully, the personal data must be erased to comply with a legal obligation under Union law or the law of the Member State to which the Controller is subject, or the personal data was collected in relation to the offer of information society services,
  • the right to restriction of processing where: the User contests the accuracy of the personal data (for a period enabling the Controller to verify its accuracy), the processing is unlawful and the User opposes the erasure of the data, the Controller no longer needs the personal data for the purposes of processing but the User needs it to establish, exercise or defend legal claims, or the User has objected to the processing — until it is determined whether the Controller's legitimate grounds override the grounds of the User's objection,
  • the right to object to processing where the User does not want the Controller to process the User's personal data,
  • the right to data portability, including the right to receive from the Controller, in a structured, commonly used, machine-readable format, the personal data the User has provided, and the right to request that the personal data be transmitted by the Controller directly to another controller (where technically feasible),
  • the right to withdraw consent to data processing at any time (withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal),
  • the right to lodge a complaint with the President of the Polish Personal Data Protection Office (UODO) if the User considers that the processing of their personal data infringes the Regulation.

For any questions related to the processing of personal data and to exercise the above rights, please contact the Controller by e-mail.

3. Data recipients

For the Website to function properly and for the Controller's Services to be provided professionally, the Controller needs to use the services of external providers. The Controller only uses providers that offer sufficient guarantees that appropriate technical and organisational measures are in place, so that the processing meets the requirements of the Regulation and protects the rights of data subjects.

The Controller may use, in particular, the following categories of recipients:

  • providers of accounting, legal and advisory services (in particular an accounting office, a law firm, a debt collection agency),
  • hosting providers,
  • cloud computing providers,
  • CRM system providers,
  • invoicing system providers,
  • providers supplying the Controller with technical, IT and organisational solutions (in particular providers of computer software for running the Website and providing services, including e-mail providers or chatbot tools, and providers of software for business management and technical support for the Controller),
  • other entities where the use of their services is necessary for the proper operation of the Website and the provision of services by the Controller.

All entities to which the Controller entrusts the processing of personal data guarantee the application of appropriate personal data protection and security measures required by law.

The Controller has a data processing agreement in place with each processor, in accordance with Article 28(3) of the Regulation.

The Controller may be obliged to provide information collected by the Website to authorised authorities on the basis of lawful requests, to the extent of the request.

4. Purposes of processing, retention period and scope of data

Purpose of processing: contacting the Controller via the contact form or chatbot on the Website.

Legal basis: Article 6(1)(b) of the Regulation.

Retention period: until the enquiry has been handled in accordance with its purpose, and for a period corresponding to the limitation period for claims that the Controller may raise or that may be raised against the Controller.

Scope of data: full name, e-mail address and data provided voluntarily, which may include: a phone number and any content voluntarily included in the User's message.

Not providing the above data may make it impossible to contact the Controller by e-mail.

Purpose of processing: establishing, exercising or defending claims that the Controller may raise or that may be raised against the Controller.

Legal basis: Article 6(1)(f) of the Regulation.

Retention period: The data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims against the data subject arising from the Controller's business activity. The limitation period is determined by law, in particular the Polish Civil Code.

Scope of data: first name, surname, e-mail address, home address.

Purpose of processing: marketing of the Controller's own services and ensuring the widest possible presence on the Internet.

Legal basis: Article 6(1)(f) of the Regulation.

Retention period: The data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims against the data subject arising from the Controller's business activity. The limitation period is determined by law, in particular the Polish Civil Code. The Controller may not process data for direct marketing purposes where the data subject has effectively objected to such processing.

Scope of data: e-mail address, full name or User's name.

5. Cookies

The Website uses cookies, i.e. small text files stored on the User's end device (e.g. a computer or smartphone) that can be read by the Controller's IT system.

On the first visit to the site, information about the use of cookies is displayed along with a request for consent to their use. The User can change cookie settings in their browser or delete cookies altogether. Please note that disabling cookies may make it harder to use the Website.

The Controller uses its own cookies to ensure the proper operation of the Website.

The Website uses features provided by third parties, which involves the use of cookies originating from those third parties.

Cookies are used to: identify Users; remember User activity on the Website; remember data from completed forms; and keep statistics.

Browser cookie settings are relevant to consent to the Website's use of cookies — under the law, such consent may also be expressed through browser settings. If no such consent is given, browser cookie settings should be changed accordingly.

6. Server logs

Using the Website involves sending requests to the server on which the Website is stored. Every request sent to the server is recorded in the server logs.

The logs include, among other things, the User's IP address, the server date and time, and information about the User's browser and operating system. The logs are saved and stored on the server.

The data recorded in the server logs is not associated with specific individuals using the Website and is not used by the Controller to identify Users.

The above data is used solely for server administration purposes. The server logs are only auxiliary material for administering the site, and their content is not disclosed to anyone other than persons authorised to administer the server.

7. Final provisions

This Privacy policy may change, of which the Controller will inform Users with appropriate advance notice.

This Privacy policy is effective as of 02.07.2026.