Privacy Policy

1. Introduction

This document constitutes the privacy policy (the Policy) of BPI Panoramiqa sp. z o.o. with its registered office in Warsaw, ul. Komitetu Obrony Robotników 48, registered in the entrepreneurs' register kept by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS number 0000889923, REGON: 388482550, NIP: 5223199662 (the Controller or We).

The purpose of the Policy is to set out the rules and manner of processing personal data obtained from natural persons who are users of the websites administered by the Controller (the User). The Policy also contains information regarding the rights of natural persons in relation to the personal data they have provided.

The legal basis for the Policy is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (GDPR), as well as the Personal Data Protection Act of 10 May 2018 (Journal of Laws 2018, item 1000). The Policy implements the Controller's obligations arising from Articles 12 and 13 of the GDPR.

The Policy applies to every website, application or service that refers to this information, as well as to data transferred via them, by phone, electronically or in person at the Controller's registered office. Please note that when leaving the websites administered by the Controller (e.g. by following a link to a page in another domain), the User enters an area where the Policy does not apply. The Controller is not responsible for the privacy policies in force on websites operated by other entities.

2. Data Controller

BPI Panoramiqa sp. z o.o. is the Controller of personal data provided by Users of the websites who have visited and used the functionalities offered by the websites administered by the Controller (the Websites): www.panoramiqa.pl

When collecting personal data, the Controller records information about its source. Personal data of Users is obtained directly from the data subjects, as well as from third parties.

The Controller exercises particular care to ensure that personal data is processed in accordance with the purpose for which it was collected and used in line with the premises and categories of processed data permitted by law, in particular in accordance with the personal data processing principles set out in Article 5 of the GDPR.

3. Purposes and Legal Bases for Processing

Contact by phone, e-mail or live chat with the Customer Service Office

We process your contact details and other data you provide during the conversation or in the content of the correspondence. We obtained this data directly from you. Please note that all telephone calls conducted via the hotline are recorded.

We process your data for the purpose of pursuing the Controller's legitimate interest (Article 6(1)(f) GDPR), consisting of:

• handling current contacts, including answering your queries,
• ensuring proper Customer service – including improving the Customer service process and the quality of the services provided, monitoring e-mail and telephone conversations, as well as analytical and statistical purposes related to the Customer service process, establishing, asserting and defending against claims.

Providing personal data is voluntary but necessary for us to respond. Refusal to provide personal data will result in us being unable to handle your message and consequently deleting it.

Personal data is stored for the time the message sent to us is handled.

Receiving marketing content electronically

If you have consented to receive marketing content from us, we process the personal data necessary for such transmission, i.e. the e-mail address or telephone number you have provided and, optionally, your postal code. We obtained this data from you.

We process your data for the purpose of pursuing the Controller's legitimate interest (Article 6(1)(f) GDPR), consisting of marketing activities in the form of sending the requested commercial information to persons who have consented to receive commercial information.

Providing your e-mail address or phone number is voluntary, but their submission is necessary for sending marketing content – if you do not provide them, we will not be able to send them to you.

Personal data is stored until you withdraw your consent to receive marketing content, effectively object to marketing activities, or until our interest in conducting such activities ceases.

Use of our social media profiles

Because we want to stay in constant contact with you, we maintain accounts on social media platforms where you can visit us and interact with us (e.g. leave a comment, like or share a post). In such cases, your personal data is processed. Details regarding the processing of data on social media platforms can be found here.

Cooperation with our business partners

If you are a party to a contract concluded with us or intend to conclude one, the data we process about you constitutes contact data and other data necessary for concluding and performing the contract. This data was obtained directly from you. We may also obtain or verify your data using publicly available registers (e.g. CEIDG, KRS).

We process your data for the following purposes and on the following legal bases:

• establishing cooperation and concluding and performing the contract between us (Article 6(1)(b) GDPR),
• maintaining the Controller's accounting documentation relating to the cooperation, in accordance with the legal obligation incumbent on the Controller (Article 6(1)(c) GDPR), arising in particular from the Tax Ordinance Act of 29 August 1997, the Accounting Act of 29 September 1994 and the VAT Act of 11 March 2004,
• pursuing the Controller's legitimate interest (Article 6(1)(f) GDPR), consisting of:
  • carrying out activities that improve and coordinate the Controller's work, including keeping internal records (e.g. registering correspondence),
  • establishing, asserting and defending against claims.

Providing the data is a condition for concluding the contract; failure to provide it will result in the inability to conclude and perform it.

Personal data is stored for the period necessary to perform and settle the existing cooperation or to establish cooperation in the future, as well as until the expiry of periods resulting from relevant legal regulations (i.e. until the limitation period of tax obligations related to accounting documentation expires), which may, where applicable, be extended by the limitation period for civil-law claims. If cooperation is not established, personal data will be stored until a decision is made not to cooperate.

Representatives, contact persons, employees and proxies of our Clients or business partners

We process your contact details and data related to your function or relationship with the entity on behalf of which you act (typically: first name, last name, position, place of work, business e-mail address and business phone number, and possibly information indicating your authority to represent the entity). We obtained this data directly from you or received it from the entity on whose behalf you act. We may also obtain or verify your data using publicly available registers (e.g. KRS).

We process your data for the following purposes and on the following legal bases:

• pursuing the Controller's legitimate interest (Article 6(1)(f) GDPR), consisting of:
  • providing information and contacts necessary for conducting business activity, including establishing and pursuing cooperation with the entity on whose behalf you act, as well as handling and performing the actions you undertake,
  • carrying out activities that improve and coordinate the Controller's work, including keeping internal records (e.g. registering correspondence),
  • establishing, asserting and defending against claims.
• fulfilling our legal obligations (Article 6(1)(c) GDPR), including the obligation to maintain accounting documentation regarding cooperation with the entity on whose behalf you act, in accordance with the Tax Ordinance Act of 29 August 1997, the Accounting Act of 29 September 1994 and the VAT Act of 11 March 2004.

Providing the data is voluntary, but failure to provide it will result in the inability to cooperate with the entity on whose behalf you act.

Personal data is stored for the period necessary to perform and settle the existing cooperation or to establish cooperation in the future, as well as until the expiry of periods resulting from relevant legal regulations (i.e. until the limitation period of tax obligations related to accounting documentation expires), which may, where applicable, be extended by the limitation period for civil-law claims. If cooperation is not established, personal data will be stored until a decision is made not to cooperate.

Exercising rights under the GDPR

We process the data you provide for the purpose of handling your request, as well as the data we hold that is necessary to handle it.

We process your data for the following purposes and on the following legal bases:

• handling the request concerning personal data, in accordance with the legal obligation incumbent on the Controller (Article 6(1)(c) GDPR) arising from the GDPR provisions, including verifying your identity,
• pursuing the Controller's legitimate interest (Article 6(1)(f) GDPR), consisting of establishing, asserting and defending against claims, as well as handling any administrative proceedings related to exercising the rights of data subjects.

Providing the data is necessary to handle your request; failure to provide it will result in the inability to handle it.

The data is stored until the expiry of the limitation period for the claims of data subjects arising from exercising their rights under Articles 12-22 of the GDPR (i.e. the limitation period for claims relating to infringement of personal rights), as well as for the period necessary to handle any administrative proceedings related to exercising the rights of data subjects.

4. Recipients of Personal Data

Recipients of personal data provided to the Controller by the data subjects include the following entities, to whom personal data is transferred to the minimum extent necessary to achieve the purpose(s) for which the data was obtained:

• authorised personnel of the Controller,
• entities processing personal data on behalf of the Controller (e.g. accounting office, technical service providers, hosting providers),
• entities with which the Controller has concluded personal data processing agreements,
• competent authorities authorised in accordance with applicable laws.

The Controller declares that it does not sell, share or transfer the collected personal data to other persons or institutions, unless this is done with the express consent or at the request of the data subjects, or at the request of state authorities authorised by law for the purposes of proceedings or activities related to security or defence, for legally defined tasks performed for the public good, where this is necessary to fulfil the legitimate purposes of the Controller.

5. Transfers of Personal Data Outside the European Economic Area (EEA)

Because the Controller uses applications whose servers are located outside the EEA, personal data obtained in connection with Users' use of the websites may be transferred to third countries. Therefore, the Controller has ensured that only providers offering high standards of personal data protection are used.

6. Data Retention Period

The Controller processes the personal data obtained for the period necessary to achieve the purpose(s) for which they were provided. The processing period is related to the purposes and bases of processing, therefore:

• data processed on the basis of statutory (tax) requirements will be processed for as long as the law requires it to be retained;
• data processed on the basis of the Controller's legitimate interest will be processed until the data subject effectively objects or until that interest ceases. Data processed for the purpose of asserting or defending against claims will be processed for a period equal to the limitation period for those claims;
• data processed on the basis of consent will be processed until the data subject withdraws consent;
• personal data processed as part of the recruitment process will be processed until the end of that process.

7. Rights of Data Subjects

The Controller exercises the rights of data subjects related to the processing of their personal data. In particular, every data subject has the right to:

• access to their personal data,
• rectification of personal data,
• erasure of data (the "right to be forgotten"),
• restriction of processing of personal data,
• object to the processing of personal data.

Where the basis for the processing of personal data is the Controller's legitimate interest, the data subject has the right to object at any time to the processing of personal data, without justification, especially where the legitimate interest concerns direct marketing activities.

Consent given by data subjects through the Websites may be withdrawn at any time, which does not affect the lawfulness of processing carried out before its withdrawal.

The Controller informs that there is no obligation to erase data (i.e. to enforce the "right to be forgotten") where data processing is necessary for:

• exercising the rights and freedoms of expression and information,
• compliance with a legal obligation under EU or Polish law,
• archival purposes in the public interest, scientific or historical research purposes, or statistical purposes,
• establishing, asserting or defending against claims.

The above rights, as well as the intention to withdraw consent, may be exercised by submitting a relevant request electronically to the e-mail address: zgoda@bpi-realestate.com or by post to the Controller's registered address indicated in section 1.1 of the Policy.

8. Automated Decision-Making and Profiling

Your data will not be used for automated decision-making, including profiling.

9. Security and Storage of Information

The Controller ensures the security of personal data against unlawful disclosure to unauthorised persons, unauthorised acquisition, destruction, loss, damage or alteration, as well as processing of personal data in a manner that does not comply with the GDPR.

In order to secure personal data, the Controller implements technical and organisational measures that meet the requirements of the GDPR, in particular the measures listed in Articles 24 and 32 of the GDPR, ensuring the confidentiality, integrity and availability of the services for processing the personal data provided.

10. Social Plugins

So-called social plugins redirecting to the Controller's profiles maintained on social media platforms (Facebook, Instagram, LinkedIn, YouTube) are used on the Websites. With the functionalities offered by these plugins, Users can share individual content via social media. However, please note that using these plugins involves the exchange of data between the User and the relevant social media platform or website.

The Controller does not process this data and has no knowledge of which User data is collected. We therefore encourage you to review the terms and privacy policies of these social media services before using a given plugin.

11. Right to Lodge a Complaint

In any case where the rights of a natural person resulting from legal provisions and the Policy are deemed to be violated, Users have the right to lodge a complaint with the President of the Personal Data Protection Office, located in Warsaw at ul. Stawki 2.

12. Final Provisions

In matters not regulated by this Policy, EU and national personal data protection laws apply.

Date of last update of the Policy: 28 April 2026.