1. GENERAL INFORMATION
This Privacy Policy sets out the rules for processing and protecting personal data of users of the alvo.pl website by the personal data controller in connection with the use of the Website and the services provided.
ALVO Medical is a company specializing in the design, production and installation of innovative solutions for the healthcare sector. We provide equipment for operating rooms, hybrid operating rooms, intensive care units and neonatal intensive care units. Our activities also include the supply of equipment and hygienic modular infrastructure for specialized treatment rooms and hospital wards. Over 30 years of operations, we have completed more than 3,000 modular operating rooms in over 100 countries worldwide. Just as we prioritize the safety of our medical products, we treat the protection of personal data entrusted to us by our customers and business partners with equal seriousness.
The data controller is ALVO Medical Sp. z o.o., with its registered office in Śmigiel at ul. Południowa 21A, 64-030 Śmigiel, entered in the National Court Register under KRS number 0001007735, Tax ID (NIP): 6981824501, National Business Registry Number (REGON): 301592861 (hereinafter: “Controller”).
2. DATA PROTECTION OFFICER
The Controller has appointed a Data Protection Officer:
- Name: Magdalena Jacolik
- Contact: rodo@alvo.pl
The Data Protection Officer can be contacted regarding all matters concerning the processing of personal data and the exercise of rights related to data processing.
3. PURPOSES, LEGAL BASES AND DATA RETENTION PERIODS
3.1 Contact Form
Purpose of processing: Providing information in response to questions submitted via the contact form and establishing business relationships.
Legal basis: Legitimate interest of the Controller (Article 6(1)(f) GDPR), which is to handle inquiries at the highest level and establish business contacts with potential customers and partners.
Retention period: 3 years from the date of last correspondence or until a valid objection is raised.
3.2 Performance of Commercial Contracts
Purpose of processing: Performance of concluded commercial contracts and ongoing contact within the framework of contract performance.
Legal bases:
- Performance of a contract (Article 6(1)(b) GDPR) – for the performance of the concluded contract
- Legitimate interest of the Controller (Article 6(1)(f) GDPR) – for ongoing contact within the framework of contracts
Retention period: For the duration of the contract and 5 years from the end of the calendar year in which the last invoice related to the contract was issued.
3.3 Preparation of Commercial Offers
Purpose of processing: Preparation and presentation of commercial offers and contact with company representatives for business purposes.
Legal basis: Legitimate interest of the Controller (Article 6(1)(f) GDPR), which is conducting business activities and establishing business relationships with potential contractors.
Retention period: 5 years from the date of presentation of the last offer or until a valid objection is raised.
3.4 Establishment and Defense of Claims
Purpose of processing: Establishment of claims and defense against claims arising from business activities.
Legal basis: Legitimate interest of the Controller (Article 6(1)(f) GDPR), which is the establishment of due claims and defense against unjustified claims.
Retention period: Until the limitation of claims in accordance with the provisions of the Civil Code.
3.5 Compliance with Legal Obligations
Purpose of processing: Fulfillment of legal obligations arising from tax, accounting and other legal regulations.
Legal basis: Compliance with a legal obligation (Article 6(1)(c) GDPR) – with respect to obligations arising from the Accounting Act, Tax Ordinance, VAT Act and other legal provisions.
Retention period: In accordance with legal provisions – accounting documents for 5 years, tax documents in accordance with the provisions of the Tax Ordinance.
3.6 Direct Marketing and Newsletter
Purpose of processing: Sending commercial information, newsletters and marketing materials concerning the Controller’s products and services.
Legal basis: Consent of the data subject (Article 6(1)(a) GDPR) expressed by checking the appropriate box when completing the form or in a separate statement.
Retention period: Until consent is withdrawn by the data subject.
3.7 Website Analytics and Statistics
Purpose of processing: Conducting website traffic analysis, visit statistics and optimization of the Website’s functionality.
Legal basis: Legitimate interest of the Controller (Article 6(1)(f) GDPR), which is analyzing the effectiveness of the Website and its optimization for better service delivery.
Retention period: In accordance with the lifetime of individual cookies for which consent has been given.
3.8 Whistleblower Reports
Purpose of processing: Handling reports concerning violations of law made by whistleblowers within the internal reporting system, conducting explanatory proceedings and fulfilling obligations arising from the whistleblower protection act.
Legal basis: Compliance with a legal obligation (Article 6(1)(c) GDPR) – with respect to obligations arising from the Whistleblower Protection Act of June 14, 2024, including conducting internal explanatory proceedings and ensuring the operation of the violation reporting system.
Retention period: 3 years from the end of the calendar year in which the explanatory proceedings were completed or the report was forwarded to an external authority in accordance with the provisions of the Whistleblower Protection Act.
3.9 Management of Social Media Profiles
Purpose of processing: Administration and management of company profiles on social media, communication with users, building a community around the brand, presenting the offer and achieving marketing objectives. Data is processed for the purpose of interacting with followers, answering questions, providing information about products, services and organized events, and creating engaging content tailored to the interests of the community.
Legal basis: Legitimate interest of the Controller (Article 6(1)(f) GDPR), which is conducting marketing activities on social media, building brand recognition, business communication with users of social media platforms, providing informational content about the Controller and its products and services, ensuring modern means of information and communication with users, as well as drawing visitors’ attention to offered products and services and enabling direct contact with the company.
Joint controllers: The Controller is a joint controller of personal data together with social media platform providers in accordance with Article 26 GDPR:
- Meta Platforms Ireland Limited (Facebook, Instagram)
- LinkedIn Ireland Unlimited Company (LinkedIn)
- Google LLC (YouTube)
Division of joint controllers’ responsibilities: The Controller is responsible for content published on company profiles, communication with users, defining marketing objectives and fulfilling information obligations towards users with respect to its activities. Social media platform providers are responsible for ensuring the technical functionality of the platforms, processing analytical data, implementing security measures and exercising users’ rights with respect to the operation of the platforms. Detailed rules for the division of responsibilities are set out in agreements with platform providers and their privacy policies.
Social media platforms: The Controller maintains company profiles on the following platforms: Facebook, LinkedIn, YouTube, Instagram, where it may conduct marketing activities.
Retention period: For the duration of maintaining profiles on social media or until a valid objection is raised by the user.
Transfer of data to third countries: The use of social media platforms may involve the transfer of personal data to countries outside the European Economic Area, particularly to the United States, in accordance with the privacy policies of individual platforms and the legal mechanisms they apply.
4. RECIPIENTS OF PERSONAL DATA
The Controller may transfer personal data to the following categories of recipients:
- Affiliated companies, including Reinsberg Group A.S. as the parent entity and other companies of the capital group, for the implementation of common business and administrative objectives
- IT, hosting and technical service providers, including system providers
- Providers of applications for whistleblower reporting (including Whistlelink) based on a data processing agreement
- Accounting offices and law firms providing services to the Controller
- Courier and postal companies performing deliveries
- Banks and financial institutions for settlements
- State authorities authorized by law
- Entities providing marketing and analytical services
- Social media platform providers and entities cooperating with them in providing advertising and analytical services
5. TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
The transfer of personal data to countries outside the European Economic Area may occur in connection with the use of tools of an international nature, including Google tools (Google Analytics, Google Ads), Meta (Facebook, Instagram) and other social media platforms.
Data transfer to the United States is based on:
- Adequacy decision regarding the safe and trusted data flow between the EU and the USA (Data Privacy Framework)
- Standard contractual clauses approved by the European Commission in the absence of DPF certification
A copy of the contractual safeguards for data transfer is available from the Controller upon request by the data subject.
6. AUTOMATED DECISION-MAKING AND PROFILING
The Controller may use profiling to tailor marketing content and personalize offered services based on user consent. Profiling is carried out by analyzing:
- Behavior on the website (visited subpages, visit duration)
- Reactions to marketing materials (opening newsletters, clicks)
- Preferences expressed in contact forms
- Interactions on social media
The data subject has the right not to be subject to decisions based solely on automated processing, including profiling. In case of objection to profiling, the Controller will cease this type of processing.
7. RIGHTS OF THE DATA SUBJECT
The data subject has the following rights:
Right of access (Article 15 GDPR) – the right to obtain information about processed data and a copy of such data.
Right to rectification (Article 16 GDPR) – the right to request rectification of inaccurate data or completion of incomplete data.
Right to erasure (Article 17 GDPR) – the right to request erasure of data in certain cases, including when data is no longer necessary for the purposes for which it was collected.
Right to restriction of processing (Article 18 GDPR) – the right to request restriction of processing in certain situations.
Right to data portability (Article 20 GDPR) – the right to receive data in a structured, commonly used format when processing is based on consent or a contract.
Right to object (Article 21 GDPR) – the right to object to data processing, particularly when processing is based on the legitimate interest of the Controller.
Right to withdraw consent – in case of processing based on consent, the right to withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal of consent.
Right to lodge a complaint with the President of the Office for Personal Data Protection when the data subject believes that the processing of their data violates GDPR provisions.
To exercise the above rights, please contact the Controller at: rodo@alvo.pl or the Data Protection Officer – Magdalena Jacolik.
8. COOKIES AND TRACKING TECHNOLOGIES
The Website uses cookies and similar technologies for the following purposes:
- Ensuring proper functioning of the Website (necessary cookies)
- Traffic analysis and Website optimization (analytical cookies)
- Personalization of content and advertisements (marketing cookies)
Detailed information about the cookies used, including how to manage them, can be found in the separate Cookie Policy available on the Website.
9. DATA SECURITY
The Controller applies appropriate technical and organizational measures to ensure the security of processed personal data, in particular:
- Data encryption during transmission (HTTPS protocol)
- Access control to personal data
- Regular backups
- System security monitoring
- Employee training in data protection
10. CHANGES TO THE PRIVACY POLICY
The Controller reserves the right to make changes to this Privacy Policy. Information about significant changes will be published on the Website together with the effective date of the new version of the document.
The latest and current version of the Privacy Policy is effective as of 02.10.2025.