This Privacy Policy sets out in detail the principles governing the processing of personal data by OPEN‑UP Limited Liability Company Spółka komandytowa (hereinafter: the “Company”) in connection with:

• employment relationships (employment contracts);
• cooperation with contractors and service providers (B2B agreements, contracts of mandate, civil law agreements);
• handling business inquiries and correspondence;
• the use of the website available at https://www.open-up.pl.

The protection and security of personal data constitute a priority for the Company. Personal data are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR), the Polish Personal Data Protection Act, and other applicable legal provisions.

1. DATA CONTROLLER

The controller of personal data is:

OPEN‑UP LIMITED LIABILITY COMPANY SPÓŁKA KOMANDYTOWA

Registered office: ul. Bolesława Czerwińskiego 6/207, 40‑123 Katowice, Poland

KRS: 0000295953

NIP (Tax ID): 676‑23‑66‑949

REGON: 120604819

E-mail: biuro@open-up.pl

For all matters concerning the processing of personal data, data subjects may contact the Company at: biuro@open-up.pl.

2. SCOPE AND PURPOSE OF DATA PROCESSING

2.1 Employees (Employment Contracts)

Categories of personal data processed:

• identification data (name, surname, PESEL number, series and number of identity document);
• contact details (residential address, telephone number, e-mail address);
• employment-related data (position, remuneration, employment history, working time records);
• payroll and settlement data (bank account number, social security and tax contribution data);
• data required for accident insurance (NNW) provided to insurers (name, surname, PESEL, date of birth).

Legal basis and purposes of processing:

• performance of an employment contract (Art. 6(1)(b) GDPR);
• compliance with legal obligations under labour, social security and tax law (Art. 6(1)(c) GDPR);
• legitimate interest of the employer consisting in providing insurance protection to employees (Art. 6(1)(f) GDPR).

Retention period:

Employee documentation is retained for the period required by applicable labour law regulations (up to 50 years from termination of employment, unless shorter statutory periods apply). Payroll documentation is retained for 5 years from the end of the calendar year in which remuneration was paid or made available.

2.2 Contractors and Service Providers (B2B, Civil Law Agreements)

Categories of personal data processed:

• identification data (name, surname, business name);
• contact details (e-mail address, telephone number, correspondence address);
• financial and settlement data (Tax ID, REGON, bank account number);
• data relating to the conclusion and performance of agreements.

Legal basis and purposes of processing:

• conclusion and performance of contracts (Art. 6(1)(b) GDPR);
• compliance with tax and accounting obligations (Art. 6(1)(c) GDPR);
• establishment, exercise or defence of legal claims (Art. 6(1)(f) GDPR – legitimate interest).

Retention period:

Personal data are retained for the duration of the contract and thereafter for the period required by tax and accounting regulations (generally 5 years from the beginning of the year following the financial year to which the documentation relates).

2.3 Website Users (Cookies and Analytics)

Categories of data processed:

• IP address, browser type, operating system;
• information concerning browsing activity (page views, clicks, session duration);
• approximate geolocation data.

Legal basis and purposes of processing:

• ensuring proper functioning and security of the website (Art. 6(1)(f) GDPR – legitimate interest);
• statistical analysis and website optimisation (Art. 6(1)(f) GDPR);
• personalisation of content and marketing activities (Art. 6(1)(a) GDPR – consent).

Retention period:

Session cookies are stored until the browser session ends. Persistent cookies are stored for a maximum period of 24 months or until deleted by the user.

3. DATA RECIPIENTS

Personal data may be disclosed to the following categories of recipients, where necessary:

• accounting and payroll service providers;
• IT service providers (including Microsoft 365, hosting providers, CRM systems);
• legal advisors and law firms;
• insurance companies (for the purpose of arranging and servicing insurance coverage);
• courier and postal service providers;
• public authorities (including ZUS, tax offices, courts, labour inspectorate), to the extent required by law;
• providers of analytical tools (e.g. Google Analytics);
• advertising platform providers (where marketing cookies consent has been granted).

Where required, data are shared on the basis of data processing agreements compliant with Art. 28 GDPR.

4. TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

Personal data are primarily processed within the European Economic Area. In the event that services of entities located outside the EEA are used (in particular Microsoft Corporation, Google LLC, Meta Platforms), personal data may be transferred to third countries on the basis of:

• Standard Contractual Clauses approved by the European Commission; or
• an adequacy decision issued by the European Commission.

5. DATA SUBJECT RIGHTS

Data subjects are entitled to the following rights:

• the right of access to personal data (Art. 15 GDPR);
• the right to rectification of inaccurate or incomplete data (Art. 16 GDPR);
• the right to erasure (“right to be forgotten”) where statutory conditions are met (Art. 17 GDPR);
• the right to restriction of processing (Art. 18 GDPR);
• the right to data portability (Art. 20 GDPR);
• the right to object to processing based on legitimate interest (Art. 21 GDPR);
• the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
• the right to lodge a complaint with the President of the Personal Data Protection Office (Poland).

6. EXERCISING YOUR RIGHTS

Requests regarding personal data may be submitted:

• by e-mail to: biuro@open-up.pl;
• by post to: OPEN‑UP Sp. z o.o. Sp.k., ul. Bolesława Czerwińskiego 6/207, 40‑123 Katowice.

The Company shall respond without undue delay and no later than within one month of receipt of the request. Where necessary, this period may be extended by a further two months, of which the data subject will be informed.

7. WHETHER PROVIDING DATA IS MANDATORY

Providing personal data is:

• voluntary in relation to website use (cookies);
• necessary for the conclusion and performance of contracts (contractors and service providers);
• required by law in the case of employees (labour, social security and tax regulations).

Failure to provide required data may result in the inability to conclude a contract, establish employment, or use certain website functionalities.

8. AUTOMATED DECISION-MAKING AND PROFILING

Personal data may be processed in an automated manner, including profiling, exclusively in connection with cookies and website analytics for the purpose of personalising displayed content and optimising website performance. Such processing does not produce legal effects or significantly affect data subjects.

9. AMENDMENTS TO THIS PRIVACY POLICY

This Privacy Policy may be updated from time to time. The current version is available on the Company’s website. https://open-up.pl/en/privacy-policy/

Last updated: 31 January 2026.