Privacy Policy

1. WHO WE ARE

The Controller

Your personal data is administered by:

RHOYN SPOLKA Z OGRANICZONA ODPOWIEDZIALNOSCIA
Al. Jerozolimskie 81/lok 7.10, 02-001 Warszawa
NIP: 8971905989, REGON: 52201531600000
KRS: 0000971421
Share capital: 5 000 PLN
Registry court: Sad Rejonowy dla Wroclawia-Fabrycznej we Wroclawiu, VI Wydzial Gospodarczy KRS
("Controller", "we", "us").

Contact

Post: Al. Jerozolimskie 81/lok 7.10, 02-001 Warszawa
Email: hello@rhoyn.com

Definitions

1. Personal Data - information identifying a natural person directly or indirectly.
2. GDPR - Regulation (EU) 2016/679 on personal data protection.
3. Website - rhoyn.com / rhoyn.pl.
4. Policy - this document.
5. User - anyone who visits our Website, reaches out to us, applies for a position, subscribes, or otherwise shares personal data.
6. Services - electronic services delivered through the Website (contact forms, recruitment, newsletters, event sign-ups, etc.).

2. YOUR RIGHTS

Under the GDPR you may:

Access (Art. 15) - obtain confirmation and a copy of your data.
Rectification (Art. 16) - correct inaccurate or incomplete data.
Erasure (Art. 17) - request deletion where data is no longer needed or consent is withdrawn. Exceptions: legal obligations, claims defence, public interest.
Restriction (Art. 18) - temporarily limit processing, e.g. pending accuracy verification.
Portability (Art. 20) - receive data in a machine-readable format or have it sent to another controller (consent- or contract-based processing only).
Object (Art. 21) - object to legitimate-interest processing; for direct marketing, objection is unconditional.
No automated decisions (Art. 22) - not be subject to solely automated decisions producing legal or similarly significant effects.
Withdraw consent (Art. 7(3)) - at any time, without affecting prior lawful processing.

Exercising Your Rights

Submit requests to hello@rhoyn.com. We reply within 1 month (extendable by 2 months for complex cases).
Identity verification may be required. Manifestly unfounded or excessive requests may be refused with reasoning.

Complaints

Prezes Urzedu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa
https://uodo.gov.pl
kancelaria@uodo.gov.pl
+48 22 531 03 00

3. DATA WE COLLECT AND WHY

Contact inquiries
Legal Basis: Art. 6(1)(f) legitimate interest
Data: Name, email, phone, inquiry content

Recruitment - internal
Legal Basis: Art. 6(1)(a)/(b)/(c)
Data: Name, DOB, contact info, education, work history, CV

Recruitment - for clients
Legal Basis: Art. 6(1)(a)/(f)
Data: As above; anonymised profile shared with client

Newsletters / promotions
Legal Basis: Art. 6(1)(a); e-privacy rules
Data: Name (if in email), email

Events / webinars
Legal Basis: Art. 6(1)(a)/(b)
Data: Name, email, phone, organisation

Social media / ads
Legal Basis: Art. 6(1)(f)
Data: Public profile data, interaction data, device IDs

Business relations
Legal Basis: Art. 6(1)(f)/(b)
Data: Name, business email/phone, job title, organisation

Legal claims
Legal Basis: Art. 6(1)(f)
Data: Data relevant to the claim

Where we rely on legitimate interest, we have weighed our interests against your rights. These include: handling inquiries, recruiting, promoting services, maintaining business ties, and defending legal rights.

4. PROCESSING DETAILS

Contact Inquiries

Purpose: Handle your inquiry.
Basis: Art. 6(1)(f).
Data: Name, email, phone (optional), message. Providing contact details is voluntary but needed for a reply.
Recipients: Hosting/IT providers, relevant staff.
Retention: Until resolved plus the limitation period.

Recruitment

A. Internal Positions

Purpose: Assess applications, conduct selection, prepare agreements; with consent, consider you for future openings.
Basis: Art. 6(1)(b)/(c)/(a).
Data: Name, DOB, email, phone, education, experience, qualifications, CV/cover letter/references.
Sources: Website forms, job portals, unsolicited applications, referrals, professional-network sourcing.
Employment-law data is mandatory; all else voluntary.
Recipients: HR, hiring managers, IT providers, recruitment platforms.
Retention: No future-consent - deleted within 90 days; with consent - up to 2 years or until withdrawn; successful candidates - transferred to personnel file under separate notice.
Automated decisions: None; all decisions involve human review.

B. Client Positions

Purpose: Source candidates for client roles.
Basis: Art. 6(1)(a)/(f).
You will learn the client's identity and data scope before transfer; you may decline (ending participation). Once shared, the client becomes an independent controller.
Retention: Process duration; up to 5 years if client contracts require it; deleted on consent withdrawal.
Screening: Some clients require CV verification - you will be notified. Checks beyond CV data are the client's responsibility.

Newsletters & Promotions

Purpose: Deliver service updates, insights, and promotional content.
Basis: Art. 6(1)(a); e-privacy law.
Data: Name (if in email), email, phone (if given).
Recipients: Email/marketing platforms, hosting providers.
Retention: Until unsubscribe or objection. Direct-marketing objection is unconditional; we stop immediately.

Events & Webinars

Purpose: Manage registrations, deliver events, follow up.
Basis: Art. 6(1)(a)/(b).
Data: Name, email, phone, organisation, job title; in-person: dietary/accessibility needs.
Retention: Event duration; limitation period if paid.

Advertising & Social Media

Purpose: Maintain public presence, engage audiences, analyse reach.
Basis: Art. 6(1)(f).
Data: Public profile info, interactions (likes, comments, shares), aggregated statistics.
Sources: Social media profiles, platform analytics (LinkedIn, Facebook, Instagram, YouTube, X).
Recipients: Platform operators, marketing tools, hosting providers.
Retention: While legitimate interest persists or until objection; platform data follows each platform's policy.

Business Partners, Clients & Vendors

Purpose: Manage commercial relationships, perform contracts, ensure compliance.
Basis: Art. 6(1)(f)/(b).
Data: Name, business email/phone, job title, organisation; sole traders: tax/registration IDs.
Sources: Representatives; public registers.
Recipients: Cloud/IT providers, legal/accounting advisors, authorities, group affiliates.
Retention: Relationship duration plus limitation period (typically 3-6 years).

5. RETENTION PERIODS

Data is kept only as long as needed or law requires, then securely deleted or anonymised.

Contact inquiries
Period: Until resolved + limitation period
Reason: Handling; defence

Recruitment - internal (no consent)
Period: Up to 90 days post-process
Reason: Selection completion

Recruitment - internal (with consent)
Period: Up to 2 years or until withdrawn
Reason: Future openings

Recruitment - for clients
Period: Process duration; up to 5 years if required
Reason: Non-resubmission clauses

Newsletters / promotions
Period: Until consent withdrawn or objection
Reason: Consent

Events / webinars
Period: Event duration; limitation period if paid
Reason: Contract; defence

Social media / ads
Period: While interest persists or until objection
Reason: Brand promotion

Business partners / vendors
Period: Relationship + 3-6 years
Reason: Contract; defence

Legal claims
Period: Applicable limitation period
Reason: Legal obligation

6. SHARING AND TRANSFERS

Recipient Categories

We share data only to the minimum extent needed with:
- IT/hosting providers operating our systems.
- Recruitment platforms for candidate management.
- Marketing/communication tools for email, analytics, campaigns.
- Legal, accounting, and audit advisors.
- Clients receiving candidate data (with candidate's knowledge/consent).
- Public authorities where legally required.

Disclosure vs. Entrustment

Disclosure - data passed to an independent controller (e.g. candidate profile shared with a client).
Entrustment - a processor acts under our instructions per Art. 28 GDPR (e.g. hosting provider).

All processors must apply adequate safeguards and follow our instructions.

International Transfers

For transfers outside the EEA lacking an adequacy decision we use: Standard Contractual Clauses, Binding Corporate Rules (where applicable), or explicit consent (last resort, with risk disclosure). Contact hello@rhoyn.com for copies.

7. AUTOMATED PROCESSING AND PROFILING

We may combine data you supplied (CV, preferences) with publicly available information (professional profiles) to improve job matching or tailor marketing. This constitutes profiling under Art. 4(4) GDPR, based on legitimate interest (Art. 6(1)(f)).

This profiling does not produce legal or similarly significant effects. All material decisions - especially recruitment - are made by qualified personnel, never solely by automated means.

Object at any time via hello@rhoyn.com. Objection stops profiling but may reduce personalisation. It does not affect processing under other legal bases.

8. DATA SECURITY

Technical: TLS/SSL encryption in transit; encryption at rest for personal-data databases; regular vulnerability assessments and penetration tests; firewalls, intrusion detection, continuous monitoring.

Organisational: Need-to-know access controls; confidentiality obligations and periodic data-protection training; documented breach detection, assessment, and notification procedures (Art. 33-34 GDPR); practices aligned with recognised standards.

9. COOKIES AND TRACKING

Cookies are small text files stored on your device. Session cookies expire when you close the browser; persistent cookies last until expiry or deletion.

Our Website uses:

Strictly Necessary - core functionality (navigation, forms, security); cannot be disabled.
Performance & Analytics - anonymous, aggregated usage data to improve the Website.
Functionality - personalisation (language, region); disabling may limit features.
Advertising & Targeting - placed by third parties to build interest profiles and serve relevant ads; identify your browser/device but do not directly store personal data.

Blocking cookies may affect Website functionality.

10. THIRD-PARTY LINKS

Our Website may link to external sites or apps outside our control; we are not responsible for their privacy practices. Social media plugins and embedded content follow the respective platform's terms and may collect data without interaction. Review third-party policies before engaging.

11. POLICY UPDATES

We may revise this Policy to reflect legal, operational, or best-practice developments. Material changes will appear on the Website; where appropriate, we will notify you by email or prominent notice. Continued use after updates constitutes acknowledgement.

Effective date: 16.05.2026