Last updated: 30 October 2025

1. Data Controller
The data controller is AlfaMedial, registered office: Os. Bohaterów Września 79a/16, 31-621 Kraków, Poland, NIP (Tax ID): 6771425568, REGON: 120607210 (hereinafter: the “Controller”).
Data protection contact: info@form.com.pl.
2. Scope and Purposes of Processing
Personal data are processed in connection with the use of forms available on the Form.com.pl website and the handling of online payments, in particular for the following purposes:
– handling enquiries submitted via contact forms and conducting related correspondence,
– accepting and settling payments for ordered services (including transaction verification),
– performing services ordered via the forms (e.g., reservations, transfers, event participation),
– issuing and sending accounting documents (invoices, receipts) and keeping accounting records,
– maintaining operational contact regarding service performance and complaint handling,
– complying with legal obligations (including tax and accounting regulations),
– ensuring service security, preventing abuse, and establishing, exercising or defending legal claims,
– conducting basic website analytics (traffic, form effectiveness) to improve service quality.
3. Legal Bases for Processing
Processing is carried out under Article 6(1) of the GDPR:
– point (b) – necessity for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract (e.g., form handling, order execution),
– point (c) – compliance with a legal obligation (e.g., tax and accounting laws),
– point (f) – legitimate interests pursued by the Controller (e.g., service security, fraud prevention, claims management, basic analytics),
– point (a) – consent (e.g., voluntary marketing or additional communications, where consent is given).
4. Categories of Personal Data
The Controller may process, in particular:
– contact identifiers: first and last name, e-mail address, phone number,
– transaction data: payment/operation ID, amount, currency, date and status (full payment card details are not stored; these are processed by the payment operator),
– order/reservation details (e.g., date, place, service variant),
– technical data: IP address, device/cookie identifiers necessary for the website to function,
– other data voluntarily provided in the form content.
5. Data Retention
Data are stored for as long as necessary to achieve the purpose for which they were collected, and thereafter:
– accounting and financial records – for the period required by law (as a rule, 5 years counted from the end of the relevant tax year),
– data related to claims – until the limitation period for such claims expires,
– data processed on the basis of consent – until consent is withdrawn.
6. Data Recipients
Personal data may be disclosed or entrusted to the following categories of recipients under appropriate agreements:
– payment operator: Paynow (mBank S.A.) – payment processing and verification,
– hosting and IT infrastructure providers, system maintenance partners,
– subcontractors delivering ordered services (service partners/contractors),
– communication providers (e-mail), analytics and security tool providers,
– public authorities – only to the extent required by applicable law.
The Controller does not sell personal data.
7. Rights of Data Subjects
Data subjects have the following rights:
– right of access and to obtain a copy of data,
– right to rectification (correction) of data,
– right to erasure (“right to be forgotten”) where no grounds for further processing exist,
– right to restriction of processing,
– right to data portability under Article 20 GDPR,
– right to object to processing based on Article 6(1)(f) GDPR (legitimate interests),
– right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal),
– right to lodge a complaint with a supervisory authority (in Poland: the President of the Personal Data Protection Office – PUODO).
Please send requests to: info@form.com.pl.
8. Transfers Outside the EEA
As a rule, data are not transferred outside the European Economic Area. Where such transfer is necessary (e.g., due to an IT provider’s location):
– the transfer is based on appropriate safeguards under Articles 46–49 GDPR (in particular EU Standard Contractual Clauses),
– the Controller implements additional data protection measures appropriate to the risk.
9. Automated Decision-Making
Personal data are not used for decisions based solely on automated processing, including profiling for marketing or decision-making purposes.
10. Final Provisions
The Controller exercises due care to ensure an adequate level of security (organizational and technical measures pursuant to Article 32 GDPR, including encrypted transmission, access control, backups, and operation logging). The Controller reserves the right to update this notice in the event of changes in law, technologies used, or processing activities. The current version is always available at: form.com.pl/rodo.

Additional information: Providing personal data is voluntary but necessary to achieve the purposes indicated in Section 2 (e.g., handling the form, concluding and performing a contract, settlements). Failure to provide data may prevent service delivery or payment acceptance.