Privacy Policy

Version: 4 June 2025

General Information
Controller and Contact Details
Scope of Personal Data Collected
Sources of Data
Purposes and Legal Bases for Personal Data Processing
Sharing of Personal Data
International Data Transfers
Use of Artificial Intelligence and Profiling
Cookies and Analytical Tools
Your Rights Related to Personal Data Processing
Personal Data Retention Period
Personal Data Security
Children's Data
Changes to the Privacy Policy
Contact
Data Protection Impact Assessments (DPIA) and Record of Processing Activities (RoPA)
List of Processors (Sub-processors)
Supervisory Authority
Glossary of Terms

1. General Information

This Privacy Policy defines the rules for processing personal data of users of the inteliq.pl website, candidates participating in recruitment processes, clients using our services, as well as other individuals whose data may be processed as part of the business activities conducted by Inteliq Group Sp. z o.o. (“Inteliq”, “we”, “Controller").

Our goal is to ensure full transparency, compliance with applicable personal data protection regulations, and to build trust based on responsible and secure data processing. This document has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR” – General Data Protection Regulation), as well as based on national law, including the personal data protection act and other applicable legal acts.

The Policy aims not only to fulfill the information obligations resulting from legal provisions but also to provide you with clear and understandable information about what data we collect, for what purposes we process it, on what legal bases, to whom we share it, how long we store it, and what rights are granted to data subjects. Inteliq takes all reasonable steps to protect personal data, taking into account the latest technological solutions and industry best practices.

For any questions regarding this Policy, please contact us at: office@inteliq.pl or directly with our Data Protection Officer: iod@inteliq.pl.

2. Controller and Contact Details

Data Controller – the controller of your data is Inteliq Group Sp. z o.o., registered in the National Court Register under KRS number: 0000969100, with VAT ID: 9512540135 and REGON: 522014999, with its registered office at ul. Dembego 10/181, 02‑796 Warsaw.

The operational office is located in the center of Warsaw, at ul. Marszałkowska 89, 00‑693 Warsaw. This office is the main place of operational activity and contact with candidates and clients.

Contact with us is possible in several ways:

by phone – contact number available on the inteliq.pl website,
by e‑mail – office@inteliq.pl,
in person – by prior appointment at the office at ul. Marszałkowska 89,
by correspondence – to the address of the registered office or office.

3. Scope of Personal Data Collected

Depending on the nature of the relationship and the purpose of contact, we process the following categories of personal data:

Identification data – in particular, first and last name;
Contact data – in particular, email address, phone number;
Data regarding education and professional experience – including information on qualifications, employment history, foreign language proficiency, certificates held, professional licenses;
Content of application documents – in particular, resumes (CVs), cover letters, portfolios, references, links to professional profiles (e.g., LinkedIn, GitHub), as well as information regarding professional preferences and financial expectations;
Data obtained during recruitment processes – including notes made during interviews, information provided by the candidate during meetings or phone contact, results of competency or language tests;
Technical data – including data from cookies;
Correspondence data – including the content of emails, contact forms, and records of phone calls conducted with candidates;
Event participant data – including data of individuals participating in conferences, training sessions, webinars, and other events organized by Inteliq;
Consent data – in particular, the date, form, and content of consents given, and the history of changes in user preferences.

We emphasize that the overriding value in our recruitment processes is the candidate's competence, experience, and professional potential. The collected personal data are used solely for the purpose of enabling contact with the candidate and do not form the basis for making decisions regarding the assessment of professional suitability.

In this regard, we attach particular importance to data anonymization, including limiting the exposure of information enabling direct identification of the candidate, if it is not necessary for the realization of a given recruitment purpose. Contact and identification data are treated as auxiliary elements, used only to the extent necessary to ensure efficient and secure communication.

At the same time, we inform that as part of our equality and non-discrimination policy, we do not intentionally collect or use personal data in a way that could lead to prejudice or unequal treatment of candidates due to gender, age, ethnic origin, religion, worldview, sexual orientation, health status, or other characteristics protected by law.

We do not intentionally collect special categories of data, as referred to in Article 9(1) of the GDPR (including data concerning health, religious beliefs, political views, or trade union membership), unless the candidate decides to voluntarily disclose them and gives explicit, separate consent for their processing.

4. Sources of Data

The personal data we process may come from various sources, depending on the nature of the cooperation and the stage of the recruitment process. These sources include, in particular:

Directly from the data subject – this data is provided voluntarily, e.g., by filling out a contact form, submitting an application (CV, cover letter, portfolio), participating in an event, contacting us by phone or email, and by interacting with our recruitment systems and online tools.
Publicly available sources – data may come from public professional profiles and social media (e.g., LinkedIn, GitHub, Behance), employer websites, industry registers, databases published in accordance with legal provisions, or from publicly available conference materials and publications.
Third parties providing recommendations – in special cases, we may obtain information from third parties, e.g., former employers, colleagues, or individuals indicated by the candidate as references. In such cases, we always ensure that this information is obtained in accordance with applicable law and with the candidate's knowledge and consent.
Business partners and cooperating institutions – we may receive data from entities cooperating with us as part of joint recruitment projects, internship programs, academic programs, or outplacement programs, e.g., employment agencies, universities, business incubators, foundations, or industry associations. In such cases, we always verify whether the entity providing the data has an appropriate legal basis for sharing it.

Regardless of the source, all acquired personal data are verified for their compliance with the purpose for which they were collected and are processed in accordance with the principle of minimization and adequacy, as defined in Article 5(1)(c) of the GDPR.

We do not use data obtained from unauthorized sources, nor do we collect personal data by covert monitoring methods, unless permitted by applicable law and necessary to protect the legitimate interests of the controller or a third party (Article 6(1)(f) of the GDPR).

Every data subject has the right to obtain information about the source of their personal data, in accordance with Article 14 of the GDPR, if such data has not been collected directly from them.

5. Purposes and Legal Bases for Personal Data Processing

Personal data are processed solely to the extent necessary for the realization of lawful purposes, as defined below. In each case, processing is carried out based on an appropriate legal basis provided for in Article 6(1) of the GDPR:

Purpose of Processing	Legal Basis (GDPR)
Conducting recruitment processes and presenting candidate profiles to the Client – includes application analysis, competency assessment, contact with the candidate, and forwarding selected profiles to the employer.	Article 6(1)(a) GDPR – consent of the data subject; Article 6(1)(b) GDPR – necessity for taking steps at the request of the data subject prior to entering into a contract.
Performance of contracts concluded with Clients and subcontractors – including handling recruitment orders, reporting progress, issuing billing documents.	Article 6(1)(b) GDPR – necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Direct marketing of the controller's services – sending information about job offers, industry events, publications, and platform updates.	Article 6(1)(a) GDPR – consent of the data subject; Article 6(1)(f) GDPR – legitimate interest of the controller consisting in promoting its own services.
Establishment, exercise or defense of legal claims – in particular in cases of legal disputes, complaints, or administrative proceedings.	Article 6(1)(f) GDPR – legitimate interest of the controller consisting in the protection of its rights and interests.
Fulfillment of legal obligations incumbent on the controller – e.g., in terms of document retention, providing information to authorized bodies, fulfilling tax or accounting obligations.	Article 6(1)(c) GDPR – legal obligation to which the controller is subject.

In cases where data processing is based on consent (Article 6(1)(a) GDPR), the data subject has the right to withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

6. Sharing of Personal Data

Personal data may be disclosed to third parties only to the extent necessary for the realization of the purposes for which they were collected, and in accordance with applicable law. In particular, data may be shared with the following categories of recipients:

Potential employers and business clients – candidate data may be transferred to entities seeking employees or collaborators, solely within the scope of a specific recruitment process and with the candidate's consent. If necessary, such data are first limited to the essential scope and may be presented in an anonymized form.
Entities providing services to the data controller – including providers of ATS tools (recruitment systems), IT services, cloud infrastructure (hosting, servers, databases), security systems, and advisory and legal services. Each of these entities operates based on a separate data processing agreement and processes data solely on the controller's instruction and in accordance with its instructions.
Authorities authorized to receive data based on legal provisions – in particular, public administration bodies, courts, prosecutors, control and supervisory bodies, solely in cases provided for by law.
Substantive partners and cooperating institutions – in situations, where data are processed as part of joint projects (e.g., educational, internship, mentoring programs), data sharing may occur to the extent necessary for the realization of the purpose of such cooperation, based on appropriate agreements or consents.

Personal data are not transferred to third countries or international organizations, except where such transfer is necessary for the purposes of processing and occurs in accordance with the principles set out in Chapter V of the GDPR (in particular, based on standard contractual clauses approved by the European Commission or within the framework of the EU-US Privacy Shield, if applicable).

The controller takes due diligence to ensure that every entity to whom data is shared provides an adequate level of security and processes it in accordance with applicable personal data protection regulations.

7. International Data Transfers

Personal data processed by Inteliq are not transferred to third countries outside the European Economic Area (EEA) or to international organizations. All operations related to data storage and processing take place exclusively within the European Union.

Data are stored on secure servers located in data centers in Poland, Germany, Finland, and Ireland. The selection of server locations and infrastructure providers has been made in a manner ensuring compliance with personal data protection regulations, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR").

The Controller makes every effort to ensure that data are processed only in jurisdictions providing a high level of protection, and that entities processing data on behalf of Inteliq act in accordance with concluded data processing agreements and apply appropriate technical and organizational measures ensuring information security.

8. Use of Artificial Intelligence and Profiling

As part of our recruitment processes, we use a locally deployed Large Language Model (LLM), which operates exclusively locally on a secure Inteliq server located at Inteliq's premises. Candidates' personal data are not transferred to external AI tool providers (such as OpenAI, Anthropic, Google, or Microsoft).

The system using the LLM may be used for automatic analysis of the content of application documents (e.g., CVs) and job advertisements to pre-match the candidate's profile with the position requirements. Such activity may involve profiling, but it does not lead to decisions based solely on automated processing within the meaning of Article 22(1) of the GDPR. Every recruitment decision is made solely by a human, and the system only serves as a supporting function in the selection process.

The candidate has the right to object to the processing of data for profiling purposes, which will be considered immediately, no later than within 14 days. In the event of an objection, the candidate's data will not be subject to analysis using AI tools.

The technological solutions applied comply with the principles of transparency and data minimization, and the AI models used by Inteliq do not learn or archive personal data – they operate only within the scope of current analysis for the needs of a specific recruitment process.

9. Cookies and Analytical Tools

The Inteliq website uses cookies and similar technologies to ensure the proper functioning of the site, analyze traffic, and conduct marketing activities. In particular, the following categories of cookies are used:

Necessary cookies – enabling basic website functions, such as navigation, access to secured areas, maintaining user sessions. Their use does not require user consent.
Analytical cookies – enabling the collection of aggregated statistical information regarding website usage. The service uses, among others, Google Analytics, which may collect data such as IP address, browser information, and time spent on the site. The use of these files requires prior user consent.
Marketing cookies – enabling remarketing activities and measuring the effectiveness of advertising campaigns. For this purpose, tools such as Meta Pixel (Facebook) and LinkedIn Insight Tag are used. These files may be used for user profiling, provided that users give their consent.

During the first visit to the website, the user has the option to consent to the use of individual categories of cookies via a cookie banner. Consent can be withdrawn or changed at any time through browser settings or the consent management button available on the site.

Detailed information on the technologies used, cookie retention periods, and how to manage user preferences can be found in a separate document: Cookies Policy.

10. Your Rights Related to Personal Data Processing

In accordance with the applicable Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR"), you have the following rights related to the processing of your personal data:

Right of access to data – you have the right to obtain confirmation as to whether or not your personal data are being processed, and, where that is the case, access to the personal data and information concerning the purposes of the processing, the categories of personal data concerned, the recipients, the retention period, and your rights.
Right to rectification of data – you have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed, if they are outdated or incorrect.
Right to erasure of data ("right to be forgotten") – you have the right to obtain the erasure of personal data concerning you without undue delay where the personal data are no longer necessary in relation to the purposes for which they were collected, you withdraw consent and there is no other legal ground for the processing, or the personal data have been unlawfully processed.
Right to restriction of processing – you have the right to obtain restriction of processing where one of the cases specified in Article 18 of the GDPR applies, e.g., you contest the accuracy of the personal data or the processing is unlawful but you do not want the data to be erased.
Right to data portability – you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
Right to object – you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on the legitimate interest of the controller or for direct marketing purposes, including profiling. After an objection is raised, we will cease processing the data unless we demonstrate compelling legitimate grounds.
Right to withdraw consent – where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of the above rights, you can contact us using the contact details provided in the Contact section. Requests are processed without undue delay, no later than within 30 days of receipt, in accordance with Article 12(3) of the GDPR.

You also have the right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (UODO) – if you consider that the processing of your personal data infringes legal provisions.

11. Personal Data Retention Period

Personal data are stored no longer than necessary to achieve the purposes for which they were collected, taking into account the requirements resulting from legal provisions and the principles of archiving and accountability. Specific retention periods are as follows:

Candidate profile – personal data processed for recruitment purposes are stored for a period of up to 3 years from the end of a given recruitment process, unless the candidate has consented to a longer retention period for their profile in our database, e.g., for future recruitment processes.
Accounting and tax data – accounting documentation (e.g., invoices, bills) containing personal data is processed for a period of 5 years, counted from the end of the calendar year in which the tax obligation arose, in accordance with tax law and the accounting act.
Technical data and system logs – data collected as part of server logs, security logs, and technical data (e.g., IP addresses, timestamp, session data) are stored for a maximum period of 12 months, for the purposes of ensuring security, detecting incidents, and conducting technical statistics.

After the expiry of the above periods, data are permanently deleted or anonymized, unless there is another legal basis for their further storage (e.g., ongoing legal proceedings or archival obligations).

12. Personal Data Security

The Controller attaches the highest importance to the protection of personal data and ensuring its integrity, confidentiality, and availability. Data processing is carried out using current, best-practice information security standards, taking into account the risk associated with the nature of the processed information.

The following technical and organizational measures have been implemented, among others:

Data transmission using TLS/SSL encryption protocols – all connections to Inteliq systems are encrypted, which prevents unauthorized interception of data.
Multi-factor authentication (MFA) – access to administrative systems and server accounts requires multi-factor authentication (e.g., password + hardware key or mobile application).
Principle of Least Privilege (PoLP) – access to data and systems is granted only to the necessary extent, maintaining segregation of duties and access logging.
Use of separated environments – production, test, and development environments are logically and physically isolated from each other, preventing unauthorized cross-access.
Anomaly detection and automatic blocking systems – security solutions actively monitor network traffic, detect unusual behavior and block suspicious access attempts in real-time.
Layered security architecture (defense in depth) – data are stored and secured in multiple layers, meaning that even if one layer is breached, a massive leak or simultaneous download of all data is not possible.
Penetration tests and security audits – regular tests of system resistance to attacks and internal audits of data protection processes and infrastructure are conducted.

The Controller operates in accordance with the principle of continuous improvement of security systems, applying current industry standards (e.g., OWASP, CIS Benchmarks) and an update and access control policy consistent with the "zero trust" model.

In the event of a personal data breach, the controller undertakes to report the incident to the supervisory authority no later than 72 hours after its detection, in accordance with Article 33 of the GDPR, and to immediately inform the data subjects – if required.

13. Children's Data

Services provided by Inteliq are not directed at children or minors under the age of 16. We do not knowingly or intentionally collect personal data from individuals under 16 years of age, nor do we allow them to register, submit applications, or use recruitment services.

If the controller obtains credible information that data of a person below the indicated age is being processed without the required consent of their legal guardian, immediate steps will be taken to delete such data and inform the relevant individuals about the incident.

If you have reason to believe that a child under your care has provided us with their personal data without your knowledge or consent, please contact us immediately using the contact details provided in the Contact section.

14. Changes to the Privacy Policy

The Controller reserves the right to introduce changes to this Privacy Policy, particularly in the event of changes in applicable law, guidelines from supervisory authorities, service development, or the implementation of new technologies affecting the scope of personal data processing.

In the event of significant changes affecting the rights or obligations of data subjects, users will be informed with appropriate advance notice – at least 30 days before the changes come into effect – via the website, email, or other available communication channels.

It is recommended to regularly review the content of this Policy to stay updated on any changes. Each version of the document will be marked with its effective date.

15. Contact

The personal data controller is Inteliq Group Sp. z o.o. with its registered office in Warsaw, entered into the National Court Register under KRS number [KRS], VAT ID: [NIP], REGON: [REGON].

For all matters related to the processing of personal data, including the exercise of your rights, you can contact us:

by email: office@inteliq.pl
by mail: Inteliq Group Sp. z o.o., ul. Marszałkowska 89, 00-693 Warsaw, Poland
or: Inteliq Group Sp. z o.o., ul. Stefana Dembego 10 l.181, 02-796 Warsaw, Poland

We respond without undue delay, no later than within 30 days of receiving the inquiry, in accordance with Article 12(3) of the GDPR.

16. Data Protection Impact Assessments (DPIA) and Record of Processing Activities (RoPA)

Inteliq Group Sp. z o.o., as a personal data controller, fulfills its obligations under Articles 30 and 35–36 of the GDPR regarding the documentation and assessment of processing compliance with personal data protection regulations.

In particular:

A Record of Processing Activities (RoPA) is maintained, in accordance with Article 30(1) of the GDPR. The Register includes, among others, processing purposes, categories of data and data subjects, data recipients, retention periods, and a description of the technical and organizational measures applied to secure data.
In the case of processes that may result in a high risk to the rights and freedoms of natural persons – particularly those involving profiling with AI, large-scale processing of data, or sensitive categories of data – Inteliq conducts a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the GDPR.
If necessary, the controller consults planned processing operations with the supervisory authority – the President of the Personal Data Protection Office – in accordance with Article 36 of the GDPR.

The purpose of these activities is not only to ensure compliance with legal provisions but also to actively manage risk, increase process transparency, and ensure a high level of personal data protection at every stage of processing.

17. List of Processors (Sub-processors)

In order to provide services and ensure the continuity and security of personal data processing, Inteliq uses the services of external entities processing data on behalf of the controller, based on concluded data processing agreements compliant with Article 28 of the GDPR. All subcontractors meet security and confidentiality requirements, and data are processed only to the extent necessary for the provision of the given service.

The main categories of processors include:

AWS (Amazon Web Services) – cloud infrastructure and data storage, data center locations: EU (including Frankfurt, Ireland);
Cloudflare – content delivery (CDN), DDoS protection, TLS certificates, global locations with default routing through the EU;
Google Ireland Limited – email and office applications (Google Workspace), data location: European Union (Dublin, Hamina, Frankfurt).

18. Supervisory Authority

In matters related to the processing of personal data, you have the right to lodge a complaint with the supervisory authority, which in Poland is:

President of the Personal Data Protection Office (UODO)
ul. Stawki 2
00‑193 Warszawa
Website: https://uodo.gov.pl/

A complaint may be lodged in particular if you consider that the processing of your personal data infringes the provisions of the General Data Protection Regulation (GDPR).

19. Supervisory Authority