Privacy Policy

What terms do we use?

Personal data — Data relating to an identifiable natural person. This policy explains how we use personal information you provide to us.
We / CodeSwift — CodeSwift (“we”, “us”). We decide why and how your personal data is processed when you use our website and services.
You / Yours — Any natural person whose personal data we process and to whom this Privacy Policy applies.
GDPR — Regulation (EU) 2016/679 (General Data Protection Regulation).
Website — Our website and its subpages operated by CodeSwift.
Recipients — Entities we may engage to process data on our behalf under appropriate agreements. They only process data per our instructions and applicable law.
Cookies — Small text files stored on your device that help the site function, remember preferences, and understand usage.

Who does this policy apply to?

This policy describes how we collect, use, and store personal data for:

Job candidates
Employees
Contractors
Clients and suppliers
Employees or representatives of clients
Newsletter subscribers and people who complete forms, register for events, or download resources
People who correspond with us
Meetup or event participants

Who is the data controller?

The controller of your personal data is CodeSwift. We decide the purposes and means of processing data you provide when you use the Website or work with us.

For questions about this policy or your personal data, contact us at connect@codeswift.org.

How do we process personal data?

We process personal data in line with GDPR and applicable law. In summary, data will be:

Processed lawfully, fairly, and transparently
Collected for specified, lawful purposes and not further processed incompatibly
Adequate, relevant, and limited to what is necessary
Kept only as long as necessary for the purposes described below

Details for specific activities are in the tables below.

What data do we collect?

We collect data you give us (forms, downloads, email, contracts) and data from using our Website (including cookies where applicable). We may also receive data from public sources (such as professional profiles) or referrals. If you work with us, we process the data needed for that relationship.

For what purposes, on what legal grounds, and for how long do we process personal data?

Information for job applicants

Purpose of processing	Legal basis	Period of processing
Recruitment, including data required by labor law and steps to conclude a contract with a selected candidate.	Article 22¹ of the Polish Labor Code (where applicable) and Article 6(1)(b) GDPR.	Until the end of the recruitment, no longer than 12 months from receiving your application, or as stated in consent for future recruitment (no longer than one year after recruitment ends).
Additional recruitment data processed on the basis of your consent (beyond statutory minimum).	Article 6(1)(a) GDPR; Article 9(2)(a) GDPR for special categories of data where you explicitly consent.	Until the end of the recruitment, no longer than 12 months from receiving your application, or as stated in consent for future recruitment (no longer than one year after recruitment ends).
Participation in future recruitment based on your consent.	Article 6(1)(a) GDPR (consent).	Until the end of the recruitment, no longer than 12 months from receiving your application, or as stated in consent for future recruitment (no longer than one year after recruitment ends).

Providing personal data is mandatory where required by law; otherwise it is voluntary.

Information for employees

Purpose of processing	Legal basis	Period of processing
Conclusion and performance of an employment contract.	Article 6(1)(b) GDPR and Article 221 of the Polish Labor Code (where applicable).	For the time needed to perform the contract, applicable limitation periods for claims, and statutory retention for related records.
Accounting and tax documentation.	Article 6(1)(c) GDPR and applicable accounting and tax law (legal obligation).	As required by law for accounting, tax, and related settlement documentation.
Pursuing and defending claims.	Article 6(1)(f) GDPR (legitimate interests: establishing, exercising, or defending legal claims).	For the limitation period of potential claims (commonly up to three years from when a claim becomes due, unless a longer period applies).
Security of people and property and protection of confidential information.	Article 6(1)(f) GDPR (legitimate interests).	Until you raise an effective objection where applicable.
Employee training.	Article 6(1)(a) GDPR (consent), Article 6(1)(b) GDPR (contract), and/or Article 6(1)(f) GDPR (legitimate interests), as applicable.	Until objection where applicable, withdrawal of consent where processing is consent-based, end of contract terms, then limitation periods for claims where relevant.
Health and safety obligations, including recording work accident circumstances and causes.	Article 6(1)(c) GDPR (legal obligation).	As required by law (for example, up to 10 years from the end of the calendar year in which the employment relationship ended, where such rules apply).

Mandatory data is required where the law or contract requires it; without it, an employment relationship may not be possible.

Information for contractors

Purpose of processing	Legal basis	Period of processing
Conclusion and performance of a contract.	Article 6(1)(b) GDPR.	For the time needed to perform the contract, limitation periods for claims, and statutory retention for related records; longer where the law requires.
Accounting and tax documentation.	Article 6(1)(c) GDPR and applicable accounting and tax law.	As required by law until obligations are fulfilled.
Pursuing and defending claims.	Article 6(1)(f) GDPR (legitimate interests).	For applicable limitation periods (often several years, depending on the claim).

Mandatory data is required where the law or contract requires it; without it, we may not be able to conclude or perform the contract.

Information for clients / suppliers

Purpose of processing	Legal basis	Period of processing
Establishing commercial contacts and sales activities.	Article 6(1)(f) GDPR (legitimate interests).	Until you object in light of your particular situation.
Conclusion and performance of a sales or supply agreement.	Article 6(1)(b) GDPR.	Until termination or expiry of the agreement and applicable claim periods (often up to six years after termination, depending on jurisdiction).
Handling enquiries and complaints from prospective and existing clients.	Article 6(1)(f) GDPR (legitimate interests).	Until termination or expiry of the relationship and applicable claim periods.
Accounting and tax documentation.	Article 6(1)(c) GDPR and applicable accounting and tax law.	Typically five years after the end of the calendar year in which the tax became due (where such rules apply).
Debt collection.	Article 6(1)(f) GDPR (legitimate interests).	For the limitation or expiry period applicable to the claim (often up to six years from the relevant event, depending on jurisdiction).
Investigation and defence of claims.	Article 6(1)(f) GDPR (legitimate interests).	For the limitation period applicable to the relationship (often at least six years after cooperation ends, depending on jurisdiction).
Direct marketing of our own products and services (where consent or soft opt-in rules apply).	Article 6(1)(a) GDPR and/or Article 6(1)(f) GDPR, together with applicable marketing and e-privacy rules.	Until you withdraw consent or object, as applicable.

Mandatory data is required where the law or contract requires it; other processing depends on the relationship and your choices.

Information for employees or persons representing clients

Purpose of processing	Legal basis	Period of processing
Ongoing performance of an agreement with the client.	Article 6(1)(f) GDPR (legitimate interests).	For the term of the agreement.
Establishing, investigating, and defending claims.	Article 6(1)(f) GDPR (legitimate interests).	For the limitation period of potential claims (for example, up to six years after cooperation ends, depending on jurisdiction).

Data is usually provided via your organization; without it, we may not be able to contract with the client. If we did not obtain data directly from you, the source is typically your employer or the entity you represent.

Newsletter subscribers, form users, resource downloads, and similar Website interactions

Purpose of processing	Legal basis	Period of processing
Sending newsletters and direct marketing messages about our products or services.	Article 6(1)(a) GDPR (consent).	Until you withdraw consent. Withdrawal does not affect lawfulness of processing before withdrawal.
Email updates about offers or content (including commercial information where permitted).	Article 6(1)(f) GDPR (legitimate interests), within the scope of your consent or applicable law.	Until you object where applicable.
Other direct marketing activities (including electronic commercial communications where permitted).	Article 6(1)(f) GDPR (legitimate interests), within the scope of your consent or applicable law.	Until you object where applicable.
Event registration, updates, administration, and related communication about our products and services (where you have agreed).	Article 6(1)(a) GDPR (consent).	Until you withdraw consent.

If you submit a job application through a form, the “job applicants” section applies to that processing.

Information for correspondents

Purpose of processing	Legal basis	Period of processing
Recording correspondence and responding in a timely manner; quality of cooperation with partners and stakeholders.	Article 6(1)(f) GDPR (legitimate interests).	Until an effective objection where applicable, subject to limitation periods for claims (for example, up to six years after contact ends, depending on jurisdiction).

Information for meetup or event participants

Purpose of processing	Legal basis	Period of processing
Organization and delivery of meetups or events.	Article 6(1)(a) GDPR (consent).	Until you withdraw consent. Withdrawal does not affect lawfulness of processing before withdrawal.

Providing data is voluntary, but we may not be able to run the event without it.

Who can receive your data?

We may share personal data with processors who provide services to us under appropriate agreements (for example IT, hosting, HR tools, or recruitment platforms).

We may also disclose data where required by law to authorities or courts that have a valid legal basis to request it.

Is providing personal data voluntary?

Providing your data is largely voluntary. We ask for personal data when needed to enter into or perform a contract (for example a newsletter or downloadable resource), and for accounting, tax, or claim-related retention as described above.

Your rights

Under GDPR and applicable law, you may have the following rights (where they apply to your situation):

Access — confirm whether we process your data and obtain a copy in many cases.
Rectification — correct inaccurate or incomplete data.
Erasure — request deletion where applicable (subject to exceptions such as legal claims or legal retention).
Restriction — limit processing in certain situations (for example while we verify accuracy).
Data portability — receive data you provided in a structured, machine-readable format and transmit it to another controller where processing is based on consent or contract and is automated.
Object — object to processing based on legitimate interests, and to certain marketing processing.
Withdraw consent — where processing is consent-based, without affecting lawfulness before withdrawal.

To exercise your rights, email connect@codeswift.org.

You may lodge a complaint with a supervisory authority — in Poland, the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, or your local authority if you live outside Poland.

Transfers outside the EEA

As a rule we do not transfer your personal data outside the European Economic Area (EEA).

If we use providers outside the EEA without an adequacy decision, we use appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, where required.

Automated decisions and profiling

We may use tools that involve automated processing or profiling for analytics or marketing, but we do not make decisions based solely on automated processing that produce legal or similarly significant effects for you without human involvement.

Marketing-related profiling may be used to tailor content; you can object or withdraw consent as applicable.

Cookies

We may use cookies and similar technologies. Types include:

Necessary — core site functionality and security.
Preferences — remember settings such as language.
Statistics — understand how the site is used (often in aggregate).
Marketing — relevant ads or campaigns where used.
Unclassified — cookies we are still classifying with providers.

Cookie duration depends on the cookie type. On first visit, details are often shown in a cookie banner; you can change preferences via your browser or our cookie settings where available.

Third-party tools

Analytics and product tools

We may use analytics or error-monitoring services (for example to understand usage or fix bugs). Those providers process data under their terms and as our processors where applicable.

Forms and marketing automation

If we use platforms to manage forms, email, or CRM, data is processed under our instructions and their privacy terms.

Other provisions

Where this policy does not address a matter, applicable laws apply (including GDPR and local e-privacy rules where relevant).

We may update this policy; material changes will be posted on the Website. Continued use after changes means you accept the updated policy where permitted by law.

Last updated: January 2025.