Privacy Policy of Carrotta
Last updated: 20.04.2026
This Privacy Policy contains information regarding the processing of personal data and other information concerning Users of the Carrotta website (hereinafter: the "Service"). This Privacy Policy aims to ensure compliance of personal data processing with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) — hereinafter "GDPR".
1. Data Controller
The controller of personal data is Michał Woźniak operating under the business name HEXGRID Michał Woźniak with its registered office in Szczecin (ul. Bagienna 36C, 70-772 Szczecin, Poland), registered in the Central Registry and Information on Business Activity (CEIDG) of the Republic of Poland maintained by the minister competent for economy, Tax ID (NIP): 9552112428, REGON: 320190228, email address: hello@carrotta.net, hereinafter the "Controller".
2. Contact with the Controller
- Email: hello@carrotta.net
- Address: ul. Bagienna 36c, 70-772 Szczecin
- Phone: +48 537 357 057
3. Data Protection Officer
Email: hello@carrotta.net
Address: HEXGRID Michał Woźniak, ul. Bagienna 36c, 70-772 Szczecin
Phone: +48 537 357 057
4. Personal Data Security
The Controller implements modern technical measures and organizational solutions to ensure the protection of processed personal data. In particular, the Controller secures data against disclosure to unauthorized persons, acquisition by an unauthorized person, processing in violation of applicable regulations, and alteration, loss, damage or destruction. The Controller ensures that the technical and organizational measures it implements provide an appropriate level of security corresponding to the risk of violating the rights and freedoms of natural persons, taking into account the state of technical knowledge, costs of implementation, and the nature, scope, context and purposes of processing. The Controller processes personal data in accordance with the GDPR and Polish data protection regulations, including the Act of 10 May 2018 on the Protection of Personal Data.
5. Purposes, Legal Bases, and Period of Personal Data Processing
Each purpose of personal data processing is described below together with information on the scope of processed data, legal basis, processing period, and the voluntariness of providing data:
Scope of data: name, email address, password (encrypted). Legal basis: Article 6(1)(b) GDPR (performance of the account service agreement). Processing period: data is processed for the duration of the account's existence, and after its deletion — until the expiration of claims arising from the agreement (3 years). Voluntariness: providing data is voluntary but necessary to create and maintain an account in the Service.
Scope of data: first name, last name, email address, phone number, correspondence address, and in the case of entrepreneurs — additionally business name, Tax ID (NIP), and business address. Legal basis: Article 6(1)(b) GDPR (performance of the service agreement). Processing period: data is processed for the duration of the agreement, and after its termination — until the expiration of claims (3 years). Voluntariness: providing data is voluntary but necessary for the delivery of services.
Scope of data: email address, first name (optional). Legal basis: Article 6(1)(b) GDPR (newsletter delivery agreement) and Article 6(1)(f) GDPR (legitimate interest of the Controller — direct marketing). Processing period: data is processed until the newsletter subscription is cancelled or until an effective objection to processing is raised. Voluntariness: providing data is voluntary; subscribing to the newsletter is entirely voluntary.
Scope of data: first name, last name, email address, phone number, complaint content. Legal basis: Article 6(1)(c) GDPR (legal obligation arising from consumer rights regulations) and Article 6(1)(b) GDPR (performance of the agreement). Processing period: data is processed until the complaint procedure is completed, and then until the expiration of claims. Voluntariness: providing data is voluntary but necessary for the complaint to be considered.
Scope of data: first name, email address, message content, optionally phone number. Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Controller — communication with Users). Processing period: data is processed until the inquiry is resolved, and then until the expiration of claims. Voluntariness: providing data is voluntary but necessary to receive a response to the inquiry.
Scope of data: first name, last name, address, Tax ID (NIP), transaction data. Legal basis: Article 6(1)(c) GDPR (legal obligation arising from tax and accounting regulations). Processing period: data is processed for a period of 5 years from the end of the calendar year in which the tax payment deadline fell. Voluntariness: providing data is a statutory requirement.
Scope of data: first name, last name, email address, data contained in the request. Legal basis: Article 6(1)(c) GDPR (legal obligation arising from GDPR — exercising data subject rights) and Article 6(1)(f) GDPR (legitimate interest of the Controller). Processing period: data is processed until the request is fulfilled, and then until the expiration of claims. Voluntariness: providing data is voluntary but necessary for the request to be fulfilled.
Scope of data: first name, last name, email address, correspondence address, transaction data, and any other data necessary to prove the existence of a claim or to defend against claims. Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Controller — establishment, assertion, or defense of claims). Processing period: data is processed until the expiration of claims (as a rule, 3 years, and in the case of claims related to business activity — 3 years). Voluntariness: providing data is voluntary but necessary in the event of the need to assert or defend claims.
Scope of data: date and time of visits, IP address, device type, screen resolution, operating system type, approximate location (country, region, city), browser type, browser language, time spent on individual subpages, visited subpages, entry source (where the User came from to the Service), and other actions taken in the Service. Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Controller — analysis of User activity and preferences in order to improve functionalities and services provided). Processing period: data is processed for a period of 26 months. Voluntariness: providing data is voluntary; data is collected automatically during the use of the Service.
Scope of data: IP address, server date and time, web browser information, operating system information — this data is automatically recorded in server logs each time the Service is accessed. Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Controller — Service administration and ensuring security). Processing period: server logs are stored for no longer than 90 days and are automatically deleted, with the reservation that they may constitute evidence in ongoing proceedings — in which case logs may be stored until the proceedings are legally concluded. Voluntariness: this data is collected automatically; its recording is necessary for the proper functioning of the Service.
6. Profiling
The Controller declares that it does not make decisions regarding Users based solely on automated processing, including profiling, that would produce legal effects concerning them or similarly significantly affect their situation. However, the Controller may apply profiling for marketing purposes, i.e., adapting marketing content to User preferences based on their activity in the Service. Such profiling is carried out in an automated manner but does not produce legal effects and does not significantly affect the User's situation. Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Controller — direct marketing).
7. Recipients of Personal Data
In connection with conducting activities that require the processing of personal data, Users' personal data may be disclosed to external entities, including in particular the following categories of recipients:
- Hosting company — for the purpose of storing data on a server
- Online payment system providers — for the purpose of processing payments for services
- IT service providers and technical solutions enabling business operations (including software providers, email service providers, SMS service providers)
- Entities providing analytical services (Google Analytics, Facebook Pixel, LinkedIn Pixel)
- Accounting firms and tax advisors — for the purpose of bookkeeping and tax services
- Law firms — for the purpose of pursuing or defending against claims
- Courier and postal companies — in the case of traditional correspondence
- State authorities and other entities authorized under applicable law — in the event of an obligation to disclose data arising from applicable law (e.g., Tax Office, Social Insurance Institution, law enforcement authorities)
8. Transfer of Data to Third Countries
Some Users' personal data may be transferred to third countries (outside the European Economic Area). This applies in particular to the following entities:
9. User Rights Related to Personal Data Processing
Each User whose personal data is processed by the Controller has the following rights under the GDPR:
- Right of access to personal data (Article 15 GDPR) — The User has the right to obtain from the Controller confirmation as to whether personal data concerning them is being processed, and if so, the User is entitled to access the data and information about the purposes of processing, categories of data, recipients, the planned retention period, as well as the rights of the User.
- Right to rectification of data (Article 16 GDPR) — The User has the right to request the Controller to immediately rectify inaccurate personal data concerning them, as well as to complete incomplete personal data.
- Right to erasure of data — "right to be forgotten" (Article 17 GDPR) — The User has the right to request the Controller to immediately erase personal data concerning them, and the Controller is obliged to erase the personal data without undue delay if one of the circumstances specified in Article 17(1) GDPR applies (e.g., data is no longer necessary for the purposes for which it was collected, consent has been withdrawn, objection has been raised, etc.).
- Right to restriction of processing (Article 18 GDPR) — The User has the right to request the Controller to restrict processing in the cases specified in Article 18(1) GDPR (e.g., contesting the accuracy of the data, objection to processing).
- Right to data portability (Article 20 GDPR) — The User has the right to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used, machine-readable format, and has the right to transmit those data to another controller without hindrance.
- Right to object (Article 21 GDPR) — The User has the right to object at any time to the processing of personal data concerning them based on Article 6(1)(e) or (f) GDPR, including profiling. The Controller may no longer process this personal data unless the Controller demonstrates compelling legitimate grounds for processing.
- Right to withdraw consent (Article 7(3) GDPR) — The User has the right to withdraw consent to the processing of personal data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority (Article 77 GDPR) — A User who considers that the processing of personal data violates the provisions of the GDPR has the right to lodge a complaint with a supervisory authority — the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland).
To exercise the above rights, the User should contact the Controller at the email address: hello@carrotta.net or in writing to the Controller's registered address. The Controller shall respond to the request without undue delay, no later than within one month of receiving the request.
10. Cookies and Analytical Data
The Service uses cookies, which are small text files stored on the User's end device (computer, tablet, smartphone). Cookies can be read by the Controller's IT system (own cookies) or by the IT systems of third parties (third-party cookies). The types of cookies used in the Service are presented below:
Essential cookies — necessary for the proper functioning of the Service; they enable the use of services, e.g., authentication cookies, session cookies. Retention period: until the end of the browser session or up to 1 year.
Google Analytics — analytical cookies from Google LLC, used to analyze how Users use the Service, create statistics and reports. Retention period: _ga — 2 years, _ga_* — 2 years, _gid — 24 hours, _gat — 1 minute.
Facebook Pixel (Meta Platforms) — marketing cookies from Meta Platforms, Inc., used to track conversions from Facebook ads, create audiences, and remarketing. Retention period: _fbp — 3 months, fr — 3 months.
LinkedIn Insight Tag — marketing cookies from LinkedIn Corporation, used for conversion tracking, remarketing, and visitor analysis. Retention period: bcookie — 1 year, li_sugr — 3 months, UserMatchHistory — 30 days, AnalyticsSyncHistory — 30 days, ln_or — 1 day.
The User can change cookie settings in their web browser at any time. Detailed information about the options and methods of handling cookies is available in the browser settings. Restricting the use of cookies may affect some functionalities available on the Service's web pages. Essential cookies necessary for the proper operation of the Service cannot be disabled.
11. Final Provisions
The Controller reserves the right to make changes to this Privacy Policy, of which Users will be notified no later than 7 days before the changes are introduced. Changes may result from changes in legislation, changes in the Service's functionalities, or changes in the scope of services provided. Matters not regulated by this Privacy Policy are governed by applicable Polish data protection laws, in particular the GDPR and the Act of 10 May 2018 on the Protection of Personal Data. This Privacy Policy is effective from 20 April 2026.