Cookie Policy – Cookies and similar technologies

1. Definitions

1. Controller – Transition Technologies MS S.A., with its registered office in Warsaw (00-801), at ul. Chmielna 69, entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS No. 0000913657, REGON 360679205, NIP (Tax ID) 5272728327.
2. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
3. PKE – the Act of 12 July 2024 – Electronic Communications Law (Journal of Laws of 2024, item 1221, as amended).
4. Website – the website operated by the Controller at ttms.com, together with all its subpages and language sections (in particular ttms.com/pl/).
5. User – any natural person visiting the Website or using its functionalities, including a person subscribing to the Newsletter or contacting the Controller through the Website.
6. Personal data – any information relating to an identified or identifiable natural person, including contact details, device identifiers (e.g. IP address, online identifier) and information collected through cookies and similar technologies.
7. Newsletter – a service provided by electronic means consisting in the periodic sending to the User, at the e-mail address provided by the User, of messages containing commercial information, educational materials, case studies and links to content published on the Website and on the Controller’s blog, in particular in relation to the AI4E-learning Authoring Tool.
8. Policy – this Privacy Policy.

2. Controller’s Contact Details

The Controller may be contacted on matters relating to the processing of personal data:

1. in writing – to the address: Transition Technologies MS S.A., ul. Chmielna 69, 00-801 Warsaw, marked “GDPR”;
2. by e-mail – to the address: rodo@ttms.pl;
3. by telephone – on +48 22 378 45 58.

The Controller has appointed a Data Protection Officer, who may be contacted on all matters relating to the processing of personal data at: rodo@ttms.pl.

3. Purposes and Legal Bases for the Processing of Personal Data

The Controller processes Users’ personal data for the purposes and on the legal bases set out below. The purposes and legal bases are presented separately for each category of processing operation.

3.1. Use of the Website

The personal data of Users visiting the Website are processed:

1. for the purpose of ensuring the proper functioning of the Website and the provision of services by electronic means – the legal basis being that processing is necessary for the performance of a contract for the provision of services by electronic means (Article 6(1)(b) GDPR);
2. for analytical and statistical purposes – the legal basis being the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in analysing how the Website is used and improving its functionalities;
3. for the purpose of the establishment, exercise or defence of legal claims – the legal basis being the Controller’s legitimate interest (Article 6(1)(f) GDPR);
4. for the purpose of ensuring the security of the Website and preventing abuse – the legal basis being the Controller’s legitimate interest (Article 6(1)(f) GDPR).

3.2. Contact Form and Requests for Proposals

The Controller enables contact through the forms available on the Website, including request-for-proposal forms relating to the Controller’s services and products. The personal data provided in the form are processed:

1. for the purpose of handling the enquiry, providing a response and – in the case of a request for proposal – taking steps at the User’s request prior to entering into a contract (Article 6(1)(b) GDPR); with respect to data provided on an optional basis, the legal basis is consent (Article 6(1)(a) GDPR);
2. for analytical and archival (evidentiary) purposes and for the establishment, exercise or defence of legal claims – the legal basis being the Controller’s legitimate interest (Article 6(1)(f) GDPR).

3.3. Newsletter

The Controller provides a Newsletter service concerning the AI4E-learning Authoring Tool product and – where applicable – the Controller’s other services and products. Subscription to the Newsletter is voluntary.
Within the Newsletter, the Controller periodically sends messages containing educational content, case studies and links to content published on the Website and on the Controller’s blog.
The personal data of Users subscribed to the Newsletter are processed for the following purposes:

1. Subscription to the Newsletter and provision of the service
   Legal basis: Article 6(1)(b) GDPR – processing necessary for the performance of a contract for the provision of the Newsletter service to which the User is a party, or to take steps at the User’s request prior to entering into that contract (including carrying out the double-verification procedure, i.e. double opt-in).
2. Sending marketing content within the Newsletter
   GDPR legal basis: Article 6(1)(f) GDPR – the Controller’s legitimate interest consisting in carrying out direct marketing of its own services and products (Recital 47 GDPR).
   Additional condition for the lawfulness of electronic communication: the User’s consent to receive commercial information by e-mail, granted pursuant to Article 398 PKE. Consent is voluntary and may be withdrawn at any time – withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.
3. Measuring Newsletter effectiveness and campaign analytics
   The Controller uses tools that allow the effectiveness of the messages sent to be measured, including information on message opens, link clicks and the device used by the User. These operations constitute marketing profiling within the meaning of Article 4(4) GDPR; however, they do not produce legal effects concerning the User or similarly significantly affect the User (they do not constitute automated decision-making within the meaning of Article 22 GDPR).
   Legal basis: Article 6(1)(f) GDPR – the Controller’s legitimate interest consisting in measuring the effectiveness of its marketing activities and improving the content of the Newsletter.
   The User has the right to object to such processing (Article 21(2) GDPR) – lodging an objection results in the cessation of tracking of interactions with Newsletter messages.
4. Handling the withdrawal of consent and maintaining a suppression list
   Following the withdrawal of consent or the lodging of an objection, the User’s e-mail address may be retained on a suppression list in order to ensure that no further marketing messages are addressed to that User. Legal basis: Article 6(1)(c) GDPR (compliance with obligations arising under the GDPR, including Articles 7(3) and 21 GDPR) and Article 6(1)(f) GDPR (the Controller’s legitimate interest consisting in ensuring the lawfulness of further marketing activities).
5. Establishment, exercise and defence of legal claims, and accountability
   Legal basis: Article 6(1)(f) GDPR – the Controller’s legitimate interest consisting in ensuring the ability to demonstrate consent (Article 7(1) GDPR) and in defending against potential claims.

3.4. Direct Marketing Through Other Channels

To the extent that the Controller carries out marketing activities outside the Newsletter – in particular contact by telephone or SMS – processing takes place only after the User’s appropriate consent has first been obtained. Consents are collected separately for each communication channel. The legal basis for processing is the Controller’s legitimate interest in marketing its own services and products (Article 6(1)(f) GDPR), together with consent granted pursuant to Article 398 PKE in respect of electronic communication or – as applicable – other provisions concerning the use of telecommunications terminal equipment.

3.5. Cookies and Similar Technologies

The rules for the use of cookies and similar technologies on the Website are described in detail in a separate Cookie Policy available at: ttms.com/cookies/. Cookies requiring the User’s consent (analytical, marketing) are used only after such consent has been obtained through the consent management platform (CMP).

4. Personal Data Retention Period

The personal data processing period depends on the purpose and legal basis for processing. As a rule, data are retained:

1. data provided in the contact form – for the period necessary to handle the enquiry and thereafter for the limitation period for any potential claims (in accordance with the Civil Code);
2. data provided in connection with a request for proposal – for the period necessary to take steps at the User’s request and, where a contract is concluded, for the term of the contract and the limitation period for claims;
3. data processed within the Newsletter – for the period during which the Newsletter service is provided, i.e. until consent is withdrawn or the User unsubscribes from the Newsletter; following the withdrawal of consent – to the extent necessary to demonstrate the lawfulness of the prior processing (usually 3 years) and, with respect to the entry on the suppression list – until an objection to processing for that purpose is lodged;
4. data processed for analytical and statistical purposes – for the period necessary to achieve those purposes, but no longer than 3 years from the User’s last activity;
5. data processed for the purpose of the establishment, exercise or defence of legal claims – for the limitation period for claims provided for by law;
6. data processed in cookies – in accordance with the rules set out in the Cookie Policy.

Upon expiry of the processing period, the data are irreversibly deleted or anonymised.

5. Recipients of Personal Data

Users’ personal data may be disclosed to the following categories of recipients:

1. entities processing data on behalf of the Controller under a personal data processing agreement, in particular: IT and hosting service providers, CRM system providers, providers of tools for handling enquiries and marketing, providers of analytics tools and providers of advisory services;
2. the Newsletter dispatch service provider – Brevo SAS, with its registered office in Paris (France), 17 rue Salneuve, 75017 Paris (formerly Sendinblue) – responsible for the technical handling of message dispatch, storage of the subscriber database and measurement of campaign effectiveness;
3. entities within the Transition Technologies group, for internal administrative and statistical purposes, on the basis of legitimate interest (Recital 48 GDPR);
4. entities authorised to obtain data under the law (e.g. public authorities), where a request based on an appropriate legal basis is addressed to the Controller.

The Controller does not make Users’ personal data available to third parties for their own marketing purposes, unless the User has given separate, voluntary consent to do so.

6. Transfers of Data Outside the European Economic Area

As a rule, Users’ personal data are processed within the European Economic Area (EEA). The Newsletter dispatch service provider – Brevo SAS – stores data on servers located in EEA countries (France, Germany and – with respect to cloud infrastructure – Belgium).
Where, in carrying out a specific processing operation, it becomes necessary to transfer data outside the EEA (e.g. in connection with the provider’s use of sub-processors located outside the EEA), the Controller will ensure appropriate safeguards as referred to in Chapter V of the GDPR, in particular by:

1. relying on a European Commission decision finding an adequate level of data protection in a third country (Article 45 GDPR), including the EU-U.S. Data Privacy Framework with respect to U.S. entities certified under that programme;
2. applying standard contractual clauses adopted by the European Commission (Article 46(2)(c) GDPR) together with additional safeguards resulting from a transfer impact assessment (TIA);
3. applying binding corporate rules approved by the competent supervisory authority (Article 47 GDPR).

At the User’s request, the Controller will provide information on the specific transfer mechanism applied to the User’s data and – where applicable – a copy of the relevant safeguards.

7. Rights of Data Subjects

In connection with the processing of personal data, the User has the following rights:

1. the right of access to data and to obtain a copy thereof (Article 15 GDPR);
2. the right to rectification of data (Article 16 GDPR);
3. the right to erasure of data (Article 17 GDPR), to the extent provided for by law;
4. dthe right to restriction of processing (Article 18 GDPR);
5. the right to data portability (Article 20 GDPR) – with respect to data processed by automated means on the basis of consent or a contract;
6. the right to object (Article 21 GDPR) – to processing based on the Controller’s legitimate interest, on grounds relating to the User’s particular situation; an objection to processing for direct marketing purposes (including profiling for that purpose) is honoured without the need to demonstrate a particular situation;
7. the right to withdraw consent at any time (Article 7(3) GDPR) – to the extent that processing is based on consent; withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal;
8. the right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (UODO) – if the User considers that the processing of data infringes the provisions of the GDPR.

The above rights are exercised at the User’s request addressed to rodo@ttms.pl or by another means indicated in section 2 of the Policy. In the case of the Newsletter, unsubscribing from the service and withdrawing consent are also possible by clicking the “Unsubscribe” link included in the footer of each message.

8. Automated Decision-Making and Profiling

Users’ personal data are not used for automated decision-making that produces legal effects concerning the User or similarly significantly affects the User within the meaning of Article 22 GDPR.
To the extent indicated in section 3.3(c) of the Policy, the Controller may carry out profiling for marketing purposes (e.g. measuring Newsletter effectiveness). The User has the right to object to this (section 7 of the Policy).

9. Voluntary Nature of Providing Data

Providing personal data is voluntary; however, in certain cases it is necessary in order to use specific functionalities of the Website:

1. failure to provide data in the contact form will make it impossible to respond to the enquiry;
2. failure to provide an e-mail address when subscribing to the Newsletter will make it impossible to provide the Newsletter service;
3. failure to grant consent to receive commercial information by e-mail (Article 398 PKE) will make it impossible to dispatch the Newsletter.

10. Security of Personal Data

The Controller applies technical and organisational measures ensuring protection of the processed personal data appropriate to the risks and the categories of data protected, in particular safeguarding the data against disclosure to unauthorised persons, loss, damage or destruction. The Controller requires entities processing data on its behalf to maintain analogous security standards, including by concluding with them data processing agreements that meet the requirements of Article 28 GDPR.

11. Changes to the Privacy Policy

This Policy is reviewed on an ongoing basis and updated where necessary. The Controller will inform Users of material changes to the Policy in a manner appropriate to the nature of the change, in particular by posting information on the Website or – in the case of Newsletter users – by e-mail.

The current version of the Policy is effective as of 12 June 2026.