30th edition Warsaw - EXPO XXI
23rd October 2026

Personal data processing

Information on the processing of personal data (GDPR) – E-commerce Warsaw Expo

1. Information about the Data Controller

The Controller of your data is Infoguru Sp. z o.o. with its registered office in Poznań, ul. Truskawiecka 13, 60-478 Poznań, KRS 0000452046, NIP 7811883511.

Contact: hello@ecommercewarsaw.com or by post: Infoguru Sp. z o.o. ul. Truskawiecka 13, 60-478 Poznań (Poland).

The Controller has not appointed a Data Protection Officer. For data protection matters, please contact us through the channels indicated above.

2. Data categories and voluntary provision

We organize the E-commerce Warsaw Expo ("Fair"). Participation as a Visitor ("Participant") is paid (Standard / Provider ticket). When registering and purchasing a ticket, we ask for:

  • first name, last name,
  • e-mail address,
  • phone number,
  • position,
  • company/brand name (employer's or own),
  • NIP / VAT ID (if applicable),
  • invoice details (if different from the above).

We do not store payment card data – this is processed by the payment provider (Mollie B.V.).

We also run a "Call for Papers" Competition ("Competition"), in which individuals with an active LinkedIn profile can cast votes. In connection with the Competition, we process the voter's e-mail address (and technical anti-abuse data, if necessary).

Providing data is voluntary but necessary to conclude the agreement (ticket purchase) or to participate in the Competition. Failure to provide data makes it impossible to purchase a ticket and participate in the Fair or, respectively, to cast a vote in the Competition. Participation is intended for adults.

3. Purposes of processing

We process the data referred to above for the following purposes:

  • registration and generating a ticket for the Fair, identity verification at the entrance – performance of the contract (Visitor Regulations);
  • operational communication related to the Fair (confirmations, organizational information, significant changes, event safety);
  • sending e-mails necessary for the performance of the contract (e.g., ticket, payment confirmation, service issues);
  • direct marketing of the Controller's services regarding current and future editions of the Fair (see also points 12–13 regarding bases and communication channels);
  • handling complaints, inquiries, requests; establishing, asserting, or defending against claims;
  • handling the Competition (verifying cast votes, preventing abuse);
  • promoting the event on social media (e.g., publishing photo/video materials);
  • performing networking functions (see points 9–11).

4. Networking, "Connect" and QR scanning

As part of the "sponsored ticket" option, we provide the Exhibitor chosen by you exclusively with: first name, last name, company name – without contact details (no e-mail/phone).

In the Organizer's networking application (owned by Infoguru), we make non-contact profile data (first name, last name, position, company name) available to Exhibitors and registered Participants. Participants and Exhibitors can send each other "Connect" invitations. Upon acceptance of the invitation, both parties gain mutual access to contact details (e-mail/phone) – to the extent they were provided during registration.

During the Fair, Exhibitors and Participants can scan the QR code from the Participant's ticket (with their consent, using a smartphone). After scanning, the data provided during registration (point 4) is made available in the Organizer's application. This data can be downloaded by the scanning party.

5. Legal bases

We process data based on:

  • Art. 6(1)(b) GDPR – performance of a contract (registration, ticket, entry to the Fair, operational communication);
  • Art. 6(1)(c) GDPR – legal obligations (accounting, taxes, archiving sales documents);
  • Art. 6(1)(f) GDPR – our legitimate interest (organization and safety of the event, protection against abuse, establishing/asserting/defending claims, statistical analysis, own marketing);
  • Art. 6(1)(a) GDPR – consent, when applicable (e.g., QR scan, participation in the Competition, consent to the e-mail/SMS marketing communication channel, if required by non-GDPR regulations).

E-mail/SMS marketing. Processing data for direct marketing purposes may be based on Art. 6(1)(f) GDPR (legitimate interest). At the same time, sending commercial information through a specific channel (e-mail/SMS/phone) requires prior consent in accordance with Art. 10 of the Act on Providing Services by Electronic Means and Art. 172 of the Telecommunications Law. Therefore, during registration, we may ask for a separate consent for the channel. You can withdraw your consents at any time (unsubscribe).

Competition: processing of the voter's data is based on consent (Art. 6(1)(a) GDPR) and legitimate interest (Art. 6(1)(f)) in terms of preventing abuse and verifying votes.

6. Storage period

"Contractual" data (registration/ticket) – for the duration of the contract and the limitation period for claims (generally 3 years calculated from the end of the calendar year).

Data in accounting/tax documentation – 5 years (calculated in accordance with the regulations).

Data processed on the basis of legitimate interest – until an effective objection is raised or the expiry of appropriate time limits for asserting claims.

Data processed on the basis of consent – until the consent is withdrawn.

Technical/analytical and anti-fraud data – for the period necessary for security and accountability purposes.

7. Place of processing and data recipients

We store data on servers leased from Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (EEA). Hetzner legal information: https://www.hetzner.com/rechtliches/impressum?country=us

Recipients/Processors:

  • Hetzner Online GmbH – hosting provider (processor);
  • Fakturownia sp. z o.o. – invoicing system (processor);
  • IT/service providers (e.g., maintenance, backup), lawyers, and accountants – only to the extent necessary, based on data processing agreements.

Independent controllers:

Mollie B.V. – online payment operator (controller in the scope of payment data and settlements of its service). Card data does not reach us.

We do not transfer data outside the European Economic Area. If this ever happens, we will apply the mechanisms from Chapter V of the GDPR (e.g., standard contractual clauses).

8. Rights of data subjects

You have the right to:

  • access your data, obtain a copy of the data and information (Art. 15 GDPR),
  • rectification/completion (Art. 16),
  • erasure ("right to be forgotten") in cases under Art. 17,
  • restriction of processing (Art. 18),
  • data portability (Art. 20) – when the basis is consent or a contract and we process it automatically,
  • object to processing based on Art. 6(1)(f) (including objection to direct marketing – which results in immediate cessation),
  • withdraw consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal).

You have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).

9. Additional information

We do not engage in automated decision-making producing legal effects concerning Participants, nor profiling within the meaning of the GDPR.

Image: participation in the event involves the possibility of recording and publishing your image in the Organizer's materials (documentary/promotional purposes). If you consider that the publication excessively interferes with your personal rights, please contact us – we will consider the request to limit the scope of publication.

Participation/purchase of tickets and the rules of networking/QR are governed by the Visitor Regulations (available on the event website).

Participation is intended for adults; we do not knowingly collect data from persons under 18 years of age.

10. Changes to this information

We regularly review this information and update it as necessary. We will inform you about changes on