I. Preliminary Provisions
This Privacy Policy (hereinafter: the “Policy”) sets out the principles for the processing of personal data by Miastoprojekt Wrocław Sp. z o.o., with its registered office in Wrocław, obtained through the website
https://heionenergy.pl/ (hereinafter: the “Website”).
By using the Website, the Client accepts the provisions of this Policy. The Website can be browsed without providing personal data; in such cases, only cookies as described in section IX are stored.
The Client may:
- send an inquiry via the contact form,
- browse offers,
- request a quotation or an energy consumption analysis,
- conduct technical or substantive communication,
- consult on possibilities for optimizing energy consumption,
- use functions available via the cloud platform,
- operate the cloud platform,
- access their data and energy consumption analyses.
This Policy has been drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) and other applicable laws.
II. Data Controller
The Controller of personal data is Miastoprojekt Wrocław Sp. z o.o., with its registered office in Wrocław, Pl. Grunwaldzki 23, 50-365 Wrocław, NIP 8971684270 (hereinafter: the “Controller”).
Controller’s contact details:
III. Purposes and Legal Basis for Processing Data
- Responding to inquiries submitted via the contact form, including conducting correspondence – legal basis: Art. 6(1)(f) GDPR.
- Direct marketing of the Controller’s services – legal basis: Art. 6(1)(f) GDPR; for electronic channels (email, SMS, phone) – Art. 6(1)(a) GDPR (consent).
- Conducting statistical analyses, improving the Website’s operation, and adapting content to user preferences, including through cookies and similar technologies – legal basis: Art. 6(1)(a) GDPR (consent).
- Fulfilment of legal obligations incumbent on the Controller – legal basis: Art. 6(1)(c) GDPR.
- Establishment, exercise, or defence of legal claims – legal basis: Art. 6(1)(f) GDPR.
- Provision of services via the cloud platform, including granting the user access to an account, data, and energy consumption analyses – legal basis: Art. 6(1)(b) GDPR.
IV. Obligation to Provide Data
Browsing the Website’s content does not require providing personal data. Data provision is required only when using the contact form – in order to send a message to the Controller and enable a response to the User’s inquiry or matter.
The contact form may collect the following personal data: first name, last name, email address, phone number, as well as any other information voluntarily provided by the User in the message content.
V. Data Recipients
The recipients of processed personal data are entities providing services to the Controller, in particular IT and legal services, as well as the Controller’s collaborators involved in achieving the purposes of data processing.
VI. Transfer of Data Outside the European Economic Area (EEA)
In connection with the use of Microsoft 365 services, certain personal data may be transferred to countries outside the European Economic Area (including the United States). Microsoft applies standard contractual clauses approved by the European Commission and implements additional security measures to ensure an adequate level of data protection in compliance with the GDPR.
When using analytical and marketing tools such as Google Analytics, Meta Pixel, or other services provided by entities based outside the EEA, personal data may be transferred to such countries under similar conditions – through the application of standard contractual clauses and additional safeguards required by the GDPR.
VII. Data Retention Period
- Data provided via the contact form – for the time necessary to respond and conduct correspondence, and thereafter for up to 12 months for evidence purposes.
- Data processed on the basis of consent – until the consent is withdrawn or the processing purpose ends.
- Data processed to fulfil legal obligations – for the period required by relevant regulations (e.g., tax, accounting).
- Data may be stored longer if necessary to establish, pursue, or defend against claims.
After the above periods expire, the data is deleted or anonymized.
VIII. Rights of the Data Subject
You have the right to:
- access your data and obtain a copy thereof,
- rectify or supplement your data,
- erase your data (“right to be forgotten”),
- restrict processing,
- transfer your data in CSV or other machine-readable format,
- object to data processing based on Art. 6(1)(f) GDPR, including direct marketing,
- withdraw consent at any time (if processing is based on consent) – via email to biuro@miastoprojektwroclaw.pl or in writing to the Controller’s address; withdrawal of consent does not affect the lawfulness of processing prior to its withdrawal,
- lodge a complaint with the President of the Personal Data Protection Office.
IX. Cookies and Similar Technologies
The Website uses cookies for the proper functioning of the site and for analytical and marketing purposes.
Types of cookies: essential, analytical/diagnostic, marketing.
Upon the first visit, a cookie banner is displayed, allowing the user to accept selected categories of cookies. Consent can be changed at any time via the cookie widget on the Website. The user can also manage cookies in browser settings; limiting cookies may affect the operation of certain Website functions.
| Name |
Provider |
Purpose |
Retention |
| PHPSESSID |
heionenergy.pl |
Maintain user session |
End of session |
| _ga |
Google Analytics |
Visit statistics |
2 years |
| _fbp |
Meta Pixel |
Advertising / e-marketing |
90 days |
X. Automated Decision-Making / Profiling
The Controller does not make automated decisions producing legal effects concerning individuals or similarly significantly affecting them. Personal data may be used for basic profiling, e.g., to present tailored product recommendations. The data subject has the right to object to such processing.
XI. Data Security
The Controller applies technical and organizational measures appropriate to the risk and category of data, in particular:
- use of encryption protocols (e.g., HTTPS),
- access control to data,
- regular updates of IT systems,
- employee training on personal data protection,
- implementation of security incident management procedures,
- antivirus and firewall protection.
Personal data is stored in secure locations, with access granted only to authorized persons.
XII. Changes to this Policy
The Controller reserves the right to change this Privacy Policy at any time. Changes will be published on the Website along with the update date. It is recommended to regularly review the Policy to stay informed about current personal data processing rules.
XIII. Contact
For questions regarding this Privacy Policy or the processing of personal data, please contact:
