Privacy Policy and Cookies

Controller: NextGen Partners Sp. z o.o., ul. Bociana 22A L38A, 31‑231 Kraków, Poland; e‑mail: office@nextgenpartners.eu; tel.: +48 887 100 094; https://nextgenpartners.eu

Scope of document: nextgenpartners.eu website ("Site"), integrations (Calendesk, payments), electronic communication, newsletter, cookies and equivalent technologies.

1. Purpose and basis of the document

This Privacy and Cookie Policy ("Policy") transparently and comprehensively explains how NextGen Partners Sp. z o.o. ("Controller") collects, uses, stores, discloses and protects personal data in connection with the use of the Site and related services. The document implements the requirements of GDPR/UK GDPR, the Personal Data Protection Act, the Electronic Services Act, e‑privacy regulations and good practices of the European Data Protection Board. The Policy applies the principles of minimization, accountability and privacy by design/by default.

2. Definitions and roles

  • "Personal data" – any information about an identified or identifiable natural person.
  • "Processing" – operations performed on data (collection, recording, organization, storage, modification, sharing, deletion).
  • "Controller" – NextGen Partners Sp. z o.o. determining the purposes and means of processing.
  • "Processor" – an entity processing data on behalf of the Controller under Article 28 GDPR.
  • "User/Data subject" – a person visiting the Site, contacting us or using services.
  • "Services" – services described on the Site, including bookings (Calendesk), consultations, payments, newsletter.
  • "Cookies" – files or identifiers stored on the end device; also includes local storage, SDK, tags.
  • "CMP" – Consent Management Platform; in this service: Cookiebot CMP.

3. Scope of application; data categories and sources

The Policy applies to all processing operations within the Site, including contact forms, newsletter, bookings (Calendesk), online payments and handling inquiries.

  • identification and contact data (first name, last name, e‑mail address, phone);
  • contractual and billing data;
  • communication data (correspondence, metadata, timestamps);
  • operational and technical data (server logs, IP addresses, device identifiers – as necessary for security and statistics);
  • special categories of data – only when necessary for a given service and based on Article 9 GDPR (e.g. document scans in advisory services).

Sources: directly from the User (forms, e‑mail, phone), from external systems used for bookings/payments, and – in justified cases – from third parties acting on behalf of the User.

4. Purposes and legal bases for processing

We process only data necessary for the following purposes:

  • Service delivery and handling inquiries – Article 6(1)(b) GDPR (contract) / (f) (legitimate interest – communication); for special data – Article 9(2)(a) (consent) or other legal bases.
  • Bookings and meeting organization (Calendesk) – Article 6(1)(b) / (f); contact and organizational data to the minimum extent.
  • Payment/invoicing – Article 6(1)(b) / (c) (tax/accounting obligations).
  • Security and fraud prevention (logs, backups) – Article 6(1)(f) – ensuring service security and system evidence; limited retention.
  • Newsletter and marketing communication – Article 6(1)(a) (consent) or Article 6(1)(f) in connection with direct marketing regulations; right to object/withdraw consent.
  • Site visit statistics – Article 6(1)(a) (consent for statistical cookies) or – for strictly necessary, aggregated metrics – Article 6(1)(f); IP masking and pseudonymization.
  • Establishing, pursuing or defending claims – Article 6(1)(f); storing evidence for the limitation period.

5. Data recipients and processors

We share data only with authorized recipients and entrust processing under Article 28 GDPR to entities providing appropriate security measures. Categories of recipients and example providers:

  • hosting/IT and cloud (e.g. server infrastructure providers), mail and office tools;
  • booking system (Calendesk), payment operators, invoicing;
  • communication providers (e‑mail/SMS), videoconferencing platforms;
  • legal/accounting advisors, document archiving and destruction companies;
  • public authorities authorized by law.

We conclude processing agreements with processors, requiring confidentiality, access control, encryption, incident registers and support for data subject rights.

6. Transfers outside the EEA and safeguards

When transferring data outside the EEA, we use compliance mechanisms provided for in the GDPR, including adequacy decisions (e.g. EU‑US Data Privacy Framework), standard contractual clauses (SCC) with transfer impact assessment (TIA) and supplementary measures (encryption, minimization, access control). Information on safeguards is available on request.

7. Data retention (schedule)

We store data for the period necessary to achieve the purpose, and then for required evidence and tax/accounting periods. After expiry, data is deleted or anonymized. Details are indicated in Annex A.

8. Information security (technical and organizational measures)

  • privacy by design/by default; minimization and need‑to‑know; access rights management and periodic review;
  • encryption in transit (TLS) and – where possible – at rest; backups tested cyclically;
  • log monitoring, anti‑malware protection, updates and vulnerability testing;
  • staff training, confidentiality statements, offboarding procedures;
  • incident response plan and breach register; impact assessment (DPIA) for high‑risk operations.

9. Data subject rights; how to exercise them

  • right of access, copy, rectification, erasure, restriction, portability, objection;
  • right to withdraw consent at any time (without affecting prior processing);
  • right to lodge a complaint with PUODO (uodo.gov.pl).

Requests are processed without undue delay – in principle within 1 month. Contact: office@nextgenpartners.eu, tel. +48 887 100 094.

10. Electronic communication and direct marketing

Operational communication (service-related) is necessary for contract performance. Direct marketing is conducted only within the limits of law – based on consent or legitimate interest with the right to object. Unsubscribing from the newsletter is possible at any time via the link in the message or by contacting the Controller.

11. Cookies and similar technologies; role of Cookiebot CMP

We use only necessary cookies on the Site and – after obtaining consent – selected preference, statistical and marketing cookies. Consents are managed by Cookiebot CMP, which displays a banner and blocks non-essential scripts until consent is given.

Cookiebot CMP, before consent is given, processes only data necessary to operate the banner (site URL, browser language, user agent, IP address to determine country/region for proper consent layer). After consent, a consent identifier and status are generated and stored as a first-party cookie. The identifier is used only for evidence purposes and does not enable cross-site tracking.

Statistics are limited to necessary, aggregated/pseudonymized data, with IP masking and limited retention. The user can change choices at any time in Cookie Preferences.

12. Children, profiling and automated decisions

The service is not directed to children. We do not conduct profiling to produce legal effects or automated decision-making as defined in Article 22 GDPR.

13. Reporting data breaches and incident response

In case of suspected security breach, we initiate response procedures, assess risk and – if required by law – notify PUODO within 72 hours and data subjects if the breach may result in high risk.

14. Policy changes; versioning and contact

The Policy may change for important reasons (e.g. service modifications, legal changes). Changes are published on the Site, indicating the effective date. For Policy matters, please contact: office@nextgenpartners.eu, tel. +48 887 100 094.

Annex A – Retention schedule (table)

Data category | Purpose | Retention period
Contact data (form, inquiries) | Responding to inquiry, preparing offer | 3 years from end of year
Contractual and billing data | Service delivery, settlements | Contract duration + 6 years
Technical logs | Security, diagnostics | Up to 12 months
Newsletter (e‑mail) | Newsletter delivery | Until unsubscribed + up to 30 days for deactivation
Data in entrusted documents | Advisory service delivery | Until service completion and remedies

Annex B – Recipient categories and example processors

  • Infrastructure/hosting (e.g. cloud providers).
  • Bookings: Calendesk – calendar and booking form handling.
  • Online payments: payment operator (e.g. Stripe) – settlements and transaction handling.
  • Invoicing/accounting (e.g. invoicing system, accounting office).
  • E‑mail/SMS communication (e.g. message and SMS providers).
  • Videoconferencing (e.g. Google Meet/Microsoft Teams/Zoom).
  • Document archiving and destruction; legal/accounting advisors.
  • Cookiebot CMP – cookie consent management; consent register.

Annex C – Cookies and technologies (template)

Categories: Necessary / Preference / Statistical / Marketing. For each item, complete: file/technology name, provider, purpose, type (session/persistent), retention period, legal basis (consent/legitimate interest).

Note: statistics are limited to necessary metrics, with IP masking and no cross-site profiling.

Effective from: 1 September 2025 until change or revocation.
