Hi!

If you have landed on this page, it means that the protection of your personal data is important to you. We would like to assure you that we take your privacy seriously at our studio and that it is important to us. To this end, we have implemented not only legal but also technical measures to further strengthen its protection.

In accordance with the GDPR, we set out below the principles governing our processing of your personal data. Please familiarise yourself with the key points regarding your personal data, and should you have any queries regarding our Privacy Policy, please do not hesitate to contact us.

Privacy Policy

§ 1 Definitions

Here, we explain the key principles of this Privacy Policy – what it covers, when it applies, and what information you will find in it.

Acting pursuant to Article 13 of the GDPR (and, where we obtain data from other sources, also Article 14 of the GDPR) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), hereinafter referred to as the “GDPR”, we set out below information regarding the processing of your personal data.

This Privacy Policy contains information regarding our processing of your personal data. Detailed information on the use of cookies and other similar technologies can be found in the Cookie Policy, available below.

§ 2 Who is the controller of your personal data?

In this section, we explain who determines the purposes and means of processing your data, i.e. who is responsible for ensuring that your data is used in accordance with the law. You will also find our contact details here if you wish to exercise your rights or ask a question regarding privacy.

The data controller is Siren Sisters Sp. z o.o., with its registered office in Hipolitów, ul. Bukowa 8, 05-074 Hipolitów, NIP: 8222418336, REGON: 542504100, registered in the National Court Register (KRS) under No. 0001189896 by the District Court for Lublin-Wschód in Lublin, sitting in Świdnik, 6th Commercial Division of the National Court Register, share capital PLN 5,000.

You can contact the Data Controller by emailing: kontakt@sirensisters.pl.

§3 Why do we collect your data and how long do we keep it?

In this section, we explain the purposes for which we process your data, the legal basis on which we do so, and how long we may retain it. The duration of processing depends primarily on the purpose for which the data was collected and on the legal obligations to which we are subject.

We may process your data for the following purposes:

1. Communicating with you to resolve or finalise the matter to which the correspondence relates, including responding to enquiries submitted via the contact form, email, etc. (Article 6(1)(f) of the GDPR)

   The data will be processed on the basis of the Controller’s legitimate interest, namely communication with you (Article 6(1)(f) of the GDPR). Your data will be processed no longer than until you object or the business purpose ceases to exist. Providing this data is voluntary, but at the same time necessary for communication with you. The data may also be processed during the archiving process for internal purposes, based on the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), until you object or the business purpose ceases to exist.
   
   

2. The conclusion and performance of the contract, as well as communications prior to the conclusion of the contract regarding matters relating to the contract (Article 6(1)(b) of the GDPR)
   
   

3. The establishment, defence and pursuit of legal claims, which constitutes the legitimate interests of the Controller (Article 6(1)(f) of the GDPR)
   
   

4. Compliance with legal obligations incumbent on the Controller, including tax and archiving obligations (Article 6(1)(c) of the GDPR).

The data necessary for the conclusion and performance of the contract will be processed for the duration of the contract, including for the duration of the exercise of rights arising from the contract (Article 6(1)(b) and (f) of the GDPR). The provision of this data is voluntary, but at the same time necessary for the conclusion and performance of the contract. Additional data provided for the purpose of, amongst other things, facilitating the performance of the contract, will be processed no longer than until you object or the business purpose ceases to exist, based on a legitimate interest in the form of customer service (Article 6(1)(f) of the GDPR).

The data will be processed for the limitation period for claims arising from the provisions of, inter alia, Article 118 of the Civil Code, and subsequently for an additional period of 12 months based on the Controller’s legitimate interest in defending against claims, as well as for the purpose of establishing and pursuing claims (Article 6(1)(f) of the GDPR).

Where data is processed to fulfil legal obligations, it will be processed for the period during which the Controller is required by specific provisions of generally applicable law to retain the data. Where data is necessary for the fulfilment of legal obligations incumbent on the Controller (such as issuing and storing invoices, archiving obligations) – the data processing period is 5 years from the end of the calendar year in which the tax obligation arose, unless the provisions indicate otherwise (Article 6(1)(c) of the GDPR). In other cases of compliance with legal obligations, the data retention period is determined by the regulations governing the aforementioned obligations (Article 6(1)(c) of the GDPR).

Data may also be archived for internal and statistical purposes until you object or the business purpose ceases to apply, based on the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).

5. To provide marketing/commercial information (hereinafter referred to as ‘Marketing Information’); (Article 6(1)(a) or (f) of the GDPR) We process data on the basis of consent (Article 6(1)(a) of the GDPR) – when we ask you to subscribe to the newsletter or give consent to commercial communications – or on the basis of a legitimate interest (Article 6(1)(f) of the GDPR) to the extent permitted by law. This communication channel requires prior consent in accordance with the regulations on electronic communications. You may withdraw your consent at any time.

   Providing your data is voluntary, but necessary to receive marketing communications. Opting out of receiving marketing communications prevents us from sending you marketing communications.

   Data may also be archived for the purposes of any potential determination, investigation or defence of claims, including to ensure that marketing activities were conducted lawfully on the basis of Article 6(1)(f) of the GDPR. Data processed on the basis of Article 6(1)(f) of the GDPR will be processed no longer than until an objection is raised or the business purpose ceases – whichever occurs first.
   
   

6. Administering and managing the website on social media platforms (including Facebook (Meta), Instagram and TikTok), in the case of data processing on social media platforms, including communication and the targeting of marketing content (Article 6(1)(f) of the GDPR)

   Data provided for the purpose of using the platform will be processed no longer than until you object or the business purpose ceases – whichever occurs first – based on a legitimate interest in serving the platform’s users.

   This data will be processed only if you choose to: like the page, select the ‘Follow’ option, or otherwise leave your data on the platform managed by us, e.g. by posting a comment. The data will be processed for the duration of the page’s existence or until you object, which may be done by unclicking the “Like” or “Follow” option, deleting a comment, or by any other means provided for within the platform/page, or by contacting us. Please note that the rules relating to the website/fan page are set by the Administrator, whilst the rules for using the social media platform on which the website/fan page is hosted are set by the entity managing those platforms.
   
   

7. Analytical and statistical purposes (Article 6(1)(a) or (f) of the GDPR)

   We process data for analytical and statistical purposes to better understand how you use our products/services and how we can improve them. This data may come from various sources – for example, from analytics tools (if we use a website or app), from customer service systems, accounting software, booking or communication systems, as well as from summaries and reports created for our internal use.

   Where we use cookies or similar technologies, we only activate non-essential tools after you have given your consent (Article 6(1)(a) of the GDPR) via the cookie banner. We process data necessary for the proper operation, security and functionality of the website on the basis of our legitimate interests (Article 6(1)(f) of the GDPR). When we do not use cookies, analytical data comes from our own systems and is processed in our legitimate interest (Article 6(1)(f) of the GDPR) for the purposes of compiling statistics, analysing trends and improving our services.
   
   Where possible, we use pseudonymisation or anonymisation, and reports are aggregated (e.g. number of enquiries, average contact time, most frequently selected service categories), without the possibility of linking them to a specific individual. We process data until you object or the business purpose ceases – whichever comes first – and, in the case of consent, until it is withdrawn. You have the right to object to processing carried out on the basis of our legitimate interest, and, in the case of consent, to withdraw it at any time.
   
   

8. Promotion and marketing of products and services (Article 6(1)(a) or (f) of the GDPR)

   Where you provide us with your data, in particular in the form of feedback, it will be processed on the basis of the Controller’s legitimate interest in marketing, for the purpose of improving the quality of the Controller’s services and products and promoting the Controller’s services and products. This data will be processed for the period necessary to achieve the business objectives or until you object. The provision of data is voluntary.
   
   

9. Recruitment (Article 6(1)(b) and Article 6(1)(c) of the GDPR)

   Data may be processed for the time necessary for the recruitment process and the conclusion of a contract (Article 6(1)(b) of the GDPR). We process data required by labour law on the basis of Article 6(1)(c) of the GDPR in conjunction with Article 22(1) of the Labour Code. In the case of additional data provided voluntarily, the basis is your consent (Article 6(1)(a) of the GDPR).

   Your data may also be used for future recruitment purposes – on the basis of your consent – for a maximum period of 3 years due to the recruitment cycle in the industry (this period is calculated from the end of the year in which the application was received). The provision of personal data is voluntary; however, the provision of certain data may be necessary for the recruitment process as well as for the conclusion of a contract. Failure to provide this data will result in the aforementioned actions not being undertaken.
   
   In the case of data processed on the basis of Article 6(1)(f) for the purposes described above, we review the necessity of continued storage every 12 months and delete or anonymise data that is no longer required.

§4 Who might we share your data with?

In this section, we explain to which categories of recipients we may disclose your personal data if this is necessary for the provision of services, the operation of the website, contacting you, or the fulfilment of obligations arising from legal provisions or our contract.

We only share your data with other entities where this is necessary to achieve the processing purposes referred to in §3 and solely to the extent necessary to achieve that purpose. As a general rule, we collect and process only the data that you have provided to us yourself, subject to data collected automatically or semi-automatically (e.g. online identifiers, system logs, cookies and similar technologies). You can find out more about cookies in §8.

We may transfer your data to entities processing it on our behalf. Data is only shared with other companies or entities where necessary.

We entrust your data to a hosting provider, an IT company, a website management provider, an accounting and bookkeeping firm, an invoicing software provider, a newsletter service provider, subcontractors, lawyers, a social media platform, a customer service platform, and other entities that assist the Controller in achieving the purposes of processing. Personal data may be disclosed by the Controller to entities authorised to receive it under applicable law, including, amongst others, government agencies, ordinary courts and administrative courts, bailiff’s offices, notary’s offices, etc.

As a general rule, data will not be transferred outside the EEA, subject to the situations described below. In other cases, where data is transferred outside the EEA, this will be based on your consent, standard contractual clauses or other safeguards provided for in the GDPR, following the fulfilment of, amongst other things, the information obligation.

The services provided by Meta Platforms Ireland Limited (i.e. Facebook/Instagram), Google Ireland Ltd. and TikTok Technology Limited are carried out by an entity based in the EU; however, given the global nature of the entity’s operations, data may be transferred to the US on the basis of standard contractual clauses or other legal safeguards in accordance with the requirements of the GDPR. Regardless of this, these entities have implemented safeguards in accordance with the requirements of the GDPR, aimed at protecting personal data, through the use of, amongst other things, standard contractual clauses. Further information on the data processing policies of the aforementioned providers can be found in the privacy policies of each entity.

§5 What rights do you have?

In this section, we explain what rights you have regarding the processing of your personal data and how you can exercise them.

Under the GDPR, you have the right to access your personal data, to rectify personal data, to erase personal data, to restrict the processing of personal data, to object to the processing of personal data, to data portability, and to withdraw consent to data processing; Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal. Detailed information regarding the above rights can be found in the GDPR, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). We generally respond to your requests within 1 month (Article 12(3) of the GDPR).

If you believe that your personal data is being processed in breach of the law, you have the right to lodge a complaint with the President of the Office for Personal Data Protection. In such cases, however, I would encourage you to contact me first so that we can clarify any concerns you may have.

§6 Is your data being profiled?

In this section, we explain whether your data is processed automatically and whether decisions are made about you as a result.

The Controller analyses personal data automatically, using tools provided by software suppliers (e.g. statistics, history), solely to the extent that this does not give rise to any legal consequences for you or significantly affect your situation, including your guaranteed rights and freedoms. The purpose of automated data processing is to understand Users’ preferences (further information on analysis can be found in §8 – Cookie Policy).

§7 Legal provisions governing personal data

In this section, we set out the legal basis and regulations that apply to the processing of your personal data.

In matters not covered herein, the relevant legal provisions apply, including European law (such as the GDPR).

§8 Cookie Policy

Cookies and similar technologies may be used when you visit this website. In this section, we explain what they are used for, which ones are essential and which ones require your consent, and how you can manage your settings.

While using the Website, technical information and online identifiers may be collected automatically, in particular through the use of cookies and similar technologies. This data may constitute personal data.

Cookies are IT data, in particular text files, which are stored on the Website User’s device and are intended for use of the Website. Cookies usually contain the name of the website they come from, the duration of their storage on the device, and a unique number.

Cookies and similar technologies can serve various purposes – from ensuring the website functions properly to analysing statistics and carrying out marketing activities. Below, we outline the main purposes for which they are used.

• technical and functional – necessary for the proper functioning of the Website and the features available on it (e.g. session management, shopping basket, forms),

• analytical and statistical – enabling the analysis of how the Website is used, which helps to improve its structure and content (e.g. Google Analytics 4),

• marketing and advertising – enabling remarketing activities and the delivery of personalised advertising content (e.g. Google Ads, Meta Pixel, TikTok Pixel),

• communication and performance – supporting chat functionality, optimising website performance and improving the site’s efficiency.

The current list of cookies used on the Website, along with information about their categories, providers and retention periods, is available in the consent management tool (the cookie banner visible on the website).

You can change your cookie settings in your web browser yourself. In many cases, the browser allows cookies to be stored on the User’s device by default. Detailed information on the options and methods for managing cookies is available in your browser settings. Failure to consent to cookies may limit the functionality of certain features of the Website.

On the Website, we may use tools from external providers that help us analyse traffic, measure the effectiveness of marketing activities, manage tags or protect forms against abuse. We describe the most important of these below.

Google Analytics 4

In order to analyse and optimise the use of our website, we use Google Analytics 4, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies and similar technologies to collect information about user activity on the website (e.g. source of entry to the site, subpages visited, device type, web browser). We use this information to compile statistics that help us improve the website’s performance and tailor its content to users’ needs.

For essential technical purposes, we rely on legitimate interest (Article 6(1)(f)). We activate analytical tools other than those that are essential once consent has been given via the cookie banner (Article 6(1)(a) of the GDPR).

You can manage your consent or objection at any time in the banner settings or by using the browser add-on provided by Google (https://tools.google.com/dlpage/gaoptout).

Detailed information on data processing within Google Analytics can be found on the following pages: Google Privacy Policy: https://policies.google.com/privacy

Meta Conversion Pixel (Facebook Pixel)

We use the Meta Pixel (Facebook Pixel) tool on our website, provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

The Meta Pixel is a piece of code placed on the website that enables the analysis of user activity on the site and the targeting of personalised adverts to them on Meta platforms (including Facebook and Instagram). This allows us to reach people who have visited our website or shown similar interests with our adverts (remarketing).

The pixel also allows us to measure the effectiveness of our advertising campaigns, for example by checking whether a user has performed a specific action on the website (known as a conversion).

The legal basis for processing data for marketing tools is your consent (Article 6(1)(a) of the GDPR), which you provide via the cookie banner; these tools are activated once you have given your consent. You can manage your consent at any time via the settings in the cookie banner/preference centre on the Website. With regard to essential technical functions, we rely on a legitimate interest (Article 6(1)(f) of the GDPR) consisting of ensuring the security and proper functioning of the website. Detailed information on how the Meta Pixel works and Meta’s data processing policies can be found here: https://www.facebook.com/privacy/explanation Information about the Meta Pixel: https://www.facebook.com/business/help/742478679120153

Google Tag Manager (GTM)

We use Google Tag Manager (GTM), provided by Google Ireland Limited, on our website.

Google Tag Manager is a technical tool that enables the management of other tags and scripts placed on the website (e.g. Google Analytics 4, Google Ads, Meta Pixel, TikTok Pixel). GTM does not itself collect or process users’ personal data – it merely activates other tags that may collect data.

If specific tags have been enabled on the website via GTM (e.g. analytical or marketing tags), it is these tags that may collect user data in accordance with the principles described in this Privacy Policy.

The legal basis for the use of GTM is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), which consists in ensuring the proper functioning of the website and facilitating the management of tools. Tags requiring consent are only activated by GTM once consent has been given.

Information on data processing principles can be found in the Privacy Policy. Information on GTM can be found at: https://marketingplatform.google.com/about/tag-manager/

Google reCAPTCHA

On our website, we use the Google reCAPTCHA service, which is used to protect forms against spam and abuse and to distinguish between human and automated (bot) activity, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The use of Google reCAPTCHA involves the processing of data such as your IP address, device and browser information, as well as data regarding your behaviour on the website. This data is processed to ensure the security of the Website and to protect against abuse.

Data processing is carried out on the basis of Article 6(1)(f) of the GDPR, i.e. the legitimate interest of the controller, which consists in securing the Website.

Detailed information regarding Google’s data processing principles is available in Google’s Privacy Policy and the terms of use for the reCAPTCHA service.

§9 Social media plugins

Due to the use of social media plugins and tools, your data may be transferred to the providers of these platforms, who process it as separate data controllers in accordance with their own policies.

The Website uses plugins, widgets and other social media tools provided by platforms such as Facebook (Meta), Instagram and TikTok. The policies regarding the processing of personal data are set out directly on the websites of the aforementioned service providers.

§10 Joint administration

In this section, we explain when we process data jointly with a social media platform provider (known as ‘joint control’) and where you can find the rules governing the division of responsibility in this regard.

Data processed for the purposes of statistics collected within the Facebook and Instagram (Meta) platforms is jointly controlled by the Controller and Meta Platforms Ireland Limited, with its registered office at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, hereinafter referred to as the Joint Controller. Detailed rules regarding joint data control, including information on your rights, are set out on the Privacy Policy page.

Data processed for the purposes of statistics collected within the TikTok platform is jointly controlled by the Controller and TikTok Technology Limited, with its registered office at 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, hereinafter referred to as the Joint Controller. Detailed rules regarding joint data control, including information on your rights, are set out on the TikTok Privacy Policy page.

The Controller processes data on the basis of the Controller’s legitimate interest, which consists of analysing Users’ activity and preferences in order to improve the functionality and services provided. In matters relating to personal data, you may contact both the Controller and the Joint Controller.

The division of responsibilities between the parties as joint controllers is set out in Article 26 of the GDPR, as published in the privacy policies of the relevant platform.

This Privacy Policy comes into effect on 8 April 2026.