Make an appointment 

Privacy Policy

PRIVACY POLICY

This Privacy Policy sets out the principles for the collection, processing and storage of personal data necessary for the performance of services provided through the website midnightissue.com.

The Controller reserves the right to amend this Privacy Policy at any time and for any reason. Any modifications will be announced by updating the effective date of this Policy. Users are encouraged to review this Privacy Policy periodically to remain informed of any changes. Continued use of the website following publication of the amended version shall constitute acknowledgment of, and consent to, the changes made.

1. Data Controller

  1. The Data Controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”), is Midnight Issue LTD, having its registered office in London, United Kingdom, at 182–184 High Street North, Office 9630, E6 2JA.
  2. The Controller’s contact e-mail address: hello@midnightissue.com.
  3. Pursuant to Article 32(1) of the GDPR, the Controller observes the principles of data protection and applies appropriate technical and organisational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed in connection with its business activities.
  4. The provision of personal data is voluntary; however, it is necessary in order to conclude an agreement with the Controller.
  5. The Controller processes personal data to the extent necessary for the performance of a contract and/or the provision of services to the data subject.

2. Purpose, Scope, Legal Basis and Method of Data Collection

  1. Personal data are collected directly from users of the website, in particular through:
  • newsletter subscription forms,
  • contact forms,
  • forms for downloading digital content (so-called lead magnets such as e-books, reports, checklists, webinars),
  • marketing activities carried out via social media platforms.
  1. The Controller may process the following categories of personal data: name, surname, e-mail address, telephone number, and business information (such as company name or VAT identification number [NIP]).
  2. In addition, the Controller may process non-personal data concerning the user’s device to ensure the best and safest use of the website—such as the IP address, information stored in cookies or similar technologies, session data, browser type, pages visited, and, where separately consented to, geolocation data.
  3. The Controller processes personal data for the following purposes and on the following legal bases:
  4. a) Entering into and performing a contract for the supply of digital content (materials made available by the Controller in exchange for the provision of personal data, so-called lead magnet) — pursuant to Article 6(1)(b) GDPR;
  5. b) Provision of electronic services, including sending newsletters containing informational, educational and marketing content — pursuant to Article 6(1)(a) GDPR in conjunction with Article 10 of the Polish Act on the Provision of Electronic Services and Article 172 of the Telecommunications Law;
  6. c) Conducting direct marketing of the Controller’s or its partners’ products and services – pursuant to Article 6(1)(f) GDPR (legitimate interest of the Controller);
  7. d) Responding to user inquiries, including those submitted via electronic forms – pursuant to Article 6(1)(f) GDPR;
  8. e) Statistical and analytical purposes, and ensuring the security of the website – pursuant to Article 6(1)(f) GDPR;
  9. f) Archiving data for evidentiary purposes and for the establishment, exercise or defence of legal claims – pursuant to Article 6(1)(f) GDPR.
  10. Where processing is based on the user’s consent, such consent may be withdrawn at any time without affecting the lawfulness of processing prior to its withdrawal.

3. Newsletter and Provision of Digital Content (Lead Magnet)

  1. Subscribing to the newsletter or downloading materials made available by the Controller (e.g. e-book, report, checklist, participation in a webinar) constitutes the conclusion of a contract for the supply of digital content within the meaning of Article 2(5a) of the Polish Consumer Rights Act (ustawa o prawach konsumenta).
  2. This contract is gratuitous — the user does not pay a monetary consideration but provides personal data to the Controller and consents to receiving the newsletter.
  3. The Controller informs that access to the same content may alternatively be obtained by contacting the Controller directly via the e-mail address indicated in §1.
  4. The user may unsubscribe from the newsletter at any time by clicking the deactivation link contained in the footer of each message or by contacting the Controller directly.
  5. Consent to receive the newsletter is entirely voluntary and may be withdrawn at any time.
  6. Personal data processed in connection with the execution of the contract for the supply of digital content shall be retained for the period necessary for its performance and for such time as may be required for the establishment or defence of any related claims.

4. Data Recipients and Transfers to Third Countries

  1. The Controller may disclose personal data solely to entities with which it has concluded appropriate data processing agreements, including:
  2. a) providers of technical and IT services (e.g. hosting, mailing systems, CRM systems),
  3. b) legal advisers, accountants and tax consultants,
  4. c) providers of analytical and advertising tools (e.g. Google, Meta),
  5. d) persons authorised by the Controller (employees and associates),
  6. e) other entities engaged under data processing agreements.
  7. The Controller may be required to disclose personal data under applicable law, in particular to authorised public bodies or institutions.
  8. Given that the Controller and certain entities referred to in points (a) and (c) above are established outside the European Economic Area, the Controller informs that, for statistical, advertising optimisation and social plug-in functionality purposes, data may be transferred to third countries within the meaning of the GDPR. Such transfers are made solely to entities that are either certified under the EU-US Data Privacy Framework (formerly Privacy Shield) or are parties to the Standard Contractual Clauses adopted by the European Commission, ensuring an adequate level of protection.

5. Data Retention Periods

  1. The Controller retains personal data for the duration of the contractual relationship with the data subject and thereafter for the period necessary for the pursuit or defence of legal claims, compliance with statutory obligations, or until the expiry of limitation periods under applicable civil law.
  2. Data processed on the basis of consent (newsletter or marketing activities) are retained until such consent is withdrawn.
  3. Data processed for marketing purposes are retained for a maximum of ten (10) years or until withdrawal of consent or an effective objection to processing.
  4. Data processed for other purposes are retained for a period of one (1) year, unless consent is withdrawn earlier and there is no other lawful basis for further processing.

6. Rights of the Data Subject

  1. Every data subject shall have the following rights::
  2. a) right of access – to obtain from the Controller confirmation as to whether or not personal data concerning them are being processed. Where such data are being processed, the data subject shall have the right to access such data and to obtain information regarding: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the data have been or will be disclosed; the envisaged period for which the data will be stored, or, if not possible, the criteria used to determine that period; the right to request rectification, erasure or restriction of processing; and the right to lodge an objection to such processing (Article 15 GDPR);
  3. b) right to obtain a copy of the data – to receive a copy of the personal data undergoing processing. The first copy shall be provided free of charge, whereas for any further copies the Controller may charge a reasonable administrative fee corresponding to the costs incurred (Article 15(3) GDPR);
  4. c) right to rectification – to obtain from the Controller the rectification of inaccurate personal data or the completion of incomplete data (Article 16 GDPR);
  5. d) right to erasure (“right to be forgotten”) – to obtain the erasure of personal data where the Controller no longer has a legal basis for processing or where the data are no longer necessary for the purposes for which they were collected (Article 17 GDPR);
  6. e) right to restrict processing – to request restriction of the processing of personal data (Article 18 GDPR) in any of the following circumstances:
  • where the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of such data;
  • where the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead;
  • where the Controller no longer needs the data for the purposes of processing but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • where the data subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the data subject.
  1. f) right to data portability – to receive personal data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from the Controller to which the data have been provided, where the processing is based on the data subject’s consent or on a contract, and is carried out by automated means (Article 20 GDPR);
  2. g) right to object – to object, on grounds relating to their particular situation, to the processing of personal data concerning them based on the Controller’s legitimate interests, including profiling. In such case, the Controller shall assess whether there exist compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. Should the interests of the data subject prevail, the Controller shall cease processing the data for those purposes (Article 21 GDPR).
  3. To exercise any of the aforementioned rights, the data subject should contact the Controller using the contact details provided herein and specify which right they intend to exercise and to what extent.
  4. The data subject has the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO) or another competent supervisory authority within the meaning of Article 77 GDPR.
  5. The Controller shall respond to data subject requests within one (1) month, extendable by up to three (3) months in complex cases or in the event of numerous simultaneous requests.
  6. In accordance with applicable legal bases, the Controller shall retain personal data for as long as its legitimate interest persists, but in no case longer than the applicable limitation period for claims that may be pursued by or against the Controller in relation to the data subject.

7. Automated Processing and Profiling

  1. Personal data obtained by the Controller may be processed by automated means, including profiling. Such profiling involves the evaluation of selected information about the data subject in order to analyse or predict personal preferences or interests, particularly for the purpose of delivering personalised offers.
  2. Automated processing shall not produce legal effects concerning the data subject nor significantly affect them. The data subject may object to profiling at any time.

8. Cookies

  1. A “cookie” is a small text file sent by a website to the user’s browser and returned on subsequent visits. The use of cookies, although subject to notification requirements, primarily enhances the user experience and supports the website’s technical and analytical development. Cookies are used to:
  2. a) identify the computer and browser used to access the website,
  3. b) adapt the website display to the user’s preferences by anonymous analysis of online behaviour,
  4. c) remember site settings such as language, colour or layout,
  5. d) enable account functionality within the service,
  6. e) facilitate login and navigation,
  7. f) prevent repetitive advertising by remembering displayed content.
  8. Cookies do not alter the functioning of user devices and are not harmful in any way. They do not modify browser settings and are not shared with third parties other than those identified in §4 above. The user may manage cookie settings in their browser, including blocking or deleting them, although this may limit certain functionalities of the website.

This Privacy Policy shall enter into force on 1/11/2025.



Back to top