Privacy Policy
Last updated: 22 June 2026
This Privacy Policy describes how Riwahu Yipuhu ("we", "us", "our"), operating from Warszawska 43, Katowice, Poland, collects, uses, stores, and protects personal data in connection with the website riwahu-yipuhu.info and related services. This policy is prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and the Polish Act of 10 May 2018 on the Protection of Personal Data (Dz.U. 2018 poz. 1000).
The controller of personal data collected through this website is Riwahu Yipuhu, with its registered place of business at Warszawska 43, Katowice, Poland. For all data protection enquiries, the controller can be contacted by email at [email protected] or by post at the address above.
Where the GDPR requires a designated Data Protection Officer and where such an obligation applies to our organisation, contact details for the DPO function are available on request via the same contact channels.
We collect personal data only to the extent necessary for the purposes described in this policy. The categories of data we may collect include:
- Identification data: name or display name provided when using the contact form or registering an account.
- Contact data: email address and any postal address provided voluntarily through the contact form or account registration.
- Usage data: information about how you interact with the website, including pages visited, time spent, and browser type, collected via cookies and server logs.
- Payment data: where applicable, payment transaction data processed through third-party payment processors. We do not store full card details on our servers.
- Communication records: content of messages submitted through the contact form, retained for correspondence purposes.
We do not intentionally collect sensitive personal data as defined under Article 9 GDPR (such as data concerning health, racial or ethnic origin, or political opinions).
All processing of personal data is carried out on one of the following legal bases under Article 6 GDPR:
- Consent (Art. 6(1)(a)): where you have given explicit consent, including for the placement of non-essential cookies.
- Contract performance (Art. 6(1)(b)): where processing is necessary to provide access to purchased lesson content or to respond to a service request you have initiated.
- Legal obligation (Art. 6(1)(c)): where processing is necessary to comply with obligations under Polish law, including tax and accounting obligations.
- Legitimate interests (Art. 6(1)(f)): for purposes such as website security, fraud prevention, and improving the functionality of our platform, where such interests are not overridden by your rights and interests.
Where consent is the legal basis, you have the right to withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
Personal data collected through this website is used for the following purposes:
- To respond to enquiries submitted through the contact form.
- To create and manage user accounts where registration is required for lesson access.
- To process payments and maintain billing records in accordance with Polish accounting law.
- To deliver and improve the educational content and platform features.
- To analyse aggregated, anonymised usage patterns for the purpose of improving website structure and content.
- To comply with legal obligations including those under Polish tax law (Ustawa o podatku od towarów i usług) and data protection regulations.
We do not use personal data for automated decision-making or profiling as defined under Article 22 GDPR.
This website uses cookies and similar technologies. A cookie is a small text file placed on your device by the website. We use the following categories:
- Strictly necessary cookies: required for the website to function. These cannot be disabled.
- Functional cookies: remember your preferences and settings between visits.
- Analytics cookies: collect anonymised information about how visitors use the site to help us improve it. These are only set with your consent.
You can manage cookie preferences through the consent tool provided on this website or through your browser settings. For full details, see our separate Cookie Policy.
We do not sell personal data to third parties. We may share personal data with:
- Hosting and infrastructure providers who process data on our behalf as data processors under Article 28 GDPR agreements.
- Payment processing services where payment transactions are initiated.
- Legal and regulatory authorities where disclosure is required by applicable Polish or EU law.
Where we engage third-party processors, we ensure appropriate contractual safeguards are in place. Any transfers of personal data outside the European Economic Area are conducted only where appropriate safeguards exist under Chapter V of the GDPR, such as Standard Contractual Clauses approved by the European Commission.
Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, subject to the following retention principles:
- Contact form enquiries: retained for up to 24 months from the date of submission, unless an ongoing correspondence or contractual relationship requires longer retention.
- Account data: retained for the duration of the account and for up to 12 months after account closure, unless legal obligations require longer retention.
- Billing and payment records: retained for a minimum of 5 years in accordance with Polish accounting law (Ustawa o rachunkowości).
- Server logs: retained for up to 90 days for security and diagnostic purposes.
After the applicable retention period, data is securely deleted or anonymised.
As a data subject under the GDPR, you have the following rights in relation to your personal data:
- Right of access (Art. 15): to obtain confirmation of whether your data is processed and receive a copy of it.
- Right to rectification (Art. 16): to have inaccurate data corrected without undue delay.
- Right to erasure (Art. 17): to request deletion of your data where it is no longer necessary for the purpose collected, or where consent is withdrawn.
- Right to restriction (Art. 18): to request that processing be restricted in certain circumstances.
- Right to data portability (Art. 20): to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): to object to processing based on legitimate interests.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, www.uodo.gov.pl.
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include encrypted connections (HTTPS), access controls on systems handling personal data, and regular review of security practices.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the UODO within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk, affected individuals will also be notified.
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable legal requirements. The date at the top of this page indicates when the policy was last revised. Where changes are material, we will make reasonable efforts to notify users through the website. Continued use of the website after a revised policy is posted constitutes acceptance of the updated terms.
For any questions about this policy or its application, please contact us at [email protected].
All data protection enquiries, requests to exercise rights, or complaints relating to this Privacy Policy should be directed to:
Riwahu Yipuhu
Warszawska 43
Katowice, Poland
Email: [email protected]
Phone: +48 22 531 39 39
We aim to respond to all data protection enquiries within 30 days of receipt. For complex requests, this period may be extended by a further two months, in which case we will notify you of the extension within the initial 30-day period.