Privacy Policy
Updated: June 15, 2026
Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: “EU GDPR”) and the United Kingdom General Data Protection Regulation as incorporated into UK law via the Data Protection Act 2018 (hereinafter: “UK GDPR”), we hereby inform you of how we collect, store, and process personal data across our group operations.
1. PERSONAL DATA CONTROLLER
1.1. The controller of your personal data depends on your geographic location and the specific contract or services you are engaging with:
- **For operations, contracts, and data subjects within the United Kingdom:** The data controller is **ChargeEuropa UK LTD**, a company registered in Scotland under company number **SC892044**, with its registered office at **Unit 2 Queenslie Industrial Estate, Glasgow, United Kingdom, G33 4JJ** (hereinafter: “ChargeEuropa UK”).
- **For operations, contracts, and data subjects within the European Union:** The data controller is **Charge Polska sp. z o. o.**, with its registered office in Przeźmierowo, ul. Rzemieślnicza 1, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court in Poznań – Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register under KRS number: 000391078, NIP: 7811867417, with share capital of PLN 204,950 (hereinafter: “Charge Polska”).
1.2. Any questions regarding the processing and protection of personal data, including those related to this privacy policy, should be directed to our central privacy team at the following email address: info@chargeeuropa.com.
2. SCOPE, PURPOSE AND METHOD OF PERSONAL DATA PROCESSING
2.1. Due to the nature of the services provided by the Controller, it is not possible to provide them anonymously. The scope of processed personal data includes: full name, email address, phone number, tax identification number (NIP/VAT number), and business address (in the case of individuals conducting business activity).
2.2. Your data will be processed for the following purposes under both the EU GDPR and UK GDPR frameworks:
- For contact with the Client and to enable the use of the CHARGEEUROPA mobile application (hereinafter referred to as the “App”) (Art. 6(1)(b) GDPR);
- To maintain and utilize the Client's contact details as part of a secure customer relationship management database (Art. 6(1)(f) GDPR);
- To fulfill legal and regulatory obligations imposed on the Controller, in particular for the purposes of submitting personal data in the event of court, administrative, or other governmental proceedings, as well as to meet mandatory accounting and tax law obligations (Art. 6(1)(c) GDPR);
- To send marketing newsletters to the Client – provided that the Client has given explicit, appropriate consent (Art. 6(1)(a) GDPR);
- To pursue the Controller's legitimate business interests (Art. 6(1)(f) GDPR), particularly for legal protection, including pursuing or defending against commercial claims.
2.3. Where data processing relies on user consent, the Controller ensures that such consent meets the highest standards of active, informed, and granular opt-in choice. Consent requests are kept completely independent of standard terms and conditions, and all given consents are securely recorded within an immutable digital ledger—capturing timestamps and system versions—to remain fully auditable.
2.4. Providing personal data is voluntary; however, refusal to provide data marked as mandatory in our forms or interfaces will prevent the Controller from providing the requested services, managing user accounts, or responding to inquiries.
2.5. Your data will be stored securely for the duration of service provision by the Controller, and thereafter, for the period necessary to ensure robust legal protection, particularly for the statute of limitations of potential claims, or as strictly required by statutory data retention obligations imposed on the Controller – whichever period is longer.
2.6. Our data architecture prioritizes processing and storage activities within the United Kingdom and the European Economic Area (EEA). Data flows legally between our UK and EU entities under established data adequacy regulations. If an operational requirement or verified third-party technical vendor necessitates transferring personal data outside these boundaries, such transfers are strictly legitimized using legal safeguards, including the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses (SCCs), and the completion of formal Transfer Risk Assessments (TRAs).
2.7. Personal data processed by the Controller will not be subject to automated decision-making processes, including profiling.
3. DATA RECIPIENTS
3.1. The Controller may entrust the processing of personal data to trusted third-party service providers to facilitate seamless operations. In such cases, data recipients are limited to: hosting providers, IT infrastructure and software service providers, CRM platforms, email service operators, invoicing and financial system providers, verified payment processors, professional accounting firms, and external tax or legal advisors.
3.2. Personal data collected by the Controller may also be shared with appropriate law enforcement, regulatory bodies, or governmental authorities if strictly required by applicable laws.
3.3. Every entity to which the Controller entrusts data processing operates under a strict Data Processing Agreement (DPA) or standard contractual terms that guarantee equivalent standards of confidentiality, data security, and compliance. Data processors acting on our behalf may not subcontract processing operations to another entity without the Controller's prior written consent.
4. RIGHTS OF THE DATA SUBJECT
4.1. Every User and data subject across our jurisdictions possesses the following legal rights:
(a) Right to Erasure (Right to be Forgotten): Request the deletion of personal data collected about them from our active systems and partner databases, exercisable via client account settings or by contacting the data controller;
(b) Right to Restriction: Restrict or temporarily pause the processing of their personal data under specified statutory conditions;
(c) Right to Access & Rectification: Request comprehensive confirmation and copies of personal data held about them, as well as the immediate correction of any inaccuracies;
(d) Right to Withdraw Consent: Proactively withdraw processing consent at any time, without affecting the lawfulness of any processing carried out based on consent before its withdrawal;
(e) Right to Lodge a Complaint: Lodge a formal complaint against our processing activities with the appropriate national supervisory authority. For EU operations, this is the President of the Personal Data Protection Office (UODO) in Poland. For UK operations, this is the Information Commissioner’s Office (ICO);
(f) Right to Data Portability: Request the secure transfer of their personal data to another controller in a structured, commonly used, and machine-readable format, where technically feasible;
(g) Right to Object: Object to the processing of their personal data at any time where processing is justified under the lawful basis of the Controller's legitimate interests.
5. SECURITY
5.1. The Controller applies robust physical, technical, and organizational measures to ensure the ongoing confidentiality, integrity, availability, and operational resilience of processing systems and services. These controls are continuously scaled against perceived risk and include mandatory Multi-Factor Authentication (MFA) for personnel, role-based access control (Principle of Least Privilege), and advanced encryption standards applied to data both at rest (AES-256) and in transit (TLS 1.3). System data environments are backed up daily to secure, redundant storage facilities to maintain comprehensive disaster recovery and business continuity capabilities.
5.2. We operate under strict data-protection-by-design and data-protection-by-default principles. In compliance with Article 30 of the EU GDPR and UK GDPR, we maintain an active internal Record of Processing Activities (RoPA) that maps data categories, lawful bases, and exact retention schedules. Our security frameworks are maintained through scheduled internal compliance audits, Data Protection Impact Assessments (DPIAs) for new system deployments, regular technical vulnerability testing, and mandatory annual data security awareness training for all operational staff.
5.3. While we enforce rigid operational security measures, the Controller notes that electronic data transmission over the internet carries inherent baseline risks (such as unauthorized third-party malware or interception). Users are encouraged to maintain updated local technical safeguards on their own devices, such as antivirus software and secure credentials management.
6. FINAL PROVISIONS
6.1. We are committed to continuously optimizing our systems and ensuring alignment with evolving legislative standards. Consequently, the operational rules governing personal data processing may be updated periodically. Users will be formally notified via our digital platforms before any material changes to this Privacy Policy are implemented.