Wandoo

Information on the Processing of Personal Data – finansowaszkola.pl

Information on the processing of personal data for Users of the Finansowa Szkoła Service

1. Introduction

The purpose of this document is to provide any person who visits the websites of the service available at: https://finansowaszkola.pl/ (hereinafter: the "Service") with information on the processing of their personal data that may take place while visiting the Service's websites, as well as while using the services provided through it.

Before using the Service, including browsing its content, each person (hereinafter: the "User") is obliged to read this document.

2. Personal data controller

The controller of the personal data of Service Users is Wandoo Finance sp. z o.o., with its registered office in Warsaw, ul. Tytusa Chałubińskiego 8, 00-613 Warsaw, entered in the Register of Entrepreneurs of the National Court Register (KRS) kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division, under KRS number: 0000629774, REGON 365046670, NIP 5252670955 (hereinafter: the "Company").

Direct contact with the Data Protection Officer appointed by the Company is possible via e-mail: iod@wandoo.pl.

3. Purpose and legal basis for processing the personal data of Service Users

The personal data of Service Users are processed by the Company for the purpose of:

  • providing educational materials on financial topics, including sending a newsletter,
  • pursuing claims the Company may have against the User in connection with the use of the Service, or defending against claims the User may have against the Company in connection with the use of the Service,
  • data analysis and archiving, and for evidentiary purposes,
  • direct marketing of the Company's products and services and the products and services of entities for whom the Company provides credit brokerage services (hereinafter: the "Lenders").

The Lenders include: (i) Oreon sp. z o.o. with its registered office in Warsaw, (ii) Timbex sp. z o.o. with its registered office in Warsaw, and (iii) MSKredyt sp. z o.o. with its registered office in Warsaw.

The legal basis for processing the personal data of Service Users is:

  • for processing carried out for the purpose of providing educational materials on financial topics – Article 6(1)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the "GDPR"); processing by the Company of Users' personal data for the purposes specified in this point constitutes the exercise by the Company of its legitimate interests, including the interests of the Lenders cooperating with the Company, and takes place only if the User gives consent to the use of telecommunications terminal equipment and automated calling systems by the Company for direct marketing purposes;
  • for processing carried out in order to pursue claims the Company may have against the User in connection with the use of the Service or to defend against claims the User may have against the Company – Article 6(1)(f) GDPR; processing for the purposes described in this section constitutes the Company's legitimate interests,
  • for processing carried out for the purpose of data analysis and archiving, and for evidentiary purposes – Article 6(1)(f) GDPR; processing for the purposes described in this section constitutes the Company's legitimate interests,
  • for processing carried out for the purposes of direct marketing of the products and services of the entities for whom the Company provides credit brokerage services ("Lenders") – Article 6(1)(f) GDPR; processing for the purposes described in this section constitutes the Company's legitimate interests, including the interests of the Lenders cooperating with the Company, and takes place only if the User gives consent to the use of telecommunications terminal equipment and automated calling systems by the Company for direct marketing purposes.

The rules for processing the personal data of Service Users carried out with the use of Cookies have been set out in detail in the Cookie Policy, available here.

4. Sources of personal data

The personal data of Users are collected in the following ways:

  • data obtained directly from the User while using the Service,
  • automatically, while the User is using the Service.

Data is also collected automatically via cookies, web beacons, and similar technologies. More information on this is available in the Cookie Policy.

5. Scope of personal data collected

The personal data of Service Users are processed to the following extent:

  • identifying data, including first and last names,
  • data relating to financial situation,
  • contact data, including e-mail address and phone number.

The data controller also collects data while the User is using the Service. This data is collected automatically and relates in particular to:

  • technical information, i.e. information about the device the User uses when visiting the Service, information related to the User's network, software and internet connection, type and version of internet browser, time zone settings, types and versions of browser plug-ins, platform and operating system, screen resolution, location, font encoding;
  • information concerning the User's visits to the Service, including the full URL of the website (including date and time); products the User viewed or searched for, referring/exit pages, files viewed on the Service, website response time, download errors, length of visits to certain pages, information about interactions on the page (such as scrolling, clicks and mouse cursor movements) and methods of leaving the website, date/time stamp and/or data relating to the User's actions. More information about cookies can be found in the Cookie Policy.

6. Who may have access to the personal data of Service Users?

Access to the personal data of Service Users will be granted to authorised employees of the Company, as well as entities belonging to the capital group of which Wandoo Finance sp. z o.o. is a part, including in particular SIA Wandoo Finance with its registered office in Riga (Latvia), and external entities providing specific services to the Company, such as:

  • legal advisory services,
  • IT services,
  • accounting services.

Access to the User's personal data may also be granted to the Lenders cooperating with the Company:

  • Oreon sp. z o.o. with its registered office in Warsaw,
  • Timbex sp. z o.o. with its registered office in Warsaw,
  • MSKredyt sp. z o.o. with its registered office in Warsaw.

Each of the Lenders indicated in the preceding sentence will process the User's data as an independent controller, if the User decides to apply for a loan through the Company, in connection with concluding and performing the loan agreement.

The legal basis for processing the User's personal data by the relevant Lender will include, among others, Article 6(1)(b) GDPR, i.e. taking steps prior to entering into the loan agreement (verification of the application, assessment of creditworthiness) and the conclusion and performance of the agreement. Detailed information on the processing of personal data by the Lender in connection with applying for a loan, as well as its subsequent performance, is contained in the loan agreement, the draft of which is available here.

From the moment the User submits a loan application [and also during the performance of that agreement (i.e. the loan agreement)], the Company – acting as a credit broker – will process the User's personal data on the basis of entrustment by the relevant Lender.

The personal data of Users may also be transferred to entities entitled to request it under applicable law, including in particular judicial authorities, the Financial Ombudsman, or the President of the Personal Data Protection Office.

7. Transfer of personal data of Service Users to a third country

The Company does not intend to transfer the personal data of Service Users outside the European Economic Area.

8. How long will the personal data of Service Users be stored?

Personal data used for marketing purposes are processed until the User withdraws consent to their processing for that purpose or raises an objection to such processing.

Personal data provided by the User on the basis of consent given will be retained by the Company for as long as that consent has not been withdrawn.

The Company applies the principle of storage limitation of personal data, which protects data from being processed for an indefinite period. When the purpose of processing has been achieved, the Company deletes or anonymises the data. Exceptions apply where the Company is obliged to retain data by virtue of separate legal provisions.

9. Rights of Users in connection with the processing of their personal data

Under the conditions set out in the GDPR, the User has the right to access their data and the right to request its rectification, erasure, or restriction of processing.

To the extent that the legal basis for processing the User's personal data is the legitimate interest of the Controller, the User has the right to object to the processing of personal data. In particular, the User has the right to object to the processing of data for direct marketing purposes, including profiling for those purposes.

To the extent that the legal basis for processing personal data is the User's consent, the User has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

To the extent that the User's data are processed for the purpose of entering into and performing an Agreement for the provision of services by electronic means, or processed on the basis of consent – the User also has the right to data portability, i.e. to receive from the Controller personal data in a structured, commonly used electronic format. The right to portability covers data provided by the User to the Controller and processed in an automated manner. The User may transmit such data to another data controller.

The User also has the right to lodge a complaint with the supervisory authority responsible for the protection of personal data, i.e. the President of the Personal Data Protection Office.

To exercise the above rights or to obtain answers to questions related to the processing of personal data, please contact the Data Controller or the Data Protection Officer via e-mail: iod@wandoo.pl or in writing to the Company's registered office address.

10. Objection to the processing of personal data

Due to the fact that the User's personal data may be processed by the Company for the purposes of the Company's legitimate interests, including the pursuit of claims and/or defence against claims (i.e. Article 6(1)(f) GDPR), the User may object to such processing at any time for reasons related to the User's particular situation. Despite the objection, the Company will retain the right to continue processing the User's personal data for purposes related to pursuing or defending claims if the Company demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the User, or grounds for the establishment, exercise or defence of legal claims.

If the User's personal data are processed by the Company for direct marketing purposes, the objection may be lodged at any time. In such a case, the User's personal data will no longer be processed for that purpose.

An objection may be submitted by contacting the Company at: iod@wandoo.pl.

11. Complaint to the supervisory authority

The Service User has the right to lodge a complaint with the personal data protection supervisory authority, which in Poland is the President of the Personal Data Protection Office: www.uodo.gov.pl.

12. Voluntary provision of personal data

Providing data is voluntary; however, failure to provide certain information, generally indicated as mandatory in the Service, will result in the inability to perform a given service or achieve a specified purpose or take certain actions.

13. Automated decision-making and profiling

The personal data of Users processed for the purposes of the objectives set out in this Policy will not be subject to automated decision-making. However, these data may be profiled for direct marketing purposes.

Profiling referred to herein consists of selecting by the Company an appropriate marketing offer related to services provided by the Lenders for a given User who is interested in receiving marketing information.

Profiling referred to herein aims to present to the User only such offers which, with high probability, match the User's needs.

The legal basis for profiling for direct marketing purposes is the Company's legitimate interest, i.e. Article 6(1)(f) GDPR; this interest is to match the marketing content presented to the User as closely as possible, instead of providing information which—due to its nature or subject—may prove useless to the User.

The User may object to profiling of their personal data for direct marketing purposes at any time, which will result in the User's personal data no longer being profiled for direct marketing purposes. However, if the User does not withdraw consent to the use of telecommunications terminal equipment and automated calling systems by the Company for direct marketing purposes, and objects to profiling of their data for marketing purposes, the User may still receive marketing information from the Company which, due to its nature or subject, may not match the User's needs.

An objection to profiling may be submitted by contacting: iod@wandoo.pl.

14. Document date: 20 April 2026

The previous version of the document is available here.