Privacy Policy

Version effective from 1 January 2026

1. General provisions

The Data Controller is Yellows Sp. z o.o., headquartered in Warsaw (02-739) at ul. Wałbrzyska 11, Poland, registered under KRS: 0000654561, NIP: 5213760803, REGON: 366147930.
Data protection contact: e-mail: rodo@yellows.pl

2. Purposes and legal grounds

    Data is processed in accordance with GDPR for:
  • Software Development & IT Services: Contract performance and project support (Art. 6(1)(b) GDPR).
  • Business Development (B2B): Establishing business relationships (Art. 6(1) (f) GDPR – legitimate interest).
  • Talent Acquisition: Recruitment processes (Art. 6(1)(a) and (b) GDPR).
  • System Security: Log monitoring and infrastructure protection (Art. 6(1)(f) GDPR).

3. IT recruitment process

  • Scope: CVs, cover letters, public profiles (LinkedIn, GitHub).
  • Verification: Technical tasks and coding interviews.
  • Retention: Data is deleted after recruitment unless consent for future processes is provided (stored for 24 months).

4. Artificial intelligence (AI ACT COMPLIANCE)

    We utilize modern optimization technologies:
  • AI models are used for automated testing and code analysis.
  • No recruitment or decision-making process is solely automated without human oversight (Human-in-the-loop).
  • User data is not used to train external AI models without explicit consent.

5. Data recipients and tools (SAAS)

    We cooperate with trusted vendors (often involving transfers outside the EEA):
  • Infrastructure: AWS, Google Cloud Platform (GCP).
  • Management: Slack, Jira, Confluence, Microsoft 365, Redmine.
  • Analytics: Google Analytics 4 (including Consent Mode v2). Transfers are based on Standard Contractual Clauses and the Data Privacy Framework.

6. Cookies and tracking technologies

  • Necessary cookies: Installed automatically for website functionality.
  • Analytical and marketing cookies: Installed only upon voluntary consent (via cookie widget).
  • Management: Users can change settings or delete cookies in browser settings (Chrome, Firefox, Safari, Edge).
  • Duration: Session cookies are deleted upon closing the browser.

7. Data retention

  • Commercial/Invoicing data: 5 years (tax regulations).
  • CRM/Contact data: Until an objection or 3 years since last activity.
  • Server logs: Up to 180 days.

8. Your rights

You have the right to: access, rectify, erase, restrict, port, and object to processing. Complaints may be submitted to: President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych – UODO, ul. Stawki 2, 00-193 Warsaw, Poland).