Privacy Policy and Cookies Policy

Controller and contact details

The controller of your personal data is Pallotyński Dom Słowa (PDS). Address: Ołtarzew, ul. Kilińskiego 20; Email: info@domslowa.pl.

Please report any security incidents related to personal data processing without delay to: info@domslowa.pl.

Legal basis

We process personal data in accordance with Regulation (EU) 2016/679 (the “GDPR”) and—where applicable to the controller— the General Decree of the Polish Episcopal Conference of 13 March 2018 on the protection of natural persons with regard to the processing of personal data in the Catholic Church.

More information on personal data protection: the Church Data Protection Inspector – kiod.episkopat.pl, and the Polish data protection authority (UODO) – uodo.gov.pl.

Scope and purposes of processing

We process personal data in connection with operating the websites: domslowa.pl, jednoslowo.com, janzpatmos.pl, and our profiles on social media platforms.

Categories of personal data

• Identification and contact data (e.g., name, email address, phone number—if provided).
• Content of correspondence (questions, messages, requests).
• Data related to participation in events (registrations, attendee list) and—where applicable—image/photographs.
• Technical and usage data (e.g., IP address, cookie identifiers, browser type, operating system, visit date and time).
• Data published in comments (display name, email address, comment content) and anti-spam data (IP, user agent).

Purposes and legal bases (GDPR)

• Handling correspondence and enquiries (contact form/email/post) – legal basis: the controller’s legitimate interest (Article 6(1)(f) GDPR) in communicating and handling enquiries, or—where we ask for explicit consent in a form—consent (Article 6(1)(a) GDPR).
• Organising events (retreats/weekends) – legal basis: taking steps at the data subject’s request prior to entering into an agreement / organising participation (Article 6(1)(b) GDPR), and additionally legitimate interest (Article 6(1)(f) GDPR) for organisational and accountability purposes (attendee list, security).
• Publishing event reports / images (where carried out) – legal basis: consent (Article 6(1)(a) GDPR). Consent may be withdrawn at any time.
• Post subscription – legal basis: consent (Article 6(1)(a) GDPR). You can unsubscribe at any time (e.g., via an unsubscribe link).
• Comments and prevention of abuse/spam – legal basis: legitimate interest (Article 6(1)(f) GDPR).
• Ensuring website operation and security – legal basis: legitimate interest (Article 6(1)(f) GDPR).
• Cookies and third-party tools (CookieYes, embedded YouTube, reCAPTCHA) – described in the sections below.

Providing data is generally voluntary, but it may be necessary to handle your enquiry, register for an event, subscribe, or use a particular feature (e.g., commenting).

Recipients and transfers outside the EEA

Data may be disclosed only to the extent necessary to achieve the purposes described above, in particular to the following categories of recipients:

• Website hosting and maintenance providers.
• Email and communication providers.
• Form and anti-spam providers: Google reCAPTCHA (Google LLC).
• Consent management platform (CMP) provider: CookieYes | GDPR Cookie Consent (including connection to app.cookieyes.com— as necessary to display the banner, manage preferences, and—depending on configuration—store consent logs).
• Embedded video provider: YouTube (Google) when embedded videos are loaded/played.
• Where content is published (e.g., comments/event reports): other Internet users may have access to that content.

Transfers outside the European Economic Area (EEA)

Some tools (in particular Google services such as reCAPTCHA and YouTube) and CookieYes may involve processing outside the EEA, depending on configuration, server locations and service delivery model. Where applicable, appropriate safeguards under the GDPR (e.g., Standard Contractual Clauses) are used.

Retention periods

• Correspondence – until the enquiry is handled and the matter is closed, and thereafter for as long as necessary to establish, exercise or defend claims (typically up to 3 years) or for justified archiving.
• Event registrations – for the duration of the event organisation and settlements, and then for the period required by law or until claims become time-barred; attendee list – for an organisational period: up to 30 days after the event.
• Images in reports – until consent is withdrawn or the material is removed, subject to technical/backup copies (where applicable).
• Subscriptions – until you unsubscribe; after unsubscribe, data are deleted or anonymised, unless minimal evidence data (e.g., consent logs) need to be retained—where applicable.
• Comments – for as long as the post/service exists or until the comment is removed; anti-spam technical data – as long as necessary to protect the service.
• Technical logs – for as long as needed for security and diagnostics.
• Cookie consents (CookieYes) – according to CMP configuration and accountability requirements.

Your rights

You have the right to access your data, rectify it, erase it, restrict processing, data portability, and to object to processing based on Article 6(1)(f) GDPR.

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

You also have the right to lodge a complaint with the competent supervisory authority: the Church Data Protection Inspector (Skwer kard. Stefana Wyszyńskiego 6, 01-015 Warsaw, Poland) and—where provided by law—also with the President of the Polish Personal Data Protection Office (UODO) (ul. Stawki 2, 00-193 Warsaw, Poland).

Automated decision-making

The controller does not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.

Contact forms and communication

If you contact us via a form or email, we process the data necessary to handle your message. Recipients may include hosting and email service providers.

Events and images

Participation in events requires providing data necessary for organisation. We may maintain an attendee list for organisational and security purposes. Where we publish event reports containing images, we do so on the basis of consent, which may be withdrawn at any time.

Subscription

Subscription to new posts involves sending notifications to the email address provided. The legal basis is consent. You can unsubscribe at any time (e.g., via an unsubscribe link in the message).

Comments (WordPress) and Gravatar

When visitors leave comments on the site, WordPress collects the data shown in the comments form and may also collect the visitor’s IP address and browser user agent string to help spam detection.

An anonymised string (hash) created from your email address may be provided to the Gravatar service (Automattic) to see if you are using it. Automattic’s privacy policy: automattic.com/privacy.

WordPress may save your name, email address and website in cookies to make it convenient for you to leave another comment. These cookies typically last for one year—if you choose that option.

Security

We apply technical and organisational measures appropriate to the risk, including access controls, backups, updates, server-layer security measures and event monitoring to the extent necessary for security.

Cookies Policy (CookieYes)

Cookies are small text files stored on a user’s device. They may be necessary for the website to function, improve features, or be used for analytics.

CMP (CookieYes) – consent management

• We use CookieYes | GDPR Cookie Consent to display the cookie banner, manage cookie preferences, and—depending on configuration—store consent logs.
• You can change your choices at any time by clicking “Cookie settings”.

Types of cookies

• Strictly necessary – required for the website to work properly (may be set without consent).
• Functional – remember settings and choices.
• Analytics/Statistics – help understand how the site is used (generally require consent if not strictly necessary).
• Marketing – if used, require consent.

Browser controls

You can delete cookies or block them in your browser settings. This may, however, limit some website functionality.

Embedded YouTube videos

The websites may contain embedded videos from YouTube (Google). Loading the player or playing a video may cause data to be transmitted to the provider (e.g., IP address, device/browser identifiers) and may involve storing/reading cookies or similar identifiers, depending on your settings and consents.

To reduce data sharing, we may use YouTube’s “privacy-enhanced mode” by embedding videos via the youtube-nocookie.com domain (where configured).

Provider policy: Google Privacy Policy.

Google reCAPTCHA

Our forms may be protected by Google reCAPTCHA to prevent spam and abuse. reCAPTCHA may collect information about the device and user activity (e.g., IP address, browser data, interaction signals) to assess the risk of abuse. The legal basis is the controller’s legitimate interest (Article 6(1)(f) GDPR) in protecting the website and forms.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Social media

We operate profiles on social media platforms (Facebook, Instagram, X). Your personal data may be processed by the platform providers under their terms and privacy policies. For our communication and moderation activities, the legal basis may be legitimate interest (Article 6(1)(f) GDPR), and for activities requiring consent—consent (Article 6(1)(a) GDPR).

Changes to this policy

We may update this policy by publishing a new version on PDS websites. We recommend reviewing this document periodically.