Sigma Clinic Logo

Privacy Policy

Last updated 2 October 2025

1. Definitions.

For the purposes of this privacy policy, the following terms shall have the following meanings:

Administrator means the company Sigma Clinic spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw, ul. Młynarska 42, 01-171 Warsaw, entered into the register of entrepreneurs of the National Court Register, kept by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division od the National Court Register, under KRS number: 0001184102, TIN: 5273173475, statistical number: 542251538, with a share capital amounting to PLN 50,000.00.

Platform means the internet platform located at the domain .

Policy means this privacy policy.

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

User means a natural person using the Platform.

2. General Provisions.

2.1. The Administrator is the controller of the personal data of Users using the Platform and other persons contacting the Administrator through the available channels.

2.2. The Administrator obtains personal data in particular through:

2.2.1. use of the Platform by the User to the extent of browsing its content and using the services available through it,

2.2.2. contact with the Administrator through the available channels indicated on the Platform’s website, including by telephone or via electronic messages (chat, e-mail).

2.3. The Administrator may receive personal data from third parties, in particular after it has been provided by the Administrator’s business partners.

2.4. The Administrator ensures the security of personal data. In view of the above, the Administrator takes technical and organizational measures in accordance with the GDPR, which are aimed at ensuring the security of personal data.

2.5. The Administrator has appointed a Data Protection Officer. The Data Protection Officer can be contacted by sending a message to: privacy@sigma.clinic or by post to the Administrator’s registered office address.

  1. Purpose and basis for the processing of personal data.

3.1. The personal data of Users using the Platform for the purpose of browsing its content is processed by the Administrator for the following purposes:

3.1.1. to provide the access to the Platform – the basis for processing is Article 6 sec. 1 letter (b) of the GDPR,

3.1.2. to ensure the proper functioning of the Platform – the basis for processing is Article 6 sec. 1 letter (f) of the GDPR,

3.1.3. for analytical and statistical purposes – the basis for processing is Article 6 sec. 1 letter (f) of the GDPR,

3.1.4. for the purpose of a possible investigation of claims or defense against claims – the basis for processing is Article 6 sec. 1 letter (f) of the GDPR.

The provision of data is necessary to use the Platform in the above scope.

3.2. The personal data of Users using the Platform to the extent of using the services available through it are processed by the Administrator for the purpose of:

3.2.1. providing the User account service – the basis for data processing is Article 6 sec. 1 letter (b) of the GDPR,

3.2.2. fulfilling legal obligations arising from tax law and accounting regulations – the basis for processing is Article 6 sec. 1 letter © of the GDPR,

3.2.3. for analytical and statistical purposes – the basis for processing is Article 6 sec. 1 letter (f) of the GDPR,

3.2.4. for the purpose of recording the User’s activity within the Platform – the basis for data processing is Article 6 sec. 1 letter (f) of the GDPR,

3.2.5. providing a teleconsultation service, including the initial organization of a teleconsultation service using a virtual assistant based on artificial intelligence – the basis for processing is Article 9 sec. 2 letter (a) and (h) of the GDPR,

3.2.6. storing medical records – the basis for processing is Article 9 sec. letter h of the GDPR,

3.2.7. offering additional services, including in the scope of health services – Article 9 sec. 2 letter (a) of the GDPR,

3.2.8. for the purpose of a possible investigation of claims or defense against claims – the basis for processing is Article 6 sec. 1 letter (f) of the GDPR.

The provision of data is necessary to use the Platform in the above scope.

3.3. The personal data of persons contacting the Administrator through the available channels indicated on the Platform’s website are processed by the Administrator for the purpose of:

3.3.1. contacting the Administrator in connection with a submitted enquiry or notification – the basis for data processing is Article 6 sec. 1 letter (f) of the GDPR,

3.3.2. carrying out the recruitment process – the basis for data processing is the provisions of the Labor Code Act and Article 6 sec. 1 letter (b) of the GDPR.

The provision of data is necessary to handle the enquiry or notification. The provision of the data indicated in Article 22(1) of the Labor Code Act is necessary for the recruitment process – the provision of data to a wider extent is voluntary and the basis for its processing is Article 6 sec. 1 letter (a) of the GDPR.

3.4. The personal data of persons whose data the Administrator has received from its business partners are processed by the Administrator for the purpose of:

3.4.1. carrying out cooperation with the Administrator – the basis for data processing is Article 6 sec. 1 letters © and (f) of the GDPR.

4. Recipients of personal data.

4.1. The recipients of personal data to whom data may be transferred to the necessary extent are:

4.1.1. providers of IT services and systems, including payment operators and analytical systems,

4.1.2. advisors cooperating with the Administrator, including entities providing legal, accounting and bookkeeping services,

4.1.3. authorized personnel of the Administrator,

4.1.4. entities entitled to access data on the basis of applicable laws.

  1. Transfer of data outside the European Economic Area (EEA).

The Administrator uses the services of entities whose servers may be located outside the European Economic Area. In view of the above, personal data obtained in connection with the use of the Platform may be transferred to the necessary extent outside the European Economic Area. The Administrator has made the necessary efforts to ensure that the entities referred to in this section provide a guarantee of a high level of data protection, in particular through participation in the Data Privacy Framework and the use of standard contractual clauses approved by the European Commission.

6. Rights of data subjects.

6.1. Data subjects whose personal data is processed by the Administrator have the following rights:

6.1.1. the right to request access to personal data,

6.1.2. the right to request the rectification of personal data,

6.1.3. the right to request the erasure of personal data,

6.1.4. to the extent that the data are processed in an automated manner – the right to request the portability of personal data,

6.1.5. to the extent that the data are processed on the basis of the data subject’s consent – the right to withdraw consent to the processing of personal data,

6.1.6. the right to request the restriction of the processing of personal data,

6.1.7. the right to object to the processing of personal data,

6.1.8. the right to lodge a complaint with a supervisory authority.

6.2. To exercise the above rights, please contact the Data Protection Officer at: privacy@sigma.clinic.

6.3. To exercise the right to lodge a complaint with a supervisory authority, please contact the President of the Personal Data Protection Office in Warsaw.

7. Automated decision-making and profiling.

Personal data may be processed in an automated manner, including through profiling. Decisions based on personal data processed in the manner indicated in the preceding sentence will not be taken in an automated manner.

8. Period of processing of personal data.

8.1. The Administrator processes personal data for the period necessary for the purposes for which the data were provided. Data processed:

8.1.1. on the basis of the Administrator’s legitimate interest will be processed until an objection is lodged by the data subject, or until that interest expires, provided that data processed on this basis for the purpose of pursuing or defending against claims will be processed until the statute of limitations for such claims has expired,

8.1.2. for the purpose of fulfilling statutory obligations will be processed for the period indicated in the relevant legal provisions, e.g. tax regulations, regulations concerning patients’ rights,

8.1.3. on the basis of consent will be processed until this consent is withdrawn,

8.1.4. for the purpose of carrying out a recruitment process will be processed until the end of the recruitment process. If a candidate has consented to the processing of his/her data for the purposes of future recruitment, the personal data will be processed until this consent is withdrawn.

9. Social media.

9.1. Within the Platform, the Administrator uses social plugins that redirect to the Administrator’s profiles on the following social networks: LinkedIn, Instagram, Facebook.

9.2. By using the above-mentioned plugins, data is exchanged between the User and the respective social network. In view of the above, the Administrator recommends the User to familiarize with the personal data processing policies of the individual social networks.

10. Cookies.

10.1. The Platform uses various types of cookies and similar technologies, which are listed in the table below.

10.2. Cookies are small text files sent by the Platform to the User’s web browser and stored on the User’s device. Storing or accessing cookies and similar technologies does not cause any changes to the User’s device or the software installed on it.

10.3. The Administrator uses the following categories of cookies:

10.3.1. functional – used by the Administrator and its partners to provide and improve the quality of services provided to the User by electronic means,

10.3.2. marketing – used by the Administrator and its partners for marketing purposes.

10.4. The use of cookies and similar technologies requires the User’s consent. The User’s consent is not required for cookies and similar technologies the use of which is necessary for the provision of a service by electronic means.

10.5. The User may change or withdraw their consent to the use of cookies and similar technologies at any time by clicking on the link in the footer of the Platform or on the following link: [LINK]

10.6. The User may delete cookies from User’s device at any time by following the instructions of the User’s web browser provider.

10.7. The Administrator uses the following analytical and marketing tools that use cookies and similar technologies: Google Tag Manager (tag management), Google Ads (advertising/remarketing), Meta Pixel (advertising/remarketing), Microsoft Clarity (UX analytics).