Sign up for the webinar

Privacy policy

Effective date: 01.12.2025

1. Who processes your data?

The controller of your personal data (the ‘Controller’) is XF Franchise sp. z o.o., with its registered office at Al. Jana Pawła II 29, 33-100 Tarnów, Poland, Tax ID (NIP): 8711771836, National Court Register (KRS): 0000594556.

You can contact the Data Protection Officer (DPO) at: iod@xtremefitness.pl or by writing to the Controller’s registered address above, with the note ‘DPO’.

2. Where we operate (websites and forms)

We process personal data, among others, through the websites and forms available at:

The above websites use cookie banners informing users about the use of cookies. Detailed information regarding cookies can be found in Section 11 of this Privacy Policy.

The content of these websites is the property of the Controller and is legally protected.

Key information on the use of our services:

  1. Scope of data and purpose of processing.
    In connection with the use of the websites, the Controller processes only data necessary for the provision of services, as well as information about user activity on the websites, including event logs and session data.
  2. Technical requirements.
    To use the websites, users should have a device with an up-to-date web browser capable of displaying web pages, and access to the Internet. The websites are supported by the most popular browsers (e.g. Chrome, Firefox, Safari, Edge) in their latest versions.
  3. External links.
    The websites may contain links to third-party websites. The operators of those websites are responsible for their own privacy policies and security practices. Once redirected to an external website, its respective privacy policy applies.
  4. IP address and technical logs.
    The Controller may collect IP addresses and other technical data related to the user’s device for the purpose of diagnosing and preventing system failures, ensuring security, generating aggregated traffic statistics (e.g. regional traffic sources), administering and improving the websites. This data is not used to identify users unless required for service provision, security purposes, or by law.

3. Which data do we collect?

3.1. Data provided by you

  • Always: first name, last name; e-mail address; phone number.
  • In selected forms: investment budget range, region (voivodeship) of the planned location, and city.

3.2. Data collected automatically

  • IP address; cookies (including advertising/pixel identifiers); device and tracking identifiers (e.g. Meta, Google, HubSpot, Hotjar); UTM parameters (source/campaign/medium) – including data collected by tools such as Google Analytics, HubSpot.

Please note: the scope and operation of cookies depend on the consents given via the cookie banner.

4. For what purposes and on what legal basis do we process data?

 

Purpose of Processing Scope of Data Legal Basis (GDPR)
Registration for an online presentation / franchise webinar first name, last name; e-mail; phone number; (optional: region/city) Art. 6(1)(b) GDPR (necessity for entering into/performance of a contract – venue reservation) or Art. 6(1)(f) GDPR (legitimate interest – event organisation

Handling inquiries about the franchise model / sales contact

 first name, last name; e-mail; phone number; (optional: available funds, region, city) Art. 6(1)(f) GDPR (legitimate interest – handling inquiries and B2C/B2B sales)

Newsletter / marketing communication (e-mail/SMS)

 e-mail; phone number; first name Art. 6(1)(a) GDPR (consent); additionally subject to the requirements of the Telecommunications Law and the Act on Provision of Electronic Services

Lead Magnet (e.g. PDF download)

 first name; e-mail; (occasionally phone number) Art. 6(1)(b) GDPR (performance of a service – delivery of material) and/or Art. 6(1)(a) (consent – marketing)

Traffic analytics and service improvement

 IP address, cookies, identifiers; UTM Art. 6(1)(a) GDPR (consent for cookies/analytics) – in accordance with applicable cookies regulations

Remarketing and online advertising

 cookie/pixel identifiers Art. 6(1)(a) GDPR (consent for marketing via cookies/pixels)

Establishment, pursuit or defence of claims, archiving

 selected contact and transactional data Art. 6(1)(f) GDPR (legitimate interest of the Controller) and/or Art. 6(1)(c) GDPR (legal obligation)

5. Is providing your data mandatory?

Providing your first name, last name, e-mail address and phone number may be necessary to register for a webinar, receive materials, or obtain a callback. Other fields (available funds/region/city) are optional and help us tailor our offer to your needs. Marketing data (newsletter/remarketing) is processed solely on the basis of your consent.

6. Data recipients and processors

We use trusted providers (data processors) based on data processing agreements:

  • HubSpot – CRM/marketing automation; data centre in the EU (Germany), AWS infrastructure; GDPR documentation: https://www.hubspot.com/data-privacy/gdpr.
  • Brevo (Sendinblue) – newsletter/e-mailing; Google Cloud – Belgium; GDPR documentation: https://help.brevo.com/hc/en-us (GDPR section).
  • Analytics and advertising tools (based on cookie/pixel consents): Google, Meta, LinkedIn, TikTok, Snapchat, Pinterest, Hotjar, Cookiebot (consent register).
  • Other categories of recipients: IT/hosting companies, law firms, advisors, postal operators/couriers – solely where necessary and based on agreements ensuring data security.

7. Pixels/web beacons

We use tracking technologies on our websites, such as pixels (web beacons) and tags, which – subject to your consent expressed via the cookie banner – allow us to:

  • measure the effectiveness of ads and content,
  • conduct traffic analytics (e.g. events, conversions),
  • run remarketing campaigns.

Pixels may transfer limited data (e.g. cookie/device identifiers, IP address, UTM parameters) to our trusted partners (e.g. Meta, Google, LinkedIn, TikTok, Snapchat, Pinterest, Hotjar) for the purpose of providing the aforementioned services.

The legal basis for processing is Art. 6(1)(a) GDPR (consent); you may withdraw or modify your consent at any time via the cookie banner settings. Where data is transferred outside the EEA (e.g. to the USA), we apply appropriate legal safeguards (SCCs) and minimisation measures (e.g. pseudonymisation).

8. How long do we store your data?

The data retention period applied by the Controller depends on the type of service provided and the purpose of the processing. As a general rule, data is processed for the duration of the service or the fulfilment of an order, until the withdrawal of consent, or until a valid objection to processing is raised in cases where the legal basis for the processing is the legitimate interest of the Controller.

The retention period may be extended where processing is necessary for the establishment, pursuit or defence of potential claims, and thereafter only where and to the extent required by applicable law.

Upon expiry of the retention period, data is irreversibly deleted or anonymised.

9. Your rights

You have the right to:

  • access your data,
  • rectification,
  • erasure,
  • restriction of processing,
  • data portability,
  • object to processing based on legitimate interest,
  • withdraw consent at any time (without affecting the lawfulness of processing carried out prior to withdrawal).

You also have the right to lodge a complaint with the supervisory authority:
President of the Personal Data Protection Office, ul. S. Moniuszki 1A, 00-014 Warsaw, https://uodo.gov.pl/pl/p/kontakt.

10. How can you exercise your rights?

You can do this in the following ways:

  • via the dedicated ‘Data Access Request’ page in HubSpot (following identity verification) – the link can be found in the website footer or cookie banner,
  • by e-mail: iod@xtremefitness.pl,
  • every e-mail from us contains an unsubscribe link. Unsubscribing sets the appropriate status in HubSpot and suspends all marketing communications (e-mail/SMS).

We respond to requests without undue delay, and no later than within 1 month; in complex cases, the deadline may be extended by a maximum of 2 months (you will be informed of this along with the reasons).

11. Cookies

We use first-party and third-party cookies for the following purposes:

  • essential (functional),
  • analytical,
  • marketing/remarketing.

We use a cookie banner on the websites franczyzafitness.pl, franczyza.xtremekids.pl and xtremebrands.pl.

You may modify or withdraw your cookie consents at any time via the banner (the ‘Change cookie settings’ link).

Cookies are files sent to your computer or other device while you browse the Website.

Cookies allow us to remember and verify your preferences, which enables us to, among other things:

  • improve your search results,
  • ensure the relevance of the information displayed to you.

Cookies do not make any modifications or changes to the settings of your device or any software installed on it.

Please note that you have the right to refuse consent to our use of cookies (you can block them).

If you wish to block cookies, we recommend adjusting the appropriate settings in your web browser. More information can be found at https://wszystkoociasteczkach.pl.

Cookies can typically be removed from your browser via the ‘clear history’ option by ticking the cookies checkbox, or by disabling the ability to download cookies in your browser settings.

Your use of the Website constitutes consent to our use of cookies. A relevant notice is displayed automatically upon each user’s first visit to the Website.

Blocking or deleting cookies may cause difficulties in using the Website, and some of its features may become unavailable.

Data collected automatically via cookies will be used by us to analyse user behaviour on the Website, which allows us to tailor the website content and display content relating to the Company on other websites you visit.

12. Data security

We implement technical and organisational measures appropriate to the level of risk, including:

  • data transmission encryption (HTTPS/TLS),
  • access controls and need-to-know principles,
  • event logging,
  • staff training,
  • access rights reviews,
  • data backups,
  • testing and audits of selected providers.

We select data processors that ensure security in accordance with Art. 28 GDPR.

13. Data minimisation and adequacy

We only ask for data that is necessary for the given purpose (e.g. contact, registration, tailoring the franchise discussion). The ‘available funds’ range is indicative and serves to match the appropriate stage of the conversation.

14. Changes to this policy

This policy may be updated, for example, in the event of changes to applicable law, tools, or processes. We will notify you of any material changes on the website (the date and version number are indicated in the header).

15. Contact

For matters relating to personal data, please contact us:

XF Franchise sp. z o.o., Al. Jana Pawła II 29, 33-100 Tarnów

or contact the Data Protection Officer at: iod@xtremefitness.pl.