PRIVACY POLICY

We are a group of companies under the name LemonTree, which includes, among others, LemonTree S.A., LemonTree PM Sp. z o.o., LemonTree Seed Sp. z o.o., and LemonTree DM Sp. z o.o. We take the protection of your personal data seriously.

The following information, in accordance with Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR"), is addressed to individuals whose personal data is processed by our individual companies in connection with their business activities, i.e., as set out in point 2:

a) To individuals who contact us, including by email, phone, post, etc.,

b) To our current and potential business partners, contractors, and their representatives and contacts,

c) To entities that are the subject of our investment analyses, their representatives, and contacts.

If you are in one of these groups, we encourage you to read the following information.

1. DATA CONTROLLER

The Controller of your personal data, depending on which company is carrying out the operation, which company is a party to the contract, or which company you are contacting, is:

    • LemonTree S.A. with its registered office in Warsaw, ul. Towarowa 28, 00-839 Warsaw,
    • LemonTree PM Sp. z o.o. with its registered office in Warsaw, ul. Towarowa 28, 00-839 Warsaw,
    • LemonTree Seed Sp. z o.o. with its registered office in Warsaw, ul. Towarowa 28, 00-839 Warsaw,
    • LemonTree DM Sp. z o.o. with its registered office in Warsaw, ul. Towarowa 28, 00-839 Warsaw.

(Hereinafter referred to as the "Controller")

You can contact the Controller regarding personal data either in writing at the above address or electronically at: iod@lemontree.realestate.

 
2. PROCESSING OF PERSONAL DATA
 
a) Individuals contacting us: The purpose of processing personal data is to correspond and communicate with individuals contacting the Controller.

The legal basis for processing personal data is the legitimate interest of the Controller (Article 6(1)(f) GDPR), which consists of enabling communication with the contacting individual, establishing a relationship, providing necessary information, and handling certain matters.

Processed personal data includes: first name, last name, email address, phone number, correspondence address, and other information provided by the individual contacting the Controller. Providing personal data is voluntary, but failure to provide all relevant personal data may hinder or prevent the communication process.

Data retention period: As long as it is necessary to carry out the legitimate interest of the Controller or a third party (depending on the purpose of the contact).

b) Current and potential business partners, contractors, and their representatives and contacts: The purpose of processing personal data is to enter into and/or perform service contracts, and to maintain relationships with contractors, such as service providers, suppliers, and other partners of the Controller.

The legal basis for processing is:

I. Necessity for the performance of a contract (Article 6(1)(b) GDPR),

II. Necessity to comply with a legal obligation of the Controller (Article 6(1)(c) GDPR),

III. Necessity for the legitimate interests pursued by the Controller (Article 6(1)(f) GDPR), such as enabling communication with you, properly executing the contract and business objectives, verifying identity, determining or enforcing claims, and defending against such claims.

Processed personal data includes: first name, last name, email address, phone number, place of employment, position, business address, NIP, REGON, PESEL, bank account number, and potentially other necessary data. Providing personal data is necessary to maintain relationships or to conclude/perform a contract when a relationship already exists (or when the contract is concluded) with a natural person, or when it concerns persons formally representing a legal entity. In the case of individuals who are contact persons for a legal entity, providing their data is not mandatory but facilitates contact with the Controller.

Data retention period: The duration of the contract with the contractor and the period necessary to allow the parties to enforce claims arising from such a contract, but no shorter than the period required by law, or as long as necessary to carry out the legitimate interest of the Controller or a third party.

AML OBLIGATIONS OF LemonTree S.A.

As LemonTree S.A. is an obligated institution under the relevant anti-money laundering and terrorist financing regulations (the "AML regulations"), it may additionally process personal data to comply with the obligation to assess the risk of money laundering and terrorist financing related to its business activities, in order to apply financial security measures to its clients, i.e., conducting client identification and verification, identifying the beneficial owner, assessing and monitoring business relationships with the client, and making notifications and reports to the appropriate authorities.

The personal data that LemonTree S.A. may process in this regard includes: first name, last name, nationality, PESEL number or date of birth, series and number of identification document, address data, tax identification number (NIP), and, in the case of self-employed individuals, identification and address data related to the business. Additionally, LemonTree S.A. may make copies and process data contained in identity documents.

The legal basis for processing personal data in this context is Article 6(1)(c) GDPR – fulfillment of a legal obligation of the Controller under the AML regulations.

Personal data, document copies, and information obtained through financial security measures will be stored for 5 years after the termination of the business relationship with the contractor.

c) Entities related to our investment analyses: The purpose of processing personal data is to establish a relationship, contact, and possibly prepare and execute a contract with the subject of our investment analyses.

In this context, processing personal data of representatives, contact persons, or owners of entities we analyze is based on: necessity for the performance of a contract (Article 6(1)(b) GDPR), and necessity for the legitimate interests of the Controller (Article 6(1)(f) GDPR), such as enabling communication with you, properly executing the contract and business objectives, and verifying identity.

Processed personal data includes: first name, last name, email address, phone number, place of employment, position, business address, NIP, REGON, PESEL, bank account number, and potentially other necessary data.

Data retention period: Only as long as necessary for the analysis and possibly later for the duration of the contract with the contractor and the period necessary to allow the parties to enforce claims arising from such a contract, but no shorter than the period required by law or as long as necessary to carry out the legitimate interest of the Controller or a third party.


3. SHARING PERSONAL DATA

Data may be shared with entities and authorities authorized to process such data under the law (e.g., public authorities). Your personal data may also be transferred to technical and organizational service providers, such as managers, IT service providers, and advisory service providers, with these entities processing the data under an agreement with the Controller and according to its instructions.

4. TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

The Controller may process personal data in countries outside the European Union and the European Economic Area only when necessary and justified by the circumstances (e.g., providers of essential software). The transfer of data is based on appropriate security measures (e.g., standard contractual clauses), and we ensure that it will be legal and secure.

5. RIGHTS OF THE DATA SUBJECTS

In connection with the processing of personal data, individuals whose data is processed are entitled (under certain conditions) to:

a) Request access to their personal data from the Controller,
b) Request rectification of their personal data,
c) Request erasure of their personal data,
d) Request restriction of the processing of their personal data,
e) Object to the processing of their personal data,
f) Data portability,
g) Lodge a complaint with the supervisory authority (President of the Personal Data Protection Office).

You can submit your request to exercise these rights by contacting the Controller. 


6. SOURCE OF PERSONAL DATA

If we have obtained personal data from entities other than the individual concerned, it means that we have received it from other entities with which the Controller is affiliated, from its contractors (and/or their representatives), or from publicly available sources.

If you have any questions regarding the personal data processed by the Controller, please feel free to contact us as outlined in point 1.