Personal Data Controller
- The personal data controller (hereinafter called the Controller) is TISA LAB Sp. z o.o. with its seat in Wrocław at ul. Powstańców Śląskich 7a, 53-332 Wrocław, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Wrocław – Fabryczna in Wrocław, VI Commercial Division of the National Court Register as KRS number 0000746298, Taxpayer Identification Number (NIP): 5242871847, National Business Registry Number (REGON): 38111489500000, represented by Mateusz Piotr Lentowczyk – President of the Management Board.
- Our priority is to process your personal data in a safe and lawful manner. The Controller processes Users’ personal data in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data (hereinafter referred to as “GDPR”), the Act of 18.07.2002 on the provision of electronic services and other generally applicable provisions of law.
- In matters related to the User’s data, please contact the following e-mail address: firstname.lastname@example.org.
- We provide you with basic information about the processing, including the purposes for which your personal data is processed, at the time it is collected from you. Notwithstanding the above, below you will find information on the most common cases where we process your personal data.
The guarantee of the protection of privacy and confidentiality of the Website Users’ personal data
The Controller and its affiliated companies attach great importance to the protection of privacy and confidentiality of the Website Users’ personal data and, with due diligence, select and apply appropriate technical and organizational measures ensuring the protection and processing of personal data.
What are the purposes of processing your personal data?
| Name of the purpose | Description of the purpose | Legal basis for personal data processing |
| --- | --- | --- |
| Pre-contractual actions (including inquiries) | Taking, at your request, actions necessary before concluding an agreement concerning the Controller’s services; this applies in particular to presenting the Controller’s offer, conducting talks in order to conclude an agreement. | Personal data is necessary in order to take steps prior to entering into a contract (Art. 6 sec. 1 letter b) of the GDPR) |
| Conclusion and performance of a contract | Conclusion and performance of a contract for the services provided by the Controller (in particular a) managing our services, b) providing services via apptension.com, c) responding to your questions, d) fulfilling our obligations under the agreement binding us with you, e) providing you with customer support, f) communicating with you regarding technical notices, updates, security alarms, information about changes to our Terms and Conditions or Data Protection Policies). | Personal data is necessary for conclusion and performance of a contract (Art. 6 sec. 1 letter b) of the GDPR) |
| Inquiries, complaints, requests | Handling and responding to your inquiries, complaints or requests by the Controller. | Personal data is necessary for performance of a contract (Art. 6 sec. 1 letter b) of the GDPR) or fulfilment of the Controller’s legitimate interest consisting in the opportunity to consider and respond to your inquiry, complaint or request (Art. 6 sec. 1 letter f) of the GDPR) or fulfilment of a legal obligation related to the handling of your complaint (Art. 6 sec. 1 letter c) of the GDPR) |
| Legal obligations | Fulfilment of the Controller’s legal obligations pursuant to generally applicable laws, including in particular: | Personal data is necessary for fulfilment of a legal obligation of the Controller (Art. 6 sec. 1 letter c) of the GDPR) |
| The Controller’s claims | Establishment and exercise of legal claims by the Controller or defence against legal claims. | Personal data is necessary for fulfilment of the Controller’s legitimate interest consisting in the possibility to establish and exercise legal claims by the Controller or defend legal claims made against the Controller (Art. 6 sec. 1 letter f) of the GDPR) |
| Evaluation of satisfaction with the Controller’s products and services | Evaluation of satisfaction with our products and services and the quality of customer service and to help protect the security of our services. | Personal data is necessary for fulfilment of the Controller’s legitimate interest consisting in the possibility to evaluate satisfaction with the Controller’s products and services (Art. 6 sec. 1 letter f) of the GDPR) |
| Analysis (among others statistical and concerning relevant characteristics of recipients of our services and products) | Analysis conducted in order to better prepare our offer or information or to ensure a more effective reach to a selected group of recipients and in connection with affiliate marketing conducted by the Controller. | Personal data is necessary for fulfilment of the Controller’s legitimate interest consisting in the possibility to analyse relevant characteristics of recipients of the Controller’s services and products (Art. 6 sec. 1 letter f) of the GDPR) |
| Use of the website | Processing of personal data of users using the website (including their IP address or other identifiers collected through cookies or other similar technologies) for statistical purposes and/or for the provision of electronic services consisting in making available to users the content gathered on the website | Personal data is necessary for fulfilment of the Controller’s legitimate interest consisting in the possibility to examine users’ activity on the website in order to improve the functionalities used on the website (Art. 6 sec. 1 letter f) of the GDPR) and/or personal data is necessary for performance of a contract (Art. 6 sec. 1 letter b) of the GDPR) |
| Information about the Controller’s activities, marketing activities | Providing information about the Controller’s activities, marketing of the Controller’s services and products, and sometimes also the sponsors and partners of the Controller and entities associated with the Controller, including the provision of information and offers prepared especially for you on the basis of an analysis of your information (e.g. offers addressed solely to you in connection with your specific characteristics, e.g. place of residence, gender, age group, etc.). | Personal data is necessary for fulfilment of the Controller’s legitimate interest consisting in the possibility to provide information about the Controller’s activities and direct marketing (Art. 6 sec. 1 letter f) of the GDPR). To some extent, the processing of your personal data will be based on your consent (Art. 6 sec. 1 letter a) of the GDPR). |
| Social media | We also process personal data in connection with our social media activities. You can find more information in this respect on our pages on individual portals such as Facebook, Twitter or Instagram. | |
What information do we collect?
- Users’ personal data is processed on servers that ensure their security. We make every effort to ensure that the data is processed in accordance with the purpose and scope of using our services available through the Website, including subpages, applications and other functionalities made available, so as to make the use of the Website as safe and convenient for Users as possible.
- The website uses the Facebook Pixel, LinkedIn Insight Tag, Twitter Analytics, Hotjar, Google Ads and Google Analytics services that collect anonymous information about the website pages visited by its individual Users using cookies.
- Providing data is voluntary; however, failure to do so may prevent the use of the offer of the Controller or its affiliated companies.
- The data will be processed for purposes related to the use of services available through the Website.
- The user has the right to lodge a complaint with the supervisory body – the President of the Data Protection Office, if he considers that the processing of his personal data violates the provisions on the protection of personal data.
- Based on the provisions of the GDPR, the Controller and/or its affiliated companies are entitled to process the User’s personal data in the following circumstances:
  - The User agrees to the processing of the personal data;
  - The processing of the User’s personal data will be necessary to fulfil the legal obligation incumbent on the Controller;
  - When it is necessary for the purposes of the legitimate interests pursued by the Controller or by third parties.
- Period of personal data storage:
  - Cookies: depending on the nature of the data, but no longer than 2 years from the moment the User gives his consent,
  - Analytical data: in the case of consent until its withdrawal, restriction or other actions on your part limiting this consent,
  - Other data: in the case of necessary data for the performance of the contract, for the duration of its performance and until the expiry of the limitation of claims under this contract.
In order to pursue our legitimate interests, i.e. to establish and exercise our claims or to defend against claims – for the period of limitation of your claims against us or our claims against you under the law (e.g. the limitation period for business-related claims is 3 years, and the general limitation period for claims is 6 years; the above-mentioned periods of storage of personal data may change along with the amendment of generally applicable laws) or the statute of limitations of tax obligations related to business events (purchase of services or goods) to which you were a party and for the duration of court, arbitration, etc. proceedings related to such claims.
To pursue our legitimate interests, i.e. to answer your question, complaint, request or suggestion – for the period necessary to answer, not exceeding 30 days; however, we may extend this period by the statute of limitations for your or our claims under the law, if processing of this personal data is necessary to establish or exercise claims, as well as to defend against such claims.
For the purpose of fulfilling our obligations under the law (e.g. accounting or tax or product liability regulations) – for the period resulting from such regulations (e.g. for billing purposes your personal data will be stored for 5 years starting from the end of the calendar year in which the contractual tax payment deadline expired).
If you object at any time – for reasons related to your specific situation – to the processing of your personal data on the basis of our legitimate interest (based on Art. 6 sec. 1 letter f) of the GDPR), including profiling, we will cease processing your personal data, unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
- Users’ personal data may be shared with the following entities:
  - Employees and associates of the Controller who have been authorized for the processing of personal data;
  - Entities processing data on behalf of the Controller;
  - Public authorities to whom the data will be transferred due to the conducted proceedings and on the basis of applicable law, including courts, upon their legitimate request or for the purpose of defending or exercising legal claims, or if such obligation arises under the law.
- The Controller also informs that the user’s data may be transferred within the corporate group that includes TISA LAB Sp. z o.o. with its registered office in Wrocław, HERODOT Sp. z o.o. with its registered office in Wrocław and TISA AG Ltd. with its registered office in Switzerland on the basis of agreements on personal data processing. In these cases, the data are processed in accordance with the Decision of the Commission of the European Communities of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland (2000/518/EC).
For the avoidance of doubt, your personal data may be provided by us to service providers to the Controller, in particular, IT service providers (in particular Google – Google Analytics, Google Adwords remarketing service, Facebook – Facebook Pixel, Hotjar, Amazon Web Services), including the maintenance and operation of our website and providers of IT systems, entities providing accounting, legal, auditing, consulting, advisory, insurance, security and delivery services, destruction or archiving of documents, agencies providing marketing services to the Controller, as well as online payment processors, banks, business partners (e.g. subcontractors), technological partners (e.g. providers of IT services, marketing tools), logistics partners (e.g. courier companies) and organizational partners (e.g. consulting companies, accounting companies, accounting firms) of the Controller, as well as entities which process data on the basis of generally applicable law.
- Our website and services are not intended for children under 13 years of age, and no one under age 13 may provide any personal information to us or through the website or our services. We do not knowingly collect personal information from children under age 13. If you are under 13, do not use or provide any information on our website or on or through our services. If we learn that we have collected personal information from a child under age 13, we will delete it. If you believe we might have any personal information from or about a child under age 13, please contact us.
The Controller informs that it uses services offered by global service providers that are part of global organizations such as Notion Labs, Inc., Slack Technologies, Inc., Google LLC, Calamari sp. z o.o. sp. k., Dropbox, Inc., COING Inc. operating in the European Economic Area (“EEA”), which may transfer data to the United States. These companies offer cloud solutions to the Company and declare that they have implemented an adequate level of protection and appropriate safeguards under the GDPR. The processing of personal data also takes place on the basis of the European Commission’s standard contractual clauses, which are part of the agreements on data processing concluded between the Employer and the service providers. In relation to the above, the transfer of personal data to processors located outside the EEA takes place on the basis of one of the prerequisites set out in Article 49 of the GDPR, i.e. for the purpose of implementing the agreement concluded between the Contractor and the Principal, as well as contractual obligations arising from the agreement concluded by the controller in the interest of the persons whose data are processed in the aforementioned systems, including via email and using the IT solutions offered by the aforementioned providers. Due to the cancellation of the so-called Privacy Shield (“Privacy Shield”) on EU-US data flows and determining the adequate level of protection and due to the lack of adequate safeguards, the Employer informs that in the above cases it does not provide an adequate level of protection for personal data.
Taking the above into account, the level of personal data protection outside the EEA differs from that provided by Polish and European law. We therefore only transfer your personal data outside the EEA if necessary and with an adequate level of protection of your personal data. You have the right to obtain copies of standard contractual clauses or other appropriate safeguards for the transfer of personal data outside the EEA through the Controller.
External social networks links
On our website there are links to external social networks (LinkedIn, Clutch, Behance, Instagram, Facebook, Dribbble, Twitter). The functions assigned to each link, in particular the transfer of information and personal data, are only activated when you click on the link. In this case, the so-called plugins of the individual social networks are activated, your browser establishes a direct connection to the servers of the social network, and you are redirected to the website of the social network. The portal provider will receive information that you have visited our site before visiting the site of this portal (even if you are not registered or logged in to this portal). Such information (including your IP address) will be sent directly from your browser to the social networking servers (usually located in the United States) and stored there. If you are logged in, this portal will immediately associate your visit to the portal with your account on the portal. If you do not wish your personal data to be transferred to social networking providers, do not click on the links of these social networking sites. If you do not wish the provider to link your visit to this portal to your profile, make sure that you have logged out of the portal beforehand. More information about the processing of personal data by individual portals can be found on their websites.
What rights are the Users entitled to?
The user is authorized to:
1. Request to obtain a copy of personal data or to have it made available at the headquarters of HeroDOT (Article 15 GDPR);
You have the right to request access to your personal data, including in particular information on whether the Controller is processing your personal data and the scope of personal data held by the Controller, the purposes of the processing of personal data, the categories of recipients of your personal data, the planned period of storage of personal data, your rights concerning personal data, as well as information on the sources of obtaining your personal data by the Controller, if they were not collected from you. You also have the right to obtain a copy of your personal data, provided that obtaining the first copy of your personal data is free of charge, and obtaining any subsequent copy may involve payment of a reasonable fee taking into account the administrative costs of preparing such a copy of the personal data.
2. Request for rectification of personal data (Article 16 of the GDPR);
You have the right to request the immediate rectification of inaccurate personal data or, taking into account the purposes of the processing, supplementation of incomplete personal data.
3. Request to delete your personal data (Article 17 of the GDPR, the so-called “right to be forgotten”);
You have the right to request immediate erasure of your personal data if one of the following circumstances applies: a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b. you have raised an effective objection to processing; c. personal data were unlawfully processed; d. personal data must be erased in order to comply with a legal obligation; e. you have withdrawn your consent to the processing of personal data and your personal data has been processed on the basis of your consent and there is no other legal basis for processing it, f. personal data were collected in connection with the offer of information society services referred to in Art. 8 sec. 1 of the GDPR.
However, you will not be able to exercise your right to erase your personal data if, among other things, such personal data is necessary to establish or exercise claims or to defend against claims.
4. Request to limit the processing of your personal data (Article 18 of the GDPR);
You have the right to request restriction of the processing of your personal data, for example when:
- you question the accuracy of your personal data processed by us – in this case, you may request that the processing be restricted for a period of time to verify the accuracy of your personal data;
- in your opinion, the processing of your personal data by us is unlawful, but at the same time you object to the erasure of this personal data by requesting that its use be restricted instead;
- we no longer need your personal data for our purposes, but you need it to establish, exercise your claims or defend against claims;
- you have objected to our processing of your personal data due to your specific situation – in this case you may request that the processing be restricted until it is determined whether our legitimate interests in processing personal data take precedence over the grounds for your objection.
If the processing of your personal data is restricted, we will only be able to store it and, in addition, use it for the purpose of establishing, exercising or defending a claim, to protect the rights of another natural or legal person or for important public interest reasons of the European Union or a Member State. We will only be able to take other actions if you have given your consent.
5. Request to transfer your own personal data in a commonly used format to another Data Controller indicated by you (Article 20 of the GDPR);
You have the right to receive, in a structured, commonly used machine-readable format, the personal data that you have provided to the Controller and you have the right to transmit this personal data to another controller without hindrance from the Controller, if:
a. processing is carried out on the basis of your consent or on the basis of a contract with you, and at the same time
b. the processing is carried out by automated means.
In the situation indicated above, you also have the right to request that the personal data be transmitted by the Controller directly to another personal data controller, if technically possible.
6. Raising an objection to the processing of personal data (Article 21 of the GDPR);
You have the right to object at any time – for reasons connected with your specific situation – to the processing of your personal data if the legal basis for the processing is the legitimate interest of the Controller. In this case, you should indicate the specific situation that you believe justifies our discontinuation of the processing of your personal data you have objected to. As a result of an objection, the Controller will cease processing your personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. If personal data is processed for the purposes of direct marketing, you may at any time object to such processing, including profiling, without having to demonstrate reasons related to your specific situation, and the Controller is required to immediately cease such processing.
7. Withdrawal of consent to the processing of personal data, provided that the processing takes place on the basis of a prior consent (Article 7.3 of the GDPR).
Whenever the processing of personal data is based on the User’s consent the User has the right to withdraw consent to the processing of data provided by the User at any time. The Controller, in the event of becoming aware of the withdrawal of consent, will immediately take steps to delete the stored data. Withdrawal of consent does not affect the lawfulness of the processing of personal data which was carried out on the basis of consent before its withdrawal.
To exercise these rights or to obtain additional information in this regard, we encourage you to contact us, in particular by e-mail: email@example.com.
If you request us to exercise your rights, in case of reasonable doubt about your identity, we may request additional information necessary to confirm your identity. We will respond to requests without undue delay, possibly within one month of receiving the request. If we demonstrate that your requests are manifestly unjustified or excessive, in particular due to their continuing nature, we may:
a. charge a reasonable fee, taking into account the administrative costs of providing information, communicating or taking the requested action; or
b. refuse to act on the request.
8. The right to lodge a complaint with a supervisory authority (Article 77 of the GDPR).
You have the right to lodge a complaint with the competent supervisory authority – in Poland, with the President of the Personal Data Protection Office, if you believe that the processing of personal data concerning you is in breach of the provisions of the GDPR.
Profiling, targeting and cookies policy
Data on website traffic is used for profiling and targeting advertisements on external websites – Facebook, Google, Instagram, LinkedIn, Clutch, Behance, Dribbble, Twitter. They are based on non-specific criteria that make it impossible to identify a single user.
The website automatically collects data in cookie files:
- Cookies should be understood as IT data, in particular text files, stored in Users’ end devices intended for the use of websites;
- Cookies are used by the Controller only to operate the Website, including to recognize the User’s device and display the Website pages in a manner tailored to his individual needs, as well as to create anonymous Website statistics and improve the efficiency and effect of using the Website;
- Cookies are not used to obtain any personal data of Users;
- The user may consent to the storage of cookies by selecting consent.
Controlling and deleting cookies
The user can change the way cookies are used at any time. Most browsers offer the option of accepting or rejecting all cookies, only accepting certain types, or informing the user each time a website tries to save them. The user can also easily delete cookies that have already been stored on the device by the browser. The options for managing and deleting cookies vary depending on the browser used. You can find all the necessary information by using the Help function in your browser or by visiting the website http://www.aboutcookies.org/, where it is explained how to control and delete cookies in the most popular browsers. Remember that blocking all cookies may cause difficulties in operation or completely prevent the use of some of the website’s functionalities.