TABLE OF CONTENTS:
1. GENERAL PROVISIONS
2. GROUNDS OF DATA PROCESSING
3. PURPOSE, GROUNDS AND PERIOS OF DATA PROCESSING ON WEBSITE
4. RECEIVERS OF DATA ON WEBSITE
5. PROFILING ON WEBSITE
6. RIGHTS OF THE PERSON TO WHOM DATA PERTAIN
7. COOKIES ON THE WEBSITE AND ANALYTICS
8. FINAL PROVISIONS
PRIVACY POLICY OF QRMAINT WEBSITE
1) GENERAL PROVISIONS
1. This privacy policy of the Website is informational in nature, meaning that it is not a source of obligations for Service Receivers of the Website. The Privacy Policy contains, above all, principles concerning processing of personal data by the Administrator on the Website (and, accordingly, in the Mobile Application) as well as in the QRmaint System, including the grounds, purposes and period of processing personal data as well as the rights of persons to whom data pertain, as well as information concerning the use on the Website of cookies files and analytical tools.
2. The administrator of personal data gathered through the Website is QRMAINT SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (LLC) with registered seat in Kraków (address of registered seat and address for correspondence: os. Oświecenia 55/92, 31-636 Kraków); registered in the Business Register of the National Court Registry under number KRS 0000794833; court of registration where the company’s documentation is kept: District Court for Kraków – Śródmieście in Kraków, 11th Commercial Department of the National Court Register; initial capital in the amount of: PLN 5,000.00; NIP (Taxpayer ID No.) 6783180641, REGON 383934585, e-mail address: kontakt@qrmaint.pl and contact telephone number: (+48) 12 39 50 216 – hereinafter referred to as the “Administrator” and simultaneously being the Service Provider.
3. Personal data in the Website are processed by the Administrator in accordance with binding laws, in particular, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR” or “GDPR Regulation”. Official text of the GDPR Regulation:
http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
4. Use of the Website, including concluding of contracts, is voluntary. Similarly, the provision of personal data by the Service Recipient using the Website associated with this is voluntary, with the reservation of two exceptions: (1) concluding of contracts with the Administrator – refusal to provide, in the cases and within the scope indicated on the Website and in the Terms and Conditions of the Website and in this privacy policy, of personal data indispensable for concluding and performance of a contract with the Administrator results in the lack of a possibility to conclude this contract. Provision of personal data in such a case is a contractual requirements, and if the person to whom data pertain wishes to conclude a given contract with the Administrator, this person is obliged to provide the required data. In every instance, the scope of data required for concluding of a contract is specified, in advance, on the Website and in the Terms and Conditions of the Website; (2) Administrator’s statutory obligations – provision of personal data is a statutory requirement arising from generally binding laws imposing on the Administrator the obligation to process personal data (e.g. data processing for the purpose of keeping tax or accounting ledgers), and failure to provide these data will make it impossible for the Administrator to fulfill these obligations.
5. The Administrator makes special efforts to protect the interest of persons to whom the personal data processed by the Administrator pertain, and in particular, is responsible and ensures that the data gathered by it are: (1) processed according to the law; (2) gathered for defined, legally compliant purposes and are not subject to further processing that is not compliant with such purposes; (3) substantively correct and adequate to the purposes for which they are processed; (4) stored in a form enabling identification of the persons to whom they pertain, no longer than necessary for achieving the purpose of processing and (5) processed in a manner ensuring the appropriate security of personal data, including protection against prohibited or legally non-compliant processing as well as against accidental loss, destruction or damage, by means of the appropriate technical or organizational measures.
6. Considering the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons with a varying probability and gravity of risk, the Administrator implements the appropriate technical and organizational measures so that processing is done in accordance with GDPR and can be demonstrated as compliant with GDPR. These measures are reviewed and updated as necessary. The Administrator applies technical measures preventing acquisition and modification by unauthorized entities of personal data sent by electronic means.
7. Any words, expressions and acronyms in this privacy policy starting with a capital letter (e.g. Service Provider, Website, Electronic Service, QRmaint System) should be understood according to their definitions given in the Website Terms and Conditions, available on pages of the Website.
2) GROUNDS OF DATA PROCESSING
1. The Administrator is authorized to process personal data in cases where – and within the scope in which – at least one of the following conditions is met: (1) the person to whom data pertain has expressed consent to the processing of their personal data for one or more defined purposes; (2) processing is indispensable for performance of a contract to which the person to whom data pertain is a party, or for taking actions at the request of the person to whom data pertain, prior to concluding of a contract; (3) processing is indispensable for fulfillment of a legal obligation with which the Administrator has been charged; or (4) processing is indispensable for purposes arising from legally justified interests realized by the Administrator or by a third party, with the exception of situations in which the interests or basic rights and freedoms of the person to whom data pertain, requiring protection of personal data, override such interests, particularly if the person to whom data pertain is a legal minor.
2. Processing of personal data by the Administrator requires, in every instance, the existence of at least one of the grounds indicated in subsection 2.1 of the privacy policy. Specific grounds for processing of the personal data of Service Recipients of the Website by the Administrator are indicated in the next section of the privacy policy – in reference to the given purpose of personal data processing by the Administrator.
3) PURPOSE, GROUNDS AND PERIOS OF DATA PROCESSING ON WEBSITE
1. In every instance, the purpose, grounds and period as well as receivers of personal data processed by the Administrator arise from actions taken by a given Service Recipient on the Website.
2. The Administrator may process personal data on the Website for the following purposes, on the following grounds and for the following period:
Purpose of data processing | Legal grounds of data processing | Period of data storage |
---|---|---|
Performance of a contract for rendering of an Electronic Service, contract for use of the QRmaint System, other contract or taking of actions at the request of the person to whom data pertain, prior to concluding of the aforementioned contracts Direct marketing | Article 6 par. 1 letter b of GDPR (performance of contract) – processing is indispensable for performance of a contract to which the person to whom data pertain is a party, or to take actions at the request of the person to whom data pertain prior to concluding of a contract Article 6 par. 1 letter f) of GDPR (legally justified interest of the administrator) – processing is indispensable for purposes arising from legally justified interests of the Administrator – involving care for the interests and good image of the Administrator, its Website, Mobile Application and QRmaint System as well as for the pursuit of extending the range of rendered services | Data are stored for the period required for performance, termination or expiration by other means of a concluded contract.
Data are stored for the period of existence of a legally justified interest realized by the Administrator, but for no longer than the period until lapse of the Administrator’s claims with respect to the person to whom data pertain, on account of the commercial activity conducted by the Administrator. The period until lapse is defined by legal regulations, particularly by the Civil Code (the base period until lapse for claims related to conduct of commercial activity is three years). The Administrator may not process data for direct marketing purposes in the case where an effective objection is expressed in this regard by the person to whom data pertain. |
Use of the Website or Mobile Application and ensuring their proper functioning | Article 6 par. 1 letter f) of GDPR (legally justified interest of the administrator) – processing is indispensable for purposes arising from legally justified interests of the Administrator – involving management and maintenance of the Website, Mobile Application and QRmaint System | Data are stored for the period of existence of a legally justified interest realized by the Administrator, but for no longer than the period until lapse of the Administrator’s claims with respect to the person to whom data pertain, on account of the commercial activity conducted by the Administrator. The period until lapse is defined by legal regulations, particularly by the Civil Code (the base period until lapse for claims related to conduct of commercial activity is three years). |
Statistics and analysis of traffic on the Website or Mobile Application | Article 6 par. 1 letter f) of GDPR (legally justified interest of the administrator) – processing is indispensable for purposes arising from legally justified interests of the Administrator – involving keeping of statistics and analysis of traffic on the Website for the purpose of improving the functioning of the Website | Data are stored for the period of existence of a legally justified interest realized by the Administrator, but for no longer than the period until lapse of the Administrator’s claims with respect to the person to whom data pertain, on account of the commercial activity conducted by the Administrator. The period until lapse is defined by legal regulations. |
Mobile Application and QRmaint System and acquiring new Service Recipients | Particularly by the Civil Code (the base period until lapse for claims related to conduct of commercial activity is three years). |
4) RECEIVERS OF DATA ON WEBSITE
1. For proper functioning of the Website, including for proper rendering of Electronic Services by the Administrator, it is necessary for the Administrator to use the services of external entities (such as, e.g. entities handling payments). The Administrator uses solely services of such processing entities that provide sufficient guarantees of implementation of the appropriate technical and organizational measures so that processing fulfills the requirements of GDPR and protects the rights of the persons to whom data pertain.
2. Personal data may be transferred by the Administrator to a third country, where the Administrator assures that, in such a case, such transfer will be done to a country ensuring the appropriate level of protection – compliant with GDPR, and the person to whom data pertain has the ability to receive a copy of their data. The Administrator transfers gathered personal data solely in the case and within the scope indispensable for realizing a given purpose of data processing in compliance with this privacy policy.
3. Transfer of data by the Administrator does not occur in every case and not to every receiver or receiver category indicated in the privacy policy – the Administrator transfers data only when this is indispensable for realization of a given purpose of personal data processing and only within the scope indispensable for its realization.
4. Personal data of Service Recipients may be transferred to the following receivers or receiver categories:
a. entities handling electronic payments or card payments – in the case of a Service Recipient who uses the method of electronic payments or card payments, the Administrator makes gathered personal data of the Service Recipient available to a selected entity supporting the aforementioned payments at the Administrator’s order within the scope indispensable for handling payments realized by the Service Recipient.
b. suppliers of services providing the Administrator with technical, informatic and organizational solutions enabling the Administrator to conduct commercial activity, including the Website, Mobile Application and Electronic Services rendered by their means (in particular, suppliers of computer software for management of the QRmaint System, providers of electronic mail and hosting, as well as suppliers of software for management of the company and provision of technical assistance to the Administrator) – the Administrator makes available gathered personal data of the Service Recipient to a selected supplier acting on the Administrator’s order only in the case and within the scope indispensable for realization of a given purpose of data processing in compliance with this privacy policy.
c. providers of accounting, legal and consulting services providing the Administrator with accounting, legal or consulting support (particularly accounting office, legal firm or debt collection firms) – the Administator makes gathered personal data of the Service Recipient available to a selected supplier acting on the Administrator’s order only in the case and within the scope indispensable for realization of a given purpose of data processing in compliance with this privacy policy.
d. suppliers of social media plug-ins, scripts and tools enabling integration of the Website and Electronic Services rendered by means of the Website with electronic services of external social media platforms, including:
• Facebook Ireland Ltd. – the Administrator uses social media plug-ins of Facebook (e.g. “Like” or “Share” button) and in relation to this, gathers and makes available the personal data of the Service Recipient using the page of the Website to Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland) within the scope and according to the privacy principles available here: https://www.facebook.com/about/privacy/ (these data include information on actions on the page of the Website – including information about the device, pages visited, purchases, displayed advertisements and method of using services – regardless of whether the Service Recipient has an account on Facebook or is logged into Facebook).
5) PROFILING ON WEBSITE
1. The GDPR Regulation imposes upon the Administrator the obligation to give notice of automated decision-making, including profiling, as mentioned in art. 22 par. 1 and 4 of GDPR, and – at least in those cases – of significant information concerning the rules of making such decisions, as well as of the significance and predicted consequences of such processing for the person to whom data pertain. Considering the above, in this section of the privacy policy, the Administrator provides information concerning potential profiling.
2. The Administrator may use profiling for direct marketing purposes, but decisions made on the basis of such profiling by the Administrator do not concern concluding or refusal to conclude a contract or the capability of using Electronic Services on the Website. The effect of the application of profiling on the Website may be, e.g. granting a discount to a given person, reminder of unfinished actions on the Website, sending of proposals of services that may correspond to the interests or preferences of a given person or proposal of better terms in comparison to the Website’s standard offer. Despite profiling, a given person makes decisions freely with respect to whether they wish to take advantage of a discount received in this manner or better terms, and whether to make a purchase on the Website.
3. Profiling on the Website is based on automatic analysis or forecasting of a given person’s behavior on a page of the Website, or analysis of the history of actions taken on the Website. The condition for such profiling is possession by the Administrator of the personal data of the given person, in order to be able to then send that person, e.g. a discount.
4. The person to whom data pertain has the right to not be subject to a decision based solely on automated processing, including profiling, and gives rise with respect to this person of legal consequences or significantly impacts this person in a similar manner.
6) RIGHTS OF THE PERSON TO WHOM DATA PERTAIN
1. Right to access, rectify, restrict, delete or transfer – the person to whom data pertain has the right to demand from the Administrator access to their personal data, rectification, deletion (“right to be forgotten”) or restriction of processing of their personal data, and has the right to raise an objection against processing, as well as the right to transfer their data. Detailed conditions of exercising the rights indicated above are defined in art. 15-21 of GDPR.
2. Right to revoke consent at any time – a person whose data are processed by the Administrator on the grounds of expressed consent (pursuant to art. 6 par. 1 letter a) or art. 9 par. 2 letter a) of GDPR) has the right to revoke consent at any time without influence on the legal compliance of processing performed on the grounds of consent prior to its revocation.
3. Right to file a complaint to the monitoring body – a person whose data are processed by the Administrator has the right to file a complaint to the monitoring body in the manner and mode defined in the provisions of GDPR and Polish law, particularly the Act on personal data protection. The monitoring body in Poland is the President of the Personal Data Protection Office.
4. Right to objection – the person to whom data pertain has the right to raise an objection at any time – for reasons related to such a person’s individual situation – against processing of their personal data on the grounds of art. 6 par. 1 letter e) (interest or public tasks) or f) (legally justified interest of the administrator), including profiling on the grounds of these provisions. In such a case, the Administrator will not longer be permitted to process these personal data, unless the Administrator demonstrates the existence of valid, legally justified grounds for processing, overriding the interests, rights and freedoms of the person to whom data pertain, or grounds for determination, pursuit of or defense against claims.
5. Right to objection against direct marketing – if personal data are processed for the purposes of direct marketing, the person to whom data pertain has the right, at any time, to raise an objection against processing with respect to their personal data for the purposes of such marketing, including profiling, within the scope in which processing is associated with such direct marketing.
6. For the purposes of exercising the rights stated in this section of the privacy policy, the Administrator can be contacted by sending the relevant message in writing or via electronic mail to the Administrator’s address indicated in the introduction of the privacy policy or using the contact form available on the Website.
7) COOKIES ON THE WEBSITE AND ANALYTICS
1. Cookie files are small text files sent by the server and saved on the device of the person visiting the Website (e.g. on the hard disk of a computer, laptop, or on the memory card of a smartphone – depending on which device is used by the visitor to our Website). Detailed information concerning cookies as well as the history of their creation can be found here, for example: http://pl.wikipedia.org/wiki/Ciasteczko.
2. The Administrator may process data contained in cookie files during use by visitors of the Website for the following purposes:
a. identification of Service Recipients as logged into the Website and displaying that they are logged in;
b. saving data from forms, surveys that have been filled out or login data for the Website;
c. adaptation of the Website’s content to the Service Recipient’s individual preferences (e.g. concerning colors, font size, page layout) and optimization of use of pages of the Website;
d. remarketing, i.e. study of behavioral features of visitors to the Website through anonymized analysis of their actions (e.g. repeating visits to specific pages, key words, etc.) for the purpose of forming their profile and providing them with advertisements adapted to their predicted interests, also when they visit other websites in the advertising network of Google Ireland Ltd. and Facebook Ireland Ltd. For remarketing purposes, the Administrator also uses services rendered by Criteo GmbH (Gewurzmuhlstr. 11, 80538 Munich, Germany) and Belboon GmbH (Weinmeisterstraße 12-14, 10178 Berlin, Germany);
e. keeping anonymous statistics presenting the method of use of a page on the Website.
3. By default, most internet browsers available on the market accept saving of cookies. Every user has the possibility of defining the conditions of using cookies by means of the settings of their own internet browser. This means that saving of cookies can be, e.g. partially (e.g. temporarily) or entirely disabled – in the latter case, however, this may affect certain functionalities of the Website.
4. Internet browser settings concerning cookies are significant from the perspective of consent to use of cookies by our Website – according to legal regulations, such consent may also be expressed through internet browser settings. In the absence of such consent, the internet browser’s settings with regard to cookies should also be changed accordingly.
5. Detailed information on the subject of changing settings concerning cookies and their independent deletion in the most popular internet browsers are available in the help section of the internet browser and on the pages below (just click on the given link): in Chrome browser, in Firefox browser, in Internet Explorer browser, in Opera browser, in Safari browser, in Microsoft Edge browser.
6. The Administrator may use, on the Website, services from Google Analytics, Universal Analytics, provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), as well as Hotjar services provided by Hotjar Limited (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta). These services help the Administrator to analyze traffic on the Website. Gathered data are processed within the framework of the aforementioned services for the purposes of generating statistics that are helpful for administration of the Website. These data are collective in nature. Using the above services on the Website, the Administrator gathers such data as the sources and medium of acquisition of visitors to the Website as well as their behavior on pages of the Website, information on the subject of devices and browsers used to visit pages, IP and domain, geographic data and demographic data (age, sex) and interests.
7. It is possible for a given person to easily block sharing with Google Analytics of information on their activity on a page of the Website – for this purpose, one can install a browser plug-in provided by Google Ireland Ltd., available here: https://tools.google.com/dlpage/gaoptout?hl=pl.
8. Detailed information on the functioning of Hotjar can be found at the following internet address: https://www.hotjar.com/tour.
8) FINAL PROVISIONS
The Website may contain links to other websites. After navigating to other websites, the Administrator recommends reading their respective privacy policies. This privacy policy pertains only to the Administrator’s website.