PRIVACY POLICY

What are personal data, what does it mean to process the data and who is the Administrator of the data?

‘Personal data’ means any information relating to an identified or identifiable natural person. ‘Processing’ means any operation which is performed on personal data, whether or not by automated means, e.g. collection, storage, recording, organisation, alteration, consultation, use, sharing, restriction, erasure or destruction.

Personal data is collected by AI Factory sp .z o.o. with headquarters in Gdynia, Poland and processed for various purposes. Depending on the purpose, there may be differences in methods of collection, legal bases for processing, use, disclosure as well as retention periods.

The personal data administrator is AI Factory Sp. z o.o., a limited liability company headquartered at Plac Kaszubski 8 Street, Gdynia, Poland with the tax identification number (NIP) 5862322419 and REGON number 368239925. The Administrator is entered in the Register of Entrepreneurs of the National Court Register, maintained by the District Court of Gdańsk, VI Commercial Division, under KRS number 0000694591 (hereinafter: Administrator).

Contact details of the Administrator: AI Factory Sp. z o.o. headquarters, Plac Kaszubski 8 Street, Gdynia, Poland; tel. +48508206348; email: kontakt@ai-factory.pl.

When does the Privacy Policy apply?

It applies when the Administrator processes personal data irrespective of whether they were obtained directly from the data subject or obtained from other sources.

When collecting and using personal data, the Administrator wishes to maintain transparency regarding the basis and method of processing personal data.

The Administrator treats seriously the security of all held data. This is demonstrated through, among others, the implementation of relevant policies and procedures, training, and regular audits of the measures put in place and their adequacy to maintain the security of all held data.

What types of personal data are processed by the Administrator and on what legal basis?

Individuals visiting a website or using services provided by the Administrator are in control of the personal data they provide to the Administrator. The Administrator limits the collection and use of information about their users to the minimum necessary in order to provide their services at the desired level.

Types of information collected:

  1. For information received by the Administrator from natural persons visiting the website and using Facebook messenger, or using services provided by the Administrator, including persons creating an account or ordering a newsletter: the Administrator receives and stores all information provided by visitors to the website or using the services provided by the Administrator. The person may opt out of providing certain information, however, this may result in them not having access to many of the services offered by the Administrator.
  2. This information is obtained as follows:
    1. during contact with the Administrator by telephone, email or other channels, including in person;
    2. when filling out registration forms, applications or contact forms.

    The visitor may send an email to the Administrator via the website. These types of messages contain an email address and additional information the person sending the message chooses to include in its content.

    In the cases of the Administrator processing personal data in order to provide services within the scope of the Administrator’s business, the Administrator asks persons using the services to provide personal data only as is absolutely necessary. In this regard, the Administrator receives, specifically and depending on need, the following personal data: first name, surname, email address and telephone number. This data is provided by the user during the creation of their account.

  3. For information, received by the Administrator from persons making contact to obtain information about offerings, or share comments about the products and services of the Administrator, as well as those persons making contact to conclude a contract with the Administrator: the Administrator receives and stores all information provided by persons who contact the Administrator to obtain information about offerings, or share comments about the products and services of the Administrator, as well as those persons making contact to conclude a contract with the Administrator.

    This information is obtained during contact with the Administrator by telephone, email or other channels, including in person.

    From persons who contact the Administrator to obtain information about offerings, or share comments about the products and services of the Administrator, as well as those persons making contact to conclude a contract with the Administrator, the Administrator receives the following personal data: first name, surname, email address and other information the person chooses to provide.

    In cases where the Administrator intends to enter into a contract, the Administrator asks persons contacting the Administrator for this purpose to provide personal data only as is absolutely necessary. In this regard, the Administrator receives, specifically and depending on need, the following personal data: first name, surname, parents’ names, PESEL number, date and place of birth, residential address, registered address, series and number of national identity card, email address and telephone number.

  4. For information received automatically: the Administrator automatically receives and stores certain types of information when persons use the services offered by the Administrator.

    The Administrator uses “cookies” and collects specific types of information while using a web browser or device to access services offered by the Administrator.

    Information about some of the behaviours of users is logged in the server layer. The Administrator only uses these data to administer the website and ensure the most efficient use of hosting services.

    Examples of information gathered and analysed by the Administrator include:

    1. the internet protocol (IP) address used to connect a computer or other device to the Internet;
    2. information about the computer, device and connection; such as the application on the device, type and version of the browser, types and versions of browser plug-ins, operating system or time zone settings;
    3. location of the computer or device;
    4. history of using the content;
    5. a full list of Uniform Resource Locators (URLs) used during a session, cookie file number, content viewed or searched, page response times, download errors, information about interactions on a page (scrolling, clicking, changing graphics after hovering the mouse cursor (mouse-over));

    The above data are not associated with any individual browsing the site.

    The above data are only used for the purpose of administering the website.

    Cookies

    Cookies are small text files which are stored on a user's computer or mobile device. These files service the purpose, among others, of supporting various functions on a given website or confirm that a particular user has viewed certain content on a website.

    Cookies usually contain the name of the website from which it comes, its time of expiry, a unique number generated to identify the browser connected to the website and other required data.

    The Administrator uses cookies for the following purposes:

    1. to ensure the website functions responsively and is easy to use;
    2. matching the content and advertisements on the website to the expectations and interests of the users;
    3. collecting statistical data that allows the Administrator to understand how their website is used so they may improve its structure and content.

    The entity that places cookies on the end device of persons using the website, and who has access to them, is the Administrator.

    Two basic types of cookies can be used on the website:

    1. session cookies - temporary files that remain on the user’s device only as long as they are using the website. They are removed when the user logs out, leaves the website, or terminates the software accessing the website (web browser);
    2. persistent cookies - remain on the user’s device until their defined expiry time or until the user deletes them.

    Cookies placed on the user’s end device may also be used by advertisers and partners cooperating with the Administrator.

    Cookies may be used by advertising networks, specifically the Google network, to display advertisements tailored to the way a user utilises the website. Information about a user’s navigation path or time staying on a particular page may be recorded for this purpose.

    The user preference information collected by the Google advertising network from cookies can be viewed and edited using the tool: https://www.google.com/ads/preferences/. https://www.google.com/ads/preferences/.

    The user can manage cookies by changing the settings of their web browser. The Administrator states that if cookies are disabled, some features offered by the Administrator may not work properly, and in some cases may not work at all.

Automatic processing of personal data

The Administrator does not perform automated processing on personal data, including in the form of profiling.

Legal bases for processing

In the case of personal data processing related to users utilising the services offered by the Administrator, there are a number of legal bases.

Personal data received from natural persons visiting the website and using Facebook messenger are processed on the following legal bases:

  1. article 6, paragraph 1(a) of the General Data Protection Regulation (hereinafter: “GDPR”), i.e. the consent of a person visiting the website to the processing of his or her personal data when using Facebook messenger, or using services provided by the Administrator;
  2. article 6, paragraph 1(b) of the GDPR, i.e. processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. article 6, paragraph 1(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Administrator (e.g. direct marketing of the Administrator’s products and services, securing documentation for the purpose of pursuing claims).

Processing of the personal data of natural persons using the services of the Administrator is based on the following legal bases:

  1. article 6, paragraph 1(a) of the GDPR, i.e. the consent of a person visiting the website to the processing of his or her personal data;
  2. article 6, paragraph 1(b) of the GDPR, i.e. processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. article 6, paragraph 1(c) of the GDPR, i.e. processing is necessary for compliance with a legal obligation to which the Administrator is subject (e.g. tax law or accounting regulations);
  4. article 6, paragraph 1(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Administrator (e.g. direct marketing of the Administrator’s products and services, securing documentation for the purpose of pursuing claims).

For personal data, received by the Administrator from natural persons making contact to obtain information about offerings, or share comments about the products and services of the Administrator, as well as those persons making contact to conclude a contract with the Administrator, the Administrator processes the data on the following legal bases:

  1. article 6, paragraph 1(a) of the GDPR, i.e. the consent of a person visiting the website to the processing of his or her personal data;
  2. article 6, paragraph 1(b) of the GDPR, i.e. processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. article 6, paragraph 1(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Administrator (e.g. direct marketing of the Administrator’s products and services, securing documentation for the purpose of pursuing claims).

For what purposes are data processed?

Personal data received from natural persons visiting the website and using Facebook messenger are processed for the following purposes:

  1. taking necessary actions before concluding a contract (e.g. accepting orders, order and application processing);
  2. investigating complaints;
  3. arising from legitimate interests pursued by the Administrator (e.g. direct marketing of its own products, securing and pursuing its own claims, and securing and protecting against claims by users and third parties);
  4. marketing, not as a result of legally justified interests carried our by the Administrator (e.g. marketing of products and services of third parties, own marketing that is not direct marketing);
  5. monitoring and enforcing compliance with the website’s terms of use;
  6. managing and administering the website;
  7. aggregating data for analysis and improvement of the website.

Personal data of natural persons using the services of the Administrator are processed for the following purposes:

  1. relating to the signing of a binding contract between parties, the performance of the contract, as well as fulfilling the rights and obligations associated with the contract;
  2. monitoring the correctness of contract performance;
  3. fulfilling the Administrators legal obligations (e.g. tax obligations);
  4. as a result of legally justified interests carried out by the Administrator (e.g. securing and pursuing its own claims, securing and protecting against claims by users and third parties, protecting the Administrator’s property, and for the purpose of terminating the contract);
  5. managing and maintaining relationships;
  6. administration, management and development of activities and services;
  7. analysis regarding, for example, market trends or sales opportunities.

Personal data, received by the Administrator from natural persons making contact to obtain information about offerings, or share comments about the products and services of the Administrator, as well as those persons making contact to conclude a contract with the Administrator, are processed for the following purposes:

  1. replying to messages and proper handling of cases;
  2. relating to the signing of a binding contract between parties;
  3. resulting from legally justified interests carried out by the Administrator (e.g. direct marketing of own products and services);
  4. managing and maintaining relationships;
  5. administration, management and development of activities and services;
  6. analysis regarding, for example, market trends or sales opportunities.

How long does the Administrator process personal data?

The period during which the Administrator may process personal data depends on the legal basis that applies as follows:

  1. in the case of personal data collected on the basis of consent (legal basis: article 6, paragraph 1 (a or f) of the GDPR): from the moment of consenting to processing personal data (which may occur during performance of the contract) to implementation of an application for withdrawal of consent, in the case of withdrawal, or until a notice of objection;
  2. in the case of collecting personal data for the purposes of concluding or performing a contract (legal basis: article 6, paragraph 1 (b) of the GDPR): from the time of data collection before concluding the contract, or from the time of data collection during conclusion of the contract, or from the time of data collection during the term of the contract (in the event of data being supplemented or updated during the term of the contract) until the contract is terminated, or the contract is performed after its termination (e.g. the processing of complaints);
  3. in the case of collecting personal data in order to fulfil legal obligations or in connection with the performance of tasks in the public interest (legal basis: article 6, paragraph 1 (c) of the GDPR) for the period of fulfilling obligations and performing tasks resulting from respective legal provisions;
  4. in the case of processing personal data for the legitimate interests of the Administrator (legal basis: article 6, paragraph 1 (f) of the GDPR) data will be stored no longer than the period necessary for the Administrator to pursue claims in connection with their business, or defend against claims directed at the Administrator, on the basis of generally applicable laws including claim limitation periods, or for a period of no longer than 10 years from the date of obtaining personal data for the purposes of direct marketing of own products and services, or until a substantiated objection to processing personal data for direct marketing has been lodged;
  5. in addition to the above cases, personal data may be stored during a period of restricted processing requested by the data subject or supervisory body - as provided for in article 18 and article 58 of the GDPR.

Does the Administrator transfer personal data to third countries? When and how does the Administrator provide personal data to third parties?

The Administrator does not transfer personal data to third countries (outside the European Union) or international organisations. In the event such an intention arises, the Administrator will make all efforts to transfer the data to a third party or international organisation the European Commission (in accordance with the GDPR) has decided ensures an adequate level of protection. In other cases, the transfer may only occur if the Administrator has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects apply as referred to in the GDPR, as well as the means by which the data subject can obtain a copy of their personal data, or where it has been made available to them.

The Administrator transfers personal data to other third-party entities only where it is permitted by law. In such cases, a personal data entrustment agreement is made with the entity. The Administrator ensures the agreement contains provisions and security mechanisms to protect data and maintain the Administrator’s standards for data protection, confidentiality and security. The Administrator has control over how and to what extent the entrusted entity processes identified personal data. In relation to the above, the Administrator states that recipients of personal data processed by the Administrator may be as follows:

  1. people authorised and employed by the Administrator;
  2. entities processing data instructed by and on behalf of the Administrator as well as authorised persons employed by these entities (e.g. debt collection and the pursuit of claims using third party services);
  3. entities conducting payment activities and intermediary payment activities (e.g. banks and payment institutions);
  4. entities operating post or courier services;
  5. third parties - in cases of the Administrator using their entitled rights (e.g. in the event of selling debt, together with the transfer of personal data related to the debt);
  6. public authorities that may receive data in cases other than those within the specific proceedings conducted in accordance with European Union and Polish law.

What are the rights of data subjects and how are implemented?

Data subjects have the following rights:

  1. the right to obtain from the Administrator confirmation as to whether or not personal data concerning him or her are being stored, and where that is the case, what information is stored and for what purpose;
  2. the right to request from the Administrator access to and rectification or erasure of personal data or restriction of processing concerning the Participant or to object to processing as well as the right to data portability. Implementation of the rights mentioned in this paragraph takes place in accordance with the provisions of the GDPR - based on the definitions and mechanisms described in that regulation;
  3. the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  4. the right to lodge a complaint to the supervisory authority under the terms of the GDPR, specifically article 77 of the regulation. In Poland, the supervisory authority from the 25th of May 2018 is the President of the Office for Personal Data Protection;
  5. the right to object to automated processing, including profiling, if any;

The Administrator is responsible for implementing these rights in accordance with applicable law. In the case of any questions or requests regarding the scope or implementation of these rights, as well as to exercise any of the rights related to their personal data, the Administrator asks that contact be made by sending an email to the address kontakt@ai-factory.pl

Data subjects have the right to restrict the processing or object to the processing of their personal data at any time, due to their particular situation, unless processing is required by law.

A data subject may object to the processing of their personal data in the following cases:

  1. justified on grounds relating to his or her particular situation in the processing of personal data concerning him or her which is based on Article 6, paragraph 1 (e or f) of the GDPR, including profiling based on those provisions;
  2. dane osobowe są przetwarzane na potrzeby marketingu, w tym profilowania, w zakresie, w jakim przetwarzanie jest związane z takim marketingiem bezpośrednim.

A data subject may obtain from the Administrator restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the Administrator no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. the data subject has objected to processing pursuant to Article 21, paragraph 1 of the GDPR, pending the verification whether the legitimate grounds of the Administrator override those of the data subject.

The right to erasure of personal data (“right to be forgotten”) applies, for example, when the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Administrator, or when the data subject withdraws their consent to data processing by the Administrator, or when the personal data have been unlawfully processed. Additionally, if a data subject objects to the processing of their personal data, or if their data will be processed unlawfully the right to erasure applies. Personal data should also be erased to comply with any legal obligations to which the Administrator is subject.

The right to data portability applies when the processing of a data subject’s personal data takes place on the basis of consent or on a contract concluded with them, and when such processing is carried out automatically.

Questions, concerns and complaints

In the case of any questions, concerns or complaints regarding the content of this Privacy Policy or the way in which the Administrator processes personal data, please send an email with detailed information to kontakt@ai-factory.pl

The Administrator will consider any complaints received and respond to them.

Persons whose personal data are processed by the Administrator may also file a complaint to the supervisory body, which is the President of the Office for Personal Data Protection (address: 2 Stawki street, 00-193, Warsaw, Poland).

The Administrator may also be contacted directly at the Administrator’s office, by letter through the postal service, or by telephone.

The Administrator undertakes to review this Privacy Policy regularly. The Administrator will update it when necessary or desirable due to new legal regulations, new guidelines from supervisory bodies or new best practices applied in the area of personal data protection. The Administrator also reserves the right to change this Privacy Policy in the following cases: a change in technology through which personal data is processed (if the change affects the content of this document) or in the event of changes in the methods, purposes or legal grounds for processing personal data.

AI FACTORY SP. Z O.O.
PLAC KASZUBSKI 8/311
81-350 GDYNIA
NIP: 5862322419
TEL: +48 508 206 348