Privacy notice of data controller regarding processing of customers’ personal data

1. Introduction

In the light of the principles of, and rules on the protection of natural persons with regard to the processing of their personal data, Smultron is acting as a Data Controller of your personal data. This means that all your personal data collected in connection with the entering into the contract or during its execution should be processed by us in a manner that ensures appropriate security of your personal data, in accordance with the provisions of the contract and in compliance with the applicable laws. In order to ensure a consistent and high standard of processing your personal data, we would like to provide you with the most important information regarding the processing of personal data collected as a result of the cooperation with Smultron sp. o.o. We confirm that we have taken every possible step to make sure that this privacy notice adheres to EU and local laws requirements in regards to protection of personal data, in particular to fully complies with the REGULATION (EU) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (further “General Data Protection Regulation” or “GDPR”).

2. What is included in the privacy notice?

This privacy notice sets out how we protect and use your personal data. Please read this document carefully

3. Who is a data controller for your personal data?

Smultron sp. z o.o., with registered office at 31-014 Krakow, ul. Sławkowska 12, registered in the Register of Entrepreneurs of the National Court Register run by the District Court in Krakow, XI Commercial Division of the National Court Register under No. KRS 0000004335, REGON (the National Official Register of the Economy Units): 360370011, NIP (Tax Identification Number): 6762482785, with share capital: PLN 50.000,00 (further ”Smultron” or “we”) is acting as a Data Controller.

4. What personal data is being collected on you by Smultron?

4.1. Smultron may collect various categories of Customers’ personal data, depending on the purposes of processing. 4.2. By concluding a contract with you, we require you to provide us with your personal details, such as name and surname (in the case of individuals) or the company details and place of residence or your company’s registered office location as well as the tax identification number. We may also collect personal data of the company’s representatives, who may take part in the negotiations phase and/ or participate in the conclusion and execution of the contract (name, email address or telephone number). Provision of such personal data is a contractual requirement necessary to perform contractual obligations, without which we cannot provide services to you (the contract will not be concluded). Sometimes we can also ask for optional data such as: mailing address (for deliveries), e-mail address and contact number. Provision of those kind of personal data is not mandatory however it will certainly facilitate cooperation and the implementation of the contract.

5. How your personal data is collected/gathered by Smultron?

5.1. Smultron collects certain information provided directly from you either during negotiations and entering into the contract as well as during the execution of it.

5.2. Smultron may also collect certain information indirectly, 3 in particular: • in the scope of personal data used in court proceedings, in dispute resolution and required by statutory and regulatory bodies; • from banks or other financial institutions (in connection with payments specified in contract) regarding account details which is a source of the payment.

6. For what purpose does Smultron use your personal information and what is the legal basis for do so?

6.1. In accordance with article 6 GDPR, Smultron only collects personal data when it has a clear legal basis to process that data. The conditions which justify the collection of your personal data are as follows:

• the processing is necessary for the performance of a contract or in order to take steps at the request of the prospective Customer (data subject) prior to entering into a contract (lawful basis: Contractual undertaking; Article 6 paragraph 1 point (b) of the GDPR)

• Smultron has a clear and foreseeable legitimate interests in the processing of your personal data connected with its business activities, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (individuals) which require protection of personal data (lawful basis: legitimate interests of Smultron acting as Data Controller; Article 6 paragraph 1 point (f) of the GDPR);

• the processing is necessary for compliance with a legal obligation to which Smultron acting as the Data Controller is subject (lawful basis: Legal requirements; Article 6 paragraph 1 point (c) of the GDPR); • the processing is necessary in order to protect your vital interests (Article 6 paragraph 1 point (d) of the GDPR);

• you have given us a specific and freely given consent to the processing of your personal data (lawful basis: Consent; Article 6 paragraph 1 point (a) of the GDPR); 4 6.2. Your personal data collected during the conclusion of the contract and during its term, Smultron uses for the following purposes:

a) the conclusion and execution of the contract – for the duration of the contract and after it completion (lawful basis: Contractual undertaking; Article 6 paragraph 1 point (b) of the GDPR)

b) where necessary, processing designed to enable Smultron to perform its legal obligations, such as issuing and storing invoices and accounting documents in so far as it is required by applicable laws – for the period in which we should perform legal obligations and for the retention period in which laws require us to store certain data, e.g. tax documentation (lawful basis: Legal requirements; Article 6 paragraph 1 point (c) of the GDPR) or for the period during which we may face the legal consequences of non-performance of this obligation (lawful basis: legitimate interests of Smultron; Article 6 paragraph 1 point (f) of the GDPR);

c) detection and prevention of a fraud – for the duration of the contract (lawful basis: Contractual undertaking; Article 6 paragraph 1 point (b) of the GDPR) and after that for a claims’ period of prescription in regards to claims arising from the contract, and in the case of Smultron claims or notifications by the public and governmental authorities – for a period necessary for potential legal proceedings or other investigation activities (lawful basis: legitimate interests of Smultron; Article 6 paragraph 1 point (f) of the GDPR);

d) establishment, exercise or defense of legal claims – for claims’ period of prescription in regards to claims arising from the contract (lawful basis: legitimate interests of Smultron; Article 6 paragraph 1 point (f) of the GDPR);

e) conducting analyzes, audit, customer research, satisfaction surveys, and other statistics for internal needs or for needs of Smultron Customers – for the duration of the contract (lawful basis: Contractual undertaking; Article 6 paragraph 1 point (b) of the GDPR) and after that for a claims’ period of prescription in regards to claims arising from the contract (lawful basis: legitimate interests of Smultron; Article 6 paragraph 1 point (f) of the GDPR);

f) direct marketing – for the duration of the contract (lawful basis: 5 legitimate interests of Smultron; Article 6 paragraph 1 point (f) of the GDPR);

7. How long will your personal data be stored for?

7.1. Smultron will retain your personal data for a period required by applicable laws or for a period in which process personal data is necessary to fulfill the purposes outlined in this Privacy Notice. 7.2. After the expiration of the above period, personal data and any copies of them will be anonymised or deleted from any electronic devices and/or the hard copies of such personal information will be destroyed as well.

8. Will your personal data be shared with any third parties?

8.1. Smultron shall not disclose your personal data to third parties unless:

• personal data is processed by an external entity based on a written Data Processing Agreement; Smultron shares the personal data with companies which cooperate with us and with other trusted companies or individuals who process personal data on behalf of Smultron in accordance with our instructions and the Information Security Policy and take appropriate technical and organizational measures to protect the confidentiality and information security; the entities processing data on our behalf and participating in the performance of our activities are, among others:

a) Service providers that provide and maintain our ICT systems and companies that provide us with tools to collect and store personal data;

b) Our subcontractors that support us in the performance of our services and products;

c) Intermediaries that assist in the sale of our services;

d) Companies that provide us with services in areas of consulting, 6 audit, legal, tax, financial and payroll accounting and business advisory and other entities who act as our contractors.

• the legal requirements exist: We will be obliged to provide personal data if the applicable laws or court order require to do so, in particular in connection with legal process, litigation, and/or requests from public and governmental authorities – to the extent defined by these bodies.

8.2. Smultron will ensure that the transfer of personal data to a third country located outside the European Economic Area is conducted in compliance with General Data Protection Regulation and the appropriate and/or suitable safeguards. you have right at any time to obtain a copy of your personal data processed by such companies and to obtain the list of companies to which your personal data has been made available by sending a request to the e-mail address: hello@smultron.pl

8.3. Such entities and business partners have implemented at least the same privacy standards as used by Smultron with respect to the use of this data and they are bound by appropriate confidentiality agreements.

9. How will your personal data be secured?

9.1. We have taken every possible step to protect your personal data against unauthorized access, unauthorized modification, disclosure and destruction of personal data held by Smultron. For this purpose we: • use SSL encryption; • make internal reviews of our data collection, storage and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data • grant access to your personal data only to those Smultron employees, contractors and representatives with a clear “need to know” for business and who are subject to confidentiality 7 obligations, and in the event of data breach, liability provisions indicated in the applicable data privacy regulations will apply to them.

10. Will your personal data be subject to automated decisionmaking, including profiling?

10.1. Your personal data is not subject to automated decision-making, including profiling.

11. How will you control your personal data? What rights do you have?

11.1. In general Smultron, acting as a Data Controller, has to enable you to execute your rights in accordance with the applicable data privacy regulations, including:

• the right to access the data collected by us, i.e. the access to certain information about: the purpose(s) of processing, the recipients of your personal data, the scope (the categories of personal data concerned) and the right to receive the copy of personal data concerning you (data portability). It is important for us that you will have easy access to personal data processed by Smultron. In case you require information about personal data processed by us, then please send your subject access request by an e-mail address: hello@smultron.pl . In response, we will inform you about the scope of personal data processed by Smultron concerning your person.

• the right to rectification, i.e. right to correct the personal data we processed, to supplement incomplete data or to update it. If the personal data processed by Smultron are incorrect, incomplete or out of date please contact us at: hello@smultron.pl. We will do our best to quickly make the necessary modifications, update them or remove inaccuracies.

• the right to erasure („right to be forgotten”’), i.e. the right to request immediate deletion of your personal data if unlawfully 8 processed or used by us on our website or social profiles. Please note that we will not be able to delete all data about you. Some data – due to legitimate interests or legal requirements of Smultron – we will have to retain. Each time we will notify you whether your personal data included in the request has been removed, and if not – in addition we will inform you about the reasons why we cannot meet your demand.

• the right to restriction of processing, i.e. temporarily remove your personal data from our databases or suspend any processing activities on your personal data, e.g. if the accuracy of the personal data is contested (for a period enabling Smultron to verify the accuracy of such data) or when you have objected to the processing (pending verifications whether the objection is valid).

• the right to receive the personal data concerning you (right to data portability) and right to transmit those data to another data controller.

12. Right to object – what is this?

12.1. Regardless of the rights specified in point 11 of this Privacy Notice, you also have the right to object at any time to the processing of your personal data used for direct marketing purposes. After accepting your objection in this case sent to the e-mail address: hello@smultron.pl, we will not use your personal data for direct marketing purposes.

12.2. In specific situations, you may object to the processing of your personal data at any time if the lawful basis for the processing of your data is the legitimate interests of Smultron or the public interest. In this case, after considering your objection, we will no longer be able to process your personal data on this basis, unless we prove that there are: • compelling legitimate grounds for the processing of your personal data which override the interests, rights and freedoms of the Customer 9 or • grounds for the establishment, exercise or defense of legal claims.

13. Consent – as a legal basis for processing your personal data

13.1. If the processing of your personal data is not connected with the performance of a contract, the compliance with a legal obligation or does not constitute our legitimate interests, Smultron may request you to give the consent to use certain personal data. You can withdraw your consent at any time by sending us an appropriate request. However, the withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal.

14. How to contact Smultron?

14.1. In case you require more information about how Smultron processes and uses the personal data, then please go to the following website: www.smultron.pl or contact us at: hello@smultron.pl or please use the contact form located on the above website.

Smultron sp. z o.o. has the exclusive right to use and dispose of this document. The use of the content published here, in particular copying and distribution without the consent of Smultron sp. z o.o. or any other legal basis is prohibited and may result in civil or criminal liability on the part of the user.

Contact with Us

* Required fields.





Smultron Software Lab

12 Slawkowska Street
31-014 Krakow, Poland

+48 12 30 700 30
hello@smultron.pl

TAX ID: PL6762482785

Jakub Kozak - avatar
Let's talk

Jakub Kozak