Privacy and Cookies Policy

1. General information

   1. This Privacy Policy (hereinafter: "Policy") sets out the rules for the processing of personal data of users of the website (hereinafter: "Users") operating at: https://orbify.com/ (hereinafter: "Website") and other categories of persons indicated in the Policy, by Orbify Poland sp. z o. o., with its registered office in Kraków, ul. Kurniki 9 (31-156 Kraków), entered in the register of entrepreneurs under KRS: 000906360, REGON: 389222443, NIP: 6762598737. The Policy also contains a description of the basic principles related to the use of cookies within the Website.

2. Information on the processing of personal data

   Who processes personal data and for what purposes?

   1. The administrator of the personal data is Orbify Poland sp. z o. o., with its registered office in Krakow, ul. Kurniki 9 (31-156 Krakow), entered in the register of entrepreneurs under KRS no.: 000906360, REGON no.: 389222443, NIP no.: 6762598737 (hereinafter: the "Company"), which is the service provider of the Website, to the following extent:

      THE DATA SUBJECT	PURPOSES AND LEGAL BASES OF DATA PROCESSING
      Website User	the performance of the contract for the provision of electronic services through the Website on the basis of Article 6(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter: the "GDPR"; analytical and statistical purposes to improve the applied functionalities and services provided through the Website, to ensure the smooth functioning of the Website and to clarify the circumstances of unauthorised use of the Website, which arise from the legitimate interests pursued by the Company, on the basis of Article 6(1)(f) the GDPR.
      Newsletter subscriber	to inform you about the Company's activities, relevant events, etc. - in the event that you voluntarily consent to the processing of your data on the basis of Article 6(1)(a) the GDPR.
      An individual visiting our account / funpage, within Youtube channel, or the social network: Twitter / Linkedin.	purposes deriving from the legitimate interests pursued by the Company, in particular in connection with the management of the Company's channel / account, including the provision of communication with the user, answering questions / comments, on the basis of Article 6(1)(f) the GDPR.
      A sole trader who has entered into a contract with the Company or has had pre-contractual action taken against him at his request	necessity for the performance of the contract concluded by that person with the Company or to take action at that person's request prior to the conclusion of the contract on the basis of Article 6(1)(b) of the GDPR; the necessity to fulfil the Company's legal obligations, in particular under tax law and accounting regulations on the basis of Article 6(1)(c) of the GDPR; purposes deriving from the legitimate interests pursued by the Company, in particular to ensure contact prior to the conclusion of the contract and during the term of the contract, as well as to establish, assert or defend against possible claims on the basis of Article 6(1)(f) the GDPR.
      Authorised representative, contact person or other person on the part of the entity that has entered into the contract with the Company or other person involved in the execution of the contract with the Company	purposes deriving from the legitimate interests pursued by the Company, in particular, ensuring contact with an entity that is party to a contract concluded with the Company, verifying that the person who contacts the Company is authorised to take action on behalf of that entity, the proper execution of a contract concluded with the Company and the establishment, investigation or defence against possible claims on the basis of Article 6(1)(f) the GDPR; the necessity to fulfil the Company's legal obligations, in particular under tax law and accounting regulations on the basis of Article 6(1)(c) of the GDPR.
      Applicant for employment with the Company / cooperation with the Company	Necessity for the implementation of the recruitment process pursuant to Article 22(1) of the Act of 26 June 1974. - Labour Code (Journal of Laws of 2018, item 917, as amended) - in the case of employment under an employment contract; the necessity to carry out the recruitment process and to take action at the request of the data subject prior to the conclusion of the contract on the basis of Article 6(1)(b) of the GDPR - in the case of employment under a civil law contract; Necessity for future recruitment processes on the basis of Article 6(1)(a) of the GDPR - in case you voluntarily consent to the processing of your personal data for the purposes necessary for future recruitment processes.
      Applicant for an internship with the Company	the necessity to carry out the recruitment process and to take action at the data subject's request before entering into a contract on the basis of Article 6(1)(b) of the GDPR; Necessity for future recruitment processes on the basis of Article 6(1)(a) of the GDPR - in case you voluntarily consent to the processing of your personal data for the purposes necessary for future recruitment processes.

   How can you contact us about data protection issues?

   2. In matters relating to the processing of personal data, the Company may be contacted electronically at: privacy@orbify.com.

   To whom will personal data be transmitted?

   3. Recipients of personal data may be - only when necessary and to the necessary extent - entities cooperating with the Company in the scope of services provided to the Company and in support of the Company's current business processes, in particular entities providing IT services, accounting, postal or courier services.

   How long will we process personal data?

   4. If the processing is based on freely given consent, the personal data will be stored until you withdraw your consent to process your personal data for specific, explicit and legitimate purposes. Consent to the processing of personal data may be withdrawn at any time. The withdrawal of consent to the processing of data shall be made by contacting the Company as indicated in Section II, point 2 above. The withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal.
   5. If the processing of the data is necessary for the performance of a contract or to take action at the request of the data subject prior to entering into a contract, the personal data will be processed for the duration of the contract and, thereafter, for the period of limitation of possible claims under generally applicable law.
   6. If the processing is necessary for the fulfilment of a legal obligation incumbent on the Company, the personal data will be processed for a period of time resulting from generally applicable legislation.
   7. If the processing is necessary for purposes deriving from legitimate interests pursued by the Company or by a third party, the personal data will be processed for no longer than is necessary for the purposes for which the data are processed or until an objection is raised to the processing of the personal data for such purposes, on grounds related to the particular situation of the data subject, unless the Company demonstrates the existence of compelling legitimate grounds for the processing overriding the interests, rights and freedoms of the data subject or grounds for the establishment, assertion or defence of claims.

   Is it compulsory to provide personal data?

   8. Where personal data is processed on the basis of the data subject's consent, the provision of personal data is voluntary. Failure to provide data will result in the impossibility of fulfilling the purpose in question, if consent is a condition for fulfilling that purpose.
   9. If the personal data are processed for purposes necessary for the performance of a contract to which the data subject is a party or to take action at the request of the data subject prior to entering into a contract, the provision of personal data is voluntary, but necessary to enter into a contract with the Company.
   10. If the processing of personal data is necessary for the fulfilment of a legal obligation incumbent on the Company, the provision of personal data is a statutory requirement.
   11. If the personal data are processed for purposes arising from legitimate interests pursued by the Company or by a third party, the provision of personal data is voluntary, but necessary for these purposes.

   What rights do you have in relation to the processing of your personal data?

   12. The data subject has the right to:
       1. Access to his/her personal data, including the right to obtain confirmation as to whether or not his/her personal data are being processed and, if so, the right to obtain access to them, the information indicated in Chapter III, point 8 of the Policy and to obtain a copy of the personal data being processed;
       2. Rectification of personal data, which includes the right to request the Company to immediately rectify personal data concerning him/her that is inaccurate;
       3. Deletion of personal data;
       4. Restrictions on the processing of personal data;
       5. Data portability, which includes the right to receive the data and send it to another controller or to request, where technically possible, that the data be sent directly to another controller - insofar as the data is processed on the basis of consent and for the purposes necessary for the performance of the contract and the processing of data by automated means;
       6. Object to the processing of personal data to the extent of processing for purposes arising from the legitimate interests pursued by the Company on the basis of Article 6(1)(f) GDPR, unless the Company demonstrates the existence of valid legitimate grounds for processing overriding the interests, rights and freedoms of the data subject or grounds for the establishment, assertion or defence of claims;
       7. Lodge a complaint with the supervisory authority for the protection of personal data - the President of the Office for the Protection of Personal Data - if it considers that the processing of data is not in compliance with the law.

   How do we secure the personal data we process?

   13. In order to prevent unauthorised or unlawful access, accidental loss, damage or destruction of personal data, the Company uses appropriate technological solutions and security measures in compliance with the requirements established by the GDPR and other generally applicable legislation.
   14. Access to personal data is granted to the Company and to persons authorised by the Company who have undertaken to maintain the confidentiality of such personal data.
   15. The Company keeps a register of persons authorised to process personal data.

   What do we do in the event of a breach?

   16. In the event of a personal data protection breach that may cause a risk of infringement of the rights and freedoms of an individual, the Company shall, without undue delay, and if possible no later than 72 hours after the discovery of the breach, notify the breach to the competent supervisory authority (President of the Office for Personal Data Protection). Where a personal data breach is likely to result in a high risk of infringement of the rights and freedoms of an individual, the Company shall, without undue delay, also notify the individual of such breach, as required under the GDPR.
   17. The Company shall document all data protection breaches, including the circumstances of the breach, its consequences and the remedial action taken.

3. Procedure for the exercise of data subjects' rights

   1. Any individual (hereinafter referred to as the "Applicant") shall have the right to apply to the Company for the exercise of the rights set out in Section II(12) of the Policy.
   2. The above requests will be processed by the Company taking into account the provisions of the GDPR. The above means that in the cases mentioned in the provisions of the GDPR, the rights indicated in Chapter II, point 12 of the Policy may not be granted to the data subject, or the request will be carried out against payment to cover the costs of its implementation.
   3. The application must be submitted as indicated in Chapter II, paragraph 2 of the Policy.
   4. If the Company does not process the Applicant's personal data (excluding the processing of personal data for the purposes of the application itself), the Applicant will be informed and the Applicant's data obtained as a result of the application will be deleted immediately.
   5. The Company shall inform the Applicant immediately upon receipt of the application and include information about the application in the records it maintains.
   6. The Company shall be entitled to verify the identity of the Applicant. Failure to successfully verify the identity of the Applicant for reasons for which the Applicant is responsible may mean that the Company is unable to process the submitted application, of which the Applicant will be informed immediately.
   7. The Company shall provide the Applicant with a response to the request within one (1) month at the latest from the date of its receipt. In cases of objective complexity (i.e. requiring a lot of work on the part of the Company), the above time limit may be extended to 2 (two) months, of which the Applicant shall be immediately notified.
   8. In exercising the right of access to personal data, the Applicant shall be indicated his/her personal data subject to processing, to the extent requested in the request, and the following information:
      1. purpose of processing;
      2. categories of personal data subject to processing;
      3. information on the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
      4. where possible, the intended period of retention of the personal data and, if this is not possible, the method of determining that period;
      5. information about automated decision-making, including profiling, and relevant information about the modalities of such decision-making, as well as the significance and the envisaged consequences of such processing for the data subject;
      6. of the right to request the Company to rectify, erase or restrict the processing of your personal data and to object to such processing (where such right exists);
      7. if the personal data has not been collected from the data subject, any available information about its source;
      8. about the right to lodge a complaint with a supervisory authority.
   9. Where the right of access to data and the right to data portability is exercised, a copy of the personal data concerning him/her in commonly known and accessible machine-readable formats shall be attached to the response given to the Applicant.
   10. Please submit any complaints relating to the implementation of this procedure in writing or electronically, in the manner indicated in Chapter II, point 2 of the Policy.
   11. The complaint shall be investigated promptly, but no later than 7 (in words: seven) days after its receipt, of which the Applicant shall be informed immediately. The Applicant shall also be informed of the fact that the complaint has been received. Information about the complaint shall be included in the records kept by the Company.

4. Cookies and system logs

   1. From the moment the User connects to the Website, information on the number (including IP) and type of the User's terminal equipment from which the User connects to the Website appears in the system logs of the Website. The Company will also process, in accordance with the provisions of the applicable law, data concerning the number (including IP) and type of the User's terminal equipment, as well as the time of the User's connection to the Website and other exploitation data concerning the User's activity. This data is processed, in particular, for technical purposes and to collect general statistical information.
   2. The Website may use cookies (i.e. small text files sent to a User's device, identifying it in a manner necessary to simplify or cancel a given operation) to collect information related to the use of the Website by the User. Cookies make it possible, in particular, to maintain a User's session, adjust the functioning of the Website pages to the User's preferences and needs, create statistics on viewing the Website pages.
   3. You may change your cookie settings at any time. In order to do so, you need to change your browser settings concerning cookies. These settings can be changed, in particular, in such a way as to block the automatic handling of cookies in the settings of the web browser or inform on their each time they are placed on the User's device. Detailed information on the possibility and methods of changing the settings concerning cookies in the most popular web browsers can be obtained at the following addresses:
      1. Google Chrome
         https://support.google.com/chrome/answer/95647?hl=pl;
      2. Firefox
         https://support.mozilla.org/pl/kb/ciasteczka?esab=a&s=ciasteczka&r=0&as=s;
      3. Internet Explorer
         https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies;
      4. Microsoft Edge
         https://support.microsoft.com/pl-pl/help/4027947/microsoft-edge-delete-cookies
      5. Opera
         http://help.opera.com/Windows/12.10/pl/cookies.html
      6. Safari
         https://support.apple.com/pl-pl/guide/safari/sfri11471/mac

5. Final provisions

   1. The Company shall endeavour to provide Users with a high level of security in the use of the Website. Any incidents affecting the security of the transmission of information must be reported in the manner indicated in Chapter II, point 2 of the Policy.
   2. The Company reserves the right to disclose selected information concerning the User to the competent authorities or to third parties who request such information, on the appropriate legal basis and in accordance with the provisions of the applicable law.
   3. Except as indicated in the Policy, personal information will not be disclosed to any third party or authority without the consent of the data subject.
   4. The Company reserves the right to change the Policy, of which Users will be informed by means of a notice posted on the website at https://orbify.com/ at least 3 days before the change takes effect.