SellTime

Privacy Policy of the SellTime System

Definitions

Personal Data means any information relating to an identified or identifiable natural person; an identifiable natural person is a person who can be identified directly or indirectly, in particular by reference to an identifier such as name and surname, identification number, location data, device IP number, online identifier and information collected through cookies and other similar technologies, or by reference to one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.

Policy means this Privacy Policy.

Data Processing means an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Terms means the SellTime System Terms available at: …

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

System means the comprehensive IT solution named SellTime used to manage working time in entities employing personnel, the operating framework of which is defined by the Terms.

User means an entity using the System.

I. General Provisions

Data Controller - the controller of personal data of natural persons using the System, i.e. the entity that decides on the purposes and methods of using such data, is SELL TIME spółka z ograniczoną odpowiedzialnością with its registered office in Białystok, ul. Świętojańska 15m, 15-277 Białystok, entered in the register of entrepreneurs by the District Court in Białystok under KRS number 0001203466, NIP: 5423507281, REGON: 543177554.

Subject scope of this Policy - the provisions of the Policy apply to all natural persons using the System whose data is or may be processed by the Controller for the purposes specified in the Policy.

II. Scope of Data Collected

The scope of collected data is related to the purposes for which the Controller uses personal data (more information on the purposes of data processing is provided in Section III. Purposes for which data is used).

The Controller collects data to the extent necessary to use the System. Such data includes: first name, surname, email address, telephone number, access data, delivery address, and data necessary to issue a VAT invoice, e.g. tax identification number (NIP).

If persons using the System provide any Personal Data of other persons, they may do so only if such action does not infringe the rights of those persons or applicable laws.

III. Purposes for Which Data Is Used

The data indicated in Section II. Scope of Data Collected may be used by the Controller for the purposes described below.

Provision of offered services. As part of the proper provision of offered services, the Controller may process data for the following purposes:

Pursuing or defending against claims. The Controller may process data when necessary due to the need to establish and pursue claims by the Controller or to defend against claims made against the Controller.

Marketing purposes. The Controller may process collected data to promote goods or services offered by it. Such marketing may include various forms of activity, such as sending Users messages about current promotions or offers (newsletter), presenting information about promotions and new services.

Compliance with legal obligations. The Controller may process personal data to comply with obligations resulting from applicable law, e.g. obligations concerning the handling of complaints or claims arising in connection with the services provided. Compliance with legal obligations also means that data may sometimes be transferred, to a specific extent, to entities authorized to obtain it under such laws, e.g. state authorities such as the Police or inspection authorities. Such disclosure, in addition to a legal provision, is also based on an official request from the entity authorized to receive the data.

Analytical and statistical purposes. The Controller may use data for analytical and statistical purposes related to the functioning of the System.

Automated decision-making and profiling. In connection with performing the agreement with Users and for the purpose of improving the System, the Controller may use tools enabling automated decision-making and User profiling. This means that, through automated processing of their data, the Controller may in certain cases assess selected factors concerning Users in order to analyze their behavior or create a forecast for the future.

Persons whose data is processed in the above manner may object at any time to the use of their data for the indicated purposes. Detailed information on exercising this right is available in Section VII. Control over data and rights granted to Users.

Cookies and other similar technologies. Cookies are small text information in the form of text files sent by the server and stored in the memory of the User’s device (e.g. on the hard drive of a computer or laptop, or on a phone memory card). Cookies may be deleted from the device memory through appropriate configuration of web browser settings.

Cookies are used in the System only with the User’s consent. Consent is expressed by clicking the “X” field in the information box while using the System or through appropriate software settings by the User, in particular web browser settings. Restrictions on the use of cookies may affect some functionalities of the System.

The User may at any time withdraw or change the scope of previously given consent to the use of cookies. Information on changing cookie settings and deleting them independently in the most popular web browsers is available in the browser help section.

The System uses “session” cookies, which are related to the session and are stored on the User’s device until leaving the website.

Cookies collect data concerning the User’s use of the System, and their main purpose is to make it easier for the User to use the System and to adapt the System to the User’s needs and expectations. Cookies are used for functional, analytical, and marketing purposes.

Data collected by “analytical” and “marketing” cookies is not linked to other information that the User provides while using the System. They enable the delivery of content adapted to the User’s preferences.

The Controller collects and uses data only when it has an appropriate legal basis. The legal bases for data processing may differ depending on the purpose for which data is processed and include:

Necessity of processing personal data for the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR), e.g. creating and maintaining a User account in the System, providing services, or handling complaints submitted by the User and returning benefits. Processing certain data is necessary to conclude and properly perform the agreement and is mandatory in this respect.

Compliance with a legal obligation (Article 6(1)(c) GDPR). On this basis, the Controller may process, for example, User data for the purpose of handling submitted complaints/claims relating to the services provided. Detailed information in this respect is contained in the Act of 18 July 2002 on the provision of electronic services (consolidated text: Journal of Laws of 2020, item 344) and the provisions of the Terms. In this respect, providing the required data is mandatory.

Processing is necessary for the purposes of legitimate interests pursued by the Controller (Article 6(1)(f) GDPR). Such interests may include, in particular, conducting analyses and statistics regarding Users’ use of the System, direct marketing concerning services offered by the Controller, and the possibility of pursuing claims or defending against possible claims by Users.

Consent of the person to the processing of their data for one or more specified purposes (Article 6(1)(a) GDPR). The Controller may collect personal data voluntarily provided by Users, e.g. when they complete surveys concerning the quality of services provided or provide optional data. Users who have consented to the collection or use of their personal data may withdraw that consent at any time. Detailed information on withdrawal of consent is provided in Section VII. Control over data and rights granted to Users. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

V. Data Sharing

Use of the System may involve sharing certain User data with other entities, e.g. entities delivering goods ordered by them (e.g. couriers), payment operators, and service providers, including those providing the Controller with IT, accounting, or legal services. In addition, the Controller may also share data with other service providers, including marketing service providers. The Controller does not share any Users’ personal data with third parties unless this is necessary to ensure proper activity related to the functioning of the System, constitutes its obligation, or there is another legal basis for sharing certain data. Data sharing may concern in particular:

Data may be transferred to third countries (countries outside the European Economic Area).

VI. Data Retention Period

Processed data is stored only for the period necessary to achieve the purposes for which it was collected, in particular:

The data processing period may be extended if processing is necessary to establish and pursue claims or defend against claims.

After the processing period expires, the Controller will permanently delete the acquired data.

VII. Control Over Data and Rights Granted to Users

Data subjects have the following rights:

Right of access to data. The data subject has the right to obtain confirmation as to whether the Controller processes their personal data. If processing takes place, that person is entitled to access such data (a copy of the data) and the following information: the purposes of processing, categories of processed data, information about data recipients, planned data retention period, information about rights related to processing of their data, and the possibility of lodging a complaint with the competent supervisory authority for data protection.

Right to rectification of data. The data subject has the right to request that the Controller immediately rectify inaccurate personal data concerning them. Taking into account the purposes of processing, the data subject has the right to request completion of incomplete personal data.

Right to erasure of data. The data subject has the right to request that the Controller immediately erase personal data concerning them, and the Controller is obliged to erase personal data without undue delay if one of the circumstances listed in Article 17 GDPR occurs, in particular where personal data is no longer necessary for the purposes for which it was collected or where processing was based on consent that was subsequently withdrawn.

Right to restriction of processing. The data subject has the right to request that the Controller restrict processing of their data in the cases specified in Article 18 GDPR, e.g. where the person has objected as referred to in section 6 below. If a request to restrict processing is successfully submitted, the Controller will stop performing operations on personal data concerning the person making such request.

Right to data portability. The data subject has the right to receive the personal data concerning them that they provided to the Controller and has the right to transmit such personal data to another controller without hindrance from the Controller to whom the personal data was provided, if one of the circumstances listed in Article 20 GDPR occurs, in particular where processing is based on that person’s consent.

Right to object to data processing. The person whose data is processed has the right to object at any time to the processing of personal data concerning them. The objection may concern processing based on the Controller’s legitimate interest (Article 6(1)(f) GDPR), including profiling and direct marketing. After an objection is submitted, the Controller may no longer process such personal data unless it demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or grounds for establishing, pursuing, or defending claims.

Right to lodge a complaint with a supervisory authority. If it is considered that the processing of personal data infringes data protection laws, the person whose data is processed has the right to lodge a complaint with the competent supervisory authority, the President of the Personal Data Protection Office.

Right to withdraw consent. If data processing is based on the consent of the data subject, that person has the right to withdraw such consent at any time. Any withdrawal of consent does not affect processing activities carried out before consent was withdrawn.

The rights related to data processing by the Controller may be exercised:

The Controller responds to a request without undue delay, no later than within one month of receiving the request. If necessary, this period may be extended, of which the Controller will inform the person making the request, stating the reasons for such action.

The Controller also seeks to ensure that data subjects have access to and control over processed data. For this purpose, the Controller enables such persons in particular to:

VIII. Controller Contact Details

If you have any questions or doubts related to the processing of personal data, you may contact the Controller by traditional mail at: … or by email at: …

IX. Policy Updates

This Policy is reviewed on an ongoing basis and updated when necessary. The current version of the Policy is effective from … .