Privacy Policy of the UpWayData.com Website

TABLE OF CONTENTS:

1. GENERAL PROVISIONS
2. LEGAL BASIS FOR DATA PROCESSING
3. PURPOSE, LEGAL BASIS, AND PERIOD OF DATA PROCESSING ON THE WEBSITE
4. DATA RECIPIENTS ON THE WEBSITE
5. PROFILING ON THE WEBSITE
6. RIGHTS OF DATA SUBJECTS
7. COOKIES AND ANALYTICS ON THE WEBSITE
8. FINAL PROVISIONS

1. GENERAL PROVISIONS

This Privacy Policy of the Website is for informational purposes only, meaning it does not impose any obligations on the Users of the Website. The Privacy Policy primarily sets out the principles for the processing of personal data by the Administrator on the Website, including the legal bases, purposes, and duration of processing, as well as the rights of individuals whose data are processed. It also provides information on the use of Cookies and analytical tools on the Website.
The controller of personal data collected through the Website is UPWAYDATA Spółka z ograniczoną odpowiedzialnością, with its registered office in Łomża (registered address and correspondence address: ul. Gen. Władysława Sikorskiego 166, suite 0.03), entered in the Register of Entrepreneurs of the National Court Register under number KRS 0001200882; the registry court holding the company’s documentation is the Sąd Rejonowy w Białymstoku, XII Wydział Gospodarczy Krajowego Rejestru Sądowego; share capital: PLN 5,000.00; NIP: 7182175995, REGON: 543038060; email address: office@upwaydata.com — hereinafter referred to as the “Administrator”, who is also the Service Provider of the Website.
Personal data on the Website are processed by the Administrator in compliance with applicable law, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) — hereinafter referred to as the “GDPR” or the “Regulation.”
Official text of the GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
The use of the Website, including the conclusion of an Agreement for access to the UpWayData Application, is voluntary. Likewise, providing personal data by a User of the Website is voluntary, except in two cases:
(1) Conclusion and performance of a contract – when a User wishes to enter into an Agreement for access to the UpWayData Application and use the Electronic Services provided by the Administrator, failure to provide the personal data required on the Website, in the Terms of Service, and in this Privacy Policy makes it impossible to use these services. In such cases, providing personal data is a contractual requirement, and if a person wishes to enter into an Agreement for access to the UpWayData Application, they are obliged to provide the required data;
(2) Statutory obligations – when a User makes a payment, data processing is also a legal requirement resulting from generally applicable laws that impose on the Administrator the duty to process personal data for accounting purposes.
The Administrator exercises particular care to protect the interests of individuals whose personal data it processes and ensures that the collected data are:
(1) processed lawfully;
(2) collected for specified, legitimate purposes and not further processed in a way incompatible with those purposes;
(3) accurate and adequate in relation to the purposes for which they are processed;
(4) stored in a form that permits identification of data subjects for no longer than is necessary for the purposes of processing; and
(5) processed in a manner ensuring appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical and organizational measures.
Taking into account the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, the Administrator implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the GDPR and to be able to demonstrate such compliance. These measures are reviewed and updated as necessary. The Administrator also applies technical safeguards to prevent unauthorized access to or modification of personal data transmitted electronically.
All terms, expressions, and acronyms used in this Privacy Policy and beginning with a capital letter (e.g., Service Provider, Website, Electronic Service) shall have the meanings assigned to them in the Terms of Service available on the Website.

2. LEGAL BASIS FOR DATA PROCESSING

The Administrator is entitled to process personal data when — and to the extent that — at least one of the following conditions is met:
(1) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(2) processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the data subject’s request prior to entering into a contract;
(3) processing is necessary for compliance with a legal obligation to which the Administrator is subject; or
(4) processing is necessary for the purposes of legitimate interests pursued by the Administrator or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly where the data subject is a child.
The processing of personal data by the Administrator requires that at least one of the legal bases listed above is met. The specific legal bases for processing Users’ personal data by the Administrator are indicated in the following section of this Privacy Policy — depending on the purpose of processing.

3. PURPOSE, LEGAL BASIS, AND PERIOD OF DATA PROCESSING ON THE WEBSITE

Each time, the purpose, legal basis, duration, and recipients of personal data processed by the Administrator depend on the actions undertaken by the individual User on the Website.
The Administrator may process personal data on the Website for the following purposes, on the following legal bases, and for the corresponding periods:
(The detailed purposes and processing durations would be listed in the following subsections of the Privacy Policy.)

Purpose of data processing

Legal basis for data processing

Data retention period

Conclusion and performance of the Agreement for access to the UpWayData Application or another agreement concluded with the Administrator

Article 6(1)(b) of the GDPR (contract) – processing is necessary for the conclusion and performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.

Data are stored for the period necessary to perform, terminate, or otherwise expire the contract concluded with the Administrator.

Article 6(1)(f) of the GDPR (legitimate interests of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party (e.g., its partners), such as direct marketing — aimed at protecting the Administrator’s interests and reputation, ensuring proper functioning of the Website, and striving to provide its services. This includes, for example, situations in which the data subject has previously given consent (e.g., when making a purchase or signing up for a newsletter) to receive commercial information via telecommunications terminal equipment, such as email or telephone, depending on the scope of the consent provided.

Data are stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the limitation period for claims the Administrator may have against the data subject in connection with the Administrator’s business activities. The limitation period is defined by applicable law, in particular the Civil Code (the basic limitation period for business-related claims is three years).

The Administrator may not process data for direct marketing purposes if the data subject has effectively objected to such processing.

Additionally, where the legal basis for processing is the data subject’s consent to receive commercial information, including direct marketing, via telecommunications terminal equipment, the data are stored until the consent is withdrawn by the data subject. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

Keeping accounting records

Article 6(1)(c) of the GDPR (legal obligation) in connection with Article 74(2) of the Accounting Act of 30 January 2018 (Journal of Laws 2018, item 395, as amended) – processing is necessary to comply with a legal obligation to which the Administrator is subject.

Data are stored for the period required by the laws obliging the Administrator to retain accounting records (5 years, counted from the beginning of the year following the financial year to which the data relate).

Establishing, pursuing, or defending claims that may be raised by the Administrator or against the Administrator

Article 6(1)(f) of the GDPR (legitimate interests of the controller) – processing is necessary for the purposes of the Administrator’s legitimate interests, consisting of establishing, pursuing, or defending claims that may be raised by the Administrator or against the Administrator.

Data are stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the limitation period for claims that may be raised against the Administrator (the basic limitation period for such claims is six years).

Use of the Website, including the Application and its Electronic Services, and ensuring their proper functioning

Article 6(1)(f) of the GDPR (legitimate interests of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator, consisting of operating and maintaining the Website, the Application, and its Electronic Services.

Data are stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the limitation period for claims the Administrator may have against the data subject in connection with the Administrator’s business activities. The limitation period is defined by applicable law, in particular the Civil Code (the basic limitation period for business-related claims is three years).

Conducting statistics and analyzing traffic on the Website

Article 6(1)(f) of the GDPR (legitimate interests of the controller) – processing is necessary for the purposes of the Administrator’s legitimate interests, consisting of compiling statistics and analyzing traffic on the Website in order to improve its functioning.

Data are stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the limitation period for claims the Administrator may have against the data subject in connection with the Administrator’s business activities. The limitation period is defined by applicable law, in particular the Civil Code (the basic limitation period for business-related claims is three years).

4. RECIPIENTS OF DATA IN THE WEBSITE

1. For the proper functioning of the Website, including the proper provision of Electronic Services by the Administrator and the operation of the UpWayData Application, the Administrator must use the services of external entities (such as software providers, payment processors, etc.). The Administrator uses only those processors who provide sufficient guarantees of implementing appropriate technical and organizational measures so that processing complies with the GDPR and protects the rights of data subjects.
2. Personal data of individuals visiting the Website may be transferred by the Administrator to a third country, provided that such transfer complies with the GDPR — either to a country ensuring an adequate level of data protection or, for other countries, on the basis of standard contractual clauses. The Administrator also ensures that the data subject has the possibility to obtain a copy of their data. The Administrator transfers collected personal data only when and to the extent necessary to fulfil a given processing purpose in accordance with this Privacy Policy.
3. Data transfers by the Administrator do not occur in every case and not to all recipients or categories of recipients listed in this Privacy Policy — data are transferred only when necessary for the specific processing purpose and only to the extent required for its fulfilment.
4. Personal data of Users may be transferred to the following recipients or categories of recipients:
  a. entities processing electronic or card payments – in the case of a User who makes a purchase and uses electronic or card payments, the Administrator provides the collected personal data to a selected payment processor acting on behalf of the Administrator to the extent necessary to process the User’s payment.
  b. service providers supplying the Administrator with technical, IT, and organizational solutions, enabling the Administrator to conduct business operations, including the Website, the UpWayData Application, and Electronic Services provided through it (in particular providers of computer software, email and hosting services, business management software, and technical support solutions) – the Administrator provides the User’s personal data to such providers only when and to the extent necessary for the given processing purpose, in accordance with this Privacy Policy.
  c. providers of accounting, legal, and advisory services supporting the Administrator in accounting, legal, or consulting matters (in particular an accounting office, law firm, or debt collection company) – the Administrator provides the User’s personal data to such providers only when and to the extent necessary for the given processing purpose, in accordance with this Privacy Policy.

5. PROFILING ON THE WEBSITE

1. The GDPR requires the Administrator to inform data subjects about automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR, and — at least in those cases — to provide meaningful information about the logic involved, as well as the significance and expected consequences of such processing for the data subject. In light of this requirement, the Administrator provides information on potential profiling below.
2. The Administrator may use profiling on the Website for direct marketing purposes, but decisions made on this basis do not concern entering into or refusing to enter into an Agreement with the Administrator, nor the ability to use Electronic Services. The result of profiling on the Website may include reminders about unfinished actions, sending offers tailored to the User’s interests or preferences, granting a discount or promotional code, or offering more favorable terms compared to the standard Website offer. Despite profiling, it is always the data subject who freely decides whether to take advantage of such an offer or discount.
3. Profiling on the Website consists of the automated analysis or prediction of a person’s behavior on the Website, for example by analyzing their purchase history, viewed pages, or other activities on the Website. Profiling requires the Administrator to hold personal data of the individual in order to subsequently send them, for example, an offer or discount.
4. A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

6. RIGHTS OF THE DATA SUBJECT

1. Right of access, rectification, restriction, erasure, and data portability – the data subject has the right to request access to their personal data, rectification, erasure (“right to be forgotten”), restriction of processing, to object to processing, and to data portability. Detailed conditions for exercising these rights are set out in Articles 15–21 of the GDPR.
2. Right to withdraw consent at any time – where data are processed on the basis of consent (Article 6(1)(a) or Article 9(2)(a) GDPR), the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
3. Right to lodge a complaint with a supervisory authority – the data subject may lodge a complaint with a supervisory authority in accordance with the GDPR and applicable Polish law, in particular the Personal Data Protection Act. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
4. Right to object – the data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on Article 6(1)(e) (public tasks) or Article 6(1)(f) (legitimate interests of the controller), including profiling on these grounds. In such a case, the Administrator may no longer process the data unless it demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject or for establishing, exercising, or defending legal claims.
5. Right to object to direct marketing – if personal data are processed for direct marketing purposes, the data subject has the right to object at any time to such processing, including profiling related to direct marketing.
6. To exercise any of the rights mentioned above, the data subject may contact the Administrator by sending a written or electronic message to the address indicated at the beginning of this Privacy Policy.

7. COOKIES AND ANALYTICS ON THE WEBSITE

1. Cookies are small text files sent by a server and stored on the device of the person visiting the Website (e.g., on the hard drive of a computer, laptop, or smartphone memory card — depending on the device used). Detailed information on cookies and their history is available, among others, here:
  https://pl.wikipedia.org/wiki/HTTP_cookie.
2. The Administrator may provide a tool on the Website that allows easy and active management of Cookies — available upon the first visit to the Website and later accessible via a button in the bottom corner of the page. This tool allows Users to see which Cookies are or may be stored, as well as choose and later modify the scope and purposes of Cookies used for their device. Upon starting to use the Website, Users will be asked to select their Cookie preferences. These settings may be modified later using the Cookie management tool.
3. Below, the Administrator provides detailed information about the use of Cookies on the Website, their types, purposes, and how to manage them using browser settings and/or the Website’s Cookie management tool. The Administrator encourages Users to use the Cookie management tool. If it is unavailable, Users should consult the information below on managing Cookies via the browser.
4. Cookies used by the Website can be classified according to the following criteria:

By their provider:
1) first-party cookies (created by the Administrator’s Website), and
2) third-party cookies (created by entities other than the Administrator).

By the duration of storage on the device of the Website visitor:
1) session cookies (stored until the User logs out of the Customer Panel or closes the web browser), and
2) persistent cookies (stored for a specified period defined by the parameters of each file or until manually deleted).

By their purpose:
1) necessary cookies (enable the proper functioning of the Website),
2) functional/preference cookies (allow the Website to be tailored to the visitor’s preferences),
3) analytical and performance cookies (collect information on how the Website is used),
4) marketing, advertising, and social cookies (collect information about the visitor in order to display advertisements, personalize them, and conduct other marketing activities — including on websites other than the Administrator’s Website, such as social media platforms or other sites belonging to the same advertising network).

The Administrator may process data contained in Cookies while visitors use the Website for the following specific purposes:

Purposes of using Cookies on the Administrator’s Website

identifying Users as logged in and displaying their login status (necessary cookies)

remembering data entered into forms, surveys, or login fields on the Website (necessary and/or functional/preference cookies)

adjusting the Website’s content to the User’s individual preferences (e.g., colors, font size, page layout) and optimizing the User’s experience (functional/preference cookies)

compiling anonymous statistics on how the Website is used (analytical and performance cookies)

displaying and rendering advertisements, limiting the number of ad impressions, suppressing ads the User does not want to see, measuring ad effectiveness, and personalizing ads — this includes analyzing visitor behavior (e.g., repeated visits to specific pages, keywords used) to create user profiles and deliver ads tailored to their predicted interests, including when they visit other websites within the advertising networks of Google Ireland Ltd. or Meta Platforms Ireland Ltd. (marketing, advertising, and social cookies)

6. It is possible to check which Cookies are being sent by the Website at any given moment, regardless of the web browser used, by using tools available, for example, at: https://www.cookiemetrix.com/ or https://www.cookie-checker.com/.

7. By default, most web browsers available on the market accept the storage of Cookies. Every user may define the conditions for the use of Cookies through their browser settings. This means that Cookies can be partially limited (e.g., temporarily) or completely disabled — although in the latter case, this may affect certain functionalities of the Website.

8. Browser settings regarding Cookies are important in terms of granting consent to the use of Cookies by our Website — according to the law, such consent may also be expressed through browser settings. Detailed information on how to change Cookie settings and delete Cookies manually in the most popular web browsers is available in their help sections and at the following links (simply click the desired browser):

in Chrome
in Firefox
in Internet Explorer
in Opera
in Safari
in Microsoft Edge

9. The Administrator may use Google Analytics and Universal Analytics services on the Website, provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). These services help the Administrator compile statistics and analyze traffic on the Website. The collected data are processed within these services to generate aggregated statistics useful for administering and analyzing Website traffic. These data are aggregated. When using these services, the Administrator collects information such as: traffic sources and acquisition medium, visitor behavior on the Website, device and browser details, IP address and domain, geographic data, demographic data (age, gender), interest categories.

10. Users can easily block Google Analytics from collecting data about their activity on the Website — for example, by installing the browser add-on provided by Google Ireland Ltd., available here: https://tools.google.com/dlpage/gaoptout?hl=pl.

11. In connection with the Administrator’s use of advertising and analytical services provided by Google Ireland Ltd., the Administrator notes that full information regarding the processing of visitors’ data (including data stored in Cookies) by Google Ireland Ltd. is available in Google’s Privacy Policy at: https://policies.google.com/technologies/partner-sites.

8. FINAL PROVISIONS

The Website may contain links to other websites. The Administrator encourages users to review the privacy policies applicable on those external websites after navigating to them. This Privacy Policy applies solely to the Administrator’s Website