PRIVACY AND COOKIES POLICY
§ 1. General provisions
- This Privacy and Cookies Policy (hereinafter referred to as the ‘Policy’) is established for:
- the website operated at https://developress.io/ (hereinafter referred to as the ‘Website’) for the purposes of DeveloPress sp. z o.o., having its registered office in Lublin, Poland, address: ul. Świerkowa 24, 20-834 Lublin, entered into the Register of Businesses of the National Court Register by the District Court Lublin-East in Lublin, based in Świdnik, 6th Commercial Division of the National Court Register, under KRS no: 0000895160, National Court Register (NIP): 7123418232, with its share capital amounting to PLN 27,000.00 (hereinafter referred to as the ‘Controller’);
- the services provided through the Website in the form of: a contact form, an online meeting scheduling tool and an application document upload tool (collectively referred to as the ‘Services’);
- other activities undertaken by the Controller on the Internet, including, for example, the social media profiles it maintains (LinkedIn, Facebook and others) or the information and marketing activities it undertakes using e-mail.
- This Policy defines:
- the rules for processing personal data obtained in connection with the Controller’s activities within the scope set out in item 1 above, whereby:
- ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (hereinafter referred to as the ‘Personal Data’ or ‘Data’);
- the Controller also recognises as Personal Data such information as the number (including IP) and type of terminal equipment, as well as the data contained in the cookies used within the Website, as they may carry Personal Data;
- Processing of Data is understood to mean operations performed on Personal Data such as collection, recording, storage, processing, alteration, sharing, back-up, etc., related to the fulfilment of the needs indicated in item 1 above (hereinafter: ‘Processing’);
- the rules on the use of cookies for purposes of the Website.
- The purpose of this Privacy Policy is to provide clear information regarding the processing of their Personal Data, including the purposes of the processing, the means of collection, the assurance of the security of the Personal Data and the respect of their rights, in compliance with the applicable legislation, including in particular the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/56/EC (General Data Protection Regulation), hereinafter referred to as ‘GDPR’:
- to users of the Website, i.e. persons using the Website (hereinafter referred to as ‘Users’), including recipients of Services provided using the Website (hereinafter referred to as ‘Service Recipients’);
- to recipients of other activities of the Controller on the Website, including visitors to the Controller’s social media profiles (LinkedIn, Facebook, etc.) and recipients of the Controller’s information and marketing communication via e-mail or LinkedIn (hereinafter ‘Other Recipients’);
§ 2. Basic rules for the Processing of Personal Data
- The Controller, in the operation of the Website and the Services provided using it, as well as in undertaking other activities using the Internet that involve Data Processing, undertakes to ensure the implementation of the basic principles of Personal Data protection arising from Article 5 of the GDPR, i.e.:
- lawfulness, fairness and transparency, both by implementing appropriate instruments and internal regulations to ensure the lawfulness and security of the Personal Data entrusted and by providing all relevant information regarding the Personal Data processed to those concerned;
- Purpose limitation, by collecting Personal Data only for specific, explicit and legitimate purposes, not processing further in a manner incompatible with those purposes, Processing Data only for the purpose of cooperating with Users and Other Recipients, and not selling collected Personal Data;
- Data minimisation, by Processing only those Personal Data which are necessary for the realisation of the purposes for which they are processed, thus not collecting Personal Data unnecessary for the Controller from the point of view of activities undertaken by it as part of cooperation with Website Users and Other Recipients, or other legally justified purposes (e.g. connected with vindication and defence against claims); no so-called sensitive data (according to the GDPR: special categories of personal data) of Website Users and Other Recipients are processed;
- accuracy, by taking appropriate measures so that Personal Data that is inaccurate in the light of the purposes of its Processing is promptly deleted or rectified;
- storage restriction, by keeping the Data in a form which permits the identification of the Data Subject for no longer than is necessary for the purposes for which the Data is stored;
- integrity and confidentiality, by processing the Data in a manner that ensures its adequate security, including protection against unauthorised and unlawful processing and accidental loss, destruction or damage, by means of appropriate technical and organisational measures, based on the internal procedures implemented at the Controller.
§ 3. Need for and purposes of collecting Personal Data
- In connection with the operation of the Website and the use of the electronically provided Services using it, Personal Data is processed in the following cases:
- when connecting to the Website, information on the number (including IP) and type of terminal equipment is collected; this applies to all Website Users and the Data is collected automatically for technical purposes only;
- when using the Website, after prior acceptance of cookies, Personal Data may be collected using cookies, in accordance with § 17 of the Policy; this applies to all Website Users;
- In connection with submitting the contact form, Service Recipients’ Personal Data is processed, including: full name, e-mail address, telephone number, possibly other Data provided by the Service Recipient, and this Data is processed exclusively for the purpose of using the Contact Form Service;
- in connection with the use of the Calendly, LinkedIn, Facebook (Meta) tools external to the Website, the Service Recipients’ Personal Data is processed, including: full name, e-mail address, telephone number, possibly other Data provided by the Service Recipient, and this Data is processed both by the Controller and by the operator of the external Calendly, LinkedIn, Facebook (Meta) tools, and is processed exclusively for the purpose of arranging a meeting between a Website User and a representative of the Controller;
- in connection with the submission of application documents via a Google tool external to the Website, the following Personal Data of the Service Recipients is processed: full name, e-mail address, telephone number, age, address of residence, mailing address, PESEL, NIP, education, previous professional career, possibly other Data provided by the Service Recipient, and this Data is processed both by the Controller and by the operator of an external tool (Google LLC), and its processing is carried out exclusively for the purpose of the recruitment process for a vacancy applied for by the Service Recipient.
- The Personal Data of Website Users, including Service Recipients, is processed for the following purposes and according to the following conditions, as per the GDPR:
- to take pre-contractual action at the request of the data subject according to Article 6(1)(b) of the GDPR;
- to conclude and perform a service contract concluded with a user of the Website as Service Recipient according to Article 6(1)(b) of the GDPR;
- for the purposes of complying with the Controller’s legal obligations according to Article 6(1)(c) of the GDPR;
- for purposes arising from the legitimate interests pursued by the Controller (such as data analysis and profiling for marketing purposes) according to Article 6(1)(f) of the GDPR.
- Website Users are responsible for the accuracy of the Personal Data they provide.
- In addition to the activities of the Website, the Controller processes Personal Data of Other Recipients in particular in the following cases:
- in connection with visiting the Controller’s social media profiles, the Controller processes Personal Data exclusively in connection with the operation of these profiles, in particular for analytical and promotional purposes (data analysis and profiling for marketing purposes), which represent a legitimate interest pursued by the Controller according to Article 6(1)(f) of the GDPR;
- in connection with engaging in e-mail correspondence on the Controller’s initiative or via LinkedIn with individuals or entities for the purpose of establishing potential cooperation; in this case, the Personal Data of Other Recipients is obtained independently by the Controller from publicly available sources, including websites, public records, etc., and includes in particular: name, email address, telephone number; the basis for the processing of Data in this case is the legitimate interest pursued by the Controller, pursuant to Article 6(1)(f) of the GDPR.
§ 4. Potential recipients of Personal Data
- The Controller takes appropriate measures to limit access to Personal Data as much as possible and to ensure that only authorised persons with adequate protection of the information have access to it and only if this is necessary for the purposes for which the Personal Data is processed.
- Access to the Personal Data being processed is granted only to authorised employees and associates of the Controller.
- In addition to the Controller’s authorised employees and associates, access to certain Personal Data may also be granted, in particular, to:
- entities which own the external tools used on the Website, as indicated in § 3(1)(d) and (e) – exclusively to the extent relating to the operation of these tools;
- entities working with the Controller responsible for hosting services, IT service providers, etc. – only to the extent necessary for the performance of the services contracted to them;
- the accounting firm working with the Controller – only to the extent necessary for the provision of commissioned services, including ensuring the fiscal and accounting correctness of the Controller’s activities;
- the law firm working with the Controller – only to the extent necessary for the provision of legal assistance to the Controller;
- other entities (e.g. banks, postal operators, etc.) – only to the extent necessary for the purposes of the cooperation with the Controller.
- The Controller does not intend to transfer personal data to a third country (i.e. outside the European Union and the European Economic Area) or an international organisation, with the proviso that the use of certain external tools on the Website, in particular Google tools, involves transferring data to a third country.
§ 5. Personal Data storage period
- The Controller takes appropriate measures to ensure that Personal Data is processed only for the period necessary for the purposes for which it was collected, while preserving the Controller’s right to further process it in situations where this is permitted or required by applicable law, e.g. for the establishment and assertion of claims, for the defence against claims, etc.
- Once the purposes for which the Data was processed have ceased to exist, the Controller will delete the Data, unless there is a separate purpose for the Processing that is distinct from the original purpose.
§ 6. Requirement to provide Personal Data
- The provision of personal data by Website users as per § 3(1)(c), (d) and (e) is voluntary, but failure to provide it will in each case prevent the use of the relevant Service provided electronically. In other cases of Processing, the Data is collected automatically, and in the cases referred to in § 3(4)(b) the Data is collected by a representative of the Controller.
§ 7. Data Subjects’ rights in relation to the processing of Personal Data
- In relation to the Processing of Personal Data, the Data Subject has the following rights:
- the right of access to the Personal Data, including obtaining a copy of the data;
- the right to request rectification of the Data;
- the right to request, in certain cases, the erasure of the Data (‘right to be forgotten’);
- the right to restrict the processing of Data;
- the right to data portability;
- the right to object to the processing of Data on the basis of Article 6(1)(f) of the GDPR, including profiling;
- the right to lodge a complaint with a supervisory authority.
§ 8. Right to access Personal Data
- The Data Subject has the right to obtain from the Controller confirmation as to whether or not Personal Data relating to him or her is being processed and, if this is the case, he or she also has the right to obtain access to such Data, in addition to the following information: the purposes of the Processing, the categories of Data, information about the recipients or categories of recipients to whom the Personal Data has been or will be disclosed, in particular recipients in third countries or international organisations, where possible, the intended period of storage of the Personal Data and, where this is not possible, the criteria for determining this period, information about the right to request the Controller to rectify, erase or restrict the Processing of Personal Data concerning him or her and to object to such Processing, information on the right to lodge a complaint with a supervisory authority, where the Personal Data has not been collected directly from the Data Subject any available information on its source, information on automated decision-making, including profiling, and relevant information on the modalities of such decision-making, as well as the significance and foreseeable consequences of such Processing for the Data Subject.
- The Controller will provide the Data Subject with a copy of the Personal Data concerning him/her. For any additional copies, the Controller has the right to demand a reasonable fee.
§ 9. Right to request rectification of Data
- The Data Subject has the right to obtain without undue delay the rectification of inaccurate Personal Data concerning him or her. Taking into account the purposes of the Processing, the Data Subject has the right to have incomplete personal data completed, including by means of providing an additional statement.
§ 10. Right to request erasure of Data (‘right to be forgotten’)
- The Data Subject has the right to request from the Controller the immediate erasure of Personal Data concerning him or her, and the Controller is obliged, without undue delay, to erase the Personal Data, but only if any of the following circumstances arise:
- the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the Data Subject has withdrawn the consent on which the Processing is based (Article 6(1)(a) of the GDPR) and there is no other legal basis for the Processing;
- the Data Subject objects to the Processing and there are no overriding legitimate grounds for the Processing or objects to the Processing of the Data for direct marketing purposes (including profiling);
- the Personal Data was unlawfully processed;
- the Personal Data has to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
- the Personal Data has been collected in connection with the offering of information society services as referred to in Article 8(1) of the GDPR.
- Where the Controller has made the Personal Data public and is obliged to erase the Personal Data, the Controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing the Personal Data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, that Personal Data.
- The provisions of items 1 and 2 above do not apply to the extent that the Processing is necessary:
- for exercising the right to freedom of expression and information;
- for fulfilling a legal obligation requiring Processing under Union law or the law of a Member State to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes according to Article 89(1) of the GDPR, insofar as the ‘right to be forgotten’ is likely to prevent or seriously impede the achievement of the purposes of such Processing;
- for establishing, asserting or defending claims.
§ 11. Right to restrict Data Processing
- The Data Subject has the right to request the Controller to restrict the Processing, but only if any of the following circumstances arise:
- the accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal Data;
- the Processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of its use instead;
- the Controller no longer needs the Personal Data for the purposes of the Processing, but it is required by the Data Subject for the establishment, exercise or defence of legal claims;
- the Data Subject has objected to the Processing – until it is established whether the Controller’s legitimate grounds override the Data Subject’s grounds for objection.
- Where Processing, in the circumstances under item 1, has been restricted, Personal Data may only be processed, with the exception of storage, with the consent of the Data Subject or for the purpose of establishing, pursuing or defending claims, or for the protection of the rights of another natural or legal person, or for compelling reasons of public interest of the Union or a Member State.
- Before cancelling the restriction of Processing, the Controller will inform the Data Subject.
- The Controller is obliged to inform any recipient to whom Personal Data has been disclosed of any rectification or erasure of Personal Data or restriction of Processing carried out in accordance with § 9, § 10 and this section, as appropriate, unless this is impossible or requires an unreasonable effort. The Controller will inform the Data Subject about those recipients if the Data Subject requests it.
§ 12. Right to portability of Personal Data
- The Data Subject has the right to receive in a structured, commonly used machine-readable format the Personal Data concerning him or her that he or she has provided to the Controller, and has the right to send such Personal Data to another controller without hindrance from the Controller, if:
- the processing is carried out on the basis of consent (Article 6(1)(a) of the GDPR) or on the basis of a contract (Article 6(1)(b) of the GDPR); and
- the processing is automated.
- The Data Subject also has the right to request that the Personal Data be sent by the Controller directly to another controller, insofar as this is technically possible.
§ 13. Right to object
- The Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of Personal Data concerning him or her based on Article 6(1)(f) of the GDPR, including profiling. The Controller is no longer allowed to process such Personal Data unless the Controller demonstrates that there are compelling legitimate grounds for the processing overriding the interests, rights and freedoms of the Data Subject or grounds for establishing, asserting or defending claims.
- If Personal Data is Processed for direct marketing purposes, the Data Subject has the right to object at any time to the Processing of Personal Data concerning him or her for such marketing purposes, including profiling, to the extent that the Processing is related to such direct marketing.
- If the Data Subject objects to the Processing for direct marketing purposes, the Personal Data may no longer be processed for such purposes.
- The Data Subject has the right not to be subject to a decision which is based solely on automated Processing, including profiling, and produces legal consequences for him or her or similarly significantly affects him or her, except where:
- such decision is necessary for the conclusion or performance of a contract between that person and the Controller;
- such decision is permitted under Union law or the law of a Member State to which the Controller is subject and which provides for suitable measures to safeguard the rights, freedoms and legitimate interests of the Data Subject;
- it is based on the express consent of the Data Subject.
§ 14. Right to withdraw consent where Data Processing is performed based on Article 6(1)(a) of the GDPR
- Where the Processing of Personal Data takes place based on expressed consent (marketing consents), i.e. under the conditions arising from Article 6(1)(a) of the GDPR, the Data Subject has the right to withdraw consent at any time.
- Withdrawing the consent will not affect the lawfulness of Data Processing based on the consent before its withdrawal.
- Consent can be withdrawn in the same way (using the same options) as it is given.
- The Controller’s performance of the contract cannot be made contingent on marketing consent.
§ 15. Right to lodge a complaint with a supervisory authority
- According to Article 77 of the GDPR, the Data Subject has the right to lodge a complaint with a supervisory authority if he or she believes that the processing of Personal Data concerning him or her violates the applicable provisions of the GDPR.
- The right to lodge a complaint with a supervisory authority is independent of other administrative and judicial remedies available to the Data Subject.
- The supervisory authority in the Republic of Poland is the President of the Personal Data Protection Office (address: Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa).
§ 16. Protection of Personal Data collected
- All Personal Data is collected and processed by the Controller in compliance with applicable law, in particular the GDPR.
- Personal Data is protected in a way that prevents access to it by third parties, according to the principles resulting from the Controller’s internal regulations, in particular the Personal Data Privacy Policy and the IT Systems Management Manual.
- The Controller takes appropriate security measures to prevent any incidents involving Personal Data, including loss or disclosure to unauthorised parties.
- Anyone who has access to the Personal Data processed by the Controller is obliged to maintain confidentiality, and possible violations in this respect are subject to certain sanctions, but the above assurance of the Controller does not extend to entities operating external tools used in connection with the operation of certain Website functionalities.
- The Controller ensures the right to control the processing of Personal Data within the scope of the applicable legislation.
§ 17. Cookies
- The Website uses cookies. Cookies are small files saved and stored on a computer or another device (tablet, smartphone, etc.) of the User when visiting webpages. Cookies typically contain the name of the webpage from which they originate, a lifespan (i.e. duration of existence) and a randomly generated unique number to identify the browser used to connect to the webpage.
- In particular, the Website uses cookies to:
- ensure that the pages work faster and are easier to use;
- better match the content and advertising to Users’ expectations and interests;
- collect anonymous, aggregated statistics which help improve the functionality and content of the pages and applications.
- The following types of cookies are used on the Website:
- mandatory cookies (necessary for the proper functioning of the site):
- CookieYes – used to manage consent to the use of cookies, ensuring compliance with Data Protection legislation;
- Sentry – they monitor and fix malfunctions and problems in real time to improve site stability;
- WordPress – they are used to provide basic functionality of the Website;
- analytical and performance cookies:
- Google Analytics – they track site traffic and user interactions to improve site performance;
- Microsoft Clarity – they analyse user interactions (heat maps, session recordings) to improve usability;
- marketing and advertising cookies:
- Google Ads – they measure the effectiveness of advertisements and help optimise marketing campaigns;
- Facebook Pixel – they track user conversion rates and interaction to personalise advertising;
- LinkedIn Pixel – they track user conversion rates and interaction to personalise advertising.
- When using cookies, the Website does not, in principle, establish Users’ identity on the basis of the information stored in these files. At the same time, cookies are safe for computers and software, and in particular they cannot be used by viruses or other undesirable or malicious software to access computers.
- Cookies are used with the prior consent of the user of the relevant terminal equipment, whereby consent shall be deemed to be the use of the Website with default cookie settings, without any modifications that can be made by the user in this respect.
- Cookies can be modified in the individual web browsers, and the option of modifying the cookie settings varies depending on the browser used.
- Restricting (modifying) or disabling the use of cookies may affect certain functionalities of the Website.
§ 18. Policy amendments
- The Controller has the right to amend this Policy as necessary, of which the Users will be informed through the publication of the amended Policy on the Website.