I. PERSONAL DATA CONTROLLER
- The Controller of personal data of persons using the Services and Hype Me is the Service Provider, i.e. Hype Me sp. z o.o. with its registered office in Warsaw, ul. Kolejowa 5/7, entered in the Register of Businesses of the National Court Register kept by the District Court for the capital city of Warsaw in Warsaw, 12th Business Division of the National Court Register, under KRS [National Court Register] No.: 0000759647, NIP [VAT No.]: 5272872892, REGON [National Official Business Register No.]: 381890458 (e-mail email@example.com).
- The Controller has also appointed a Data Protection Officer. Contact details of the Data Protection Officer: (e-mail: firstname.lastname@example.org).
II. DATA PROCESSING METHOD
- The purpose and scope of the processed personal data is as specified in consents and completed data sent using a form. The processing of personal data of Users or Recipients may involve name, e-mail address, telephone number, IP address of a computer, IP address of a mobile device, NIP or VAT No., business address, image and data collected by Google Analytics, as well as other data necessary to perform services provided in accordance with the Terms of Service.\
- Provision of personal data is voluntary, but failure to give consent to the processing of personal data marked in the form as obligatory shall prevent the performance of Services and agreements by the Service Provider. The nature of services provided by the Service Provider makes it impossible to provide them anonymously.
- Personal data of Users shall be processed for the following purposes:
a) implementation of the law – the legal basis is the statutory authorisation to process data necessary to act lawfully (pursuant to article 6(1)(c) of GDPR);
b) performance of agreements and provision of services by electronic means via Hype Me – the legal basis is the statutory authorisation to perform processing necessary for the performance of the agreement where the data subject is a party to this agreement or where it is necessary to take steps prior to the conclusion of the agreement at the request of the data subject (pursuant to article 6(1)(b) of GDPR);
c) handling of complaints and optimisation of Hype Me services – the legal basis for the processing is a legitimate interest pursued by the Service Provider (pursuant to article 6(1)(f) of GDPR) involving the proper conduct of business activity;
d) promotional and commercial activities carried out by the Service Provider – the legal basis for the processing is a legitimate interest pursued by the Service Provider (pursuant to article 6(1)(f) of GDPR) or freely given consent (pursuant to article 6(1)(a) of GDPR).
- Personal data of Recipients shall be processed for the following purposes:
a) making Videos and sharing these Videos – the legal basis for the processing is the statutory authorisation to perform processing necessary for the performance of the agreement where the data subject is a party to this agreement or where it is necessary to take steps prior to the conclusion of the agreement at the request of the data subject, in connection with the obligation to perform the Agreement concluded with the User who provided the Recipient's data (pursuant to article 6(1)(b) of GDPR);
b) providing Hype Me functionalities – the legal basis for the processing is the statutory authorisation to perform processing necessary for the performance of the agreement where the data subject is a party to this agreement or where it is necessary to take steps prior to the conclusion of the agreement at the request of the data subject, in connection with the obligation to perform the Agreement concluded with the User who provided the Recipient's data (pursuant to article 6(1)(b) of GDPR);
- If the Service Provider learns that the User uses the Services in violation of the Terms of Service or applicable regulations (unauthorised use), the Service Provider may process the User’s personal data to the extent necessary to determine the scope of their liability.
- The User’s personal data shall be processed for a period of time necessary to prove the proper performance of the Service (this period corresponds to the length of the limitation period for claims) or, in the case of a paid Agreement – for a period of time specified in the accounting regulations, and when this period ends, they shall be erased unless their processing is necessary on another legal basis. In the case of marketing activities, personal data shall be processed until the User objects to further processing of personal data for marketing purposes or withdraws their consent to receive marketing content.
- Personal data of the Recipient shall be processed until they are erased by the User or until the Recipient files an objection.
- The Service Provider shall not transfer personal data to third countries.
- Personal data collected to provide the Services will be processed for the duration of the provision of these services by the Administrator, and after their completion - not less than for the period specified by relevant provisions of generally applicable law, especially for tax purposes (5 years).
III. DATA PROCESSING FOR MARKETING PURPOSES
- The Administrator processes Users and Recipients personal data also in marketing purposes, in particular using tools such as: Facebook Ads, Google Ads, Google Analytics, sending messages electronically to e-mail address, analysis checking the reading of messages.
- The processing of personal data by the Administrator for the marketing purposes is based on: a) separate consent to the processing of personal data for marketing purposes (pursuant to article 6(1)(a) of GDPR, or b) the legitimate interest of the Service Provider in the form of its marketing activities (pursuant to article 6(1)(f) of GDPR.
- The Administrator provides during the registration process technological solutions enabling explicit and unambiguous consent to the processing of data for marketing purposes and to read the accompanying information clause.
- Personal data collected on the basis described above will be processed for the duration of the Administrator's marketing activities until the time of expression by the person whom the data relate of his objection or withdrawal of consent.
IV. RECIPIENTS OF DATA
- The Service Provider may entrust the processing of personal data to third parties in order to perform the activities specified in the Terms of Service and to provide services to the User. Then the recipients of the User’s and the Recipient’s data may be as follows: the Influencer, an entity providing hosting services to Hype Me, technical support company (software company), accountancy firm, online payment system provider, invoice management system provider, law firm and companies providing Video delivery services, e.g. a printing house or post office.
- Personal data collected by the Service Provider may also be made available to State authorities at their request under applicable regulations or to other persons and entities in cases provided for by the law.
- Each entity to which the Service Provider entrusts the processing of personal data of the User or the Recipient under a personal data processing agreement (hereinafter referred to as the “Personal Data Processing Agreement”) shall ensure an appropriate level of security and confidentiality of personal data processing. The processor of personal data of the User or the Recipient under the Personal Data Processing Agreement may process these personal data of the User or the Recipient through another entity only with the prior consent of the Service Provider.
V. RIGHTS OF THE DATA SUBJECT
- Each User and Recipient shall have the right:
a) to erase personal data collected about them both from the system owned by the Service Provider and from databases of entities with which the Service Provider cooperates or has cooperated;
b) to restrict data processing;
c) to transfer personal data collected by the Service Provider about them, including to receive them in a structured format;
d) to request from the Service Provider access to their personal data and their rectification;
e) to object to the processing;
f) to withdraw the consent given to the Service Provider at any time without affecting the lawfulness of processing based on consent before its withdrawal;
g) to lodge a complaint against the Service Provider with the supervisory authority (President of the Personal Data Protection Office).
VI. PERSONAL DATA OF CHILDREN
- Where article 6(1)(a) of GDPR applies, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. If the User is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
- Persons under the age of 13 are not allowed to use Hype Me.
VII. OTHER DATA
- The Website may store http requests. Therefore, some information may be stored in server log files, including the IP address of the computer from which the request was received, the IP address of the mobile device from which the request was received, the name of the User’s station – identification by the http protocol, if possible, date and system time of registration on Hype Me and receipt of the request, number of bytes sent by the server, URL of the page previously accessed by the User if they used the link to access this page, information about the User’s browser, and information about errors that occurred during the provision of the Service.
- Logs may be collected in order to ensure proper administration of the Website.
- Only persons authorised to administer the IT system shall have access to information.
- Log files can be analysed in order to compile Hype Me traffic and errors statistics. Summary of such information does not identify the User.
- The Service Provider implements technical and organisational measures to protect the processed personal data to ensure a level of security appropriate to the risks and category of the personal data to be protected. Such technical and organisational measures are taken in particular to safeguard personal data against unauthorised access, being taken away by an unauthorised person, processing against the Act, as well as alteration, loss, damage or destruction. These measures include the use of SSL certificates. The set of collected personal data of Users and Recipients is stored on a secured server and the data are also protected by internal personal data processing and information security policy procedures of the Service Provider.
- The Service Provider has also implemented appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner, and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR and protect the rights of data subjects.
- The Service Provider notes that the use of the Internet and services provided by electronic means may involve the risk of malicious software (malware) gaining access to the User’s IT system and the User’s device, as well as the risk of third parties gaining unauthorised access to the User’s data, including personal data. In order to minimise these risks, the User should use appropriate technical security measures, for example use up-to-date antivirus software or software that protects the User’s identity on the Internet. In order to obtain detailed and professional information about security on the Internet, the Service Provider recommends contacting entities specialising in this type of IT services.
- The Website uses two types of cookies: (a) session cookies which are deleted permanently at the end of the User’s browser session; and (b) persistent cookies which remain on the User’s device after the end of the browser session until they are deleted.
- It is not possible to identify the Users using session and persistent cookies. Cookies do not allow the collection of any personal data.
- Hype Me cookies are safe for the User’s device, in particular they do not allow viruses or other software to gain access to the device.
- Files generated directly by the Service Provider cannot be read by other websites. Third-party cookies (i.e. cookies placed by entities cooperating with the Service Provider) can be read by an external server.The User can change cookies settings at any time, specifying the conditions of their storage, using the settings of the web browser or by configuring the services.
- The User can disable cookies on their device following the instructions of the browser manufacturer, but this may make some or all of Hype Me functionalities unavailable.
- The User can also at any time, following the instructions of the browser manufacturer, delete the cookies stored on their device.
- The Service Provider uses their cookies for the following purposes:
a) authentication of the User on the Website and maintenance of the User’s session;
b) Hype Me configuration and tailoring the content of the pages to the User’s preferences or behaviour;
c) analysis and research concerning the audience, number of clicks and a path taken on the website to improve the layout and arrangement of content on the page, time spent on the page, number of visitors to the Website and frequency of visits to the Website, as well as display of relevant content by external partners providing affiliation services.
- The Service Provider uses third-party cookies for the following purposes: to compile statistics (anonymous) in order to optimise the usability of Hype Me using analytical tools such as Google Analytics, Firebase or Segment; and to use interactive functions via social networking services, including facebook.com and instagram.com.
- Detailed information about management of cookies is available in the settings of the User’s browser.
X. FINAL PROVISIONS