PRIVACY POLICY -

PROCESSING OF PERSONAL DATA

BY DBB SOFTWARE SP. Z O.O.

1. Dictionary:

1.1. Data Controller - DBB Software Sp. z o. o. with its registered office in Cracow (address:
aleja Powstania Warszawskiego 15, 31-539 Cracow Poland) listed in register
of entrepreneurs of National Court Register (KRS) under KRS number 0000926192, REGON 52016831, NIP 6772469438, tel. +48 694 769 312, email: in@dbbsoftware.com

1.2. Personal Data – information about natural person, already identified or identifiable through one or several specific factors determining physical, physiological, genetic, psychological, economic, cultural or social identity, including image, voice record, contact details, localization data, information included in the correspondence, information gathered with recording technology or other similar technology.

1.3. Policy –this Policy of processing private data

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)

1.5. Data Subject – natural person, to whom personal data processed by Administrator applies to, e.g. person who uses Administrator’s services or who send inquiries to him through email.

2. Processing of Personal Data by Data Controller:

2.1. Data Controller, due to running economic activity, gathers and processes Personal Data in accordance with relevant regulations of law, including especially GDPR, and rules of processing data specified in these regulations.

2.2. Data Controller:

2.2.1. provides clarity of data processing;

2.2.2. always informs about processing data at the moment of gathering them, especially about purpose and legal grounds of personal data processing, unless he is not obliged to do so under separate regulations;

2.2.3. cares for data being gathered only to the extent necessary for given purpose and processed only in necessary period.

2.3. While processing data, Data Controller ensures its safety and confidentiality and access to information about processing to data subjects. If, despite application of safety measures, breach of personal data protection takes place (e.g. „data leak” or their loss) and such breach could bring high risk of violation of law or data subjects liberty, Data collector will inform subjects of data about such incident in accordance to legal regulations.

3. CONTACT WITH DATA CONTROLLER AND DATA PROTECTION OFFICER:

3.1. Contact with Data Controller is possible through e-mail address: in@dbbsoftware.com or correspondence address DBB SOFTWARE Sp. z o. o., al. Powstania Warszawskiego 15, 31-539 Cracow.

3.2. Data Controller is not obliged to appoint Data Protection Officer

Data Controller made an analysis involving this matter.

4. PERSONAL DATA SAFETY:

4.1. In order to provide data integrity and confidentiality, Data Controller implemented procedures enabling access to personal data only to authorized persons and only in extent that is essential due to tasks that they perform. Data Controller applies organizational and technical solutions in order to ensure that all operations on personal data are registered and performed by authorized persons.

4.2. Data Controller takes all necessary actions to have his subcontractors and other cooperating subjects also guarantee implementation of appropriate safety measures in all circumstances of processing personal data on commission of Data Controller.

4.3. Data Controller makes up-to-date analysis of risk and monitors adequacy of applied data protection to identify threats. In case of necessity Data Controller applies additional measures to increase data safety.

5. PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING:

PRECONTRACTUAL RELATIONSHIPS , CONTACT IN ORDER TO DI SCUSE CONDITIONS OF COLLABORATION , SIGNING CONTRACT AND ITS REALISATION .

5.1. Personal data delivered by Data Controller's Client is processed in order to enter into a contract, including identification of Client, discuss conditions of collaboration, sign contract and realize it. Legal ground for data processing is article 6 paragraph 1 letter b of GDPR

KEEPING AND DEVELOPING RELATIONS WITH CLIENTS AND PARTNERS, SUPPLY OF SERVICES

5.2. For this purpose personal data are processed regarding realization of entered contracts, association of companies with software developers and IT specialists, exchange of data/information, invoicing. Legal ground for data processing is article 6 paragraph 1 letter b of GDPR.

E-MAIL AND REGULAR MAIL CORESPONDENCE

5.3. In case of directing inquiries to Data Controller via e-mail or regular mail nonrelevant to services provided to sender or other contract entered with him, personal data included in this correspondence is processed only for communication and solving issue which correspondence refers to.

Legal ground for processing is legally justified interest of Data Collector (article 6 paragraph 1 letter f of GDPR) based on correspondence that is directed to him regarding to his economic activity.

Data Controller processes Personal Data important for issue which correspondence refers to. Whole correspondence is stored in the way providing safety of personal data (and other information) contained in it and disclosed only to authorized persons.

TELEPHONE CONTACT

5.4. In case of contacting with Data Controller via telephone in matter nonrelevant to entered contract or provided services, Data Controller is allowed to demand disclosure of Personal Data only if it is necessary to solve an issue which contact refers to. legal ground is in this matter legally justified interest of Data Controller (article 6 paragraph 1 letter f of GDPR) based on necessity to solve reported issue regarding to his economic activity.

SOCIAL MEDIA PORTALS PROFILES

5.5. Data Controller has public profiles profile in social media portals e.g. Facebook

Due to it he processes data left by people who visit these profiles (incl. comments, likes, online identifiers).

Personal Data of these people are processed:

- In order to enable them activity on these profiles;

- for effective running profiles, through presenting to users informative portals about initiatives and other activity of Data Controller and for promoting various events, services and products;

- for statistic and annalistic purposes;

- for promoting own brand and improving quality of provided services.

Legal ground for processing Personal Data is legally justified interest of Data Controller (article 6 paragraph 1 letter f of GDRP).

ATTENTION: abovementioned information does not apply to processing personal data by Administrators of social media portals ( e.g. Facebook).

PROCESSING PERSONAL DATA OF STAFF MEMBERS, CONTRACTORS OR CLIENTS

5.6. Due to entering into contracts regarding to running economic activity, Data Controller obtains data of people involved in performance of the agreement (e.g. persons authorized to contact, persons executing orders etc.) from contractors/clients. The scope of the data transmitted is in any event limited to what is necessary for the performance of the agreement and normally does not include information other than the first name and surname and official contact details.

Such personal data are processed for realization of legally justified interest of Data Controller and his Contractor (article 6 paragraph 1 letter f of GDPR), based on enabling him to properly and effectively perform the contract. Such data may be disclosed to the third parties involved in performance of a contract.

Data are processed for the period necessary to realize abovementioned interests and fulfill legal obligations.

GATHERING DATA AS A MATTER OF BUSINESS CONTACTS

5.7. Due to running economic activity, Data Controller gathers personal data also in other cases - e.g. during business meetings or via exchange of business cards - for initiating and maintaining business contacts. Legal ground for processing data is in this matter justified interest of Data Controller (article 6 paragraph 1 letter f of GDPR) based on creating network of contact regarding running economic activity.

Personal data gathered in these circumstances are processed only for the purpose for which they were gathered - Data Controller guaranties their proper protection.

CONTACT FORMS

5.8. Data Controller provides possibility of contact with him via electronic contact forms available on websites of Data Controller. Usage of form requires enclosure of Personal Data essential to contact with Subject of Data and answer an inquiry. Subject of Data may also disclose other data in order to ease contact or handling inquiry. Disclosure of data marked as obligatory is required for acceptance and handling inquiry - not disclosing these information equals with impossibility of handling inquiry. Disclosing other data is voluntary.

5.9. Personal data is processed for identification of sender and handling his inquiry send via provided form – legal ground for processing is its indispensability to fulfill service agreement (article 6 paragraph 1 letter b of GDRP); For data disclosed facultatively legal ground for processing is approval (article 6 paragraph 1 letter a of GDRP).

INVOICING OR BILLING FOR REALISATION OF CONTRACT :

5.10. For this purpose personal data is processed only in extent necessary for invoicing or billing. Legal ground for processing is its indispensability to fulfill the contract (article 6 paragraph 1 letter b of GDRP).

VINDICATION OF CLAIMS RELATED TO FULFILMENT OF CONCTRACT

5.11 . For this purpose personal data is processed only in extent necessary for vindication of claims. Legal ground for processing is its indispensability to realize legally justified interest of Data Controller (article 6 paragraph 1 letter f of GDRP);

6. DATA RECIPIENTS:

SERVICE PROVIDERS

6.1. Due to running economic activity that requires processing of personal, personal data may be disclosed to external entities, including especially providers of IT and technical support services, entities providing accounting services, postal operation, couriers, marketing or recruitment agencies, legal offices

STATE AUTHORITIES

6.2. Data Controller reserves the right to disclose or provide given information about Subject of Personal Data to competent state authorities or third parties that request such data only on the basis of proper legal grounds and in compliance with the applicable provisions of the law.

6.3. Personal data will be also provided to competent state authorities, in particular to Courts, Prosecutors, Police, President of the Data Protection Office. (formerly: Inspector General for Personal Data Protection,), President of the Office for Competition and Consumer Protection and others that request such data from Data Controller.

7. DATA TRANSMISSION OUTSIDE THE EEA:

7.1. Level of protection of Personal Data outsider European Economic Area („EEA”) differs from the one guaranteed by European law. For this reason Data Controller transfers Personal Data outsider het EEA only if it is necessary and with appropriate level of protection. Data Controller always informs about intention to transfer Personal Data outside EEA at the stage of gathering them.

8. PERIOD OF PERSONAL DATA PROCESSING:

8.1. The period of data processing by Data Controller depends on type of provided service and purpose of processing. The period of data processing may also be due to legal regulations, when they are grounds for processing. If basis of processing is justified interest of Data Controller – e.g. due to safety reasons – data is processed for a period enabling realization of this interest or until effective objection regarding data processing is submitted. If data is processed on basis of approval, data is processed until the approval is revoked. If basis of processing is its indispensability to enter into a contract and fulfill it, the data is processed until contract termination.

8.2. The period of data processing may be extended if processing is necessary to establish or assert claims or defend against claims; after this period - insofar as it is required by law. After this period of processing, the data are irrevocably deleted or anonymized.

9. RIGHTS TELATED TO THE PROCESSING OF PERSONAL DATA:

Subjects of Personal Data have a right to:

9.1. right to receive information about processing personal data – on this basis Data Controller provides to natural person, who requests it, information about processing data, mainly including information about purposes and legal grounds of processing, scope of stored data, subjects whose data is being disclosed and planned date of data erasure.

9.2. right to obtain a copy of data – on this basis, the Controller provides a copy of processed data concerning a person who submits such a demand. Data Controller does not fulfill this request if it could breach obligation related to professional secrecy of advocate or legal counsel.

9.3. right to rectification – Data Controller is obligated to remove any non-compliance or errors in personal data processed and supplement them if they are incomplete;;

9.4. right to erasure – on this basis you may demand to have your data, which processing is not necessary anymore to realize any of purposes for which they were gathered, removed (erased)

9.5. The right to limit processing – in the event of such a request, Data Controller ceases to conduct operations on personal data, except for operations agreed to by the Data Subject and their storage, in accordance with accepted retention rules or until causes of data processing restrictions ceases (e.g. decision of supervisory authority enabling further data processing is issued).

9.6. right to transfer your personal information – on this basis - in the scope in which the data is automatically processed in connection with the concluded agreement or given consent - Data Controller issues data provided by the data subject in a format that allows its reading by the computer. Demanding the transfer of such data to another subject is also possible, however, subject to the existence in this scope of technical possibilities both on the side of the Controller and also indicated entity;

9.7. right to object to processing data for the marketing purposes – Data Subject have the right to object at any time to processing their personal data for the marketing purposes; An objection within this scope does not need to include a justification.

9.8. Right to object to other data processing purposes - a data subject may at any time - on grounds relating to their particular situation - object to processing personal data based on the Controller's legitimate interest (e.g. for analytical or statistical purposes or in view of safeguarding of assets); An objection within this scope should include a justification.

9.9. the right to revoke consent - if the data is processed under a granted consent, data subject is entitled to revoke it at any time which, however, will not affect the legality of the processing before the revocation of such consent

9.10. The right to file complaints - if you believe that our conduct in the processing of Personal Data violates GDPR or any other applicable laws, you can complain to the data-processing supervisory authority. In Poland such authority is the President of the Office of Personal Data Protection.

BRINGING DEMANDS RELATED TO THE EXECUTION OF RIGHTS:

10.1. A request about exercising the rights of Data Subjects may be filed:

- in writing to the following address: aleja Powstania Warszawskiego 15, 31-539 Cracow.

- via e-mail at in@dbbsoftware.com.

10.2. If the Collector will not be able to identify a person submitting the proposal basing on the submission he will seek supplementary information from the applicant. Indication of such data is not obligatory, however failure to indicate them shall result in refusal to realize the given demand.

10.3. Such a request may be made personally or through proxy. (e.g. family member). For reason of data safety, Data Controller encourages to use notarized proxy statement or an authorized legal counsel or attorney-at-law, which will significantly accelerate verification of the request's authenticity..

10.4. A reply to a request shall be send within a month from the date of the receipt.
Where necessary to extend the period, the Data Controller shall advise the applicant of the causes of this action.

10.5. In case request is directed to Data Controller electronically, reply to it is provided in the same form, unless requestor asked for reply in other form. In other cases answer is provided by written means. If the deadline for the execution of the request renders it impossible to provide an answer in writing and the scope of the applicant's data processed by the Controller enables contact by electronic means, the answer shall be provided by electronic means.

10.6 Data Controller stores information about both the request and person, who made it, in order to guarantee possibility of proving conformity and in order to establish, defend or pursue eventual claims of Data Subjects. Database of requests is stored in way providing integrity and confidentiality of contained data.

11. CHANGES IN THE POLICY OF PROCESSING PERSONAL DATA:

11.1. This Policy is reviewed on a regular basis and amended according to the needs.

11.2. The current version of the Policy has been in force since the 12th of October 2021.