PRIVACY POLICY
PREFACE
For Rite NRG sp. z o.o. (Ltd.) the most important value is the protection of your personal data as well as your privacy. Thus, for the purposes of providing you with our website services and software-as-a-services, we decided to be bound by the principles included in this Protection Policy.
Please read this Policy carefully as it defines basic principles and mechanisms of how we process your personal information. This is a legal document, yet, we have tried to prepare it in a clear and transparent manner in order to enhance protection of your rights, which is one of the top priorities of the Your Extended Team sp. z o.o. (Ltd.) – not only in the virtual reality.
This Data Protection Policy (“Policy”) has been prepared by Rite NRG sp. z o.o. (Ltd.) with its registered office in Wroclaw, Poland. (“Your Extended Team”, “us”, “we”, or “our”).
In order to clarify we would like to indicate that you could use the principles of the GDPR if you are a citizen of one of the EEA states. In the following part of this Policy, all persons covered by the GDPR principles on processing of personal data are going to be jointly referred to as “the EU persons”. Should you have any doubts on your rights – please do not hesitate to contact us, we are here to help you!
If the GDPR does not concern you, we strongly invite you to carefully read the entire Data Protection Policy document. Even if the GDPR does not apply in your case (as, for example, due to the fact that you are the citizen and resident of the US), we would like to protect your privacy and personal information just as well and safely.
SIGNIFICANT CONCEPTS
Be aware that on the relevant legal acts, our Protection Policy, as well as in other documents that we may apply while processing data, there are a number of concepts important to the protection of your rights.
By processing of your personal data we understand the following key concepts as follows:
PERSONAL DATA – mean any information relating to an identified or identifiable natural person. The identifiable natural person is the one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name and surname, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The term ‘personal information’ is most commonly used in the US and Canada in order to indicate personal data. Further in this document, we would like to use the term ‘personal data’ or simply ‘data’ uniformly.
Typical examples of personal data are as follows: home and work addresses, telephone number, e-mail address, social security number, birthdate, gender, marital status, mother’s maiden name, and health data.
PROCESSING OF DATA – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. Processing of data involves in particular: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data;
CONTROLLER OF PERSONAL DATA – within the framework of the EU law means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the European Union or Member State law, the controller or the specific criteria for its nomination may as well be provided for by the European Union or Member State law;
The controller processing personal data for the purpose of providing our website is Rite NRG sp. z o.o. (Ltd.) with its registered office in Wrocław, Poland, Gen. W. Sikorskiego Street no. 3/2, 53-659 Wrocław, Polnad. In all matters concerning the protection of your privacy and personal data you are welcome to contact us through the following contact details: hanaj@hpkm.pl
At the same time, we would like to kindly inform persons from the EU that we have not appointed a data protection officer (see: Articles 37-39 of GDPR).
THE BASIS OF DATA PROCESSING – legally defined grounds for the processing of personal data by us. In principle, we process your data on the basis of your consent, or because we need it to provide you with the website.
It may happen that we would be forced by law to transfer your personal data to public services – yet we always remain committed to act in accordance with the law. We are allowed to use your data to develop Your Extended Team through, for example, customer profile analysis, preparation of marketing strategies. In this case, the basis for the processing of your data are our legitimate business interests – the possibility to make market analysis, advertising, implementation of sales strategies, etc. as it remains a part of the fundamental right of economic freedom and the freedom to conduct a business. Nevertheless, we renounce such processing which would excessively interfere your rights and freedoms. In the case of EU citizens, the legal grounds for data processing of personal data are explicitly set forth in the GDPR. In that case, depending on the circumstances that would be the following:
1) Article 6(1)(a) of GDPR – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2) Article 6(1)(b) of GDPR – processing is necessary for the performance of the agreement to which the data subject is party or in order to take steps at the request of the data subject prior to entering into the agreement;
3) Article 6(1)(c) of GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject;
4) Article 6(1)(f) of GDPR – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
PROFILING – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to natural person, (in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements). Examples of profiling are, e.g. automatic credit rating or displaying advertisements based on previous Internet activity.
Currently we do not use your personal data to make automated decisions using the available technologies. If we change it in the future, we will update this Policy to let you know more.
PROCESSOR – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. It may happen that the controller of your data, acting legally, entrusts data to third party.
Acting in compliance with the law, we may transfer your personal data to our contractors and service providers. We always provide at least the same level of security of your data and are constantly committed to choose our contractors who can guarantee a high level of protection of your privacy.
The controller of your personal data is the Your Extended Team, however it may transfer personal data to its affiliates. We are also allowed to transfer data to entities such as companies providing accounting and tax services, our lawyers, payment companies, banks, companies providing analytical services (e.g. for the purposes of market analysis) or marketing and PR services.
CONSENT TO DATA PROCESSING – extremely significant concept, as most frequently we process your data based on your consent. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Please remember that your consent to the processing of your personal data by us is and would always remain voluntary. You can also withdraw your consent at any time, however without your consent to data processing we might be unable to provide you with our website.
LAW
The principles of protection of your personal data and privacy may result from both state as well as federal law.
In case of the EU citizens, the principles for the processing of personal data arise primarily from the so-called General Data Protection Regulation. It is an act of the EU law, which means that it is a regulation common to all of the EU Members. The same principles apply to all of the EU entrepreneurs.
The full name of this act is as follows: Regulation of the European Parliament and of The Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR).
REASONS AND TYPES OF DATA
In our organization, we process variety of data and different categories of personal data – all for specific purposes. If we ask you for consent to process information, we inform you about the processing principles. Please do not hesitate to familiarize yourself with them carefully.
Please remember that your consent is always voluntary and you can withdraw your consent at any time without stating any reason. Please note, however, that occasionally it may turn out to be impossible to provide you with services as it might not be possible without your personal data. Therefore, you are kindly asked to fully consider whether you consciously would like to authorize us to process your personal data.
By using Your Extended Team website, you consent to the processing of your personal data for the purpose of providing services by us.
In the case of our website we collect and process the following data for the purposes indicated below:
SOURCE OF DATA: Website contact form, any other communications between us
TYPE OF DATA: required: name, surname, e-mail address; optional: telephone number
PURPOSE: communications with you, negotiations of contracts, presentation of our offers and services, handling your requests
SOURCE OF DATA: any agreement between you and Your Extended Team
TYPE OF DATA: name and surname (if applicable), business name, contact address, email address, tax ID
PURPOSE: execution and performance of an agreement
SOURCE OF DATA: data collected during the use of website
TYPE OF DATA: IP address, number of pages visited at the website, time spent on particular pages, any server requests, cursor position
PURPOSE: analytical purposes
SOURCE OF DATA: cookies files (please see the information below)
TYPE OF DATA: identity of website
PURPOSE: user identification, authentication and authorization during the session
BASIC PRINCIPLES OF PERSONAL DATA PROTECTION
Processing of your personal data may each time look different, depending on what data we process, for what purpose, by what means, on what legal basis, etc. In each case, however, we are guided by a few fundamental values and principles:
I. LAWFULNESS – we always process your data in accordance with the applicable law;
II. RELIABILITY – we process your data reliably, in the organized and thoughtful manner;
III. TRANSPARENCY – we are committed to make the data processing processes transparent;
IV. PURPOSEFULNESS – we always collect and process data for a specific legal purpose or purposes; we do not collect data unnecessarily;
V. ADEQUACY – we process data adequate to the purposes for which we do it; we limit the processing of data to what is necessary to achieve a specific purpose beyond which we do not cross;
VI. CORECTNESS – we take reasonable care to process only personal data which are correct and up-to-date;
VII. LIMITATION OF STORAGE – in accordance with the GDPR, storage in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; we store personal data no longer than reasonably needed;
VIII. INTEGRITY AND CONFIDENTIALITY – we process personal data in the manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. We use appropriate technical or organizational measures;
IX. ACCOUNTABILITY – the controller of your data is responsible for compliance with the rules listed above. We keep records of how we process your personal data in order demonstrate that, if necessary.
INFORMATION ON YOUR RIGHTS (GDPR)
The GDPR regulation confer persons from the European Union with a number of rights that they can use while we process their personal data. If you are the person from the EU or EEA you are vested in with the following rights:
(a) the right to access and receive copies of your data. You have the right to receive from us one copy of your personal data, which we process, and another – for a fee;
(b) the right to rectify (to amend) your personal data;
(c) the right to erase data. If you think there are no grounds for us to process your data further and you are right, you can demand erasure;
(d) limitations on data processing. If you think that we have inaccurate data about you, and you do not request to erase these data, you can demand that we limit ourselves only to store this data, or to other undertake other activities that we would agree with you;
(e) the right to object to the processing of personal data;
(f) the right to data portability;
(g) if we process your data on the basis of your consent, you have the right to withdraw your consent for processing at any time without giving any reason. This does not affect the legality of the previous processing;
(h) the right to complain to the appropriate supervisory authority for our actions.
In order to exercise your rights, you must first let us know. As a first step you are kindly requested to contact in a convenient way for you with the Your Extended Team – the controller of your personal data. To facilitate this process, we have prepared a form of your request (or statement) that you can use to communicate with us – you will find this form at the very end of this Data Protection Policy.
Regardless of how, when and in what form you would like to contact Your Extended Team in matters relating to your privacy, please do not hesitate to read the following information, containing the rules for handling inquiries from people from the European Union resulting from the provisions of the GDPR, which we would use:
Information shall be provided in writing or otherwise, including, where appropriate, electronically. In case of explicit request of the data subject, the information shall be given orally, provided that the identity of the data subject is confirmed by other means. The controller shall refuse to request if the identification of the data subject is not possible. The controller without undue delay – and in any case within one month from receipt of the request – provides the data subject with the information on actions taken in conjunction with the request. If necessary, this period may be extended by another two months due to the complex nature of the request or the number of requests. Within one month from the receipt of the request, the controller shall inform the data subject about such extension, stating the reasons for the delay. If the data subject has forwarded his request electronically, if possible, the information is also transmitted electronically, unless the data subject requests a different form. If the controller fails to take action in relation to the request of the data subject, the controller shall immediately – no later than within one month from the receipt of the request – inform the data subject of the reasons for failure to take action and the possibility of lodging a complaint to the supervisory authority and to exercise available legal remedies before the court. Information provided by the controller as well as communication and actions taken in conjunction with handling requests are free of charge. If the data subjects’ requests are manifestly unjustified or excessive, in particular, because of their continuing nature, the controller shall charge a reasonable fee, including administrative costs of providing information, communication or undertaking specific actions, or refusing to take actions in relation to the request. If the controller has reasonable doubts regarding the identity of the natural person submitting the request, the additional information necessary to confirm the identity of the data subject shall be requested.
INFORMATION ON YOUR RIGHTS (PERSONS FROM OUTSIDE OF THE EU AND THE EEA)
We would like to look after the security of all our Clients and website visitors. If the provisions of GDPR do not apply to you, you can still request that your personal data to be rectified if they are incorrect; to abandon processing them – if there is no grounds for it; to amend personal data – if they are changed. Should you like to amend anything or you simply wish to find out more, please do not hesitate to contact Rite NRG.
PROCESSING OF PERSONAL DATA BELONGING TO CHILDREN
Our website is designed and reserved for adults only. It is the law of the country you are a citizen of which determines if you are an adult. Usually, depending on the country you are the citizen of, you must be at least 18 or 21 years old in order to be able to use our services. If you are not an adult – you are not allowed to enter into. Under no circumstances such agreements shall be concluded by persons who are not at least 16 years old. We do not collect or process personal data of children, including, in particular, personal data of persons under 16 years of age.
COOKIES
As part of our Internet services we are allowed to use cookies. It is a standard practice. These are, in principle, small files saved in the memory of your device which you are using while visiting our website. Cookies collect various information, which – depending on their character or content – may enable us to perform a number of actions, e.g. automatic login to the website, automatic filling out of forms, return to the place on the website where the reading has ended, etc.
Information about the cookies we use on our website:
(a) AspNetCore.Antiforgery – a temporary cookie file used to verify correctness of sent HTML forms in order to protect against breaking into the website service with a use of machine methods;
(b) ARRAffinity – a cookie file used by a server to connect user sessions with a specific server instance. It aims to evict a situation in which a user is automatically redirected to a server instance to which has no authorization;
(c) Anyvision.Session – user session information cookie file, allowing to identify a user during a session;
(d) Token – JWT token, used to authenticate a user after a login. Together with a session cookie allows to identify a user in the system.
WHO IS BOUND BY THIS DATA PROTECTION POLICY
We strive to familiarize all our staff with this policy, in particular those who have access to any personal data. Our employees and fellows are obliged to observe rules and principles which we apply in order to protect your data and we are committed to process your data with full respect of the law and in accordance with the main principles of our Policy indicated above. Only selected employees of Your Extended Team have access to your data.
We follow these principles, you use them.
TRANSFER OF DATA TO THIRD COUNTRIES AND INTERNATIONAL ORGANIZATIONS
Your Extended Team is the company incorporated under the Poland law system. The data you provide to us shall be processed primarily in Poland. Your Extended Team may also have affiliates in various countries around the World. In this case, your data shall also be processed in the country in which we have affiliates. For its correct or enhanced operation, we can take advantage of various possibilities offered by technology and IT infrastructure, which may involve the temporary transfer of your data to servers, end devices, etc. located in other countries. No matter where your data is processed, we are striving to provide equal level of data security everywhere. In particular, we select our contractors – providers of infrastructure and IT services – choosing only those who can guarantee the high level of protection of your privacy.
SECURITY OF YOUR DATA AND DATA RETENTION
We use appropriate to the level of risk (which may involve processing of your data) technological, organizational and physical safeguards. Depending on the circumstances, we may use different types of security: IT security, encryption, pseudoanonymization, physical security or well-organized internal principles of processing of personal data only by concretely authorized persons. We protect your data in particular against accidental loss, modification or unauthorized disclosure to third parties. We protect your data best as we can.
We store and process your data for as long as it is necessary for the purposes for which we do it. We might be obliged by law to keep data for a specific minimum period – we comply with such requirements. In principle, we process your data as long as it is necessary to provide and settle our services.
PERSONAL DATA BREACH
In the case where there would be a breach of the personal data protection of a person from the European Union, we would inform this person if this breach may actually have a serious impact on his/her rights, freedoms as well as privacy. In principle, legal provisions require us to inform two entities in the event of the breach of personal data protection: the appropriate supervisory authority and the personal data subject. At the same time, if the privacy of such a person and its other rights are not at risk (the law directly indicates the following cases: the controller implemented appropriate technical and organizational protection measures and these measures have been applied to the personal data the breach relates to, in particular measures such as encryption, preventing from reading by persons without authorized access to these personal data; the controller applied measures to eliminate the probability of the high risk of violation of the rights or freedoms of the data subject) there is no need to worry and in accordance with provisions of law we do not have to inform this person separately.
If a notification of the breach of data protection which concerns person from the European Union would involve a disproportionate effort, a public communication is issued or a similar measure whereby the data subjects are informed about the breach in an equally effective manner.
LINKS TO OTHER SITES
Our Service may, from time to time, contain connections with or links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site or service. We advise you to review the privacy policy of every third-party service provider. We have no control over, and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
CHANGES TO THIS PRIVACY POLICY
This Policy is effective as of 1 June 2020 and will remain in effect in its current wording until we amend or change it in any manner. In case of any changes – we will let you know about, either by email message or by posting the new Policy on our website, as reasonably practicable. We reserve the right to update or change our Policy at any time. If you continue to use our services after any change of Policy, it means that you agree with such changes.
STANDARD FORM ENABLING YOU TO EXERCISE YOUR RIGHTS
Please find below the useful form that you can apply in contacts with us in order to exercise your rights related to the processing of personal data by us. You do not have to use it, but it would facilitate to process of handling and resolving your matter in a reliable and quick way. It is primarily designed for persons from the European Union. You can send them to the collector’s contact details provided above.
INFORMATION FOR PERSONS FROM THE EUROPEAN UNION WITHIN THE MEANING OF THE YOUR EXTENDED TEAM DATA PROTECTION POLICY
Information shall be provided in writing or otherwise, including, where appropriate, electronically. In case of explicit request of the data subject, the information shall be given orally, provided that the identity of the data subject is confirmed by other means. The controller shall refuse to request if the identification of the data subject is not possible. The controller without undue delay – and in any case within one month from receipt of the request – provides the data subject with the information on actions taken in conjunction with the request. If necessary, this period may be extended by another two months due to the complex nature of the request or the number of requests. Within one month from the receipt of the request, the controller shall inform the data subject about such extension, stating the reasons for the delay. If the data subject has forwarded his request electronically, if possible, the information is also transmitted electronically, unless the data subject requests the different form. If the controller fails to take action in relation to the request of the data subject, the controller shall immediately – no later than within one month from the receipt of the request – inform the data subject of the reasons for failure to take action and the possibility of lodging a complaint to the supervisory authority and to exercise available legal remedies before the court. Information provided by the controller as well as communication and actions taken in conjunction with handling requests are free of charge. If the data subjects’ requests are manifestly unjustified or excessive, in particular, because of their continuing nature, the controller shall charge a reasonable fee, including administrative costs of providing information, communication or undertaking specific actions, or refusing to take actions in relation to the request. If the controller has reasonable doubts regarding the identity of the natural person submitting the request, the additional information necessary to confirm the identity of the data subject shall be requested.