Privacy Policy for users of the Wrzutka mobile application

Privacy Policy is addressed to every user of the Wrzutka mobile application, hereinafter referred to as the User and includes information on the purposes and methods of collecting, assembling and processing their personal data. It is recommended that persons downloading, installing and using the Wrzutka mobile application read this Privacy Policy before providing any personal data or completing any electronic forms available in the application.

1. Personal data controller

The personal data controller ("Controller") is Grupa Sławomir Chełmiński with its registered office at 83-021 Przejazdowo, ul. Główna 26, Poland, tax identification number (NIP) 9570985581, REGON number 221634966, email address [email protected]

2. Legal basis for data processing

The legal basis for data processing is:

  1. consent expressed by the User, or
  2. fulfillment by the Controller of the obligations under the law, including:
    • The Personal Data Protection Act of May 10, 2018,
    • Act of July 18, 2002 on the Provision of Electronically Supplied Services,
    • Act of July 16, 2004 Telecommunications Law,
    • with subsequent amendments to the above laws.

3. Collection and use of data

The provision of personal data is voluntary but necessary to operate the parcel machine Wrzutka. The Controller processes only the data that is needed for the purpose for which it is collected (data minimization). The application expects entering the telephone number, e-mail address, password and any name with which the User will identify, e.g. first name. This data is processed for the purposes of registering the User in the ordering system of parcel machine Wrzutka and for using it. The User's contact data may also be used by the Controller to offer the Controller's products and services. The Controller shall not transfer, sell or grant the collected personal data to other persons or institutions, except to enable the fulfillment of obligations under the law or with the consent of the data subject. The Controller may entrust personal data to other entities for processing under the conditions set out in the applicable law.

4. User rights related to the personal data being processed

The User has the right to:

  1. obtain information on whether the Controller processes the User's personal data, and about the purpose for which it is processed, the categories of User data they retain, the categories of recipients and the planned period of storage of the User's data,
  2. access the data being processed, rectify the data, complete incomplete data or delete the data processed by the Controller,
  3. withdraw, at any time, their consent to the processing of their data by the Controller, provided that the basis for its processing is the consent expressed by the User (data processing will be legal until consent is withdrawn),
  4. request restriction of the personal data being processed, whether for a definite or indefinite period of time, but within a defined scope, which the Controller will be obliged to grant (this request shall not affect actions performed previously),
  5. submit a complaint to the supervisory authority for data protection, i.e. President of the Personal Data Protection Office, should the User find that the processing performed by the Controller violates the GDPR.

5. Information security

The Controller accepts full responsibility for the security of the User's data being processed. The points of logging in and entering personal data are protected in the transmission layer (SSL certificate). This enables personal data and login data entered through the application are encrypted on the User's device. This data can only be read on the destination server. User passwords are stored hashed. The hashing function works in one direction and cannot be reversed, which is the modern standard for storing user passwords. The Controller periodically changes their administrative passwords. To protect the data, the Operator regularly makes backup copies. An important element of data protection is the regular update of all software used by the Operator for the processing of personal data, which in particular means regular updates of programming components. It is ensured that the User's data is processed only by authorized persons and entities.

6. Data retention periods

The Data Controller shall process and store the User's data for the shortest time possible. On a case-by-case basis, the data retention periods are as follows:

  1. If the User has consented to the processing of data for a specific purpose, the data will be kept until the User withdraws their consent or the purpose disappears.
  2. Data processed as part of the implementation of a legally justified marketing interest will be kept as long as this interest lasts or until the User raises an objection.
  3. Data processed in order to meet the Controller's obligations under the applicable law will be retained for as long as such legislation requires.

7. Collecting data using cookies

The Data Controller does not collect data in the Wrzutka mobile application by using cookies.

8. Summary

The Controller may make changes to this Privacy Policy at any time. A new Privacy Policy becomes binding each time it is published in the Wrzutka mobile application, and applies to any collected and processed data resulting from the User's activity after the updated version is placed.