Privacy Policy
Privacy Policy
DESCRIBING
THE PRINCIPLES OF PROCESSING PERSONAL DATA OF CUSTOMERS AND USERS BY ASTRAFOX SP. Z O.O. FOR THE WEBSITES https://amodit.pl/ AND https://amodit.com/
AND REGULATING THE ISSUES OF ENTRUSTING THE PROCESSING OF PERSONAL DATA BY THE CUSTOMER
We place great importance on the protection of personal data processed in connection with the provision of services within Amodit and collected through the websites https://amodit.pl/ and https://amodit.com/, as well as ensuring the privacy and confidentiality of data and ensuring that their processing complies with the relevant legal regulations.
Below, we provide information on how we process personal data obtained directly from you or in another legally permissible manner, how we ensure their security, and what rights you have as a data subject.
In Chapter II of this Policy, we present the regulations regarding the entrustment of personal data processing to us.
Chapter I
PRINCIPLES OF PROCESSING PERSONAL DATA OF CUSTOMERS AND USERS BY ASTRAFOX SP. Z O.O. FOR THE WEBSITES WWW.AMODIT.PL AND WWW.AMODIT.COM
1. BASIC INFORMATION
1.1. This privacy policy describes the principles of processing personal data by Astrafox of Clients and Users using the websites https://amodit.pl/ and https://amodit.com/ (hereinafter collectively referred to as the “Website”), and also regulates the issues of entrusting the processing of personal data (if applicable).
1.2. The administrator of the personal data of Clients and personal data collected through the Website is:
Astrafox Sp. z o.o., headquartered in Warsaw,
ul. Poloneza 93, 02-826 Warszawa,
KRS: 0000193522, NIP: 525-21-71-560, REGON: 016263968,
hereinafter referred to as the “Administrator,” “Astrafox,” or “We.”
1.3. You can contact us:
1.3.1. By phone at: +48 22 355 21 60,
1.3.2. By email at: office@astrafox.pl,
1.3.3. Through the electronic form available on the website at the link: https://amodit.pl/kontakt/,
1.3.4. And by traditional mail to the Administrator’s headquarters address.
1.4. Every entity using the Website is a “Website User.”
1.5. For the purposes of this Policy, the term “Client” means a natural person entering into an Agreement with Astrafox or a natural person representing a legal entity entering into an Agreement with Astrafox. A Client is also a person registering an Account on the Amodit Platform through the website: https://register.amodit.com.
1.6. We process your personal data in accordance with applicable law, in particular, with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR.”
1.7. The Administrator has appointed a Data Protection Officer (DPO), whom you can contact in all matters related to the processing and protection of personal data by writing to the email address: iod@astrafox.pl.
1.8. Unless explicitly stated otherwise in this Policy, the terms have the meanings assigned to them in the Amodit Terms of Service and GDPR.
1.9. We carefully select and apply appropriate technical and organizational measures to ensure the protection of processed personal data. Only properly trained and authorized individuals have full access to the databases.
1.10. We protect personal data against unauthorized access, as well as against other cases of disclosure, loss, destruction, or unauthorized modification, by using appropriate organizational, technical, and software security measures, in particular, through the use of data encryption systems. Passwords are encrypted in a way that makes them unreadable by Astrafox and persons acting on its behalf.
1.11. Data transmission is carried out using a secure SSL protocol, with Astrafox not responsible for the part of the data transmission that takes place within independent email systems through which the Client or User sends or receives a message.
2. PURPOSES AND LEGAL BASES FOR DATA PROCESSING
2.1. Personal Data of Clients
2.1.1. The personal data of Clients who are natural persons or natural persons conducting business activities will be processed for the purpose of concluding and executing the Agreement based on Art. 6(1)(b) GDPR, including the agreement for the provision of electronic services in accordance with the Amodit Terms of Service (if applicable).
2.1.2. The personal data of natural persons legally authorized to represent a Client who is a legal entity will be processed for the purpose of concluding and executing the Agreement, including the agreement for the provision of electronic services in accordance with the Amodit Terms of Service (if applicable), based on the legitimate interest of the Administrator (Art. 6(1)(f) GDPR), which is the conclusion and execution of the agreement.
2.1.3. The personal data of Clients will be processed to fulfill the Administrator’s legal obligations, such as handling complaints, accounting and tax obligations (financial and tax settlements), archiving, and obligations to courts and law enforcement agencies.
2.1.4. The personal data of Clients will also be processed to enable the Administrator to pursue potential claims or defend against claims based on the legitimate interest of the Administrator (Art. 6(1)(f) GDPR), which is the pursuit of claims and defense against claims.
2.2. Personal Data of Client’s Employees and Associates Indicated by the Client for Contact Purposes
2.2.1. The personal data of individuals designated by the Client for contact purposes in connection with the concluded agreement will be processed to contact them regarding the conclusion and execution of the Agreement. The legal basis for processing personal data for this purpose is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR), which is communication related to the concluded or concluded agreement.
2.2.2. The personal data of the individuals indicated in point 2.2.1 above may also be processed to enable the Administrator to pursue potential claims or defend against claims based on the legitimate interest of the Administrator (Art. 6(1)(f) GDPR), which is the pursuit of claims and defense against claims.
2.2.3. The personal data of individuals designated by the Client for contact purposes may be provided to Astrafox directly by the individuals concerned or by the Client.
2.3. Personal Data of Website Users Submitted via the “Write to Us” Contact Form
2.3.1. If you write to us using the “Write to Us” contact form, your personal data will be processed to respond to your question and address the issue you contacted us about using the contact details you provided in the form. The legal basis for processing your personal data is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR), which is responding to the messages of the Website User and conducting communication.
2.3.2. If you request Astrafox to provide a commercial offer, your personal data will be processed for this purpose based on Art. 6(1)(b) GDPR, i.e., to take steps at the request of the data subject before concluding the contract (if you are the party to the contract) or based on our legitimate interest in providing the requested offer (Art. 6(1)(f) GDPR) if you represent a legal entity.
2.4. Personal Data of Website Users Submitted via the “Schedule a Free Consultation” Form
2.4.1. The personal data provided via the “Schedule a Free Consultation” form will be processed to select the appropriate consultant for you depending on the challenge you contact us with, to contact you to schedule a free consultation, and then to conduct it.
2.4.2. The legal basis for processing your data for the above purposes is our legitimate interest (Art. 6(1)(f) GDPR), which is to conduct the free consultation you requested, discuss your needs, and select appropriate solutions.
2.5. Personal Data of Website Users Submitted via the Amodit DEMO Access Request Form
2.5.1. The personal data provided via the Amodit DEMO access request form will be processed to select the appropriate advisor for you, contact you to understand your business needs, and then send a link to register for the Amodit DEMO.
2.5.2. The legal basis for processing your data for the above purposes is our legitimate interest (Art. 6(1)(f) GDPR), which is to contact you, discuss your business needs, and send you the link to register for the Amodit DEMO.
2.6. Personal Data of Website Users Submitted via the “Let’s Get to Know Each Other Better” Form
2.6.1. The personal data provided via the “Let’s Get to Know Each Other Better” form will be processed to respond to your message and contact you to provide detailed information about potential partnership opportunities with us.
2.6.2. The legal basis for processing your data for the above purposes is our legitimate interest (Art. 6(1)(f) GDPR), which is to respond to your message and contact you to discuss the topic you contacted us about.
2.7. Access to Free Webinars
2.7.1. As a User of our Website, you have the opportunity to sign up for free webinars. To do so, you are required to provide your email address and name. A confirmation link will be sent to the provided email address, and upon clicking it, you will receive access to the webinar.
2.7.2. The legal basis for processing your personal data for this purpose is the execution of the contract, i.e., the electronic service (Art. 6(1)(b) GDPR) of providing access to free materials.
2.7.3. Your personal data will also be processed for statistical purposes, which constitutes our legitimate interest (Art. 6(1)(f) GDPR).
2.8. Marketing Consents
2.8.1. If you tick the optional consents located under the form (for email marketing or phone marketing) while submitting your data using one of the available forms on the Website, your personal data, depending on the consents given and the data provided, will be processed for the purposes of:
a. Sending marketing and commercial content about our offer via email to the email address you provided in the form;
b. Contacting you by phone to present marketing and commercial content about our offer to the phone number you provided in the form.
2.8.2. Please note that marketing contact from us will certainly not be intrusive and will occur, for example, when we have a new product, functionality, or service to present to you.
2.8.3. Remember, you can withdraw your marketing consents at any time.
2.8.4. The legal basis for processing personal data for the marketing purposes described in point 2.8.1 above is the legitimate interest of the Administrator (Art. 6(1)(f) GDPR in connection with the given marketing consents), which is the marketing and promotion of its services, products, and activities.
3. DATA SUBJECT RIGHTS (RIGHTS OF THE DATA SUBJECT)
3.1. Under the principles described in GDPR, you have the following rights regarding the processing of your personal data by Astrafox:
3.1.1. The right to access your data and request a copy of it (Art. 15 GDPR);
3.1.2. The right to request the correction of your personal data (Art. 16 GDPR);
3.1.3. The right to request the deletion of your personal data (Art. 17 GDPR);
3.1.4. The right to request the restriction of data processing (Art. 18 GDPR);
3.1.5. The right to data portability, i.e., to receive your personal data from the Administrator in a structured, commonly used, machine-readable format, to the extent that the data is processed based on consent or for the purpose of concluding and performing an agreement in an automated manner (Art. 20 GDPR);
3.1.6. The right to object to the processing of personal data based on a legitimate interest, including for marketing purposes (Art. 21 GDPR);
3.1.7. The right to withdraw consent – if data is processed based on the consent given, you have the right to withdraw it at any time, which does not affect the lawfulness of processing based on consent before its withdrawal;
3.1.8. The right to withdraw consent for email or phone marketing – if you have given consent to be contacted for marketing and commercial purposes at the email address or phone number provided in the form, you have the right to withdraw such consent at any time.
3.1.9. You also have the right to lodge a complaint with the President of the Personal Data Protection Office if you believe that the processing of your personal data violates GDPR provisions.
3.2. How to exercise your rights?
3.2.1. To exercise your rights, please send a request with your demands to the email address: office@astrafox.pl, or to the email address: iod@astrafox.pl.
3.2.2. If you do not receive a response from us within 14 days (sometimes emails do not arrive or end up in spam), please call: +48 22 355 21 60 or +48 500 492 209.
3.2.3. If you are receiving marketing and commercial messages by email, you always have the option to unsubscribe from the mailing list (cancel your subscription) and thus withdraw your marketing consent by clicking the link available at the bottom of the message.
4. DATA RECIPIENTS
4.1. For the proper functioning of Astrafox and the Website, it is necessary for us to use the services of external entities. The Administrator uses the services of such entities that provide sufficient guarantees for implementing appropriate technical and organizational measures so that the processing complies with GDPR and protects the rights of data subjects.
4.2. Data recipients may include:
4.2.1. Entities processing personal data based on processing agreements concluded with the Administrator, including, in particular, accounting offices, companies providing IT services, hosting services, advisory services, courier services,
4.2.2. Entities cooperating with the Administrator, including, in particular, in the areas of legal and debt collection services, insurance, postal services,
4.2.3. Entities entitled to obtain personal data based on legal provisions (other administrators), e.g., tax offices, courts, and law enforcement agencies.
5. STORAGE PERIOD
5.1. Personal data processed based on a legitimate interest (Art. 6(1)(f) GDPR) will be processed for as long as this interest exists or until a successful objection to data processing is made.
5.2. Data processed for marketing contact purposes will be processed until an objection to processing for this purpose is made or until marketing contact consents are withdrawn.
5.3. Data processed based on an agreement (Art. 6(1)(b) GDPR) will be processed for the duration of the agreement and subsequently for the period of limitation of mutual claims.
6. INFORMATION ON THE REQUIREMENT/VOLUNTARY NATURE OF PROVIDING DATA
6.1. Providing personal data is voluntary but may be necessary to achieve a specific processing purpose.
6.2. For Clients, failure to provide data may result in the inability to execute the Agreement.
6.3. In the forms provided on the Website, required fields are marked with an asterisk. Entering other data into the forms is voluntary.
7. INFORMATION ON PROFILING AND DATA TRANSFER OUTSIDE THE EEA
7.1. Personal data will not be subject to automated decision-making, including profiling.
7.2. Personal data may be transferred to third countries, particularly to the USA, in connection with our use of electronic services and tools provided by foreign suppliers. These service providers (e.g., email systems) have their servers, among others, in the USA, where your data may be stored. Data transfer takes place based on Standard Contractual Clauses or binding corporate rules approved by the relevant supervisory authority, ensuring an adequate level of personal data protection.
Chapter II
ENTRUSTING THE PROCESSING OF PERSONAL DATA
If the Client entrusts the processing of personal data, the provisions of this chapter, constituting the Agreement on the entrustment of personal data processing referred to in Article 28(3) and following of GDPR, apply. The Client may contact Astrafox to negotiate and amend the content of these provisions; any changes must be in writing to be valid.
1. DEFINITIONS
1.1. Astrafox – Astrafox Sp. z o.o., headquartered in Warsaw, ul. Poloneza 93, 02-826 Warsaw, registered in the District Court for the Capital City of Warsaw, XIII Commercial Division of the National Court Register, in the Register of Entrepreneurs under the number 0000193522, NIP 525-21-71-560, with share capital of PLN 131,200, which processes personal data entrusted by the Client in connection with providing services to the Client, based on the Amodit Terms of Service, any submitted order, or signed agreement;
1.2. Personal Data – personal data as defined in Article 4(1) GDPR, i.e., any information relating to an identified or identifiable natural person;
1.3. Client – a natural person, legal entity, or organizational unit without legal personality, which has legal capacity under the law, entering into an agreement with Astrafox and entrusting Astrafox to process personal data in connection with the use of Astrafox Services;
1.4. Processing – means any operation or set of operations performed on personal data or sets of personal data, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
1.5. Amodit Terms of Service – the Terms of Use of the Amodit Platform available at: https://amodit.pl/regulamin-platformy-amodit;
1.6. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
1.7. Other capitalized terms used in this Chapter and not defined in paragraph 1 above have the meanings assigned to them in the Amodit Terms of Service and GDPR.
2. SUBJECT OF ENTRUSTMENT
2.1. Under the conditions specified in this chapter, the Client entrusts Astrafox with the processing of personal data, for which the Client is the Administrator or Processor under GDPR, to provide Services to the Client based on the Amodit Terms of Service, any submitted order, or signed agreement.
2.2. Astrafox undertakes to process the entrusted personal data in accordance with this Chapter, GDPR, and other generally applicable legal provisions that protect the rights of data subjects.
3. NATURE, SCOPE, AND PURPOSE OF DATA PROCESSING ENTRUSTMENT
3.1. The Client entrusts Astrafox with processing personal data of the following categories of persons: Amodit Platform Users who are employees or associates of the Client, employees, associates, contractors of the Client, and other persons whose personal data are included in documents stored on the Amodit Platform and Amodit Trust Center servers (if applicable).
3.2. The type of personal data entrusted for processing includes ordinary personal data in the scope of: identification data (e.g., name and surname, position, PESEL), address data (e.g., residence address, correspondence address, registration address), contact data (e.g., phone number, email address), financial data (salary amounts, invoice and bill data, bank account numbers), and other personal data entered by the Client on the Amodit Platform or Amodit Trust Center servers (if applicable).
3.3. The purpose of entrusting Astrafox with the processing of personal data is to provide Services to the Client based on the Amodit Terms of Service, any submitted order, or signed agreement.
3.4. Astrafox is authorized to process personal data in electronic form.
3.5. The entrustment of personal data processing is continuous for the duration of the provided Services.
3.6. The Client is obliged to notify Astrafox of any and all other categories of persons, beyond those specified in paragraph 3.1, and any other types of data, beyond those specified in paragraph 3.2, if they exist, before entrusting personal data. This notification should be made via the order form or to the email address: iod@astrafox.pl.
4. OBLIGATIONS OF ASTRAFOX AS A PROCESSOR
4.1. Processing by Astrafox of the entrusted personal data is permitted only for the purpose specified in paragraph 3.3 above.
4.2. Access to the personal data entrusted to Astrafox may only be granted to employees or associates of Astrafox who have been authorized by Astrafox to process such data, preceded by the submission of a declaration by these persons to keep such data and the means of securing it confidential.
4.3. Astrafox undertakes to process the entrusted personal data only on the documented instructions of the Client. The acceptance of the Amodit Terms of Service, any separate agreement concluded with the Client, orders, and additional instructions provided in writing or by email are considered documented instructions of the Client.
4.4. Astrafox is obliged to ensure the security of the entrusted personal data by implementing appropriate technical and organizational measures, adequate to the type of entrusted data and the risk of violation of the rights of the persons concerned.
4.5. Astrafox is obliged to cooperate with the Client in responding to the requests of the data subject, as described in Articles 12-22 GDPR, in a manner that guarantees compliance with the response deadlines provided in these provisions. Astrafox is obliged to inform the Client of any request made by the entitled person in the exercise of their rights under GDPR and to provide the Client with all necessary information in this regard.
4.6. Considering the nature of the processing of the entrusted data and the information available to Astrafox, Astrafox is obliged to support the Client in fulfilling their obligations in terms of data security, managing personal data protection breaches, and reporting them to the supervisory authority and the data subject, conducting data protection impact assessments, and consulting with the supervisory authority, in accordance with GDPR provisions, particularly Articles 32-36 GDPR.
4.7. Astrafox is obliged to immediately notify the Client of any complaints, letters, inspections by the supervisory authority, court, and administrative proceedings related to the entrusted personal data and to cooperate with the Client in this regard, particularly by providing the Client with all related documentation.
4.8. Astrafox is obliged to immediately, but no later than within 36 hours, inform the Client of any identified personal data protection breach. The information provided to the Client should include at least:
4.8.1. A description of the nature of the breach and – if possible – an indication of the categories and approximate number of persons whose data has been breached and the amount and type of data concerned;
4.8.2. The name and contact details of the data protection officer or other unit or person whom the Client can contact in connection with the breach;
4.8.3. A description of the possible consequences of the breach;
4.8.4. A description of the measures taken or proposed to be taken by Astrafox to address the breach, including minimizing its negative effects.
5. OBLIGATIONS OF THE CLIENT
5.1. The Client is obliged to cooperate with Astrafox in providing services to the Client.
5.2. If Astrafox has any doubts regarding the legality of the instructions issued by the Client concerning the entrusted personal data, Astrafox will inform the Client of these doubts, and the Client will be obliged to provide Astrafox with written explanations in this regard. The Client’s explanations should be provided immediately, but no later than within 3 days of becoming aware of the doubts.
6. RIGHT TO CONTROL
6.1. The Client has the right to control Astrafox regarding the processing of the entrusted personal data from the perspective of compliance with legal regulations and the provisions of this chapter. The control is carried out in the form of an audit conducted by the Client or an auditor authorized by the Client. Conducting the audit must not cause undue burden to Astrafox. In particular, the Client may exercise the right to control only during Astrafox’s working hours. Information about the audit date and scope will be provided to Astrafox at least 30 days in advance, in writing or by email, indicating the audit scope, the tools to be used by the Client, and the persons authorized by the Client to conduct the audit.
6.2. The Client’s right to conduct an audit includes one control per calendar year. This limitation does not apply if the data protection authority requires the Client to conduct an additional audit. All provisions of this paragraph apply to any additional audit.
6.3. The Client will obligate the auditor conducting the control to maintain confidentiality indefinitely regarding all information obtained during or in connection with the audit, especially regarding Astrafox’s confidential data, its employees, or clients.
6.4. If the audit scope or tools presented by the Client could lead to a violation of data protection regulations by Astrafox, Astrafox is entitled to object to the audit and is obliged to immediately inform the Client in writing, providing detailed reasons for the objection, and indicating potential violations that could result from the audit.
7. SUB-PROCESSING OF PERSONAL DATA
7.1. The Client grants Astrafox general consent to sub-process personal data for which the Client is the administrator or processor, provided that the intention to sub-process personal data requires prior notification to the Client to enable them to express any objections. The Client’s lack of written objection within 24 hours of receiving the notification is considered acceptance of the sub-processor. Astrafox reserves the right that an objection may result in the inability to continue providing services to the Client.
7.2. The list of sub-processors of Personal Data is available upon the Client’s request at the following address: iod@astrafox.pl. Astrafox will update the list referred to in the preceding sentence upon each inquiry, depending on the type of data processing.
8. LIABILITY OF ASTRAFOX
8.1. Astrafox is liable to the Client for the proper performance of data protection obligations by the third party to whom it has sub-processed the personal data.
8.2. Astrafox is liable for damages, excluding lost profits, caused by its culpable action in connection with the failure to fulfill obligations imposed by law, including GDPR, directly on the Processor or when acting outside the lawful instructions of the Client or contrary to those instructions.
9. TERMINATION OF PERSONAL DATA PROCESSING
9.1. Astrafox is entitled to process the entrusted personal data until the day the provision of services to the Client is terminated.
9.2. After the termination of the provision of services to the Client, Astrafox will return or permanently delete all personal data to which it had access while providing services to the Client unless legal provisions require further storage of personal data.
Chapter III
FINAL PROVISIONS
1. Astrafox reserves the right to change this Privacy Policy, especially in the event of changes in the law and new guidelines from the authorities responsible for data protection supervision.
2. In the event of changes to Chapter II of this Privacy Policy, concerning the provisions governing the entrustment of personal data processing, Astrafox will inform the Client of the planned changes no later than 14 (fourteen) days before the proposed date of entry into force of the changes to Chapter II.
3. If the Client does not submit a written objection to the changes in Chapter II of the Privacy Policy before the proposed date of entry into force, the changes are considered accepted.
4. The Client has the right to negotiate changes to Chapter II of the Privacy Policy.
5. Matters not regulated by this Privacy Policy are subject to the provisions of the Civil Code, as well as GDPR and other generally applicable legal provisions in the field of personal data protection.
6. Astrafox and the Client declare that in the event of disputes arising from the implementation of the provisions regarding the entrustment of personal data processing, they will strive to resolve them amicably. If the dispute cannot be resolved in this way, the common court with jurisdiction over the registered office of Astrafox will have jurisdiction to resolve it.
This version of the Privacy Policy is effective from April 27, 2023.