Privacy policy

 

Privacy policy

PRIVACY POLICY DESCRIBING THE PROCESSING PRINCIPLES OF PERSONAL DATA BY ASTRAFOX SP. Z O.O. OF CUSTOMERS AND USERS OF THE WEBSITES WWW.AMODIT.PL and WWW.AMODIT.COM AND REGULATING THE ISSUES OF ENTRUSTING THE PROCESSING OF PERSONAL DATA BY THE CUSTOMER

We attach great importance to the protection of personal data processed in connection with the provision of services within Amodit, as well as those collected through the websites www.amodit.pl and www.amodit.com. We also prioritize ensuring the privacy and confidentiality of data and ensuring compliance with the relevant legal regulations regarding their processing.

Below, we present information on how we process personal data obtained directly from you or in any other lawful manner, how we ensure their security, and what rights you have as a data subject.

In Chapter II of this Policy, we present regulations concerning the entrustment of personal data processing to us.

CHAPTER I

PROCESSING PRINCIPLES OF PERSONAL DATA BY ASTRAFOX SP. Z O.O. OF CUSTOMERS AND USERS OF THE WEBSITES WWW.AMODIT.PL and WWW.AMODIT.COM

1. BASIC INFORMATION
1.1. This privacy policy describes the principles of processing personal data by Astrafox of Customers and Users using the websites https://amodit.pl/ and https://amodit.com/ (hereinafter collectively referred to as the “Website”), as well as regulates the issues of entrusting the processing of personal data (if applicable).
1.2. The administrator of personal data of Customers and data collected through the Website is: Astrafox Sp. z o.o., with its registered office in Warsaw, ul. Poloneza 93, 02-826 Warsaw, KRS: 0000193522, NIP: 525-21-71-560, REGON: 016263968, hereinafter referred to as the “Administrator,” “Astrafox,” or “We.”
1.3. You can contact us:
1.3.1. by phone at: +48 22 355 21 60,
1.3.2. by email at: office@astrafox.pl,
1.3.3. through an electronic form available on the website at the link: https://amodit.com/contact/,
1.3.4. or by traditional mail to the Administrator’s registered office address.
1.4. Any entity using the Website is a “User of the Website.”
1.5. For the purposes of this Policy, the term “Customer” refers to an individual who concludes an Agreement with Astrafox or a natural person representing a legal entity who concludes an Agreement with Astrafox. A Customer also includes a person registering an Account on the Amodit Platform through the website: https://register.amodit.com.
1.6. We process your personal data in accordance with applicable law, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as the “GDPR.”
1.7. The Administrator has appointed a Data Protection Officer (DPO), who can be contacted for all matters related to the processing and protection of personal data by writing to the email address: iod@astrafox.pl.
1.8. Unless otherwise expressly stated in this Policy, the terms used have the meaning assigned to them in the Amodit Terms and Conditions and the GDPR.
1.9. We carefully select and apply appropriate technical and organizational measures to ensure the protection of processed personal data. Full access to the databases is granted only to properly trained and authorized individuals.
1.10. We protect personal data from unauthorized access, as well as from any other unauthorized disclosure, loss, destruction, or unauthorized modification by implementing appropriate organizational, technical, and programmatic security measures, including the use of data encryption systems. Passwords are encrypted in a way that prevents their reading by Astrafox or individuals acting on its behalf.
1.11. Data transmission is carried out using a secure SSL protocol, although Astrafox is not responsible for the transmission of data that takes place within independent email systems not controlled by Astrafox, in which the Customer or User sends or receives messages.

2. PURPOSES AND LEGAL BASIS OF DATA PROCESSING
2.1. Personal data of Customers
2.1.1. Personal data of Customers who are natural persons or natural persons conducting business activities will be processed for the purpose of concluding and performing the Agreement based on Article 6(1)(b) of the GDPR, including agreements for the provision of services electronically in accordance with the Amodit Terms and Conditions, if applicable.
2.1.2. Personal data of individuals legally authorized to represent a Customer who is a legal entity will be processed for the purpose of concluding and performing the Agreement, including agreements for the provision of services electronically in accordance with the Amodit Terms and Conditions, if applicable, based on the legitimate interests pursued by the Administrator (Article 6(1)(f) of the GDPR), which include concluding and performing the agreement.
2.1.3. Personal data of the Customer will be processed for the purpose of fulfilling the Administrator’s obligations arising from legal provisions, such as handling complaints, accounting obligations, tax obligations (financial and tax settlements), archiving obligations, as well as obligations towards courts and law enforcement authorities.
2.1.4. Personal data of Customers will also be processed for the purpose of enabling the Administrator to assert any claims or defend against claims based on the legitimate interests pursued by the Administrator (Article 6(1)(f) of the GDPR), which include asserting claims and defending against claims.
2.2. Personal data of employees and collaborators of the Customer designated by the Customer as individuals for work-related contacts
2.2.1. Personal data of individuals designated by the Customer as work-related contacts in connection with the concluded agreement will be processed for the purpose of communication related to the conclusion and performance of the Agreement. The legal basis for processing personal data for this purpose is the legitimate interest pursued by the Administrator (Article 6(1)(f) of the GDPR), which includes conducting communication in connection with the concluded or ongoing agreement.
2.2.2. Personal data of individuals mentioned in point 2.2.1 above may also be processed for the purpose of enabling the Administrator to assert any claims or defend against claims based on the legitimate interests pursued by the Administrator (Article 6(1)(f) of the GDPR), which include asserting claims and defending against claims.
2.2.3. Personal data of individuals designated by the Customer as work-related contacts may be provided to Astrafox directly by the individuals whose data is concerned or by the Customer.
2.3. Personal data of the Website User provided through the “Contact us” form
2.3.1. If you contact us through the “Contact us” form, we will process your personal data for the purpose of responding to your inquiry and handling the matter you have contacted us about using the contact information you provide in the form. The legal basis for processing your personal data is the legitimate interest pursued by the Administrator, which includes responding to the User’s messages and conducting communication (Article 6(1)(f) of the GDPR).
2.3.2. If you request Astrafox to provide a commercial offer, your personal data will be processed for this purpose based on Article 6(1)(b) of the GDPR, i.e., taking steps at the request of the data subject prior to entering into a contract (if you will be a party to the contract), or based on our legitimate interest in presenting the requested offer (Article 6(1)(f) of the GDPR) if you represent a legal entity.
2.4. Personal data of the Website User provided through the “Schedule a Free Consultation” form
2.4.1. The personal data provided through the “Schedule a Free Consultation” form will be processed for the purpose of matching you with a suitable consultant based on the challenge you are contacting us about, contacting you to schedule a free consultation, and then conducting the consultation.
2.4.2. The legal basis for processing your data for the purposes mentioned above is our legitimate interest (Article 6(1)(f) of the GDPR) in conducting the requested free consultation, discussing your needs, and providing appropriate solutions.
2.5. Personal data of the Website User provided through the “Request Access to Amodit DEMO” form
2.5.1. The personal data provided through the “Request Access to Amodit DEMO” form will be processed for the purpose of matching you with a suitable advisor, contacting you to understand your business needs, and then sending you a link to register for the Amodit DEMO.
2.5.2. The legal basis for processing your data for the purposes mentioned above is our legitimate interest (Article 6(1)(f) of the GDPR) in contacting you, discussing your business needs, and providing you with the link to register for the Amodit DEMO.
2.6. Personal data of the Website User provided through the “Let’s Get to Know Each Other” form
2.6.1. The personal data provided through the “Let’s Get to Know Each Other” form will be processed for the purpose of responding to your message and contacting you to provide detailed information about the possibility of partnering with us.
2.6.2. The legal basis for processing your data for the purposes mentioned above is our legitimate interest (Article 6(1)(f) of the GDPR) in responding to your message and contacting you to discuss the topic you are contacting us about.
2.7. Accessing free webinars
2.7.1. As a user of our website, you have the option to sign up for free webinars. To do this, you are required to provide your email address and first name. We will send a confirmation link to the provided email address, and upon clicking it, you will gain access to the webinar.
2.7.2. The legal basis for processing your personal data for the above purpose is the performance of a contract, namely the electronically provided service (Article 6(1)(b) of the GDPR), which involves providing access to free materials.
2.7.3. We will also process your personal data for statistical purposes, which is our legitimate interest (Article 6(1)(f) of the GDPR).
2.8. Marketing consents
2.8.1. If you select the optional consents located under the form on the website (for email marketing or telephone marketing) when submitting your data through one of the available forms, your personal data, depending on the provided consents and information, will be processed for the following purposes:
a. Sending marketing and commercial content related to our offer by Astrafox Sp. z o.o. via email to the email address provided by you in the form.
b. Contacting you by telephone to present marketing and commercial content related to our offer to the phone number provided by you in the form.
2.8.2. We would like to emphasize that our marketing communication will not be intrusive and will occur, for example, when we have a new product, feature, or service to present to you.
2.8.3. Remember that you can withdraw your marketing consents at any time.
2.8.4. The legal basis for processing personal data

3. DATA SUBJECT RIGHTS (RIGHTS OF THE INDIVIDUAL WHOSE DATA IS PROCESSED)
3.1. In accordance with the provisions of the GDPR, you have the following rights regarding your personal data processed by Astrafox:
3.1.1. The right to access your data and request a copy of it (Article 15 of the GDPR).
3.1.2. The right to request the correction of your personal data (Article 16 of the GDPR).
3.1.3. The right to request the erasure of your personal data (Article 17 of the GDPR).
3.1.4. The right to request the restriction of processing of your data (Article 18 of the GDPR).
3.1.5. The right to data portability, which means to receive personal data from the data controller in a structured, commonly used, machine-readable format, and transmit it to another data controller, where the processing is based on consent or on a contract (Article 20 of the GDPR).
3.1.6. The right to object to the processing of personal data based on a legitimate interest, including for marketing purposes (Article 21 of the GDPR).
3.1.7. The right to withdraw consent – if your data is processed based on your consent, you have the right to withdraw it at any time. However, this does not affect the lawfulness of the processing based on consent before its withdrawal.
3.1.8. The right to withdraw consent for email or telephone marketing – if you have provided consent to be contacted for marketing and commercial purposes using the email address or phone number you provided in the form, you have the right to withdraw that consent at any time.
3.1.9. You also have the right to lodge a complaint with the President of the Personal Data Protection Office if you believe that the processing of your personal data violates the provisions of the GDPR.
3.2. How to exercise your rights?
3.2.1. To exercise your rights, please send a request stating your demands to the email address: office@astrafox.pl, or to the email address iod@astrafox.pl.
3.2.2. If you do not receive a response from us within 14 days (sometimes emails do not reach their destination or end up in spam), please contact us by phone at +48 22 355 21 60 or +48 500 492 209.
3.2.3. If you receive marketing and commercial messages to your email address, you always have the option to unsubscribe (cancel your subscription) and withdraw your marketing consent by clicking on the link available at the bottom of the message.

4. DATA RECIPIENTS
4.1. For the proper functioning of Astrafox’s activities and website, it is necessary for us to use the services of external entities. The data controller only utilizes the services of entities that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of the individuals whose data is processed.
4.2. The recipients of personal data may include:
4.2.1. Entities processing personal data on behalf of the data controller based on data processing agreements, including but not limited to: accounting offices, IT service providers, hosting providers, consultants, courier companies.
4.2.2. Entities cooperating with the data controller, including but not limited to: legal service providers, debt collection agencies, insurance companies, postal service providers.
4.2.3. Entities authorized to obtain personal data based on legal provisions (other data controllers), such as the tax authorities, courts, and law enforcement agencies.

5. DATA RETENTION
5.1. Personal data processed based on a legitimate interest (Art. 6(1)(f) of the GDPR) will be processed for as long as this interest exists or until an effective objection to the processing of the data is raised.
5.2. Data processed for marketing contact purposes will be processed until an objection to such processing is raised or until the withdrawal of consent for marketing contact.
5.3. Data processed based on a contract (Art. 6(1)(b) of the GDPR) will be processed for the duration of the contract and then for the period of limitation of mutual claims.

6. INFORMATION ABOUT THE REQUIREMENT/VOLUNTARINESS OF PROVIDING DATA
6.1. Providing personal data is voluntary, but it may be necessary to achieve a specific processing purpose.
6.2. In the case of customers, failure to provide data may result in the inability to fulfill the contract.
6.3. In the forms provided on the website, required fields have been marked with an asterisk. Providing additional data in the forms is optional.

7. INFORMATION ABOUT PROFILING AND TRANSFER OF DATA OUTSIDE THE EEA
7.1. Personal data will not be subject to automated decision-making, including profiling.
7.2. Personal data may be transferred to third countries, particularly to the USA, in connection with our use of electronic services and tools provided by foreign suppliers. These service providers (e.g., email delivery systems) have their servers, including in the USA, where your data may be stored. The transfer of data is based on Standard Contractual Clauses or Binding Corporate Rules approved by the competent supervisory authority, ensuring an adequate level of data protection.

CHAPTER II
DATA PROCESSING SUBCONTRACTING

If the Client entrusts the processing of personal data, the provisions of this chapter shall apply, constituting a Data Processing Agreement as referred to in Article 28(3) and subsequent provisions of the GDPR. The Client may contact Astrafox to initiate negotiations and amend the content of these provisions. Any changes for their validity require written form.

1. DEFINITIONS
1.1. Astrafox – Astrafox Sp. z o.o., with its registered office in Warsaw, ul. Poloneza 93, 02-826 Warsaw, registered in the District Court for the Capital City of Warsaw, XIII Economic Division of the National Court Register, in the Register of Entrepreneurs under the number 0000193522, Tax Identification Number (NIP) 525-21-71-560, share capital of 131,200 Polish złoty, which processes the personal data entrusted by the Client in connection with the provision of Services to the Client, based on the Amodit Terms and Conditions, any order placed in any form, or a signed agreement.
1.2. Personal Data – personal data as defined in Article 4(1) of the GDPR, i.e., any information relating to an identified or identifiable natural person.
1.3. Client – an individual, legal person, or organizational unit without legal personality but having legal capacity under the law, who enters into an agreement with Astrafox and entrusts Astrafox with the processing of Personal Data in connection with the use of Astrafox’s Services.
1.4. Processing – means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.5. Amodit Terms and Conditions – Terms and Conditions for Using the Amodit Platform available at: https://amodit.com/terms-of-service/
1.6. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.7. Other capitalized terms used in this Chapter and not defined in paragraph 1 above shall have the meaning assigned to them in the Amodit Terms and Conditions and the GDPR.

2. SUBJECT OF THE DATA PROCESSING AGREEMENT
2.1. Subject to the terms specified in this chapter, the Client entrusts Astrafox with the processing of Personal Data for which the Client acts as the Data Controller or Data Processor under the GDPR, for the purpose of providing Services to the Client by Astrafox, based on the Amodit Terms and Conditions, any order placed in any form, or a signed agreement.
2.2. Astrafox undertakes to process the entrusted Personal Data in accordance with this chapter, the GDPR, and other applicable laws that protect the rights of the individuals whose data is being processed.

3. NATURE, SCOPE, AND PURPOSE OF DATA PROCESSING
3.1. The Client entrusts Astrafox with the processing of Personal Data concerning the following categories of individuals: Users of the Amodit Platform who are employees or collaborators of the Client, employees, collaborators, contractors of the Client, and other individuals whose personal data is stored on the Amodit Platform and Amodit Trust Center servers (if applicable).
3.2. The type of Personal Data entrusted for processing includes ordinary personal data, such as identification data (e.g., name, position, national identification number), address data (e.g., residential address, mailing address, registered address), contact information (e.g., phone number, email address), financial data (e.g., salary amounts, invoice and billing data, bank account numbers), and other Personal Data provided by the Client on the Amodit Platform or Amodit Trust Center servers (if applicable).
3.3. The purpose of entrusting Astrafox with the processing of Personal Data is to provide Services to the Client based on the Amodit Terms and Conditions, any order placed in any form, or a signed agreement.
3.4. Astrafox is authorized to process Personal Data in electronic form.
3.5. The data processing entrusted to Astrafox is continuous for the duration of the contracted Services.
3.6. The Client is obliged to inform Astrafox about any additional categories of individuals beyond those specified in point 3.1, as well as any other types of data beyond those specified in point 3.2, if applicable, prior to entrusting the Personal Data. This information should be provided on the order form or sent to the email address: iod@astrafox.pl.

4. ASTRAFOX’S OBLIGATIONS AS A DATA PROCESSOR
4.1. Astrafox is permitted to process the entrusted Personal Data solely for the purpose specified in point 3.3. above.
4.2. Only employees or collaborators of Astrafox who have been authorized by Astrafox and have provided a declaration regarding the confidentiality and security measures of the data are granted access to the entrusted Personal Data.
4.3. Astrafox undertakes to process the entrusted Personal Data only on documented instructions from the Client. Documented instructions from the Client include, in particular, the acceptance of the Amodit Terms and Conditions, any separate agreement with the Client, the order placed, and additional instructions provided in writing or by email.
4.4. Astrafox is obliged to ensure the security of the processing of entrusted Personal Data by implementing appropriate technical and organizational measures that are suitable for the nature of the entrusted data and the risks of infringement upon the rights of the individuals to whom the data relates.
4.5. Astrafox is obligated to cooperate with the Client in responding to requests from individuals whose Personal Data is processed, as described in Articles 12-22 of the GDPR, in a manner that ensures compliance with the deadlines for responding specified in those provisions. Astrafox is obliged to inform the Client of any requests made by individuals exercising their rights under the GDPR and to provide the Client with all necessary information in this regard.
4.6. Taking into account the nature of the entrusted data and the information available to Astrafox, Astrafox is obligated to assist the Client in fulfilling their obligations regarding data security, managing personal data breaches, notifying the supervisory authority and the individuals whose data has been affected, conducting data protection impact assessments, and consulting with the supervisory authority, in accordance with the provisions of the GDPR, particularly Articles 32-36.
4.7. Astrafox is obliged to promptly notify the Client of any complaints, letters, supervisory authority inspections, and judicial or administrative proceedings related to the entrusted Personal Data, and to cooperate with the Client in this regard, including providing the Client with all relevant documentation.
4.8. Astrafox is obliged to inform the Client without undue delay, but no later than within 36 hours after becoming aware of a personal data breach, about the occurrence of such a breach. The notification to the Client regarding the breach should include, at least:
4.8.1. a description of the nature of the breach, and, if possible, the categories and approximate number of individuals affected and the quantity and type of data involved in the breach;
4.8.2. the name, surname, and contact details of the data protection officer or other person or entity that the Client can contact regarding the breach;
4.8.3. a description of the potential consequences of the breach; and
4.8.4. a description of the measures implemented or proposed to be implemented by Astrafox to address the breach, including measures to mitigate any negative effects.

5. CLIENT’S OBLIGATIONS
5.1. The Client is obliged to cooperate with Astrafox in the provision of services to the Client.
5.2. In the event that Astrafox has doubts about the legality of the instructions issued by the Client regarding the processing of entrusted Personal Data, Astrafox will inform the Client of these doubts, and the Client will be required to provide Astrafox with written explanations in relation to these matters. The Client’s explanations should be provided promptly, but no later than within 3 days from the day of being informed about the doubts.

6. RIGHT OF AUDIT
6.1. The Client has the right to audit Astrafox regarding the processing of entrusted Personal Data to ensure compliance with applicable laws and the provisions of this chapter. The audit is conducted by the Client or an auditor authorized by the Client. The audit should not impose excessive burdens on Astrafox. In particular, the Client may exercise the right of audit only during Astrafox’s working hours. Information regarding the date and scope of the audit shall be provided to Astrafox at least 30 days in advance, in writing or by email, specifying the scope of the audit, the tools to be used by the Client, and the individuals authorized by the Client to conduct the audit.
6.2. The Client’s right to conduct an audit is limited to one audit per calendar year. This limitation does not apply if the data protection authority requires the Client to conduct an additional audit. All provisions of this paragraph apply to any additional audits.
6.3. The Client shall ensure that the auditor conducting the audit maintains confidentiality indefinitely regarding any information obtained during or as a result of the audit, particularly any confidential information concerning Astrafox, its employees, or clients.
6.4. If the scope of the audit presented by the Client or the tools used during the audit could potentially violate data protection laws by Astrafox, Astrafox has the right to object to the audit and is obliged to promptly notify the Client in writing, providing detailed justification for the objection and indicating the potential breaches that could result from the audit.

7. SUBPROCESSING OF PERSONAL DATA
7.1. The Client grants Astrafox general consent to subcontract the processing of Personal Data for which the Client is the data controller or data processor, with the condition that the intention to subcontract the processing of personal data requires prior notification to the Client to allow the Client to express any objections. In the absence of written objection from the Client within 24 hours of receiving the notification, it is deemed as acceptance of the subprocessor. Astrafox reserves the right to discontinue the provision of services to the Client if an objection is raised.
7.2. The list of subprocessors of Personal Data is available upon request at the following address: iod@astrafox.pl. Astrafox will update the list, as referred to in the preceding sentence, in response to each request, depending on the nature of the data processing.

8. LIABILITY OF ASTRAFOX
8.1. Astrafox is responsible to the Client for the proper performance of obligations regarding the protection of personal data by any third party to whom it has subcontracted the processing of Personal Data.
8.2. Astrafox is liable for damages, excluding lost profits, caused by its culpable actions in connection with a failure to fulfill obligations imposed directly on the Data Processor by applicable laws, including the GDPR, or when it acted outside the lawful instructions of the Client or contrary to such instructions.

9. TERMINATION OF PROCESSING OF ENTRUSTED PERSONAL DATA
9.1. Astrafox is authorized to process the entrusted Personal Data until the completion of the provision of services to the Client.
9.2. Upon termination of the provision of services to the Client, Astrafox will return or permanently delete all personal data to which it had access in the course of providing services to the Client, unless the law requires further retention of personal data.

CHAPTER III
FINAL PROVISIONS

1. Astrafox reserves the right to modify this Privacy Policy, particularly in the event of changes in the applicable laws and new guidelines issued by the authorities responsible for data protection oversight.
2. In the event of changes to Chapter II of this Privacy Policy, which regulate the provisions regarding the processing of personal data, Astrafox will inform the Client of the planned changes no later than 14 (fourteen) days before the proposed effective date of the changes to the content of Chapter II.
3. If the Client has not submitted written objections to the changes in the content of Chapter II of the Privacy Policy before the proposed effective date, the changes will be deemed accepted.
4. The Client has the right to negotiate changes to the content of Chapter II of the Privacy Policy.
5. Matters not regulated by this Privacy Policy shall be governed by the provisions of the Civil Code, as well as the provisions of the GDPR and other applicable laws regarding the protection of personal data.
6. Astrafox and the Client mutually declare that, in the event of disputes arising from the implementation of the provisions concerning the processing of personal data, they will strive for an amicable resolution. If the dispute cannot be resolved amicably, it shall be subject to the jurisdiction of the competent common court for the registered office of Astrafox.
7. This version of the Privacy Policy is effective from April 27, 2023.