applicable as of 21st September 2018
Perfect Dashboard Sp. z o. o. seated in Cracow, owner of the Internet portal perfectdashboard.pl and a set of software (programs, applications, plugins, APIs) which form the Perfect Dashboard service, in particular AutoUpdater, providing automation services for website management, protects privacy of persons using its services/Internet portal and their personal data.
- Controller – Perfect Dashboard seated in Cracow, al. Juliusza Słowackiego 39, 31-159 Kraków, National Court Register (KRS) No.: 550535;
- Application – computer program AutoUpdater (Perfect Dashboard) developed by the Controller for automation of website management, available on the Website;
- Account – electronic service created and provided by the Controller to Users as a part of the Website, which is an area of a User’s exclusive access in the ICT system provided by the Controller;
- Personal data – all information on an identifiable User, i.e. a person that may be indirectly or directly identified, especially by an identifier such as first name and surname, ID number, location data, online ID or one or several special factors defining physical, genetic, mental, economic, cultural or social identity of a natural person;
- Clients – all entities cooperating with the Controller, its contractors, to whom the Controller provides its services and directly related marketing services;
- Service Providers – all entities cooperating with the Controller, its contractors, providing the Controller with their services and directly related marketing services;
- Profiling – each form of automated processing of personal data by the Controller consisting in the use of the data collected by the Controller for the evaluation of certain personal factors concerning a natural person, especially their analysis or projections regarding aspects of a User’s data or inference about personal features and factors relating to a User, other than the ones collected by the Controller;
- Regulations – Regulations on service provision through the Website;
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Website – Internet portal belonging to and managed by the Controller, as a part of which the Controller provides its services, available at the address: perfectdashboard.com, including all its subpages and subdomains;
- User’s Website – Internet portal connected to the Application and covered by the Services provided by the Controller;
- Settings – Account function which allows a User taking advantage of Services to appropriately manage Services, including to independently modify their scope, and to set preferences regarding the scope and purposes of the processing of his personal data;
- User – natural person who holds an Account and uses Services or does not hold an Account but uses Services through an external hosting service provided by the Client;
- Services – group of services provided electronically by the Controller, in particular through the Website, including the Application, as well as direct marketing services;
II. Personal data Controller
The Controller of Users’ personal data shall be the Controller.
In case of any questions on the personal data processing and rights of Users or non-logged Users, it is possible to contact the Controller via email, at the address: firstname.lastname@example.org.
Legal ground: disclosure obligation under Art. 13(1) letter a GDPR.
III. Scope and purposes of processing Users’ personal data
Since the Controller provides various services to Users, User personal data are processed for different purposes, in a different scope and under different legal grounds as specified in the GDPR. To ensure transparency of information, we grouped them according to the purpose of data processing.
Purpose 1: Setting up the Account, User access to the Website
Scope of data: For that purpose, the Controller processes the following User personal data:
- data submitted by Users in the registration form on the Website, i.e. email address and first name (facultative). If registration on the Website was made through an external authentication service (made available by Facebook, Google or GitHub), also the User’s first name and surname may be processed;
- data submitted by Users on the Website or in the Application, both as a part of the Services used by a User and in the Account or its Settings.
Legal ground: necessity for the performance of a contract for the provision of Services to a User (Art. 6(1) letter b GDPR).
Purpose 2: Use of Services by Users holding an Account
Scope of data: For this purpose, the Controller processes personal data collected by the Application and the Website, including the session of a User’s device and data on the operating system, Internet browser, location and unique ID, as well as all other personal data collected on the User’s Website, both on its visual level (front-end) and in the software responsible for the management of its contents (back-end), including backup copies of Users’ Websites.
Legal ground: necessity for the performance of a contract for the provision of Services to a User (art. 6(1) letter b GDPR).
Purpose 3: Use of Services by Users who are not Account holders
Types of Services: The Controller processes personal data of Users who do not hold an Account, submitted to the Controller by Clients, to provide them with Services indirectly, through services supplied by Clients.
Scope of data: For this purpose, the Controller processes personal data collected by the Application and the Website, including the session of a User’s device and data on the operating system, Internet browser, location and unique ID, as well as all personal data collected on a User’s Website, both on its visual level (front-end) and in the software responsible for the management of its contents (back-end), including backup copies of Users’ Websites.
If a User expresses intention to receive email notifications, the Controller processes also such Users’ personal data.
Legal ground: legitimate interest of the Controller (Art. 6(1) letter f) consisting in due performance of the obligations to Clients under concluded contracts, including contracts for personal data processing and providing access to the Service to a User without an Account.
Purpose 4: Statistics of use of specific functions and parts of the Website, product/service popularity and facilitation of the Website’s use
Scope of data: For these purposes, personal data are processed by the Controller in respect of User activity on the Website, such as: the visited pages, subpages and subdomains of the Website and the amount of time spent on each of them, as well as data regarding the IP address, location, device ID and information on the browser and operating system.
Legal ground: legitimate interest of the Controller (Art. 6(1) letter f GDPR) consisting in improvement of the Website’s functionality, increase of conversion and facilitation of access to the Account
Purpose 5: Establishment, assertion and enforcement of claims. Clearances and payments
Scope of data: For this purpose, the Controller may process certain personal data submitted in the Account, during order placement, or necessary for issuance of accounting documents, such as: first name, surname, address for correspondence, details and number of the credit card, bank account or PayPal account, information on the scope of use of Services, other data necessary to prove a claim, including the size of the loss suffered.
Legal ground: legal obligation imposed on the Controller with regard to keeping accounts (Art. 6(1) letter c GDPR), and legitimate interests of the Controller (Art. 6(1) letter f GDPR) consisting in collection of payments and establishment, assertion and enforcement of claims as well as defence from claims in legal proceedings before courts or other state authorities.
Purpose 6: Processing requests and complaints
Scope of data: For this purpose, the Controller processes personal data submitted by a User in the Account, i.e. name, email address, and data on the use of Services subject to the complaint or request, data included in documents annexed to a request or complaint.
Legal ground: necessity of the processing for the fulfilment of a legal obligation imposed on the Controller (Art. 6(1) letter c GDPR) and legitimate interest of the Controller (Art. 6(1) letter f GDPR) consisting in improvement of operation of Services and building positive relationships with Users.
Purpose 7: Collection and answering requests for proposal
Scope of data: For this purpose, the Controller processes personal data submitted by a User in the contact form on the site https://perfectdashboard.typeform.com/to/NRCHEw, i.e. name, name of the employer or represented entity, email address, telephone number, and other facultative data submitted by a User.
Legal ground: necessity to take action before concluding a contract at the request of a potential User (Art. 6(1) letter b GDPR) and legitimate interests of the Controller (Art. 6(1) letter f GDPR) consisting in the provision of answers to inquiries from potential Users
Purpose 8: Marketing and remarketing
Type of Services: The Controller processes Users’ personal data for the purposes of direct or indirect marketing (remarketing) of its own services or products.
Scope of data: For this purpose, the Controller processes personal data submitted in the Account, i.e. first name, surname, email address (where consent has been given to the use of telecommunication terminal equipment for direct marketing purposes by means of electronic communication), telephone number, workplace, and data on a User’s activity on the Website, registered and stored by means of cookies (also for non-logged Users), in particular the history of accessed subpages of the Website, clicks on the Website, login and registration dates, information on accessing and use of specific parts of the Website, activity relating to communication with the Controller, IP address, location, device ID and data of the Internet browser and the operating system.
Remarketing: To reach Users by means of marketing communications outside the Websites, the Controller takes advantage of services provided by external suppliers. Such services consist in displaying the Controller’s marketing communications, including commercial information, on pages other than the Website. For that purpose, external suppliers (such as Google, Facebook) install, e.g., an appropriate code or pixel to collect information on User activity on the Website. That information relates in particular to the fact of visiting the Website and the history of accessing subpages within the Website.
Legal ground: consent from the data subject (Art. 6(1) letter a GDPR and Art. 22(2) letter c GDPR) and legitimate interest of the Controller (Art. 6(1) letter f GDPR) consisting in direct marketing of the Controller’s services or products.
In order to facilitate the Website’s use, the Controller may, through the Website, install on User’s terminal text files, referred to as cookies, destined for the storage of information for User identification or remembering the history of activities of a User on the Website.
Provision by a User of the data covered by cookies is voluntary, and such intention on a User’s part is expressed by appropriate settings of the User’s Internet’s browser by which the Website is accessed.
Legal basis: Art. 11 GDPR.
Types of cookies
According to their lifecycle, cookies are divided into:
- session cookies – erased upon closing the Internet browser,
- persistent cookies – erased after a period of time determined in advance, regardless of closing the Internet browser.
According to the Internet domain of their origin, cookies are divided into:
- own cookies – set by the Internet servers of our Websites,
- third party cookies – set by Internet servers of sites other than our Websites.
Purposes for which cookies are used
Optimization of the Websites’ use (necessary and analytical cookies)
Statistics of site and subpage views of the Websites (analytical cookies)
The Controller uses third party cookies (e.g. Google Analytics, Google Analytics 360) to calculate the number of views on the Website, their duration, and to determine what functions or parts of the Website were most frequently used or visited. The information so collected allows the Controller to analyse efficiency of the Website and determine the directions for development of new functions and services.
Tracing activities on the Websites (analytical cookies)
The Controller uses its own cookies to identify a User for the purposes of User activity analysis on the Websites, to determine what the User’s activities at the Website addresses were, in particular what subpages were viewed by a User and where he spent most of his time. The information so collected allows the Controller to evaluate whether the information addressed to Users through the Website is clear and whether the Website does not require any changes in the arrangement of contents.
Cancellation of cookies
A User may fix the conditions of storage or accessing cookies by the Internet browser settings or service configuration. In the menu bar of an Internet browser, in the “Help” section, information can be found on how to reject saving of new cookies, how to remove the cookies saved thus far, how to request notification of a new cookie being saved, and how to block the operation of cookies.
V. The obligatory character of personal data submission and consequences of omission to do so
Submission of certain personal data makes a precondition for the use of Services or conclusion of a distance contract with the Controller (obligatory data). The obligatory data regarding Users holding an Account are the email address and the data enabling issuance of an accounting document, as specified in Purpose 5, subject to entry with the Controller into a contract for the provision of Services. As far as Users without an Account are concerned, no data are obligatory. A consequence of an omission to submit such data is the User’s impossibility to use Services. Apart from the above situations, provision of other personal data is voluntary.
In respect of personal data collected automatically, their submission is also voluntary, and the expression of such intention on the part of a User is appropriate setup of the Internet browser by which the Website is accessed.
VI. Automated decision-making and Profiling
The Controller shall make all reasonable efforts to adjust the offer of its own services and all marketing communications addressed to Users to their interests and preferences. For that purpose, it undertakes automated processing of personal data, which may also take the form of Profiling.
At the same time, the Controller points out that targeting and personalization of the Controller’s marketing communications, especially offers and trade information, based on the collected behavioural data (relating to a User’s behaviour and his activity on the Website, in particular the history of subpages viewed), as long as it is not a consequence of inference about other features and personal factors of a User based on the data collected by the Controller, does not amount to Profiling.
The above activities and decision-making constitute automated processing of personal data – and take place when a specific action or omission by a User on the Website triggers a specific commercial communication – identical for all Users who have acted in a similar way. Such communication is not addressed to a User on the basis of any assumptions made by the Controller by automated means, but in connection with specific User-submitted information.
Upon weighing the Controller’s interests against Users’ interests, rights and freedoms, the Controller concluded that presentation to Users of contents related to automated decision-making, including on the basis of the Profiling carried out, will not excessively interfere with Users’ privacy or amount to excessive nuisance to Users. As a part of the weighing of interests, rights and freedoms, especially the following was taken into account:
- the Controller does not collect sensitive data, relating to Users’ private life or their activities on other websites;
- as a part of Profiling, the Controller does not make any conclusions on the results of a User’s work, his financial standing or health;
- decisions based on automatic processing, including Profiling, do not substantially affect the legal situation of Users and do not modify the functionality scope of the Application.
The above allows to assume that automated processing of personal data and decision-making, including Profiling, does not pose any substantial threat to Users’ rights and freedoms, does not produce any substantial legal consequences to users and is not an excessive nuisance, and, consequently – there are no reasons which would preclude affording priority to the Controller’s interests.
The consequence of automated processing of Users’ personal data will be exclusively provision to Users of the Application in a specific language version, which, in extreme cases, may be incomprehensible to a User. By the option to change the language version, a User has an opportunity to easily adjust the Application to his needs.
In connection with the above, Users shall have additional rights, specifically referred to in section X.
VII. Processing of children’s personal data
To take advantage of Services, a User must be at least 16 years of age or obtain consent from a person exercising parental authority or guardianship over the child. The Controller does not intend to consciously collect any personal data from children under 16 years of age without obtaining consent of a parent or guardian.
VIII. Data recipients
Users’ personal data may be disclosed by the Controller to other entities. Depending on the circumstances, such entities may be under Controller’s instructions as to the purposes and methods of processing such data (processors), or independently establish the purposes and methods of processing Users’ personal data (controllers). The Controller shares Users’ personal data with the following categories of recipients:
Users’ personal data may be disclosed to the Controller’s affiliates. Such affiliates shall apply the same protective measures in relation to the personal data, as well as the terms and purposes of their processing, as the Controller, and with regard to the disclosed data they shall act as controllers/processors.
Location. Affiliates are mainly domiciled in Poland and other countries of the European Economic Area (EEA) and in the United States.
Users’ personal data may be disclosed to entities which provide to the Controller services supporting its activities, e.g. to suppliers of marketing tools, accountants, legal advisors.
Processors. The Controller takes advantage of services by entities processing Users’ personal data only upon its request. Those include, among others, providers of hosting services, drive space in a cloud, marketing systems (e.g. for distribution of newsletters and other emails), systems analysing Website traffic or effectiveness of marketing campaigns, etc.
Presently, the Controller cooperates with the following Service Providers which are personal data processors:
– Polekspert Sp. z o. o., contact details: ul. Lea 6A/7 30-048 Kraków;
– inFakt Sp. z o. o. seated in Cracow (KRS: 325203), contact details: ul. Kącik 4, 30-549 Kraków;
– Mailgun Technologies, Inc., company incorporated under the laws of Delaware, contact details: 535 Mission St. San Francisco, CA 94105, United States of America;
– H88 S.A. seated in Poznań (KRS: 612359), contact details: ul. Franklina Roosevelta 22, 60-829 Poznań;
– DigitalOcean, LLC, contact details: 101 Avenue of the Americas, 10th Floor, New York, NY 10013, United States of America;
– RightHello Sp. z o. o., contact details: ul. Aleksandra Ostrowskiego 13D/5, 53-238 Wrocław;
– ProsperWorks, Inc., contact details: 301 Howard St. #600 San Francisco, CA 94105, United States of America;
– ZenDesk, Inc., contact details: 1019 Market St. San Francisco, CA 94103, United States of America;
– TypeForm S.L., contact details: Carrer Bac de Roda, 163, 08018 Barcelona, Spain;
– Zapier, Inc., contact details: 548 Market St #62411, San Francisco, California 94104, USA;
– GetResponse Sp. z o.o. (KRS: 187388);
– The Rocket Science Group LLC, 675 Ponce de Leon Avenue NE Suite 5000, Atlanta, Georgia 30308, United States of America – MailChimp service operator.
Controllers. The Controller also uses services of entities that do not act exclusively on its instruction and by themselves establish the purposes and methods of utilization of Users’ personal data. These are entities which mainly provide services of remarketing campaigns and undertake statistical research.
Currently, the Controller cooperates with the following Service Providers which are personal data controllers:
– Google LLC, contact details: 1600 Amphitheatre Parkway Mountain View, CA 94043, USA;
– Alior Bank S.A., contact details: ul. Łopuszańska 38D, 02-232 Warszawa;
– PayPal (Europe) S.à r.l. & Cie, S.C.A, 22-24 Boulevard Royal, 2449 Luksemburg, Grand Duchy of Luxembourg.
Location. Service Providers are domiciled both in Poland and other countries of the European Economic Area (EEA). However, some of the Service Providers may be domiciled outside the EEA. In connection with personal data transfers outside the EEA, the Controller ensured that Service Providers guarantee a high level of personal data protection. Such guarantees follow in particular from participation in the "Privacy Shield" program put in place under the implementing decision of the Commission (EU) 2016/1250 of 12 July 2016 on the adequacy of protection afforded by the EU-US Privacy Shield. A User may obtain by email a copy of the personal data transferred from the Controller to a third country, in the same way as he may request access to personal data. Where the above requirement has not been fulfilled, the Controller shall ensure compliance of the data processing with the GDPR by obtaining User consent to such transfer, and in the absence of such consent – exclusion of the personal data of such User from transfers to a third country.
- Persons authorized by the Controller to process data
The Controller shall disclose personal data to all persons authorized by the Controller to process data on its behalf, which follows from the fact that on everyday basis these are people that are responsible for the Controller’s actions. :)
Personal data are disclosed also when authorized state authorities so request, in particular organizational units of the prosecutor’s office, the Police, or the supervision authority responsible for data protection issues (President of the Data Protection Authority (PUODO)).
IX. Data storage period
Users’ personal data are stored by the Controller for the entire duration of the active use of Services. After 12 months of a User’s inactivity, the User’s data shall be erased, and the email address shall become anonymized (subject to irreversible pseudonymization by a hash change), excluding the following cases. Data necessary for the Purpose 5, i.e. financial clearances and issuance of accounting documentation – after 18 months of their last use, unless it is necessary to issue an accounting document in that period. Data entrusted to Service Providers for processing may be subject to other dates of removal, pseudonymization or anonymization.
Personal data of Users who do not take advantage of Services are stored for a period corresponding to the validity of the cookies saved on their devices.
X. Rights of data subjects
The Controller shall ensure execution of the above rights to Users by contacting the Controller in one of the ways indicated in section II. Additionally, certain rights may be exercised by an appropriate change of Settings. All rights explained below in reference to Users holding an Account shall refer as well to Users without an Account.
Right to withdraw consent
A User shall have the right to withdraw each consent that he expressed upon registration on the Website, and during the use of Services and Account functions. Withdrawal of consent shall be effective as of the moment of the consent’s withdrawal. Withdrawal of consent shall not affect the processing legally performed by the Controller before such withdrawal.
Withdrawal of consent shall not entail any negative consequences. However, it may disable further use of Services. Withdrawal of consent shall be without prejudice to the processing performed under a legal ground other than consent from the data subject, for instance for the purpose of performing the contract between the Controller and a User.
Legal basis: Art. 7(3) GDPR.
Right of objection to the use of data
A User may, at any time, lodge an objection to the processing of his personal data, including automated processing, and in particular Profiling, where the data are processed on the basis of the Controller’s legitimate interest.
Regardless of the above, a data subject may, at any time, lodge objection to the processing of his personal data for the purposes of direct marketing, including Profiling, insofar as the processing relates to such direct marketing.
Such resignation shall be treated as objection to the processing of personal data, including Profiling, for marketing purposes, and shall guarantee cessation of any further processing for that purpose.
Where the Controller is unable to indicate any other legal ground for the processing of personal data of a User who lodged a complaint which would be precedent to the interests, rights and freedoms of a User or grounds for the establishment, assertion or defence of claims, the Controller shall promptly erase the personal data of such User.
Legal basis: Art. 21 GDPR
Right to data erasure (“right to be forgotten”)
A User may request erasure of all or certain personal data. The request for erasure of all personal data shall be treated as a request to remove the Account.
This right exists if at least one of the following conditions has been met:
- personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- A User withdrew the consent on which the processing was based, and the Controller does not have any other ground for the processing;
- A User lodged an objection to the processing and there are no precedent legitimate grounds for the processing or a User lodged an objection to the processing of data for direct marketing purposes;
- personal data was processed contrary to the law;
- personal data must be erased to achieve compliance with a legal obligation prescribed by applicable legal provisions;
Despite a request for erasure of personal data, in connection with a submission of objection or withdrawal of consent, the Controller may keep certain personal data to the extent necessary for the establishment, assertion or defence of claims. This relates in particular to personal data covering: first name, surname, email address and order history, which data are kept for the purposes of processing complaints and claims relating to the use of Services.
Legal basis: Art. 17 GDPR
Right to restrict data processing
A User may request restriction of processing of his personal data. This right shall exist if at least one of the following conditions is met:
- the User questions accuracy of the personal data – restriction is made for a period which allows the Controller to verify accuracy of the data;
- the processing is contrary to law, and the User objects to erasure of the personal data, requesting restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of processing, but they are necessary to the User for the establishment, assertion or defence of claims;
- the User lodged an objection to the processing of personal data – restriction is made pending the determination if the Controller’s legitimate interests are precedent to the grounds for the objection of the data subject.
Legal basis: Art. 18 GDPR
Right of access to data
Everyone may obtain confirmation from the Controller whether the Controller processes personal data of any given person, and if so, such person may:
- gain access to his personal data;
- obtain information on the purposes of processing, categories of the processed personal data, recipients or categories of recipients of such data, the planned storage period of the personal data or the criteria of determination of such period, on data subject’s rights under the GDPR and the right to lodge a complaint to a supervisory authority, on the sources of such data, automated decision-making, including Profiling, and the securities used in connection with the transfer of such data to a third country;
- obtain a copy of his personal data.
Legal basis: Art. 15 GDPR
Right to rectify data
A User may rectify or supplement the personal data which he submitted. It is possible to exercise that right in the Account, by an independent change of Settings and verification of the scope of the data submitted in the Account.
As regards personal data which cannot be accessed from the Account, a User may request from the Controller rectification of that data (if inaccurate) or their supplementation (if incomplete).
Legal basis: Art. 16 GDPR
Right to data portability
A User may receive his personal data which he submitted to the Controller, and then send them to another personal data controller of his choice.
A User may also request that the personal data be sent by the Controller directly to such another controller as far as this is technically possible.
The Controller sends data as a file in the *.[•] format. This format is in general use, machine-readable and permits the transfer of the received data to another personal data controller.
Legal basis: Art. 20 GDPR
Right to obtain human intervention from the Controller
In each situation of automated processing of personal data (automated decision-making, including Profiling), a User may question the decision made exclusively by automated means, express his opinion about the decision made and request human intervention from the Controller. Human intervention is made by repeated evaluation of the features, factors and premises that have been taken into account in the automated decision-making by a person authorized by the Controller and issuance of a decision other than the previous one or its upholding. With regard to Profiling, the Controller should disregard any personal features and factors that were inferred from the data collected by the Controller, and the decision concluding the human intervention should be made on the basis of the data collected by the Controller which are not an evaluation, analysis or forecast of the data submitted by a User.
This right shall be excluded where such decision does not produce any legal consequences to the User or the impact on his situation is minimal.
However, where the decision made by automated means: (i) is not necessary for the conclusion or performance of a contract between a User and the Controller; (ii) is not permitted by the law of the European Union or the law of a Member State applicable to the Controller which provides for appropriate measures safeguarding rights, freedoms and legitimate interests of a data subject; (iii) is not based on clear consent from a data subject – the manifestation of the above User’s right shall be the right not to be entirely subject to decisions made exclusively by automated means. When a request is submitted in exercise of such right, the Controller shall take all reasonable measures so that the decision-making process is not entirely automated, i.e. to ensure presence of a human factor in at least one of its stages.
Legal basis: Art. 22 GDPR.
XI. Reaction time
If a User, in exercise of the rights specified in section IX, submits an appropriate request to the Controller, the Controller shall promptly consider that request positively or negatively, however, not later than within a month of its receipt. However, if, as a result of a complex nature of the request or number of requests – it is impossible to comply with the monthly deadline, the Controller shall fulfil its obligation to process the request within the following two months, upon prior notification of the circumstances to the User.
XII. Requests and complaints
The Controller invites questions and requests in respect of the processing of Users’ personal data and exercise of their rights.
Each person shall have the right to lodge a complaint with the supervisory authority responsible for issues of personal data protection (President of the Data Protection Authority (PUODO)) if such person believes that his right to personal data protection or other rights granted to him under the GDPR have been violated by the Controller.
XIII. Security of personal data
The Controller and entities with whom it cooperates shall make every effort to ensure security to the personal data processed on the Website, including but not limited to, by the use of encrypted data transmission (SSL) during registration and login processes, which ensures protection of the submitted authentication data and considerably hinders interception of the Account by unauthorized systems or persons.