PRIVACY POLICY OF TURBODASH.CO

1. DEFINITIONS

1. Administrator – Turbodash spółka z ograniczoną odpowiedzialnością with its registered office at ul. Gospodarcza 26, 20-213 Lublin, entered into the Register of Entrepreneurs under KRS number 1133480, maintained by the District Court Lublin-Wschód in Lublin with its seat in Świdnik, 6th Commercial Division of the National Court Register, with share capital of PLN 10,000.00, NIP (Tax ID): 9462746247, REGON: 529950568
2. Personal Data – any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including image, voice recording, contact details, location information, information contained in correspondence, information collected through recording equipment or other similar technology.
3. Data Subject – a natural person whose Personal Data is processed by the Administrator, in particular a person directing an inquiry to the Administrator through the form on the Website.
4. Policy – this document.
5. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
6. Website – the Administrator’s website available at turbodash.co

2. PROCESSING OF PERSONAL DATA

1. In connection with its business activities and the possibility for Data Subjects to contact the Administrator through the Website, the Administrator collects and processes Personal Data in accordance with applicable regulations, in particular the GDPR and the principles of data processing provided therein.
2. The Administrator:

1. ensures transparency in the processing of Personal Data;
2. informs about the processing of Personal Data at the time of collection, in particular about the purpose and legal basis for processing Personal Data, unless it is not obliged to do so under separate regulations;
3. ensures that Personal Data is collected only to the extent necessary for the stated purpose and processed only for the period in which it is necessary.
4. When processing Personal Data, the Administrator ensures their security and confidentiality, as well as access by Data Subjects to information about their processing. Should a breach of Personal Data protection occur despite the security measures applied (e.g., data “leak” or loss) and such breach could result in a high risk to the rights or freedoms of Data Subjects, the Administrator shall inform the Data Subjects of such an incident in accordance with the regulations.

3. GENERAL PRINCIPLES OF PERSONAL DATA SECURITY

1. The confidentiality and security of Personal Data is a priority in the Administrator’s activities.
2. The Administrator may use data and information other than Personal Data needed to contact the Data Subject only when such data is anonymized, i.e., when it cannot be attributed to a specific Data Subject, in particular for the purpose of creating anonymous reports and collective statistics.
3. To ensure the integrity and confidentiality of Personal Data, the Administrator has implemented procedures allowing access to Personal Data only to authorized persons and exclusively to the extent necessary due to their tasks.
4. The Administrator applies organizational and technical solutions to ensure that all operations on Personal Data are registered and performed only by authorized persons.
5. The Administrator takes necessary actions to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process Personal Data on behalf of the Administrator.
6. The Administrator continuously conducts risk analysis and monitors the adequacy of applied Personal Data safeguards against identified threats. If necessary, the Administrator implements additional measures to increase data security.

4. PURPOSES AND LEGAL BASES OF PROCESSING

1. ANALYTICAL, STATISTICAL, AND RESEARCH PURPOSES

• The Administrator may process Personal Data of Data Subjects for analytical, statistical, and research purposes, in particular through analyzing their activity on the Website, as well as their preferences to improve the Website’s functionalities.
• The legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) GDPR).

2. CORRESPONDENCE THROUGH WEBSITE FORM, EMAIL, AND TRADITIONAL MAIL

• In the case of Data Subjects directing correspondence to the Administrator via form, email, or traditional mail, Personal Data contained in this correspondence is processed solely for the purpose of communication and resolving the matter to which the correspondence relates.
• The legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) GDPR), consisting of conducting correspondence directed to it in connection with its business activities.
• Furthermore, in the case of using a link on the Website to an external third-party site, the legal basis for processing Personal Data is the consent of the Data Subject to such processing (Article 6(1)(a) GDPR), consisting of the possibility to transfer their Personal Data and receive feedback from the third party regarding the interaction and its result with the third party using data including Personal Data from the Administrator.

3. TELEPHONE CONTACT

• In case of contacting the Administrator by telephone, in matters not related to a concluded contract or provided services, the Administrator may request Personal Data only when it is necessary to handle the matter to which the contact relates.
• – The legal basis in such a case is the legitimate interest of the Administrator (Article 6(1)(f) GDPR), consisting of the necessity to resolve the reported matter related to its business activities.

4. PURSUIT OF CLAIMS

• For the purpose of establishing, pursuing, and enforcing any claims arising from the way the Data Subject uses the Website or communicates with the Administrator, the Administrator may process certain Personal Data if it is necessary to prove the existence of the Administrator’s claim, including the extent of damage suffered.
• The legal basis in such a case is the legitimate interest of the Administrator (Article 6(1)(f) GDPR), consisting of establishing, pursuing, and enforcing claims and defending against claims in proceedings before courts and other state authorities.

5. IMPLEMENTATION OF DATA SUBJECTS’ RIGHTS

• To enable the exercise of rights under the GDPR, in particular regarding the possibility of submitting complaints, inquiries, and requests, the Administrator has the right to process certain Personal Data for this purpose.
• The legal basis in such a case is the legitimate interest of the Administrator (Article 6(1)(f) GDPR), consisting of enabling the Data Subject to exercise rights under the GDPR.

6. MARKETING OF SERVICES OFFERED BY THE ADMINISTRATOR

Sending commercial information:

• Based on consent specifying the communication channel, the Administrator has the right to send messages to the email address and, potentially, make telephone contact to present services.
• The legal basis is the consent of the person to whom the Personal Data relates (Article 6(1)(a) GDPR).
• In case of consent to sending information via electronic mail, the legal basis for processing personal data will also be Article 398 of the Act of July 12, 2024, on Electronic Communications Law.
• In case of consent to telephone contact for the purpose of providing information, the legal basis for processing personal data will be Article 398 of the Act of July 12, 2024, on Electronic Communications Law.

5. NECESSITY TO PROVIDE PERSONAL DATA

The provision of Personal Data is voluntary, although it may be necessary in the scope of correspondence with the Administrator.

6. FACEBOOK AND LINKEDIN PROFILES
   1. The Administrator maintains public profiles on social media platforms Facebook and LinkedIn. In connection with this, it processes Personal Data left by people visiting these profiles (e.g., comments, likes, internet identifiers).
   2. Personal Data of Data Subjects visiting the Administrator’s profiles is processed:
      1. for the purpose of effectively managing the profiles, by presenting portal users with information about the Administrator’s initiatives and other activities, and in connection with promoting various events, services, and products;
      2. for statistical and analytical purposes;
      3. possibly for the pursuit of claims and defense against claims.
   3. The legal basis for processing Personal Data is the legitimate interest of the Administrator (Article 6(1)(f) GDPR), consisting of:
      1. promoting its own brand and improving the quality of services provided,
      2. if necessary – pursuing claims and defending against claims.
   4. The above information does not apply to the processing of Personal Data by the administrators of the services (Facebook and LinkedIn). The purpose and scope of Personal Data processing by social media platform operators is described in detail in the privacy policies of the aforementioned social media platforms, available on their websites.
   5. A Data Subject can always delete their comments under the Administrator’s posts, stop following the Administrator, or resign from having an account on the aforementioned social media platforms.

7. DATA RECIPIENTS

1. In connection with conducting business activities requiring the processing of Personal Data, Personal Data may be disclosed to external entities, including in particular providers of financing for commercial entities, entities responsible for the maintenance of IT systems and equipment, postal operators, couriers, providers of accounting, legal and advisory services, and marketing agencies.
2. The Administrator may share anonymized data (i.e., data that does not identify specific Data Subjects) with external service providers to better understand the attractiveness of advertisements and services offered by the Administrator.
3. The Administrator reserves the right to disclose selected information concerning the Data Subject to relevant authorities or third parties who request such information, based on an appropriate legal basis and in accordance with applicable law.
4. The Administrator will share data, including Personal Data left in the form on the Website, with entities that may be interested in potentially providing financing for the entity on whose behalf the Data Subject provided data, including their Personal Data. The purpose and scope of data processing, including Personal Data, will be separately and independently communicated by these entities as part of the relationship established between the Data Subject and that entity.

8. TRANSFER OF DATA OUTSIDE THE EEA

1. The Administrator may transfer Personal Data to third countries, i.e., countries outside the European Economic Area (“EEA”). Personal Data may be transferred only to third countries or entities for which the European Commission has issued a decision confirming an adequate level of data protection. The list of countries for which the European Commission has issued decisions confirming that a third country ensures an adequate level of protection can be found at this link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#relatedlinks.
2. In the absence of a European Commission decision establishing an adequate level of protection as specified in Article 45(3) GDPR, Personal Data may be transferred to a third country only on the basis of: standard data protection clauses adopted by the European Commission, standard data protection clauses adopted by the Polish supervisory authority and approved by the Commission, approved code of conduct, or approved certification mechanism (Article 46 GDPR).
3. In the absence of a European Commission decision establishing an adequate level of protection as specified in Article 45(3) GDPR or appropriate safeguards specified in Article 46 GDPR, we will separately request explicit consent for such transfer to a third country or international organization, informing about the prior risks associated with such transfer pursuant to Article 49(1)(a) GDPR.
4. In connection with the transfer of data outside the EEA, you may request information about appropriate safeguards in this regard, obtain a copy of these safeguards, or information about where they are made available by contacting us at the address indicated in point 1 above.

9. AUTOMATED DECISION-MAKING, INCLUDING PROFILING

The Administrator does not use automated decision-making systems, including profiling.

10. PERSONAL DATA PROCESSING PERIOD

1. Excluding cases that impose a different Personal Data retention period on the Administrator, the Administrator stores Personal Data for a period of 2 years.
2. The Personal Data processing period may be extended in cases where processing is necessary for establishing or pursuing claims or defending against claims, and after this period – only in cases and to the extent required by law.
3. Data related to fiscal, accounting, and financial documentation is retained by the Administrator in accordance with the terms specified by law, i.e., no longer than 6 years.
4. In cases where Personal Data is processed based on the legitimate interest of the Administrator, the Administrator processes such data until an effective objection is raised against the processing of Personal Data for the aforementioned purposes.
5. In cases where Personal Data is processed based on consent expressed by the Data Subject, such consent may be withdrawn at any time. Personal Data will be processed until the consent is withdrawn. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

11. RIGHTS OF DATA SUBJECTS

Data Subjects have the following rights:

1. right to information about personal data processing – on this basis, the Administrator provides the natural person submitting the request with information about the processing of Personal Data, including primarily the purposes and legal bases for processing, the scope of possessed data, entities to which they are disclosed, and the planned data deletion date;
2. right to obtain a copy of data – on this basis, the Administrator provides a copy of the processed Personal Data concerning the natural person submitting the request;
3. right to rectification – the Administrator is obliged to remove any inconsistencies or errors in the processed Personal Data and complete them if they are incomplete;
4. right to erasure – on this basis, one can request the deletion of Personal Data whose processing is no longer necessary for any of the purposes for which it was collected;
5. right to restriction of processing – in case of such a request, the Administrator ceases performing operations on Personal Data – except for operations agreed to by the Data Subject – and their storage, in accordance with adopted retention principles or until the reasons for limiting data processing cease to exist (e.g., a supervisory authority decision allowing for further data processing is issued);
6. right to data portability – on this basis – to the extent that Personal Data is processed in an automated manner in connection with a concluded contract or expressed consent – the Administrator issues data provided by the person to whom it relates in a format allowing for computer reading. It is also possible to request the transfer of this data to another entity, 
7. right to object to data processing for marketing purposes – the Data Subject may at any time object to the processing of Personal Data for marketing purposes, without the need to justify such objection;
8. right to object to other purposes of data processing – the Data Subject may at any time object – for reasons related to their particular situation – to the processing of Personal Data that is based on the legitimate interest of the Administrator (e.g., for analytical or statistical purposes or for reasons related to property protection); objection in this regard should include justification;
9. right to withdraw consent – if data is processed based on expressed consent, the Data Subject has the right to withdraw it at any time, which however does not affect the lawfulness of processing carried out before its withdrawal;
10. right to complaint – if it is determined that the processing of Personal Data violates the provisions of GDPR or other provisions regarding the protection of Personal Data, the Data Subject may submit a complaint to the supervisory authority overseeing Personal Data processing, competent for the Data Subject’s habitual residence, place of work, or place of the alleged violation. In Poland, the supervisory authority is the President of the Personal Data Protection Office.

12. SUBMITTING REQUESTS RELATED TO THE EXERCISE OF RIGHTS
13. Requests concerning the exercise of Data Subjects’ rights can be submitted:

1. in written form to the address: ul. Gospodarcza 26, 20-213 Lublin Poland;
2. via email to the address: [email protected].

2. If the Administrator is unable to identify the natural person based on the submitted request, it will ask the applicant for additional information. Providing such Personal Data is not mandatory, however, failure to provide it will result in a refusal to fulfill the request.
3. The request may be submitted personally or through a proxy (e.g., family member). Due to data security, the Administrator encourages the use of a power of attorney in the form certified by a notary or authorized legal counsel or attorney, which will significantly speed up the verification of the request’s authenticity.
4. The response to the submission should be provided within a month of its receipt. If it is necessary to extend this deadline, the Administrator informs the applicant of the reasons for this action.
5. In cases where the request was directed to the Administrator electronically, the response is provided in the same form, unless the applicant requested a response in a different form. In other cases, the response is provided in writing. If the deadline for fulfilling the request makes it impossible to provide a response in writing, and the scope of the applicant’s data processed by the Administrator enables electronic contact, the response should be provided electronically.
6. The Administrator stores information about the submitted request and the person who submitted it to ensure the ability to demonstrate compliance and to establish, defend, or pursue possible claims of Data Subjects.

13. DATA PROTECTION OFFICER

The Administrator has not appointed a Data Protection Officer.

14. EXTERNAL ENTITY LINKS

1. In the case of placing external links on the Website, the Policy does not apply to the processing of Personal Data by external entities.
2. When placing links, the Administrator makes efforts where possible to ensure that they refer only to entities that process Personal Data in accordance with data protection and security standards. However, the Administrator has no influence on the compliance with data protection and security regulations by other providers or third parties. Therefore, one should seek information from other providers or third parties about their data protection regulations.

15. COOKIES

1. Cookie files (also called cookies) are text information sent by a WWW server and saved on the user’s side (usually on the hard drive). The default parameters of cookies allow the information contained in them to be read only by the server that created them. Cookies are most commonly used in counters, polls, online stores, pages requiring login, advertisements, and to monitor visitors’ activity.
2. Purposes of storing and accessing cookie files:

1. personalizing the website (for example: remembering the selected font size, selection of version for the visually impaired or color version);
2. remembering user data and choices (for example: no need to enter login and password each time on each subpage, remembering login during subsequent visits);
3. enabling interaction with social media portals (for example: displaying friends, fans, or publishing posts on Facebook and Google+ directly from the website);
4. customizing advertising content displayed on the website;
5. creating website statistics and user flow statistics between different websites;
6. The Administrator uses technical, analytical, and marketing cookies.
7. Technical cookies are necessary for the proper functioning of the Website. We use them to:

• optimize the Website for devices and browsers most commonly used by visitors – thanks to this, tablets and phones will display it correctly and legibly;
• remember whether the Data Subject has consented to display selected content on the Website.

2. The Administrator uses analytical cookie files to improve the Website’s functionality and measure, without identifying Personal Data, the effectiveness of marketing activities undertaken. These activities allow us to continuously improve the structure and content of the Website to meet the needs of our current and potential customers to the greatest extent possible.
3. Marketing cookie files are used to customize the content and forms of advertisements to the needs and preferences of Data Subjects.
4. Below are links to resources showing how to specify the conditions for storing or accessing Cookies through the settings of the most popular web browsers:

• Firefox
• Chrome
• Opera
• Safari

5. However, please note that deleting or blocking “cookies” may result in some sections of the Website not functioning properly. If as a result of changing cookie settings, a so-called opt-out cookie is placed (which serves only to identify the Data Subject’s objection – lack of consent), please remember that the opt-out cookie works only in the browser in which it was saved. If you delete all cookies or use a different browser or different end device, you will need to opt-out again.

16. PRIVACY POLICY UPDATES

This Privacy Policy may be subject to changes resulting either from changes in generally applicable regulations or as a result of changes in the scope of services provided by the Administrator. The Administrator will inform about changes to the Privacy Policy on websites, indicating the date of implementation of the changes, so that you can exercise your rights under GDPR, in particular withdraw consent or raise an objection.