§ 1. GENERAL PROVISIONS AND DEFINITIONS

1. 1. INXY PL Sp. z o.o. with registered office in Warsaw (00 – 682), Hoża 86/210 Street, for which District Court for the capital city Warsaw in Warsaw, XII Commercial Division of the National Court Register maintains registration files under the following number: 0001010901, NIP (tax identification number): 7011123359, REGON (statistical identification number): 524094544 with the share capital of 5.000,00 PLN, with status of micro entrepreneur within the meaning of the Act on combating excessive delays in commercial transactions of 8 March 2013. is the Controller of the personal data collected by Platform.
2. 2. Controller may be contacted via email at [email protected].
3. 3. Definitions:
   1. 1) Cookies – refer to IT data, particularly small text files that are saved and stored on the devices through which the User uses the services of Platform;
   2. 2) Personal data – information about an identified or identifiable natural person. An identifiable natural person is a person that may be directly or indirectly identified, and in particular on the basis of an identifier such as their name and surname, identification number, location data, Internet identifier or one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
   3. 3) Profiling - means any form of automated processing of personal data that consists in using personal data to assess certain personal factors of a natural person, in particular to analyse or forecast aspects relating to the work effects of that natural person, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement;
   4. 4) Processing – means an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collection, recording, organising, arranging, storage, adaptation or modification, downloading, viewing, use, disclosure by transmission, distribution or any other means of making available, matching or merging, limiting, deleting or destroying;
   5. 5) Platform – electronic services available at: https://inxy.io , providing Services indicated in Terms and Conditions;
   6. 6) Device – an electronic device that allows data to be processed, received and sent such as a smartphone, tablet, and mobile phone used by the User to access the Platform;
   7. 7) User – means an entity to the benefit of whom services may be provided by electronic means in accordance with the law or with whom a contract on the provision of services by electronic means may be concluded.
   8. 8) Terms and Conditions – refer to the document that sets out the terms and conditions of use of the Platform, available at https://inxy.io .
   9. 9) Providers - third parties that provide content available on Platform consisting in particular of offers, surveys and advertisements;
   10. 10) Payment Providers – third parties that processes payment by Users of means of payment to the Service Provider for exchange into virtual currencies.

§ 2. LEGAL BASIS AND PURPOSES OF USER’S DATA PROCESSING

1. 1. Personal data collected by Controller shall be processed in accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”), the Act of 10 May 2018 on the protection of personal data (Journal of laws from 2019, item 1781) and the Act of 18 July 2002 on the provision of services by electronic means (OJ L 2020, item 344).
2. 2. Controller processes personal data provided or made available by User in connection with the use of Platform, for the purposes of:
   1. 1) the conclusion and execution of a contract on the provision of services by electronic means and Platform functionalities (scope of data: name and surname, IP addresses, e-mail address, telephone number) - pursuant to Article 6(1)(b) of the GDPR, i.e. due to the fact that the processing is necessary for the performance of a contract, to which the data subject is a party,
   2. 2) informing Users of the matters related to the functioning of Platform (scope of data: e-mail address, details of the Device used by the User) - pursuant to Article 6(1)(b) and (f) of the GDPR, i.e. due to the fact that the processing is necessary for the performance of a contract, to which the data subject is a party, and due to the fact that it facilitates the pursuit of objectives arising from legitimate interests pursued by Controller or by a third party,
   3. 3) asserting claims and defending rights (scope of data: any and all data obtained from the User necessary to prove the existence of a claim or to defend a right - pursuant to Article 6(1)(f) of the GDPR, i.e. due to the fact that the processing is necessary for the purposes of legitimate interests pursued by Controller or by a third party,
   4. 4) the fulfilment of the legal obligations incumbent on Controller in connection with running a business activity (scope of data: any and all data received from the User) - pursuant to Article 6(1)(c) of the GDPR, i.e. due to the fact that the processing is necessary to fulfil the legal obligation incumbent on Controller,
   5. 5) conducting own marketing and promotional activities (scope of data: any and all data received from the User), pursuant to Article 6(1)(f) of the GDPR,
   6. 6) marketing and promotional activities on the basis of separate consent (Article 6(1)(a) of the GDPR),
   7. 7) electronic transmission of commercial information in accordance with article 10(2) of the Act of 18 July 2002 on the provision of services by electronic means (OJ 2017, item 1219, as amended), including sending notifications (scope of data: any and all data received from the User), on the basis of separate consent (Article 6(1)(a) of the GDPR).

§ 3. DATA COLLECTED BY CONTROLLER

1. 1. Platform Controller collects or may collect the following personal data through Platform or when contacting User directly:
   1. 1) details of the Device used by the User (IP)
   2. 2) identification and contact details (e-mail address, telephone number, name and surname, type of identity document, period of validity of the identity document, date of birth, country, address of residence)
2. 2. Platform Controller also collect or may collect other data voluntarily provided by User when contacting Controller, including the details of the User’s device, correspondence data, and other data not listed above
3. 3. Browsing the content of Platform does not require User to provide personal data other than the automatically retrieved connection parameters.
4. 4. Due to the functionality of the provided services, Controller collect the following personal data from User who:
   1. 1) has not signed up yet:
      1. a) details of the Device used by the User (IP);
   2. 2) signed up but did not complete the verification process:
      1. a) details of the Device used by the User (IP),
      2. b) identification and contact details (e-mail address, telephone number);
   3. 3) signed up and completed the verification process:
      1. a) details of the Device used by the User (IP),
      2. b) identification and contact details (e-mail address, telephone number, name and surname, type of identity document, period of validity of the identity document, date of birth, country, address of residence).
5. 5. Due to executions of duties imposed by Act on Combating Money Laundering and the Financing of Terrorism of 1 march 2018, pursuant to article 36 of aforementioned Act, the Administrator may collect the following personal data:
   1. 1) Name, surname,
   2. 2) Citizenship,
   3. 3) PESEL number or birth date if no PESEL number is available,
   4. 4) The series and the number of the person’s identity card,
   5. 5) Address of residence,
   6. 6) the company name, tax identification number and address of the principal place of business - in the case of a sole trader.
6. 6. Controller warns that, in the course of using the Platform’s functionality, Providers may also process User’s personal data based on their own privacy policies.

§ 4. COOKIES PROFILING OF DATA COLLECTED

1. 1. Controller collects cookies related to User's activity on Platform, in particular essential and performance cookies.
2. 2. Controller uses profiling of the processed data based on Article 6(1)(c) of the GDPR in connection with the duties arising from the Act on Combating Money Laundering and the Financing of Terrorism of 1 march 2018
3. 3. While using Platform, small files, in particular text files, are stored on User's device, which are used to remember User's decisions, maintain User's session, remember the data entered, collect information about User's device and his/her visit for security purposes, as well as to analyse visits and adapt content.
4. 4. Cookies do not contain User’s identifying data, which means that it is not possible to establish a User's identity on their basis. The cookies used by the Platform are not in any way harmful to the User or the device and do not interfere with the User's software or settings.
5. 5. A cookie is assigned to User upon access to Platform's home page or any of its subpages.
6. 6. The cookie system does not interfere with the operation of User's Device and can be disabled.
7. 7. User has the option to set the browser to block certain types of cookies and other technologies by specifying the permissible extent of information collection.
8. 8. The use of Platform without changing the browser settings, i.e. with the default acceptance of cookies and similar technologies, implies consent to their use for the specified in this Privacy Policy.
9. 9. Controller uses cookies in the following ways:

FILE NAME	PURPOSE	ORIGIN OF FILE	FLAG (type)	DURATION
inxy-payments-18n	storing information about user language preferences	INXY	Essential	1 year
inxy-payments-auth-token	storing user authentication data, maintaining user session	INXY	Essential	7 days
amp_#	statistical data	Amplitude	Performance	1 year
amplitude_unsent_#	storing unsent data on user’s browser	Amplitude	Performance	Persistent
amplitude_unsent_identify_#	session analytics	Amplitude	Performance	Persistent
_ga	differentiation of visitors	Google	Performance	2 years
_ga#	recognizing unique visitors	Google	Performance	2 years
_hjSessionUser_#	ensuring data from subsequent visits	Hotjar	Performance	1 year
_hjid		Hotjar	Performance	1 year
_hjFirstSeen	identifying new user first session	Hotjar	Performance	30 minutes
_hjHasCachedUserAttributes	noticing update of data	Hotjar	Performance	Session
_hjUserAttributesHash	noticing when user attributes changes	Hotjar	Performance	2 minutes
_hjUserAttributes	storing user attributes	Hotjar	Performance	Persistent
_hjViewportld	storing user viewport details	Hotjar	Performance	Session
_hjSession_#	holding current session data	Hotjar	Performance	30 minutes
_hjSessionTooLarge	stopping data collecting	Hotjar	Performance	Session
_hjSessionResumed	reconnection with Hotjar	Hotjar	Performance	Session
_hjCookieTest	proper use of cookies	Hotjar	Performance	Persistent
_hjLocalStorageTest	proper use of local storage	Hotjar	Performance	Session
_hjSessionStorageTest	proper use of session storage	Hotjar	Performance	2 minutes
_hjIncludedInPageviewSample	site pageview limit	Hotjar	Performance	2 minutes
_hjIncludedInSessionSample	site daily session limit	Hotjar	Performance	30 minutes
_hjAbsoluteSessionInProgress	first page view	Hotjar	Performance	Session
_hjTLDTest	setting cookie path	Hotjar	Performance	Session
hjRecordingEnabled	recording User performance on website	Hotjar	Performance	1 year
_hjRecordingLastActivity	recording User performance on website	Hotjar	Performance	1 year
_hjClosedSurveyInvites	Surveys	Hotjar	Performance	1 year
_hjDonePolls	Surveys	Hotjar	Performance	1 day
_hjMinimizedPolls	minimising Surveys	Hotjar	Performance	1 year
_hjShownFeedbackMessage	Feedback widget	Hotjar	Performance	1 day

10. 10. The browser settings of Users' device should allow the storing of cookies and should allow them to give their consent by clicking on the "ok" option in the window that appears after accessing Platform website with the information: "This website uses cookies to ensure the correct provision of services. By continuing to use the site, you agree to their use - these cookies will be stored on your device."
11. 11. Providers, including payment providers, may collect cookies based on the severally granted User’s consent.

§ 5. THE PROCESSING TIME OF PERSONAL DATA

1. 1. Personal data will be processed for the period of time:
   1. 1) necessary for the performance of a contract on the provision of services by electronic means as defined in Terms and Conditions, concluded through Platform, including after the contract execution due to the fact the parties may exercise their contractual rights as well as due to possible recovery of receivables - until the expiry of the limitation period for any such claims;
   2. 2) until the revocation of the consent granted or the objection to the processing of data - in cases where the personal data of the User have been processed on the basis of separate consent;
2. 2. Controller shall also store the personal data of the Users when it is necessary to fulfil Controller’s legal obligations, resolve disputes, enforce Users’ obligations, maintain security, prevent fraud and abuse, especially duties arising from the Act on Combating Money Laundering and the Financing of Terrorism of 1 march 2018

§ 6. USER RIGHTS

1. 1. Controller shall ensure that Users may exercise the rights referred to in item 2 below. In order to exercise the rights, User shall send an appropriate demand (an appropriate request) via e-mail to: [email protected].
2. 2. User shall have the right:
   1. 1) of access to the data content - pursuant to Article 15 of the GDPR,
   2. 2) to rectify/update the data - pursuant to Article 16 of the GDPR,
   3. 3) to erasure of the data- pursuant to Article 17 of the GDPR,
   4. 4) of restriction of processing of the data - pursuant to Article 18 of the GDPR,
   5. 5) to transfer the data - pursuant to Article 20 of the GDPR,
   6. 6) to object to the data processing - pursuant to Article 21 of the GDPR,
   7. 7) to withdraw the consent granted at any time, provided that the withdrawal of consent shall not affect the lawfulness of the processing, which has been done on the basis of the consent prior to its withdrawal - pursuant to Article 7(3) of the GDPR,
   8. 8) to file a complaint to the supervisory authority, i.e. the President of the Office for the Protection of Personal Data - pursuant to Article 77 of the GDPR.
3. 3. Controller shall process the requests without undue delay, however not later than within one month from their receipt. If, however - due to the complexity of a request or the number of requests - the Controller is unable to process User's request within the specified time limit, Controller shall inform User of the intended extension of the time limit and shall indicate the time limit for processing the request, however not longer than 2 months.
4. 4. Controller shall inform each and every recipient, to whom personal data have been disclosed, of the rectification or erasure of personal data or of the restriction of processing, as requested by User, unless this proves impossible or requires disproportionate efforts.

§ 7. NECESSITY OF DATA PROVISION

1. 1. Submission of personal data through Platform is voluntary, yet necessary if the User wants to benefit from the full functionality of Platform.
2. 2. Where personal data are provided for the purpose of concluding a contract with Controller, the data provision constitutes the condition for concluding such a contract. The submission of personal data in this case is voluntary, however failure to provide such data will disable the possibility to conclude a contract with Controller.

§ 8. DATA SHARING

1. 1. For the purpose of executing the contract, Controller may share data collected from Users with various entities, including employees, co-workers, legal and IT service providers, and Providers. Furthermore, Controller shall make the personal data collected available to the entity, with which it has concluded an agreement on the entrustment of personal data processing.
2. 2. In such cases, the amount of the data transmitted shall be limited to the minimum necessary. Additionally, the information provided by the Users may be made available to the relevant public authorities, limited to the situation where it is required by applicable laws.
3. 3. The personal data processed shall not be provided externally to recipients not indicated above in a form that would allow any identification of the Users, unless the User has granted consent to the specific sharing of the data.

§ 9. TECHNICAL MEASURES

1. 1. Controller shall use its best efforts to secure and protect User data from any actions by third parties, and shall supervise the data safety throughout the entire period of owning such data in such a manner as to protect the data against unauthorised access, damage, distortion, destruction or loss.
2. 2. Controller uses the necessary server, connection, and Website security measures. Nevertheless, the actions taken by Controller may not be sufficient if Users do not follow the security rules.

§ 10. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA

1. 1. The personal data of Users shall not be transferred to countries outside the EEA. Controller uses servers located in the EEA countries for the purpose of storing such data.
2. 2. Controller warns that Providers including Payment Providers may process and transfer personal data outside the European Economic Area.

§ 11. DATA PROCESSORS ACTING ON BEHALF OF THE CONTROLLER

1. 1. The personal data of the Users may be entrusted to portals running the Controller’s marketing campaign for the purpose of being processed on behalf of the Controller. Each processor shall be obliged to ensure the security of data processing and the compliance with the rules for personal data processing to the extent identical to that of Controller.

§ 12. CHANGE OF THE PRIVACY AND COOKIE POLICY

1. 1. Controller has the right to change this document and Users shall be notified of any such changes in a manner allowing Users to familiarise themselves with the changes before they enter into force, for example by posting the relevant information on Platform and on Controller's website, and in the case of substantial changes, by sending a notification to the e-mail address specified by User.
2. 2. Should the User have any objections to the changes made, User may request the deletion of their personal data on Platform. The continued use of Platform after the publication or notification of changes to this document shall be considered to be consent to the collection, use and sharing of User personal data according to the updated content of the document.
3. 3. This document shall not restrict any rights granted to User in accordance with generally applicable laws.