1. The Data Controller of the online service available at: trustisto.com, hereinafter referred to as the Online Service, is Trustisto sp. z o.o. with its registered office in Warsaw at the address: Al. Jerozolimskie 181B, 02-222 Warsaw, entered into the register of entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register, under KRS number: 0000954806, NIP: 7011075703, REGON: 52129854200000, hereinafter referred to as the Data Controller.
2. Any inquiries, requests, complaints regarding the processing of personal data by the Data Controller, hereinafter referred to as Submissions, should be directed to the following email address: iod@trustisto.com or in writing to the address Al. Jerozolimskie 181B, 02-222 Warsaw. The content of the submission should clearly indicate:
- the data of the person or persons to whom the Submission pertains,
- the event that is the reason for the Submission,
- present your demands and the legal basis for these demands,
- indicate the expected way of resolving the matter.
3. In our Online Service, we collect the following personal data:
a) first and last name – may be processed when, as a user of our Online Service, you provide it to us via email, during a phone call, through the contact form available on our Online Service, or by traditional mail,
b) phone number – may be processed in case of phone contact, as well as when you provide it to us via email, the contact form available on our Online Service, or by traditional mail,
c) email address – may be processed when, as a user of the Service, you provide it to us via email, the contact form available on our Online Service, by traditional mail, or during a phone call,
d) IP address of the device and potential personal data contained in Cookies – information resulting from general principles of connections made on the Internet, such as the IP address (and other information contained in system logs), is used for technical and statistical purposes, including in particular to collect general demographic information (e.g., about the region from which the connection is made). This type of data is also used for marketing and analytical purposes if consent is given under Article 173(1) of the Telecommunications Law,
e) NIP and company name – data necessary for issuing any invoices and other documents related to the use of our Online Service,
f) possibly other data may be collected as part of handling specific matters or may be provided by users of our Online Service via email, the contact form available on the Online Service, traditional mail, or during a phone call.
4. Every person using our Online Service has the option to choose whether and to what extent they want to use our services and share information and data about themselves, as specified in this Privacy Policy.
5. We process personal data for the purpose of:
a) concluding and performing contracts in connection with the services we offer (Article 6(1)(b) of GDPR) – in this scope, the data will cease to be processed upon the execution of the given contract,
b) managing an individual user account (Article 6(1)(b) of GDPR) – in this scope, personal data will cease to be processed upon the deletion of the account by the user,
c) fulfilling legal obligations imposed on the Data Controller, in particular maintaining documentation, issuing invoices, etc. (Article 6(1)(c) of GDPR) – in this scope, personal data will be deleted after fulfilling the specified legal obligations,
d) directing marketing content related to the Data Controller and conducting website analytics in connection with the use of cookies (Article 6(1)(a) of GDPR) – in this scope, personal data is processed until the session ends or cookies are deleted by the user, consent is withdrawn, or until an effective objection to processing for this purpose is submitted,
e) operating the website (Article 6(1)(f) of GDPR in conjunction with Article 173(1) of the Telecommunications Law) – in this scope, personal data will cease to be processed in the event of cookie expiration, cookie deletion, or upon the end of the given session,
f) ongoing communication related to the functioning of the Online Service (Article 6(1)(f) of GDPR, i.e., the legitimate interest of the Data Controller) – in this scope, your personal data will cease to be processed upon responding to the given question or questions,
g) establishing and pursuing claims or defending against such claims (Article 6(1)(f) of GDPR, i.e., the legitimate interest of the Data Controller) – in this scope, personal data will be deleted upon the expiration of the claims, but generally after a 3-year limitation period for claims.
6. The source of the personal data processed by the Data Controller is the individuals to whom the data pertains.
7. In the case of a button or function that is a link to an external service, application, or social media, there is a co-administration relationship between the Administrator of this Online Service and the administrator of the external site. Co-administration is limited solely to data necessary for operations related to the functioning of the given button or function. The Administrator is not responsible for the policies regarding further processing of personal data by other entities, organizations, or social media providers. Our Co-Administrators within this Online Service are:
- Google Ireland Ltd. (Google Account) with its registered office at: Google Building Gordon House, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland,
- Help Scout Inc. (Live Chat) with its registered office at: 100 City Hall Plz, 5th Floor Boston, Massachusetts 02108, USA.
8. The Administrator uses tools: Google Ireland Ltd (Google Analytics, Google Ads), Microsoft Ireland Operations Ltd. (MS Office), Meta Platforms Ireland Operations Ltd (Facebook Pixel), Amazon Ireland Ltd (AWS). As a rule, data processed as part of the use of these tools is processed on servers located within the EEA. However, entities providing these tools may be required to transfer data to third countries if such an obligation is imposed on them by law or is necessary due to the nature of the services provided (SaaS, hosting, etc.). The scope of personal data transferred in this regard refers to all personal data specified in point 3 of this Privacy Policy. The transfer of personal data to the United States is based on the European Commission's Decision of July 10, 2023, ensuring an adequate level of protection under the EU-US Data Privacy Framework (Article 45(1) of GDPR). Our personal data importers, i.e., Google LLC, Microsoft Corporation, Microsoft Ireland Operations Ltd. (MS Office), Meta Platforms, Inc., Amazon, Inc., and The Rocket Science Group LLC., Peaberry Software Inc., Stripe Inc., PostHog Inc., meeting the criteria of the decision and participating in the Data Privacy Framework program, are listed at: https://www.dataprivacyframework.gov/s/participant-search. The entity Help Scout Inc. transfers data to third countries based on Standard Contractual Clauses adopted by this entity.
9. We do not share personal data with third parties without the explicit consent of the person to whom the data pertains. Personal data without the consent of the person to whom the data pertains may only be shared with public law entities, i.e., authorities and administration bodies (e.g., tax authorities, law enforcement agencies, and other entities authorized by generally applicable laws).
10. Personal data may be entrusted for processing to entities processing such data on our behalf as the Data Controller. In such a situation, as the Data Controller, we enter into a data processing agreement with the processing entity. The processing entity processes the entrusted personal data solely for the purposes, scope, and objectives specified in the data processing agreement mentioned in the preceding sentence. Without entrusting personal data for processing, we would not be able to conduct our activities within the Online Service. As the Data Controller, we entrust personal data for processing, in particular, to the following entities:
a) providing hosting services for the website on which our Online Service operates,
b) providers of marketing or analytical tools,
c) CRM service providers.
11. Personal data is not subject to profiling by us as the Data Controller within the meaning of GDPR regulations.
12. In accordance with GDPR regulations, every person whose personal data we process as the Data Controller has the right to:
a) access their personal data, as referred to in Article 15 of GDPR,
b) be informed about the processing of personal data, as referred to in Article 12 of GDPR,
c) correct, supplement, update, rectify personal data, as referred to in Article 16 of GDPR,
d) withdraw consent at any time, as referred to in Article 7(3) of GDPR,
e) delete data (right to be forgotten), as referred to in Article 17 of GDPR,
f) restrict processing, as referred to in Article 18 of GDPR,
g) data portability, as referred to in Article 20 of GDPR,
h) object to the processing of personal data, as referred to in Article 21 of GDPR,
i) in the case of a legal basis in the form of consent – the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal,
j) not be subject to profiling, as referred to in Article 22 in conjunction with Article 4(4) of GDPR,
k) lodge a complaint with the supervisory authority (i.e., the President of the Personal Data Protection Office), as referred to in Article 77 of GDPR.
13. If you wish to exercise your rights mentioned in the preceding point, please send a message via email to the address or in writing to the correspondence address mentioned in point 2 above.
14. Every identified case of a security breach is documented, and in the event of one of the situations specified in GDPR or the Act, individuals whose data is affected, as well as – if applicable – the Personal Data Protection Office, are informed about such a breach of data protection regulations.
15. The Cookie Policy is a separate document available at: https://socialproof.local/pl/panel/cookies_policy.
16. In matters not regulated by this Privacy Policy, the relevant provisions of generally applicable law shall apply. In the event of inconsistencies between the provisions of this Privacy Policy and the above-mentioned regulations, the latter shall prevail.