This document (hereinafter referred to as the “Policy”) contains information on the processing by HEADLOGIC Sp. z o.o. of Rzeszów, ul. Podwisłocze 2, 99 B, 35-309 Rzeszów, entered into the Register of Entrepreneurs of the National Court Register by the District Court of Rzeszów, XII Commercial Division of the National Court Register, under entry No. 0000844300, VAT PL: 8133839622, with share capital of PLN 5,000.00 (hereinafter referred to as the “Administrator”), of Personal Data of the persons using the Application named after: Hrily available at the following address: hrily.com (hereinafter referred to as the “Application”).
The Policy shall be made available in order to provide the persons whose Personal Data is processed by the Administrator with the widest possible information about the scope of the data processed, ways and principles of data processing and about their rights. The basic legal regulation concerning the protection of Personal Data is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to Personal Data Processing and on the free movement of such data and the repeal of Directive 95/46/EC (hereinafter referred to as “FDPA”).
1. Agency – User who is an Entrepreneur and uses the Application to collect and analyse Employees’ data.
2. Application – the Hrily web application, addressed to the HR industry and other entities that may use the functionality of the Application in their business.
3. Cookies – text files placed by the server on the device on which the browser operates. Cookies are IT data, especially text files, which are stored in the User’s device.
4. Personal data – any information relating to an identified or identifiable natural person, in particular on the basis of an identifier such as name, identification number, location data, internet identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
5. Account – an individual profile of the Agency created in the Application during the registration process.
The account enables the use of the Services provided within the Application.
6. Third country – any country outside the European Economic Area.
7. Profiling – any form of automated Personal Data Processing that involves the use of Personal Data to evaluate certain personal factors of an individual, in particular to analyse or forecast aspects relating to said individual’s performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement.
8. Browser – any IT program used to display websites (e.g. Chrome, Firefox, Safari).
9. Entrepreneur – shall mean an entrepreneur within the meaning of Polish law and, in particular, as designated Article 4 of the Act of 6 March 2018. – The right of entrepreneurs (i.e. Journal of Laws of 2019, item 1292 as amended) and Article 43 of the Civil Code of 23 April 1964 (i.e. Journal of Laws of 2019, item 1145 as amended)
10. Processing – any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other form of provision, alignment or combination, restriction, deletion or destruction.
11. Agreement – an agreement concluded between the Administrator and the Agency, the subject of which is the provision of Services.
12. Services – services provided by the Administrator via the Application to Users in accordance with these Terms.
14. Users – Agencies, persons to whom the Agency has granted access to the account, employees or other natural persons, legal persons or entities without legal personality, to whom the Act grants legal capacity, using the Services provided by the Administrator via the Application.
II. THE LEGAL BASIS, PURPOSES, PRINCIPLES AND DURATION OF PERSONAL DATA PROCESSING IN THE APPLICATION
1. Users may send the Administrator Personal Data when using the Application, completing the forms available in the Application (enabling, among other things, registration), as well as through any exchange of information with the Administrator by e-mail or in any other way, as well as when reporting problems concerning the Application. Moreover, the Administrator may obtain Personal Data from, among others, business partners.
2. Personal data is processed by the Administrator for the purpose of:
1) exercising rights and obligations resulting from the Agreement concluded between the User being the Agency and the Administrator or making necessary settlements in connection with its conclusion, (Article 6(1)(b) of the TCO), as well as providing the User being the Agency with information about the Services ordered by him/her, which is necessary for the performance of mutual obligations under the Agreement and for handling complaints and claims related to the concluded Agreements (processing is necessary to fulfil the legal obligation of the Administrator – Article 6(1)(c) of the TCO) – for the time necessary for the performance of the Agreement, and after its termination, the data shall be stored for the time necessary to prove the proper performance of the obligations arising from the Agreement, until the lapse of the deadlines indicated in the archiving regulations and the expiry of the deadlines for claiming under the Agreement;
2) processing the Personal Data until there is an additional legal basis (e.g. allowing for their processing for the purpose of performing the Agreement) – if the Administrator loses this basis, the Personal Data shall be anonymised or deleted;
3) enabling the User to communicate and exchange information, which involves the exercise of reciprocal rights and obligations arising out of the mutual agreement between the User who is the Agency and the Administrator of the Agreement (Article 6(1)(b) of the TTE) – for the time necessary for the execution of the Agreement, and after its termination, the data will be stored for the time necessary to prove the correctness of the execution of the obligations arising from the Agreement until the expiry of the deadlines indicated in the archiving regulations;
4) ensuring that the Administrator performs the Services in accordance with the applicable laws, including in particular the Application Rules and this Policy, which is necessary for the Administrator to fulfil its contractual obligations (Article 6.1(b) of FYROM), fulfil its statutory obligations (Article 6.1(c) of FYROM) and perform and defend claims resulting from the concluded Agreement (Article 6.1(f) of FYROM) – for the time necessary for the performance of the Agreement, and after its termination, the data shall be stored for the time necessary to prove the correctness of the performance of the obligations arising from the Agreement until the lapse of the time limits indicated in the archiving regulations; in the event that the Administrator performs his statutory duties, Personal Data Processing shall be performed for the time necessary to perform the Administrator’s statutory duties; in the event that the Administrator defends and performs claims arising from the Agreement for the time necessary to perform the Administrator’s legally justified interest or until the User submits a justified objection;
5) providing the User (in a manner consistent with the applicable regulations) with marketing materials and information, instructions and guidelines necessary to improve the performance of the Services and news about promotions, new available functionalities of the Application – the processing of the User’s Personal Data shall then take place with the User’s consent (Article 6(1)(a) of the TCO) and/or in the Administrator’s legitimate interest, i.e. improvement of the Services provided and direct marketing (Article 6(1)(f) of the TCO) – for the time necessary to pursue the Administrator’s legitimate interest or until the User submits a justified objection, and in the case of direct marketing no longer than until the objection is expressed;
6) In this case, the basis for the processing of the User’s Personal Data shall be the Administrator’s legitimate interest in ensuring the security of the Services provided (Article 6(1)(f) of the TABL); said Personal Data shall be processed for the time necessary to satisfy the Administrator’s legitimate interest or until the User submits a justified objection;
7) making any necessary improvements to the Application and the Services provided, as well as ensuring that their content is communicated to the User in an appropriate manner, in particular taking into consideration the devices by means of which the User uses the Application, which constitutes the Administrator’s legitimate interest (Article 6(1)(f) of the TAB); in this case, Personal Data shall be processed for the time necessary to pursue the Administrator’s legitimate interest or until the User submits a justified objection;
8) enabling the User to use the interactive functions of the Application, which is necessary for the performance of mutual contractual obligations (Article 6(1)(b) of the TCO), and in certain situations shall or may be based on the User’s consent (Article 6(1)(a) of the TCO) – for the time necessary for the execution of the Agreement, and after its termination, the data will be stored for the time necessary to prove the proper performance of the obligations arising from the Agreement until the expiry of the deadlines indicated in the archiving regulations, and in the case of consent until its withdrawal;
9) ensure security of using the Services available in the Application, which is necessary to perform mutual contractual obligations, prepare, perform or defend claims resulting from the Agreement (Article 6.1(b) of FAMILY), fulfil the Administrator’s statutory obligations (Article 6.1(c) of FAMILY), as well as in the Administrator’s legitimate interest (Article 6.1(f) of FAMILY) – for the time necessary for the performance of the Agreement, and after its termination, the data shall be stored for the time necessary to prove the correctness of the performance of the obligations arising from the Agreement until the expiry of the time limits indicated in the archiving regulations; in the event that the Administrator performs his or her statutory duties, Personal Data Processing shall be performed for the time necessary to perform the Administrator’s statutory duties in the event that security is ensured for the time necessary to perform the Administrator’s legally justified interest or until the User submits a justified objection;
10) performing other statutory duties of the Administrator, in particular tax and reporting duties (Article 6(1)(c) of the TCO) – for the time necessary to perform the Administrator’s statutory duties, in particular until the expiration of the limitation period for tax liabilities.
11) in the case of voluntary and optional consents, also on the basis of separate consents expressed by e-mail or by telephone [Article 6(1)(a) RODO and Article 10 of the Act of 18 July 2002 on the provision of services by electronic means and Article 172 of the Act of 16 July 2004. – Telecommunications law] data shall also be processed for marketing purposes consisting in providing commercial information concerning the Administrator and his partners.
3. After the processing period has expired, the Personal Data shall be immediately deleted or rendered anonymous.
4. The Administrator will process the following Personal Data provided by the User:
1) in case of registration of the Agency’s Account (the User having the status of an Entrepreneur:
a) company name,
b) NIP number
c) the name of the person authorised to represent,
d) e-mail address,
e) telephone number.
2) in case of registration to the Partnership Programme (the User having Consumer status):
a) name and surname,
b) e-mail address,
c) telephone number,
B. A User with the status of an Entrepreneur:
a) company name,
b) the NIP number,
c) the person authorised to represent,
d) e-mail address,
e) telephone number
f) data necessary to issue an invoice,
g) company name,
h) the NIP number,
i) the address of the seat,
C. if you order the newsletter service:
b) e-mail address,
3) records concerning all types of correspondence between the User and the Administrator and/or other Users
4) data concerning visits to the Application and the resources used by the User;
5) answers to any surveys or questionnaires concerning the Services provided (these data may be used for the purpose of analyses, including those concerning the Users’ behaviour);
6) data and information that the Administrator may require from the User in case of reporting problems with the use of the Application.
5. With regard to Personal Data concerning your visits to the Application, the Administrator may (where required and obtained your consent to do so), obtain data concerning the devices and networks used by you to access the Services. Such data may include: the User’s IP address, login data, browser type and version, types and versions of plug-ins used by the web browsers, operating system and platform, advertising identifier, information about the visits, including the URL of the site where the link leading to the Application was selected, data download errors, time of visits to specific sites, interaction with other sites. These data are collected by the Administrator, in particular by means of cookies.
6. The Administrator does not store confidential data such as Users’ credit card numbers or bank account access data.
7. The scope of the data indicated is consistent with the principle of adequacy. Lack of indication of the above data prevents the conclusion of the Agreement and use of the Services.
8. In connection with the provision of the Services, Personal Data will be disclosed to external recipients:
1) the Administrator’s business partners,
2) the Administrator’s service providers (in particular as regards technical issues,
IT, payments, analytical tools, accounting services),
3) persons cooperating with the Administrator under the Application on the basis of the authorisations issued,
4) state authorities, prosecutor’s office, police (when required by law).
The Administrator informs that the transfer of Personal Data to external recipients will take place when:
1) This is necessary to use the services of a third party,
2) This is necessary for the implementation of contracts concluded with external parties,
3) This is necessary for the proper performance of the Services;
4) This is necessary for analytical and statistical purposes;
5) This is due to the provisions of generally applicable law;
6) This is necessary to defend the Administrator’s claims or rights, including in connection with a possible ongoing trial;
7) there is a circumstance that poses a threat to life, health, property or safety;
10. Taking into account the scope of the Administrator’s activities, the Administrator’s service providers, e.g. in the area of servers, hosting, software, analytical tools, may possibly be located in a third country. The User’s Personal Data will then be transferred outside the European Economic Area – in such a case all transfers of Personal Data will be made on the basis of so-called standard contractual clauses, adopted by the European Commission, to ensure an appropriate level of security in accordance with the applicable regulations.
11. The transfer of Personal Data by the Administrator may also take place in the event that the User orders a Service requiring the transfer of Personal Data to a third country, including the use of the available option to indicate the servers on which the Personal Data are to be processed. In this case, the transfer of Personal Data may be based on a decision of the European Commission stating the appropriate level of protection. In contrast, where Personal Data is transferred to a third country in respect of which the European Commission has not issued an adequacy decision, the controller shall apply the appropriate safeguards as set out in Article 46 of the TYRO – in particular the standard contractual clauses set out in paragraph 9 above. If the European Commission has not issued a decision stating an adequate level of protection or if the Administrator does not provide adequate legal safeguards, Personal Data may be transferred to a third country on the basis of one of the prerequisites listed in Article 49(1) of the TYPS, including in particular on the basis of the express consent of the User.
12. In case of transfer of personal data to an entity located in a third country (outside the European Economic Area), each transfer of Personal Data will be recorded in the Register of Data Processing Activities.
13. In accordance with the applicable regulations and if required, after obtaining the User’s consent, the Administrator may use the information provided by the User for the purposes of direct marketing using electronic means of communication (e.g. sending informants or other messages which the Administrator believes may be of interest to the User or sending advertisements addressed to a specific User).
14. With regard to marketing messages sent by electronic means of communication: You may withdraw your consent at any time by sending an e-mail to the following address:
III. Personal Data Processing BY AUTOMATED MEANS
The Administrator uses Personal Data for automated decision making, including profiling, including information contained in cookies or other technologies. Profiling will have an impact on the functionality and quality of the Application, the content of a specific User’s profile, and the offer of actions to increase the User’s activity in the Application. Moreover, the profiling is carried out in order to achieve the aforementioned objectives described in point II of the Policy. Profiling has an impact on the User’s use of the Application, as on this basis the Administrator will be able to improve the quality of use of the Application, and also assess the Users’ personal preferences. Therefore, profiling also includes monitoring and tracking the Users’ individual behaviour.
IV. USER RIGHTS
(1) In accordance with the provisions of TODO, you the User has the following rights to control the processing of his or her Personal Data:
1) the right to access the content of the Personal Data (including the right to obtain information regarding the type of Personal Data processed by the Administrator and to receive a copy of their Personal data);
2) the right to request that Personal Data be corrected, updated or rectified;
3) the right to demand the deletion of Personal Data if it is incomplete, outdated, untrue or has been collected in violation of the law or is unnecessary for the purpose for which it was collected; regardless of the above, the User has the right to delete the Account in the Application (however, this is not equivalent to the deletion of Personal Data);
4) the right to lodge a complaint to the supervisory body dealing with the protection of Personal Data – i.e. the President of the Office for the Protection of Personal Data (e.g. in case Personal Data Processing is considered to be in breach of the provisions of the PDPA or other regulations concerning the protection of Personal Data);
5) the right to request a restriction on Personal Data Processing;
6) the right to object to Personal Data Processing if the processing is based on the Administrator’s legitimate interest or for direct marketing purposes.
7) If the Personal Data is processed on the basis of consent, the User is entitled to:
a) withdraw consent at any time;
b) transfer Personal Data.
In order to exercise his or her rights, the User may contact the Administrator via the communication channels indicated in point 2. VII “Contact details”.
1. The application uses the information contained in the cookies.
2. Cookies are used for the following purposes:
1) to enable Users to navigate the Application and use its functionality,
2) to identify the User during the next visit to the Application,
3) to maintain the User session,
4) to determine the number of people using the Application and obtain information on how to use it,
5) to conduct marketing activities (sending advertising and information),
6) to remember login data in the Application,
7) to adjust the content of the Application to the User’s individual preferences (e.g. adjusting the layout of the Application page),
8) to keep statistics anonymous to enable the Administrator to improve the functionality of the Application,
9) to determine the source of the User’s origin in the Application,
The following types of cookies are used in the Application:
1) Session cookies – files placed and read from the User’s device during one session of a given device. After a session, files are deleted from the device;
2) Permanent Cookies – files placed and read from the User’s device. Files are not deleted automatically after the end of the device session, unless the configuration of the User’s device is set to delete cookies after the end of the device session.
3) Cookies necessary for the use of Google Analytics – in order to analyse the user’s behaviour when visiting the App and the source of traffic on the App.
4) Cookies necessary to use the Google Search Console – to analyse the passwords entered by Users in the Google search engine.
5) Cookies necessary to use Google Ads – to display ads for users who have previously visited Hrily.com
5. Detailed information on the settings of cookies and their self-deletion in the most popular web browsers should be available in the “Help” section (or any similar) web browser.
VI. PERSONAL DATA SECURITY
The controller shall provide appropriate security measures to ensure that Personal Data are processed in a secure manner, ensuring in particular that only authorised persons have access to the data and only in so far as this is necessary for the performance of their tasks. The Administrator shall take all steps to ensure that the entities cooperating with him or her guarantee the application of appropriate security measures in each case when they process Personal Data upon the Administrator’s order.
In particular, these are the following safety measures:
1. securing data against unauthorised access;
2. frequent software updates;
3. access to an individual Account in the Application only after logging in with a login and password; the passwords are secret and are saved in the database as a so-called hashe;
4. the SSL certificate.
VII. CONTACT DETAILS
In case of any questions or requests concerning Personal Data or the desire to exercise a specific right, the User may contact the Administrator via one of the channels indicated below:
e-mail: firstname.lastname@example.org telephone: +48 530 248 264
VIII. PARTNERSHIP AND REDIRECTION PROGRAMMES
1. The e-mail address provided by the user is used to send the newsletter. The User’s confirmation is required here by his or her voluntary consent to receive the newsletter as the owner of said e-mail address.
2. The user may terminate the newsletter service agreement at any time by deactivating the subscription. You can unsubscribe from the newsletter by sending a declaration of intent to the following address: email@example.com or via the appropriate link in the footer of each message sent as part of the newsletter.
The Administrator shall strive to ensure that this Policy is up to date and updated in the event of changes in the provisions of law, court rulings, guidelines of the authorities responsible for supervising Personal Data Processing, introduction of codes of good practice (if the Administrator is bound by such codes), change of technology, ways, purposes or legal basis for Personal Data Processing.