LegacyApp P.S.A.

Table of Contents

1. Preliminary Information

2. Glossary of Terms

3. Information about the Data Controller

4. Legal Basis for Processing

5. Rights of the Data Subjects

6. Security of Using the Website

7. Cookies

8. Final Provisions

1. Preliminary Information

Aiming to ensure the highest standards of personal data processing security and compliance with applicable data

protection laws, LegacyApp P.S.A. has prepared this privacy policy pursuant to the requirements of the European

Parliament and Council Regulation (EU) 2016/679 of April 27, 2016, on the protection of natural persons with regard

to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General

Data Protection Regulation), and the standards contained in national regulations. The information presented in the

Policy allows you to familiarise yourself in detail with the principles of personal data processing by LegacyApp P.S.A.

2. Glossary of Terms

● Application – means the mobile application “LegacyApp” made available by the Data Controller on the

Google and Apple online app stores for use on Android and iOS mobile devices.

● Cookies – means small packets of data, called cookies, sent by a website that’s visited by a user and stored

on such user’s end device (e.g. computer, laptop, smartphone).

● Data Cloud – means the data cloud provided by Google Ltd. or Apple Inc.

● Data Controller – means the entity deciding the purpose and means of personal data processing. LegacyApp

P.S.A. is the Data Controller.

● Data Recipient – means a natural or legal person, public authority, agency, or another body, to whom the

personal data isa disclosed, whether a third party or not.

● EEA – means the European Economic Area, a free trade zone and common market comprising the European

Union member states and the European Free Trade Association (EFTA) countries, excluding Switzerland. It is

an area where free movement of personal data is ensured.

● Electronic Services Act – means the Act of July 18, 2002, on providing services by electronic means (Polish

Journal of Laws No. 144, item 1204, as amended).

● GDPR – means the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27,

2016, on the protection of natural persons with regard to the processing of personal data and on the free

movement of such data, and repealing Directive 95/46/EC.

● Personal Data – means any information about an identified or identifiable natural person (“data subject”); an

identifiable natural person is one who can be identified, directly or indirectly, based on such data.

● Policy – means the privacy policy of LegacyApp P.S.A.

● President of the Personal Data Protection Office – means the supervisory authority within the meaning of

the GDPR, overseeing the compliance with data protection laws in Poland.

● Processing – means any operation or set of operations performed on personal data or on sets of personal

data, whether or not by automated means, such as the collection, recording, organisation, structuring,

storage, adaptation or alteration, retrieval, consultation, use, or disclosing by transmission, dissemination or

otherwise making available, alignment or combination, restriction, erasure, or destruction.

● Profiling – means any form of automated processing of personal data consisting of using personal data to

evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects

concerning that natural person's performance at work, economic situation, health, personal preferences,

interests, reliability, behaviour, location, or movements..

● SSL Protocol – means a network protocol used for secure internet connections, adopted as the standard for

encryption on WWW pages. An SSL certificate ensures the confidentiality of data transmitted over the

Internet.

● Telecommunications Law – means the Act of July 16, 2004, Telecommunications Law (Polish Journal of

Laws No. 171, item 1800, as amended).

● Third Countries – means any countries that are not part of the EEA.

● User – means a person using the Application, website and social media profiles of the Data Controller. [chyba

tez chodzi o apke czy ja to wszystko zle rozumiem?]

3. Information about the Data Controller

The Data Controller has appointed a Data Protection Officer (“DPO”), who is Mateusz Borkiewicz. The Data Controller

and the DPO can be contacted via email on: iod@legacyapp.rip.4. Legal Basis for Processing Personal Data

Purpose of

Processing

Legal Basis

Data Recipients

Processing Time

Responding to

messages sent via

email and telephone

contact.

Article 6(1)(f) GDPR i.e., the

legitimate interest of the Controller in

handling correspondence and

telephone conversations.

IT service providers;

Internet providers;

Hosting providers;

Microsoft Ltd.

For the period necessary to

address the issue raised in the

message.

User registration

and account

creation

Article 6(1)(b) GDPR i.e., processing

is necessary for taking steps at the

request of the data subject prior to

entering into a contract.

IT service providers;

Internet providers;

Hosting providers;

Google Ltd.; Apple Inc.

Until the completion of the

contract

Provision of service

– paid account (user

account

management and

service support)

Article 6(1)(b) GDPR i.e., processing

is necessary for the performance of

a contract to which the data subject

is party.

IT service providers;

Internet providers;

Hosting providers;

progreso.pl sp. z o.o.;

MobilitySoft sp. z o.o.

Until the completion of the

contract extended by the period

for pursuing or defending

against claims until the issuance

of a final court verdict.

Provision of service

– free account (user

account

management and

service support)

Article 6(1)(a) GDPR i.e., processing

is based on the user's voluntarily

given consent.

IT service providers;

Internet providers;

Hosting providers;

Business partners;

progreso.pl sp. z o.o.;

MobilitySoft sp. z o.o.

Until the completion of the

contract extended by the period

for pursuing or defending

against claims until the issuance

of a final court verdict.

Marketing - SMS and

telephone contact

Article 6(1)(f) GDPR i.e., the

legitimate interest in conducting own

marketing activities based on

consent in accordance with the

Telecommunications Law and the

Electronic Services Act.

IT service providers;

Internet providers;

Hosting providers.

Until objection is raised or

consent is withdrawn based on

the Telecommunications Law

and the Electronic Services Act.

Marketing -

newsletter

Article 6(1)(f) GDPR i.e., the

legitimate interest in conducting own

marketing activities based on

consent in accordance with the

Telecommunications Law and the

Electronic Services Act.

IT service providers;

Internet providers;

Hosting providers.

Until an objection is raised or

consent is withdrawn based on

the Telecommunications Law

and the Electronic Services Act.

Marketing –

homepage and

mobile application

Article 6(1)(a) and (f) GDPR i.e., 1.

Consent for displaying ads as part of

access to the free version of the app;

2. The legitimate interest in

conducting own marketing activities.

IT service providers;

Internet providers;

Hosting providers;

Google Ltd.;

progreso.pl sp. z o.o.;

Business partners

1. Until consent is withdrawn

2. Until an objection is raised.

Purpose of

Processing

Legal Basis

Data Recipients

Processing Time

Complaints (defense

and pursuit of

claims)

Article 6(1)(f) GDPR The legitimate

interest in establishing, pursuing, or

defending against claims.

IT service providers;

Hosting providers;

Until the expiration of the claim

period under civil law provisions

and the issuance of a final court

verdict.

Seeking to conclude

and perform a

contract

(contractors)

Article 6(1)(b) GDPR Taking

necessary actions to conclude a

contract with clients.

IT service providers;

Internet providers;

Hosting providers; Law

firms and legal

advisors;

For the duration of the contract,

its termination, and until the

expiration of the period for filing

potential claims

Contract

performance

(contractor's

employees).

Article 6(1)(f) GDPR The legitimate

interest of the Controller in

coordinating actions with the

contractor.

IT service providers;

Internet providers;

Hosting providers; Law

firms and legal

advisors;

For the duration of the contract,

its termination, and until the

expiration of the period for filing

potential claims

Acceptance and

consideration of

requests based on

GDPR

Article 6(1)(c) GDPR The obligation

arising from GDPR to provide the

data subject with information on

actions taken in connection with the

request.

IT service providers;

Internet providers;

Hosting providers; Law

firms and legal

advisors;

Until the expiration of claims.

Conducting

statistics and

profiling (website

and mobile

application)

Article 6(1)(f) GDPR The legitimate

interest of the Controller in collecting

and using statistics to improve the

range and quality of offered services.

IT service providers;

Internet providers;

Hosting providers,

Google Ltd.

Until an objection is raised.

Provision of

services and

processing of

Trusted Friend’s

data

Article 6(1)(a) GDPR – consent

IT service providers;

Internet providers;

Hosting providers;

Google Ltd

Until consent is withdrawn or

until deleted by the User.

Provision of

services and

processing of

Beneficiary’s data

Article 6(1)(d) GDPR – necessity in

order to protect the vital interests of

the Beneficiary or of the User;

IT service providers;

Internet providers;

Hosting providers;

Google Ltd

Until deleted by the User.

A User may voluntarily provide any Personal Data; however, it may be necessary for a User to provide such

Personal Data to effectively use the Data Controller's services or communicate with the Data Controller.

ADDITIONAL INFORMATION FOR UK RESIDENTS

The reference to GDPR should also be read as a reference to UK GDPR.

Data Cloud – Google and Apple

The Application provides each User with the option to link their user account to one of the two data clouds

provided by Google Ltd. or Apple Inc. The User can voluntarily associate and register the Application with the chosen

Data Cloud provider.

To use the Data Cloud, the User must have a previously registered and active account on one of the platforms of the

aforementioned providers.

The Application allows the input of various data, including Personal Data, which is stored in the Data Cloud associated

with the account registered on the platform of Google Ltd. or Apple Inc.

● Google account linking

● Apple account linking

The Data Controller does not have access to the data saved in the Data Cloud through the Application,

including Personal Data, and in this respect, the proper controller is Google Ltd. or Apple Inc.

What Personal Data will be collected in the Cloud?

The User voluntarily and independently determines the categories and level of detail of any data, including Personal

Data, entered into the Application and saved in the Data Cloud. The Personal Data can include data such as phone

number, email address, home address, or health information. Therefore, a User should familiarise themselves with the

● Google Ltd. Privacy Policy

● Apple Inc. Privacy Policy

META

Recognising the importance of User privacy, the Data Controller also protects Users who have provided Personal

Data to the Data Controller using other communication channels, i.e., websites and any sites marked or co-branded

by Meta (including subdomains, international versions, applications, widgets, and mobile versions), whose operating

rules are based on regulations provided particularly at Meta Platforms Inc. or Meta Platforms Ireland Limited Terms

(“Meta Products”), including in connection with conducting advertising campaigns and configuring the SDK (Software

Developer Kit) with the application, which enables reaching interested Users, tracking actions taken by Users in the

Application, and measuring advertising campaign results.

The principles of protection and use of Personal Data by Meta Products are available, for example, at: Meta Privacy

Policy. The Data Controller has no influence on the content of the legal regulations of Meta Products, including those

concerning Personal Data.

5. Rights of the Data Subjects

Every person whose data is processed has a number of rights under the GDPR.

● Right to access personal data: You have the right to obtain from us (as the Data Controller) confirmation as

to whether or not your Personal Data is being processed, and, if that is the case, access to the Personal Data

and a range of related information.

● Right to rectification: You have the right to have us rectify your personal data that is incorrect without undue

delay. You also have the right to have incomplete personal data completed, including by means of providing a

supplementary statement.

● Right to erasure: You have the right to have us erase your data without undue delay, and we are obliged to

erase personal data without undue delay if one of the following grounds applies:

● Your personal data are no longer necessary in relation to the purposes for which they were collected

or otherwise processed;

● You have withdrawn consent on which the processing is based and there is no other legal ground for

the processing;

● You object to the processing and there are no overriding legitimate grounds for the processing;

● Your personal data have been unlawfully collected or processed;

● Your personal data have to be erased for compliance with a legal obligation in Union or Member State

law to which the controller is subject;

● Your personal data have been collected in relation to the offer of information society services.

● Despite the above grounds for erasure, under the GDPR, your data may not be erased if their processing is

necessary:

● For exercising the right of freedom of expression and information;

● For compliance with a legal obligation which requires processing by Union or Member State law to

which the controller is subject or for the performance of a task carried out in the public interest or in

the exercise of official authority vested in the controller;

● For reasons of public interest in the area of public health;

● For archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in so far as the right to erasure is likely to render impossible or seriously impair the

achievement of the objectives of that processing;

● For the establishment, exercise, or defence of legal claims.

● Right to restriction of processing: You have the right to request the Data Controller to restrict processing

where one of the following applies:

● You contest the accuracy of the Personal Data, for a period enabling the Data Controller to verify the

accuracy of the Personal Data;

● The processing is unlawful and you oppose the erasure of the Personal Data and request the

restriction of their use instead;

● The Data Controller no longer needs the Personal Data for the purposes of the processing, but they

are required by you for the establishment, exercise or defence of legal claims;

● You have objected to processing pending the verification whether the legitimate grounds of the

controller override those of the data subject.

● Right to object: You have the right to object at any time, on grounds relating to your particular situation, to

the processing of Personal Data concerning you based on the legitimate interest of the Data Controller or

when the processing is necessary for the performance of a task carried out in the public interest or in the

exercise of official authority vested in the Data Controller, including profiling based on those provisions. In the

event of an objection, we shall no longer process the Personal Data unless we demonstrate compelling

legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or

for the establishment, exercise or defence of legal claims.

● Right to data portability: You have the right to receive your Personal Data, which you have provided to us, in

a structured, commonly used and machine-readable format and have the right to transmit such data to

another data controller without hindrance from us if:

● the processing is based on consent or on a contract, and

● the processing is carried out by automated means. The right to have the personal data transmitted

directly from one data controller to another, where technically feasible, shall be exercised without

adversely affecting the rights and freedoms of others.

● Right to withdraw consent: If your Personal Data is processed based on consent, you have the right to

withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing

based on consent before its withdrawal. In case of withdrawal of consent, we have the right to continue

processing Personal Data if it is necessary:

● For exercising the right of freedom of expression and information;

● For compliance with a legal obligation which requires processing by Union or Member State law to

which the Data Controller is subject or for the performance of a task carried out in the public interest

or in the exercise of official authority vested in the controller;

● For reasons of public interest in the area of public health;

● For archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in so far as the right to erasure is likely to render impossible or seriously impair the

achievement of the objectives of that processing;

● For the establishment, exercise or defence of legal claims.

● Right to lodge a complaint: You are entitled to lodge a complaint to the relevant supervisory authority

regarding our actions as a Data Controller in relation to your Personal Data. You can find a list of local

authorities responsible for data protection across the EU and their contact details

at: https://edpb.europa.eu/about-edpb/board/members_en. The relevant public authority in the UK is the

Information Commissioner’s Office https://ico.org.uk/global/contact-us/. The relevant public authority in

Switzerland is the Federal Data Protection and Information Commissioner

(FDPIC) https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html. Of course, we encourage you

to first contact us at iod@legacyapp.rip.

Information on Data Processing Outside the EEA (European Economic Area)

Your Personal Data may be processed outside the EEA in specific cases. In the case of LegacyApp P.S.A., such data

may be transferred to the USA in connection with the use of Microsoft 365 services for electronic communication; data

may also be transferred to the provider's servers in the USA.

Additionally, Personal Data may be processed by entities operating under the Meta brand, as well as by Google Ltd..

or Apple Inc. if the User uses their individual account to collect data and log into the Application or when a User

creates a back-up copy of the notes saved in the Application on the relevant Data Cloud. The Data Controller is not

responsible for Personal Data processed by Google Ltd., Apple Inc., and their partners. In every case, any data

transfer is legally based on the Data Privacy Framework document, and in specific cases, on the basis of Standard

Contractual Clauses. Each of the providers ensures an adequate level of security for such transfer. More information

on this subject below:

● Google Ltd. - https://support.google.com/adspolicy/answer/10042247?hl=en

● Apple Inc. - https://www.apple.com/legal/privacy/en-ww/

● Microsoft Ltd. - https://www.microsoft.com/en-us/trust-center/privacy/gdpr-faqs

● META - https://www.facebook.com/privacy/policy

6. Security of Using the Website

We inform you that LegacyApp P.S.A. applies all necessary technical and organisational measures to ensure the

maximum level of protection for individuals using the company's website and Application. To guarantee the highest

level of security for using the websites, these are accessed with SSL code. The website may contain appropriate links

to other websites, especially in terms of making payments for our services (websites) or other means of

communication (radio, television, press, outdoor advertising, etc.). Therefore, the Data Controller is not responsible for

the privacy practices that will apply on these websites or any other means of communication, other than its own

website and its own communication with you. The Data Controller is not responsible for the availability of any services

or goods provided through websites or other means of communication to which links may be found on its website. The

Data Controller is also not responsible for any damages resulting or which may result from the use of such websites or

other means of communication.

7. Cookies

When using our website, Cookies are processed. We use Cookies for the following purposes:

● Maintaining and improving the functionality of the website and the Application.

● Conducting statistics of users visiting the website and using Application. Data collected via Cookies by Google

Analytics (including the User's IP address) are transferred to Google and stored by Google on servers in the

United States. If the Services anonymize IP addresses, the User's IP address will be truncated by Google

within the territory of a European Union member state or another European Economic Area state before the

address is sent to the United States. Only in exceptional cases will the full IP address of the User be sent to

Google servers in the United States and truncated there. Google will use this information to evaluate the

User's use of the services, to compile reports on website traffic for website operators, and to provide other

services related to website traffic and internet usage. Google will not associate the User's IP address with any

other data held by Google. Like many other services, Google Analytics and Facebook use their own cookies

to analyse User actions. These cookies are used to store information, e.g., the time of the start of the current

visit and whether the User has been to the website before, from which website the User came to our page,

what is the resolution of his device screen, what information was of interest to them on our page, etc. By using

the website, the User consents to the processing of their data by Google in the manner and for the purposes

set out above. We inform you that implementing restrictions on the use of the technologies described above

may negatively affect the functioning of the Application or website.

For detailed information on the Google Analytics solution used, we suggest you click the following link:

https://support.google.com/analytics/answer/6004245 The legal basis for the transfer of data outside the EEA

is the European Commission's decision on the Data Privacy Framework, and in specific situations, Standard

Contractual Clauses.

8. Cookie Management

You can change the way Cookies are used at any time by managing the consents provided within the privacy settings

on our website or through your browser's features. To do this, you need to change the privacy settings on our website

or within your browser. In particular, you can withdraw previously given consent; however, this will not affect the

legality of actions taken based on the consent before its withdrawal.

You can configure your browser to receive information about the use of Cookies and decide on their acceptance or

rejection manually in specific cases. If you do not accept the use of specific cookies, the functionality of our website

may not be displayed correctly. Below we provide instructions for configuring each of the browsers.

● Internet Explorer

● Microsoft Edge

● Mozilla Firefox

● Chrome

● Opera

● Safari

8. Final Provisions

The use of the Data Controller's website and Application and the provision of your Personal Data is entirely voluntary..

LegacyApp P.S.A. reserves the right to change this Policy at any time due to any change in the scope of services it

provides and to adapt to any changes in applicable law. In each case, we will endeavour to inform you about any

update, or changes, to this Policy before its introduction.

Last update of the Privacy Policy: 23/07/2024.