I. DEFINITIONS

Administrator: ePM Sp. z o.o., with head office in Cracow, 60, Podole Street (30-394), entered as entrepreneur into the National Court Register held by the District Court for Kraków-Śródmieście in Cracow, 11th Trade Department under the number KRS 0000777645, with share capital of 100,000.00 PLN fully paid, tax identity number NIP 6762563650, e-mail address: biuro@epmflow.com.
User: Natural person, legal person, and business unit with no legal identity, who visits the Website or uses the Website services.
Website: Internet Pages and Websites operated by the Administrator on fixed and mobile terminal devices, by means of which the Administrator provides the Users with the contents, digital or electronic files, as well as other services defined individually in the Website Regulations.
File: Electronic or digital file which holds a content (in particular: application; electronic library; plugin; e-book; audiobook; e-press; multimedia applications), designed to be used, read, listened or otherwise reproduced (in compliance with description on Website) by means of Electronic Device.
Electronic Device: In general, a device designed for downloading and saving digital files (e.g. PC, smartphone, tablet, reader).
File Availability: Free-of-charge accessibility of a File made available by the Administrator to User’s order via the Website; it allows using the File with no time limits by means of Electronic Devices, subject to the rules defined individually in the Website Regulations.
Additional services: Services provided by the Administrator to the Users registered with the Webpage (i.e. having Accounts).
Account: Individual web page of a User registered with the Webpage, by means of which a registered User may use additional Services, subject to the rules defined individually in the Website Regulations.
GDPR: General Data Protection Regulation (GDPR) No. 2016/679 issued by the European Parliament and Council on 27 April, 2016, concerning the protection of natural persons in connection with personal data processing and the free flow of such data.

II. PRIVACY POLICY.

II.1. Data processing in connection with the use of the Website.
In connection with User’s activities on the Website, the Administrator collects data to the extent necessary for provision of particular services offered by the Website as well as to the extent of information on User’s activities on the Website. Shown below are detailed rules and purposes of processing personal data which are collected for the period of User’s activities on the Website.

II.2. Purpose and legal basis for data processing on the Website. 
II.2.1. Use of Website.
Personal data on all the persons using the Website (including IP address or other identification and information collected by means of cookies or other similar technologies), other than registered Users (i.e. persons having no Accounts), are processed by the Administrator for the purposes specified below:

  • Provision of services by electronic way to the extent of presentation and sale of a File as well as maintenance of the contents placed by the Users on the Website (e.g. posts; comments): in this case, legal basis for processing shall be the necessity for processing in order to perform the agreement (GDPR, art. 6.1.b);
  • Analyses and statistics: in this case, legal basis for processing shall be the legitimate interest of the Administrator (GDPR, art. 6.1.f), the said interest consisting in analyses of User’s activities and preferences in order to improve the functionalities and quality of service provision;
  • Identification, vindication of, or defence against potential claims: in this case, legal basis for processing shall be the legitimate interest of the Administrator (GDPR, art. 6.1.f), the said interest consisting in protection of Administrator’s rights;
  • Administrator and other persons’ marketing, in particular connected with presentation of behavioural promotion; for the rules of personal data processing for marketing purposes, go to section II.2.5. “Marketing”.

User’s activities on the Website, including their personal data, are entered into the system logs (special computer software for storage of chronological records of information on events and activities concerning the IT system dedicated to the provision of services by the Administrator). Information contained in the logs is processed mostly for the purposes connected with the service provision procedure. Furthermore, the Administrator will process the said data for technical and administrative purposes in order to ensure IT system safety as well as to serve analytical and statistical purposes: in this case, legal basis for processing shall be the legitimate interest of the Administrator (GDPR, art. 6.1.f).

II.2.2. Registration with the Website.
The persons who register with the Website are asked to give, of their own accord, data necessary for creation and operation of Account or to make available such data via their profiles in facebook.com social media. Data must contain the e-mail address, otherwise the Account shall not be created. Personal data are processed for the purposes specified below:

  • Provision of services connected with the operation of an Account on the Website: in this case, legal basis for processing shall be the necessity for processing in order to perform the agreement (GDPR, art. 6.1.b) whereas in the case of optional data, legal basis for processing is the consent (GDPR, art. 6.1.a);
  • Analyses and statistics: in this case, legal basis for processing shall be the legitimate interest of the Administrator (GDPR, art. 6.1.f), the said interest consisting in analyses of User’s activities and preferences on the Website as well as of the way of using the Website, in order to improve actual functionalities;
  • Identification, vindication of, or defence against potential claims: in this case, legal basis for processing shall be the legitimate interest of the Administrator (GDPR, art. 6.1.f), the said interest consisting in protection of Administrator’s rights;
  • Administrator and other persons’ marketing; for the rules of personal data processing for marketing purposes, go to section …

Subject to User’s consent, if a User registers with the Website or logs in the Account via Facebook, the Website will collect such data only which are necessary for account registration and operation from that User’s account in social media. If the User places any personal data on other persons (including first and last name, address, phone number or e-mail address) on the Website, the User will be allowed to do so only on the understanding that no applicable law and personal interests of such persons are thereby infringed.

II.2.3. Order placing (use of charged and free-of-charge services on the Website).
File sale and/or File Availability to the User is connected with his or her personal data processing. To place an order, the User should have their Account on the Website or give their e-mail address in the process of File sale and/or availability. Address data are necessary to issue and deliver the invoices. Personal data are processed for the purposes specified below:

  • Completion of the order: in this case, legal basis for processing shall be the necessity for processing in order to perform the agreement (GDPR, art. 6.1.b) whereas in the case of optional data, legal basis for processing shall be the consent (GDPR, art. 6.1.a);
  • Consistency with statutory obligations of the Administrator, resulting in particular from fiscal and accounting regulations: in this case, legal basis for processing shall be the legal liability (GDPR, art. 6.1.c);
  • Analyses and statistics: in this case, legal basis for processing shall be the legitimate interest of the Administrator (GDPR, art. 6.1.f), the said interest consisting in analyses of User’s activities and purchasing preferences on the Website as well as the way of using the Website, in order to improve actual functionalities;
  • Identification, vindication of, or defence against potential claims: in this case, legal basis for processing shall be the legitimate interest of the Administrator (GDPR, art. 6.1.f), the said interest consisting in protection of Administrator’s rights.

II.2.4. Contact forms.
The Administrator gives the Users the option to contact with them via the forms in electronic format. To use the form, the applicant should give their personal data which are necessary for contacts, and answer the questions. No response will be made in the case of failure to give personal data. Personal data are processed for the purposes specified below:

  • Identification of senders and answering their questions asked via the forms: in this case, legal basis for processing shall be the necessity for processing in order to execute the service provision agreement (GDPR, art. 6.1.b);
  • Analyses and statistics: in this case, legal basis for processing shall be the legitimate interest of the Administrator (GDPR, art. 6.1.f), the said interest consisting in statistical analyses of questions raised by the User via the Website in order to improve its functionalities.

II.2.5. Marketing.
The Administrator shall process Users’ personal data for the purposes of marketing which may consist in:

  • Displaying marketing contents to the User, such contents being irrelevant to his or her preferences (including context-specific promotion);
  • Displaying marketing contents to the User, such contents being relevant to his or her preferences (behavioural promotion);
  • Delivery of e-mail notifications of interesting offers or contents which may contain commercial information in certain cases (newsletter service);
  • Other activities connected with goods and services direct marketing (delivery of commercial information by electronic way).

In certain cases, the Administrator will use profiling for the purpose of marketing activities. This means that the Administrator will use automatic data processing in order to evaluate purchase preferences and match the offer the best in the future.

II.2.6. Promotion.
The Administrator shall process Users’ personal data for the purposes of marketing in connection with providing the Users with promotion, including context-specific promotion (i.e. promotion irrelevant to Users’ preferences). In this case, legal basis for personal data processing shall be the legitimate interest of the Administrator (GDPR, art. 6.1.f).

II.2.7. Behavioural promotion.
The Administrator shall process Users’ personal data, including personal data collected by means of cookies and other similar technologies, for marketing purposes, in connection with provision of behavioural promotion to the Users (i.e. promotion relevant to Users’ preferences). In this case, personal data processing contains also user profiling.

II.2.8. Direct marketing.
Furthermore, User’s personal data may be used by the Administrator for the purpose of providing the User with marketing contents via e-mail. This type of activity shall be undertaken by the Administrator only in the case a User has agreed to the same and has the righ to withdraw the consent any time.

II.2.10. Social media.
The Administrator shall process personal data of the Users who visit ePMflow profile managed in Facebook and/or LinkedIn social media. Personal data shall be processed only in connection with profile management, including the purpose of informing the Users of Administrator’s activities, Website promotion, as well as answering short questions sent via Facebook and/or LinkedIn communicator. In this case, legal basis for personal data processing by the Administrator shall be the Administrator’s legitimate interest (GDPR, art. 6.1.f), the said interest consisting in promotion of Administrator’s own brand and necessity for processing to perform the duty (GDPR, art. 6.1.b), to the extent the inquiries sent via the Facebook messenger apply to complaints.

II.2.11. Cookies and similar technology.
Cookies are small text files installed on the device of the User who views the Website. Typically, cookies contain the name of the website domain they originate from, the period of storage on the terminal device, and the unique number. Subject to the present Policy, information concerning the cookies shall also apply to other similar technologies used on the Website.

II.2.11.1. “Service” cookies.
The Administrator shall use “service” cookies mostly for the purpose of providing the User with electronic services and improving the quality of such services. Consequently, the Administrator and its other analytical and statistical service providers shall use the cookies to store information or acquire the access to information already stored on User’s telecommunication terminal device (computer, phone, tablet, etc.). Cookies used for such purposes are specified below:

  • User input cookies, containing data entered by the User (session identification) for the period of session;
  • Authentication cookies, used in the case of services which require authentication for the period of session;
  • User centric security cookies, designed for ensuring safety, e.g. to detect abusive authentication;
  • Multimedia player session cookies (e.g. flash player cookies), for the period of session;
  • User interface customisation cookies, designed for User interface personalisation for the period of session or longer;
  • Cookies designed for internet site activity monitoring, i.e. data analytics, including:

* Google Analytics cookies (files used by Google, personal data processor company charged with data processing by the Administrator, in order to analyse the ways of using the Website by the Users, including development of statistics and reports on Website functioning).

II.2.11.2. “Marketing” cookies.
Furthermore, the Administrator shall use the cookies for marketing purposes, including cookies connected with provision of behavioural promotion to the Users. In this case, the Administrator shall store information or acquire the access to information already stored on User’s telecommunication terminal device (computer, phone, tablet, etc.). Use of cookies and of personal data collected by means of cookies for marketing purposes, specifically in the area of third party goods and services promotion, requires the User’s consent. The said consent may be withdrawn any time.

II.3. Personal data processing period.
The period of personal data processing by the Administrator depends on the period of maintenance of the User’s Account. All data shall be processed for the period of validity of the Account; upon the liquidation of the Account, data shall be immediately deleted or irrevocably anonymised.
The anonymization leads to the irreversible unfeasibility to identify a person. All data which could allow the identification shall turn black; consequently, a data file shall be created with no likelihood of detaching a defined natural person. Identifications, i.e. information such as e.g. last name, first name, address, date of birth, personal identity number and tax identity number shall be removed from the document. Given that personal data processing laws do not apply to anonymised documents such documents may be made available to the applicants or made public without the consent of data subject. The purpose of anonymization consists in prevention of potential use of personal data or special personal data categories in order to identify a natural person by means of “any and all methods which data administrator or a third party may employ”.
Moreover, data shall be removed or irrevocably anonymised upon the submission of effective objection to data processing in the case the legal basis for data processing is the legitimate interest of the Administrator.

II.4. Data processing period.
Data processing period may be extended if the processing is necessary to identify, vindicate, or defend against potential claims as well as if requested by competent public authorities; upon the expiration, the period may be extended only in the case and to the extent required by the provisions of the law. Upon the expiration of processing period data shall be irrevocably removed or anonymised.

II.5. User’s rights.
The rights mentioned below shall be vested in the User: to access to data content and to request the adjustment of the same; to remove data; to restrict the processing; to transfer data; to lodge objection to data processing; to submit complaint to the supervising authority responsible for personal data protection. In the case of User’s data processed on the basis of User’s consent, the consent may be withdrawn any time by way of request to the Administrator via the communication channels specified in the Website Regulations.

II.6. Right to object.
The User shall have the right to object to their data processing for the purposes of direct marketing at any time, including the profiling, if data are processed in connection with legitimate interest of the Administrator.
Furthermore, the User shall have the right to object to their data processing at any time for the reasons resulting from their specific situation in the case the legal basis for data processing is the legitimate interest of the Administrator (e.g. in connection with analytical and statistical purposes, including profiling).

II.7. Data recipients.
In connection with provision of services, personal data shall be disclosed to third parties, in particular to the providers responsible for support of IT systems which are used for service provision, as well as to the banks and payment operators, research institutions, accounting and analytical service providers, couriers (in connection with the orders) as well as to the companies associated with the Administrator.
In the case of acquisition of User’s consent, their data may be also made available to other persons for their own purposes, including the marketing.
The Administrator shall have the right to disclose information on the User to competent agencies or third parties who request such information, on the basis of relevant legal provisions and in compliance with the applicable laws.

II.8. Data transfer outside the European Economic Area.
Outside the European Economic Area (EEA), the level of protection may be different from the one ensured by the European laws. For this reason, the Administrator will transfer personal data outside the EEA only if it is necessary and subject to suitable level of protection, mostly by means of:

  • Co-operation with personal data processing parties in the countries coming under the applicable decision of the European Commission;
  • Use of standard provisions in the agreements, in compliance with the guidelines issued by the European Commission;
  • Use of binding corporate rules approved by competent supervision agency;
  • In the case of data transfer to the USA, co-operation with the participants in the Privacy Shield scheme approved by way of decision of the European Commission. The Administrator shall always communicate the intention to transfer personal data outside the EEA at the stage of data collection.

II.9. Personal data safety.
The Administrator shall currently analyse the risk in order to ensure that personal data are processed by the Administrator securely, that data are made available only to the persons authorised by the Administrator and only to the extent necessary to let such persons comply with their duties. The Administrator shall care for registering any and all operations on personal data and shall orer the said operations with such authorised persons and co-workers only who have acquired relevant individual permissions issued by the Administrator.
The Administrator shall take any and all necessary measures to ensure that all Administrator’s subcontractors and other co-operating persons guarantee the use of suitable safety procedures in each case of processing personal data to the order of the Administrator.

II.10. IOD [Information on Demand].
Contact with the Administrator in each matter concerning personal data processing; send your message to the e-mail address: biuro@epmflow.com.

III. FINAL PROVISIONS.

III.1. The present Privacy Policy is available on the Website and at Administrator’s head office.
On User’s request sent to the e-mail address: biuro@epmflow.megiteam.pl, the document containing the Privacy Policy shall be sent to the User by electronic mail free of charge, in electronic format, to the e-mail address given by the User.

III.2. The present Privacy Policy may be changed by the Administrator.
The Administrator shall notify registered Users of the intention to change the Privacy Policy 14 days in advance of such change. Within 14 days from receipt of notification of change in provision of Additional Services the User may refuse to accept the same by e-mail sent to the address: biuro@epmflow.megiteam.pl. In this case, the User’s Account shall be cancelled on the effective date of the change.

III.3. Privacy Policy.
The content of the present Privacy Policy is consistent with the provisions of the Regulation No. 2016/679 issued by the European Parliament and Council (EU) on 27 April, 2016, concerning the protection of natural persons in connection with personal data processing, the free flow of such data, and the revocation of the Directive No. 95/46/WE (data protection general regulation), valid since 30 May, 2019.