The Compass Privacy Policy

1. GENERAL PROVISIONS

1.1. The Compass mobile application privacy policy is informative and indicates the rights and obligations of users in connection with the use of the mobile Application. The privacy policy primarily contains a set of rules concerning the processing of personal data by the Controller, including the basis, purpose and period of the personal data processing and the rights of data subjects, as well as information on the use of Cookies and analytical tools.

1.2. The Controller of the personal data collected via The Compass mobile application is the company Associated Apps Sp. z.o.o. with its registered office at: ul. Aleksandra Lubomirskiego 27/1, 31-509 Kraków, registered in the District Court for Kraków-Śródmieście, 11th COMMERCIAL DIVISION OF THE NATIONAL COURT REGISTER under KRS number 0000790150, NIP: 5252792121, hereinafter referred to as the “Controller”.

1.3. Personal data in the Application shall be processed by the Controller in accordance with applicable law, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as the “GDPR” or the “GDPR Regulation”.

1.4. The use of the Application, in particular the provision of data when creating a user account and through the contact form is voluntary.

1.5. In some cases, the provision of personal data may be necessary for the proper functioning of the application or for the proper provision of the service, or in connection with the obligations imposed on the Controller. In particular, these could be the following situations:

(1) a contract is concluded with the Controller – the processing of personal data is then necessary and based on Article 6(1)(b) of the GDPR and the fact of not providing them results in an inability to conclude a contract. The provision of personal data in such a case is a contractual requirement and if the data subject wants to conclude a contract with the Controller, they are obliged to provide the required data. Each time the scope of data required to conclude a contract is indicated in advance by the Controller.
(2) e.g. the processing of data for the purpose of issuing an invoice, keeping tax or accounting books – these are the Controller’s statutory obligations – the provision of personal data is a requirement resulting from generally applicable legal regulations, imposing on the Controller the obligation to process personal data and the lack of provision of such data will prevent the Controller from performing these obligations.

1.6. The Controller shall take special care to protect the personal rights of persons by respecting the protection of personal data. Therefore, the following principles deriving from the rules of the GDPR and good practices apply:

(1) the processing is always lawful;
(2) the collection of data is carried out in connection with marked, lawful purposes and the data is not further processed in a manner that is incompatible with those purposes;
(3) the data collected is relevant and adequate in relation to the purposes for which they are processed;
(4) the storage takes place in a form which permits identification of the persons concerned and is continued for no longer than is necessary to achieve the purpose of the processing and
(5) the processing is carried out in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate organisational and technical measures.

1.7. Taking into account the nature, scope, context and purposes of the processing and the risk of infringement of rights or freedoms of natural persons with different probability and gravity of the risk, the Controller implements appropriate technical and organisational measures in order for the processing to be carried out in accordance with this regulation and to be able to demonstrate it. The said measures shall be reviewed and updated if required. The Controller applies technical measures to prevent the acquisition and modification by unauthorised persons of personal data sent electronically.

2. BASIS FOR PROCESSING PERSONAL DATA

2.1. The processing of personal data in The Compass mobile application is lawful if it is based on the relevant premise of legality expressed in Article 6(1) of the GDPR:

(1) a voluntary consent to have the personal data processed for one or more specified purposes has been obtained;
(2) data processing is necessary for the performance of a contract to which the person concerned is a party, or for taking action prior to entering into such a contract;
(3) The Controller has an obligation to process the data, resulting from a specific legal provision
(4) the processing is necessary for the purposes of the legitimate interests pursued by the Controller and does not harm the personal interests of any person.

2.2. The processing of personal data by the Controller requires each time at least one of the basis indicated in point 2.1 of the privacy policy. The specific bases for the processing of personal data of clients and users of the Application by the Controller are indicated in the next section of the privacy policy – in relation to a given purpose of the processing of personal data by the Controller.

3. SCOPE, PURPOSE AND STORAGE PERIOD OF PERSONAL DATA

3.1. The scope of the data collected, the storage period and the categories of recipients of the data may vary depending on the purpose of the processing and its legal basis. As part of transparency, this Privacy Policy describes as many possible situations as possible with respect to the purpose of the processing – with the proviso that it is not possible to indicate all the scopes and purposes.

3.2. The Controller may process personal data within the mobile Application and in relations with the users for the following purposes, on the bases and during the periods indicated in the list below:

3.2.1. The performance of a contract or taking action at the request of the data subject in connection with the intention to conclude contracts, pursuant to Article 6(1)(b) of the GDPR (performance of a contract) – the processing is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject before the conclusion of the contract. The data is stored for the period necessary to perform, terminate or otherwise expire the Contract.
3.2.2. Marketing of own services (sending information on new offers, changes in the services offered and other information related to the Controller’s activity), pursuant to Article 6(1)(f) of the GDPR (a legitimate interest of the Controller) – the processing is necessary for the purposes resulting from the legitimate interest of the Controller – consisting in taking care of the Controller’s interests and good image, the Application and striving to sell the services offered by the Controller. The data is stored for the period of existence of legitimate interest pursued by the Controller, however, not longer than for the limitation period of the Controller’s claims against the data subject in respect of the Controller’s business activity. The limitation period is determined by the provisions of law, in particular the Civil Code (the basic limitation period for claims connected with conducting business activity is three years, and for the Sales Agreement two years).
3.2.3. Marketing (sending commercial and marketing information, including offering services of the Controller’s partners and related entities) – in accordance with Article 6(1)(a) of the GDPR (consent) – a data subject has given a consent to process their personal data for marketing purposes by the Controller. The data is stored until the data subject has withdrawn his or her consent to further processing of his or her data for that purpose.
3.2.4. The expression of the Client’s opinion contained in the contract or on the service offered or on the quality of service – the data processed pursuant to Article 6(1)(f) of the GDPR – the legitimate interest of the Controller, which is to improve the offer and services offered. The data is stored for the existence of legitimate interest or until the data raises objection.
3.2.6. Determining, investigating or defending any claims that the Controller may raise or may be raised against the Controller. The basis for data processing is Article 6(1)(f) of the GDPR (legitimate interest of the Controller) – the processing is necessary for the purposes resulting from the legitimate interests of the Controller – consisting in determining, investigating or defending claims that may be raised by the Controller or be raised against the Controller. The data is stored for the period of existence of a legitimate interest pursued by the Controller, but not longer than for the limitation period of claims that may be raised against the Controller (the basic limitation period for claims against the Controller is six years).
3.2.7. The use of The Compass Application and ensuring its proper operation – the basis for data processing is Article 6(1)(f) of the GDPR (the legitimate interest of the Controller) – the processing is necessary for the purposes resulting from the legitimate interests of the Controller – consisting in running and maintaining the Application. The data is stored for the period of existence of a legitimate interest pursued by the Controller, however not longer than for the limitation period of the Controller’s claims against the data subject in respect of the Controller’s business activity. The limitation period is determined by the provisions of law, in particular the Civil Code (the basic limitation period for claims connected with conducting business activity is three years and for Commercial Contracts two years).
3.2.8. Keeping statistics and traffic analysis in the application, in accordance with Article 6(1)(f) of the GDPR (legitimate interest of the Controller) – the processing is necessary for the purposes resulting from the legitimate interests of the Controller – consisting in keeping statistics and traffic analysis in the application in order to improve the functioning of the application and increase sales of the Products.

4. DATA RECIPIENTS

4.1. For the proper functioning of The Compass Application, including efficient communication between the Controller and the users, as well as ensuring proper functionality, it is necessary for the Controller to use the services provided by third parties (such as e.g. a software provider, hosting provider, or entities supporting Internet marketing). The Controller uses only the services of such processing entities, that provide sufficient guarantees for the implementation of appropriate technical and organisational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of the data subjects.

4.2. The transfer of data by the Controller does not take place in every case and not to all recipients or categories of recipients indicated in the privacy policy – the Controller transfers data only if it is necessary for a given purpose of personal data processing and only to the extent necessary for its achievement. In case of data processing on behalf of the Controller, appropriate entrustment agreements of personal data processing are concluded.

4.3. Personal data of the Service Recipients and Users of the Application may be transferred, among others, to the following recipients or categories of recipients:

4.3.1. the service providers which provide the Controller with technical, IT and organisational solutions enabling the Controller to conduct business activities, including the Application and the services provided through it (in particular, computer software providers, e-mail and hosting providers, as well as the providers of business management software and technical support for the Controller) – the Controller makes the collected User’s personal data available to a selected provider acting on their behalf only if and to the extent necessary to achieve a given purpose of data processing in accordance with the privacy policy.
4.3.2. the providers of accounting, legal and advisory services providing the Controller with accounting, legal or advisory support (in particular, these may be: an accounting office, a law firm or a debt collection company) – the Controller makes the collected User’s personal data available to a selected entity acting on their behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with the privacy policy.
4.3.3. the providers of the social plug-ins implemented in the application, scripts and other similar tools that enable the user’s browser to download content from the providers of the above-mentioned plug-ins (e.g. logging in to the social network with the login details) and to provide the providers with the visitor’s personal data, including:

4.3.3.1. Facebook Ireland Ltd. – The Controller uses Facebook social plugins in the Application (e.g. the Like button, Share or logging in with Facebook login data) and therefore collects and shares the personal data of the Service Recipient using the Application with Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland) to the extent and in accordance with the privacy principles available here: https://www.facebook.com/about/privacy/ (this data includes information about the activities in The Compass Application – including information about your device, the sites you visit, the services you are interested in, the advertisements you see and the way you use the services – regardless of whether you have a Facebook account and are logged into Facebook.
4.3.3.2. Google.pl –The Controller uses plugins in the Application that allow you to sign in to The Compass using your Google account.
4.3.3.2. Twilio – The Controller uses a tool to communicate with the Application Users, in particular to send notifications.
4.3.3.4. Indoor Alas – The Controller uses this tool in The Compass Application for the purposes related to navigation in the buildings where the User uses The Compass.

5. PROFILING IN ASSOCIATED APPPLICATIONS

5.1. The provisions of the GDPR impose an obligation on the Controller to inform in the case of automated decision making, including the profiling referred to in Article 22(1) and (4) of the GDPR and, at least in these cases, to provide relevant information about the profiling rules, as well as about the significance and possible consequences of such processing for the data subject. Taking this into account, we point to the use of solutions leading to automatic decision making about the users.

5.2. The Controller may use profiling in The Compass application for direct marketing purposes, but the decisions made by the Controller on its basis do not concern the possibility of using the services offered within the Application, and the effect is in any way to limit the functionality of the application. The effect of using profiling in AssociatedApps.com can be e.g. a hint for the services offered, a reminder of omitted solutions, sending a service proposal that may correspond to the interests or preferences of a given person or offering better conditions compared to the standard functionality available through the application. Despite profiling, each time a person (the Application user) decides freely whether they want to use the proposed service or other offered solutions.

5.3. Profiling in the Application consists in automatic analysis or forecast of a person’s behaviour in the Application, e.g. by adding a specific location, browsing the website of a specific service, or by analysing the previous history of use of the Application. The condition for such profiling is that the Controller has the personal data of a given person in order to be able to send them e.g. information about individual conditions of a given offer.

5.4. The data subject has the full right not to be subject to a decision which is based solely on automated processing, including profiling, and produces legal effects toward that person, or substantially affects them in a similar manner.

6. RIGHTS OF DATA SUBJECTS

6.1. Any person whose data is processed within the application has the right of access, rectification, restriction, deletion or transfer. The detailed conditions for exercising the aforementioned rights are set out in Articles 15-21 of the GDPR. Naturally these rights are only valid if there is no other obligation on the Controller or if the basis of data processing does not exclude the right in question. You can contact the Data Controller at any time to obtain information about your individual rights.

6.2. The right to withdraw consent at any time – the person whose data is processed by the Controller on the basis of their consent (pursuant to Article 6(1)(a) or 9(2)(a) of the GDPR) is entitled to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing that was carried out on the basis of the consent before its withdrawal. You can contact the Data Administrator at any time to obtain information about your individual rights.

6.3. The person whose data is processed by the Controller (e.g. the user of the application) has the right to lodge a complaint with the supervisory body in the manner and procedure specified in the provisions of the GDR and Polish law, in particular the Personal Data Protection Act. The supervisory body in Poland is the President of the Office for Personal Data Protection. Before filing a complaint, we encourage you to contact directly the Controller of the Application in order to draw attention to possible irregularities or omissions – we will be happy to clarify any doubts.

6.4. The right to object – the data subject has the right to object at any time – on the grounds related to their particular situation – to the processing of personal data that concerns them, based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the Controller), including profiling under those provisions. In such a case, the Controller shall no longer process the personal data unless they demonstrate that there are legitimate grounds for processing, overriding the interests, rights and freedoms of the data subject or grounds for establishing, pursuing or defending claims.

6.5. The right to object to the marketing of own services – if personal data is processed for the purposes of the marketing of the Controller’s own services, the data subject has the right at any time to object to the processing of personal data concerning them for the purposes of such marketing, including profiling, to the extent that the processing is related to such direct marketing. The Controller will then stop sending information about novelties or changes in their offer.
6.6. In order to exercise the rights referred to in this section of the privacy policy, you may contact the Controller by sending an appropriate message in writing or using the contact form available in the Application.

7. COOKIES AND ANALYTICS

7.1. Cookies are small information in the form of text files, sent by the server and saved on the user’s side of the Application (e.g. on the hard drive of a computer, laptop or smartphone memory card – depending on which device the visitor uses). Detailed information about Cookies, as well as their history can be found here: https://pl.wikipedia.org/wiki/HTTP_cookie.

7.2. Cookies that can be sent by the Application may be divided into different types, according to the following criteria:

7.2.1.1. Depending on their supplier:

1) own (created by the Controller in the mobile Application) and
2) belonging to third persons/entities (other than the Controller.

7.2.2. Depending on their storage period on the User’s device in The Compass application:

1) session (stored until logging out or switching off the Application) and
2) fixed (stored for a specified period of time, defined by the parameters of each file or until manually deleted).

7.2.3. Depending on the purpose of their application:

1) necessary (to enable proper functioning of the mobile Application),
2) functional/preference (allowing to adjust the Application to the preferences of the person using The Compass),
3) analytical and performance (gathering information on how to use the Application),
4) marketing, advertising and social (gathering information about the person using the Application to display personalised advertisements and other marketing activities, including for example on social networking services.

7.3. The Controller may process the data contained in the Cookies when using the Application for the following specific purposes:

Purposes for using Cookies

identification of Service Recipients as logged in users and showing that they are logged in (Cookies necessary)

remembering the Products added to the basket (Cookies necessary)

remembering data from the completed forms, questionnaires or login data to the mobile Application (necessary and/or functional/preference cookies)

adjusting the content of the Application to the Service Provider’s individual preferences (e.g. concerning colours, font size, page layout) and optimising the use of the Application (functional/preference cookies)

keeping anonymous statistics, which show how the Application is used (statistical cookies)

remarketing, i.e. researching the characteristics of Users’ behaviour through an anonymous analysis of their actions (e.g. repeated visits to specific services, keywords, etc.) in order to create their profile and provide them with advertisements tailored to their anticipated interests, also when they visit other services in the advertising network on the Google Ireland Ltd. and Facebook Ireland Ltd.  (marketing, advertising and social cookies)

7.4. Most web browsers on the market accept cookies by default. Everyone has the possibility to determine the conditions of the use of the cookies by using their own web browser settings. This means that you can, for example, partially limit (e.g. temporarily) or completely disable the possibility of saving cookies – in the latter case, however, it may affect some functionalities of the Application.

7.5. The cookie settings of your web browser are relevant to your consent to the use of cookies by the Application – according to the law, such consent may also be given by your web browser settings. Detailed information on changing the settings for cookies and removing them yourself in the most popular web browsers is available in the help section of your web browser and on the following pages (just click on the link):

in the Chrome browser
in the Firefox browser
in Internet Explorer browser
in the Opera browser
in the Safari browser
in the Microsoft Edge browser

7.7. The Controller may use in the Application the services from the Google Ads, Google Analytics, Universal Analytics provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) and Hotjar services provided by Hotjar Limited (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta). These services help the Controller keep statistics and analyse traffic in the Application. The collected data is processed within the framework of the above services to generate statistics that are helpful in the administration and analysis of traffic in the Application. These data is of collective nature. By using the above services, the Controller collects such data as the sources and medium of obtaining Users and the way they behave, information about devices and browsers from which they log into the Application, IP and domain, geographical data and demographic data (age, gender), as well as their interests.

7.8. It is possible for a given person to easily block the sharing of information to Google Analytics regarding their activity in the Application – for example, you can install the browser add-on provided by Google Ireland Ltd. available here: https://tools.google.com/dlpage/gaoptout?hl=en

7.9. The Controller may use in the Compass Application the services of Facebook Pixel provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). This service helps the Controller measure the effectiveness of advertisements and find out what actions the Users are taking, as well as display matching advertisements to these persons. You can find detailed information about the operation of Facebook Pixel at the following web address: https://www.facebook.com/business/help/742478679120153?helpref=page_content. 

7.10. Management of the Facebook Pixel is possible by setting up advertisements in your Facebook.com account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.

8. FINAL PROVISIONS

8.1. The Compass application may contain links to other websites. The Controller encourages you to read the privacy policy set out there when you go to other sites. This privacy policy applies to The Compass applications only.