en
PRIVACY AND COOKIE POLICY
This Privacy and Cookie Policy sets out the rules for the processing of personal data by INVESTLY prosta spółka akcyjna, hereinafter referred to as the "Controller", as well as the rights of persons whose data is processed.
The Controller attaches particular importance to ensuring a high level of privacy protection and security of the personal data processed. All operations related to data processing are carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter referred to as the "GDPR".
Rules for the processing of personal data
This Policy applies to persons visiting the Administrator's websites, persons contacting the Administrator, as well as persons using (including representing entities using) the services provided by the Administrator.
Providing personal data is, as a rule, voluntary, but in the case of some services provided by the Administrator, it may be a condition for their performance – for example: account registration, order processing, identity verification or responding to a request. Failure to provide certain data may result in the inability to conclude a contract or use certain services.
The Administrator takes the utmost care to ensure that personal data is processed in a fair, transparent and lawful manner, in particular in accordance with the principle of data minimisation. This means that data is collected only to the extent necessary to achieve clearly defined, legitimate purposes and is not stored longer than necessary. Before commencing any processing, the Controller shall identify its purpose and legal basis on a case-by-case basis, ensuring that the data will not be used in a manner inconsistent with those purposes.
The Controller exercises the rights of data subjects in accordance with the applicable provisions of the GDPR. All requests and notifications related to data processing are considered without undue delay, with respect for the principles of transparency and fairness towards the notifying party.
In order to ensure the integrity, confidentiality and availability of the data being processed, the Controller has implemented appropriate technical and organisational measures to protect personal data against accidental destruction, loss, modification, unauthorised disclosure or access. Access to the data is restricted to duly authorised persons who are bound by confidentiality obligations and trained in information security principles.
The Administrator does not process personal data in a manner that leads to automated decision-making that could have legal effects on a person or otherwise significantly affect them, including through profiling, without obtaining separate consent or meeting other requirements under the law. If such solutions are implemented, transparency of operation and the possibility of human intervention in the decision-making process will be ensured in each case.
Sources of personal data
The controller obtains personal data directly from the data subjects, in particular when registering a user account on the controller's website, using the services available on the website, submitting contact enquiries, communicating with customer service, and participating in identity verification processes.
Personal data may come from other sources, in particular from a representative, a principal in the case of a power of attorney, data providers, employers, including parties to contracts concluded with the Administrator.
Basis for the processing of personal data
The Controller may process personal data for the purposes and on the legal bases described in this Policy, including contract performance, legitimate interests, and compliance with legal obligations, together with the specified data retention periods.
Recipients of personal data
Personal data may be transferred to entities authorised to receive it under applicable law, including competent state authorities, in particular judicial authorities.
Personal data may also be transferred to trusted recipients such as: payment operators, partners providing technical services (development and maintenance of IT systems and websites), identity verification service providers, entities whose products are offered for sale on the controller's websites, entities providing accounting and bookkeeping services.
Transfer of data outside the European Economic Area (EEA)
Personal data may be transferred outside the EEA in accordance with applicable law and appropriate safeguards.
Rights of data subjects
Data subjects have the rights described in this Policy, including access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and lodging a complaint with a supervisory authority.
Contact details
The personal data controller is INVESTLY prosta spółka akcyjna (Aleja Jana Pawła II 27/38a, 02-815 Warsaw).
Email: privacy@investly.pro
This section supplements the existing Privacy and Cookie Policy and applies solely to users who choose to register or log in to the services using Google Single Sign-On ("Google Sign-In").
When a user chooses to authenticate using Google Sign-In, the Administrator may access the following Google user data, depending on the scopes granted by the user:
The Administrator does not request access to Google user data beyond what is strictly necessary to enable authentication and account management.
Google user data obtained through Google Sign-In is used exclusively for the following purposes:
Google user data is not used for advertising purposes, profiling, automated decision-making, product analytics, service optimization based on user behavior, or statistical analysis, and is not combined with data obtained from other sources in a manner inconsistent with the purposes described above.
Google user data is stored securely within the Administrator’s IT systems, using appropriate technical and organisational security measures consistent with industry standards.
Google user data is retained only for as long as the user maintains an active account or as otherwise required by applicable law. Upon account deletion, Google user data is deleted or irreversibly anonymised, unless further retention is required to comply with legal obligations.
Google user data accessed via Google Sign-In is processed primarily within the European Economic Area (EEA). If such data is transferred outside the EEA, the transfer is carried out in accordance with applicable data protection laws and appropriate safeguards, including standard contractual clauses or adequacy decisions.
Google user data accessed via Google Sign-In is not sold, rented, or shared with third parties for their own purposes.
Data may be shared only with trusted service providers acting on behalf of the Administrator (such as IT infrastructure or hosting providers), solely to the extent necessary to provide the services, and subject to appropriate data processing agreements ensuring compliance with applicable data protection laws.
Google user data obtained via Google Sign-In is not shared with payment providers, marketing partners, or identity verification service providers, unless the user independently provides such data within the scope of a separate service.
The Administrator’s use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
Users may revoke the Administrator’s access to their Google account data at any time by changing their settings in their Google Account or by deleting their account with the Administrator. Revocation of access may affect the ability to log in using Google Sign-In, but will not affect the lawfulness of prior data processing.
Cookies and similar tracking technologies
The Administrator uses cookies and similar technologies in accordance with this Policy.
Changes to the Privacy Policy
The administrator reserves the right to update the Privacy Policy and cookie policy. The current version will always be available on the administrator's website.