TERMS AND CONDITIONS OF THE
BTRUSTUP.EU SERVICE AND APPLICATION

§ 1

Definitions

1. Mobile Application or Application – software developed by the Service Provider, including software accessible via mobile devices, requiring installation on the User’s mobile device, enabling the User, in particular, to access the API, search the internal database and public data sources for information on entities defined by the User, in accordance with these Terms. Further details on the Application are available on the Website.
2. Civil Code – the Act of 23 April 1964, Civil Code.
3. Consumer – a consumer as defined in the provisions of the Civil Code.
4. Account – an individual User account within the Application, intended for Users, maintained by the Service Provider and constituting a dedicated space in the Service Provider’s ICT system, comprising resources in which the User’s data and activity information within the Application are stored. Access to the Account is provided via the e-mail address supplied by the User during registration and the password set by the User.
5. Error – a Critical Error or Standard Error.
6. Critical Error – an error in the Application resulting in the complete inability to use the Application, arising solely due to the fault of the Service Provider.
7. Standard Error – any error other than a Critical Error that limits the use of the Application, including unavailability of specific functions of the Application, caused solely by the fault of the Service Provider.
8. Pricing – a schedule available in the Application/Website containing information on subscription fees and billing periods, forming an integral part of the Terms.
9. Trial Access – a service provided by the Service Provider free of charge, enabling the User to access the features of the Application in trial mode, under the terms set forth in these Terms.
10. Business Day – any day from Monday to Friday, excluding public holidays in the Republic of Poland, between 8:00 a.m. and 4:00 p.m.
11. Offer – a proposal of the terms of the Agreement presented to the User, at least in documentary form, particularly specifying the amount of Fees for Services provided to the User.
12. Subscription Period – a period of 1 month commencing upon conclusion of the Agreement.
13. Grace Period – a period during which the possibility to restore access to Services, including previous configuration and data entered by the User, is maintained.
14. Fee – the amount indicated in the Offer, payable to the Service Provider for the use of the Services during the Subscription Period, under the terms specified in these Terms and the Offer.
15. Terms – these Terms of Service specifying the rules for using the Application addressed to Users, available on the Website.
16. Website – the website operating at https://btrustup.eu, administered and maintained by the Service Provider.
17. Subaccount – a resource created within the User’s Account, enabling persons representing the User to use the Services under the Agreement concluded between the Service Provider and the User. The Subaccount allows the User to manage access to the Application and the use of Services within their organizational structure.
18. Agreement – the agreement concluded between the Service Provider and the User under which the Service Provider provides paid Services to the User in accordance with the Terms.
19. Services – all services provided by the Service Provider to the User electronically via the Website and through the use of the Application.
20. User – an entity acting as an entrepreneur within the meaning of Article 43(1) of the Civil Code of 23 April 1964, having full legal capacity, using or intending to use the Services, including Application functionalities, on the basis of the Agreement or the Trial Access agreement under the rules described in these Terms.
21. Service Provider / BTrust – the owner of the Website and the Application: BTRUST.PL spółka z ograniczoną odpowiedzialnością, with its registered office in Żory, ul. Rozwojowa 2, 44-240 Żory, entered into the Register of Entrepreneurs maintained by the District Court in Gliwice, 10th Commercial Division of the National Court Register under number KRS 0001127518 , with a share capital of PLN 50,000.00, NIP: 6511748234, REGON 529678630 , e-mail address: [email protected].

§ 2

General Provisions

1. These Terms also constitute the terms and conditions for the electronic services provided by the Service Provider.
2. These Terms define the terms and conditions under which the Service Provider provides Services to the User within the Application.
3. The conditions for concluding the Agreement and provision of Services include:
   1. reviewing and accepting these Terms by the User;
   2. completing and submitting the registration form and creating an Account by the User or their authorized representative;
   3. for provision of Services under a Subscription and Agreement – payment of the full applicable Fee by the User;
   4. successful verification of the User by the Service Provider.

   The Agreement is concluded upon the User fulfilling all required conditions – upon the Service Provider sending confirmation to the email address provided by the User or directly via the Application.

4. To use the Application, the following are required:
   1. a device (e.g., laptop, smartphone, tablet) with Internet access, equipped with an up-to-date browser (Google Chrome or Safari), supporting JavaScript and cookies, and enabling the download and saving of electronic documents including PDF format;
   2. an active email account.
5. The User shall bear the cost of Internet access in accordance with the rates of their telecommunications provider.
6. By accepting these Terms, the person acting on behalf of or for the User declares that they are authorized to represent the User in the context of the Agreement. The Service Provider may request proof of such authorization at any time. If the person acts without proper authorization, they shall be liable to the Service Provider for any resulting damages.
7. The User is obligated to use the Application in accordance with applicable law and principles of social conduct, and in a manner that does not disrupt the functioning of the Application. In particular, the User is prohibited from entering any unlawful content.
8. By completing and submitting the registration form, the User agrees to comply with the Terms, including ensuring compliance by persons authorized to act on their behalf. The User is liable for actions or omissions of such persons as if they were their own.
9. The content of these Terms may be accessed, reproduced, and saved by the User at any time free of charge in electronic form via the Website.
10. Depending on their choice, the User may use the Application under Trial Access (according to these Terms) or under a paid Subscription. Trial Access is available only once. A Subscription may be purchased during or after the Trial Access period.
11. Under Trial Access, the User is granted limited access to the Application’s functionalities for an indefinite period with a set limit on searches. The purpose of the Trial Access Agreement is to allow the User to explore the features of the Website and Application. It does not grant full access to Services. The User should not rely on the information, data, or reports generated during Trial Access for business decisions or processing personal data.

    The User may terminate the Trial Access Agreement at any time by sending an email requesting Account deletion to the Service Provider’s address indicated in §2(14), which is equivalent to termination of the agreement.

12. Contact with the Service Provider is available via:
    1. Postal address: ul. Rozwojowa 2, 44-240 Żory
    2. Email address:  [email protected]
13. The Service Provider will contact the User regarding the execution of the Agreement, including use of the Application, using the contact details assigned to the Account. The User may specify contact persons and their details through the relevant function in the Application.

§ 3

Registration in the Application and Account Login

1. If the User intends to use the Application under the Agreement or the Test Access Agreement, they must contact Trust using the contact details indicated in §2(14) or via the form made available on the Website or in the Application.
2. To use the Application, registration is required, which is carried out by completing and submitting the registration form available on the Website or in the Application.
3. The registration form must be completed in accordance with the guidelines provided within the form and submitted to the Service Provider via the appropriate function.
4. After completing and submitting the registration form, a message containing an activation link required for the verification of the User and confirmation of Account creation, along with other legally required information, will be sent to the email address provided in the form. The User must click the link to verify the email address. During the verification process, the Service Provider may refuse to conclude the Agreement, create an Account or Subaccount.
5. The Agreement between the Service Provider and the User, concerning the provision of Services under the Terms, is concluded upon:
   1. payment of the applicable subscription Fee and its receipt by the Service Provider,
   2. successful verification of the User and confirmation of Account creation, as described in section 4 above.
6. The person entering data in the Application, including during registration, declares that the data provided is true and accurate and undertakes to update it in case of any changes.
7. Access to the Application is secured with a password set by the User or the Subaccount holder when filling out the registration form. The password must meet the requirements specified in the form.
8. If, after completing all the verification steps provided under Test Access, the User fails to pay the subscription Fee required to continue using the Services under the Agreement:
   1. access to the Account will be suspended, meaning that after logging in, the User will no longer be able to use the Application’s functions, enter new data, or view, edit, or delete previously entered data,
   2. provision of Services other than Account maintenance (as described above) will be suspended,
   3. the Grace Period begins.
9. Within the Account, the User may grant access to persons acting on their behalf. For this purpose, the User may use a dedicated feature of the Application to create separate Subaccounts within the limit agreed with the Service Provider.
10. To create a Subaccount, the User must provide the required data in the Application, and a message containing an activation link necessary to verify and confirm the Subaccount, along with other legally required information, will be sent to the provided email address of the Subaccount holder.
11. The User is responsible for all actions taken by persons to whom they have granted access to the Account and Subaccounts.
12. The User may not use Subaccounts to share the Application’s or Website’s functionalities in a manner that enables other entities – in particular, those who have not paid the appropriate Fees – to use the Application or Website on their own behalf.
13. The User may modify the number of Subaccounts assigned to their Account at any time by making the corresponding payments as specified in the Price List.

§ 4

Functionalities of the Application and the Website

1. The Service Provider provides the User with Services, including maintaining the Account and granting access to the functionalities of the Application. Within the Application, the User may in particular use features enabling:
   1. searching, via the Website and the Application, for data concerning entities conducting business activity;
   2. receiving from BTrust information regarding entities conducting business activity, in particular in the form of reports;
2. As part of the Website and Application, the Service Provider may also make additional functionalities available free of charge. The Service Provider may remove such features from the Website at any time.
3. Functionality updates are carried out at times unilaterally determined by the Service Provider.
4. Specific functionalities of the Application and Website are available to the User under the Subscription.
5. Detailed information regarding the standard features of the Application and additional paid features is available on the Website.

§ 5

Payments and Settlements

1. The provision of Services under the Agreement and the Subscription is conditional upon prior (advance) payment of the relevant Fee, in the amount specified in the applicable Price List and depending on the scope of Services selected by the User within the Subscription provided by the Service Provider.
2. Access to the Services will be enabled once the Fee has been credited to the Service Provider’s bank account.
3. The User may make Subscription Fee payments to the Service Provider within the deadlines indicated by the Service Provider, only using the methods made available by the Service Provider in the Website or the Application, or by paying any Fees within 3 days from the date of issuance of a pro forma invoice by the Service Provider. The moment of payment shall be deemed to be the moment the full Fee is credited to the Service Provider’s bank account. The Service Provider informs about the currently available payment methods in the Website or the Application.
4. By using the Services under the Agreement, the User accepts the use of electronic invoices by the Service Provider. The User has the right to withdraw this acceptance.
5. The Fees indicated in the Price List are provided as net amounts. The User is informed of the total Subscription Fee amount, including value-added tax at the rate applicable on the date of invoice issuance, via the Website or the Application, or directly by the Service Provider – in particular during the process of ordering the Services and selecting the Subscription scope, before proceeding to the payment step.

§ 6

Grace Period

1. The Grace Period begins:
   1. on the first day after the end of the Subscription Period for which the Fee was paid – if no payment has been made for the next Subscription Period; or
   2. on the first day after all verification actions available within the Services under the Test Access have been exhausted.
2. The Grace Period lasts until:
   1. the Test Access is converted into paid Services and the Fee is credited to the Service Provider’s bank account, enabling the provision of Services under the Subscription; or
   2. proper payment is made for the Services if the transition to the Grace Period was due to non-payment for the next Subscription Period, and the Fee is credited to the Service Provider’s bank account,

   depending on which of the above applies, but never longer than 12 months from the date indicated in paragraph 1 above.

3. The Grace Period:
   1. is not a period in which the User is guaranteed access to the full scope of Services;
   2. provided the Account has not previously been deleted by the Service Provider or the User – allows the User to resume use of the Services while maintaining their Account configuration and data.
4. After the end of the Grace Period, the Service Provider has the right to permanently delete the User’s Account and any associated Subaccounts. This shall be deemed termination of the Agreement or the Test Access agreement, and all data associated with the Account and Subaccounts will be deleted.

§ 7

Support Services and Technical Downtime

1. Under the Agreement and the Test Access agreement, the Service Provider shall also provide the User with Services including support, in particular:
   1. providing guidance regarding the Application and Website;
   2. sharing information, system notices and educational materials related to using the Application and Website (e.g., available features, extensions);
   3. verifying the User’s satisfaction with the Services;
   4. collecting feedback about the Website and Application.
2. The Service Provider undertakes to take steps to eliminate Errors properly reported in the Application.
3. The Service Provider shall attempt to remove Errors within the following timeframes:
   1. for Critical Errors – within 24 hours from receipt of the report from the User;
   2. for Regular Errors – within 3 Business Days from receipt of the report from the User.
4. Efforts to remove Errors are part of the Services.
5. In the case of Errors caused by circumstances other than the sole fault of the Service Provider – including User actions or User reports that are not actual errors (false positives) – the Service Provider is entitled, but not obligated, to attempt resolution.
6. Errors may only be reported electronically via email to the following address:
7. Error reports are accepted only on Business Days, which means in particular that reports received outside of Business Days are treated as received on the next Business Day.
8. An error report should contain a detailed description enabling proper classification of the error type and appropriate action by the Service Provider.
9. The Service Provider is entitled to extend the response deadlines indicated in this paragraph in the event of force majeure or other events not attributable to the Service Provider, or if the User fails to provide sufficient information necessary to identify the error.
10. The Service Provider shall make every effort to ensure the correct and uninterrupted operation of the Website and Application. Due to the complexity of the Website and Application, and external factors beyond the Service Provider’s control, errors or technical failures may occur, preventing or limiting the functionality of the Website or Application. In such cases, the Service Provider will take all reasonable steps to limit the negative effects of such incidents as much as possible.
11. In addition to interruptions caused by errors or technical failures, there may also be scheduled technical breaks, during which the Service Provider performs activities aimed at improving or securing the Website or Application, as well as repair or maintenance work, particularly for the purposes of updates or expansion.
12. The Service Provider plans technical breaks in such a way as to make them as minimally disruptive to Users as possible, and only for the time necessary to perform essential actions.

§ 8

Complaints

1. Complaints regarding the functioning of the Website or Application and the concluded Agreement may be submitted by the User:
   1. in writing, to the following address: BTRUST.PL sp. z o.o., ul. Rozwojowa 2, 44-240 Żory, Poland, or 
   2. electronically, via email to: [email protected]
2. The complaint should include the details of the individual or entity submitting the complaint (full name or company name, full postal address or email address, username), as well as a description of the reason for the complaint and the requested remedy.
3. A response to the complaint shall be provided via email, sent to the email address indicated in the complaint or from which the complaint was submitted, within 30 days from the date of receipt of the complaint.
4. The complaint procedure is voluntary and free of charge.

§ 9

Personal Data

1. The Data Controller of the User’s personal data is the Service Provider – as the owner and administrator of the Website and Application, providing services electronically based on these Terms.
2. Detailed information on the processing of personal data by the Service Provider as the Data Controller – including other purposes and legal bases for data processing, as well as data recipients – is provided in the privacy policy available on the Website (https://btrustup.eu/privacy-policy), in accordance with the transparency principle under the General Data Protection Regulation (GDPR).
3. The purpose of processing the User’s data provided in connection with the use of the Application is the provision of Services through the Application. The legal basis for processing personal data in this case is:
   1. the agreement or actions taken at the User’s request to enter into it (Art. 6(1)(b) GDPR);
   2. compliance with legal obligations imposed on the Service Provider (accounting, financial settlements related to the Agreement) (Art. 6(1)(c) GDPR);
   3. the legitimate interest pursued by the Service Provider (Art. 6(1)(f) GDPR), in particular the ability to pursue potential claims.
4. Providing personal data is voluntary but necessary to conclude the Agreement or the Test Access agreement with the Service Provider. Failure to provide data will make it impossible to conclude such agreement.
5. The Service Provider applies organizational and technical measures compliant with applicable law to process User data securely, including the use of TLS/SSL encryption from the moment the User logs into the Application.
6. The User’s data will be processed until the earliest of the following occurs:
   1. the Agreement or Test Access agreement expires;
   2. the ability to pursue claims related to the Agreement or Test Access agreement expires;
   3. the Service Provider is no longer legally obliged to process the User’s data;
   4. the User successfully objects to the processing of their personal data, where the basis for processing was the Service Provider’s legitimate interest.
7.   The User has the right to:
   1. access their personal data, including receiving a copy (Art. 15 GDPR),
   2. rectify their data (Art. 16 GDPR),
   3. delete their data (Art. 17 GDPR),
   4. restrict processing (Art. 18 GDPR),
   5. transfer their data (Art. 20 GDPR), and also 
   6. object at any time, for reasons related to their particular situation, to processing based on the Service Provider’s legitimate interests (Art. 21(1) GDPR).
8. To exercise these rights, a message can be sent to the following email address:
9. If the User believes their personal data is being processed unlawfully, they have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO).
10. Using the Application or Website may require the User, acting as the Data Controller, to entrust the Service Provider with the processing of personal data of third parties. In such cases, the Service Provider processes such data under the Data Processing Agreement attached as Appendix 1 to the Terms.
11. If, as a result of using the Application, the User obtains and begins processing personal data, they will act as the Data Controller of such data in accordance with the GDPR and are responsible for fulfilling their resulting obligations, in particular providing proper notice to data subjects.

§ 10

Disclaimers

1. The Application and Website, including their features, do not guarantee the correctness of searched or transmitted data and do not guarantee compliance, accuracy, or completeness of the User’s actions or procedures with the applicable law or internal or corporate regulations binding the User.
2. To the extent permitted by mandatory provisions of law, any liability of the Service Provider towards the User is excluded. In other cases, the Service Provider’s liability is limited to the amount of the Fee received from the User for the three months preceding the month in which the damage occurred.
3. Within the above limits, the Service Provider shall not be liable in particular for:
   1. actions of third parties, including the effects of hacking, computer viruses, or malware;
   2. consequences of using the Application by the User or Subaccount holder contrary to its intended purpose or outside the provided functionalities, including failure to comply with the guidelines or instructions published on the Website, in the Application or in these Terms;
   3.    consequences of using materials or information provided by the User;
   4. functioning of the User’s IT environment;
   5. consequences of disclosing Account or Subaccount access credentials by the User;
   6. damages and failure to perform obligations resulting from any technical errors, failures, or downtimes referred to in § 7 of the Terms;
   7. consequences of force majeure events.
4. The User is obliged not to disclose login credentials to unauthorized persons and not to make the Account or Subaccounts available to third parties.
5. The User is responsible for the accuracy and legality of content generated via the Application.
6. The User shall bear full responsibility for any actions or omissions taken within the Application in connection with the use of its features.
7. To the extent permitted by mandatory provisions of law, the Service Provider shall not be liable for any lost profits incurred by the User.
8. Any claims regarding the proper performance of the Service shall be addressed by the User directly to the Service Provider.
9. The Service Provider may refuse to create an Account or Subaccount, or may terminate the Agreement or the agreement for the provision of Services under Trial Access with immediate effect, if the User violates or has violated, during previous use of the Services, the provisions of the Terms, mandatory provisions of law, or generally accepted principles of social coexistence.
10. The Service Provider communicates with the User in Polish. The Service Provider may also communicate with the User in other languages, depending on its actual capabilities.
11. Agreements concluded with the Service Provider are executed in Polish or in a bilingual version, whereby the Polish version shall always prevail in the event of any discrepancy.
12. The Service Provider does not guarantee that the information transmitted through the Service and Application is complete, accurate, or precise. Under no circumstances does the Service Provider provide any warranty, representation, or confirmation of the accuracy of such information, and shall not be held liable for the truthfulness, completeness, timeliness, and/or reliability of information obtained from official registers and/or publicly available sources.
13. The interpretation of information provided by the Service Provider as part of the Services shall be the responsibility of the User, and the User uses the information obtained via the Service and Application at their own risk. The Service Provider shall not be held liable for any decisions made based on information obtained by the User through the Service or the Application, or under the Agreement.
14. The User shall have no claims for damages against the Service Provider in connection with the use (or non-use) of information obtained through the Application and the Website.

§ 11

Copyright and Intellectual Property Rights

1. All rights to the Application and the Website, including proprietary copyrights, intellectual property rights to the name, domain, software, and databases – excluding data provided by Users – are held by the Service Provider or entities with whom the Service Provider has concluded relevant agreements and are protected under copyright and other applicable laws.
2. The User may use the Application and the Website, as well as their individual elements, solely for the purposes specified in the Terms and for the duration of the Agreement.
3. The User is obliged to refrain from any actions that could infringe upon the intellectual property rights of the Service Provider or third parties, in particular:
   1. copying, modifying, adapting, distributing, or reverse engineering any part of the Application or Website;
   2. removing or altering any notices related to ownership or intellectual property rights;
   3. using trademarks, logos, or other designations belonging to the Service Provider without prior written consent.
4. Any use of the Website or the Application in a manner inconsistent with these Terms or applicable law constitutes an infringement of the Service Provider’s rights and may result in liability, including contractual or criminal liability.

§ 12

Term and Amendments to the Terms and Conditions

1. The Agreement is concluded for a period of one month. The agreement for the provision of Services under Trial Access is concluded until all verification actions available under Trial Access have been used.
2. The User may terminate the Agreement at any time, without stating a reason, with effect at the end of the Subscription Period – by sending a corresponding termination notice to the Service Provider at: [email protected] or by using the relevant form in the Application or the Service. Such termination does not affect Fees already paid for the Subscription during which the Agreement was terminated. Paid Fees are non-refundable, in whole or in part, even if the User ceases to use the Services entirely.
3. The Service Provider may terminate the Agreement with immediate effect if the User continues to violate the provisions of the Terms despite being requested by the Service Provider – with at least 7 days’ notice – to cease such violations. The Service Provider’s notice must be given in at least documentary form.
4. The Service Provider may suspend the provision of Services or terminate the Agreement with immediate effect if the User fails to pay the required Fees or remains in arrears with payment.
5. The Agreement shall be automatically renewed for a subsequent month unless the User terminates it in accordance with paragraph 2 above.
6. The Terms and the Price List may be subject to change.
7. The Service Provider is entitled to amend the Terms for valid reasons indicated in the following paragraph, provided that the User being an Entrepreneur is informed in advance about the planned changes via an email sent to the address assigned to the Account, at least 14 days prior to the effective date of the changes.
8. Valid reasons for amending the Terms include:
   1. adjusting the Services to legal provisions affecting them;
   2. changes in or introduction of new public charges affecting the provision of Services;
   3. development, modification or improvement of the functionalities of the Services, or measures aimed at enhancing the competitiveness of the Website or the Application, including the introduction of new electronically supplied services;
   4. improvement of the security of the Website or the Application;
   5. recommendations, guidelines, notices, instructions or similar documents issued by public administration authorities, including in particular the General Inspector of Financial Information (GIIF), affecting the provision of Services;
   6. changes in the cost of Services provided by third-party suppliers, infrastructure maintenance costs or operating costs related to the Services;
   7. changes in the technical conditions for providing electronic services;
   8. the need to correct ambiguities, errors or clerical mistakes in the Terms;
   9. changes in contact details, names, identification numbers, email addresses or links included in the Terms.
9. Before the proposed effective date of the amended Terms, the User has the right to terminate the Agreement or the agreement for the provision of Services under Trial Access with immediate effect. Submitting an objection to the changes to the Terms shall be deemed a termination of the Agreement or the agreement for Trial Access, as applicable. The Subscription Fee paid for the current Subscription Period shall not be refunded.
10. If the Agreement is not terminated within the time limit referred to in paragraph 9 above, the User is deemed to have accepted the changes, and the new version of the Terms shall be binding.
11. The termination referred to in paragraph 9 must be submitted in documentary form to the Service Provider’s email address: [email protected]
12. The amended Terms shall enter into force on the date specified in the notice regarding the change.
13. In the event of a change to the Price List, the new Price List shall not apply to Agreements already concluded with respect to ongoing Subscription Periods – until the end of the Subscription Period for which the Subscription Fee was paid prior to the change.

Annex No. 1 to the Terms and Conditions – Personal Data Processing Agreement

PERSONAL DATA PROCESSING AGREEMENT
(“Processing Agreement“)

concluded between the Service Provider, referred to in the Processing Agreement as the Processor,
and the User, referred to in the Processing Agreement as the Data Controller.

§ 1

GENERAL PROVISIONS

1. Terms capitalized in this Processing Agreement (including those used to identify the Parties) shall have the meanings assigned to them in the Terms and Conditions of the Application.
2. This Processing Agreement is concluded in connection with the conclusion by the Data Controller and the Processor of either the Agreement or the Test Access agreement.
3. Under this Processing Agreement – under the terms and within the scope set forth herein – the Data Controller entrusts the Processor with the processing of personal data contained in the data or information entered into the Application (in particular employees and collaborators of the Controller authorized to act on its behalf) (“Data”), and the Processor undertakes to process the Data within the limits specified in this Processing Agreement and the generally applicable provisions of law.
4. The Processor shall process the Data solely based on documented instructions from the Data Controller.
5. The provisions of this Processing Agreement shall apply accordingly in cases where the User processes personal data as a processor within the meaning of Article 4(8) of the GDPR and entrusts the Data to the Service Provider, who then acts as a sub-processor. Such a situation may occur in particular when the User entrusts the Service Provider with the processing of personal data of Clients.

§ 2

REPRESENTATIONS OF THE PARTIES

1. The Data Controller declares that it holds the status of Data Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”), with respect to the Data, subject to § 1 sec. 5.
2. The Data Controller declares that it has a valid legal basis for processing the Data and that the entrustment of the Data to the Processor will not infringe the rights of third parties.
3. The Processor ensures that persons authorized to process the Data on its behalf shall be bound by a confidentiality obligation or be subject to an appropriate statutory duty of confidentiality.
4. The Processor ensures that it will implement all measures required by applicable law, in particular Article 32 of the GDPR, which requires the Processor to implement appropriate technical and organizational measures taking into account the state of the art, implementation costs, nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

§ 3

SCOPE OF PROCESSING

1. The Processor shall process the Data solely for the purpose of performing the relevant Agreement or Test Access agreement.
2. Under this Processing Agreement, the Processor shall process so-called ordinary data, i.e., data not subject to additional regulations, such as:
   1. full name of individuals authorized to act on behalf of the Data Controller,
   2. email address and phone number of individuals authorized to act on behalf of the Data Controller,
   3. information about how the Application is used by individuals authorized to act on behalf of the Data Controller.
3. The Data Controller agrees not to provide the following types of data for processing:
   1. data revealing racial or ethnic origin,
   2. data revealing political opinions, religious or philosophical beliefs,
   3. data revealing membership in trade unions,
   4. genetic data,
   5. biometric data,
   6. health data, sexual orientation, or data related to a person’s sexuality.

§ 4

METHOD OF EXECUTING THE PROCESSING AGREEMENT

1. In processing the Data, the Processor undertakes to implement all measures required by applicable law (including the GDPR), including appropriate technical and organizational measures to ensure the level of security of personal data processing commensurate with the risk of infringing the rights and freedoms of natural persons. When implementing these measures, the Processor shall take into account the state of the art, cost of implementation, nature, scope, context, and purposes of processing, as well as the risk referred to above.
2. Considering the nature of the processing, the Processor shall, as far as possible, assist the Data Controller through appropriate technical and organizational measures in complying with the obligation to respond to requests from data subjects in relation to exercising their rights under Chapter III of the GDPR, provided that such obligations lie with the Data Controller in each case.
3. Considering the nature of the processing and the information available to it, the Processor shall assist the Data Controller in fulfilling its obligations under Articles 32-36 of the GDPR, where these obligations lie with the Data Controller in each case.
4. The Processor may use the services of another processor (a “Sub-Processor”) only with the prior specific or general written consent of the Data Controller. In case of a general written consent, the Processor shall inform the Data Controller of any intended changes regarding the addition or replacement of other Sub-Processors, thereby giving the Controller the opportunity to object to such changes.
5. In its agreement with a Sub-Processor, the Processor shall impose the same data protection obligations as those imposed on the Processor under this Processing Agreement. These obligations shall include, in particular, ensuring sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure that the processing complies with the requirements of the GDPR.
6. If the Sub-Processor fails to meet its data protection obligations, the Processor shall remain fully responsible to the Data Controller for the performance of the Sub-Processor’s obligations.
7. The Data Controller consents to the Processor using Sub-Processors as listed in Annex No. 1 to this Processing Agreement and also to the transfer of data outside the European Economic Area, provided that such transfer complies with the provisions of the GDPR, including to countries or entities for which the European Commission has determined an adequate level of data protection. Changes to this annex do not constitute a change to the Processing Agreement, and the provisions of this paragraph apply accordingly.
8. The Processor shall provide the Data Controller with all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and shall enable the Data Controller or an auditor authorized by the Data Controller to conduct audits, including inspections, and assist in them – where such obligations fall on the Data Controller.
9. The provisions of this paragraph shall apply accordingly to the actions of the Data Controller regarding the Sub-Processors mentioned in section 4 above.
10. In relation to the obligation under section 8, the Processor shall promptly inform the Data Controller if, in its opinion, an instruction given to it constitutes a breach of the GDPR or other applicable laws of the European Union or Poland regarding data protection.

§ 5

DURATION OF THE PROCESSING AGREEMENT

1. The Processing Agreement is concluded upon the conclusion of the relevant Agreement or Test Access agreement, provided that the personal data is entrusted to the Processor at that time; if not, the Processing Agreement shall be concluded upon the conclusion of the relevant Agreement or Test Access agreement, at the time the personal data is entrusted to the Processor, and shall terminate upon the termination of the relevant Agreement or Test Access agreement.
2. Data processing shall occur during the term of the Processing Agreement.
3. Upon termination of the Processing Agreement, the Processor shall delete or return all personal data to the Data Controller (depending on the Data Controller’s decision) and delete all existing copies of such data, unless Union or Polish law requires the retention of the personal data.
4. In the case of termination of the Processing Agreement, the Data Controller must inform the Processor of their decision, as referred to in the previous section, no later than on the last day of the term of the Processing Agreement. If such a decision is not communicated by this date, it will be deemed that the Data Controller has instructed the Processor to delete the Data, and all related consequences shall be borne solely by the Data Controller.
5. Matters not regulated by the Processing Agreement shall be governed by the applicable provisions of Polish or European law, as well as the provisions of the relevant Agreement or Test Access agreement.

Annex No. 1 to the Personal Data Processing Agreement – List of Sub-Processors

The Data Controller consents to the Processor’s use of the following Sub-Processors:

1. OVH Sp. z o.o.
   ul. Powstańców Śląskich 9
   53-332 Wrocław
   NIP: 8992520556
   REGON: 933029040
2. GetResponse S.A.
   al. Grunwaldzka 413, 80-309 Gdańsk
   NIP: 9581468984
   REGON: 192998251
3. Google Ireland Limited
   Gordon House, Barrow Street, Dublin 4, D04 E5W5, Irlandia
   VAT UE: IE6388047V
4. Google Cloud Poland Sp. z o.o.
   Rondo Daszyńskiego 2C
   00-843 Warszawa
   NIP: 5252822767
   REGON: 386040256