Privacy Policy — Well of Art

This document defines the conditions for processing personal data (hereinafter also referred to as "data") within the scope of the Glaze app, hereinafter referred to as the "Service".

§1. HOW TO CONTACT THE DATA CONTROLLER 
The data controller for personal data processed within the Service is the company PAINTERS Spółka z ograniczoną odpowiedzialnością with its registered office in Krakow (30-868) at ul. Kurczaba 1/30, registered in the National Court Register under KRS number: 0000808203, Tax Identification Number (NIP): 6793191103, and REGON: 384602916. You can contact the Data Controller at telephone number: +48 500 370 929, and via email address: contact@wellofart.com.

§2. ON WHAT BASIS DO WE PROCESS YOUR DATA 
When collecting personal data, we always inform about the legal basis for their processing. It derives from the provisions of the GDPR (General Data Protection Regulation) (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - General Data Protection Regulation). When we inform about: 
• Art.6 para. 1 lit. a) GDPR – it means that we process personal data based on received consent, 
• Art.6 para. 1 lit. b) GDPR – it means that we process personal data because they are necessary for the performance of a contract or for taking steps at the request of the data subject prior to entering into a contract, 
• Art.6 para. 1 lit. c) GDPR – it means that we process personal data for compliance with a legal obligation, 
• Art.6 para. 1 lit. f) GDPR – it means that we process personal data for the purposes of legitimate interests pursued by the data controller or by a third party.

§3. INFORMATION ON PROCESSING DATA FOR CONCLUSION AND PERFORMANCE OF CONTRACTS, POTENTIAL CLAIMS, AND DEFENSE AGAINST THEM
1. We may process personal data necessary to fulfill the contract concluded with you. However, even before its conclusion, we may process personal data necessary to take action upon your request. The processing of this data is based on Art. 6(1)(b) of the GDPR.
2. In the case of executing a contract for the provision of paid services, we may process your data to fulfill accounting and tax obligations. The processing of this data is based on Art. 6(1)(c) of the GDPR.
3. During the execution of the contract and after its performance, we process personal data of the contracting parties to potentially resolve claims and to pursue them. Our legitimate interest, for instance, might include the ability to respond to any potential complaints, as required by separate civil law provisions. In such cases, we will process personal data based on our legitimate interest, which is to defend against potential claims or pursue them. The processing of this data is based on Art. 6(1)(f) of the GDPR.
4. We will retain this data for a period necessary to achieve specific purposes, but no later than the expiration of claims under separate legal provisions.
5. You have the right to access your data, rectify, erase, restrict processing, data portability, and the right to lodge a complaint with the supervisory authority. If data is processed for the purposes specified in point 3, you also have the right to object to their processing.
6. Providing this data is voluntary, but failure to provide it will prevent the conclusion or performance of the contract.
7. Recipients of this data include: our hosting provider, email service provider, IT service provider, accounting service provider and software used for invoice handling, electronic payment service provider, legal, advisory, and debt collection service providers, as well as other service providers we engage for specific purposes.

§4. INFORMATION ON PROCESSING DATA FOR NEWSLETTER TRANSMISSION
1.We enable subscribing to our newsletter recipient list. If you use this functionality, we process your personal data specifically for newsletter transmission. The newsletter may contain advertising, commercial, or marketing content.
2.The processing of this data is based on your consent and, therefore, Art. 6(1)(a) of the GDPR.
3.You have the right to withdraw your consent at any time. However, withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
4.We will retain your data until the consent is withdrawn. If you never withdraw it, we will process your data until we cease newsletter transmissions.
5.You have the right to access your data, rectify, erase, restrict processing, data portability, and the right to lodge a complaint with the supervisory authority.
6.Providing this data is voluntary, but failure to provide it will prevent the transmission of the newsletter.
7.Recipients of this data include: our hosting provider, IT service provider, email service provider, and newsletter delivery service provider.

§5. INFORMATION ON PROCESSING DATA FOR DIRECT MARKETING
1. We may process your personal data for direct marketing purposes. This occurs, for instance, when we respond to your message, presenting details of our offer.
2. The processing of this data is based on Art. 6(1)(f) of the GDPR.
3. We will retain your data for as long as necessary for the purpose of processing.
4. You have the right to access your data, rectify, erase, restrict processing, data portability, the right to object to data processing, and the right to lodge a complaint with the supervisory authority.
5. Providing this data is voluntary, and failure to provide it will prevent the execution of direct marketing activities.
6. Recipients of this data include: our hosting provider, IT service provider, and email service provider.

§6. INFORMATION ON DATA PROCESSING FOR SECURITY PURPOSES
1. From the moment you access our app, to ensure service security, we process data such as: 
• Public IP address of the requesting device 
• Browser type and language 
• Date and time of the request 
• Bytes sent by the server 
• URL of the previously visited page, if accessed through a link 
• Information about errors during request execution.

2. Our legitimate interest in this processing involves maintaining server logs and securing the Service against potential hacking attacks and other abuses. This includes the ability to determine the IP address of individuals engaging in unauthorized activities within the Service, such as attempting to breach security or publish prohibited content, or conducting unauthorized actions using our servers.
3. The processing of this data is based on Art. 6(1)(f) of the GDPR.
4. We will retain this data for a period necessary to achieve the specified purposes, no later than the expiration of claims arising from separate legal provisions.
5. You have the right to access your data, rectify, erase, restrict processing, object to processing, and lodge a complaint with the supervisory authority.
6. Providing this data is a condition for using the Service. Failure to provide this data will prevent the use of the Service.
7. Recipients of this data include our hosting provider, IT service provider, and telecommunications service provider.

§7. INFORMATION ABOUT DATA RECIPIENTS
When processing personal data, we use external services. Therefore, third-party entities may be recipients of your personal data. While we always inform about these recipients when collecting personal data, for the sake of readability, we do so in a summarized manner.
Thus, we explain that when we mention specific categories of recipients, they refer to the following entities:
• Hosting provider: OVH Sp. z o.o., ul. Swobodna 1, 50-088 Wrocław; Microsoft Ireland Operations Limited, Attn: Data Protection Officer, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
• Email service provider: Twilio Inc., 375 Beale Street Suite 300 San Francisco, CA 94105 United States.
• Accounting services provider: Good Care OPS spółka z ograniczoną odpowiedzialnością, ul. Generała Kiwerskiego 9, 31-341, Kraków, Poland.
• Legal / advisory / debt collection service providers - these service providers are individually appointed as the need arises.
• Newsletter delivery service provider: Twilio Inc., 375 Beale Street Suite 300 San Francisco, CA 94105 United States.
• Electronic payment services provider: PayPal (Europe) S.à r.l. et Cie, S.C.A. 22-24 Boulavard Royal L-2449 Luxembourg.

§8. INFORMATION ON TRANSFERRING DATA TO THIRD COUNTRIES
1. Due to our use of services provided by other suppliers, your personal data may be transferred outside the European Economic Area, specifically to the country: United States of America (USA).
2. The European Commission has determined that some countries outside the European Economic Area (EEA) adequately protect personal data.
3. As the country to which we transfer personal data has not been recognized as a safe country, the transfer of data is based on an agreement containing standard data protection clauses adopted by the European Commission.

§9. UNCONDITIONAL RIGHTS OF PERSONS WHOSE DATA IS PROCESSED
When discussing the rights related to the processing of your personal data, we refer to the rights described below. The ability to use the following rights is independent of the legal basis for processing personal data. Right to access data You have the right to obtain confirmation from us whether we are processing your personal data. If so, you have the right to access this data and receive additional information about: 
• the purposes of processing, 
• categories of relevant data, 
• recipients or categories of recipients to whom the data has been or will be disclosed, especially recipients in third countries or international organizations, 
• the planned storage period of the data, or if not possible, the criteria for determining this period, 
• the right to request rectification, erasure, or restriction of processing, to object to such processing, and to lodge a complaint with the supervisory authority, 
• the source of data if your data was not collected from you, 
• automated decision-making, including profiling, and the logic involved, as well as the significance and anticipated consequences of such processing for you. 

Upon receiving such a request, we are obligated to provide a copy of the personal data subject to processing. If such a request is made electronically and unless we receive other reservations, we will also provide information electronically. 

Right to rectification of data 
You have the right to request immediate rectification by us of your personal data that is incorrect. Considering the purposes of processing, you have the right to request the completion of incomplete personal data, including by providing additional statements. 

Right to erasure of data (right to be forgotten) 
You have the right to request immediate erasure by us of your personal data. We are obliged to promptly erase personal data if one of the following circumstances occurs: 
• you have withdrawn your consent to the processing of your personal data, and we do not have any other legal basis for processing them, 
• you have raised a successful objection to the processing of your data, 
• your personal data have been processed unlawfully, 
• your personal data must be erased to comply with a legal obligation, 
• your data was collected concerning the offer of information society services.

Right to restriction of processing 
You have the right to request restriction of processing by us in the following cases: 
• when you question the accuracy of the data - for a period allowing us to verify its accuracy, 
• processing is unlawful, and you oppose the erasure of data, instead requesting the restriction of their use, 
• we no longer need personal data for processing purposes, but you require them to establish, assert, or defend legal claims, 
• you have objected to the processing of your data - until it is determined whether our legal grounds prevail over the basis for your objection. 

Automated decisions, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right does not apply if the decision: 
• is necessary for entering into or performing a contract between you and us, 
• is permitted by Union law or Polish law and provides adequate measures to safeguard your rights, freedoms, and legitimate interests, or 
• is based on your explicit consent.

Right to lodge a complaint 
You have the right to lodge a complaint related to the processing of your personal data with the supervisory authority: President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, tel. 22 531 03 00, fax. 22 531 03 01, e-mail: kancelaria@uodo.gov.pl.

§10. RELATIVE RIGHTS OF PERSONS WHOSE DATA IS PROCESSED
When discussing the rights related to the processing of your personal data, we refer to the rights described below. The ability to exercise them depends on the legal basis for processing personal data each time.

Right to withdraw consent for processing
If we process your personal data based on your consent, you have the right to withdraw that consent at any time. Naturally, withdrawing consent does not affect the lawfulness of prior processing of personal data.

Right to data portability 
You have the right to receive your personal data provided to us in a structured, commonly used, machine-readable format. You also have the right to transmit this personal data to another controller without hindrance from us if the processing is: 
• based on consent or on a contract, and 
• carried out by automated means. 

When exercising the right to data portability, you have the right to request that your personal data be transmitted directly by us to another controller, if technically feasible. This right cannot adversely affect the rights and freedoms of others.

Right to object 
If we process your personal data based on Article 6(1)(f) of the GDPR, you have the right to object to the processing of such data for reasons related to your particular situation. In this case, we may no longer process this personal data unless we demonstrate compelling legitimate grounds for the processing, which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. Also, if you object to the processing of your personal data for direct marketing purposes, we will no longer be able to process it for such purposes.

§11. COOKIES - INTRODUCTION 
The app of the Service uses cookies. These are commonly used small files containing a string of characters that are sent and stored on the end device (e.g., computer, laptop, tablet, smartphone) used when visiting the Service. This information is sent to and stored in the memory of the browser, which sends it back on subsequent visits to the app. Cookies can be categorized based on three division methods.

In terms of the purposes of using cookies, we distinguish three categories: 
• Essential cookies - these cookies enable the proper functioning of the app and its functionalities, e.g., authentication or security cookies. Without storing them on your device, using the app would be impossible. 
• Analytical cookies - these cookies enable monitoring of visited web pages, traffic sources, time spent on the app. Without storing them, the functionality of the app will not be limited.

In terms of their validity period, we distinguish two categories of cookies: 
• Session cookies - existing until the end of a given session, 
• Persistent cookies - existing after the session is completed.

In terms of distinguishing the entity managing the cookies, we distinguish: 
• Our cookies, 
• Third-party cookies.

§12. DATA ADMINISTRATOR'S COOKIES
The cookies managed by us allow for: 
• access authentication, 
• maintaining sessions after logging in, 
• securing the Service against hacking attacks, 
• "remembering" the content of fields in completed forms by the browser (optional). This makes using the Service's functionalities easier and more enjoyable.

§13. THIRD-PARTY COOKIES
The use of third-party cookies is subject to the privacy and cookies policy applied by these entities. GOOGLE We use cookies managed by Google Inc. 1600 Amphitheatre Pkwy, Mountain View, CA 94043, United States, as part of the services: The data collected by Google Inc. is anonymous and aggregate. In particular, they do not contain identifying features (understood as personal data) of Service users. By using these services, we collect data such as sources of user acquisition visiting the Service, their behavior on the Service's site, information about the devices and browsers they use, IP address, domain, demographic data (age, gender), interests, and geographic data. More information on this can be found here: Google's Cookie Policy The use of third-party cookies is subject to the privacy and cookies policy applied by these entities. The current policies of these third-party entities in this regard can be found on their respective websites and here: Privacy Policies and Cookies Files.

§14. CONSENT TO THE USE OF COOKIES AND COOKIE MANAGEMENT 
Except for essential cookies, their processing is based on the user's consent. Consent to the processing of cookies is voluntary and can be withdrawn at any time. However, it should be noted that refusing to consent to the use of certain cookies may result in limitations in using the Service and its functionalities, and may even make it impossible to use the Service.

Consent to the processing of cookies may be given: 
• through the settings of the software installed on the user's telecommunications end device, 
• by using a button containing a statement of consent to the processing of cookies or confirming familiarity with its terms, 
• through settings available on the app. 

§15. CACHE MEMORY
When using the Service's app, we may automatically use the cache memory installed on your device. Within the local memory, it's possible to store data between sessions, i.e., between successive visits to the Service's app. The purpose of using cache memory is to speed up the use of the Service by eliminating situations in which the same data would be repeatedly downloaded from the app, thereby burdening the user's internet connection. The cache memory may also store data such as login passwords.

§16. LINKS TO OTHER WEBSITES OR SOFTWARE
The Service may contain links to other websites or software. We are not responsible for the privacy policy and cookie processing rules applicable on those sites or in that software. We recommend familiarizing yourself with the privacy policy and cookie rules of those websites or software upon entering or before installing them.

§17. CHANGES TO THE PRIVACY POLICY AND COOKIES
1. The privacy policy and cookies come into effect on the date of publication on the Service's app.
2. Changes to the privacy policy and cookies occur by publishing new content on the Service's app.
3. Information about changes to the privacy policy and cookies will be published on the Service's app, no later than 3 days before the new version takes effect.