Affector

Privacy Policy

Last updated: Apr 11, 2026

Hello!

Read this short guide before you start working with the document! The Privacy Policy is a showcase of your approach to data. A well-prepared document builds trust, so it is worth ensuring that the content fully aligns with how your application actually operates.

  1. Review the document and fill in all the […] (application name, website/store address, link to the terms and conditions). Empty spaces suggest that the implementation process is still ongoing, and we want to demonstrate full professionalism from day one.
  2. In the section “Data Controller,” enter the full registration details (KRS, NIP, REGON, address, capital) and ensure they are identical to those in the terms and conditions, website footer, and sales documents.
  3. In the Contact section, leave only the channels that you actually handle (include a phone number only if someone actually answers it and it is not a “ghost number”).
  4. In the part about the DPO, decide whether a Data Protection Officer will be appointed at all—if not, remove the entire block, as a “pretend DPO” is asking for trouble.
  5. In the “purposes–data–legal basis” tables, match the lists of data to what you actually collect in forms/registration/payments. If you don’t ask for a phone number in the form, don’t include it “just in case.” This way, the document will be short, specific, and understandable for the user.
  6. Check whether each purpose has a reasonable legal basis: contract (art. 6(1)(b)), legal obligation (art. 6(1)(c)), legitimate interest (art. 6(1)(f))—and whether the description of voluntariness/consequences does not contradict what the user sees in the application.
  7. Verify retention periods: “until the expiration of claims” is fine, but for logs/analytics/marketing and cookies, enter realistic timeframes (in practice, this is often where the policy diverges from tool settings).
  8. If you have a Profiling section, specify where the profile data comes from (e.g., activity, account attributes), how the user can object, and how it affects marketing (whether it’s “less tailored” or “no marketing at all”).
  9. In Data Recipients, instead of generalities (“hosting company”), it’s best to list categories + provider names (hosting/payments/newsletter/analytics/accounting), and if you use AI subcontractors or support tools (helpdesk, chat), include them right away.
  10. Finally, handle the “cookies + transfers combo”: complete the tools table (duration, functions, data), ensure the consent banner actually distinguishes categories (necessary/analytics/marketing), and that the section on transfers to third countries matches what you actually use (e.g., Google/Meta) and the transfer mechanisms you apply.

PRIVACY POLICY OF THE APPLICATION […]

This Privacy Policy (hereinafter: “Policy”) contains information about the processing of your personal data in connection with the use of the application “[…]”, operating at the internet address […]/on mobile devices (hereinafter: “Application”).

All terms written with a capital letter that are not otherwise defined in the Policy have the meaning assigned to them in the Terms and Conditions, available at: […].

Data Controller

The controller of your personal data is […] company […] with its registered office in […] (registered office address: ul. […]), entered into the register of entrepreneurs of the National Court Register maintained by the District Court […], […] Commercial Division of the National Court Register under KRS number: […], holding NIP: […], REGON number: […], with share capital of […] PLN ([…] zlotys) fully paid up (hereinafter: “Controller”).

Contact with the Controller

For all matters related to the processing of personal data, you can contact the Controller via:

  1. email - at the address: […];
  2. traditional mail - at the address: […];
  3. phone - at the number: […].

Data Protection Officer

You can contact the Data Protection Officer appointed by the Controller (Mr./Ms. […]) via:

  1. email - at the address: […];
  2. traditional mail - at the address: […];
  3. phone - at the number: […].

Data Protection Measures

The Controller applies modern organizational and technical safeguards to ensure the best possible protection of your personal data and guarantees that it processes them in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: “GDPR”), the Act of 10 May 2018 on the Protection of Personal Data, and other data protection regulations.

Information on Processed Personal Data

Using the Application requires the processing of your personal data. Below you will find detailed information about the purposes and legal bases of processing, as well as the retention period and the obligation or voluntariness of providing the data.

Purpose of Processing

Processed Personal Data

Legal Basis

Conclusion and performance of the Account Service Agreement
  1. first and last name
  2. email address
  3. […]

art. 6(1)(b) GDPR

(processing is necessary for the performance of the Account Service Agreement concluded with the data subject or to take steps to conclude it)

Providing the above personal data is a condition for concluding and performing the Account Service Agreement (providing them is voluntary, but failure to provide them will result in the inability to conclude and perform the aforementioned agreement, including creating an Account).

The Controller will process the above personal data until the expiration of claims arising from the Account Service Agreement.


Purpose of Processing

Processed Personal Data

Legal Basis

Conclusion and performance of the Application Usage Agreement
  1. first and last name
  2. email address
  3. phone number
  4. residential/business address (street, house number, apartment number, city, postal code, country)
  5. optionally - company name and NIP (if the Service Recipient is an Entrepreneur or an Entrepreneur with Consumer Rights)
  6. […].

art. 6(1)(b) GDPR

(processing is necessary for the performance of the Application Usage Agreement concluded with the data subject or to take steps to conclude it)

Providing the above personal data is a condition for concluding and performing the Application Usage Agreement (providing them is voluntary, but failure to provide them will result in the inability to conclude and perform the Application Usage Agreement).

The Controller will process the above personal data until the expiration of claims arising from the Application Usage Agreement.


Purpose of Processing

Processed Personal Data

Legal Basis

Conclusion and performance of the Newsletter Service Agreementemail address

art. 6(1)(b) GDPR

(processing is necessary for the performance of the Newsletter or Digital Content Service Agreement concluded with the data subject or to take steps to conclude it)

and

art. 6(1)(f) GDPR

(processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case, informing about news and promotions available in the Application)

Providing the above personal data is voluntary but necessary to receive the Newsletter or Digital Content (failure to provide them will result in the inability to receive the Newsletter or Digital Content).

The Controller will process the above personal data until the effective objection is raised or the purpose of processing is achieved, or until the expiration of claims arising from the Newsletter or Digital Content Service Agreement (whichever occurs first).


Purpose of Processing

Processed Personal Data

Legal Basis

Handling complaint procedures
  1. first and last name
  2. email address

art. 6(1)(c) GDPR

(processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case, obligations:

  • to respond to a complaint – art. 7a of the Consumer Rights Act;
  • to fulfill the Client's rights arising from the provisions on the liability of the Controller in case of non-compliance of the physical Goods with the Sales Agreement or the Digital Content with the relevant Agreement)

Providing the above personal data is a condition for receiving a response to a complaint or exercising the Service Recipient's rights arising from the provisions on the liability of the Controller in case of non-compliance of the Digital Content with the relevant Agreement (providing them is voluntary, but failure to provide them will result in the inability to receive a response to the complaint and exercise the aforementioned rights).

The Controller will process the above personal data for the duration of the complaint procedure, and in the case of exercising the aforementioned Client's rights – until their expiration.



Purpose of Processing

Processed Personal Data

Legal Basis

Conducting verification procedures and handling appeals against decisions regarding the handling of illegal content
  1. first and last name/name,
  2. contact details, including email address

art. 6(1)(c) GDPR

(processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case, obligations:

  • to provide a mechanism for reporting illegal content (art. 16 of Regulation 2022/2065 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) (hereinafter: “DSA”),

to handle complaints (art. 20 DSA).

Providing the above personal data is a condition for receiving a response to the report or exercising the User's rights arising from the provisions of the DSA (providing them is voluntary, but failure to provide them will result in the inability to receive a response to the report and exercise the aforementioned rights).

The Controller will process the above personal data for the duration of the complaint procedure, and in the case of exercising the aforementioned User's rights – until their expiration.


Purpose of Processing

Processed Personal Data

Legal Basis

Handling inquiries submitted by Users
  1. first name
  2. email address
  3. other data included in the message to the Controller

art. 6(1)(f) GDPR

(processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case, responding to received inquiries)

Providing the above personal data is voluntary but necessary to receive a response to the inquiry (failure to provide them will result in the inability to receive a response).

The Controller will process the above personal data until the effective objection is raised or the purpose of processing is achieved (whichever occurs first).


Purpose of Processing

Processed Personal Data

Legal Basis

Sharing Opinions about services
  1. first name
  2. optionally – other data included in the Opinion

art. 6(1)(f) GDPR

(processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case, sharing Opinions for informational and promotional purposes)

Providing the above personal data is voluntary but necessary to add an Opinion (failure to provide them will result in the inability to add an Opinion).

The Controller will process the above personal data until the effective objection is raised or the purpose of processing is achieved (whichever occurs first).


Purpose of Processing

Processed Personal Data

Legal Basis

Fulfilling tax obligations (e.g., issuing VAT invoices, storing accounting documentation)
  1. first and last name/company name
  2. residential/registered address
  3. NIP

art. 6(1)(c) GDPR

(processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case, obligations arising from tax law)

Providing the above personal data is voluntary but necessary for the Controller to fulfill its tax obligations (failure to provide them will result in the inability of the Controller to fulfill the aforementioned obligations).

The Controller will process the above personal data for a period of 5 years from the end of the year in which the tax payment deadline for the previous year expired.




Purpose of Processing

Processed Personal Data

Legal Basis

Fulfilling obligations related to data protection
  1. first and last name
  2. contact details provided by you (email address; correspondence address; phone number)

art. 6(1)(c) GDPR

(processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case, obligations arising from data protection regulations)

Providing the above personal data is voluntary but necessary for the proper performance of the Controller's obligations under data protection regulations, including the exercise of rights granted to you by GDPR (failure to provide the above data will result in the inability to properly exercise the aforementioned rights).

The Controller will process the above personal data until the expiration of the limitation periods for claims arising from violations of data protection regulations.




Purpose of Processing

Processed Personal Data

Legal Basis

Establishing, pursuing, or defending against claims
  1. first and last name/company name
  2. email address
  3. residential/registered address
  4. PESEL number
  5. NIP

art. 6(1)(f) GDPR

(processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case, establishing, pursuing, or defending against claims that may arise in connection with the performance of Agreements concluded with the Controller)

Providing the above personal data is voluntary but necessary for establishing, pursuing, or defending against claims that may arise in connection with the performance of Agreements concluded with the Controller (failure to provide the above data will result in the inability of the Controller to undertake the aforementioned actions).

The Controller will process the above personal data until the expiration of the limitation periods for claims that may arise in connection with the performance of Agreements concluded with the Controller.




Purpose of Processing

Processed Personal Data

Legal Basis

Analyzing your activity in the Application
  1. date and time of visits
  2. IP address of the device
  3. type of device operating system
  4. approximate location
  5. type of internet browser
  6. time spent in the Application
  7. visited subpages and other activities undertaken within the Application

art. 6(1)(f) GDPR

(processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case, obtaining information about your activity in the Application)

Providing the above personal data is voluntary but necessary for the Controller to obtain information about your activity in the Application (failure to provide them will result in the inability of the Controller to obtain the aforementioned information).

The Controller will process the above personal data until the effective objection is raised or the purpose of processing is achieved.




Purpose of Processing

Processed Personal Data

Legal Basis

Administering the Application
  1. IP address
  2. server date and time
  3. information about the internet browser
  4. information about the operating system

The above data is automatically recorded in so-called server logs each time the Application is used (administering it without the use of server logs and automatic recording would not be possible).

art. 6(1)(f) GDPR

(processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case, ensuring the proper functioning of the Application)

Providing the above personal data is voluntary but necessary to ensure the proper functioning of the Application (failure to provide them will result in the inability to ensure the proper functioning of the Application).

The Controller will process the above personal data until the effective objection is raised or the purpose of processing is achieved.

Profiling

To create your profile for marketing purposes and to direct personalized direct marketing to you, the Controller will process your personal data in an automated manner, including profiling—it will not, however, have any legal effects on you or similarly significantly affect your situation.

The scope of profiled personal data corresponds to the scope indicated above concerning the analysis of your activity in the Application and the data you save in the Account.

The legal basis for processing personal data for the above purpose is art. 6(1)(f) GDPR, according to which the Controller may process personal data to pursue its legitimate interests, in this case, conducting marketing activities tailored to the preferences of recipients. Providing the above personal data is voluntary but necessary to achieve the aforementioned purpose (failure to provide them will result in the inability of the Controller to conduct marketing activities tailored to the preferences of recipients).

The Controller will process personal data for profiling purposes until the effective objection is raised or the purpose of processing is achieved.

Recipients of Personal Data

The recipients of personal data will be the following external entities cooperating with the Controller:

  1. hosting company;
  2. online payment system providers;
  3. newsletter service provider;
  4. companies providing tools for analyzing activity in the Application and directing direct marketing to its users (e.g., Google Analytics);
  5. accounting service provider;
  6. […].

Additionally, personal data may also be transferred to public or private entities if such an obligation arises from generally applicable laws, a final court judgment, or a final administrative decision.

Transfer of Personal Data to a Third Country

In connection with the Controller's use of services provided by Google LLC, your personal data may be transferred to the following third countries: the United Kingdom, Canada, the USA, Chile, Brazil, Israel, Saudi Arabia, Qatar, India, China, South Korea, Japan, Singapore, Taiwan (Republic of China), Indonesia, and Australia. The basis for transferring data to the aforementioned third countries is:

  • in the case of the United Kingdom, Canada, Israel, and Japan - decisions of the European Commission determining an adequate level of personal data protection in each of the aforementioned third countries;
  • in the case of the USA, Chile, Brazil, Saudi Arabia, Qatar, India, China, South Korea, Singapore, Taiwan (Republic of China), Indonesia, and Australia - contractual clauses ensuring an adequate level of protection, in accordance with the standard contractual clauses specified in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council.

You can obtain a copy of the data transferred to a third country from the Controller.

Rights

In connection with the processing of personal data, you have the following rights:

  1. the right to information about what personal data concerning you is processed by the Controller and to receive a copy of this data (so-called right of access). The first copy of the data is free of charge; for subsequent copies, the Controller may charge a fee;
  2. if the processed data becomes outdated, incomplete (or otherwise incorrect), you have the right to request its rectification;
  3. in certain situations, you may request the Controller to delete your personal data, e.g., when:
    1. the data is no longer needed by the Controller for the purposes it has informed you about;
    2. you have effectively withdrawn your consent to data processing—provided the Controller has no right to process the data on another legal basis;
    3. the processing is unlawful;
    4. the necessity to delete the data arises from a legal obligation imposed on the Controller;
  4. if personal data is processed by the Controller based on your consent to processing or to perform an Agreement concluded with it, you have the right to transfer your data to another controller;
  5. if personal data is processed by the Controller based on your consent to processing, you have the right to withdraw this consent at any time (withdrawal of consent does not affect the lawfulness of processing carried out based on consent before its withdrawal);
  6. if you believe that the processed personal data is incorrect, its processing is unlawful, or the Controller no longer needs certain data, you may request that for a specified, necessary time (e.g., to verify the correctness of the data or pursue claims), the Controller does not perform any operations on the data but only stores it;
  7. you have the right to object to the processing of personal data, where the basis for processing is the Controller's legitimate interest. If the objection is effectively raised, the Controller will cease processing personal data for the aforementioned purpose;
  8. you have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO) if you believe that the processing of personal data violates GDPR provisions.

Cookies

  1. The Controller informs that the Application uses “cookies” installed on your end device. These are small text files that can be read by the Controller's system, as well as by systems belonging to other entities whose services the Controller uses (e.g., Facebook, Google).
  2. The Controller uses cookies for the following purposes:
    1. ensuring the proper functioning of the Application – thanks to cookies, the Application can operate efficiently, its functions can be used, and navigation between subpages can be smooth;
    2. enhancing the user experience – cookies allow for detecting errors on certain subpages and continuously improving them;
    3. creating statistics – cookies are used to analyze how users use the Application. This allows for continuous improvement of the Application and adapting its operation to user preferences;
    4. conducting marketing activities – thanks to cookies, the Controller can direct advertisements tailored to users' preferences.
  3. The Controller may place both persistent and temporary (session) cookies on your device. Session cookies are usually deleted when the browser is closed, while closing the browser does not delete persistent cookies.
  4. Information about cookies used by the Controller is displayed in a panel located at the bottom of the website/footer of the Application. Depending on your decision, you can enable or disable cookies of specific categories (except for necessary cookies) and change these settings at any time.
  5. Data collected through cookies does not allow the Controller to identify you.
  6. The Controller uses the following cookies or tools utilizing them:

TOOL

PROVIDER

FUNCTIONS AND SCOPE OF COLLECTED DATA

DURATION

Necessary cookiesControllerThe operation of these cookies is essential for the proper functioning of the Application/website of the Application, so you cannot disable them. Thanks to these cookies (collecting, among others, the IP number of your device), it is possible, among other things, to inform you about the cookies operating in the ApplicationMost necessary cookies are session-based, but some remain on your end device for […] months or until they are deleted;
Google AnalyticsGoogleThis tool allows collecting statistical data on how Users use the Application, including the number of visits, duration of visits, browser used, and location. The collected data helps improve the Application and make it more user-friendlyup to 2 years or until they are deleted (whichever occurs first)
Facebook PixelFacebookThis tool allows determining that you have opened the Application, directing advertisements to you displayed on social media platforms Facebook and Instagram, and measuring their effectiveness.up to 3 months or until they are deleted (whichever occurs first)
[…][…][…][…]
  1. Through most commonly used browsers, you can check whether cookies have been installed on your end device, as well as delete installed cookies and block their future installation by the Application. However, disabling or limiting the handling of cookies may cause significant difficulties in using the Application, such as the need to log in on each subpage, longer loading times for the Application, or limitations in using certain functionalities.

Final Provisions

In matters not regulated by the Policy, generally applicable data protection regulations shall apply.

The Policy is effective as of […].