top of page

Privacy Policy

This Privacy Policy (hereinafter: the "Policy") contains information regarding the processing of personal data by the Controller in connection with the performance of the Agreement concluded between the Controller and the Service Recipient.

All capitalized terms that have not been otherwise defined in the Policy shall have the meaning assigned to them in the Terms and Conditions of the "Tap-stamp" application.

Personal Data Controller

The controller of personal data of Service Recipients who are natural persons is Tap Stamp,  Goszczynskiego 3/103, 30-724 Kraków - Poland, conducting business activity referred to in Article 5(1) of the Act of 6 March 2018 – Entrepreneurs' Law (hereinafter: the "Controller").

Contact with the Controller

In all matters relating to the processing of personal data, you may contact the Controller via email at: info@tap-stamp.com.

Personal Data Protection Measures

The Controller applies state-of-the-art organizational and technical safeguards to ensure the best possible protection of your personal data and guarantees that it processes such data in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the "GDPR"), the Act of 10 May 2018 on the Protection of Personal Data, and other personal data protection regulations.

Information on Processed Personal Data

Detailed information on the purposes and legal bases for the processing of personal data by the Controller, as well as the processing period and whether the provision of such data is mandatory or voluntary, can be found in the tables below.

The provision of the above-mentioned personal data is a condition for concluding and performing the Agreement (their provision is voluntary, however, failure to provide them will result in the inability to conclude and perform the Agreement).

The Controller shall process the above-mentioned personal data until the expiry of the limitation period for claims arising from the Agreement.

The provision of the above-mentioned personal data is voluntary, but necessary for the Controller to fulfill its applicable tax obligations (failure to provide them will result in the Controller's inability to fulfill the above-mentioned obligations).

The Controller shall process the above-mentioned personal data for a period of 5 years from the end of the year in which the deadline for tax payment for the previous year expired.

The provision of the above-mentioned personal data is voluntary, but necessary for the Controller to properly fulfill its obligations arising from personal data protection regulations, including the exercise of rights granted to natural persons by the GDPR (failure to provide the above-mentioned data will result in the inability to properly exercise the above-mentioned rights).

The Controller shall process the above-mentioned personal data until the expiry of the limitation periods for claims arising from violations of personal data protection regulations.

The provision of the above-mentioned personal data is voluntary, but necessary for the establishment, exercise or defense of claims that may arise in connection with the performance of Agreements concluded with the Controller (failure to provide the above-mentioned data will result in the Controller's inability to undertake the above-mentioned actions).

The Controller shall process the above-mentioned personal data until the expiry of the limitation periods for claims that may arise in connection with the performance of Agreements concluded with the Controller.

Profiling

The Service Recipient's personal data will not be used by the Controller for automated decision-making, including profiling.

Recipients of Personal Data

The recipients of personal data shall be the following external entities cooperating with the Controller:

  1. hosting company;

  2. IT service provider;

  3. mailing system provider;

  4. company providing accounting services;

  5. company providing legal services.

In addition, personal data may also be transferred to public or private entities if such an obligation arises from generally applicable laws, a final court judgment, or a final administrative decision.

Transfer of Personal Data to Third Countries

In connection with the Controller's use of services provided by entities based outside the European Union (including Google, Amazon), the Service Recipient's personal data may be transferred to the United States. The basis for the transfer of personal data is Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework.

The Service Recipient may obtain from the Controller a copy of the data transferred to the United States.

Rights

In connection with the processing of personal data, the Service Recipient is entitled to the following rights:

  1. the right to information about what personal data concerning the Service Recipient is processed by the Controller and to receive a copy of such data (the so-called right of access). The issuance of the first copy of the data is free of charge; for subsequent copies, the Controller may charge a fee;

  2. if the processed data becomes outdated or incomplete (or otherwise incorrect), the Service Recipient has the right to request its rectification;

  3. in certain situations, the Service Recipient may request the Controller to erase their personal data, e.g., when:

    1. the data is no longer necessary for the Controller for the purposes for which it was informed;

    2. the processing is unlawful;

    3. the need to erase the data arises from a legal obligation to which the Controller is subject;

  4. in the event that personal data is processed by the Controller on the basis of consent granted to processing or for the purpose of performing an Agreement concluded with the Controller, the Service Recipient has the right to transfer their data to another controller;

  5. if the Service Recipient considers that the processed personal data is incorrect, its processing is unlawful, or the Controller no longer needs certain data, they may request that, for a specified necessary period (e.g., to verify the accuracy of the data or to pursue claims), the Controller refrain from performing any operations on the data and only store it;

  6. the Service Recipient has the right to object to the processing of personal data the basis for the processing of which is the Controller's legitimate interest. In the event of an effective objection, the Controller will cease processing personal data for the above-mentioned purpose;

  7. the Service Recipient has the right to lodge a complaint with the President of the Personal Data Protection Office if they consider that the processing of personal data violates the provisions of the GDPR.

Final Provisions

In matters not regulated by the Policy, generally applicable personal data protection regulations shall apply.

 

The Policy shall be effective as of 1 January 2025.

bottom of page