Privacy policy

  1. 1 General information

  2. 1.1 Controller of personal data: NOMAGIC Sp. z o.o. with its registered seat in Warsaw, Poland, 36 Rakowiecka Street, 02-532 Warsaw, Poland, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register, under KRS number 0000675685, having statistical REGON number: 367171444, Tax Identification Number NIP: 5252709137, e-mail: gdpr@nomagic.ai (hereinafter referred to as the " Controller").

  3. 1.2 This Privacy Policy sets out the rules of processing and protection of personal data of Controller's customers and contractors, obtained in connection with any cooperation between the Controller and these persons (hereinafter referred to as: " Clients"). This Privacy Policy is also an informative document regarding the processing of personal data of Clients by the Controller.

  4. 1.3 In a meaning of this Privacy Policy, Controller's Clients are in particular:

    1. 1.3.1 natural persons being customers and/or contractors of the Controller (including Controller's sub-contractors);
    2. 1.3.2 employees and other natural persons acting in the name and on behalf of Controller's customers and/or contractors (including Controller's sub-contractors);
    3. 1.3.3 natural persons using or intending to use Controller's website available at www.nomagic.ai (hereinafter referred to as: " Website"), including in particular natural persons subscribing to the newsletter or completing the contact form on the Website.
  5. 1.4 Controller collects personal data:

    1. 1.4.1 directly from the Clients as part of providing services to them or in connection with the provision of services;
    2. 1.4.2 from publicly available sources such as court or business registers, including National Court Register or Central Business Record and Information.
  6. 1.5 Controller processes personal data in compliance with Polish and European law, including in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119 p. 1, hereinafter the " GDPR").

  7. 2 Types of personal data processed

  8. 2.1 Within the cooperation with the Clients, the Controller processes the following Clients' personal data:

    1. 2.1.1 name and surname / business name;
    2. 2.1.2 contact phone number;
    3. 2.1.3 email address;
    4. 2.1.4 residential address, correspondence address or business address: street, house / flat number, zip code, city, country;
    5. 2.1.5 NIP;
    6. 2.1.6 REGON;
    7. 2.1.7 IP number of a computer or other device with internet access;
    8. 2.1.8 Web browser name and type
  9. 2.2 Providing personal data indicated above is completely voluntary, but it may be necessary to conclude or perform an agreement with the Controller. Each Client has the rights set out in this Privacy Policy regarding his personal data in accordance with applicable law.

  10. 2.3 Personal data indicated in point 2.1.7 above is collected automatically upon the visit at the Website. This data is stored in a log file on the server. This data is collected for technical reasons.

  11. 3 Purposes of personal data processing

  12. 3.1 Clients' personal data is processed by the Controller in order to establish and maintain commercial relations with the Customer, in particular to:

    1. 3.1.1 conclude, implement and/or terminate the agreement with the Client, including in particular to take action before the conclusion of the agreement or to provide services or to provide goods;
    2. 3.1.2 establish and maintain ongoing business contacts with the Client, including in particular to ensure effective customer service;
    3. 3.1.3 provide newsletter and enable contact with the Website user;
    4. 3.1.4 handle complaints or claims;
    5. 3.1.5 comply with the legal obligations imposed on the Controller, in particular regarding to, e.g. taxes.
  13. 3.2 In addition, Clients' personal data may be processed for marketing purposes related to the Controller's own products and services or for other purposes to which Client gives consent.

  14. 3.3 The Controller does not use personal data to make decisions based solely on its automated processing, including profiling.

  15. 4 Legal basis for personal data processing

  16. 4.1 Providing personal data by the Clients is voluntary, but in some cases it may be required to use services provided by the Controller.

  17. 4.2 Processing of personal data by the Controller is based on the provisions of law, in particular when:

    1. 4.2.1 it is necessary for the performance of an agreement or to carry out activities before the conclusion of the agreement;
    2. 4.2.2 it is necessary to fulfil legal obligation imposed on the Controller (e.g. tax obligation);
    3. 4.2.3 it is necessary for the purposes of the legitimate interests pursued by the Controller (e.g. Controller's marketing activities, pursuing claims in court proceedings).
  18. 4.3 Further, processing of personal data by the Controller might be based on Client's consent. In such cases, each Client in every time has a right to withdraw the consent for the processing of personal data. Withdrawal of the consent does not affect the lawfulness of the processing carried out before the consent was withdrawn and it does not affect the processing of personal data which relies on a basis other than the consent.

  19. 4.4 Clients may grant consent for personal data processing only if they are over 16 years old. In case of Clients who are below 16, parents' and/or legal guardian's consent is required.

  20. 5 Retention period for personal data

  21. 5.1 Clients' personal data will be kept for a period necessary to carry out the purposes of processing, in particular for the period:

    1. 5.1.1 required to carry out activities before the conclusion of the agreement, aimed to its conclusion;
    2. 5.1.2 f execution of the agreement concluded with the Controller and for a period in which the Client or the Controller has any rights and/or claims regarding its execution, in particular for the limitation period and one year after the expiry of the limitation period;
    3. 5.1.3 execution of legal obligations imposed on the Controller.
  22. 5.2 At the end of the retention period, personal data will be immediately erased by the Controller, except personal data provided to the Controller for marketing purposes – which will continue to be processed until the Client withdraws the relevant consent or objects to the processing of such data.

  23. 6 Recipients of personal data

  24. 6.1 Clients' personal data may be shared with the following categories of recipients:

    1. 6.1.1 individuals employed at the Controller or working with the Controller under civil-law agreements and authorised by the Controller;
    2. 6.1.2 processors of personal data acting for and on behalf of the Controller, as well as authorised individuals employed in such entities (e.g. external service providers, subcontractors, legal advisers, financial consultants or accountants, IT service providers, etc.), in particular the following entities:
    3. (1)Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as: " Google");
    4. (2)com, inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA (hereinafter referred to as: " SalesForce");
    5. 6.1.3 entities affiliated with the Controller, including companies from Controller's capital group, including NOMAGIC, Inc., 251 Little Falls Drive, Wilmington, DE 19808, USA (hereinafter referred to as: „ NOMAGIC INC.");
    6. 6.1.4 governmental authorities or other public bodies, in order to comply with legal requirements.
  25. 6.2 Clients' personal data may be transferred outside the territory of European Economic Area (EEA) and may processed there with adequate protection of Clients' rights. This applies in particular to the transfer of Clients' personal data to such entities as Google, SalesForce or NOMAGIC INC. The above entities are based in the United States of America and use technical infrastructure that is located outside the EEA. At the same time, these entities ensure an adequate level of personal data protection, including in particular the fact that Google and SalesForce joined the EU-US-Privacy Shield program.

  26. 6.3 Clients' personal data sharing or disclosure takes place only with respect to Clients' rights and in compliance with the applicable laws and regulations.

  27. 7 Data protection measures

  28. 7.1 The Controller protects Clients' personal data against unauthorised third-party access, as well as the Controller implements appropriate technical and organisational measures to ensure confidentiality of Clients' personal data and their use without access of an unauthorised third parties.

  29. 7.2 The Controller implements and uses proper technical solutions to protect Clients' personal data. The Controller uses only highest quality technical and IT solutions, as well as physical security.

  30. 8 Clients' rights in respect of personal data

  31. 8.1 Each Clients may at any time file a complaint on the processing of his personal data – in writing or in electronic form on addresses specified in point 9 below.

  32. 8.2 Each Clients also has a right:

    1. 8.2.1 to obtain from the Controller confirmation whether his personal data is being processed, and, where that is the case, access to that personal data and to obtain following information:
    2. (1)purposes of processing;
    3. (2)categories of personal data;
    4. (3)recipients or categories of recipients of personal data to whom personal data has been or will be disclosed, in particular about recipients in third countries or international organisations;
    5. (4)if it is possible – information on intended retention period, and if it is not possible, criteria for setting up such retention period;
    6. (5)right to file a complaint to the supervisory authority;
    7. (6)if the personal data has not been collected from a person to which it applies – any possible information about their source;
    8. (7)about automated way of making decisions, in particular about profiling and important information of the rules of making such decisions, as well as on the significance and anticipated consequences of such processing for the data subject;
    9. 8.2.2 to file a complaint to the supervisory authority;
    10. 8.2.3 to request the Controller to immediately rectify or complete any personal data concerning the Client; taking into account the purposes of processing, the Client also has the right to request supplementing incomplete personal data, including by providing an additional statement;
    11. 8.2.4 not to be the subject of automated decision making, in particular profiling;
    12. 8.2.5 to object, on grounds relating to Client's particular situation, against processing of personal data concerning where so permitted by the applicable laws;
    13. 8.2.6 to request the Controller to immediately erase any personal data concerning the Client ("right to be forgotten") if one of the following applies:
    14. (1)personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
    15. (2)the Client has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;
    16. (3)the Client objects to the processing and this objection is based on applicable law;
    17. (4)personal data has been processed unlawfully;
    18. (5)personal data must be deleted to comply with a legal obligation under Union law or the law of the Member State to which the Controller is subject;
    19. (6)personal data has been collected in connection with offering information society services to children in accordance with applicable regulations;
    20. 8.2.7 to request the Controller to restrict the processing of personal data if:
    21. (1)the Client questions the correctness of personal data – for a period enabling the Controller to check the correctness of this data;
    22. (2)the processing is unlawful, and the Client objects to the deletion of personal data, demanding instead the restriction of their use;
    23. (3)the Controller no longer needs personal data for processing purposes, but they are needed by the Customer to determine, pursue or defend claims;
    24. (4)the Client lodged an objection in accordance with the applicable regulations regarding processing – until it is determined whether legally justified grounds on the part of the Controller prevail over the grounds of the Client's objection;
    25. 8.2.8 to request the Controller to provide the Client with the personal data concerning the Client which he has given to the Controller, in a structured, commonly used and machine-readable format and to transmit that data to another controller without any obstacles from the Controller, if:
    26. (1)the processing is based on consent or on a contract; and
    27. (2)the processing is carried out by automated means.
  33. 9 Complaint procedure

  34. 9.1 A complaint may be filed:

    1. 9.1.1 in writing, to the address of the Controller's registered office, i.e. NOMAGIC Sp. z o.o., 36 Rakowiecka Street, 02-532 Warsaw, Poland; or
    2. 9.1.2 electronically to the following email address: gdpr@nomagic.ai.
  35. 9.2 Complaint shall include at least:

    1. 9.2.1 description of how the personal data breach has occurred and what that breach involves; and
    2. 9.2.2 details allowing to communicate the outcome of the complaint.
  36. 9.3 If any of the requests listed above in section 8 is made, a complaint must include:

    1. 9.3.1 the statement of the request;
    2. 9.3.2 the substantiation – where applicable; and
    3. 9.3.3 details allowing to communicate the outcome of the complaint.
  37. 9.4 The Controller may ask the Client to provide further details if such details are required to process the request.

  38. 9.5 If any of the requests listed above in section 8.2 is made, such request is handled in accordance with the provisions on the complaint procedure. In this case, the Controller may ask Client to prove his identity in order to verify if he has the authority to make such request.

  39. 9.6 The complaint is investigated immediately but no later than within 14 days of the date of the request.

  40. 9.7 Where the complaint requires an additional procedure, the period for handling the complaint may be extended.

  41. 9.8 Client may at any stage seek from the Controller information on the status of the complaint.

  42. 9.9 The Controller will inform the Clients about how the complaint has been resolved and what measures have been taken to address the complaint promptly upon resolution of the complaint.

  43. 9.10 The Controller communicates with the Client electronically – to the email address provided by the Client. If the Client provided no email address, the Controller communicates in writing.

  44. 9.11 If no response to the complaint is issued within 30 days, the complaint shall be considered to be accepted. If the Controller takes no action on the complaint, then the Controller will inform immediately, no later than within a month of the request, about the reasons for not acting and of the possibility to complain to the supervisory authority or to seek legal remedies in court.

  45. 9.12 If an investigation of a complaint reveals that a personal data breach has occurred, the Controller will undertake actions specified in applicable legislation.

  46. 10 Cookies policy on the Website

  47. 10.1 On the Website, the Controller uses the so-called "cookies", i.e. IT data, in particular text files saved by servers on the Client's end device, which servers can read each time they connect to this terminal device.

  48. 10.2 Software for browsing websites (web browser) by default allows cookies to be stored on the Client's end device. Clients can change their cookie settings at any time, in particular in such a way as to block the automatic handling of cookies in the web browser's settings or to inform them whenever they are placed on the website's customer's device. As the effect of such change difficulties related to the operation of the Website may occur.

  49. 10.3 Detailed information about the possibilities and ways of handling cookies are available in the web browser settings.

  50. 10.4 Most cookies are so-called session cookies, which are automatically deleted from the hard disk after the session, i.e. after logging out or closing the browser window. Some of the cookies allow the Client to be identified when visiting the site again because they are not deleted automatically.

  51. 10.5 The Controller uses the cookie mechanism only for information purposes to improve and facilitate the operation of the Website, to better match the appearance of the Website and to collect anonymous, aggregated statistics on how customers use the Website, which is to improve functionality and content of the Website.

  52. 11 Amendments of Privacy Policy

  53. 11.1 This Privacy Policy applies as of April 1, 2019.

  54. 11.2 The Controller reserves the right to amend this Privacy Policy for an important reason, in particular in case of:

    1. 11.2.1 the need to adapt the Privacy Policy to legal provisions or decisions and judgments of courts or public authorities;
    2. 11.2.2 changes of data, including names, addresses, identification numbers, contained in the Privacy Policy;
    3. 11.2.3 improving customer service.
  55. 11.3 The Client will be notified of a change in the Privacy Policy by means of a message posted on the Website or by sending a notification to the Client's email address about a change in the Privacy Policy.

  56. 11.4 Amendment of the Privacy Policy does not affect the processing of personal data carried out before making this change.

  57. 12 Final provisions

  58. 12.1 All inquiries or concerns relating to the processing and protection of personal data shall be directed to the Controller in writing, by email or by phone to the following addresses:

    NOMAGIC Sp. z o.o.with its registered seatin Warsaw, Poland
    36 Rakowiecka Street, 02-532 Warsaw, Poland
    contact email address: gdpr@nomagic.ai

  59. 12.2 The Controller may place links on the Website enabling Clients to directly switch to other websites. This Privacy Policy does not apply to websites operated by other entities independent from the Controller, and the Controller is not responsible for the processing of personal data by these other entities operating other websites.

  60. 12.3 In the event of a conflict of this Privacy Policy with the provisions of generally applicable law regarding the protection of personal data, the Controller shall take steps to adapt the Privacy Policy to the requirements of applicable law – however, even in the period preceding such a change in the provisions, the Controller will apply the principles of personal data protection resulting from these provisions of law.