1. DATA PROCESSED BY WHISBEAR
1.1. Personal data provided by Users is processed by Whisbear (i.e. Whisbear spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw at Zielona 32, entered in the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register under KRS (National Court Register) number 0000555169, with NIP (taxpayer identification number) 7010481536 and REGON (business ID number) 36137404, with a share capital of PLN 5,000), which is the controller of the personal data.
1.2. The data controller can be contacted by email at firstname.lastname@example.org.
1.3. The scope of the processed personal data is determined by the scope of the data supplied by the User and sent to Whisbear via the relevant form. The processing of Users’ personal data may include email address, forename and surname, sex, date of birth, physiological characteristics and medical condition.
1.4. The application also stores information obtained while the User is utilising the application Services. This applies to information from the device (e.g. the average humming time of E-zzy the Sloth, the length of time without humming during CRYsensor monitoring, the number of times E-zzy the Sloth is switched on, and the E-zzy the Sloth password, stored in order to prevent other mobile devices connecting to the toy), as well as location information (the Application may collect and process information about the User’s current location). This information is collected for statistical purposes, to provide the Statistics service and to protect the Services from unauthorised persons. The summation of this information does not identify the User.
1.5. The application can store http queries, meaning that some information may be saved in the server log files, including the IP address that the query came from, the name of the User’s workstation – identification performed via http, where possible, the date and system time of the registration and arrival of the query, and information on errors that occurred during the http transaction. The logs may be collected as material for the correct administration of the Application. Only persons authorised to administer the computer system have access to this information. The log files may be analysed for the compilation of traffic statistics and any errors within the Application. The summation of this information does not identify the User.
1.6. Whisbear does not transfer personal data to countries outside the European Union, or transfers personal data to countries outside the European Union while retaining the security of the personal data, in accordance with the requirements of the relevant legal acts.
2. PURPOSE AND LEGAL BASIS FOR DATA PROCESSING
2.1. Users’ personal data will be processed in order to: (a) implement legal regulations, (b) execute Agreements, provide services electronically – specifically, Account maintenance, as well as the other activities indicated in the Terms of Service, and (c) carry out Whisbear’s promotional or marketing activities. The information and personal data provided by the User is used in particular to adjust the content of the Application and to adapt the Services to the User – for example, to display information based on date of birth, or personalised notifications.
2.2. Users’ personal data will be processed for a period of 5 years and after this time it will be deleted, unless its processing is necessary according to another legal basis.
2.3. The provision of personal data is voluntary, but failure to give consent for the processing of the personal data marked as mandatory will prevent the performance of services provided electronically via the Application, as well as the implementation of the Agreements.
2.4. The legal basis for the processing of personal data in the case referred to in paragraph 2.1 (a) is the statutory authorisation to process data necessary for the purpose of acting in accordance with the law; in the case referred to in paragraph 2.1 (b), the legal basis is the statutory authorisation for processing necessary for the execution of an agreement, where the data subject is party to the agreement, or where it is necessary to take action before the conclusion of an agreement at the request of the data subject; in the case referred to in paragraph 2.1 (c), the legal basis is the voluntary consent of the User.
3. RECIPIENTS OF PERSONAL DATA
3.1. Users’ personal data may be entrusted for processing to the entities that enable the provision of the Services to Users. These recipients of personal data are: Whisbear’s accounting firm, the company providing hosting services, and the company providing maintenance and development services for the Application.
3.2. Personal data collected by Whisbear may also be made available to: the relevant state authorities at their request, on the basis of relevant legal provisions, or other persons and entities, in cases provided for by law.
3.3. Whisbear uses the services of third-party payment processors. When a User makes a payment, they provide certain information (including identifying information) to the payment processors: forename and surname, address and credit card details. The transfer of data occurs solely to enable the execution of payment transactions.
3.4. Each entity to which Whisbear entrusts the processing of Users’ personal data based on an agreement of entrusting the processing of personal data (hereinafter: Entrustment Agreement) guarantees an adequate level of security and confidentiality for personal data processing. From 25 May 2018, under an Entrustment Agreement, Whisbear shall entrust the processing of Users’ personal data to entities applying the applicable corporate rules. Following the entry into force of the GDPR, entities processing Users’ personal data based on an Entrustment Agreement shall process Users’ personal data by means of another entity solely on the basis of the prior written consent of Whisbear.
3.6. The Application allows the sharing of information and data with other Users, at the request of the User who owns the data. Whisbear neither interferes with nor controls this data sharing.
4. RIGHTS OF THE PERSONAL DATA SUBJECT
4.1. Users’ personal data shall be processed automatically, in the form of profiling, including via ________. The User will be able to refuse permission for profiling to be conducted, resulting in the automatization of decision-making for this User, and to express their opposition to the profiling of others, which will result in a lack of profiled messages addressed to the User.
4.2. Users have the right to monitor the processing of the data relating to them – specifically, the right: to access their personal data; to supplement and correct data by addressing a request to Whisbear; to demand the temporary or permanent suspension of its processing, or the removal of the data if it is incomplete, outdated, untrue, if it was collected in violation of the law, or if it is no longer necessary to achieve the purpose for which it was collected; and to object to the processing of their personal data, in cases provided for by law.
4.3. On the day of entry into force of the GDPR, i.e. from 25 May 2018, Users obtain the right: to delete personal data collected about them, both from the system belonging to Whisbear and from the database of entities with whom Whisbear cooperates or has cooperated; to restrict the processing of the data; to transfer the personal data collected by Whisbear about the User, including obtaining it in structured form; to lodge a complaint with the supervisory body in the situation where the User determines that their data is being processed unlawfully; and to bring a legal measure of protection before a court against the supervisory authority and the infringing entity.
4.4. If Whisbear obtains information that a User is using a service provided electronically in violation of the Terms of Service or the applicable regulations (unauthorised use), Whisbear may process the User’s personal data to the extent necessary to determine the User’s liability.
5. PERSONAL DATA OF PERSONS BELOW 13 YEARS OF AGE
5.1. Whisbear processes the personal data of persons below 13 years of age. This data is provided to the Application by the person’s legal guardian, who manages this data exclusively and fully.
6. INFORMATION SECURITY
6.1. As of 25 May 2018, the appointed data protection officer is Ms Zuzanna Sielicka. The data protection officer can be contacted by email at email@example.com.
6.2. Whisbear uses technical and organisational measures to ensure a level of protection of processed personal data that is appropriate for the risks and the categories of data protected. Specifically, data is technically and organisationally protected against unauthorised access, interception by an unauthorised person, processing in violation of the law, and alteration, loss, damage or destruction. The measures used include SSL (Secure Socket Layer) certificates. Users’ personal data is stored on a secure server and is also protected by Whisbear’s internal procedures relating to personal data processing and information security policy. Additionally, as of 25 May 2018, Whisbear will use all the necessary technical measures specified in art. 25, 30, 32-34, and 35-39 of the GDPR to ensure the increased protection and security of the processing of Users’ personal data.
6.3. To log in to the Account, you must enter your login and password. To ensure an adequate level of security, the password to access the Account exists only in encrypted form in the Application. In addition, registering and logging in to the Account take place over a secure https connection. Communication between the User’s device and the servers is encrypted using SSL.
6.4. Whisbear also points out that the use of the Internet and services provided electronically, especially the use of publicly available Wi-Fi networks, may involve specific ICT risks, such as: the presence and operation of worms, spyware or malware, including computer viruses, the possibility of being exposed to cracking or phishing (password hunting), and so on. To obtain detailed, professional information regarding online security, Whisbear recommends consulting entities specialising in these types of IT services.