Privacy policy 4fund.com
I. Introduction
In the interests of being transparent regarding our activities, we have prepared a comprehensive privacy policy detailing when and what personal data we collect, how we process them, and what rights you have in this regard. We also indicate cases in which we may share your personal data with third parties.
Zrzutka.pl sp. z o.o., as the owner of 4fund.com, takes great care in providing the highest security standards, particularly in the field of personal data protection. We conduct risk analysis on an ongoing basis to ensure that all collected personal data is processed by us in a lawful, secure manner, as well as ensuring only authorised persons have access to the data and only to the extent necessary for the proper performance of their tasks. We do our best to ensure that all operations regarding personal data are duly recorded and carried out with the greatest care.
First, here is an explanation of the terms that will appear later in this document:
- The Controller – Zrzutka.pl sp. z o.o., a limited liability company (spółka z ograniczoną odpowiedzialnością) with its registered office in al. Karkonoska 59, 53-015 Wrocław, Poland, with Tax Identification Number (NIP) 8992796896, and entered into the Companies Registry (KRS) under the number 0000634168, acting as a payment services provider licensed by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego) with licence number IP48/2019.
- Personal data – any information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data and online identifiers/aliases.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- the Website – the website run under the domain www.4fund.com and all subdomains under which the Controller provides electronic services for the purpose of providing space for creating Fundraisers by Users and payment services necessary for the transfer of funds between Users.
- User – an adult natural person with full legal capacity using the Website.
- the Organiser - a User that has organised a Fundraiser.
- The Beneficiary - any person (natural or legal) that is ultimately to benefit from a Fundraiser, but is not its Organiser.
- Supporters - Users of the Website who make Donations to the Organiser’s Fundraiser.
Any capitalised term used in this document that is not defined above has meaning given to it in 4fund.com’s terms of use (“the Regulations”).
II. Responsibilities related to counteracting money laundering and financing of terrorism.
By mediating in transferring money from Supporters to the Organiser and maintaining payment accounts for Fundraisers, we provide payment services. We operate as a licensed payment services provider on the basis of the appropriate authorization of the Polish Financial Supervision Authority. Due to the nature of our activity, we must perform the obligations defined in the Act of March 1, 2018 on counteracting money laundering and financing terrorism (Journal of Laws of 2022, item 593, as amended - hereinafter referred to as: "AML Act") which is an implementation of EU AML/CTF law into Polish law. This has an impact on our processing of Users' personal data, which in some cases we have not so much the right as the obligation to process in a specific way:
a). We need to verify the Organiser's identity
The process of setting up and verifying the Organiser's User Account is described in detail in our Regulations. As part of it, we must ask the Organiser to provide personal data, which we are then obliged to verify. We must collect the following data: name and surname, citizenship, date of birth (or personal identification number - PESEL - for Users associated with Poland that have been assigned such a number), and the series and number of the national identity card or other valid identity document.
The User types in the data in the self-identification form available on the Website. This data must then be verified. This is done with the help of the Onfido Ltd. widget, where the User provides their identity document photo and performs a liveness check (makes a short video of them turning their face around). The results of the check are later forwarded to us, together with the photos of the document and video acquired in the process.
b). We need to apply customer due diligence
The AML Act requires us to apply the so-called customer due diligence, i.e. methods by which we are to detect possible attempts to use our Website for money laundering or terrorist financing. For this purpose, we must analyse transactions carried out on our portal in this respect and, in certain cases, obtain additional explanations or documents from the Organiser.
c). We need to store the data for a legally designated period
We are obliged to store all data obtained as a result of applying customer due diligence, as well as data identifying the Organisers and data on transactions carried out on the Website, for a period of 5 years from the moment of termination of business relations with a given Organiser (closing the User's Account). After this time, the data is automatically deleted, unless we receive a request from the relevant authority for their longer storage in a specific case.
d). In certain cases, we are required to provide transaction data to the relevant authorities
If we have a reasonable suspicion that funds derived from crime are being collected on our website, or if we notice a case of suspected money laundering or terrorist financing, we are obliged to report it to the relevant authorities. We must then provide them with all the data we have about the suspicious transaction and the Organiser. In the course of investigating a specific case, we may also exchange information with other payment service providers involved in a given transaction (e.g. the bank from which we received the transfer).
When it comes to countering money laundering and terrorist financing, the legal basis on which we base the processing of personal data are the statutory regulations that are binding on us - in such cases, therefore, you may not withdraw consent to the processing of personal data (the processing takes place on the basis of a statutory obligation, not consent) or request us to delete them (we have a legal obligation to retain data for a certain period of time, as detailed in point c). On the other hand, the data we collect as part of the customer due diligence process is protected by additional statutory secrecy resulting from the AML Act, independent of the protection based on the GDPR. Violation of this secrecy would result in high penalties for us. This data is additionally secured and encrypted, and only employees directly responsible for counteracting money laundering and terrorism financing have access to it.
The obligations arising from the AML Act are independent of the other grounds on which we base the processing of personal data. In the following part of the privacy policy, you will learn how we process data in other cases.
III. What personal data do we collect and process? What are the purposes and legal grounds for their processing?
Due to the fact that Users use the Website for various purposes and in different ways, we collect and process personal data to a different extent and on different legal grounds.
1. Using the Website without creating a User Account
The personal data of non-registered Users, who are neither Supporters nor Organisers, are not processed by the Controller.
Data other than personal data obtained in connection with the use of the Website by Users is used by us for analytical, statistical and marketing purposes and to ensure the proper operation of the Website and measure its performance. You can read about how we use cookies - and for what purposes - in the relevant section below.
You can suggest to us an organization that in your opinion we should list as a Fixed Beneficiary. While doing so, you can give us your e-mail address so we can later notify you when we accept the organization you indicated. In this case, your e-mail address will only be used for such purposes – we won’t process your data in any other way unless you give consent by checking the appropriate checkbox, or you later decide to create an account on the Website and then give the appropriate consent.
2. Registering a User Account
Users who register a User Account on the Website are asked to provide the following pieces of personal data necessary to create and maintain the account: name, surname, and e-mail address.
Failure to provide this data results in the inability to set up an account. The above data is collected and processed on the basis of the consent to the processing of personal data expressed when setting up the account (Article 6.1 a) of the GDPR) and, if the User starts using any services offered by the Website, also for the purpose of performing the contract for provision of services offered by the Controller (Article 6.1 b) of the GDPR).
If, after registering a User Account, you do not take any further action on the Website (supporting Fundraisers, organising them, using paid additional functions, etc.), your data is stored, but is not used for any other purpose, except for creating business statistics by us.
If a User gives us separate consent for processing data for marketing purposes, we will be able to send them information about new, interesting actions and functions within the Website, delivered in the form of a newsletter to the User’s email address. However, this is not mandatory, and Users can withdraw their consent at any time.3. Creating and supporting Fundraisers
3. Creating and supporting Fundraisers
3.1. The Organiser
Organising Fundraisers involves the processing of a wider range of personal data. The name, surname, e-mail address, date of birth (or personal identification number for Users associated with Poland), citizenship, series and number of the identity document, as well as its expiry date, image on the document, address details, bank account number and IP number of the Organiser are subject to processing.
In addition to the above-mentioned basis for processing, due to the need to fulfil the obligations assigned to us by the AML Act (in particular, the proper identification and verification of the identity of our customers), we process this data for the following purposes:
a). In order for us to provide services related to the functioning of a Fundraiser, the legal basis of which is the necessity of data processing in order to perform the contract;
b). In order to fulfil our legal obligations. In addition to the above-mentioned obligations arising from the AML Act, there are also particular tax and accounting obligations (e.g. issuing and posting an invoice for premium services the User purchased);
c). For analytical and statistical purposes, the legal basis of which is the legitimate interest of the Controller in analysing Users' activities in order to improve our services;
d). In order to possibly determine and pursue claims or defend against them, the legal basis of which is the legitimate interest in protecting our rights;
e). For marketing purposes, the legal basis of which is the Controller's legitimate interest. You can find out when and how exactly we process this data in the section entitled "Marketing, analytics and social networks".
Additional data concerning the health and life situation (including the financial situation) of the Organiser or the Beneficiary may be processed in order to confirm the veracity of the Fundraiser’s purposes in the situations indicated in the Regulations (see their point 5). In the event that the documents used to verify the Fundraisers contain data included in the so-called special category of personal data in accordance with the GDPR, in particular health data, the Controller processes them on the basis of a separate acquired consent. Such consent should be given by the data subject (the Organiser, if the documents concern their own data, and the Beneficiary of the Fundraiser, if the Fundraiser is organised for a third party). In the case of minors or persons without legal capacity, the consent should be signed by a parent or legal guardian.
Expressing a separate consent to the processing of personal data included in a special category of personal data is a prerequisite for verification based on documents in which such data are contained. If a User intends to organise a Fundraiser for a Beneficiary. where the submission of such documents may prove necessary to check its veracity, the User must ensure that the Beneficiary consents to us processing this information - the lack of such consent will result in us being unable to verify the Fundraiser.
Personal data and other data included in the documents sent by the Organisers as part of the verification procedures described in point 5 of the Regulations may be disclosed to entities appearing as issuers of such documents in order to confirm that the documents are original, as well as to law enforcement authorities in the event that we have a reasonable suspicion a User is committing fraud or using a forged document. Apart from these cases, we treat all data included in these documents as strictly confidential, and the documents themselves are used by us only for the Fundraiser’s verification process and stored on external, secured data carriers, accessible only by employees conducting the verification process.
In addition, the Organizer's country (determined by the residence country provided by them during the verification process) will also appear on the Organizer's fundraisers, next to their name, and on their account. This feature will allow users to filter fundraisers by country.
3.2. The Beneficiary
In order for a User to be able to organise a Fundraiser for a third party, it will be necessary for the Beneficiary to fill in the appropriate consent form, on the basis of which we will process their personal data, such as their name, surname, ID number and series, as well as the image visible on their document. In addition to the consent form, we will also need a scan of that person's ID. This data will only be used to verify the credibility of a Fundraiser. We will check whether you actually have an authorization from a specific person to conduct a Fundraiser for them and, in order to do this, we need to know their personal data. We do this on the basis of their consent, which the Organiser must obtain from the Beneficiary. For this reason, Organisers must ensure that the person for whom they are organising a Fundraiser understands how it works and agrees to it - we do not allow Fundraisers for anonymous Beneficiaries. Important note: this does not mean that you have to publish the Beneficiary's full personal data in the Fundraiser’s description - only that we need to know them.
3.3. Supporters
Users do not need to set up a User Account with us if they only want to donate to any of the Fundraisers organised on our Website. Nevertheless, due to the obligations arising from the AML Act and Regulation 2015/847 of May 20, 2015 on information accompanying transfers of funds, we may process the User’s name, surname, e-mail address, bank account number and other details related to the transaction, such as the date and time of the payment and the financial amount of the payment made.
Due to the fact that, for most of the payment methods we offer, we use the payment services of a third party, PayU S.A., choosing a method of making a Donation offered by PayU S.A. means that PayU S.A will be a separate Controller of User’s personal data and they will process it in order to provide payment services necessary for the transaction, notify the User about the status of the payment, consider complaints, and fulfil all legal obligations incumbent on them.
Information that a given payment method is supported by PayU can be found at the bottom of the payment screen after selecting the chosen option. Like us, PayU S.A. is a licensed payment services provider, supervised by the Polish Financial Supervision Authority, entered into the Register of payment services providers under the number IP1/2012, with Tax Identification Number (NIP) 7792308495, entered into the Companies Registry (KRS) under the number 0000274399, with the registered office at ul. Grunwaldzka 186, 60-166 Poznań, Poland. You can read about their privacy policy here.
The Organizer of the Fundraiser to which the User makes a donation will have access to that User’s personal data that we hold (indicated by the User in the payment form and/or provided to us by payment intermediaries, including data obtained by us from the web payment systems, such as Google Pay and Apple Pay). By making a Donation, Users enter into a legally binding contract with the Organizer. This data is made available to the Organizers in order to enable them to perform the contract concluded with the Supporters, as well as to perform other obligations provided for by law (e.g. tax, accounting). In addition, if the Organizer offers Offers in return for the Donations, we may also provide the Organiser with the Supporter’s address details and telephone number in order to enable the Organiser to ship the Offer. If the Organizer stated that such data is necessary to conclude the shipment, there will be a space in the Donation form for Users to enter such data.
The Organiser may contact the Supporters, in order to thank them for the Donations made, inform them about other Fundraisers that may be of interest to them, or update them on the fulfilment of the Fundraiser’s purpose, for example. However, the Organiser should have a legitimate interest in the processing of the personal data of Supporters in accordance with Article 6.1 f) of the GDPR.
The contact described above should not be obtrusive or continued if the Supporter stated that they do not wish it. It may be used for one-time messages (e.g. in order to thank the Supporters for the Donations) or for periodic ones. However, it should be ceased if the Supporter didn’t respond to any messages received in the last 6 months or specifically demanded the Organiser to stop messaging them.
If the Organiser decides to use the personal data provided in the Fundraiser’s panel for another purpose (designated by the Organiser), in such cases the Organiser hence becomes a separate controller of personal data and bears the obligations indicated in the GDPR towards the persons whose data the Organiser has started to process.
As stipulated in article 20 of the GDPR, the Organiser has the option of directly downloading and directly sending the data available in the Fundraiser's panel to another controller using the application programming interface (API). If the Organiser decides to exercise this right, they are obliged to exercise it without prejudice to the rights of others. If the data transferred at the Organiser’s request also includes the personal data of Supporters, the Organiser must ensure that they are processed in accordance with the law - after the transfer of data, we are no longer responsible for the processing carried out by the Organiser or by another controller receiving personal data in this way.
4. Offering and buying Offers
On our Website, we enable offering and purchasing Offers in return for Donations to a Fundraiser. Offers may be offered both by the Organiser of the Fundraiser and by a third party (the Founder) - more information on them can be found in point 8 of our Regulations.
The person offering an Offer, when completing the form describing the details of their offer, may stipulate that the User will need to provide their address or contact details (telephone number or e-mail address) to purchase the Offer. In this case, this data is submitted by the User when making the payment for the Offer and is provided to the Organiser (or Founder) in order to enable them to perform the contract. The person offering the Offer may contact the User to arrange the details of the Offer's shipment or send it to the address provided by the User.
In order to fulfill the obligations arising from the Act of 23 May 2024 amending the Act on the exchange of tax information with other countries and certain other acts, which implements Council Directive (EU) 2021/514 of 22 March 2021 amending Directive 2011/16/EU on administrative cooperation in the field of taxation, The Controller - acting in accordance with Article 6. 1 c) of the GDPR - may ask the User to provide their tax identification number (TIN number). TIN (Tax Identification Number) is a general term used in the context of tax identification, which refers to the tax identification number in various countries, e.g. in Poland, the TIN is PESEL and NIP, in Italy Codice Fiscale (CF), in France Numéro Fiscal de Référence (NIF), in Ireland Personal Public Service Number (PPS) etc.
In the case that the User who bought the Offer informs us that, even though they paid for it, the person offering the Offer didn’t deliver it, we may ask the person offering the Offer to provide us with proof of delivery. If we don’t acquire it, we may forward the data of the person offering the Offer to the buyer in order to enable them to pursue their claims outside of our Website. Such action is based on the necessity of processing to protect the buyer's interests (Article 6. 1 f) of the GDPR).
On the other hand, if the person offering the Offer delivered it, and - for any reason - the Donation that was considered a payment for it gets returned to the buyer, the person offering the Offer may contact us and include proof of the Offer's delivery in their message. In that case, we may forward the buyer's personal data to the person who delivered the Offer in order to enable them to pursue their claims outside of our Website. Such action is based on the necessity of processing to protect the Offer seller’s interests (Article 6. 1 f) of the GDPR).
5. Contacting us with the contact form
We provide the opportunity to contact us using the electronic form available on the Website. Using the form requires the provision of an email address. The User may also provide their other personal data.
Providing an email address is necessary for us to handle a User’s inquiry. This data is processed:
In order to identify the sender and handle their inquiry, wherein the legal basis for processing is the necessity of processing to perform the contract for the provision of the service (Article 6. 1 b) of the GDPR);
For analytical and statistical purposes, wherein the legal basis for processing is the Controller's legitimate interest, consisting in keeping statistics of inquiries submitted by Users via the Website in order to improve its performance (Article 6.1 f) of the GDPR).
6. Marketing, analytics and social networks
If a User gives us separate consent (by ticking the "Inform me about interesting actions and new functions" button when creating a User Account), we can also process their data for marketing purposes, which may consist of sending email notifications about interesting content that may include advertising content. Users can withdraw this consent at any time.
For all Fundraisers, where the Organiser will leave the "allow search engines to index this Fundraiser" option checked during their editing, cookies will be created using marketing solutions provided by Facebook and Google dynamic remarketing ads.
The Controller also uses the tools available on Facebook and provided by Facebook Inc., 1601 S. California Ave. Palo Alto, CA 94304, USA. The Controller implemented the Facebook Pixel service on the Website in order to personalise ads based on the analysis of actions taken by Users visiting the Website. The Organiser may also implement their own Facebook Pixel to receive automatically collected information (but only within the Fundraisers in which their Facebook Pixel was installed), which will enable them to track and analyse the effects of promotional activities for their Fundraiser. The information obtained in this way is transferred to a Facebook server in the United States and stored there. We would like to emphasise that the information collected as part of Facebook Pixel is anonymized and prevents both the Controller and Organiser from identifying specific Users and tracking their interaction on the Website.
In addition, Facebook Pixel, while tracking the User's interactions with the Website, searches among information contained on other sites where it was installed. Such data is anonymized on the User's browser side before being sent to Facebook’s servers. It is noted, however, that Facebook may combine the indicated information with other information about the User collected as part of their use of Facebook and use it for their own purposes. Such actions taken by Facebook are fully independent of the Controller. We recommend that you read the Facebook privacy policy in this regard, which you can find here.
We also use TikTok Ads services provided by TikTok Technology Limited and TikTok Information Technologies UK Limited for advertising purposes. This platform enables us to advertise our brand by sharing short video formats. With the help of TikTok Ads Manager, we have the opportunity to reach a wider audience. In addition, thanks to TikTok Pixel, we can measure the actions taken by ads recipients, such as examining what actions were taken by Users who were redirected from the TikTok platform to the Website via advertisements. The data we obtain in this way is anonymized and aggregated, and we are therefore unable to identify specific Users on this basis. Such data is used only to analyse the behaviour of advertising recipients, which in turn allows us to adjust the direction of communication to the needs of visitors to our Website. More information on the privacy policy functioning on the TikTok platform can be found here.
In addition, we use Microsoft Ads services provided by Microsoft Corporation for advertising purposes. This platform enables us to advertise our brand on the Bing search engine. With the help of Microsoft Ads, we have the opportunity to reach a wider audience. Additionally, thanks to the Universal Event Tracking (UET) tag, we can measure the actions taken by these recipients, such as examining what actions were taken by Users who were redirected from the Bing search engine to the Website via advertisements. The data we obtain in this way is anonymized and aggregated, and we are therefore unable to identify specific persons on this basis. Such data is used only to analyse the behaviour of advertising recipients, which in turn allows us to adjust the direction of communication to the needs of visitors to our Website. More information on the privacy policy functioning in Microsoft Ads can be found here.
We use the Microsoft Clarity tool, which enables the analysis of User behaviour on the Website based on such functionalities as: playback of recorded sessions or the so-called page heatmaps. The data obtained using this tool allows us to identify areas of the Website that require improvement. As a result, we can constantly improve the quality of our services.
This tool uses cookies and other technologies to collect information about the behaviour of Users and their end devices, in particular the IP address of the device recorded and stored in an anonymized form, screen resolution, device type, information about the browser used, and geolocation (country). This information is then stored in a pseudonymised user profile. The data obtained as described above is not used by Microsoft Clarity or by us to identify individual Users.
Microsoft Clarity is provided by Microsoft Corporation with its registered office at 1 Microsoft Way, Redmond, WA 98052-6399, United States - you can read more about Microsoft Clarity here, while more information about the privacy policy in this regard can be found here.
In addition, we use the Sentry tool, which enables recording and analysis of users’ behavior before an error occurred on the Website. The data obtained using this tool allows us to identify the reasons for errors in our system and, as a result, improve our code.
This tool uses cookies and other technologies to collect information about the behavior of users and their end devices, in particular the device's IP address, screen resolution, device type, information about the browser used, geolocation (country). The data obtained in the manner described above is used by us only to identify the reasons for errors in the system.
Sentry is provided by Functional Software Inc. with its registered office at 45 Fremont Street, 8th Floor, San Francisco, CA 94105, United States - you can read more about Sentry here, additional information about the privacy policy in this regard can be found here.
The Controller also uses analytical tools offered by Google Analytics. They enable the tracking of User activity on the Website on the basis of anonymized data, which does not allow the Controller to determine the identity of specific persons (in particular data regarding the channel from which the website is accessed and further activity of Users on it, including any payments made). On this basis, we can examine the effectiveness of advertising campaigns organised by us and the operation of the services we offer, as well as plan the development of the Website. The data obtained using the Google Analytics tool is not used by us to identify specific visitors to the website
The Google Analytics tool can also be used by the Organiser by implementing the appropriate code in their Fundraiser by using the panel offered by this tool. In this way, they can track the activity within their Fundraiser, including analysing the points of entry to their Fundraiser in order to plan appropriate marketing campaigns. The data is also anonymized in this case.
The information obtained in this way is transferred to Google’s servers in the United States and stored there. It is noted that Google may combine this information with other information about the User, collected as part of the User's use of other Google services, and use it for its own purposes. Such actions taken by Google are fully independent of the Controller. We recommend that Users familiarise themselves with the content of Google's privacy policy in this regard and check the appropriate privacy settings of the browser and services used.
The Website contains links to websites administered by entities independent of the Controller. These entities may apply different legal solutions in the field of privacy policy.
With regard to any websites to which links are contained within the Website, and which are neither owned nor controlled by the Controller, the Controller bears no responsibility for their content, including the rules of protection of confidentiality of information applicable to Users.
In order to support projects we find particularly valuable or interesting, we can decide to advertise a given Fundraiser on our social media channels (Facebook, Twitter, Instagram, TikTok, and LinkedIn) or to buy ads in which such a Fundraiser would be mentioned, and to present it on any subpage of our Website, in our newsletter or through push notifications. By organising a Fundraiser on our Website, the Organiser consents to us using it in the previously described way. As part of this, we may publish a link to the Organiser’s Fundraiser together with our description indicating why we found it interesting or worth supporting, or use elements contained on the Fundraiser’s page (including photos) to promote both the Fundraiser and our Website.
We take such action on the basis of our legitimate interest, namely informing Users about interesting initiatives available on our Website. The Organiser can object to it if they want - then their Fundraiser will not be taken into account when we plan such advertising. However, take into account that this situation is beneficial for both the Controller and the Organiser, because it allows us to promote ourselves as a portal where valuable initiatives are undertaken, while the Organiser will get advertising for their Fundraiser free of charge, which can certainly translate into its popularity among Supporters. If the Organiser’s objection reaches us after we have taken the actions described above - we will not take new actions, but this will not affect the legality of the actions we took before receiving the objection.
As part of the Website, we also use profiling (Article 22 of the GDPR), which consists in processing User’s personal data (also in an automated manner) for the purpose of analysis or forecasting the personal preferences, interests or behaviour of Users.
Based on the information about the content displayed to the User, we can deduce which of the services we provide will be interesting or useful. Thanks to profiling, the advertisements that are displayed to the User when using a web browser are tailored to that person and their needs.
Profiling will not result in decisions having legal effects on the User or affect their situation in a similarly significant way. Profiling carried out by us does not apply to the conclusion or refusal to conclude a framework contract, or the User’s ability to use our services. Users can disable profiling in your account settings at any time. This action will not affect the number of displayed ads, but will only reduce their adaptation to individual preferences.
We are committed to constantly improving the quality of the service we provide, but to make this possible, we need your feedback! For this reason, after you make a successful withdrawal of the funds you collect on your fundraiser, we may ask you to provide feedback on the Trustpilot A/S platform. In this case, we are acting on the basis of legitimate legal interest. We use the automated services offered by Trustpilot A/S to collect reviews - in the process, we will only provide our partner with your email address. Adding feedback is completely voluntary.
Please note that if you choose to create an account on the aforementioned platform, Trustpilot A/S will become a separate controller of your personal data, independent of us. You can find more information about Trustpilot A/S' data processing here.
IV. Who do we share your data with?
- Services providers
We use specialised services provided by external entities, to whom - if necessary - we disclose Users' personal data in compliance with appropriate security procedures. These entities provide, among others:
- customer identity verification services
- accounting, legal, tax and auditing services;
- online payment processing services;
- advertsing, marketing and analytical services
- IT services.
By establishing cooperation with service providers, we conclude appropriate agreements to entrust the processing of personal data. This means that these entities processing Users' personal data on our behalf are obliged to protect Users’ personal data while maintaining the highest security standards. We use only the services of reputable entities, and the issue of protection of personal data that will be transferred during the performance of a given contract is an important factor when choosing a contractor.
2. State authrities
If it is required by law, we will disclose personal data to the authorities in response to a court order, subpoena or other legal request or inquiry carried out in the exercise of public authority and only if this request is based on an appropriate legal basis.
3. Data transfer outside the EEA
We transfer personal data outside the EEA only when it is necessary, while ensuring an appropriate level of protection, primarily through:
- cooperation with entities processing personal data in countries for which a relevant decision of the European Commission has been issued;
- the use of standard contractual clauses issued by the European Commission;
- application of binding corporate rules approved by the competent supervisory authority
Apart from the instances described above, we do not transfer personal data to third parties.
4. Tax authorities
In the instances specified in the Act of 23 May 2024 amending the Act on the exchange of tax information with other countries and certain other acts, we are obliged to provide your identification data, including your TIN, to the Head of the National Revenue Administration together with data on the sales of goods made by you in a given calendar year. This obligation arises if you sell at least 30 goods in a given year by listing them as Offers on our Website, or if you achieve a total remuneration of more than EUR 2,000 from their sale. If this happens, we will inform you by the 31st of January of the following year exactly what data we have provided in this way.
V. How long do we store your personal data?
The period of processing a User’s personal data depends on the type of service we provided that User with and the purpose of processing. As a rule, data is stored for the duration of the service, until the consent on which we base the processing is withdrawn or an effective objection to data processing is made in cases where the basis for data processing is our legitimate interest, unless data processing may prove necessary to establish, pursue or defend claims made against us, in which case the data is stored until the expiry or limitation of any such claims. This does not apply to data processing to which we are obliged under the AML Act, where the law provides for the obligation to store them for a period of 5 years after the end of business relations with the client.
VI. What rights do you have concerning your personal data processing?
If we process your personal data, you have the following rights:
- the right to access their data (Article 15 of GDPR) – on this basis, the User can find out whether we process their personal data and gain access to them, as well as obtain information about the purposes of processing, categories of the personal data that we process, recipients or categories of recipients of the personal data, the planned period of storage of the personal data or criteria determining this period, the User’s rights under the GDPR, the right to lodge a complaint with the supervisory authority, the source of obtaining the personal data (unless they have been collected directly from the User) automated decision-making, and the security measures used in connection with the transfer of personal data outside the area EEA. The User can also receive a copy of their personal data that is subject to processing.
- the right to rectify data (Article 16 of the GDPR) - on this basis, the User can request us to supplement, update or correct their personal data.
- the right to delete data, i.e. the so-called "right to be forgotten" (Article 17 of the GDPR) - on this basis, the User can request the deletion of your personal data, if:
1). The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
2). The User has withdrawn their consent on which the processing is based, pursuant to Article 6.1 a) or Article 9.2 a) if the GDPR, and there is no other legal basis for processing.
3). The User has filed an objection pursuant to Article 21.1 or 21.2 if the GDPR and there is no other justified basis for personal data processing;
4). Personal data has been processed unlawfully;
5). Personal data must be deleted in order to comply with a legal obligation provided by EU law or the law of a Member State which we are subject to;
- the right to limit processing (Article 18 of the GDPR) - if the User submits a request on this basis, we will cease to perform operations on their personal data until the request is considered, unless the data is processed on another legal basis as well. The exercise of this right may be associated with a temporary restriction of certain functionalities of the Website, if they involve the processing of data covered by the request.
- the right to transfer data (Article 20 of the GDPR) - on this basis, User may request that we transfer their data to an entity or person they pointed.
- the right to receive their personal data, which we process on the basis of the User’s consent, in a format that allows them to be read by a computer. It is also possible to request this data to be sent to another entity - provided, however, that there are technical possibilities in this respect both on our part and the additional entity’s.
- the right to object to other data processing purposes (Article 21 of the GDPR) - Users can object to the processing of their personal data at any time on the basis of the Controller's legitimate interest (e.g. for analytical or statistical purposes), including profiling. If we have no other legal basis for processing a User’s personal data, it will be deleted.
- the right to withdraw consent (Article 7.3 of the GDPR) - if the data is processed on the basis of the User’s consent, the User has the right to withdraw it at any time. However, this does not affect the lawfulness of the processing carried out before the withdrawal of this consent.
- the right to complain - if a User believes that we process their personal data in a way that violates the provisions of the GDPR or other provisions regarding the protection of personal data, they can submit a complaint to the Office for Personal Data Protection - more information is available here.
You can exercise the rights stated above:
- in writing by sending a letter to the following address: Zrzutka.pl sp. z o.o., al. Karkonoska 59, 53-015 Wroclaw, Poland
- by email sent to
- in some cases (e.g. withdrawal of consent to the processing of personal data) through dedicated functions in the User's Account directly on the Website.
Your message should, if possible, precisely indicate what your request concerns, in particular:
- which of the rights listed in Chapter VI you want to exercise
- which process does your request concern (e.g. using a specific service or functionality within the Website, receiving a newsletter)
- what processing purposes your request concerns (e.g. analytical purposes).
If the submitted request is formulated in such a way that it will not be possible to determine what you demand, we will ask you to provide additional information.
Your request will be answered within 1 month of its receipt. If it is necessary to extend this period, we will inform you of the reasons for such extension.
The answer will be provided to the e-mail address from which the request was sent. In the case of requests sent to the address of the Controllers's registered office, the answer will be provided by post to the address indicated by you, unless clearly stated in the request that you want to receive a reply to the e-mail address that you provided.
Please note that most of the rights listed above apply to situations where we process your personal data solely on the basis of your consent or our legitimate interest. You will not be able to effectively demand that we remove or limit the processing of your personal data if we are obliged to process them by a specific provision - in particular the AML Act.
VII. Cookies policy
- What are cookies?
Cookie files (“cookies”) are pieces of IT data - most often text files - that are stored on the User’s device when they visit our Website or another domain where the Controller's widget has been placed. These files usually contain the domain name of the website from which they come and information on how long such a file will be stored on the User’s computer, as well as a randomly generated, unique number used to identify the browser from which the connection to the Website is made.
Cookies are usually used in the course of optimizing the process of using websites. In addition, they enable the collection of statistical data, thanks to which we can learn how Users use the Website. On this basis, we gain valuable information that allows us to constantly improve the Website, its structures and functionalities.
2. Cookies’ types
On our Website we use the following types of cookies:
- session - they are stored on the User’s device until they log out of the Website or turn off their web browser;
- permanent - they are deleted after a predetermined period of time, regardless of the User turning off their web browser or logging out of the Website;
these may be
- our own - set by our own Website servers
- third party cookies - set by the servers of other websites.
The cookies store the following information:
- the history of logging in to the User Account and whether the User is currently logged in
- information about Users’ activities on the Website (e.g. whether a User consented to cookies, whether you interacted with messages appearing on the main page of the Website, etc.)
- Fundraisers that the User found interesting;
- session ID to identify the logged in User
- tracking ID.
3. Why do we use them?
We use cookies to provide Users’ with fully comfortable, uninterrupted access to the Website, as well as to its basic functionalities, such as logging in, or the proper performance of our services. These cookies are always active, and obtaining the User's consent in this case is not required - without them, the use of the Website would not be technically possible.
In other cases, you can decide whether you agree to the cookies indicated below:
- functional - thanks to these files, we can personalize the services provided in order to offer Users solutions tailored to their needs, e.g. in terms of Website presentation
- performance - these files allow us to examine how Users use our Website, i.e. which of the available functions Users use most often, how often they visit the Website, etc.
- advertising - based on these files, we can present Users with Fundraisers that may be of individual interest;
- analytical - these files are used by us to conduct analyzes and keep statistics regarding visits to the Website.
4. Other information
Users have full freedom in managing optional cookies - Users can make changes to their cookie preferences at any time using the appropriate settings of their web browser.
Each browser provider provides rules for managing cookies - these are available on the dedicated websites of individual providers.
Remember that withdrawing consent or expressing objection to the processing of cookies may make it difficult or even impossible to use our Website.
VIII. Any questions? Contact us.
You can contact us via the e-mail address [email protected] or the correspondence address: Zrzutka.pl sp. z o.o., al. Karkonoska 59, 53-015 Wroclaw, Poland. You can also write to our Data Protection Officer - Ms. Oliwia Salachna at .
This Privacy Policy may be updated. The effective date stated below will then change. Any prior versions of the Privacy Policy will be available upon request.
Effective date: [August 27, 2024]