Privacy Policy for the Stado application and web site
I. DEFINITIONS
Controller – STADO Spółka z ograniczoną odpowiedzialnością with its registered office in Międzyrzec Podlaski, ul. Nadbrzeżna 7, 21-560 Międzyrzec Podlaski, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court Lublin Wschód in Lublin with its seat in Świdnik, 6th Commercial Division of the National Court Register under KRS number: 0000993689, REGON: 523196171, NIP: 5372669618, with a share capital of PLN 5,000.
Application / Stado – the mobile software “Stado” available in the App Store (for iOS), Google Play (for Android), as well as in the web version (WEB) at https://stado.app, which enables the creation of and participation in sports activities available in the Application. The mobile version also enables the purchase of the Stado+ subscription, whereas the WEB version does not provide the option to purchase subscriptions.
Personal Data – any information relating to an identified or identifiable natural person, in particular: e-mail address, username, contact details, GPS location data, sports preferences, device identifiers, image, voice recording, information contained in correspondence, as well as data collected through cookies or similar technologies.
Data Subject – a natural person whose Personal Data is processed by the Controller, in particular a User of the Application, a visitor of the Website, a person using its functionalities or otherwise contacting the Controller.
Privacy Policy – this Privacy Policy.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Website – the Controller’s website available at https://stado.app/.
Account – a user account created in the Application.
Agreement – an agreement for the provision of digital services concluded between the User and the Controller.
Consent – a freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they signify agreement to the processing of their Personal Data.
Cookies – small text files or similar technologies (e.g. local storage, mobile device identifiers) stored on the User’s device by the Application or the Website, enabling, among others, proper functioning, personalization, analytics and security of the services.
II. PROCESSING OF PERSONAL DATA
- In connection with its business activity and the provision of the Application and the Website, the Controller collects and processes Personal Data in accordance with applicable law, in particular GDPR, and with the principles of data processing set out therein.
- The Controller:
- ensures transparency of Personal Data processing;
- informs about the processing of Personal Data at the time of their collection, in particular about the purpose and legal basis of processing – through notices in the Application, the Website and in this Privacy Policy; Personal Data are collected in particular:
- during account registration – e-mail address, username, sports preferences,
- when GPS location is enabled – location data (only if the User has consented),
- when PUSH notifications are enabled – device token,
- when using the Website or Application – cookies, IP address, device data;
- ensures that Personal Data are collected only to the extent necessary for the indicated purpose and are processed only for the period necessary to achieve it;
- ensures the security and confidentiality of Personal Data and enables Data Subjects to exercise the rights granted by GDPR.
- The Controller may process, in particular, the following categories of Personal Data:
- registration data (e-mail address, username),
- data regarding activity in the Application (sports preferences, participation in events),
- GPS location data (if the User has consented to share them in the Application),
- technical device data and identifiers (e.g. operating system, mobile device identifier, IP address),
- data concerning communication with the Controller (e.g. messages sent to [email protected]),
- data collected via cookies and similar technologies during the use of the Website and the Application,
- data voluntarily disclosed by the User within the content published in the Application (e.g. comments, activity descriptions, group messages). The Controller does not use such data for its own purposes and is not responsible for their scope; they are made available according to the functionalities of the Application.
- In the event of a Personal Data breach (e.g. “data leak” or loss of data) which may result in a high risk to the rights or freedoms of Data Subjects, the Controller will inform the Data Subjects of such incident in a manner consistent with applicable law.
III. GENERAL RULES ON PERSONAL DATA SECURITY
- Confidentiality and security of Personal Data are the Controller’s priority.
- The Controller may use data and information other than Personal Data needed to contact the Data Subject only if such data are anonymized, i.e. when they cannot be attributed to a given Data Subject, in particular for the purpose of creating anonymous collective reports and statistics.
- In order to ensure the integrity and confidentiality of Personal Data, the Controller has implemented procedures that allow access to Personal Data only to authorized persons and only to the extent necessary for the performance of their tasks.
- The Controller applies organizational and technical measures to ensure that all operations on Personal Data are recorded and performed only by authorized persons.
- The Controller takes the necessary steps to ensure that its subcontractors and other cooperating entities provide adequate security measures whenever they process Personal Data on behalf of the Controller.
- The Controller continuously conducts risk analysis and monitors the adequacy of the security measures applied to the identified threats. Where necessary, the Controller implements additional measures to enhance data security.
IV. PURPOSES AND LEGAL BASIS FOR PROCESSING
ANALYTICAL, STATISTICAL, AND RESEARCH PURPOSES
- The Controller may process Personal Data of Data Subjects for analytical, statistical, and research purposes, in particular by analyzing their activity on the Website or the Application, as well as their preferences, in order to improve functionalities.
- The legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).
EMAIL AND TRADITIONAL CORRESPONDENCE
- If a Data Subject contacts the Controller by e-mail or traditional mail, the Personal Data contained in the correspondence are processed solely for the purpose of communication and resolving the matter to which the correspondence relates.
- The legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).
TELEPHONE CONTACT
- If a Data Subject contacts the Controller by phone in matters not related to an Agreement or Services provided, the Controller may request Personal Data only if necessary to handle the matter.
- The legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).
PURSUING CLAIMS
- In order to establish, pursue, or defend potential claims arising from the way a Data Subject uses the Website or communicates with the Controller, the Controller may process certain Personal Data if it is necessary to prove the existence of a claim, including the extent of damage suffered.
- The legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).
EXERCISING DATA SUBJECT RIGHTS
- To enable Data Subjects to exercise their rights under the GDPR, in particular the right to lodge complaints, queries, or requests, the Controller may process certain Personal Data for this purpose.
- The legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).
MARKETING OF SERVICES OFFERED BY THE CONTROLLER
- The Controller may send commercial information based on the consent of the Data Subject, specifying the communication channel. This includes sending messages to the e-mail address, displaying PUSH notifications in the Application, or contacting by phone to present the Controller’s services.
- The legal basis for processing is the consent of the Data Subject (Article 6(1)(a) GDPR).
- In the case of consent to receive commercial information via e-mail or phone, the legal basis for processing is also Article 398 of the Polish Act of 12 July 2024 – Electronic Communications Law.
V. NECESSITY OF PROVIDING PERSONAL DATA
Providing Personal Data is voluntary, but may be necessary to use certain features of the Application or Website. In particular:
- providing an email address is necessary to register an Account and use the Application,
- providing contact details may be necessary for correspondence with the Administrator,
- consent to share GPS location or PUSH notifications is voluntary, but failure to consent will prevent the use of these functionalities.
VI. SOCIAL MEDIA PROFILES
- The Controller has public profiles on the Facebook, Instagram and LinkedIn social networks. In connection with this, it processes Personal Data left by visitors to these profiles (comments, likes, internet identifiers).
- The personal data of Data Subjects visiting the Controller’s profiles is processed:
- in order to effectively manage profiles, by providing portal users with information about the Controller’s initiatives and other activities, and in connection with the promotion of various types of events, services, and products;
- for statistical and analytical purposes;
- possibly for the purpose of pursuing claims and defending against claims.
- The legal basis for the processing of Personal Data is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in:
- promoting its own brand and improving the quality of services provided,
- if necessary, pursuing claims and defending against claims.
- The above information does not apply to the processing of Personal Data by website administrators (Facebook, Instagram and LinkedIn). The purpose and scope of the processing of Personal Data by social media operators is described in detail in the privacy policies of the above-mentioned social media platforms, available on their websites.
- The data subject may always delete their comments under the Controller’s posts, stop following the Controller, or cancel their account on the above-mentioned social media platforms.
VII. DATA RECIPIENTS
- In connection with conducting activities that require the processing of Personal Data, Personal Data may be disclosed to external entities, in particular:
- IT and cloud service providers (e.g., hosting, maintenance, and development of the Application),
- providers responsible for the operation of IT systems and equipment,
- postal operators and courier companies,
- providers of payment, accounting, legal, and consulting services,
- marketing agencies and providers of analytical services supporting the functioning of the Application and the Website.
- The Controller may also share anonymized data (i.e., data that does not identify specific Data Subjects) with external service providers for the purpose of analyzing the effectiveness of marketing activities and improving the quality of services.
- The Controller reserves the right to disclose selected information about the Data Subject to competent public authorities or third parties who request such information on a legal basis and in accordance with applicable law.
VIII. TRANSFER OF DATA OUTSIDE THE EEA
- As a rule, Users’ personal data is stored and processed on servers located within the European Economic Area (EEA).
- However, the use of the Application may involve the transfer of data outside the EEA, in particular in connection with:
- the processing of payments made through external providers,
- the use of IT and analytical services provided by IT tool providers (e.g., Google Firebase – PUSH notification service),
- sending e-mails via external communication service providers (e.g., SendGrid),
- other services supporting the operation of the Application,
- other tools supporting the development of the Application (e.g., analytical tools, crash reporting).
- In each case, data is transferred only when:
- the European Commission has determined that the third country ensures an adequate level of protection of personal data (Article 45 of the GDPR), or
- appropriate safeguards have been implemented, in particular standard contractual clauses adopted by the European Commission (Article 46 of the GDPR).
- The User has the right to obtain additional information on the safeguards applied to the transfer of data outside the EEA by contacting the Controller at [email protected].
IX. AUTOMATED DECISION-MAKING, INCLUDING PROFILING
The Controller does not use profiling within the meaning of Article 22 of the GDPR, i.e., it does not make decisions that produce legal effects in an automated manner. Marketing cookies may use content matching mechanisms (e.g., ad personalization), but these do not produce legal effects nor do they similarly significantly affect the User.
X. PERIOD OF PERSONAL DATA PROCESSING
- Except in cases where the law imposes a longer period of storage of Personal Data on the Controller, Personal Data is stored for as long as the Account remains active. After deleting the Account, the Data is stored for the period of limitation of claims related to the Agreement, in accordance with applicable law (as a rule, up to 6 years).
- The period of processing of Personal Data may be extended if the processing is necessary to establish, pursue, or defend against claims. After this period, the data may only be stored to the extent required by law.
- Data related to fiscal, accounting, and bookkeeping documentation is stored in accordance with the law, but for no longer than 6 years.
- Where Personal Data is processed on the basis of the Controller’s legitimate interest, it is processed until an effective objection to such processing is lodged.
- If Personal Data is processed on the basis of the User’s consent, it is processed until such consent is withdrawn. Withdrawal of consent does not affect the lawfulness of the processing that was carried out before its withdrawal.
Purpose of processing | Data | Legal basis | Storage period |
Registration and maintenance of the Account | Email, login details, username, favourite sports | Article 6(1)(b) of the GDPR (contract) | for the duration of the Account and 6 years thereafter |
Analyses and statistics | activity in the Application, cookies | Article 6(1)(f) of the GDPR (legitimate interest) | until objection is lodged |
Marketing (newsletter) | e-mail, preferences | Article 6(1)(a) of the GDPR (consent) | until consent is withdrawn |
Complaint handling | data provided in the complaint | Article 6(1)(c)/(f) of the GDPR | 6 years |
Pursuing claims | data related to the account/contract | Article 6(1)(f) of the GDPR | until the expiry of the limitation period |
XI. RIGHTS OF DATA SUBJECTS
Data subjects have the following rights:
- the right to information about the processing of personal data – on this basis, the Controller provides the natural person making the request with information about the processing of Personal Data, including, in particular, the purposes and legal grounds for processing, the scope of data held, the entities to which it is disclosed, and the planned date of deletion of the data;
- the right to obtain a copy of the data – on this basis, the Controller provides a copy of the Personal Data being processed concerning the natural person making the request;
- the right to rectification – the Controller is obliged to remove any inconsistencies or errors in the Personal Data being processed and to supplement it if it is incomplete;
- the right to erasure – on this basis, you may request the erasure of Personal Data whose processing is no longer necessary for any of the purposes for which it was collected;
- the right to restrict processing – if such a request is made, the Controller shall cease to perform operations on Personal Data – with the exception of operations to which the Data Subject has consented – and their storage, in accordance with the accepted retention rules or until the reasons for restricting data processing cease to exist (e.g., a decision is issued by a supervisory authority allowing further data processing);
- the right to data portability – on this basis – to the extent that Personal Data is processed in an automated manner in connection with a contract or consent – the Controller shall provide the data supplied by the data subject in a format that allows the data to be read by a computer. It is also possible to request that this data be sent to another entity, provided that both the Controller and the indicated entity have the technical capabilities to do so;
- the right to object to data processing for marketing purposes – the Data Subject may object to the processing of Personal Data for marketing purposes at any time, without having to justify such objection;
- the right to object to other purposes of data processing – the Data Subject may at any time object – on grounds relating to his or her particular situation – to the processing of Personal Data that is based on the legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons related to the protection of property); objections in this regard should include justification;
- the right to withdraw consent – if the data is processed on the basis of consent, the Data Subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before its withdrawal;
- the right to lodge a complaint – if it is considered that the processing of Personal Data violates the provisions of the GDPR or other provisions regarding the protection of personal data, the Data Subject may lodge a complaint with the supervisory authority responsible for the processing of personal data, competent for the place of habitual residence of the Data Subject, his or her place of work or the place where the alleged infringement was committed. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
XII. SUBMITTING REQUESTS RELATED TO THE EXERCISE OF RIGHTS
- Requests regarding the exercise of Data Subjects’ rights may be submitted:
- in writing to the following address: STADO Spółka z ograniczoną odpowiedzialnością with its registered office in Międzyrzec Podlaski at ul. Nadbrzeżna 7, 21-560 Międzyrzec Podlaski;
- by e-mail to the following address: [email protected].
- If the Controller is unable to identify the natural person on the basis of the request submitted, it will ask the applicant for additional information. Providing such Personal Data is not mandatory, but failure to do so will result in the request being refused.
- The request may be submitted in person or through a representative (e.g., a family member). For data security reasons, the Controller recommends the use of a power of attorney certified by a notary public or an authorized legal advisor or attorney, which will significantly speed up the verification of the authenticity of the request.
- A response to the request should be provided within one month of receipt. If it is necessary to extend this period, the Controller shall inform the applicant of the reasons for doing so.
- If the request was sent to the Controller electronically, the response will be provided in the same form, unless the applicant has requested a response in a different form. In other cases, the response shall be provided in writing. If the deadline for fulfilling the request makes it impossible to provide a written response, and the scope of the applicant’s data processed by the Controller allows for electronic contact, the response shall be provided electronically.
- The Controller shall store information concerning the request and the person who made the request in order to ensure compliance and to establish, defend or pursue any claims of Data Subjects.
XIII. DATA PROTECTION OFFICER
The Controller has not appointed a Data Protection Officer.
XIV. EXTERNAL LINKS
- In the event of external links being placed on the Website, this Policy does not apply to the processing of Personal Data by external entities.
- When placing links, the Controller makes reasonable efforts to ensure that they only refer to entities that process Personal Data in accordance with data protection and security standards. However, the Controller has no influence on the compliance of other providers or third parties with data protection and security regulations. Therefore, you should obtain information from other providers or third parties about the data protection regulations they have made available.
XV. COOKIES
- Cookies are small text files sent by a server and stored on the User’s device (usually on the hard drive). The default parameters of cookies allow only the server that created them to read the information contained in them. Cookies are most often used for counters, polls, online stores, websites requiring login, advertisements, and to monitor visitor activity.
- Purposes of storing and accessing cookies:
- personalization of the website (for example: remembering the selected font size, choosing a version for the visually impaired or a color version);
- remembering user data and choices (e.g., not having to enter your login and password each time on each subpage, remembering your login when you visit again);
- enabling interaction with social media (e.g., displaying friends, fans, or posting on Facebook directly from the website);
- customizing advertising content displayed on the website;
- creating website statistics and statistics on user traffic between different websites.
- The Controller uses technical, analytical, and marketing cookies.
- Technical cookies are necessary for the proper functioning of the Website. We use them to:
- optimize the Website for the devices and browsers most commonly used by visitors – this ensures that the Website is displayed correctly and legibly on tablets and phones;
- remember whether the Data Subject has consented to the display of selected content on the Website.
- The Controller uses analytical cookies to improve the functioning of the Website and to measure, without identifying Personal Data, the effectiveness of marketing activities. These activities allow us to continuously improve the structure and content of the Website so that it meets the needs of our current and potential customers as much as possible.
- Marketing cookies are used to tailor the content and form of advertisements to the needs and preferences of Data Subjects.
- Below are links to resources showing how you can specify the conditions for storing or accessing cookies using the settings of the most popular web browsers
- However, please note that deleting or blocking cookies may result in some sections of the Website not functioning properly. If, as a result of changing your cookie settings, an opt-out cookie is placed (which is used solely to identify the Data Subject’s objection – lack of consent), please note that the opt-out cookie only works in the browser in which it was saved. If you delete all cookies or use a different browser or end device, you will need to set the opt-out again.
XVI. UPDATING THE PRIVACY POLICY
This Privacy Policy may be subject to changes resulting either from changes in generally applicable regulations or from changes in the scope of services provided by the Controller. The Controller will inform about changes to the Privacy Policy on the Website, informing about the date of introduction of the changes, so that the data subjects can exercise their rights, in particular, withdraw their consent or raise an objection. In the event of significant changes, the Controller may also inform about this by sending an e-mail or a notification in the Application.