GDPR & Privacy Policy

GDPR & Privacy Policy

I. General Information

The purpose of this privacy policy is to set out the principles under which Waytogrow collects and processes personal information. This Privacy Policy also sets out the purpose for which we collect this information and why we need it. The Controller participates in IAB (Interactive Advertising Bureau – the Internet Industry Employers’ Association), i.e. the organization that associates entities from the Internet industry, whose aim is to undertake activities aimed at representing the interests of these entities, promotional activities, and legal protection. Waytogrow participates in and accepts the assumptions and principles adopted by the IAB within the IAB Europe Transparency & Consent Framework, which is the structure with the aim to create a standard for personal data processing and unify the principles of the processing in order to better protect it.

II. Definitions

Controller/Company/Waytogrow – the controller of personal data of Users as per GDPR: the Controller of personal data is Waytogrow Spółka z ograniczoną odpowiedzialnością (limited liability company) with its registered office in Warsaw, in Al. Ujazdowskie 13, 00-567 Warsaw, entered into the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Department of the National Court Register under KRS number 0000706495, NIP 6751517416, REGON 361397727, with share capital of: PLN 5,000;

Personal Data – it is the information which allows for an individual (User) to be identified, it is gathered by the Controller as specified within this Privacy Policy; the scope of the Personal Data gathered with regards to a User is detailed in section VI of this Privacy Policy; Cookie Files, Identifiers – this refers to small data files which consist a User identifier allowing for the User to be separated and distinguished from other users of the given website and to determine the way this User is accessing the website; Cookie Files and other Identifiers are sent through the website to the User and installed on their end device, e.g. a computer, laptop, smartphone or tablet;

User – refers to a person whose Personal Data is being gathered and processed with the use of Cookie FIles or other Identifiers by the Controller; Publisher – the owner or operator of a website through which Cookie Files or other Identifiers belonging to the Publisher or Controller are installed on the User’s device, who collects Personal Data on behalf of Waytogrow and fulfills the information obligation on behalf of Waytogrow.

III. Details of the Controller – contact information

the Controller of personal data is Waytogrow Spółka z ograniczoną odpowiedzialnością (limited liability company) with its registered office in Warsaw, in Al. Ujazdowskie 13, 00-567 Warsaw, entered into the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Department of the National Court Register under KRS number 0000706495, Tax ID (NIP) 6751517416, REGON 361397727, with share capital of: PLN 5,000; You can contact the Controller through:

• traditional mail – address: Waytogrow Sp. z o.o., Al. Ujazdowskie 13, 00-567 Warsaw;
• electronic mail – address: [email protected].

In order to ensure the security of Personal Data and to facilitate communication, the Controller appointed the Data Protection Inspector. You can contact the Data Protection Inspector by email: [email protected].

IV. The Purpose of Personal Data processing and the legal grounds for the processing of Personal Data

Cookies or other Identifiers may be installed in Users’ terminal devices, upon their consent, to collect Personal Data within the framework of Waytogrow’s cooperation with Publishers or within its own marketing activities. Depending on the content and scope of the consent given by the User, their Personal Data may be collected and processed for the following purposes:

1. adapting the advertisements displayed on websites based on the current activity of Users; The Controller adapts the advertisements displayed to the User by the Publisher, including any advertisements displayed in cooperation with the Publisher, while optimizing and suggesting to the Publisher, among others, the time of presenting the ad, number of displayed ads, using the data regarding the User’s end device, their operating system, web browser usage, without the need to create and process any marketing profiles of the Users;
2. identifying Users and creating their marketing profiles based on their activity on websites – including information regarding their interests, demographics, and purchase intent profiles; marketing profiles are created based on any interactions undertaken by Users on websites, the sites which they view, the ads which they see, any forms which they fill; marketing profiles are created by the Controller with the purpose of optimizing the display of personalized ads and non-advertising content (such as articles, rankings, products or services) on websites (purpose indicated in item 3) below);
3. adaptation and optimization of the individualized advertisements and non-advertising content displayed to Users by the Publisher based on Users’ marketing profiles;
   Based on the marketing profiles created by the Publisher and in cooperation with the Publisher, the Controller will optimize the process of displaying personalized advertisements and non-advertising content to Users by the Publisher, so that the process of displaying those advertisements is as effective as possible and adapted to the individual profile and interests of the User;
4. support the development of Controller’s programming tools;
5. gathering statistics, including:
   • statistics on the accuracy and effectiveness of advertising messages addressed to users,
   • statistics of relevance and effectiveness of non-advertising content addressed to Users,
   • statistics of interest in particular pieces of content displayed on websites by particular groups of Users;
   • creating reports and market studies;
6. ensuring the security of websites, preventing fraud, identifying and solving technical problems related to the functioning of the website and the presentation of content and advertising on the site;
7. technical emission of website content;
   In order to display content correctly, websites must gather certain data about the User – e.g. their IP address, Internet browser, screen resolution;
8. establishing contact through the contact form – for the purpose of delivering responses to your questions,
9. conducting of own marketing activities;

The personal data processing activities indicated in items 1) to 5) and 10) are based on each User’s consent to process data for these purposes and to install Cookies or other Identifiers on the User’s end device. Consent to this activity is granted by marking the proper items on the Publisher’s website for items 1) to 5) and on Waytogrow’s website for item 10).

The Controller will process the Personal Data of Users exclusively in accordance with the content of their consent to the processing of Personal Data, which means that any personal data processing operations not based on the consent given by the User will not be performed by the Controller unless the Controller carries them out on a legal basis other than the User’s consent, e.g. based on a legitimate interest. The basis for the personal data processing operations referred to in points 6) – 9) is the legitimate interest of the Controller:

• in the case of point 6) it is the possibility to create and maintain anonymous statistics on the effectiveness of marketing activities undertaken by the Controller and Publishers, e.g. optimization of displayed advertisements; these activities do not affect the rights and freedoms of Users in any way, but only enable evaluation of the effectiveness of the functioning of the website in the context of the displayed content and advertising, which is understood as measuring of the reach of the given content (e.g. popularity of an article or advertisement);
• in the case of point 7) it is the obligation of the Controller to ensure the resilience and security of the website, programming tools and systems for collecting personal data against unauthorized third-party access, as well as the obligation to remove errors related to the functioning of the website;
• in the case of point 8) is the necessity to display websites correctly, i.e. in a way in which all elements of the web page are displayed in an intended and correct manner, e.g. they are of an appropriate size, they enable the User to interact correctly and effectively with the website, e.g. by filling in forms;
• in the case of point 9) consisting of the possibility of contacting you in order to answer any questions you might have asked and to maintain business relations

For the purposes of the above-mentioned processing, the Controller may use the default settings of the browser installed on the User’s device and the information sent by them, to identify the User and their device among other users of a given website.

Using the Cookie File functionality or other identifiers the Controller may also download additional information about the User and their device, which are not sent by default, in order to identify the User on the basis of a unique set of individual information about the device – e.g. the fonts installed and used, screen resolution.
Providing Personal Data and enabling the installation of Cookies or other Identifiers is entirely voluntary and is not a contractual or statutory requirement, however, the lack of consent to the processing of Personal Data and the installation of Cookies or other Identifiers will result in the inability to adjust the content and advertising displayed to the User’s preferences on Publishers’ websites and to create marketing profiles and individualize the displayed content.

V. Cookie Files, Identifiers

Cookie Files and other Identifiers are used by the Publisher and by Waytogrow to recognize and identify Users, when they visit the Publishers’ websites, in order to allow more effective tailoring of the advertising and content of those websites to their interests and expectations. These identifiers are also used by Waytogrow to gather anonymous statistics regarding website visits and to verify which content has been of interest to Users.

Cookie Files also make it much more convenient to use the website interface, e.g. they allow for storing preference settings for the displayed content and any interactions with the website.
The User may individually change their Cookie settings and set the conditions for storing Cookie Files and accessing the User’s device by any such Cookies.
Such changes can be made through the settings of their internet browser. The settings can be changed particularly to block automated Cookie use by the browser and to inform the user each time Cookie Files are installed on their device. Detailed information about the possibility of setting Cookie File preferences is available in the settings section of the software (the User’s internet browser).

The User may delete Cookie Files at any time using the functionality provided in the internet browser which they use.

VI. What data is being gathered?

The Controller acquires Personal Data using Cookies or other Identifiers installed on devices of the Users through the Publishers’ websites.
Personal Data relates to the way users act on websites, which includes: the scope, frequency, and duration of their visits, the subject fields of the articles which they read, categories of the services which they visit, information regarding instances when Users clicked on ads, the type of those ads, their content and character of the creative material used, information regarding the types of advertisements displayed to the User. Information gathered by the Controller also includes the IP address of the device used, the type of the device, version of the internet browser used, screen resolution, any fonts installed, information regarding the used operating system, geolocation data.
In the case of a contact form (for which the purpose of processing Personal Data is defined in item IV point 3) the gathered data includes e-mail, telephone number, first and last name.

VII. Recipients of the Personal Data

The Personal Data gathered by the Controller may be transferred to entities cooperating with the Company, including the following:

1. Publishers – in relation to their cooperation regarding processing and optimization of the content of the websites which belong to them – as separate personal data controllers;
2. technology providers – providers of server services, hosting, entities offering IT solutions allowing for displaying of advertisements and content on websites and gathering statistics of interactions and visits – as entities processing personal data upon the Controllers order;
3. IAB – in relation to participation in IAB Europe Transparency & Consent Framework, for the purpose of evaluation of compliance of the way data is processed with the standards set by IAB Europe Transparency & Consent Framework.
   In each instance, the Controller ensures that the Personal Data transferred to any of the recipients takes place in a safe manner, with respect to any technical requirements.

VIII. Transferring Personal Data outside of the European Economic Area

Your Personal Data may be disclosed to third parties outside the EEA or to international organizations, provided that such disclosure respects the security of the personal data processed in each case. Personal Data is transferred to partners and contractors of the Company located outside the EEA, only if:

1. such entity is established in a country which, according to the decision of the European Commission, ensures an adequate level of protection of personal data;
2. standard EU data protection clauses have been applied in the contract concluded by the Controller with this entity; in order to obtain copies of the standard EU data protection clauses applied by the Company, please contact the DPO or the Company.

IX. Duration of the period through which the Personal Data is to be processed

Personal Data is processed by the company:

• until you exercise your rights which result in an obligation to stop any further processing of your personal data;
• until you set the appropriate browser settings for storing or accessing Cookies or other identifiers that prevent the possibility of the processing;
  Notwithstanding the above, Personal Data will not be processed by the Controller for more than 18 months.

X. Rights of the Users

1. The User has the right to obtain a confirmation from the Controller of whether their Personal Data is being processed by the Controller, and if so, they are entitled to access to the following information:
   1. the purpose of processing;
   2. the category of the data which is being processed;
   3. information regarding any recipients or categories of recipients, to whom the personal data has been or is to be disclosed, particularly any recipients located in third countries or any international organizations;
   4. as far as possible, the planned retention period for personal data and, where this is not possible, the criteria for determining that period;
   5. information on the right to demand that the Controller corrects erases or limits the processing of personal data concerning the person who is the subject of the data, and to object to such processing;
   6. information in the right to lodge a complaint with the supervisory body;
   7. in case the personal data has not been obtained from the person whom they are regarding – any available information regarding the source of the data;
   8. information regarding any automated decision-making, having legal effects (or similarly significant impact on Users) as per Article 22(1) and (4) of the GDPR, and – at least in those particular cases – any crucial information regarding the terms upon which those decisions are made, as well as the meaning and foreseen consequences of such processing for the person, whom they are regarding – currently the Controller does not participate in any such activity.
2. The User has the right to demand that the Controller immediately corrects any incorrect Personal Data which concerns them. Considering the purposes of the processing, the User has the right to demand their incomplete personal data to be supplemented, including by presenting any additional statements.
3. The User has the right to demand that the Controller immediately erases any data concerning them, and the Controller is obliged to erase such personal data without any undue delay in case any of the following circumstances occur (“the right to be forgotten”):
   1. the Personal Data is no longer required for the purposes for which they were gathered or is not otherwise processed;
   2. the User has revoked their consent which constituted the grounds on which the processing was based in accordance with Article 6(1)(a) of the GDPR and no other grounds for such processing exist;
   3. the User lodges an objection to the processing under Article 21(1) of the GDPR and no other legally superior legitimate grounds exist, or the User lodges an objection under Article 21(2) of the GDPR for the processing;
   4. the Personal Data is being processed unlawfully;
   5. the Personal Data must be erased in order to comply with a legal obligation under EU legislation or under the law of a Member State, to which the Controller is subject;
   6. the Personal Data has been gathered in relation to the offer of information society services, as per Article 8(1) of GDPR.
4. The User has the right to demand from the Controller to limit the processing of their Personal Data in the following cases:
   1. the Users question the correctness of the Personal Data – for a period allowing the Controller to verify the correctness of such data;
   2. the processing is unlawful and the User objects to erasing of the Personal Data and demands in return that the use of the Personal Data is restricted;
   3. the Controller does not further require the Personal Data for the purpose of processing but the data is required by the person whom it is regarding in order to establish, enforce or defend a claim;
   4. the User has raised an objection under Article 21(1) of the GDPR against the processing – until it is determined whether legally justified grounds for such processing exist and are superior to the objection of the user, whom the data is regarding.
5. In case the Personal Data is processed for the purposes of direct marketing, the User whom the data is regarding has the right to object against the processing of the data processed for such purpose at any time, including profiling, in the scope in which the data is processed with the purpose of direct marketing (“right to object”).
6. The User has the right to receive a structured, machine-readable file in a commonly used format including the Personal Data relating to them which they have supplied to the Controller, and they have the right to transfer this data to another Controller without any hindrance from the Controller to whom their personal data has been initially supplied, if: the processing takes place on the basis of consent as per Article 6(1)(a) of the GDPR or on the basis of a contract as per Article 6(1)(b) and the processing is automated.
7. By exercising the right to transfer their data, the User is entitled to demand for their Personal Data to be sent by the Controller directly to another Controller, unless it is technically impossible.
8. The User has the right to revoke their consent to the processing of Personal Data disclosed pursuant to Article 6(1)(a) of GDPR at any time. Revoking consent has no effect on the legality of processing conducted before the consent is revoked.
9. In order to exercise the other rights mentioned above, please contact the Controller using the contact information provided in the “Details of the Controller – contact information” section.
10. The User has the right to lodge a complaint with the national supervisory authority established for the purpose of protecting personal data.

XI. Safety Provisions

The Controller does not collect sensitive data, such as any information regarding race, ethnicity, religious beliefs, philosophical beliefs, trade union membership, biometric information, health information, sexuality or sexual orientation. The Controller’s cooperation with Publishers is not based on any websites which offer content for persons below 16 years of age, thus the Controller does not purposefully gather any personal data of any individuals below 16 years of age. The Controller also does not gather any information which could result in moral or material damages if processed. The Controller’s system is only used to process the data indicated in section VI. “What data is being gathered?”.
The gathered Personal Data is stored on secure dedicated servers, and it can only be accessed by authorized employees and partners of the Controller.
Information regarding Users, which do not include any data which allows for the Users to be directly identified, are made available only to entities indicated in section VII, with the highest level of care for safety and security of processing.