Blend Daily Banking and Crypto in One Powerful Business Account

Privacy Policy

Date of the last update of the Policy: 25/08/2022

DATA PROTECTION POLICY OF P100 APPLICATION

This policy is addressed to P100 users. The Policy describes the rules for the collection and use of P100 users' data obtained directly from them or via cookies and similar technologies.

We assure each user that we will exercise the utmost diligence when caring for the protection of personal data. We do not transfer personal data without the consent of our users. We enable users to familiarize themselves with the personal data collected and processed by us, with their consent, and to change them or withdraw their consent.

Personal data controller

The controller of data collected in connection with the use of the P100 application is P100 Sp. z o. o. (limited liability company) with its registered office in RzeszĂłw, 14/2 Adama Matuszczaka Street, phone +48 537 615 155, e-mail [email protected] In matters related to the processing of your data by the Controller, you can contact the above address data or the Data Protection Officer appointed by the Data Controller, at the following e-mail address: [email protected]

Scope of collected personal data

1. P100 enables users to contact the Controller and provide it with identification and contact data, as well as data related to the content of their message or transaction made.
2. The Data Controller collects data related to user activity, such as the time spent in the application, date, source of visit, geolocation data, device data and other data that may affect the transaction risk analysis or user identification.

Data source

1. If the user contacted the Data Controller, the data was made available to us directly from the user.
2. If the user's data has been provided by a third party, the source of the data is that third party. In this case, the Data Controller may receive identification, address, and inquiry-related data.

Purpose and legal basis for the processing of personal data

User data may be processed for the purpose of:
- network traffic analysis, ensuring security as part of the provision of services by P100 and adapting the content to the user's needs based on the legitimate interest of the Data Controller (Article 6 (1) (f) of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter referred to as the GDPR);
- analytical activities related to the functioning or optimization of Services or applications and other available services, including their optimal selection, as well as for the purposes of building knowledge about the Customer's needs, researching their satisfaction, including obtaining market opinions, qualitative information, conducting after-sales research. For this purpose, the processing is carried out on the basis of the premise specified in Article 6 sec. 1 (f) of the GDPR, i.e. in the legitimate interest of the Controller, which manifests itself in the gainful activity conducted by it,
- marketing activities undertaken, in particular in the field of promotion of goods and services of the company or its cooperating entities, including sending commercial information. For this purpose, the processing is carried out on the basis of the premise specified in Article 6 sec. 1 (f) of the GDPR, i.e. in the legitimate interest of the Controller, which manifests itself in the commercial activity conducted by it and the consent granted to receive commercial information,
- establishing, investigating or defending against claims. For this purpose, the processing is carried out on the basis of the premise specified in Article 6 sec. 1 (f) of the GDPR, i.e. in the legitimate interest of the Controller, which manifests itself in the right of every person to assert their rights,
- sharing data with other entities cooperating with the Controller, for marketing purposes - the basis for data processing is voluntary consent, provided that such consent has been granted; if consent is not given, personal data is not processed for this purpose. The basis for data processing is the consent referred to in Article 6 sec. 1 (f) of the GDPR,
- offering products and services according to customer needs, i.e. profiling. The basis for data processing is the consent referred to in Article 6 sec. 1 (f) of the GDPR,
- exercise of rights arising from complaints. The basis for processing is the performance of the controller’s obligations arising from the rights of consumers, and in the other category of customers in the legitimate interest of the controller, which is the right to establish, assert and defend claims. For this purpose, the processing is carried out on the basis of the premise specified in Article 6 sec. 1 (f) of the GDPR.

Right to withdraw consent

1. The consent to the processing of contact data may be withdrawn by the user at any time by contacting the Data Controller. Withdrawal of consent may make it difficult or impossible to contact the user and provide the service or make the ordered product available to the user.
2. In justified situations referred to in Article 17 sec. 3 of the GDPR, the right to withdraw consent may not be available to the user. The Data Controller may decide that the data is necessary due to, inter alia, compliance with a legal obligation that requires processing under the law of the European Union or the law of the Member State to which the Data Controller is subject, to establish, assert or defend claims, and in other cases specified by law.

Obligation or voluntary provision of data

1. Providing data by the user for purposes related to setting up an account is voluntary, but necessary. Failure to provide them may make it difficult or impossible to use P100.
2. Providing the data necessary to verify the identity of the P100 user is voluntary. iDenfy is responsible for verifying the identity of the P100 user (website: www.idenfy.com), whose privacy policy separately regulates the rules for the protection of users' personal data.

Rights resulting from the GDPR in the field of data processed

The user has the right to:
- request the Data Controller to provide the user with access to their data, as well as a copy of it (Article 15 of the GDPR);
- request the Data Controller to rectify or correct their data (Article 16 of the GDPR) - in reference to the request for rectification of data when the user notices that their data is incorrect or incomplete;
- request the Data Controller to delete their data (Article 17 of the GDPR);
- request the Data Controller to limit processing (18 GDPR) - e.g. when the user notices that their data is incorrect - the user may request the restriction of the processing of their data for a period that allows to check the correctness of this data);
- lodge a complaint in connection with the processing of their personal data by the Controller to the supervisory body dealing with the protection of personal data of the President of the Personal Data Protection Office.

Office of the President of the Personal Data Protection
Address: 2 Stawki Street 2, 00-193 Warsaw

Recipients of the user's personal data

The recipients of the user's personal data may only be entities that are authorized to receive it under the law. In addition, user data may be made available to couriers, postal and telecommunications operators, hosting providers, and mail servers.

We reserve the right to share and receive information with the affiliated company Fintegence s.r.o., Staromestská 3, Bratislava, Slovakia, exclusively for the purpose of verifying data associated with the transfer of funds, encompassing both fiat and cryptocurrency, during the processing of your withdrawal requests. This collaborative exchange of information ensures the accuracy and legitimacy of the transaction, aligning with our commitment to secure and transparent financial operations.

Duration of personal data storage

1. The user's personal data will be kept for the period necessary to achieve the purposes of processing, but not shorter than the period specified in the provisions of law, including the provisions on archiving.
2. Personal data processed in connection with the concluded Agreement are stored for the period of its validity and until the claims in this respect are time-barred. Personal data processed on the basis of consent or the legitimate interest of the Controller - until an objection is raised or the consent is withdrawn by the data subject or the purpose of processing ceases to exist. Personal data processed for the purpose of a complaint - until the end of its consideration or until the dispute in this respect is resolved. Personal data processed in order to exercise consumer rights - for the period necessary to assert them.
3. Data related to the analysis of network traffic collected through cookies and similar technologies may be stored until the cookie expires. Some cookies never expire, therefore the data storage time will be equivalent to the time necessary for the Data Controller to achieve the purposes related to data collection, such as ensuring security and analyzing historical data related to website traffic.

Co-administration of personal data

1. The Data Controller, in the scope of personal data processing by itself, allows for the possibility of adopting a model of co-administration of personal data in accordance with Article 26 of the GDPR.
2. Co-administration of data may take place if the Data Controller and at least one other entity jointly determines the purposes and methods of personal data processing. This means that in a given process of personal data processing, three conditions must be met simultaneously, i.e. the Data Controller and at least one other entity must:
- be a controller within the meaning of Article 4 point 7 of the GDPR,
- jointly determine the purposes of data processing,
- jointly determine the methods (technical and organizational) of data processing.
3. If the conditions referred to in sec. 2 are met, the Data Controller and at least one other entity become joint data controllers in the scope of a given personal data processing process.
4. In the case of adopting the data co-administration model, the data co-controllers, by way of joint arrangements, transparently define the respective scopes of their responsibility regarding the fulfillment of obligations under the GDPR.

Transfer of data to a third country or an international organization

1. The user's personal data may be transferred to third countries outside the European Economic Area in justified situations, when it is necessary in order to use the services or obtain the product and on the basis of relevant legal provisions.
2. The Data Controller will assess the admissibility of data transfer to third countries based on whether the entity from a third country provides adequate safeguards for the protection of personal data.

Disclosure of personal data to public authorities

1. The user's personal data may be made available to public authorities, including financial institutions, tax institutions, law enforcement agencies, etc. Such disclosure of personal data does not violate the provisions on the protection of personal data.
2. Due to the fact that pursuant to Article 4 point 9 of the GDPR, public authorities are not considered recipients, the Data Controller is not obliged to inform the P100 users about disclosing their personal data to these authorities.

Risk-based approach

As regards the applied solutions relating to the processing of personal data, in particular with regard to security, the Data Controller applies the risk-based approach.

Use of cookies and similar technologies

1. P100 enables the collection of information about the user via cookies and similar technologies, the use of which most often involves the installation of this tool on the user's device (computer, smartphone, etc.). This information is used to save the user's decisions (choosing the font, contrast, accepting the policy), maintaining the user's session (e.g. after logging in), saving the password (with consent), collecting information about the user's device and their visit to ensure security, but also for visit analysis and content customization.
2. Information obtained through cookies and similar technologies is not combined with other data of P100 users, nor are they used to identify them by the Data Controller.
3. The user can set the browser to block certain types of cookies and other technologies, by specifying, for example, that only those that are necessary for the correct display of the page will be allowed. By default, most browsers allow the use of all cookies, but the user can change these settings at any time, and can also delete already installed cookies. Each browser allows this through one of the options available in the settings or preferences.
4. By using P100 without changing the settings, i.e. with the default acceptance of cookies and similar technologies, you consent to their use for the purposes set out above. The Controller does not use the obtained information for marketing purposes.

Automated decision making and profiling

1. The processing of the user's personal data may be automated, which may involve automated decision-making, including profiling, which is performed by the Data Controller under applicable law. This applies to the following cases:
- verifying the identity of the P100 user, where the assessment is made by Idenfy (www.idenfy.com) based on the established criteria.
- assessing the risk of violating the law, where the assessment is made on the basis of the obtained data and established criteria.
2. The consequence of the performed assessment, in the above cases, is automatic classification to a risk group, where being classified to the unacceptable risk group may entail consequences provided for by law.

Review and update of the personal data protection policy

1. The policy is periodically reviewed in terms of its adequacy, at least once a year.
2. Whenever the legal provisions which are the source of the obligations indicated in the Policy change, or there are significant factual changes within the Data Controller’s structure, the Policy review is carried out immediately.

‍