Privacy policy zrzutka.pl

  1. Introduction

    In the interests of transparency in our operations and your comfort, we have prepared a comprehensive privacy policy from which you can find out when and what personal data we collect and how we process it, and what rights you have. We also indicate the cases in which we may share your personal data with third parties.

    Zrzutka.pl sp. z o.o. is committed to the highest standards of security, particularly with regard to the protection of personal data. We conduct a risk analysis on an ongoing basis to ensure that the personal data we collect is processed in a lawful, secure manner and that only authorised persons have access to the data and only to the extent necessary for the proper performance of their duties. We pay particular attention to ensuring that all operations on personal data are recorded and carried out with the greatest care.

    Below, we explain the terms that will appear in the remainder of this document:

    1. Administrator - Zrzutka.pl sp. z o.o. with its registered office in Wrocław, al. Karkonoska 59, 53-015 Wrocław, NIP 8992796896, REGON 365261657, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Wrocław-Fabryczna in Wrocław, VI Economic Division of the National Court Register under KRS number 0000634168, being a domestic payment institution entered in the UKNF Payment Services Register under number IP48/2019.
    2. Personal data - all information about a natural person identified or identifiable by one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data and internet identifier.
    3. RODO - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
    4. Website - the website operated under the domain www.zrzutka.pl and under any sub-domains, within the framework of which the Administrator provides electronically the services consisting in particular in providing space for the creation of dropshots by Users and mediating the transfer of funds between Users.
    5. User - a natural person of full legal age, a legal person or an organisational unit without legal personality, to which the law grants legal capacity, using the Service, with the exclusion of persons who are completely incapacitated. A natural person using the Website who is at least 13 years of age and who has sent the consent of the legal representative to use the Website shall also be considered a User. User uses one or more services provided by the Administrator.
    6. Organiser - a User who organises a collection with the intention of raising funds for a specific purpose in the Service.
    7. Money Box Organiser - User who creates a Money Box for a chosen drop.
    8. Beneficiary - natural or legal person, other than the Organiser himself/herself, for whose benefit the Organiser collects funds for the purpose specified in the description of the collection drop.
    9. Supporter - a User who contributes funds for the purpose indicated in the description of the droplet organised by the Organiser.

  2. Anti-money laundering and counter-terrorist financing obligations.

    By mediating the transfer of money from Supporters to the Organiser and by maintaining accounts for the Drops, our portal provides payment services. We operate as a national payment institution on the basis of the relevant authorisation from the Financial Supervision Commission. This nature of our business makes it necessary for us to comply with the obligations under the AML and Terrorist Financing Act of 1 March 2018 (Journal of Laws 2022, item 593, as amended - hereinafter: the "AML Act"). This is not without effect on our processing of Users' personal data, which in certain cases we have not so much the right as the obligation to process in a certain way:

    1. We must verify the identity of the Organiser

      The process of setting up and verifying the Organiser's account is described in detail in our Terms and Conditions. As part of this, we must ask the Organiser to provide personal data, which we are then obliged to confirm. We have to collect the following data: first and last name, nationality, PESEL number or date of birth (in the case of persons without PESEL), and the series and number of the identity card and, in the case of a self-employed person, also the NIP. This data must then be confirmed by means of a so-called verification transfer and a scan of the identity card sent to us. The AML Act requires us to verify this data and entitles us to obtain and retain a copy of the Organiser's identity document.

    2. We must apply financial security measures

      The AML Act requires us to apply so-called financial security measures, i.e. methods by which we are to detect possible attempts to use our portal for money laundering or terrorist financing. To this end, we must, among other things, analyse the transactions carried out on our portal for such purposes and, in certain cases, obtain additional explanations or documents from the Organiser.

    3. We must keep the data for the period specified in the Act

      We are obliged to store all data obtained as a result of financial security measures, as well as data identifying the Organisers and data relating to transactions carried out on our portal, for a period of 5 years from the termination of the business relationship with the relevant Organiser (in simple terms, closure of the User's account). After this time, they are automatically deleted, unless we first receive a request from the relevant authority to store them longer in a specific case.

    4. In certain cases, we are obliged to pass on transaction data to the relevant authorities

      If we have a reasonable suspicion that criminal funds are being collected on our portal or if we notice a case of alleged money laundering or terrorist financing, we are obliged to report this to the relevant authorities (public prosecutor's office or the General Inspector of Financial Information). We must then provide them with all the data in our possession concerning the suspicious transaction and the Organiser. In the course of investigating a particular case, we may also exchange information with other payment service providers involved in the transaction in question (e.g. the bank from which we received the transfer).

    In the case of anti-money laundering and terrorist financing, the legal basis on which we base the processing of personal data is the mandatory statutory regulations - in such cases, it is therefore not possible to withdraw consent to the processing of personal data (as the processing is carried out on the basis of a statutory obligation and not consent), nor to request us to delete the data (we have a legal obligation to keep the data for a certain period of time). On the other hand, the data we collect as part of the application of financial security measures is protected by statutory secrecy independent of the RODO under the AML Act, for the breach of which we would face high penalties. This data is further secured and encrypted, and only employees directly responsible for AML and terrorist financing have access to it.

    The obligations under the AML Act are independent of the other bases on which we base the processing of personal data. You can find out how we process data in other cases from the rest of this privacy policy.

  3. What personal data do we collect and process? What are the purposes and legal basis for their processing?

    As Users use the Website for a variety of purposes and in a variety of ways, we collect and process personal data to a varying extent and on different legal bases.

    1. Using the Website without creating an account

      Personal data of persons using the Website who are not Supporters or Organisers are not processed by the Administrator.

      The data obtained in connection with the use of the Service by the Users and which are not personal data are used by Zrzutka.pl sp. z o.o. for analytical, statistical, marketing purposes and in order to ensure the operation of the Service and measure its performance. You can read about how and for what purpose we use cookies in the relevant section below.

      If you indicate to us a potential organisation to which you think we should offer Patron status, and provide us with an email address to which we should notify you when a Patron account has been created for that organisation, your email address will only be used for such notification - you will not be assigned to the newsletter database, and your data (email) will not be processed in any other way, unless you give separate marketing consent by ticking the relevant checkbox or, at a later stage, decide to create an account on the Service and then give the relevant consent.

    2. Account registration

      Persons who register on the Website are asked to provide the following personal data necessary to create and operate an account: first name, last name, and email address.

      Indication of this data is required in order to create and operate an account, and failure to do so will result in the inability to create an account. The above data is collected and processed on the basis of consent for the processing of personal data expressed when creating an account (Article 6(1)(a) RODO), and in the event that the User starts using any services offered by the Website - also for the purpose of performing the contract for the provision of services offered by the Administrator (Article 6(1)(b) RODO).

      In the event that you do not take any further action on the Website after registering your account (supporting or organising Drops, using paid additional features, etc.), your data is stored, but is not used for any other purpose, except for our creation of business statistics.

      If you give separate marketing consent, we will be able to send you information about new interesting actions and features within the Service (newsletter). However, this is not obligatory and you can withdraw such consent at any time.

    3. Creating and supporting drop-ins
      1. Organiser

        Organising airdrops on the Service involves the processing of a wider range of personal data. Please note that depending on your choice of account form (private - for an individual or held for another entity) different personal data is processed:

        1. in the case of accounts for natural persons, the following data are processed: first name, surname, e-mail address, PESEL number, nationality, series and number of identity document, as well as its expiry date, image, address data, bank account number and IP address of the Organiser,
        2. in the case of legal persons and other entities - personal data of the natural person running the profile of such an entity, as indicated in the point above, as well as personal data of persons entitled to representation in accordance with the KRS (National Court Register) and authorising a specific person to run the profile, and personal data of actual beneficiaries of the entity, resulting from relevant registers (if applicable).

        In addition to the basis for processing indicated above, consisting of the need to comply with the obligations assigned to us by the AML Act (in particular the proper identification and verification of the identity of our clients), we process this data for the following purposes:

        1. in order for us to provide services related to the conduct of the drop box - the legal basis is the necessity of the processing for the performance of the contract;
        2. in order to comply with our statutory obligations - in addition to the AML obligations already indicated above, these are in particular tax and accounting obligations (e.g. issuing and posting an invoice for the premium services you have purchased);
        3. for analytical and statistical purposes - the legal basis is the Administrator's legitimate interest to analyse your account usage and activity and to improve the functions used;
        4. for possible establishment and investigation of claims or defence against them - the legal basis is the legitimate interest consisting in the protection of our rights;
        5. for marketing purposes - the legal basis is the legitimate interest of the Administrator. You can find out when and exactly how we process this data in the section , "Marketing, analytics and social networking activities".

        Additional data on health and living situation (including assets) may be processed to verify the truthfulness of the drops in the situations indicated in the Terms and Conditions (see section XIII). Where the documents used for the verification of the airdrop contain data included in the so-called special category of personal data under RODO, in particular data concerning health, the Administrator processes them on the basis of a separate consent. Such consent should be provided by the data subject (the Organiser, if the documents concern his/her own data, and the Beneficiary of the droplet, if the collection is organised for a third party). In the case of minors or persons without legal capacity, the consent should be signed by a parent or legal guardian.

        Giving a separate consent for the processing of personal data included in a special category of personal data is a necessary condition for the verification on the basis of the documents in which such data is included. If you intend to organise a collection for a third party whose verification may require the production of such documents, make sure that they give their consent for us to process this information - failure to do so may make the drop-off unverifiable.

        Personal and other data visible in the documents sent by the Organisers as part of the verification procedures described in Chapter XIII of the Terms of Service may be disclosed to the entities appearing as the issuers of such documents in order to confirm their reliability or to law enforcement authorities in the event that we have a justified suspicion of fraud or use of a forged document. Outside of these cases, we treat all data resulting from these documents as strictly confidential, and we use the documents themselves only for the collection verification process and store them on external, secure storage media, with access to them only by the staff conducting the verification process.

        If your droplet is visible in search engines, your name or the name of your organisation will also be displayed in its so-called metatitle. In your account settings, you can disable the aforementioned visibility at any time - as a result, your droplet will not appear in search results. The metatitle is the content that appears in search results, in social media shares of the droplet, or as text displayed in a browser tab when the page is open.

        The visibility of Moneyboxes in search engines depends on whether the droplet for which the Moneybox has been organised is indexed. If you are the organiser of a Treasure Box and do not want it to be visible in search results, please contact the Organiser of the Treasure Box - you cannot disable the Treasure Box or Treasure Box search options yourself.

      2. Beneficiary

        In order for you to be able to organise a collection for a third party, it will be necessary for that person to fill in the appropriate consent form, based on which we will process their personal data such as name, surname, PESEL, as well as their image. In addition to the consent form, we will also need a scan of that person's ID card. We will only use this data for the credibility verification process of the dropshipper. We will check that you actually have authorisation from a specific person to carry out a collection on their behalf, and to do this - we need to know their personal details. We do this on the basis of her consent, which as a Collection Organiser you will need to obtain. For this reason, make sure that the person for whom you are organising the collection is aware of this and gives such consent - we do not allow collections for anonymous Beneficiaries. Please note that this does not mean that you should publish the full details of the Beneficiary in the description of the collection - they are only necessary for our information.

        The Beneficiary can also send their own documentation directly using a special form. For a link to the form, the Organiser or the Beneficiary themselves should contact support.

      3. Supporters

        Your support of any droplet organised on our portal does not require the creation of a User account with us. Nevertheless, due to our obligations under the AML Act and Regulation 2015/847 of 20 May 2015 on information accompanying fund transfers, we may process your name, email address, bank account number and other details related to the transaction, such as the date and time of the payment or the amount of the payment made.

        Due to the fact that for most of the deposit methods offered by us we use the services of a payment intermediary (PayU S.A.), the choice of such a method means that a separate administrator of your personal data will be PayU S.A. with its registered office in Poznań (60-166), at 182 Grunwaldzka Street, which will process them for the purpose of completing the payment transaction, notifying you of the status of completion of your payment, processing complaints, as well as for the purpose of fulfilling the legal obligations incumbent on PayU. You will find information that a particular payment method is supported by PayU at the bottom of the payment screen after selecting the relevant option. You can read PayU's collection of privacy information here.

        The organiser of the drop-off to which you make a donation will have access to the personal data of the Supporters in our possession (indicated by the Supporters themselves in the donation form or provided to us by payment intermediaries, including those obtained through online payment systems such as Google Pay and Apple Pay). This is because, through our portal, you are entering into a legally binding contract with the Contributor (usually a donation contract or, in the case of Drop-ins where the Organiser offers a reciprocal benefit for the contributions, a contract of a different type - sale, provision of services). This data is made available to the Organiser in order to enable the Organiser to perform the agreement concluded with the Supporters, as well as to fulfil other obligations stipulated by law (e.g. tax, accounting). Additionally - if the Organiser offers you certain Offers in return for your contributions to his/her drop - we may also share your address and phone number with him/her in order to carry out the dispatch of said Offers.

        The Organiser - on the basis of the data provided by us - may contact the Supporters or the Moneybox Organiser, e.g. in order to thank them for their donations or to inform them about other drops which may be of interest to them. In doing so, the Organiser should have a legitimate interest in processing the personal data of Supporters or Moneybox Organisers, pursuant to Article 6(1)(f) of the DPA, which legitimises the establishment of the aforementioned contact.

        This contact should serve the purpose of building a relationship with the Supporters or Moneybox Organisers - this way the Organiser can keep them informed about the further progress of the respective campaign or other activities that the organisation it represents is carrying out. In addition, the Organiser can use this function to send thanks or to present accounts related to the implementation of a specific Project. It is also important that the content of the messages sent to Supporters or Moneybox Organisers is related to the Organiser's activity within the Service, i.e. relates to his/her drops or is related to them.

        It is important to note that the use of the function described above must not infringe on the interests of Supporters or Moneybox Organisers - the Organiser's actions should be balanced and proportionate. The sending of messages may be of a one-off nature (e.g. in the case of acknowledgements), whereas in the case of regular contact, moderation is required in both the number and frequency of messages delivered. If a particular Supporters or Moneybox Organiser has not undertaken any activity in relation to the delivered messages for a period of 6 months, the purpose on the basis of which the personal data of that Supporters or Moneybox Organiser is processed shall be deemed to have become obsolete. This means that the Organiser no longer has a legal basis for processing the personal data of such a Supporter or Moneybox Organiser and must therefore terminate the process.

        If a Supporters or Moneybox Organiser requests that the sending of communications to their email address be discontinued, the Organiser is obliged to comply with this request immediately.

        If you are a Dropbox Organiser and decide to use the personal data provided to you in the Organiser's panel for a different - designated - purpose, please note that you then become a separate controller of the personal data and it is you who has the obligations indicated in the RODO towards the persons whose data you start to process.

        In accordance with Article 20 of the RODO, the Organiser has the possibility to directly retrieve and directly transmit the data available in the Organiser's panel to another controller by means of an application programming interface (API). If, as an Organiser, you decide to exercise this right, please note that you are obliged to exercise it without prejudice to the rights of others. If the data transferred at your request also includes personal data of Supporters or Moneybox Organisers, you must ensure that it is processed in accordance with the law - once the data has been transferred, we are no longer responsible for the processing carried out by the Organiser or by any other administrator receiving personal data in this way.

    4. Issuing and purchasing Offers

      As part of the Website, we also make it possible to issue and purchase Offers. Offers can be issued either by the Organiser of the droplet or by a third party (the so-called Funder) - for more information on this, please see the Rules of Offers, which is attached to our Terms and Conditions.

      When filling in the form describing the details of his/her offer, the Offeror may stipulate that it will be necessary for the Purchaser to provide address or contact details (telephone number) in order to purchase the Offer. In such a case, these data are completed by the Purchaser when making the payment for the Offer and are transferred to the Exhibitor in order to enable him to perform the agreement the subject of which is the transfer of the Offer (Article 6(1)(b) of the RODO). The Exhibitor may contact the Purchaser to make arrangements for the receipt of the Offer or send it to the address provided by the Purchaser.

      In order to fulfil the obligations arising from the Act of 23 May 2024 amending the Act on the exchange of tax information with other countries and certain other acts, which implements Council Directive (EU) 2021/514 of 22 March 2021 amending Directive 2011/16/EU on administrative cooperation in the field of taxation (the so-called DAC-7 Directive), the Administrator - acting in accordance with Article 6(1)(c) of the RODO - may request the Exhibitor to indicate its tax identification number (so-called TIN). A TIN (Tax Identification Number) is a tax identification number used for tax purposes in a given country (i.e. the country in which you report your taxes), e.g. in Poland the TINs are PESEL and NIP.

      In the event that the Purchaser of an Offer informs us that the Exhibitor, despite having paid for the Offer, has not fulfilled its obligation, we may ask the Exhibitor to send us proof of the transfer of the Offer it has offered. In the event that the Exhibitor fails to do so, or the documents sent by him do not dispel any doubts, we may pass on his personal data (name, address, PESEL number) to the Purchaser of the Offer, in order to enable the Purchaser to pursue his claims against the Exhibitor outside the Service (e.g. amicably or judicially). The basis for such action is the necessity of the processing to protect the interests of the Purchaser (Article 6(1)(f) RODO).

      In the event that the Exhibitor has transferred the offered Offer to the Purchaser and the Purchaser subsequently receives a refund of the payment made for the Offer, the Exhibitor may contact us with a message to which he will attach proof of the transfer of the Offer. In such a case, we may share the personal data of the Purchaser in our possession with him in order to enable him to assert his claims outside the Service (e.g. amicably or judicially). The basis for such action is that the processing is necessary to protect the interests of the Exhibitor (Article 6(1)(f) RODO).

    5. Making submissions via the contact form

      We provide the possibility to contact us using an electronic form available on the Website. Using the form requires the user to provide personal data in the form of an e-mail address. The user may also provide other data in order to facilitate the contact or handling of the request.

      Please note that providing your e-mail address is necessary so that we can process your request. This data is processed:

      • for the identification of the sender and the handling of his/her enquiry sent via the form provided - the legal basis of the processing is the necessity of the processing for the performance of the service contract (Article 6(1)(b) RODO);
      • for analytical and statistical purposes - the legal basis for processing is the Administrator's legitimate interest in keeping statistics on queries submitted by Users via the Website in order to improve the functionalities used (Article 6(1)(f) RODO).

    6. Marketing, analytics and social networking activities

      If you have given your separate consent (by ticking the button , "Inform me about interesting actions and new features" when creating your account) we may also process your data for marketing purposes, which may consist of sending you e-mail notifications about interesting content that may contain commercial information. You may withdraw this consent at any time.

      For all airdrops for which the Organiser leaves the option "allow search engines to index this airdrop" ticked when editing them, so-called dynamic remarketing ads will be created using marketing solutions provided by Facebook and Google.

      The administrator also uses tools available within Facebook and provided by Facebook Inc., 1601 S. California Ave. Palo Alto, CA 94304, USA. The Administrator has implemented Facebook's Pixel service on the Service in order to personalise advertisements based on the analysis of actions taken by Users visiting the Service. The Organiser may also implement its own Facebook Pixel in order to receive automatically collected information about the use of the Website (but only within the dropdown where it has installed the Facebook Pixel), so that it can track and analyse the effects of promotional activities for its dropdown where it has installed its own Facebook Pixel. The information collected in this way is generally transmitted to a Facebook server in the United States and stored there. We would like to emphasise that the information collected within the Facebook Pixel is anonymous and prevents the Administrator and the Organiser from identifying specific Users and linking interactions with the service, e.g. the name shared on Facebook. As part of this tool, we only receive data regarding the actions taken by the User on the Service. In addition, the Facebook Pixel, when measuring the User's interactions with the Service, looks for, among other information, form fields and other sources on the website that could contain data such as name and email address. Such data is anonymised while still in the User's browser and before it is potentially sent to Facebook's servers, preventing it from being accidentally recorded on Facebook where it could be accessed by the Administrator or Organiser. It is noted that Facebook may combine this information with other information about you collected through your use of Facebook and use it for its own purposes. Such actions taken by Facebook are fully independent of the Administrator. We recommend that you read Facebook's privacy policy in this regard, which you can find here.

      For advertising purposes, we also use the TikTok Ads service provided by TikTok Technology Limited and TikTok Information Technologies UK Limited. This platform allows us to promote our brand by sharing short video formats. With the help of TikTok Ads Manager we have the opportunity to reach a wide audience. In addition, thanks to the TikTok Pixel, we can measure the actions taken by these audiences, i.e. examine what actions were taken by users who were redirected from the TikTok platform to the Service via the ads. The data we obtain in this way is anonymised and aggregated, so we are unable to identify specific individuals from it. They only serve us to analyse the behaviour of advertising recipients, which in turn allows us to adapt the direction of communication to the needs of visitors to our Service. You can find more information about the privacy policy operating on the TikTok platform here.

      In addition, we use Microsoft Ads provided by Microsoft Corporation for advertising purposes. This platform enables us to promote our brand in the search engine Bing. With the help of Microsoft Ads, we have the opportunity to reach a wide audience. In addition, thanks to the Universal Event Tracking (UET) tag, we can measure the actions taken by these audiences, i.e. investigate what actions were taken by users who were redirected from the Bing search engine to the Service via the Ads. The data we obtain in this way is anonymised and aggregated, so we are unable to identify specific individuals from it. They are only used for us to analyse the behaviour of ad recipients, which in turn allows us to tailor the direction of communication to the needs of visitors to our Service. You can find more information about the privacy policy in place at Microsoft Ads here.

      We use a tool called Microsoft Clarity, which enables us to analyse users' behaviour on the Website on the basis of such functionalities as: playback of recorded sessions or so-called heatmaps of pages. The data obtained with this tool allows us to identify areas of the Website that require improvement. As a result, we can continuously improve the quality of the services we provide.

      This tool uses cookies and other technologies to collect information about the behaviour of users and their terminal equipment, in particular the IP address of the device, which is recorded and stored in an anonymised form, screen resolution, device type, information about the browser used, geolocation (country). This information is then stored in a user profile, which is subject to pseudonymisation. The data obtained in the manner described above is not used by Microsoft Clarity or by us to identify individual users.

      Microsoft Clarity is provided by Microsoft Corporation based at 1 Microsoft Way, Redmond, WA 98052-6399, United States - you can read more about Microsoft Clarity here, additional information about its privacy policy can be found here.

      In addition, we use a tool called Sentry to record and analyse user behaviour occurring prior to an error on the Service. The data obtained through this tool allows us to identify why errors occur in our system and, as a result, to improve our code.

      This tool uses cookies and other technologies to collect information about the behaviour of users and their terminal devices, in particular the IP address of the device, screen resolution, device type, information about the browser used, geolocation (country). The data obtained in the manner described above is used by us only to identify reasons for system errors.

      Sentry is provided by Functional Software Inc. based at 45 Fremont Street, 8th Floor, San Francisco, CA 94105, United States - you can read more about Sentry here, additional information about its privacy policy can be found here.

      The administrator also uses analytical tools offered by Google Analytics. They allow tracking user activity on the Website on the basis of anonymised data which does not allow the Administrator to determine the identity of specific individuals (in particular, data concerning the channel from which users access the website and their further activity on it, including any payments made). On this basis, the Administrator can examine the effectiveness of its advertising campaigns and the performance of its services, as well as plan the development of the Website. The data obtained through the Google Analytics tool are not used by the Administrator to try to identify specific website visitors.

      The Google Analytics tool can also be used by the Organiser of the droplet, by implementing the appropriate code into the droplet using the panel offered by this tool. In this way, he or she can study the activity within his or her droplet, including analysing the sources of hits on his or her collection in order to plan appropriate marketing campaigns. The data is also anonymised in this case.

      The information obtained through this route is, in principle, transferred to Google's servers in the United States and stored there. It should be noted that Google may combine this information with other information about you collected through your use of other Google services and use it for its own purposes. Such actions taken by Google are fully independent of the Administrator. In this respect, we recommend that you read Google's privacy policy and check the relevant privacy settings of the browser and the services you use.

      The website contains links to websites administered by entities independent of the Administrator. These entities may apply different legal solutions regarding privacy policy. The links enable Users to familiarise themselves with their content and obtain additional information.

      With regard to any websites, to which links are included as part of the Service, and which are not owned or controlled by the Administrator, the Administrator does not bear any responsibility for their content, including the rules of protecting the confidentiality of information applicable to the Users.

      If we wish to support valuable initiatives, we may decide ourselves to promote a specific collection on our social media channels (Facebook, Twitter, Instagram, TikTok, LinkedIn) or to purchase advertisements in which such a drop would be indicated, as well as to present it within any subpage of our Service, in our newsletter and push notifications. By organising a drop-off within the Service, you are consenting to such potential action by us. As part of it, we may publish a link to your droplet along with our description indicating why we found it interesting or worthy of support, or use elements within the content of your droplet (including photographs) to promote both your droplet and our Service.

      We take such action on the basis of our legitimate interest to inform you about interesting initiatives on our portal. If you wish, you may object to it - in which case your droplet will not be taken into account when we plan such promotion. However, take into account that such a situation is beneficial both for us, as it allows us to promote ourselves as a portal with valuable initiatives, and for you - because you will get free promotion of your droplet, which will surely translate into its popularity among Supporters. If your objection reaches us after we have already taken the actions described above - we will not take new ones, but this will not affect the legality of the actions we have taken previously.

      As part of the Service, we also use profiling (Article 22 RODO), which involves the processing of your personal data (including by automated means) for the purpose of analysing or forecasting, among other things, your personal preferences, interests or behaviour.

      Based on information about the content you view, we can deduce which of the services we provide will be of interest or useful to you. It is through profiling that the advertisements you see when using your browser are tailored to you and your needs.

      Your personal data will be processed in a partially automated manner, including in the form of profiling, however this will not result in decisions that produce legal effects for you or affect you in a similarly significant manner. The profiling carried out within the Service does not concern the conclusion or refusal of a framework agreement or the possibility to use the services provided by the Administrator. You can disable the profiling option in your account settings at any time. This action will not affect the number of advertisements displayed, but will only reduce their tailoring to your preferences.

      We are committed to continuously improving the quality of our services, but to make this possible, we need your feedback! For this reason, we may ask you to provide feedback on the Trustpilot A/S platform after you have made a successful withdrawal of the funds you have collected from your droplet. In this case, we are acting on the basis of legitimate legal interest. We use the automated services offered by Trustpilot A/S to collect feedback - in the process, we will only provide our partner with your email address. Adding feedback is completely voluntary.

      Please note that if you choose to create an account on the above platform, Trustpilot A/S will become a separate controller of your personal data, independent of us. You can find more information on data processing by Trustpilot A/S here.

  4. Who do we share your data with?
    1. Service providers

      We use specialised services provided by third parties to whom, if necessary, we disclose your personal data with appropriate security procedures. These service providers include.

      • accounting, legal, tax, auditing services;
      • online payment processing services;
      • promotional, marketing, analytical services;
      • IT services.

      When we enter into cooperation with service providers, we enter into appropriate agreements for the entrustment of the processing of personal data. This means that these entities, when processing your personal data on our behalf, are obliged to protect your personal data with the highest security standards. We only use reputable entities, and the issue of protecting the personal data that will be transferred in the course of the respective contract is an important factor in the selection of a contractor.

      The most important providers to whom we transfer data:

      Google - https://business.safety.google/privacy/
      Facebook - https://www.facebook.com/policy.php/
      Microsoft - https://privacy.microsoft.com/en-US/privacystatement
      LinkedIn - https://www.linkedin.com/legal/privacy-policy

    2. Payment cards

      If you decide to order a payment card from us, we also process your data for the purpose of performing the related services. In this case, your data are transferred by the Administrator to DPD Polska sp. z o.o. with its registered office in Warsaw (02-274), ul. Mineralna 15, entered in the Register of Entrepreneurs of the National Court Register, maintained by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS No. 0000028368, NIP: 5260204110, which processes these data for the purpose of delivering the ordered payment card to the User.

      The processing of personal data by DPD Polska sp. z o.o. takes place according to the principles described here.

    3. State authorities

      If required by law, the Administrator will disclose personal data to other entities, mainly public ones, including in response to a court order, summons or other legal request or enquiry carried out in the exercise of public authority and only if this request is based on a proper legal basis.

    4. Transfers of data outside the EEA

      We transfer personal data outside the EEA only when necessary, ensuring an adequate level of protection, primarily by:

      • cooperating with processors of personal data in countries for which a relevant European Commission decision has been issued;
      • applying the standard contractual clauses issued by the European Commission;
      • applying binding corporate rules approved by the competent supervisory authority;

      Apart from the situations described above, we do not transfer personal data to third parties.

    5. Tax authorities

      In the situations set out in the Act of 23 May 2024 amending the Act on the exchange of tax information with other states and certain other acts, we are obliged to provide the Head of the National Tax Administration with your identification data, including your TIN number established by us, together with data on the sales of goods achieved by you in a given calendar year. This obligation arises if you sell at least 30 goods in a given year by listing them as Offers on our Service, or if you achieve a total remuneration of more than EUR 2,000 from their sale. If this happens, we will inform you by 31 January of the following year exactly what data we have transferred in this way for the previous year.

  5. How long do we process your personal data?

    The duration of the processing of your personal data depends on the type of service provided and the purpose of the processing. As a general rule, your data is processed for the duration of the service provided, until you withdraw your consent or raise an effective objection to the processing of your data in cases where the basis of the processing is the legitimate interest of the Administrator, unless the processing of your data may be necessary for the establishment, investigation or defence of claims by the Administrator, in which case your data is processed until the expiry or limitation of any possible claims against the Administrator. This does not apply to data processing that we are obliged to carry out under the AML Act, where the law stipulates that we must retain the data for a period of 5 years after the termination of the business relationship with the customer.

  6. What rights do you have in relation to the processing of your personal data?

    Individuals whose personal data is collected and processed by the Controller have the following rights:

    • the data subject's right of access (Art. 15 RODO) - on this basis you can find out whether we are processing your personal data and gain access to it, as well as obtain information about the purposes of the processing, the categories of your personal data that we are processing, the recipients or categories of recipients of your personal data, the intended period of retention of your personal data or the criteria for determining this period, your rights under the RODO, the right to lodge a complaint with a supervisory authority, the source of your personal data unless collected from you, automated decision-making, including the safeguards applied in relation to the transfer of personal data outside the EEA. You may also receive a copy of your personal data being processed;
    • the right to rectification (Article 16 of the RODO) - on this basis you can request us to complete, update or correct your personal data;
    • the right to erasure, or the so-called "right to be forgotten" (Article 17 RODO) - on this basis, you can request the erasure of your personal data if:
      1. the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
      2. you have withdrawn the consent on which the processing is based under Article 6(1)(a) or Article 9(2)(a) RODO and there is no other legal basis for the processing;
      3. you have raised an objection under Article 21(1) or (2) RODO and there are no overriding legitimate grounds for the processing;
      4. your personal data has been unlawfully processed;
      5. the personal data must be erased in order to comply with a legal obligation under Union law or the law of a Member State to which the Controller is subject;
      6. the personal data were collected in connection with the offering of information society services as referred to in Article 8(1) of the RODO.
    • The right to restrict processing (Article 18 RODO) - if you make a request on this basis, we will cease to carry out operations on your personal data until the request has been considered, unless the grounds indicated in Article 18(2) RODO apply. The exercise of this right may involve a temporary restriction or prevention of the use of certain functionalities of the Website, if these involve the processing of the data covered by the request;
    • The right to data portability (Article 20 RODO) - on this basis, you have the right to receive your personal data that we process on the basis of your consent, in a computer-readable format. It is also possible to request that this data be sent to another entity - provided, however, that the technical capacity to do so exists both on the part of the Controller and the other entity;
    • The right to object to other purposes of processing (Article 21 RODO) - you may object at any time to the processing of your personal data on the basis of the legitimate interest of the Controller (e.g. for analytical or statistical purposes), including profiling. If we consider the objection to be legitimate and we have no other legal basis for processing your personal data, it will be deleted taking into account the principles discussed in Chapter V of this privacy policy;
    • the right to withdraw consent (Article 7(3) of the DPA) - if your data is processed on the basis of your consent, you have the right to withdraw it at any time, but this does not affect the lawfulness of processing carried out before the withdrawal of that consent;
    • The right to complain - if you consider that we are processing your personal data in breach of the RODO or other data protection legislation, you can lodge a complaint with the President of the Data Protection Authority.

    You can make a request regarding the exercise of your data subject rights:

    • in writing by sending a letter to: Zrzutka.pl sp. z o.o., al. Karkonoska 59, 53-015 Wrocław;
    • by e-mail to: ,
    • in some cases (e.g. withdrawal of consent for the processing of personal data) through a dedicated function in the User's profile in the Service.

    The request should, as far as possible, indicate precisely what the request concerns, i.e. in particular:

    • what right listed in Section VI you wish to exercise;
    • what processing the request relates to (e.g. use of a specific service or functionality within the Service, receipt of a newsletter);
    • which processing purposes the request relates to (e.g. analytical purposes).

    If the request made is formulated in such a way that it is not possible to determine the content of the request or for other reasons it is not possible to comply with the request, we will request additional information from you.

    We will respond to your request within 1 month of receiving it. If it is necessary to extend this period, we will inform you of the reasons for the extension.

    The response will be provided to the e-mail address from which the request was sent or, in the case of requests sent to the Administrator's registered address, by post to the address indicated by you, unless it is clear from the content of the letter that you wish to receive a response to the e-mail address and if such an e-mail address is indicated in the request.

    Please note that most of the rights mentioned above relate to situations where we process your personal data solely on the basis of your consent or our legitimate interest. You will not be able to successfully request that we, for example, erase or limit the duration of the processing of your personal data if we are obliged by a specific regulation - in particular the AML Act - to process it.

  7. Policy on the use of cookies
    1. What are cookies?

      Cookies ("cookies") are IT data - usually text files - that are stored on your device when you visit our Service or another domain where the Administrator's widget has been placed. These files usually contain the domain name of the website from which they originate, information about how long such a file will be stored on your computer, as well as a randomly generated, unique number used to identify the browser from which you connect to the Website.

      Cookies are mainly used in the course of optimising the use of websites. In addition, they make it possible to collect statistical data so that we can learn about how users use the Website. This provides us with valuable information which enables us to continuously develop the Website, its structures and functionality.

    2. Types of cookies

      We use the following types of cookies on the Website:

      • session cookies - are stored on your device until you log out of the Service or switch off your web browser;
      • permanent - are subject to deletion after a predetermined period of time, irrespective of your switching off your web browser or logging off the Website;

        both

      • our own - set by the servers of our Website, and
      • third parties (our partners) - set by the servers of websites other than the Website.

      We store the following information in cookies:

      • Your logins to the Website;
      • information about your activities on the Website (e.g. whether you have consented to the processing of cookies, whether you have interacted with messages appearing on the Website's homepage, etc.);
      • the dropdowns that have interested you;
      • a session identifier to identify the logged-in user;
      • tracking identifier.

    3. Why do we use them?

      We use cookies to provide you with a fully comfortable, uninterrupted access to the Website, as well as to its basic functionalities, such as logging in or the correct use of the options available in the User profile. Importantly, cookies are always active, and obtaining your consent in this case is not required - without them, using the Website would not be technically possible.

      In other cases, you can decide whether you agree to the cookies indicated below:

      • functional - these cookies allow us to personalise our services so that we can offer you tailored solutions, e.g. in terms of the presentation settings of the Website;
      • performance cookies - these cookies allow us to investigate how you use our Website, i.e. which of the available functions you use most often, how often you visit the Website, etc;
      • advertising - these cookies allow us to provide you with advertising drop-downs that may be of interest to you;
      • analytical - these files are used for us to analyse and keep statistics on visits to the Website.

    4. Other information

      You have complete freedom to manage your cookies - you can make changes to your cookie preferences at any time using the appropriate settings on your web browser.

      Each browser vendor provides a cookie management policy - you can read more about this on the dedicated pages of each vendor, e.g. Google Chrome, Mozilla Firefox, Internet Explorer.

      Please note that withdrawing your consent or objecting to the processing of cookies may make it difficult or even impossible to use our Website.

  8. Do you have any questions? Get in touch with us!

    You can contact us via e-mail address or postal address: Zrzutka.pl sp. z o.o., al. Karkonoska 59, 53-015 Wrocław. You can also write to our Data Protection Officer - Ms. Oliwia Salachny at .

    This Privacy Policy may be updated. When it is, the effective date is changed, which can be found below. Any previous versions of the Privacy Policy will be available upon request.

    Effective date: 2024-08-27.