FORMTS PRIVACY POLICY

TABLE OF CONTENTS:

  1. GENERAL PROVISIONS
  2. BASIS FOR PROCESSING DATA
  3. PURPOSE, BASIS, AND PERIOD OF DATA PROCESSING ON THE INTERNET SERVICE
  4. DATA RECIPIENTS ON THE INTERNET SERVICE
  5. PROFILING ON THE INTERNET SERVICE
  6. RIGHTS OF THE DATA SUBJECT
  7. COOKIES ON THE INTERNET SERVICE
  8. FINAL PROVISIONS

GENERAL PROVISIONS

  1. This Privacy Policy of the Internet Service is informative, which means that it is not a source of obligations for the Users of the Internet Service. The privacy policy primarily contains principles regarding the processing of personal data by the Administrator on the Internet Service, including the basis, purposes, and period of processing personal data, as well as the rights of individuals whose data is processed, and information regarding the use of Cookies on the Internet Service.
  2. The Administrator of personal data collected through the Internet Service is Damian Krychowski conducting business under the name Damian Krychowski (registered office and address for service: ul. Marii Skłodowskiej-Curie 8/22, 42-400 Zawiercie, Poland), NIP: 6492262191, email address: office@formts.com – hereinafter referred to as the "Administrator" and also acting as the Service Provider on the Internet Service.
  3. Personal data on the Internet Service is processed by the Administrator in accordance with applicable law, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as "GDPR" or "GDPR Regulation." The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
  4. The use of the Internet Service, including entering into agreements, is voluntary. Similarly, the provision of personal data by the User of the Internet Service is voluntary, subject to two exceptions: (1) entering into agreements with the Administrator – failure to provide, in cases and to the extent indicated on the Internet Service and in the Regulations of the Internet Service and this privacy policy, personal data necessary to conclude and perform the Service Agreement or other agreement with the Administrator will result in the inability to conclude the respective agreement. Providing personal data is a contractual requirement in such a case, and if the data subject wishes to enter into a specific agreement with the Administrator, they are obliged to provide the required data. The scope of data required to conclude an agreement is indicated beforehand on the Internet Service and in the Regulations of the Internet Service; (2) statutory obligations of the Administrator – providing personal data is a statutory requirement arising from universally applicable legal provisions imposing an obligation on the Administrator to process personal data (e.g., for the purpose of keeping tax records), and failure to provide them will prevent the Administrator from fulfilling these obligations. The Administrator takes special care to protect the interests of individuals whose personal data it processes, and in particular is responsible for ensuring that the data collected by it are: (1) processed lawfully; (2) collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes; (3) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed; (4) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and (5) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
  5. Taking into account the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Administrator implements appropriate technical and organizational measures to ensure that the processing is carried out in accordance with the GDPR Regulation and to be able to demonstrate this. These measures are subject to review and update as necessary. The Administrator employs technical measures to prevent unauthorized access to and modification of personal data transmitted electronically.
  6. All words, expressions, and acronyms appearing in this privacy policy and beginning with a capital letter (e.g., Service Provider, Internet Service, Electronic Service) should be understood in accordance with their definitions contained in the Regulations of the Internet Service available on the Internet Service's website.

BASIS FOR PROCESSING DATA

  1. The Administrator is entitled to process personal data in cases where – and to the extent that – at least one of the following conditions is met: (1) the data subject has given consent to the processing of their personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Administrator is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  2. Processing of personal data by the Administrator requires the existence of at least one of the grounds indicated in point 2.1 of the privacy policy. The specific grounds for processing personal data of Users of the Internet Service by the Administrator are indicated in the subsequent point of the privacy policy – regarding the specific purpose of processing personal data by the Administrator.

PURPOSE, BASIS, AND PERIOD OF DATA PROCESSING ON THE INTERNET SERVICE

  1. The purpose, basis, and period as well as the recipients of personal data processed by the Administrator result from the actions taken by each respective User on the Internet Service.
  2. The Administrator may process personal data on the Internet Service for the following purposes, on the following legal bases, and for the following periods:
Purpose of data processingLegal basis for data processingData retention period
Implementation of a Service Agreement, another contract or taking action on a data subject's request before a contract is concludedArticle 6(1)(b) of the GDPR Regulation (performance of a contract) - the processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.The data shall be stored for the period necessary for the performance, termination or otherwise expiry of the concluded contract.
Responding to an enquiry sent to the AdministratorArticle 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller) - the processing is necessary for the purposes of the Controller's legitimate interests - consisting of the need to review the content of the enquiry sent by the data subject via the contact form available on the Website and, if necessary, to respond to that enquiry.The data shall be stored for the time necessary for the Controller to review and respond to the data subject's request, but not longer than the duration of the legitimate interest pursued by the Controller in relation to the information contained in the request.
Direct marketingArticle 6(1)(f) of the GDPR Regulation (legitimate interest of the Administrator) - processing is necessary for the purposes of the Administrator's legitimate interests - consisting of looking after the interests and good image of the Administrator, its Website and seeking to sell services.The data shall be stored for the period of existence of the legitimate interest pursued by the Administrator, but no longer than for the period of limitation of the Administrator's claims against the data subject in respect of the Administrator's business activities. The limitation period shall be determined by the provisions of law, in particular the Civil Code (the basic limitation period for claims related to the conduct of business activities is three years). The Administrator may not process data for direct marketing purposes in the event of an effective objection to this effect by the data subject.
Newsletter managementArticle 6(1)(a) of the GDPR Regulation (consent) - the data subject has consented to the processing of their personal data for marketing purposes by the Controller.The data is stored until the data subject withdraws his or her consent to further processing for this purpose.
BookkeepingArticle 6(1)(c) of the GDPR Regulation in conjunction with Article 74(2) of the Accounting Act, i.e. of 30 January 2018. (Journal of Laws of 2018, item 395 as amended) - the processing is necessary for the fulfilment of a legal obligation incumbent on the Administrator.The data is retained for the period required by the law requiring the Administrator to keep the accounts (5 years, calculated from the beginning of the year following the financial year to which the data relates).
Establishing, asserting or defending claims which the Administrator may assert or which may be asserted against the AdministratorArticle 6(1)(f) of the GDPR Regulation (legitimate interest of the Administrator) - the processing is necessary for the purposes of the Administrator's legitimate interests - consisting of establishing, pursuing or defending claims which the Administrator may raise or which may be raised against the Administrator.The data shall be stored for the period of existence of the legitimate interest pursued by the Administrator, but no longer than for the period of limitation of claims that may be raised against the Administrator (the basic limitation period for claims against the Administrator is six years).
Use of the Website and ensuring its correct operation, including form creation, editing, storage, and managementArticle 6(1)(f) of the GDPR Regulation (legitimate interest of the Administrator) - the processing is necessary for the purposes arising from the Administrator's legitimate interests - consisting of the operation and maintenance of the Website and the form builder services.The data shall be stored for the period of existence of the legitimate interest pursued by the Administrator, but no longer than for the period of limitation of the Administrator's claims against the data subject in respect of the Administrator's business activities. The limitation period is determined by law, in particular the Civil Code (the basic limitation period for claims related to the conduct of business activities is three years).
Keeping statistics and analysing traffic on the Website, including form usage analyticsArticle 6(1)(f) of the GDPR Regulation (legitimate interest of the Administrator) - the processing is necessary for the purposes of the Administrator's legitimate interests - consisting of statistics and analysis of traffic on the Website and form builder usage in order to improve the functioning of the Website and increase the reach of the services provided.The data shall be stored for the period of existence of the legitimate interest pursued by the Administrator, but no longer than for the period of limitation of the Administrator's claims against the data subject in respect of the Administrator's business activities. The limitation period is determined by law, in particular the Civil Code (the basic limitation period for claims related to the conduct of business activities is three years).
User authentication and account management for the form builder serviceArticle 6(1)(b) of the GDPR Regulation (performance of a contract) - the processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.The data shall be stored for the period necessary for the performance, termination or otherwise expiry of the user account and service agreement.
Storage and management of form templates, form code, and form-related dataArticle 6(1)(b) of the GDPR Regulation (performance of a contract) - the processing is necessary for the performance of a contract to which the data subject is party in relation to the form builder services.The data shall be stored for the period necessary for providing the form builder services, or until the user requests deletion of their forms and related data.

DATA RECIPIENTS ON THE INTERNET SERVICE

  1. For the proper functioning of the Internet Service, including the proper provision of Electronic Services by the Administrator, it is necessary for the Administrator to use services of external entities (such as cloud hosting providers, authentication services, storage providers). The Administrator exclusively utilizes services of such processing entities that provide sufficient guarantees of implementing appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR Regulation and protects the rights of individuals whose data is processed.
  2. Personal data may be transferred to countries outside the European Economic Area (EEA), including the United States, where our service providers (Stripe and Cloudflare) operate. Such transfers are made under:
    1. Adequacy decisions by the European Commission;
    2. The EU-US Data Privacy Framework (for US-based certified recipients);
    3. Standard Contractual Clauses (SCCs) approved by the European Commission.
    The Administrator ensures that the data subject has the possibility to obtain a copy of their data and information about the specific safeguards applied to data transfers by contacting office@formts.com. The Administrator transfers collected personal data only when necessary for the respective purpose of processing data in accordance with this privacy policy.
  3. Data transfer by the Administrator does not occur in every case and not to all recipients or categories of recipients specified in the privacy policy – the Administrator transfers data only when necessary for the realization of the respective purpose of processing personal data and only to the extent necessary for its implementation.
  4. Personal data of Users of the Internet Service may be transferred to the following recipients or categories of recipients:
    1. Entities processing electronic payments or credit/debit card transactions – in the case of a User who utilizes electronic payment methods or credit/debit cards on the Internet Service, the Administrator provides collected personal data of the User to the selected entity processing such payments on behalf of the Administrator, to the extent necessary for processing the payment made by the User. In the case of the Internet Service, the entity responsible for processing both electronic payments and bank transfers is the Stripe system operated by the entity: Stripe, Inc. (https://stripe.com/).
    2. Cloud service providers supplying the Administrator with technical, IT, and organizational solutions, enabling the Administrator to conduct business operations, including the Internet Service and Electronic Services provided through it. The primary cloud service provider is Cloudflare, Inc. (https://cloudflare.com) for hosting, CDN, and data storage services. Cloudflare is certified under the EU-US Data Privacy Framework and processes data in accordance with their Data Processing Addendum and Standard Contractual Clauses. The Administrator provides collected personal data of the User to the selected provider acting on its behalf only in the case and to the extent necessary for the realization of the respective purpose of data processing in accordance with this privacy policy.
    3. Accounting, legal, and advisory service providers ensuring accounting, legal, or advisory support to the Administrator (in particular, accounting firms, law firms, or debt collection companies) – the Administrator provides collected personal data of the User to the selected provider acting on its behalf only in the case and to the extent necessary for the realization of the respective purpose of data processing in accordance with this privacy policy.
    4. Authentication service providers – in the case of a User who chooses to authenticate using Google Sign-In, the Administrator receives from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) the following data necessary for account creation and authentication:
      • Email address
      • Name (if provided in Google account)
      • Google account identifier
      This data is processed solely for the purpose of authenticating the User and managing their FormTs account. The legal basis for this processing is Article 6(1)(b) of the GDPR (performance of a contract). Google's privacy policy is available at: https://policies.google.com/privacy
    5. Analytics service providers – the Administrator uses Google Analytics 4, a web analytics service provided by Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland). Google Analytics uses cookies to analyze how Users use the Website. The information generated by the cookie about the User's use of the Website may be transmitted to and stored by Google on servers, including servers in the United States.
      • Google Analytics cookies are only set after the User has given explicit consent through the cookie consent banner displayed on the Website.
      • Data collected includes: pages visited, time spent on pages, traffic sources, device and browser information, and approximate geographic location (country/city level).
      • IP anonymization is enabled by default in Google Analytics 4, meaning the full IP address is not stored.
      • Data retention period is set to 14 months in the Administrator's Google Analytics configuration.
      • For data transfers to the United States, Google LLC is certified under the EU-US Data Privacy Framework (adequacy decision adopted by the European Commission on 10 July 2023), ensuring an adequate level of protection for personal data transferred to the United States in accordance with Article 45 of the GDPR.
      • The legal basis for this processing is Article 6(1)(a) of the GDPR (consent).
      • Users can withdraw consent at any time by clicking "Cookie Settings" in the website footer. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
      • Users can also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
      Google's privacy policy is available at: https://policies.google.com/privacy
  5. When Customers use the FormTs Service to create forms that collect personal data from third parties (form respondents), the following applies:
    1. The Customer acts as the Data Controller for the personal data collected through their forms;
    2. FormTs acts as a Data Processor processing data on behalf of the Customer;
    3. FormTs processes form submission data solely for providing the FormTs Service and in accordance with the Customer's instructions;
    4. Form respondent data is stored on Cloudflare infrastructure with appropriate safeguards for international data transfers as described in section 4.2;
    5. Customers are responsible for ensuring they have a lawful basis to collect and process personal data through their forms, including providing appropriate privacy notices to form respondents.
  6. Business Customers who require a Data Processing Agreement (DPA) to comply with their data protection obligations may request one by contacting office@formts.com. The DPA sets out the terms under which FormTs processes personal data on behalf of the Customer and includes Standard Contractual Clauses where applicable.

PROFILING ON THE INTERNET SERVICE

  1. The GDPR Regulation imposes an obligation on the Administrator to inform about automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR Regulation, and – at least in these cases – to provide essential information about the principles of their making, as well as the significance and anticipated consequences of such processing for the data subject. Bearing this in mind, the Administrator provides information regarding potential profiling in this section of the privacy policy.
  2. The Administrator may use profiling on the Internet Service for direct marketing purposes and to improve user experience with the form builder service, but the decisions made on its basis by the Administrator do not concern the conclusion or refusal to conclude a Service Agreement or the possibility of using Electronic Services on the Internet Service. The result of using profiling on the Internet Service may include, for example, reminders of unfinished form creation actions on the Service, sending feature updates, or proposals of form templates that may correspond to the interests or preferences of a particular person, or proposing better terms compared to the standard offer of the Internet Service. Despite profiling, the individual freely decides whether they want to take advantage of, for example, the offer or feature recommendations received in this way.
  3. Profiling on the Internet Service involves the automatic analysis or prediction of the behaviour of a particular person on the Internet Service website or through the analysis of previous form creation activities or actions taken on the Internet Service website. The condition for such profiling is the possession of personal data of a particular person by the Administrator, in order to subsequently send them, for example, relevant form templates or feature recommendations.
  4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

RIGHTS OF THE DATA SUBJECT

  1. Right of access, rectification, restriction, erasure, or portability – the data subject has the right to request from the Administrator access to their personal data, their rectification, erasure ("right to be forgotten"), or restriction of processing, and also has the right to object to processing, as well as the right to data portability. Detailed conditions for exercising the rights mentioned above are indicated in Articles 15-21 of the GDPR Regulation.
  2. Right to withdraw consent at any time – the data subject whose data are processed by the Administrator based on the consent given (based on Article 6(1)(a) or Article 9(2)(a) of the GDPR Regulation) has the right to withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  3. Right to lodge a complaint with a supervisory authority – the data subject whose data are processed by the Administrator has the right to lodge a complaint with the supervisory authority in the manner and procedure specified in the provisions of the GDPR Regulation and Polish law, in particular, the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.
  4. Right to object – the data subject has the right at any time to object, for reasons relating to their particular situation, to the processing of their personal data based on Article 6(1)(e) (public interest or official authority) or (f) (legitimate interests pursued by the controller) of the GDPR Regulation, including profiling based on these provisions. In such a case, the Administrator may no longer process this personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defence of legal claims.
  5. Right to object to direct marketing – if personal data are processed for direct marketing purposes, the data subject has the right at any time to object to the processing of their personal data for such marketing, including profiling, to the extent that the processing is related to such direct marketing.
  6. In order to exercise the rights referred to in this section of the privacy policy, you can contact the Administrator by sending an appropriate message in writing or by email to the Administrator's address specified at the beginning of the privacy policy.

COOKIES ON THE INTERNET SERVICE

  1. Cookies are small text information files in the form of text files, sent by the server and saved on the side of the person visiting the Internet Service website (e.g., on the hard drive of a computer, laptop, or on the memory card of a smartphone – depending on the device used by the visitor of the Internet Service). Detailed information about cookies, as well as the history of their creation, can be found, among others, here: (https://en.wikipedia.org/wiki/HTTP_cookie).
  2. Cookies that may be sent by the Internet Service website can be divided into various types, according to the following criteria:
    By their provider:

    their own (created by the Administrator's website) and owned by third parties (other than the Administrator)     		By their duration of storage on the device of the visitor to the Website:
    1. session files (stored until you log out or leave the Website or switch off your web browser) and permanent (stored for a specific period of time, defined by the parameters of each file or until manual removal)
    		With regard to the purpose of their use:
    1. essential (enabling the proper functioning of the Website page),
    2. functional/preferential (enabling adjustment of the website's page to the visitor's preferences)
    3. analytical and performance (gathering information on the use of the Website page)
  3. The Administrator may process the data contained in Cookies when visitors use the Website for the following specific purposes:
    • identify users as logged in to the Website and show that they are logged in (essential cookies)
    • storing data from completed forms, form builder states, surveys or login data for the Website (essential and/or functional/preference cookies)
    • remembering form templates and form builder configurations for the purpose of improving user experience (cookies required)
    • adapting the content of the Website to the individual preferences of the Customer (e.g. as regards colours, font size, page layout, form builder interface preferences) and optimising the use of the Website's pages (functional/preference cookies)
    • keep anonymous statistics on how the Website and form builder are used (analytical and performance cookies)
  4. The following analytical cookies are used on the Website (only after User consent):
    Cookie NameProviderPurposeDuration
    _gaGoogle AnalyticsDistinguishes unique users by assigning a randomly generated number as a client identifier2 years
    _ga_*Google AnalyticsMaintains session state and tracks user interactions across pages2 years
    These cookies are set only after the User clicks "Accept" on the cookie consent banner. Users can change their preference at any time by clicking "Cookie Settings" in the website footer.
  5. It is possible to check in the most popular web browsers which cookies (including the duration of the cookies and their provider) are being sent by the Website at any given time, as follows:
    In the Chrome browser:

    (1) in the address bar, click on the padlock icon on the left, (2) go to the 'Cookies' tab.     		In the Firefox browser:

    (1) in the address bar, click on the shield icon on the left, (2) go to the 'Allowed' or 'Blocked' tab, (3) click on the box 'Inter-site tracking cookies', 'Social media tracking elements' or 'Content with tracking elements'     		Internet Explorer browser:

    (1) click the 'Tools' menu, (2) go to the 'Internet Options' tab, (3) go to the 'General' tab, (4) go to the 'Settings' tab, (5) click the 'View Files' box
    In the Opera browser:

    (1) in the address bar, click on the padlock icon on the left, (2) go to the 'Cookies' tab.     		In the Safari browser:

    (1) click on the 'Preferences' menu, (2) go to the 'Privacy' tab, (3) click on the box 'Manage site data'     		Irrespective of the browser:

    using the tools available, for example, at: https://www.cookiemetrix.com/ or: https://www.cookie-checker.com/
  6. By default, most web browsers available on the market accept the storage of cookies. Everyone has the ability to determine the conditions of using cookies through the settings of their own web browser. This means that it is possible, for example, to partially limit (temporarily) or completely disable the ability to store cookies – however, in the latter case, this may affect some functionalities of the Internet Service.
  7. The settings of the internet browser regarding cookies are important from the point of view of consent to the use of cookies by the Internet Service – according to the regulations, such consent can also be expressed through the settings of the internet browser. Detailed information on changing settings regarding cookies and their self-deletion in the most popular internet browsers is available in the browser's help section and on the following pages (simply click on the respective link):
    • [Chrome browser] (https://support.google.com/chrome/answer/95647)
    • [Firefox browser] (https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences)
    • [Internet Explorer browser] (https://support.microsoft.com/en-us/topic/delete-and-manage-cookies-168dab11-0753-043d-7c16-ede5947fc64d)
    • [Opera browser] (https://help.opera.com/en/latest/web-preferences/#cookies)
    • [Safari browser] (https://support.apple.com/en-us/guide/safari/manage-cookies-and-website-data-sfri11471/mac)
    • [Microsoft Edge browser] (https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09)

FINAL PROVISIONS

The Internet Service may contain links to other websites. The Administrator encourages you to familiarize yourself with the privacy policy established there after moving to other sites. This privacy policy applies only to the Administrator's Internet Service.