Attachment no. 1 to the Terms and Conditions
1) GENERAL PROVISIONS
- The Data Controller of personal data collected through the Application is Łukasz Wiatrak Firnity (address: ul. Słomiana 24/20, 30-316 Kraków), having an e-mail address: firstname.lastname@example.org – hereinafter referred to as the “Data Controller” who is also the Service Provider of the Application.
- Personal data in the Application are processed by the Data Controller in accordance with applicable law, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as “GDPR” or “GDPR Regulation”. The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
- The Data Controller assures diligence in protecting the interests of persons to whom the personal data processed by him relates, and in particular he is responsible and ensures that the data collected by him are: (1) processed in accordance with the law; (2) collected for specified, legitimate purposes and not subject to further processing incompatible with those purposes; (3) factually correct and adequate in relation to the purposes for which they are processed; (4) stored in a form that allows identification of the data subjects, no longer than necessary to achieve the purpose of processing, and (5) processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage by appropriate technical or organizational measures.
- Taking into account the nature, scope, context and purposes of processing as well as the risk of violation of the rights or freedoms of data subjects of different probability and severity of threat, the Data Controller implements appropriate technical and organizational measures to process it in accordance with the GDPR Regulation and to be able to demonstrate it. These measures are reviewed and updated as necessary. The Data Controller uses technical measures to prevent unauthorized persons from acquiring and modifying personal data sent electronically.
2) GROUNDS FOR DATA PROCESSING
- The Data Controller is entitled to process personal data in cases where - and to the extent that - at least one of the following conditions is met: (1) the data subject has given consent to the processing of his personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Data Controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3) PURPOSE, GROUNDS AND PERIOD OF DATA PROCESSING IN THE APPLICATION
- Each time the purpose, grounds and period as well as the recipient of personal data processed by the Data Controller result from actions taken by a given User in the Application.
- The Data Controller may process personal data in the Application for the following purposes, on grounds and during the periods indicated in the table below
|The purpose of data processing
|The grounds of data processing
|The period of data processing
|Performance of a contract for the use of the Application or taking actions at the request of the data subject prior to entering into a contract
|Article 6 para. 1 letter b) of the GDPR Regulation (performance of a contract) - processing is necessary for the performance of a contract, including to the extent necessary to take steps at the request of the data subject prior to entering into a contract.
|The data is stored for the period necessary to perform, terminate or expire in another way of the concluded contract.
|Using the Application by the User and ensuring its proper functioning
|Article 6 para. 1 letter b) of the GDPR Regulation (performance of a contract) - processing is necessary for the data subject to be able to properly use specific functionalities of the Application, which for its operation requires providing the User’s data or downloading this data via the Application directly from the Jira Cloud product and Discord services under the User’s authorization.
The above actions include displaying, modifying and adding User content stored in the Jira Cloud product and Discord services integrated with the Application and are undertaken at the request of the Application User.
|The data is stored for the period necessary for the correct use by the data subject of specific functionalities of the Application or the data subject ceases to use this functionality, but no longer than until the termination or expiry in another way of the concluded contract for the use of the Application by the User.
|Sending direct messages and server messages to Discord services via the Application in the event of certain interactions of the User with the Application
|Article 6 para. 1 letter b) of the GDPR Regulation (performance of the contract) - processing is necessary to implement the main assumptions of the Application and for the data subject to be able to use functionalities of the Application in a manner consistent with their intended use.
The above actions include sending Discord server messages and direct messages to the data subject about an issue, comment or reaction in the Application or sending a direct message when the data subject has been mentioned by another person using the Application as part of the same Jira Cloud product in the content of issues or comments.
|The data is stored for the period necessary to send the message to the data subject, but no longer than until the termination or otherwise expiry of the concluded contract for the use of the Application by the User.
|Reading the content of Discord messages to identify and retrieve information about Jira issues when mentioned by users within the Discord platform, and providing relevant details back to the users as an embed via the Jira bot.
|Article 6 para. 1 letter b) of the GDPR Regulation (performance of the contract) - processing is necessary for the functionality of the Application and to enable users to receive accurate and up-to-date information about Jira issues mentioned in Discord messages, in line with the intended use of the Application.
|The data is stored for the period necessary to identify the mentioned Jira ticket/issue, retrieve its information, and send the embed containing the relevant details to the Discord server. The data will not be stored for a longer period than the duration of the contract for the use of the Application by the User.
|Determination, investigation or defense of claims which may be raised by the Data Controller or which may be raised against the Data Controller.
|Article 6 para. 1 letter f) of the GDPR Regulation (legitimate interest of the Data Controller) - processing is necessary for purposes arising from the legitimate interests of the Data Controller - consisting in establishing, investigating or defending claims that may be raised by the Data Controller or which may be raised against the Data Controller
|The data is stored for the duration of the legitimate interest pursued by the Data Controller, but no longer than for the prescription period of claims that may be raised against the Data Controller (the basic prescription period for claims against the Data Controller is six years).
|Keeping statistics and analyzing traffic in the Application
|Article 6 para. 1 letter f) of the GDPR Regulation (legitimate interest of the Data Controller) - processing is necessary for purposes resulting from the legitimate interests of the Data Controller - consisting in keeping statistics and analyzing traffic in the Application in order to improve the functioning of the Application.
|The data is stored for the duration of the legitimate interest pursued by the Data Controller, however no longer than for the prescription period of the Data Controller’s claims against the data subject. The prescription period is determined by law, in particular the Polish Civil Code (the basic prescription period for claims connected with conducting a business activity is three years).
4) RECIPIENTS OF DATA IN THE APPLICATION
- In order to assure proper functioning of the Application, it is necessary for the Data Controller to use the services of external entities (such as e.g. software supplier). The Data Controller uses solely the services of such processing entities that provide sufficient guarantees for the implementation of appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR Regulation and protects the rights of data subjects.
- The data of the Application User’s can be transferred to the following recipients or categories of recipients:
5) PROFILING IN THE APPLICATION
- The Data Controller may use profiling for the purposes of direct marketing in the Application, but the decisions made on its basis by the Data Controller do not relate to the conclusion or refusal to conclude a contract or the possibility of using the functionality in the Application.
- Profiling in the Application consists in the automatic analysis or forecast of a given person’s behavior as part of the Application, e.g. by analyzing the previous history of activities undertaken in the Application. The condition of such profiling is that the Data Controller possesses personal data of a given person.
- The data subject has the right not to be subject to a decision that is based solely on automated processing, including profiling, and produces legal effects on that person or similarly significantly affects him.
6) THE DATA SUBJECT’S RIGHTS
- The right to access, rectify, limit, delete or transfer - the data subject has the right to request the Data Controller to access his personal data, rectify it, delete it (“right to be forgotten”) or limit processing and has the right to object to processing, and also has the right to transfer his data. Detailed conditions for exercising the abovementioned rights are indicated in art. 15-21 of the GDPR Regulation.
- The right to withdraw consent at any time - a person whose data is processed by the Data Controller on the basis of expressed consent (pursuant to art. 6 para. 1 letter a) or art. 9 para. 2 letter a) of the GDPR Regulation), has the right to withdraw consent at any time without affecting the lawfulness of the processing that was carried out on the basis of his consent before its withdrawal.
- Right to lodge a complaint to the supervisory body - a person whose data is processed by the Data Controller has the right to lodge a complaint to the supervisory body in the manner and according to a procedure specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory body in Poland is the President of the Personal Data Protection Office.
- Right to object - the data subject has the right to object at any time - for reasons related to his particular situation - to the processing of personal data concerning him based on art. 6 para. 1 letter e) (public interest or tasks) or f) (legitimate interest of the Data Controller), including profiling based on these provisions. In such a case, the Data Controller may no longer process this personal data, unless he demonstrates the existence of valid legitimate grounds for processing, overriding the interests, rights and freedoms of the data subject, or interests for establishing, investigating or defending claims.
- Right to object to direct marketing - if personal data is processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning him for the purposes of such marketing, including profiling, to the extent in which processing is associated with such direct marketing.
7) COOKIES AND ANALYTICS
- Cookies are small pieces of text files sent by the server and saved at the visitor’s of the Application device (e.g. on the hard disk of a computer, laptop, or smartphone’s memory card – depending on the type of device used by the Application’s visitor). Detailed information on Cookies as well as the history of their origin can be found e.g. at: https://en.wikipedia.org/wiki/HTTP_cookie.
- Cookies, which can be sent via the Application, can be divided into various types, according to the following criteria:
|With regard to the provider:
1) own (created by the Controller’s Application) and
2) belonging to other persons/third parties (other than the Controller)
|With regard to the period of their retention on the appliance of the Application’s visitor:
1) session cookies (stored till the moment of closing of the Application or a browser) and
2) persistent cookies (having some expiration period, defined by parameters of each file or until they are removed by hand)
|With regard to the purpose of their usage:
1) strictly necessary cookies (enabling proper functioning of the Application),
2) functional/preferential cookies (enabling adjustment of the Application to the visitor’s preferences),
3) analytical and performance cookies (collecting information on the use of the Application)
- The Controller may process information contained in Cookies during visiting of the Application for the following particular reasons:
|Purposes of using Cookies in the Controller’s Application:
1) storing data necessary for the configuration of the third-party application – Slack for the time of carrying out said configuration by User (strictly necessary Cookies and/or functional/preferential Cookies)
2) keeping anonymous statistics and analyzing the traffics and methods of use of the Application, including the use of tools and scripts tracking the User’s behaviour in the Application which may be provided by third parties (analytical and performance Cookies)
3) saving data from the filled-in forms (strictly necessary Cookies and/or functional/preferential Cookies)
- Checking in the most popular internet browsers, which Cookie files (including the expiry period of Cookies and their provider) are being sent in a given moment by the Application can be done, as follows:
|In Chrome browser:
(1) in the address bar, click the ’locked’ icon on the left, (2) go to the benchmark „Cookie files”.
|In Firefox browser:
(1) in the address bar, click the ’shield’ icon on the left, (2) go to the benchmark „Allowed” or „Blocked”, (3) click the button „Tracking cookies between websites”, „Tracing elements of social networks or „Content with tracing elements”
|In Internet Explorer browser:
(1) Click „Tools” menu, (2) go to „Internet options” benchmark, (3) go to „General” benchmark, (4) then go to „Settings”, (5) click the button „Display files”
|In Opera browser:
(1) in the address bar, click the ’locked’ icon on the left, (2) go to the benchmark „Cookie files”.
|In Safari browser:
(1) click menu „Preferences”, (2) go to „Privacy” benchmark, (3) click the button „Manage website data”
|Independent of the browser used, you can apply tools available e.g. at: https://www.cookiemetrix.com/ or: https://www.cookie-checker.com/
- As a standard, most internet browsers on the market accept saving Cookies by default. Every person has the possibility to specify the conditions of using Cookies in the browser settings. It means that one may, e.g. partially restrict (e.g. temporarily) or fully disable saving Cookies – in the latter case it may have an impact on some functionalities of the Application.
- The Controller may use Google Analytics, Universal Analytics services in the Application, which are provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). The services help the Controller to analyse the frequency of visits in the Application. The data collected are processed under the above services to generate statistics helpful while administering the Application. The data are of collective nature. Using the above services in the Application, the Controller collects such data as the sources and medium of acquiring visitors of the Application and the manner of their conduct in the Application, information concerning their devices and browsers used to visit the website, IP and domain, geographical data and demographic data (age, sex) and interests.
- It is possible to easily block sharing information with Google Analytics as regards the activity in the Application – install to that end an opt-out add-on made available by Google Ireland Ltd. available at: https://tools.google.com/dlpage/gaoptout?hl=pl.
- The Data Controller may use the Microsoft Application Insights services provided by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA) in the Application. These services help the Data Controller keep statistics and analyze traffic in the Application and optimize its functioning. By using the above services in the Application, the Data Controller collects data such as the behavior of people using the Application and information about devices and browsers via which they visit the Application. More information on how Microsoft Application Insights works can be found at: https://docs.microsoft.com/en-us/azure/application-insights/app-insights-data-retention-privacy.
- The Data Controller may use in the Application the Sentry tool provided by Functional Software Inc. (132 Hawthorne St, San Francisco, CA 94107, USA). The Sentry tool is used to detect errors that Users may encounter while using the Application, for the purpose of their later removal and repair by the Data Controller. The collected data may therefore include the history of the User’s activity in the Application, as well as information about the devices and browsers of the person who uses the Application. More information on the functioning of the Sentry tool can be found at the following website: https://sentry.io/privacy/.
8) FINAL PROVISIONS