Privacy Policy

The Privacy Policy describes the rules for the processing of personal data on the website https://virtualcar360.com (“the Platform”).

The Privacy Policy is for information purposes and serves satisfaction of the disclosure requirements imposed on the data controller under the GDPR, i.e. Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Anyone who uses the Platform should become familiar with the Privacy Policy. The Privacy Policy determines the rules for processing personal data and using cookies and other tracking technologies used in connection with the functioning of the Platform.

1. PERSONAL DATA CONTROLLER
   1. The controller of personal data is Exacto Holding sp. z o.o. with its registered office in Warsaw (01-745) at ul. Jasnodworska 3B/271, entered in the register of entrepreneurs of the National Court Register (KRS) maintained by the District Court for the capital city of Warsaw, 12th Commercial Division of the National Court Register, under number KRS: 0000623940, Tax Identification Number NIP: 5222980786, National Business Registry Number REGON: 143758000, share capital in the amount of PLN 250,000 (“Service Provider”).
   1. Each data subject may contact the Service Provider as the controller of his/her personal data by sending a message to the e-mail address: support@exacto-group.com, or a letter to the address stated in clause 1.1. above.
   1. The Service Provider has appointed a Data Protection Officer – Mr Bartłomiej Serafinowicz. You can contact him by e-mail at iod@exacto-group.com and at telephone number 664-272-989.

• DATA PROCESSING METHOD
  • The purpose and scope of the processed personal data are determined by the scope of the consents and data provided by a data subject before starting to use the Platform. The processing of personal data handled by the Service Provider may concern in particular: i) name; ii) surname; iii) e-mail address; iv) name of the company (employer/mandator); v) telephone number; vi) IP address; vii) other data voluntarily provided by the relevant person.
  • Providing personal data is voluntary, but failure to state personal data will prevent the contact via the contact form agents. Due to the nature of actions taken up by the Service Provider, they cannot be provided anonymously.
  • The personal data will be processed for the following purposes:

purpose	scope of data	legal basis	processing period
providing access to the Platform	IP address, cookies necessary to display the Platform	Article 6(1)(f) of the GDPR – legitimate interest of the Service Provider as the controller that consists in enabling the Platform to be displayed	until the end of the User's presence on the Platform
contacting the data subjects initiated via contact form	Name, surname, phone number, e-mail address, company name (employer/mandator), other data voluntarily provided by the data subject	Article 6(1)(f) of the GDPR – legitimate interest of the Service Provider as the controller that consists in responding to queries and correspondence provided directly by data subjects with the use of the functionalities of the Platform	until correspondence ends or the data subject objects
contact via phone with data subjects	phone number, first and last name, other data provided voluntarily by the data subject	Article 6(1)(f) of the GDPR – legitimate interest of the Service Provider as the controller that consists in responding to queries and correspondence provided directly by data subjects	until the call ends or the data subject objects
analysing traffic on the Platform	IP address, Cookies	article 6(1)(a) of the GDPR – consent given by the data subject	until data cease to be useful or the data subject withdraws the consent
sending Newsletter	e-mail address	Article 6(1)(a) of the GDPR – consent given by the data subject	where consent is given – until the data cease to be useful for the purpose of processing or the data subject withdraws the consent

• If the Service Provider is advised that the relevant person uses the Platform in violation of applicable legal provisions, then the Service Provider may process the User’s personal data in a scope required for establishing his/her liability. This will be based on Article 6(1)(f) of the GDPR, i.e. legitimate interest of the Service Provider that consists in its ability to seek claims and protect against claims.
  • The Service Provider will not transfer personal data to third countries (beyond the European Economic Area). However, if necessary, the Service Provider ensures that: (i) it will apply one of the legal instruments permitted by the GDPR to legalise the transfer; (ii) it will verify the recipient of the data as well as assess the ability of the country of that recipient to protect the rights and freedoms of the data subject; (iii) it will inform the persons whose data are to be transferred to a third country and indicate their rights related to the transfer prior to the transfer.

• RECIPIENTS OF DATA
  • The Service Provider may entrust the processing of the Users’ personal data to third parties. The recipients of the Users’ data may involve in particular: hosting provider, e-mail operator, software development company, software provider, provider of the service for sending e-mails, entities providing cloud.
  • The personal data collected by the Service Provider may also be disclosed to competent state bodies or institutions (law enforcement authorities, courts, security service) authorised to gain access to them on the basis of generally applicable legal provisions, or other persons and entities – in the cases prescribed by generally applicable legal provisions.
  • Each entity to which the Service Provider transfers personal data for processing on the basis of a personal data transfer agreement (“Data Transfer Agreement”) guarantees an adequate level of security and confidentiality of the processing of personal data. An entity processing personal data on the basis of the Data Transfer Agreement may process personal data through another entity only upon prior consent of the Service Provider.
  • The Users’ personal data may be disclosed to unauthorised entities under the Privacy Policy only upon prior written consent of the data subject.

• RIGHTS OF DATA SUBJECTS
  • Each data subject has the right to: (a) delete the collected personal data referring to him/her both from the system belonging to the Service Provider as well as from bases of entities that have co-operated with the Service Provider, (b) restrict the processing of data, (c) portability of the personal data collected by the Service Provider and referring to the relevant person, in this to receive them in a structured form, (d) request the Service Provider to enable him/her access to his/her personal data and to rectify them, (e) object to personal data processing, (f) withdraw the consent towards the Service Provider at any time without affecting the legality of the personal data processing carried out on the basis of the consent before it is withdrawn, (g) lodge a complaint about the Service Provider to the supervisory authority (President of the Personal Data Protection Office).
  • The data subjects may exercise their rights in particular by means of the communication channels referred to in clause 1.2. of this Privacy Policy or by contacting the DPO (his details are provided in clause 1.3.).
  • If a data subject wishes to exercise either of his/her rights, we recommend to contact us at the following e-mail address support@exacto-group.com or directly with the DPO. This would enable the Service Provider to take actions as quickly as possible.

• OTHER DATA
  • The Service Provider may store http enquiries, therefore the files containing web server logs may store certain data related to the Users, including the IP address of the computer sending the enquiry, the name of the User’s station – identification through http protocol, date and system time of registration in the Application and receipt of the enquiry, number of bytes sent by the server, the URL address of the site visited by the User before, information concerning the Users’ browsers, information concerning errors occurred by the realization of the http transaction. Web server logs may be collected for the purposes of the proper administration of the Platform. Only persons authorised to administer the IT system have access to the data referred to above. Files containing web server logs may be analysed for the purposes of preparing statistics of traffic on the Platform and occurring errors. Summary of such details does not identify Users.
  • The Service Provider may use analytics tools of  Google Analytics as part of which it has access to anonymised information on the Users, including: information on the operating system and Internet browser used by the User, time spent on the Platform. The details referred to in the preceding sentence are not combined with the User’s personal data and do not enable his/her identification and are not personal data within the meaning of the GDPR. 
  • The scope of the use of the tools referred to in clause 5.2. above in relation to the User depends on the scope of consents given by the User regarding the use of Cookies.

• SECURITY
  • The Service Provider takes care of the security of the Users’ personal data. For this purpose, the Service Provider has implemented appropriate safeguards and means of protection of personal data, taking into account risks connected with personal data processing processes. In particular, the Service Provider applies technological and organisational means in order to secure personal data against being disclosed to unauthorised persons, taken over by an unauthorised person, changed, lost, damaged or destroyed, as well as processed in violation of the GDPR by using, among other things, SSL certificates. The compilations of the personal data collected by the Service Provider is stored on secured servers, moreover, personal data are also secured by internal procedures of the Service Provider related to the processing of personal data and information security policy.
  • Irrespective of the foregoing, the Service Provider states that using the Internet and services provided by electronic means may pose a threat of malware breaking into the ICT system and device of the relevant person, as well as a third party gaining access to data, including personal data. In order to minimise such threats, each person should use appropriate technical safeguards (antivirus programs) or programs securing identification in the Internet.

• COOKIES
  • For the purposes of the correct operation of the Platform, the Service Provider uses cookie files (“Cookies”). Cookies are text information recorded on the User’s device (computer or smartphone), which may be read by the ICT system of the Platform or ICT systems of third parties.
  • The Service Provider uses two types of Cookies: (a) session cookies, which are permanently deleted upon closing the session of the browser; (b) permanent cookies, which remain on the device after closing the session until they are deleted.
  • It is not possible to determine the identity or otherwise identify a User on the basis of Cookies, whether session or permanent. Cookies prevent the collection of any personal data.
  • Files generated directly by the Service Provider may not be read by other websites. Third-party Cookies (i.e. Cookies provided by entities co-operating with the Service Provider) may be read by an external server.
  • The User may individually change the cookie settings at any time, stating the conditions of their storage, through the Internet browser settings.
  • The User may individually disable storing Cookies on his/her device at any time in accordance with the instructions of the Internet browser producer, but this may disable some or all functionalities of the Platform.
  • The User may individually remove Cookies stored on his/her device at any time in accordance with the instructions of the Internet browser producer.
  • The Service Provider uses own Cookies for the following purposes: authentication of the Platform adjustment of their content to the preferences or conduct of the Users; analysis and research of views, including click number and path taken by the Users on the Platform to improve their appearance and organisation of content, time spent on the Platform, number of Users and frequency of their visits to the Platform.
  • The Service Provider uses Third-party Cookies for the purpose of preparing anonymous statistics to optimise the functionality of the Platform and analysing and examining the Users’ conduct with respect to the Platform.
  • Details concerning Cookie support are available in the settings of the browser used by the User.

• FINAL PROVISIONS
  • The Privacy Policy comes into force on: 21.02.2024