PRIVACY POLICY

1. GENERAL PROVISIONS

Capitalised terms used in this Privacy Policy shall have the meanings assigned to them in the TipTip Terms and Conditions available at: https://tiptip.com.pl, or in this Privacy Policy.

In respect of the privacy of the Users of the Service and in order to comply with the requirements arising from applicable laws and regulations, the Administrator – TipTip spółka z ograniczoną odpowiedzialnością, with its registered office in Warsaw, at ul. Młynarska 8 / 12, 01-194 Warsaw, Poland, hereby publishes this document explaining and informing how the data provided by the Users of the Service is collected, processed and protected.

Before commencing use of the Service or registering an account, the User should familiarise themselves with the contents of this Privacy Policy.

2. COLLECTION AND PROCESSING OF DATA BY TIPTIP

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) (OJ EU L 119, p. 1), the Administrator of the personal data provided by the Partner while using the Service is TipTip spółka z ograniczoną odpowiedzialnością, with its registered office in Warsaw, at ul. Młynarska 8 / 12, 01-194 Warsaw, Poland. The Administrator processes personal data in accordance with the applicable provisions of law, including the above Regulation of the European Parliament and of the Council (“GDPR”) and the Act of 18 July 2002 on the Provision of Electronic Services (consolidated text: Journal of Laws of 2020, item 344).

The Administrator enables Customers to use the Service anonymously; however, in order to use the Service, it is necessary to provide the data indicated by the Payment Operator cooperating with the Administrator. For the purpose of providing the Service, the Administrator is provided with the data submitted by the Customer, namely: first name, surname and e-mail address.

The Administrator enables Partners to use the Service anonymously; however, in order to obtain full access to the services and functionalities offered through the Service under the Agreement, registration by completing the registration form is recommended. Provision of data by the Partner is voluntary; however, failure to provide certain data may make it impossible to register with the Service, use certain services, receive notifications, etc.

During registration, the Administrator shall inform the Partner which of the data specified in the registration form is necessary for the performance of the services and shall indicate which data is additional and does not affect the registration process. For the purpose of performing the Agreement, the Administrator may make certain Partner data publicly available within the Service (e.g. first name).

The User independently decides which additional data provided by them (e.g. profile picture) will be made public in the Service.

Regardless of the above, the Administrator may process photographs provided solely for the purpose of identity verification – such photographs are not published and are subject to the processing rules set out in this Policy.

In addition, in order to enhance the security of the TipTip Service and prevent abuse, the Administrator may process the User’s personal data in the form of their image recorded in a photograph (e.g. a selfie or facial photograph).

Such data may be processed solely for the following purposes:
- confirming the User’s identity,

- securing transactions carried out through the Service,

- preventing fraud and breaches of the Terms and Conditions.

Providing a photograph may be required where this is necessary to verify an account or specific activities within the Service.

The legal basis for the processing of such data is the Administrator’s legitimate interest consisting in ensuring the security of the services and protection against abuse (Article 6(1)(f) GDPR).

In order to register with the Service, the Partner will be asked to provide at least the following data:

• Username and password;
• First name and surname;
• Address;
• E-mail address;
• Nationality;
• Date of birth or PESEL number;
• Identity document number;
• Bank account number used for receiving Tips..

The Administrator also receives information about the Partner from the Payment Operator – the entity enabling the Partner to receive a Tip in non-cash form. The Administrator receives from the Payment Operator information on the payment status of the Tip.

In addition, the Administrator collects information concerning Users’ interactions with the Service, its functionalities and services, including: device and login information, so-called system logs containing the date, time of the visit and the IP address of the device from which the connection was made, as well as data concerning statistics on the use of the Service and traffic to and from individual websites. In addition to the performance of the Agreement and the provision of services by the Administrator, the above activities are aimed at improving the Service and the Administrator’s services and adapting them to the needs of the Partner and the Customer. Data stored in server logs may be associated with specific persons using the Service and may be used by the Administrator to identify the User.

Where registration for or logging into the Account takes place via another platform verifying and authenticating the Partner, the Administrator receives data from entities providing such a service, i.e. Facebook, Google or Twitter. The Administrator receives from them the following data: e-mail address, gender, user identifier, date of birth, and automatically generated username.

Verification of the Partner’s Identity

For the purpose of fulfilling legal obligations and ensuring the security of TipTip’s services, TipTip applies a two-step Partner identity verification process (a verification transfer in the amount of PLN 1 and photo verification, including the processing of data from the identity document and facial image data (selfie/liveness) in order to confirm identity and prevent abuse).

In justified cases, TipTip may carry out repeated identity verification (re-verification).

Data obtained in the verification process is not published in the Service.

3. PURPOSES AND LEGAL BASES FOR DATA PROCESSING

Customer data is processed in particular for the following purposes:

• providing Customers with the Service through the Service Platform,
• responding to complaints and grievances,
• ensuring compliance with legal requirements where the law requires the processing of personal data,
• verifying users’ identity and preventing fraud and abuse within the TipTip Service,
• ensuring the security of information processed by the Administrator,
• managing ICT systems,
• pursuing claims.

Partner data is processed in particular for the following purposes:

• providing services to Partners under the Agreement,
• measuring and improving services,
• providing information about the services and functionalities of the Service, as well as about the services of other companies cooperating with the Administrator,
• making advertising space available within the Service,
• conducting direct marketing,
• sending free notifications containing information concerning the Administrator, provided that the Partner has previously consented to receiving promotional correspondence from the Administrator,
• responding to complaints and grievances,
• ensuring compliance with legal requirements where the law requires the processing of personal data,
• ensuring the security of information processed by the Administrator,
• managing ICT systems,
• pursuing claims.

To the extent that the Partner’s personal data is processed for the purpose of improving the quality of the Administrator’s services, providing information about the Administrator’s other services, as well as delivering marketing content within the Service and conducting research and analyses relating to products, services and advertising effectiveness, the legal basis for the processing of the Partner’s personal data is the Administrator’s legitimate interest. It is in the Administrator’s interest to provide and improve its services, ensure their highest quality, and inform Partners or Customers about them.

Third parties may have access to the Administrator’s websites in order to place their own code on them, enabling the analysis of the User’s online activity for the purpose of displaying advertisements tailored to the User’s interests and preferences, by means of automated comparison of the User’s interests and preferences with model interests and preferences of Internet users (profiling).

In this respect, the Administrator’s contractors are independent administrators of the User’s personal data, separate from the Administrator (TipTip sp. z o.o.), and the principles and obligations applicable to their processing of the User’s personal data correspond to those described in this Policy with respect to the Administrator.

The Partner may consent to receiving the newsletter and notifications from the Administrator. The newsletter and notifications may contain content tailored to the Partner’s interests, based on the Partner’s activity within the Service. The Partner may opt out of receiving the newsletter at any time by changing the settings in the Account.

The legal basis for the processing of the User’s personal data by the Administrator is:

a) Article 6(1)(b) GDPR – necessity for the conclusion and performance of the Agreement or the provision of the Service;

b) Article 6(1)(c) GDPR – necessity for compliance with legal obligations incumbent on the Administrator, in particular those arising from anti-money laundering and counter-terrorist financing regulations;

c) Article 6(1)(f) GDPR – the Administrator’s legitimate interest consisting in ensuring the security of the Service, preventing fraud, and pursuing claims.

4. DISCLOSURE OF DATA

As a rule, the Administrator does not disclose Users’ personal data to third parties, whether natural persons or legal entities, except where the Administrator has a legal basis for doing so, upon the request of duly authorised entities, or where such disclosure is necessary for the performance of the services offered by the Administrator.

In connection with the identity verification process and the provision of services, data may be transferred to entities cooperating with the Administrator, in particular: providers of identity verification/photo verification services, the payment operator, and providers of IT and hosting services – solely to the extent necessary to achieve the purposes of the processing.

The User’s data may be disclosed upon request to public authorities or other entities authorised to access such data under the law, in particular where this is necessary to ensure the security of our systems or the rights of other Users.

The User’s data may also be accessed by entities whose services are used by the Administrator for the purpose of providing services to the User (e.g. entities providing hosting for the Service). In such cases, the Administrator enters into appropriate agreements with such entities, the purpose of which is to protect the data against access by unauthorised persons.

Due to the need to prevent certain functions within the Service from being performed by internet robots, the Administrator uses the Google reCAPTCHA mechanism to periodically examine whether the behaviour of Users bears the hallmarks of bot activity. For this reason, the Administrator may disclose the IP address of the User’s computer to Google Inc.

Some of our service providers may store Users’ data outside the territory of the European Economic Area. In such cases, Users’ data may be stored in countries that ensure an adequate level of personal data protection, or in countries that do not ensure such a level of protection. In the latter case, the Administrator safeguards Users’ data by entering into agreements with the Administrator’s service providers containing the so-called Standard Contractual Clauses approved by the European Commission, which guarantee adequate protection of Users’ data in third countries, by relying on the EU-US Privacy Shield programme, or on other legal bases for the transfer of personal data.

The Administrator may disclose anonymous aggregated summaries and statistical statements concerning, for example, the number of persons visiting the Service. However, such data does not make it possible to identify individual users and does not constitute personal data.

5. UPRAWNIENIA UŻYTKOWNIKA

The User is entitled to the following rights in relation to their personal data processed by the Administrator within the Service.

1. Right of access to personal data:

At the User’s request, the Administrator shall confirm what personal data of the User it processes and shall provide the User with a copy of such data. In any case, the Partner has access, through the Account, to the personal data that the Partner has provided to the Administrator.

2. Right to rectification of personal data:

Where the User’s personal data is inaccurate or incomplete, the User may request that the Administrator rectify or complete such data. In any case, the Partner may correct their personal data through the Account.

3. Right to erasure of personal data:

In certain situations, the User may request that the Administrator erase personal data processed by the Administrator (for example, where the data is no longer necessary for the provision of services by the Administrator).

4. Right to restriction of processing of personal data:

In certain situations, the User may request that the Administrator temporarily suspend the processing of their data (for example, by ceasing to send marketing information). By way of example, the User may request restriction of the processing of their personal data where the User objects to the processing or contests the accuracy of the data. Notwithstanding the restriction of processing, the Administrator shall remain entitled to store the personal data.

5. Right to request portability of personal data:

In certain situations (for example, with regard to data processed on the basis of consent), the User also has the right to receive the personal data processed by the Administrator in a structured, commonly used and machine-readable format in order to transmit such data to another administrator.

6. Right to object to the processing of personal data.

The User may request that the Administrator cease processing the User’s personal data where:

1. the Administrator processes the User’s personal data on the basis of its legitimate interest or the legitimate interest of a third party, except where such interests prove to override the User’s interests, rights and freedoms,
2. the User’s data is processed for direct marketing purposes,
3. the processing involves automated decision-making concerning the User, including profiling.

The User may exercise their rights by sending an appropriate request by electronic means to the following e-mail address: [email protected].

6. DATA RETENTION PERIOD

The Administrator retains the User’s personal data only for as long as is necessary to achieve the purposes for which the data was collected. After that period, the data is deleted or anonymised in such a manner that it is no longer possible to identify the User.

Data in the form of photographs submitted solely for the purposes of the technical completion of the verification process may be retained for no longer than 48 hours from the time of submission and shall thereafter be deleted.

Irrespective of the above, data and information necessary to demonstrate compliance by the Administrator with its legal obligations (including AML obligations), verification results, transaction data, and documentation related to the business relationship may be retained for the period required by law.

After the expiry of the required retention periods, the data shall be deleted or anonymised.

Personal data may be retained for a longer period where such an obligation arises under the law or where this is necessary for the Administrator to defend against or pursue claims against the User.

7. MANAGING OPEN SESSIONS – SELECTING THE “KEEP ME LOGGED IN” FUNCTION

During the login process, the Partner may select the “Keep me logged in” function. Selecting this function causes a “cookie” file to be sent to the Partner’s Device for the purpose of remembering the User. Once this function is enabled, the Partner does not need to log in again on that device after closing the browser session. When the browser is reopened, the Partner visiting the Service will be recognised as a logged-in person. If the Partner uses devices to which other persons have access, it is recommended not to select the “keep me logged in” option and to log out of the service each time. It should be noted that enabling the “Keep me logged in” function is not equivalent to the functionality offered by browsers consisting in the browser remembering login credentials and passwords. When the “Keep me logged in” option is used, the logged-in status is remembered, whereas access passwords are not stored, which makes this solution safer from the Partner’s perspective.

8. POLICY ON “COOKIES” AND OTHER MECHANISMS FOR THE AUTOMATIC STORAGE OF DATA ON THE USER’S TERMINAL DEVICE OR DATA AUTOMATICALLY TRANSMITTED BY THE USER

The Service uses automatic data storage mechanisms (such as “cookies”, “Local Storage Object”, and “e-Tag” mechanisms). They are used in order to better adapt the Service to the needs of Users. For the purposes of this policy, automatic data storage mechanisms shall be referred to as “cookies”.

“Cookies” are files stored on the User’s terminal device and are used to identify the User’s browser while using the Service. By means of cookies, the Administrator is provided with statistical information on User traffic, User activity and the manner in which the Service is used. They make it possible to adapt content and services to the User’s preferences.

Most “cookies” are so-called session cookies, which are automatically deleted from the hard drive after the session ends (i.e. after logging out or closing the browser window). Some “cookies” make it possible to recognise the User’s terminal device upon subsequent visits to the Service – they are not deleted automatically and are stored on the terminal device. In the case of mobile devices, a mechanism analogous to that used for desktop devices has been implemented for accepting “cookies”, enabling information related to a given User to be remembered.

The Administrator informs that third parties, including entities not capital-linked to the Administrator, may place their own “cookies” in Users’ browsers for the purpose of displaying advertisements in the Service.

The Administrator may use the services of external service providers in order to collect information on Users’ activity within the Service. Such entities may place their own “cookies” on Users’ devices.

The Service may also use third-party services through which the Administrator obtains anonymised reports concerning the use of the website and the effectiveness of marketing campaigns conducted. A User who does not consent to such monitoring of their behaviour should object by using the tools available on the websites made available by such entities, for example: https://tools.google.com/dlpage/gaoptout/

The User may disable the acceptance of “cookies” in their browser at any time; however, the effect of such a change may be difficulties in using the services provided through the Service. Stored cookies may also be deleted by the User by using the appropriate functions of the internet browser, software designed for this purpose, or tools available within the operating system used by the User.

Due to the diversity of browsers and applications used to access internet services, the management of “cookies” differs between browsers; therefore, before using the Service, we recommend becoming familiar with the method of managing privacy/security functions available in the menu of the browser used by the User and configuring them in the manner preferred by the User.

Failure to make changes in the settings of the browser used with regard to the management of “cookies” will result in “cookies” being automatically placed on the User’s terminal device. Failure by the User to change the browser settings so as to disable the acceptance of “cookies”, combined with use of the Service, shall constitute the User’s consent to the use of “cookies” on the terms set out in this Policy.

For security reasons, it is recommended to use the latest available versions of internet browsers.

In the event of problems related to configuring the blocking of “cookies”, the User may request assistance from Customer Service by sending an electronic inquiry to the following e-mail address: [email protected].

9. USE OF “COOKIES” FOR MARKETING PURPOSES

The Administrator and other entities may use “cookies” for statistical purposes in order to measure the display of advertisements appearing in the Service and the number of clicks on such advertisements. The Administrator’s “cookies” and the cookies of other advertisers make it possible to measure how often advertisements are displayed to the User and how effective the marketing campaigns conducted are. This makes it possible to provide Users of the Service with advertisements tailored to their preferences and interests. Which advertisements may be of interest to the User is determined on the basis of the User’s behaviour in the Service and the manner in which the User interacts with content available in the Service.

Some of the “cookies” placed in Users’ browsers are used for marketing purposes. These files allow the Administrator to determine what content the User may be interested in and to display advertisements based on such interests. Accordingly, advertisements may be displayed within the Service on the basis of Users’ behaviour on other websites. For example, a User who frequently visits sports-related websites may see advertisements for sports equipment in the Service.

Data concerning Users’ activity in the Service may be made available to the Administrator’s marketing partners. Accordingly, when using other websites, the User may see advertisements displayed on the basis of their activity in the Service.

The Service may also use a form of online marketing known as “retargeting”. This enables the Administrator’s partners to display advertisements to Users on the basis of their interactions with websites not associated with the Service. For example, a User who did not complete the purchase of a wardrobe on a furniture website may, while using the Service, see an advertisement from that website presenting products the User had previously viewed.

Behavioural marketing conducted within the Service does not involve the collection of personal data such as first name, surname, residential address, or any other data allowing the User’s behaviour to be attributed to any identifiable person.

The User may object to the display of advertisements in the Service using behavioural marketing. However, this will not result in advertisements ceasing to be displayed to the User in the Service, but only in advertisements no longer being tailored to the User’s preferences and interests. More information on how the User may object to behavioural marketing is available on the following website: https://adssettings.google.com/.

10. ACCESS LOGS

While using the Service, access logs containing information on the IP address of the User’s terminal device are collected and analysed. Information obtained in this way is used for the purposes of administering the Service and for statistical analyses of Users’ interactions with the Service. Pursuant to Article 18(6) of the Act of 18 July 2002 on the Provision of Electronic Services and other applicable provisions of law, the Administrator may be obliged to disclose to state authorities the data provided by Partners during registration in the Service or supplied by the Payment Operator, and in the case of non-logged-in Users – to provide the IP address contained in the access logs.

11. DELETION OF THE APPLICATION FROM MOBILE DEVICES

A Partner who decides to install on their device the Mobile Application belonging to the Administrator is informed of the security rules and the manner in which the application operates. Installation is carried out with the Partner’s consent. The Partner may discontinue using the Mobile Application and uninstall it at any time. Installation and uninstallation are carried out in the standard (native) manner applicable to the version of the operating system installed on the terminal device. In order to uninstall the Mobile Application from the terminal device, the Partner should follow the recommendations of the manufacturer of the operating system with which their mobile device operates.

12. LINKS TO OTHER WEBSITES

This document applies solely to the Service. The Administrator shall not be liable for links placed in the Service enabling Users to directly access websites whose administrator is not the Administrator. We encourage Users to review the privacy provisions published on the websites to which such links lead.

13. TECHNICAL AND ORGANISATIONAL MEASURES SAFEGUARDING DATA

Information provided by Users is processed and stored using appropriate security measures compliant with the requirements imposed by Polish law. The Administrator safeguards Users’ data against unauthorised access, use or disclosure. Data is processed in a controlled environment while maintaining a high standard of protection.

At the same time, we draw attention to, and recommend, that Partners do not disclose their registration data to third parties and that they use the “log out” option after finishing their use of the Service.

14. PROCESSING OF CHILDREN’S DATA

The services offered through the Service are intended for persons who are at least 18 years old. Accordingly, the Administrator does not knowingly process the personal data of children.

15. CHANGES TO THE PRIVACY POLICY

The Administrator undertakes to maintain the current version of the Privacy Policy in the footer of the Service.

16. CONTACT AND THE RIGHT TO LODGE A COMPLAINT

Questions, requests and comments regarding the privacy policy rules and the processing of the User’s data by the Administrator should be sent electronically to the following e-mail address: [email protected].

In the event of a negative outcome of the identity verification process, the User may contact the Administrator in order to obtain information on the further course of action, including the possibility of repeated or manual verification.

Where the User is not satisfied with the response provided by the Administrator or with the actions taken by the Administrator, the User has the right to lodge a complaint with the President of the Personal Data Protection Office.