PRIVACY POLICY OF THE "YVIA" WEB APPLICATION

§ 1. General Information

  1. This Privacy Policy sets out the rules for the processing of personal data and other information concerning users of the Yvia website and application (hereinafter: the "Application") provided by YVIA CONSULTING PROSTA SPÓŁKA AKCYJNA with its registered office at Lublin, 20-213, ul. Gospodarcza 26, Poland, entered in KRS 0001189743, NIP: 9462757185, REGON: 542497475, e-mail: hello@yvia.pl (hereinafter: the "Controller" or the "Service Provider").
  2. The Controller exercises the highest degree of diligence to ensure that the processing of personal data is carried out in accordance with applicable laws, including:
    • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR"),
    • the Polish Act of 18 July 2002 on the Provision of Electronic Services,
    • the Polish Personal Data Protection Act of 10 May 2018,
    • the ePrivacy Directive and electronic communications regulations,
    • the Digital Services Act (EU) 2022/2065,
    • CCPA/CPRA (California Consumer Privacy Act) – for users in the United States,
    • HIPAA – insofar as health-related data are processed in the context of services provided in the United States.
  3. This Policy applies to all users of the Application, regardless of their place of residence or citizenship, and covers both personal data and data collected automatically when using the Application.

§ 2. Data Controller

  1. The controller of personal data of the Application's users is YVIA CONSULTING PROSTA SPÓŁKA AKCYJNA, with its registered office at Lublin, 20-213, ul. Gospodarcza 26, Poland, e-mail: hello@yvia.pl.
  2. You may contact the Controller on any matter related to personal data protection at: hello@yvia.pl
  3. The Controller may appoint a Data Protection Officer (DPO); the DPO's contact details will be made available to users in the Application and on the website.

§ 3. Categories of Data Processed

The Controller may process the following categories of personal data:

  1. Identification and contact data – first name, last name, e-mail address, phone number, login credentials.
  2. Subscription and payment data – billing data, transaction numbers, invoicing details.
  3. Application usage data – IP address, device identifiers, activity data, system logs, time of use, activity history.
  4. Profile and emotional data – information on moods, preferences, ratings, emotional responses, results of self-assessment tools.
  5. Communication data – contents of messages, comments, forum and chat posts.
  6. Consent and preference data – records of marketing and analytics consents granted.

§ 4. Purposes and Legal Bases of Processing

The Controller processes personal data for the following purposes:

| Processing purpose | Legal basis | Data scope |
|---|---|---|
| Conclusion and performance of the electronic services agreement | Art. 6(1)(b) GDPR | identification, contact, subscription data |
| Account servicing and provision of Application features | Art. 6(1)(b) GDPR | account and activity data |
| Payments, invoicing, and accounting | Art. 6(1)(c) GDPR | billing data |
| Personalisation of content, profiling, and AI recommendations | Art. 6(1)(a) and (f) GDPR | profile and emotional data |
| Security and fraud prevention | Art. 6(1)(c) and (f) GDPR | logs, IP, activity data |
| Compliance with legal obligations (e.g., tax, archiving) | Art. 6(1)(c) GDPR | billing data |
| Direct marketing of own services and newsletter distribution | Art. 6(1)(a) GDPR | contact data |
| AI model training and Application improvement | Art. 6(1)(f) GDPR | anonymised or pseudonymised data |

§ 5. Profiling and Automated Decision-Making

  1. The Controller uses profiling within the meaning of Article 4(4) GDPR to personalise content, recommendations, and Application functionalities.
  2. Profiling may include, among others, analysis of emotional data, user activity, interaction history, and preferences.
  3. Profiling does not produce legal effects concerning the user nor does it form the basis for decisions producing legal consequences within the meaning of Article 22(1) GDPR.
  4. The user has the right to object to profiling at any time.

§ 6. Data Recipients and Processors

  1. Personal data may be disclosed to:
    • IT, hosting, and cloud service providers,
    • payment operators,
    • analytics, marketing, and AI service providers,
    • law firms and auditors,
    • public authorities – only to the extent required by law.
  2. All entities processing data on behalf of the Controller act on the basis of written data processing agreements compliant with Article 28 GDPR.

§ 7. Data Transfers Outside the EEA

  1. Personal data may be transferred outside the European Economic Area only where:
    • the European Commission has adopted an adequacy decision, or
    • standard contractual clauses (SCCs) have been concluded, or
    • other appropriate safeguards under Article 46 GDPR are in place.
  2. Information on countries to which data are transferred is published in the Privacy Policy within the Application.

§ 8. Data Retention Period

  1. Data are stored for the duration of the agreement, and thereafter for the period:
    • necessary for tax and accounting settlements – up to 5 years,
    • required for the establishment, exercise, or defence of claims – until expiry of limitation periods,
    • until withdrawal of consent – where processing is based on consent.
  2. Anonymised data may be stored indefinitely for statistical or research purposes.

§ 9. Users' Rights

Users have the following rights:

  • right of access (Art. 15 GDPR),
  • right to rectification (Art. 16 GDPR),
  • right to erasure ("right to be forgotten") (Art. 17 GDPR),
  • right to restriction of processing (Art. 18 GDPR),
  • right to data portability (Art. 20 GDPR),
  • right to object to processing (Art. 21 GDPR),
  • right to withdraw consent at any time,
  • right to lodge a complaint with the President of the Personal Data Protection Office (UODO) or another competent supervisory authority.

§ 10. Cookies and Tracking Technologies

  1. The Application uses cookies and similar technologies for functional, analytical, and marketing purposes.
  2. Detailed information on the use of cookies is set out in a separate Cookie Policy available within the Application.
  3. The user may change cookie settings in their web browser at any time.

§ 11. Data Security

  1. The Controller implements appropriate technical and organisational measures to ensure the security of personal data, including:
    • encryption in transit (TLS 1.3),
    • encryption at rest (AES-256),
    • pseudonymisation and anonymisation,
    • access control and multi-factor authentication,
    • intrusion detection/prevention systems (IDS/IPS),
    • regular security audits and testing.
  2. In the event of a personal data breach, the Controller will notify users and the competent supervisory authority in accordance with Article 33 GDPR.

§ 12. Changes to the Privacy Policy

  1. The Controller reserves the right to amend this Policy in the event of changes in law, technology, or the Application's functionalities.
  2. Users will be informed of amendments at least 30 days in advance.
  3. Continued use of the Application after the effective date of amendments constitutes acceptance thereof.

§ 13. Contact Details

For matters related to personal data protection, please contact the Controller:

YVIA CONSULTING PROSTA SPÓŁKA AKCYJNA

20-213 Lublin, ul. Gospodarcza 26, Poland

hello@yvia.pl