Privacy Policy for the http://ABAStroke.com Service

§ 1. Scope of this Privacy Policy

This Privacy Policy provides information on the processing of personal data in accordance with the EU General Data Protection Regulation (GDPR) in connection with use of the Service https://abastroke.com/ .

The Controller states that processing of data in the application is governed by the Privacy Policy made available within the application itself.

§ 2. Controller of personal data

Name and contact details of the data controller

The data controller for this Application is:

ABAStroke sp. z o.o., ul. Warszawska 3/3, 31-155 Krakow, Poland

Data Protection Officer

If you have questions about our data protection measures, data processing or the protection of the rights of data subjects, you may contact our Data Protection Officer as follows: Michał Ryś, michal@abastroke.com

§ 3. Definitions

Personal data - any information relating to an identified or identifiable natural person, identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including the device IP address, online identifier and information collected through cookies or similar technology.

User - any natural person who has full legal capacity, or a natural person who does not have full legal capacity provided that prior consent of their legal representative has been obtained, who visits the Website or uses one or more services or functionalities described in this Policy.

Privacy Policy - this Privacy Policy.

GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Service - the website operated by the Controller at https://abastroke.com/ .

§ 4. General provisions

The Privacy Policy sets out the rules for the processing and protection of personal data of Users using the Service. It also sets out the rules for the use of cookies.

The website is intended for adults or for persons over 13 years of age with the consent of their legal guardian.

The Service Privacy Policy is informational in nature.

Users' personal data are processed in accordance with data protection laws and the Polish Telecommunications Law of 16 July 2004 (Journal of Laws 2024, item 1221).

The Controller makes every effort to protect the interests of the persons whose data are collected, and in particular ensures that the data are processed lawfully. Personal data are collected by the Controller for defined and lawful purposes and are not further processed in a manner incompatible with those purposes. The Controller states that the data it collects are stored in a form permitting identification of the data subjects for no longer than is necessary to achieve the relevant processing purpose.

The purpose of the Privacy Policy is to define the Controller's activities relating to personal data collected through the Service and related services and tools used by Users to perform activities within the Service.

A User who uses the services and tools made available within the Service confirms that they have read the Privacy Policy and, where necessary, consents to the use of their personal data in accordance with the Privacy Policy.

All data collected by the Controller are protected using reasonable technical and organisational measures and security procedures to protect them against access by unauthorised persons or unauthorised use.

The Controller has exclusive access to the data on the terms set out in the Privacy Policy. Access to personal data may also be entrusted to other entities that collect, process and store personal data in accordance with their own terms and privacy policies. Such entities are granted access to the User's personal data only to the extent necessary to ensure the proper provision of services.

10. The Controller applies appropriate technical and organisational measures to ensure the security of personal data processing and to protect the data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

As part of its information security management system, the Controller has implemented and maintains procedures and safeguards compliant with the requirements of ISO/IEC 27001 (Information Security Management System). The Controller holds a certificate of conformity with ISO/IEC 27001, confirming the use of globally recognised standards in information protection, risk management and continuous improvement of safeguards.

The security measures used include, in particular, data access control, encryption, system monitoring, regular testing and assessment of the effectiveness of safeguards, security incident management and training of persons authorised to process personal data.

The Controller continuously analyses threats and takes measures aimed at minimising the risk of personal data breaches.

§ 5. Collection, acquisition, scope and purpose of collecting personal data

The Controller obtains information about users, among other things, by collecting server logs through the hosting provider.

Data recorded in server logs are not associated with specific persons using the Service website and are not used to identify persons using the Service.

Server logs are used only as supporting material for administering the Service, and their contents are not disclosed to anyone other than persons authorised to administer the server. These data are used exclusively to administer the Service and are not associated with specific persons browsing the website.

Viewed resources are identified by URL. In addition, the following may be recorded:

• time of receipt of the request;
• time of sending the response;
• name of the user station, identified via the HTTP protocol;
• information about errors that occurred during the HTTP transaction;
• URL of the page previously visited by the user (referer link), if the Service was accessed through a link;
• information about the user's browser;
• information about the user's IP address.

The Controller processes Users' personal data necessary for the proper provision of services available in the Service and is entitled to use data collected and stored within the Service for the following purposes:

• conclusion and performance of an agreement for the provision of an electronic service (on the basis of Article 6(1)(b) GDPR);
• providing full User support, solving technical problems and making appropriate functions available (on the basis of Article 6(1)(b) and (f) GDPR);
• contacting Users, in particular for purposes related to service provision and User support (on the basis of Article 6(1)(a), (b) and (f) GDPR);
• conducting research and analysis to improve the operation of available services (on the basis of Article 6(1)(b) and (f) GDPR).

The Controller is entitled to automatically obtain and record data transmitted to the server by Users' browsers or devices, such as IP address, software and hardware parameters, pages viewed, mobile device identification number and other data concerning devices and use of systems. Such information will be collected when the Service website is used.

The Controller collects, processes and stores the following User data:

• email address;
• first name and surname;
• telephone number;
• company name, in the case of Customers who are not consumers;
• tax identification number (NIP), in the case of Customers who are not consumers;
• business address, in the case of Customers who are not consumers;
• contact details of the Customer's employee, such as first name, surname, email address and telephone number;
• content of messages sent, among other ways, through the contact form.

The Controller states that providing data by the Customer in the above scope is voluntary and optional. The http://ABAStroke.com website does not require users to register, and contact is voluntary.

The Controller informs that it does not use tracking technology in the form of tracking code to track activities undertaken by the User within the Service.

The Controller further informs that it does not use remarketing tools provided by third parties.

§ 6. Cookies policy and operational data

The Service does not use cookies. Cookies are IT data, in particular text files, stored on the end device of the Service User and intended for use of the Service websites. Such data are not collected or used by the Service. The http://abastroke.com website includes a widget from an external provider, UserWay. This widget may remember the user's settings, such as contrast, larger font size, pausing animations and similar accessibility preferences. It serves only to technically remember accessibility preferences.

§ 7. Rights and obligations of the Controller and Users

The Controller has the right and, where applicable, a statutory obligation to provide selected or all information concerning Website Users to public authorities or third parties that request such information on the basis of applicable law.

The Controller does not entrust data processing or disclose collected personal data to unrelated entities without the consent of the persons concerned, unless the following circumstances apply:

Personal data may be disclosed to third parties only where we are obliged or authorised to do so by law. Recipients of data may include, in particular:

• persons operating our infrastructure or IT systems;
• persons providing data hosting.

The Controller does not transfer data outside the European Economic Area.

We currently do not carry out any operations involving automated decision-making that produces legal effects for the addressees or similarly significantly affects them.

The User has the right at any time to access personal data concerning them that are collected by the Controller. In particular, the User has the right to request:

• access to data processed by us, including information on our processing of the data or a copy of the data;
• rectification or correction of data;
• restriction of processing, meaning suspension of operations on data or refraining from deleting data;
• erasure of data, the so-called right to be forgotten;
• transfer of data to another controller.

Irrespective of the above, the User has the right to object to processing of data carried out on the basis of our legitimate interest. In such a case:

• if personal data are processed for marketing purposes, we will immediately stop such processing;
• if processing is based on another type of interest, we will stop such processing unless we demonstrate that the interest overrides the interests, rights and freedoms of the natural person, or that there is a basis for the establishment, exercise or defence of legal claims.

If the User considers that processing of their data infringes applicable law, the User has the right to lodge a complaint with the supervisory authority, that is, the President of the Personal Data Protection Office (PUODO). PUODO contact details are available in particular at https://uodo.gov.pl/pl/p/kontakt .

The User may exercise their rights in particular by contacting us in the manner specified in § 10.

§ 8. Data retention period

Personal data collected for the purposes specified in the Privacy Policy will be stored:

• for the time necessary to perform concluded agreements or for the duration of our legitimate interest in processing the data, and in each case for no shorter than the period of the User's visit to the Service websites;
• until consent is withdrawn, where processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing carried out before consent was withdrawn. Withdrawal of consent may result in the inability to continue providing certain services, carrying out activities or using functionalities whose performance requires personal data processing based on consent. In particular, this may result in cessation of sending commercial information, newsletters, marketing offers or other content for which consent was given, and, in justified cases, limitation or inability to perform certain services;
• in the case of complaints, until any claims become time-barred.

Withdrawal of consent does not affect the processing of personal data that takes place on other legal grounds provided in Article 6(1) of Regulation (EU) 2016/679 (GDPR), in particular where processing is necessary for the performance of a contract, compliance with a legal obligation incumbent on the controller, or pursuit of the controller's legitimate interests.

§ 9. Changes to the Privacy Policy

We reserve the right to amend or update this Privacy Policy at any time and without prior notice in order to adapt it to new legal requirements, technological development or changes in our internal processes. We recommend that you regularly review this Privacy Policy to stay up to date with any changes and to ensure that you know the current information on the protection of your personal data.

§ 10. How can you contact us?

If you have any questions about how we use your personal data, you may contact us by email or in writing at the following address:

ABAStroke sp. z o.o., ul. Warszawska 3/3, 31-155 Krakow, Poland - marked: "data protection"

Email: contact@abastroke.com, michal@abastroke.com