Privacy Policy

Information on the processing of personal data FOR USERS OF THE SERVICE (including the ROD APPLICATION)

Table of Contents

1. Personal Data Administrator
2. Data Protection Officer
3. Contact details of the Personal Data Administrator
4. Source of personal data
5. Categories and scope of personal data processing
6. Purposes and legal basis of personal data processing
7. Data retention period
8. Information on automated decision-making, including profiling
9. Right to object to processing for marketing purposes, including profiling
10. Categories of data recipients
11. Transfer of data outside the European Economic Area
12. Rights of the data subject
13. Right to lodge a complaint
14. Right to withdraw consent
15. Information on the requirement or voluntariness of providing data and the consequences of not providing it

Personal Data Administrator

The administrator of your personal data is GOODAPP limited liability company based in Pniewo, located at: Pniewo, ul. Wesoła 28, 18-400 Łomża, entered into the National Court Register maintained by the District Court in Białystok, 12th Commercial Division of the National Court Register under number KRS 0001039086; NIP 7182165933 (hereinafter: “Administrator”).

Data Protection Officer

We have not appointed a Data Protection Officer (DPO). Therefore, for all matters related to the protection of your personal data and the exercise of your rights, please contact the Administrator directly via email at: [email protected] or in writing to our registered office: Pniewo, ul. Wesoła 28, 18-400 Łomża.

Contact details of the Personal Data Administrator

• in writing, by sending correspondence to: Pniewo, ul. Wesoła 28, 18-400 Łomża
• by email, by sending correspondence to: [email protected]

Source of Personal Data

Your personal data is obtained directly from you – via the registration form provided on the Administrator's website at: rod-app.com (hereinafter: the “Service”), excluding data collected automatically through cookies on the Service and its subpages (if used) – in situations described in detail at: https://rod-app.com/docs/en/cookies.html.

Categories and Scope of Personal Data Processing

In connection with your use of the registration form and order form available on the Administrator’s Service and its subpages, as well as in connection with the use, payment for, and settlement of the ROD application service, the Administrator collects and processes the following data:

• email address

The Administrator is entitled to collect and process the above data based on Article 18(1) of the Act of 18 July 2002 on the provision of electronic services (Journal of Laws of 2002, No. 144, item 1204, as amended), to the extent necessary for establishing, defining the content of, amending, or terminating the Agreement for the provision of electronic services by the Administrator and for the proper performance of those services.

The Administrator may also collect and process personal data of persons using the Service and its subpages (even if they do not have an account in the Service), including the IP address or other identifiers and information collected through cookies or other similar technologies – in situations described in detail at: https://rod-app.com/docs/en/cookies.html.

In terms of the data entered by you into the ROD application, such as personal data of your clients, collaborators, or contractors for whom you act as the data controller, the Administrator processes this data as a data processor on the basis of a Data Processing Agreement, which constitutes an integral part of: https://rod-app.com/docs/en/terms-newsletter.html by the Administrator.

Purposes of Personal Data Processing and Legal Basis for Processing

• Account registration on the Service to enable use of the ROD application

  Art. 6(1)(b) GDPR – processing is necessary to take steps at the request of the data subject prior to entering into a contract.

• Execution and settlement of the service agreement for the use of the ROD application, including payment transactions via an electronic payment provider

  Art. 6(1)(b) GDPR – processing is necessary for the performance of a contract concluded with you.

• Handling the complaint process

  Art. 6(1)(b) GDPR – processing is necessary for the performance of a contract concluded with you.

• Keeping accounting records and fulfilling accounting and tax obligations

  Art. 6(1)(c) GDPR in connection with Art. 86 §1 and Art. 70 of the Tax Ordinance Act of 29 August 1997, and Art. 74(2) of the Accounting Act of 29 September 1994 – processing is necessary for compliance with a legal obligation to which the Administrator is subject.

• Establishing, pursuing, or defending against claims

  Art. 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the Administrator, namely the ability to establish, assert, or defend against claims and secure evidence if needed legally.

• Handling requests/exercising rights of data subjects

  Art. 6(1)(c) GDPR in connection with Articles 13–21 GDPR – processing is necessary for compliance with a legal obligation to which the Administrator is subject.

• Maintaining documentation for the data protection system adopted by the Administrator, including in the form of registers

  Art. 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the Administrator, namely the ability to record and secure information in case there is a legal need to prove facts or compliance with data protection laws.

• Conducting statistical analyses

  Art. 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the Administrator, which is the ability to conduct statistical analysis related to provided services to improve their quality and functionality, and tailor them to the needs of clients and potential clients.

• Direct marketing of the Administrator’s services (conducted directly or via traditional correspondence)

  Art. 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the Administrator, namely the ability to carry out marketing activities.

• Promotion and marketing of the Administrator’s activities by sending commercial and marketing information via email (if consent is given)

  Art. 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the Administrator, namely the ability to carry out marketing activities.
  
  Additionally, the sending of commercial information via email is based on your consent in accordance with Article 10 of the Act on Providing Services by Electronic Means and Article 172 of the Telecommunications Law – if you consent to receiving marketing content via email.

• Use of cookies and similar tracking technologies on the Service and its subpages, including enabling the use of and management of the Service, and for statistical, analytical, advertising, and marketing purposes

  Art. 6(1)(f) GDPR – only for the use of necessary cookies – processing is necessary for the purposes of the legitimate interests pursued by the Administrator, namely ensuring the proper functioning and management of the Service and its subpages, and maintaining service quality for users.
  
  Art. 6(1)(a) GDPR in connection with Articles 173 and 174 of the Telecommunications Law – for uses other than necessary cookies – if consent has been given.
  
  The processing of personal data through functional, analytical, or advertising cookies depends on obtaining your consent via the cookie consent management platform in the Service. This consent may be withdrawn at any time via the platform (details about cookie consent are described in https://rod-app.com/docs/en/cookies.html).

Data Retention Period

The Administrator will process the data for the duration of the validity and full settlement of the agreements for the provision of electronic services, including the agreement for the use of the ROD application concluded with you (i.e. until your account is deleted from the service or your right to use the ROD application is revoked by the Administrator and the agreement is settled — no longer than the expiry of the limitation period for claims arising from the processing of personal data for the purposes indicated above), and additionally:

• Data processed for accounting and tax purposes is retained for 5 years — starting from the end of the calendar year in which the tax obligation arose.
  Art. 86 §1 in connection with Art. 70 of the Tax Ordinance Act of 29 August 1997 and Art. 74 of the Accounting Act of 29 September 1994.

• Data processed for the purpose of handling requests/exercising data subject rights is retained until the request is fulfilled in accordance with legal obligations, but no longer than the expiry of the limitation period for claims arising from the data processing. In accordance with Art. 118 of the Civil Code of 23 April 1964.

• Data processed to maintain documentation for the personal data protection system (e.g. registers) is stored until the expiry of the limitation period for claims. In accordance with Art. 118 of the Civil Code of 23 April 1964.

• Data used to assert or defend claims will be processed for the duration of the claim's limitation period, in accordance with applicable laws.
  Art. 751 and Art. 118 of the Civil Code of 23 April 1964.

• Data processed for statistical and analytical purposes will be stored during the Administrator’s operation period, but no longer than 3 years from the date of collection.

• Data processed for direct marketing purposes will be processed for the duration of such activities by the Administrator or until you object to the processing for this purpose.

• Data processed for promotional and marketing purposes (e.g. sending commercial and marketing information via email) will be processed for as long as the Administrator conducts such activities or until you object — whichever comes first.

• Personal data collected through cookies and similar tracking technologies will be processed until the expiration of specific cookies used in the tool or until consent is withdrawn — whichever occurs first. Details about cookie expiration periods can be found at: https://rod-app.com/docs/en/cookies.html.

• In the case of data processed based on consent, the data will be processed until that consent is withdrawn.

After the retention period expires, the documentation will be destroyed or anonymised in a way that prevents the identification of the data subject.

Information on Automated Decision-Making, Including Profiling

During the processing of your data – with the exception of an automatically sent account registration confirmation link – there will be no automated decision-making that would produce legal effects concerning you or similarly significantly affect you, especially in terms of your rights or obligations.

However, the Administrator may carry out profiling of users of the Service and its subpages, in connection with the use of advertising tools and tracking technologies applied on the Service and its subpages, for the purpose of observing user behaviour and tailoring content to their needs, personalising advertisements, or analysing whether a person who clicked an ad subscribed to the Administrator’s services. Profiling data is of a statistical nature, such as user behaviour on the site, gender, age, location, interests, and is not used to identify the user.

Right to Object to Processing for Marketing Purposes, Including Profiling

We also inform you that if your personal data is processed for direct marketing purposes, you have the right to object at any time, free of charge, to such processing — whether initial or further — including profiling and automated decision-making. If such objection is made, we will stop these activities. You can exercise this right by sending a request by post or by email to the Administrator (addresses provided above).

Categories of Data Recipients

Due to the need to ensure proper organisation and service of the Administrator’s website and application, and the use of services provided by third-party suppliers, your personal data may be shared with the following categories of recipients:

1. Service providers supplying the Administrator with technical, organisational solutions or IT infrastructure, such as:
   • Email provider: Google LLC, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
   • Hosting provider: OVH Sp. z o.o., a subsidiary of OVH Groupe SA, RCS Lille 537 407 926, 2 rue Kellermann, 59100 Roubaix, France
   • Cloud storage provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg
   • Providers of analytics, statistics, and advertising tools, and those supporting marketing campaigns:
   • Meta Business Suite – Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
   • Meta Ads – Meta Platforms Ireland Limited
   • Facebook Pixel – Meta Platforms Ireland Limited
   • Google Ads incl. Discovery Campaigns – Google LLC, Google Ireland Limited
   • Google Analytics – Google LLC, Google Ireland Limited
   • Google Tag Manager – Google LLC, Google Ireland Limited
   • TikTok Ads Manager – TikTok Technology Limited and TikTok Information Technologies UK Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (company no. 635755)
   • TikTok Business Center – same providers as above
   • TikTok Pixel – same providers as above
   • Accounting and HR services: Biuro Obsługi Księgowej Sp. z o.o., Izabela Pawłowska, ul. Waleriana Łukasińskiego 45, 18-400 Łomża
   • Payment platform operator: Stripe Payments Europe, Limited and Stripe Technology Europe, Limited, The One Building, 1 Lower Grand Canal Street, Dublin 2, Ireland
   • Legal and consulting services or those supporting the Administrator in pursuing claims (e.g. law firms, auditors, debt collection agencies)
2. Data recipients not considered processors under the GDPR (excluding public authorities, who may receive data in specific legal proceedings under EU or Member State law), such as:
   • Entities authorised under applicable laws, especially courts and public authorities, to the extent necessary for the performance of their duties and as required by law
   • Individuals authorised by you in exercising your rights
   • Banks

Your data will only be shared to the extent necessary – both in terms of the amount of data shared and the duration of sharing.

Transfer of Data Outside the European Economic Area (EEA)

Due to the Administrator’s use of social media platforms (such as Facebook, Instagram, YouTube) and tools/services like Google Analytics, Google Ads, or Facebook Pixel, provided by entities based or with servers outside the EEA (e.g. Google LLC or Meta Platforms, based in the United States), and the use of Stripe Inc. for online payments, your personal data may be transferred to entities located outside the European Economic Area, particularly to the United States of America.

The Administrator only uses services of providers who have declared participation in the EU-U.S. Data Privacy Framework (DPF) and are listed in the public registry of entities participating in the programme. This serves as a guarantee of their compliance with GDPR when processing the entrusted data.

More information is available at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

Detailed information about data processing by Google LLC and its privacy policy is available at: https://policies.google.com/privacy?hl=en

You can access currently available tools to block Google Analytics at: https://tools.google.com/dlpage/gaoptout

More information about Google Analytics can also be found at: www.google.com/policies/privacy/partners/ and https://support.google.com/analytics/answer/6004245?hl=en

Rights of the Data Subject

The Administrator ensures you the right to:

• access data – obtain confirmation from the Administrator whether your personal data is being processed, and if so, access to that data and information under Article 15 of the GDPR,
• rectify data – request immediate correction of inaccurate personal data and completion of incomplete personal data,
• request data erasure – request immediate deletion of personal data if one of the conditions listed in Article 17 of the GDPR is met, e.g. the data is no longer necessary for the purposes for which it was collected. Note: This right may be limited due to the Administrator’s legal obligations (Article 17(3)(b) GDPR)
• restrict processing – suspend data operations or refrain from deleting data in the cases outlined in Article 18 GDPR, such as when the accuracy of personal data is contested,
• data portability – receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, or request that the data be transmitted directly by the Administrator if technically feasible,
• object to data processing – in the situations outlined in Article 21 GDPR.

You can exercise these rights by sending a request by post, email, or calling the Administrator (see contact details above).

To verify your identity and ensure you are authorised to make the request, the Administrator may ask you to provide additional information. The scope of each right and the situations in which they apply are defined by law and depend, for example, on the legal basis and the purpose of the data processing.

Right to Lodge a Complaint

You have the right to lodge a complaint with the supervisory authority for data protection (currently the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw) if you believe that your personal data is being processed in violation of the law.

Right to Withdraw Consent

If your data is processed based on your consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw consent by sending a request by post to the Administrator’s address or via email (contact details above).

Information on the Requirement or Voluntariness of Providing Data and the Consequences of Not Providing It

Registering an account on the Administrator’s Service and using the services it offers is entirely voluntary. However, failure to provide the data required in the registration and order forms will result in the inability to conclude, perform, or settle the agreement for the provision of electronic services (account registration and use of the ROD application).