§ 1 - General information

1. The operator of the {page} service is a company named JB Engineering Jakub Bilan, with its registered office at ul. Kłodzka 1, 63-400 Ostrów Wielkopolski, subject to entry in the Central Register of Business Activity, registered under NIP: 622-267-79-24, REGON: 362321360.
2. The service performs functions of collecting information about users and their behavior in the following ways:
   • through voluntarily entered information in forms,
   • through storing cookie files (so-called "cookies") in end devices,
   • through collecting server logs.

§ 2 - Information in forms

1. The service collects information provided voluntarily by the user.
2. The service may additionally save information about connection parameters (time designation, IP address).
3. Data in the form is not made available to third parties otherwise than with the user's consent.
4. Data provided in the form may constitute a collection of potential clients, registered by the Service Operator in the register maintained by the General Inspector for Personal Data Protection.
5. Data provided in the form is processed for the purpose resulting from the function of the specific form, e.g. in order to carry out the service request handling process or commercial contact.
6. Data provided in forms may be transferred to entities technically implementing certain services, payment service providers, or other entities with whom the Service Operator cooperates in this regard.

§ 3 - Information about cookies

1. The service uses cookies.
2. Cookies (so-called "cookies") are IT data, in particular text files, which are stored in the Service User's end device and are intended for using the Service's websites. Cookies usually contain the name of the website they come from, the time they are stored on the end device, and a unique number.
3. The entity placing cookies on the Service User's end device and gaining access to them is the Service Operator.
4. Cookies are used for the following purposes:
   • creating statistics that help understand how Service Users use websites, which enables improving their structure and content,
   • maintaining the Service User's session (after logging in), thanks to which the User does not have to re-enter their login and password on each subpage of the Service,
5. Two main types of cookies are used within the Service: "session" (session cookies) and "persistent" (persistent cookies). "Session" cookies are temporary files that are stored in the User's end device until logging out, leaving the website, or turning off the software (web browser). "Persistent" cookies are stored in the User's end device for the time specified in the cookie parameters or until they are deleted by the User.
6. Software for browsing websites (web browser) usually by default allows storing cookies in the User's end device. Service Users can change settings in this regard. The web browser allows deleting cookies. It is also possible to automatically block cookies. Detailed information on this subject is contained in the help or documentation of the web browser.
7. Restrictions on the use of cookies may affect some functionalities available on the Service's websites.

§ 4 - Server logs

1. Information about some user behaviors is subject to logging at the server layer. This data is used exclusively for the purpose of administering the service and ensuring the most efficient hosting services.
2. Viewed resources are identified by URLs. Additionally, the following may be subject to recording:
   • time of request arrival,
   • time of response sending,
   • client station name – identification carried out by HTTP protocol,
   • information about errors that occurred during HTTP transaction execution,
   • URL of the page previously visited by the user (referer link) – in case when the transition to the Service occurred through a link,
   • information about the user's browser,
   • information about the IP address.
3. The above data is not associated with specific persons browsing the pages.
4. The above data is used exclusively for administrative purposes.

§ 5 - Data disclosure

1. Data is subject to disclosure to external entities only within legally permitted limits.
2. Data enabling the identification of a natural person is disclosed exclusively with the consent of that person.
3. The Operator may have an obligation to provide information collected by the Service to authorized bodies on the basis of lawful requests within the scope resulting from the request.

§ 6 - Managing cookies – how to express and withdraw consent in practice?

1. If the user does not want to receive cookies, they can change their browser settings. We reserve that disabling cookies necessary for authentication, security, and maintaining user preferences may make it difficult, and in extreme cases may prevent the use of websites.
2. To manage cookie settings, select the web browser/system from the list below and follow the instructions:
   • Google Chrome
   • Mozilla Firefox
   • Apple Safari
   • Opera
   • Internet Explorer
   • Google Chrome (Android)
   • Apple Safari (iOS)

§ 7 - Users' rights related to personal data processing

• Right of access to personal data. Users have the right to obtain access to their personal data, implemented upon request made to the Operator.
• Right to rectification of personal data. Users have the right to request from the Operator immediate rectification of personal data that are inaccurate or / and completion of incomplete personal data, implemented upon request made to the Operator.
• Right to erasure of personal data. Users have the right to request from the Operator immediate erasure of personal data, implemented upon request made to the Operator. In the case of user accounts, data erasure consists in anonymization of data enabling User identification. The Operator reserves the right to suspend the implementation of the erasure request in order to protect the Operator's legally justified interest (e.g. when the User has violated the Terms and Conditions or the data was obtained as a result of conducted correspondence).
• Right to restriction of personal data processing. Users have the right to restriction of personal data processing in cases indicated in Art. 18 GDPR, including questioning the accuracy of personal data, implemented upon request made to the Operator.
• Right to data portability. Users have the right to obtain from the Operator, personal data concerning the User in a structured, commonly used format suitable for machine reading, implemented upon request made to the Operator.
• Right to object to personal data processing. Users have the right to object to the processing of their personal data in cases specified in Art. 21 GDPR, implemented upon request made to the Operator.
• Right to lodge a complaint. Users have the right to lodge a complaint with the supervisory authority dealing with personal data protection.

§ 8 - Recruitment – job application

In the case of sending a job application through our recruitment website or by email, we process candidates' personal data exclusively for the purpose of conducting the recruitment process.

Scope of processed data

As part of the recruitment process, we may process the following personal data:

• first and last name,
• email address,
• phone number,
• optionally: LinkedIn profile,
• information about the source from which the candidate learned about the job offer,
• application documents (CV, cover letter, references), which may contain additional data such as date of birth, residential address, etc.

The candidate may also voluntarily provide special category data, such as:

• information about health status (e.g. disability),
• ethnic origin,
• biometric data (e.g. handwritten signature).

Legal basis for data processing

Processing of candidates' personal data takes place on the basis of:

• Art. 6(1)(b) GDPR and Art. 88 GDPR in connection with Art. 22¹ § 1 of the Labor Code – for the purpose of carrying out pre-contractual activities (recruitment process),
• Art. 9(2)(a) GDPR and Art. 88 GDPR in connection with Art. 22¹ § 4 of the Labor Code – in the case of voluntary provision of special category data and consent to their processing.

Data is transmitted using TLS encryption and stored in a secured database.

Access to data

Access to data is available exclusively to HR department employees and persons responsible for recruitment for the given position.

Data retention period

Candidates' personal data is stored for a period of 6 months from the end of the recruitment process (i.e. from the day after informing the candidate about the recruitment decision). After this time, the data will be deleted or anonymized.

Anonymized data may be used exclusively for statistical purposes, e.g. to determine the number of applications in a given period or the demographic structure of candidates (without the possibility of identifying a specific person).

Candidate's rights

The candidate has the right to withdraw consent to the processing of special category data at any time, without affecting the lawfulness of processing carried out before the withdrawal of consent.

§ 9 - Social media login

Description and scope of data processing

1. For the purpose of registration and logging into the customer account, we offer the possibility of authentication using an existing user profile through login plugins (so-called social login) in the following social services: Facebook, Google, Twitch, Discord, and Microsoft. This eliminates the need to create a separate account directly in our service.
2. On the registration or login page, you will find appropriate icons enabling login through the selected social service. Before connecting to the external provider, it is necessary for you to express explicit consent to the process described below and data transfer.
3. Clicking the appropriate icon will open a new window (so-called application), in which you need to log in with your login credentials to the selected social service. After successful authentication, your profile will be connected to our system. The social service will then provide us with basic data such as first and last name and email address, necessary for registration or login. If you consent to the transfer of this data, the required form fields will be automatically filled in.
4. Only after your explicit consent will this data be saved in our system and used for the purpose of carrying out login and creating an account. After completing this process, no permanent connection is maintained between your account in our system and the account in the social service.
5. For the purpose of carrying out the authentication process, your IP address is also transmitted to the provider of the given social service.
6. In connection with the use of this function, personal data may be transferred to third countries (outside the EU/EEA), in particular to the United States. To ensure an appropriate level of data protection, we have concluded with providers the so-called EU-USA standard contractual clauses. However, it should be remembered that the USA has been recognized by the Court of Justice of the EU as a country not guaranteeing an adequate level of data protection. Due to the lack of a decision stating an appropriate level of protection and the lack of effective appeal measures, there is a risk that data may be processed by American services for supervisory purposes. We cooperate with providers to implement additional protection measures when necessary.
7. We have no influence on the scope and further processing of data by social service operators. More information can be found in their privacy policies:

• Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
  https://www.facebook.com/policy.php
• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  https://policies.google.com/privacy?hl=en
• Twitch Interactive, Inc., 350 Bush Street, 2nd Floor, San Francisco, CA 94104, USA
  https://www.twitch.tv/p/en/legal/privacy-notice/
• Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
  https://privacy.microsoft.com/en-us/privacystatement
• Discord Inc., 444 De Haro Street, Suite 200, San Francisco, CA 94107, USA
  https://discord.com/privacy

Purpose and legal basis for data processing

1. The legal basis for processing data transferred from social services is Art. 6(1)(a) GDPR – consent of the data subject. This consent can be withdrawn at any time without giving reasons with effect for the future. Withdrawing consent means giving up logging in through the given service – then only classic login using email address and password will be possible.
2. Processing of personal data serves exclusively to simplify the login process and is not a necessary condition for using our website.

Data retention period

1. Personal data obtained as part of social login is deleted along with the deletion of the account in the service.

§ 10 - Data processing using third-party companies

1. Cloudflare

   For the purpose of detecting and protecting against attacks on our website and technical infrastructure (e.g. hacking attempts, "denial of service" attacks – DDoS), we process personal data, including identification data, connection data, and location data (including IP addresses).

   For this purpose, we use the Content Delivery Network (CDN) service provided by Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA, based on a data processing agreement in accordance with Art. 28 GDPR. Personal data may be processed by Cloudflare in server log files.

   In connection with this, personal data may be transferred to third countries, in particular to the United States of America (USA). To ensure an appropriate level of personal data protection during such transfer, we have concluded with Cloudflare the so-called EU-USA standard contractual clauses in accordance with European Commission decisions.

   However, it should be remembered that according to the jurisprudence of the Court of Justice of the European Union, the USA does not provide a level of personal data protection corresponding to EU standards. In particular, due to the lack of a decision on an appropriate level of protection and possible insufficient safeguards, there is a risk that user data may be processed by American public authorities for control and supervisory purposes – possibly without the possibility of effective legal redress.

   To the extent possible, we remain in current contact with the service provider to ensure additional personal data protection measures that may prove necessary.

   More information about Cloudflare's data processing principles can be found at: https://www.cloudflare.com/privacypolicy.

   This processing takes place on the basis of our legitimate interest in ensuring website security (Art. 6(1)(f) GDPR).