Privacy Policy of the MyMedCal Service

Effective as of: March 1, 2025

§1.
Data Controller

  1. The controller of personal data processed through the MyMedCal Service is Artur Niedźwiedź, Władysława Łokietka 12e/8, 41-106 Siemianowice Śląskie, Poland, NIP: 6431784682, REGON: 541314751.

  2. Personal data is processed in accordance with the currently applicable provisions of law, in particular:
    Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR),
    the Act of May 10, 2018 on Personal Data Protection,
    and the Act of July 12, 2024 – Electronic Communications Law.

  3. This Privacy Policy defines the rules for processing the personal data of Website Users, as well as persons entering into contracts with the Data Controller, including data related to the use of the application, and data collected through contact with the Data Controller (e-mail, telephone, traditional correspondence).

  4. The Data Controller has not appointed a Data Protection Officer due to the absence of such an obligation.
    For matters related to data protection, the Controller may be contacted at:
    [email protected] or by phone at +48 690 043 723.

§2.
Definitions

For the purposes of this Privacy Policy:

  1. Service – the MyMedCal web application and related services provided by the Data Controller.

  2. Controller – the entity that determines the purposes and means of processing personal data.

  3. User – a natural person to whom the data relates and who uses the services available within the Service.

  4. Personal Data – any information which, without excessive time or cost, may lead to the identification of a natural person, including identification, address, and contact data.

  5. Third Country – a country outside the European Economic Area (EEA).

§3.
Purposes of Personal Data Processing

  1. The Data Controller processes personal data only where permitted by applicable law, including for the following purposes:

    • conclusion and performance of a contract or presentation of an offer, pursuant to Article 6(1)(b) GDPR;

    • documentation of contract performance, including issuing invoices or bills to natural persons, maintaining accounting and tax records, pursuant to Article 6(1)(c) GDPR, in order to comply with legal obligations incumbent on the Data Controller, in particular under Article 70 of the Act of August 29, 1997 – Tax Ordinance;

    • taking actions at the request of the data subject, including responding to inquiries submitted via electronic means or handling traditional correspondence, pursuant to Article 6(1)(b) GDPR, and marketing of the Controller’s own products and services pursuant to Article 6(1)(f) GDPR, i.e. on the basis of the legitimate interests of the Controller or the data subject;

    • pursuing rights and claims by the Data Controller or the data subject, pursuant to Article 6(1)(f) GDPR, for legitimate purposes.

  2. Providing personal data is necessary for the performance of distance contracts, including delivery of digital products and issuing accounting documents, pursuing claims, and responding to inquiries. Providing personal data in other cases is voluntary.

  3. Failure to provide the required data prevents the performance of a distance contract, issuance of an invoice or bill, or contact at the request of the data subject.

§4.
How Data Is Collected

Personal data of Users is collected directly from the data subjects through:

  • completion of a contact form when submitting an inquiry via the website;

  • providing data necessary to prepare and conclude a contract;

  • direct contact with the Data Controller using the contact details available on the website.

§5.
Scope of Processed Data

The scope of processed personal data is limited to the minimum necessary to provide services, including:

  • submitting an inquiry via the contact form or contact details available on the website: e-mail address, phone number, name, and any other data voluntarily provided by the data subject;

  • issuing invoices or bills: first and last name or company name, registered address, tax identification number (NIP), bank account number;

  • preparation and conclusion of a contract: first and last name, address, NIP/REGON of the ordering party.

§6.
Data Retention Period

The retention period depends on the purpose for which the data was collected and is as follows:

  • for the conclusion and performance of contracts, including distance sales – for the period necessary to document the performed contract, including issuing invoices or bills – 5 years, counted from the end of the calendar year in which the tax payment deadline expired, pursuant to Article 112 of the Act of March 11, 2004 on Value Added Tax in conjunction with Article 70 of the Act of August 29, 1997 – Tax Ordinance;

  • for setting up an account in the Service and requesting feedback via external satisfaction survey services – until consent is withdrawn, without affecting the lawfulness of processing prior to withdrawal;

  • for responding to inquiries submitted via contact forms or by phone – for no longer than 6 months, unless the person decides to conclude a contract with the Data Controller;

  • for pursuing claims – pursuant to Article 118 of the Act of April 23, 1964 – Civil Code; unless otherwise provided by law, the limitation period is six years, and for periodic claims or claims related to business activity – three years;

  • until consent is withdrawn, where processing is based on consent.

§7.
Recipients of Personal Data

  1. User personal data may be entrusted to other entities processing data on behalf of the Data Controller, in particular entities providing:

    • website hosting services;

    • servicing and maintenance of IT systems in which data is processed, including invoicing systems;

    • accounting services;

    • office support services.

  2. Personal data may also be disclosed to entities supporting the Data Controller, including online payment service providers, where necessary to process orders or perform contracts.

  3. Personal data may be processed outside the European Economic Area, in a third country, in particular in the United States of America, due to the use of IT solutions whose servers are located outside the EEA. The legal basis for such transfers is Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries. The Data Controller and service providers ensure the highest level of data protection, and processing will not violate the privacy of individuals.

§8.
Rights of Data Subjects

  1. Data subjects have the right to:

    • access the content of their personal data, including obtaining the first copy free of charge;

    • rectify personal data;

    • erase personal data, unless other legal provisions require data retention;

    • data portability, where processing is based on a contract or consent and carried out by automated means;

    • withdraw consent to the processing of personal data, where processing was based on consent (withdrawal does not affect the lawfulness of prior processing);

    • object to data processing based on Article 6(1)(e) or (f) GDPR for reasons related to the data subject’s particular situation, as well as the right to restrict processing and not to be subject to automated decision-making, including profiling, producing legal effects or similarly significant impacts.

  2. To exercise the above rights, the data subject may contact the Data Controller.

  3. Data subjects also have the right to lodge a complaint with the Polish Personal Data Protection Authority (UODO) if processing violates GDPR provisions. Complaints may be submitted electronically or in writing to:
    Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland.

§9.
Cookies

  1. The Service uses cookies to provide services and functions tailored to the preferences and needs of Users. Cookies allow the User’s device to be recognized and the website to be displayed accordingly.

  2. Cookies may be session cookies (deleted when the browser is closed) or persistent cookies.

  3. Persistent cookies are stored after the browsing session ends and store information such as login or password, facilitating and speeding up website use and remembering selected settings.

  4. The purposes of cookies and access to them by third parties are described below.

§10.
Purposes of Cookies Use

  1. Cookies are used for:

    • adapting website content to individual User preferences and optimizing website usage (functional cookies);

    • conducting analyses and statistics to understand how Users interact with the website and to improve its structure and content.

  2. Cookie data is archived and used for statistical analysis and global traffic assessment.

  3. Cookie data is not combined with personal data provided during contract performance or contact with the Data Controller.

§11.
Third-Party Tools

  1. To analyze website traffic, its sources, and optimize activities, the Service uses:

    • Google Analytics – provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, enabling analysis of website usage (country/city, number of visits, pages viewed, visit duration, etc.). The main cookie used by Google Analytics (“_ga”) distinguishes users and is valid for 2 years. Each “_ga” cookie is unique to a given service and cannot be used to track users across unrelated websites.
      Privacy settings may be adjusted at: https://policies.google.com/privacy
      Users may permanently opt out via: https://tools.google.com/dlpage/gaoptout

    • Google Ads – advertising tool provided by Google LLC, enabling ads in Google search results and conversion tracking and remarketing in conjunction with Google Analytics cookies.

§12.
Cookies and Data Transfers Outside the EEA

  1. Processing cookie data by providers whose headquarters or servers are located in third countries involves transferring such data outside the EEA, including IP addresses and information about visited pages.

  2. Transfers to the United States are based on the European Commission’s decision of July 10, 2023 on the adequacy of protection under the EU-US Data Privacy Framework, applicable to providers certified under this framework, such as Google LLC and Meta Platforms, Inc.

§13.
Cookie Consent Management

  1. Upon entering the website, the User may accept cookies, reject them, or consent only to selected cookies.

  2. Pursuant to Article 399(2) of the Act of July 12, 2024 – Electronic Communications Law, consent may be expressed through device or service configuration settings.

  3. Consent is voluntary and may be withdrawn at any time. Users may delete or disable cookies in their browser or manage cookie settings using tools provided on the website.

  4. Consent is not required where cookies are necessary for electronic communication transmission or provision of services requested by the end user.

  5. Disabling cookies may limit functionality of certain parts of the Service, particularly functional cookies necessary for proper operation.

§14.
Final Provisions

If this Privacy Policy is amended, in particular due to technical solutions or changes in applicable law, relevant modifications shall take effect within 14 days of their publication on the Service website.