PRIVACY AND COOKIES POLICY
(version 1.0 available and valid from 01.01.2024

Dear User/Dear User!
Your privacy is important to us, so we have prepared information for you on how, as the Administrator, we collect and process your personal data and use cookies (so-called „cookies”) and other tracking technologies in connection with:

● your use of our Open Carrot application available in the web version and for mobile devices, hereinafter referred to as the Application,
● your use of our website https://www.opencarrot.com/, hereinafter referred to as the Website,
● by you contacting us by e-mail, including via the contact form on the Website, via social media or in another way.

Just like any other person using the Application or Website, you are their User.

In the Privacy and Cookies Policy, hereinafter referred to as the Privacy Policy, you will find references to the GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of data personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). The text of this regulation can be found, for example, on the European Union website:https://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679or on the website of the Personal Data Protection Officehttps://uodo.gov.pl/pl/p/prawo. We make sure to collect and process your personal data in accordance with the GDPR.

This Privacy Policy does not cover third party websites, web or mobile applications or other services that use the Application as Business Users. These are individual companies (brands) that have a registered account in the Application. Business Users are responsible for providing you with their own privacy policies regarding how they handle your personal data provided in the Application. Please read section 4 of this Privacy Policy („Recipients of your data”) to learn more about what information is shared with Business Users and what their obligations are in connection with it.

The Application may contain links to other websites or applications. We encourage you to read their privacy policies after navigating to other websites or applications. This privacy policy applies only to the Application and the Website.

Our services are aimed at adults. If you are not one of them, please do not use our Application.

Please read this Privacy Policy and if you have any questions, please contact us at the contact details provided below.

PART I – PERSONAL DATA

1. Administrator
The owner of the Application and the administrator of your personal data is OPEN CARROT spółka z ograniczoną odpowiedzialnością with its registered office in Słupsk. The Administrator’s registered office address is: ul. Filmowa 1/9, 76-200 Słupsk. The administrator as a company is registered in the register of entrepreneurs of the National Court Register under the number 0001017951, has NIP: 8393235341 and REGON number: 524409947.

2. Contact details
If you have any questions or doubts related to your personal data or the Privacy Policy, you can contact us, as the Administrator, at any time by sending an e-mail to the following address:info@open-carrot.com.Please send written correspondence to: OPEN CARROT sp. z o. o., ul. Filmowa 1/9, 76-200 Słupsk.

3. Your personal data
In accordance with GDPR”personal data” means any information relating to an identified or identifiable natural person („data subject”). Using the Application, depending on the individual functionalities you use, involves providing the Administrator with such User data as:
● name
● last name
● profile photo (image)
● User description
● login
● password
● e-mail adress
● Tax Identification Number
● Phone number
● IP number
● location
● data regarding place of residence or correspondence address, including: country, region, city, street, ● house or apartment number, postal code
● data regarding the brand or brands or store with which you cooperate.

4. Purposes and legal basis for the processing of personal data
We collect your personal data when you use the Application and its individual functions.We collect your personal data in order to offer our services, such as creating and maintaining an account on the App, conducting marketing activities on our Site, offering technical support, responding to your inquiries and sending you communications. We obtain your personal data directly from you, as part of automatic data collection on your devices and using cookies. In some cases, we may also obtain information from third parties, for example a Business User who will provide us with your details as a contact person on their behalf.

We use various legal bases to justify the processing of your personal data, such as consent, performance of the contract and our legitimate interests – we describe it in detail in the table below. Each time your consent is the legal basis, you can withdraw it at any time – in section 7 of this Privacy Policy („Your rights”) you will find information on how to do this.

Purpose of personal data processing	Description of the purpose of processing personal data	Legal basis for the processing of personal data
Creating and maintaining a User account	We collect your personal data when you register as a User in the Application and use its individual functionalities, e.g. sending a photo from your mobile device.Your personal data such as name and surname, location and image (profile photo) are visible to other users of the Application.You can change your registration details directly in the App. Datafor this purposeWithWe collect and process based on your consent.	art. 6 section 1 letter a GDPR
Using the functionality of the Application	We collect data about your activities regarding individual brands (Business Users) that you decide to engage in when using the Application, regardless of whether you have completed them. These may be activities organized by us or Business Users. Activities may include, but are not limited to: surveys or competitions – in such a case, we collect your answers or competition results, information about the time of your involvement and the prize received. Your personal data may also be included in the rankings. Some activities may require sharing photos, including photos of receipts or invoices, which may contain your personal data, such as name, address, tax identification number. Other activities may involve posting content or photos on social media, in which case Business Users may have access to such data via those social media. Datafor this purposeWithWe collect and process based on your consent.	art. 6 section 1 letter a GDPR
Contact and handling correspondence	If you inquire from us about our services or request support from us via the App, contact form on the Website, e-mail, social media or otherwise, we will process the personal data required to respond to your enquiries. This concerns contact details and data contained in the content of your message or attachments, which you provide us voluntarily in order to contact us and conduct correspondence. We also process your e-mail address to send you important information, such as updates to the Privacy Policy or Terms of Service, and notifications about technical breaks. Datafor this purposeWithwe take and processbased on our legitimate interests.	art. 6 section 1 letter f GDPR
Organization of promotional campaigns	Together with Business Users, we may organize various promotional campaigns or competitions, the rules of which, including the scope of processed data, will be specified in separate regulations. We collect and process data for this purpose based on our legitimate interests.	art. 6 section 1 letter f GDPR
Own marketing, newsletter, push notifications	With your consent, we will use your e-mail address to provide you with promotional content, e.g. in the form of a newsletter. If you are a User of the Application and you consent to this, we will send you push notifications related to activities in the Application. For this purpose, we will process electronic data about your device. Datafor these purposes, we collect and process based on our legitimate interests.	art. 6 section 1 letter f GDPR
Analysis and statistics	We automatically collect data about your devices, such as the browser you are using. We also collect analytical data, such as time spent on the Site or App and the features you use. Datafor this purposeWithwe take and processbased on our legitimate interests.	art. 6 section 1 letter f GDPR
Defense against or pursuit of claims	If any claims arise on your or our part in connection with the use of our Website or Application, we may process your data to take action to defend against claims or to pursue them in a manner consistent with applicable law. Datafor this purposeWithwe take and processbased on our legitimate interests.	art. 6 section 1 letter f GDPR
Fulfillment of obligations related to the protection of personal data and other legal obligations	We also process your data to fulfill our legal obligations as the Administrator. These may be obligations related to the protection of personal data, but also resulting from other legal regulations, e.g. when an authorized entity, e.g. the police, prosecutor, court, asks us to provide data. Datafor this purposeWithwe take and processbased on a legal obligationon the administrator.	art. 6 section 1 letter c GDPR

5. Recipients of your data
To ensure the proper functioning of the Application, we also use the services of external entities to which your personal data as a User may be transferred. Personal data are provided by the Administrator only to the extent that they are necessary to achieve the given purpose of processing these data. We choose service providers who ensure that we apply such technical and organizational measures that allow us to meet the requirements of the GDPR and protect the rights of data subjects.

Personal data of Application Users may be transferred to the following recipients or categories of recipients:

● providers of technical, programming and IT services –for the purposes of preparing, operating and maintaining the Application;

● electronic or payment card payment service provider– handling payments made by or on behalf of the User;

● providers of legal and advisory services who provide the Controller with legal or advisory support(in particular a law firm) – for the purposes of providing legal services to us.

Notwithstanding the above, your personal data such asname and surname, gender, age, education, e-mail address, telephone number, location and image (profile photo)will be visible within the Application to other Users and Business Users. The purpose of the Application is to enable you, as a User, to obtain rewards for participating in activities related to individual brands organized by us or by individual Business Users, including for sharing information about brands and their products with other Users.

Through the Application, you can select the Business Users with whom you want to cooperate and whose activities you want to use. If you unfollow a Business User, you will not be informed about their brand activities.

If, as a User, you perform an activity related to a given brand or collect a reward in our Application, information related to this is shared with the given Business User. For example, a Business User will see when you completed an activity, any information, photos or other files you shared in connection with the activity, your name, profile picture, email address and location. The Business User may use this information for their own purposes, e.g. analytical purposes. If you receive a physical product from a Business User as a reward, the Business User will also have access to your correspondence address. In such cases, each Business User is a separate personal data administrator who is subject to obligations arising from applicable law, including the GDPR.We are not responsible for the privacy policies, procedures and practices of Business Users and encourage you to read their privacy policies before using activities related to a given Business User and its services.

We require Business Users to:

● provided Users with their own privacy policies, in which they inform Users how they process their personal data;
● have assured that their processing of Users’ personal data will be consistent with applicable law;
● have assured that the technical and IT measures they use ensure adequate protection of Users’ personal data;
● inform you and the relevant authorities about any breach of personal data security during the processing of personal data by the Business User outside the scope of the Application;
● respond to Users’ requests regarding their rights related to the protection of personal data; however, if you make such a request to us, we will coordinate the response to you with the Business User.

6. Transfer of data to third countries
Some of our processing of your personal data may involve their transfer to third countries. This is related to the use of tools whose providers are located in third countries, in particular in the USA.

Currently, as part of the Application, we use the Cloudflare photo storage system, provided by an entity based in the USA. Cloudflare’s privacy policy can be found here: https://www.cloudflare.com/privacypolicy/

7. Data storage period
The storage period of your data varies depending on the purpose of your transfer and the legally justified purposes of its processing:

Purpose of personal data processing	Data storage period
Creating and maintaining a User account	for the duration of the User’s account*
Using the functionality of the Application	for the duration of the User’s account*
Contact and handling correspondence	for the duration of correspondence and until the limitation period for claims that may be related to it expires**
Organization of promotional campaigns	for the duration of the User’s account*
Own marketing, newsletter, push notifications	for the duration of the User’s account*
Analysis and statistics	for the duration of the User’s account*
Defense against or pursuit of claims	until the limitation period for claims**
Fulfillment of obligations related to the protection of personal data and other legal obligations	We process data related to the protection of personal data until they lose their usefulness, you raise an objection or the limitation period for our liability as the Administrator expires.

8. Your permissions
In certain cases, you are entitled to:
● the right to request from the Administrator access to your personal data(Article 15 of the GDPR) – this right includes the possibility of obtaining access to data, receiving certain information about the data and receiving a copy of the data;
● the right to request the Administrator to correct your personal data(Article 16 of the GDPR) – thanks to it you can correct incorrect data or supplement data that is incomplete;
● the right to request the Administrator to delete your personal data(Article 17 of the GDPR) – this is the so-called „right to be forgotten” if there are no grounds for processing your data;
● the right to request from the Administrator to limit the processing of your personal data(Article 18 of the GDPR) – if in your opinion the data processed by us is incorrect or we process it unjustifiably to a certain extent, you can demand that we limit the processing of data to specific activities or to its storage;
● the right to transfer your data(Article 20 of the GDPR) – if you would like to receive from us the personal data you have provided to me in a structured, commonly used, machine-readable format; you can instruct us to send this data directly to another administrator;
● the right to object to the processing of your personal data(Article 21(1) of the GDPR) – you have the right to object at any time – for reasons related to your particular situation – to the processing of your personal data; this applies to data processing pursuant to Art. 6 section 1 letter e) (in the public interest or for the implementation of public tasks) or Art. 6 section 1 letter f) (legitimate interest of the administrator), including profiling based on these provisions;
● the right to object to direct marketing (Article 21(2) of the GDPR)– if personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for the purposes of such marketing, including profiling, to the extent that the processing is related to such marketing. direct.
● the right to withdraw consent to the processing of your personal data(Article 13(2)(c) of the GDPR) – if data processing is based on your consent, you can withdraw it at any time, but this will not affect the lawfulness of the processing which was carried out on the basis of consent before its withdrawal;
● the right to lodge a complaint with the supervisory authority, i.e. the President of the Personal Data Protection Office (Article 77 of the GDPR).

If you want to use any of the above-mentioned rights, you can contact us as the Administrator by sending an appropriate message in writing or by e-mail to the Administrator’s addresses indicated in point 2 of this Privacy Policy („Contact details”).

All these rights are regulated in the GDPR, including the provisions indicated above. We encourage you to read these regulations before exercising your individual rights or if you simply want to learn more about them.

9. Voluntary provision of data
You provide us with personal data voluntarily if you want to use the Application and its individual functions. If you do not provide your personal data required when registering a User account, you will not be able to use the Application. If you register a User account but do not provide the personal data required to use its particular features, you will not be able to use those features.

10. Profiling in the Application
As part of the Application, we use tools that, based on collected data, e.g. about your previous activities in the Application, suggest activities that may interest you, offer more favorable conditions compared to the standard offer of the Administrator or Business Users, remind you about unfinished activities in the Application. Applications. Despite such automated processing of personal data (profiling), it is you, the User, who decides whether you want to use such hints, suggestions or reminders.

11. Security of your data
We take care of the confidentiality and security of the personal data provided to us. We collect personal data with due care and appropriately protect against access by unauthorized persons. We do not share the data provided to us with third parties, except for the situations indicated in point 4 of this Privacy Policy („Recipients of your data”).

PART II – COOKIES AND OTHER TECHNOLOGIES

12. What are cookies and do we use them?
Our Application in the web version (available after logging in via the Website) and in the mobile version, like other applications, uses cookies.

Cookies are small text information stored on your end device (e.g. computer, tablet, smartphone), which can be read by our IT system (own cookies) and by third-party IT systems (third-party cookies).

In the case of the Application, we do not use third-party cookies, i.e. cookies that would be read by third-party IT systems (third-party cookies). Cookies may save and store specific information to which our IT system gains access for specific purposes, which you will read about below.

Third-party cookies only relate to the use of our Website – more information on this subject can be found in point 17 of this policy, regarding our tracking of your behavior on the Website.

13. Basis for our use of cookies
In the case of the Application, we use cookies because they are necessary for its proper functioning and necessary to provide services to you electronically. The legal basis for such use is Art. 173 section 3 point 2 of the Act of July 16, 2004, Telecommunications Law (consolidated text: Journal of Laws of 2022, item 1648, as amended).

We use third-party cookies on our Website based on your consent.

14. What own cookies do we use and for what purpose?
We use our own cookies to ensure the proper functioning of individual mechanisms of the Application. In the case of the mobile and web version of the Application, we use our own cookies that enable us to store the following data:

User’s ID, i.e. the User’s identification number used to use the functionality of the Application, e.g. if a given User wants to add a store, the User ID allows for assigning this store to a specific brand;

Token– used for authorization with the Application Programming Interface (API); The API was created specifically for the Application and communicating with it using the Token is necessary for the User to use the Application;

Username- used to display it in the User panel after logging in to the Application,

User role– this is the role of the logged in User (e.g. brand, seller, administrator), used to display it in the panel and to use the functionality of the Application; the user role is also sent to the API,

URI– in the form of a link to a profile photo stored on an external website.

In the case of the Mobile Application, we also use our own cookies, such as:
Cache– i.e. cache for temporary data, which is automatic
released while using the Application or after closing it;

Shared Preference – i.e. the so-called shared preferences that allow you to use data stored on your device as part of the Android or iOS operating system, such as saved passwords, to the extent necessary to use the Application.

15. How long is the information collected by own cookies stored?
In the case of the web version of the Application, all cookies expire after 60 minutes from the moment of logging in to the Application. They are renewed after logging in to the web version of the Application.
In the case of the Mobile Application, cookies may store information for the longest time until the Application is uninstalled.

16. Can you disable or customize your own cookies?
In the case of both the web and mobile versions of the Application, you cannot disable or customize the cookies we use. These are embedded technologies
in the Application and necessary to use it. Without the cookies we use, it is not possible to use the Application.

17. What third-party cookies are used?
In the case of the Application, both in the web and mobile versions, we do not use third-party cookies. All first-party cookies we use are part of our Application.

You will learn about cookies used by third parties in the next section regarding tracking your behavior on the Website.

18. Do we track your behavior on the Website?
Each use of the Website, even without logging in to the web version of the Application, involves saving and storing logs on our server, including: user’s IP address, date and time of the event, type of event. The logs are used to administer the Website and are not used by the Administrator to identify the User.
Additionally, we use the Google Analytics tool provided by the American company Google LLC. In order to use Google Analytics, a special Google Analytics tracking code has been implemented in the Website’s code. The tracking code uses cookies related to the Google Analytics service. You can block the Google Analytics tracking code at any time by installing a browser add-on provided by Google, the so-calledGoogle Analytics Opt-out https://tools.google.com/dlpage/gaoptout

Google Analytics automatically collects information about your activity on our Website. According to information available in Google’s privacy policy[link], Google Analytics uses a set of cookies to collect information and generate reports with website usage statistics without identifying individual users. The main cookie used by Google Analytics, „_ga”, enables the service to distinguish individual users and lasts for 2 years. The „_ga” cookie is used by all websites that use Google Analytics (including Google services). Each „_ga” file is unique to a specific service, so it cannot be used to track you or your browser on other, unrelated sites.

As part of Google Analytics, we only have access to anonymous information, i.e. information that does not allow us to identify you or link it to personal data that we collect about you in accordance with this Privacy Policy.

Thanks to the information collected in this way, we can analyze user behavior on our Website and keep statistics related to it, and then draw conclusions from these statistics to design and implement solutions that improve the effectiveness of the Website.

If you are interested in details related to Google’s use of data from websites and applications that use Google services, we encourage you to read this information. You can currently find them in Google’s privacy policy[link].