Privacy Policy

Privacy Policy of the Website VELLAM.PL

Table of contents:

1. General provisions
2. Legal bases for data processing
3. Purpose, legal basis and period of data processing
4. Recipients of the data
5. Profiling on the Website
6. Rights of the data subject
7. Cookies and analytical tools
8. Processors (sub-processors)
9. Final provisions

1. General provisions

1. This Privacy Policy is informational in nature, which means that it does not impose any obligations on the users of the Website. It primarily sets out the rules under which the Controller processes personal data on the Website, including the legal bases, purposes and periods of processing, the rights of data subjects, as well as information about the use of cookies and analytical tools.
2. The Controller of personal data collected via the Website within the meaning of the GDPR is Aleksander Kamiński, conducting business activity under the firm FEATHERIT – ALEKSANDER KAMIŃSKI, entered in the Central Register of Business Activity of the Republic of Poland (CEIDG), business and correspondence address: ul. Bazyliowa 27, 71-220 Bezrzecze, Poland, tax identification number (NIP) 8542386448, statistical number (REGON) 365009515, e-mail address: info@vellam.pl (hereinafter the "Controller"). The Controller is also the Service Provider of the Website.
3. Personal data is processed by the Controller in accordance with applicable laws, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter "GDPR". Official text of the GDPR: eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
4. Use of the Website is voluntary. Likewise, the provision of personal data by a User is voluntary, subject to the conclusion of contracts with the Controller – where data required for the conclusion and performance of a contract with the Controller (e.g. a contract for the provision of the Electronic Service Account) is not provided in the cases and to the extent indicated on the Website, in the Terms of Service and in this Privacy Policy, the contract cannot be concluded. In such a case, providing personal data is a contractual requirement, and if the data subject wishes to enter into the given contract with the Controller, they are obliged to provide the required data. The scope of data required to conclude the contract is indicated in advance each time on the Website (e.g. during Account registration) and in the Terms of Service.
5. The Controller takes particular care to protect the interests of the data subjects whose personal data it processes, and in particular is responsible for and ensures that the data it collects is: (1) processed lawfully; (2) collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes; (3) substantively correct and adequate in relation to the purposes for which it is processed; (4) kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes of the processing; and (5) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
6. Taking into account the nature, scope, context and purposes of processing and the risk of violation of the rights or freedoms of natural persons (of varying likelihood and severity), the Controller implements appropriate technical and organisational measures to ensure that processing is carried out in accordance with the GDPR and to be able to demonstrate this. These measures are reviewed and updated where necessary. The Controller applies technical measures to prevent unauthorised persons from obtaining and modifying personal data transmitted electronically (e.g. SSL certificate, data encryption, access to the Account only after providing an individual password, etc.).
7. All words, expressions and acronyms used in this Privacy Policy beginning with a capital letter (e.g. Service Provider, Website, Electronic Service) are to be understood in accordance with their definition in the Terms of Service of the Website, available on the Website.

2. Legal bases for data processing

1. The Controller is entitled to process personal data in cases – and to the extent – where at least one of the following conditions is met: (1) the data subject has given consent to the processing of their personal data for one or more specified purposes; (2) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2. The processing of personal data by the Controller requires in each case the existence of at least one of the grounds indicated in section 2.1 of this Privacy Policy. The specific legal bases for the processing of personal data of Users of the Website by the Controller are indicated in the next section of the Privacy Policy – in relation to the relevant purpose of processing.

3. Purpose, legal basis and period of data processing

1. The purpose, legal basis, period and recipients of personal data processed by the Controller result each time from the activities undertaken by the given User on the Website.
2. The Controller may process personal data on the Website for the following purposes, on the following legal bases and for the following periods:

Purpose of data processing	Legal basis	Storage period
Performance of a contract for the provision of an Electronic Service or any other contract with the Controller, or taking steps at the request of the data subject prior to entering into a contract	Art. 6(1)(b) GDPR (contract) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract	Data is stored for the period necessary for the performance, termination or other expiry of the concluded contract.
Marketing of goods and services of the Controller or its partners (e.g. sending commercial information, including direct marketing, using end-user telecommunications devices such as e-mail and telephone, or automated calling systems)	Art. 6(1)(f) GDPR (legitimate interest) – processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party (e.g. its partners), which include direct marketing – consisting in protecting the interests and good reputation of the Controller, its Website and promoting its services – for example, in connection with prior consent given by the data subject (e.g. during Account registration) to the sending of commercial information using end-user telecommunications devices such as e-mail and telephone, within the scope of the consent given	Data is stored for the duration of the Controller's legitimate interest, but no longer than until the expiry of the limitation period for claims of the Controller against the data subject arising from the Controller's business activity. The limitation periods are specified by law, in particular the Polish Civil Code (the basic limitation period for claims related to the conduct of business activity is three years). The Controller may not process data for direct marketing purposes where the data subject has effectively objected. In addition, where processing is based on the data subject's consent to sending commercial information, including direct marketing, the data is stored until the consent is withdrawn by the data subject, without affecting the lawfulness of processing based on consent before its withdrawal.
Keeping of tax books	Art. 6(1)(c) GDPR (legal obligation) in conjunction with Art. 86 § 1 of the Polish Tax Ordinance Act of 17 January 2017 (Journal of Laws 2017, item 201, as amended) – processing is necessary for compliance with a legal obligation to which the Controller is subject	Data is stored for the period required by law obliging the Controller to keep tax books (until the expiry of the limitation period for the tax obligation, unless tax laws provide otherwise).
Establishment, pursuit or defence of claims that may be raised by the Controller or that may be raised against the Controller	Art. 6(1)(f) GDPR (legitimate interest) – processing is necessary for the purposes of the Controller's legitimate interests consisting in the establishment, pursuit or defence of claims	Data is stored for the duration of the Controller's legitimate interest, but no longer than the limitation period for claims that may be raised against the Controller (the basic limitation period for claims against the Controller under Polish law is six years). The Controller may not process data for this purpose where the data subject has effectively objected.
Use of the Website and ensuring its proper functioning	Art. 6(1)(f) GDPR (legitimate interest) – processing is necessary for the purposes of the Controller's legitimate interests consisting in operating and maintaining the Website	Data is stored for the duration of the Controller's legitimate interest, but no longer than the limitation period for the Controller's claims against the data subject arising from its business activity (basic limitation period under the Polish Civil Code: three years). The Controller may not process data for this purpose where the data subject has effectively objected.
Keeping statistics and analysing traffic on the Website (including storing administrative server logs)	Art. 6(1)(f) GDPR (legitimate interest) – processing is necessary for the purposes of the Controller's legitimate interests consisting in keeping statistics and analysing traffic on the Website (including storing administrative server logs containing usage data such as source, medium, time and date of server access, information on how the Website is used, and information on the devices and browsers of the data subjects), for the purpose, among others, of improving the Website, monitoring its security and analysing and diagnosing technical problems	Data is stored for the duration of the Controller's legitimate interest, but no longer than the limitation period under Polish civil law. The Controller may not process data for this purpose where the data subject has effectively objected.

4. Recipients of the data

1. For the proper functioning of the Website, including the proper provision of Electronic Services by the Controller, it is necessary to use the services of third parties (such as software providers). The Controller uses only the services of such processors which provide sufficient guarantees of implementation of appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and protects the rights of the data subjects.
2. The Controller may transfer personal data to a third country (outside the European Economic Area), ensuring that such transfer is to a country that guarantees an adequate level of protection in accordance with the GDPR, or – in the case of other countries – that the transfer is carried out on the basis of standard data protection clauses. The Controller ensures that the data subject has the opportunity to obtain a copy of their data. The Controller transfers collected personal data only in the case and to the extent necessary to achieve the relevant purpose of processing in accordance with this Privacy Policy.
3. Disclosure of data by the Controller does not occur in every case and not to all recipients or categories of recipients indicated in this Privacy Policy – the Controller only shares data where this is necessary to achieve a given purpose of processing and only to the extent necessary for that purpose.
4. Users' personal data may be shared with the following recipients or categories of recipients:
   1. Providers of electronic payments or card payments – in the case of a User who makes a purchase using electronic payments or card payments, the Controller shares the collected personal data with the selected payment services provider acting on the Controller's behalf, to the extent necessary to process the payment made by the User.
   2. Service providers supplying the Controller with technical, IT and organisational solutions enabling it to conduct its business activity, including the Website and the Electronic Services provided through it, including the Vellam application (in particular providers of AI systems and software for operating the Website, providers of e-mail and hosting services, and providers of business management and technical support software) – the Controller shares the collected personal data with the selected provider acting on the Controller's behalf only in the case and to the extent necessary to achieve the relevant purpose of processing. Some of the AI providers used by the Controller are established outside the European Economic Area (including in the United States). Data transfers to these providers take place on the basis of standard contractual clauses approved by the European Commission.
   3. Providers of accounting, legal and advisory services supporting the Controller on legal or advisory matters (in particular, an accounting office, law firm or debt collection firm) – the Controller shares collected personal data with the selected provider acting on the Controller's behalf only in the case and to the extent necessary to achieve the relevant purpose of processing.

5. Profiling on the Website

1. The GDPR imposes on the Controller the obligation to provide information about automated decision-making, including profiling as referred to in Art. 22(1) and (4) GDPR, and – at least in such cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Therefore, in this section the Controller provides information about possible profiling.
2. The Controller may use profiling on the Website for the purposes of direct marketing; however, decisions made by the Controller on this basis do not concern the conclusion or refusal to enter into a contract with the Controller, or the possibility of using the Website and its Electronic Services. The effect of profiling on the Website may be, for example, a reminder of uncompleted actions on the Website, the sending of an offer of a service that may correspond to the interests or preferences of the given person, or the proposal of better conditions compared to the standard offer of the Website. Despite profiling, the given person freely decides whether they wish to take advantage of, for example, the received offer or discount.
3. Profiling on the Website consists in the automatic analysis of information provided or the prediction of a person's behaviour on the Website, e.g. by analysing past browsing history or other actions taken on the Website. The prerequisite for such profiling is that the Controller holds personal data of the given person so that it can subsequently send, for example, a discount code or an offer.
4. The data subject has the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning them or similarly significantly affects them.

6. Rights of the data subject

1. Right of access, rectification, restriction, erasure and data portability – the data subject has the right to request from the Controller access to their personal data and their rectification, erasure ("right to be forgotten") or restriction of processing, the right to object to processing, and the right to data portability. The detailed conditions for exercising these rights are set out in Articles 15–21 GDPR.
2. Right to withdraw consent at any time – if the data is processed on the basis of consent (Art. 6(1)(a) or Art. 9(2)(a) GDPR), the data subject has the right to withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
3. Right to lodge a complaint with a supervisory authority – the data subject whose data is processed by the Controller has the right to lodge a complaint with a supervisory authority in the manner provided for in the GDPR and Polish personal data protection law. The competent supervisory authority in Poland is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO). However, the data subject may also lodge a complaint with the supervisory authority competent for their place of residence, place of work or the place of the alleged infringement in their EU Member State.
4. Right to object – the data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on Art. 6(1)(e) (public interest or official authority) or (f) (legitimate interest) GDPR, including profiling based on those provisions. The Controller shall in such a case no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is carried out for the establishment, exercise or defence of legal claims.
5. Right to object to direct marketing – where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing.
6. To exercise the rights referred to in this section, the Controller may be contacted in writing or by e-mail at the address provided at the beginning of this Privacy Policy.

7. Cookies and analytical tools

1. Cookies are small text files sent by the server and saved on the device of the person visiting the Website (e.g. on the hard drive of a computer, laptop or on the memory card of a smartphone – depending on the device used by the visitor). Detailed information on cookies and their history can be found, among other places, here: en.wikipedia.org/wiki/HTTP_cookie.
2. Cookies that may be sent by the Website can be divided into various types according to different criteria:

By provider:

1. First-party cookies (set by the Controller's Website)
2. Third-party cookies (set by entities other than the Controller)

By the time they are stored on the User's device:

1. Session cookies (stored until logout, leaving the Website or closing the browser)
2. Persistent cookies (stored for a period specified by the parameters of the given cookie or until manually deleted)

By purpose of use:

1. necessary cookies (enabling the proper functioning of the Website);
2. functional/preference cookies (enabling adaptation of the Website to the visitor's preferences);
3. analytical and performance cookies (collecting information about how the Website is used);
4. marketing, advertising and social media cookies (collecting information about the visitor for the purpose of displaying advertising, personalising it and carrying out other marketing activities, including on websites other than the Website, such as social networks or other websites belonging to the same advertising network).

3. The Controller may process data contained in cookies while using the Website for the following specific purposes:

Purposes of using cookies on the Controller's Website:

• Identifying and maintaining the User's session after logging in to the Website (necessary cookies);
• Ensuring the proper functioning of the services and features of the Website used by the User (necessary and/or functional/preference cookies);
• Protecting the Website and its visitors against bots, spam and other cybersecurity threats (necessary cookies);
• Storing data from completed forms, surveys or other input on the Website (necessary and/or functional/preference cookies);
• Proper display of external content on the Website, including third-party content (functional/preference cookies);
• Adapting the content of the Website to individual preferences of the User (e.g. colours, font size, page layout) and optimising the use of the Website (functional/preference cookies);
• Keeping anonymous statistics on the use of the Website, including collecting statistical data on visits and behaviour of users in order to analyse traffic and improve the functioning of the Website (analytical and performance cookies).

4. Regardless of the browser used, it is possible to check which cookies are currently being sent by the Website using tools available, for example, at: cookiemetrix.com or cookie-checker.com.
5. By default, most browsers available on the market accept the storage of cookies. Everyone has the option to determine the conditions for the use of cookies through the settings of their own browser. This means that, for example, one can partially restrict (e.g. for a given period) or completely disable the storage of cookies – however, the latter may affect some features of the Website.

6. Browser cookie settings are significant from the point of view of consent to the use of cookies by the Website – in accordance with the regulations, such consent may also be expressed through browser settings. Detailed information on changing cookie settings and deleting cookies independently in the most popular browsers can be found in the help section of the given browser and on the following pages:
   • Google Chrome
   • Mozilla Firefox
   • Microsoft Edge / Internet Explorer
   • Opera
   • Safari
7. The Controller may use on the Website Google analytical services such as Google Analytics and Universal Analytics provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). These services help the Controller to compile statistics and analyse traffic on the Website. The data collected as part of these services is processed to generate aggregated statistics helpful in administering the Website and analysing traffic. When using these services, the Controller collects data such as sources and medium of visitor acquisition, behaviour on the Website, information on devices and browsers, IP address and domain, geographical and demographic data (age, gender) and interests.
8. The User may easily block the sharing of information about their activity on the Website with Google Analytics, e.g. by installing the browser add-on provided by Google Ireland Ltd., available at: tools.google.com/dlpage/gaoptout.
9. In connection with possible use of Google analytical services, the Controller informs that full information on the rules of processing of data of Website visitors (including data stored in cookies) by Google Ireland Ltd. is available in the privacy policy of Google services: policies.google.com/technologies/partner-sites.
10. The Controller may use on the Website the Sentry tool provided by Functional Software Inc. (132 Hawthorne St, San Francisco, CA 94107, USA). This tool is used to detect errors that Users may encounter when using the Vellam application, so that the Controller can subsequently fix them. The data collected may therefore include the User's activity history in the application, including information on the use of the application and information on the device used by the User. More information on how this tool works and how data is processed by the provider can be found at: sentry.io/privacy.

8. Processors (sub-processors)

The table below contains a list of processors which process Users' personal data on behalf of the Controller (sub-processors) within the meaning of Art. 28 GDPR. With each of these entities the Controller has concluded or undertakes to conclude a data processing agreement. For entities established outside the European Economic Area, data transfers are carried out on the basis of standard contractual clauses (SCC) approved by the European Commission.

Company	Location	Processing purpose	Privacy policy / DPA
OpenRouter Inc.	USA (SCC)	Routing requests to AI language models – analysis of User texts	openrouter.ai/privacy
Stripe, Inc. / Stripe Technology Europe, Limited	USA / Ireland	Payment processing and subscription management	stripe.com/privacy
Clerk, Inc.	USA (SCC)	Authentication and User account management	clerk.com/privacy
Functional Software, Inc. (Sentry)	USA (SCC)	Error detection and application monitoring	sentry.io/privacy
Google Ireland Limited	Ireland (EEA)	Website traffic analysis (Google Analytics)	policies.google.com/privacy

The Controller reviews the list of sub-processors regularly and updates it in case of changes. The User may object to the inclusion of a new sub-processor in the manner described in Section 3 of this Privacy Policy.

9. Final provisions

The Website may contain links to other websites. The Controller recommends that, after visiting other websites, Users read the privacy policies in force there. This Privacy Policy concerns only the Controller's Website.

Polish law and the GDPR apply to the processing of personal data.