III GENERAL RULES ON PERSONAL DATA SECURITY 

1. The confidentiality and security of Personal Data are a priority for the Administrator.

   
   

2. The Application collects Personal Data, including Medical Data, Reading Medical Data is only possible on the User's device under the terms specified in the Regulations. The above means that:

   
   

1. neither the Administrator nor any other entity acting on behalf of or for the benefit of the Administrator has access to the User's Medical Data;
   
   

2. the servers used by the Administrator contain only data and information downloaded or entered into the Application, which, however, cannot be linked to a given User (no possibility of identifying the User);
   
   

3. Only the User decides to whom and to what extent Medical Data will be made available.

   
   

3. The Administrator does not analyze, process or reproduce any User Medical Data that would enable his or her identification.

   
   

4. The Administrator may use data and information, other than Personal Data required to create an Account, collected by the Application only and exclusively when such data are anonymized, i.e. when it is not possible to assign them to a given User, in particular for the purposes of creating anonymous reports and aggregate statistics by the Administrator and improving the Application and creating new functions of the Application.

   
   

5. The Administrator does not disclose Medical Data to other entities. Only the User is the holder of the Medical Data and only he decides on the possible disclosure of Medical Data to other Users or third parties.

   
   

6. In order to ensure the integrity and confidentiality of Personal Data, the Controller has implemented procedures enabling access to Personal Data only to authorized persons and only to the extent necessary for the tasks they perform.

   
   

7. The Administrator uses organizational and technical solutions to ensure that all operations on Personal Data are recorded and performed only by authorized persons.

   
   

8. The Controller shall take the necessary measures to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process Personal Data on behalf of the Controller.

   
   

9. The Controller conducts ongoing risk analysis and monitors the adequacy of Personal Data security measures to address identified threats. Where necessary, the Controller implements additional measures to enhance data security.

   
   

2. PURPOSES AND LEGAL BASIS FOR PROCESSING

   
   

1. CREATION OF AN ACCOUNT BY THE USER

   
   

• To create a User Account, the User must provide the necessary data, such as an email address, phone number, or link the Account to an account the User already has in other applications (e.g., Facebook). By accepting the Terms and Conditions, the User and the Administrator conclude an agreement for the provision of electronic services.

  
  

• The basis for the processing of Personal Data related to the concluded contract is the necessity to perform the contract or to take action at the User’s request before concluding it (Article 6, paragraph 1, letter b) of the GDPR).

  
  

2. USING THE APPLICATION WITH RESPECT TO MEDICAL DATA

   
   

• In order to use all the functionalities of the Application, in particular in the scope of storing, monitoring and archiving Medical Data, it is necessary to provide Medical Data or for the User to consent to linking the Application with the Device that will transfer such Medical Data to the Application.

  
  

• Since Medical Data concerning health constitutes a special category of Personal Data, the basis for the processing of Personal Data is explicit consent (Article 9 paragraph 2 letter a) of the GDPR).

  
  

3. ANALYTICAL, STATISTICAL AND RESEARCH PURPOSES

   
   

• The Administrator may process Personal Data of Data Subjects for analytical, statistical and research purposes, in particular by analysing Users' activity in the Application and the manner of using the Account, as well as their preferences in order to improve the functionalities of the Application.

  
  

• Medical Data may be processed for analytical, statistical and research purposes, in proportion to these purposes and in compliance with the User's rights and appropriate measures to protect them.

  
  

• The Administrator may process Personal Data within the above-mentioned scope for the purposes of preparing reports, analyses, studies and scientific research commissioned by third parties, provided that such documents will never contain Medical Data enabling the identification of the User, but will be in the form of collective summaries regarding a given category of previously defined characteristics (e.g. a list of people with symptoms X broken down by age).

  
  

• The legal basis for processing is the legitimate interest of the Controller and the necessity for reasons related to the public interest in the field of public health and the necessity for scientific and statistical research purposes (Article 6 paragraph 1 letter f of the GDPR and Article 9 paragraph 2 letters i) and j) of the GDPR).

  
  

4. E-MAIL AND TRADITIONAL CORRESPONDENCE

   
   

• In the event that Data Subjects send correspondence to the Controller via e-mail or traditional mail, the Personal Data contained in this correspondence are processed solely for the purpose of communication and resolving the matter to which the correspondence relates.

  
  

• The legal basis for processing is the legitimate interest of the Controller (Article 6, paragraph 1, letter f of the GDPR) consisting in conducting correspondence addressed to it in connection with its business activities.

  
  

5. TELEPHONE CONTACT

   
   

• In the event of contacting the Controller by telephone, in matters unrelated to the concluded contract or the services provided, the Controller may request the provision of Personal Data only if it is necessary to handle the matter to which the contact relates.

  
  

• In such a case, the legal basis is the legitimate interest of the Controller (Article 6, paragraph 1, letter f of the GDPR) consisting in the need to resolve the reported matter related to the business activity conducted by the Controller.

  
  

6. CLAIM FINDING:

   
   

• In order to establish, pursue and enforce any claims arising from the manner in which the User uses the Application or other services of the Administrator, the Administrator may process certain Personal Data if it is necessary to prove the existence of the Administrator's claim, including the extent of the damage suffered.

  
  

• In such a case, the legal basis is the legitimate interest of the Controller (Article 6, paragraph 1, letter f of the GDPR), consisting in the establishment, pursuit and enforcement of claims and defense against claims in proceedings before courts and other state authorities.

  
  

7. IMPLEMENTATION OF USER RIGHTS

   
   

• In order to enable the exercise of rights arising from the GDPR, in particular the possibility of submitting complaints, inquiries and requests, the Controller has the right to process certain Personal Data for this purpose.

  
  

• In such a case, the legal basis is the legitimate interest of the Controller (Article 6 paragraph 1 letter f of the GDPR), consisting in enabling the User to exercise the rights arising from the GDPR.

  
  

8. MARKETING OF SERVICES OFFERED BY THE ADMINISTRATOR:

   
   

1. Sending commercial information:

   
   

• Based on consent specifying the communication channel, the Administrator has the right to send messages to an e-mail address and, if necessary, contact you by telephone in order to present its services.

  
  

• The legal basis is the consent of the data subject (Article 6(1)(a) of the GDPR).

  
  

• If you consent to the sending of information via e-mail, the legal basis for the processing of Personal Data will also be Article 10, paragraph 2 of the Act of 18 July 2002 on the provision of services by electronic means.

  
  

• If you consent to telephone contact for the purpose of providing information, the legal basis for the processing of Personal Data will be Article 398 of the Act of 12 July 2024 - Electronic Communications Law.

  
  

2. Newsletter:
   
   

• Based on the consent granted by the Data Subject, the Administrator has the right to send information regarding its activities to the provided e-mail address.

  
  

• The legal basis is the consent of the person to whom the Personal Data relates (Article 6 paragraph 1 letter a of the GDPR).

  
  

3. NECESSITY TO PROVIDE PERSONAL DATA

   
   

1. Creating an Account

Providing Personal Data is voluntary, but necessary to create an Account within the Application.

2. Processing in the Medical Data Application

Providing or sharing Medical Data is voluntary, but may be necessary to use certain features of the App. Failure to provide or share Medical Data may result in inability to use all of the App's functionalities.

3. Newsletter

Data subjects will only receive the newsletter if they have provided their email address for this purpose. Providing an email address is voluntary, but necessary to receive such messages.

4. PROFILES ON FACEBOOK AND LINKEDIN

   
   

   1. The Administrator has public profiles on social media platforms such as Facebook and LinkedIn. Therefore, it processes Personal Data provided by visitors to these profiles (such as comments, likes, and online identifiers).

      
      

   2. Personal Data of Data Subjects visiting the Administrator's profiles are processed:

      
      

      1. in order to effectively manage profiles by providing portal users with information about the Administrator’s initiatives and other activities and in connection with promoting various types of events, services and products;

         
         

      2. for statistical and analytical purposes;

         
         

      3. may be processed for the purpose of pursuing and defending against claims.

         
         

   3. The legal basis for the processing of Personal Data is the legitimate interest of the Controller (Article 6, paragraph 1, letter f of the GDPR), consisting in:

      
      

      1. promoting your own brand and improving the quality of services provided,

         
         

      2. if necessary – pursuing claims and defending against claims.

         
         

   4. The above information does not apply to the processing of Personal Data by the administrators of the websites (Facebook and LinkedIn). The purpose and scope of processing Personal Data by the operators of social networking sites are described in detail in the privacy policies of the aforementioned social networking sites, available on their websites.

      
      

   5. The data subject may always delete his or her comments under the Administrator's posts, stop following the Administrator or cancel his or her account on the above-mentioned social networking sites.

      
      

5. DATA RECIPIENTS

   
   

1. In connection with conducting business activities requiring the processing of Personal Data, Personal Data may be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment, postal operators, couriers, providers of accounting, legal and advisory services and marketing agencies.

   
   

2. Personal Data of Data Subjects using online payments are made available to payment service providers within the meaning of the Act of 19 August 2011 on payment services.

   
   

3. The Controller may share anonymised data (i.e. data that does not identify specific Data Subjects) with external service providers in order to better recognise the attractiveness of advertisements and services offered by the Controller, excluding Medical Data, in particular those downloaded via system interfaces (such as Apple HealthKit or Google Health Connect), which are not made available to third parties for advertising, marketing or market research purposes.

   
   

4. The Administrator reserves the right to disclose selected information concerning the User to competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with applicable law.

   
   

6. DATA TRANSFERS OUTSIDE THE EEA

   
   

The Administrator does not transfer Personal Data outside the European Economic Area.

7. AUTOMATIC DECISION-MAKING, INCLUDING PROFILING
   
   

For the proper functioning of the Application, the Application may use profiling, which, however, does not result in making decisions that have legal effects on the User or affect the User in a similarly significant way.

8. . PERSONAL DATA PROCESSING PERIOD
   
   

1. Except in cases that impose a different period of storage of Personal Data on the Administrator, the Administrator stores Personal Data that does not constitute Medical Data for the period of time the User has an Account as well as for a period of 3 years from the deletion or closure of the Account by the User.

   
   

2. The Administrator stores Medical Data only for the period of time the User has an Account.

   
   

3. The period of processing of Personal Data that does not constitute Medical Data may be extended if the processing is necessary to establish, pursue or defend against claims, and after this period - only if and to the extent required by law.

   
   

4. If Personal Data are processed on the basis of the Controller's legitimate interest, the Controller processes these data until an effective objection to the processing of Personal Data for the above-mentioned purposes is raised.

   
   

5. Where Personal Data is processed based on the consent of the Data Subject, such consent may be withdrawn at any time. Personal Data will be processed until the consent is withdrawn. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

   
   

9. DATA SUBJECT RIGHTS

   
   

Data subjects have the following rights:

1. the right to information about the processing of Personal Data – on this basis, the Controller provides the natural person submitting the request with information on the processing of Personal Data, including in particular the purposes and legal basis of processing, the scope of the data held, the entities to which they are disclosed and the planned date of data deletion;
   
   

2. the right to obtain a copy of the data – on this basis, the Controller provides a copy of the processed Personal Data relating to the natural person submitting the request;
   
   

3. the right to rectification – The Administrator is obliged to remove any inconsistencies or errors in the Personal Data being processed and to supplement them if they are incomplete;

   
   

4. the right to delete data – on this basis, you may request the deletion of Personal Data, the processing of which is no longer necessary to achieve any of the purposes for which they were collected;
   
   

5. the right to restrict processing – in the event of such a request, the Controller shall cease performing operations on Personal Data – except for operations to which the Data Subject has consented – and shall cease storing them, in accordance with the adopted retention principles or until the reasons for limiting data processing cease to exist (e.g. a decision of the supervisory authority is issued permitting further data processing);
   
   

6. the right to transfer data – On this basis – to the extent that Personal Data is processed by automated means in connection with a concluded contract or expressed consent – ​​the Controller releases the data provided by the data subject in a machine-readable format. It is also possible to request that this data be transferred to another entity, provided, however, that there are technical possibilities in this regard on the part of both the Controller and the indicated entity;
   
   

7. the right to object to the processing of data for marketing purposes – The data subject may object to the processing of Personal Data for marketing purposes at any time, without having to justify such objection;
   
   

8. the right to object to other purposes of data processing – The data subject may at any time object – for reasons relating to his or her particular situation – to the processing of Personal Data which is carried out on the basis of the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for reasons related to the protection of property);
   an objection in this respect should contain justification.

   
   

9. the right to withdraw consent – if data are processed on the basis of consent, the Data Subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of processing carried out before its withdrawal;
   
   

10. the right to complain – If the processing of Personal Data is deemed to violate the provisions of the GDPR or other provisions regarding the protection of Personal Data, the Data Subject may file a complaint with the authority supervising the processing of Personal Data, with jurisdiction over the Data Subject's habitual residence, place of work, or place of the alleged infringement. In Poland, the supervisory authority is the President of the Personal Data Protection Office. 
    
    

10. MAKING REQUESTS RELATED TO THE EXERCISE OF RIGHTS

    
    

1. A request regarding the exercise of the rights of Data Subjects may be submitted:

   
   

1. in writing to the following address: GAIA Prosta Spółka Akcyjna with its registered office in Radom at ul. Kazimierza Pułaskiego 6/10, 26-600 Radom;

   
   

2. by e-mail to the following address: gaia-support@mygaia.app. 
   
   

2. If the Controller is unable to identify an individual based on the request, it will request additional information from the requestor. Providing such Personal Data is not mandatory, but failure to provide it will result in the request being refused.

   
   

3. The request may be submitted in person or through a proxy (e.g., a family member). For data security reasons, the Administrator encourages the use of a power of attorney certified by a notary or authorized legal counsel or attorney, which will significantly speed up verification of the request's authenticity.

   
   

4. A response to a request should be provided within one month of its receipt. If an extension is necessary, the Administrator will inform the requester of the reasons for doing so.

   
   

5. If a request is submitted to the Controller electronically, the response will be provided in the same form, unless the requestor has requested a response in a different form. In other cases, the response will be provided in writing. If the deadline for fulfilling the request prevents a written response, and the scope of the requestor's data processed by the Controller allows for electronic contact, the response should be provided electronically.

   
   

6. The Administrator stores information regarding the submitted request and the person who submitted the request in order to ensure the possibility of demonstrating compliance and to establish, defend or pursue any claims of Data Subjects.

   
   

11. DATA PROTECTION INSPECTOR

    
    

1. The Administrator has not appointed a Personal Data Inspector.

   
   

2. In matters related to Personal Data, contact with the Administrator is possible at the following address: gaia-support@mygaia.app.
    

12. EXTERNAL PARTY LINKS

    
    

    1. If external links are included in the Application, this Privacy Policy does not apply to the processing of Personal Data by external entities.

       
       

    2. When providing links, the Administrator makes every effort to ensure that they only refer to entities that process Personal Data in accordance with data protection and security standards. However, the Administrator has no influence on the compliance of other providers or third parties with data protection and security regulations. Therefore, you should consult other providers or third parties about the data protection regulations they provide.

       
       

13. COOKIES
    
    

1. Cookies (also known as cookies) are text files sent by a web server and stored on the user's computer (usually on the hard drive). Default cookie parameters allow only the server that created them to read the information they contain. Cookies are most often used for counters, polls, online stores, websites that require logins, advertising, and to monitor visitor activity.

   
   

2. Purposes of storing and accessing cookies:

   
   

1. personalisation of the website (for example: remembering the selected font size, selecting a version for the visually impaired or a colour version);

   
   

2. remembering user data and choices (for example: no need to enter login and password each time on each subpage, remembering login upon return visits);

   
   

3. enabling interaction with social networking sites (for example: displaying your friends, fans or publishing posts on Facebook directly from the site);

   
   

4. customizing advertising content displayed on the website;

5. creating website statistics and user flow statistics between different websites;

   
   

3. The Administrator uses technical, analytical and marketing cookies.

   
   

1. Technical cookies are necessary for the proper functioning of the Application. We use them to:

   
   

• optimize the Application for the devices most frequently used by its users – this will ensure that the Device displays it correctly and legibly;

  
  

• remember whether the Data Subject has consented to the display of selected content.

  
  

2. The Administrator uses analytical cookies to improve the functioning of the Application and to measure the effectiveness of our marketing activities, without identifying Personal Data.

3. Marketing cookies are used to tailor the content and forms of advertising to the needs and preferences of data subjects.

   
   

4. Below you will find links to resources showing how you can specify the conditions for storing or accessing cookies using the settings of the most popular web browsers.

   
   

• Firefox

• Chrome

• Opera

• Safari
  
  

5. Please note, however, that deleting or blocking cookies may result in some sections of the website or app not functioning properly. If changing cookie settings results in an opt-out cookie being placed (which is used solely to identify a user's objection—a lack of consent), please note that the opt-out cookie only works in the browser in which it was saved. If you delete all cookies or use a different browser or device, you will need to re-set the opt-out settings.

   
   

14. PRIVACY POLICY UPDATE
    
    

This Privacy Policy may be subject to change, either due to changes in generally applicable regulations or as a result of changes in the scope of services provided by the Administrator. The Administrator will notify about changes to the Privacy Policy on the website or in the Application, informing you of the date of implementation of the changes, so that you can exercise your rights under the GDPR, in particular the right to withdraw consent or object.