PERSONAL DATA PRIVACY POLICY (GDPR)

§1 Identity of the Data Controller

The controller of personal data provided while using the Service operated at https://levelly.ai/ is Levelly.ai P.S.A. with its registered office in Warsaw (address: ul. Lewinowska 43D, 03-684 Warsaw), a company entered in the Register of Entrepreneurs of the National Court Register under KRS number 0001141060.

Personal data are processed in accordance with applicable legal provisions, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: GDPR), the Act of 10 May 2018 on Personal Data Protection, as well as the Act of 12 July 2024 – Electronic Communications Law.

This Privacy Policy covers the principles of personal data processing of:

1. Users of the Service,
2. persons concluding agreements with the Data Controller,
3. persons contacting the Data Controller (by email, telephone, or traditional correspondence),
4. persons using the Data Controller's social media.

§2 Definitions

For this Policy, the following definitions apply:

Data Controller – the entity determining the purposes and means of personal data processing; in this Policy, understood as: Levelly.ai P.S.A. with its registered office in Warsaw (ul. Chłodna 51, 00-867 Warsaw), KRS: 0001141060.

Personal Data – any information which, without excessive time or cost, may lead to the identification of a natural person, including identification, address, and contact data.

Third Country – a country outside the European Economic Area (EEA).

Service – the website available at https://levelly.ai, through which the User may browse content, subscribe to the newsletter, or contact the Controller.

Demo Functionality – a functionality of the Service through which the User may access a demo version of the Levelly.ai platform.

User/Data Subject – a natural person whose data are processed and who uses the Service or the Controller's social media.

§3 Purposes of Personal Data Processing

The Controller processes Personal Data only where permitted by law, including for:

1. Preparation and performance of a contract, including the conclusion of a distance contract via the Demo Functionality to which the Data Subject is a party, as well as the exercise of rights arising from the contract (including, inter alia, non-conformity of the subject matter with the contract and withdrawal from the contract), where such processing is carried out based on Article 6(1)(b) of the GDPR, i.e. it is necessary for the performance of a contract to which the Data Subject is a party or to take steps at the request of the Data Subject before entering into a contract.
2. Documenting the performance of concluded contracts, including the issuance of a bill or invoice, and maintaining accounting and tax records, based on Article 6(1)(c) of the GDPR, i.e., for the purpose of complying with legal obligations incumbent upon the Controller, including, inter alia, Article 70 of the Act of 29 August 1997 – the Tax Ordinance.
3. Taking action at the request of the Data Subject, including responding to enquiries submitted via electronic or telephone communication or for the purpose of handling traditional correspondence, where such processing is carried out based on Article 6(1)(b) of the GDPR, i.e. it is necessary for the performance of a contract to which the Data Subject is a party or to take steps at the request of the Data Subject before entering into a contract.
4. Sending requested marketing information by electronic means (newsletter) to the email address provided by the User for this purpose, where such processing is carried out based on the consent of the Data Subject, in accordance with Article 6(1)(a) of the GDPR and Article 398 of the Act of 12 July 2024 – Electronic Communications Law.
5. Registration and creation of an account in the Service, where such processing is carried out based on Article 6(1)(a) of the GDPR, i.e., the consent of the Data Subject.
6. Marketing of the Controller's own products and services by means of traditional or electronic correspondence, based on Article 6(1)(f) of the GDPR, i.e., for the legitimate interests pursued by the Controller or the Data Subject.
7. For the purpose of sending an email requesting an evaluation of the Service and the Levelly.ai platform (including the demo version available within the Demo Functionality), such processing is carried out based on Article 6(1)(f) of the GDPR and is undertaken in pursuit of the legitimate interest of the Controller, which is to improve the offering of the Service and the Levelly.ai platform by collecting reliable feedback from the Service owner (the Controller).
8. Sending a request to provide feedback on the Controller's services and products via external satisfaction survey services, such as Google, with the consent of the Data Subject, i.e., based on Article 6(1)(a) of the GDPR, namely the consent of the Data Subject.
9. Pursuing rights and claims by the Controller or the Data Subject, based on Article 6(1)(f) of the GDPR, and carried out in pursuit of a legitimate interest.

Providing personal data is necessary for the performance of a distance contract, including the provision of a digital product and/or the issuance of an accounting document, the pursuit of claims, as well as responding to the User's enquiries. Providing personal data in other respects is voluntary.

Failure to provide the required personal data will make it impossible to perform the distance contract, issue a bill or invoice, or establish contact at the request of the Data Subject.

§4 Methods of Collecting Personal Data

Personal data are collected directly from the Data Subject via:

1. contact forms,
2. newsletter subscription forms,
3. demo Functionality order forms,
4. account registration,
5. contract-related communication,
6. direct contact,
7. social media.

§5 Scope of Personal Data

The scope of processed Personal Data has been limited to the necessary minimum, including:

1. submission of an enquiry via the contact form or using contact details available on the Service: email address, telephone number, first name, and any other data voluntarily provided by the Data Subject,
2. subscription to the newsletter: first name, surname, email address, company name,
3. placing an order within the Demo Functionality: first name and surname, email address, telephone number,
4. issuance of a bill, invoice, or other accounting document: first name and surname or entity name, registered address, tax identification number (NIP),
5. preparation, conclusion, and performance of a contract: first name and surname, address, and commonly used identification data.

§6 Data Retention Period

The period of data processing depends on the purpose for which the data were collected and is as follows:

1. conclusion and performance of a contract, including a distance contract (order) – for the period necessary to document the performance of the contract, including the issuance of a bill or invoice – 5 years, calculated from the end of the calendar year in which the tax payment deadline expired, pursuant to Article 112 of the Act of 11 March 2004 on Value Added Tax, in conjunction with Article 70 of the Act of 29 August 1997 – Tax Ordinance,
2. for the purpose of sending commercial information by electronic means (newsletter) and/or creating an account in the Service or sending a request for feedback via external satisfaction survey services – until the withdrawal of consent, without affecting the lawfulness of processing carried out before its withdrawal,
3. for the period necessary to respond to an enquiry submitted via the contact form or by telephone, but no longer than 6 months, unless the person decides to conclude a contract with the Data Controller,
4. for the purpose of pursuing claims, based on the Act of 23 April 1964 – Civil Code (unless a specific provision provides otherwise, the limitation period is six years, and for periodic claims and claims related to conducting business activity, three years).

§7 Recipients of Personal Data

The User's personal data may be entrusted to other entities for the purpose of providing services on behalf of the Controller, in particular to entities supporting the Controller's business operations in the following areas:

1. hosting of the website and/or the Service,
2. email hosting,
3. servicing and maintenance of IT systems in which data are processed, including for newsletter automation, issuance of accounting documents, order processing, etc.,
4. provision of accounting services (accounting office),
5. provision of office support (virtual assistant, virtual office, etc.),
6. provision of marketing services (virtual assistant, marketing agency, social media manager, etc.).

The User's personal data may also be disclosed to banks and/or electronic payment operators within the Service, as referred to in the Demo Functionality Terms and Conditions.

§8 Transfer of Data Outside the EEA

The Controller does not directly transfer Users' personal data to third countries or international organisations.

However, due to the Controller's use of the Google Analytics analytical tool, data may be transferred to the United States. In such a case, the basis for the data transfer is Commission Implementing Decision (EU) 2023/1795 of 10 July 2023, adopted pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, recognising an adequate level of protection of personal data ensured under the EU–US Data Privacy Framework.

Administrators of social media platforms are entities with a global reach, and their organisational structures are often international in nature. This may involve the transfer of personal data by companies located within the European Economic Area to data processing centres or other entities in third countries. For this reason, the Controller recommends that Users familiarise themselves with the privacy policies of the administrators of the respective social media platforms.

§9 Rights of Data Subjects

Data Subjects have the right to:

1. access the content of their personal data, including obtaining the first copy of such data free of charge,
2. rectify data that are inaccurate or have changed,
3. erase data, unless other legal provisions require the Controller to retain the data for a specified period,
4. data portability, where the processing is based on a contract or the consent of the Data Subject and is carried out by automated means,
5. withdraw consent to the processing of personal data – where the processing is based on consent. Withdrawal of consent shall not affect the lawfulness of processing carried out before its withdrawal,
6. object to the processing of data – on grounds relating to their particular situation, where processing is based on Article 6(1)(e) or (f) of the GDPR, as well as the right to restriction of processing,
7. not to be subject to automated decision-making, including profiling, where such decisions would produce legal effects concerning the Data Subject or similarly significantly affect them,
8. exercise control over data processing and obtain information regarding the identity of the Controller, as well as information about the purpose, scope, and method of data processing, the content of such data, their source, and the manner of their disclosure, including recipients or categories of recipients of the data.

2. To exercise the right to information, access to data, rectification, as well as other rights, the Data Subject may contact the Controller.

3. The Data Subject also has the right to lodge a complaint with the Personal Data Protection Office (UODO) if the processing of data violates data protection laws (GDPR). A complaint may be submitted electronically or in writing to: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00–867 Warsaw.

§10 Final Provisions

In the event of changes to the applicable Privacy Policy, in particular where required by implemented technical solutions or changes in legal provisions concerning the privacy of Data Subjects, appropriate amendments will be introduced to this Privacy Policy (GDPR), which shall become effective upon their publication on the Service's website.