effective from August 23, 2022.
Henry limited liability company with its registered office in Warsaw at ul. Hoża 86/410, entered into the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register under the KRS number: 564018, nip: 5213699794, REGON: 361824891, the owner of the askhenry.pl website and the entity providing the “Ask Henry” service, protects the privacy of people using its services/Internet portal and their personal data.
- Administrator – Henry Spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw at ul. Hoża 86/410, entered into the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw, 12th Commercial Division of the National Court Register, under KRS number: 564018, nip: 5213699794, REGON: 361824891;
- Account – an electronic service created and provided by the Administrator to the User as part of the Website, constituting the area of the User’s exclusive access in the ICT system provided by the Administrator;
- Personal data – any information about an identifiable User or a Non-logged User, i.e. a person who can be directly or indirectly identified, in particular, on the basis of an identifier such as name, identification number, location data, Internet identifier or one or more specific factors determining the physical, genetic, mental, economic, cultural or social identity of a natural person;
- Customers – all entities cooperating with the Administrator, its contractors, to whom the Administrator provides its services and directly related marketing services;
- Service Providers – all entities cooperating with the Administrator, its contractors, which provide the Administrator with their services and directly related marketing services;
- Profile – a collection of information about the User of a personal and behavioural nature, collected by the Administrator, and related to his/her personal factors, in particular his/her personal preferences, behaviours, interests, location;
- Profiling – any form of automated processing of personal data by the Administrator, which consists in using data collected in the Profile to assess certain personal factors of a natural person, in particular their analysis or forecasts of aspects regarding data collected within the Profile or inference about the features and personal factors of Users other than those collected in the Profile;
- Regulations – regulations for the provision of services through the Website;
- The GDPR – the Regulation of the European Parliament and Council (EU) 2016/679 of 27 April 2016 of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
- Website – a web portal owned and managed by the Administrator, within which the Administrator provides its services, located at: http://askhenry.pl;
- Settings – a function of the Account, allowing the User using the Services to properly manage these services, including independently modifying their scope and choosing preferences regarding the scope and purposes of processing their personal data;
- User – a person who has an Account and uses the Services;
- Services – a set of services provided electronically by the Administrator, services provided on the basis of the “Ask Henry” service regulations located at http://askhenry.pl/regulamin/, as well as direct marketing services.
- Controller of personal data
The Controller of personal data of Users and Users not logged in is the Administrator.In case of questions regarding the processing of data and the rights of Users and Non-logged Users, it is possible to contact the Administrator via e-mail, to the following address: firstname.lastname@example.org.Legal basis: information obligation art. 13 section 1 letter a of the GDPR.
- Scope and purposes of processing personal data of Users and Non-logged Users
Due to the fact that the Administrator provides various services to Users, the Users’ personal data are processed for various purposes, to different extent and on different legal basis specified in the GDPR. In order to ensure transparency of information, we grouped them through the prism of data processing purposes.
- Objective 1: Creating an Account, User’s access to the Website, use of Services provided by ContractorsScope of data: For this purpose, the Administrator processes personal data provided by Users in the registration form on the Website, i.e. e-mail address and name, surname, telephone number, company (employer).Legal basis: necessity to perform the contract for the provision of Services to the User (art. 6 item 1 letter b of the GDPR), consent of the data subject (art.6 it.1 let. A of GDPR)
- Objective 2: Use of the ServicesTypes of Services: The Administrator processes Users’ personal data in order to provide Users with its services and enable the use of Services provided by Contractors on the basis of User’s Orders provided by the Administrator.Scope of data: The Controller processes the following personal data of Users for the above purpose: name and surname, e-mail address, telephone number, correspondence address (street, house number, postal code, city), user’s address, if different from the correspondence address, content of the order given by the User or other data resulting from the specificity of the service ordered by the User on the basis of the regulations located at http://askhenry.pl/regulamin/Legal basis: necessity to perform a distance contract through the Website (art. 6 item 1 letter b) of the GDPR).
- Objective 3: Statistics on the use of particular functions and parts of the Website, popularity of products/services and facilitating the use of the WebsiteScope of data: For these purposes, personal data is processed by the Administrator regarding the activity of Users on the Website, such as: pages and subpages of the Website visited and the amount of time spent on each of them, as well as data on the search history, IP address, location, device ID and data on the browser and operating system.Legal basis: legitimate interest of the Administrator (art. 6 item 1 let. f GDPR), consisting in improving the functionality of the Website and facilitating access to the Account
- Objective 4: Establishment, recovery and enforcement of claimsScope of data: For this purpose, the Administrator may process certain personal data provided under the Account or placing an order, such as: name, surname, address, data on the use of the Services, other data necessary to prove the existence of a claim, including the size of the damage suffered.Legal basis: legitimate interest of the administrator ( art. 6 item 1 (f) of the GDPR), consisting in establishing, pursuing and enforcing claims and defending against claims in proceedings before courts and other state authorities.
- Objective 5: Consideration of complaints and requests, answers to questionsScope of data: For this purpose, the Administrator processes personal data provided by the User within the Account, i.e. name and surname, e-mail address and type of services used by the User, as well as data regarding the use of the Services being the cause of the complaint or request, data contained in documents attached to the complaint or request.Legal basis: the necessity of processing to fulfill the legal obligation incumbent on the Administrator (art. 6 item 1 letter c of the GDPR) and the legitimate interest of the Administrator (art. 6 item 1 (f) of the GDPR), consisting in improving the functioning of the Services and building positive relations with Users.
- Objective 6: Recommended product/service offeringsType of services: Recommended product offers are special, individual offers addressed to Users on the basis of their activity on the Website. Recommended offers are presented:- on the Website; or
– by sending them to the User’s e-mail address.Scope of data: For this purpose, the Administrator processes personal data provided as part of the Account and aggregated as part of the Profile, including data on the User’s activity on the Website, recorded and stored through cookies, in particular information about visited subpages and unfinished orders.Profiling: The above data is used to create a User Profile, corresponding to the User’s personal preferences and interests. On the basis of these data, the Administrator may assess, analyze and forecast other personal factors relating to Users and supplement the Profile with additional data on their basis. Then, on the basis of the Profile created in this way, specific offers, promotions and commercial information addressed to specific Users are selected.
Legal basis: legitimate interest of the Administrator (art. 6 item 1 (f) of the GDPR), consisting in direct marketing of the Administrator’s services or products.
- Objective 7: Marketing and remarketingType of Services: The Administrator processes personal data of Users and for the purpose of direct marketing of services or own products, as well as performing Profiling, in order to best match the products or services offered to Users to their current needs and predict their behavior or purchase preferences.Scope of data: For this purpose, the Administrator processes personal data provided within the Account, i.e. name and surname, e-mail address (in cases where consent has been granted for the use of telecommunications terminal equipment for direct marketing via electronic means of communication), and collected in the Profile, regarding the User’s activity on the Website, recorded and stored through cookies (also in relation to not logged in Users), in particular the history of the websites visited, personal preferences, behaviours, interests, search history, order history, clicks on the Website, login and registration dates, data on the display and use of specific services/products on the Website, activity related to communication with the Administrator.Profiling: The above data is used to create a User Profile, corresponding to the User’s personal preferences and interests. On the basis of these data, the Administrator may assess, analyze and forecast other personal factors relating to Users and supplement the Profile with additional data on their basis. Then, on the basis of the Profile created in this way, specific offers, promotions and commercial information addressed to specific Users are selected.Remarketing: In order to reach Users and Users not logged in with the Administrator’s marketing messages outside the Sites, the Administrator uses the services of external providers. These services consist in displaying the Administrator’s marketing messages, including commercial information, on pages other than the Website. For this purpose, external suppliers (including Google, Facebook) install, for example, an appropriate code or pixel to retrieve information about the activity of Users or Users not logged in to the Website. This information concerns the activities of Users or Users not logged in to the Website, in particular the history of the websites visited.
Legal basis: consent of the data subject (art. 6 item 1 letter a of GDPR and art. 22 it. 2 letter c of the GDPR) and the legitimate interest of the Administrator (art. 6 item 1 (f) of the GDPR), consisting in direct marketing of the Administrator’s services or products.
- Obligation to provide personal data and consequences of not providing them
Providing some personal data is a condition for using the Services or concluding a distance contract with the Administrator (mandatory data). Mandatory data are marked on the Website. The consequence of not providing these data is the User’s inability to use the Services. In addition to data marked as mandatory, providing other personal data is voluntary.In the scope of personal data, which are collected automatically, their provision is also voluntary, and the expression of such will on the part of the User or the Non-logged User is the appropriate set of settings of the web browser from which the connection to the Website takes place.
- Procedures for automated decision-making and profiling
The Administrator shall make all reasonable efforts to match the offer of its own products and any marketing messages addressed to Users to their interests and preferences. For this purpose, it carries out automated processing of personal data, which may also take the form of Profiling.The Administrator also points out that targeting and personalization of the Administrator’s marketing communication, in particular offers and commercial information, based on the collected behavioral data (related to the User’s behavior and activity on the Website, in particular the history of the visited subpages), unless it is the result of inference about other features and personal factors of the User on the basis of data collected in the Profile, does not constitute Profiling.The above actions and making decisions are automated processing of personal data – and occur in a situation where a specific act or omission of the User on the Website causes him to see a specific commercial message – identical for all Users who behaved similarly. Such a message is not directed to the User on the basis of an assumption made in an automated manner by the Administrator and in connection with specific information provided by the User.After considering the interests of the Administrator and the interests, rights and freedoms of Users, the Administrator decided that presenting content to Users in connection with automated decision-making, including on the basis of profiling, will not unduly interfere with the privacy of Users or constitute an undue nuisance to them. In weighing up interests, rights and freedoms, account shall be taken in particular of the following:
- thanks to profiling, the Administrator provides Users with easier access to the desired products/services, compared to traditional tools, based on independent searching of the Website’s resources;
- sending marketing messages to the e-mail address is in accordance with the reasonable expectations of Users who have expressed their willingness to receive such messages in e-mail messages in accordance with applicable regulations (in particular the Act on the provision of electronic services and the Telecommunications Law);
- The profile is created on the basis of data provided by Users and data resulting from their activity on the Services. The Profile is used to personalize recommended offers, while maintaining appropriate guarantees for the protection of Users’ privacy, in particular, the Profile collects data provided by Users and behavioural data related only to Users’ activity on the Website, and not sensitive data regarding private life or activity on other websites;
- as part of creating the Profile, the Administrator does not request the effects of the User’s work, economic situation or health;
- decisions based on automated processing, including Profiling, do not significantly affect the legal situation of Users;
- Users can easily withdraw their consent to receive commercial information and process their personal data from Settings.
- The above allows to assume that automated processing of personal data and making decisions, including profiling, does not pose a significant threat to the rights and freedoms of Users, does not have significant legal effects against them and is not unduly burdensome, and consequently – there are no premises preventing the Administrator’s interests from being granted overriding character.The consequences of automated processing of Users’ personal data will only be the diversity of marketing messages addressed to them, depending on their activity on the Website. In connection with the above, it is possible to make certain commercial discounts available only to a limited group of Users who have met certain conditions. As a consequence, some discounts and promotions will be unavailable to other Users.In connection with the above, the Users have additional rights, described in detail in point 9.
- Processing of personal data of children
In order to use the Services, you must be at least 16 years of age or have parental consent or custody of your child. The Controller does not knowingly collect personal data from children under the age of 16 without the consent of their parent or guardian.
- Data Recipients
Personal data of Users may be shared by the Administrator with other entities. Depending on the circumstances, these entities may be subject to the Controller’s instructions as to the purposes and methods of processing these data (processors) or independently determine the purposes and methods of processing the Users’ personal data (administrators). The Administrator makes the User’s personal data available to the following categories of recipients:
- Service Providers
Personal data of Users may be made available to entities that provide services to the Administrator supporting its activities, e.g. suppliers of marketing tools, accounting, legal advisors.Processing entitiesThe Administrator uses the services of entities that process personal data of Users only on its behalf. These are, among others, entities providing hosting services, cloud storage space, providing marketing systems (e.g. for sending newsletters and other e-mails), for analyzing traffic on the Website, for analyzing the effectiveness of marketing campaigns, etc.Currently, the Controller cooperates with the following Service Providers, who are entities processing personal data:
- Freshworks Inc. 2950 S.Delaware Street, Suite 201. San Mateo, CA 94403, USA. Supplier of CRM (freshdesk.com) available at askhenry.freshdesk.com.
- Click Labs Inc. Suite 600, Tampa, Florida, 33609, USA.
- Tookan Order Processing Application Provider, available at tookanapp.com.
- Mailgun Technologies, Inc. 112 E Pecan St. #1135, San Antonio, TX 78205 – provider of the Mailgun service (mailgun.com), intended for sending notifications in the form of an e-mail.
- Piprdrive OÜ, Mustamäe tee 3a Tallinn 10615 Estonia – provider of the CRM Pipedrive solution (pipedrive.com) for contact management.
- Freshmail (freshmail.com), FreshMail Sp. z o.o., Al. 29 Listopada 155c, 31-406 Kraków – provider of sending e-mails for marketing purposes.Currently, the Administrator also uses the services of entities that do not act solely on his behalf and determine the purposes and methods of using the Users’ personal data. These are entities providing payment services and mainly remarketing campaign services and conducting statistical surveys.Currently, the Administrator cooperates with the following categories of users’ data recipients, who are personal data administrators:
- Google LLC, 1600 Amphiteatre Parkway, Mountain View, California 94043, United States;
- Facebook, Inc 1601 Willow Road Menlo Park, California 94025, USA.Contractor of services commissioned by the User through the Website.Location: Our suppliers are based mainly in Poland and other countries of the European Economic Area (EEA). However, some of the Service Providers may be established outside the EEA. In connection with the transfer of personal data outside the EEA, the Administrator ensured that service providers provide guarantees of a high level of protection of personal data. These guarantees result from the use in the contracts for entrusting the processing of so-called standard contractual clauses concluded with the Service Providers specified in the Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to data processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU).
- State authorities
Personal data are also made available when requested by authorized state authorities, in particular organizational units of the prosecutor’s office, the Police or the supervisory authority in the field of personal data protection (PUODO).
- Service Providers
- Data storage period
Personal data of Users are stored by the Administrator for the entire period of holding an Account on the Website in order to provide the Services, as well as for marketing purposes. After deleting the Account, the Users’ data is anonymized or pseudonymized, except for the following data: order history. After 5 years from anonymization or pseudonymization, all data is deleted.Personal data of not logged-in Users are stored for a period corresponding to the validity of cookies stored on their devices.
- Rights of data subjects
The Administrator ensures the exercise of the following rights to Users and Non-logged Users by contacting him in one of the ways indicated in point 2. In addition, some of the permissions can be implemented by changing the Settings accordingly. All rights described below with respect to Users are also vested in Non-logged Users.
- Right to withdraw your consent
The User has the right to withdraw any consent that he/she gave at the time of registration to the Website, as well as when using the Services and Account functions. Withdrawal of consent shall take effect from the moment of withdrawal of consent. Withdrawal of consent does not affect the processing carried out by the Administrator in accordance with the law before its withdrawal.Withdrawal of consent does not entail any negative consequences. However, it may prevent you from continuing to use the Services. The withdrawal of consent does not affect the processing that takes place on a basis other than the consent of the data subject, for example in order to perform the contract between the Administrator and the User.Legal basis: Article 7 it. 3 of GDPR.
Right to object to the use of data
The User has the right to object at any time to the processing of his/her personal data, including automated processing, and in particular Profiling, if the processing of data takes place on the basis of the legitimate interest of the Administrator.
Notwithstanding the foregoing, the data subject shall have the right to object at any time to the processing of personal data relating to him or her for the purposes of direct marketing, including Profiling, to the extent that the processing is related to such direct marketing.
Resignation from receiving recommended offers in the form of an e-mail, as well as resignation from receiving commercial information regarding the Administrator’s products or services, is treated as an objection to the processing of personal data, including Profiling for marketing purposes and guarantees the cessation of their further processing for this purpose.
If the Administrator is unable to demonstrate another legal basis for the processing of personal data of the User who has raised an objection, superior to the interests, rights and freedoms of the User or the grounds for establishing, pursuing or defending claims, it will immediately delete the personal data of such User.
Legal basis: Article 21 of the GDPR
Right to delete (‘right to be forgotten’)
The user has the right to request deletion of all or some personal data A request to delete all personal data will be treated as a request to delete the Account.
The above right is granted if at least one of the following circumstances occurs:
- the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- The User has withdrawn the consent on which the processing was based and the Administrator has no other legal basis for the processing;
- The User has objected to the processing and there are no overriding legitimate grounds for the processing or the User has objected to the processing of data for direct marketing purposes;
- the personal data has been unlawfully processed;
- personal data must be deleted in order to comply with a legal obligation provided for by the applicable law;Despite the request to delete personal data, in connection with raising objections or withdrawing consent, we may retain certain personal data to the extent necessary to establish, investigate or defend claims. This applies in particular to personal data including name, surname, e-mail address and order history, which are kept for the purposes of dealing with complaints and claims related to the use of the Services.Legal basis: Article 17 of the GDPRRight to restrict data processing
The User has the right to request the restriction of the processing of their personal data (Article This entitlement shall be granted if one or more of the following conditions apply:
- The User questions the correctness of personal data – the limitation is made for a period allowing the Administrator to check the correctness of these data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- The Controller no longer needs personal data for the purposes of processing, but they are needed by the User to determine, assert or defend claims;
- The User has raised an objection to the processing of personal data – the restriction is made until it is established whether the legally justified grounds on the part of the
- Administrator are superior to the grounds for the objection of the data subject.Legal basis: Article 18 of the GDPRRight to access data
- Everyone has the right to obtain from the Controller confirmation whether we process personal data of a specific person, and if this is the case, this person has the right to:
- access your personal data,
- obtain information about the purposes of processing, categories of personal data processed, recipients or categories of recipients of such data, the planned period of storage of personal data or the criteria for determining this period, about the rights it has under the GDPR and about the right to lodge a complaint to the supervisory authority, about the source of such data, about automated decision-making, including Profiling and about the safeguards applied in connection with the transfer of such data to a third country;
- acquire a copy of their personal data.
Legal basis: Article 15 of GDPRRight to rectificationThe User has the right to rectify and complete the personal data provided by them. This right can be exercised from the Account by independently changing the Settings and verifying the scope of data entered within the Account.
With regard to personal data unavailable from the Account, the User has the right to request the Administrator to rectify these data (if they are incorrect) and to complete them (if they are incomplete).
Legal basis: Article 16 of the GDPR
The right to data portability
The User has the right to receive their personal data, which the User provided to the Controller, and then send it to another personal data controller of their choice (Article
The User also has the right to request that personal data be sent by the Administrator directly to such other administrator, if technically possible.
The administrator sends the data in the form of an XML or CSV file. This format is a commonly used machine-readable format that allows you to transfer the received data to another personal data controller.
Legal basis: Article 20 of GDPR;
The right to obtain human intervention on the part of the Administrator
In each case in which automated processing of personal data takes place (automated decision making, including profiling), the User has the right to question the decision made in an automated manner, to express his opinion on the decision taken and to demand human intervention on the part of the Administrator. Human intervention is carried out by reassessing the features, factors and premises that were taken into account when the automated decision was made by a person authorized by the Administrator and issuing a decision other than the previous one or maintaining it. In the case of Profiling, the Administrator should omit the features and personal factors that were derived from the data collected in the Profile, and the decision related to human intervention should be made on the basis of the database collected in the Profile, which is not a form of assessment, analysis or forecast of data provided by the User.
The above right does not apply in the event that such a decision does not have any legal effects on the User or the impact on his/her situation is negligible.
However, if a decision taken in an automated manner: (i) is not necessary for the conclusion or performance of a contract between the User and the Controller; (ii) is not permitted by Union law or the law of the Member State to which the Controller is subject and which provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; and (iii) is not based on the explicit consent of the data subject, the right of the User not to be fully subject to decisions taken solely by automated means is an expression of the above right. In the event of a request to exercise this right, the Administrator shall take all reasonable measures to ensure that the decision-making process does not remain solely automated, i.e. to ensure the presence of the human factor in at least one of its stages.
Legal basis: art. 22 of the GDPR;
- Response Time
If the User, using the rights described in point 9, makes an appropriate request to the Administrator, the Administrator shall immediately consider this request positively or negatively, but not later than within one month after receiving it. However, if, due to the complicated nature of the request or the number of requests, it is impossible to meet the monthly deadline, the Administrator will fulfill the obligation to consider the request within the next two months, after informing the User about the circumstances.
- Complaints and applications
The Administrator encourages to ask questions and submit applications regarding the processing of Users’ personal data and the exercise of their rights.Each person has the right to lodge a complaint with the supervisory authority in the field of personal data protection (PUODO) if they believe that their right to the protection of personal data or other rights granted to them under the GDPR have been violated by the Administrator.
- Security of personal data
The Administrator and the entities with which it cooperates, make every effort to ensure the security of personal data processed on the Website, including through the use of encrypted data transmission (SSL) during registration and login, which ensures the protection of the credentials entered and significantly hinders the interception of access to the Account by unauthorized systems or persons.