INSY PLATFORM PRIVACY POLICY

This Privacy Policy (the "Policy") contains information about the processing of your personal data in connection with your use of the "INSY" platform, available at insy.io (the "Platform").

Any capitalized terms not defined otherwise in this Policy have the meanings given to them in the Terms of Service, available at: insy.io/terms-of-service.

Personal Data Controller

The controller of your personal data is INSY sp. z o.o. with its seat in Rzeszow (registered office address: ul. Borowa 1C, 35-232 Rzeszow), entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court in Rzeszow, 12th Commercial Division of the National Court Register, under KRS number: 0001191036, NIP: 5170462877, REGON: 542552731, with share capital of PLN 5,000 (five thousand zlotys) (the "Controller").

Contact with the Controller

In all matters related to the processing of personal data, you may contact the Controller by means of:

  1. email - at: support@insy.io
  2. traditional mail - at: ul. Borowa 1C, 35-232 Rzeszow

Personal Data Protection Measures

The Controller uses modern organizational and technical safeguards in order to ensure the best possible protection of your personal data and guarantees that it processes such data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR"), the Polish Personal Data Protection Act of 10 May 2018, and other personal data protection laws.

Information About Processed Personal Data

Using the Platform requires the processing of your personal data. Below you will find detailed information about the purposes and legal bases of the processing, as well as the storage period and whether providing the data is mandatory or voluntary.

Agreement for the Account Service

Purpose of processingProcessed personal dataLegal basis
Conclusion and performance of the agreement for the Account Service
  • full name
  • email address
  • other data provided in the form
  • additional information voluntarily provided by the User on the Platform
Art. 6(1)(b) GDPR (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract)
Providing the above personal data is a condition for entering into and performing the agreement for the Account Service (providing the data is voluntary, but failure to do so will make it impossible to conclude and perform the agreement). The Controller will process the above personal data until limitation periods for claims arising from the agreement for the Account Service expire.

Agreement for the Community Joining Service

Purpose of processingProcessed personal dataLegal basis
Conclusion and performance of the agreement for the Community Joining Service
  • full name
  • email address
  • other data provided in the form
  • additional information voluntarily provided by the User on the Platform
Art. 6(1)(b) GDPR (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract)
Providing the above personal data is a condition for entering into and performing the agreement for the Community Joining Service (providing the data is voluntary, but failure to do so will make it impossible to conclude and perform the agreement). The Controller will process the above personal data until limitation periods for claims arising from the agreement for the Community Joining Service expire.

Agreement for the Community Creation Service

Purpose of processingProcessed personal dataLegal basis
Conclusion and performance of the agreement for the Community Creation Service
  • full name
  • email address
  • other data provided in the form
  • additional information voluntarily provided by the User on the Platform
Art. 6(1)(b) GDPR (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract)
Providing the above personal data is a condition for entering into and performing the agreement for the Community Creation Service (providing the data is voluntary, but failure to do so will make it impossible to conclude and perform the agreement). The Controller will process the above personal data until limitation periods for claims arising from the agreement for the Community Creation Service expire.

Newsletter

Purpose of processingProcessed personal dataLegal basis
Conclusion and performance of the Newsletter supply agreement
  • full name
  • email address
Art. 6(1)(b) GDPR (processing is necessary for the performance of the Newsletter or Digital Content supply agreement concluded with the data subject or in order to take steps prior to entering into such agreement) and Art. 6(1)(f) GDPR (processing is necessary for the purposes of the Controller's legitimate interests, in this case informing about new features and promotions available on the Platform)
Providing the above personal data is voluntary, but necessary in order to receive the Newsletter (failure to provide the data will result in the inability to receive the Newsletter). The Controller will process the above personal data until an effective objection is raised, the processing purpose is achieved, or limitation periods for claims arising from the Newsletter supply agreement expire (whichever occurs first).

Complaint Procedure

Purpose of processingProcessed personal dataLegal basis
Handling complaint proceedings
  • full name
  • email address
  • other data included in the message to the Controller
Art. 6(1)(c) GDPR (processing is necessary for compliance with a legal obligation to which the Controller is subject, including the obligations to respond to a complaint - Art. 7a of the Polish Consumer Rights Act; and to perform the Customer's rights under the provisions concerning the Controller's liability for non-conformity of a tangible good with the sales agreement or a digital performance with the agreement applicable to it)
Providing the above personal data is a condition for receiving a response to a complaint or for exercising the User's rights under the provisions concerning the Controller's liability for non-conformity of the digital performance with the agreement applicable to it (providing the data is voluntary, but failure to do so will make it impossible to receive a response to the complaint and to exercise the above rights). The Controller will process the above personal data for the duration of the complaint procedure and, if the above rights are exercised by the User, until the relevant limitation periods expire.

Verification Procedure and Appeals (DSA)

Purpose of processingProcessed personal dataLegal basis
Conducting verification proceedings and considering appeals against decisions regarding unlawful content handling
  • full name/business name
  • contact data, including email address
  • other data included in the message to the Controller
Art. 6(1)(c) GDPR (processing is necessary for compliance with a legal obligation to which the Controller is subject, including the obligations to provide a mechanism for reporting unlawful content (Art. 16 of Regulation 2022/2065 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) (the "DSA")) and to handle complaints (Art. 20 DSA))
Providing the above personal data is a condition for receiving a response to a notice or for exercising the User's rights under the DSA (providing the data is voluntary, but failure to do so will make it impossible to receive a response and to exercise the above rights). The Controller will process the above personal data for the duration of the verification procedure and, if the above rights are exercised by the User, until the relevant limitation periods expire.

Handling Inquiries

Purpose of processingProcessed personal dataLegal basis
Handling inquiries submitted by Users
  • first name
  • email address
  • other data included in the message to the Controller
Art. 6(1)(f) GDPR (processing is necessary for the purposes of the Controller's legitimate interests, in this case answering the received inquiry)
Providing the above personal data is voluntary, but necessary in order to receive a response to the inquiry (failure to provide the data will result in the inability to receive a response). The Controller will process the above personal data until an effective objection is raised or the processing purpose is achieved (whichever occurs first).

Reviews of Services

Purpose of processingProcessed personal dataLegal basis
Making Reviews of Services available
  • first name
  • optionally - other data included in the Review
Art. 6(1)(f) GDPR (processing is necessary for the purposes of the Controller's legitimate interests, in this case making Reviews available for informational and promotional purposes)
Providing the above personal data is voluntary, but necessary in order to add a Review (failure to provide the data will result in the inability to add a Review). The Controller will process the above personal data until an effective objection is raised or the processing purpose is achieved (whichever occurs first).

Tax Obligations

Purpose of processingProcessed personal dataLegal basis
Compliance with tax obligations (including issuing VAT invoices and storing accounting records)
  • full name/business name
  • residential/registered office address
  • tax identification number and other registration data
Art. 6(1)(c) GDPR (processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case obligations arising from tax law)
Providing the above personal data is voluntary, but necessary for the Controller to comply with its tax obligations (failure to provide the data will result in the inability to comply with those obligations). The Controller will process the above personal data for 5 years from the end of the year in which the tax payment deadline for the previous year expired.

Obligations Related to Personal Data Protection

Purpose of processingProcessed personal dataLegal basis
Performance of obligations related to personal data protection
  • full name
  • contact details provided by you (email address, correspondence address, phone number)
Art. 6(1)(c) GDPR (processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case obligations arising from personal data protection laws)
Providing the above personal data is voluntary, but necessary for the proper performance by the Controller of obligations arising from personal data protection laws, including the exercise of rights granted to you under the GDPR (failure to provide the data will result in the inability to properly exercise those rights). The Controller will process the above personal data until limitation periods for claims related to breaches of personal data protection laws expire.

Establishment, Assertion, or Defense of Claims

Purpose of processingProcessed personal dataLegal basis
Establishment, assertion, or defense of claims
  • full name/business name
  • email address
  • residential/registered office address
  • PESEL number
  • NIP
Art. 6(1)(f) GDPR (processing is necessary for the purposes of the Controller's legitimate interests, in this case establishing, asserting, or defending against claims that may arise in connection with the performance of agreements concluded with the Controller)
Providing the above personal data is voluntary, but necessary in order to establish, assert, or defend against claims that may arise in connection with the performance of agreements concluded with the Controller (failure to provide the data will result in the inability of the Controller to take the above actions). The Controller will process the above personal data until the limitation periods for claims that may arise in connection with the performance of agreements concluded with the Controller expire.

Analysis of Activity Within the Platform

Purpose of processingProcessed personal dataLegal basis
Analysis of your activity within the Platform
  • date and time of visit
  • device IP address
  • type of device operating system
  • approximate location
  • type of web browser
  • time spent on the Platform
  • visited subpages and other actions taken within the Platform
Art. 6(1)(f) GDPR (processing is necessary for the purposes of the Controller's legitimate interests, in this case obtaining information about your activity within the Platform)
Providing the above personal data is voluntary, but necessary in order for the Controller to obtain information about your activity within the Platform (failure to provide the data will result in the inability of the Controller to obtain such information). The Controller will process the above personal data until an effective objection is raised or the processing purpose is achieved.

Administration of the Platform

Purpose of processingProcessed personal dataLegal basis
Administration of the Platform
  • IP address
  • server date and time
  • information about the web browser
  • information about the operating system

The above data are automatically recorded in so-called server logs whenever the Platform is used (it would not be possible to administer the Platform without server logs and automatic recording).

Art. 6(1)(f) GDPR (processing is necessary for the purposes of the Controller's legitimate interests, in this case ensuring the proper functioning of the Platform)
Providing the above personal data is voluntary, but necessary in order to ensure the proper functioning of the Platform (failure to provide the data will result in the inability to ensure that the Platform functions properly). The Controller will process the above personal data until an effective objection is raised or the processing purpose is achieved.

Profiling

In order to create your profile for marketing purposes and to direct direct marketing tailored to your preferences to you, the Controller will process your personal data in an automated manner, including profiling; however, this will not produce any legal effects concerning you or similarly significantly affect your situation.

The scope of the profiled personal data corresponds to the scope indicated above with respect to the analysis of your activity within the Platform and the data you save in your Account.

The legal basis for processing personal data for the above purpose is Art. 6(1)(f) GDPR, pursuant to which the Controller may process personal data for the purposes of its legitimate interests, in this case conducting marketing activities tailored to recipients' preferences. Providing the above personal data is voluntary, but necessary to achieve the above purpose (failure to provide the data will result in the inability of the Controller to conduct marketing activities tailored to recipients' preferences).

The Controller will process personal data for profiling purposes until an effective objection is raised or the processing purpose is achieved.

Recipients of Personal Data

The recipients of personal data will include the following external entities cooperating with the Controller:

  1. hosting provider;
  2. newsletter service provider;
  3. companies providing tools for activity analysis within the Platform and for directing direct marketing to its users (including Google Analytics);
  4. accounting services provider;
  5. Stripe Inc. - payment operator;

In addition, personal data may also be disclosed to public or private entities if such an obligation arises from generally applicable laws, a final court judgment, or a final administrative decision.

Transfer of Personal Data to a Third Country

In connection with the Controller's use of services provided by Google LLC, your personal data may be transferred to the following third countries: the United Kingdom, Canada, the United States, Chile, Brazil, Israel, Saudi Arabia, Qatar, India, China, South Korea, Japan, Singapore, Taiwan (Republic of China), Indonesia, and Australia. The legal basis for transfers to the above third countries is:

  • for the United Kingdom, Canada, Israel, and Japan - European Commission adequacy decisions confirming an adequate level of personal data protection in each of those third countries;
  • for the United States, Chile, Brazil, Saudi Arabia, Qatar, India, China, South Korea, Singapore, Taiwan (Republic of China), Indonesia, and Australia - contractual clauses ensuring an adequate level of protection, compliant with the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679.

You may obtain a copy of the data transferred to a third country from the Controller.

Your Rights

In connection with the processing of personal data, you are entitled to the following rights:

  1. the right to obtain information about what personal data concerning you are processed by the Controller and to receive a copy of such data (right of access). The first copy is free of charge; the Controller may charge for additional copies;
  2. if the processed data become outdated or incomplete (or otherwise incorrect), you have the right to request rectification;
  3. in certain situations, you may request the Controller to erase your personal data, for example when: the data are no longer necessary for the purposes communicated to you; you have effectively withdrawn your consent and the Controller has no other legal basis to process the data; the processing is unlawful; or erasure is required in order to comply with a legal obligation binding on the Controller;
  4. where personal data are processed by the Controller on the basis of your consent or for the performance of an agreement concluded with you, you have the right to data portability to another controller;
  5. where personal data are processed by the Controller on the basis of your consent, you have the right to withdraw that consent at any time (withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal);
  6. if you consider that the processed personal data are incorrect, processed unlawfully, or no longer necessary to the Controller, you may request that the Controller refrain from carrying out any operations on the data, except storing them, for a specified period needed, for example, to verify data accuracy or pursue claims;
  7. you have the right to object to the processing of personal data where the legal basis for the processing is the Controller's legitimate interest. If an objection is effectively raised, the Controller will stop processing personal data for that purpose;
  8. you have the right to lodge a complaint with the President of the Personal Data Protection Office if you believe that the processing of personal data violates the GDPR.

Cookies

  1. The Controller informs you that the Platform uses "cookies" installed on your end device. These are small text files that may be read by the Controller's system and also by systems belonging to other entities whose services the Controller uses (e.g. Facebook, Google).
  2. The Controller uses cookies for the following purposes:
    1. ensuring the proper functioning of the Platform - thanks to cookies, the Platform can operate smoothly, its functions can be used, and users can conveniently move between subpages;
    2. increasing the comfort of using the Platform - thanks to cookies, errors on some subpages may be detected and continuously improved;
    3. creating statistics - cookies are used to analyze the way users use the Platform. This makes it possible to continuously improve the Platform and adapt its operation to users' preferences;
    4. conducting marketing activities - thanks to cookies, the Controller may direct advertisements tailored to users' preferences to them.
  3. The Controller may place both persistent and temporary (session) cookies on your device. Session cookies are usually deleted when the browser is closed, whereas closing the browser does not remove persistent cookies.
  4. Information about cookies used by the Controller is displayed in the panel located at the bottom of the website / Platform footer. Depending on your decision, you may enable or disable cookies from individual categories (except necessary cookies) and change those settings at any time.
  5. Data collected through cookies do not allow the Controller to identify you.
  6. The Controller uses the following cookies or tools using cookies:
ToolProviderFunctions and scope of collected dataStorage period
Necessary cookiesControllerThese cookies are necessary for the proper operation of the Platform / Platform website, therefore you cannot disable them. Thanks to these cookies (collecting, among other things, your device IP address), it is possible, among other things, to inform you about cookies operating within the Platform.Most necessary cookies are session cookies; however, some remain on your device for 12 months or until they are deleted.
Google AnalyticsGoogleThis tool allows statistical data to be collected about how Users use the Platform, including the number of visits, visit duration, search engine used, and location. The collected data help improve the Platform and make it more user-friendly.up to 2 years or until deleted (whichever occurs first)
Facebook PixelFacebookThis tool makes it possible to determine that you opened the Platform and also to direct advertisements displayed on Facebook and Instagram social media services to you and measure their effectiveness.up to 3 months or until deleted (whichever occurs first)

7. Through most commonly used browsers, you can check whether cookies have been installed on your device, remove installed cookies, and block their installation by the Platform in the future. However, disabling or restricting cookies may cause significant difficulties in using the Platform, for example the need to log in on every subpage, longer loading times, and limitations in using certain functionalities.

Final Provisions

In matters not regulated by this Policy, generally applicable personal data protection laws shall apply.

The Policy is effective as of 01.01.2026.