Attachment no. 1 to the Terms and Conditions
PRIVACY POLICY OF THE COMMUNITY QUESTIONS FOR CONFLUENCE APPLICATION
Please read this privacy policy carefully. The privacy policy sets out the rules regarding the processing of personal data collected and processed when using the Application.
1) GENERAL PROVISIONS
- The hereby privacy policy of the Application is informative, which means that it is not a source of obligations for Application Users. The privacy policy contains primarily rules regarding the processing of personal data by the Data Controller in the Application, including the grounds, purposes and period of processing of personal data and the rights of data subjects as well as information regarding the use of cookies and analytical tools in the Application.
- The Data Controller of personal data collected through the Application is Łukasz Wiatrak Firnity (address: ul. Słomiana 24/20, 30-316 Kraków), having an e-mail address: contact@questions-answers-community.com – hereinafter referred to as the “Data Controller” who is also the Service Provider of the Application.
- Personal data in the Application are processed by the Data Controller in accordance with applicable law, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as “GDPR” or “GDPR Regulation”. The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
- Using the Application is voluntary. Similarly, providing personal data related to the use of the Application by the User is voluntary, with two exceptions: (1) concluding contracts with the Data Controller – a failure to provide, in cases and to the extent indicated in the Application and in the Terms and Conditions of the Application and the hereby privacy policy, personal data necessary to conclude and perform a contract with the Data Controller results in the inability to conclude such contract. Providing personal data is in this case a contractual requirement and if the data subject wants to conclude a given contract with the Data Controller, he is obliged to provide the required data. Each time the scope of the data required to conclude a contract is indicated in advance on the Atlassian Marketplace (in case of buying the subscription of the Application) or in the Application itself (in case of using its functionalities) and in the Terms and Conditions of the Application; (2) the Data Controller’s statutory obligations - providing personal data is a statutory requirement resulting from the generally applicable legal provisions imposing an obligation on the Data Controller to process personal data and failure to provide it will prevent the Data Controller from performing these obligations.
- The Data Controller assures diligence in protecting the interests of persons to whom the personal data processed by him relates, and in particular he is responsible and ensures that the data collected by him are: (1) processed in accordance with the law; (2) collected for specified, legitimate purposes and not subject to further processing incompatible with those purposes; (3) factually correct and adequate in relation to the purposes for which they are processed; (4) stored in a form that allows identification of the data subjects, no longer than necessary to achieve the purpose of processing, and (5) processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage by appropriate technical or organizational measures.
- Taking into account the nature, scope, context and purposes of processing as well as the risk of violation of the rights or freedoms of data subjects of different probability and severity of threat, the Data Controller implements appropriate technical and organizational measures to process it in accordance with the GDPR Regulation and to be able to demonstrate it. These measures are reviewed and updated as necessary. The Data Controller uses technical measures to prevent unauthorized persons from acquiring and modifying personal data sent electronically.
- All words, expressions and acronyms appearing in the hereby privacy policy and beginning with a capital letter (e.g. Service Provider, User, Application) should be understood in accordance with their definition contained in the Terms and Conditions of the Application.
2) GROUNDS FOR DATA PROCESSING
- The Data Controller is entitled to process personal data in cases where - and to the extent that - at least one of the following conditions is met: (1) the data subject has given consent to the processing of his personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Data Controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- The processing of personal data by the Data Controller requires each time at least one of the grounds indicated in point 2.1 of the privacy policy. The specific grounds for processing personal data of the Customers of the Application by the Data Controller are indicated in the next section of the privacy policy – in relation to the given purpose of processing personal data by the Data Controller.
3) PURPOSE, GROUNDS AND PERIOD OF DATA PROCESSING IN THE APPLICATION
- Each time the purpose, grounds and period as well as the recipient of personal data processed by the Data Controller result from actions taken by a given User in the Application.
- The Data Controller may process personal data in the Application for the following purposes, on grounds and during the periods indicated in the table below
The purpose of data processing | The grounds of data processing | The period of data processing |
---|---|---|
Performance of a contract for the use of the Application or taking actions at the request of the data subject prior to entering into a contract | Article 6 para. 1 letter b) of the GDPR Regulation (performance of a contract) - processing is necessary for the performance of a contract, including to the extent necessary to take steps at the request of the data subject prior to entering into a contract. | The data is stored for the period necessary to perform, terminate or expire in another way of the concluded contract. |
Using the Application by the User and ensuring its proper functioning | Article 6 para. 1 letter b) of the GDPR Regulation (performance of a contract) - processing is necessary for the data subject to be able to properly use specific functionalities of the Application, which for its operation requires providing the User’s data or downloading this data via the Application directly from the Confluence Cloud product under the User’s authorization. The above actions include displaying, modifying and adding User content stored in the Confluence Cloud product integrated with the Application and are undertaken at the request of the Application User. | The data is stored for the period necessary for the correct use by the data subject of specific functionalities of the Application or the data subject ceases to use this functionality, but no longer than until the termination or expiry in another way of the concluded contract for the use of the Application by the User. |
Sending e-mail notifications via the Application in the event of certain interactions of the User with the Application | Article 6 para. 1 letter b) of the GDPR Regulation (performance of the contract) - processing is necessary to implement the main assumptions of the Application and for the data subject to be able to use functionalities of the Application in a manner consistent with their intended use. The above actions include sending the data subject notifications about a new question, answer, comment or reaction in the Application or sending a notification when the data subject has been mentioned by another person using the Application as part of the same Confluence Cloud product in the content questions, answers or comments. | The data is stored for the period necessary to send the notification to the data subject, but no longer than until the termination or otherwise expiry of the concluded contract for the use of the Application by the User. |
Determination, investigation or defense of claims which may be raised by the Data Controller or which may be raised against the Data Controller. | Article 6 para. 1 letter f) of the GDPR Regulation (legitimate interest of the Data Controller) - processing is necessary for purposes arising from the legitimate interests of the Data Controller - consisting in establishing, investigating or defending claims that may be raised by the Data Controller or which may be raised against the Data Controller | The data is stored for the duration of the legitimate interest pursued by the Data Controller, but no longer than for the prescription period of claims that may be raised against the Data Controller (the basic prescription period for claims against the Data Controller is six years). |
Keeping statistics and analyzing traffic in the Application | Article 6 para. 1 letter f) of the GDPR Regulation (legitimate interest of the Data Controller) - processing is necessary for purposes resulting from the legitimate interests of the Data Controller - consisting in keeping statistics and analyzing traffic in the Application in order to improve the functioning of the Application. | The data is stored for the duration of the legitimate interest pursued by the Data Controller, however no longer than for the prescription period of the Data Controller’s claims against the data subject. The prescription period is determined by law, in particular the Polish Civil Code (the basic prescription period for claims connected with conducting a business activity is three years). |
4) RECIPIENTS OF DATA IN THE APPLICATION
- In order to assure proper functioning of the Application, it is necessary for the Data Controller to use the services of external entities (such as e.g. software supplier). The Data Controller uses solely the services of such processing entities that provide sufficient guarantees for the implementation of appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR Regulation and protects the rights of data subjects.
- Personal data may be transferred by the Data Controller to a third country (outside the European Union or the European Economic Area), while the Data Controller ensures that in such case it will take place in relation to the country ensuring an adequate level of protection - pursuant to the GDPR Regulation, and the data subject may obtain a copy of his data. The Data Controller transfers the collected personal data only in the case and to the extent necessary to achieve the given purpose of data processing in accordance with the hereby privacy policy.
- The transfer of data by the Data Controller does not occur in every case and not to all recipients or categories of recipients indicated in the privacy policy - the Data Controller transfers data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve it.
- The data of the Application User’s can be transferred to the following recipients or categories of recipients:
- providers of accounting, legal and advisory services providing the Data Controller with accounting, legal or advisory support (in particular an accounting office, law firm or debt collection company) - the Data Controller provides the User’s collected personal data to a chosen supplier acting on his behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with the hereby privacy policy.
- service providers that provide the Data Controller with technical, IT and organizational solutions that enable the Data Controller to run and maintain the Application (in particular the computer software provider for running the Application, the e-mail and hosting providers as well as the software provider for managing the company and providing technical support to the Data Controller) - the Data Controller provides the User’s collected personal data to the chosen supplier acting on his behalf only in the case and to the extent necessary to achieve the given purpose of data processing in accordance with the hereby privacy policy.
5) PROFILING IN THE APPLICATION
- The GDPR Regulation requires the Data Controller to inform about automated decision-making, including profiling, as referred to in art. 22 para. 1 and 4 of the GDPR Regulation, and - at least in these cases - relevant information about the decision-making rules, as well as about the significance and anticipated consequences of such processing for the data subject. With this in mind, the Data Controller provides information on possible profiling in this section of the privacy policy.
- The Data Controller may use profiling for the purposes of direct marketing in the Application, but the decisions made on its basis by the Data Controller do not relate to the conclusion or refusal to conclude a contract or the possibility of using the functionality in the Application.
- Profiling in the Application consists in the automatic analysis or forecast of a given person’s behavior as part of the Application, e.g. by analyzing the previous history of activities undertaken in the Application. The condition of such profiling is that the Data Controller possesses personal data of a given person.
- The data subject has the right not to be subject to a decision that is based solely on automated processing, including profiling, and produces legal effects on that person or similarly significantly affects him.
6) THE DATA SUBJECT’S RIGHTS
- The right to access, rectify, limit, delete or transfer - the data subject has the right to request the Data Controller to access his personal data, rectify it, delete it (“right to be forgotten”) or limit processing and has the right to object to processing, and also has the right to transfer his data. Detailed conditions for exercising the abovementioned rights are indicated in art. 15-21 of the GDPR Regulation.
- The right to withdraw consent at any time - a person whose data is processed by the Data Controller on the basis of expressed consent (pursuant to art. 6 para. 1 letter a) or art. 9 para. 2 letter a) of the GDPR Regulation), has the right to withdraw consent at any time without affecting the lawfulness of the processing that was carried out on the basis of his consent before its withdrawal.
- Right to lodge a complaint to the supervisory body - a person whose data is processed by the Data Controller has the right to lodge a complaint to the supervisory body in the manner and according to a procedure specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory body in Poland is the President of the Personal Data Protection Office.
- Right to object - the data subject has the right to object at any time - for reasons related to his particular situation - to the processing of personal data concerning him based on art. 6 para. 1 letter e) (public interest or tasks) or f) (legitimate interest of the Data Controller), including profiling based on these provisions. In such a case, the Data Controller may no longer process this personal data, unless he demonstrates the existence of valid legitimate grounds for processing, overriding the interests, rights and freedoms of the data subject, or interests for establishing, investigating or defending claims.
- Right to object to direct marketing - if personal data is processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning him for the purposes of such marketing, including profiling, to the extent in which processing is associated with such direct marketing.
- In order to exercise the rights referred to in this article of the privacy policy, you can contact the Data Controller by sending an appropriate message by e-mail to the Data Controller’s address indicated at the beginning of the privacy policy.
7) COOKIES AND ANALYTICS
- Cookies are small pieces of text files sent by the server and saved at the visitor’s of the Application device (e.g. on the hard disk of a computer, laptop, or smartphone’s memory card – depending on the type of device used by the Application’s visitor). Detailed information on Cookies as well as the history of their origin can be found e.g. at: https://en.wikipedia.org/wiki/HTTP_cookie.
- Cookies, which can be sent via the Application, can be divided into various types, according to the following criteria:
With regard to the provider: 1) own (created by the Controller’s Application) and 2) belonging to other persons/third parties (other than the Controller) | With regard to the period of their retention on the appliance of the Application’s visitor: 1) session cookies (stored till the moment of closing of the Application or a browser) and 2) persistent cookies (having some expiration period, defined by parameters of each file or until they are removed by hand) | With regard to the purpose of their usage: 1) strictly necessary cookies (enabling proper functioning of the Application), 2) functional/preferential cookies (enabling adjustment of the Application to the visitor’s preferences), 3) analytical and performance cookies (collecting information on the use of the Application) |
- The Controller may process information contained in Cookies during visiting of the Application for the following particular reasons:
Purposes of using Cookies in the Controller’s Application: 1) storing data necessary for the configuration of the third-party application – Slack for the time of carrying out said configuration by User (strictly necessary Cookies and/or functional/preferential Cookies) 2) keeping anonymous statistics and analyzing the traffics and methods of use of the Application, including the use of tools and scripts tracking the User’s behaviour in the Application which may be provided by third parties (analytical and performance Cookies) 3) saving data from the filled-in forms (strictly necessary Cookies and/or functional/preferential Cookies) |
- Checking in the most popular internet browsers, which Cookie files (including the expiry period of Cookies and their provider) are being sent in a given moment by the Application can be done, as follows:
In Chrome browser: (1) in the address bar, click the ’locked’ icon on the left, (2) go to the benchmark „Cookie files”. | In Firefox browser: (1) in the address bar, click the ’shield’ icon on the left, (2) go to the benchmark „Allowed” or „Blocked”, (3) click the button „Tracking cookies between websites”, „Tracing elements of social networks or „Content with tracing elements” | In Internet Explorer browser: (1) Click „Tools” menu, (2) go to „Internet options” benchmark, (3) go to „General” benchmark, (4) then go to „Settings”, (5) click the button „Display files” |
In Opera browser: (1) in the address bar, click the ’locked’ icon on the left, (2) go to the benchmark „Cookie files”. | In Safari browser: (1) click menu „Preferences”, (2) go to „Privacy” benchmark, (3) click the button „Manage website data” | Independent of the browser used, you can apply tools available e.g. at: https://www.cookiemetrix.com/ or: https://www.cookie-checker.com/ |
- As a standard, most internet browsers on the market accept saving Cookies by default. Every person has the possibility to specify the conditions of using Cookies in the browser settings. It means that one may, e.g. partially restrict (e.g. temporarily) or fully disable saving Cookies – in the latter case it may have an impact on some functionalities of the Application.
- The browser settings concerning Cookies are essential as regards the consent to use Cookies by the Application – in accordance with the law, such consent may also be expressed in the browser settings. In view of lack of such consent, change the browser setting accordingly as regards Cookies. Detailed information concerning the change in Cookies settings and their individual removal in the most common browsers is available in the help section of the browser and the following websites (click the link):
- The Controller may use Google Analytics, Universal Analytics services in the Application, which are provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). The services help the Controller to analyse the frequency of visits in the Application. The data collected are processed under the above services to generate statistics helpful while administering the Application. The data are of collective nature. Using the above services in the Application, the Controller collects such data as the sources and medium of acquiring visitors of the Application and the manner of their conduct in the Application, information concerning their devices and browsers used to visit the website, IP and domain, geographical data and demographic data (age, sex) and interests.
- It is possible to easily block sharing information with Google Analytics as regards the activity in the Application – install to that end an opt-out add-on made available by Google Ireland Ltd. available at: https://tools.google.com/dlpage/gaoptout?hl=pl.
- The Data Controller may use the Microsoft Application Insights services provided by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA) in the Application. These services help the Data Controller keep statistics and analyze traffic in the Application and optimize its functioning. By using the above services in the Application, the Data Controller collects data such as the behavior of people using the Application and information about devices and browsers via which they visit the Application. More information on how Microsoft Application Insights works can be found at: https://docs.microsoft.com/en-us/azure/application-insights/app-insights-data-retention-privacy.
- The Data Controller may use in the Application the Sentry tool provided by Functional Software Inc. (132 Hawthorne St, San Francisco, CA 94107, USA). The Sentry tool is used to detect errors that Users may encounter while using the Application, for the purpose of their later removal and repair by the Data Controller. The collected data may therefore include the history of the User’s activity in the Application, as well as information about the devices and browsers of the person who uses the Application. More information on the functioning of the Sentry tool can be found at the following website: https://sentry.io/privacy/.
8) FINAL PROVISIONS
- The Application may contain links to other websites or applications. The Data Controller urges that after switching to other pages please read the privacy policy set out for a given page. The hereby privacy policy applies exclusively to the Data Controller’s Application.
- This privacy policy does not apply to the rules of processing of Users’ personal data, which are collected and stored independently by Atlassian in connection with the Users’ use of Atlassian products, unless this data is simultaneously downloaded by the Data Controller via the Application to the extent necessary to meet one of the purposes of processing specified in point 3 of the privacy policy.