Privacy Policy

The Privacy Policy describes how we process information about you, including personal data and cookies.

1. General information
   1. The service provider is cyber_Folks S.A., based in Poznan, Franklina Roosevelta 22, 60-829 Poznań, entered in the National Court Register by the District Court Poznań – Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register under the number KRS 0000612359, REGON (statistical number) 364261632, NIP (tax identification number) 7822622168, share capital 225,541.00 PLN fully paid up.
   2. The Provider is the Controller of the personal data voluntarily provided by Users when visiting the website, establishing services, using services, or participating in various marketing activities that may be conducted by the Provider (e.g. competitions, newsletters, etc.).
   3. The data provided by Users in order to use the services is needed in the process of launching and providing the services. This includes, in particular, activities such as:
      • technical launch of services,
      • payments and invoicing,
      • processing and storage of financial documents based on specific provisions: tax, financial and accounting, etc.,
      • informing about the expiry dates of the services and the possibility of extending them,
      • informing about planned technical works and malfunctions,
      • informing about significant configuration changes,
      • informing about amendments to the regulations,
      • implementation of technical maintenance, including answers to Users’ requests,
      • explanations in regard to settlements,
      • direct sales contact – if requested by the User,
      • sending marketing information by e-mail, text messages, telephone and other communication channels – if the User agrees to such forms of contact (for example, by signing up for a newsletter, indicating consent by registering the service or by using the client’s Panel – detailed terms and scope of the consent, together with an indication of the relevant provisions are located at the place where the User expresses the consent)
   4. The Provider, as a hosting company, is also a data processor for data controlled by customers and which has been entrusted to it by conclusion of a relevant agreement in the client’s Panel. The detailed rules for processing shall then be laid down in this agreement. This Policy shall not apply to the use of such data. The Provider is not a controller of such personal data.
   5. This Policy does not cover any information relating to services, goods or websites belonging to any entity other than the Provider, except for the designated cooperating entities.
   6. The service provides functions to acquire information on Users and their behaviors by:
      • Use of data voluntarily inserted in the forms that are then entered into the Provider's systems,
      • Using the Provider’s services,
      • Storing cookies on end devices,
      • Storing technical information in the server logs of http servers, e-mail servers, or other network services and the Provider's applications (system logs).
2. Detailed information on the processing of personal data

   The processing of personal data shall be carried out in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) of 27 April 2016 (OJ L No 119), hereinafter referred to as "GDPR", taking into account the provisions of the Act on Provision of Services by Electronic Means and other generally applicable laws.

   1. The Controller of personal data

      The Controller of personal data is (Provider): cyber_Folks S.A., based in Poznań, Franklina Roosevelta 22, 60-829 Poznań, entered in the National Court Register by the District Court Poznań-Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register under the number KRS 0000612359, REGON 364261632, NIP 7822622168, share capital 215,228,00 PLN fully paid up.

      Contact details of the Controller: Franklina Roosevelta 22, 60-829 Poznań, e-mail: dos@domeny.pl, phone: +48 12 296 36 63.

   2. Data Protection Officer

      The Data Protection Officer with the Controller’s company is Mr. Dariusz Sikorski, who shall provide more information on the rights of the Data subject and the processing of his/her personal data at the following e-mail address: iod@cyberfolks.pl

   3. The voluntary provision of personal data

      Personal data is provided voluntarily, but the Provider informs that unless otherwise indicated in the content of individual forms (e.g., that the provision of data is optional), the use of the Provider's services anonymously or by using a nickname shall be not possible. Therefore, refusal to provide data may result in a refusal to enter into a contract and a refusal to provide the requested service.

   4. To set up a customer’s account to order Provider’s services, a login must be created and mandatory data provided:

      Private individuals (Mandatory data)	Businesses and organizations (Mandatory data)
      full name address of residence e-mail address phone number PESEL (personal identification number)	full name name of a company or organization business address e-mail address phone number NIP number

   5. The types of data processed, purposes, legal basis for the processing of the data by the Provider and the expected retention period

      Type of data	Purposes of processing	Legal basis	Retention period
      Mandatory data (as indicated above). Contact details of the customer's staff (in particular: full name, e-mail address, telephone number).	Maintenance of a customer account on the website, provision of services ordered electronically, ensuring contact in reference to provided services.	Article 6(1)(b) of the GDPR (necessity for the execution of the contract) Article 18(1) of the Act on Provision of Services by Electronic Means	Until the customer's account is deleted.
      	Pursuing or defending potential claims.	Article 6(1)(f) of the GDPR (legitimate interest)	Until expiry of any claims limitation period.
      	Marketing and direct marketing of the Controller’s products or services, including sales analysis, customer satisfaction surveys, and improving the quality of the services, etc.	Article 6(1)(f) of the GDPR (legitimate interest)	Until the Data Subject objects, under the terms of Articles 21 to 22 of the GDPR.
      	Sending commercial information by electronic means (advertising e-mails and text messages, making telephone calls to present promotional or personalized offers, analyzing Users’ activity and preferences.	Article 6(1)(a) of the GDPR in conjunction with Articles 172(1), 173(1) of the Telecommunications Law and Article 10(2) of the Act on Provision of Services by Electronic Means (Consent)	Until the Data Subject withdraws an acceptance or objects, under the terms of Articles 21 to 22 of the GDPR.
      The data necessary for the chosen method of settlement of the services, in particular: Details of the payment method or bank account from which the payment was made. The data contained in the invoices (VAT invoices) issued. Details of the services ordered and performed (order history).	Settlement of performed services.	Article 6(1)(b) of the GDPR (necessity for the execution of the contract) Article 18(2) of the Act on Provision of Services by Electronic Means	For the duration of the contract and thereafter until the expiry of the limitation period of any claims or until the expiry of the obligation to keep accounting and tax documents.
      	The performance of legal obligations concerning bookkeeping and tax duties.	Article 6(1)(c) of the GDPR (fulfillment of legal accounting obligations)
      	Pursuing or defending potential claims.	Article 6(1)(f) of the GDPR (legitimate interest)
      The data contained in correspondence with the Controller (e.g., in completed contact forms, service management system, electronic mail, chat application, traditional mail, etc.) Records of telephone calls	Handling of correspondence, service management system, requests, inquiries or complaints. A demonstration of the content of statements or requests made by a Data Subject. Pursuing or defending potential claims.	Article 6(1)(f) of the GDPR (legitimate interest) Article 6(1)(c) of the GDPR (performance of legal obligations to respond to requests from data subjects)	Until expiry of any claims limitation period.
      	Pursuing or defending potential claims.	Article 6(1)(f) of the GDPR (legitimate interest)
      Data on the use of the electronic service (performance data): A tag that identifies the Data Subject based on the data collected. Tags identifying the end of the telecommunications network or the ICT system used by a Data Subject. Information on the commencement, termination and extent of any use of the electronically supplied service. Information on the use of electronically supplied services by the recipient.	Ensuring quality parameters of service and their optimization. Maintaining security measures. Determination of unauthorized use of services. Pursuing or defending potential claims.	Article 6(1)(f) of the GDPR (legitimate interest) Article 18(5- 6) of the Act on Provision of Services by Electronic Means	Up to 6 months, and for data concerning access to the customer’s panel and placing of orders, instructions or requests - for the duration of the service and thereafter until the expiry of the limitation period of any claims.
      Data requested under the law by public authorities or authorized entities.	In exceptional circumstances, the provision of personal data at the request of public authorities or bodies authorized to do so under the law.	Article 6(1)(c) of the GDPR (performance of legal obligations)	By the time the controller has fulfilled its legal obligations.
      All data of a Data Subject processed by the Controller in the IT systems described above.	Making and storing backup copies. Maintaining the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and services. Ensuring the ability to quickly restore the availability and access to personal data in the event of a physical or technical incident. Testing, measuring and evaluating on a regular basis the effectiveness of technical and organizational measures to ensure the security of processing.	Article 6(1)(c) in conjunction with Article 32(1) of the GDPR (fulfillment of legal obligations to ensure data security, integrity and availability)	According to the internal backup schedule.

   6. Right to withdraw consent

      If the Controller processes personal data on the basis of a consent, such consent of a Data Subject may be withdrawn by him/her at any time. However, this may result in loss of access to the service provided under the prior consent. The withdrawal of consent shall not affect the lawfulness of the processing carried out by the Controller before the withdrawal.

   7. The rights of a Data Subject in connection with the processing of personal data

      A Data Subject shall have the following rights regarding his/her personal information:

      Right of access to data	Article 15 of the GDPR. The nature of rights: The data subject shall have the right to obtain confirmation from the Controller as to whether personal data concerning him or her are being processed and, where this is a case, the right to have access to the personal data and the right to information contained in that provision.
      Right to rectification and completion	Article 16 of the GDPR The nature of rights: The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by providing a supplementary statement.
      Right to erasure	Article 17 of the GDPR The nature of rights: The data subject shall have the right to request the Controller to delete the personal data relating to him or her without delay and the Controller shall be required to erase the personal data without undue delay if one of the circumstances set out in this provision arises.
      Right to restriction of processing	Article 18 of the GDPR The nature of rights: The restriction of processing involves the identification by the Controller of personal data processed in order to limit their processing in the future. Once the data has been marked, processing, except for storage, is permitted only on the basis of the consent or for the purposes mentioned in this provision. Restriction of processing may be requested in cases referred to in this provision.
      Right to data portability	Article 20 of the GDPR The nature of rights: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and shall have the right to transmit the data to another entity without hindrances from the Controller.
      Right to objection	Article 21 of the GDPR The nature of rights: Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, including profiling, to the extent that it is related to such direct marketing. The objection shall also be admissible in the other cases referred to in Articles 21-22 of the GDPR.

      A Data subject can exercise these rights by contacting the Controller in any manner specified at the beginning. This also applies to the withdrawal of previously granted consents. During a distance contact, pursuant to Article 12(6) of the GDPR, the Controller may request the provision of personal data for the purpose of verifying the identity.

   8. Recipients of the data

      Personal data will be provided, as appropriate, to entities acting solely upon the order of the Controller or providing services to the Controller, in particular:

      • in case of Internet domain registration ordered by a Data Subject, to domain registry operators and Internet domain subscribers or to intermediaries registering a given domain extension in Poland and abroad;
      • in case of registration of a cryptographic certificate ordered by a Data Subject, to the certification center operators, under a cryptographic certificate ordered by a Data Subject or to the intermediaries in this regard in Poland and abroad;
      • to advertising and marketing companies (advertising agencies, call centers, software platforms for marketing automation and analytics and to platforms for e-mail or text messaging and chat communication);
      • to enterprises providing services relating to pursue or defense of claims and providing legal and accounting services (debt recovery companies, law or tax firms, accounting offices);
      • to data centers, contractors, and service technicians;
      • to postal operators and courier services providers.

      Personal data may also be shared with:

      • auditors;
      • bodies which, under the applicable law, remain entitled to require data, including in particular courts, prosecutors, police, tax and customs administration;
      • other entities entitled to access data under the law.
   9. Transmission of data to third countries where the GDPR regulations do not apply

      Personal data shall, in principle, not be transferred to a third country or to an international organization outside the European Economic Area (EEA). Such transfer may, however, take place within the limits set out below:

      Registration of domains and SSL certificates

      The transmission of data outside the EEA shall only take place in case of an order by a Data subject requiring the transfer of personal data to a third country, i.e. in particular in case of the registration of an Internet domain, the register of which is operated by an entity established in a country which is not EEA-based or in case of an SSL certificate operated by that entity. In such cases, personal data shall be transmitted on the basis and in the order of the provisions of Chapter V of the GDPR, that is:

      a) first, on the basis of a decision of the European Commission stating that the third country, territory or specific sector in that third country or international organization concerned provides an adequate level of protection for personal data pursuant to Article 45 of the GDPR; or

      b) second, when the Controller has provided adequate safeguards and ensured that the rights of data Subjects and effective remedies are in place (standard data protection clauses adopted by the European Commission) or has implemented another mechanism, which in accordance with the law, legalizes the transfer of data to a third country pursuant to Articles 46 and 47 of the GDPR; or

      c) third, when the transfer of personal data is necessary for the performance of a contract between the Data Subject and the Controller or for the implementation of pre-contractual measures taken at the request of the Data Subject and with reference to execution of a service ordered individually by such Data Subject under Article 49 of the GDPR.

      Taking into consideration the fact that it is not possible to identify and describe in advance all possible situations for the transfer of personal data outside the EEA in connection with domain registration, purchase of SSL certificates or ordering other services offered by the Controller in this document (the IANA database has more than 1500 domains, including national, regional, global and nTLD type domains whose registers are often maintained by separate organizations), the following details can be obtained:

      • about entities responsible for domain registration, including their registered address, at IANA (Internet Assigned Numbers Authority) website: http://www.iana.org/domains/root/db ;
      • about entities providing SSL certificates, including their registered address, at: https://certyfikatyssl.pl/ ;
      • about countries for which the European Commission has decided to determine an adequate level of protection of personal data, details are available on the Commission's website:
        https://www.ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en ;
      • about the standard data protection clauses adopted by the European Commission, which are available on the European Union legislation website: Decision 2021/914 of 4 June 2021 and earlier decisions repealed with effect from 27 September 2021: Decision 2001/497/EC of 15 June 2001; Decision 2004/915/EC of 27 December 2004; Decision 2010/87/EU of 5 February 2010

      Analytical or advertising services

      Personal data may be transferred outside the EEA to the United States, due to the use of analytical or advertising services provided by global suppliers having head offices and data centers in Europe, such as:

      • Google Ireland Limited, for Google Ads and Google Analytics, and
      • Meta Platforms Ireland Limited for Facebook and Instagram.

      In this case, the data shall be transferred on the basis of standard contractual data protection clauses adopted by the European Commission, which are available on the European Union legislation website: Decision 2021/914/EC of 4 June 2021

   10. Profiling

       Data Subjects may be subject to automated decision-making, including profiling, to provide services under a contract and to conduct direct marketing and sales analysis by the Controller. Profiling is an automatic way of reading the interests of a Data Subject and is intended only to better match the services provided to the needs of a particular customer. Profiling affects the advertising offered to a Data Subject but does not have legal effects and is not based on so-called sensitive data (special categories of data).

   11. Right to lodge a complaint

       Any Data Subject using the Controller’s services shall have the right to clarification concerning the processing of his/her personal data with the Data Protection Officer accessible at the following e-mail address: iod@cyberfolks.pl. A Data Subject shall also have the right to lodge a complaint to the supervisory authority, which is the President of the Data Protection Office, Stawki 2, 00-193 Warsaw, for example, in case where he/she considers that his/her personal data is not processed in accordance with applicable law.

3. Selected methods of data protection.
   1. The Provider applies different types of personal data protection mechanisms, in particular:
      • the protection against unauthorized access,
      • the protection against the loss of data,
      • the protection against accidental or unauthorized modification of data.
   2. Users’ passwords are not explicitly stored in the system or encrypted in a reversible manner.
   3. Login and data entry places, including personal data, are protected by encryption when data is transmitted between the User's device and the Provider's server (SSL certificate).
   4. The Provider has security measures against data loss (e.g. disk arrays, regular backups).
   5. The Provider uses adequate measures to protect the data processing locations (e.g. notification systems, special fire-fighting systems).
   6. The Provider uses adequate means of protection for processing systems in the event of a sudden power failure (e.g. dual power lines, generator sets, UPS maintenance systems).
   7. The Provider uses measures to physically protect access to data processing locations (e.g. access control, video surveillance and alarm systems).
   8. The Provider uses measures to ensure appropriate environmental conditions for the server systems as part of the data processing system (e.g. environmental control, specialized air conditioning systems).
   9. The Provider uses organizational solutions to ensure the highest possible degree of protection and confidentiality (training, internal regulations, behavior policies, password policies, etc.)
   10. The Provider has appointed the Data Protection Officer.
4. Information in forms.
   1. The website collects information provided voluntarily by the User, including personal data, if provided.
   2. The website stores information about the connection parameters (time stamp, IP address).
   3. In some cases, the website may record the information that helps link the information in the form to the e-mail address of the User who has filled the form. In this case, the User's email address appears inside the URL address of the page containing the form.
   4. The data provided in the form is processed for the purpose of the function of a relevant form, e.g. to process a service request, commercial contact or service registration, etc. Each time the context and description of the form clearly indicate what it is used for.
5. System logs.
   1. The Provider automatically creates security logs (system logs) and website usage statistics that contain information about some Users’ behaviors. This data is used to administer the website and to provide the best possible service for the hosting services provided.
   2. Information to be recorded:
      • the resources specified by the URL (URLs of the requested resources – pages, files),
      • the time when the query comes from the User,
      • the time when response to a User was sent
      • client’s device ID - HTTP identification
      • information about the errors that occurred during the HTTP transaction,
      • the URL of a previously visited site (referred link) – where the Website was accessed by a link on another website,
      • information on User’s browser (name, version),
      • information on the public IP network address,
      • diagnostic information related to the individual ordering process through website recorders to assess the correct placement of website components.
      • electronic mail related information, if User uses a mail service offered by the Provider.
6. Information on cookies.
   1. The website uses cookies.
   2. Cookies are IT data, especially text files that are stored on the User’s end device and are intended for use of the Website. Cookies usually contain the name of the web page from which they are derived, the duration of their storage on the end device, and a unique number.
   3. The Provider is the entity posting cookies on the User’s end device and having access to them.
   4. In the Website, two basic types of cookies are used: "session cookies" and "persistent cookies." “Session cookies” are temporary files that are stored on User’s end device until he/she logs out, leaves the web page, or closes the software (web browser). "Persistent cookies” are stored on end device for a period of time specified in the cookie parameters or until User deletes them.
   5. Cookies are used for the following purposes:

      Type and basis of processing	Purpose and detailed description
      Functional cookies - always active (legitimate interest of the Controller)	These are cookies necessary for the website to function. The website will not function properly unless the User shall accept such cookies. For example, a cookie that saves User’s consent or objection is needed to know if the User has agreed to certain actions on the website. These cookies will also allow to log to the Customer’s Panel, to add a product to a shopping cart or to place an order, as they ensure that User’s session is maintained so that the User would not have to re-enter his/her login and password on each subpage.
      Analytical and performance cookies (User’s consent)	Enable collection of information about how the website is used. These files will allow us to count visits and traffic sources on our website, so we can measure and improve its performance and learn which pages are the most popular and the least popular, and understand how visitors navigate on our website. Cookies help us analyze the performance of the website and collect synthetic information. For example, we can make heat maps, so we know which content is readable and not, which allows us to design the website better. Cookies also show which blog posts were read more often and which were read less frequently, which helps us to develop more interesting content.
      Social cookies (User’s consent)	Social media cookies allow us to associate a User with his/her social media accounts. The User can share content from our website. Social media files (from third parties, such as Facebook) collect information to provide personalized advertising. For example, social media ads provided to User are better suited to him/her and reduce the chance to run ads for services or products the User have already purchased.
      Marketing cookies (User’s consent)	These are files related to the operation of marketing automation systems and the settlements of advertising. This means that we can reduce the number of times an ad is displayed. Cookies also allow us to run benchmarking tests to continuously improve our website's performance. By testing multiple page layouts, we can find it easier to achieve the best readability for the User. Communication is also becoming more personalized. For example, we can inform a User on an article about how to find a domain name when we see that he/she is looking for a domain and it is difficult for him/her to find a matching name. We can also, if we see several failed attempts in a row, display a hint concerning logging in. Based on information from cookies and from other activities, User’s interest profile is built. We also use this type of cookies to keep information about service commands for a command program.

   6. Web browsing software (Web browser) usually allows cookies to be stored on User’s end device by default. Users of our Website can change the settings in this area. Web browser enables deleting of cookies. Automated cookies blocking is also enabled. Detailed information is available on help page or in documentation of web browser.
   7. Restrictions on the use of cookies may affect some of the features available on the Service websites.
   8. Cookies placed with User’s consent on an end device may also be used by third parties cooperating with Provider; this relates in particular to companies such as:
      • Google Ireland Limited, for Google Ads and Google Analytics services, and
      • Meta Platforms Ireland Limited for Facebook and Instagram services.
   9. The Provider uses Google Analytics to analyze traffic on the website.
   10. The Provider uses remarketing, namely the activities that allow the ad networks to display the User advertising messages that match his/her behavior on the website. The technical condition of such actions is that cookies are supported.
   11. In regard to information on User’s preferences collected by Google, Facebook, and Instagram advertising networks, User can view and edit information resulting from cookies, using the tools that are available at:

       https://www.google.com/ads/preferences/

       https://www.facebook.com/help/109378269482053

       https://help.instagram.com/478880589321969

   12. The way Google, Facebook, and Instagram use personal data is to be found in the Privacy policies and Terms of use:

       https://policies.google.com/technologies/partner-sites?hl=pl

       https://www.facebook.com/help/336858938174917

       https://help.instagram.com/1896641480634370

7. Cookie management - how can a consent be given and withdrawn in practice?
   1. If a User does not want to receive cookies, he/she can change browser settings or disable cookies by clicking on the "Cookies Settings" link in the footer of the web page. Please note that disabling the use of cookies required for authentication, security, maintaining preferences of a User may make it difficult and, in extreme cases, may prevent the use of Provider's websites.
   2. To manage cookies, select the Web browser you are using from the list below and follow the instructions:
      • Microsoft Edge
      • Microsoft Internet Explorer
      • Google Chrome
      • Mozilla Firefox
      • Safari (macOS)
      • Opera
      • Brave
   3. Mobile devices:
      • Google Chrome (Android)
      • Google Chrome (iOS iPhone)
      • Mozilla Firefox Mobile (Android)
      • Apple Safari (iOS iPhone)
      • Samsung Internet (Mobile)
      • Brave Mobile (Android)
      • Windows Phone 7
8. Changes to Privacy Policy
   1. The Provider reserves the right to make changes to the Privacy Policy if it is required by law or by changes made to the Provider's websites, as well required to improve the functioning of the Provider's website.
   2. The date specified below is the last version of the Privacy Policy.

      Date of recent changes: 7 June 2022