Privacy policy of the PR1V WWW.PR1V.PL website and application

PR1V sp. z o.o., registered by the District Court for m.st. Warsaw in Warsaw, XII Commercial Division of the National Court Register, KRS number: 0001053226, registered office address at 11A Lelewela Street, 05-410 Józefów (hereinafter referred to as the “Company”), protects the personal data and privacy of its customers and users of the website www.pr1v.pl (hereinafter referred to as the “Website”) and the PR1V App (hereinafter referred to as the “Application”). First of all, we comply with the regulations on the protection of personal data, and we also protect your data from the point of view of IT security. You provide us with your data voluntarily and we give you the opportunity to change and update your personal data at any time, and we also provide you with advice and explanations.

The Company does not transfer user data to unauthorized entities. Personal data is stored on servers and in properly secured places, to which only authorized persons have access.

The Company’s employees participate in training in the field of personal data protection and IT system management, and the company has in place appropriate internal documents regulating the process of personal data protection.

This page is intended to help you understand how we process and protect your personal data.

We act in accordance with the law

The Company cares about the security of personal data, in particular it protects it against unauthorized access. In addition, the Company ensures the exercise of rights resulting from:

¾ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”),

¾ the Act of 18 July 2002 on the provision of electronic services (Journal of Laws No. 144, item 1204, as amended),

¾ the Act of 10 May 2018 on the protection of personal data (Journal of Laws No. 2018, item 1000);

¾ of the Act of 12 July 2024 on Electronic Communications Law (Journal of Laws, item 1221), hereinafter referred to as PKE.

Table of contents:

1. Who is responsible for your personal data?

2. How to contact the Administrator?

3. On what basis and for what purpose do we process your personal data?

4. What is the scope of personal data processing?

5. What rights do you have regarding your personal data?

6. Who do we share your data with?

7. Transfer of personal data to third countries.

8. How long do we keep your personal data?

9. Automated decision-making.

10. Changes to the Privacy Policy.

1. Who is responsible for your personal data?

The administrator of your personal data is PR1V sp. z o.o. with its registered office in Józefów (05 – 410), 11A Lelewela Street, entered into the register of entrepreneurs kept by the District Court for the capital city of Warsaw, XIV Commercial Division of the National Court Register under KRS number: 0001053226 NIP: 7011160610, REGON: 526141791.

2. How to contact the Administrator?

In matters related to the processing of your personal data by the Administrator, please contact us as follows:

1. by traditional mail to the address of the Company’s registered office, i.e. 11A Lelewela Street, 05 – 410 Józefów. 2. via a dedicated email address: iodo@pr1v.pl

3. What is the scope of personal data processing?

The Company processes the following personal data of users of the www.pr1v.pl website https://www.pr1v.pl/ or application users: name and surname, telephone number, e-mail address.

Providing the above data is voluntary. This means that there is no legal obligation to provide them. However, refusal to provide them may result in restriction of access to certain functionalities, including the possibility of maintaining a user account or placing orders for telecommunications services.

In the event of an intention to conclude a contract for the provision of telecommunications services, the Company processes the following personal data of the subscriber (a person who is a party to the contract for the provision of telecommunications services or applying for the conclusion of such an agreement):

a. If the subscriber is a natural person – name(s) and surname, PESEL number (if available) or name, series and number of the document confirming identity. In the case of foreigners who are not citizens of a member state or the Swiss Confederation – the passport or residence card number is also processed. The above also applies to persons who represent a subscriber who is not a natural person (e.g. representatives of commercial law companies).

b. If the subscriber is not a natural person – the name, REGON or NIP identification number or KRS number or information about the entry in CEIDG or other relevant register.

Providing the above data is obligatory, as the obligation to verify them before the commencement of the provision of services results from Article 296 sections 1 – 3 of the PKE. Refusal to provide them will result in a refusal to start providing telecommunications services.

In the case of subscribers who want to conclude a contract with number portability, it is also mandatory to provide a current phone number. Failure to provide the above data will result in the inability to proceed with the application for number portability.

After concluding the contract for the provision of telecommunications services, the following data related to the use of the service will also be processed:

1) Retention data, i.e. data generated in the telecommunications network in connection with the subscriber’s activity – in accordance with Article 47(1) of the PKE;

2) Data on telecommunications services provided to the subscriber to the extent enabling the determination of receivables for the provision of these services and consideration of complaints – in accordance with Article 394 of the PKE;

3) Transmission data for the purposes of service settlement and interconnection settlements – in accordance with Article 391 of the PKE;

4) Device location data for the purpose of transmitting information to emergency call systems when using emergency numbers – in accordance with Article 337 of the PKE.

In the case of giving the appropriate consent, the subscriber’s identification data (number, name and surname, name of the city and street of residence) are also transferred to the list of subscribers or the number office in accordance with Articles 395-396 of the PKE.

The Company each time processes personal data to the extent adequate to the given purpose of personal data processing, i.e. among others provision of telecommunications services, fulfillment of the legal obligation incumbent on the Company as the controller, marketing purposes, profiling, responding to questions, demands, complaints and others. Each time, the content of the consent granted to the processing of personal data will specify in detail the purpose of the processing and, consequently, the scope of data processing.

4. On what basis and for what purpose do we process your personal data?

The Company processes personal data, m.in. in order to ensure the proper provision of services through the Website and application and other services provided by the Company, in order to comply with legal obligations related to the provision of telecommunications services. In the case of consents granted, the data may also be processed to a wider extent.

The legal bases for the processing of personal data are as follows:

1) Data of application or website users – processed in order to perform or conclude a contract at the request of the data subject (Article 6(1)(b) of the GDPR);

2) Subscriber data in the scope indicated in point 3 above (except for data transferred to subscriber directories or number offices) – are processed for the purpose of concluding and performing the contract (Article 6(1)(b) of the GDPR) and for the performance of legal obligations incumbent on the Company (Article 6(1)(c) of the GDPR in connection with Article 47(1), Article 296(1)-(3), Article 337, Article 391, Article 394 of the PKE);

3) Subscriber data in the scope of data transferred to subscriber directories or number agencies – are processed on the basis of consent obtained pursuant to Articles 395-396 of the PKE.

5. What rights do you have regarding your personal data?

Under the GDPR, you have a number of rights in relation to your personal data. The following is a general description of your rights:

a) the right to access personal data – you can exercise the right to access your data at any time.

b) the right to rectify and supplement personal data – you have the right to request the Administrator to immediately rectify your inaccurate personal data, as well as to request that incomplete personal data be completed.

c) the right to delete personal data – you have the right to request the Administrator to immediately delete your personal data in each of the following cases:

¾ when the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,

¾ where the data subject has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;

¾ when you object to the processing of data referred to in point e) below and there are no overriding legitimate grounds for the processing of this data;

¾ where personal data is unlawfully processed;

¾ when the personal data must be erased in order to comply with a legal obligation provided for in the law of the European Union or the Polish law;

¾ where the personal data has been collected in connection with the provision of information society services.

¾ However, the Administrator will not be able to delete your personal data to the extent that their processing is necessary for:

o the exercise of the right to freedom of expression and information;

o comply with a legal obligation requiring processing under European Union or Polish law;

o establishing, pursuing or defending claims.

d) the right to restrict the processing of personal data – you have the right to request the Administrator to restrict the processing of data in cases where:

¾ you question the accuracy of the personal data – for a period allowing the Administrator to verify the accuracy of this data;

¾ the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

¾ The Controller no longer needs the personal data for the purposes of the processing, but you need them to establish, pursue or defend claims;

¾ you have objected to the processing referred to in point e) below – until it is determined whether the legitimate grounds on the part of the Controller override your grounds for objection.

e) the right to object – you have the right to object to the processing of your personal data if the Administrator processes this data in a legitimate interest, i.e. data processing for the purpose of direct marketing. The Data Controller may not consider your objection if it fails to demonstrate the existence of compelling legitimate grounds for the processing which override your interests, rights and freedoms, or grounds for the establishment, exercise or defence of claims;

f) the right to withdraw consent – to the extent that the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;

g) the right to transfer data – to the extent that your data is processed for the purpose of concluding and performing a contract or processed on the basis of consent and the data processing is carried out in an automated manner – you have the right to receive from the Administrator in a structured, commonly used and machine-readable format your personal data, which you have provided before or

during cooperation with the Company. You also have the right to transmit this personal data to another controller.

h) the right to lodge a complaint against the processing of personal data by the Administrator to the supervisory authority, which in Poland is the President of the Office for Personal Data Protection.

The rights referred to in points a) – g) above can be exercised by contacting us:

1. by traditional mail to the address of the Company’s registered office, i.e. 11A Lelewela Street, 05 – 410 Józefów. 2. via a dedicated email address: iodo@pr1v.pl

6. Who do we share your personal data with?

We may share your personal data with the following recipients or categories of data recipients:

1. service providers who perform services on our behalf or on our behalf. We require compliance with applicable data protection laws in our contracts with such service providers;

2. if such an obligation arises from mandatory provisions of law, to the necessary extent also to other third parties, in particular authorized state authorities.

7. Transfer of personal data to third countries.

The Company does not transfer personal data to third countries

8. How long do we keep your personal data?

The Company makes every effort to ensure that your personal data is processed in an adequate manner and for as long as it is necessary for the purposes for which it was collected. With this in mind, the Company stores your personal data for no longer than necessary to achieve the purposes for which the data was collected or, if necessary, to comply with applicable law, in particular the period of performance of the contract and the period of limitation of claims.

9. Automated decision-making.

The Company does not perform automated decision-making, including profiling, based on the personal data provided.

10. Changes to the Privacy Policy

This Privacy Policy may be amended in particular if the need or obligation to make such changes results from changes in relevant legal provisions, including changes in data recipients. Data subjects who are

processed in accordance with this Privacy Policy will be notified of changes to this Privacy Policy with reasonable notice.

LOGIN AND PASSWORD

The Company uses technical and organizational measures aimed at the best possible protection of the collected personal data against unauthorized access or improper use by unauthorized persons.

METHODS OF PERSONAL DATA PROTECTION

The Company carefully selects and applies technical and organizational measures to ensure the protection of personal data against unlawful processing. These include internal controls on the data collected, storage and processing procedures, and physical security measures designed to protect against unauthorized access to the systems on which we store personal information. The Company maintains documentation describing the manner of processing personal data and technical and organizational measures to ensure the protection of the processed personal data, appropriate to the risks and categories of data to be protected.

COOKIES

Cookies are text information sent by the server and saved on your computer or mobile device – hereinafter referred to as the “End Device” used to visit the Website. This technology allows selected information about the Website to be left in the web browser of your End Device. If you do not want to receive cookies from the Website or any other website, you can change the settings of your web browser so that you are always informed about a cookie and have the ability to decide whether to accept or reject it. Web browsers allow you to block cookies. To change your browser settings and block cookies, you can follow the instructions provided by the manufacturer of the browser installed on your End Device.

We would like to inform you that deleting, blocking, restricting the receipt of cookies may cause disruptions in the use of the Website, and in extreme cases even completely prevent the use of some of its functionalities.

At the same time, we would like to inform you that you can change your preferences regarding cookies at any time, and that you can delete the files stored on your End Device at any time.

Notwithstanding the above, during the time of your presence on the Website. The Company also processes the so-called operational data referred to in Article 18(5) of the Act of 18 July 2002 on the provision of electronic services. This data allows us to know how our website is used by each visitor to the Website. Operating data is processed only for statistical purposes.