Privacy Policy

  1. DEFINITIONS
    1. Controller – Oxla sp. z o.o., with its registered office in Warsaw (02-703) at ul. Bukowińska 2/189, entered in the Register of Business Entities maintained by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of the National Court Register, under KRS No. 0000851382, REGON: 386608946, NIP: 5213902284, with a share capital in the amount of PLN 202,000.00.
    2. Personal Data – means any information relating to an identified or identifiable natural person who can be identified by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including by way of an IP address of a device, location data, an online identifier and information collected through cookie files or other similar technology.
    3. Policy – this privacy policy.
    4. GDPR – the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
    5. Service – the online service operated by the Controller at www.oxla.com
    6. User – each natural person using the Service or using the Controller’s services as presented in the Rules.
    7. Product – the software that is a database with an analytical function, as described in detail in the Rules and in the documentation available at the following address: https://docs.oxla.com/, that is available for download through the Service in the manner and on the terms as provided in the Rules.
    8. Rules – the rules of the Service, available at "Terms of Use".
  2. THE PROCESSING OF DATA IN CONNECTION WITH THE USE OF THE SERVICE
    1. In connection with the use of the Service by the User, the Controller collects data to the extent required to render the specific services that it offers, as well as information about the User’s activity while using the Service. The detailed rules and the objectives of processing Personal Data gathered during the use of the Service by the User have been presented below. 
  3. THE OBJECTIVES AND LEGAL GROUNDS FOR THE PROCESSING OF DATA IN CONNECTION WITH THE USE OF THE SERVICE
    1. THE USE OF THE SERVICE
      1. The Personal Data of all the persons using the Service (using the IP address or other identifiers and information gathered via cookie files and other similar technologies) is processed by the Controller:
        1. to render services electronically within the scope of providing Users with the content gathered in the Service – the legal basis for such data processing is the necessity to conduct processing for the purposes of performing a contract (Article 6(1)(b) of the GDPR);
        2. for analytical and statistical purposes – the legal basis for such data processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), such as conducting analyses of Users’ activity and their preferences to improve the applied functionalities and services rendered; and
        3. for the Controller’s marketing purposes – the rules of processing Personal Data have been presented in the MARKETING section.
      2. The activity of a User in the Service, including his or her Personal Data, is registered in the system logs (a special computer program used to store a chronological record with information about events and actions that relate to the IT system used by the Controller to render services). The information collected in the logs is processed primarily for purposes related to the rendering of services. The Controller also processes it for technical or administrative purposes, to ensure that the IT system is secure and to manage such system, but also for analytical and statistical purposes – in this respect, the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR).
    2. DOWNLOADING PRODUCTS AND CONCLUDING CONTRACTS ON PRODUCT USE
      1. In the case of natural persons operating as a sole proprietorship (jednoosobowa działalność gospodarcza), downloading, installing and using the Product necessitates providing Personal Data required to conclude a contract on the use of the Product. Personal Data must be provided to allow for the conclusion of a contract concerning the use of the Product, and a failure to provide such data would result in an inability to conclude a Product use contract, which would prevent any downloading, installation and use of the Product. 
      2. The Personal Data obtained in connection with the conclusion of a contract on the use of the Product is processed by the Controller:
        1. to conclude and perform a contract on the use of the Product, including specifically to allow the downloading, installation and use of the Product – the legal basis for the processing is the need to process Personal Data for the purposes of performing a contract (Article 6(1)(b) of the GDPR); and
        2. for analytical and statistical purposes – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), such as the analysis of Users’ activity and their preferences to improve the applied functionalities and services rendered. 
    3. CORRESPONDENCE BY EMAIL OR VIA TRADITIONAL ROUTES 
      1. In case of any correspondence not related to services rendered to the sender or any other contract concluded therewith which is sent to the Controller via email or via traditional routes, the Personal Data in such correspondence is processed exclusively for communication purposes and the resolution of the issue to which the correspondence relates. 
      2. The legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) comprising responding to correspondence addressed thereto in connection with its business activity. 
      3. The Controller processes exclusively the Personal Data that is material to the specific issue to which relevant correspondence relates. All correspondence is kept in a manner ensuring the security of the Personal Data (and other information) included therein and is disclosed to authorised persons only.
    4. RECRUITMENT
      1. Within the scope of recruitment processes, the Controller expects that Personal Data (e.g. in a CV or a curriculum vitae) will be transferred exclusively to the extent determined by the labour law. Therefore, no information of a broader scope shall be transferred. If any submitted applications contain additional data that exceed the scope required under the labour law, the processing of such data will be based on the applicant’s consent (Article 6(1)(a) of the GDPR), which was granted based on an unequivocal confirmatory action such as the despatch of application documents by a candidate. If the despatched applications contain any information inadequate for the purpose of recruitment, such information will not be used or taken into consideration in the recruitment process.  
      2. Personal Data is processed:
        1. if the preferred form of employment is a contract of employment – for the purposes of performance of the duties resulting from the law connected with the employment process, including primarily the Labour Code – the legal basis for the processing is the legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR in conjunction with the relevant labour law regulations);
        2. if the preferred form of employment is a civil law contract – for the purposes of the recruitment process – the legal basis for the processing of data included in the application documents is the taking of action prior to the conclusion of a contract at the request of the data subject (Article 6(1)(b) of the GDPR);
        3. for the purposes of a recruitment process and in respect of data that is not required by law or by the Controller and for the purposes of future recruitment processes – the legal basis for the processing is the consent therefor (Article 6(1)(a) of the GDPR); and
        4. for the purposes of the verification of the qualifications and skills of a candidate and the determination of the terms of cooperation – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR). The Controller’s legitimate interest is the verification of candidates for work and the determination of the terms of cooperation therewith, if any.
      3. To the extent that Personal Data is processed based on consent, such consent may be withdrawn at any time without any impact on the lawful processing of data prior to the withdrawal of such consent. If consent is granted for the purposes of any future recruitment processes, the Personal Data shall be deleted no later than after two years, provided that the consent is not withdrawn earlier. 
      4. Providing data within the scope specified in Article 22(1) of the Labour Code is required – if the candidate prefers to be employed based on a contract of employment – by the law, including specifically by the Labour Code, and in the case of a preference for employment based on a civil law contract – by the Controller. Failure to provide such data results in the inability to take the given candidate into consideration in the recruitment process. Providing other data is voluntary.
    5. PROCESSING OF THE PERSONAL DATA OF THE REPRESENTATIVES OF THE CONTROLLER’S CLIENTS
      1. In connection with the conclusion of contracts for the use of the Products, the Controller obtains from clients the data of the persons involved in the conclusion and performance of such contracts (e.g. contact persons, persons representing a given entity, attorneys-in-fact). The scope of the provided data is in each case limited to that required to conclude and perform a given contract and usually does not include any information other than the name and surname and the business contact data (in the case of contact persons), or the name, surname, position, data included in public registers or in a power of attorney (in the case of persons representing other entities and attorneys-in-fact). 
      2. Such Personal Data is processed to enforce the legitimate interests of the Controller and its contractor/client (Article 6(1)(f) of the GDPR) in connection with the conclusion of a given contract and the proper and efficient performance thereof. Such data may be disclosed to third parties involved in the performance of the agreement.
      3. The data is processed for the period required to achieve the above-mentioned interests and to perform the relevant obligations prescribed by law. 
  4. MARKETING
    1. The Controller processes the Personal Data of Users for marketing purposes, which processing may comprise various types of analytical and statistical actions and any efforts related to the direct marketing of services (delivery of commercial information via email). 
    2. For the purposes of the marketing activities, the Controller, in certain circumstances, uses profiling. This means that in order to allow the automatic processing of data, the Controller assesses certain select factors concerning Users for the purposes of analysing their behaviour or presenting a forecast. This allows the content addressed to the User to be better matched to such User’s individual preferences and interests.
    3. DIRECT MARKETING
      1. A User’s Personal Data may also be used by the Controller to send marketing content to such User via email. Such actions are taken by the Controller exclusively if the User has consented thereto, and such consent may be withdrawn at any time. 
      2. Personal data is processed:
        1. to deliver any commercial information that was ordered – the legal basis for the processing, including with the use of profiling, is the legitimate interest of the Controller (Article 6(1)(f) of GDPR in conjunction with any relevant laws concerning electronic communication) promoting the goods or services of the Controller in connection with the consent given for the given channel of communication; and
        2. for analytical and statistical purposes – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of GDPR) of conducting analyses of Users’ activity in the Service to improve the applied functionalities.
  5. SOCIAL MEDIA
    1. The Controller processes Personal Data of Users who visit the Controller’s profiles on any social media (Twitter, LinkedIn, Discord). Such data is processed exclusively in connection with the profile, including to inform Users of the activities of the Controller and to promote various types of events, services and products. The legal basis for the processing of Personal Data by the Controller for that purpose is its legitimate interest (Article 6(1)(f) of GDPR) of promoting its own brand.

      CAUTION: The above information does not apply to the processing of personal data by service administrators (Twitter, LinkedIn, Discord).
  6. PERIOD OF PROCESSING PERSONAL DATA
    1. The period of processing data by the Controller depends on the type of services rendered and the purpose of the processing. In principle, the data is processed throughout the time that the services are rendered, until the consent is withdrawn or until an objection against the processing of data is successfully lodged in circumstances in which the legal basis for the processing of data is a legitimate interest of the Controller. 
    2. The period of processing of data may be extended if the processing is required to determine and to enforce claims, if any, or to defend any claims, and after that time only if and to the extent that it is required by law. After the period of processing, the data is irrevocably deleted or anonymised. 
  7. USER’S RIGHTS
    1. A User has the right to access the data thereof and to demand the correction of data, the deletion of data, the restriction of processing of data, the right to transfer data and the right to object against the processing of data, as well as the right to lodge a complaint with a supervisory authority responsible for the protection of Personal Data. 
    2. To the extent that User’s data is processed based on consent, such consent may be withdrawn at any time by contacting the Controller by email at: [email protected] or by traditional post at the following address: Warsaw (02-703) at ul. Bukowińska 2/189. 
    3. A User has the right to object against the processing of data for marketing purposes if the processing is done in connection with the legitimate interest of the Controller and – for reasons related to any special circumstances applicable to the User – in other cases when the legal basis for the processing is the legitimate interest of the Controller (e.g. in connection with achieving any analytical and statistical objectives).
  8. RECIPIENTS OF DATA
    1. In connection with the performance of services, Personal Data will be disclosed to external entities, including specifically to suppliers responsible for servicing IT systems and marketing agencies (within the scope of marketing services). 
    2. The Controller reserves the right to disclose select information concerning a User to relevant authorities or third parties who request the disclosure of such information based on a legitimate legal basis and in accordance with applicable law. 
  9. TRANSFER OF DATA OUTSIDE THE EEA
    1. The level of the protection of Personal Data outside the European Economic Area (EEA) differs from that secured by EU law. For that reason, the Controller transfers Personal Data outside the EEA exclusively when it is necessary and ensures an appropriate level of protection, primarily by:
      1. cooperating with entities processing Personal Data in the countries with respect to which the European Commission has issued a relevant decision concerning confirmation of offering an adequate level of protection of Personal Data; 
      2. applying standard contractual clauses issued by the European Commission; and
      3. applying binding corporate rules approved by the relevant supervisory authority. 
    2. The Controller informs Users of the intention to transfer Personal Data outside of the EEA always at the stage of the collection of such data. 
  10. SECURITY OF PERSONAL DATA
    1. The Controller analyses risks on an ongoing basis to ensure that it processes Personal Data in a secure manner – primarily ensuring that only authorised persons have access to such data and only to the extent that is required in view of the duties of such persons. The Controller ensures that all of the operations involving Personal Data are registered and performed exclusively by authorised employees and associates (współpracownicy).
    2. The Controller takes all of the actions that are necessary to ensure that its subcontractors and other cooperating entities also guarantee the application of relevant means of security in each case when they process Personal Data based on instructions issued by the Controller.  
  11. CONTACT DATA
    1. The Controller may be contacted by email at: [email protected] or at its address for service: Pl. Europejski 1/40p | 00-844 Warsaw.
  12. CHANGE OF THE PRIVACY POLICY
    1. The Policy is verified on an ongoing basis and updated if required.
    2. The current version of the Policy has been adopted and has been in force since the 20th of July 2023.