This is a machine translation provided for your convenience. Only the original Polish version is legally binding. In the event of any discrepancy, the Polish text prevails: Polish original.
§1. Data controller
The controller of personal data is RADES PATRYK IMIOŁA, NIP: 8351621849, address: Pukinin 64, 96-200 Rawa Mazowiecka, email: info@pixdeliver.com.§2. Scope of data processed
The data processed includes:- first and last name,
- email address,
- in the case of registration via a Google account (OAuth 2.0): the Google identifier and profile photo (if shared),
- in the case of using passkey login: the passkey’s authentication data (the identifier and the public key associated with the User’s device); the biometric data used to confirm identity remains solely on the User’s device and is not transmitted to the Controller,
- technical data related to the use of the Service (IP address, browser type, device type, operating system).
§3. Purposes and legal bases of processing
The data is processed for the following purposes and on the following legal bases:- provision of the Service (creating and operating an Account and galleries) – on the basis of Article 6(1)(b) of the GDPR (performance of a contract),
- provision of the optional feature for generating gallery descriptions using artificial intelligence (based on the gallery name and optional brief entered by the User) – on the basis of Article 6(1)(b) of the GDPR (performance of a contract),
- handling payments – on the basis of Article 6(1)(b) of the GDPR (performance of a contract),
- contacting the User in matters related to the Service – on the basis of Article 6(1)(f) of the GDPR (the legitimate interest of the Controller),
- fulfilling legal obligations, including tax and accounting obligations – on the basis of Article 6(1)(c) of the GDPR (legal obligation).
§4. Processors (subprocessors)
The data may be transferred to the following entities:- Stripe – payment handling,
- Cloudflare R2 – data storage,
- Cloudflare for SaaS – handling of Users’ custom domains,
- Hetzner – server infrastructure,
- Laravel Nightwatch – application monitoring and error reporting,
- Laravel Forge and Laravel Cloud – server management,
- Google (Google Gemini) – generating proposed gallery descriptions using AI; only the text data entered by the User (the gallery name and the optional brief) is processed, on the basis of Google’s data processing (processor) terms. The data is not used to train AI models.
- a European Commission decision establishing an adequate level of protection (including the EU-US Data Privacy Framework), or
- standard contractual clauses (SCC) approved by the European Commission.
§5. Data of gallery recipients (the User’s clients)
- By using the Application, the User (photographer) makes galleries available to their clients and to other persons visiting the galleries (hereinafter: “gallery recipients”). Gallery recipients may provide their personal data, in particular a first name or name, an email address, and the content of a message, when submitting a selection of photos or a request to purchase photos.
- With respect to the personal data of gallery recipients, the controller is the User, who decides on the purposes and means of its processing. The Service Provider processes this data solely on behalf of and for the User, as a processor, to the extent necessary to provide the Service (in particular, to pass selections and purchase requests on to the User) – on the basis of the entrustment of processing resulting from the Terms of Service.
- The Service Provider does not use the data of gallery recipients for its own purposes. The exercise of the rights to which gallery recipients are entitled under the GDPR is ensured by the User as the controller; the Service Provider supports the User in fulfilling these obligations to the extent resulting from the provisions of law.
- The above does not apply to technical data (e.g. IP address, device data) processed by the Service Provider in order to ensure the security and proper functioning of the Application, for which the Service Provider remains the controller.
§6. Data location
The data is stored on servers located in the European Union. To the extent that the processors listed in §4 may process data outside the EEA, the appropriate safeguards described in §4 are applied.§7. Data retention period
- Personal data related to the Account is stored for the duration of the contract (the activity of the Account).
- After the Account is deleted, personal data is deleted without delay, with the exception of data whose storage is required by the provisions of law (e.g. data related to tax settlements is stored for the period required by the provisions of the Tax Ordinance and the Accounting Act).
- Technical data (logs) is stored for a period not exceeding 90 days.
§8. Cookies
The Service uses only technical cookies, necessary for the proper functioning of the application. No marketing or analytics cookies are used.§9. User’s rights
The User has the right to:- access the data (Article 15 of the GDPR),
- rectify it (Article 16 of the GDPR),
- erase the data (Article 17 of the GDPR),
- restrict the processing (Article 18 of the GDPR),
- data portability (Article 20 of the GDPR),
- object to processing based on the legitimate interest of the Controller (Article 21 of the GDPR),
- withdraw consent at any time, if the processing is based on consent – without affecting the lawfulness of the processing carried out before the withdrawal of consent (Article 7(3) of the GDPR),
- lodge a complaint with the President of the Personal Data Protection Office (UODO).