Privacy policy
This section contains information regarding the GDPR and a policy regarding privacy and cookies in the StethoMe.com shop and on the website.
This document establishes the conditions for processing of personal data (hereinafter also referred to as “data”) and cookies on the StethoMe.com and shop.StethoMe.com online services, operated through the website available under the URL address: StethoMe.com and shop.StethoMe.com, hereinafter referred to as the “Online Service”.
§1. HOW TO CONTACT THE DATA CONTROLLER
Your personal data processed within the Online Services is controlled by StethoMe Sp. z o.o. with its registered office in Poznań (61-663), at ul. Winogrady 18a, entered in the Register of Entrepreneurs of the National Court Register under KRS No: 0000558650, Tax ID No (NIP): 7831726542 and Statistical ID No (REGON): 361535342.
You can contact the Data Controller by using the e-mail address: rodo@stethome.com.
§2. BASIS FOR PROCESSING OF YOUR DATA
When collecting personal data, we always inform you of the legal basis for its processing. The basis stems from the provisions of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - General Data Protection Regulation). When we refer to:
- Article 6(1)(a) of the GDPR – it means that we process personal data on the basis of consent,
- Article 6(1)(b) of the GDPR – it means that we process personal data because this is necessary for the performance of an agreement or in order to take steps prior to entering into the agreement, at a request,
- Article 6(1)(c) of the GDPR – it means that we process personal data in order to comply with a legal obligation,
- Article 6(1)(f) of the GDPR – it means that we process personal data in order to pursue legitimate interests.
§3. INFORMATION ON THE PROCESSING OF DATA FOR THE PURPOSE OF CONCLUDING AND PERFORMING AGREEMENTS OR FOR THE EXERCISE OR DEFENCE OF CLAIMS (IF ANY)
- We may process personal data required for the performance of an agreement concluded with you. However, even before concluding it, we may process personal data required for taking steps at your request. This data is processed under Article 6(1)(b) of the GDPR.
- In the event of performance of an agreement on the provision of paid services, we may process your data for the purposes of meeting the accounting and tax obligations. This data is processed under Article 6(1)(c) of the GDPR.
- During the performance of an agreement and after its completion, we process personal data of a party thereto for the purposes of examination and exercise of claims (if any). Our legitimate interest includes e.g. the possibility of responding to a complaint, which is our obligation resulting from separate provisions of civil law. In such a case we will process personal data on the basis of a legitimate interest consisting in the defence or exercise of claims (if any). This data is processed under Article 6(1)(f) of the GDPR.
- We will store this data for a period required to fulfil the indicated objectives, however, not longer than until claims resulting from separate provisions of law become time-barred.
- You have the right of access to your data, the right to its rectification, erasure and restriction of its processing, the right to data portability, as well as the right to lodge a complaint with a supervisory authority. Where data is processed for the purpose specified in item 3, you also have the right to object to its processing.
- The provision of data is voluntary, however, failure to provide the data will render the conclusion and performance of the agreement impossible.
- The data is received by: our hosting provider, e-mail service provider, IT service provider, transport service provider, advertising service provider, provider of accounting services and invoicing software, banking service and electronic payment service provider, the provider of legal, counselling and debt collection services, as well as other service providers used by us in the fulfillment of a specific purpose.
§4. INFORMATION ON THE PROCESSING OF DATA FOR THE PURPOSE OF SENDING A NEWSLETTER
- We give you an option to subscribe to the list of recipients of our newsletter. If you have used this function, we process your personal data for the purposes of sending you the newsletter. The newsletter may contain advertising, commercial, or marketing content.
- This data is processed on the basis of your consent, i.e. under Article 6(1)(a) of the GDPR.
- You have the right to withdraw the consent at any time. The withdrawal of consent does not affect the lawfulness of previous processing of data.
- We will store your data until you withdraw the consent. If you never withdraw the consent, we will process your data until we stop sending the newsletter.
- You have the right of access to your data, the right to its rectification, erasure and restriction of its processing, the right to data portability, as well as the right to lodge a complaint with a supervisory authority.
- The provision of data is voluntary, however, failure to provide the data will make it impossible for us to send the newsletter.
- The data is received by: our hosting provider, IT service provider, e-mail service provider and the newsletter distribution service provider.
§5. INFORMATION ON THE PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF SENDING A SATISFACTION SURVEY TO A CUSTOMER
- We may process your personal data in the form of an e-mail address for the purpose of sending you a satisfaction survey, which will let us know your opinion on our products and services. You may consent to the sending of the survey while making an order in our on-line shop.
- Consent to the sending of the survey is voluntary (Article 6(1)(a) of the GDPR). You decide whether you wish to be sent the survey and about the period of processing of your data. Remember that you can withdraw your consent. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- You have the right of access to your data, the right to its rectification, erasure and restriction of its processing, the right to data portability, the right to object to the data processing and the right to lodge a complaint with a supervisory authority.
- The data can be received by: our hosting provider, IT service provider, marketing service provider, the provider of marketing automation services, e-mail service provider.
§6. INFORMATION ON THE PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF PUBLICATION OF COMMENTS ON THE WEBSITE AND IN SOCIAL MEDIA
- We may process your and your friends’ personal data such as full name and image for the purpose of publication of comments about our product on our website and in our social media. This happens when we contact you to obtain your consent to such publication and you grant the consent.
- Since the personal data is processed on the basis of consent (Article 6(1)(a) of the GDPR), the granting of consent is purely voluntary. You decide what data you wish to make available to us and for how long, therefore, we will process the data until you withdraw the consent.
- Remember that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- You have the right of access to your data, the right to its rectification, erasure and restriction of its processing, the right to data portability, the right to object to the data processing and the right to lodge a complaint with a supervisory authority.
- The data is received by: our hosting provider, IT service provider, e-mail service provider, advertising service provider, administrators of individual social media channels.
§7. INFORMATION ON THE PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF RECRUITMENT FOR RESEARCH STUDIES
- We may process your personal data such as full name, telephone number, e-mail address and age for the purpose of recruitment for research studies on the basis of your application and consent to be included in our database of potential candidates.
- By participating in our recruitment, you consent to the processing of your personal data provided in the application form. If we accept your candidacy, we will contact you for the purpose of further cooperation related to the research studies.
- You may withdraw the consent to the processing of personal data at any time, because it has been freely given (Article 6(1)(a) of the GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- You have the right of access to your data, the right to its rectification, erasure and restriction of its processing, the right to data portability, the right to object to the data processing and the right to lodge a complaint with a supervisory authority.
- The data may be received by: our hosting provider, IT service provider, physicians/medics/analysts/medical centres cooperating within the framework of the research studies, providers managing the research study process, providers of marketing automation services, e-mail service provider.
§8. INFORMATION ON THE PROCESSING OF PERSONAL DATA RELATED TO THE PARTICIPATION IN RESEARCH STUDIES
- We may process your personal data such as full name, telephone number, e-mail address, age and auscultation recordings for the purpose of conducting research studies. As part of the cooperation, we will also ask you to provide the address of residence to which we will send you a stethoscope. The processing of indicated data (of yours or of your child) is based on your application and consent to the participation in the research study.
- You may resign from the participation in the medical research at any time.
- The participation in the research studies is purely voluntary.
- While resigning from the participation in the research programme, you can also withdraw the consent to the processing of personal data. If you do not withdraw the consent, we will keep you informed about future research programmes. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- After you withdraw the consent to the processing of personal data, we will erase your (or your child’s) personal data such as full name, telephone number, e-mail address and age, whereas data from auscultation recordings will be anonymised in order to eliminate the possibility of associating an individual with a specific auscultation recording.
- You have the right of access to your data, the right to its rectification, erasure and restriction of its processing, the right to data portability, the right to object to the data processing and the right to lodge a complaint with a supervisory authority.
- The data may be received by: our hosting provider, IT service provider, physicians/medics/analysts/medical centres cooperating within the framework of the research studies, providers managing the research study process, providers of marketing automation services, e-mail service provider.
§9. INFORMATION ON THE PROCESSING OF PERSONAL DATA AS PART OF USING THE STETHOME SYSTEM
- We may process your personal data provided by you in the registration form (patient and physician) and data related to the user account in order to perform a service related to the StethoMe system (application).
- The personal data is processed for the purpose of performance of an agreement (Article 6(1)(b) of the GDPR) or fulfilment of a legitimate interest of the controller or a third party (Article 6(1)(f) of the GDPR) and on the basis of consent (Article 6(1)(a) of the GDPR).
- Personal data processed in order to perform an agreement will be processed for a period necessary for the provision of the service and for as long as necessary for the establishment, exercise or defence of claims, and until withdrawal of consent to the processing.
- You have the right of access to your data, the right to its rectification, erasure and restriction of its processing, the right to data portability, the right to object to the data processing and the right to lodge a complaint with a supervisory authority.
- The data may be received by: our hosting provider, IT service provider, physicians/medics/analysts/medical centres cooperating within the framework of monitoring of the quality of a solution, providers of marketing automation services, e-mail service provider.
- More information about the use of the StethoMe system can be found in the Rules.
§10. INFORMATION ON THE PROCESSING OF DATA FOR THE PURPOSE OF DIRECT MARKETING AND PROFILING
- We may process your personal data for the purposes of direct marketing. This happens, e.g. when we respond to your message and present details of our offer.
- For the purposes of direct marketing, we may use profiling, which consists in automated decision-making with regard to showing you advertisements. Such a decision is made on the basis of the actions you have taken in the Online Service, in particular on the basis of agreements concluded and websites browsed. In practice, profiling supports the usefulness of our Online Service by allowing us to present you with content that may be of interest to you.
- This data is processed under Article 6(1)(f) of the GDPR.
- We will store your data for the time necessary for the purpose of implementation.
- You have the right of access to your data, the right to its rectification, erasure and restriction of its processing, the right to data portability, the right to object to the data processing and the right to lodge a complaint with a supervisory authority.
- You have the right not to be subject to profiling, unless you have consented to it. However, in such a case the basis for processing of your data will be the consent (Article 6(1)(a) of the GDPR), which you can withdraw at any time. In such a case your data will be processed until you withdraw the consent.
- The provision of this data is voluntary, however, failure to provide the data will render the performance of direct marketing activities impossible.
- The data is received by: our hosting provider, IT service provider, e-mail service provider and advertising service provider.
§11. INFORMATION ON THE PROCESSING OF DATA FOR THE PURPOSES OF ENSURING SECURITY
- From the moment you launch our website, we process certain data for the purpose of ensuring security of the services, namely:
- public IP address of the device sending the enquiry,
- browser type and language,
- date and time of the enquiry,
- the number of bytes sent by the server,
- URL of the previously visited page, if you have visited the website by using the link,
- information on errors that occurred during the handling of the enquiry.
- Our legitimate interest in this processing is the keeping of server event logs and securing the Online Service against potential hacker attacks and other abuses. This includes the possibility of determining the IP address of a person performing an illegal activity in the Online Service, such as an attempt at breaching the security measures, publication of prohibited content or attempted illegal activities with the use of our servers.
- This data is processed under Article 6(1)(f) of the GDPR.
- We will store this data for a period required to fulfil the indicated objectives, however, not longer than until claims resulting from separate provisions of law become time-barred.
- You have the right of access to your data, the right to its rectification, erasure and restriction of its processing, the right to object to its processing and the right to lodge a complaint with a supervisory authority.
- The provision of this data is a condition for using the Online Service. Failure to provide the data will render the use of the Online Service impossible.
- The data is received by our hosting provider and IT service provider.
§12. INFORMATION ABOUT DATA RECIPIENTS
When processing personal data, we use external services. Consequently, your personal data may be received by third parties. When collecting personal data, we always inform you about those recipients; however, since the intelligibility of the message is our top priority, we only mention them briefly. That is why we hereby explain that whenever we inform you about individual categories of recipients, we have the following entities in mind:
- IT service provider: eCommerceConnections Sp. z o.o., ul. Topolowa 2a, 62-090 Bytkowo; Shopify International Ltd., 2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland; LINKER CLOUD Sp. z o.o., ul. Tadeusza Borowskiego 2, 03-475 Warsaw.
- Transport service provider / couriers: eCommerceConnections Sp. z o.o., ul. Topolowa 2a, 62-090 Bytkowo; InPost S.A., ul. Wielicka 28, 30-552 Kraków; DHL Parcel Polska Sp. z o.o., ul. Osmańska 2, 02-823 Warsaw.
- Hosting service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.
- E-mail service provider: Google Inc. 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA.
- Advertising and analytics service provider: Google Inc. 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA; Facebook Inc. 1 Hacker Way, Menlo Park, CA 94025, USA; LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
- Accounting service provider: Taxteam sp. z o.o., al. Kościuszki 39, 90-418 Łódź.
- Invoicing software provider: Fakturownia sp. z o.o., ul. Juliana Smulikowskiego 6/8, 00-389 Warsaw; Shopify International Ltd., 2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland.
- Legal / counselling / debt collection service provider - these service providers are appointed individually whenever the need arises.
- Newsletter distribution service provider: The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA.
- Banking service provider: Santander Bank Polska S.A., al. Jana Pawła II 17, 00-854 Warsaw; mBank S.A. with its registered office in Warsaw at ul. Senatorska 18.
- Electronic payment service provider: PayU S.A., ul. Grunwaldzka 186, 60-166 Poznań; PayLane Sp. z o.o., ul. Norwida 4, 80-280 Gdańsk; PAYPAL POLSKA SP. Z O. O., ul. Emilii Plater 53, 00-113, Warsaw, Poland; Stripe Payments Europe, Ltd., C/O A & L Goodbody, Ifsc, North Wall Quay, D01 H104, Dublin, Ireland.
§13. INFORMATION ON THE TRANSFER OF DATA TO THIRD COUNTRIES
- In view of the fact that we use the services of other providers, your personal data may be transferred outside the European Economic Area, namely to the following country: United States of America (USA).
- The European Commission has determined that certain countries from outside the European Economic Area (EEA) protect personal data sufficiently.
- Since the country to which we transfer the personal data has not been recognised as a secure country, the transfer of data is based on an agreement that contains the standard data protection clauses adopted by the European Commission.
§14. UNCONDITIONAL RIGHTS OF THE PERSONS WHOSE DATA IS PROCESSED
Whenever we mention the rights related to the processing of your personal data, we mean the rights described below. The possibility of exercising the rights described below is independent of the legal basis for personal data processing.
The right of access to data
You have the right to obtain from us confirmation as to whether personal data concerning you is being processed. If this is the case, you have the right to access this data and to receive additional information about:
- the purposes of the processing,
- the categories of personal data concerned,
- the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations,
- where possible, the envisaged period for which the data will be stored, or, if not possible, the criteria used to determine that period,
- the right to request from us rectification or erasure of data or restriction of its processing, the right to object to such processing and the right to lodge a complaint with a supervisory authority,
- the source of data, if your data has not been collected from you,
- the existence of automated decision-making (including profiling) and about the significance and the envisaged consequences of such processing for you.
After receiving such a demand, we are obligated to provide you with a copy of personal data that is being processed. If such a demand is received by electronic means and we do not receive any reservation to the contrary, we will provide the information also by electronic means.
Right to rectification
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (right to be forgotten)
You have the right to obtain from us the erasure of personal data concerning you without undue delay. Then, we will be obligated to erase personal data without undue delay if one of the following grounds applies:
- you have withdrawn consent to the processing of your data and there is no other legal ground for its processing,
- you have effectively objected to the processing of data concerning you,
- your personal data has been unlawfully processed,
- your personal data needs to be erased for compliance with a legal obligation,
- your personal data has been collected in relation to the offer of information society services.
Right to restriction of processing
You have the right to obtain from us restriction of processing where one of the following applies:
- you contest the accuracy of the data – for a period enabling us to verify the accuracy of the data,
- the processing is unlawful and you oppose the erasure of the data and request the restriction of its use instead,
- we no longer need the personal data for the purposes of processing, but you need the data for the purpose of the establishment, exercise or defence of claims,
- you have objected to the processing of your data – pending the verification whether our legitimate grounds override the grounds for your objection.
Automated decisions, including profiling
You have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning you or similarly significantly affects you.
The right does not apply if the decision:
- is necessary for the conclusion or performance of an agreement between you and us,
- is authorised by Union law or law of the Republic of Poland, which also lays down suitable measures to safeguard your rights, freedoms and legitimate interests, or
- is based on your explicit consent.
Right to lodge a complaint
You have the right to lodge a complaint in relation to processing of your personal data to the supervisory authority: President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, tel. 22 531 03 00, fax. 22 531 03 01, e-mail: kancelaria@uodo.gov.pl.
§15. CONDITIONAL RIGHTS OF THE PERSONS WHOSE DATA IS PROCESSED
Whenever we mention the rights related to the processing of your personal data, we mean the rights described below. The possibility of exercising them depends each time on the legal basis for the processing of personal data.
Right to withdraw consent to the processing
When we are processing your personal data on the basis of consent, you have the right to withdraw the consent at any time. Naturally, the withdrawal of consent does not affect the lawfulness of previous processing of personal data.
Right to data portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit the data to another controller without any hindrance from us, if the processing:
- is based on consent or an agreement, and
- is carried out by automated means.
When exercising the right to data portability, you may demand that the personal data be transmitted from us directly to another controller, where technically feasible. This right must not adversely affect the rights and freedoms of others.
Right to object
When we are processing your personal data on the basis of Article 6(1)(f) of the GDPR, you have the right to object to the data processing on grounds relating to your particular situation.
In such a case we are no longer allowed to process such personal data, unless we demonstrate the existence of:
- compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
- grounds for the establishment, exercise or defence of claims.
If you object to the processing of your personal data for direct marketing purposes, we will not be allowed to process it for such purposes.
§16. COOKIES - INTRODUCTION
The Online Service website uses cookies. Cookies are small, commonly used files that contain a sequence of characters, which are sent and stored on the end device (e.g. a computer, laptop, tablet, or smartphone) used when visiting the Online Service. This information is sent to the memory of the browser used, which sends it back when the user enters the same website later. Cookies can be categorised using three methods of division.
When it comes to the purpose of use, we differentiate three categories of cookies:
- Necessary cookies – these files enable correct functioning of the website and its functions, e.g. authentication or security cookies. Without storing them on your device, you will not be able to use the website.
- Analytical cookies – these files enable the monitoring of the websites opened, traffic sources and duration of a visit on a website. If they are not stored, there will be no limitation in using the website functions.
- Advertising cookies – these files enable displaying personalised advertisements on the website or outside of it. If they are not stored, there will be no limitation in using the website functions.
- Social media cookies – these files enable displaying a fanpage on the website, as well as “liking” it. If they are not stored, there will be no limitation in using the website functions.
In terms of a validity period, we differentiate two categories of cookies:
- session cookies – existing until the end of a session,
- persistent cookies – existing after the end of a session.
With regard to the cookie administrator, we differentiate:
- our cookies,
- third-party cookies.
§17. DATA CONTROLLER’S COOKIES
The cookies administrated by us enable:
- access authentication,
- maintaining a session after logging in,
- securing the Online Service against hacker attacks,
- browser “memorisation” of the content of form fields filled in (optional),
- browser “memorisation” of items added to the basket.
Thanks to that, using the Online Service functions becomes easier and more pleasant.
§18. THIRD-PARTY COOKIES
We use cookies administered by Google Inc. 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA, as part of the following services:
- Google Ads – advertising files used for conducting advertising campaigns using the Google Ads service and evaluating their quality,
- Google Analytics – analytical files used for studying user behaviour and traffic and preparation of traffic statistics,
- Google Analytics for Firebase: analysis of application users, use of e.g. created remarketing lists for advertising purposes,
- BigQuery: provided that we carry out integration, analysis of raw data about users.
Data collected by Google Inc. is of an anonymous and aggregated nature. In particular, the data does not contain any identifying characteristics (understood as personal data) of the Online Service users. By using the services listed, we collect data such as the source of acquisition of users visiting the Online Service, their behaviour on the Online Service website, information on the devices and browsers used by them, IP address, domain, demographic data (age, sex), interests and geographical data.
More information on this topic can be found here: https://policies.google.com/technologies/cookies?hl=pl
We use cookies administered by Facebook Inc. 1 Hacker Way, Menlo Park, CA 94025, USA:
- Advertising pixel tags used by Facebook Inc. 1 Hacker Way, Menlo Park, CA 94025, USA. These are elements published in digital content and enabling the recording of information about e.g. the activity on the website, as well as the effectiveness of advertisements. The pixel tag of Facebook Inc. can be managed through the Facebook service, in its user panel,
- Facebook analytics: analysis of users,
- Facebook Ads: advertisements based on data from FB pixel and remarketing lists.
More information on this topic can be found here: https://www.facebook.com/policies/cookies/
HOTJAR
We use cookies administered by Hotjar Limited, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta. Thanks to the Hotjar tool, we analyse your activities on our website, including: information about your device, browser and its language, location and anonymised IP number. We carry out this analysis in order to optimise our website in terms of its usability. If you wish to object to processing of your data for these purposes, use the following link: https://www.hotjar.com/legal/compliance/opt-out.
§19. CONSENT TO THE USE AND MANAGEMENT OF COOKIES
With the exception of necessary cookies, they are processed on the basis of a user’s consent.
Consent to the processing of cookies is voluntary and may be withdrawn at any time. However, it should be borne in mind that the lack of consent to the use of certain cookies may result in the limitation of use of the Online Service and its functions, and even prevent its use.
You may grant consent to the use of cookies in the following manner:
- through settings of the software installed on the telecommunications end device used,
- by using the button that includes a declaration of consent to the processing of cookies or confirmation of having read and understood its terms and conditions,
- through the settings available on the website.
§20. CACHE
When you are using the Online Service website, we may automatically use the cache installed on your device. The local memory can store data between sessions, i.e. between subsequent visits on the Online Service website. We use cache in order to make the use of the Online Service faster, by eliminating situations in which the same data would be downloaded from the Online Service multiple times, thus generating load on the User’s online connection. Cache may also store data such as a password for logging in.
§21. LINKS TO OTHER WEBSITES OR SOFTWARE
The Online Service may contain links to other websites or software. We are not responsible for any principles of adherence to the privacy policies and processing of cookies that apply to those websites or software. We recommend that you read the privacy and cookie policy of those websites or software after visiting them or before installing them.
§22. CHANGES TO THE PRIVACY AND COOKIE POLICY
- The Privacy and Cookie Policy enters into force on the date of its publication on the Online Service website.
- Changes to the Privacy and Cookie Policy are made through publication of its new content on the Online Service website.
- We publish information on a change to the Privacy and Cookie Policy on the Online Service website not later than 3 days before the date of entry into force of its new wording.