STORYLANDIA SERVICE AND APPLICATION PRIVACY POLICY

I. DEFINITIONS

1. Controller – APPVENTIS PROSTA SPÓŁKA AKCYJNA (a simplified joint-stock company) with its registered office in Radom, Poland (Kazimierza Pułaskiego 6/10, 26-600 Radom), entered into the Register of Entrepreneurs maintained by the District Court of Lublin Wschód in Lublin with its seat in Świdnik, 6th Commercial Division of the National Court Register, under KRS number: 0001145581, Tax ID (NIP): 7963033729, with a share capital of PLN 100.00.

2. STORYLANDIA Application or Application – the mobile application owned by the Controller, enabling Users to generate personalized stories for children.

3. Personal Data – any information relating to an identified or identifiable natural person, in particular by reference to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity, including image, voice recordings, contact details, location data, information contained in correspondence, and information collected through recording devices or similar technologies.

4. Account – an individual section of the Application assigned to a specific User, identified by a single email address or mobile phone number, enabling the User to perform certain actions within the Application.

5. Data Subject – a natural person whose Personal Data are processed by the Controller, including but not limited to Users and other individuals who contact the Controller (e.g. by email).

6. Policy – this Privacy Policy.

7. Terms of Service – the Terms and Conditions of the STORYLANDIA Application.

8. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

9. STORYLANDIA Website or Website – the online service named STORYLANDIA, operated by the Controller in Polish, available at https://storylandia.pl, which also includes the STORYLANDIA Application.

10. Services – services provided electronically to Users by the Controller within the Application.

11. User – a natural person aged 18 or older with full legal capacity, or a person over 13 years of age using the Service under the supervision and with the consent of a legal guardian, who, after reading and accepting the Terms of Service, has completed the registration process, resulting in the creation of an active Account.

II. PROCESSING OF PERSONAL DATA

1. In connection with its business operations, in particular through the Website and Application, the Controller collects and processes Personal Data in accordance with applicable laws, especially the GDPR, and adheres to the principles of data processing laid down therein.

2. The Controller:

2.1. ensures transparency in the processing of Personal Data;

2.2. provides information about data processing at the time of collection, in particular about the purposes and legal basis, unless exempted by law;

2.3. collects and processes only the data necessary for the stated purpose and for no longer than required.

3. When processing Personal Data, the Controller ensures their confidentiality and security and provides Data Subjects with access to information about how their data are processed.

If, despite implemented safeguards, a personal data breach occurs (e.g. data leakage or loss) that could pose a high risk to individuals' rights or freedoms, the Controller shall inform the affected Data Subjects in compliance with legal requirements.

III. GENERAL DATA SECURITY PRINCIPLES

1. The confidentiality and security of Personal Data are a top priority for the Controller.

2. The Controller may use non-personal data collected through the Website and Application only when anonymized, i.e. when it cannot be linked to a specific User, for purposes such as producing anonymous reports and aggregate statistics.

3. To ensure data integrity and confidentiality, access to Personal Data is restricted to authorized individuals and only to the extent necessary for the performance of their duties.

4. The Controller uses organizational and technical measures to ensure that all data operations are logged and performed only by authorized persons.

5. The Controller also ensures that any contractors or third parties acting on its behalf guarantee the application of appropriate security measures whenever they process Personal Data.

6. The Controller continuously conducts risk assessments and monitors the adequacy of safeguards, implementing additional measures where necessary to improve data protection.

IV. PURPOSES AND LEGAL BASES OF PROCESSING

1. ACCOUNT CREATION

1.1. To create a User Account, it is necessary to provide certain data such as an email address. By accepting the Terms of Service, the User enters into an electronic services agreement with the Controller.

1.2. Legal basis: necessity for the performance of a contract or to take steps at the request of the User prior to entering into a contract (Article 6(1)(b) GDPR).

2. USE OF THE APPLICATION

2.1. To provide the Application's Services, the Controller processes other Personal Data necessary for the performance of specific functions.

2.2. Legal basis: Article 6(1)(b) GDPR – contract performance or pre-contractual steps.

3. ANALYTICAL, STATISTICAL AND RESEARCH PURPOSES

3.1. The Controller may process Personal Data for analytical, statistical, and research purposes, such as analyzing Users' activity and preferences to improve the functionality of the Website and Application.

3.2. The Controller may also prepare aggregated reports, analyses, and studies for third parties or for research purposes. Such documents will never include Personal Data identifying individual Users.

3.3. Uploaded graphic files (e.g. photos or drawings) may be processed to generate personalized stories. These files are used exclusively to create story content and related visuals. They will not be published or used for other purposes and may be deleted or anonymized after the service is completed.

3.4. Legal basis: legitimate interest of the Controller, and necessity for research or statistical purposes (Article 6(1)(f), Article 9(2)(i) and (j) GDPR).

4. EMAIL AND POSTAL CORRESPONDENCE

4.1. Personal Data contained in correspondence received by email or post are processed solely for communication and issue resolution.

4.2. Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR) – handling correspondence related to business operations.

5. TELEPHONE CONTACT

5.1. When contacting the Controller by phone on matters unrelated to an existing contract or services, the Controller may request limited Personal Data necessary to handle the issue.

5.2. Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR) – resolving matters related to its business activity.

6. PURSUING CLAIMS

6.1. The Controller may process certain Personal Data to establish, exercise, or defend legal claims arising from Users' use of the Website or Application.

6.2. Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR).

7. EXERCISING DATA SUBJECT RIGHTS

7.1. To facilitate the exercise of rights under the GDPR (e.g. filing complaints or requests), the Controller may process relevant Personal Data.

7.2. Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR).

8. MARKETING OF CONTROLLER'S SERVICES

8.1. Commercial communications:

8.1.1. With the Data Subject's consent, the Controller may send commercial messages by email.

8.1.2. Legal basis: consent (Article 6(1)(a) GDPR) and, where applicable, Article 10(2) of the Polish Act on Electronic Services (18 July 2002) or Article 398 of the Electronic Communications Law (12 July 2024).

8.2. Newsletter:

8.2.1. Based on the Data Subject's consent, the Controller may send newsletters to the provided email address.

8.2.2. Legal basis: consent (Article 6(1)(a) GDPR).

V. PROVISION OF PERSONAL DATA

1. Account creation: Providing Personal Data is voluntary but required to create an Account and use the Services.

2. Newsletter: Providing an email address is voluntary but necessary to receive newsletters.

VI. SOCIAL MEDIA PROFILES

1. The Controller operates public profiles on Facebook and LinkedIn. It processes Personal Data of visitors to these profiles (e.g. comments, likes, social media IDs) for purposes including:

1.1. effective profile management and communication;

1.2. promotion of services, events, and activities;

1.3. statistical and analytical purposes;

1.4. potential establishment or defense of legal claims.

2. Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR) – brand promotion, service improvement, and claim management.

3. Note: This Policy does not cover processing performed by the operators of Facebook or LinkedIn. Details are available in those platforms' respective privacy policies.

4. Users may delete their comments, stop following the Controller, or delete their social media accounts at any time.

VII. DATA RECIPIENTS

1. In connection with its operations, Personal Data may be disclosed to third parties such as IT service providers, postal operators, couriers, accounting firms, legal or consulting service providers, and marketing agencies.

2. Data of Users using online payments are shared with payment service providers under the Polish Payment Services Act (19 August 2011).

3. Anonymized data (non-identifying) may also be shared with external providers for analytical purposes.

4. The Controller reserves the right to disclose selected information to competent authorities or third parties who lawfully request such information.

VIII. DATA TRANSFER OUTSIDE THE EEA

1. The Controller does not transfer Personal Data outside the European Economic Area (EEA).

IX. AUTOMATED DECISION-MAKING AND PROFILING

1. The Controller does not use automated decision-making or profiling within the Website or Application.

X. DATA RETENTION PERIOD

1. Personal Data are retained for as long as the User maintains an Account and for three (3) years after its deletion or closure.

2. This period may be extended if necessary for legal claims or defense, or as required by law.

3. When data are processed based on legitimate interest, they are retained until an effective objection is raised.

4. When processed based on consent, data are retained until consent is withdrawn. Withdrawal does not affect the lawfulness of prior processing.

XI. DATA SUBJECT RIGHTS

1. Data Subjects have the following rights:

1.1. Right to information – to obtain details about the processing of their Personal Data.

1.2. Right of access – to receive a copy of their data.

1.3. Right to rectification – to correct inaccurate or incomplete data.

1.4. Right to erasure ("right to be forgotten") – to request deletion of data no longer necessary.

1.5. Right to restriction of processing – to request suspension of processing under certain conditions.

1.6. Right to data portability – to receive their data in a structured, machine-readable format or have it transmitted to another controller.

1.7. Right to object – to object to processing for marketing or other legitimate interest purposes.

1.8. Right to withdraw consent – where processing is based on consent, it may be withdrawn at any time.

1.9. Right to lodge a complaint – with a supervisory authority, in Poland: the President of the Personal Data Protection Office (UODO).

XII. EXERCISING YOUR RIGHTS

1. Requests regarding Data Subject rights may be submitted:

1.1. In writing: APPVENTIS PROSTA SPÓŁKA AKCYJNA, ul. Kazimierza Pułaskiego 6/10, 26-600 Radom, Poland

1.2. By email: [email protected]

2. If identification is not possible, the Controller may request additional information. Responses are provided within one month. In justified cases, this period may be extended with prior notice.

3. Requests submitted electronically will generally receive electronic replies unless otherwise requested.

4. The Controller keeps records of requests and responses to demonstrate compliance and to establish or defend legal claims.

XIII. DATA PROTECTION OFFICER

1. The Controller has not appointed a Data Protection Officer.

XIV. UPDATES TO THIS PRIVACY POLICY

1. This Privacy Policy may be amended due to changes in applicable law or in the Controller's operations.

2. The Controller will inform Users about updates via the Website or Application, indicating the effective date of changes, allowing Users to exercise their GDPR rights, including withdrawal of consent or objection.