Definitions
1.1. Controller – APPVENTIS PROSTA SPÓŁKA AKCYJNA (a simplified joint-stock company) with its registered office in Radom, Poland (Kazimierza Pułaskiego 6/10, 26-600 Radom), entered into the Register of Entrepreneurs maintained by the District Court of Lublin Wschód in Lublin with its seat in Świdnik, 6th Commercial Division of the National Court Register, under KRS number: 0001145581, Tax ID (NIP): 7963033729, with a share capital of PLN 100.00.
1.2. STORYLANDIA Application or Application – the mobile application owned by the Controller, enabling Users to generate personalized stories for children.
1.3. Personal Data – any information relating to an identified or identifiable natural person, in particular by reference to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity, including image, voice recordings, contact details, location data, information contained in correspondence, and information collected through recording devices or similar technologies.
1.4. Account – an individual section of the Application assigned to a specific User, identified by a single email address or mobile phone number, enabling the User to perform certain actions within the Application.
1.5. Data Subject – a natural person whose Personal Data are processed by the Controller, including but not limited to Users and other individuals who contact the Controller (e.g. by email).
1.6. Policy – this Privacy Policy.
1.7. Terms of Service – the Terms and Conditions of the STORYLANDIA Application.
1.8. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.9. STORYLANDIA Website or Website – the online service named STORYLANDIA, operated by the Controller in Polish, available at https://storylandia.pl, which also includes the STORYLANDIA Application.
1.10. Services – services provided electronically to Users by the Controller within the Application.
1.11. User – a natural person aged 18 or older with full legal capacity, or a person over 13 years of age using the Service under the supervision and consent of a legal guardian, who, after reading and accepting the Terms of Service, has completed the registration process, resulting in the creation of an active Account.
Processing of personal data
2.1. In connection with its business operations, in particular through the Website and Application, the Controller collects and processes Personal Data in accordance with applicable laws, especially the GDPR, and adheres to the principles of data processing laid down therein.
2.2. The Controller:
- 2.2.1. ensures transparency in the processing of Personal Data;
- 2.2.2. provides information about data processing at the time of collection, in particular about the purposes and legal basis, unless exempted by law;
- 2.2.3. collects and processes only the data necessary for the stated purpose and for no longer than required.
2.3. When processing Personal Data, the Controller ensures their confidentiality and security and provides Data Subjects with access to information about how their data are processed. If, despite implemented safeguards, a personal data breach occurs (e.g. data leakage or loss) that could pose a high risk to individuals' rights or freedoms, the Controller shall inform the affected Data Subjects in compliance with legal requirements.
General data security principles
3.1. The confidentiality and security of Personal Data are a top priority for the Controller.
3.2. The Controller may use non-personal data collected through the Website and Application only when anonymized, i.e. when it cannot be linked to a specific User, for purposes such as producing anonymous reports and aggregate statistics.
3.3. To ensure data integrity and confidentiality, access to Personal Data is restricted to authorized individuals and only to the extent necessary for the performance of their duties.
3.4. The Controller uses organizational and technical measures to ensure that all data operations are logged and performed only by authorized persons.
3.5. The Controller also ensures that any contractors or third parties acting on its behalf guarantee the application of appropriate security measures whenever they process Personal Data.
3.6. The Controller continuously conducts risk assessments and monitors the adequacy of safeguards, implementing additional measures where necessary to improve data protection.
Purposes and legal bases of processing
4.1. Account creation
- 4.1.1. To create a User Account, it is necessary to provide certain data such as an email address. By accepting the Terms of Service, the User enters into an electronic services agreement with the Controller.
- 4.1.2. Legal basis: necessity for the performance of a contract or to take steps at the request of the User prior to entering into a contract (Article 6(1)(b) GDPR).
4.2. Use of the Application
- 4.2.1. To provide the Application's Services, the Controller processes other Personal Data necessary for the performance of specific functions.
- 4.2.2. Legal basis: Article 6(1)(b) GDPR – contract performance or pre-contractual steps.
4.3. Analytical, statistical and research purposes
- 4.3.1. The Controller may process Personal Data for analytical, statistical, and research purposes, such as analyzing Users' activity and preferences to improve the functionality of the Website and Application.
- 4.3.2. The Controller may also prepare aggregated reports, analyses, and studies for third parties or for research purposes. Such documents will never include Personal Data identifying individual Users.
- 4.3.3. Uploaded graphic files (e.g. photos or drawings) may be processed to generate personalized stories. These files are used exclusively to create story content and related visuals. They will not be published or used for other purposes and may be deleted or anonymized after the service is completed.
- 4.3.4. Legal basis: legitimate interest of the Controller, and necessity for research or statistical purposes (Article 6(1)(f), Article 9(2)(i) and (j) GDPR).
4.4. Email and postal correspondence
- 4.4.1. Personal Data contained in correspondence received by email or post are processed solely for communication and issue resolution.
- 4.4.2. Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR) – handling correspondence related to business operations.
4.5. Telephone contact
- 4.5.1. When contacting the Controller by phone on matters unrelated to an existing contract or services, the Controller may request limited Personal Data necessary to handle the issue.
- 4.5.2. Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR) – resolving matters related to its business activity.
4.6. Pursuing claims
- 4.6.1. The Controller may process certain Personal Data to establish, exercise, or defend legal claims arising from Users' use of the Website or Application.
- 4.6.2. Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR).
4.7. Exercising data subject rights
- 4.7.1. To facilitate the exercise of rights under the GDPR (e.g. filing complaints or requests), the Controller may process relevant Personal Data.
- 4.7.2. Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR).
4.8. Marketing of Controller's services
- 4.8.1. Commercial communications
  - 4.8.1.1. With the Data Subject's consent, the Controller may send commercial messages by email.
  - 4.8.1.2. Legal basis: consent (Article 6(1)(a) GDPR) and, where applicable, Article 10(2) of the Polish Act on Electronic Services (18 July 2002) or Article 398 of the Electronic Communications Law (12 July 2024).
- 4.8.2. Newsletter
  - 4.8.2.1. Based on the Data Subject's consent, the Controller may send newsletters to the provided email address.
  - 4.8.2.2. Legal basis: consent (Article 6(1)(a) GDPR).
Provision of personal data
5.1. Account creation. Providing Personal Data is voluntary but required to create an Account and use the Services.
5.2. Newsletter. Providing an email address is voluntary but necessary to receive newsletters.
Social media profiles
6.1. The Controller operates public profiles on Facebook and LinkedIn. It processes Personal Data of visitors to these profiles (e.g. comments, likes, social media IDs) for purposes including:
- 6.1.1. effective profile management and communication;
- 6.1.2. promotion of services, events, and activities;
- 6.1.3. statistical and analytical purposes;
- 6.1.4. potential establishment or defense of legal claims.
6.2. Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR) – brand promotion, service improvement, and claim management.
6.3. Note: This Policy does not cover processing performed by the operators of Facebook or LinkedIn. Details are available in those platforms' respective privacy policies.
6.4. Users may delete their comments, stop following the Controller, or delete their social media accounts at any time.
Data recipients
7.1. In connection with its operations, Personal Data may be disclosed to third parties such as IT service providers, postal operators, couriers, accounting firms, legal or consulting service providers, and marketing agencies.
7.2. Data of Users using online payments are shared with payment service providers under the Polish Payment Services Act (19 August 2011).
7.3. Anonymized data (non-identifying) may also be shared with external providers for analytical purposes.
7.4. The Controller reserves the right to disclose selected information to competent authorities or third parties who lawfully request such information.
7.5. For sending email messages (marketing, transactional, and service emails) the Controller uses the services of Mailjet SAS, with its registered office at 4 rue Jules Lefebvre, 75009 Paris, France, part of the Sinch AB group. Mailjet SAS acts as a processor under a data processing agreement concluded with the Controller in accordance with Article 28 GDPR. The current list of Sinch sub-processors is available at: https://sinch.com/legal/data-protection-agreement-sub-processors/.
Data transfer outside the EEA
8.1. The Controller generally processes Personal Data within the European Economic Area (EEA).
8.2. Where the Controller uses processors with offices or infrastructure outside the EEA (in particular sub-processors of email marketing, hosting, or analytics providers), transfers of Personal Data take place only on the basis of:
- 8.2.1. a European Commission adequacy decision (Article 45 GDPR), including for certified recipients in the United States — on the basis of the EU–US Data Privacy Framework (Commission Decision 2023/1795); or
- 8.2.2. Standard Contractual Clauses approved by Commission Decision 2021/914 (Article 46(2)(c) GDPR), incorporated into agreements with the processors.
8.3. A current list of processors, including those whose sub-processors may be located outside the EEA, is available on request to the address provided in §12 and is referenced in §7 of this Policy.
Automated decision-making and profiling
9.1. The Controller uses profiling within the meaning of Article 4(4) GDPR solely to tailor marketing communications to the preferences and behaviour of Users of the Application.
9.2. Profiling consists of assigning Users to segments (e.g. by Application activity, subscription status, favourite story categories, language of communication) based on data collected through their use of the Application.
9.3. Profiling performed by the Controller does not produce legal effects concerning the Data Subject or similarly significantly affect them within the meaning of Article 22(1) GDPR — it serves solely to adjust the content and frequency of marketing communications.
9.4. The legal basis for profiling for marketing purposes is the consent of the Data Subject (Article 6(1)(a) GDPR), expressed separately and in a manner allowing it to be withdrawn at any time.
9.5. The Controller does not make decisions about Data Subjects based solely on automated processing that would produce legal effects concerning them or similarly significantly affect them.
Data retention period
10.1. Personal Data are retained for as long as the User maintains an Account and for three (3) years after its deletion or closure.
10.2. This period may be extended if necessary for legal claims or defense, or as required by law.
10.3. When data are processed based on legitimate interest, they are retained until an effective objection is raised.
10.4. When processed based on consent, data are retained until consent is withdrawn. Withdrawal does not affect the lawfulness of prior processing.
Data subject rights
Data Subjects have the following rights:
- 11.1. Right to information – to obtain details about the processing of their Personal Data.
- 11.2. Right of access – to receive a copy of their data.
- 11.3. Right to rectification – to correct inaccurate or incomplete data.
- 11.4. Right to erasure ("right to be forgotten") – to request deletion of data no longer necessary.
- 11.5. Right to restriction of processing – to request suspension of processing under certain conditions.
- 11.6. Right to data portability – to receive their data in a structured, machine-readable format or have it transmitted to another controller.
- 11.7. Right to object – to object to processing for marketing or other legitimate interest purposes.
- 11.8. Right to withdraw consent – where processing is based on consent, it may be withdrawn at any time.
- 11.9. Right to lodge a complaint – with a supervisory authority, in Poland: the President of the Personal Data Protection Office (UODO).
Exercising your rights
12.1. Requests regarding Data Subject rights may be submitted:
- 12.1.1. in writing: APPVENTIS PROSTA SPÓŁKA AKCYJNA, ul. Kazimierza Pułaskiego 6/10, 26-600 Radom, Poland;
- 12.1.2. by email: [email protected].
12.2. If identification is not possible, the Controller may request additional information. Responses are provided within one month. In justified cases, this period may be extended with prior notice.
12.3. Requests submitted electronically will generally receive electronic replies unless otherwise requested.
12.4. The Controller keeps records of requests and responses to demonstrate compliance and to establish or defend legal claims.
Data protection officer
13.1. The Controller has not appointed a Data Protection Officer.
Updates to this Privacy Policy
14.1. This Privacy Policy may be amended due to changes in applicable law or in the Controller's operations.
14.2. The Controller will inform Users about updates via the Website or Application, indicating the effective date of changes, allowing Users to exercise their GDPR rights, including withdrawal of consent or objection.
14.3. This Privacy Policy is effective as of 22 May 2026.
14.4. Archived versions of the Privacy Policy are available upon request to the address provided in §12.