GC APP PRIVACY POLICY APPLICABLE FROM 1.09.2022

  1. DEFINITIONS
    1. Controller - CSG SPÓŁKA AKCYJNA with the registered office in Kraków, ul. Kalwaryjska 33, 30-509 Kraków, registered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Kraków-Śródmieście, XI Commercial Division of the National Court Register, under the number KRS 0000714229, share capital: PLN 350,000.00 fully paid up, tax identification number (NIP): 6793163992, company statistical number (REGON): 369293269, BDO: 00011314.
    2. Personal data - information about a natural person identified or identifiable by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including in particular: name, surname, e-mail address, device IP, online identifier and information on electricity consumption for EV charging.
    3. Policy - this Privacy Policy.
    4. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
    5. Application - mobile application to operate EV chargers (“GC Mamba”).
    6. User - any natural person using the Application.
  2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE APPLICATION
    1. In connection with the User's use of the Application, the Controller collects data to the extent necessary to provide services via the Application, as well as information about the User's activity in the Application. The detailed rules and purposes of the processing of Personal Data collected during the use of the Application by the User are described below.
    2. The Application can use the following permissions:
      1. Access to a camera or photo camera - in order to enable the scanning of product QR codes;
      2. Access to the memory of the device on which the Application is installed - in order to save the data necessary for the Application to operate;
      3. Access to an Internet connection to enable download of new software for connected devices and communication with the server;
      4. Access to connection with Bluetooth and Bluetooth Low Energy - in order to enable connection of the Application with products and control devices (including software update).
  3. PURPOSES AND LEGAL BASIS FOR DATA PROCESSING IN THE APPLICATION
      USE OF THE APPLICATION
    1. Personal data of all persons using the Application (including the IP address or other identifiers) are processed by the Controller:
      1. In order to provide electronic services in the scope of making the content collected in the Application available to Users - then the legal basis for processing is the necessity of processing to perform the contract (Article 6 (1) (b) GDPR);
      2. For analytical and statistical purposes - then the legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) GDPR), consisting in conducting analyses of Users' activity, as well as their preferences in order to improve the functionalities used and the services provided;
      3. In order to possibly establish and pursue claims or defend against claims - the legal basis for processing is the Controller's legitimate interest (Article 6 (1) (f) GDPR), consisting in the protection of its rights.
    2. The User's activity in the Application, including their Personal Data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and activities related to the IT system used to provide services by the Controller). The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller also processes them for technical and administrative purposes, for the purposes of ensuring the security of the IT system and managing this system, as well as for analytical and statistical purposes - in this respect, the legal basis for processing is the Controller's legitimate interest (Article 6 (1) (f) GDPR).
    3. REGISTRATION IN THE APPLICATION
    4. Persons who register in the Application are asked to provide the data necessary to create and operate the account. In order to facilitate service, the User may provide additional data, thereby consenting to their processing. Such data can be deleted at any time. Providing data marked as mandatory is required to set up and operate an account, and failure to do so results in the inability to create an account. Providing other data is voluntary.
    5. Personal data is processed:
      1. In order to provide services related to the operation and maintenance of an account in the Application - the legal basis for processing is the necessity of processing to perform the contract (Article 6 (1) (b) GDPR), and in the scope of optional data - the legal basis for processing is consent (Article 6 (1) (a) GDPR);
      2. For analytical and statistical purposes - the legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) GDPR), consisting in conducting analyses of Users' activity in the Application and the manner of using the account, as well as Users' preferences in order to improve the functionalities used;
      3. In order to possibly establish and pursue claims or defend against claims - the legal basis for processing is the Controller's legitimate interest (Article 6 (1) (f) GDPR), consisting in the protection of its rights.
    6. CONTACT FORMS
    7. The Controller provides the possibility of contacting it using electronic contact forms. Using the form requires providing Personal Data necessary to contact the User and answer the inquiry. The User can also provide other data to facilitate contact or handling of the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to do so results in the inability to respond to the inquiry. Providing other data is voluntary.
    8. Personal data is processed:
      1. In order to identify the sender and handle their inquiry sent using the provided form - the legal basis for processing is the necessity of processing to perform the contract for the provision of the service (Article 6 (1) (b) GDPR); in the scope of optional data, the legal basis for processing is consent (Article 6 (1) (a) GDPR);
      2. For analytical and statistical purposes - the legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) GDPR), consisting in keeping statistics of inquiries submitted by Users via the Application in order to improve its functionality.
  4. PERIOD OF PERSONAL DATA PROCESSING
    1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. As a rule, the data is processed for the duration of the service, until the consent is withdrawn or an effective objection to data processing is raised in cases where the legal basis for data processing is the legitimate interest of the Controller.
    2. The data processing period may be extended, if processing is necessary to establish and pursue any claims or defend against claims, and after that time only if and to the extent that it is required by law. After the expiry of the processing period, the data is irreversibly deleted or anonymized.
  5. USER RIGHTS
    1. The User has the right to access the data and request rectification, deletion, restriction of processing, the right to transfer data and the right to object to data processing, as well as the right to lodge a complaint with the supervisory body dealing with personal data protection.
    2. To the extent that the User's data is processed on the basis of consent, this consent may be withdrawn at any time by contacting the Controller.
  6. DATA RECIPIENTS
    1. In connection with the provision of services, Personal data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and entities related to the Controller, including companies from its capital group.
    2. The Controller reserves the right to disclose selected information about the User to the competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with applicable law.
    3. Personal data may be transferred to entities providing services in the field of sending e-mails and IT companies providing services in the field of Application support. In addition, Personal Data may be shared with IT or marketing companies that help us inform you about our promotions and new products.
  7. TRANSFER OF DATA OUTSIDE EEA
    1. The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers Personal Data outside the EEA only when it is necessary and with an adequate level of protection, primarily through:
      1. Cooperation with entities processing Personal Data in countries for which an appropriate decision of the European Commission has been issued regarding the assurance of an adequate level of protection of Personal Data;
      2. Use of standard contractual clauses issued by the European Commission;
      3. Application of binding corporate rules approved by the competent supervisory authority;
      4. In the case of data transfer to the USA - cooperation with entities participating in the Privacy Shield program, approved by a decision of the European Commission.
    2. The Controller always informs about the intention to transfer Personal Data outside the EEA at the stage of collecting them.
  8. SECURITY OF PERSONAL DATA
    1. The Controller regularly carries out a risk analysis to ensure that personal data is processed by it in a safe manner - ensuring, above all, that only authorized persons have access to the data and only to the extent that it is necessary due to the tasks they perform. The Controller makes sure that all operations on Personal Data are recorded and performed only by authorized employees and partners.
    2. The Controller takes all necessary steps to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures in each case when they process Personal Data on behalf of the Controller.
  9. CONTACT DETAILS
    1. Contact with the Controller is possible via the e-mail address: [email protected] or correspondence address: CSG SPÓŁKA AKCYJNA with its registered office in Kraków, ul. Kalwaryjska 33, 30-509 Kraków.
  10. CHANGES TO THE PRIVACY POLICY
    1. The Policy is verified on an ongoing basis and updated, if necessary.
    2. The current version of the Policy has been adopted and has been in force since 1.09.2022.