Privacy policy
CADitNOW
Please read this privacy policy carefully. The privacy policy governs the processing of personal data collected and processed when you use the CADitNOW Application.
1. GENERAL PROVISIONS
- This Application privacy policy is for informational purposes only, meaning it does not constitute a source of obligations for Application Users. The Privacy Policy primarily contains principles regarding the processing of personal data by the Administrator in the Application, including the basis, purposes, and duration of personal data processing, as well as the rights of data subjects.
- The controller of personal data collected via the Application is: jointly: (1) Natalia Hoffa, conducting business activity under the name CAD it NOW Natalia Hoffa, entered into the Central Register and Information on Business Activity of the Republic of Poland, maintained by the minister responsible for the economy, with: address of the place of business and address for service: ul. Akacjowa 4, 62-100 Wągrowiec, NIP 7662010691, REGON 527357607, e-mail address: hj.caditnow@gmail.com, contact telephone number: +48 739051755 (2) Patrycja Jeziorska, conducting business activity under the name CAD it NOW Patrycja Jeziorska, entered into the Central Register and Information on Business Activity of the Republic of Poland, maintained by the minister responsible for the economy, with: address of the place of business and address for service: ul. Zbożowa 59c/4, 81-020 Gdynia, NIP 9581744409, REGON 528775531, e-mail address: hj.caditnow@gmail.com, contact telephone number: +48 722042798 – hereinafter referred to as the “Administrator” and being at the same time the Service Provider of the CADitNOW Application.
- Personal data in the Application are processed by the Controller in accordance with applicable law, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR” or “GDPR Regulation”. Official text of the GDPR: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
- Using the CADitNOW Application, including making purchases, is voluntary. Similarly, providing personal data by the User using the CADitNOW Application is voluntary, subject to two exceptions: (1) entering into a contract – failure to provide the personal data required to enter into a contract for the use of the Application or specific Electronic Services (e.g., Account registration, activation of paid access to the Application, etc.) in the cases and to the extent indicated in the CADitNOW Application and the CADitNOW Application Terms and Conditions and this Privacy Policy will result in the User being unable to enter into a contract and use the Application’s services. Providing personal data is a contractual requirement in such a case, and if the data subject wishes to use a given Electronic Service available in the Application, they are obligated to provide the required data. The scope of data required to use specific Application services is previously specified in the CADitNOW Application and the CADitNOW Application Terms and Conditions; (2) statutory obligations of the Administrator – providing personal data is a statutory requirement resulting from generally applicable legal provisions imposing on the Administrator the obligation to process personal data (e.g. for the purpose of keeping accounting books) and failure to provide them will prevent the Administrator from fulfilling these obligations.
- The Administrator takes special care to protect the interests of the persons whose personal data it processes, and in particular is responsible for and ensures that the data it collects are: (1) processed lawfully; (2) collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes; (3) factually correct and adequate in relation to the purposes for which they are processed; (4) kept in a form that permits identification of the data subjects for no longer than is necessary to achieve the purpose of the processing; and (5) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
- Taking into account the nature, scope, context and purposes of the processing, as well as the risk of violating the rights or freedoms of natural persons, of varying likelihood and severity, the Administrator implements appropriate technical and organizational measures so that the processing is carried out in accordance with the GDPR Regulation and so that this can be demonstrated. These measures are reviewed and updated as necessary. The Administrator applies technical measures that prevent unauthorized persons from obtaining and modifying personal data transmitted electronically.
- All words, expressions and acronyms appearing in this privacy policy and beginning with a capital letter (e.g. Electronic Service, User, Application) should be understood in accordance with their definition in the CADitNOW Application Terms and Conditions.
2. BASICS OF DATA PROCESSING
- The Controller is entitled to process personal data in cases where – and to the extent that – at least one of the following conditions is met: (1) the data subject has consented to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary to comply with a legal obligation to which the Controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
- The processing of personal data by the Administrator requires the existence of at least one of the grounds indicated in point 2.1 of the privacy policy. The specific grounds for processing the personal data of CADitNOW Application Users by the Administrator are indicated in the next point of the privacy policy – in relation to the given purpose of personal data processing by the Administrator.
3. PURPOSE, BASIS AND PERIOD OF DATA PROCESSING IN THE APPLICATION
- Each time, the purpose, basis and period as well as the recipients of personal data processed by the Administrator result from the actions undertaken by a given User in the Application.
- Processing of personal data by the Service Provider as a processor on the basis of the entrustment agreement attached as an annex to the Regulations:
- The Service Provider, as part of the provision of subcontracting services for digital prosthetic restorations, acts as an entity processing personal data on behalf of its clients (dental clinics or prosthetic laboratories), who are the controllers of such data.
- In this regard, the Service Provider processes personal data (including special categories of personal data – health data, such as patient names and surnames, patient records, treatment plans, photographs, intraoral scans, X-ray images, CBCT scans, and other diagnostic materials) solely on the basis of a concluded personal data processing agreement and documented instructions from the controller. The Service Provider does not use this data for its own purposes and does not make independent decisions regarding the purposes and methods of its processing.
- Detailed information on the processing of patients’ personal data (including the purposes of processing, legal basis, storage periods and rights of data subjects) can be found in the privacy policy or information clause of the data controller (clients of the Service Provider).
- The Administrator may process personal data in the Application for the following purposes, on the basis and within the periods indicated in the table below:
| Purpose of data processing | Legal basis for data processing | Data storage period |
| Performance of the contract for the use of the Application, the contract for the provision of Services or any other contract, or taking action at the request of the data subject before concluding the contract | Article 6(1)(b) of the GDPR (contract) – processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract | The data is stored for the period necessary to perform, terminate or otherwise expire the concluded contract. |
| Sending commercial information, including direct marketing, using telecommunications terminal equipment (e.g. e-mail, telephone) or automated calling systems | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests of the Controller, which include direct marketing – consisting in taking care of the interests and good image of the Controller, its Application and striving to sell services – for example in connection with the prior consent of the data subject (e.g. when subscribing to the Newsletter) to sending commercial information using telecommunications terminal equipment, such as e-mail or telephone, depending on the scope of the consent granted | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for the Controller’s claims against the data subject arising from the Controller’s business activities. The limitation period is specified by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years). |
| Determining, pursuing or defending claims that may be raised by the Administrator or that may be raised against the Administrator | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests of the Controller – consisting in establishing, pursuing or defending claims that may be raised by the Controller or that may be raised against the Controller | The data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims that may be brought against the Controller (the basic limitation period for claims against the Controller is six years). |
| Using the Application and ensuring its proper functioning | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests of the Controller – consisting in running and maintaining the Application | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for the Controller’s claims against the data subject arising from the Controller’s business activities. The limitation period is specified by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years). |
| Keeping statistics and analyzing traffic in the Application | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller) – processing is necessary for the purposes of the legitimate interests of the Controller – consisting in keeping statistics and analysing traffic in the Application in order to improve the functioning of the Application | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for the Controller’s claims against the data subject arising from the Controller’s business activities. The limitation period is specified by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years). |
4. RECIPIENTS OF DATA IN THE APPLICATION
- For the proper functioning of the CADitNOW Application, including the provision of Electronic Services, the Controller must use the services of external entities (such as a software provider or payment processor). The Controller only uses the services of processors who provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects.
- Personal data may be transferred by the Controller to a third country. The Controller ensures that in such a case, this will be done in accordance with the GDPR Regulation in relation to a country ensuring an adequate level of protection, and in the case of other countries, on the basis of standard data protection clauses, and the data subject has the option to obtain a copy of their data. The Controller transfers collected personal data only when and to the extent necessary to achieve the given data processing purpose in accordance with this privacy policy.
- The Controller does not transfer data in every case and not to all recipients or categories of recipients indicated in the privacy policy – the Controller transfers data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve it.
- Personal data of CADitNOW Application Users may be transferred to the following recipients or categories of recipients:
- providers of accounting, legal and advisory services providing the Controller with accounting, legal or advisory support (in particular an accounting office, law firm or debt collection company) – the Controller makes the collected personal data of the User available to a selected provider acting on its behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this privacy policy.
- service providers supplying the Controller with technical, IT and organizational solutions enabling the Controller to run and maintain the Application and provide Electronic Services (in particular the computer provider for running the CADitNOW Application, the e-mail and hosting provider and the provider of software for company management and providing technical support to the Controller) – the Controller makes the collected personal data of the User available to a selected supplier acting on its behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this privacy policy.
5. PROFILING IN THE APPLICATION
- The following information results primarily from the use of Google Analytics, GA4 by the Controller on the start page (home/information page).
- The GDPR imposes on the Controller an obligation to provide information on automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and – at least in these cases – relevant information on the principles underlying such decision-making, as well as on the significance and envisaged consequences of such processing for the data subject. With this in mind, the Controller provides information on possible profiling in this section of the privacy policy.
- The Administrator may use profiling in the Application for direct marketing purposes, but the decisions made on its basis by the Administrator do not concern the conclusion or refusal to conclude a contract or the ability to use Electronic Services in the Application. Despite profiling, the individual freely decides whether to use, for example, a discount or offer received in this way.
- Profiling in the Application involves the automatic analysis or prediction of a given person’s (User’s) behavior within the home page, for example, by analyzing previous activity or purchase history. The condition for such profiling is that the Administrator has the person’s personal data so that it can then send them, for example, an offer or discount.
- The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar manner.
6. RIGHTS OF THE DATA SUBJECT
- Right of access, rectification, restriction, erasure, or transfer – the data subject has the right to request from the Controller access to their personal data, rectification, erasure (“right to be forgotten”), or restriction of processing, and has the right to object to processing, as well as the right to transfer their data. Detailed conditions for exercising the above-mentioned rights are set out in Articles 15-21 of the GDPR.
- The right to withdraw consent at any time – a person whose data is processed by the Controller on the basis of expressed consent (pursuant to Article 6 paragraph 1 letter a) or Article 9 paragraph 2 letter a) of the GDPR Regulation) has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority – an individual whose data is processed by the Controller has the right to lodge a complaint with a supervisory authority in the manner and procedure specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.
- Right to object – the data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them based on Article 6(1)(e) (public interest or task) or (f) (legitimate interest of the controller), including profiling based on these provisions. In such a case, the controller is no longer permitted to process the personal data unless they demonstrate compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defense of legal claims.
- Right to object to direct marketing – if personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of his or her personal data for such marketing purposes, including profiling, to the extent that the processing is related to such direct marketing.
- In order to exercise the rights referred to in this point of the privacy policy, you can contact the Administrator by sending an appropriate message in writing or by e-mail to the Administrator’s address indicated at the beginning of the privacy policy.
7. COOKIES AND ANALYTICS
a.i.1. This point 7 of the Privacy Policy applies only to the web version of the application, i.e. the websites: https://caditnow.com/ and https://www.caditnow.com/.
a.i.2. Cookies are small pieces of information in the form of text files, sent by the server and stored on the website visitor’s computer or laptop hard drive, or on the smartphone’s memory card, depending on the device used by the visitor. Detailed information on cookies and their history can be found here: https://pl.wikipedia.org/wiki/HTTP_cookie.
a.i.3. Cookies that may be sent by a website can be divided into different types, according to the following criteria:
- By provider: 1) own (created by the website) and 2) belonging to third parties (other than the Administrator)
- In terms of their storage period on the website visitor’s device: 1) session cookies (stored until the visitor leaves the website or closes the web browser) and 2) persistent cookies (stored for a specified period of time, defined by the parameters of each file, or until manually deleted)
- Due to the purpose of their use: 1) necessary (enabling the website to function properly), 2) functional/preferential (enabling the website to be tailored to the visitor’s preferences), 3) analytical and performance (collecting information about how the website is used), 4) marketing, advertising, and social media (collecting information about the website visitor in order to display advertisements to that person, personalize them, and conduct other marketing activities, including on websites separate from the website, such as social media or other websites belonging to the same advertising network as the Application)
a.i.4. The Administrator may process data contained in Cookies when visitors use the website for the following specific purposes:
- remembering data from completed forms or surveys (essential and/or functional/preference cookies)
- adapting the website content to the individual preferences of Service Users (e.g. regarding colors, font size, page layout) and optimizing the use of the website (functional/preference cookies)
- keeping anonymous statistics showing how the website is used (analytical and performance cookies)
- displaying and rendering advertisements, limiting the number of ad displays and ignoring advertisements that a given person does not want to see, measuring the effectiveness of advertisements, as well as personalizing advertisements, i.e. examining the behavioral characteristics of visitors to the web version of the Application by anonymously analyzing their activities (e.g. repeated visits to specific pages, keywords, etc.) in order to create their profile and provide them with advertisements tailored to their expected interests, also when they visit other websites in the advertising network of Google Ireland Ltd. or Facebook, i.e. Meta Platforms Ireland Limited (marketing, advertising and social cookies)
a.i.5. Checking which cookies are currently being sent by the website, regardless of the web browser, is possible, for example, using the tools available at: https://www.cookiemetrix.pl or https://www.cookie-checker.com.
a.i.6. Most web browsers available on the market accept cookies by default. Everyone can specify the terms of use of cookies through their own web browser settings. This means that, for example, you can partially restrict (e.g., temporarily) or completely disable the ability to save cookies – in the latter case, however, this may affect some of the App’s functionalities.
a.i.7. Your web browser’s cookie settings are important for consenting to the use of cookies by the website – in accordance with the regulations, such consent can also be expressed through your web browser settings. Detailed information on changing cookie settings and deleting them yourself in the most popular web browsers is available in your web browser’s help section and on the following websites (just click the appropriate link):
a.i.8. The Administrator may use Google Analytics and GA4 services provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) on the home page (home/information page). These services help the Administrator compile statistics, analyze traffic, and monitor errors in the operation of the website. The collected data is processed as part of the above services to generate statistics that help administer the website, analyze website traffic, and improve the quality of service and safety of website users. This data is aggregated. By using the above services on the website, the Administrator collects data such as the sources and means of acquiring website visitors, their behavior on the website, information about the devices they use to visit the website, IP address, geographic data, demographic data (age, gender), and interests.
a.i.9. It is possible for a given person to easily block the provision of information about their activity on the Application’s home page to Google Analytics – for this purpose, you can, for example, install a browser add-on provided by Google Ireland Ltd., available here: https://tools.google.com/dlpage/gaoptout?hl=pl.
a.i.10. In connection with the possibility of the Controller using analytical and advertising services provided by Google Ireland Ltd. on the website, the Controller indicates that full information on the principles of processing data of persons visiting the Application by Google Ireland Ltd. (including data stored in Cookies) can be found in the privacy policy of Google services at the following internet address: https://policies.google.com/technologies/partner-sites.
8. FINAL PROVISIONS
The Application may contain links to other websites or applications. The Administrator encourages users to review the privacy policies posted on other websites after visiting them. This privacy policy applies only to the Administrator’s Application.