Introduction
This Agreement applies to the “Bluur” service (hereinafter referred to as the “Service”) available on the Internet at https://app.bluur.ai/.
The Parties agree that this Personal Data Processing Agreement (“Agreement”) sets out their obligations regarding the processing and security of data and personal data on behalf of the Controller, for the purpose of processing data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: GDPR).
The Agreement forms an integral part of the Terms of Service. Furthermore, the parties agree that, unless a separate agreement has been concluded, this Agreement governs matters relating to data processing and security.
The Agreement sets out the rules for the operation and use of the Service administered by BTC Spółka z ograniczoną odpowiedzialnością (hereinafter referred to as the “Processor” or “BTC”) with its registered office in Szczecin, ul. 1 Maja 38, 71-617 Szczecin, entered in the National Court Register under number 00000129373.
This Agreement is concluded in electronic form as a result of the Administrator’s acceptance of the content of the Agreement during the purchase of the Service and enters into force upon its acceptance.
Restrictions on
When the Customer purchases a new subscription or renews an existing subscription, the provisions of the Data Processing Agreement (DPA) in force at that time shall apply and shall not be changed during the term of the subscription.
New features, additions, or related software
Notwithstanding the above provisions regarding updates, in the event of the introduction of new features, additions, or related programs (i.e., those not previously part of the Service), BTC may introduce new or update existing provisions in the Agreement applicable to the Customer’s use of such new features, additions, or related programs.
If these provisions change the Agreement in any material adverse way, BTC will provide the Customer with a choice regarding the use of new features, additions, or related software without losing existing features. If the Customer does not install or use the new features, additions, or related software, the relevant new provisions will not apply.
Electronic notifications
BTC may provide the Customer with information and notifications regarding the Service electronically, including by email, on the Service portal, or on the designated website. The notification shall be deemed delivered on the date it is made available by BTC.
Previous versions
These Terms and Conditions contain provisions relating to the Service available at any given time. Previous versions of the Agreement can be found at https://bluur.ai/pl/data-protection-addendum-dpa.
Definitions
The following defined terms are used in this Agreement:
- Administrator (Customer) – an entity that creates an Account and purchases a subscription to the Service;
- Account – a physically and/or logically separate instance intended exclusively for one business entity, in which data and documents are saved and stored;
- Customer (Administrator) – an entity entering into this Agreement;
- Data – any data, including files containing text, sounds, software, images, and videos, provided to BTC by or on behalf of the Customer as a result of using the Service;
- Personal Data – information about an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1. Subject matter of the Agreement
- The Agreement sets out the rules for entrusting the Processor with the processing of personal data in connection with the provision of Services by the Processor to the Controller under the Subscription purchased by the Controller.
- The Administrator declares that it is the administrator of personal data entrusted to the Processor on the basis of the Agreement.
- The Processor declares that it provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects.
- The Administrator entrusts the Processor with the processing of personal data on behalf of the Administrator, and the Processor undertakes to process the entrusted personal data in accordance with the law and the provisions of the Agreement, including with due diligence.
2. Processing of personal data
- The Processor shall process the personal data entrusted by the Controller for the purpose of providing the Service. Technical documentation, user documentation, terms and conditions, and policies are available at: https://bluur.ai/.
- The scope of personal data processing covers the following categories of personal data in relation to the following categories of persons: employees; data categories: first name, last name, email address, IP address; graphic documents that may contain personal data.
- The Processor may process personal data only to the extent and for the purposes specified in the Agreement.
- The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by European Union law or the law of the Member State to which the Processor is subject; in which case, prior to commencing processing, the Processor shall inform the Controller of that legal obligation, unless such information is prohibited by law on grounds of an important public interest. A documented instruction shall be understood as personal data processing activities commissioned on the basis of this Agreement and the Terms of Service.
- The processing of personal data will be carried out during the term of the Service Subscription, subject to paragraph 6.
- The Processor may also process personal data after the termination of the Service (in particular after the expiry, cancellation, or termination of the Subscription), only to the extent that the processing is necessary for the pursuit of the legitimate interests of the Controller or the Processor, as well as in situations necessary for the Controller or Processor to comply with their legal obligations.
3. Responsibilities of the Processor
- The Processor undertakes to ensure that persons authorized to process personal data keep such data and security measures confidential, both during the provision of the Service to the Controller and after its termination.
- The Processor shall take all measures required under Article 32 of the GDPR.
- The Processor undertakes to assist the Controller in fulfilling its obligations referred to in Articles 32–36 of the GDPR, in particular:
  - ensure an adequate level of security for the personal data being processed,
  - report any detected personal data breaches to the Administrator immediately, but no later than 24 hours after their detection.
- The Processor undertakes to delete the personal data entrusted to it immediately after the purpose of their processing has ceased to exist, but no later than 14 days after the end of the provision of the Service to the Controller (in particular after the expiry, cancellation, or termination of the Subscription), unless Union or Member State law to which the Processor is subject requires the storage of personal data.
- In the absence of instructions from the Controller, the Processor may request the Controller to provide guidelines on how to proceed with the data.
- The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations laid down in the Agreement and shall allow the Controller or an auditor authorized by the Controller to conduct audits, including inspections.
- In connection with the obligation specified in paragraph 5, the Processor shall immediately inform the Controller if, in its opinion, the instruction given to it constitutes a violation of the GDPR or other provisions of the Union or the Member State to which the Processor is subject, concerning the protection of personal data.
- The Processor may use personal data to contact the Administrator to the extent necessary to provide the Service and ensure the security of the Service (e.g., service notifications, incidents, technical change announcements, Service performance reports).
- The Processor may use personal data to inform the Administrator about changes to the Service, new versions of the Service, new options, and products. You can opt out of receiving these messages by clicking the unsubscribe link in the email you receive, following the instructions contained therein, or contacting the Processor. External service providers may be used to manage the sending of marketing emails, such as:
– Mailerlite – Privacy Policy available at: https://www.mailerlite.com/pl/legal/privacy-policy.
- The Processor may offer paid products and/or services as part of the Service. In such cases, payment processing is carried out through external providers (payment processors). The Processor does not store or collect payment card data. This information is transmitted directly to third-party payment processors, whose data protection policies are set out in their Privacy Policies. The processors apply PCI-DSS standards managed by the PCI Security Standards Council, which is a joint initiative of brands such as Visa, Mastercard, American Express, and Discover. PCI-DSS requirements ensure secure payment data processing. The Processor may use the services of providers such as:
– Stripe – Privacy Policy available at: https://stripe.com/en-pl/privacy.
- Apart from the entities indicated above, the Processor is not authorized to transfer personal data to a third country or international organization outside the European Economic Area. The Processor may not use subcontractors who transfer personal data outside the European Economic Area. If, in the course of performing the Agreement or the Main Agreement, the Processor intends or is required to transfer personal data outside the European Economic Area, the Processor shall notify the Controller thereof in order to enable the Controller to take the necessary measures to ensure that the processing complies with the law or to terminate the entrusting of the Processing.
4. Further entrusting of personal data processing
- The Controller authorizes the Processor to further entrust the processing of personal data within the European Economic Area, subject to paragraphs 2 and 4.
- The Processor may not subcontract the entire performance of the Agreement.
- Further entrusting of processing is based on an agreement concluded by the Processor with the subcontractor, imposing the same obligations on the subcontractor and granting the Controller the same rights towards the subcontractor as those arising from the Agreement, in particular the obligation of the subcontractor to provide sufficient guarantees that appropriate technical and organizational measures will be implemented so that the processing complies with the requirements of the GDPR, and the right of the Controller to control the manner in which the subcontractor processes the entrusted personal data.
- The Processor shall inform the Controller of its intention to further entrust personal data at least 7 days prior to further entrusting the processing. Failure to express explicit objection on the part of the Controller shall constitute consent to further entrusting the processing of personal data.
- The Processor shall inform the Controller of the expiry of the contract under which the processing of personal data was further entrusted.
- The Processor provides information about subprocessors on the website http://bluur.ai.
5. Right of inspection
- Pursuant to § 3 (6) of the Agreement, the Administrator shall be entitled to inspect the manner in which the Processor processes the personal data entrusted to it.
- The Administrator shall inform the Processor of the planned audit at least 7 days before it begins.
- The audit may be conducted by an authorized employee of the Administrator or an auditor authorized by the Administrator.
- As part of the audit, the Administrator has the right to:
  - access documents and information related to the entrusting of personal data processing,
  - conduct inspections of devices, media, and IT or ICT systems used to process entrusted personal data, provided that such action results from the Administrator’s reasonable doubts,
  - obtain written or oral explanations to the extent necessary to establish the facts.
- After completing the audit, the Administrator shall present the audit results to the Processor. The Processor may submit any objections to the audit results to the Administrator within 7 days of receiving them.
- In the event of negative audit results, the Administrator and the Processor undertake to take joint action to remedy the irregularities and ensure the correctness of further processing of personal data by the Processor.
6. Responsibility
- The Processor shall be liable to the Controller for any damage caused by its actions or omissions in connection with a failure to fulfill the obligations that the GDPR imposes directly on the Processor, or where it has acted outside the scope of the Controller’s lawful instructions or contrary to those instructions.
- The Processor shall be liable to the Controller for the actions and omissions of the subcontractor as for its own, in particular for failure to comply with personal data protection obligations.
7. Term of the Agreement
- The Agreement shall be concluded for the duration of the provision of Services to the Administrator. The Agreement shall enter into force upon purchase of the Subscription and acceptance of its terms and conditions by the Administrator. The duration of personal data processing shall continue until the obligation to return or delete personal data in accordance with §3(4) has been fulfilled, and until that time, the provisions of the Agreement shall apply accordingly.
- The Parties hereby declare that entrusting the Processor with the processing of personal data covered by the Agreement is voluntary, but necessary for the proper performance of the Services by the Processor for the benefit of the Controller. During the term of the Subscription, the Parties mutually exclude the possibility of terminating or cancelling the Agreement without simultaneously terminating the provision of the Service to the Administrator.
- Any breach of the provisions of the Agreement by the Processor shall constitute a valid reason entitling the Controller to demand the immediate termination of the processing of personal data and the termination of the provision of the Service to the Processor (including the cancellation of the Subscription), without prejudice to the Controller’s rights under the law.
8. Final provisions
- In the event of any discrepancy between the provisions of the Agreement and other terms and conditions of the Service (including the Subscription terms and conditions), the provisions of the Agreement shall prevail.
- In matters not covered by this Agreement, the provisions of the GDPR and Polish law shall apply.
- Any disputes arising from the Agreement shall be settled by the court having jurisdiction over the seat of the Processor.
- Any amendments to this Agreement must be made in electronic form, otherwise they shall be null and void.
- The Agreement is concluded in electronic form and is recorded in the Processor’s ICT system; the Parties agree that acceptance of the Agreement during the account registration and/or Subscription activation process (including ticking the checkbox) is tantamount to making declarations of will in documentary form.