Data Privacy, Processing, & Security Policy Summary
This summary highlights the key points of our Data Privacy, Processing, & Security Policy, which explains how we handle your personal data.
This summary is intended for informational purposes only; you should carefully read the full Data Privacy, Processing, & Security Policy before using our services.
- Introduction
This policy explains how Fast & Running (the “Company,” “we,” “us,” or “our”) collects, uses, stores, and protects your personal data. It applies to any personal data we collect from clients and others who interact with our services. We are committed to complying with data protection laws like the GDPR.
- Key Definitions
- Personal Data: Any information that can identify you, like your name, email, or online identifiers.
- Data Processing: Any action we take with your personal data, including collecting, storing, using, sharing, or deleting it.
- Data Controller: We are the Data Controller, meaning we decide how and why your personal data is used.
- Data Processor: A third party that processes data on our behalf.
- Data Subject: You (the person whose data we process).
- Data Collection and Use
We collect personal data for specific purposes, including:
- Providing our Services.
- Providing and managing your account (e.g., your name, email, contact details).
- Improving our services and understanding how you use them (e.g., IP addresses, browser type).
- Communicating with you, including customer support and marketing (if you allow it).
We only collect the data we need.
- Lawful Basis for Processing
We only process your data when we have a legal reason, such as:
- Your consent (you can withdraw it).
- To fulfill our contract with you.
- To comply with legal obligations.
- Our legitimate interests (as long as they don’t harm your rights).
- Data Sharing
We only share your data when necessary:
- With companies that help us provide our services (e.g., hosting, payment processors). They have data protection agreements with us.
- If required by law.
- In case of a business transaction (like a merger).
We do not sell your personal data.
- Your Rights
You have rights regarding your data, including the right to:
- Access your data.
- Modify your data.
- Delete your data.
- Restrict how we use your data.
- Receive your data in a portable format.
- Withdraw your consent.
- Data Security
We take steps to protect your data, including:
- Using encryption.
- Limiting access to your data.
- Conducting security audits.
- Having procedures to respond to data breaches.
- Data Transfer
If we transfer your data outside of the EEA, we ensure it is protected through legal safeguards.
- Data Retention
We keep your data only as long as necessary and delete it securely when we don’t need it anymore.
1. Introduction
This Data Privacy, Processing, & Security Policy (“Policy”) explains how Fast & Running (Fundacja Rozwoju Przedsiębiorczości “Twój StartUP”, “Company,” “we,” “us,” or “our”) collects, processes, stores, and protects personal data.
It applies to all personal data collected from clients and other individuals who interact with our services, websites, and business operations.
1.1 Purpose and Scope
The purpose of this Policy is to explain:
- What personal data we collect and why.
- How we process and protect personal data.
- The legal basis for processing data.
- Your rights regarding your data.
- Our responsibilities under data protection laws.
This Policy applies to all personal data processed by Company, whether electronically or manually.
1.2 Company Identification
Fast & Running (Fundacja Rozwoju Przedsiębiorczości “Twój StartUP”), located at ul. Żurawia 6/12 lok 766, Warszawa, Poland, acts as the data controller and/or data processor (as applicable) for personal data collected through our services.
We are committed to safeguarding personal data and complying with applicable data protection laws.
1.3 Regulatory Compliance
We comply with all relevant data protection laws, including the General Data Protection Regulation (GDPR) (EU) and others applicable to our operations.
1.4 Policy Updates & Review
We periodically review and update this Policy to reflect changes in legal requirements, data processing practices, or business operations.
This Data Privacy, Processing, & Security Policy is effective as of April 1, 2025 (01.04.2025).
If significant changes occur, we will notify registered users via email and update the revision date at the top of this Policy. We encourage all users to review the Policy periodically. Your continued use of our services after an update constitutes acceptance of the revised terms.
2. Definitions
For the purposes of this Policy, the following definitions apply:
- “Anonymization” – The process of permanently altering personal data so that it can no longer be linked to an identifiable person, even with additional information.
- “Client” – Any individual or legal entity that uses our services or interacts with us.
- “Company” – [Your Legal Company Name], the entity responsible for providing services and handling personal data as either a Data Controller or Data Processor, depending on the circumstances.
- “Data Controller” – The entity that determines the purpose and means of processing personal data (i.e., decides how and why personal data is used).
- “Data Processing” – Any action performed on personal data, including collection, storage, use, modification, sharing, or deletion, whether automated or manual.
- “Data Processor” – An entity that processes personal data on behalf of a Data Controller based on its instructions.
- “Data Subject” – A person whose personal data is being processed.
- “Personal Data” – Any information that can directly or indirectly identify a person, such as a name, email, phone number, location data, or online identifier.
- “Pseudonymization” – A technique where identifiers in personal data are replaced with artificial labels so that it cannot be linked to an individual without additional information, which is kept separate.
- “Special Category Data” (also referred to as “Sensitive Personal Data”) – Sensitive personal data, including information about a person’s racial or ethnic origin, political views, religious beliefs, trade union membership, health, genetic or biometric data, or sexual orientation.
- “Third-Party Processor” – An external entity that processes personal data on behalf of the Company, such as cloud service providers, analytics tools, or payment processors.
3. Data Privacy
This section explains how Company collects, uses, and protects the personal data of Data Subjects.
3.1 Data Collection & Purpose
We collect personal data for legitimate purposes and ensure it is not processed for incompatible purposes. The types of data we collect and their intended uses include:
- Account Information: When you register, we collect your name, email, contact details, and login credentials to:
  - Provide and manage your account.
  - Communicate service-related updates.
- Service Usage Data: We collect information on your interactions with our services, including IP addresses, browser type, and device details, to:
  - Improve functionality and user experience.
  - Analyze trends and usage patterns.
  - Maintain security and system stability.
- Communication Data: We collect information from customer support requests and inquiries to:
  - Respond effectively and provide support.
  - Enhance customer service.
- Marketing Data: We may collect data for marketing purposes, such as sending promotional emails.
3.2 Data Minimization
We collect only the personal data necessary for its intended purpose, ensuring it is:
- Adequate – Sufficient to fulfill the stated purpose.
- Relevant – Directly related to the intended use.
- Limited – Not excessive for the required processing.
3.3 Lawful Basis for Processing
We process personal data only when a lawful basis under applicable data protection laws, including GDPR, applies. Our legal bases include:
- Consent: Where required, we obtain your explicit consent for specific purposes, which you may withdraw at any time.
- Contractual Obligation: Data is processed as required to fulfill a contract or pre-contractual request.
- Legal Obligation: Data is processed to comply with applicable laws or regulatory requirements.
- Legitimate Interests: We process data when necessary for our legitimate interests, ensuring they do not override your rights and freedoms.
3.4 Consent Management
When processing relies on consent, we ensure that:
- Consent is freely given, specific, informed, and unambiguous.
- Clear information about data usage is provided.
- Separate consent is obtained for distinct processing activities.
- Withdrawal of consent is simple and accessible.
- Consent records are maintained to demonstrate compliance.
3.5 Data Usage & Sharing
- Internal Use: Data is used strictly for the purposes outlined in Section 3.1, with access limited to authorized personnel.
- Third-Party Sharing: We share personal data only when necessary and under strict safeguards, including:
  - Service Providers: Third parties assisting in service delivery (e.g., hosting, payment processing, analytics). These providers adhere to data protection agreements.
  - Legal Compliance: Data may be disclosed when required by law or legal proceedings.
  - Business Transactions: In case of a merger, acquisition, or asset sale, data may be transferred with appropriate safeguards.
- No Sale of Data: We do not sell, rent, or trade personal data for third-party marketing without explicit consent.
3.6 Data Subject Rights
Under applicable laws (e.g., GDPR), you have the following rights regarding your personal data:
- Access – Request a copy of your personal data.
- Rectification – Correct inaccuracies in your personal data.
- Erasure – Request deletion of your personal data under certain conditions.
- Restriction – Limit processing in specific circumstances.
- Data Portability – Receive your data in a structured format for transfer.
- Objection – Object to processing, including direct marketing.
- Withdraw Consent – Revoke previously given consent at any time.
3.7 Data Accuracy & Updates
We take reasonable steps to ensure data is accurate and up to date. You can:
- Update your information through available mechanisms.
- Request corrections for inaccuracies.
We strive to update or correct inaccuracies without undue delay.
4. Data Processing & Third-Party Processing
This section outlines how Company processes personal data and manages third-party data processors.
4.1 Data Processing Activities
We engage in various data processing activities to provide, improve, and secure our services, including collection, storage, organization, use, transfer, encryption, and deletion of personal data. These activities may include:
- Collection: Gathering personal data from clients and other sources, as outlined in Section 3.1.
- Storage: Storing personal data securely on our servers or cloud-based solutions.
- Organization and Structuring: Organizing personal data for efficient processing and retrieval.
- Use: Processing personal data for purposes described in Section 3.1, such as service provision, communication, and improvement.
- Transfer: Transmitting personal data internally (e.g., between departments) or externally (e.g., to third-party processors) for service delivery.
- Encryption: Employing encryption techniques to protect personal data during both storage and transfer.
- Deletion: Securely deleting personal data when it is no longer necessary for its intended purpose or as required by applicable law.
4.2 Data Processing Responsibilities
- Company’s Responsibilities: As a Data Processor, we are responsible for:
  - Processing personal data only for the specified purposes and in accordance with the instructions of the Data Controller.
  - Implementing appropriate technical and organizational measures to ensure the security and confidentiality of personal data.
  - Assisting the Data Controller in fulfilling its obligations under applicable data protection laws, such as responding to Data Subject requests.
  - Notifying the Data Controller without undue delay if we become aware of a personal data breach.
- Client’s Responsibilities: As the Data Controller, the Client is responsible for:
  - Determining the lawful basis for processing personal data.
  - Providing Data Subjects with clear and transparent information about how their personal data is processed.
  - Ensuring the accuracy, completeness, and legality of the personal data they provide to Company.
  - Complying with applicable data protection laws when using our services, including the sharing of personal data with third parties.
4.3 Third-Party Data Processors
We may engage third-party data processors to assist in delivering our services. These include, but are not limited to:
- Cloud Service Providers: For data storage and infrastructure.
- Analytics Tools: To analyze service usage and improve our offerings.
- Payment Processors: To handle payment transactions.
- Communication and Support Platforms: To manage client communications.
We enter into Data Processing Agreements (DPAs) with all third-party data processors to ensure they:
- Process personal data only for the specified purposes.
- Implement appropriate security measures to protect personal data.
- Comply with applicable data protection laws.
- Assist us in fulfilling our data protection obligations.
5. Data Security
Company is committed to maintaining the security and confidentiality of personal data. We implement appropriate technical and organizational measures to protect personal data against unauthorized access, use, disclosure, alteration, or destruction.
5.1 Security Measures
We employ a range of security measures designed to protect personal data, including:
Data Encryption:
- We use encryption to protect personal data during transmission (e.g., HTTPS, TLS) to prevent unauthorized interception.
- We use encryption at rest (e.g., full disk encryption, database encryption) to protect stored personal data.
Access Controls:
- We implement access controls to restrict access to personal data to authorized personnel only. These controls include user permissions, role-based access control (RBAC), and the principle of least privilege.
- We use Access Control Lists (ACLs) to manage access to specific data and resources.
Regular Security Audits:
- We conduct regular security audits and vulnerability assessments to identify and address potential security risks. These audits may include internal audits and external penetration testing.
Secure Backups:
- We maintain secure backups of personal data to ensure its availability and recoverability in the event of data loss or system failure. Backups are stored securely, and access is restricted.
5.2 Access Control & Authentication
Password Management Policies:
- We enforce strong password policies, requiring users to create complex passwords and change them regularly. Passwords are securely stored using hashing algorithms.
Multi-Factor Authentication (MFA):
- Where appropriate, we implement Multi-Factor Authentication (MFA) to provide an additional layer of security. MFA requires users to provide multiple verification factors to access accounts or systems.
5.3 Data Breach Notification
We have established procedures to address potential data breaches. In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within the required time frame (e.g., 72 hours under GDPR), unless the breach is unlikely to result in a risk to Data Subjects’ rights and freedoms.
- Notify affected Data Subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Provide timely and transparent information about the breach, including its nature, likely consequences, and the measures taken or planned to mitigate the breach.
- Take reasonable steps to minimize the impact of the breach and prevent future incidents.
5.4 Data Retention & Deletion
We have data retention and deletion policies in place to ensure that personal data is:
- Retained only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements.
- Securely deleted or anonymized when it is no longer necessary for those purposes.
Our data retention and deletion practices include:
- Defining specific retention periods for different categories of personal data.
- Implementing secure deletion methods to prevent data recovery.
- Regularly reviewing and updating our data retention policies.
6. Data Transfer Mechanisms
This section outlines our policies and procedures for transferring personal data across international borders.
6.1 Cross-border Data Processing
When processing personal data involves transferring data outside of the European Economic Area (EEA) or other regions with equivalent data protection laws, we take steps to ensure that such transfers comply with applicable data protection regulations and that personal data remains protected.
If personal data is processed by third parties outside of the EEA (e.g., in the context of using cloud services, analytics tools, or other third-party services), we implement appropriate safeguards to ensure an adequate level of protection for the transferred data. These safeguards may include, but are not limited to:
- Standard Contractual Clauses (SCCs): We may use Standard Contractual Clauses approved by relevant authorities.
- Adequacy Decisions: We may transfer personal data to countries that are recognized as providing an adequate level of data protection.
- Other Appropriate Safeguards: We may also rely on other legally recognized mechanisms to ensure data protection during international transfers.
We regularly review our data transfer mechanisms to ensure they remain compliant with applicable data protection laws and best practices, such as the General Data Protection Regulation (GDPR) and relevant local laws.
7. Contact Information
If you have any questions or concerns regarding this Data Privacy, Processing, & Security Policy, please feel free to contact us. We are here to assist you and provide any clarification you may need:
- Company Name: Fast & Running
- Email: hello@fastandrunning.eu
- Support Contact: All contact information can be found on the Contact Us page.