I. GENERAL PROVISIONS

Terms written in this Privacy Policy with a capital letter have the meaning assigned to them in the Yourtips.me Regulations available at: https://yourtips.me, or in this Privacy Policy. Respecting the privacy of the Users of the Service and to meet the requirements arising from legal regulations, the Administrator – Myroot sp. z o.o., headquartered at: Grochowska 42 / 31, 04-282 Warsaw, Poland, publishes this document explaining and informing how the data provided by Users is collected, processed, and secured within the Service and Mobile Application available at: https://yourtips.me

Before starting to use the Service or registering, the User should familiarize themselves with the content of this Privacy Policy.

II. DATA COLLECTION AND PROCESSING BY YOURTIPS.ME

Pursuant to the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) (OJ L 119, p. 1), the administrator of the personal data provided by the Partner while using the Service is Myroot sp. z o.o., headquartered at: Grochowska 42 / 31, 04-282 Warsaw, Poland. The Administrator processes personal data in compliance with applicable laws, including the GDPR and the Act of 18 July 2002 on the provision of electronic services (consolidated text: Journal of Laws of 2020, item 344).

The Administrator provides Clients with the option to use their Service anonymously; however, to use the Service, it is necessary to fill in the data specified by the Payment Operator cooperating with the Administrator. During the Service provision, the Administrator receives the data provided by the Client, i.e., name, surname, and email address, phone number. The Administrator provides Partners with the option to use their Service anonymously; however, to gain full access to services and functionalities offered through the Service under the Agreement, registration by filling in the registration form is required. Providing data by the Partner is voluntary, but failure to provide certain data may prevent registration in the Service, using some services, receiving notifications, etc.

During the authorization, the Administrator will inform the Partner which of the data listed in the registration form are necessary for the provision of services and indicate which data are additional and do not affect the registration process. To perform the Agreement, the Administrator may disclose part of the Partner's data (e.g., name) within the Service. The User decides which of the additional data provided (e.g., photo) will be disclosed. To register in the Service, the Partner will be asked to provide at least the following data:

- Phone number

- Name and surname

- Email address

- Bank account number for receiving Tips

Information about the Partner is also received from the Payment Operator – the entity that enables the Partner to receive a Tip in a cashless form. The Administrator receives information about the status of Tip payments from the Payment Operator.

Additionally, the Administrator collects information about Users' interactions with the Service, functionalities, and services, including device and login information, system logs containing the date, time of visit, and IP address of the device used to connect, and data on Service usage statistics, traffic to and from individual sites. Besides fulfilling the Agreement and providing services by the Administrator, these actions aim to improve the Service and the Administrator's services and tailor them to the needs of the Partner and Client. Data recorded in server logs may be associated with specific individuals using the Service and may be used by the Administrator to identify the User.

In case of authorization to the Account via SMS – verifying and authenticating the Partner – the Administrator receives data from entities providing telecommunication services. The Administrator receives a code automatically generated from the SMS by these entities.

III. PURPOSES AND LEGAL BASES FOR DATA PROCESSING

Customer data is processed, in particular, for the following purposes:

- Providing the Client with the Service within the Service

- Responding to complaints and grievances

- Ensuring compliance with legal regulations where the law requires the processing of personal data

- Ensuring the security of information processing by the Administrator

- Managing IT systems

- Pursuing claims

Partner data is processed, in particular, for the following purposes:

- Providing services to Partners under the Agreement

- Measuring and improving services

- Informing about the Service's services and functionalities and the services of other companies cooperating with the Administrator

- Providing advertising space in the Service

- Conducting direct marketing

- Sending free notifications with information about the Administrator if the Partner has previously agreed to receive promotional correspondence from the Administrator

- Responding to complaints and grievances

- Ensuring compliance with legal regulations where the law requires the processing of personal data

- Ensuring the security of information processing by the Administrator

- Managing IT systems

- Pursuing claims

Insofar as Partner personal data is processed to improve the quality of the Administrator's services, provide information about other Administrator services, and deliver marketing content within the Service, conduct research and analysis on products, services, and the effectiveness of advertising, the legal basis for processing the Partner's personal data is the Administrator's legitimate interest. The Administrator's interest is to provide, improve their services, ensure their best quality, and inform Partners or Clients about them.

Third parties may access the Administrator's websites to place their codes to analyze User activity on the Internet to display advertisements tailored to their interests and preferences through automated comparison of User interests and preferences with model interests and preferences of Internet users (profiling).

In this regard, the Administrator's contractors are independent personal data controllers of the User, and the principles and obligations applied by them in their data processing correspond to those described in this Policy regarding the Administrator.

The Partner may consent to receive newsletters and notifications from the Administrator. The newsletter and notifications may contain content tailored to the Partner's interests based on their activity within the Service. The Partner can unsubscribe from receiving the newsletter at any time by changing the settings in the Account.

The legal basis for the Administrator's processing of the User's personal data is also the necessity to perform the Agreement or provide the Service based on which the User gains access to services within the Service and uses the Service's functionalities.

IV. DATA DISCLOSURE

As a rule, the Administrator does not disclose personal data of Users to third parties, except in situations where the Administrator has a legal basis for doing so and upon request from authorized entities or when it is necessary to perform services offered by the Administrator.

User data may be disclosed at the request of public authorities or other entities authorized to such access under the law, particularly when it is necessary to ensure the security of our systems or the rights of other Users.

Entities whose services are used by the Administrator to provide services to the User (e.g., entities providing hosting services for the Service) may access the User's data. In such cases, the Administrator concludes appropriate agreements with these entities, the subject of which is the protection of data from unauthorized access.

Due to the need to prevent certain functions in the Service from being performed by internet robots, the Administrator uses the Google reCAPTCHA mechanism to periodically check whether User behavior shows signs of robot activity. For this reason, the Administrator may disclose the IP address of the User's computer or mobile device to Google Inc.

Some of our service providers may store User data outside the European Economic Area. In such cases, User data may be stored in countries that ensure an adequate level of personal data protection or in countries that do not provide such a level. In the latter case, the Administrator secures User data by concluding agreements containing Standard Contractual Clauses approved by the European Commission with the Administrator's service providers, providing adequate data protection guarantees in third countries, using the EU-US Privacy Shield program, or other grounds for transferring personal data. The Administrator may disclose anonymous aggregate summaries and statistical summaries regarding, e.g., the number of people visiting the Service. However, these data do not allow individual Users to be identified and do not constitute personal data.

V. USER RIGHTS

The User has the following rights concerning their personal data processed by the Administrator within the Service.

- **Right of access to personal data:** Upon the User's request, the Administrator will confirm which personal data of the User is being processed and provide them with a copy of such data. In any case, the Partner has access to personal data they have provided to the Administrator through the Account.

- **Right to rectify personal data:** If the User's personal data is incorrect or incomplete, the User can request the Administrator to correct or complete it. In any case, the Partner can correct their personal data through the Account.

- **Right to delete personal data:** In certain situations, the User can request the Administrator to delete their personal data processed by the Administrator (e.g., when the data is no longer necessary for the Administrator's services).

- **Right to restrict personal data processing:** The User can request the Administrator to temporarily stop processing their data (e.g., not sending marketing information) in specific situations. The User may, for example, request to restrict the processing of their personal data when they object to the processing or when they question the accuracy of the data. Despite the restriction of processing, the Administrator will still be entitled to store personal data.

- **Right to request the transfer of personal data:** In certain situations (e.g., regarding data processed based on consent), the User also has the right to receive personal data processed by the Administrator in a structured, commonly used, and machine-readable format to transfer such data to another administrator.

- **Right to object to the processing of personal data:** The User can request the Administrator to stop processing their personal data when:

  - The Administrator processes the User's personal data based on their legitimate interest or the interest of a third party, except in situations where these interests are overridden by the interests, rights, and freedoms of the User,

  - The User's data is processed for direct marketing purposes,

  - The processing involves

 automated decision-making concerning the User, including profiling.

The User can exercise their rights by sending an appropriate request electronically to the email address: yourtipsme@gmail.com

VI. DATA STORAGE PERIOD

The Administrator stores the User's personal data only for the time necessary to achieve the purposes for which the data was collected. After this period, the data is deleted or anonymized so that the User's identity cannot be established.

Personal data may be stored longer if such an obligation arises from legal regulations or is necessary to defend or pursue the Administrator's claims against the User.

VII. MANAGING OPEN SESSIONS - SELECTING THE "DON'T LOG ME OUT" FUNCTION

During the authorization process, the Partner can select the "Don't log me out" function. Selecting this function sends a "cookie" file to the Partner's Device to remember the User. By enabling this function, the Partner does not have to log in again on the device after closing the browser session.

Reopening the browser will cause the Partner visiting the Service to be recognized as a logged-in person. If the Partner uses devices accessible to others, it is recommended not to select the "don't log me out" option and to log out of the service each time. It should be noted that enabling the "Don't log me out" function is not identical to the functionality offered by browsers that involve remembering the browser's login and access passwords. After using the "Don't log me out" option, the login state is remembered, but access passwords are not saved, making it safer for the Partner.

VIII. COOKIES POLICY AND OTHER AUTOMATIC DATA STORAGE MECHANISMS ON THE USER'S END DEVICES OR TRANSMITTED AUTOMATICALLY BY THE USER

The Service uses automatic data storage mechanisms ("cookies", "Local Storage Object", "e-Tag"). They are used to better tailor the Service to the needs of Users. For the purposes of this policy, automatic data storage mechanisms will be referred to as "cookies".

"Cookies" are files saved on the User's end device, used to identify the User's browser while using the Service. They provide the Administrator with statistical information about User traffic, activity, and usage of the Service. They allow for the customization of content and services to the User's preferences. Most "cookies" are session cookies, automatically deleted from the hard drive after the session ends (i.e., logging out or closing the browser window). Some "cookies" allow for recognizing the User's end device during subsequent visits to the Service - they are not automatically deleted, but are saved on the end device. In the case of mobile devices, the same mechanism as for stationary devices is applied, allowing the storage of information related to a given User. The Administrator informs that third parties, including those not related to the Administrator, may place their "cookies" in Users' browsers to display advertisements in the Service.

The Administrator may use external service providers to collect information about User activity in the Service. These entities may place their "cookies" on Users' devices.

The Service may also use third-party services through which the Administrator obtains anonymized reports on the use of the Service and the effectiveness of marketing campaigns. A User who does not agree to such monitoring of their behavior should express their objection using the tools available on the pages provided by such entities, e.g., https://tools.google.com/dlpage/gaoptout

The User can disable cookie handling in their browser at any time; however, this change may result in difficulties in using the services provided through the Service. Saved cookies can also be deleted by the User using appropriate browser functions, programs designed for this purpose, or tools available within the operating system used by the User.

Due to the diversity of available browsers and applications for handling web services, cookie management in different browsers looks different, so before starting to use the Service, we recommend familiarizing yourself with the privacy/security management methods in the browser menu used by the User and configuring them in the preferred way. Failure to change the browser settings regarding cookie management will result in cookies being automatically placed on the User's end device. Failure to make changes to the browser settings to disable cookie acceptance and using the Service means the User agrees to the use of cookies on the terms described in this Policy.

For security reasons, it is recommended to use the latest available versions of web browsers.

If there are problems related to setting the cookie acceptance block, the User can request help from Customer Support by sending an electronic inquiry to the email address: yourtipsme@gmail.com.

IX. USE OF "COOKIES" FOR MARKETING PURPOSES

The Administrator and other entities may use cookies for statistical purposes to measure ad displays in the Service and the number of clicks on those ads. Administrator and other advertisers' cookies allow measuring how often ads are displayed to the User and how effective marketing campaigns are. This enables delivering advertisements tailored to the User's preferences and interests. Which ads may interest the User is determined based on the User's behavior in the Service and how the User interacts with the content available in the Service. Some cookies placed in User browsers serve marketing purposes. These files allow the Administrator to determine which content the User may be interested in and display ads based on these interests. Therefore, ads may be displayed in the Service based on User behavior on other sites. For example, a User frequently visiting sports-related sites may see ads for sports equipment in the Service.

Data about User activity in the Service may be shared with the Administrator's marketing partners. As a result, the User using other sites may see ads displayed based on activity in the Service. The Service may also use a form of online marketing called "re-targeting". This allows the Administrator's partners to display ads to Users based on their interactions with sites not related to the Service. For example, a User who did not complete a wardrobe purchase on a furniture site may see an ad from that site displaying the products the User viewed.

Behavioral marketing conducted within the Service does not involve collecting personal data such as name, surname, home address, or other data that allows assigning User behavior to any identifiable person. The User can object to displaying ads in the Service using behavioral marketing. However, this will not prevent ads from being displayed to the User in the Service but will result in ads not being tailored to the User's preferences and interests. More information on how the User can object to behavioral marketing is available on websites: https://adssettings.google.com/

X. ACCESS LOGS

During the use of the Service, access logs with information about the IP number of the User's end device are collected and analyzed. The obtained information is used for Service administration and statistical analysis of User interactions with the Service. According to the provisions of art. 18 section 6 of the Act of 18 July 2002 on the provision of electronic services and other applicable legal provisions, the Administrator may be required to disclose data provided by Partners during registration in the Service or provided by the Payment Operator to state authorities, and in the case of unlogged Users – to provide the IP number contained in the access logs.

XI. REMOVING THE APPLICATION FROM MOBILE DEVICES

A Partner who decides to install the Mobile Application belonging to the Administrator on their device is informed about the security principles and how it functions. Installation is done with the Partner's consent. The Partner can withdraw from using the Mobile Application at any time and uninstall it. Installation and uninstallation are done in the standard (native) way for the operating system version installed on the end device. To uninstall the Mobile Application from the end device, the Partner should follow the manufacturer's instructions for the operating system their mobile device is running on.

XII. LINKS TO OTHER SITES

This document only refers to the Service. The Administrator is not responsible for links placed in the Service that allow Users to go directly to sites not administered by the Administrator.

We encourage you to read the privacy policy statements posted on the sites to which the references lead.

XIII. TECHNICAL AND ORGANIZATIONAL MEASURES TO SECURE DATA

Information provided by Users is processed and stored using appropriate security measures in accordance with the requirements set by Polish law. The Administrator protects User data from unauthorized access, use, or disclosure. Data is processed in a controlled environment, maintaining high protection standards.

At the same time, we note and recommend that Partners do not share their registration data with third parties and use the "log out" option after using the Service.

XIV. PROCESSING CHILDREN'S DATA

Services offered within the Service are intended for persons who are 18 years old. Therefore, the Administrator does not knowingly process children's personal data.

XV. CHANGES TO THE PRIVACY POLICY

In the footer of the Service, the Administrator undertakes to maintain the current content of the Privacy Policy.

XVI. CONTACT AND RIGHT TO FILE A COMPLAINT

Questions, requests, and comments regarding privacy policy principles and the User's data processing by the Administrator should be directed electronically to the email address: yourtipsme@gmail.com

In cases where the User is not satisfied with the response provided by the Administrator or the actions taken by the Administrator, the User has the right to file a complaint with the President of the Personal Data Protection Office.