Privacy Policy

1. Who are we and how to find us

• The controller of your personal data is NERDS.FAMILY Prosta Spółka Akcyjna with its registered seat in Kraków (address: Aleja Powstania Warszawskiego 15, 31-539 Kraków), entered into the registry of entrepreneurs of the National Court Register under the number: 0000968726, having Tax Identification Number (NIP): 6762616352 and Statistical Number (REGON): 521847463 (hereinafter referred to as: „ NERDS.FAMILY ” or “ We ”). You can contact us via e-mail to the address: [email protected]

2. How and why we process your personal data

• 1. USERS OF OUR SERVICE

  We may process your personal data in connection with your use of our service available at https://nerds.family   (hereinafter referred to as: „ Service ”).

  By creating an account, you conclude a contract with us and become a user of the Service (hereinafter referred to as: „ User ”). Therefore, we process your personal data in order to carry out the contract with you and to fulfill  our legal obligations as well as tax obligations.

  The legal basis for the processing of your personal data is Article 6 section 1 letter b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter referred to as: the “ GDPR ”), (i.e. „processing is necessary for the performance of a contract to which the data subject is a party or to take action at the request of the data subject prior to the conclusion of the contract" ) and Article 6 section 1 letter c) of the GDPR (i.e. „processing is necessary to fulfil a legal obligation on the administrator" ).

• 2. OTHER VISITORS OF OUR SERVICE        

  We process data of each user characterizes how the user uses our Service (these are so-called operating data). 

  This processing includes an automatic reading of a unique identifier that identifies the end of the telecommunications network or IT system you use (i.e. your IP address), the date and time of the server, information about the technical parameters of the software and the device you use (e.g. whether you use your laptop or phone for browsing our site and the place from which you connect to our server. We may use this information for market research purposes and to improve the performance of the Service. The data stored in the server logs is not associated with specific people using the website. The server logs are only auxiliary material used to administer the Service.

  This data is processed on the basis of Article 6 section 1 letter f) of the GDPR (i.e. „processing is necessary for purposes arising from legitimate interests pursued by the administrator or by a third party" ). This legitimate interest is to enable the diagnosis of errors in the Service and the improvement of its quality.

• 3. CONTACT 

  By contacting us, you provide us with your personal data, including those contained in the content of the correspondence, in particular the e-mail address, name and surname. Providing this data is voluntary, but necessary to contact us.

  The legal basis for the processing of your personal data that you provide by contacting us is Article 6 section 1 letter f) of the GDPR (i.e. „processing is necessary for purposes arising from legitimate interests pursued by the administrator or by a third party" ). The “legitimate interest for the processing of your personal data” in this case is possibility for us to contact with Service Users and answer questions asked by persons interested in the operation of the Service.

• 4. DIRECT MARKETING

  If we think we can help you with our services, we process your personal data for marketing purposes. Therefore, processing is necessary for the purposes of legitimate interests pursued by the controller of personal data, that is us (Article 6 section 1 letter f) of the GDPR).

  After obtaining a separate consent we may process your personal data also for marketing purposes,  i.e. to present you commercial, advertising, promotional and marketing information regarding NERDS.FAMILY (pursuant to article 172 section 1 of the Telecommunications Act of July 16, 2004 and article 10 section 2 of the Act of July 18, 2002 on the providing services by electronic means).

  However, the legal basis for processing your personal data for direct marketing purposes is Article 6 sec. 1 letter f) of the GDPR (i.e. „processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party" ).

  According to Recital 47 of the GDPR: " The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest ." Such a legitimate interest may exist in cases where there is a substantial and appropriate relationship between the data subject and the controller. Consent to the sending of commercial communications under the Act on the providing services by electronic means is precisely the link between the person giving consent and the controller referred to in Recital 47 of the GDPR. The fact that you have given your consent for the above mentioned marketing purposes means that you have reasonable grounds to expect that your personal data may be processed for such purposes.

  You have the right to object at any time and free of charge to this processing, whether primary or further - including profiling, insofar as it is related to direct marketing. Once you have objected to the processing of your personal data for direct marketing purposes - NERDS.FAMILY may no longer process your data for such purposes.

  You also have the right to withdraw your consent to receive commercial communications and marketing contacts at any time and free of charge. Withdrawal of consent does not affect the legality of actions taken on the basis of consent before its withdrawal.

• 5. PURSUING OF CLAIMS

  The legal basis for processing your personal data after your contact ends or the contract is terminated is our legitimate interest in archiving correspondence for the purposes of ensuring that you can prove certain facts in the future. So we can process your personal data for the purpose of pursuing and defending against claims pursuant to Article 6 section 1 letter f) of the GDPR (i.e. „processing is necessary for purposes arising from legitimate interests pursued by the administrator or by a third party" ).

• 6. COOKIES

  We process completely anonymous data of each User of the Service, which characterizes the way they use our Service (these are the so-called exploitation data). This processing includes automatic reading of a unique identifier identifying the termination of the telecommunications network or ICT system you are using (i.e. your IP address), as well as the date and time of the server, information about technical parameters of the software and device you use (e.g. whether you are using a laptop or a telephone while browsing our Service) and the place from which you are connecting to our server. Data stored in server logs are not associated with specific people using the service. Server logs are only an auxiliary material used to administer the Service. 

  Like almost all websites and applications, we use cookies. Cookies are small text information stored on your end device (e.g. computer, tablet, smartphone), which can be read by our ICT system.

  Cookies allow us to:

  1. ensure the proper functioning of the Service;
  2. improve the speed and security of using the Service;
  3. use analytical tools;
  4. use marketing tools, including tools that perform profiling in the understanding of the GDPR.

  The legal basis for point 1 and 2 above is our legitimate interest as data controller (Article 6 section 1 letter f) of the GDPR). 

  The legal basis for point 3 and 4 above is your consent (Article 6 section 1 letter a) of the GDPR). 

  The cookies we use do not collect any personal data from you. Anonymous data is completely sufficient for the purposes mentioned above. If we process your personal data for other reasons (e.g. you have an account on our Service and there you provided us with your data), we do not combine them in any way with anonymous data obtained by means of cookies.  However, you should know that we may combine some of the data we collect about you (e.g. about your interactions with our Service) with other information we have and use it for our own purposes, including marketing purposes.

  Consent to cookies

  During your first visit to our Service, you will be informed about the use of cookies. Accepting and closing this information means that you agree to the use of cookies by the provisions of this privacy policy for all purposes listed above. You can always withdraw your consent regarding points 3 and 4 above (without affecting the lawfulness of processing based on consent before its withdrawal). 

  You can always withdraw your consent by deleting cookies and changing the settings of cookies in your browser. Remember, however, that disabling cookies may cause difficulties in using the Service, as well as many other websites that use cookies. Consent to use cookies may be necessary for the proper use of your account on the site (cookies allow the software of our site to ‘see’ that you are logged in and maintain the continuity of your session when you jump between subpages). 

  Custom Cookies and third party cookies

  Cookies can be divided into own and coming from third parties. As far as our own cookies are concerned, we use them in order to improve the functioning of the Service and to enable proper use of accounts (session maintenance). The NERDS.FAMILY, like most of today’s web services, uses functions provided by third parties, which involves the use of cookies from third parties.

  Analysis and statistics. 

  On the basis of a legitimate interest, we use cookies to track website statistics, such as the number of visitors, the type of operating system and web browser used to browse the site, time spent on the website, visited subpages, etc. 

  Importantly, you do not have to share the information contained in cookies with us. You can prevent this by deleting cookies and changing the cookie settings on your web browser. Opting out of cookies usually only applies to a specific browser - this means that the same action will have to be taken for any other browser you use on the same or a different device.

  You can also use tools that allow you to collectively manage your cookie settings and browser plug-ins that allow you to control your cookies. Web browsers also offer the option of using the so-called "incognito mode", which allows you to visit websites without saving information about the sites you have visited and the files you have downloaded in your browser history. As a rule, cookies created in incognito mode are deleted when you close all incognito mode windows.

  Please note, however, that disabling cookies may cause difficulties in using the Service, as well as many other websites that use cookies.

3. What personal data we process

• 1. USERS OF THE SERVICE

  1. username / name and surname,
  2. e-mail address,
  3. image (e.g. included in the User's profile picture),
  4. data related to other applications associated with the User's account (e.g. Github, Discord),
  5. billing information and payment details (including data processed by the Stripe application),
  6. history of the User's activity in the Service (responses to tasks, prompts given to other users, information about User progress and reactions etc.),
  7. history of User's correspondence with NERDS.FAMILY.

• 2. USERS AND OTHER VISITORS OF OUR SERVICE

  1. device IP address,
  2. device screen resolution,
  3. device type (unique device identifiers),
  4. operating system and browser type,
  5. geographic location (country only),
  6. preferred language (device interface language),
  7. mouse events (movements, location and clicks),
  8. keystrokes,
  9. referring URL and domain,
  10. pages visited,
  11. server date and time,
  12. location of the terminal device from which the user connects to the service,
  13. UTM tags, determining from which network location the user arrived
  14. online identifiers, including cookie IDs, web protocol addresses and device identifiers.

• 3. PEOPLE WHO CONTACT US

  1. name and surname,
  2. phone number,
  3. e-mail address,
  4. other personal data that could potentially be included in the message by the sender.

4. To whom we disclose your personal data

• ACADEMIES OF OUR TRUSTED PARTNERS

  If you take part in academies run by our trusted partners on the Service, we will provide them with information about you. If recruitment is being conducted for a given academy, a trusted partner running a academy may also receive information from us about your participation in the recruitment process and your performance.

• RECRUITMENT OF OUR TRUSTED PARTNERS

  One of the goals of the Service is to enable Users to find new career opportunities. This occurs through, among other things:

  1. publishing job opportunities on the Service by our trusted partners (more information can be found here: https://nerds.family/job_offers),
  2. inviting selected participants taking part in academies organized on the Service by trusted partners to contact them and participate in their recruitment processes.

  In both of the above-mentioned cases, the controller of the personal data processed in connection with your participation in the recruitment is a specific trusted partner. In this case, the entity conducting the recruitment will provide you with its privacy policy regarding the protection of personal data processed as part of the recruitment processes. If any of our trusted partners take any action against you that you do not wish to be taken, please contact us immediately by email: [email protected]

  Some of the operations described above may involve sending your personal data to so-called third countries (outside the European Economic Area) where GDPR does not apply. However, this always happens based on the legal instruments provided for in the GDPR, guaranteeing adequate protection of your rights and freedoms.

• EXTERNAL SERVICES SUPPORTING OUR BUSINESS

  Please bear in mind that in running our business we use the support of specialized external entities which may or must have access to some of your data.

  We may disclose your personal data with external provider of: (i) hosting services and mailing systems, (ii) IT services, (iii) payment service providers, (iv) accounting, legal, advisory and consulting services.

  Some of the operations described above involve sending your personal data to so-called third countries (outside the European Economic Area) where GDPR does not apply. However, this always happens based on the legal instruments provided for in the GDPR, guaranteeing adequate protection of your rights and freedoms.

  It may also happen that we have to disclose your personal data state administration bodies authorised to do so by law (e.g. tax authorities, offices, courts).

• HEROKU

  We entrust the processing of personal data to Heroku in order to store data on their servers. Heroku is a service offered by Salesforce.com, Inc. According to the information provided by this provider and the choice of NERDS.FAMILY, personal data is processed in data centers located in Europe. Heroku privacy policy is available at: https://www.salesforce.com/company/privacy/  

• GITHUB

  To use our Service properly, you must have a Github account. The data controller of your personal data processed in connection with the use of Github is GitHub, Inc. or GitHub B.V. (for individuals outside North America). Github's privacy policy is available at: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement  

• DISCORD

  When using our Service, some communication may be conducted on the Discord. If you reside in the European Economic Area (EEA) or United Kingdom, Discord Netherlands BV is  the “data controller” of your personal information collected through the Discord services. For everyone else, Discord Inc. is the data controller. Discord’s privacy policy is available at: https://discord.com/privacy

• STRIPE

  We use the Stripe – an online payment processing service and platform for managing them. This involves processing data about the payment method you choose, including, for example, information about the payment card used. For most of Stripe services, it is either Stripe, Inc., the US parent company operating under US law, or Stripe Payments Europe, Limited (SPEL), an Irish company operating under Irish law, the data controller responsible for Personal Data collected and processed in relation to Stripe Services. If you are located outside of the Americas (e.g., European Economic Area (EEA), Switzerland or the United Kingdom, countries located in Asia Pacific (APAC)), SPEL is the primary entity responsible for the processing of your personal data. Some of the payment processing services offered by SPEL are services that may be only provided for by an authorised payment services provider or electronic money institution. In this case, SPEL and the Stripe local regulated entity (defined as those who are licensed, authorized or registered by a Local Regulatory Authority) will act as joint controllers of your Personal Data. You can read more about the different entities Stripe operates through here: https://stripe.com/en-pl/privacy-center/legal#which-stripe-entities-are-involved . Stripe’s privacy policy is available at: https://stripe.com/en-pl/privacy

• INFORMATION ON PERSONAL DATA TRANSFER TO THIRD COUNTRIES OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

  In the case of transfer of personal data to a third country within the meaning of the GDPR, when the European Commission has not issued a decision on the adequate protection of personal data for these countries (Article 45 of the GDPR), the personal data controller takes appropriate remedial measures to ensure an appropriate level of data protection. They include, among others European Union Standard Contractual Clauses or Binding Internal Data Protection Laws. In cases where this is not possible, we base the transfer of data on the exceptions set out in Article 49 of the GDPR, in particular based on the express consent or the necessity to transfer data in order to fulfill the terms of the contract or perform pre-contractual measures. The legal basis for the transfer of data to the U.S. is - unless otherwise stated - the consent referred to in Article 6 sec. 1 letter a) of the GDPR in connection with Article 49 sec. 1 letter a) of the GDPR. At the same time, we would like to inform you that in the case of sending data to a third country for which no decision on adequate protection of personal data or appropriate guarantees has been issued, there is a possibility and risk that the authorities in a given third country will gain access to the data sent for the purpose of collecting and analyzing them and that it will not be possible to guarantee the exercise of the rights of the data subjects.

5. How long we process your personal data

• 1. OUR SERVICE USERS

  We will process your personal data for as long as it is necessary for our cooperation (as long as we maintain an account for you on the Service)   and, where applicable, thereafter for the time needed to fulfill tax obligations and period of time necessary for the statute of limitations for claims related to the contract between us. 

  In addition, if you have any legal or contractual entitlements, we must process your personal data for the duration of those entitlements in order to be able to assist you in this regard if necessary.

• 2. COOKIES

  The processing of your personal data contained in cookies lasts until you disable their use. You can do this by deleting cookies and changing cookie settings in your browser.

• 3. CONTACT

  Personal data provided in order to contact us will be stored for no longer than is necessary to answer you, and after that time may be stored in the event of potential claims for the limitation period specified by law.

• 4. OTHER

  The processing of your data based on your consent continues until the consent is withdrawn. Withdrawal of consent does not affect the lawfulness of the processing which was carried out on the basis of consent before its withdrawal.

6. How do we enable you to realize your rights

We make our best efforts to ensure that you are satisfied with working with us. Please bear in mind, however, that you are entitled to a number of privileges which will allow you to have influence on the manner in which we process your personal data, and in some cases you may stop such processing. 

If you are a person to whom the GDPR applies, these rights include:

• 1. The right of access by the data subject (regulated in Article 15 of the GDPR)

  Article 15

  Right of access by the data subject

  • 1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
    1. the purposes of the processing;
    2. the categories of personal data concerned;
    3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    6. the right to lodge a complaint with a supervisory authority;
    7. where the personal data are not collected from the data subject, any available information as to their source;
    8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  • 2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  • 3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  • 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

• 2. Right to rectification of your data (regulated in Article 16 of the GDPR)

  Article 16

  Right to rectification

  The data subject shall have the right to obtain from the controller without undue delay  the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

• 3. Right to erase your data (regulated in Article 17 of the GDPR)

  Article 17

  Right to erasure (‘right to be forgotten’)

  • 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    4. the personal data have been unlawfully processed;
    5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  • 2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  • 3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
    1. for exercising the right of freedom of expression and information;
    2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
    4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    5. for the establishment, exercise or defence of legal claims.

• 4. Right to restrict of processing of your data (regulated in Article 18 of the GDPR)

  Article 18

  Right to restriction of processing

  • 1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
    1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
    4. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
  • 2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
  • 3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

• 5. Right to data portability of your data (regulated in Article 20 of the GDPR)

  Article 20

  Right to data portability

  • 1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
    1. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
    2. the processing is carried out by automated means.
  • 2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  • 3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • 4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

• 6. Right to object to the processing of your data (regulated in Article 21 of the GDPR)

  Article 21

  Right to object

  • 1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  • 2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • 3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  • 4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
  • 5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
  • 6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

• If you are not a person to whom the GDPR applies, these rights include all the rights granted to you under the applicable data protection law in your country.
• In order to exercise any of the rights above described, please contact us by sending an e-mail to the address we have first contacted you from, or the address : [email protected] .

7. Complaint to the supervisory authority

•  If you are the person to whom the GDPR applies pursuant to Article 77 of the GDPR you are entitled to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place where the alleged violation has been committed, if you believe that processing of your personal data violates the provisions of the GDPR. 
• In Poland, the supervisory body is the President of the Office for Personal Data Protection – you can make a complaint, among others by traditional mail to the address of ul. Stawki 2, 00-913 Warsaw or by e-mail to the address:  [email protected] , you can also get more detailed information (including current phone numbers) on the website:  https://uodo.gov.pl/
• To contact another supervisory authority responsible for the protection of personal data, please visit the website of the European Data Protection Board available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

8. Is submitting personal data necessary for concluding an agreement with us

• We collect your personal data primarily to the extent necessary for the conclusion and performance of the agreement. Some data is also necessary for us to fulfil the obligations arising from the law (tax regulations, accounting regulations). Failure to provide your data will, unfortunately, prevent the conclusion and implementation of the agreement.

9. How do we obtain your personal data

• We obtain your personal data directly from you (including automated methods). 

10. Automated processing and profiling