This document describes how we collect, use and protect the personal data of Customers and, to a certain extent, Users invited to use the Business Customer Account and Services offered within the GoTacho Application, as described and defined in the Terms and Conditions of Use of the GoTacho Application (hereinafter referred to as the “Agreement”).

We are the controller of the data we process for our own purposes, as detailed below.

The issues of processing personal data of Users invited to use the Company Account (“Invited User”) and any personal data added to the Application (including the Mobile Application), to the extent that such processing is carried out on behalf of the Client, are regulated in the Data Processing Agreement, which constitutes an annex to the Application Regulations.

The issues of personal data processing in connection with visiting our website and using the functionalities offered therein are described in detail in the Privacy Policy for the website www.gotacho.com  (hereinafter referred to as the “Website”).

All capitalized terms used in this document and not otherwise defined herein shall have the meanings given to them in the Application Terms and Conditions.

The Controller of your personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) is GOTACHO SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Poznań (60-288), at 15/1 Promienista Street, entered into the register of entrepreneurs maintained by the District Court Poznań - Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register under the KRS number: 0001177082, Tax Identification Number (NIP): 7792589531, National Business Registry Number (REGON): 541928080 (hereinafter referred to as “we”).

You can contact us by mail at the address indicated above or via the contact form available on our website www.gotacho.com  under “Contact”.

To register a Customer Account, it is necessary to provide:

At this stage, you can also optionally indicate:

The data in question are processed by us for the purpose of concluding and implementing the Agreement with the entity on behalf of which you register the Account - based on our legitimate interest [Article 6 (1)(f) GDPR] or, if you are a natural person, on the basis of necessity for the performance of the Contract to which you are a party [Article 6 (1)(b) GDPR].

In addition, the Account Holder’s personal data will be processed, where appropriate, for the following purposes:

The data in question will be stored by us for the duration of the performance of the Agreement referred to above, with additional consideration, where applicable, of the limitation period for claims that may be brought against us and that we may have against the Client, as well as any legal obligations we may have regarding the storage of personal data.

Providing the data referred to in this section is voluntary but necessary for the conclusion and performance of the Agreement. Providing the Client’s company name and Tax Identification Number is not mandatory at this stage and is required at the time of purchase of the Service at the latest.

If you have consented to receiving commercial information, your email address will be processed for this purpose based on your consent [Article 6, Section 1, Letter a of the GDPR]—until you withdraw it or we cease conducting such marketing activities. You can withdraw your consent at any time—from your Customer Account or by clicking the unsubscribe link in every commercial message we send. Consent to receive commercial information at the provided email address and the related processing of personal data is voluntary and does not affect your ability to use the Application’s functionality.

To redeem GoTachoCoin, it is necessary to indicate:

The purposes and legal basis for processing the personal data of the Customer Account Holder and the data storage period will remain unchanged from what is indicated in section 2.1 above.

Providing the data referred to in this section is voluntary but necessary for the conclusion and implementation of the Service Agreement in the Subscription or Top-up model.

In the event of a purchase of Services, we will, where appropriate, process the data of the Customer Account Holder and data related to the use of the Services also for the purpose of:

The Account Owner may delete the Account in the manner specified in the Application Terms and Conditions, which does not affect our ability to store personal data associated with the Account for the proper settlement of the Services [Article 6 (1) (f) of the GDPR], and, where applicable, in connection with the performance of our obligations under applicable law [Article 6 (1) (c) of the GDPR] and for the purpose of establishing, defending and pursuing claims - based on our legitimate interest [Article 6 (1) (f)GDPR].

The Owner of the Customer Account and another User with appropriate authorizations may invite Users to use the Corporate Customer Account within the scope of the authorizations granted to such User.

For this purpose it is necessary to indicate:

If the User does not activate the Profile within 24 hours of generating the invitation to the organization, the data is automatically deleted from the Application and our infrastructure. If within 7 days of activating the profile, no data (connections) are assigned to the invited User or the User does not create a Private Account, the profile will be automatically deleted.

Both the User and other authorized Users can edit and add data of the invited User.

We process the data in question on behalf of the Client on the basis of the Personal Data Processing Agreement concluded with the Client.

Regardless of the above, in connection with the use of the Application by the User invited to use the Customer Account and also using the Mobile Application - we may process certain data as their independent data controller:

The Application allows, among other things, uploading files to the Application, adding documents, adding data, generating reports, sending and managing notifications. We process this data on behalf of the Client based on the Personal Data Processing Agreement concluded with the Client. The Client determines the purposes and legal basis for processing such data, as well as the data retention period in the Application.

Application Logs will be processed for the following purposes: technical support, application improvement, ensuring security based on our legitimate interest in achieving these purposes [Article 6 (1) (f) GDPR].

The information contained in the Web Application logs includes:

Logs from the Mobile Application include the following information:

The information contained in the Mobile Application logs also includes:

Log retention will be a maximum of 30 days:

In order to diagnose Mobile Application errors and report Application failures, we use the Sentry tool provided by Functional Software, Inc.

The tool collects the following information:

The tool in question runs in the background of the Application.
Collected data will be deleted after 90 days.

The legal basis for this processing is our legitimate interest in diagnosing and reporting errors in the Application [Article 6, paragraph 1 (f) GDPR].

In connection with the use of Sentry, personal data may be transferred outside the EEA. The tool provider complies with the Data Privacy Framework for transfers of personal data from Europe to the United States. In the event that the Data Privacy Framework is invalidated or the Data Privacy Framework does not apply to transfers of European personal data, such transfers will be governed by the Standard Contractual Clauses as set out in your agreement with the tool provider.

The mobile app (Android version) requires permission to access the precise location of the device on which the Mobile App is installed (ACCESS_FINE_LOCATION). Obtaining this permission allows you to configure further permissions required for Bluetooth operation or directly access them, such as device scanning and connecting to devices – this is necessary for Bluetooth communication with the device used to read tachograph data. We do not use Bluetooth to determine the precise location of the device.

The app will ask for permission to access your location during use. You can revoke this consent at any time in your device’s system settings.

Without the Mobile Application’s access to the device’s location, reading data from the tachograph will not be possible. The legal basis for processing device location data is our legitimate interest in the necessity of processing to ensure the appropriate functionality of the Application for the performance of the contract under the Terms and Conditions [Article 6, Section 1 (f) of the GDPR]. We do not store this data. iOS versions of the mobile application do not require the User to grant the Application access to location.

We may process your personal data to comply with our obligations under applicable law, including in the event of inquiries from law enforcement or government agencies under Article 6(1)(c) of the GDPR.

We may also process your personal data for the purpose of establishing, protecting and pursuing claims – based on our legitimate interest [Article 6 (1) (f) GDPR].

Where appropriate, we may transfer data to:

The above sections of this document generally indicate the retention periods for personal data or, where applicable, the criteria for determining such periods. The periods for which we retain individual data are closely linked to the purpose of processing and the legal basis for such processing. General information on the principles for determining data retention periods can be found below.

We are entitled to process personal data that we process based on your consent until you withdraw your consent or until the processing of your personal data is no longer necessary to achieve the purpose for which the data is processed, or until the given processing purpose is achieved and completed, whichever occurs first.

We will process data that we process based on our legitimate interest until you object (unless we can demonstrate that our interests override your interests or fundamental rights and freedoms or grounds for establishing, pursuing or defending claims), or until the processing of your personal data is no longer necessary to achieve the purpose for which the data is processed, or until the given processing purpose has been achieved and completed, whichever comes first.

We will store the data we process to fulfill our obligations under the law for the period specified in those provisions.

We do not determine the retention period for personal data processed on behalf of the Client; it remains the responsibility of the Client as the personal data controller, who may, among other things, independently delete the Accounts of Users invited to the Client Account and any data and documents sent or added to the Application.

Providing data is voluntary, but to the extent necessary to conclude the Agreement and use our Services.

In connection with the processing of your personal data, you have the following rights, within the limits set by law and where applicable:

You can exercise your rights by contacting us via the contact form available on our Website under “Contact” or by sending correspondence to our registered office address indicated in point 1 of this document.

We will make every effort to promptly process your request and answer your questions regarding the processing of your personal data. We will respond no later than 30 days from the date we receive your request. If this deadline should be extended, in appropriate cases due to the complex nature of the request or the number of requests we receive, we will inform you of the extension and provide the reasons for the extension.

If there are reasonable doubts as to the identity of the person submitting the request, we may request additional information necessary to confirm the identity of the person submitting the request. Providing such information is not mandatory, but failure to provide it will result in the request being refused.

We retain information regarding the reports we receive in order to demonstrate compliance with the accountability principle set out in the GDPR and to establish, protect and pursue claims.

The processing of personal data of Customers and Users using the Profile created within the Company Account is not subject to automated decision-making based on the personal data received.

The Web Application and Mobile Application servers are located in the EEA. In addition to data transfers outside the EEA in connection with the Mobile Application’s error reporting tools, transfers may also occur in connection with payment processing by Stripe. The solution provider is Stripe Payments Europe Limited, but data may be transferred to Stripe Inc., based in the United States, as well as to other Stripe subcontractors. Stripe Inc. is certified under the Data Privacy Framework. For the remainder, the Standard Contractual Clauses in the relevant modules apply.

Our Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from them.

Our goal is to ensure the highest possible level of protection for your data. The information contained in this document is subject to change as technology and our Services evolve. The latest version of the Privacy Notice for Customers and Users using a Business Account is always available on our Website.