Privacy Policy


Information about the Administrator

  1. The owner of the Fotka.com website (the "Service") and the administrator of personal data collected through it is Fotka Spółka z ograniczoną odpowiedzialnością Spółka komandytowa, with its registered office in Elbląg (registered office address and correspondence address: ul. Władysława Orkana 24, 82-300 Elbląg), entered in the register of entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register under KRS number: 0000721451, NIP: 1132579612, REGON: 140315867.

  2. The Service includes websites under the fotka.com domain and mobile applications available in the official stores of Windows Market, Google Play Market, and the App Store.

Administrator's Information Obligations

  1. The provisions of this Privacy Policy fulfill the information obligations of Fotka Spółka z ograniczoną odpowiedzialnością Spółka komandytowa arising from Article 13 of the General Data Protection Regulation of April 27, 2016 (Official Journal of the European Union L.2016.119.1; hereinafter referred to as "GDPR").

  2. The Administrator declares that it has exercised due diligence in fulfilling these obligations while adhering to the transparency criteria for informing and communication as specified in Article 12 of the GDPR.

Contact Information Regarding Personal Data Protection

  1. For matters related to personal data protection, you can contact the Administrator:

    1. by mail, at the address: Fotka sp. z o.o. sp.k., ul. Władysława Orkana 24, 82-300 Elbląg;
    2. via email by sending a message to: iod@fotka.com.

  2. To enhance the security of processed personal data, the Administrator has appointed a Data Protection Officer (DPO), who can be contacted via email at: iod@fotka.pl.

Administrator's Declaration

  1. The Administrator of the Service takes special care to protect the rights and freedoms of individuals whose data is being processed and ensures that such data is:

    1. processed lawfully, fairly, and transparently,

    2. collected for specified, explicit, and legitimate purposes, and not processed further in a way incompatible with those purposes,

    3. adequate, relevant, and limited to what is necessary for the purposes for which it is processed,

    4. accurate and, where necessary, kept up to date,

    5. stored in a form that permits the identification of the data subject for no longer than necessary for the purposes for which the data is processed,

    6. processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.

  2. As part of the measures mentioned in point 1(f) above, the Administrator has implemented the following safeguards: firewalls, data encryption, physical access controls to data centers, and authorization controls for accessing information. The effectiveness of the security measures applied to the User’s data requires the User to comply with the rules outlined in the Fotka Service Regulations, especially by not sharing their passwords with third parties. It is also the User's responsibility to ensure the accuracy of the data provided during account registration and to update this information as needed.

  3. The User's personal data is processed in accordance with Regulation (EU) No 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L.2016.119.1 of May 4, 2016), the Personal Data Protection Act of May 10, 2018 (Journal of Laws of 2018, item 1000, as amended), the Act of February 21, 2019, amending certain laws to ensure the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (Journal of Laws of 2019, item 730), and the Act of July 18, 2002, on the Provision of Electronic Services (consolidated text: Journal of Laws of 2019, item 123, as amended).


Purpose, Basis, and Scope of Personal Data Collection

  1. Each time, the purpose, basis, and scope, as well as the recipients of the data processed by the Administrator, are based on the legally permissible actions taken by the Administrator of the Fotka.com service.

  2. Possible purposes for collecting personal data and their scope:

    1. Conclusion and execution of a contract for the provision of electronic services offered by the Fotka.com Service: Processing basis: Article 6(1)(b) of the GDPR (processing is necessary for the performance of the contract).

      1. Personal data of the account holder and data related to the User's use of the Service through this account: name, surname, email address, date of birth, location (town/city).

    2. Achievement of the User’s objectives of the Service – establishing and maintaining contacts with other Users of the Service via the Service. Processing basis: Article 6(1)(a) of the GDPR (consent of the data subject) – consent is given by accepting the Fotka.com Service's terms and conditions. Data voluntarily provided by the User (the User decides which information they wish to share, with the understanding that it is available and can be used by all persons accessing the Service) may include the following categories:

      1. User’s contact details: name, surname, date of birth, website address, location (town/city),

      2. Data concerning education, profession, occupation, income (partially from a selection menu),

      3. Data regarding the use of substances (alcohol, cigarettes) (from a selection menu),

      4. User’s photos and videos (image of the person),

      5. Data about physical appearance: description of selected physical features and preferred clothing (from a selection menu),

      6. Data concerning the User’s personality (from a selection menu) and data about marital status, children, and preferences in this regard,

      7. Data concerning preferences, likes, and interests (from a selection menu).

    3. Verification of the User via phone number – a procedure used to reduce the number of fake accounts; Processing basis: Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party); Scope of processed personal data: phone number of the Service User.

    4. Complaint procedure related to the performed or ongoing electronic service;
      Processing basis: Article 6(1)(b) of the GDPR; Scope of processed personal data: name and surname of the person filing the complaint, contact details (correspondence address, email address, phone number), reason, and details of the complaint.

    5. Marketing of the Service Provider’s own products or services and marketing of business partners’ products and services;
      Processing basis – Article 6(1)(a) or Article 6(1)(f) of the GDPR (consent of the data subject – marketing of third-party products and services or legitimate interest of the Administrator – direct marketing of their own products and services); Scope of processed personal data: name, surname, email address, phone number.

    6. Profiling to optimally tailor the offer of services and products from cooperating Partners to the recipient’s profile; Processing basis – Article 6(1)(a) of the GDPR (consent of the data subject for the marketing of third-party products and services); Scope of processed data: age, gender, location, data voluntarily provided by the User (as mentioned in point 2 above in this policy).

    7. Settlement of transactions related to access to paid features of the Service (so-called "Star Club")
      Processing basis: Article 6(1)(b) of the GDPR (processing is necessary for the performance of the contract); Scope of processed personal data: phone numbers for SMS payments, information about settlements, contact details.

    8. Creating a User account on the external service provider’s website – promotion (marketing of the business partner's services);>
      Processing basis – Article 6(1)(a) of the GDPR (consent of the data subject); Scope of processed personal data: login, date of birth, name, gender, location (depending on the external service requirements).

    9. Ensuring the security of the Service and protecting its Users' data
      Processing basis: Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party); Scope of processed personal data: login data for the Fotka.com Service, device data and geolocation (e.g., IP address) from which the connection is made.

    10. Handling illegal content. The Administrator has implemented the DSA Form in the Service, allowing any person or entity visiting the Service ("Submitter") to report the presence of certain information in the Service that the Submitter considers illegal content under the provisions of the Terms of Service. Reporting illegal content requires providing the following information necessary to process the report: a sufficiently justified explanation of why the Submitter alleges that the information constitutes illegal content, clear identification of the exact electronic location of the information (such as the exact URL or precise URLs), the name and surname or name and email address of the Submitter (except for reports concerning information related to one of the offenses mentioned in Articles 3-7 of Directive 2011/93/EU), and a statement confirming the Submitter's good faith belief that the information and allegations in the report are accurate and complete. The Submitter may additionally provide other data if they believe it will facilitate the identification of illegal content or the handling of the report. Providing personal data marked as mandatory in the DSA Form is required to accept and process the report, and failure to provide such data may result in the inability to process the report. Providing other data is voluntary, and if provided, the Administrator assumes the Submitter has consented to its processing. The personal data collected via the DSA Form is processed by the Administrator:

      1. to fulfill the legal obligations incumbent on the Administrator, arising from Articles 16-17 of the Digital Services Act (DSA), including accepting the report concerning illegal content, reviewing the report, informing about the decision made by the Administrator regarding the report, and justifying the imposed restrictions (Article 6(1)(c) of the GDPR); b. based on the Submitter's consent, if personal data that is not necessary to process the report submitted via the DSA Form is provided (Article 6(1)(a) and Article 9(2)(a) of the GDPR).
      2. based on the Submitter's consent, if personal data that is not necessary to process the report submitted via the DSA Form is provided (Article 6(1)(a) and Article 9(2)(a) of the GDPR).

      Regardless of the above, the Administrator may process personal data of service recipients to fulfill other legal obligations incumbent on the Administrator, arising from the Digital Services Act (DSA), including to comply with orders to take action against illegal content or to provide information and notify the suspicion of a crime under Article 18 of the DSA (Article 6(1)(c) of the GDPR).

    11. The Administrator also processes anonymized data related to the use of the Service to generate statistics on the use of the Service. These data are aggregated and anonymous, i.e., they do not contain identifying characteristics of individuals using the Fotka.com Service.  

    Sharing of Personal Data

    1. Personal data of Users of the Fotka.com Service contained in their profiles are shared with other Users of the Service in connection with the primary function of the service, which is browsing and rating photos and associated User profiles.

    2. With the User's consent, their data may be shared with entities providing payment services (payment platforms). Currently, the Fotka.com Service uses the following payment platforms:

      1. Dotpay Sp. z o.o. based in Krakow, 30-552 Krakow, at 72 Wielicka Street,

      2. PayPal (Europe) S.a r.l. & Cie, S.C.A with its registered office at L-1150 Luxembourg,

      3. Centrum Technologii Mobilnych Mobiltek Sp. z o.o based in Krakow, 2 Józefińska Street, 30-529 Krakow,

      4. Autopay S.A., 6 Powstańców Warszawy Street, 81-718 Sopot,

      5. Google Ireland Limited, Gordon House Barrow Street, Dublin 4, Ireland,

      6. Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.

    3. We inform you that in cases described in separate legal provisions and according to the procedures indicated in those provisions, personal data may be transferred to authorized state authorities, including public administration.

    4. Personal data may also be disclosed for the purposes of audits, ensuring compliance with regulations, and exercising ownership supervision.

    5. Users' personal data may be processed using external IT infrastructure of hosting service providers that meet GDPR security requirements.

    6. The Administrator declares that in every case, entrusting personal data for processing is done based on a personal data processing entrustment agreement or another legal instrument, and the sharing of data is based on an appropriate legal basis under Article 6(1) or Article 9(2) of the GDPR.

    7. The personal data of Users who have consented to the processing of their personal data for marketing purposes may be transferred to entities specializing in providing online advertising services. The User's data (age, gender, and location) may be used for profiling to display better-targeted advertisements. In selecting entities providing this category of services, the Administrator is guided by the criteria set out in Article 28(1) of the GDPR, meaning that each contractor must guarantee the implementation and application of appropriate technical and organizational measures for the safety of personal data according to its category. Currently, the Fotka.com Service cooperates with Partners:

      1. Tri-table Sp. z o.o. located at 1 Józefa Poniatowskiego Avenue, 03-901 Warsaw: Partner's privacy settings.

        Partner's privacy settings

    8. Users' personal data may be transferred to third countries, i.e., outside the European Economic Area (EEA), according to the list of data recipients attached to the Policy. Since July 10, 2023, the transfer of data between the European Union or EEA and the United States of America is regulated by the "EU-U.S. Data Privacy Framework." The following entities outside the EEA, which may receive your personal data:

      1. Google LLC,

      2. Meta Platforms, Inc.,

      have joined the "EU-U.S. Data Privacy Framework." In the case of transferring data to the United States of America (so-called third country), the legal basis for the transfer of data is the decision of the European Commission dated July 10, 2023, stating the appropriate level of protection of personal data in that country, ensured by the "EU-U.S. Data Privacy Framework."


    Periods of Processing Personal Data (Data Retention)

    1. Personal data may be stored:

      1. Personal data associated with the User's account in the Service - for the entire duration of the account's existence (duration of the agreement). After the account is deleted by the User, the data is permanently removed within 30 days (excluding backup database copies created for the security of the Service; data from these copies is deleted after a maximum of 3 months).

      2. Basic identifying data of the User’s account in the form of an email address, first name, and surname provided in connection with the agreement for using the service, as well as data regarding payments made by the User related to the use of the Service - until the statute of limitations for any claims of the parties, i.e., the User and the Service, expires.

      3. Marketing data - until consent for data processing for this purpose is withdrawn, with the stipulation that data regarding prior consent and marketing operations conducted concerning the User of the Service will be archived for at least 5 years from the date of withdrawal of consent.

      4. Personal data regarding facts and events subject to tax obligations or recorded in appropriate accounting books - for the period required by law, particularly in accordance with the provisions of the Tax Code and the Accounting Act.

      5. Personal data necessary for the Administrator or third parties to pursue claims or that serve as evidence in proceedings before a court or public administration authority - until the usefulness of this data in ongoing proceedings or until the conclusion of other legally permissible actions related to the pursuit of claims.

      6. Personal data of the Reporter or another interested party as defined by the Digital Services Act (DSA) - for the time necessary to process the report or fulfill another obligation provided for in the DSA, and thereafter for a period arising from applicable legal requirements. If the Reporter has consented to the processing of their personal data contained in the report, this data will be retained until the consent is revoked. In justified cases, personal data will be retained as long as necessary to achieve the legally justified interests of the Administrator.


    Rights of the Person Whose Data is Processed by the Administrator

    1. Personal data may be stored:

      1. Personal data associated with the User's account in the Service - for the entire duration of the account's existence (duration of the agreement). After the account is deleted by the User, the data is permanently removed within 30 days (excluding backup database copies created for the security of the Service; data from these copies is deleted after a maximum of 3 months).

      2. Basic identifying data of the User’s account in the form of an email address, first name, and surname provided in connection with the agreement for using the service, as well as data regarding payments made by the User related to the use of the Service - until the statute of limitations for any claims of the parties, i.e., the User and the Service, expires.

      3. Marketing data - until consent for data processing for this purpose is withdrawn, with the stipulation that data regarding prior consent and marketing operations conducted concerning the User of the Service will be archived for at least 5 years from the date of withdrawal of consent.

      4. Personal data regarding facts and events subject to tax obligations or recorded in appropriate accounting books - for the period required by law, particularly in accordance with the provisions of the Tax Code and the Accounting Act.

      5. Personal data necessary for the Administrator or third parties to pursue claims or that serve as evidence in proceedings before a court or public administration authority - until the usefulness of this data in ongoing proceedings or until the conclusion of other legally permissible actions related to the pursuit of claims.

      6. Personal data of the Reporter or another interested party as defined by the Digital Services Act (DSA) - for the time necessary to process the report or fulfill another obligation provided for in the DSA, and thereafter for a period arising from applicable legal requirements. If the Reporter has consented to the processing of their personal data contained in the report, this data will be retained until the consent is revoked. In justified cases, personal data will be retained as long as necessary to achieve the legally justified interests of the Administrator.


    Rights of the Person Whose Data is Processed by the Administrator

    1. Every person whose data is processed by the Administrator has the right to:

      1. access their personal data, rectify it, delete it, restrict its processing, and the right to data portability in the cases specified in the provisions of the GDPR,
      2. withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (this particularly applies to data processing for marketing purposes),
      3. object at any time to the processing of personal data for reasons related to their particular situation, as well as the right to object to the processing of data for direct marketing purposes,
      4. lodge a complaint with a Supervisory Authority if the person whose data is being processed believes that the processing of their data by the Administrator violates the provisions of the GDPR or national regulations.

    2. Except for the right to lodge a complaint with the Supervisory Authority, all other rights may be exercised by Users by submitting a matter to the email address provided for contacting in matters related to personal data protection, using the contact form, or other contact details of the Fotka.com Service.

    3. In the case of communications mentioned in point 2, the Administrator may condition the execution of the actions on the unambiguous identification of the identity of the person making the inquiry, request, objection, or demand.


    Possibility of Choosing the Data Collected by the Administrator

    1. Providing personal data during registration on the Service is voluntary; however, failure to provide this data will prevent the conclusion of a contract for using the functionalities of the Fotka.com Service.

    2. Data contained in the User Profile may be voluntarily modified by the User; however, the absence of certain data specified by the Administrator may restrict the use of some features of the Service.

    3. Providing personal data for marketing purposes is voluntary; however, failure to provide this data will result in the inability to receive offers of services and bonuses offered by the data Administrator and its business partners.

    4. Consent to profiling for marketing purposes is entirely voluntary; however, lack of consent may result in the inability to receive personalized offers tailored to the User's age, location, preferences, and interests from the Service's Partners.
    5. Providing data necessary for logging into external services offering online games is voluntary; however, failure to provide this data will result in the inability to use the service.
    6. Providing data marked as mandatory in the DSA Form is required for accepting and handling the report, and failure to provide it may result in the inability to process the report. Providing other data is voluntary; however, by providing it, the Administrator assumes that the Reporter has given consent for its processing.

    Withdrawal of Consent When It Is the Basis for Data Processing by the Administrator

    1. At any time, the individual whose data is being processed has the right to withdraw consent for the processing of personal data.

    2. The withdrawal of consent does not affect the lawfulness of the processing carried out based on prior consent.

    3. Consent can be withdrawn in the following ways:

      1. Consent for the processing of data for marketing purposes can be withdrawn in the account settings or by communicating with the User Support department.

      2. Consent for the use of electronic communication methods can be withdrawn in the account settings or by communicating with the User Support department.

      3. To completely delete the profile along with the data, the account must be deleted using the option: "Remember that you can always change your data or completely delete your account" in the account settings or by communicating with the User Support department.

      4. Other granted consents can be withdrawn by contacting the Administrator through any chosen communication channel, including by communicating with User Support department.


    Cookies Policy

    1. Definition and Purpose of Cookies

      Cookies are small text files saved by the Service on the terminal device of the person visiting the Service (computer, mobile device) via a browser. They typically contain the domain name of the website from which they originate, the time they are stored on the user's device, and a unique number. Cookies are read or modified during subsequent visits to the Service and may contain basic information about the user, their individual appearance settings, actions taken on the Service, or any other data useful for improving the Service. The cookies used by the Service are safe for the user's device, preventing viruses or unwanted software from infiltrating the user's devices.

    2. Types of Cookies Used by the Service

      The Service uses the following types of cookies:
      1. Necessary Cookies: These ensure the proper functioning of the Service. They help identify the software used by the visitor and customize the Service for each user. They are also essential for providing services through the Service. This type of cookie contains information necessary for the proper functioning of the website, especially those requiring authorization. The use of these cookies does not require user consent, as they are processed based on the legitimate interest of the Administrator (Art. 6(1)(f) of the GDPR) and under Art. 173(3) of the Telecommunications Law.
      2. Functional Cookies: These assist in executing certain functions, such as sharing content on social media platforms, collecting feedback, and adapting the Service content to individual preferences. The Service uses these cookies based on user consent (Art. 6(1)(a) of the GDPR and Art. 173(2) and Art. 174 of the Telecommunications Law).
      3. Analytical Cookies: These help gather information about the number of visitors, bounce rates, traffic sources, etc., and are used to prepare statistics that help the Administrator understand the preferences and behaviors of visitors. The analysis is anonymous and allows for adapting the content and appearance of the Service to prevailing trends and evaluating the popularity of the site. The Service uses these cookies based on user consent (Art. 6(1)(a) of the GDPR and Art. 173(2) and Art. 174 of the Telecommunications Law).
      4. Advertising Cookies: Used to display relevant ads and marketing campaigns to visitors. These cookies track visitors across different sites and collect information to provide personalized ads based on user consent (Art. 6(1)(a) of the GDPR and Art. 173(2) and Art. 174 of the Telecommunications Law).

    3. Managing Cookies

      Users can accept or reject new cookies and delete existing ones through their browser settings. They can also set their browser to notify them of each new cookie placement on their computer or device. More detailed information on managing cookies can be found in the help function of the user's web browser.

    4. Effects of Disabling Cookies

      Disabling selected or all cookies may lead to improper functioning of the Service, and not all functionalities may be available. For example, it may not be possible to finalize transactions or use those products and services that require logging in.

    5. Types of Cookies Used in the Service

      1. Persistent Cookies: Used to modify the appearance or functionality of the Service based on previous choices or actions (e.g., filter settings). They remain on the user's device until expiration or deletion by the Administrator or the user. The absence of these cookies prevents browsing the Service according to the user’s preferences.
      2. Session Cookies: These contain a string identifying the dataset stored on the server side (the so-called session). The session is used by the authentication system for the user visiting the Service and many other mechanisms enhancing functionality and ensuring security. They remain on the user's device until logging out or closing the browser. The absence of these cookies impairs the proper functioning of the Service.

    6. Data Processing by the Administrator

      The Administrator may process the following data characterizing how the user visits the Service and uses the services provided electronically:
      1. Identifiers marking the telecommunications network or IT system used by the visitor;
      2. Information on the start, end, and scope of each use by the visitor of the electronically provided services;
      3. Information on the use of services provided electronically by the visitor.

    7. Third-Party Services

      The Service uses Google Analytics, a web analysis service by Google Ireland Limited based in Dublin, Ireland, and Meta Pixel, a web analysis service by Meta Platforms, Inc. based in Menlo Park, California, USA. Google Analytics collects its cookies, which are saved on the user's computer and contain data related to the device and browser, IP address, and user actions on the Service to measure and report statistics on user interaction. Google uses the data from Google Analytics to provide the Service with measurement services. Identifiers, such as cookies, are used to measure user interaction with the Service. IP addresses are used to protect the Google Analytics service and inform the Service of the origins of visitors. Google Analytics uses IP addresses to determine the geographic location of visitors and to ensure the functionality of the service. According to contracts with Google, the Service cannot transfer personally identifiable information to Google. Google Analytics uses so-called “cookies,” text files saved on the user's computer that allow the analysis of the user’s use of the Service. Information generated by the cookie about the use of the Service is typically sent to Google's server in the USA and stored there. If IP anonymization is activated on the Service, your IP address will be truncated by Google in EU member states or other contracting states of the European Economic Area Agreement. The full IP address will be sent to Google’s server in the USA and truncated there only in exceptional cases. On behalf of the Service operator, Google will use this information to evaluate the user's use of the website, compile reports on website traffic, and provide other services related to website traffic and internet usage. The IP address sent by the user's browser within Google Analytics will not be linked to other Google data. The Meta Pixel is a short code placed on the website that measures the effectiveness of advertising based on analyzing the actions taken by the user on the website. Users can prevent cookies from being stored within Google Analytics and Meta Pixel by not consenting to the use of these cookies or by withdrawing previously granted consent as described earlier in the Cookies Policy. Users can also prevent Google from collecting data generated by cookies and related to the use of the website (including IP address) and processing this data by Google by downloading and installing the browser plug-in available at the following link: Google Analytics Opt-out. The Service uses Google Analytics and Meta Pixel to analyze the use of the Service and regularly improve it. The statistics obtained may be used to enhance the offering and make it more interesting for users. User personal data contained in cookies (including those related to Google Analytics and Meta Pixel) may be transferred to the United States of America (under the principles described in “Sharing Personal Data,” section 9). More information about Google Analytics can be found at: Google Analytics Support.
     

    Additional Information

    1. Changes in Email Communication

      As of May 22, 2019, the Service has ceased sending commercial information from the Service and its Partners via email. User consent for receiving commercial information at the email address provided earlier is retained in accordance with the provisions of this policy and can be modified in the account settings.

    2. External Links

      The Service Fotka.com may contain links to other websites. Users are encouraged to review the privacy policies established on those sites after navigating away from the Service. This privacy policy applies only to the Fotka.com Service.
     

    Changes to the Privacy Policy

    1. Policy Updates


      The privacy policy is regularly reviewed and updated as necessary. The current version of the privacy policy was adopted and is effective as of September 17, 2024.