Privacy Policy
§1. General provisions
- This Privacy Policy sets out the principles for the processing and protection of personal data of Users and Clients using the website and web application available at www.outagen.com. This document also sets out the principles for the use of cookies and similar technologies.
- This Privacy Policy is for information purposes and is intended to fulfill the information obligations resulting in particular from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the General Data Protection Regulation, hereinafter referred to as the GDPR.
- The controller of personal data processed in connection with the Website and the Service is Konrad Caban, conducting business under the name SITEIMPULSE Konrad Caban, with business address at ul. Niedźwiedzia 29B, 02-737 Warsaw, Poland, postal address at ul. Rymanowska 3, 02-916 Warsaw, Poland, entered in the Central Register and Information on Business Activity of the Republic of Poland, VAT ID: PL5212118341, REGON: 012887347, e-mail: office AT siteimpulse DOT com, telephone: +48 22 266 24 06, hereinafter referred to as the Controller.
- The Controller processes personal data in accordance with applicable data protection laws, including the GDPR, Polish data protection regulations and the Act on the Provision of Electronic Services.
- Capitalized terms used in this Privacy Policy shall have the meaning assigned to them in the Terms and Conditions of Outagen, unless this Privacy Policy provides otherwise.
- The Service is addressed exclusively to businesses and professional users. Nevertheless, personal data may be processed in relation to natural persons acting on behalf of or in connection with such business entities, including account users, representatives, employees, contractors or contact persons of Clients.
- Personal data is processed lawfully, fairly and transparently, for specific purposes and to the extent necessary for those purposes.
- The Controller applies appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, disclosure or destruction.
- Personal data is not sold to third parties.
- Personal data may be disclosed to or entrusted to third parties only where necessary to provide the Service, operate the Website, comply with legal obligations, pursue legitimate interests of the Controller, or where the data subject has given consent.
§2. Categories of personal data
- The Controller may process the following categories of personal data:
- Account and registration data, such as first and last name, business name, e-mail address, password hash, time zone, account status and account settings;
- business and billing data, such as business name, address, VAT ID, tax identification data, invoice details, payment status and billing history, where applicable;
- contact data, such as e-mail address, telephone number, message content and correspondence history;
- Service configuration data, such as Monitor names, Monitor settings, Page URLs, generated e-mail addresses, generated webhook URLs, configured webhook URLs, alerting settings, configured content, selectors, incident parameters and other data entered into the Panel;
- Incident, Reaction and Alert data, such as incident type, incident status, start and end dates, detection status, reaction timestamps, alert timestamps, e-mail or webhook delivery data and incident history;
- technical and log data, such as IP address, browser type, device information, operating system, request timestamps, URLs accessed, session identifiers, error logs, security logs and similar technical information;
- payment data, where Paid Plans are ordered, such as payment method, payment identifier, transaction status and payment operator information; the Controller does not store full payment card numbers unless expressly stated otherwise;
- marketing and communication data, such as newsletter subscription status, consent records, communication preferences and information about messages sent to the User or Client;
- analytics data, such as information about use of the Website, Panel or Service, user interactions, feature usage and aggregated statistics.
- The scope of processed data may depend on how the User or Client uses the Website and the Service, including whether an Account is created, whether Monitors are configured, whether webhook or e-mail alerting is used, whether a Paid Plan is ordered, and whether the User contacts the Controller.
- The Client should not enter unnecessary personal data into Monitor names, configured content, selectors, webhook URLs or other Service configuration fields unless such data is necessary for the Client’s use of the Service and the Client has a lawful basis for doing so.
§3. Sources of personal data
- Personal data may be obtained directly from the User or Client, in particular through:
- registration forms;
- Account and Panel settings;
- Monitor configuration;
- contact forms;
- e-mail correspondence;
- support requests;
- payment and billing processes;
- newsletter or marketing consent forms, if available.
- Personal data may also be generated automatically during the use of the Website or Service, in particular through server logs, application logs, cookies, session identifiers, analytics tools and security tools.
- Personal data may be received from external systems configured by the Client, in particular from the Client’s Monitoring Tool, where such tool sends a Reaction to Outagen by e-mail, webhook or another method made available by the Controller.
- Personal data may also be received from payment operators, accounting providers, communication providers, analytics providers or other service providers cooperating with the Controller, to the extent necessary for the purposes described in this Privacy Policy.
§4. Purposes and legal bases of processing
- Personal data may be processed for the purpose of creating and maintaining an Account, providing access to the Panel and enabling use of the Service. The legal basis is Article 6(1)(b) GDPR, namely the necessity of processing for the performance of a contract or for taking steps prior to entering into a contract.
- Personal data may be processed for the purpose of providing the core functionality of Outagen, including creating Monitors, generating Pages, simulating Incidents, receiving Reactions, recording detection status, maintaining incident history and sending Alerts. The legal basis is Article 6(1)(b) GDPR.
- Personal data may be processed for the purpose of communication with the User or Client, including responding to inquiries, handling support requests, sending technical notices, service notices, legal notices and information concerning the Account or Service. The legal basis is Article 6(1)(b) GDPR or Article 6(1)(f) GDPR, depending on the context.
- Personal data may be processed for the purpose of billing, payment handling, invoice issuing, tax compliance and accounting obligations. The legal basis is Article 6(1)(c) GDPR, namely the legal obligation imposed on the Controller, and where necessary Article 6(1)(b) GDPR.
- Personal data may be processed for the purpose of handling complaints, enforcing the Terms and Conditions, establishing, pursuing or defending claims. The legal basis is Article 6(1)(f) GDPR, namely the legitimate interest of the Controller.
- Personal data may be processed for the purpose of ensuring security, preventing abuse, detecting unauthorized access, protecting the Service infrastructure, maintaining logs and investigating technical incidents. The legal basis is Article 6(1)(f) GDPR.
- Personal data may be processed for analytical, statistical and Service improvement purposes, including understanding how the Website, Panel and Service are used, improving functionality, testing features and developing the Service. The legal basis is Article 6(1)(f) GDPR.
- Personal data may be processed for marketing purposes, including sending commercial information, newsletters or product updates, where the User or Client has given consent or where such communication is permitted under applicable law. The legal basis may be Article 6(1)(a) GDPR or Article 6(1)(f) GDPR, depending on the communication and applicable legal requirements.
- Personal data may be processed for the purpose of complying with legal obligations, including obligations resulting from tax, accounting, consumer, telecommunications, electronic services, data protection or other applicable laws. The legal basis is Article 6(1)(c) GDPR.
- Where processing is based on consent, consent may be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before consent was withdrawn.
§5. Processing of Service configuration, Incidents, Reactions and Alerts
- In order to provide the Service, the Controller processes data entered by the Client into the Panel and data generated during use of the Service.
- This may include Monitor configuration, generated Page URLs, generated e-mail addresses, generated webhook URLs, webhook URLs provided by the Client, incident parameters, alerting settings, incident history, detection status, Reaction data and Alert data.
- If the Client configures Outagen to receive Reactions by e-mail or webhook, the Controller processes data necessary to receive, identify, record and associate such Reactions with the relevant Monitor and Incident.
- If the Client configures Outagen to send Alerts by e-mail or webhook, the Controller processes data necessary to prepare, send and record such Alerts.
- The Client is responsible for ensuring that data entered into the Service, including e-mail addresses, webhook URLs, Monitor names, content strings or selectors, is lawful and does not unnecessarily contain personal data.
- The Controller does not control the content, operation or privacy practices of the Client’s external Monitoring Tool. The Client is responsible for configuring their Monitoring Tool and for ensuring that any personal data processed by that tool is processed lawfully.
- The Controller may process technical metadata related to Reactions and Alerts, such as timestamps, delivery status, source address, destination address, response status, error messages and similar technical information, for the purpose of providing, documenting, securing and troubleshooting the Service.
§6. Cookies and similar technologies
- The Website and Panel may use cookies and similar technologies.
- Cookies are small text files stored on the User’s device and used by websites or applications for purposes such as maintaining sessions, remembering settings, ensuring security, analyzing usage and supporting marketing activities.
- The Controller may use the following categories of cookies:
- necessary cookies, required for the proper operation of the Website, Panel and Service, including login, session handling, security and account functionality;
- functional cookies, used to remember preferences and settings;
- analytical cookies, used to understand how the Website, Panel or Service is used and to improve them;
- marketing cookies, used only where applicable and where required consent has been obtained, for marketing, remarketing or measurement purposes.
- Necessary cookies may be used on the basis of the legitimate interest of the Controller or because they are technically required to provide the Service requested by the User or Client.
- Analytical and marketing cookies are used in accordance with applicable law, including on the basis of consent where required.
- The User may manage cookie settings through the browser settings and, where available, through privacy settings or a cookie consent mechanism provided on the Website.
- Blocking or deleting cookies may affect the operation of the Website, Panel or Service, and in some cases may prevent logging in or using selected features.
§7. Server logs and technical data
- The Controller automatically collects information transmitted by the User’s browser, device or software to the servers used by the Website and Service.
- Such information may include IP address, date and time of request, browser type, operating system, device parameters, requested URLs, referrer URL, session identifiers, response codes, error messages and similar technical data.
- Server logs and technical data are processed for the purposes of:
- ensuring proper operation of the Website and Service;
- maintaining security;
- detecting abuse or unauthorized access;
- diagnosing errors;
- generating technical and statistical information;
- establishing, pursuing or defending claims.
- Server logs are generally not used to identify specific Users, unless necessary for security, abuse prevention, troubleshooting, legal compliance or claims.
§8. Recipients of personal data and service providers
- Personal data may be disclosed to or entrusted to entities cooperating with the Controller only to the extent necessary for the purposes described in this Privacy Policy.
- Such entities may include in particular:
- hosting and server infrastructure providers;
- domain, DNS, SSL and network infrastructure providers;
- e-mail delivery and communication providers;
- payment operators;
- accounting and invoicing service providers;
- analytics and product analytics providers;
- customer support and communication tools;
- security, anti-abuse and monitoring providers;
- legal, tax, accounting or business advisors;
- public authorities, courts or other authorized entities, where required by law.
- In particular, depending on the features used and the tools enabled by the Controller, personal data may be processed by the following providers:
- OVH SAS - hosting and server infrastructure;
- Google - analytics, marketing, security or infrastructure tools, depending on the tools enabled;
- other technical providers necessary to operate, secure, analyze or develop the Website and Service.
- Payment data may be processed directly by payment operators. The Controller may receive transaction identifiers, payment status, payer information and other payment-related data necessary to record and handle payments.
- The Controller requires processors to process personal data only on the Controller’s instructions and in accordance with applicable data protection law, unless such entities act as independent controllers under applicable law.
- Personal data may be disclosed to public authorities, courts, law enforcement agencies or other authorized entities where required by applicable law.
§9. Transfers outside the European Economic Area
- Some service providers used by the Controller may process personal data outside the European Economic Area.
- Where personal data is transferred outside the European Economic Area, the Controller ensures that such transfer takes place in accordance with applicable data protection law.
- In particular, transfers may take place:
- to countries covered by an adequacy decision of the European Commission;
- on the basis of standard contractual clauses approved by the European Commission;
- on the basis of other safeguards permitted by Chapter V of the GDPR.
- The User may obtain additional information about the safeguards applied to international transfers by contacting the Controller.
§10. Data retention
- Personal data is stored for no longer than necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law.
- Account data is generally processed for the duration of the Account and thereafter for the period necessary to establish, pursue or defend claims, comply with legal obligations or protect legitimate interests of the Controller.
- Data processed for the purpose of performing the contract is generally stored for the duration of the contract and thereafter until the expiry of the limitation period for claims.
- Billing, invoice, tax and accounting data is stored for the period required by applicable tax and accounting laws.
- Data processed on the basis of consent is processed until consent is withdrawn, unless another legal basis for further processing applies.
- Data processed on the basis of legitimate interest is processed until an effective objection is raised, unless the Controller demonstrates compelling legitimate grounds for processing or the data is necessary for the establishment, pursuit or defense of claims.
- Technical logs may be stored for the period necessary for security, troubleshooting, abuse prevention, statistical analysis and claims handling.
- Monitor configuration, Incident history, Reaction data and Alert data may be stored for the period necessary to provide the Service, maintain history and reports, support the Client, ensure security and establish, pursue or defend claims.
- During product development, including the BETA Phase, certain data retention periods may be adjusted for technical, security or development reasons. Where such changes materially affect Clients, the Controller will inform Clients where reasonably possible.
- After the expiry of the applicable retention period, personal data is deleted, anonymized or otherwise irreversibly de-identified.
§11. Rights of data subjects
- Data subjects have the following rights under the GDPR:
- the right of access to personal data;
- the right to rectification of inaccurate personal data;
- the right to erasure of personal data;
- the right to restriction of processing;
- the right to data portability;
- the right to object to processing based on legitimate interest;
- the right to withdraw consent at any time, where processing is based on consent;
- the right to lodge a complaint with a supervisory authority.
- In Poland, the supervisory authority is the President of the Personal Data Protection Office.
- Requests concerning personal data may be submitted to the Controller using the contact details indicated in this Privacy Policy.
- The Controller may ask the person submitting a request to provide additional information necessary to verify their identity or process the request.
- The exercise of certain rights may be limited where permitted by law, in particular where processing is necessary to comply with legal obligations, establish, pursue or defend claims, maintain security or protect the rights of other persons.
- Deletion or restriction of certain personal data may make it impossible or significantly limited to provide the Service.
§12. Voluntary provision of data
- Providing personal data is voluntary, but may be necessary to create an Account, use the Service, configure Monitors, receive Alerts, contact the Controller, order a Paid Plan, make a payment or receive an invoice.
- Failure to provide data required for a specific purpose may prevent the Controller from providing the relevant functionality or service.
- Providing data for marketing purposes is voluntary and is not required to use the Service.
§13. Automated decision-making and profiling
- The Controller may use automated tools for analytics, security, abuse prevention, service improvement and communication purposes.
- The Controller does not make decisions based solely on automated processing, including profiling, that would produce legal effects concerning the User or similarly significantly affect the User, unless expressly stated otherwise and permitted by applicable law.
- Analytics and product usage data may be used to improve the Website, Panel and Service, develop features, identify usability issues and understand how Users interact with the Service.
§14. Marketing communication
- The Controller may send marketing or commercial communication to Users or Clients where permitted by law, in particular where the User or Client has given consent or where such communication is permitted under applicable rules concerning electronic communication.
- Consent to receive marketing communication may be withdrawn at any time.
- Withdrawal of consent does not affect the lawfulness of communication sent before consent was withdrawn.
- Service-related, technical, legal, security, billing or account messages are not marketing communication and may be sent where necessary to provide the Service, perform the contract, comply with legal obligations or pursue legitimate interests of the Controller.
§15. Security
- The Controller applies technical and organizational measures appropriate to the risks related to personal data processing.
- Such measures may include access controls, authentication mechanisms, password protection, encryption where appropriate, backups, logging, monitoring, software updates, network security and internal access restrictions.
- The User and Client are responsible for maintaining the confidentiality of login credentials and for ensuring that persons using the Account are authorized to do so.
- The Client should promptly notify the Controller of any suspected unauthorized access to the Account or other security incident related to the Service.
§16. Changes to the Privacy Policy
- The Controller may change this Privacy Policy, in particular due to changes in the Website, Service, legal requirements, technologies used, service providers, data processing purposes or business model.
- Changes to the Privacy Policy will be published on the Website.
- Where required by law or where changes are material, the Controller may notify Users or Clients by e-mail, through the Panel or by another appropriate method.
- The current version of the Privacy Policy is available on the Website.
§17. Contact
- In all matters concerning personal data and this Privacy Policy, the Controller may be contacted at:
- Data protection requests should be sent to the e-mail address indicated above, preferably with a clear description of the request.
SITEIMPULSE Konrad Caban
ul. Rymanowska 3
02-916 Warsaw
Poland
e-mail: office AT siteimpulse DOT com
telephone: +48 22 266 24 06
ul. Rymanowska 3
02-916 Warsaw
Poland
e-mail: office AT siteimpulse DOT com
telephone: +48 22 266 24 06