LightClock logo LightClock

Privacy policy

Effective from: January 1, 2026

  1. DEFINITIONS
    1. Administrator – LightApply. z o.o., with its registered office in Zielona Góra, Poland, at ul. Plac Matejki 21b/2, entered in the Register of Entrepreneurs, Commercial Division of the National Court Register under KRS number 0000849943, under NIP 8943156010, REGON 386520565 ("Administrator", "Company").
    2. Application - mobile application and browser application version called "LightClock” intended for use via a web browser or installation on a mobile device with the Android or iOS operating system, enabling the use of the Application and participation in the Loyalty Program, on the terms described in the Application Regulations.
    3. Personal Data - all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural, or social identity, including device IP, location data, internet identifier, and information collected through cookies and other similar technologies.
    4. Profile – individual User Profile, available to the User after logging in to the Application, within which the User has the opportunity to use the Application.
    5. Policy – this Privacy Policy.
    6. Loyalty program – the "AuRoom Coin" program, the terms and conditions of which are set out in the Application Terms and Conditions.
    7. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
    8. User – any natural person visiting the Application or using one or more of the Application's functionalities.
  2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE APPLICATION
    1. In connection with the User's use of the Application, the Administrator collects data to the extent necessary to provide specific services, as well as information about the User's activity on the Application. The detailed rules and purposes of processing personal data collected during the User's use of the Application are described below.
  3. PURPOSES AND LEGAL BASIS FOR DATA PROCESSING ON THE APPLICATION
    1. PERSONAL DATA
      1. for the purpose of providing electronic services in the scope of making the content collected on the Application available to Users – in this case, the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR);
      2. for analytical and statistical purposes – in this case, the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in analyzing User activity and preferences in order to improve the functionalities used and the services provided;
      3. for the purpose of pursuing or defending against claims – the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in the protection of its rights;
      4. for the Administrator's marketing purposes – the rules for the processing of personal data for marketing purposes are described in the "MARKETING" section.
      5. The User's activity on the Application, including their personal data, is recorded in system logs (a special computer program used to store chronological records containing information about events and activities related to the IT system used to provide services by the Administrator). The information collected in the logs is processed primarily for purposes related to the provision of services. The Administrator also processes it for technical and administrative purposes, for the purposes of ensuring the security of the IT system and managing that system, as well as for analytical and statistical purposes – in this respect, the legal basis for processing is the Administrator's legitimate interest (Article 6(1)(f) of the GDPR).
    2. PROFILE AND SERVICE
      1. Persons who wish to create a Profile and use the Application are asked to provide the data necessary to create a Profile and verify their age (first name, last name, email address).
      2. Personal data is processed:
        1. for the purpose of providing services related to the maintenance and operation of the Profile, including enabling the use of the Service and considering any complaints – the legal basis for the processing of personal data is the necessity to perform a contract to which the data subject is party (Article 6(1)(b) of the GDPR);
        2. for the purpose of possible establishment and pursuit of claims or defense against claims – the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in the protection of its rights.
    3. CHATBOT
      1. The Administrator provides the possibility to contact him via live chat (chatbot service) available through the Meta WhatsApp application. Using the chat functionality with the Meta administrator tool requires the User to log in to the Meta platform or the WhatsApp application.
      2. User data is processed for the purpose of:
        1. communicating with the Administrator and for purposes resulting from such communication – the legal basis for processing is the necessity to perform the service agreement (Article 6(1)(b) of the GDPR);
        2. ensuring the User's participation in the Loyalty Program and competitions, if they agree to participate in them – the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
        3. sending marketing content by the Administrator via chat – the legal basis for data processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in the possibility of sending content promoting the Administrator's activities and services in connection with the consent given;
        4. establishing or pursuing possible claims or defending against such claims by the Administrator – the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in the defense of its economic interests.
      3. If the User uses the Chatbot service in the WhatsApp application, the Administrator will automatically collect the User's phone number. Providing other personal data by the User during a conversation with the chatbot is voluntary, but may be necessary to communicate about specific chatbot functions. Without providing such data, communication may not be possible.
    4. CHAT
      1. The administrator provides the possibility to contact him via live chat ("chat service") available on the Application.
      2. User data is processed:
        1. for the purpose of communicating with the Administrator and for purposes resulting from such communication – the legal basis for processing is the necessity to perform the service agreement (Article 6(1)(b) of the GDPR);
        2. if you are interested in establishing cooperation with the Administrator as a franchisee – for the purpose of considering your candidacy as a franchisee and for the purpose of establishing possible cooperation – the legal basis for processing is taking action at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR);
        3. for analytical and statistical purposes – in this case, the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in analyzing the activity of Users and their preferences in order to improve the functionalities and recruitment methods used;
        4. in order to establish or pursue possible claims or defend against such claims by the Administrator – the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in the defense of its economic interests.
    5. GEOLOCATION
      1. The Administrator has provided a tool on the Application for geolocating the User's device using the Google Maps API. The use of this functionality is optional and not required for the proper use of the Application. Location data is processed solely for the purpose of enabling the User to find the nearest stationary points of sale of the Administrator's network if the User consents to access to geolocation information – in which case the basis for the processing of such data is the consent given by the User (Article 6(1)(a) of the GDPR). The above data is processed once, i.e., the information is used at the time of consent. After closing the website, the Administrator does not have access to location data and does not store location information read while browsing the website.
      2. The User's use of the Google Maps API tool included in the Application is also governed by the current version of the Additional Terms of Service for Google Maps and Google Earth, which can be found at https://maps.google.com/help/terms_maps/.
      3. When using this tool, Google processes the User's personal data in accordance with the current version of Google's Privacy Policy, available at https://policies.google.com/privacy.
    6. CONTACT FORMS AND RECRUITMENT FORMS
      1. The Administrator provides the possibility to contact him using electronic contact forms.
      2. Use of the form requires the provision of personal data necessary to contact the User and respond to the inquiry. The User may also provide other data at to facilitate contact or handling of the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to provide such data will result in the inability to handle the inquiry. Providing other data is voluntary.
      3. Depending on the specific form used by the User, personal data is processed:
        1. in the case of the contact form – to handle the inquiry submitted via the contact form – the legal basis for processing is the necessity of processing for the performance of a service contract (Article 6(1)(b) of the GDPR); with regard to the processing of optional data, the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
        2. in the case of using the residential rental form – for the purpose of handling the rental application, and in the case of a decision to enter into cooperation – for the purpose of establishing such cooperation. The legal basis for processing is to take action at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR); with regard to the processing of optional data, the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
        3. in the case of using the form dedicated to persons wishing to establish commercial cooperation with the Administrator – for the purpose of considering the application for establishing commercial cooperation and for the purpose of establishing possible cooperation. The legal basis for the processing of Personal Data, the provision of which in the form is mandatory, is to take action at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR), and in the case of processing Personal Data, the provision of which is not mandatory, the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
        4. in the case of a general contact form used to submit complaints or reports – for the purpose of ensuring contact and handling the report or complaint. The legal basis for the processing of Personal Data is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in the need to resolve the report or complaint;
        5. in the case of using the whistleblowing form – for the purpose of handling submitted reports – the legal basis for processing is the necessity of processing to fulfill the legal obligation incumbent on the Administrator (Article 6(1)(c) of the GDPR);
        6. if you use the recruitment form and give your consent for the purposes of future recruitment processes – the legal basis for processing is your consent (Article 6(1)(a) of the GDPR);
        7. in order to prevent abuse of the job referral program and to ensure its proper settlement, the legal basis for the processing of personal data is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), which consists in detecting and eliminating abuse of the referral program and ensuring its reliable implementation;
        8. if candidates who do not have Polish citizenship qualify for the next stage of recruitment, their personal data will be processed for the purpose of verifying their qualifications and language skills (knowledge of Polish and English). The legal basis for data processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in verifying that the candidate meets the conditions necessary to conclude a civil law contract or an employment contract;
        9. for the Administrator's marketing purposes – the rules for the processing of personal data for marketing purposes are described in the MARKETING section.
      4. in relation to the use of each of the forms:
        1. to ensure communication security and counteract unwanted actions taken by bots – the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in ensuring the security of communication and the Application;
        2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in keeping statistics on queries submitted by Users via the Application;
        3. for the purpose of pursuing or defending against claims – the legal basis for processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in the protection of its rights.
  4. MARKETING
    1. CONTEXTUAL ADVERTISING
      1. The Administrator processes, including via the Application, Users' personal data for the purpose of marketing activities, which may consist in displaying marketing content to the User that is not tailored to their preferences (contextual advertising). The processing of personal data is then carried out in connection with the pursuit of the Administrator's legitimate interest (Article 6(1)(f) of the GDPR), consisting in conducting marketing activities for its own services.
    2. TARGETED ADVERTISING
      1. The Administrator may also process Users' personal data for marketing purposes by displaying marketing content on the Application that corresponds to the User's interests and preferences, in particular purchasing preferences (behavioral advertising), if the User consents to the use of advertising cookies or social media cookies on the Application, in accordance with the rules set out in sections 6.12 to 6.17 of the Policy.
      2. If the User has visited the Application and consented to the installation of cookies, or if the User has accepted cookies on other websites, the Administrator may, in cooperation with trusted partners, display advertising content tailored to the User's interests, browsing history, information about visits to the Application, or interest in topics similar to those covered by the Application – not only on our website, but also outside of it. In such situations, the User's personal data (e.g., visited pages, device model and brand, browser and operating system type, cookies) may be transferred to external online marketing service providers for the purpose of displaying targeted advertising. The legal basis for data processing is the legitimate interest of the Administrator in connection with the consents expressed by the User. The Administrator also analyzes the effectiveness of advertising campaigns. The legal basis for processing is then the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in measuring the results of campaigns and optimizing the marketing strategy.
      3. The list of the Administrator's trusted partners is available upon request sent by the User to the email address: contact@lightapply.com.
    3. DIRECT MARKETING
      1. If you use the contact form for franchisee recruitment and give your consent, your personal data may be used by the Administrator to send you marketing content via email to the email address provided in the application or during profile registration. Such actions are taken by the Administrator only if the User has given their consent, which they may withdraw at any time. The legal basis for the processing of personal data in this case is the Administrator's legitimate interest in connection with the consent given to send marketing communications via the selected communication channel (Article 6(1)(f) of the GDPR). The Administrator's legitimate interest consists in marketing its own goods and services.
      2. The consent given for the marketing activities described in point 4.4. may be withdrawn at any time by sending an email to: contact@lightapply.com or in writing to the address of the Administrator's registered office. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
  5. SOCIAL MEDIA
    1. The Administrator processes the personal data of Users visiting the Administrator's profiles on social media (Facebook, YouTube, Instagram, LinkedIn, TikTok). This data is processed solely in connection with the operation of the profile, including for the purpose of informing Users about the Administrator's activities and promoting various types of events, services, and products. The legal basis for the processing of personal data by the Administrator for this purpose is its legitimate interest (Article 6(1)(f) of the GDPR), consisting in promoting its own brand, improving the quality of services provided, and analyzing the preferences and activities of Users visiting the Administrator's profiles on social media in order to improve the functionalities used and services provided.
    2. The above information does not apply to data processing by social media administrators (Facebook, YouTube, Instagram, LinkedIn, TikTok). Detailed information on the purpose and scope of data collection by social media platforms can be found at the following links:
      1. Facebook: https://www.facebook.com/policy.php
      2. YouTube: https://policies.google.com/privacy
      3. Instagram: https://help.instagram.com/519522125107875/?maybe_redirect_pol=0
      4. LinkedIn: https://pl.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy
      5. TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/pl
  6. COOKIES
    1. Cookies are small text files installed on the User's device. Cookies collect information that facilitates the use of the website, e.g., by remembering information about the User, such as login details or language preferences. The Administrator is the controller of the data processed in connection with the use of cookies. The Administrator uses its own files on the Application, which are installed directly by the Application. Third-party cookies are also used – these are cookies from a domain other than the domain of the visited website – primarily for the Administrator's analytical and advertising activities.
    2. The Application uses cookies primarily to ensure the proper functioning of the website, to remember the User's choices on the website, and, if the User has given their consent, also to analyze and track traffic on the Application and to tailor advertising content to the User's interests. Within the Application, based on the consent obtained, cookies are also installed to enable the use of social media functionality.
    3. Below you will find detailed information about the cookies that the Administrator uses on the Application. The Administrator regularly uses tools to scan the Application in order to determine which cookies are stored on the User's device, so that the list of cookies used is as accurate as possible. The Administrator uses the following categories of files: necessary, functional, analytical, advertising cookies, and social media cookies.
    4. Necessary Cookies
      1. The Administrator's use of essential cookies is necessary for the proper functioning of the website. These files are installed in particular for the purposes of remembering login sessions or filling in forms, as well as for purposes related to privacy settings.
      2. The legal basis for data processing in connection with the use of essential cookies is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR).
      3. If the User wishes to obtain more information about individual files in this category, i.e., the names of individual cookies, a description of their operation, validity period, and origin, they should click on the "Manage cookies" button located in section 8 of the Privacy Policy or the button with the same content available in the footer of each subpage of the Application. After the cookie banner appears, select the "Manage cookies" button and then expand the "Essential cookies" list, then select the "Details" button below.
    5. Functional and analytical cookies
      1. Functional cookies are used to remember and adapt the Application to the User's choices, including language preferences. Functional cookies may be installed by the Administrator and its partners via the Application.
      2. Analytical cookies enable the collection of information such as the number of visits and sources of traffic to the Application. They are used to determine which pages are more or less popular and to understand how Users navigate the site by keeping statistics on traffic on the Application. Data processing is carried out in order to improve the performance of the Application. The information collected by these cookies is aggregated, so it is not intended to determine your identity. Analytical cookies may be installed by the Administrator and its partners via the Application.
      3. The legal basis for the processing of Personal Data in connection with the use of functional and analytical cookies by the Administrator is its legitimate interest (Article 6(1)(f) of the GDPR), which is to ensure the highest quality of services provided on the Application, in connection with the User's consent to their storage (separate for analytical files, separate for functional files).
      4. The processing of Personal Data in connection with the use of functional and analytical cookies is subject to the User's consent to the use (separately) of functional and analytical cookies via the cookie consent management platform. This consent may be withdrawn at any time via this platform.
      5. If the User wishes to obtain more information about individual files in these categories, i.e., the names of individual cookies, a description of their operation, validity period, and origin, they should click the "Manage cookies" button located in section 8 of the Privacy Policy – "Manage cookies" or the button with the same content available in the footer of each subpage of the Application. When the cookie banner appears, select the "Manage cookies" button and then expand the list of "Analytical cookies" or "Functional cookies," then select the "Details" button located under each list.
    6. Advertising cookies
      1. Advertising cookies allow the advertising content displayed to be tailored to the interests of Users within and outside the Application. Based on the information from these cookies and the User's activity on other websites, a profile of the User's interests is built. Advertising cookies may be installed by the Administrator and its partners through our Application.
      2. The legal basis for the processing of Personal Data in connection with the use of advertising cookies by the Administrator for this purpose is its legitimate interest (Article 6(1)(f) of the GDPR), consisting in promoting the Administrator's brand and informing about the Administrator's current offer, including by directing marketing information corresponding to their interests to Application Users, in connection with the User's consent to the storage of advertising cookies.
      3. The processing of Personal Data in connection with the use of advertising cookies is possible after obtaining the User's consent to the use of consent via the consent management platform. This consent may be withdrawn at any time via this platform.
      4. If the User wishes to obtain more information about individual files in this category, i.e., the names of individual cookies, a description of their operation, validity period, and origin, they should click the "Manage cookies" button located on the Application.
    7. Social media cookies
      1. These cookies are installed by the Administrator's partners to tailor the advertising content displayed on the social media used by the User. Based on the information from these cookies and activity on other websites or social media, a profile of interests is created. This allows the content displayed to be tailored to individual needs. Social media cookies do not directly store personal data, but they identify the web browser and equipment. If the User does not allow the use of these cookies, the Administrator will not be able to prevent the same advertisement from being displayed or enable liking and sharing of content posted by the Administrator on social media.
      2. If the User wants to obtain more information about individual files in this category, i.e., the names of individual files, description of their operation, validity period, and origin, they should click the "Manage cookies" button located in section 8 of the Privacy Policy – "Manage cookies" or the button with the same content available in the footer of each subpage of the Application. When the cookie banner appears, select the "Manage cookies" button and then expand the "Social media cookies" list, then the "Details" button below.
  7. ANALYTICAL AND MARKETING TOOLS USED BY THE ADMINISTRATOR'S PARTNERS
    1. The Administrator and its Partners use various solutions and tools for analytical and marketing purposes. Below is basic information about these tools. Detailed information in this regard can be found in the privacy policy of the respective partner.
    2. A list of the Administrator's trusted partners is available upon request from the User sent to the email address: contact@lightapply.com.
    3. CLOUDFLARE TURNSTILE
      Cloudflare Turnstile is a tool used to protect against abuse and automated bots. The tool collects and processes certain technical data about the User to ensure the security of the Application. The data is processed to protect against security threats. Detailed information on data processing by Cloudflare can be found at: https://www.cloudflare.com/privacypolicy/.
    4. GOOGLE ANALYTICS
      Google Analytics cookies are files used by Google to analyze how the User uses the Application, to create statistics and reports on the functioning of the Application. Google does not use the collected data to identify the User and does not combine this information to enable identification. Detailed information on the scope and rules of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.
    5. GOOGLE TAG MANAGER
      Google Tag Manager is a tool for managing scripts on a website. It can be used to install various types of scripts on a website. This includes, among others, scripts related to consents given by the User, scripts tracking the User's behavior through analytical tools such as Google Analytics, or conversion tracking from advertising systems such as Google Ads. In connection with the use of the tool, Google collects aggregated data on the execution of these scripts, without the possibility of identifying a specific User. Detailed information on the scope and rules of data collection in connection with this service can be found at: https://www.google.com/analytics/terms/tag-manager/.
    6. GOOGLE ADS
      Google Ads is a tool that allows the Administrator to measure the effectiveness of advertising campaigns, enabling the analysis of data such as keywords or the number of unique users. Google Ads also allows for effective advertising campaigns, e.g. through ads tailored to the interests of Users (including those related to the Application). The Google Ads platform also allows us to display our ads to people who have visited the Application in the past. Information on data processing by Google in relation to the above service is available at: https://policies.google.com/technologies/ads?hl=pl.
    7. META PIXEL
      Meta Pixel is a tool used on the Application that allows the Administrator to measure the effectiveness of advertising campaigns carried out by the Administrator, optimize them, and build a group of recipients for these campaigns based on movements on the Application. It also allows the Administrator to analyze which Users visited the Application after previously viewing an advertisement on Facebook or Instagram, which may help the Administrator target advertisements to audiences who are potentially interested in the Administrator's products or services (retargeting).

      With regard to personal data processed using this tool, Meta Platforms Ireland Limited, based in Ireland, has the status of joint controller of personal data together with the Administrator. Users' personal data is processed by joint controllers for the purpose of measurement and analysis within the Application. The Administrator and Meta have adopted joint arrangements in this regard, which can be found at these links: https://pl-pl.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0, https://pl-pl.facebook.com/help/443357099140264?helpref=about_contentoraz, https://www.facebook.com/legal/controller_addendum
    8. YOUTUBE
      The Administrator uses the YouTube tool on the Application to analyze and compile statistics on the playback of videos posted on the Application that originate from the YouTube platform. The use of this tool results in the processing of the User's personal data using cookies provided by YouTube, provided that the User using the Application consents to their installation. Detailed information on data processing by YouTube can be found at these links: https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/#protecting-viewer-data, https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/#privacy-guidelines, and https://support.google.com/youtube/answer/10364219?hl=pl.
  8. MANAGING COOKIE SETTINGS
    1. The use of cookies to collect data, including access to data stored on the User's device, requires the User's consent. On the Application, the Administrator obtains consent from the User via the cookie consent management platform. This consent may be withdrawn at any time in accordance with the rules described in section VIII.4 below.
    2. Consent is not required only in the case of cookies whose use is necessary to provide a telecommunications service (data transmission for the purpose of displaying content) – the User cannot opt out of these cookies if they want to use the Application.
    3. In order to receive advertising tailored to the User's preferences, in addition to consenting to the installation of cookies via the cookie consent management platform, it is necessary to maintain appropriate browser settings that allow cookies from the Application to be stored on the User's end device.
    4. Withdrawal of consent to the collection of cookies on the Application is possible via the Application. The User can return to the banner by clicking on the button below, available in the footer of each subpage of the Application. The User also has the option to withdraw consent by changing their browser settings. Detailed information on this subject can be found at the following links:
      1. Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
      2. Mozilla Firefox: https://support.mozilla.org/pl/kb/ciasteczka
      3. Google Chrome: https://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
      4. Opera: https://help.opera.com/Windows/12.10/pl/cookie.html/
      5. Safari: https://support.apple.com/kb/PH5042?locale=en-GB
    5. To exercise your rights to access, correct, delete, restrict, transfer, object to the processing of your personal data, file a complaint, or ask another question about cookies, please send your request to contact@lightapply.com.
  9. PERIOD OF PERSONAL DATA PROCESSING
    1. The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service, until the consent is withdrawn or an effective objection to data processing is raised in cases where the legal basis for data processing is the legitimate interest of the Administrator.
    2. The period of data processing may be extended if processing is necessary to establish and pursue possible claims or defend against them, and after that time only if and to the extent required by law. After the processing period has expired, the data is irrevocably deleted or anonymized.
  10. USER RIGHTS
    1. The User has the right to: access the content of the data and request its rectification, deletion, restriction of processing, the right to transfer data and the right to object to the processing of data, as well as the right to lodge a complaint with the supervisory authority responsible for personal data protection.
    2. To the extent that the User's data is processed on the basis of consent, it may be withdrawn at any time by contacting the Administrator or using the functionalities available on the Application. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
    3. The User has the right to object to the processing of data for marketing purposes if the processing is carried out in connection with the legitimate interest of the Administrator, as well as for reasons related to the specific situation of the User – in other cases where the legal basis for data processing is the legitimate interest of the Administrator (e.g., in connection with the pursuit of analytical and statistical purposes).
  11. DATA RECIPIENTS
    1. In connection with the provision of services, personal data will be disclosed to external entities, including in particular providers of IT systems and services, analytical and marketing tools, and entities affiliated with the Administrator, including companies from its capital group.
    2. If the User's consent is obtained, their data may also be made available to other entities for their own purposes, including marketing purposes.
    3. The Administrator reserves the right to disclose selected information about the User to competent authorities or third parties who request such information, based on an appropriate legal basis and in accordance with applicable law.
  12. OBTAINING DATA FROM EXTERNAL SOURCES
    1. The Administrator may use User data from external sources (e.g., the Administrator's social media profiles, visited websites, location data), including data received from the Facebook social network, the Instagram social network, and other partners of the Administrator. This data may include User activity and behavior histories. The Administrator will process it in order to better understand Users' purchasing preferences and to continuously improve the personalized offer provided to Users via the Application in accordance with the rules set out in the Policy and Terms and Conditions.
  13. TRANSFER OF DATA OUTSIDE THE EEA
    1. The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Administrator transfers Personal Data outside the EEA only when necessary and with an adequate level of protection, primarily through:
      1. cooperation with entities processing Personal Data in countries for which the European Commission has issued an appropriate decision confirming the adequate level of protection of Personal Data; in some cases, the European Commission additionally requires that such a processor participate in programs approved by it, bringing together entities from outside the EEA, whose participants are required to provide Personal Data with the same protection as they enjoy in the European Union (detailed information can be found here);
      2. the use of standard contractual clauses issued by the European Commission; together with the required additional security measures, they ensure the same level of protection for Personal Data as in the European Union; sample contracts can be found here;
      3. the use of binding corporate rules approved by the competent supervisory authority.
    2. The controller always informs about the intention to transfer personal data outside the EEA at the stage of their collection.
    3. Users' personal data, processed by the Administrator in connection with the Users' use of the Application, is transferred to entities outside the European Economic Area (hereinafter: EEA), i.e.:
      1. in connection with the User's use of the Wix service, because the provider of this tool, Wix.com Ltd. based in Tel Aviv, Israel, transfers Personal Data to its subcontractor, Wix.com Poland Sp. z o.o. based in Poland, in Krakow at ul. Prądnicka 20A. Wix.com Poland Sp. z o.o., based in Krakow, Poland, transfers data to the following countries located outside the EEA: the USA, including as part of its cooperation with the following further providers: Meta, Inc., based in the USA, and Google Ireland Limited, based in Dublin (Ireland), which transfers it to its subcontractors located outside the EEA – in accordance with the information in sections 13.3.2. and 13.3.3. below. The legal basis for the transfer of personal data to the USA is the adequacy decision referred to in section 13.1.1. above in connection with obtaining an entry on the list of self-certified entities under the Data Privacy Framework program, and in other cases – the standard contractual clauses issued by the European Commission referred to in section 13.1.2. above;
      2. in connection with the use of Google Analytics, because the provider of this tool, Google Ireland Limited, based in Ireland, transfers Personal Data to its subcontractors providing services outside the EEA, i.e.:
        1. Google UK Ltd in the United Kingdom, Google Israel Ltd. in Israel, TMJ, Inc. in Japan, SCSK Serviceware Corporation in Japan, K.K. Teledirect Japan, Jellyfish U.K. Limited in the United Kingdom, Accenture Japan Ltd. in Japan, Google Argentina S.R.L. in Argentina, Google Infraestructura Argentina S.R.L. in Argentina, Atento Argentina S.A. in Argentina, Cognizant Technology Solutions de Argentina SRL in Argentina ─ in this case, Personal Data is transferred outside the EEA based on the adequacy decision referred to in section 13.1.1. above,
        2. Google Peru S.R.L. in Peru, Google Kenya Limited in Kenya, Google FZ LLC in the United Arab Emirates, Google Colombia Limitada in Colombia, Google Brasil Internet Ltda. in Brazil, Google Australia Pty Ltd. in Australia, Google Asia Pacific Pte. Ltd. in Singapore, GOC Services India Private Limited in India, GOC Philippines, Inc. in the Philippines, TTEC Brasil Serviços Ltda. in Brazil, TDCX (MY) Sdn. Bhd. in Malaysia, Regalix India Private Limited in India, Regalix Inc. in the USA, Intelenet Global Services Private Limited in India, HCL Technologies Limited in India, HCL (Brazil) Tecnologia da Informação Ltda in Brazil, HCL America Inc. in the USA, GlobalLogic Technologies Limited in India, GlobalLogic Inc. in the USA, EPAM Systems Inc. in the USA, Concentrix Daksh Services India Private Limited in India, Concentrix Solutions Corporation in the USA, Competence Call Center İstanbul Çağrı Merkezi Hizmetleri Anonim Şirketi in Turkey, Cognizant Technology Solutions Philippines, Inc. in the Philippines, Cognizant Technology Solutions India Private Limited in India, Cognizant Technology Solutions de Mexico S.A. de C.V. in Mexico, Cognizant Serviços de Tecnologia e Software do Brasil S/A in Brazil, Accenture Solutions Private Limited in India, Accenture LLP in the USA, Accenture Inc. in the Philippines, Accenture Co. Ltd. in Taiwan ─ in this case, Personal Data is transferred outside the EEA on the basis of the standard contractual clauses issued by the European Commission, referred to in section 13.1.2. above;
      3. in connection with the use of the Google Tag Manager tool, because the provider of this tool, Google Ireland Limited, based in Ireland, transfers Personal Data to its subcontractors providing services outside the EEA, i.e.
        1. Google UK Ltd in the United Kingdom, Google New Zealand Limited in New Zealand, Google Israel Ltd. in Israel, SCSK Serviceware Corporation in Japan, K.K. Teledirect Japan in Japan, Jellyfish U.K. Limited in the United Kingdom, Accenture Japan Ltd. in Japan, Google Argentina S.R.L. in Argentina, Google Infraestructura Argentina S.R.L. in Argentina, Cognizant Technology Solutions de Argentina SRL in Argentina ─ in which case Personal Data is transferred outside the EEA on the basis of the adequacy decision referred to in section 13.1.1. above,
        2. Google Peru S.R.L. in Peru, Google Kenya Limited in Kenya, Google FZ LLC in the United Arab Emirates, Google Colombia Limitada in Colombia, Google Brasil Internet Ltda. in Brazil, Google Australia Pty Ltd. in Australia, Google Asia Pacific Pte. Ltd. in Singapore, GOC Services India Private Limited in India, GOC Philippines, Inc. in the Philippines, TDCX (MY) Sdn. Bhd. in Malaysia, Regalix Inc. in the US, Intelenet Global Services Private Limited in India, HCL Technologies Limited in India, HCL (Brazil) Tecnologia da Informação Ltda in Brazil, HCL America Inc. in the US, GlobalLogic Technologies Limited in India, GlobalLogic Inc. in the US, EPAM Systems Inc. in the US, Concentrix Daksh Services India Private Limited in India, Concentrix Solutions Corporation in the US, Cognizant Technology Solutions Philippines, Inc. in the Philippines, Cognizant Technology Solutions India Private Limited in India, Cognizant Technology Solutions de Mexico S.A. de C.V. in Mexico, Cognizant Serviços de Tecnologia e Software do Brasil S/A in Brazil, Accenture Solutions Private Limited in India, Accenture LLP in the USA, Accenture Inc. in the Philippines, Accenture Co. Ltd. in Taiwan ─ in this case, Personal Data is transferred outside the EEA on the basis of the standard contractual clauses issued by the European Commission, referred to in section 13.1.2. above;
      4. in connection with the use of the Meta Pixel tool, because the provider of this tool, Meta Platforms Ireland Limited, based in Ireland, which has the status of a joint controller, transfers Personal Data to its subcontractors providing services outside the EEA, i.e.:
        1. Meta Platforms Inc. based in the USA – in this case, Personal Data is transferred outside the EEA on the basis of the adequacy decision referred to in point 13.1.1. above, in connection with the subcontractor's entry on the list of self-certified entities under the Data Privacy Framework program;
        2. Andale Inc., Greater Kudu LLC, Goldframe LLC, Meta Operations LLC, Morning Hornet LLC, Offprints LLC, Omanyte LLC, Paile LLC, Raven Northbrook Services Limited, Scout Development LLC, Siculus Inc., Sidecat LLC, Stadion LLC, Starbelt LLC, Woolhawk LLC, Vitesse LLC, Winner LLC d/b/a Ernst LLC located in the USA ─ in this case, Personal Data is transferred outside the EEA on the basis of the standard contractual clauses issued by the European Commission referred to in point 13.1.2. above;
      5. in connection with the use of the Cloudflare Turnstile tool, as the provider of this tool, Cloundflare, Inc. is based in the United States. The transfer of data is based on the adequacy decision referred to in section 13.1.1. in connection with obtaining an entry on the list of self-certified entities under the Data Privacy Framework program. The provider may also transfer Personal Data to its subcontractors located outside the EEA, i.e.:
        1. Slack Technologies, Inc. ─ based on the standard contractual clauses issued by the European Commission referred to in section 13.1.2. above.
        2. Zendesk, Inc. – based on the standard contractual clauses issued by the European Commission, referred to in section 13.1.2. above.
        3. Salesforce, Inc. – based on the adequacy decision referred to in section 13.1.1. in connection with obtaining an entry on the list of self-certified entities under the Data Privacy Framework program;
        4. Cloudflare Group companies, i.e. Cloudflare Ltd. in the United Kingdom, Cloudflare Pte. Ltd. in Singapore, Cloudflare Australia Pty Ltd in Australia, Cloudflare Japan K.K. in Japan, Cloudflare (Canada) Information Technology Co., Ltd. in Canada, Cloudflare Middle East FZ- LLC in Dubai, U.A.E., Cloudflare India Private Limited in India, Area 1 Security, LLC in the United States, Cloudflare Korea LLC in Korea, Cloudflare Mexico S. de R.L de C.V. in Mexico City, and Cloudflare Malaysia Sdn. Bhd. in Malaysia – based on the adequacy decision referred to in section 13.1.1. or the standard contractual clauses issued by the European Commission referred to in section 13.1.2. above, respectively;
    4. To the extent that the basis for the transfer of data to the provider or its subcontractor indicated in section XIII. 3 is the standard contractual clauses issued by the European Commission, the User has the right to obtain a copy of the standard contractual clauses establishing appropriate safeguards and a summary description of the security measures applied. To do so, please contact the Administrator at the following e-mail address: contact@lightapply.com
    5. The Administrator has assessed the risk of transferring Users' personal data outside the European Economic Area and has determined that, in connection with the security measures applied, the transfer of personal data to the entities indicated in point 13.3. above may take place on the basis of the standard contractual clauses referred to in point 13.4. above.
  14. PERSONAL DATA SECURITY
    1. The controller conducts ongoing risk analysis to ensure that personal data is processed by it in a secure manner, ensuring, above all, that only authorized persons have access to the data and only to the extent necessary for the performance of their tasks. The controller ensures that all operations on personal data are recorded and performed only by authorized employees and associates.
    2. The controller takes all necessary measures to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process personal data on behalf of the controller.
  15. CONTACT DETAILS
    1. The Administrator can be contacted via email at: contact@lightapply.com or by post at: ul. Plac Matejki 21b/2, 65-056 Zielona Góra, Poland.
    2. The Administrator has appointed a Data Protection Officer who can be contacted by email at contact@lightapply.com or in writing at the Administrator's mailing address for any matters relating to the processing of personal data.
  16. CHANGES TO THE PRIVACY POLICY
    1. The Policy is reviewed on an ongoing basis and updated as necessary. In the event of an update to the Policy, the User will be notified by displaying clear information on the Application or by sending an email to the User. In some cases, the User may be notified in advance of an update to the Policy, and the fact of using the Application's services will mean acceptance of the updated version of the Policy.
    2. A User who does not accept the terms and conditions of the Application's services after the new version of the Policy comes into force may cease to use the Application's services.
    3. The current version of the Policy was adopted and has been in force since January 1, 2025.