Umowa o przetwarzanie danych
Jest to automatyczne tłumaczenie ułatwiające zapoznanie się z dokumentem.
W przypadku rozbieżności pierwszeństwo ma oryginalna wersja w języku angielskim.
W przypadku rozbieżności pierwszeństwo ma oryginalna wersja w języku angielskim.
The use of the platform involves the collection and processing of personal data. When you provide your personal data, for example, during registration or plan payment, we process it in accordance with the Privacy Policy.
If you place information about individuals on the website, use data collection forms, customer relationship management system, tools for creating online stores, training courses, as well as connect advanced statistics analysis, you become a controller of personal data of third parties. We process such data as a processor, acting on your behalf.
This Data Processing Agreement (hereinafter referred to as the DPA) is an integral part of the Terms of Service (hereinafter referred to as the Agreement). All terms and definitions are used in the DPA in the same meaning as in the Agreement. Terms related to the processing of personal data shall be interpreted as provided for by the applicable legislation.
If you place information about individuals on the website, use data collection forms, customer relationship management system, tools for creating online stores, training courses, as well as connect advanced statistics analysis, you become a controller of personal data of third parties. We process such data as a processor, acting on your behalf.
This Data Processing Agreement (hereinafter referred to as the DPA) is an integral part of the Terms of Service (hereinafter referred to as the Agreement). All terms and definitions are used in the DPA in the same meaning as in the Agreement. Terms related to the processing of personal data shall be interpreted as provided for by the applicable legislation.
1. General Terms of Processing
1.1. Subject Matter. In order to fulfill the obligations under the Agreement, the User instructs, and the Administration undertakes to process personal data of third parties collected or otherwise processed through the functionality of the Platform.
The provisions of the DPA shall constitute documented instructions of the User within the meaning of applicable data protection legislation.
1.2. Categories of Data Subjects. For the purposes of the DPA, third parties may include any natural persons, including:
1) employees, consultants, contractors, business partners, and contact persons whose information is published or otherwise made available within the User’s Project;
2) candidates, current or prospective clients or partners of the User who submit personal data through data collection forms within the User’s Project;
3) visitors of the User’s Project whose information is collected automatically.
1.3. Purpose of Processing and Categories of Personal Data. The Administration shall process personal data on behalf of the User within the following scope:
The provisions of the DPA shall constitute documented instructions of the User within the meaning of applicable data protection legislation.
1.2. Categories of Data Subjects. For the purposes of the DPA, third parties may include any natural persons, including:
1) employees, consultants, contractors, business partners, and contact persons whose information is published or otherwise made available within the User’s Project;
2) candidates, current or prospective clients or partners of the User who submit personal data through data collection forms within the User’s Project;
3) visitors of the User’s Project whose information is collected automatically.
1.3. Purpose of Processing and Categories of Personal Data. The Administration shall process personal data on behalf of the User within the following scope:
Purpose | Categories of Personal Data |
Posting information about individuals on Projects | The list is determined by the User independently based on the Platform’s functionalities and is not controlled by the Administration |
Using data collection forms, Tilda CRM, creation of online stores and training courses through the Personal Account, shopping cart, payment systems and/or delivery services on the Projects | Depending on the functionality used and its settings, the personal data processed may include: name, e-mail address, phone number, address, last 4 digits of the bank card, expiry date of the bank card, information about orders, order history, information about purchased goods. Any other list is determined by the User independently based on the Platform’s functionalities and is not controlled by the Administration |
Using internal statistics of Projects on the Platform provided that the simplified mode in the Project settings has been disabled by the Use | Redirection sources, IP, including country and city by IP. Statistics cookies previous URL, tildasid and tildauid, TILDAUTM |
Integration with Third-Party Services, including analytics and statistics services | Cookies determined by the User and the owner of the Third-Party Service independently |
Application of protection and security systems | IP addresses, essential cookies to protect the Project from DDoS attacks – __ddgN where N is any number, _ddgid and __ddgmark, and cookies to prevent unauthorized access |
1.4. Data Processing Restrictions. The User independently assesses the lawfulness of personal data processing on the Platform, as well as the possibility of authorizing the Administration to process such data. User accepts and acknowledges that:
1) the Administration does not process personal data relating to health, genetic data, biometric data, or other special categories of personal data;
2) the functional possibility of posting Content on the Projects is not intended for publishing images containing personal data, including photos of individuals and scanned copies of documents.
1.5. Duration of Processing. The Administration shall process personal data of third parties for the duration of the Agreement or for any additional period necessary to fulfil the obligations under the Agreement, until such data is erased in accordance with the procedures set out in the DPA.
2. User Responsibilities, Warranties and Representations
2.1. Organizing Personal Data Processing on the Platform. The User, being the data controller, independently organizes the processing of personal data of individuals on the Platform. The User determines the purposes and grounds for processing personal data, its composition, list of actions and operations to be performed.
2.2. Ensuring Legal Compliance. When processing personal data on the Project, the User shall independently ensure compliance with the applicable legislation. In particular, the User without the Administration involved:
1) establishes the procedure for collecting consents to the processing of personal data on the Project, including the use of data collection forms and/or analytics services;
2) publishes a privacy policy or privacy notice on the Project;
3) appoints responsible persons and develops a set of internal documents regulating data processing.
2.3. Existence of a Legal Ground. By processing personal data on the Platform, the User represents and warrants that they have obtained the consents of the subjects or other legal ground for processing the data and its transfer to the Administration under the DPA.
At the request of the Administration sent to the User's e-mail address specified in the Account, the User undertakes to provide documents confirming the existence of legal grounds for processing within 24 hours of receipt of the request.
2.4. Connecting Third-Party Services. When using the Platform, the User may be offered to connect Third-Party Services that collect or otherwise process personal data, including data collection services, payment systems and/or delivery services.
Data processing by Third-Party Services is performed by their owners acting independently of the Administration and not acting in the name of and/or on behalf of the Administration. The Administration is not responsible for processing of personal data by owners of Third-Party Services.
The User undertakes to independently ensure the lawfulness of personal data processing when connecting Third-Party Services, including issue of separate instructions for processing with their owners.
2.5. Cross-Border Transfers. When using the Platform’s functionality, cross-border transfer of personal data of third parties may occur on the User's initiative, in particular, when:
1) changing the User’s profile country;
2) granting access to a Project to a User with another profile country;
3) transferring a Project to the Account of a User with another profile country.
4) connecting Third-Party Services to the Project.
The User undertakes to independently ensure the security of the cross-border transfer of personal data in accordance with the requirements of applicable legislation.
2.2. Ensuring Legal Compliance. When processing personal data on the Project, the User shall independently ensure compliance with the applicable legislation. In particular, the User without the Administration involved:
1) establishes the procedure for collecting consents to the processing of personal data on the Project, including the use of data collection forms and/or analytics services;
2) publishes a privacy policy or privacy notice on the Project;
3) appoints responsible persons and develops a set of internal documents regulating data processing.
2.3. Existence of a Legal Ground. By processing personal data on the Platform, the User represents and warrants that they have obtained the consents of the subjects or other legal ground for processing the data and its transfer to the Administration under the DPA.
At the request of the Administration sent to the User's e-mail address specified in the Account, the User undertakes to provide documents confirming the existence of legal grounds for processing within 24 hours of receipt of the request.
2.4. Connecting Third-Party Services. When using the Platform, the User may be offered to connect Third-Party Services that collect or otherwise process personal data, including data collection services, payment systems and/or delivery services.
Data processing by Third-Party Services is performed by their owners acting independently of the Administration and not acting in the name of and/or on behalf of the Administration. The Administration is not responsible for processing of personal data by owners of Third-Party Services.
The User undertakes to independently ensure the lawfulness of personal data processing when connecting Third-Party Services, including issue of separate instructions for processing with their owners.
2.5. Cross-Border Transfers. When using the Platform’s functionality, cross-border transfer of personal data of third parties may occur on the User's initiative, in particular, when:
1) changing the User’s profile country;
2) granting access to a Project to a User with another profile country;
3) transferring a Project to the Account of a User with another profile country.
4) connecting Third-Party Services to the Project.
The User undertakes to independently ensure the security of the cross-border transfer of personal data in accordance with the requirements of applicable legislation.
3. Transfers of Personal Data by the Administration
3.1. Transfers to Third Parties. The Administration transfers personal data based on data processing agreements to the following processors:
1) Hetzner Online GmbH – for storage of personal data on servers;
2) G-Core Labs SA – for storage and backup of User Projects;
3) Google Cloud EMEA Limited – for ensuring information security of Projects.
The User hereby grants the Administration general written authorization to engage the specified processors for personal data processing.
All processors processing personal data on behalf of the Administration undertake to comply with confidentiality, protection, and security measures required by applicable legislation.
Subject to the limitations of liability set out herein, the Administration remains responsible before the User for acts and/or omissions of engaged processors.
3.2. Changes to the List of Engaged Processors. The Administration has the right to involve other third parties in the processing of personal data, subject to prior notification to the User. The notification is sent to the e-mail address used for authorization on the Platform, or by posting relevant information in the Personal Account.
The User has the right to submit reasoned objections to the change in the list of engaged processors within 10 days from the date of notification. At the same time, the User understands and acknowledges that:
1) the engagement of third parties may be necessary for the proper fulfillment of the Administration's obligations under the Agreement;
2) if objections are received, the Administration may unilaterally terminate the Agreement out of court.
3.3. Security of Cross-Border Transfers. The Administration carries out cross-border transfer of personal data on the territory of:
1) Member States of the European Union – for storage and information security purposes;
2) the United States of America – for storage and backup of User Projects.
Prior to initiating a cross-border transfer, the Administration shall determine whether the country to which the personal data is transferred is recognized as providing an adequate level of data protection in accordance with applicable law.
When transferring personal data to a country that does not ensure the required level of protection, the Administration undertakes to enter into standard contractual clauses with the recipient or to ensure the application of binding corporate rules.
1) Hetzner Online GmbH – for storage of personal data on servers;
2) G-Core Labs SA – for storage and backup of User Projects;
3) Google Cloud EMEA Limited – for ensuring information security of Projects.
The User hereby grants the Administration general written authorization to engage the specified processors for personal data processing.
All processors processing personal data on behalf of the Administration undertake to comply with confidentiality, protection, and security measures required by applicable legislation.
Subject to the limitations of liability set out herein, the Administration remains responsible before the User for acts and/or omissions of engaged processors.
3.2. Changes to the List of Engaged Processors. The Administration has the right to involve other third parties in the processing of personal data, subject to prior notification to the User. The notification is sent to the e-mail address used for authorization on the Platform, or by posting relevant information in the Personal Account.
The User has the right to submit reasoned objections to the change in the list of engaged processors within 10 days from the date of notification. At the same time, the User understands and acknowledges that:
1) the engagement of third parties may be necessary for the proper fulfillment of the Administration's obligations under the Agreement;
2) if objections are received, the Administration may unilaterally terminate the Agreement out of court.
3.3. Security of Cross-Border Transfers. The Administration carries out cross-border transfer of personal data on the territory of:
1) Member States of the European Union – for storage and information security purposes;
2) the United States of America – for storage and backup of User Projects.
Prior to initiating a cross-border transfer, the Administration shall determine whether the country to which the personal data is transferred is recognized as providing an adequate level of data protection in accordance with applicable law.
When transferring personal data to a country that does not ensure the required level of protection, the Administration undertakes to enter into standard contractual clauses with the recipient or to ensure the application of binding corporate rules.
4. Security of Processing
4.1. Implemented Measures. The Administration shall maintain confidentiality and ensure security of personal data in accordance with applicable legislation, including:
1) maintaining records of processing activities;
2) defining a list of persons authorized to collect and process personal data or having access to it;
3) establishing access control procedures for personal data;
4) use of secure communication channels and encryption;
5) application of pseudonymization techniques, including the use of IDs in the Administration’s internal systems;
6) implementation of identification and/or authentication mechanisms when processing personal data;
7) use of backup and recovery systems;
8) assessment and management of information security risks;
9) addressing data protection and security requirements in contracts and/or data processing agreements with service providers;
10) conducting regular technical audits.
4.2. Personal Data Breach. In the event that a personal data breach is identified, resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and/or access to personal data of third parties, the Administration is obliged to notify the User of this breach without undue delay.
The notification shall include a description of the nature of the breach, the possible consequences for the data subjects, and the measures that the Administration has taken and/or intends to take to mitigate such consequences.
At the same time, the User understands and acknowledges that the notification of a personal data breach can under no circumstances be considered an admission of fault and/or liability on the part of the Administration.
1) maintaining records of processing activities;
2) defining a list of persons authorized to collect and process personal data or having access to it;
3) establishing access control procedures for personal data;
4) use of secure communication channels and encryption;
5) application of pseudonymization techniques, including the use of IDs in the Administration’s internal systems;
6) implementation of identification and/or authentication mechanisms when processing personal data;
7) use of backup and recovery systems;
8) assessment and management of information security risks;
9) addressing data protection and security requirements in contracts and/or data processing agreements with service providers;
10) conducting regular technical audits.
4.2. Personal Data Breach. In the event that a personal data breach is identified, resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and/or access to personal data of third parties, the Administration is obliged to notify the User of this breach without undue delay.
The notification shall include a description of the nature of the breach, the possible consequences for the data subjects, and the measures that the Administration has taken and/or intends to take to mitigate such consequences.
At the same time, the User understands and acknowledges that the notification of a personal data breach can under no circumstances be considered an admission of fault and/or liability on the part of the Administration.
5. Assistance to the User
5.1. Provision of Information and Audit. At the User's request, during the term of the DPA, the Administration is obliged to provide documents and other information confirming that measures have been taken and are being complied with in order to execute the DPA. However, the User may submit such requests no more than once every 3 months.
Upon the User's written request, the Administration undertakes to assist in conducting audits or inspections by providing the User with the necessary information on the personal data processing procedures.
5.2. Assistance in Compliance with Obligations. As a general rule, the User, being the personal data controller, shall independently ensure compliance with the requirements established by applicable law.
However, taking into account the nature of the processing, upon the User's written request, the Administration shall provide reasonable assistance in complying with obligations related to:
1) ensuring the security of processing;
2) preparing notifications of personal data breaches;
3) conducting data protection impact assessments;
4) conducting prior consultations with supervisory authorities;
5) processing data subject requests by implementing appropriate technical and organizational measures, to the extent feasible given the nature of the processing.
Upon the User's written request, the Administration undertakes to assist in conducting audits or inspections by providing the User with the necessary information on the personal data processing procedures.
5.2. Assistance in Compliance with Obligations. As a general rule, the User, being the personal data controller, shall independently ensure compliance with the requirements established by applicable law.
However, taking into account the nature of the processing, upon the User's written request, the Administration shall provide reasonable assistance in complying with obligations related to:
1) ensuring the security of processing;
2) preparing notifications of personal data breaches;
3) conducting data protection impact assessments;
4) conducting prior consultations with supervisory authorities;
5) processing data subject requests by implementing appropriate technical and organizational measures, to the extent feasible given the nature of the processing.
6. Deletion of Personal Data
6.1. Ensuring the Rights of Subjects. The User undertakes to process personal data on the Platform until the processing purposes are fulfilled. If the consent to personal data processing is withdrawn, or the grounds allowing such processing are terminated, the User shall independently ensure the erasure of personal data.
6.2. Return or Deletion Procedure. Upon receipt of a separate request, the Administration shall, at the User’s choice, delete or return the personal data received from the User within a period not exceeding 30 days, unless another period is established by applicable law.
The Administration shall also delete personal data upon expiration of the retention period established on the Platform or determined independently by the User. In particular, when using data collection forms on the Project, the data retention period shall be set through the relevant Project settings.
At the same time, the Administration shall have the right not to delete and/or not to return personal data received from the User where the right or obligation to retain such data is provided for under applicable law.
6.3. Blocks and Restrictions on the Platform. In case of violation or reasonable suspicion that the User has violated the Agreement and/or the applicable legislation, the Administration shall be entitled to block the User's account, as well as take other measures provided for by the Agreement.
The User understands and acknowledges that if the Administration takes administrative measures, the personal data processed under the DPA may be deleted without the possibility of subsequent recovery.
6.2. Return or Deletion Procedure. Upon receipt of a separate request, the Administration shall, at the User’s choice, delete or return the personal data received from the User within a period not exceeding 30 days, unless another period is established by applicable law.
The Administration shall also delete personal data upon expiration of the retention period established on the Platform or determined independently by the User. In particular, when using data collection forms on the Project, the data retention period shall be set through the relevant Project settings.
At the same time, the Administration shall have the right not to delete and/or not to return personal data received from the User where the right or obligation to retain such data is provided for under applicable law.
6.3. Blocks and Restrictions on the Platform. In case of violation or reasonable suspicion that the User has violated the Agreement and/or the applicable legislation, the Administration shall be entitled to block the User's account, as well as take other measures provided for by the Agreement.
The User understands and acknowledges that if the Administration takes administrative measures, the personal data processed under the DPA may be deleted without the possibility of subsequent recovery.
7. Liability, Compensation for Losses
7.1. Liability of the Administration. The Administration shall not be responsible for the actions of the User when processing personal data on the Platform. Any claims, demands or complaints of third parties related to the processing of their personal data should be resolved directly by the User without the Administration involved.
The Administration shall also not be responsible for acts and/or omissions related to the processing of personal data of third parties where the Administration has acted solely in accordance with the User’s instructions.
In any case, the Administration’s liability shall not exceed the amount of the cost of the Plan paid by the User and valid during the period of occurrence of events that are the basis for the emergence of property liability of the Administration.
7.2. User’s Responsibility and Compensation for Losses. The User, being the data controller under the legislation of the Russian Federation, is individually responsible to the subjects of personal data for the lawfulness of personal data processing.
In the event that a judicial and/or administrative case is initiated against the Administration, a lawsuit is brought, or a claim is made from any party due to the User’s violation of the personal data processing procedure, the User is obliged to compensate the Administration for all losses, including, reasonable legal expenses.
The Administration shall also not be responsible for acts and/or omissions related to the processing of personal data of third parties where the Administration has acted solely in accordance with the User’s instructions.
In any case, the Administration’s liability shall not exceed the amount of the cost of the Plan paid by the User and valid during the period of occurrence of events that are the basis for the emergence of property liability of the Administration.
7.2. User’s Responsibility and Compensation for Losses. The User, being the data controller under the legislation of the Russian Federation, is individually responsible to the subjects of personal data for the lawfulness of personal data processing.
In the event that a judicial and/or administrative case is initiated against the Administration, a lawsuit is brought, or a claim is made from any party due to the User’s violation of the personal data processing procedure, the User is obliged to compensate the Administration for all losses, including, reasonable legal expenses.
8. Miscellaneous
8.1. Governing Law. Regardless of the provisions of the Agreement, processing of personal data under these Instructions shall be governed by and construed in accordance with the laws of the United Arab Emirates.
Where data subjects whose personal data is processed by the Administration are located in a European Union and/or European Economic Area member state, the processing of personal data shall also be subject to the provisions of the General Data Protection Regulation.
8.2. Standard Contractual Clauses. Processing of personal data of individuals located in the European Union and/or European Economic Area by the Administration shall additionally be governed by Standard Contractual Clauses.
In accordance with the General Data Protection Regulation, these Standard Contractual Clauses ensure the lawfulness of personal data transfers to the United Arab Emirates.
In the event of any conflict between these Instructions and the provisions of the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
Where data subjects whose personal data is processed by the Administration are located in a European Union and/or European Economic Area member state, the processing of personal data shall also be subject to the provisions of the General Data Protection Regulation.
8.2. Standard Contractual Clauses. Processing of personal data of individuals located in the European Union and/or European Economic Area by the Administration shall additionally be governed by Standard Contractual Clauses.
In accordance with the General Data Protection Regulation, these Standard Contractual Clauses ensure the lawfulness of personal data transfers to the United Arab Emirates.
In the event of any conflict between these Instructions and the provisions of the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
