Privacy Policy
1. Introduction
This Privacy Policy outlines the rules regarding the collection and processing of Personal Data in connection with the use of the Website for the purpose of providing electronic services by ICTK. Depending on whether you are a User, an unregistered User, or a Specialist, please refer to the relevant section for more information.
2. Definitions Used in the Privacy Policy
- Cookies – text data collected in the form of files placed on the Device of the User, unregistered User, or Specialist.
- Personal Data – Any information related to an identified or identifiable natural person (“data subject”); an identifiable person can be identified, directly or indirectly, by reference to identifiers like name, ID number, location data, IP address, or one or more of these characteristics describing the natural person in question – physical, physiological, genetic, psychological, economic, cultural or social identity.
- EEA – European Economic Area – a free trade zone and single market, including the countries of the European Union and the European Free Trade Association, excluding Switzerland and the United Kingdom.
- Account – a collection of resources and settings created for a User or Specialist.
- Unconfirmed Account – a technical account created after ICTK receives a correctly completed registration form or authentication is performed and the Terms and Conditions are accepted. ICTK maintains an Unconfirmed Account until the Account creation is confirmed, but in any case, for no longer than 30 days from the day the registrant receives an email with an activation link.
- ICTK, we, our – ICTK Prosta Spółka Akcyjna with headquarters in Warsaw, Nowogrodzka 56A, 00-695, entered into the registry of enterprise maintained by the District Court for the city of Warsaw, in Warsaw, 12th Commercial Division of the National Court Register with the KRS number: 0001058111, REGON: 526412310, NIP: 7011164909, e-mail: kontakt@ictk.pl
- Processing – an operation or set of operations performed on Personal Data or sets of Personal Data, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Privacy Policy – this document.
- Specialist – a person who, as part of their activities, provides psychological or psychotherapeutic services to ICTK Users.
- Profile – an Account feature that allows a User or Specialist to input and store selected information.
- Terms and Conditions – the Terms of Service for providing electronic services within the Website.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Platform – websites through which ICTK provides its services, i.e., ictk.pl, zatrzymajsie.pl
- Electronic Device – a device and its software through which a User, unregistered User, or Specialist gains access to the Service.
- Services – services provided by us within the scope of operating the Websites, described in detail in the Terms and Conditions, including the provision of Account services.
- Privacy Settings – an Account feature that allows a User or Specialist to manage the Services and functionalities, including independently modifying their scope and selecting privacy preferences.
- User – an adult natural person with an Account, using the Services offered by ICTK within the Service. In the case of a minor or fully incapacitated person, the User is considered to be the legal representative of that person.
- Unregistered User – a natural person or a sole proprietor using Services offered by ICTK on the Website, which do not require the creation of an Account.
In the Privacy Policy, we also use the names of specific Services and Account functionalities (e.g., Profile), which are described in detail in the Website’s Terms and Conditions.
3. Personal Data Administrator and Contact Methods
ICTK is the administrator of your personal data regarding the use of Services.
If you have any questions regarding the processing of your Personal Data and the rights you are entitled to in this regard, please contact us in the following ways:
- via the contact form;
- with our Data Protection Officer by sending an email to iod@ictk.pl
4. Personal Data, Purposes, and Legal Bases for Processing in Relation to Different Categories of Individuals
Since the Service provides various services and functionalities for Unregistered Users, Users, and Specialists, depending on who you are, we will process your personal data for different purposes, to different extents, and on different legal bases specified in GDPR regulations. We aim to ensure that the information you receive is as clear as possible, which is why our Privacy Policy includes sections dedicated to different categories of people visiting our Service.
If you are an unregistered user or a user
Account Creation and Authentication
Purpose | Data Scope | Legal Basis |
---|---|---|
Account creation | Email address, password, IP address | Necessity for the performance of a contract for the provision of account services (Article 6(1)(b) of GDPR) |
Authentication via Facebook, Google, or Apple | Email address, password, IP address, first and last name | Necessity for the performance of a contract for the provision of account services (Article 6(1)(b) of GDPR) |
Provision of Services Not Requiring Registration or Account Creation
PURPOSE: Provision of Services Not Requiring Registration
- the ability to explore online psychotherapy;
- learning about the SFBT method;
- getting to know ICTK;
- finding/searching for a specialist;
- accessing materials related to mental health.
DATA SCOPE: Data related to activities in the Services: data on viewed content, sessions, device used, operating system, browser, location, ID number. If you contact us via social media platforms like Facebook, we may additionally process your data to the extent you provide it on that platform, such as your profile picture, first and last name, and data included in messages sent to us on Messenger.
LEGAL BASIS: Necessity for the execution of a contract for the provision of electronic services (Article 6(1)(b) of GDPR)
Provision of Services Requiring Registration and Account Creation
PURPOSE: Provision of Services Requiring Registration in our Websites
- psychological first aid;
- regular psychotherapy;
- psychological counseling;
- specialist consultation;
- participation in webinars and training sessions.
The full range of services requiring registration and account creation is specified in our Terms and Conditions.
DATA SCOPE: Data available in the User’s account, such as first and last name, email address, phone number, information related to psychotherapy, notes made by specialists summarizing sessions, notes created during sessions and meetings by specialists, information included in homework that the participant may be asked to complete during therapeutic sessions.
LEGAL BASIS: Necessity for the performance of a contract for the provision of electronic services (Article 6(1)(b) of GDPR), consent of the data subject (Article 9(2)(a) of GDPR) for data related to therapy.
It is permitted for minors to use services requiring account creation, with the explicit consent of their guardian or legal representative. In such a case, the guardian or legal representative must register the account, enter the minor’s data, and provide consent for the minor to use the services and for the associated processing of personal data.
Billing for Paid Services, Performing Tax and Accounting Obligations, Debt Collection, and Claims
Purpose | Data Scope | Legal Basis |
---|---|---|
Billing for paid service contracts | First and last name, address, email, phone number, data related to the purchased service. | Legitimate interest (Article 6(1)(f) of GDPR) – proper determination of fees for the use of services. |
Performing tax and accounting obligations related to contract execution, including the delivery of invoices and e-invoices | First and last name, address, email, phone number, information related to the purchased service, such as amount and date of financial transaction. | Compliance with legal obligations (Article 6(1)(c) of GDPR) – primarily resulting from applicable accounting and tax regulations. |
Debt collection actions | First and last name, address, email, phone number, information regarding overdue payments for services rendered. | Legitimate interest (Article 6(1)(f) of GDPR) – recovery of payments for properly rendered paid services. |
Pursuing or defending claims arising from improper performance of contracts | First and last name, address, email, phone number, information regarding overdue payments for services rendered, data related to the purchased service, including amount, date. | Legitimate interest (Article 6(1)(f) of GDPR) – pursuing and defending against claims from users who have used paid services. |
Marketing of Our Services
Purpose | Data Scope | Legal Basis |
---|---|---|
Direct marketing of our own Services and products | Data provided when creating an account, supplemented in the profile, information about services, such as participation in training (does not apply to matters discussed in therapy or related to its course), data provided in separate forms used to obtain consents, newsletters, as well as information about activity in our Services, collected based on Cookies (login and registration dates, visits to specific pages and subpages of the Services). | Legitimate interest (Article 6(1)(f) of the GDPR) – marketing of our own services and products. |
Remarketing | Information related to your activity on the Platforms – for remarketing activities, we use services of external providers, such as pixels, to collect information about your activity on the Platforms. This allows us to display our marketing messages to you on platforms other than our own. Details can be found in our Cookies Policy. | Legitimate interest (Article 6(1)(f) of the GDPR) – marketing of our own services and products. |
Other Purposes
Purpose | Data Scope | Legal Basis |
---|---|---|
Statistics on the use of Platforms, security of Platforms | Information about the subpages visited on our Platforms, time spent on our Platforms, search terms, IP address, location, device ID, information about the web browser and operating system used when visiting our Platforms. | Legitimate interest (Article 6(1)(f) of the GDPR) – ensuring safe and easy use of electronically provided services, improving the quality of the service. |
Pursuing or defending against claims | Name, email address, information related to the use of the Platforms, and other information necessary for pursuing or defending against claims, including the validity of the claim and the extent of the damage caused. | Legitimate interest (Article 6(1)(f) of the GDPR) – establishing, pursuing, or defending against claims. |
Handling complaints or claims related to our Services | Name, email address, and other data provided by the User in the Account, data related to the use of our Services that caused the complaint or claim, data contained in the documents attached to the complaint or claim. | Legitimate interest (Article 6(1)(f) of the GDPR) – improving electronically provided services, building positive relationships with users of Platforms and Services. |
Assessing satisfaction with our Services | Name, email address, phone number, information about the Services you use, information contained in responses to surveys and forms. | Legitimate interest (Article 6(1)(f) of the GDPR) – improving the Services provided and assessing user satisfaction with our Platforms and Services. |
Managing social media profiles | Personal data obtained via social media, such as name, username, avatar (image), content of comments and messages sent to us. More details regarding the processing of personal data related to managing social media profiles can be found in the information clause. | Legitimate interest (Article 6(1)(f) of the GDPR) – building relationships with Users and Specialists, including direct marketing of products, Platforms and Services. |
If you are a Specialist
If you cooperate with us based on a contract for provision of psychological or psychotherapeutic services, this section is for you.
Account Creation and Authentication
Purpose | Data Scope | Legal Basis |
---|---|---|
Account Creation | Email address, password, IP address. | Necessity for the performance of the account service agreement (Article 6(1)(b) of the GDPR). |
Authentication via Facebook, Google, or Apple | Email address, password, IP address, first and last name. | Necessity for the performance of the account service agreement (Article 6(1)(b) of the GDPR). |
Services Related to Account Ownership
Purpose | Data Scope | Legal Basis |
---|---|---|
Use of Service Features (e.g., My Calendar, My Patients, Payments and Settlements – all Services related to account ownership by a Specialist are specified in the Terms and Conditions) | First and last name, business name, NIP number, REGON number, bank account number, phone number, email address, mailing address, education and career history, photo (image), specialization or area of expertise, and any other data you provide during Profile creation. | Necessity for the performance of the account service agreement (Article 6(1)(b) of the GDPR). |
Other Purposes
Purpose | Data Scope | Legal Basis |
---|---|---|
Fulfilling tax and accounting obligations related to contract execution, including the delivery of invoices and e-invoices | First and last name, address, email, phone number, information about the purchased service, such as amount and date. | Compliance with legal obligations (Article 6(1)(c) of the GDPR) – primarily arising from applicable accounting and tax regulations. |
Debt collection activities | First and last name, address, email, phone number, information about overdue payments for the completed service. | Legitimate interest (Article 6(1)(f) of the GDPR) – collecting payments for properly delivered paid services. |
Pursuing or defending claims arising from improper contract performance | First and last name, address, email, phone number, information about overdue payments for the completed Service, data about the purchased Service, such as amount and date. | Legitimate interest (Article 6(1)(f) of the GDPR) – pursuing and defending against claims from Users who have used paid Services. |
Direct marketing of our own Services and products | Email address, phone number, and first and last name. | Legitimate interest (Article 6(1)(f) of the GDPR) – marketing of our own Services and products. |
Statistics on the use of individual functionalities of the Platforms, facilitating usage, IT security | Information about visited pages and subpages within the Platforms, time spent on specific pages and subpages of the Platforms, search history within the Platforms, IP address, device ID, information about the browser used to visit the Platforms, information about the operating system. | Legitimate interest (Article 6(1)(f) of the GDPR) – ensuring safe and easy use of electronically provided services, improving the quality of service. |
5. Information Applicable to All Visitors of the Service
Recipients of Your Personal Data
We will share your personal data with the following categories of recipients:
Service Providers
These are entities that help us provide services or assist us in running our business. The purpose of sharing personal data is to provide the services. Most of these entities act as so-called data processors (under Article 28 of the GDPR), but some of them may act as independent data administrators. The entities to which we may transfer personal data include the following categories:
- Companies providing cloud services and server maintenance,
- Companies providing IT security services,
- Companies providing telecommunications and similar services,
- External legal advisors and auditors,
- Banks,
- Insurance companies,
- Payment service providers,
- Companies handling financial security operations,
- IT companies providing IT services.
State Authorities
When authorized state authorities request it, we will share your personal data. Authorized state authorities include, in particular: organizational units of the prosecution, the police, the President of the Office for Personal Data Protection, the President of the Office of Competition and Consumer Protection, or the President of the Office of Electronic Communications.
Transfer of Personal Data Outside the EEA
We use providers based primarily in Poland and other EEA countries. However, some of our providers may be located outside the EEA. In connection with the transfer of your data outside the European Economic Area, we ensure that our providers offer guarantees of a high level of personal data protection. These guarantees include, in particular, the commitment to apply standard contractual clauses approved by the European Commission. You have the right to request a copy of the standard contractual clauses, which outline appropriate security measures. To make such a request, follow the instructions provided in section 3 of this Privacy Policy.
Information on Automated Decision-Making, Including Profiling
Personal data is not subject to profiling which results in decisions based solely on automated processing. We may direct personalized ads to visitors of our services, but these actions will not have any legal consequences for them. This means that within the Platform and through tracking technologies, data may be profiled to better personalize the offers ICTK directs to its recipients. This should not affect the legal situation of the data subject, particularly concerning contracts entered or planned. The goal is to better tailor the content and ads that visitors to our services receive, which results from statistical data or activity on our services.
Personal Data Storage Periods
ICTK will process personal data for as long as necessary to achieve the purposes outlined in this Policy and until ICTK fulfills its legal obligations. The table below outlines the processing periods for specific purposes:
Purpose of Processing | Personal Data Processing Period |
---|---|
Data processed as part of Service provision | For the entire duration of the Service agreement or Account ownership. If the agreement ends or the Account is deleted, we will store your personal data for 6 years from that point. |
Data collected as part of an unconfirmed account | For 30 days from the date you receive the activation link for creating an Account, as outlined in the Terms and Conditions. After this period, personal data will be anonymized. |
Data collected via cookies | According to the lifecycle of individual cookies. More details can be found in the Cookie Policy. |
Data collected in connection with marketing activities | Until an objection is expressed. |
Inquiries, complaints, and requests | For Unregistered Users, for the period necessary to resolve the inquiry/complaint/request, but no longer than 3 years from the receipt of the message. If the message constitutes or may constitute evidence in court or other state proceedings, it may be stored until the proceedings are definitively concluded. |
Data processed based on legitimate interest | Until we consider an objection to the processing of personal data for these purposes as effective. This does not apply to ICTK’s marketing purposes. |
Rights Related to the Processing of Your Personal Data
If you wish to exercise your rights, you can submit a request through the contact form. Additionally, if you have an Account, you can manage your privacy settings within your Account.
Timeframe for Fulfilling Requests
If you exercise your rights and make a request, we will fulfill the request (or deny it if necessary) promptly, but no later than one month from the date the request was received. If the request is complex or if we receive multiple requests, and we cannot fulfill it within a month, we will complete it within two additional months and inform you of the extended timeframe.
Right to Withdraw Consent
You have the right to withdraw your consent to the processing of your personal data, which you provided while using our Services and functionalities. Withdrawal of consent takes effect from the moment of withdrawal and does not affect any processing carried out prior to the withdrawal.
Legal Basis: Article 7(3) GDPR
Right to Erasure (Right to be Forgotten)
You have the right to request the deletion of your personal data. Below are the circumstances under which you can request that we delete your personal data:
- The processing of your personal data is unlawful.
- You withdraw your consent for the processing of your personal data, where the processing was based on that consent.
- You object to the processing of your personal data in relation to our marketing activities.
- The processing was based on our legitimate interest, and your objection is considered justified.
- The processing of your personal data is no longer necessary for the purposes for which it was collected or processed.
However, please note that some of your personal data may still be retained to the extent necessary for:
- Establishing, pursuing, or defending legal claims, including your name, email address, activity history on the Platforms, and billing data.
Legal Basis: Article 17 GDPR
Right to Access Data and Obtain a Copy
You have the right to confirm whether we are processing your personal data, and if so, you have the right to:
- Access your personal data;
- Obtain information about the purposes of processing and the categories of processed personal data;
- Obtain information about recipients or categories of recipients of your personal data;
- Obtain information about the planned retention period or the criteria for determining this period;
- Obtain information about your rights under GDPR and the right to lodge a complaint with a supervisory authority;
- Obtain information about the source of your personal data;
- Obtain information about automated decision-making, including profiling;
- Obtain information about the safeguards in place for the transfer of your personal data outside the EEA;
- Obtain a copy of your personal data.
Legal Basis: Article 15 GDPR
Right to Rectification
You have the right to correct and complete your personal data. You can do this yourself through your account settings. For other personal data, you can submit a request to us indicating what needs to be corrected or completed if the personal data is incomplete.
Legal Basis: Article 16 GDPR
Right to Data Portability
Under your right to data portability, you have the right to:
- Receive a file with your personal data, which you can then transfer to another data administrator of your choice; or
- Request that we directly transfer your personal data to the administrator you indicate, provided it is technically feasible.
Your personal data will be provided in a commonly used, machine-readable format, allowing it to be transferred to another data controller.
Legal Basis: Article 20 GDPR
Complaints, Questions, and Requests
If you have any complaints, questions, or requests regarding the processing of your personal data and the exercise of your rights, please contact us. You can also file a complaint with the President of the Personal Data Protection Office (address: ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl) if you believe your GDPR-granted rights have been violated.
External Links
Our website may contain links and references to external sites. We make every effort to ensure these links lead to sites that guarantee a high standard of personal data security. However, we are not responsible for how the operators of these sites use personal data, how they secure its processing, or for the content on those websites. Please review the terms of use and privacy policies available on these external sites, as using them means you accept and will adhere to the rules set by the site owner.
Personal Data Processing Security
We ensure appropriate technical, physical, electronic, and administrative safeguards to protect personal data from unauthorized access. We adhere to generally accepted industry standards to protect the personal data transmitted to us, both during transmission and after it is received. Unfortunately, transmitting information via the internet (including email) is not completely secure. Although we do our best to protect personal data, we cannot guarantee the security of personal data transmitted to us; any transmission is at your own risk. Once we receive your personal data, we will apply appropriate procedures and security measures to prevent unauthorized access to that data.
Cookies
As part of the operation of our Platform, we use Cookies. You can find more information on this subject in the Cookie Policy.
Changes to the Privacy Policy
We may modify and supplement this Privacy Policy. Information about any changes and additions to the Privacy Policy will appear on the main page of the Services. If you have an account, we will inform you by sending the relevant information to the email address you provided.
Cookie Policy
1. Application of the Cookie Policy
This Cookie Policy applies to all ICTK Prosta Spółka Akcyjna Platforms.
2. Contents of the Cookie Policy
This document contains the following information regarding Cookies:
- Use of Cookies;
- Purposes of using Cookies;
- Cookie choices and preferences.
Other information regarding the processing of personal data is outlined in the Privacy Policy.
3. What are Cookies?
A cookie is a small text file that a website stores on a user’s computer or mobile device when the user browses it. First-party cookies belong to the visited website and only that website can read them.
Types of Cookies Used
Cookies can be categorized based on their lifecycle and their origin.
Lifecycle Criteria:
- Session Cookies – Deleted when the browser used to visit the Platform is closed.
- Persistent Cookies – Deleted after a specified time, regardless of whether the browser used to visit the Platform is closed.
Origin Criteria:
- First-party Cookies – Set by our Platforms.
- Third-party Cookies (partners) – Set by servers of partners with whom we cooperate.
4. Purposes of Using Cookies
No. | Type / Category of Cookies | Is Consent Required? | Purpose |
---|---|---|---|
1. | Essential Cookies | These files are always active. | Cookies essential for the proper functioning of the Platforms, including ensuring IT security. These files are always active and cannot be disabled. |
2. | Analytical Cookies | Consent required. | Cookies that allow us to monitor performance and improve the alignment of the Platforms with visitors’ preferences. |
3. | Functional Cookies | Consent required. | Cookies that allow the remembering of settings or preferences, such as language or font. |
4. | Marketing Cookies | Consent required. | Cookies that allow better targeting of ads to the needs and interests of visitors or measuring ad effectiveness. This information can be collected by us or our partners. |
5. | Information from Other Platforms | Consent required. | Cookies that allow monitoring of a visitor’s activity on other services to better tailor our ads and offers to their needs and interests. |
6. | Social Media and Plugins | Consent required. | Cookies that enable sharing our content, e.g., on Facebook, or using the “Like” button on the Services. These cookies also allow registering an account using Facebook. |
5. Information Collected via Cookies
- Information about the device you are using (e.g., ID, IP address, operating system, language preferences, web browser, screen resolution).
- Information about visits to the Platforms (time, length of visits, date, search terms used in the services, visited subpages).
- Information about location (if consent has been given to provide such information).
- Information about viewed ads, including clicks on links.
- Information about activity on other platforms (if consent has been given to provide such information, e.g., information about visited services and frequency of visits).
6. Consents and Cookie Management
Consents and management of Cookie preferences can be easily adjusted through the Cookie Management Center. To change your preferences, select the “Cookie Management Center” tab in the footer of the page and update your consents.
Please note that modifying Cookie preferences may make it difficult to use some of the services offered by our Platforms. For cookies used by our partners, please also review their cookie policies.
List of Cookies used:
WordPress
- pll_language: The cookie stores information about the user’s language.
- BEARER: A cookie associated with user login, stores a token for the logged-in user.
- REFRESH_TOKEN: A cookie associated with user login, stores a token used to refresh the session.
ICTK App
- BEARER: A cookie associated with user login, stores a token for the logged-in user.
- REFRESH_TOKEN: A cookie associated with user login, stores a token used to refresh the session.
Shared
- CREATE_VISIT_BODY: A cookie used for communication between WordPress and the application to maintain the appointment scheduling process. It temporarily stores information about:
  - the type of appointment,
  - the date of the appointment,
  - the therapist (ID).