Privacy Policy

This privacy policy sets out the rules for the processing and protection of personal data provided by Users in connection with their use of the Services provided by ONYX Sp. z o.o.

§ 1. General information

1. This policy applies to the Services, which consist of
   • Website, operating at the URL: app.onyxtms.com
   • Mobile applications for Android and iOS platforms.
2. The Operator of the Services and the Administrator of personal data is: ONYX Sp. z o.o., ul. Lubowidzka 33, 80-174 Gdańsk, Poland.
3. Operator's contact email address: contact@onyxtms.com
4. The Operator is the Administrator of your personal data in relation to data provided voluntarily within the Services.
5. The Services use personal data for the following purposes:
   • Handling inquiries via contact forms or other communication channels.
   • Presentation of offers or information.
   • Execution of basic functions of mobile applications.
   • Analysis of the use of Services in order to improve them.
6. The Services perform functions of obtaining information about users and their behavior in the following way:
   • Through data voluntarily entered in forms or other input fields, which are entered into the Operator's systems.
   • By saving cookies on end devices in the case of the website.
   • By collecting data gathered automatically, such as IP address, device data, operating system and its version (in the case of mobile applications).

§ 2. Selected data protection methods used by the Operator

1. Login and personal data entry points are protected at the transmission layer (SSL/TLS encryption). Thanks to this, personal data and login data entered in the Services are encrypted on the user's device and can only be read on the target server.
2. Personal data stored in the database are encrypted in such a way that only the Operator possessing the key can read them.
3. User passwords are stored in hashed form. The hash function works one-way - it is not possible to reverse its operation, which is currently the modern standard for storing passwords.
4. Two-factor authentication may be used in the Services, which constitutes an additional form of login protection.

§ 3. Hosting and third parties

1. The Services are hosted (technically maintained) on the operator's servers: cloudways.com.
2. In some situations, the Administrator has the right to transfer your personal data to other recipients if it is necessary to perform the contract concluded with you or to fulfill the obligations resting on the Administrator. This applies to the following groups of recipients:
   • Hosting company on an entrustment basis.
   • Providers of analytical services (e.g., Google Analytics).
   • Operators of mobile application distribution platforms (Google Play, Apple App Store) to the extent necessary to provide services.

§ 4. Your rights and additional information on the use of data

1. Your personal data processed by the Administrator is kept no longer than necessary to perform the related activities specified in separate regulations (e.g., on accounting). With regard to marketing data, the data will not be processed for more than 3 years.
2. You have the right to request from the Administrator:
   • access to personal data concerning you,
   • their rectification,
   • deletion,
   • restriction of processing,
   • and data portability.
3. You have the right to object to the processing of personal data in order to perform legitimate interests pursued by the Administrator (including profiling), however, the right to object cannot be exercised if there are valid legitimate grounds for processing, overriding your interests, rights and freedoms, in particular the establishment, exercise or defense of claims.
4. You have the right to lodge a complaint against the Administrator's actions to the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, Poland.
5. Providing personal data is voluntary, but may be necessary for the full operation of the Services.
6. Actions consisting of automated decision making, including profiling, may be taken in relation to you in order to provide services under the concluded contract and for the purpose of direct marketing conducted by the Administrator.
7. Personal data is not transferred to third countries within the meaning of the provisions on the protection of personal data. This means that we do not send them outside the European Union.

§ 5. Information about data collected in the Services

1. The Services collect information provided voluntarily by the user, including personal data if provided.
2. The Services may save information about connection parameters (time stamp, IP address).
3. In the case of mobile applications, the Services may collect additional information automatically, such as:
   • unique device identifier (e.g., advertising ID),
   • type and version of the operating system,
   • crash logs,
   • data on app activity.
4. Data provided in the forms is processed for the purpose resulting from the function of a specific form, e.g., to process a service request or commercial contact.
5. Information about user behavior in the Services may be subject to logging. These data are used to administer and optimize the Services.

§ 6. Mobile application permissions

1. In order to ensure full functionality, mobile applications may request access (permissions) to certain resources or functions on your device.
2. Such permissions may include access to the camera, device memory, location or push notifications.
3. Each permission is voluntary and required only to perform specific functions. You can manage the granted consents at any time in the system settings of your device. Refusal to grant consent may limit the operation of some app functions.

§ 7. Important analytical and marketing techniques

1. The Operator applies statistical analysis of traffic in the Services, including through Google Analytics (Google Inc. based in the USA) or similar tools (e.g., Firebase Analytics). The Operator does not provide personal data to the operators of these services, but only anonymized information. These services are based on the use of cookies or other tracking technologies on the user's end device.
2. Regarding information on user preferences collected by the Google advertising network, the user can view and edit information derived from cookies and identifiers using the tool: https://www.google.com/ads/preferences/

§ 8. Information about cookies and similar technologies

1. The website uses cookies. Mobile applications may use similar technologies (e.g., local storage, device identifiers).
2. Cookies are IT data, in particular text files, which are stored on the end device of the Website User. Cookies usually contain the name of the website they come from, the storage time on the end device and a unique number.
3. Similar technologies in mobile applications, such as advertising identifiers (IDFA on iOS, AAID on Android), allow for usage analysis and content personalization similarly to cookies.
4. The entity placing cookies and accessing them is the Operator of the Services.
5. These technologies are used for the following purposes:
   • Maintaining the user's session (after logging in).
   • Saving user settings and preferences.
   • Implementation of the goals set out above in the "Important analytical and marketing techniques" section.
6. Restrictions on the use of these technologies may affect some of the functionalities available in the Services.

§ 9. Managing cookies and consents - how to give and withdraw consent in practice?

1. Website (browsers): If the user does not want to receive cookies, they can change the browser settings. Disabling cookies necessary for authentication, security or maintaining user preferences may make it difficult, and in extreme cases prevent the use of websites. To manage cookie settings, follow the instructions for your browser (e.g., Chrome, Safari, Firefox, Edge).
2. Mobile devices (Android/iOS): The user can manage their advertising identifier and associated consents directly in their device settings.
   • iOS: Settings → Privacy & Security → Tracking.
   • Android: Settings → Google → Ads.
   You can reset your advertising identifier there or limit its tracking.