LENSO.AI — PRIVACY POLICY

§ 1. Definitions

1. Controller - LENSO AI SPÓŁKA AKCYJNA (Joint stock company) with its registered office in Wrocław, Poland (Grabiszyńska st. 186/2B/4, 53-235 Wrocław, entered in the register of entrepreneurs of the National Court Register kept by the District Court for Wrocław - Fabryczna in Wrocław, VI Department under the KRS no.: 0001106624, NIP: 8943236648, REGON: 52870087500000, with its share capital: 1 000 000,00 PLN fully paid.
2. Policy - this Privacy Policy.
3. User - the natural or legal person or any organizational unit operating on a legal basis, who uses the Service.
4. Personal Data - any information relating to an identified or identifiable natural person, including in particular information concerning Users.
5. GDPR - Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
6. UK GDPR - the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. Personal Data is subject to the legal safeguards specified in the UK GDPR (as incorporated and tailored by the Data Protection Act 2018 (DPA) in the UK) and as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019).
7. Service - the search service provided by the Controller at https://lenso.ai.
8. Website - the Controller’s website available at https://lenso.ai.
9. Terms of Service - Website’s Terms of Service, available at: https://lenso.ai/legal/terms-and-conditions.
10. Cookies - small blocks of data created by a web server and placed on the User's computer.

§ 2. General provisions

1. This Policy applies to the Processing of Personal Data in connection with the activities carried out by the Controller, including providing the Service and the operation of the Website.
2. The Controller is aware of the importance of protecting Users’ Personal Data and for this reason apply technical and organizational measures to ensure the protection and security of the processing of Personal Data, appropriate to the risks and categories of data protected, and in particular technically and organizationally secure the data against their access to unauthorized persons, taking by an unauthorized person, processing in violation of applicable regulations, loss, damage or destruction.
3. The Website includes links to third-party websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. The Controller does not control these third-party websites and is not responsible for their privacy statements.
4. The Service is not intended for use by individuals under the age of 16. If you are under the age of 16, please do not provide any Personal Data to the Controller. The Administrator is committed to adhering to the highest standards of protection of Personal Data, especially where minors are concerned. The Administrator does not collect or permit the use of the Service to search for information relating to persons under the age of 16. The Administrator uses advanced technological solutions to detect searches related to the data of minors and continuously monitors searches in this regard.
5. You can contact the Controller via the contact form available on the Website (https://lenso.ai/en/contact).

§ 3. Who collects my Personal Data and why

1. To provide services via Website the Controller needs to collect and process some of Personal Data. Without using some of them Users wouldn’t be able to use some of the functionalities of our Website. These data include, for example: data necessary to create a User account or billing data needed to enter into and perform the contract for the Service in paid options. The Controller is obliged to collect some data due to the requirements of applicable law (e.g. for tax purposes).
2. The Controller shall collect and process the Users’ Personal Data only as provided for in the provisions of this Privacy Policy. All data provided by the User, shall be used by the Controller exclusively on the basis of:
        a. point (a) of Article 6 (1) GDPR - the data subject has given consent to the processing of his or her Personal Data for one or more specific purposes; for marketing purposes, if the User consents to receive from the Controller sales and marketing messages (including newsletters);
        b. point (b) of Article 6 (1) GDPR - processing is necessary for the performance of a contract to which the data subject is party; to provide customer service and to contact the User i.a. to notify them of any modification in the products or services offered via the Website, also with regard to the User’s account created on the Website;
        c. point (f) of Article 6 (1) GDPR - processing is necessary for the purposes of the legitimate interests pursued by the Controller; to establish, exercise or defend legal claims, to enforce and investigate possible infringements in the use of the Websites, or other actual or alleged actions contrary to the provisions of law, to protect rights, property or security of the Websites, Users, and employees of the Controller, as well as other third parties, which constitute legitimate interests pursued by the Controller Processing data specified in section above does not validate any Personal Data laws.
        d. point (c) of Article 6 (1) GDPR - to process Personal Data with the purpose of fulfilling legal obligations.
3. The Controller shall retain and process Personal Data of the Users for a period necessary to fulfill processing purposes specified in this Policy or in accordance with applicable provisions of law, i.e. for instance until the User withdraws their consent or until the contract is accomplished. When the processing purpose is achieved, the Controller shall erase the Personal Data or anonymise it, and if the Controller intends to process data for analytical purposes the data shall be subject to pseudonymisation in order to use such data within the scope that is adequate and necessary for certain processing purposes, in such a manner that the Personal Data can no longer be attributed to a specific data subject.
4. The User shall have the following rights with regard to Personal Data processed by the Controller:
        a. right of access;
        b. right of rectification, if Personal Data is inaccurate or incomplete;
        c. right to erasure;
        d. right to object to processing of the User’s Personal Data.
        e. right to data portability.
        f. right to restriction of processing.
        g. right to lodge a complaint to the supervisory authority.
5. The User shall have the right to object to processing by the Controller, if such processing is based on the Controller’s legitimate interest e.g. data profiling for marketing purposes. The Controller shall cease to process data for these purposes, unless there are some legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
6. When a consent for Personal Data processing has been given, the User is entitled to withdraw their consent for further processing at any time. The consent may be withdrawn at any time by contacting the Controller via e-mail address specified in clause I of this Privacy Policy. Consent withdrawal shall not affect legitimacy of data processing performed by the Controller prior to such withdrawal.
7. The application for the exercise of the User's right will be fulfilled without undue delay, but not later than 30 days after its receipt. This deadline may be extended due to the complexity of the request or the number of requests, of which the User will be informed.

§ 4. Server logs, cookies and third - party plug ins.

1. The Controller uses records of information obtained from server logs, which collect such data as: requests to the Website (when the User visits the Website), IP address, type of action performed (e.g. opening a Website), address of the page the User visits and the time when this happens; information about errors (e.g. page not found). This allows the Controller to fix problems and improve the Website, also in terms of security, as server logs help to detect unsafe attempts to access the server or other disturbing activities.The data recorded in server logs are not associated with specific individuals using the Website and are not used by the Controller to identify specific individuals.
2. The Controller also collects Cookies, sent by the server and stored on your device. By making the appropriate choice on our Website, you give your consent to Cookies which may be sometimes considered as Personal Data. You may withdraw this consent at any time by changing your choice, but this will not affect the lawfulness of the processing that took place before you withdraw your consent.
3. The following Cookies are used on the Website:
        a. Cookies necessary for the use of the Website, including session Cookies - necessary for the use of the basic functionalities of the search engine and the User Account, without which some functions will not work properly;
        b. analytical Cookies, including those of our partners - used to conduct Website performance tests, analyse Website traffic, improve user experience; list of partners: Google Inc. - for more information on the details of what and how Google processes Personal Data, see: https://policies.google.com/privacy?hl=pl;
        c. Cookies from our advertising partners - for correct display of advertisements on the Website, for customisation and personalisation of advertising content, for measuring its effectiveness, for avoiding the same advertisements being displayed too many times, and may also be used to create a user profile; list of partners: Google Inc. - for more information on the details of what and how Google processes, please visit: https://policies.google.com/privacy?hl=pl.
4. The data referred to in paragraph 1-3 are processed in accordance with:
        a. Article 6 (1) (b) GDPR, in order to perform the Service, i.e. the Agreement concluded by the User with the Controller by accepting the Terms and Conditions;
        b. Article 6 (1) (a) GDPR, the data subject has given consent to the processing of certain Cookies or other similar technologies expressed through the relevant settings of the search engine;
        c. Article 6 (1) (f) GDPR in the Controller's legitimate interest in facilitating the use of the Website, improving the quality and functionality of the Service provided.
5. The processing of the data referred to in paragraphs 1-3 does not violate the rights and freedoms of the Users, as this information is not used for any additional purposes (other than mentioned above). By using this data the Controller is able to manage the correct operation of the Service, adjust the way the content of the Website is displayed and improve the quality of the provision of Services on the Website.
6. In order to ensure the operation of some of our services, we use third party applications or plugins. The objectives and the scope of data collection, further data processing by social network, as well as the rights and parameters of settings for the protection of your privacy associated with them can be found in the data protection policy of the respective social network. You should not use the respective plug-ins, if you do not wish the providers of social networks to receive data regarding this on-line offer or to continue using these data.

§ 5. Marketing and PR activities

1. Providing your Personal Data for marketing and other profiling purposes is optional; refusal to provide your Personal Data for these purposes will not have any impact on the entering into or performance of the Service. When the Controller uses your data to market its services, display personalized ads or to send you a newsletter, it will collect your prior consent before proceeding to processing your Personal Data for these purposes. You may withdraw your consent at any time by contacting the Controller via the contact form available on the Website.
2. The Controller may post marketing information about its products or services on the Website. The display of this content is carried out by the Controller in accordance with Article 6 (1) (f) of the GDPR Regulations, in line with the Controller's legitimate interest to publish content related to the services provided and promotional content of campaigns in which the Controller is involved.
3. The Controller may also display marketing information relating to the products or services of its counterparties with whom it has entered into a marketing cooperation agreement. The display of this content is carried out by the Controller in accordance with Article 6 (1) (f) of the GDPR, in accordance with the Controller's legitimate interest in marketing the products or services of its counterparties. At the same time, this activity does not infringe on the rights and freedoms of Users, in particular due to the sporadic nature of these activities.

§ 6. Recipients of Personal Data

1. Your Personal Data may be used by certain third parties with whom we cooperate and who help us provide the Service. These entities are service providers such as:
        a. a hosting provider that stores your data on its server;
        b. a mailing service provider that stores your contact data (i.e. name or user account login and e-mail address) if you subscribe to a newsletter;
        c. a payment service provider or payment intermediary that need access to your payment data as well as the type of the Service and billing period you are paying for;
        d. a legal counsel or attorney that provides legal services to us if we need to share some of your data to ensure those services are accurate and well-based;
        e. a service provider that provides technical support for our Website, if that support includes areas where Personal Data is located, including support for Website traffic analysis, ad delivery and personalization, etc. in particular Google Inc. that requires access to the data related to how you use our website to show you personalized ads – to manage the scope of your consent or withdraw the consent already given please see our cookie banner;
        f. other subcontractors/service providers, if the subject matter of their business requires access to Personal Data.
2. The Controller will not sell, rent, distribute or otherwise make your Personal Data commercially available to any third party.
3. In case of cooperation with the Collector partners or suppliers which are external entities - registered offices of such external entities may be situated both in the territory of EU Member States, and in the countries outside the European Economic Area (EEA).
4. If our partners or supplies have their registered offices outside the EEA, the Controller guarantees that transfer of data outside the EEA shall be effected in accordance with applicable provisions of law in this regard (for example conclusion of a personal data processing agreement in accordance with the European Commission guidelines). Level of data protection in countries outside the EEA may differ from the one guaranteed by European law. Whereby we primarily work with companies participating in the Privacy Shield programme, which guarantees their compliance with high data protection standards in line with European regulations.
5. Personal Data may also be transferred to authorized state authorities in connection with their proceedings, at their request and upon fulfillment of the prerequisites confirming the necessity of obtaining such data, in accordance with applicable laws.

§ 7. Automated decision-making

Your Personal Data may be subject to profiling to improve and personalize the offer to Users who visit the Controller's Website. However, the Controller does not make decisions towards you in an automated manner affecting your rights and freedoms.

§ 8. The Safety of your Personal Data

1. In connection with the processing of Personal Data of the User, the Collector is guided by the following principles:      a. compliance with the law - which means that the User’s Personal Data are processed in compliance with the legal prerequisites resulting from Articles 6,9 and 10 of the GDPR;
        b. reliability and transparency - which means that Personal Data are processed in a reliable and transparent way for the User, in particular through the proper implementation of information obligations;
        c. data minimization - which means that the Personal Data of the User are processed in an adequate, appropriate and limited way to what is necessary for the purposes for which they are processed;
        d. limitation of the purpose of data processing - meaning that Personal Data of the User are collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes, whereby further processing for archival purposes in the public interest, for purposes of scientific or historical research or for statistical purposes is not considered incompatible with the original purposes;
        e. regularity - which means that the Personal Data of the User must be correct and, if necessary, updated, thus personal data that are incorrect in view of the purposes of their processing are immediately deleted or rectified;
        f. storage restrictions - which means that Personal Data of the User must be stored in a form allowing the identification of the User for no longer than is necessary for the purposes for which the data are processed, provided that the technical and organizational measures required under the GDPR are implemented to protect the rights and freedoms of the User and provided that Personal Data may be stored for longer if they are processed solely for archival purposes in the public interest, for purposes of scientific or historical research or for statistical purposes;
        g. integrity and confidentiality - which means that Personal Data of the User must be processed in a manner ensuring their proper security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage;
        h. accessibility - which means that the User's Personal Data must be protected from destruction, and the Controller ensures that Personal Data is available to authorized persons when they need it or in a timely manner.
2. The Controller applies technical and organizational measures to ensure the protection and security of the processing of Personal Data, as said in par. 2 section 2 Policy.
3. The use of the Internet and electronically provided services may involve specific ICT risks. These risks include, among others, the presence and operation of Internet worms, spyware or malware, including computer viruses. There is also a risk of exposure to cracking activities (attempts to break system security) and other threats.
4. To ensure your safety when using the Internet, we recommend using trusted information sources and security tools. It is a good idea to regularly update your software, including your operating system and antivirus programs, use strong, unique passwords, and be cautious when opening emails and links from unknown senders. It's also a good idea to regularly improve your digital security knowledge.

§ 9. Updates

This Privacy Policy is subject to modification by the Controller at any time. In such cases the Controller shall publish an updated version of the Privacy Policy on a given Website and notify the Users of such modifications and the effective date.

§ 10. Additional information for the UK Residents

1. The Controller adhere to the principles relating to processing of Personal Data set out in the UK GDPR (Article 5 DPA; sections 35-40) which require Personal Data to be:      a. Processed lawfully, fairly and in a transparent manner;
        b. Collected only for specified, explicit and legitimate purposes and not further processed in a manner that is not incompatible with those purposes;
        c. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimisation);
        d. Accurate and where necessary kept up to date;
        e. Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (storage limitation);
        f. Processed in a manner that ensures its security using appropriate technical and organizational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction or damage;
        g. Not transferred to another country without appropriate safeguards being in place; and
        h. Made available to data subjects and data subjects are allowed to exercise certain rights in relation to their Personal Data.
2. If you are located in the UK and you believe we are unlawfully processing your personal information, you also have the right to complain to the Information Commissioner's Office. You can find their contact details here: https://ico.org.uk/make-a-complaint/.
3. Every data subject has the rights mentioned in par. 4 sec. 3 of this Policy and may request the transfer of its Personal Data to another party.

§ 11. Additional information for Switzerland Users

1. We will not disclose your personal data to third parties, except to the circumstances mentioned in par. 1 sec. 6.
2. The Controller shall ensure that, in processing the Personal Data of Users who are Swiss citizens, it respects all principles and rights for the protection of Personal Data established under the Federal Data Protection Act (Bundesgesetz über den Datenschutz; (Datenschutzgesetz, DSG) vom 25. September 2020) and Data Protection Regulation (Verordnung über den Datenschutz (Datenschutzverordnung, DSV) vom 31. August 2022.
3. Personal Data:
        a. is processed lawfully, in good faith and proportionate; for a specific purpose that is recognisable to the data subject;
        b. is only accessible to authorized persons;
        c. are available when needed;
        d. are processed in a comprehensible manner;
        e. shall be destroyed or anonymised as soon as they are no longer required for the purpose of processing.
4. The Controller takes all appropriate measures to ensure that the Personal Data is accurate.
5. The Controller shall not process any sensitive personal data nor perform high - risk profiling by a private individual.
6. The Controller may disclose or export Personal Data to other countries, in particular in order to process it or have it processed there. The Controller may disclose Personal Data to countries whose laws do not guarantee adequate data protection, provided that adequate data protection is guaranteed for other reasons, in particular on the basis of standard data protection clauses or with other suitable guarantees.
7. The Controller uses the services of specialized third parties in order to be able to carry out our activities and operations in a permanent, user-friendly, secure and reliable manner. The controller uses in particular Services of Google: Provider: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; for more information on the details of what and how Google processes Personal Data, see more: https://policies.google.com/privacy?hl=pl;
8. The Controller uses specialized service providers to process Users’ payments securely and reliably; this means in particular: Paddle.com Market Ltd. (the UK); Paddle Payments Ltd. (Ireland); Paddle. Com Inc (the USA) - for more information on the details of what and how Paddle processes Personal Data, see: https://www.paddle.com/legal/privacy.
9. Any person may request information from the controller as to whether personal data concerning him or her are being processed. Data subjects can also request that the Controller: correct, complete, erase or restrict their Personal Data. Data subjects may also request the disclosure of their Personal Data or the transfer of their data to another controller.
10. Data subjects have the right to enforce their data protection claims by legal means or to lodge a complaint with a competent data protection supervisory authority. The Federal Data Protection and Information Commissioner (FDPIC) is the data protection supervisory authority for complaints by data subjects against private individuals and federal bodies in Switzerland.