Data Processing Agreement
Version: 1.3 · Last updated: 15 May 2026
This document is a Data Processing Agreement (DPA) under Article 28 GDPR for Users of the „Zbieraj Mądrze" Application who enter personal data of their employees, contractors or other third parties into it.
This DPA forms an annex to the Terms of Service and applies to the extent that the User entrusts third-party personal data to the Service Provider by entering them into the Application. The DPA is concluded together with the Account agreement, without a separate signature being required. Upon request, the Service Provider may provide a copy for handwritten or electronic signature: kontakt@zbierajmadrze.pl.
§ 1. Parties
Processor:
ARI.CODE Arkadiusz Rosłoniec
sole proprietorship
Gostomia 17, 26-420 Nowe Miasto nad Pilicą, Poland
Tax ID (NIP): 7972027390
email: kontakt@zbierajmadrze.pl
Controller:
The User of the Application who enters personal data of third parties (in particular employees and contractors).
§ 2. Subject matter and purpose
- The Controller entrusts the Processor with processing personal data to the scope and for the purpose specified in Annex A.
- The Processor shall process entrusted data solely to the extent necessary to provide the services defined in the Terms of Service, in particular: storage, making data visible to the Controller and to users authorised by the Controller, performing settlement calculations, backups and securing the data.
- The Processor shall not process entrusted data for its own purposes and shall not use them for marketing or statistical purposes beyond providing the service to the Controller.
§ 3. Duration
- This DPA is in force for the duration of the main agreement concluded under the Terms of Service between the Controller and the Processor concerning the „Zbieraj Mądrze" Application.
- Upon termination of the main agreement, § 10 of this DPA applies.
§ 4. Type of data and categories of data subjects
Detailed lists are set out in Annex A.
§ 5. Processor's obligations
- The Processor processes data only on the Controller's documented instructions. Actions performed via the Application (entry, edit, deletion, export) are considered such instructions.
- The Processor ensures that persons authorised to process the data (Processor's staff and contractors) have committed themselves to confidentiality or are under a statutory obligation of confidentiality.
- The Processor implements appropriate technical and organisational measures as set out in § 8.
- The Processor assists the Controller, as far as possible, in fulfilling the Controller's obligation to respond to requests from data subjects (Articles 12–22 GDPR).
- The Processor assists the Controller in ensuring compliance with obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation with the supervisory authority).
- The Processor immediately informs the Controller if, in its opinion, an instruction infringes GDPR or other data protection law.
§ 6. Controller's obligations
- The Controller declares that it has a valid legal basis for processing the personal data entrusted to the Processor (e.g. employment contract, statutory obligation, legitimate interest).
- The Controller undertakes to fulfil the information obligations under Articles 13 and 14 GDPR towards data subjects (its own employees and contractors), including informing them about the entrusted processing.
- The Controller is responsible for the scope, content and lawfulness of data entered into the Application.
§ 7. Sub-processors
- The Controller grants the Processor general authorisation to use sub-processors listed in Annex C.
- The Processor shall inform the Controller of any intended changes regarding the addition or replacement of sub-processors at least 14 days in advance by email or in-app notice. The Controller may object; in such case the parties will negotiate an alternative in good faith, and failing that the Controller may terminate the main agreement effective on the date of the proposed change.
- The Processor ensures that sub-processors are bound by data protection obligations no less strict than those set out in this DPA.
§ 8. Security of processing (Art. 32 GDPR)
The Processor applies the technical and organisational measures listed in Annex B, including:
- encryption of traffic between client and server;
- authentication and access-control mechanisms for the Application;
- organisational and technical restrictions on access to data for authorised persons only;
- logging of selected security and administrative events;
- measures intended to restore data availability and service continuity appropriate to the scale of processing.
§ 9. Personal data breaches
- The Processor notifies the Controller of any detected breach of the security of the entrusted personal data without undue delay, by email or another agreed communication channel.
- The notification includes information required by Art. 33(3) GDPR to the extent available to the Processor, in particular: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the effects.
§ 10. Return or deletion of data
- At the end of the service, the Processor - at the Controller's choice - shall delete or return the entrusted personal data to the Controller and delete existing copies, unless Union or Polish law requires retention.
- After the service ends, data is deleted or returned in accordance with the parties' arrangements and applicable retention rules, subject to legal obligations or technical periods necessary for secure service termination.
- If the Controller requests earlier deletion, the parties shall agree on the method and timing taking into account security and legal obligations.
§ 11. Audit
- The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allows for audits.
- An audit takes place at a mutually agreed date with at least 14 days' notice, no more often than once every 12 months (except following a detected breach), during the Processor's working hours and at the Controller's cost.
- The Processor may provide the results of an audit performed by an independent body (e.g. SOC 2 or ISO 27001 certification of the hosting provider, or internal audit report) in lieu of a direct audit, to the extent such documents address the audit subject.
§ 12. Liability
- The parties are liable as set out in Art. 82 GDPR and in the Terms of Service.
- The Processor is liable to the Controller for damage caused by breach of this DPA only where it has failed to fulfil obligations GDPR imposes directly on processors or acted outside or contrary to lawful documented instructions of the Controller.
§ 13. Final provisions
- In matters not regulated by this DPA, GDPR, the Polish Data Protection Act and the Terms of Service apply.
- In case of a conflict between this DPA and the Terms - in matters of personal data protection - this DPA prevails.
- Changes to this DPA are made under the amendment rules applicable to the Terms of Service, unless the parties agree an individual change in documentary form (e.g. by email) or sign an updated version.
Annex A - Type of data, categories of data subjects, purpose and duration
| Category | Scope |
|---|
| Categories of data subjects | Employees, contractors, seasonal or piecework workers of the Controller |
| Categories of data | Name, employee identifier (NFC tag, code, BLE scale number), settlement data (amounts, rates, hours, harvested quantity) |
| Purpose of processing | Work and harvest records, settlements, reports for the Controller's accounting and management purposes |
| Duration of processing | Use of the Application by the Controller and the period necessary to wind down the service in line with the parties' arrangements and retention rules |
| Transfer outside the EEA | Possible only to the extent necessary for approved service providers supporting the service and subject to appropriate legal safeguards |
Annex B - Technical and organisational measures
- Encryption of transmissions for client-server connections.
- Authentication and access-control mechanisms for the Application.
- Data isolation between different customers to the extent provided by the system architecture.
- Logging of selected technical and security events.
- Abuse protection for public-facing endpoints.
- Restricted access to production data for authorised personnel only.
- Security maintenance and updates appropriate to the scale of the service.
Annex C - List of sub-processors
| Entity | Location | Purpose | Transfer basis |
|---|
| OVH SAS | France (EEA) | Hosting of the application servers, database, authentication panel and statistics; backup storage | Processing within the EEA - no additional transfer mechanism required |
| Plus Five Five, Inc. (Resend) | USA | Delivery of emails related to registration, verification, account handling and contact | EU Standard Contractual Clauses and the EU-U.S. Data Privacy Framework, to the extent and in line with the provider's current legal documentation |
The GoatCounter statistics mechanism available at stats.zbierajmadrze.pl is self-hosted by the Processor on the infrastructure listed in the first row above and is not a separate sub-processor.
The current list of sub-processors is published on the Application's website. The Processor will notify of any planned changes (addition or replacement of a sub-processor) in accordance with § 7.