Privacy policy
PRIVACY POLICY AND PRINCIPLES REGARDING COOKIES
1. GENERAL INFORMATION
The privacy of Users using the Big Steps Application (the “Application”) is very important to us, and we make every effort to
protect it. This document details the means of processing and protecting Users’ personal data in connection with their use of the
Application, and establishes the Principles Regarding Cookies.
This Privacy Policy and Principles Regarding Cookies are linked to the “Terms and Conditions for the Electronic Provision of
Services by Electronic Means – Big Steps Application” (hereinafter: “Terms and Conditions”).
2. DEFINITIONS
2.1. Should the following capitalized terms be used in this document, they will have the meaning given to them below, unless
otherwise stipulated in the provision:
2.2. Controller – ES EDUCATION BOCHIŃSKA I WSPÓLNICY Spółka komandytowa, hereinafter “Big Steps”, entered in the
Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw,
13th Commercial Division of the National Court Register under the National Court Register Number [Krajowy Rejestr
Sądowy, KRS] 0000883647, ul. Plac Thomasa Woodrowa Wilsona 4/15, 01–626 Warszawa, Tax Identification Number
[Numer Identyfikacji Podatkowej, NIP]: 5252852107, National Official Business Register Number [REGON]:
38822625500000, e-mail address: [email protected]. The Controller processes the User’s Personal Data in
the form of their e-mail address (Login) and Password, provided by the User during the use of the Application, as well as
the data stored in the Code (as defined in the Terms and Conditions), data concerning the IP address of the User’s terminal
device and data contained in cookies, as the controller of the Personal Data within the meaning of the Regulation, while
the rest of the User’s Personal Data (including their e-mail address provided by the School for verification purposes), as a
processor within the meaning of the Regulation, acting on behalf of the School;
2.3. Personal Data – means any information relating to an identified or identifiable natural person (“Data Subject”); an
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such
as a name, an identification number, Link within the meaning of the Terms and Conditions, location data, an online
identifier, including the device IP, version of the browser used by the User, operating system and type/name of User’s
device, other information collected through cookies or one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that natural person;
2.4. Privacy Policy – this document regarding privacy and cookies.
2.5. Profile – section (a collection of information stored in the Service Provider’s ICT system concerning a given User) available
in the Application, where registered Users and Third Parties authorized by the User will be able to obtain Content (as
defined in the Terms and Conditions) and access the functionality of the Application under the terms described in the
Terms and Conditions.
2.6. Regulation – the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC.
2.7. Application – Internet service (software) intended for Users, installed on mobile devices, in which, among other things, the
Profile, including the Content and functionalities contained therein, is made available to registered Users. The Application,
as a rule, has a non-public character and is intended for Users who meet the criteria specified in the Terms and Conditions,
after logging into the Application. The Application is also available to the public, without logging in (without registering in
the Application), but in a limited range of its functionalities (“Try it out” option), and no Personal Data of the User is
processed in this option.
2.8. User – a natural person using the Application, entering into a Service Contract with the Service Provider either for
purposes not directly related to their business or professional activity (a student of the School, their guardian, a person
using the Code) or for purposes directly related to their business or professional activity (a teacher at the School or
another person authorized by the School). The Application can be used after the User logs in to the Application with a
Login and Password (depending on the privileges held by the User, directly or with a Code) or without these access tools,
in limited public access to the Application.
2.9. School – an entity with which the User is connected by a contractual relationship, on the basis of which the School, using
the Application, teaches the English language using the Big Steps method or employs the User for this purpose; this
School may provide the Service Provider with the data necessary to verify the User as a person authorized to use the
Application and the Profile.
2.10. Third Party – a person to whom the User has granted rights to access their Profile in its entirety or Sub-Profile(s) under the
Terms and Conditions.
Otherwise, terms used in this Privacy Policy and capitalized have the same meaning as assigned to them in the Terms and
Conditions.
3. PURPOSES OF AND GROUNDS FOR PERSONAL DATA PROCESSING
3.1. Users’ Personal Data is processed by the Controller on different grounds and for different purposes, depending on which
functionalities of the Application the User uses and which access authorizations the User has. See below for a description
of those purposes and legal grounds for data processing.
In particular, the Controller shall: (i) ensure transparency in the processing of Personal Data, (ii) provide Users with timely
information about the processing of their Personal Data, including by referring to this Privacy Policy, and (iii) process
Personal Data only to the extent necessary for the specified purpose and for the necessary period of time.
The User’s activity in the Application, including data on the extent and manner of use of its functionalities, technical data
on the device on which the Application is installed, data on the location of this device, User identification and contact data,
are recorded in system logs (a computer program in which information on events and actions of the IT system through
which the Controller provides electronic services is recorded) and processed for purposes related to the provision of
services by the Controller, including: technical, administrative, ensuring the security and management of the IT system,
analytical or statistical purposes.
3.2. Processing of Users’ personal data in order to use the functionalities of the Application, after registration in the Application
and accessing the Profile and services: The User uses the Application as a User through the functionalities of the
Application, including those available in their Profile, and therefore their Personal Data provided during registration in the
Application, i.e. e-mail address (Login) and Password, and necessary for the operation and use of the Application and the
Profile, as well as the data stored in the Code (as defined in the Terms and Conditions) are processed by the Controller for
the following purposes and on the following legal grounds: in order for the Controller to provide services electronically to
the extent specified in the Terms and Conditions, as this is necessary for the performance of the contract for the provision
of services electronically (legal basis – Article 6(1)(b) of the Terms and Conditions);
Provision of Personal Data by the User is not a statutory or contractual requirement. Provision of data that is marked as
mandatory during the registration process in the Application is required in order to operate and use the Profile, and failure
to provide such data will result in the inability to access and use the Profile in the Application. Provision of other data is
voluntary, it is not a statutory or contractual requirement – the User, by providing such data, consents to their processing;
they will then be processed on the basis of Article 6(1)(a) of the Regulation.
3.3. Processing of Users’ Personal Data with respect to the Personal Data provided to the User in the Profile: The indicated
Personal Data is processed by the Controller on the basis of relevant contracts for entrustment of personal data
processing; the controller of this Personal Data is the School. The User obtains information about the School’s rules for the
processing of Personal Data during the process of concluding a contract with the School to conduct a language course.
3.4. Processing of Personal Data of Users visiting the Controller’s profiles maintained on social media where the Controller has
its public profiles (Facebook, Instagram, YouTube, LinkedIn, TikTok) and where the User leaves their data: If a User visits
the public profiles of the Controller maintained on social media (Facebook, Instagram, YouTube, LinkedIn, TikTok), the
Controller processes the Users’ Personal Data in connection with the maintenance of the Controller’s profile, including in
order to enable the Users to be active on these profiles and to inform the Users about the Controller’s activities and
promote various types of events, services and products (for statistical and analytical purposes, to support the running of a
given profile by the Controller, but also to enable the User to actively use such profile) on the basis of the Controller’s
legitimate interest in promoting its own brand (legal basis art. 6(1)(f) of the Regulation). The data may be also processed
to conduct User satisfaction surveys and determine the quality of Data Controller’s services. The legal basis for
processing is the legitimate interest in obtaining relevant information to improve the quality of the Data Controller’s
products and services (Article 6(1)(f) of the Regulation).
The provision of Personal Data by the User is not a statutory or contractual requirement nor is it the prerequisite for
concluding a contract; however, failure to provide Personal Data prevents the User from using certain features available in
the Data Controller’s profiles in social media.
Users may obtain further information on the processing of Personal Data in the Data Controller’s profiles in the individual
social media. The information provided in this paragraph 3.4 does not apply to the processing of Personal Data by the
administrators of the said services (social media) – the User may find that information in privacy documents provided by
those entities in the said services. Meta Platforms Inc. based in the United States of America and Meta Platforms Limited
based in Ireland, YouTube LLC based in the United States of America, LinkedIn Ireland Unlimited Company based in
Ireland, TikTok Inc. based in the United States of America, may transfer Personal Data to a third country (United States of
America). Such a transfer is possible, as the privacy policies or other personal data protection rules of the
abovementioned data recipients invoke standard data protection clauses adopted by the European Commission.
Information on personal data processing rules applicable to the abovementioned portals is available in the personal data
protection documents that can be found on their websites.
3.5. Processing the data of a User who contacts the Controller by e-mail, mail or telephone on matters other than the use of the
Application: As a general rule, personal data is provided directly by the User and this data usually includes the full name,
e-mail address, other contact details, other data provided by the User, and – in case of telephone contact – the Controller
also automatically acquires a telephone number, from which the call is made.
Personal Data included in the correspondence from the User to the Controller is processed only for the purposes of
communication and addressing the issue raised in the correspondence/communication. Personal Data is processed under
Article 6(1)(f) of the Regulation – processing is necessary for the legitimate interests pursued by the Controller, entailing
responding to correspondence sent to them in connection with their business activities. Data may also be processed
based on the grounds indicated in paragraphs 3.2. – 3.4. if the User contacts the Controller for issues referred to in these
paragraphs.
The provision of Personal Data by the User is not a statutory or contractual requirement nor is it the prerequisite for
concluding a contract; however, failure to provide Personal Data prevents the User from contacting the Controller and
Controller from responding to the correspondence sent by the User.
3.6. Processing Users’ Personal Data on other grounds: The Controller may process User’s Personal Data based on the
consent granted by the User, in each case within the scope, for the purposes, on the terms and for the period specified in
the consent.
3.7. For each case of Personal Data processing described in this section, the Controller may process additional Personal Data
in connection with the establishment, exercise or defense of potential claims of the Controller under Article 6(1)(f) of the
Regulation – processing is necessary for the legitimate interests pursued by the Controller, entailing the exercise and
defense of claims.
3.8. The Controller does not process Personal Data of children under Article 6(1)(f) of the Regulation.
4. COOKIES
4.1. Cookies are IT data, in particular text files, which are stored on the end device of an Application User and intended to be
used in the Application. Cookies usually include the name of the Application from which they originate, storage time on the
end device and a unique number. Cookies collect information to facilitate the use of the Application.
Cookies are used in the Application in order to maintain the session of the Application User (after logging into the Profile),
thanks to which the User does not have to re-enter the Login and Password on each sub-page of the Application; these
cookies are used to identify the logged-in User.
4.2. Two basic types of cookies are used in the Application: session cookies and persistent cookies. Session cookies are
temporary files that are stored on the User’s terminal device until the User logs out or closes the Application. Persistent
cookies are stored in the User’s end device for the period specified in cookie parameters or until they are deleted by the
User.
The Controller uses the following cookies:
a) “necessary” cookies that enable the use of the Application’s features, e.g. authentication cookies used for Application’s
features requiring authentication, i.e.: es_music_session, storing User sessions (for 7 days); sparrow_id, storing the unique
device number (for 7 days) and last_refresh, storing information about the User’s last activity (for 7 days);
b) secure cookies, e.g. cookies used to detect authentication misuse in the Application, i.e.: XSRF-TOKEN, preventing cross-site request
forgery attacks (2 hours);
4.3. The use of cookies for the purpose of collecting data, including accessing data saved on the User’s device, is subject to
User’s consent. Such consent may be revoked at any time. Consent is not required only for cookies that are necessary to
provide the telecommunication service (data transmission for the purpose of displaying content).
In many cases, the software used for browsing websites (Internet browser) allows the storage of cookies in the User’s end
device by default. Users of the Application may at any time change their cookie settings or withdraw their consent in this
regard. These settings may be changed especially in a manner that blocks the automatic acceptance of cookies in the
web browser or to notify about any cookies that are being stored in the Application User’s device. Further details about the
possibilities and methods in terms of cookie management are available in the software (Internet browser) settings:
a) Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internetexplorer-delete-manage-cookies
b) Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
c) Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
d) Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
e) Safari: https://support.apple.com/kb/PH5042?locale=en-GB
Restrictions on the use of cookies may affect some of the functionalities available in the Application.
Cookies stored in the Application User’s end device may also be used by advertisers and partners cooperating with the
Controller, including Google Analytics.
5. PERSONAL DATA PROCESSING PERIOD
5.1. The period of processing personal data by the Controller depends on the type of service provided through the Application
and the purpose for processing Data. As a general rule, data is processed for the period of providing service by electronic
means on the basis of the Terms and Conditions until consent is revoked (if Personal Data is processed on the basis of
consent), for the period specified in the consent or until an effective objection to the Personal Data processing is raised
(where the legal basis for Personal Data processing is legitimate interest of the Controller and direct marketing).
The period for Personal Data processing may be extended if processing is necessary for the establishment, exercise or
defense of potential claims, and after that period – to the extent required by law. At the end of the processing period,
Personal Data is irreversibly deleted or anonymized.
The above provision and the provisions of paragraphs 6 and 7 above apply to the processing of Personal Data by the
Controller acting as a personal data controller as defined by the Regulation. With regard to the Personal Data processed by
the Controller on behalf of the School, the information contained in the information clauses provided by the School shall
apply, in particular during the process of the User’s conclusion of the language course contract.
6. USER RIGHTS
6.1. The User has the right to:
a) withdraw their consent for Personal Data processing, provided that the processing takes place on the basis of
consent; the withdrawal of consent shall not affect the lawfulness of processing based on consent before its
withdrawal;
b) request the Data Controller to grant them access to their Personal Data and request their rectification, removal (“the
right to be forgotten”) or restriction of their processing as well as transfer data to another controller;
c) lodge a complaint with the supervisory authority responsible for verifying whether personal data processing is
compliant with the law, i.e. the President of the Personal Data Protection Office.
6.2. The User also has the right to object to personal data processing for marketing purposes, if processing takes place on the
basis of legitimate interest of the Controller and – for reasons related to the particular situation of the User – in other
cases, where the legal basis for data processing is legitimate interest of the Controller (e.g. for analytical and statistical
purposes).
6.3. The abovementioned rights, except for lodging a complaint with a supervisory authority, may be exercised by sending a
request to the e-mail address: [email protected] or in another way selected by the User.
7. DATA TRANSFERS
7.1. In connection with the provision of services through the Application, Personal Data will be disclosed to third parties,
including, but not limited to vendors responsible for managing IT systems and entities related to the Controller, including
companies from its capital group, in accordance with data processing agreements concluded with such entities. The
Controller also informs that in connection with the transfer of Personal Data to countries outside the European Economic
Area, personal data may be processed with the use of third party services (processors). Such transfer takes place if the
privacy policies or other personal data protection rules of the processor are based on the grounds specified in the
Regulation, including, but not limited to standard data protection clauses adopted by the European Commission or binding
corporate rules approved by a competent supervisory authority.
The Controller requires these Personal Data processors to ensure that the level of protection of privacy and personal data
processed by these entities is compliant with the law.
7.2. The Controller has the right to disclose certain information of the User to competent authorities or third parties that
request such information, at all times in accordance with applicable laws.
7.3. If the User grants the relevant consent, their data may also be disclosed to other entities for their own purposes, including
marketing purposes.
8. SECURITY OF PERSONAL DATA
8.1. The Controller carries out an ongoing risk analysis to ensure that Personal Data is processed securely. Personal Data may
only be accessed by authorized persons and only to the extent necessary for the purpose of processing and activities
performed by these persons. All operations on Personal Data are documented appropriately and performed only by
authorized persons.
9. FINAL PROVISIONS
9.1. Every User may contact the Controller using the contact information indicated in paragraph 2.2 above, including by
sending an e-mail to: [email protected]. A response will be sent to the e-mail address from which the
request/query/demand was sent and in case of requests/queries/demands sent by mail – a response will be sent by
regular mail to the address specified by the requestor, provided that the contents of the letter do not indicate the desire to
receive feedback by e-mail (in such a case, an e-mail address should be provided).
9.2. The Controller will be reviewing this Privacy Policy on an ongoing basis and, if needed, will be modifying and updating it.