merXu
Cancel

Privacy policy

A WORD OF INTRODUCTION

WHO WE ARE, A FEW DEFINITIONS SO THAT WE UNDERSTAND EACH OTHER, AND WHY WE ARE WRITING THIS

Let's start by introducing ourselves:

We are the merXu Group, i.e. a group of affiliated entities operating on the territory of the European Union (whose data you can find here) which are responsible for the local versions of the merXu Site.

In order to make it easier for you to use all the versions of our Site in each country, all the companies in the merXu Group work together, which also includes the administration of your data. All the companies are their joint-controllers.

If you use the Polish Site, please address any demands, questions or requests to the Polish company, i.e. merXu spółka z ograniczoną odpowiedzialnością.

The registered office of this company is located in Poland, Poznań, ul. św. Marcin 11/7 (postal code: 61-803).

If you don't want to use paper, write to us at: contact@merxu.com.

And now a few definitions. Please, read them carefully

  • GDPR - General Data Protection Regulation. An act which originates from the European Parliament and the Council, the purpose of which is to ensure that personal data are protected and processed inside the European Union in compliance with the same rules. The complete name of this document is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Personal data - information which allows us to identify you or which we have assigned to you in our databases in the course of our cooperation.
  • Processing of personal data - performing activities on personal data. Processing is, for instance, collecting data, entering it into our IT systems, analysing, rectifying, merging into sets, moving between servers, erasing.
  • Platform - our website, the internet platform operated at merXu.com together with all sub-pages.
  • Employee - to make it easier, we use this term to define both a person employed based on an employment contract and a person employed based on a civil law contract (contract of mandate).
  • Employer - to make it easier, we use this term to define both the entity employing a person under an employment contract and a customer employing employees under civil law contracts.

Why are we writing all this?

It is important that you know what is happening with your data. We want to clearly describe how we protect your data and how we work with it and why we do it.

In addition, the privacy policy that you are currently reading complies with the obligation imposed on us by the GDPR. If you want to make sure that we have given you complete information, you can verify us. The obligation we have mentioned results from Articles 13 and 14 of the GDPR.

DATA CONTROLLER - WHO IT IS AND WHAT IT DOES

The controller is the one who decides about the purposes and ways of processing personal data - that is the one who decides why and how (by what means) the data will be processed.

You will encounter different data administrators while using merXu.

In all matters related to the functioning of the Platform, in all services provided by us to your company, this controller is us. And this is what we are explaining in this policy.

Other entities will also be controllers of personal data while using merXu. In electronic payment services, this controller is the payment operator. The controller of your data provided in order to conclude and perform a contract concluded via our Platform is your counterparty. And the controller of your counterparty's personal data (its employees) is you (if you have registered with merXu as a sole proprietor) or your company (if you are an Employee).

WHY WE COLLECT YOUR DATA AND WHY WE CAN PROCESS THEM

The purpose and legal basis for processing of your data depends on who you are.

  • I'm an unregistered person just browsing the merXu site

    We don’t process your personal data. This doesn’t mean that we don’t have any data related to your use of merXu. We have only data which don’t allow us to identify you. More information about this is available in the cookies policy.

  • I’m self-employed and I have registered an account with merXu

    We process your personal data for the following purpose:

    First of all, to be able to provide you with services available on the Platform on the provisions set forth in the Terms and Conditions.

    The legal grounds can be found in Article 6(1)(b) of the GDPR - it informs you that your personal data are processed for the purpose of the performance of a contract (including claims proceedings), which you are a party of (or that your data are processed for the purpose of concluding this contract). The content of the contract between us is the Terms and Conditions.

    Secondly, in order to meet our tax obligations.

    The legal grounds can be found in Article 6(1)(c) of the GDPR - it informs you that your personal data are processed so that the controller (we) can comply with any obligation imposed by law. In this case, it is mainly VAT regulations and rules on keeping economic records.

  • I am an Employee and the company I work for has registered an account with merXu

    We process your personal data in order to ensure the proper provision of services for your employer (including claims proceedings) and proper communication between your Employer and its counterparties.

    The legal grounds can be found in Article 6(1)(f) of the GDPR – it informs you that your personal data are processed because the controller (we in this case) has a legitimate interest in it. This interest is to ensure the efficiency of communication between us and your Employer and to ensure that contracts concluded via merXu can be performed.

  • I subscribed to the newsletter

    We process your personal data in order to provide you with commercial information via a newsletter.

    The legal grounds can be found in Article 6(1)(a) of the GDPR – it informs you that your personal data are processed because you have consented to it.

    The consents given to us can be revoked at any time. Simply write to us or unsubscribe in the e-mail with the newsletter. Revoking your consent doesn’t influence the lawfulness of actions we performed when your consent was in force.

DATA RECIPIENTS

WHO CAN RECEIVE YOUR DATA

If you (or your Employer) have an account with merXu, your data may be transferred to the following categories of entities:

  1. counterparties (yours or your Employer's),

  2. entities to whom we have to provide data because we are required to do so by law, e.g. courts or the police,

  3. entities that support us in carrying out our operations - these are selected entities that operate under our supervision for strictly defined purposes, mainly entities providing IT, accounting or legal services for us (if you have heard of the term “entity entrusted with data processing” or “data processor”, this is what this point is about).

If you have subscribed to our newsletter, your data may be transferred to:

  1. entities to whom we have to provide data because we are required to do so by law, e.g. courts or the police,

  2. entities that support us in our activities - mainly entities providing IT services for us in the area of tools connected with the functioning of the newsletter.

SCOPE OF DATA

WHAT DATA WE HAVE AND FROM WHERE AND WHETHER YOU NEED TO GIVE THEM TO US

Similarly to the previous provisions of the data processing policy, the scope of your data depends on who you are.

  • I’m self-employed and I have registered an account with merXu

    The data we have concerning you come from you. You are under no legal obligation to provide them, however if you don’t do so, it won’t be possible to create a merXu account for you and you won’t be able to use our services. However, if you already have an account, we may ask for additional information from you – it will happen if we are required by law to obtain such information. Then you'll be obliged to give it to us.

    We have the following data concerning you: name, surname, business name, address where you conduct your business, NIP tax identification number, e-mail address, contact phone number, login, password, transaction history, bank account numbers. We may also have other information that you provided to us, for example, in connection with a filed claim.

  • I am an Employee and the company I work for has registered an account in the Platform

    The data we have concerning you come from your Employer and they are:

    • login, password, e-mail address, name, surname, position, contact phone number.
  • I subscribed to the newsletter

    The data we have concerning you come from you. You have no legal obligation to provide them, however if you don’t do so, sending the newsletter to you won’t be possible.

    In this regard, we have your e-mail address and the information whether you wish to receive commercial information only from us or also from our partners.

PROCESSING PERIOD

HOW LONG WE KEEP YOUR DATA

How long your data are processed depends on the purpose of the processing.

We store the data that are collected on your account (or that of your Employer) as long as that account exists - as long as it is necessary to perform the contract between us. And then for the time needed to complete the settlements or the duration of statute of limitations for claims related to the services we provide.

We will process the data collected with regard to the newsletter as long as your consent to sending commercial information remains valid.

RIGHTS OF THE DATA SUBJECT

WHAT ARE YOUR RIGHTS IN RELATION TO DATA PROCESSING

Your rights depend on the legal grounds for processing of personal data. Below, please find a table which presents your rights under specific legal grounds. Legal grounds can be verified in the section: THE PURPOSE OF DATA PROCESSING AND THE LEGAL GROUNDS FOR DATA PROCESSING.

Below you will also find basic information about what individual rights actually offer you.

If you wish to exercise one of your rights, write to us at contact@merxu.com.

RIGHT CONSENT
Article 6(1)(a) of the GDPR
CONTRACT
Article 6(1)(b) of the GDPR
LEGITIMATE INTEREST
Article 6(1)(f) of the GDPR
PROVISION OF THE LAW
Article 6(1)(c) of the GDPR
right to access data YES YES YES YES
right to rectify data YES YES YES YES
right to demand data erasure YES YES YES YES
right to demand restriction of processing YES YES YES YES
right to data portability YES YES NO NO
right to object NO NO YES NO
right to lodge a complaint with the supervisory authority YES YES YES YES
  • Right to access to data: this right allows you to demand that we confirm whether your data are being processed and if so, to demand certain information, in particular on the purpose of the processing, the categories of processed data, the categories of data recipients, the intended period of processing or how this period will be determined, your rights, data source, automated decision-making and profiling. You can also get a copy of your data from us.

  • Right to rectify data: this right allows you to demand that we correct your data if they are incorrect or incomplete.

  • Right to demand data erasure: otherwise known as the right to be forgotten. It allows you to demand that we delete your data from our resources. You may use it if the data are no longer necessary for the purposes for which they were collected, if you have objected to the processing of your data, if you have revoked your consent to the processing of your data, or if their processing is unlawful.

  • Right to demand restriction of processing: this right allows you to demand that we don’t carry out any processing activities - other than storing your data - without your consent. You may exercise this right if you question the correctness of your data that we process (for the time we need to verify your data), if the processing of your data is unlawful but you don’t want your data to be erased, if we no longer need your data but you may need them to defend or exercise your claims, if you have raised objection - until it has been established whether the legitimate grounds for our processing of your data override the reason for which you have objected.

  • Right to data portability: this right allows you to demand that we transfer your personal data to you (or directly to another entity, if technically possible). This applies only to data that we process in an automated way (we have them in our IT system) and only to data that you have transferred to us.

  • Right to object: This right allows you to demand that we don’t sub-process your data for a specific purpose. In order to exercise this right, in your demand you must indicate your specific situation justifying why we shouldn’t sub-process your data. We need to know this so that we can assess whether your interests override the reasons why we are processing your data.

    You don’t need to indicate your specific situation if your data are processed for marketing purposes. In that case, the objection is always effective.

  • Right to lodge a complaint with the supervisory authority: If you believe that there has been an irregularity in the processing of your personal data, you can lodge a complaint with the supervisory authority. In Poland, this body is the President of the Office for Personal Data Protection.