Mohi.to Privacy Policy

Last Updated: 21 August 2023

Introduction

Thank you for visiting our website. We want to assure you that the protection and confidentiality of your personal data is of utmost importance to us.

On this site we provide information about how we process personal data. Personal data is all the information related to an identified or identifiable natural person in accordance with Art. 4(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter referred to as the GDPR). This may include your first and last name, e-mail address, mailing address or phone number.

Who is responsible for the processing of your personal data?

The entity responsible for the processing of personal data, its Controller within the meaning of the GDPR is mohi.to Sp. z o.o. with its registered office at ul. Kłodzka 2/7 in Wrocław (50–536), our other details can be found in the footer of the page.

Contact details of the Data Protection Officer

The Data Protection Officer appointed by us, Mr. Aleksander Gacek, can be contacted by
e-mail at ochronadanych@mohi.to or by mail at the above-mentioned address of mohi.to with the note “Data Protection Officer”.

What is the purpose and the legal basis for the processing of your personal data?

As we explained in the introduction, personal data is “any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’)”; An identifiable person is a natural person who can be identified, directly or indirectly, in particular by the attribution of an identifier such as first and last name, identification number, location data,
on-line identifier or at least one physical, physiological, genetic, psychological, economic, cultural or social characteristic of the person. Below we outline the purposes and the legal bases for the processing of your personal data that we carry out.

Enabling general use of the website

Generally, our website can be viewed without providing personal data. However, some technical data is produced just by browsing the site. When our website is visited by internet users, we save certain data in so-called log files. A log file consists of: IP address, start and end time of the visit to our site, quantity of data transferred, address of the website from which the request came, browser version and its language. The data processing is carried out on the basis of our legitimate interest referred to in Article 6(1)(f) of the GDPR, consisting in ensuring the highest possible quality of the website, identifying the pages that are visited most often, searching for and fixing errors in the structure of the website, general administration of the website including the generation of anonymous statistics. The data is not associated with any specific natural person visiting our site.

Hosting of the website

The hosting services on which this website is based are provided by cyber_folks S.A. with its registered office in Poznań (60-829) at ul. Franklina Roosevelta 22. To this end, we have entered into a data processing entrustment agreement with the provider which ensures that your data will be processed securely in accordance with the GDPR.

Contact by traditional mail and e-mail

When you contact us by traditional mail or e-mail, which is not related to the services we provide to you or to any other contractual relationship between us, we process your personal data contained in the correspondence for the purpose of carrying out the correspondence and resolving any issues to which the correspondence relates. The legal basis for such processing is our legitimate interest [Article 6(1)(f) of the GDPR] in enabling us to conduct ongoing correspondence in connection with the performance of our business activities.

Telephone contact

When you contact us by telephone in matters that are not related to the performance of a contract between us or are not intended to enter into one, we may process your personal data for the purpose necessary to solve the problem you have reported to us. The legal basis for such processing is our legitimate interest [Article 6(1)(f) of the GDPR] in enabling us to conduct ongoing communication in connection with the performance of our business activities.

Contact using electronic forms

In order to use the electronic contact forms provided by us, you are required to provide the necessary personal data to enable us to contact you and provide feedback. If you do not provide the required data, the form cannot be submitted. Completion of the remaining fields is optional. The legal basis for processing is directly related to the nature of the correspondence you send to us. If you are contacting us for the purpose of entering into a contract or in connection with the performance of a contract, the basis for the processing of your data is Article 6(1)(b) of the GDPR (processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into a contract); if you are contacting us on other matters, the legal basis for the processing of your data is our legitimate interest in enabling us to conduct ongoing communications in connection with the performance of our business activities [Article 6(1)(f) of the GDPR]. Notwithstanding the above, with regard to the data you provide to us voluntarily, the legal basis for processing is the consent you have given [Article 6(1)(a) of the GDPR].

Publishing information on our customers’ satisfaction

From time to time, we receive feedback from our customers that we want to show off. In such cases, we first obtain the consent of the relevant person [pursuant to Article 6(1)(a) of the GDPR]. We retain the data that allows us to use and publish our customer satisfaction content for as long as we are interested in publishing it and until you withdraw your consent to publish your feedback. We reserve the right to publish these opinions, also in anonymous form.

Social media profiles and industry websites

As part of our promotional activity, we use external social media and industry websites such as:

• Facebook  (mohi.to)
• Instagram (mohi.to)
• Linkedin  (mohi.to)
• Clutch  (mohi.to)
• Dribbble  (mohi.to)

• Facebook  (WeCanFly)
• Instagram  (WeCanFly)
• Linkedin  (WeCanFly)
• Clutch  (WeCanFly)
• YouTube (WeCanFly)

Through these services, we process data that is left by visitors to our profiles, such as comments, messages, likes, and statistics about the popularity of our channels. The statistics are summarized data that we may use to learn about the interactions of users of the sites we operate, and others interested in our business. The statistics for a particular site may be based on personal information that is recorded in connection with a person’s visit to or interaction with our fan page or the content that we publish on it. In addition, with respect to our Facebook channel, we are jointly responsible for data processing with Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook Ireland”) within the meaning of Article 26 of the GDPR and have entered into an agreement with Facebook Ireland for this purpose. You can find more information on this topic on the dedicated information page located here. The legal basis for our use of the aforementioned services is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR, namely, to use them as channels to promote our brand, publish information about our company and our business, better understand the interests of people who follow our channels, present people interested in our business with information about our initiatives and other activities. The above information does not apply to the processing of personal data carried out by administrators of the mentioned websites, who have their own individual privacy policies. Direct links to the relevant policies are provided below:

• Facebook
• Instagram
• Linkedin
• Dribbble
• YouTube
• Clutch

Social media tools

For the same purposes, our website uses plug-ins and other social tools provided by portals such as Facebook, Instagram, and Linkedin. When you visit our website that contains such a plug-in, your browser establishes a direct connection to the servers of the social network administrators (Service Providers). The content of the plug-in is transmitted by the respective Service Provider directly to your browser and integrated into the website. Thanks to this integration, Service Providers receive information that your browser has displayed our site, even if you do not have a profile with the given Service Provider or you are not logged in with that Service Provider at the moment. Such information (along with your IP address) is sent by your browser directly to the Service Provider’s server (some servers are located in the USA) and stored there. If you are a logged-in user of one of the social networks referenced by the plug-in, the plug-in provider will be able to directly associate your visit to our site with your profile on that social network. When you use a plug-in, such as the “Like” or “Share” button, the corresponding information is sent directly to the server of the relevant Service Provider and stored there. At the same time, the information will be published on the respective social network. The purpose and scope of data collection and its further processing and use by Service Providers, as well as the possibility of contacting you and your rights in that respect and the possibility of making settings to ensure the protection of your privacy are described in the privacy policies of the individual Service Providers:

• Facebook
• Linkedin
• Instagram
• Dribbble
• YouTube
• Clutch

If you do not want social media sites to attribute the data collected during your visit to our website directly to your profile on that site, you must log out of that site before visiting our site. You can also completely prevent plug-ins from loading on your site by using the appropriate extensions for your browser, such as script blocking.

Analysis of the activity of Users of our website

We use the Google Analytics tool provided by Google Ireland Ltd. with its registered office in Ireland (Gordon House, Barrow Street, Dublin, D04. E5W5, Dublin). We do so on the basis of our legitimate interest in generating statistics and analyzing them in order to optimize our website and monitor its correct functioning. Google Analytics automatically collects information about your use of our website. The information collected in this way is usually transferred to a Google server in the United States and stored there. Due to the IP address masking we use, your IP address is truncated before being passed on. The anonymized IP address transmitted by your browser within Google Analytics is generally not combined with other Google data. We do not collect any data within the Google Analytics tool that would allow us to identify you personally. As such, the data collected through Google Analytics is aggregated and is not personal data. The information we have access to within Google Analytics includes in particular:

• information about the operating system and web browser used by visitors to our site,
• the sub-pages they view within it,
• how much time they spend on our site,
• navigating between different tabs within our site,
• the referring site (the “Source”) from which they go to our service.

In order to use Google Analytics, we have implemented a special Google Analytics code in the code of our website. The analytics code uses cookies from Google LLC regarding the Google Analytics service. You can disable the Google Analytics code right from our website, using the mechanism to manage cookies. You can also block Google Analytics tracking code at any time by installing a browser extension provided by Google. Google Analytics and Google Analytics 360 services have been certified to the independent security standard ISO 27001. ISO 27001 is one of the most widely recognized standards in the world and certifies that the systems that support Google Analytics and Google Analytics 360 meet the relevant requirements. If you are interested in the details related to the processing of data within Google Analytics, we encourage you to read the explanation prepared by Google.

Processing of data in regard to sending newsletters.

Based on your voluntary consent, we may process your personal data in the form of your e-mail address, username or first and last name, the date of subscription, the fact and time of opening the message, the fact and number of clicks on the links contained in the messages (statistical data*) in order to send you newsletters containing information about the products and services we offer related to the Website and other content related to the functioning of the Website. We place the link for unsubscribing from the newsletter in the footer of the e-mail you receive from us.

As the Administrator, taking care of the accuracy of the data, we unsubscribe non-working and out-of-date e-mail addresses (so-called bouncing newsletters) from the newsletter, even in case we do not receive your unsubscribe. 

* Statistical data – using web beacons or tracking pixels, we analyze the activity of newsletter subscribers. This data is combined with other personal data, email address, and individual identifier, which is also included in the links placed in the messages we send to you. This allows us to measure the fact and timing of newsletter opens and data on clicks on particular links.

We process this data in order to tailor the content of the newsletters to the interests of subscribers.

Google Re-Captcha

Due to our legitimate interests (i.e. ensuring the accuracy of data, avoiding automated orders and messages sent by so-called bots and optimizing the costs of our website), we have implemented the Re-Captcha security mechanism provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). From time to time, the Re-Captcha service has transferred data to Google Inc. which is based outside the European Economic Area. Such transfer is permitted under Article 46(2)(c) of the GDPR because it is made on the basis of standard contractual clauses approved by the European Union Commission. We use Re-Captcha to distinguish whether an entry is made by a human or by automated means. The query processed for this purpose involves sending your IP address and any other data required by Google for the Re-Captcha service to Google. For this purpose, the data you have entered will be transmitted to Google and analyzed. We encourage you to read detailed information about Google reCAPTCHA and Google’s privacy policy.

Links to external websites

Our website contains links to other websites that do not belong to us. We cannot be held responsible for the privacy practices of these sites. We suggest that when you navigate to other sites, you should review their respective privacy policies. This privacy policy applies only to mohi.to websites.

For how long will we process your personal data?

We process personal data as long as the purpose and the legal basis for the processing exist at the same time, so the processing periods may vary.

• When we process your personal data on the basis of consent, it is processed by us until you revoke it;
• Where it is our legitimate interest that is the legal basis for the processing, your data will be processed for a period that enables us to pursue that interest or until we receive an effective objection to the processing;
• Where the basis for processing your personal data is that it is necessary for the conclusion or performance of a contract between us, the data will be processed for the term of the contract.
• The processing period may also result from applicable laws where they require us to process certain personal data.

The processing period may be extended if the processing is necessary for the establishment or assertion of claims or the defense against claims, and thereafter only if and to the extent required by law. After the end of the processing period, the data is irreversibly deleted or anonymized.

Recipients or categories of recipients of personal data

In processing personal data, we use the services of third parties to whom we disclose personal data. Those particularly include the following:

• Providers responsible for managing, operating, securing, and maintaining information systems and hardware;
• Entities that provide accounting, marketing, advisory, printing, consulting, legal, recruitment, or postal services to us;
• E-mail service providers, cloud software (mailing, invoicing, CRM, accounting systems);
• Instant messaging providers including Facebook Messenger;
• Other subcontractors who may access your personal data in the course of providing services to us;
• To the extent necessary to fulfill tax, accounting or billing obligations, your data may also be transferred to tax authorities.

In addition, we reserve the right to disclose selected information concerning data subjects to authorized authorities or institutions, or other authorized entities which make such a request and have an appropriate legal basis for doing so.

Transfer of personal data outside the European Economic Area (EEA)

In certain situations, we may transfer your personal data to a country outside the EU or EEA (known as Third Countries). Generally, this may be the case if you are our employee or a subcontractor who is involved in an assignment for our customers based in a third country. We will provide you with more information about this directly in the relevant information clause. In addition, we use data processors or, as a legitimate interest, service providers who sometimes process data in third countries; such instances are described above in the section entitled “What is the purpose and the legal basis for the processing of your personal data?”. In connection with the transfer of your data outside the EEA, we verify that Partners provide a guarantee of a high level of protection of personal data. These guarantees arise particularly from the obligation to apply the standard contractual clauses adopted by the Commission (EU) in application of Article 46(2) of the GDPR. You have the right to request that we provide you with a copy of the standard contractual clauses by directing your request to our Data Protection Officer.

Your rights

Under the GDPR, data subjects are entitled to:

• the right of access to their personal data, including obtaining a copy of the data,
• the right to demand rectifying their personal data,
• the right to have their personal data deleted (the right to be forgotten),
• the right to have the processing of their personal data restricted,
• the right to portability of their personal data (if processed under contract or consent),
• the right to object (to the processing of their personal data, to direct marketing, profiling, to processing carried out on the basis of the legitimate interest of the Controller),
• the right to lodge a complaint to the supervisory authority for the protection of personal data (in Poland it is the President of the Office for Personal Data Protection),
• If your data is processed on the basis of consent – you have the right to withdraw the consent (which does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal).

To exercise the above rights, or to request more information on what data we have about you and for what purposes we process it, please contact our Data Protection Officer.

Is there an obligation to provide personal data?

If you enter into a contract with us, the provision of certain data is necessary for its performance. In certain cases, data processing may also be an obligation imposed on us by applicable law. In other cases, i.e., when the provision of data is not required by law or is not necessary for the conclusion or performance of a contract between us, you provide your data voluntarily.

Data security

We make the utmost effort to ensure a high level of security for the personal data we process. Any events affecting data security, including suspicion of sharing files containing viruses and other files of similar nature or other destructive mechanisms other than files, should be reported to our Data Protection Officer.

We use technical and organizational measures to ensure the protection of the processed personal data appropriate to the hazards and the category of data protected, in particular we protect the data against its disclosure to unauthorized persons, acquisition by an unauthorized person, processing in violation of applicable regulations, and change, loss, damage, or destruction. In addition, we take special care to ensure that personal data is:

• correct and processed in a lawful manner,
• collected only for specified purposes and not further processed in a manner incompatible with those purposes,
• adequate, appropriate, and not excessive,
• accurate and up to date,
• not stored longer than necessary,
• processed in a manner that enables the rights of data subjects to be complied with,
• collected, transmitted, and stored in a secure manner.

Personal data is stored by us in databases in which technical and organizational measures have been applied to ensure the protection of processed data in compliance with the requirements set forth by generally applicable laws on the protection of personal data and market standards. Only persons authorized by us have access to the database. We have appropriate policies and procedures in place to safeguard personal data from unauthorized loss, misuse, alteration, or destruction. We make every effort to limit access to your personal data to those who are required to know the information. The individuals who have access to the data are obligated to maintain it in confidence.

We also use technical measures to protect your personal data; in particular:

• SSL – our sites are accessible using an encrypted connection between your browser and the server where the site is hosted. An encrypted connection is enforced on the Site,
• access to data – access to collected information is restricted to designated individuals who are appropriately trained, authorized and obligated to maintain confidentiality, and who hold appropriate credentials,

Our Site uses Cookies and other similar technologies, details of which can be found further in the Policy under “Cookies and other technologies”.

Cookies and other technologies

By using the Site, you consent to the use of cookies – small files sent by our web server that you visit and stored on the end device you use to browse our Site. Cookies consist of a string of letters and numbers that may contain data and other information that enables us to do the following:

• correctly display of our website in your browser – these cookies are necessary for the correct operation of key processes of our website,
• ensuring the security of our site – detecting undesirable activities on the site,
• improving the performance and operation of the website and necessary analytics – these cookies collect statistical data, for example, on the number of visits to individual sub-pages,
• customizing the functionality of our website – including personalization of your settings, such as language, region, font color, etc. and for storing the settings you have chosen.

The cookies used on our website can be divided into session cookies, so called temporary cookies which remain on your device only during the use of the website – they are deleted when you close your browser; and permanent cookies which remain on your device for as long as they have a set duration or until you delete them.

You can block cookies from our website directly in your browser settings at any time. Otherwise, you consent to their use. The additional third-party tools we use may use their own additional cookies. Please note that changing your cookie settings may affect how our website works. For more information on how to change your browser settings to maintain privacy in the most popular web browsers, see below:

• Firefox;
• Internet Explorer;
• Google Chrome;
• MS Edge;
• Opera.

Processing of personal data in connection with the availability of the application on the Shopify App Store

As part of our business of developing and publishing applications on the Shopify App Store platform, we process personal data about users and their customers. In this section, we outline the rules for processing personal data in connection with such activities.

Inpost – Parcel Lockers & Courier

With this Application, merchants using the Shopify platform can easily guide their customers through the order fulfillment and courier ordering process. It also allows you to generate waybills easily. The application connects to the Inpost panel using an API (Application Programming Interface). Below, we describe how your personal data is processed when you use the application while linking it to a store operated by the Shopify platform.
The Inpost Parcel Lockers & Courier application processes personal data of merchants who use it and their customers. The scope of personal data accessed by the application includes: first names, last names, company names, mailing addresses, telephone numbers, e-mail addresses – i.e., data that is necessary to post or ship the goods. In addition, the application also gains access to other data particularly concerning the merchandise purchased in the store; such data includes the name of the merchandise, its price, weight, and SKU code. The data listed above is collected directly from data subjects using Shopify, Inpost’s platform and related technologies.

Once the application is installed, we are able to automatically access the following types of information from a merchant’s account on the Shopify platform: customer (addressee) contact information, merchant (“sender”) contact information, product information and variations, and order information. Moreover, on the side of the InPost system (external access panel of InPost) the application can get automatic access to the list of available parcel lockers, create a new shipment, generate a shipping label and with a proper configuration of the InPost access panel, the application can generate an order to collect money for the generated shipment.

No data is stored in the application database other than the merchant (consignor) data configured on the application side, the internal ID of individual orders assigned by the Shopify system, and InPost system shipments. No other data that the application accesses is saved by the application. Additionally, in the database we store API access data without which the connection between the application and the systems (InPost and Shopify) is not possible: on the Shopify side it is the name of the store (e.g., mohito-apps.myshopify.com) and the access token; on the InPost side it is the ID of the seller organization and the access token (API token).

All data and access privileges are used only to the extent and for the purpose related to the provision of the application service, its maintenance and development, as well as ongoing maintenance and problem solving of its users. The data may also be used to conduct communication related to the service or to resolve technical issues or optimize the performance of the application as described above in this Policy.

Amendments to the Privacy Policy or Cookies Policy

• The Policy is kept under review and will be updated as necessary. The current version of the Policy is effective as of 1 December 2020.
• We reserve the right to make amendments to this Privacy Policy. Amendments will be made if required by applicable law or if the technological conditions of our website change.
• The date this Privacy Policy was last updated: 21 August 2023