The Polish version of these regulations is the original and legally binding version.
§1. General Provisions
1. The administrator of personal data collected through the Ximly Platform (hereinafter referred to as: the Platform) is Ximly Spółka z ograniczoną odpowiedzialnością with its registered office in Krakow (30-554) at Zamknięta 10 lok. 1.5, registered in the Register of Entrepreneurs of the National Court Register by the District Court for Krakow-Śródmieście in Krakow, XI Commercial Division of the National Court Register under KRS number: 0001152079, NIP: 6793320888, REGON: 54074383, represented by the President of the Management Board, Krzysztof Czaicki, e-mail address: support@ximly.app, tel. 794 774 178 (hereinafter referred to as: the Administrator).
2. Personal data collected by the Administrator through the Platform are processed in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR.
3. All terms used by the Administrator in this document should be understood in accordance with their definitions in the Terms of Service.
§2. Types of Processed Data, Scope, and Purpose of Collection
1. The Administrator processes the personal data of Platform Users in the following cases:
a) registration of a User Account (tutor, student, parent/legal guardian of a student) to gain access to the Platform and manage their account, based on Article 6(1)(b) of the GDPR,
b) receiving e-mail messages from the Administrator, including push notifications (in the case of a parent/legal guardian's account) and newsletters – Personal data is processed after separate consent is given, based on Article 6(1)(a) of the GDPR,
c) payment for lesson credits by a tutor to conduct lessons with students – Personal data is processed based on Article 6(1)(b) of the GDPR (performance of a contract) and Article 6(1)(c) of the GDPR (legal obligations in accounting and taxes),
d) ensuring the security of using the Platform, preventing abuse, conducting statistical analyses, and developing the Platform's functionalities – Personal data is processed based on Article 6(1)(f) of the GDPR.
2. The Administrator processes the following types of personal data:
a) when creating an account – first name, last name, e-mail address, date of birth, IP address, phone number; in the case of integration with Google services: first name, last name, and e-mail address retrieved from the Google profile,
b) in the case of a parent/legal guardian's account – in addition to the data specified in para. 2(a) above, information on the relationship to the student, since the account is linked to the account of a student who was under 16 years of age at the time the account was created on the Platform, in order to ensure the safety of minors (Article 6(1)(f) of the GDPR),
c) if consent is given for a newsletter – e-mail address,
d) in the case of push notifications to a parent/legal guardian – e-mail address,
e) in the case of a tutor's account – in addition to the data specified in para. 2(a) above, billing data (NIP, business address), limited payment card data, data on education and qualifications (in the case of Tutor account verification).
3. Personal data is stored for the period:
a) if processed for the performance of a contract – for the duration of the contract, and then for the period of limitation of claims arising from the contract (as a rule, 6 years, and for claims related to business activities – 3 years),
b) if processed on the basis of consent – until it is withdrawn, and after its withdrawal for the period of limitation of claims related to processing (as a rule, 6 years, and for claims related to business activities – 3 years),
c) if processed to fulfill legal obligations (accounting, taxes) – for the period required by law (currently 5 years from the end of the tax year),
d) if processed based on the legitimate interest of the Administrator – for the time necessary to achieve this interest or until the User effectively objects.
4. When using the Platform, technical data may also be collected, in particular: the User's IP address, the IP address of the Internet provider, browser type, operating system type, time of access to the Platform, and activity within the Platform. This data is processed to ensure the security of the IT system, adapt functionalities to the User's device, and conduct statistical analyses – based on Article 6(1)(f) of the GDPR.
5. Personal data will also be processed in an automated manner in the form of so-called profiling, provided the User consents to it – Article 6(1)(a) of the GDPR. Through profiling, the Administrator will obtain information enabling a profile to be assigned to a given User in order to make decisions about the User concerning the prediction of their preferences and the functionality of the services provided.
6. The Administrator takes the utmost care to protect the rights and interests of the data subjects. In particular, it ensures that the data is:
a) used lawfully,
b) collected only for clearly defined and legitimate purposes, and not further processed in a way incompatible with those purposes,
c) reliable, up-to-date, and adequate for the needs arising from the purpose of their processing,
d) stored in a form that allows identification of individuals for no longer than is necessary for the purposes for which the data are processed.
7. The Administrator informs that due to the development of the Platform, additional functionalities requiring the processing of personal data may be introduced, in particular:
a) recording and storing online lessons – for educational, security, and service development purposes (Article 6(1)(a) GDPR; Article 6(1)(f) GDPR),
b) integration of online payment systems – to enable settlements between Users via the Platform (Article 6(1)(b) GDPR; Article 6(1)(c) GDPR; Article 6(1)(f) GDPR),
c) development of tools based on artificial intelligence, supporting Tutors and Students in the educational process (Article 6(1)(a) GDPR; Article 6(1)(f) GDPR).
8. The implementation of new functionalities, referred to in para. 7, will always be preceded by an update of this Privacy Policy and by informing Users about the scope of new purposes and legal bases for data processing at least 7 days in advance by sending information about the planned changes to the Users' e-mail addresses.
§3. Processing of Conversations Between Users
1. The Administrator informs that the content of conversations conducted between Users via the Platform may be processed by the Administrator.
2. The processing referred to in para. 1 includes, in particular: the content of text messages, files sent within conversations, metadata (date, time, participants), and other data related to communication carried out within the Platform.
3. The purpose of processing conversation content is:
a) to ensure the security of communication and to prevent abuse and illegal content,
b) to enable the handling of complaints and disputes between Users,
c) to develop and adapt the Platform's functionalities to the needs of Users, including the creation and improvement of tools supporting Tutors in the teaching process,
d) to conduct statistical and qualitative analyses to improve the quality of the services provided,
e) to develop systems based on artificial intelligence used in the Platform.
4. The legal basis for processing the data referred to in para. 1 is:
a) the necessity of processing for the performance of a contract for the provision of electronic services (Article 6(1)(b) of the GDPR),
b) the legitimate interest of the Administrator in ensuring the security and development of services (Article 6(1)(f) of the GDPR),
c) in the scope of developing and using tools based on artificial intelligence – the User's consent (Article 6(1)(a) of the GDPR).
5. The data referred to in para. 1 is stored for the period necessary to achieve the purposes indicated in para. 3, but no longer than for 12 months from the end of a given conversation, unless a longer period results from applicable law or the need to resolve complaints or disputes.
§4. Sharing of Personal Data
1. Users' personal data may be shared with entities cooperating with the Administrator in running the Platform. This applies in particular to:
a) payment system operators,
b) accounting office,
c) hosting companies,
d) providers of software supporting business operations (e.g., accounting programs),
e) entities operating mailing systems,
f) providers of tools and software necessary for the functioning of the Service,
g) entities offering educational services within the Ximly Platform.
2. The entities indicated in para. 1(a-f), depending on the concluded agreements and the nature of the cooperation, may act on behalf of the Administrator (as processors) or independently determine the purposes and methods of data processing (as controllers).
3. All personal data of Users are stored exclusively within the European Economic Area (EEA).
§5. Right of Access to Data and Rights of Data Subjects
1. The data subject has the rights resulting from the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), including in particular:
a) the right of access to personal data (Article 15 GDPR),
b) the right to rectification of data (Article 16 GDPR),
c) the right to erasure of data – the so-called 'right to be forgotten' (Article 17 GDPR),
d) the right to restriction of processing (Article 18 GDPR),
e) the right to data portability (Article 20 GDPR),
f) the right to object to data processing (Article 21 GDPR),
g) the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR).
2. To exercise the rights referred to in para. 1(a-g) above, the User may send an appropriate request via e-mail to the Administrator's address: support@ximly.app.
3. The Administrator is obliged to execute the request of the data subject without delay, but no later than within one month of its receipt. In justified cases, in particular due to the complexity of the matter or the number of requests, this period may be extended by another two months. The Administrator will inform the data subject about the extension of the deadline and its reasons within one month of receiving the request.
4. Additionally, the User may delete their account (along with personal data) at any time by using the appropriate function available in the profile settings in the Application ("Delete account") or by sending a clear request to delete data to the e-mail address provided above. The Administrator fulfills such a request immediately, ensuring permanent deletion of data.
5. The data subject has the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stanisława Moniuszki 1A, 00-014 Warsaw, tel. 22 531-03-00, kancelaria@uodo.gov.pl) if they consider that the data processing violates the provisions of the GDPR.
6. The Administrator has appointed a Data Protection Officer whose tasks include, in particular, monitoring the compliance of personal data processing with legal provisions, providing information to Users regarding their rights, and cooperating with the supervisory authority.
7. Contact with the Data Protection Officer is possible in writing to the Administrator's registered office address or electronically to the e-mail address: support@ximly.app. The User has the right to contact the Data Protection Officer in all matters concerning the processing of their personal data and the exercise of their rights under the GDPR.
§6. Use of Cookies
1. The Administrator uses the Cookies mechanism within the Platform. The installation of essential Cookies is necessary for the proper provision of services by electronic means and to ensure the full functionality of the Platform.
2. Cookies may be used for the following purposes:
a) ensuring the proper operation and security of the Platform (essential cookies),
b) conducting statistical analyses of User activity (analytical cookies),
c) improving the functioning and adapting the Platform to the individual needs of Users (functional cookies),
d) carrying out marketing activities, including providing personalized content (marketing cookies – used only with the User's consent).
3. The Platform may use the Administrator's own Cookies and third-party Cookies, in particular from providers of analytical, advertising, or payment services.
4. Depending on the storage time, the following types of Cookies are used within the Platform:
a) session cookies – stored on the User's end device until they leave the Platform or log out,
b) persistent cookies – stored on the User's end device for the period specified in the Cookies' parameters or until they are deleted by the User.
5. As a rule, Cookies do not contain personal data that allows for the direct identification of the User. To the extent that data from Cookies can be linked to a natural person, their processing is carried out in accordance with the Privacy Policy and on the basis of Article 6(1)(a), (b), or (f) of the GDPR.
6. The User has the option to independently determine the conditions for storing or accessing Cookies through their web browser settings, as well as to withdraw consent for the use of Cookies other than essential ones at any time. Detailed information can be found in the Cookie Policy available on the Platform.
§7. Google User Data – Calendar Integration
1. The Ximly Platform allows Users (Tutors) to integrate their account with Google services.
2. As part of this integration, the Platform obtains access to the following data from the User's Google account:
• Profile Data: First name, last name, and e-mail address – used exclusively to verify the User's identity and link the Google account with the account on the Platform.
• Calendar Data: Information about events and availability – used exclusively for automatic synchronization of the lesson schedule.
3. The use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
4. The Administrator declares that data obtained via the Google API:
a) Is not shared with third parties for advertising purposes,
b) Is not used to display advertisements,
c) Is not sold.
5. In the case of Calendar data, it is not read by humans in order to access the content of private events (unless this is necessary for security purposes or the User has consented to it for technical purposes).
6. The User may revoke the integration and access to Google data at any time via the settings on the Platform or in the Google account security settings (https://myaccount.google.com/permissions).
§8. Final Provisions
1. Providing personal data by the User is voluntary.
2. The Administrator declares that within the Platform, it uses entities providing services for the Administrator (Article 28 GDPR):
a) Files and backups: Cloudflare R2 – storage of files and backups. Backups are stored exclusively in the EU/EEA region, within the Laravel Cloud and Cloudflare R2 infrastructure.
b) WebRTC, relay/CDN, and security services: Cloudflare Realtime / Cloudflare – handling real-time communication, data transmission, and protection of the Service.
c) Payment processing: Stripe Payments Europe, Limited – processing payments within the EU/EEA. In certain cases, support from Stripe group entities located outside the EEA is possible (details in §11).
d) Sending transactional e-mails and codes: Resend – data processing according to the location specified by Resend. In some cases, data transfer outside the EEA is possible (details in §11).
e) Product and UX analytics: PostHog – conducting product usage and experience analytics, launched only in accordance with the User's consent settings (§12).
f) Helpdesk and support chat: Featurebase – handling communication with Users for support and technical assistance.
g) Error and performance monitoring: Laravel Nightwatch – a tool for monitoring errors and the performance of the Service.
h) Authentication and login: WorkOS, Inc. (USA) – provider of authentication and user identity management infrastructure (Single Sign-On, password handling, login via Google account). Data (e-mail address, first name, last name, user identifiers) may be transferred to the USA based on Standard Contractual Clauses (SCC) or the provider's participation in the EU-U.S. Data Privacy Framework.
3. The Administrator applies appropriate technical and organizational measures to ensure the protection of personal data against unauthorized access, loss, destruction, unauthorized modification, as well as processing inconsistent with applicable law.
4. The Administrator implements technical solutions to prevent the interception and modification of personal data transmitted electronically by unauthorized persons.
5. In matters not regulated by this Privacy Policy, the provisions of the GDPR and the provisions of generally applicable law in the territory of the Republic of Poland shall apply.