Green Money Sp. z o.o., based in Kiełczów, operates the Green Coins service, which is part of the Planet Heroes platform (www.planetheroes.app). The service allows users to exchange collected Green Coins for ecological actions they publish using the Let's Do It by Planet Heroes application. This Privacy Policy is an Annex to the Terms and Conditions and constitutes an integral part thereof, detailing the rules for protecting Users' Personal Data (hereinafter referred to as the "Privacy Policy"). Whenever terms capitalized in this Privacy Policy are used, they refer to the definitions contained in the Terms and Conditions and have the meanings assigned to them therein, unless otherwise stated in this Privacy Policy.

As the Service Operator, we respect our Users' right to privacy, particularly by ensuring the protection of Personal Data and implementing appropriate organizational and technical solutions to prevent third-party interference with privacy. Our actions are aimed at guaranteeing Users a full sense of security at a level appropriate to applicable law, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "GDPR"), as well as the legal acts specified in the Terms and Conditions.

1. Scope of the Privacy Policy

Using the Service implies that Users have read and accepted the provisions of this Privacy Policy and the Terms and Conditions. If necessary, the Operator may amend the provisions of this Privacy Policy. In such a case, the provisions regarding changes to the Terms and Conditions shall apply accordingly to changes in the Privacy Policy.

Green Money Sp. z o.o., based in Kiełczów, ul. Południowa 33/18, 55-093 Kiełczów, NIP: 8961620311, REGON: 523923553, registered in the Register of Entrepreneurs of the National Court Register under KRS number 0001008259, as the Operator of the Platform available at: www.coins.planetheroes.pl (the "Service"), is the data controller within the meaning of the GDPR concerning the Personal Data of Users who are natural persons.

The purpose of this Privacy Policy is to define the actions undertaken by the Operator regarding the protection of Personal Data processed through the Service and related services and tools used by Users to perform activities such as Registration, posting Materials, browsing and publishing Projects, and providing Support.

All actions of the Operator are subject to applicable data protection laws, including the GDPR and relevant Polish legal regulations.

2. Scope of Collected Data

Personal Data refers to any information that may identify the User. In connection with the operation of the Service, as the Operator, we collect Personal Data both during the Account Registration process (data provided by the User in the registration form) and during the User's subsequent use of the Service, including but not limited to the exchange of collected Green Coins for rewards.

Among the Personal Data collected as specified in section 1 above, we process Users' Personal Data, including:

• First and last name
• Email address (correspondence address)
• Information related to ecological activities (collecting and exchanging Green Coins)
• Transaction data related to the exchange of Green Coins for discounts and rewards
• Technical data (IP address, browser data, cookies)

Whenever "processing" of Personal Data is mentioned, it refers to any actions and operations performed on Personal Data, including collecting, storing, and analyzing such data.

As part of the Service, the Operator may process the Personal Data of Users who contact the Operator. Such data may be necessary to facilitate communication with the User.

If a User logs into the Service via an external authentication service offered by entities beyond the Operator's control, such as Facebook or Google, the Operator collects only the User's email address and solely for the purpose of such login.

To ensure the appropriate level of service quality for Users or due to the legitimate interests of the Operator or Third Parties, the Operator is authorized to automatically collect and record Personal Data transmitted to the server by web browsers or User devices while using the Service. Such data may include, for example:

• Cookies
• IP address
• Software and hardware parameters used by the User
• Viewed pages
• Mobile device identification number
• Information on application usage
• Tracking pixels
• Locally shared objects
• Other device and system usage data

The data mentioned in section 7 may constitute Personal Data that enables the identification of the User, given the Personal Data already held by the Operator in connection with the User’s Account registration in the Service.

All Personal Data collected by the Operator is protected using reasonable technical and organizational measures and security procedures to prevent unauthorized access or misuse by unauthorized persons.

3. Purposes of Data Processing

Personal data is processed for the following purposes:

• Managing the user account and handling their activity within the Service
• Facilitating the exchange of Green Coins for discounts and rewards with the Service’s partners
• Sending notifications related to the functioning of the Service
• Promoting ecological activities and partners associated with Green Coins
• Conducting marketing and promotional activities for the Service, which constitute our legitimate interest – the legal basis for this is Article 6(1)(f) of the GDPR
• Analyzing and optimizing the operation of the Service, including monitoring traffic, ensuring the appropriate performance of the Service, preparing statistical and analytical reports, conducting scientific research, optimizing Services, and improving support processes based on service interactions, including handling complaints – the legal basis for this is Article 6(1)(b), (c), and (f) of the GDPR.

4. Legal Basis for Data Processing

Personal data is processed based on:

• The user's consent (Article 6(1)(a) of the GDPR) – in the case of marketing communications
• The agreement between the user and the administrator (Article 6(1)(b) of the GDPR) – regarding the use of the Service and the exchange of Green Coins
• Compliance with a legal obligation imposed on the administrator (Article 6(1)(c) of the GDPR)

5. Data Sharing

Users' personal data may be shared with Green Coins business partners, such as companies offering discounts and rewards in exchange for Green Coins. Data may also be transferred to technical service providers and public authorities if required by law.

Google – We use Google Analytics to collect statistics, meaning your data will be received by Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. Google is certified under the Privacy Shield program. Additionally, your data, such as your first and last name, may be publicly visible on your Account profile to any visitor of the Service's website. Depending on your activity within the Service, your information may also appear in search engine results.

As the Service Operator, we may share Users' Personal Data with the following entities only with the consent of the concerned Users or based on the Operator's legitimate interest:

• Other websites operated by the Operator
• Entities cooperating with the Operator that manage websites or online applications (including mobile applications) to allow Users to publish Projects and hyperlink to the Service, including Projects posted on the Service

Users' Personal Data may be shared or entrusted for further processing to entities cooperating with the Operator in providing Services. This includes entities offering IT, hosting, consulting, marketing, courier or postal, legal services, as well as payment institutions and authorized state authorities.

The Operator may cooperate with third parties to provide services on its behalf. In such cases, these entities are not authorized to use Users' Personal Data for their own purposes.

Additionally, the Operator may share Users' Personal Data with public authorities if such an obligation arises from applicable legal provisions or is justified by the legitimate interest of the Operator or other Users.

The Operator commits not to sell Users' Personal Data, except in the case of transferring the rights to the Service to another entity.

Users subject to the GDPR, after obtaining Personal Data of other Users from the Operator, are required to fulfill all obligations towards these individuals under the GDPR and other legal provisions, including ensuring the exercise of rights granted to them under the GDPR.

6. Transfer of Data to Countries Outside the European Union

To provide Services within the Service, Users' Personal Data will be transferred outside the European Union. Such data transfers will always be carried out based on appropriate legal safeguards, including but not limited to standard contractual clauses for the transfer of Personal Data to data processors located in third countries, as approved by the European Commission.

Organizations registered outside the European Union to which the Operator transfers Users' Personal Data include: Google.

7. Cookies

Cookies are small text files sent by the Service (website) and stored on the User’s device (usually on a computer hard drive), which the server can read when the User reconnects to the Service from the same device. Cookies typically contain the name of the website they originate from, the duration of their storage on the User’s device, and a unique identifier.

Within the Service, we use the following types of cookies:

• Session cookies – stored on the User’s device until they log out, leave the website, or close their web browser.
• Persistent cookies – stored on the User’s device for a specified period as defined in the cookie parameters or until deleted by the User.
• Performance cookies – enable the collection of information on how the Service’s website is used.
• Necessary cookies – allow the use of Services and functionalities available within the Service.
• Functional cookies – enable the storage of User-selected settings and personalization of the User interface.
• First-party cookies – placed by the Service itself.
• Third-party cookies – originating from external websites other than the Service.

Cookies within the Service are used for the following purposes:

• Adjusting the content of the Service’s web pages to the User’s preferences and optimizing their performance.
• Creating statistics that help understand how Users interact with the Service’s web pages, allowing for improvements in structure and content.
• Maintaining the User’s session (after logging in), so that the User does not have to re-enter their login and password on every subpage of the Service.

The information mentioned in sections 2 and 3 above is in no way linked to the User’s Personal Data and is not used to determine the User’s identity.

To achieve the purposes stated in section 3 above, the Operator may collaborate with business partners, such as research companies and application providers, including Google Analytics. The scope of information collected automatically depends on the settings of the User’s web browser.

In many cases, software used for browsing the internet (web browser) is set by default to allow the storage of cookies on the User’s device.

Users of the Service may change their cookie settings at any time. These settings can be modified, in particular, to block the automatic handling of cookies in the web browser settings or to notify the User each time cookies are placed on their device.

Detailed information on the possibilities and methods of handling cookies is available in the settings of the User’s web browser. Restrictions on the use of cookies, as mentioned in section 5 above, may affect certain functionalities available within the Service.

8. Data Retention Period

The Operator retains Personal Data for the duration of the Agreement concluded with the User and after its termination for purposes such as pursuing claims related to the execution of the Agreement, fulfilling legal obligations, including tax, accounting, fiscal, statistical, and archiving requirements. The data will be stored for a maximum period of 6 years from the end of the year in which the Agreement with the User was terminated, or for a longer period if necessary to ensure accountability.

The Operator retains Personal Data for promotional and marketing purposes for the duration of the Agreement or until the User objects to such processing, whichever occurs first.

Personal Data of individuals who do not have an Account in the Service is stored by the Operator for a period corresponding to the lifecycle of cookies saved on their devices.

9. User Rights

Providing Personal Data and giving consent for its processing is voluntary.

In connection with the processing of Personal Data by the Operator, each User has the following rights:

• The right to access their Personal Data and receive a copy of it.
• The right to rectify (correct) their Personal Data.
• The right to erase their Personal Data.
• The right to restrict the processing of their Personal Data.
• The right to object to the processing of their Personal Data.
• The right to data portability for data provided based on the User’s agreement or consent.
• The right to lodge a complaint with the supervisory authority – the President of the Office for Personal Data Protection or another competent supervisory authority.
• The right to withdraw consent for the processing of Personal Data, with the understanding that withdrawal of consent does not affect the legality of processing carried out based on consent before its withdrawal.

Providing Personal Data is necessary for concluding and executing the Agreement with the User and, consequently, for enabling the User to use the Service and enter into Agreements with other Users acting as Patrons and Heroes.

The Personal Data referred to in the first sentence primarily includes the information specified in §5 of the Terms and Conditions. If a User refuses to provide the required Personal Data as specified in section 3 above, the Operator will be unable to enter into an Account Agreement, and as a result, the User will not be able to access the functionalities available to Users with an active Account.

A User may withdraw consent for the processing of Personal Data at any time. The withdrawal of consent should be carried out in the same form in which it was initially given by the User.

If the User wishes to exercise any of the rights specified in section 2 above, they should submit a request via email to [email protected].

10. Data Security

Green Money Sp. z o.o. implements appropriate technical and organizational measures to protect Users' Personal Data from unauthorized access, disclosure, alteration, or deletion.

11. Contact Information

Information regarding the processing of Personal Data, including responses to questions about the scope of the Privacy Policy, is available via the Operator's electronic correspondence address email: [email protected]