Article 1 – General Information

  1. The controller of personal data processed via the Neuroforma and Teleneuroforma platforms, including the website [hereinafter referred to as the “Platform”], is Titanis sp. z o.o. with its registered office in Warszawa, a company with a share capital of PLN 10,500.00, entered in the register of entrepreneurs of the National Court Register maintained by the District Court for the capital city of Warszawa in Warszawa, 13th Commercial Division of the National Court Register under KRS no. 0000429041, NIP [Tax ID No.] 5213634814, REGON [Business Register No.]: 146242218 [hereinafter referred to as the “Controller,” “we,” or “us”].

  2. Personal data collected by the Controller are processed in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR, and in accordance with the Personal Data Protection Act of 10 May 2018 (Polish Journal of Laws of 2018, item 1000).

Article 2 – Type, purpose, and scope of processing

  1. The Controller processes personal data via the Platform in order to:
    1. enable users to avail themselves of the services provided by the Platform, which includes access to the exercise database, user-to-user contact, and the organisation of an environment where one user can provide services to another using our Platform. For this purpose, personal data are processed pursuant to Article 6(1)(b) of the GDPR (in order to conclude and perform a contract to which the Platform user is a party);
    2. analyse and improve the functioning and security of the services provided by the Controller, which includes training and developing artificial intelligence algorithms that make up the Platform. In this case, personal data are processed on grounds of a legitimate interest pursued by the Controller, pursuant to Article 6(1)(f) of the GDPR;
    3. record, store, and send data to another user (to connect to their account and provide services to them). These data include video recordings of exercises performed by the user, as well as data pertaining to the user’s health status contained in the content of communication between you and the entity providing services to you with the help of the Platform. They are collected on the basis of a separate consent granted by the user, i.e. pursuant to Article 6(1)(a) of the GDPR. In this regard, the user providing the services to you is a separate data controller from the moment this user is granted access to your data;
    4. allow the Controller to send marketing information, including newsletters. These data are collected on the basis of a separate consent granted by the user, i.e. pursuant to Article 6(1)(a) of the GDPR.
  2. The services are performed in accordance with the Regulations available at
  3. Disclosure of your data is voluntary. However, if you fail to provide the data, you may be unable to create an account on the Platform and use our services.
  4. You may revoke your consent to provide data at any time electronically, by sending a relevant declaration of intent to [email protected].
  5. The Controller processes the following categories of the user's personal data:
    1. identification details (first name and surname, and – for certain users – information concerning their cooperation with specific healthcare facilities);
    2. contact details (e-mail address);
    3. data related to how they use the Platform (including their image, to the extent in which it is recorded during exercise, and details concerning communication and other interactions with other Platform users, inter alia special categories of data – data concerning health);
    4. additional information, in particular: the IP address assigned to the user's computer or the external IP address of the Internet provider, domain name, browser type, access time, operating system type, navigation data (including information on links and media clicked on or other actions undertaken on the website).
  6. The Controller stores the users’ personal data:
    1. as long as required to perform the contract concluded in accordance with the Regulations, and for the limitation period for claims thereafter – where the basis for processing is the performance of said contract. Save as otherwise provided in specific provisions, the limitation period is six years, and three years for periodic benefit claims and claims relating to the pursuit of economic activities;
    2. as long as the consent is not revoked – where the basis for processing is consent;
    3. as long as the Controller’s legitimate interest persists or as long as the user does not effectively object to processing – where the basis for processing is the Controller’s legitimate interest.
  7. Personal data will also be processed by automated means in the form of profiling. Profiling will result in creating a profile based on an analysis of the person’s data and behaviour, and in predicting their preferences, behaviours and attitudes. These data may then be used to send messages motivating them to perform specific exercises. Special categories of data will not be subject to profiling. Furthermore, please note that your personal data will not be used for automated decision-making which could affect your rights or freedoms.
  8. To a certain extent (where we obtain your explicit consent), we will share your personal data with other users that you choose. This applies in particular to any personal data pertaining to the users’ health status. The entity responsible for your data in such a case (including data on the exercises performed and contents of correspondence) will also be the entity that renders the services to you.

Article 3 – Making personal data available

  1. The users’ personal data are stored exclusively within the European Economic Area (EEA).
  2. In order to provide the services, your data may be transferred to entities that provide us with services necessary for the operation of the Platform, including, in particular, to:
    1. Google Cloud SQL - Google Ireland Limited with its registered office in Dublin, Gordon House, Barrow Street, Dublin 4 (entered in the Companies Registration Office of Ireland under no. 368047);
    2. Google Cloud Storage - Google Ireland Limited with its registered office in Dublin, Gordon House, Barrow Street, Dublin 4 (entered in the Companies Registration Office of Ireland under no. 368047).
  3. A specific user’s data, including their image, may also be transferred to another user of the Platform, with whose account said user’s account is linked. This is solely for the purpose of allowing another Platform user to provide services to said user in accordance with the Regulations.

Article 4 – Rights of data subjects

  1. Data subjects have:
    1. the right of access to their data – Article 15 GDPR,
    2. the right to rectification – Article 16 GDPR,
    3. the right to erasure (‘right to be forgotten’) – Article 17 GDPR,
    4. the right to restriction of processing – Article 18 GDPR,
    5. the right to data portability – Article 20 GDPR,
    6. the right to object – Article 21 GDPR,
    7. the right to withdraw consent – Article 7(3) GDPR – this right applies at any time and shall not affect the lawfulness of processing based on consent before its withdrawal.
  2. You may exercise the rights referred to in Section 2 by sending a relevant declaration of intent to [email protected].
  3. If the user exercises one of the rights specified above, the Controller has to comply with their request or refuse to comply with it immediately, but no later than within one month after its receipt. However, if the Controller is unable to comply with the request within one month due to the request’s complexity or due to the large number of requests received, they have to comply with it within a further two months, and inform the user within the original one-month period of the intended extension of the deadline and of the reasons behind it.
  4. In principle, you may exercise the rights listed here free of charge. However, if your requests are manifestly unsubstantiated or excessive, in particular due to their continuing nature, the Controller may:
    1. charge a reasonable fee, taking into account the administrative costs of providing information, maintaining communication with you or taking the actions requested; or
    2. refuse to act on your request.
  5. If the data subject determines that the processing of their personal data is in breach of the GDPR, they may lodge a complaint with the President of the Personal Data Protection Office.

Article 5 – Cookies policy

  1. The Platform uses cookies and other similar technologies (collectively referred to as “cookies”).
  2. The installation of cookies is necessary for the proper provision of services via the Platform. The cookies contain information necessary for the proper functioning of the Platform’s website and display of its content. They also allow preparing general statistical information pertaining to website visits and performing cookie data analysis.
  3. The Platform uses persistent cookies. They are stored in the user's end device for the time specified in cookie parameters or until deleted by the User.
  4. As we cooperate with third parties, the use of the Platform also requires the use of cookies on the part of the third parties listed in this Privacy Policy. Cookies collected by entities listed in Section 3(2) are used to provide cloud storage services. Entities referred to in Section 3(2) may also use their own cookies to personalise advertisements presented to the users, and they may also do so for statistical purposes.
  5. The Controller uses its own cookies to better understand how the user interacts with page content. These collect information on how the user visits the site, what type of website they are redirected from, as well as when and how many times they visited the website. This information does not account for specific personal data of the user, but serves to produce website usage statistics.
  6. The user may decide whether or not to allow cookies on their computer or other device they use to visit the Platform by pre-selecting relevant options in their browser or device settings. Detailed information on enabling cookies and ways of using cookies can be found in software (Internet browser / operating system) settings.

Article 6 – Security measures applied

  1. The Controller uses technical and organisational measures that are adequate to the risks and categories of data to ensure protection of personal data processed. In particular, the Controller safeguards personal data so that they may not be accessed or obtained by unauthorised persons, be processed in breach of applicable law, or be altered, lost, damaged or destroyed.
  2. The Controller implements adequate technical measures to prevent unauthorised persons from obtaining and altering personal data transferred electronically.
  3. We ensure that the personal data we process are secure and processed in compliance with the regulations, including the GDPR. In this regard, among other things, we apply the following solutions:
    1. we use HTTPS encryption;
    2. we restrict the access to databases that contain personal data listed in this Policy and processed within the Platform to intranet only;
    3. we make independent copies of the data referred to in the preceding paragraph using asynchronous replication;
    4. we use AES-256 encryption to protect data;
    5. we encode data during transfer from and to the IT cloud.
  4. Users can obtain a more detailed description of the solutions used for personal data processing in response to a specific inquiry.

Article 7 – Final provisions

  1. Amendments to this Policy come into effect when they are posted on the Platform.
  2. In matters not governed by this Privacy Policy, the provisions of the GDPR and other relevant provisions of the Polish law apply accordingly.