PRIVACY POLICY – REE – ENGLISH

PRIVACY POLICY OF THE APPLICATION AND THE GDPR

INFORMATION OBLIGATION

REE

TABLE OF CONTENTS:

1. GENERAL PROVISIONS

2. GROUNDS FOR DATA PROCESSING

3. PURPOSE, BASIS, PERIOD AND SCOPE OF DATA PROCESSING IN THE APPLICATION

4. DATA RECIPIENTS IN THE APPLICATION

5. PROFILING IN THE APPLICATION

6. RIGHTS OF DATA SUBJECTS

1) GENERAL PROVISIONS

1. This privacy policy of the Mobile Application is for information
purposes only, which means that it is not

a source of obligations for the Mobile Application Users. The privacy
policy contains primarily rules for

the processing of personal data by the Controller in the Application,
including the grounds, purposes

and scope of personal data processing and the rights of data subjects, as
well as information regarding

the use of cookies and analytical tools in the Application.

2. The Controller of personal data collected via the Application as a
result of the provision of Electronic

Services is the company FASHIONTRADES APS entered into the
Danish National Business Register, ERHVERVSSTYRELSEN, Dahlerups Pakhus
Langelinie Alle 17 2100 København Ø, location: Bredgade 23A, 2. th, 1260
København K, File number X19-DD-40-US , share capital: DKK 40,000.00,
e-mail address:

support@reefashion.app hereinafter referred

to as the “Controller”, which is at the same time the Mobile Application
Service Provider.

3. Personal data in the Application are processed by the Controller in
accordance with the applicable law,

in particular pursuant to Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27

April 2016 on the protection of individuals with regard to the processing
of personal data and on the

free movement of such data and the repeal of Directive 95/46/EC (general
regulation on data

protection) – hereinafter referred to as “GDPR” or the “GDPR Regulation”.
The official text of the GDPR

Regulation:
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

4. Using the Mobile Application is voluntary. Similarly, the provision of
personal data by the User using the

Mobile Application is voluntary, subject to two exceptions: (1) entering
into agreements with the

Controller – not providing the data, in cases and to the extent indicated
in the Mobile Application and

in the Regulations of the Mobile Application and this privacy policy,
necessary to conclude and execute

the agreement for the provision of Electronic Services with the Controller,
results in the inability to

conclude this agreement. Providing personal data is in this case a
contractual requirement and if the

data subject wants to conclude a given agreement with the Controller, they
are obliged to provide the

required data. Each time, the scope of data required to conclude the
agreement is previously indicated

on the Mobile Application website and in the Regulations of the Mobile
Application; (2) statutory duties

of the Controller – providing personal data is a statutory requirement
resulting from the generally

applicable legal provisions imposing the obligation to process personal
data on the Controller (e.g. data

processing for the purpose of keeping tax or accounting books) and failure
to provide them will prevent

the Controller from performing these duties.

5. The Controller takes special care to protect the interest of persons
whose personal data they process,

and in particular is responsible and ensures that the data collected by
them is: (1) processed in

accordance with the law; (2) collected for specified, legitimate purposes
and is not subject to further

processing incompatible with those purposes; (3) factually correct and
adequate in relation to the

purposes for which it is processed; (4) stored in a form that permits the
identification of persons whom

the data concerns, for not longer than it is necessary to achieve the
purpose of processing; and (5)

processed in a manner that ensures adequate security of personal data,
including protection against

unauthorized or unlawful processing and accidental loss, destruction or
damage, using appropriate

technical or organizational measures.

6. Taking into account the nature, scope, context and purposes of the
processing as well as the risk of

violating the rights or freedoms of natural persons with different
likelihood and seriousness of risk, the

Controller uses appropriate technical and organizational measures for
processing in accordance with

this Regulation and is able to prove it. These measures shall be reviewed
and updated where necessary.

The Controller uses technical measures to prevent the acquisition and
modification of personal data

sent electronically by unauthorized persons.

7. All words, expressions and acronyms appearing in this privacy policy and
starting with a capital letter

(e.g. Service Provider, Website, Electronic Service) should be understood
in accordance with their

definition contained in the Regulations of the Mobile Application available
on the Mobile Application

website.

2) GROUNDS FOR DATA PROCESSING

1. The Controller is authorized to process personal data in cases where –
and to the extent to which – at

least one of the following conditions is met: (1) the data subject has
consented to the processing of their

personal data in one or more specific purposes; (2) processing is necessary
for the performance of an

agreement to which the data subject is party or for taking action at the
request of the data subject prior

to the conclusion of the agreement; (3) processing is necessary to fulfill
the legal obligation of the

Controller; or (4) processing is necessary for purposes arising from
legitimate interests pursued by the

Controller or by a third party, except when the interests or fundamental
rights and freedoms of the data

subject, requiring the protection of personal data, prevail over those
interests, in particular when the

data subject is a child.

2. Processing of personal data by the Controller requires each time at
least one of the grounds indicated

in point 2.1 of the privacy policy. The specific grounds for processing
personal data of the Mobile

Application Users by the Controller are indicated in the next section of
the privacy policy – in relation to

a specific purpose of personal data processing by the Controller.


3) PURPOSE, GROUNDS, PERIOD AND SCOPE OF DATA PROCESSING IN THE

APPLICATION

1. Each time, the purpose, grounds, period, scope and recipients of
personal data processed by the

Controller results from actions taken by a particular User in the
Application.

2. The Controller may process personal data in the Application for the
following purposes, on the following

grounds, in the following period and scope:

The purpose of data


processing Legal grounds for data processing The period of data storage

Execution of the

Agreement for the

provision of Electronic

Services or taking

action at the request of

the data subject prior

to concluding the

abovementioned

agreements

Article 6 paragraph 1b) of the GDPR

Regulation (execution of the agreement)

– processing is necessary for the

execution of the agreement to which the

data subject is a party, or for taking

actions at the request of the data subject,

before concluding the agreement

Data is stored for the time necessary

for execution, termination or

expiration of the concluded

Agreement for the provision of

Electronic Services.

Direct marketing Article 6 paragraph 1f) of the GDPR

Regulation (legitimate interest of the

Controller) – processing is necessary for

the purposes resulting from the

legitimate interests of the Controller –

consisting in caring for the interests and

good image of the Controller, Website

and the quest to provide Electronic

Services

The data is stored for the duration of

the legitimate interest pursued by

the Controller, but not longer than

during the period of limitation of the

Controller’s claims in relation to the

data subject, on account of business

activity conducted by the Controller.

The limitation period is defined by

the law, in particular the Civil Code

(the basic period of limitation for

claims related to conducting business

is three years).

The Controller cannot process data

for direct marketing purposes in case

the data subject clearly and

effectively opposes to it.

Marketing Article 6 paragraph 1a) of the GDPR

Regulation (consent) – the data subject

has consented to the processing of their

personal data for the marketing purposes

by the Controller

The data is stored until the data

subject withdraws the consent for

further processing of their data for

this purpose.

Expressing the opinion

by the Customer

Article 6 paragraph 1a) of the GDPR

Regulation – the data subject has

consented to the processing of their

personal data in order to express an

opinion

The data is stored until the data

subject withdraws their consent for

further processing of their data for

this purpose.

Book-keeping Article 6 paragraph 1c) of the GDPR

Regulation in connection with the art. 74

par. 2 of the Accounting Act dated 30

January 2018 (Journal of Laws of 2018,

item 395) – the processing is necessary to

fulfill the legal obligation of the Controller

The data is stored for the period

required by law, obligating the

Controller to store accounting books

(5 years, counting from the beginning

of the year following the financial

year to which the data relate).

Establishment, redress

or defense of claims

that may be filed by the

Controller or that may

be filed against the

Controller

Article 6 paragraph 1f) of the GDPR

Regulation (legitimate interest of the

Controller) – processing is necessary for

purposes arising from the legitimate

interests of the Controller – that consist

in establishment, redress or defense of

The data is stored for the duration of

the legitimate interest pursued by

the Controller, but not longer than

for the period of limitation of claims

which may be filed by the Controller

15

claims which may be filed by the

Controller or which may be filed against

the Controller

(the basic limitation period for claims

against the Controller is six years).

The use of the Website

and ensuring its proper

operation

Article 6 paragraph 1f) of the GDPR

Regulation (legitimate interest of the

Controller) – processing is necessary for

the purposes arising from the legitimate

interests of the Controller, which consist

in running and maintaining the

Application

The data is stored for the duration of

the legitimate interest pursued by

the Controller, but not longer than

for the period of limitation of the

Controller’s claims in relation to the

data subject, on account of business

activity conducted by the Controller.

The limitation period is defined by

the law, in particular the Civil Code

(the basic period of limitation for

claims related to conducting business

activity is three years).

Keeping statistics and

analysis of traffic in the

Application

Article 6 paragraph 1f) of the GDPR

Regulation (legitimate interest of the

Controller) – processing is necessary for

the purposes arising from the legitimate

interests of the Controller, which consist

in keeping statistics and analyzing traffic

in the Application in order to improve the

functioning and extending the reach of

the provided Electronic Services

The data is stored for the duration of

the legitimate interest pursued by

the Controller, but not longer than

for the period of limitation of the

Controller’s claims in relation to the

data subject, on account of the

business activity conducted by the

Controller. The limitation period is

defined by the law, in particular the

Civil Code (the basic period of

limitation for claims related to

conducting the business activity is

three years).

4) DATA RECIPIENTS IN THE APPLICATION

1. For the proper functioning of the Mobile Application, including for the
execution of the concluded Sale

Agreements, the Controller must use the services of external entities (such
as, for example, software

supplier, payment service provider). The Controller uses only the services
of such processors who provide

sufficient guarantees of implementing appropriate technical and
organizational measures, so that the

processing meets the requirements of the GDPR Regulation and protects the
rights of the data subjects.

2. The transfer of data by the Controller does not occur in each case and
not to all recipients or categories of

recipients indicated in the privacy policy – the Controller provides data
only when it is necessary to perform

a given purpose of personal data processing and only to the extent
necessary to achieve it.

3. Personal data may be transferred by the Controller to a third country,
whereby the Controller assures that

the data will be transferred only to the country providing an adequate
level of protection – compliant with

the GDPR Regulation, and the data subject has the opportunity to obtain
copies of their data. The Controller

transfers collected personal data only in the case and to the extent
necessary to achieve a given purpose of

data processing in accordance with this privacy policy.

4. Personal data of the Mobile Application Users and Users may be
transferred to the following recipients or

categories of recipients:

a. entities handling electronic payments or payment cards – in the case of
a Customer who uses the

electronic payment method or payment card in the Application, the
Controller provides the

Customer’s personal data to a selected entity handling the above payments
in the Application on

behalf of the Controller to the extent necessary to handle payments made by
the Customer,

b. service providers supplying the Controller with technical, IT and
organizational solutions enabling the

Controller to conduct business activities, including the Mobile Application
and Electronic Services

provided through it (in particular, the software provider for running the
Mobile Application, e-mail

and hosting provider and software provider) to manage the company and
provide technical support

to the Controller) – the Controller provides the collected personal data of
the Customer to a selected

supplier acting on their behalf only in the case and to the extent
necessary to achieve a given purpose

of data processing in accordance with this privacy policy.

c. providers of accounting, legal and advisory services providing the
Controller with accounting, legal or

advisory support (in particular accounting offices, law firms or debt
collection companies) – the

Controller provides the collected personal data of the Customer to a
selected supplier acting on their

behalf only in the case and to the extent necessary achieve a given purpose
of data processing in

accordance with this privacy policy.

5) PROFILING IN THE APPLICATION

1. The GDPR Regulation imposes on the Controller an obligation to inform
about automated decision making,

including profiling, referred to in art. 22 par. 1 and 4 of the GDPR
Regulation, and – at least

in these cases – relevant information about the rules for making decisions,
as well as the significance

and envisaged consequences of such processing for the data subject. With
this in mind, the

Controller provides information on possible profiling in this section of
the privacy policy.

2. The Controller may use profiling in the Application for direct marketing
purposes, but the decisions

made on its basis by the Controller do not relate to the conclusion or
refusal to conclude the Sales

Agreement or the possibility of using the Electronic Services in the
Application. The result of the use

of profiling in the Application may be e.g. a reminder about unfinished
activities in the Application,

sending a service proposal that may correspond to the person’s interests or
preferences. Despite

profiling, a given person makes a free decision whether they want to make
use of better conditions

in the Application.

3. Profiling in the Application consists in automatic analyzing or
forecasting the behavior of a given

person on the website of the Mobile Application, e.g. through the analysis
of previous actions taken

in the Application. The prerequisite for such profiling is the Controller’s
possession of personal data

of a given person in order to be able to send them, e.g. a discount code.

4. The data subject has the right not to be subject to a decision which is
based solely on automated

processing, including profiling, and produces legal effects in relation to
this person or similarly affects

this person.

6) THE RIGHTS OF DATA SUBJECTS

1.

Right of access, rectification, restriction, deletion or transfer

– the data subject has the right to

request the Controller to provide them with the access to their personal
data, rectify, delete them

(“the right to be forgotten”) or limit their processing and has the right
to object to processing and

the right to transfer their data. Detailed conditions for the exercise of
the abovementioned rights

are indicated in art. 15-21 of the GDPR Regulation.

2. The right to withdraw consent at any time – a person
whose data is processed by the Controller on

the basis of their consent (pursuant to Article 6 paragraph 1a) or art. 9
par. 2a) of the GDPR

Regulation) has the right to withdraw consent at any time without effect on
the lawfulness of the

processing, which was made on the basis of the consent before its
withdrawal.

3. The right to lodge a complaint to the supervisory body
– a person whose data is processed by the

Controller has the right to lodge a complaint to the supervisory body in
the manner and mode

specified in the provisions of the GDPR Regulation and Polish law, in
particular the Act on the

Protection of Personal Data. The supervisory body in Poland is the
President of the Office for

Personal Data Protection.

4. Right to object – the data subject has the right to
object at any time – for reasons related to their

special situation – to the processing of their personal data based on art.
6 par. 1e) (task in public

interest) or f) (legitimate interest of the Controller), including
profiling, on the basis of these

provisions. In such a case, the Controller may no longer process such
personal data unless the

Controller proves that there are valid legal grounds for processing that
override the interests, rights

and freedoms of the data subject or the grounds for establishment, redress
or defense of claims.

5. Right to object related to direct marketing – if
personal data are processed for direct marketing

purposes, the data subject has the right to object to the processing of
their personal data for such

marketing purposes at any time, including profiling, to the extent that the
processing is related to

such direct marketing.

6. In order to exercise the rights referred to in this section of the
privacy policy, you can contact the

Controller by sending a relevant message in writing or by e-mail to the
Controller’s address indicated

in the beginning of the privacy policy or by using the contact form
available on the website of the

Mobile Application.

This website uses cookies to ensure you get the best experience on our website. Learn More