In fulfillment of our obligation under generally applicable laws in the field of personal data protection, including in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("RODO") and the Act of May 10, 2018 on personal data protection, we inform you of the following:

1. personal data controller

1) The administrator of the personal data is TUTLO sp. z o.o., Nowogrodzka 42, premises 501, 00-695 Warsaw, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw, XII Economic Division of the National Court Register under KRS number: 0001021377, NIP: 7011130879, REGON: 524550960, rodo@tutlo.pl, tel. 22 247 20 45.

2) The Administrator will appoint a Data Protection Supervisor (Supervisor), who can be contacted on all matters related to the processing of personal data.The Inspector can be contacted at the following e-mail address: iod@tutlo.pl.

2. purposes and grounds for processing personal data

The Administrator processes personal data for the following purposes:

A. Users of www.tutlo.pl and www.tutlo.com

1) Providing access to www.tutlo.pl and www.tutlo.com - the legal basis for data processing is Article 6(1)(b) of the RODO, i.e. the data processing is necessary for the performance of the contract for access to the service or taking children before its conclusion.

2) Conducting direct marketing of the Administrator's products and services - the legal basis for data processing is Article 6(1)(f) RODO, i.e. data processing is necessary for the purpose of realization of the Administrator's legitimate interest, where this interest consists in selling the offered services.

3) Responding to inquiries, correspondence and complaints addressed to the Administrator - the legal basis for data processing is Article 6(1)(f) RODO, i.e. the processing of data is necessary for the fulfillment of the Administrator's legitimate interest, where this interest consists in providing high quality services including through customer care, or the legal basis for data processing is Art. 6(1)(c) RODO - processing of personal data is necessary for the performance of the Administrator's legal duties, where this duty consists in responding to complaints.

4) Conducting activities and surveys aimed at assessing satisfaction in connection with the agreement concluded with the Administrator and controlling the quality of the services provided - the legal basis is Article 6(1)(f) RODO, i.e. the processing of personal data is necessary for the purpose of realizing the Administrator's legitimate interest, where this interest consists in assessing customer satisfaction and controlling the quality of the services provided.

5) Pursuing or defending against claims of others - the legal basis for data processing is Article 6(1)(f) of the RODO, i.e. the processing of personal data is necessary for the realization of the legitimate interest of the Administrator, as the realization of one's rights in the event of a possible dispute is a legitimate interest of the Administrator.

B. Suppliers and supplier representatives:

1) Performance of a contract or taking action at the data subject's request prior to entering into a contract - 1) if the data subject is a party to the contract, the legal basis for processing will be Article 6(1)(b) of the RODO, i.e. the processing of personal data is not necessary for the performance of the contract; 2) if the data subject is not a party to the contract (but, for example, the data subject's employer), the legal basis for processing will be Article 6(1)(f) of the RODO, because entering into such a contract is a legitimate interest of the Administrator, which consists in the necessity to enter into such a contract. his or her employer), the legal basis for processing will be Article 6(1)(f) of the RODO, because the conclusion of such a contract is a legitimate interest of the Administrator, which consists in the necessity to conclude a contract with a third party.

2) Pursuing or defending against claims of others - the legal basis for data processing is Article 6(1)(f) of the RODO, i.e. the processing of personal data is necessary for the realization of the legitimate interest of the Administrator, as the realization of one's rights in the event of a possible dispute is a legitimate interest of the Administrator.

‍

3.. Data Source

1) Personal data comes directly from the data subject.

2) Personal data may have been provided by third parties, but only if there is a legal basis for such provision.

3) The administrator may also process personal data from public sources.

4 Data recipients

1) The Administrator may share personal data with its subcontractors (entities it uses for processing) such as:

• IT ustug providers;
• accounting service providers;
• marketing service providers.

2) The Administrator does not transfer personal data outside the European Economic Area, with the exception of sharing data with the Administrator's subcontractors (entities that process data on the Administrator's behalf) who provide the Administrator with IT services. The Administrator uses only entities belonging to the EU-U.S. Privacy Shield program, which ensure compliance of their activities with RODO.

3) In case of contacting the lecturers cooperating with the Administrator, your data such as name and surname may be transferred to the lecturers. Some of the lecturers reside in countries that are not members of the European Union. Some of these countries are countries for which the European Commission has not issued a decision declaring an adequate level of protection. In this case the Administrator shall provide appropriate safeguards for personal data. These are, in particular, the standard data protection clauses adopted by the European Commission (Article 46(2)(c) RODO), which the Administrator concludes with the readers.

4) The Administrator may make your personal data available to independent entities (other administrators processing them on their own behalf) such as:

• administrative bodies - to the extent that this is required by law;
• contractors and customers - only to the extent that it will be necessary for the performance of contracts concluded by the Administrator.

5) The Administrator is entitled to provide personal data also to other entities, if such an obligation arises from the law.

5. data storage time

Data obtained for the purpose:

1) Provide access to www.tutlo.pl and www.tutlo.com - the Administrator stores data for no longer than 2 years;

2) promotion of the Administrator's activities - the Administrator stores data until the withdrawal of consent, but no longer than 2 years; responding to inquiries, correspondence and complaints - the Administrator stores data for the period of presenting claims, or if there are no claims for a period of 2 years;

3) conducting surveys aimed at assessing customer satisfaction - the Administrator keeps the data for no less than 2 years;

4) asserting or defending against claims of others - the Administrator keeps the data for the period of limitation of claims;

5) performance of the contract - the Administrator keeps the data for the duration of the contract and for 5 years after its termination.

6. rights of data subjects

1) You have the following rights regarding the processing of personal data: a) the right to access personal data and the right to receive a copy thereof; b) the right to rectification of personal data; c) the right to erasure of personal data; d) the right to ask for restriction of processing of personal data; e) the right to data portability; f) the right to object to the processing of personal data; g) the right to lodge a complaint to the supervisory authority.

2) Where the processing of data is based on consent, you also have the right to withdraw consent to the processing of personal data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

3) In order to exercise the above rights, you may contact the Administrator.

7 Automated decision-making

1) The Administrator does not make automated decisions based on data.

8. information about the voluntariness or necessity of providing data

Provision of personal data is necessary for the performance of the contract between you and the Administrator and the Administrator's performance of its obligations under the law.

In fulfillment of the obligation arising from generally applicable legal provisions regarding the protection of personal data, including in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR") and the Act of May 10, 2018 on the Protection of Personal Data, we hereby inform you of the following: 

1. Personal Data Controller 

1. The Personal Data Controller is TUTLO sp. z o.o., ul. Nowogrodzka 42 lok. 501, 00-695 Warsaw, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, under KRS number: 0001021377, NIP (Tax 

ID): 7011130879, REGON (Statistical ID): 524550960, email: rodo@tutlo.pl, tel. 22 247 20 45. 

2. The Controller has appointed a Data Protection Officer (DPO), who can be contacted regarding all matters related to the processing of personal data. Contact with the DPO is possible via the email address: iod@tutlo.pl. 

2. Purposes and Legal Bases for Personal Data Processing The Controller processes personal data for the following purposes: 

A. Persons using the www.tutlo.pl and www.tutlo.com services 

1. Provision of access to the www.tutlo.pl and www.tutlo.com services – the legal basis for processing constitutes Art. 6(1)(b) of the GDPR, i.e., processing is necessary for the performance of a contract for access to the service or to take steps prior to entering into a contract. 

2. Direct marketing of the Controller's products and services – the legal basis for processing is Art. 6(1)(f) of the GDPR, i.e., processing is necessary for the purposes of the legitimate interests pursued by the Controller, consisting of the sale of offered services. 

3. Responding to inquiries, correspondence, and complaints directed to the Controller – the legal basis for processing constitutes Art. 6(1)(f) of the GDPR, i.e., processing is necessary for the purposes of the legitimate interests pursued by the Controller, consisting of providing high-quality services, including customer service; or the legal basis constitutes Art. 6(1)(c) of the GDPR – processing is necessary for compliance with a legal obligation to which the Controller is subject, consisting of responding to complaints. 

4. Conducting activities and surveys aimed at assessing satisfaction regarding the contract concluded with the Controller and controlling the quality of services provided – the legal basis constitutes Art. 6(1)(f) of the GDPR, i.e., processing is necessary for the purposes of the legitimate interests pursued by the

Controller, consisting of assessing customer satisfaction and controlling the quality of services provided. 

5. Asserting claims or defense against claims by other entities – the legal basis for processing constitutes Art. 6(1)(f) of the GDPR, i.e., processing is necessary for the purposes of the legitimate interests pursued by the Controller, as the exercise of rights in the event of a potential dispute is a legitimate interest of the Controller. 

B. Suppliers and representatives of suppliers: 

1. Performance of a contract or taking steps at the request of the data subject prior to entering into a contract – 1) if the party to the contract is the data subject, the legal basis for processing constitutes Art. 6(1)(b) of the GDPR (processing is necessary for the performance of a contract); 2) if the party to the contract is not the data subject (but e.g., their employer), the legal basis for processing constitutes Art. 6(1)(f) of the GDPR, as the conclusion of such a contract constitutes a legitimate interest of the Controller, consisting of the necessity to conclude a contract with a third party. 

2. Asserting claims or defense against claims by other entities – the legal basis for processing constitutes Art. 6(1)(f) of the GDPR, i.e., processing is necessary for the purposes of the legitimate interests pursued by the Controller, as the exercise of rights in the event of a potential dispute is a legitimate interest of the Controller. 

3. Source of Data 

1. Personal data originates directly from the data subject. 

2. Personal data may have been disclosed by third parties, but only in cases where there was a legal basis for such disclosure. 

3. The Controller may also process personal data originating from public sources. 4. Data Recipients 

1. The Controller may disclose personal data to its subcontractors (entities whose services it utilizes during processing), such as: 

○ IT service providers; 

○ entities providing accounting services; 

○ entities providing marketing services. 

2. The Controller does not transfer personal data outside the European Economic Area, with the exception of disclosing data to the Controller's subcontractors (entities processing data on its behalf) who provide IT services to the Controller. The Controller utilizes solely entities belonging to the EU-U.S. Privacy Shield program, which ensure compliance of their operations with the GDPR. 

3. In the event of contact with lecturers cooperating with the Controller, your data, such as first and last name, may be transferred to the lecturers. Some lecturers reside in countries that are not Member States of the European Union. Some of these countries are countries for which the European Commission has not issued a decision regarding an adequate level of protection. In such cases, the Controller ensures appropriate safeguards for personal data. These are, in particular, standard

data protection clauses adopted by the European Commission (Art. 46(2)(c) of the GDPR), which the Controller concludes with the lecturers. 

4. The Controller may disclose your personal data to independent entities (other controllers processing it on their own behalf), such as: 

○ administrative authorities – to the extent required by law; 

○ contractors and clients – solely to the extent necessary for the performance of contracts concluded by the Controller. 

5. The Controller is entitled to disclose personal data to other entities as well, if such an obligation arises from legal provisions. 

5. Data Storage Period 

Data obtained for the purpose of: 

1. Ensuring access to the www.tutlo.pl and www.tutlo.com services – the Controller stores data for no longer than 2 years; 

2. Promotion of the Controller's activities – the Controller stores data until consent is withdrawn, but no longer than 2 years; 

3. Responding to inquiries, correspondence, and complaints – the Controller stores data for the limitation period of claims or, if no claims occur, for a period of 2 years; 

4. Conducting surveys aimed at assessing customer satisfaction – the Controller stores data for no longer than 2 years; 

5. Asserting claims or defense against claims by other entities – the Controller stores data for the limitation period of claims; 

6. Performance of a contract – the Controller stores data for the duration of the contract and for a period of 5 years following its termination. 

6. Rights of Data Subjects 

1. You have the following rights regarding the processing of personal data: a) the right of access to personal data and the right to receive a copy thereof; b) the right to rectification of personal data; c) the right to erasure of personal data; d) the right to request restriction of processing of personal data; e) the right to personal data portability; f) the right to object to the processing of personal data; g) the right to lodge a complaint with a supervisory authority. 

2. If processing is based on consent, you also have the right to withdraw consent to the processing of personal data at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. 3. To exercise the above rights, you may contact the Controller. 

7. Automated Decision-Making 

1. The Controller does not make automated decisions based on the data. 8. Information on Voluntary or Mandatory Data Provision

Providing personal data is necessary for the performance of the contract connecting you with the Controller and for the Controller's fulfillment of obligations arising from legal regulations.

‍