Privacy Policy
PRIVACY POLICY
POWERUP! LIMITED LIABILITY COMPANY
Legal status: August 2025, compliant with the GDPR, the Polish Personal Data Protection Act, and other provisions of national and EU law
1. General Information
1.1. This Privacy Policy defines the principles of processing and protecting personal data of users of the “PowerUp!” mobile application (hereinafter: the “Application”) and power bank rental stations managed by POWERUP! Limited Liability Company with its registered office in Warsaw, ul. Elektoralna 13/121, 00-137 Warsaw, entered into the Register of Entrepreneurs of the National Court Register under KRS No. 0001139773, NIP 5253025464, REGON 540242699 (hereinafter: the “Controller,” “Company,” or “we”).
1.2. The Controller processes personal data in accordance with:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”),
The Polish Act of 10 May 2018 on the Protection of Personal Data,
The Constitution of the Republic of Poland, in particular: Art. 2 (rule of a democratic state governed by the rule of law), Art. 30 (protection of dignity), Art. 31(3) (restrictions of freedoms), Art. 32 (equality and non-discrimination), Art. 45 (right to a court), Art. 47 (protection of private life), Art. 72 (protection of children’s rights),
The Polish Code of Administrative Procedure (KPA), including: Art. 7 (principle of building trust), Art. 8 (principle of informing), Art. 9 (duty of explanation), Arts. 77 and 80 (duty to fully establish the facts), Art. 107 (requirements for administrative decisions),
The Polish Act of 12 December 2013 on Foreigners, in particular Arts. 100, 108, 139, 206, where applicable,
The European Convention on Human Rights (ECHR), in particular: Art. 6 (right to a fair trial), Art. 8 (right to respect for private and family life), Art. 13 (right to an effective remedy),
The Charter of Fundamental Rights of the European Union (CFR), in particular: Art. 7 (respect for private life), Art. 21 (non-discrimination), Art. 41 (right to good administration), Art. 47 (right to an effective remedy),
The Treaty on the Functioning of the European Union (TFEU), in particular: Art. 18 (non-discrimination), Art. 21 (freedom of movement), Art. 45 (free movement of workers).
1.3. The purpose of this Policy is to ensure full transparency regarding the processing of personal data, in accordance with the principles of lawfulness, fairness, and transparency (Art. 5(1)(a) GDPR), and to guarantee users the full scope of rights under the law. Use of the Application or rental stations constitutes acceptance of this Policy.
2. Scope of Processed Personal Data
2.1. The Controller may process the following categories of personal data:
Identification and contact details: first name, last name, email address, phone number, user login.
User account data: account ID, password (stored in encrypted form).
Geolocation data: approximate or precise location (continuous or one-time, only with the user’s explicit consent).
Device data: device model, operating system, IP address, advertising identifiers (e.g., Google Advertiser ID, IDFA), application version, browser information.
Transaction data: payment information (e.g., payment method, transaction number), rental and return history of power banks, date/time and location of rental/return.
Camera data: access to the device’s camera solely for scanning QR codes (no image is stored or recorded).
Activity data: system logs, login dates, in-app interaction history, service usage details.
Communication data: information from contact forms, correspondence with customer service, feedback, complaints, claims.
Special category data (in exceptional cases, e.g., complaint handling): processed only with the user’s explicit consent (Art. 9(2)(a) GDPR).
2.2. Most data is provided voluntarily by the user (e.g., during registration or in contact forms). Some data is collected automatically (e.g., device data, system logs, geolocation data with consent).
2.3. The Controller ensures that data collected is adequate, relevant, and limited to what is necessary for the purposes for which it is processed (data minimization principle, Art. 5(1)(c) GDPR).
3. Purpose and Legal Basis for Processing
3.1. Personal data is processed for the following purposes and on the following legal bases:
a) Service provision and contract performance: account registration, power bank rental, payment processing, locating rental stations – legal basis: performance of a contract or steps taken before entering into a contract at the request of the data subject (Art. 6(1)(b) GDPR).
b) Compliance with legal obligations: e.g., maintaining accounting records, tax reporting, anti-money laundering – legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
c) Customer support: complaint handling, responding to inquiries – legal basis: performance of a contract or legitimate interest of the Controller (Art. 6(1)(b) and (f) GDPR).
d) Service security: fraud detection, abuse prevention, protection of the Application’s integrity – legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR).
e) Marketing activities: sending newsletters, promotional notifications, analyzing user behavior – legal basis: explicit consent (Art. 6(1)(a) GDPR).
f) Analytics and service improvement: usage statistics, functionality optimization – legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR).
3.2. The Controller follows the principles of proportionality and necessity (Art. 5(1)(b) and (c) GDPR). In case of a change of purpose, the user will be informed in advance and, if necessary, asked for renewed consent (Art. 13(3) GDPR).
3.3. In accordance with the principle of citizens’ trust in public authorities (Art. 8 KPA) and the principle of good administration (Art. 41 CFR), the Controller ensures fair and transparent data processing with respect for the rights and freedoms of users.
4. Data Retention Period
4.1. Personal data is stored for the period necessary to achieve the purposes for which it was collected:
Account and transaction data: for the duration of the contract and up to 24 months after the last login or termination of service, subject to longer periods required by law or for defense against claims.
Accounting and payment data: 5 years from the end of the tax year, in accordance with tax regulations (e.g., the Accounting Act).
Data processed on the basis of consent: until the consent is withdrawn.
Security and dispute resolution data: until the statute of limitations expires (generally 3–10 years, according to the Civil Code or other laws).
4.2. After the retention period, data is permanently deleted or anonymized, in line with the storage limitation principle (Art. 5(1)(e) GDPR).
4.3. In the case of foreign nationals, the Controller complies with the Polish Act on Foreigners (e.g., Arts. 100, 108, 139, 206), ensuring appropriate data retention periods as required by law.
5. Data Recipients and Transfers Outside the EEA
5.1. Personal data may be transferred to the following recipients, in full compliance with the GDPR:
IT service providers: hosting, cloud services, or technical support providers (servers located in the European Economic Area – EEA).
Payment operators: e.g., Stripe, PayPal, PayU, ensuring GDPR compliance and payment data security standards.
Analytics and marketing service providers: e.g., Google Analytics, Firebase, only within legally permitted limits and with user consent.
Public authorities: e.g., courts, tax offices, police, in response to lawful requests (Art. 6(1)(c) GDPR).
5.2. Data transfers outside the EEA (e.g., to the USA) occur only with adequate safeguards, such as standard contractual clauses approved by the European Commission (Art. 46 GDPR) or other mechanisms ensuring an adequate level of protection.
5.3. The Controller ensures that transfers respect the right to privacy (Art. 8 ECHR, Art. 7 CFR) and the prohibition of discrimination (Art. 32 Constitution of Poland, Art. 21 CFR, Art. 18 TFEU).
6. Users’ Rights
6.1. Under the GDPR, the Constitution of Poland (Arts. 47, 72), the ECHR (Arts. 6, 8, 13), and the CFR (Arts. 7, 21, 41, 47), the user has the following rights:
Right of access (Art. 15 GDPR): to obtain information about the data being processed and a copy thereof.
Right to rectification (Art. 16 GDPR): to correct inaccurate or outdated data.
Right to erasure (“right to be forgotten”) (Art. 17 GDPR): to delete data in cases provided by law.
Right to restriction of processing (Art. 18 GDPR): to limit data processing in specific situations.
Right to data portability (Art. 20 GDPR): to receive data in a structured, commonly used format or transfer it to another controller.
Right to object (Art. 21 GDPR): to object to data processing, e.g., for marketing purposes, without the need to justify in the case of direct marketing.
Right to withdraw consent (Art. 7(3) GDPR): to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
Right to lodge a complaint (Art. 77 GDPR): to the President of the Personal Data Protection Office (UODO, ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl).
6.2. Requests to exercise rights can be submitted by email to: [email protected]. Requests are processed free of charge within 1 month, extendable to 2 months in complex cases (Art. 12(3) GDPR).
6.3. The Controller ensures fair handling of requests, in accordance with the principle of good administration (Art. 41 CFR, Arts. 7, 8, 9 KPA) and the right to an effective remedy (Art. 13 ECHR, Art. 47 CFR).
7. Cookies and Tracking Technologies
7.1. The Application and the PowerUp! website use cookies, tracking pixels, and other technologies for:
Ensuring proper service functionality (necessary cookies).
Content personalization and traffic analysis (analytical cookies, e.g., Google Analytics, Firebase).
Marketing (marketing cookies, e.g., promotional notifications), with explicit user consent.
7.2. Types of cookies:
Session cookies: temporary, deleted after the session ends.
Persistent cookies: stored for a longer period, e.g., to remember user preferences.
First-party and third-party cookies: used by the Controller or partners (e.g., Google, Firebase).
7.3. Users can manage cookie settings in their browser or device. Refusing optional cookies may limit some functionality. Details are available in a separate cookies policy in the Application.
7.4. The Controller ensures that cookies are used in accordance with the principle of transparency (Art. 5(1)(a) GDPR) and the right to privacy (Art. 47 Constitution of Poland, Art. 8 ECHR).
8. Data Security
8.1. The Controller applies advanced technical and organizational measures to protect personal data, including:
Data transmission encryption (SSL/TLS protocol).
Two-factor authentication (2FA) for user accounts.
Access control to data processing systems.
Regular security audits and penetration tests.
Protection against unauthorized access, data loss, or breaches.
8.2. These measures comply with the principle of data integrity and confidentiality (Art. 5(1)(f) GDPR) and ensure privacy protection (Art. 47 Constitution of Poland, Art. 8 ECHR, Art. 7 CFR).
9. Mobile Application Permissions
9.1. The PowerUp! Application may request access to certain device features, only with the user’s explicit consent. Refusal of certain permissions may limit service functionality. Permissions can be revoked in device settings.
9.2. Types of permissions:
a) Location (approximate or precise, continuous or one-time):
Purpose: to locate the nearest power bank rental stations.
Continuous mode: active only while using the station search feature.
One-time mode: location retrieved only on user request.
Location data is not stored longer than necessary for the service.
b) Camera:
Purpose: to scan QR codes for renting or returning a power bank.
Camera images are not stored, recorded, or saved.
c) Push notifications:
Purpose: to send reminders about ongoing rentals, promotions, or policy changes.
Can be disabled in device settings.
d) Device storage:
Purpose: temporary storage of technical data necessary for the Application’s operation (if required by the OS).
e) Internet access and device identifiers:
Purpose: data synchronization, service personalization, security.
9.3. The Controller ensures that requested permissions comply with the data minimization principle (Art. 5(1)(c) GDPR) and the right to privacy (Art. 47 Constitution of Poland, Art. 8 ECHR).
10. Changes to the Privacy Policy
10.1. The Controller reserves the right to update the Privacy Policy to reflect changes in law, data processing practices, or for other legitimate reasons.
10.2. Users will be notified of significant changes via the Application, email, or push notifications, with adequate notice (Art. 13(3) GDPR).
10.3. Users are encouraged to regularly review the Policy on the website or in the Application.
11. Final Provisions
12.1. This Policy is consistent with the principles of a democratic state governed by the rule of law (Art. 2 Constitution of Poland), the principle of trust in public authorities (Art. 8 KPA), the right to good administration (Art. 41 CFR), and the right to an effective remedy (Art. 47 CFR, Art. 13 ECHR).
12.2. The Controller ensures that personal data processing does not violate the principles of equality and non-discrimination (Art. 32 Constitution of Poland, Art. 21 CFR, Art. 18 TFEU).
12.3. In the case of foreign nationals using PowerUp! services, the Controller complies with the Polish Act on Foreigners (e.g., Arts. 100, 108, 139, 206) and the principles of freedom of movement (Art. 21 TFEU) and free movement of workers (Art. 45 TFEU).
12.4. Any matters not regulated in this Policy are subject to the GDPR, Polish law, and EU law.
Contact
For matters related to personal data protection, please contact:
POWERUP! Limited Liability Company
ul. Elektoralna 13/121, 00-137 Warsaw
KRS: 0001139773, NIP: 5253025464, REGON: 540242699
Email: [email protected]