Definitions

1. Administrator – company under the name UHURA BIONICS Spółka z ograniczoną odpowiedzialnością with its registered office in Ełk at Podmiejskia 5/2.16 Street, 19-300 Ełk, entered into the National Court Register kept by the District Court in Olsztyn, VIII Commercial Division of the National Court Register under KRS number 0001009618, REGON: 523981740, NIP: 8481884010. Contact with the Administrator: e-mail address: legal@uhura.pl, correspondence address: Podmiejska 5/2.16 Street, 19-300 Ełk.

2. Personal Data – any information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data, information contained in correspondence, information collected through recording equipment or other similar technology.

3. Health Data – any Personal Data relating to the physical or mental health condition of the Data Subject.

4. Data subject – a natural person to whom the Personal Data processed by the Administrator relates, e.g. a person sending an inquiry to the Administrator in the form of an e-mail.

5. Policy – this Uhura Bionics Privacy Policy.

6. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

7. Website – a website available at https://www.uhura.pl/ with all subpages, including the Store.

8. Store – an online store operated and managed by the Administrator available within the Website.

Processing of personal data

1. In connection with its business activity, the Administrator collects and processes Personal Data in accordance with the relevant regulations, including in particular the GDPR, and the data processing rules provided for therein.

2. Administrator:

   1. ensures transparency in the processing of Personal Data;

   2. informs about the processing of Personal Data at the time of their collection, in particular about the purpose and legal basis of the processing of Personal Data, unless it is not obliged to do so on the basis of separate regulations;

   3. ensures that Personal Data is collected only to the extent necessary for the indicated purpose and is processed only for the period in which it is necessary.

3. By processing data, the Administrator ensures their security and confidentiality, as well as access to information about the processing to the Data Subjects. If, despite the security measures applied, a breach of the protection of Personal Data occurs (e.g. data "leakage" or loss) and such a breach could cause a high risk of violation of the rights or freedoms of the Data Subjects, the Administrator will inform the Data Subjects about such an event in a manner consistent with the regulations.

4. The Administrator did not appoint a Personal Data Protection Officer.

Security of personal data

1. In order to ensure the integrity and confidentiality of Personal Data, the Administrator has implemented procedures allowing access to Personal Data only to authorized persons and only to the extent necessary due to the tasks performed by them.

2. The Administrator uses organizational and technical solutions to ensure that all operations on Personal Data are recorded and performed only by authorized persons.

3. The Administrator takes the necessary actions to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures in each case when they process Personal Data at the request of the Administrator.

4. The Administrator conducts risk analysis on an ongoing basis and monitors the adequacy of the Personal Data security measures applied to the identified threats. If necessary, the Administrator implements additional measures to increase data security.

Purposes and legal bases of processing

1. Email and traditional correspondence

   • In the case of sending to the Administrator via e-mail or traditional correspondence not related to the services provided to the sender or any other agreement concluded with him, the Personal Data contained in this correspondence are processed solely for the purpose of communication and resolution of the matter to which the correspondence relates.

   • The legal basis for the processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in conducting correspondence addressed to him in connection with his business activity.

   • The Administrator processes only Personal Data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner that ensures the security of the Personal Data (and other information) contained therein and is disclosed only to authorized persons.

2. Phone contact

   • In the case of contacting the Administrator by telephone, in matters not related to the concluded agreement or the services provided, the Administrator may request the provision of Personal Data only if it is necessary to handle the matter to which the contact relates.

   • In such a case, the legal basis is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in the need to resolve the reported matter related to its business activity.

3. Collection and processing of health data

   • In connection with the profile of the Administrator's activity as a manufacturer of innovative medical devices, the Administrator may collect and process Health Data (e.g. information on diseases of the speech organ, medical procedures undergone, atypical speech samples). Health Data is processed only to the extent that it has been voluntarily provided by the Data Subject, for purposes related to the fit, calibration and optimization of the medical device, the provision of specialist support and the development of technology (including AI algorithms).

   • The legal basis for the processing of Health Data is the explicit consent of the Data Subject (Article 9(2)(a) of the GDPR in conjunction with Article 6(1)(a) of the GDPR). In the event that the health information provided by the Data Subject is related to the reporting of an adverse event, medical incident or the exercise of rights under the guarantee/warranty, the basis for processing is the fulfilment of the Controller's legal obligations as a manufacturer of the medical device and the necessity for reasons related to the public interest in the field of public health and ensuring high standards of safety of medical devices (Article 9(2)(i) of the GDPR in connection with Article 6(1)(c) of the GDPR and relevant regulations, including EU Regulation 2017/745 (MDR) and Food and Drug Administration (FDA) regulations).

   • The Administrator processes Health Data in compliance with the highest, strict standards of technical and organizational security. Wherever technically possible, the Administrator uses pseudonymization or anonymization techniques. Access to the Health Data is granted only to the Administrator's employees and associates authorized by name, who have been obliged to maintain strict secrecy, and the data themselves are not made available to third parties without the explicit consent of the Data Subject, with the exception of the competent authorities for the supervision of medical devices.

4. Using the store

   • In order to be able to use the Store, in particular in the scope of concluding a sales agreement and a contract for the provision of services by electronic means in the scope of access to the Store, it is necessary for the Subject to provide Personal Data necessary to conclude the above-mentioned agreements.

   • With regard to the use of the Store, the basis for the processing of Personal Data by the Administrator is the necessity to perform the contract or to take action at the request of the Data Subject prior to its conclusion (Article 6(1)(b) of the GDPR) and the necessity to perform obligations arising from the provisions of law, in particular tax regulations, accounting regulations, consumer rights regulations (Article 6(1)(c) of the GDPR).

5. Claims:

   • In order to establish, pursue and enforce any claims arising from the manner in which the Data Subject uses the Website, the Administrator may process certain Personal Data if it is necessary to prove the existence of the Administrator's claim, including the extent of the damage suffered.

   • In such a case, the legal basis is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in establishing, pursuing and enforcing claims and defending against claims in proceedings before courts and other state authorities.

6. Exercise of the rights of the data subject

   • In order to enable the exercise of the rights resulting from the GDPR, in particular regarding the possibility of submitting complaints, inquiries and requests, the Administrator has the right to process certain Personal Data for this purpose.

   • In such a case, the legal basis is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in enabling the Data Subjects to exercise their rights under the GDPR.

7. Analytical, statistical and research objectives

   • The Administrator may process the Personal Data of Data Subjects for analytical, statistical and research purposes, in particular by analysing the activity of users on the Website, as well as their preferences in order to improve the functionalities of the Website, including the Shop.

   • The Administrator may process Personal Data in the above scope for the purposes of preparing reports, analyses, studies and scientific research, whereby such documents will never contain Personal Data allowing for the identification of the Data Subject but will have the character of aggregate lists concerning a given category of previously defined characteristics.

   • The legal basis for the processing is the legitimate interest of the Controller and necessity for reasons related to the public interest in the field of public health and necessity for the purposes of scientific and statistical research (Article 6(1)(f) of the GDPR and Article 9(2)(i) and (j) of the GDPR).

8. Marketing of services offered by the administrator:

   1. Submission of commercial information

      • On the basis of the consent specifying the communication channel, the Administrator has the right to send messages to the e-mail address and, if necessary, to contact by phone, in order to present its services.

      • The legal basis is the consent of the person to whom the Personal Data relates (Article 6(1)(a) of the GDPR).

      • In the case of consent to the sending of information via e-mail, the legal basis for the processing of personal data will also be Article 10(2) of the Act on the provision of services by electronic means.

      • In the event of consent to be contacted by phone for the purpose of providing information, the legal basis for the processing of personal data will also be Article 398 of the Act of the Electronic Communications Law.

   2. Newsletter

      • On the basis of the consent granted by the Data Subject, the Administrator has the right to send information regarding its activity to the e-mail address provided.

      • The legal basis is the consent of the person to whom the Personal Data relates (Article 6(1)(a) of the GDPR).

Need to provide personal data

1. Page

Providing Personal Data is voluntary.

2. Shop

Providing Personal Data is voluntary, but necessary to make purchases in the Store.

3. Newsletter

The data subject will only receive the newsletter if he or she has provided his or her e-mail address for this purpose. Providing your e-mail address is voluntary, but necessary in order to receive such messages.

In-store billing data

1. When placing an order in the Store, it is possible to provide billing data, i.e. data of a person or entity (company) for whom an invoice is to be issued for the order made or which are to be included in the invoice, at the express request of the buyer. The necessary data are indicated in the appropriate forms dedicated to providing billing data.

2. The Personal Data provided by the Buyer as part of the forms concerning the settlement data will be processed by the Administrator in order to fulfil the obligations arising from the provisions of law, in particular tax regulations and accounting regulations. The basis for processing is the necessity to comply with a legal obligation to which the controller is subject (Article 6(1)(c) of the GDPR).

Profiles on facebook and linkedin

1. The Administrator maintains a fanpage on Facebook and LinkedIn as a joint administrator of personal data within the meaning of Article 26 of the GDPR, respectively with Meta Platforms Ireland Ltd. (4 Grand Canal Square, Dublin 2, Ireland) and LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland). Detailed rules for co-administration of fanpage statistics data are available at: https://www.facebook.com/legal/terms/page_controller_addendum (Facebook) and in the LinkedIn privacy policy. The Administrator is responsible for the exercise of the rights of data subjects in the scope of data processed directly by the Administrator. For the rest, the response to requests should be directed to the portal operator.

2. The personal data of Data Subjects visiting the Controller's profiles are processed:

   1. in order to effectively maintain profiles, by presenting to the users of the portals information about the Administrator's initiatives and other activities and in connection with the promotion of various events, services and products;

   2. for statistical and analytical purposes;

   3. Alternatively, they may be processed for the purpose of asserting claims and defending against claims.

3. The legal basis for the processing of Personal Data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting of:

   1. promoting our own brand and improving the quality of services provided,

   2. if necessary – to pursue claims and defend against claims.

4. The above information does not apply to the processing of Personal Data by the administrators of the services (Facebook and LinkedIn).The purpose and scope of the processing of Personal Data by the operators of social networks is described in detail in the privacy policies of the above-mentioned social networks, available on their websites.

5. The data subject can always delete their comments under the Administrator's posts, stop following the Administrator or resign from having an account on the above-mentioned social networks.

Data recipients

1. In connection with conducting activities requiring the processing of Personal Data, Personal Data may be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and equipment, postal operators, couriers, accounting, legal and advisory service providers, and marketing agencies.

2. Personal data of Data Subjects using online payments made available to a payment service provider within the meaning of the Act of 19 August 2011 on payment services.

3. The Administrator may share anonymized data (i.e. those that do not identify specific Data Subjects) with external service providers in order to better recognize the attractiveness of advertisements and services offered by the Administrator.

4. The Administrator reserves the right to disclose selected information concerning the Data Subject to the competent authorities or third parties who request such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.

Transfer of data outside the EEA

The Administrator does not transfer Personal Data outside the European Economic Area.

Automated decision-making, including profiling

The Administrator uses profiling for the purpose of direct marketing of products and services offered by the Administrator. Profiling consists in the automatic analysis of the shopping activity and preferences of the Data Subject in the Store in order to send personalized offers, discount codes or reminders about unfinished purchases. Decisions made on the basis of profiling do not produce legal effects or significantly affect the Data Subject within the meaning of Article 22 of the GDPR. The data subject has the right to object to profiling used for direct marketing purposes at any time, without the need to provide justification (Article 21(3) of the GDPR).

Period of personal data processing

1. Personal data is processed for the following periods:

   1. e-mail correspondence and telephone contact – 3 years from the last contact or until an objection is filed;

   2. data related to the performance of the sales contract – 5 years from the end of the year in which the sale took place, not shorter than required by tax regulations;

   3. data for invoices and accounting documentation – 5 full tax years after the year of issuing the invoice;

   4. data processed for marketing purposes (newsletter, consents) - until the consent is withdrawn;

   5. data processed for analytical purposes – 26 months from the moment of their collection;

   6. social profiles – for the period of maintaining the profile or until an objection is filed.

2. The period of processing of Personal Data may be extended if the processing is necessary to establish or pursue claims or to defend against claims, and after this period - only in the case and to the extent required by law.

3. In the event that Personal Data is processed on the basis of consent given by the Data Subject, such consent may be withdrawn at any time. Personal data will be processed until the consent is withdrawn. The withdrawal of consent does not affect the lawfulness of processing that was carried out on the basis of consent before its withdrawal.

Rights of data subjects

Data subjects have the following rights:

1. the right to information about the processing of personal data – on this basis, the Administrator provides the natural person submitting the request with information about the processing of Personal Data, including, in particular, the purposes and legal bases of processing, the scope of the data held, the entities to whom they are disclosed, and the planned date of data deletion.

2. the right to obtain a copy of the data – on this basis, the Administrator provides a copy of the processed Personal Data concerning the natural person submitting the request.

3. right to rectification – the Administrator is obliged to remove any inconsistencies or errors of the processed Personal Data and to supplement them if they are incomplete;

4. the right to erasure – on this basis, you may request the deletion of Personal Data, the processing of which is no longer necessary to achieve any of the purposes for which they were collected;

5. the right to restriction of processing – in the event of such a request, the Administrator ceases to perform operations on Personal Data – except for operations to which the Data Subject has consented – and to store them, in accordance with the adopted retention rules or until the reasons for the restriction of data processing cease to exist (e.g. a decision of the supervisory authority permitting further data processing is issued).

6. the right to transfer data – on this basis – to the extent that Personal Data are processed in an automated manner in connection with a concluded agreement or consent – the Administrator issues the data provided by the person to whom they relate in a format that allows the data to be read by a computer. It is also possible to request the transfer of such data to another entity, however, provided that there are technical possibilities in this regard on the part of both the Administrator and the indicated entity;

7. the right to object to the processing of data for marketing purposes – the Data Subject may object to the processing of Personal Data for marketing purposes at any time, without the need to justify such objection;

8. the right to object to other purposes of data processing – the Data Subject may at any time object – for reasons related to his/her particular situation – to the processing of Personal Data that is carried out on the basis of the Controller's legitimate interest (e.g. for analytical or statistical purposes or for reasons related to the protection of property); the objection in this regard should include a justification.

9. the right to withdraw consent – if the data is processed on the basis of the consent, the Data Subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before its withdrawal;

10. right to lodge a complaint – if it is considered that the processing of Personal Data violates the provisions of the GDPR or other provisions concerning the protection of Personal Data, the Data Subject may lodge a complaint with the authority supervising the processing of Personal Data, competent due to the place of habitual residence of the Data Subject, his/her place of work or the place where the alleged infringement was committed. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.

Requests related to the exercise of rights

1. A request regarding the exercise of the rights of Data Subjects may be submitted

   1. in writing to the following address: UHURA BIONICS Sp. z o.o., Podmiejska 5/2.16 Street, 19-300 Ełk;

   2. by e-mail to: legal@uhura.pl.

2. If the Administrator is not able to identify a natural person on the basis of the submitted request, it will ask the applicant for additional information. Providing such Personal Data is not mandatory, however, failure to provide it will result in the refusal to comply with the request.

3. The request can be made in person or by proxy. The proxy should have a power of attorney in writing (signed by hand or with a qualified electronic signature). The Controller may, in justified cases, ask for additional confirmation of the applicant's identity in order to protect against unauthorized disclosure of data.

4. A response to the report should be provided within one month of its receipt. If it is necessary to extend this deadline, the Administrator informs the applicant about the reasons for this action.

5. In the event that the request has been addressed to the Administrator electronically, the response shall be provided in the same form, unless the applicant has requested a response in a different form. In other cases, the answer shall be given in writing. In the event that the deadline for the implementation of the request makes it impossible to provide a response in writing, and the scope of the applicant's data processed by the Administrator allows for contact by electronic means, the response should be provided electronically.

6. The Controller stores information regarding the submitted request and the person who submitted the request, in order to ensure the possibility of demonstrating compliance and to establish, defend or pursue possible claims of Data Subjects.

Third-party links

1. In the event that external links are placed on the Website, including the Store, this Policy does not apply to the processing of Personal Data by third parties.

2. By placing links, the Administrator makes every effort to establish that they refer only to those entities that process Personal Data in accordance with data protection and security standards. However, the Controller has no influence on the compliance of other providers or third parties with data protection and security regulations. Therefore, you should seek information from other providers or third parties about the data protection regulations they have made available.

Cookies

1. Cookies (also called cookies) are textual information sent by a web server and stored on the user's side (usually on the hard drive). The default parameters of cookies allow only the server that created them to read the information contained in them. Cookies are most commonly used for counters, probes, online stores, login sites, advertisements, and to monitor visitor activity.

2. Purposes of storing and accessing cookies:

   1. personalization of the website (for example: remembering the selected font size, choosing a version for the visually impaired or a color version);

   2. remembering the user's data and choices (for example: no need to enter the login and password every time on each subpage, remembering the login when visiting again);

   3. Allow you to interact with social networks (for example, view your friends, fans, or post on Facebook and Google+ directly from your Page)

   4. customizing the advertising content displayed on the website;

   5. creating website statistics and statistics on the flow of users between different websites;

3. The Administrator uses technical, analytical and marketing cookies.

4. Technical cookies are necessary to optimize the website in terms of devices and browsers that are most often used by visitors – thanks to this, your tablet or phone will display it correctly and legibly and allow you to remember whether you have consented to the display of selected content on the portal's website.

5. We use analytical cookies to improve the functioning of our Store and to measure, without identifying your Personal Data, the effectiveness of our marketing activities. These activities allow us to constantly improve the structure and content of the Store so that it meets the needs of our current and potential customers as much as possible.

6. Marketing cookies are used to tailor the content and forms of advertising to your needs and preferences.

7. Below you will find links to resources showing how you can determine the conditions for storing or accessing cookies using the settings of the most popular web browsers

   • Firefox

   • Chrome

   • Opera

   • Safari

8. However, please note that deleting or blocking cookies may result in some sections of the Store not functioning properly. If, as a result of changing the cookie settings, the so-called opt-out cookie is placed (which is used only to identify the User's objection – lack of consent), it should be remembered that the opt-out cookie works only in the browser with which it was stored. If you delete all cookies or use a different browser or other end device, you will have to opt-out again.

Update of the privacy policy

1. This Privacy Policy may be subject to changes resulting either from changes in generally applicable regulations or as a result of changes in the scope provided by the Administrator. The Administrator will inform about changes in the Privacy Policy on the Websites, informing about the date of introduction of the changes, so that you can exercise your rights under the GDPR, in particular withdrawal of consent or objection.

2. The Privacy Policy enters into force on May 30, 2025.