PRIVACY POLICY

The protection of the privacy of people using our website is very important to us, which is why we make every effort to maintain the privacy protection rules at a sufficiently high level.

For a clear and reliable presentation of the principles of personal data processing when using our services and inseparably related to the protection of privacy, we have created this Privacy Policy.

It contains information about the rights that you are entitled to, as well as our obligations, which we comply with to ensure that the processing of personal data is carried out in accordance with the law and good practices.

If you are concerned about the possibility of losing control over information about you online, widespread online tracking and your privacy, we would like to point out that there are a number of tools and solutions that allow you to block such activities - these may be browser extensions, their privacy settings, and more advanced solutions such as VPN networks or browsers that provide greater privacy by redirecting traffic. We do not provide specific solutions because their diversity is huge and their functionalities vary - we encourage you to search for them on the Internet and choose the ones that best suit your needs - you can read the quite extensive list posted on the Privacy Guides website: https://privacyguides.org

We also encourage you to use the network with disabled social media accounts - they are the main source of information for profiling and allow you to link the context of people with services or specific activities.

Tracking and privacy technologies on the web are so dynamic, with new tracking methods emerging all the time. We encourage you to regularly check and adjust your security measures to control the information you share online.

DEFINITIONS

FRSc (hereinafter referred to as the Organization) FRSc Sp. z o.o., based in 36-100 Kolbuszowa, ul. Tyszkiewiczów 2, NIP: 5461393112, REGON: 366236590, registered in the Register of Entrepreneurs kept by the District Court in Rzeszów – 12th Commercial Division of the National Court Register – share capital of 5 000,00 PLN, KRS number: 0000656758.

FRSc Academy – non-public continuing education institution (Register of Schools and Educational Institutions: 477964), the managing body of which is FRSc Sp. z o. o. The Academy is based at ul. march. Józefa Piłsudskiego 20 in Spała (97-215 Spała) and has the REGON number: 521910954.

Website - the website frsc.pl through which the Organization provides its services.

Guest – a person visiting the Website who does not log in to a specific User account or does not have one. A Guest may become a User when he creates an account and provides his personal data.

User – a person using the Website, having an account or ordering services or other benefits provided by the Organization. In the context of the Website, Users also include students using the services of FRSc Sp. z o. o. as the governing body for the FRSc Academy. Regardless of the purpose, for each person placing orders without registering an account or with its registration, entries are created in the Website's database system, thanks to which it is possible to identify this person, process complaints on his behalf or issue invoices. When placing an order, purchasing or providing a paid service by the Organization to persons, the fact of resigning from creating an account does not result in the lack of processing of personal data - this data is processed regardless of the creation of an account because it is necessary to perform the contract between the person and the Organization.

Cookies - these are small pieces of information, called cookies, sent by visited websites and saved on the end device used for connection (computer, laptop, smartphone).

Tracking Identifiers – these are mechanisms that track visits to websites via special identifiers assigned by measurement service providers. The technology operates server-side and is based on assigning unique codes to data such as browser features (fingerprinting) and parameters like operating system version, browser type and version, screen resolution, and device type. Combined, they create a relatively unique device identifier that can be used for approximate identification of Guests or Users.s

Supplier - A third party providing services to the Organization for marketing measurements on the Organization's websites. The provider provides platforms offering tools and services enabling the collection, analysis and reporting of data regarding the effectiveness of online marketing activities. These tools help the Organization understand how the Websites are visited, the behavior of visitors there, and assess the effectiveness of marketing campaigns. Typical functions provided by marketing measurement solution providers include reports for creating and visualizing data that help organizations understand analysis results and make marketing decisions.

Account - a set of resources and settings created for the User as part of the Website's mechanisms used to manage services, including online shopping or the provision of online services.

EEA – European Economic Area (EEA) – free trade and common market area, covering the countries of the European Union and the European Free Trade Association (EFTA), with the exception of Switzerland.

RODO - (GDPR) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repeal of Directive 95/46/EC (General Data Protection Regulation).

PERSONAL DATA ADMINISTRATOR

FRSc Sp. z o. o. (also called the Organization) is the Data Controller for personal data processed on the Website or Services. In the case of services provided through or with the help of solutions based on Meta Facebook, it may act as a joint data controller together with Facebook Ireland Limited with its registered office at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.

FRSc Sp. z o. o. as the managing body, it is also the Data Administrator for personal data processed as part of the tasks of the FRSc Academy.

The Administrator has appointed a Data Protection Officer who can be contacted in matters related to privacy, security and processing of personal data, including the rights and obligations of the Data Administrator. Contact is possible at: iod@frsc.pl,by phone at: 17 7852298or by sending written correspondence to the above-mentioned address of the Organization's headquarters with the note "Data Protection Inspector":

FRSc Sp. z o.o.
ul. Tyszkiewiczów 2
36-100 Kolbuszowa Dolna

METHOD OF OBTAINING PERSONAL DATA

Scenarios of possible forms of obtaining personal data:

1. Information is provided by Guests and Users voluntarily during registration on the Websites, during contact via electronic forms or instant messaging mechanisms on the Website.

• Information obtained automatically is information downloaded by servers operating the Websites, both belonging to the Organization and by Suppliers supporting this process or providing content and materials (e.g. fonts, video materials or CSS scripts). The information obtained in this way concerns the request for a website address (the so-called URL), the date and time of such a request, device data (e.g. hardware model and type of operating system), browser type, data on IP addresses from which the connection is made (directly and indirectly - the so-called .proxy).

• Information sent automatically is not used in a form that would allow it to be directly associated with personal data of Guests. However, this data may allow Solution Providers to identify people with a high degree of probability and, to some extent, monitor their activity on the network - through mechanisms such as identifiers (Ray ID). The organization does not carry out such activities itself, relying only on aggregated statistical data processed by Providers who have such an opportunity and are highly likely to associate the context of the connection with a specific person, especially when the person browses the website while logged in to social networking sites or messengers belonging to them.

• Since the Organization does not process data identifying specific persons, but uses solutions available on the market, which Suppliers may have such an option, we point out that such tracking or identification can be avoided by setting tracking blocking mechanisms available in most browsers. Some of them have this function built-in, others you can download a free add-on.

• Some parts of the Website may contain social media tools - Facebook Meta and Instagram. Their task is to enable the exchange of information between registered users of these social networking sites and to facilitate them in sharing links to the content of the Website. However, it should be noted that such interactions are inextricably linked to the processing of personal data in the context of the Organization's services by Social Networking Sites. Entities responsible for a given social networking site can this way confirm correlations between people and products or services - they then sell this information in an anonymized form - as statistical data to advertisers (i.e. they do not sell personal data, but the ability to reach specific target groups that fit a specific profile ).

• People's data may be obtained indirectly from Meta Facebook and Instagram, where the identity of people interacting with the Organization's profiles on social networking sites may be disclosed. Each user of the Meta websites (Facebook and Instagram) defines the privacy rules in the parameters of their account, and details about the relevant policies can be read respectively:
• https://www.facebook.com/privacy/
• https://about.instagram.com/safety

• References to social media profiles include LinkedIn, where FRSc has a profile publishing informational materials about its activities. Thus, it may involve identifying visitors to FRSc’s LinkedIn profile. For logged-in users, LinkedIn privacy settings apply.
• https://www.linkedin.com/mypreferences/d/categories/privacy

• The Website's pages may also contain elements related to the Organization's activities that require the provision of specific data - e.g. for options related to payments or installment purchases. The Organization does not process this data - but the Websites may contain elements of external suppliers who collect such data in order to perform specific activities related to the provision of services by the Organization.

• FRSc website also links to YouTube, where materials related to the company's activities are posted. YouTube is owned by Google Inc., and privacy settings are described under: Google Privacy Policy
• https://policies.google.com/privacy?hl=pl-PL

LEGAL BASIS FOR PROCESSING PERSONAL DATA

The Organization, as the Data Administrator, may collect personal data based on several grounds, explained briefly below:

1. When registering a User account, the legal basis for processing is Article 6(1)(b) of GDPR – meaning the ability to process personal data for the purpose of concluding and performing a contract.

• To handle complaints, grievances, inquiries, or responses to questions, the Organization may process certain personal data provided during registration or via the contact form. In such cases, the legal basis is either the User's consent (Article 6(1)(a) of GDPR) or the legitimate interest (Article 6(1)(f) of GDPR) related to providing electronic services and building positive relations with Users based on trust and loyalty. Under this premise, the Organization may also promote its services independently or within a group.

• For settlement purposes, the Organization may process necessary data such as: name, surname, company details (if applicable), business address, registration number, tax identification number (NIP) and business registry number (REGON), bank account details, and transaction information. The legal basis is fulfilling a legal obligation under Article 6(1)(c) of GDPR.

• On the basis of explicit consent – the Administrator may process personal data only after obtaining voluntary, specific, informed, and unambiguous consent. Consent may be withdrawn at any time. Please note: the mere use of certain contact forms does not automatically constitute consent for marketing purposes; it only allows a response to a message or the continuation of related correspondence

• Through services provided via Meta (Facebook/Instagram) – users independently decide whether to engage with the Organization’s profiles, e.g., by subscribing, commenting, tagging, or sharing content.

• In the case of personal data collected during courses organized by the FRSc Academy, the applicable regulations are:
• The "Education Law" Act
• The Act on the Education System
• The Act on the Information System in Education
• Relevant regulations issued under these laws.

• In this context, the Organization, as the administrative body for the FRSc Academy, is obliged to collect, process, and store data under the above-mentioned legal acts.

USE OF PERSONAL DATA

1. The main purpose of the Data Administrator in collecting personal data is the organization and management of training courses for individuals interested in broadly understood physiotherapy and acupuncture. Specifically, the purpose may include the sale of FRSc Sp. z o.o. services through the Website. This goal is also related to other activities, such as creating and managing User accounts, conducting business correspondence, and enabling contact with Users. Certain information is required for transaction processing. Some information may also be used to customize the Website to individual needs, including for interactive communication and other additional services. The Website may also include optional registration for selected services, surveys, and questionnaires requesting the provision of additional information necessary for the given purpose.

• Measurement data provided by Visitors and Users while browsing the Websites can be used to design and create better solutions, adjust operation, improve and provide advice and assistance regarding the services we provide.

• Many data can be provided voluntarily, but failure to provide them will make it impossible to provide (or continue to provide) the relevant products or services.

• The information collected on the basis of consciously expressed consents can be used by the Data Administrator to build individualized marketing and advertising offers. This type of advertising can be implemented using visible elements on the Website, in social networking sites or in popular search engines.

• Information about Guests and Users may be used by external parties, such as providers or social media services, which can independently associate the Organization with specific visitors. These actions do not involve the Organization directly processing personal data and the Organization does not have access to that information. Use of third-party services is based on consent given when first (or subsequent after cookie removal) visiting the Website. Visitors can determine whether to enable third-party mechanisms or reject them all.

• The scope of possible data processing by social media providers depends on how they manage profiling and advertising. It may be based on user consents or through paid social media accounts that eliminate or limit ads. The Organization uses social media advertising but does not know which individuals see the ads — this information is only available to the providers.

• Guest and User data are not subject to profiling (automated decision-making) by the Organization. In some cases, Users may give separate consent to receive personalized content or services that may require additional parameters from external providers (e.g., installment payment services)

• Upon appropriate consent or based on the Administrator’s legitimate interest, the User may receive a newsletter (or newsletters) containing information about services, additional features, promotions, or other related services offered within the Organization’s partner network. The Organization always manages the contact data and may integrate partner marketing into its content without sharing any personal data. Such consent can be withdrawn or adjusted at any time, which will update the preferences or completely stop the newsletter delivery. Users may also manage their subscription settings directly through the provider handling the newsletter service on behalf of the Organization — including opting out or modifying parameters.

• When specific consent is granted, selected User data may be shared with marketing partners, who may then send personalized materials. This type of data sharing is clearly marked on the Website and is distinct from passive traffic tracking by external providers — it is a separate, explicit action.

1. 1. For personal data associated with educational activities, collected data will be processed for the purpose of organizing classes conducted in accordance with the principles defined for Continuing Education Institutions.

DATA SHARING

1. 1. In certain cases, based on consent or actions that clearly imply consent, the Administrator may share Users' personal data with entities operating within a group of partners who provide services related to physiotherapy, acupuncture, or similar health services. The cooperation within this group is based on the principles outlined in Article 26 of the GDPR and may be carried out for the purpose of offering a broader range of services to physiotherapists. Activities within the group are conducted in accordance with GDPR requirements and the provisions of this Privacy Policy (e.g., database management, sending personalized emails, or carrying out specific joint actions with other group members). All of the Administrator’s partners are obligated to protect personal data in accordance with an accepted model of privacy protection, as defined in this Privacy Policy.

• Partners operate only on the basis of strictly defined rules - including joint control agreements pursuant to art. 26 of the GDPR or entrusting the processing of personal data contained in accordance with art. 28 of the GDPR along with the mandatory requirement to maintain the confidentiality of any personal data they come into contact with.

• The Data Administrator may also disclose personal data in certain cases to entities such as legal advisors or law enforcement authorities, in connection with the initiation, exercise, or defense of legal claims. This may occur to comply with legal requirements or respond to lawful requests within legal proceedings, to protect rights and property — including enforcement of contracts, execution of court orders, subpoenas, or other legal demands related to judicial processes.

• In certain circumstances, the Administrator may be legally required to disclose processed personal data upon request of authorized government agencies or law enforcement bodies.

• This also applies to third-party providers, who may be obligated to disclose personal data of Guests and Users connected with the Organization’s services.

• Certain User data may be disclosed to external entities upon explicit request from the User. This may occur during the integration of the Website's services with external providers, whose solutions interact with the Website to enable additional features. Such data exchanges are clearly marked, and before any action is taken, explicit consent (Opt-In) is required — either by accepting the terms or actively proceeding with the function. This ensures that no accidental or unintentional data sharing takes place. Without such consent, no further steps are taken — for example, additional services will not be enabled

• If User personal data is required to carry out training services, including the issuance of course completion certificates for programs offered by FRSc Sp. z o.o. or conducted within the FRSc Academy, the scope of collected data may be broader — in accordance with § 22.4 of the Regulation of the Polish Minister of National Education dated March 19, 2019, on continuing education conducted in out-of-school forms.

DATA SAFETY

1. 1. All activities carried out on the Website are protected by technical and organizational security measures, such as encryption. This involves encoding information entered or displayed by Users or Visitors so that it can only be read by their web browsers and the servers operating the Website.

• As part of ongoing security efforts, regular security tests are conducted, independent specialist audits are performed, and up-to-date software versions are used.

• At the same time, however, because it is technically impossible to guarantee that every data transmission on the Internet is completely secure, despite making every effort to ensure the protection of personal data, the Data Administrator cannot ensure or otherwise guarantee the complete security of information provided by Users and Visitors via network.

RETENTION - DATA STORAGE TIME

Personal data is stored no longer than it is necessary to achieve the purposes for which it was collected, unless applicable law requires longer storage. In particular, they will be:

1. Accounts on the Website are created for the purpose of providing services and handling activities related to their fulfillment, as well as other services in accordance with the concluded agreement.

• After deleting the Account, the data will be anonymized, except for the following data: name, surname, e-mail address, application operation history and information on consents given (these data must be kept for a period of 3 years from the deletion of the Account for the purpose of considering complaints and claims related to the use of services).

• If the provision of the service requires the performance of legal and fiscal obligations, the necessary data will be processed for the period required by law (usually 5 years from the date of fulfillment of the legal and fiscal obligation).

• Data processed on the basis of consent will be retained until the consent is withdrawn or the service for which the consent was given is completed.

• Data processed in accordance with the Regulation of the Polish Minister of National Education dated March 19, 2019, on continuing education in out-of-school forms, will be stored in line with documentation retention rules applicable to course and training records conducted under the FRSc Academy.

Additionally, information that may to some extent identify the personal data of Guests and Users is stored for the duration of the lifecycle of cookies saved on their devices. These settings can be changed at any time in any modern browser, including by deleting or clearing cookies.

TRANSFER OF DATA TO THIRD COUNTRIES

Personal data is not transferred outside the European Economic Area (EEA). The servers used are located in Poland or the EEA, and the partners have their registered offices in the European Economic Area.

1. 1. When the Administrator uses such services or where the nature of the service involves joint data controllership with social media providers (e.g., Meta or Google), this may result in the processing of user data by those platforms for individuals visiting the Organization’s Services. It is assumed that these providers process the data in accordance with their declared policies within the European Economic Area (EEA) or under rules ensuring a level of privacy protection no lower than that required under GDPR.

• Detailed information and configuration options for personal data processing by social media providers can be found on their respective privacy pages. These are typically labeled as Privacy Policies, Privacy Centers, or Privacy Settings within user profiles.

LAWS

In connection with the processing of personal data, each person has a number of rights, the implementation of which the Administrator is obliged to ensure. These rights can be exercised by submitting your request in writing or to the e-mail address indicated at the beginning of this Policy.

Each person whose data is processed has the right to:

1. Access to your data pursuant to art. 15 GDPR. In particular, this is the right to obtain confirmation of the processing of personal data and when it takes place:

1. gain access to your personal data,
2. obtaining information about the purposes of processing, about the recipients or categories of recipients of this data, the planned period of data storage or about the criteria for determining this period, about the rights under the GDPR and the right to lodge a complaint with the supervisory body, about the source of this data, about automated decision-making, including profiling.
3. Obtain a copy of your personal information.

• Requests to rectify data (Article 16 of the GDPR). Persons whose data is processed have the right to rectify and complete the personal data provided by them. With regard to other personal data, you have the right to request rectification of these data (if they are incorrect) and their supplementation (if they are incomplete).

• Requests to delete data based on art. 17 GDPR. Persons whose data is processed have the right to request the deletion of all or some of their personal data if:

1. Personal data are no longer necessary for the purposes for which they were collected or processed;
2. data processing is based on consent and this consent has been withdrawn,
3. an objection has been raised against the use of data for marketing purposes,
4. personal data is processed unlawfully.

• Despite the request to delete personal data, in connection with the objection, the Administrator may retain certain personal data to the extent necessary for the purposes of establishing, pursuing or defending claims, as well as in order to perform the obligations provided for by law. This applies in particular to personal data including: name, surname, e-mail address and log history records of our Websites, kept for the purpose of considering complaints and claims related to the use of services.

• Requests to limit data processing (Article 18 of the GDPR). Persons whose data is processed have the right to request the restriction of the use of their personal data in the following cases:

1. when the correctness of your personal data is questioned - then the Administrator limits their use for the time needed to verify the correctness of the data, but not longer than for 7 days,
2. when the processing of data is unlawful, and instead of deleting the data, the restriction of their use has been requested;
3. when personal data are no longer necessary for the purposes for which they were collected or used, but they are needed to establish, pursue or defend claims;
4. when an objection to the use of data has been raised - then the restriction takes place for the time needed to consider whether - due to the particular situation - the protection of interests, rights and freedoms outweighs the interests pursued by the Administrator.

• Right to data portability (Article 20 of the GDPR). Persons whose data is processed have the right to receive their personal data, which they provided, and then send it to another personal data administrator of their choice. You also have the right to request that personal data be sent directly to such another administrator, if it is technically possible. In this case, personal data may be sent in the form of commonly used files and document types, machine-readable and allowing the received data to be sent to another personal data controller.

• Objections to data processing pursuant to Art. 21 GDPR. Persons whose data is processed have the right to object at any time to the use of their personal data, if they are processed based on the legitimate interest of the Administrator. If the objection turns out to be justified and there is no other legal basis for the processing of personal data, they will be deleted for those forms of use for which the objection was made.

• Withdrawal of consent to the processing of personal data. With regard to personal data whose processing is based on consent, you have the right to withdraw it. This right can be exercised by changing the settings in the User's profile that enable or disable consents for specific processing purposes, or by writing to the Data Administrator at the e-mail address indicated at the beginning of this Policy.

• Submit a complaint to the supervisory authority (Article 77 of the GDPR). If the persons whose data is processed consider that the right to the protection of personal data or other rights granted under the GDPR have been violated, they have the right to lodge a complaint with the President of the Office for Personal Data Protection.

How long does the Administrator meet the requests?

If, in exercising the above-mentioned rights, the Administrator receives a request, it will fulfill it or refuse to fulfill it immediately, but not later than within a month after receiving it. However, if - due to the complicated nature of the request or the number of requests - it will not be possible to fulfill the request within a month, it will be fulfilled within the next two months and the person concerned will receive prior information about the intended extension of the deadline.

CHANGES TO THE PRIVACY POLICY

Following the development of technology and changes in the law, the Administrator adjusts the Privacy Policy to them, changing or supplementing the provisions contained therein as needed.

The persons whose data is processed will be informed about any changes or additions by posting relevant information on the Website, and in the case of significant changes by sending separate notifications to the e-mail address provided.

The Privacy Policy does not limit any rights of persons under the contract for the provision of services and the law.