Terms of Service

PRIVACY POLICY AND PERSONAL DATA PROTECTION OF THE BRIGHTER.TOWN WEBSITE

Date of last update and entry into force: June 28, 2025

I. INTRODUCTORY PROVISIONS AND TERMINOLOGICAL DEFINITIONS

This Privacy and Personal Data Protection Policy (hereinafter referred to as the "Policy") is an integral part of the legal ecosystem regulating the operation of the website available at the URL https://brighter.town and all related subdomains, microservices and satellite applications (collectively referred to as the "Website" or "Platform"). This document has been developed based on the highest standards of information transparency and compliance with applicable legal provisions in the field of personal data protection, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "GDPR").

Terminological definitions used in this Policy:

Data Controller – [full name of the business entity or first name and surname of the natural person conducting business activity] with its registered office in Aleje Jerozolimskie 4, 00-024, entered into the National Court Register under the number [entry number], having the Tax Identification Number (NIP): 1234567890, the National Business Registry Number (REGON): 1234567890, the share capital in the amount of [amount of share capital] PLN (hereinafter referred to as "Controller");

Personal Data – as defined in art. 4 point 1 of the GDPR, any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing – as defined in art. 4 point 2 of the GDPR, an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, structuring, storing, adapting or modifying, downloading, viewing, using, disclosing by transmission, distributing or otherwise making available, matching or combining, limiting, deleting or destroying;

User – any natural person who visits the Website, uses its functionalities, content or services, regardless of whether they have a registered user account or use the Website as an unregistered person;

Cookies – small text files or other tracking technologies installed and stored on the User’s end device (computer, smartphone, tablet, smart TV, etc.) by the web browser when visiting the Website.

II. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER

The controller of your personal data within the meaning of the GDPR is Brighter Town LLC, with its registered office in Aleje Jerozolimskie 4, which is the entity responsible for determining the purposes and means of processing personal data in connection with the operation of the Website.

Contact details of the Controller:
Correspondence address: Poland, Warsaw, Aleje Jerozolimskie 4
E-mail address: contact@brighter.town
Telephone number: +48726768956
Availability hours: all day.

In matters related to the processing of personal data, the exercise of your rights and all issues concerning privacy protection, please contact us via the dedicated e-mail address or in writing to the registered office address of the Controller.

III. DETAILED PURPOSES, LEGAL BASIS AND PERIODS OF PERSONAL DATA PROCESSING

The Controller processes Users' personal data only for clearly defined, lawful purposes, based on the appropriate legal bases provided for in the GDPR.

3.1. Provision of services by electronic means and operation of the Website

Purpose of processing: Ensuring the proper functioning of the Website, providing services by electronic means in the scope of providing informational, educational and promotional content regarding the services offered, managing user sessions, ensuring the technical security of the platform.
Categories of processed data: Device IP address, information about the web browser and operating system, activity timestamps, geographic location data (at the country/region level), session identifiers, technical data regarding the use of the Website.
Legal basis: Necessity of processing to perform the contract for the provision of services by electronic means, to which the User is a party (Article 6 paragraph 1 letter b of the GDPR) and the legitimate interest of the Controller consisting in ensuring the security and stability of IT systems (Article 6 paragraph 1 letter f of the GDPR).
Processing period: For the duration of active use of the Website and additionally for a period of 12 months from the last activity for security and technical analysis purposes.

3.2. Handling inquiries and communicating with Users

Purpose of processing: Identification of the sender of correspondence, handling inquiries sent via contact forms, e-mail or other communication channels, answering questions, providing technical and substantive support.
Categories of processed data: First name and last name or nickname, e-mail address, telephone number (optional), company name and position (in the case of business contact), content of correspondence, message metadata.
Legal basis: Necessity to take action at the request of the data subject before entering into a contract (Article 6 paragraph 1 letter b of the GDPR) or the Controller's legitimate interest in conducting business correspondence and customer service (Article 6 paragraph 1 letter f of the GDPR).
Processing period: For the time necessary to handle a specific inquiry, and then for a period of 3 years for archiving purposes and possible pursuit of claims.

3.3. Analytical activity and optimization of the Website

Purpose of processing: Conducting advanced statistical analyses of website traffic, studying User behavior, identifying preferences and patterns of Website use, optimizing functionality and content, improving the quality of services provided, creating business reports.
Categories of processed data: Anonymized or pseudonymized data on Website activity, navigation paths, time spent on individual subpages, traffic sources, aggregated demographic data, information about devices and browsers.
Legal basis: The Controller's legitimate interest in analyzing the effectiveness of the Website and optimizing the services offered (Article 6, paragraph 1, letter f, GDPR).
Processing period: Aggregated and anonymized data may be stored indefinitely. Data enabling identification are deleted 26 months after their collection.

3.4. Use of Google Analytics 4

Purpose of processing: Detailed analysis of internet traffic, creating reports on User behavior, conversion tracking, analysis of the effectiveness of the content and functionality of the Website using advanced Google analytical tools.
Categories of processed data: Pseudonymized user identifiers, data on sessions and events on the Website, information about devices and browsers, geographic data, organic and paid traffic parameters.
Legal basis: Legitimate interest of the Controller in conducting business and marketing analyses (Article 6 paragraph 1 letter f of the GDPR).
Processing period: In accordance with the data retention settings in Google Analytics 4, for a maximum period of 14 months, with the possibility of earlier deletion at the User's request.

3.5. Establishing, pursuing, and defending against claims

Purpose of processing: Documenting the Controller's activities, collecting evidence in potential legal disputes, defending against unjustified claims, recovering receivables, cooperating with law enforcement and supervisory authorities.
Categories of processed data: All personal data processed for other purposes that may be relevant to establishing facts in legal matters.
Legal basis: The Controller's legitimate interest in protecting its rights and legal interests (Article 6 paragraph 1 letter f of the GDPR).
Processing period: Until the expiry of the limitation periods for claims specified in civil law, for a maximum of 10 years from the end of the service provision.

IV. DETAILED CHARACTERIZATION OF COOKIES AND SIMILAR SOLUTIONS

The website uses advanced tracking technologies, including cookies, web beacons, local storage, session storage, and other mechanisms for collecting data on User activity.

4.1. Taxonomy and classification of cookies

Strictly necessary cookies: Cookies that are absolutely necessary for the proper functioning of the Website, enabling basic functionalities such as page navigation, access to secure areas, and remembering language preferences.
Functional cookies: Cookies that allow for remembering choices made by the User (e.g., username, language, region) and providing improved, more personalized features.
Analytical/performance cookies: Cookies used to collect information about how Users use the Website, enabling traffic analysis, identifying popular content, and optimizing functionality.
Marketing cookies (targeting/advertising): Files used to track User activity across various websites in order to create interest profiles and display personalized advertising content.

4.2. Detailed specification of Google Analytics 4

The Website implements the latest version of the Google Analytics 4 (GA4) analytical tool, provided by Google LLC, based in Mountain View, California, United States. GA4 is an advanced, next-generation analytical platform that uses machine learning and artificial intelligence to provide deep insights into User behavior.

Mechanism of operation: GA4 uses an event-based measurement model that records User interactions with the Website as a sequence of events. The system automatically tracks key metrics such as page views, sessions, conversions, engagement, and user paths.
Collected parameters: Client IDs, session IDs, event timestamps, device parameters (device type, operating system, browser), geographic data (country, region, city), traffic sources, marketing campaign parameters.
Privacy mechanisms: GA4 implements advanced privacy protection mechanisms, including automatic IP address anonymization, the ability to exclude sensitive data, GDPR compliance, and consent management mechanisms.

4.3. Managing consent and cookie preferences

Users have full control over the use of cookies on the Website. Upon their first visit, an information banner is displayed with the ability to configure detailed preferences for individual cookie categories.

Control mechanisms: Granular cookie category management, the ability to withdraw consent at any time, browser-level configuration, the use of dedicated opt-out tools, automatic respect of Do Not Track signals.

V. CATALOGUE OF USER RIGHTS ARISING FROM THE GDPR

In connection with the processing of personal data, Users have a broad catalogue of rights specified in Chapter III of the GDPR, which can be exercised by contacting the Controller.

5.1. Right of access to personal data (Article 15 of the GDPR)

The User has the right to obtain from the Controller confirmation as to whether personal data concerning them are being processed, and if so, the User has the right to access such personal data and the information specified in Article 15 paragraph 1 of the GDPR, including in particular information on the purposes of processing, categories of data, recipients of the data, and the planned storage period.

5.2. Right to rectification of personal data (Article 16 of the GDPR)

The User has the right to request that the Controller immediately rectify any inaccurate personal data concerning them, and has the right to request that incomplete personal data be supplemented, including by providing an additional declaration.

5.3. Right to erasure of personal data - "right to be forgotten" (Article 17 of the GDPR)

The User has the right to request that the Controller immediately delete personal data concerning him or her in the cases specified in Article 17(1) of the GDPR, in particular when the personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

5.4. Right to restriction of processing (Article 18 of the GDPR)

The User has the right to request that the Controller restrict processing in the cases specified in Article 18(1) of the GDPR, in particular when he or she contests the accuracy of the personal data or objects to their processing.

5.5. Right to data portability (Article 20 of the GDPR)

The User has the right to receive the personal data concerning him or her that he or she has provided to the Controller in a structured, commonly used and machine-readable format and has the right to transmit these personal data to another controller.

5.6. Right to object (Article 21 of the GDPR)

The User has the right to object at any time to the processing of personal data concerning him/her which is based on the legal basis set out in Article 6(1)(f) of the GDPR (legitimate interest), including profiling based on these provisions.

5.7. Right to withdraw consent

In cases where processing is based on consent (Article 6(1)(a) of the GDPR), the User has the right to withdraw consent at any time, and the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

5.8. Right to lodge a complaint with a supervisory authority

The User has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his/her habitual residence, place of work or place of alleged infringement, if the User believes that the processing of personal data concerning him/her infringes the GDPR.

Contact details of the Polish supervisory authority:
Urząd Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warsaw
phone: +48 22 531 03 00
e-mail: kancelaria@uodo.gov.pl

VI. DATA RECIPIENTS AND INTERNATIONAL TRANSFERS

6.1. Categories of personal data recipients

In connection with the implementation of the processing purposes specified in this Policy, the Controller may disclose personal data to the following categories of recipients:

Technical subcontractors: Hosting service providers, content delivery network (CDN) operators, cloud service providers, IT system administrators.
Analytical service providers: Google LLC (Google Analytics), providers of internet traffic analysis tools, business intelligence platforms.
Communication service providers: Email operators, CRM system providers, customer communication platforms.
Entities providing legal and accounting services: Law firms, accounting offices, auditors, tax advisors.
Public authorities: Courts, prosecutor's offices, law enforcement agencies, public administration bodies – only in cases prescribed by law.

6.2. Data transfers outside the European Economic Area

Due to the use of technology providers based in third countries, in particular Google LLC (United States), Users' personal data may be transferred outside the European Economic Area.

Protection mechanisms: All data transfers outside the EEA are carried out using appropriate safeguards provided for in Chapter V of the GDPR, in particular:
- Standard contractual clauses approved by the European Commission
- Certification of compliance with recognized data protection standards
- Binding corporate rules approved by the competent supervisory authorities
- European Commission adequacy decision

VII. SECURITY AND DATA PROTECTION MEASURES

The Controller implements advanced technical and organizational measures to ensure an appropriate level of personal data security, taking into account state-of-the-art technological solutions, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risk of violations of the rights and freedoms of natural persons with varying likelihood and severity of threat.

Technical measures:
- Data encryption in transmission (TLS/SSL protocols)
- Data encryption at rest (AES-256)
- Advanced authentication and authorization systems
- Regular software and system updates
- Real-time security monitoring
- Intrusion detection and prevention systems (IDS/IPS)
- Regular backups with the possibility of quick recovery

Organizational measures:
- Information security policies
- Employee data protection training
- Access control based on the principle of least privilege
- Regular security audits
- Security incident response procedures
- Confidentiality agreements with employees and subcontractors

VIII. SYSTEM LOGS AND TECHNICAL MONITORING

The operation of the Website involves the automatic generation and storage of system logs containing technical information about User activity. These logs are essential for ensuring the security, stability, and proper functioning of the technical infrastructure.

System log content: IP addresses of end devices, HTTP request timestamps, server response codes, browser and operating system (User-Agent) information, URL addresses of requested resources, volume of transferred data, information about errors and technical incidents.

Log processing purposes:
- Ensuring the security of IT systems
- Diagnosing and resolving technical faults
- Optimizing infrastructure performance
- Analyzing traffic patterns for technical purposes
- Detecting and preventing cyberattacks

Retention period: System logs are stored for a maximum period of 12 months, after which they are automatically deleted or anonymized.

IX. PRIVACY POLICY UPDATE PROCEDURES

This Policy is subject to regular review and update to ensure compliance with evolving legal regulations, changes in data processing practices, and the technological development of the Website.

Procedure for introducing changes:
- Identification of the need to update the Policy
- Development of a draft of changes by the legal team
- Consultations with personal data protection experts
- Approval of changes by the Administrator's management
- Publication of the updated version on the Website
- Notification of Users of significant changes

Communication of changes: Users will be informed of any significant modifications to the Policy via a prominent notice on the Website and, if they have an email address, by electronic means at least 14 days before the changes come into effect.

X. FINAL PROVISIONS

This Policy constitutes an integral part of the legal regulations of the Website and should be interpreted in conjunction with other regulatory documents, in particular the Regulations on the provision of services by electronic means.

In matters not regulated in this Policy, the provisions of the GDPR, the Act of 10 May 2018 on the protection of personal data, the Act of 18 July 2002 on the provision of services by electronic means and other applicable provisions of Polish and EU law shall apply.

Any disputes arising from this Policy will be resolved by common courts having jurisdiction over the Administrator's registered office, subject to mandatory provisions on court jurisdiction in consumer matters.

This Privacy Policy enters into force on June 28, 2025, and replaces all previous versions of documents regulating personal data protection on the Website. The document has been developed in accordance with the highest industry standards and legal requirements. The Administrator reserves the right to make modifications to ensure continued compliance with applicable law.