REGULATIONS AND PRIVACY POLICY OF THE

APPLICATION

NaviPay

NaviPay is an application available on mobile devices with the Android or iOS operating system, which,

depending on the type of account, allows, among other things, to book parking spaces, make payments for the

use of a parking space, as well as pay for a parking space by the user to his clients.

Please read these Regulations carefully. The Regulations define the rules of using the NaviPay Application by its

Users, including the privacy policy. The NaviPay application is protected by the provisions of copyright,

intellectual property law and other relevant, mandatory provisions of Polish law. The use of the NaviPay

Application is possible under the conditions specified in the Regulations.

The formula of these Regulations provides for the establishment of general terms and conditions of using the

Application. These terms and conditions, if the Customer decides to use the NaviPay Application, regulate in

particular the rules of using the Application, including our liability.

1) ABOUT US

1. The owner of the NaviPay application is NAVIPARKING SPÓŁKA Z OGRANICZONĄ

ODPOWIEDZIALNOŚCIĄ located in Gliwice (registered office and delivery address: ul. Toszecka 101, 44-100

Gliwice); entered into the Register of Entrepreneurs of the National Court Register under KRS number:

0000563097; registry court where the company's documentation is kept: District Court in Gliwice, 10th

Commercial Division of the National Court Register; share capital in the amount of PLN 8,000.00; NIP:

9691613559, REGON: 361771321 and e-mail address: customer.care@naviparking.com.

2. These Regulations define the rules of using the NaviPay Application by the Customers, including the

use of electronic services within the meaning of the Act on the provision of electronic services of July 18,

2002 (Journal of Laws 2002 No. 144, item 1204, as amended), as well as the privacy policy.

2) DEFINITIONS

1. The definitions used in these Regulations:

a. CIVIL CODE - the Civil Code Act of 23 April 1964 (Journal of Laws No. 16, item 93, as amended).

b. ACCOUNT - an electronic service, the functionality of the Application, a collection of resources in the

Application's ICT system, which collects the data provided by the Customer and information about the

Customer's activities in the Application.

c. PERSONAL ACCOUNT - one of two types of Account in the Application, enabling the User access to the

database of parking lots in the Application, a fully automated, digital parking process and payment for

the Parking Service.

d. BUSINESS ACCOUNT - one of two types of Account in the Application, enabling the User topping up the

account balance under the purchased vouchers, scanning parking tickets of the User's customers, paying

for parking tickets to the users of the Personal Account.

e. NAVIPAY, APPLICATION, APP NAVIPAY - a mobile application (software for mobile devices) enabling the

User to use it on a mobile device, in accordance with these Regulations.

Page 1 z 14

f. COPYRIGHT - the Act on Copyright and Related Rights of February 4, 1994 (Journal of Laws No. 24, item

83, as amended).

g. TERMS AND CONDITIONS - these terms and conditions of the NaviPay Application with attachments.

h. ELECTRONIC SERVICE - a service provided electronically by the Service Provider to the Client via the

Application in accordance with these Regulations.

i. SERVICE PROVIDER - NAVIPARKING SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered

office in Gliwice (registered office and delivery address: ul. Toszecka 101, 44-100 Gliwice); entered into

the Register of Entrepreneurs of the National Court Register under KRS number: 0000563097; registry

court where the company's documentation is kept: District Court in Gliwice, 10th Commercial Division of

the National Court Register; share capital in the amount of: PLN 8,000.00; NIP: 9691613559, REGON:

361771321 and e-mail address: customer.care@naviparking.com.

3) GENERAL TERMS OF USE OF THE NAVIPAY APP

1. The Service Recipient is obliged to use the Application in accordance with its intended purpose, in a manner

consistent with the law and morality, with respect for personal rights as well as copyrights and intellectual

property of the Service Provider, other Service Recipients and third parties. The Service Recipient is obliged to

enter data consistent with the facts. The Service Recipient is forbidden to provide illegal content.

2. Technical requirements necessary for the proper launch and use of the Application: (1) a mobile device with

active Internet access; (2) Android or iOS operating system; (3) sufficient space on the mobile device to install

the Application; (4) access to electronic mail.

3. Each Service Recipient may use the Application on the terms specified in the Regulations. A detailed

description of the Application's functionality and principles of its operation is available in the Regulations and

as part of the Application.

4. The administrator of personal data processed in the Application in connection with the implementation of

the provisions of these Regulations is the Service Provider. Personal data is processed for the purposes, for the

period and based on the grounds and principles set out in the privacy policy constituting Annex 1 to the

Regulations. The privacy policy contains mainly the rules regarding the processing of personal data by the

Administrator in the Application, including the grounds, purposes and period of personal data processing and

the rights of data subjects. Using the Application is voluntary. Similarly, the provision of personal data by the

user of the Application is voluntary, subject to the exceptions indicated in the privacy policy (conclusion of the

contract and statutory obligations of the Service Provider).

4) DETAILED TERMS OF USING THE APPLICATION

1. The application is available for download on Google Play and the Apple Store.

2. The condition to start using the Application is to first download and install the Application on a mobile device

as well as to register and log in to the Account panel.

3. The Service Recipient is obliged to update his data provided under the Account in the event of a change.

4. The very installation of the Application and the creation of an Account is free of charge. The use of services

available via the application, marked in the application as paid services, is payable. The description of the paid

services and the rules of payment is provided in further provisions of these Regulations and in the "FAQ"

available in the Application.

Page 2 z 14

5. The entity providing services to the User in the scope of functionalities available in the Application and the

party to the contract for the provision of services available as part of these functionalities is the Service

Provider. As regards the use of a parking space and services related to the use of a parking space (e.g. charging

an electric vehicle), the entity providing the services is the entity that is the operator of a given parking lot, in

accordance with the regulations of the parking lot available to the User before using the service.

Notwithstanding the foregoing, any payments for services purchased by the User using the Application are

made as part of the use of the appropriate functionalities of the Application and only to the Service Provider.

Therefore, the User does not bear any payments to the operator of a given car park for any services purchased

via the Application, including in particular for the use of a parking space.

6. The use of the Application is possible for an indefinite period of time. The User may at any time and without

giving any reason stop using the Application by uninstalling it or removing it from his device in accordance with

the user manual of the device. Uninstalling or removing the Application from your device does not delete the

Account - in order to delete it, the User may at any time and without giving any reason send the Service

Provider an appropriate request, in particular via e-mail to the following address:

customer.care@naviparking.com. In the case of a Business Account, the User may also use the "Delete

Account" option available in the Account settings.

7. The Service Provider reserves the right to suspend the use of the Account by the User in the following cases:

a. when the User violates these Regulations, the Regulations of the parking operator that the User uses,

generally applicable law or rules of social coexistence despite the call of the Service Provider or the parking

operator, respectively, stating the reason;

b. when the User's actions violate the reputation of the Service Provider or the Application despite the Service

Provider's call with a reason;

c. when the User is in arrears with any payments to the Service Provider.

8. The suspension of the use of the Account may take place for a specified period indicated by the Service

Provider or for an indefinite period. During the suspension of the use of the Account, it is not possible to log in

to the Account and use its functionalities.

9. The Client is obliged to immediately take steps to remove the reason for suspending the use of the Account.

10. The Service Provider, in the event of the suspension of the use of the Account for more than 30 calendar

days and the lack of cessation of the reasons for its suspension, has the right to terminate the Service

Recipient's agreement for the provision of the Account Electronic Service.

5) DETAILED TERMS OF USING A PERSONAL ACCOUNT

1. The creation of a Personal Account using the Application is possible after completing a total of four

consecutive steps by the User - (1) selecting the type of Account available after opening the Application in the

mobile version: "Personal Account"; (2) completing the registration form, (3) clicking the "Register" field; (4)

confirming the willingness to create an Account by clicking on the confirmation link sent automatically to the e-

mail address provided. In the registration form, it is necessary for the User to provide the following data: e-mail

address, first and last name and password as well as data regarding the Customer's vehicle necessary to use the

Application's functionality. The use of individual functionalities of the Application may require additional data.

2. As part of the Personal Account, the User has access, inter alia, to the following functionalities (electronic

services):

a. database of parking lots;

b. a fully automated, digital parking process (entry thanks to the "Open barrier" button in the Application or

scanning the parking ticket in the Application or scanning the vehicle license plate);

Page 3 z 14

c. insight into the availability of parking spaces;

d. navigation to the selected parking lot;

e. opening the parking barrier automatically or using a button in the Application;

f. paying for a parking space or settling costs as part of a telephone subscription in Orange, Plus and Play

networks;

g. reservation of parking spaces;

h. purchase of subscriptions allowing access to parking spaces without the need to make payments for a

parking space each time;

i. insight into the history of parking and payments;

j. purchase of the service of charging electric vehicles while parking;

k. use of discounts or free parking space if one of these possibilities is granted by the User with a Business

Account.

3. The availability of some functionalities depends on the offer of a given car park, and information on

availability is indicated each time in the Application.

4. A detailed description of the Personal Account functionality can be found in the "FAQ" tab in the Application.

6) DETAILED TERMS OF USING THE BUSINESS ACCOUNT

1. The creation of a Business Account using the Application is possible after completing a total of four

consecutive steps by the User - (1) selecting the type of Account available after opening the Application in the

mobile version: "Business Account"; (2) completing the registration form, (3) clicking the "Register" field; (4)

confirming the willingness to create an Account by clicking on the confirmation link sent automatically to the e-

mail address provided. In the registration form, it is necessary for the User to provide the following data:

company name, address, tax identification number, e-mail address, contact telephone number, Application PIN

and password. The use of individual functionalities of the Application may require additional data.

2. As part of the Business Account, the User has access, inter alia, to the following functionalities (electronic

services):

a. recharging the balance of the Business Account as part of the purchased vouchers in order to use paid

functionalities and make them available to the User's customers without the need to make each payment;

b. scanning by the User with a Business Account the parking tickets of the User's clients (e.g. the owner of the

premises) and the payment of parking tickets by the User for his clients (in whole or in part) or granting

discounts for parking;

c. granting access to the Account to the User's employees;

d. access to the history of granted discounts.

3. The use of some functionalities requires the client to install the Application and establish a Personal User

Account, about which the Business Account holder is obliged to inform his client. The availability of some

functionalities depends on the offer of a given car park, and information on availability is indicated each time in

the Application.

4. A detailed description of the functionality of the Business Account can be found in the "FAQ" tab in the

Application.

Page 4 z 14

7) IN-APP PAYMENTS

1. The Service Provider provides the User with the following payment methods for paid functionalities available

within the Account, including, for example, individual payments for parking, vouchers or subscriptions:

a. electronic payments, BLIK and card payments via the Przelewy24.pl website (both as part of the Personal

Account and the Business Account) - available payment methods are specified on the website

https://www.przelewy24.pl/. The service of electronic payments and payment cards is provided by: PayPro S.A.

with its seat in Poznań (seat address: ul. Kanclerska 15, 60-327 Poznań), entered in the Register of

Entrepreneurs of the National Court Register kept by the District Court Poznań - Nowe Miasto and Wilda in

Poznań, 8th Commercial Division of the National Court Register under the number KRS 0000347935, NIP

7792369887, REGON 301345068.

b. deferred payment as part of the service of adding due payments to monthly subscription fees for a

telephone bills in Orange, Plus and Play telecom networks (only as part of a Personal Account).

2. If you choose electronic payments, BLIK or a payment card, the User is obliged to make the payment to the

Service Provider immediately, and making the payment is a condition for accessing the functionalities covered

by this payment.

3. In the case of a deferred payment as part of the service of adding due payments to the monthly subscription

fees for a telephone bill in Orange, Plus and Play networks, the User is obliged to make a payment to the

operator: Orange, Plus or Play network, respectively, within the subscription payment date specified in the

relevant contract subscription fee of the User with one of the above networks.

8) CONTACT WITH US

The main form of ongoing communication with the Service Provider is electronic mail (e-mail:

customer.care@naviparking.com), through which information regarding the use of the Application can be

exchanged with the Service Provider. Users may also contact the Service Provider in other ways permitted by law.

9) COMPLAINTS ABOUT THE APPLICATION

1. Complaints related to the operation of the Application, including complaints regarding electronic services,

may be submitted by the Service Recipient, for example, by e-mail (e-mail: customer.care@naviparking.com).

2. The Service Provider recommends including in the description of the complaint: (1) information and

circumstances regarding the subject of the complaint, in particular the type and date of occurrence of the

irregularity; (2) claim; and (3) contact details of the person submitting the complaint - this will facilitate and

speed up the consideration of the complaint by the Service Provider. The requirements set out in the preceding

sentence are only recommendations and do not affect the effectiveness of complaints submitted without the

recommended description of the complaint.

3. The Service Provider will respond to the complaint immediately, not later than within 14 calendar days from

the date of its submission.

10) EXTRAJUDICIAL METHODS OF SETTLING COMPLAINTS AND

PURSUING CLAIMS, AS WELL AS RULES OF ACCESS TO THESE

PROCEDURES

1. This section of the Regulations applies only to Users who are consumers.

Page 5 z 14

2. Detailed information on the possibility for the Service Recipient who is a consumer to use out-of-court

complaint and redress methods as well as the rules of access to these procedures are available on the website

of the Office of Competition and Consumer Protection at:

https://uokik.gov.pl/pozasadowe_rozwiazywanie_sporow_konsumenckich. php.

3. There is also a contact point at the President of the Office of Competition and Consumer Protection (phone:

22 55 60 333, email: kontakt.adr@uokik.gov.pl or a written address: Pl. Powstańców Warszawy 1, 00-030

Warsaw.) which provides assistance to consumers in matters relating to out-of-court resolution of consumer

disputes.

4. The consumer has the following exemplary possibilities of using out-of-court complaint and redress

methods: (1) application for dispute resolution to a permanent consumer arbitration court (more information

at: http://www.spsk.wiih.org.pl/) ; (2) a request for an out-of-court dispute resolution to the voivodeship

inspector of the Trade Inspection (more information on the website of the inspector competent for the place of

business by the Service Provider); and (3) assistance of a powiat (municipal) consumer ombudsman or a social

organization whose statutory tasks include consumer protection (including the Consumer Federation,

Association of Polish Consumers). Advice is provided, inter alia, by e-mail at bilety@dlakonsumentow.pl and at

the consumer helpline number 801 440 220 (the hotline is open on Working Days, from 8:00 to 18:00,

connection fee according to the operator's tariff).

5. At the address http://ec.europa.eu/consumers/odr, there is an online platform for resolving disputes

between consumers and entrepreneurs at the EU level (ODR platform). The ODR platform is an interactive and

multilingual website with a one-stop shop for consumers and entrepreneurs seeking out-of-court settlement of

a dispute regarding contractual obligations arising from an online sales contract or a contract for the provision

of services (more information on the platform itself or at the website of the Office of Competition and

Consumer Protection : https://uokik.gov.pl/spory_konsumenckie_faq_platforma_odr.php

11) WITHDRAWAL FROM THE CONTRACT BY THE CONSUMER

1. This section of the Regulations applies only to the Service Recipients who are consumers and the distance

contracts concluded by them with the Service Provider.

2. The right to withdraw from a distance contract is not available to the consumer. In relation to contracts: (1)

for the provision of services, if the entrepreneur has fully performed the service with the express consent of

the consumer, who was informed before the commencement of the service that after the entrepreneur has

performed the service, he will lose the right to withdraw from the contract; (2) for the delivery of digital

content that is not recorded on a tangible medium, if the performance began with the consumer's express

consent before the deadline to withdraw from the contract and after informing the entrepreneur about the

loss of the right to withdraw from the contract.

3. Subject to point 11.2 of the Regulations, a consumer who has concluded a distance contract may, within 14

calendar days of concluding the contract, withdraw from it without giving a reason and without incurring costs,

subject to the exception referred to in the next sentence. In the case of a paid service, the performance of

which - at the express request of the consumer - began before the deadline to withdraw from the contract, the

consumer who exercises the right to withdraw from the contract after submitting such a request, is obliged to

pay for the services fulfilled until the withdrawal from the contract. The amount of the payment is calculated in

proportion to the scope of the service provided, taking into account the price or remuneration agreed in the

contract. If the price or remuneration is excessive, the basis for calculating this amount is the market value of

the service provided. The period for withdrawing from the contract for the provision of the service starts from

the date of conclusion of the contract. Statements to the Service Provider can be made in accordance with the

contact details provided in point 8 of the Regulations. The model declaration of withdrawal from the contract is

attached as Annex 2 to the Consumer Rights Act, but preferably it is not mandatory.

4. The provisions concerning the consumer contained in this point 11 of the Regulations shall apply from 1

January 2021 and for contracts concluded from that date also to the Service Recipient who is a natural person

Page 6 z 14

concluding a contract directly related to his business activity, if the content of this contract shows that he does

not have a professional nature for that person, resulting in particular from the subject of by her business, made

available on the basis of the provisions on the Central Register and Information on Economic Activity.

12) PROVISIONS CONCERNING ENTREPRENEURS

1. This point 12 of the Regulations and the provisions contained therein are addressed and thus are binding

only for the Service Recipient who is not a consumer, and from January 1, 2021 and for contracts concluded

from that day not being also a natural person concluding a contract directly related to its business when the

content of this contract shows that it does not have a professional nature for that person, resulting in particular

from the subject of the business activity performed by it, made available on the basis of the provisions on the

Central Register and Information on Economic Activity.

2. The Service Provider does not guarantee that the Application is error-free or that the Service Recipient will

be able to operate it without problems and disturbances.

3. The Service Provider has the right to withdraw from the contract concluded with the Customer within 14

calendar days from the date of its conclusion. Withdrawal from the contract in this case may take place without

giving a reason and does not give rise to any claims on the part of the Customer against the Service Provider.

4. The Service Provider may terminate the Service Recipient's contract for the provision of Electronic Services

with immediate effect and without giving reasons by sending such a Service Recipient an appropriate

statement.

5. The Service Provider is entitled at any time to take actions aimed at verifying the truthfulness, reliability and

precision of the information provided by the Service Recipient. In terms of verification, the Service Provider is

entitled, among others to request the Service Recipient to send a scan of the certificates, attestations or other

documents necessary for verification. During the verification referred to in the preceding sentence, the Service

Provider is entitled to withhold the Service Recipient's Reservation for the duration of the verification.

6. The Service Provider is liable towards the Service Recipient, regardless of its legal basis, only up to the

amount of the fee paid by the Service Recipient to the Service Provider in the Application, and in the absence of

such fee - up to PLN 500.00 (five hundred). The amount limitation referred to in the preceding sentence applies

regardless of whether the Service Recipient has concluded any agreement with the Service Provider. The

Service Provider is liable to the Service Recipient only for typical and actual losses, foreseeable at the time of

the conclusion of the contract, excluding lost profits.

7. The Service Provider shall not be liable to the Service Recipient for damages and failure to fulfill obligations

resulting from force majeure events (e.g. hacker break-ins, natural disasters, floods, fires, earthquakes,

epidemics, riots and wars) or any other causes remaining beyond the control of the Service Provider.

8. Any disputes arising between the Service Provider and the Service Recipient shall be submitted to the court

having jurisdiction over the Service Provider's seat.

13) TECHNICAL BREAKS

1. The Service Provider makes every effort to ensure the proper and uninterrupted functioning of the

Application. Due to the complexity and complexity of the Application, as well as due to external factors beyond

the Service Provider's control (e.g. DDOS attacks - distributed denial of service), it is possible, however, for

Page 7 z 14

errors and technical failures that prevent or limit the functioning of the Application in any way. In such a case,

the Service Provider will take all possible and reasonable actions to ensure that the negative effects of such

events are limited as much as possible.

2. In addition to breaks caused by errors and technical failures, there may also be other technical breaks, during

which the Service Provider takes steps to develop the Application and protect them against errors and technical

failures.

3. The Service Provider is obliged to plan technical breaks in such a way that they are the least burdensome for

the Customers, in particular that they are planned for night hours and only for the time necessary for the

Service Provider to perform the necessary actions. The Service Provider is obliged to inform the Customers

about planned technical breaks in advance.

4. The Service Provider shall not be liable to the Service Recipient for damages and failure to fulfill obligations

resulting from any errors and technical failures and technical breaks referred to in this paragraph of the

Regulations.

5. This point of the Regulations does not exclude or limit the rights of the Service Recipient who is a consumer

provided for by law, in particular in the scope of the Service Provider's liability.

14) COPYRIGHT, LICENSE TO USE THE APPLICATION

1. Copyrights and intellectual property rights to the Application as a whole and its individual elements,

including content, graphics, works, patterns and signs available within it, belong to the Service Provider or

other authorized third parties and are protected by Copyright Law and other provisions commonly applicable

law. The protection granted to the Application covers all forms of its expression.

2. The application should be treated like any other work that is protected by copyright. The Service Recipient

has no right to copy the Application, except for cases permitted by the provisions of mandatory law. The

Service Recipient also undertakes not to modify, adapt, translate, decode, decompile, disassemble or in any

other way try to establish the source code of the Application, except for cases permitted by the provisions of

mandatory law.

3. The User using the Application does not receive ownership of any copyrights to the Application. The User is

granted only - under the conditions specified in the Regulations - a free, non-transferable, worldwide and non-

exclusive license entitling him to use the Application in a manner consistent with its intended use, in

accordance with these Regulations and in a manner consistent with the law and good manners, bearing in mind

respect for personal rights, personal data as well as copyrights and intellectual property of the Service Provider,

other Recipients as well as persons and third parties.

4. Under the license granted, the Customer is entitled to use the Application by downloading, installing,

permanently or temporarily reproducing it in the memory of the Customer's mobile device, using it and

displaying it to the extent necessary to use the Application in accordance with its purpose and only for its own,

non-commercial use.

5. The license is granted at the time of concluding the agreement for using the Application and for the period of

its validity.

6. Trademarks of the Service Provider and third parties should be used in accordance with applicable law.

15) FINAL PROVISIONS

Page 8 z 14

1. Agreements concluded on the basis of these Regulations are concluded in Polish and in accordance with

Polish law.

2. The Service Provider reserves the right to amend the Regulations for important reasons, that is: changes in

the law; changes in the scope or form of services provided as part of the Application - to the extent to which

these changes affect the implementation of the provisions of these Regulations.

a. In the case of concluding continuous contracts on the basis of these Regulations (e.g. using the Application),

the amended regulations bind the Service Recipient if the requirements specified in Art. 384 and 384 [1] of the

Civil Code, that is, the User has been properly notified of the changes and has not terminated the contract

within 15 calendar days from the date of notification. In the event that the amendment to the Regulations

results in the introduction of any new fees or an increase in the existing fees, the Service Recipient who is a

consumer has the right to withdraw from the contract.

b. In the event of concluding contracts of a different nature than contracts on the basis of these Regulations,

continuous amendments to the Regulations will not in any way infringe the rights acquired by the Service

Recipients who are consumers before the date of entry into force of the amendments to the Regulations, in

particular, amendments to the Regulations will not affect those already concluded, realized or performed

contracts.

3. In matters not covered by these Regulations, generally applicable provisions of Polish law shall apply, in

particular: the Civil Code; the Act on the provision of electronic services of July 18, 2002 (Journal of Laws 2002

No. 144, item 1204, as amended); The Consumer Rights Act and other relevant provisions of generally

applicable law.

Thank you for reading it carefully!

If you have any questions, we are always at your disposal.

NaviPay team

Page 9 z 14

Appendix No. 1 to the Regulations

APPLICATION PRIVACY POLICY

NaviPay

Please read this privacy policy carefully. The privacy policy sets out the rules for the processing of personal data

when using the Application.

1) GENERAL PROVISIONS

1. This Application privacy policy is informative, which means that it is not a source of obligations for the

Application Service Recipients. The privacy policy contains mainly the rules regarding the processing of personal

data by the Administrator in the Application, including the grounds, purposes and period of personal data

processing and the rights of data subjects.

2. The administrator of personal data collected via the Application is NAVIPARKING SPÓŁKA Z OGRANICZONĄ

ODPOWIEDZIALNNOŚCIĄ with its registered office in Gliwice (registered office and delivery address: ul.

Toszecka 101, 44-100 Gliwice); entered into the Register of Entrepreneurs of the National Court Register under

KRS number: 0000563097; registry court where the company's documentation is kept: District Court in Gliwice,

10th Commercial Division of the National Court Register; share capital in the amount of: PLN 8,000.00; NIP:

9691613559, REGON: 361771321 and e-mail address: customer.care@naviparking.com - hereinafter referred

to as the "Administrator" and at the same time being the Service Provider in the NaviPay Application.

3. Personal data in the Application are processed by the Administrator in accordance with applicable law, in

particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27

April 2016 on the protection of individuals with regard to the processing of personal data and on the free

movement of such data and repealing Directive 95/46 / EC (general data protection regulation) - hereinafter

referred to as "GDPR" or "GDPR Regulation". The official text of the GDPR Regulation: http://eur-

lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679

4. Using the NaviPay Application is voluntary. Similarly, the provision of personal data by the Customer using

the NaviPay Application is voluntary, with two exceptions: (1) concluding contracts with the Administrator -

failure to provide in the cases and to the extent indicated on the NaviPay Application website and in the

Regulations of the NaviPay Application and this privacy policy of personal data necessary to conclude and

perform the contract for the provision of Electronic Services with the Administrator results in the inability to

conclude this contract. Providing personal data is in this case a contractual requirement and if the data subject

wants to conclude a given contract with the Administrator, he is obliged to provide the required data. Each

time, the scope of data required to conclude a contract is previously indicated on the NaviPay Application

website and in the NaviPay Application Regulations; (2) statutory obligations of the Administrator - providing

personal data is a statutory requirement resulting from generally applicable legal provisions imposing on the

Administrator the obligation to process personal data (e.g. data processing for the purpose of keeping books)

and failure to provide them will prevent the Administrator from performing these obligations.

5. The administrator takes special care to protect the interests of persons whose personal data being processed

by him, and in particular is responsible and ensures that the data collected by him are: (1) processed in

accordance with the law; (2) collected for specified, lawful purposes and not subjected to further processing

incompatible with these purposes; (3) factually correct and adequate in relation to the purposes for which they

are processed; (4) stored in a form enabling the identification of persons to whom they relate, no longer than it

is necessary to achieve the purpose of processing, and (5) processed in a manner ensuring adequate security of

personal data, including protection against unauthorized or unlawful processing and accidental loss,

destruction or damage by appropriate technical or organizational measures.

Page 10 z 14

6. Taking into account the nature, scope, context and purposes of processing as well as the risk of violating the

rights or freedoms of natural persons with different probability and severity of the threat, the Administrator

implements appropriate technical and organizational measures so that the processing takes place in

accordance with this regulation and to be able to prove it. These measures are reviewed and updated as

necessary. The administrator uses technical measures to prevent the acquisition and modification by

unauthorized persons of personal data sent electronically.

7. All words, phrases and acronyms appearing in this privacy policy and beginning with a capital letter (eg

Service Provider, Application) should be understood in accordance with their definition contained in the

Regulations of the NaviPay Application available on the NaviPay Application pages.

2) BASIS OF DATA PROCESSING

1. The administrator is entitled to process personal data in cases where - and to the extent that - at least one of

the following conditions: (1) the data subject has consented to the processing of his personal data for one or

more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject

is party or in order to take steps at the request of the data subject prior to entering into a contract; (3)

processing is necessary to fulfill the legal obligation incumbent on the Administrator; or (4) processing is

necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party, except

where these interests are overridden by the interests or fundamental rights and freedoms of the data subject,

requiring the protection of personal data , in particular when the data subject is a child.

2. The processing of personal data by the Administrator requires each time the existence of at least one of the

bases indicated in point 2.1 of the privacy policy. The specific grounds for processing the personal data of

NaviPay Application Service Users by the Administrator are indicated in the next section of the privacy policy -

in relation to the given purpose of personal data processing by the Administrator.

3) PURPOSE, BASIS AND PERIOD OF DATA PROCESSING IN THE APPLICATION

1. Each time the purpose, basis and period as well as the recipients of personal data processed by the

Administrator result from actions taken by a given User in the Application.

2. The Administrator may process personal data in the Application for the following purposes, on the basis and

during the periods indicated in the table below:

Purpose of data

processing Legal basis for data processing Data storage period

Performing the

contract for the use

of the Application,

for the provision of

services, including

Electronic Services,

or taking action at

the request of the

data subject, before

concluding the

above-mentioned

contracts

Article 6 (1) 1 lit. b) GDPR Regulations

(performance of the contract) - processing

is necessary for the performance of the

contract to which the data subject is a

party, or to take action at the request of

the data subject, before concluding the

contract

The data is stored for the period

necessary to perform, terminate or

otherwise terminate the concluded

contract.

Direct marketing Article 6 (1) 1 lit. f) GDPR Regulations

(legitimate interest of the administrator) -

processing is necessary for purposes

resulting from the legitimate interests of

The data is stored for the duration of

the legitimate interest pursued by the

Administrator, but no longer than for

the period of limitation of the

Page 11 z 14

the Administrator - consisting in caring for

the interests and good image of the

Administrator and his Application

Administrator's claims in relation to the

data subject, due to the business

activity conducted by the

Administrator. The limitation period is

determined by the law, in particular

the Civil Code (the basic limitation

period for claims related to running a

business is three years).

Marketing Article 6 (1) 1 lit. a) GDPR Regulations

(consent) - the data subject has consented

to the processing of his personal data for

marketing purposes by the Administrator

The data is stored until the data

subject withdraws his consent for

further processing of his data for this

purpose.

Bookkeeping Article 6 (1) 1 lit. c) GDPR Regulations

(legal obligation) in connection with with

art. 74 sec. 2 of the Accounting Act, i.e. of

January 30, 2018 (Journal of Laws of 2018,

item 395, as amended) - processing is

necessary to fulfill the legal obligation

incumbent on the Administrator

The data is stored for the period

required by law requiring the

Administrator to store accounting

books (5 years from the beginning of

the year following the financial year to

which the data relates).

Determining,

investigating or

defending claims

that may be raised

by the Administrator

or which may be

raised against the

Administrator

Article 6 (1) 1 lit. f) GDPR Regulations

(legitimate interest of the administrator) -

processing is necessary for purposes

resulting from the legitimate interests of

the Administrator - consisting in

establishing, investigating or defending

claims that may be raised by the

Administrator or which may be raised

against the Administrator

The data is stored for the duration of

the legitimate interest pursued by the

Administrator, but no longer than for

the period of limitation of claims that

may be raised against the

Administrator (the basic limitation

period for claims against the

Administrator is six years).

Using the

Application and

ensuring its proper

operation

Article 6 (1) 1 lit. f) GDPR Regulations

(legitimate interest of the administrator) -

processing is necessary for purposes

resulting from the legitimate interests of

the Administrator - consisting in running

and maintaining the Application

The data is stored for the duration of

the legitimate interest pursued by the

Administrator, but no longer than for

the period of limitation of the

Administrator's claims in relation to the

data subject, due to the business

activity conducted by the

Administrator. The limitation period is

determined by the law, in particular

the Civil Code (the basic limitation

period for claims related to running a

business is three years).

Keeping statistics

and analyzing traffic

in the Application

Article 6 (1) 1 lit. f) GDPR Regulations

(legitimate interest of the administrator) -

processing is necessary for purposes

resulting from the legitimate interests of

the Administrator - consisting in keeping

statistics and analyzing traffic in the

Application in order to improve the

functioning of the Application

The data is stored for the duration of

the legitimate interest pursued by the

Administrator, but no longer than for

the period of limitation of the

Administrator's claims in relation to the

data subject, due to the business

activity conducted by the

Administrator. The limitation period is

determined by the law, in particular

the Civil Code (the basic limitation

period for claims related to running a

business is three years).

4) DATA RECIPIENTS IN THE APPLICATION

1. For the proper functioning of the NaviPay Application, including the implementation of contracts concluded

with Customers, it is necessary for the Administrator to use the services of external entities (such as a software

Page 12 z 14

provider). The administrator uses only the services of such processors who provide sufficient guarantees to

implement appropriate technical and organizational measures, so that the processing meets the requirements

of the GDPR Regulation and protects the rights of data subjects.

2. The transfer of data by the Administrator does not take place in every case and not to all recipients or

categories of recipients indicated in the privacy policy - the Administrator provides data only when it is

necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve

it.

3. Personal data of NaviPay Application Service Users may be transferred to the following recipients or

categories of recipients:

a. entities servicing electronic payments, BLIK or payment card - in the case of a Service Recipient who uses

electronic payments in the Application, BLIK or a payment card, the Administrator provides the collected

personal data of the Service User to the selected entity servicing the above payments in the Application at the

request of the Administrator to the extent necessary handling payments made by the Customer.

b. mobile network operators - in the case of the Customer who uses the Application to add payments in the

Application to the Customer's subscription in the mobile network, the Administrator provides the collected

personal data of the Customer of the selected mobile network to the extent necessary to handle the

Customer's payments to this operator.

c. parking lot operators - in the case of a Customer who uses any functionalities in the Application in the field of

services supported by parking operators, the Administrator provides the collected personal data of the

Customer to the operator of the parking lot selected by the Customer in order to perform a given service for

the Customer.

d. service providers supplying the Administrator with technical, IT and organizational solutions enabling the

Administrator to run a business, including the NaviPay Application and Electronic Services provided through it

(in particular computer software providers for running the NaviPay Application, e-mail and hosting providers

and software providers) to manage the company and provide technical assistance to the Administrator - the

Administrator provides the collected personal data to the Service User or a selected supplier acting on his

behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance

with this privacy policy.

e. providers of social plug-ins, scripts and other similar tools placed in the Application, enabling the browser of

the person visiting the Application to download content from the providers of these plug-ins (e.g. logging in

using the login data to the website) and transferring the visitor's personal data to the suppliers, Facebook

Ireland Ltd. and Google Ireland Ltd. - The Administrator uses plugins from Facebook and Google in the

Application and therefore collects and provides personal data of the Service Recipient using the Application to

Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbor, Dublin 2 Ireland) or Google Ireland Ltd.

(Gordon House, Barrow Street, Dublin 4, Ireland) to the extent and in accordance with the privacy principles

available respectively here: https://www.facebook.com/about/privacy/ and here:

https://policies.google.com/privacy?hl=pl (this data includes information about activities in the Application -

including information about the device, visited markets and the manner of using the services - regardless of

whether the Service Recipient is logged in to Facebook or Google).

5) PROFILING IN THE APPLICATION

1. The GDPR Regulation imposes an obligation on the Administrator to inform about automated decision-

making, including profiling referred to in art. 22 sec. 1 and 4 of the GDPR Regulation, and - at least in these

cases - relevant information about the rules for their adoption, as well as the meaning and anticipated

consequences of such processing for the data subject. With this in mind, the Administrator provides

information on possible profiling in this point of the privacy policy.

Page 13 z 14

2. The Administrator may use profiling in the Application for direct marketing purposes, but the decisions made

on its basis by the Administrator do not concern the conclusion or refusal to conclude a contract or the

possibility of using Electronic Services in the Application.

3. Profiling in the Application consists in the automatic analysis or forecast of the behavior of a given person in

the NaviPay Application, or by analyzing the previous history of actions taken in the Application. The condition

of such profiling is the Administrator having personal data of a given person in order to be able to send it, e.g. a

rebate code.

4. The data subject has the right not to be subject to a decision which is based solely on automated processing,

including profiling, and produces legal effects or significantly affects the person in a similar way.

6) THE RIGHTS OF THE PERSON WHO THE DATA CONCERNS

1. The right to access, rectify, limit, delete or transfer - the data subject has the right to request the

Administrator to access his personal data, rectify it, delete ("the right to be forgotten") or limit processing and

has the right to submit object to processing, and has the right to transfer their data. Detailed conditions for the

exercise of the above-mentioned rights are set out in Art. 15-21 of the GDPR Regulation.

2. The right to withdraw consent at any time - a person whose data is processed by the Administrator on the

basis of expressed consent (pursuant to art. 6 section 1 letter a) or art. 9 sec. 2 lit. a) of the GDPR Regulation), it

has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent

before its withdrawal.

3. The right to lodge a complaint to the supervisory body - the person whose data is processed by the

Administrator has the right to lodge a complaint with the supervisory body in the manner and mode specified

in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The

supervisory body in Poland is the President of the Personal Data Protection Office.

4. Right to object - the data subject has the right to object at any time - for reasons related to his particular

situation - to the processing of his personal data based on art. 6 sec. 1 lit. e) (public interest or tasks) or f)

(legitimate interest of the administrator), including profiling based on these provisions. In such a case, the

administrator is no longer allowed to process this personal data, unless he demonstrates the existence of valid

legally valid grounds for processing, overriding the interests, rights and freedoms of the data subject, or

grounds for establishing, investigating or defending claims.

5. Right to object to direct marketing - if personal data is processed for direct marketing purposes, the data

subject has the right to object at any time to the processing of his personal data for such marketing purposes,

including profiling, in the scope in which the processing is related to such direct marketing.

6. In order to exercise the rights referred to in this point of the privacy policy, you can contact the

Administrator by sending an appropriate message in writing or by e-mail to the Administrator's address

indicated at the beginning of the privacy policy or using the contact form available on the NaviPay Application

website.

7) FINAL PROVISIONS

The application may contain links to external websites or applications. The administrator urges that after

switching to other websites or other applications, read the privacy policy established there. This privacy policy

applies only to the Administrator's Application.

Page 14 z 14