This Data Processing Agreement (“DPA”) specifies the Parties’ data protection obligations, which arise from the Service Provider’s (“Data Processor”) processing of personal data on behalf of the Customer (“Data Controller”) under the service agreement between the Parties (“Terms and Conditions” or “T&C”).
The DPA is adopted as an appendix to the T&C. In the event that any provision of this DPA is inconsistent with any term(s) of the T&C, the DPA will prevail.
For the purposes of this DPA:
“Applicable Data Protection law” means any privacy law which may apply to the terms of this agreement and which may vary from time to time;
“Data Controller” and “Data Processor” shall have the meanings as set out in Article 4(7) and (8) respectively of EU General Data Protection Regulation 2016/679 (the “GDPR”);
“Data Protection Supervisory Authority” (DPSA) is the supervisory authority for the purposes of Article 51 of the GDPR;
“Data Subject” means an individual who is the subject of Personal Data;
“Personal Data” shall have the meaning set out in Article 4(1) of the GDPR;
“Prompt Notice” shall mean 24 hours unless otherwise expressly stated in this agreement;
“Special Category Data” shall have the meaning set out in Article 9(1) of the GDPR;
“Third Country” shall mean a location outside of the European Economic Area (EEA), the EEA being: Austria, Belgium, Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and United Kingdom.
This DPA, including these definitions and its recitals and schedules, is a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
The details of the data processing (as well as the Personal Data covered) are specified in Schedule 1 hereto.
The parties agree that:
1.1 The Data Controller and the Data Processor acknowledge that for the purposes of the Applicable Data Protection Law (as amended) the Customer is the Data Controller and Heroify Sp. z o.o. is the Data Processor in respect of any Personal Data.
1.2 The Data Processor shall process Personal Data only for the purposes of carrying out its obligations arising under the T&C.
1.3 The Data Controller shall instruct the Data Processor to process the Personal Data in any manner that may reasonably be required in order for the Data Processor to carry out the processing in compliance with this DPA and in compliance with Applicable Data Protection law.
1.4 The Data Controller shall refrain from providing instructions which are not in accordance with applicable laws including Applicable Data Protection law, and, in the event that such instructions are given, the Data Processor is entitled to resist carrying out such instructions.
1.5 The details of the transfer and of the Personal Data are specified in Schedule 1. The parties agree that Schedule 1 may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency. The parties may execute additional annexes/schedules to cover additional transfers, or may include multiple transfers in Schedule 1, which will be submitted to the DPSA where required.
1.6 This DPA shall continue for no less a term than the term of the Agreement.
1.7 The rights and obligations of the parties with respect to each other under this Clause 1 shall survive any termination of the Agreement.
To the extent required by law or regulation:
2.1 The Data Processor shall co-operate with the DPSA in connection with any activities performed by the Data Processor;
2.2 The Data Controller, its auditors and the DPSA shall have effective access to data related to such activities, as well as effective access to the Data Processor’s business premises;
2.3 The DPSA shall have the right of access, without notice, to the Data Processor’s business premises for the purposes of this Clause 2; and
2.4 The Data Processor shall give prompt notice to the Data Controller of any development that may have a material impact on the Data Processor’s ability to perform services effectively under this Agreement and in compliance with applicable laws and regulatory requirements.
The Data Controller warrants and undertakes that:
3.1 The Personal Data has been collected, processed and transferred in accordance with the GDPR and all Applicable Data Protection law.
3.2 It has used reasonable efforts to determine that the Data Processor is able to satisfy its legal obligations under this DPA.
3.3 It will respond to enquiries from Data Subjects and the DPSA concerning processing of the Personal Data by the Data Controller, unless the parties have agreed that the Data Processor will so respond, in which case the Data Controller will still respond to the extent reasonably possible and with the information reasonably available to it if the Data Processor is unwilling or unable to respond. Responses will be made within a reasonable time and in accordance with the Applicable Data Protection law.
3.4 It will make available, upon request, a copy of this DPA to Data Subjects who are relevant to the processing that is the subject matter of this DPA, unless this DPA contains confidential information, in which case it may redact such information. The Data Controller shall abide by a decision of the DPSA regarding access to the full text of this DPA by Data Subjects, as long as Data Subjects have agreed to respect the confidentiality of the confidential information removed. The Data Controller shall also provide a copy of this DPA to the DPSA where required.
The Data Processor warrants and undertakes that:
4.1 It will comply with all applicable law including Applicable Data Protection law in its performance of this DPA.
4.2 It will only process the Personal Data on the instructions of the Data Controller.
4.3 It will not transfer Personal Data to a Third Country, other than those about which the Data Controller has been informed by Heroify at the moment of accepting this Agreement, without the prior written approval of the Data Controller, and only then once the transfer to the Third Country has been legitimized and the Data Controller and the Data Processor are satisfied that an adequate Data Protection regime exists in the Third Country or that adequate security measures, such as the EU Standard Contractual Clauses, have been implemented.
4.4 It will not appoint sub-processors to process the Personal Data on its behalf without the prior written approval of the Data Controller.
4.5 It will have in place appropriate technical and organizational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
4.6 It will obtain guarantees from any sub-processors processing the Personal Data, that they will have in place appropriate technical and organisational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
4.7 It will have in place procedures so that any individual party it authorises to have access to the Personal Data, including employees of the Data Processor, will respect and maintain the confidentiality and security of the Personal Data. Any person acting under the authority of the Data Processor shall be obligated to process the Personal Data only on instructions from the Data Processor. This provision does not apply to persons authorised or required by law or regulation to have access to the Personal Data.
4.8 It will not disclose any Personal Data to a third party in any circumstances other than at the specific written request of the Data Controller, unless such disclosure is necessary in order to fulfill the obligations of the DPA, or is required by applicable law.
4.9 It will notify the Data Controller of any request for information by the DPSA and will not disclose any Personal Data without the prior consent of the Data Controller.
4.10 It will notify the Data Controller of any complaint, notice or communication received which relates directly or indirectly to the processing of the Personal Data, or other connected activities, or which relates directly or indirectly to the compliance of the Data Processor and/or the Data Controller with relevant applicable law including Applicable Data Protection law.
4.11 It will give the Data Controller prompt notice of a Personal Data breach or a potential data breach, once becoming aware of it, and the Data Processor will cooperate with the Data Controller in implementing any appropriate action concerning the breach or the potential breach as the case may be, including corrective actions.
4.13 It will delete from its systems all soft copies of any Personal Data and return all soft and hard copy documentation on the completion of the Service Agreement or on request from the Data Controller and will do so in a timely manner, giving a written confirmation of it having been done. The only exception to this Clause 4.13 shall be where the Data Processor shall have a legitimate reason, which is confirmed by the Data Controller, to continue to process particular data or where it is legally required to maintain data records.
4.14 It will identify to the Data Controller a contact person within its organisation authorised to respond to enquiries concerning processing of the Personal Data, and will cooperate in good faith with the Data Controller, the Data Subject and the DPSA concerning all such enquiries within a reasonable time.
4.15 It will be capable of demonstrating its compliance with the obligations of Applicable Data Protection law.
5.1 Upon reasonable request of the Data Controller, the Data Processor will submit, and/or as appropriate its sub-processors will submit, its data processing facilities, data files and documentation used for processing, for review, audit and/or certification by the Data Controller (or any independent or impartial inspection agents or auditors, selected by the Data Controller and not reasonably objected to by the Data Processor) to ascertain compliance with the warranties and undertakings in this Agreement, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the Data Controller.
6.1 The Data Processor will assist the Data Controller, whenever reasonably required, in so far as possible, to fulfill the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights as provided under Applicable Data Protection law and the Data Processor will have the appropriate organisational and technical measures in place to deal with Data Subject requests.
7.1 The Data Processor will not be liable for any claim brought by a Data Subject arising from any action by the Data Processor to the extent that such action resulted directly from the Data Controller’s instructions.
7.2 Except as provided for in Clause 7.1, the Data Processor shall indemnify the Data Controller for any monetary fine or penalty imposed on the Data Controller by the DPSA that results from the Data Processor’s breach of its obligations under this DPA.
8.1 This DPA shall in all respects be governed by and interpreted in accordance with the laws of Poland. The parties hereto hereby submit to the exclusive jurisdiction of the Polish Courts for all the purposes of this DPA.
9.1 In the event of a dispute or claim brought by a Data Subject or the DPSA concerning the processing of the Personal Data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
9.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the DPSA. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
9.3 Each party shall abide by a decision of the DPSA which is final and against which no further appeal is possible.
10.1 In the event that either the Data Processor or the Data Controller is in breach of its obligations under this DPA, then either the Data Processor or the Data Controller may temporarily suspend the transfer of Personal Data to the Data Processor until the breach is repaired or the DPA is terminated.
10.2 The parties agree that the termination of this DPA at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under this DPA as regards the processing of the Personal Data transferred.