Privacy Policy - Sandbox

Privacy Policy - Sandbox

In this Privacy Policy we explain how and on what basis we collect, store and otherwise process personal data of data subjects: (i) using our sandbox and development environment.


1.1. For the purpose of this Privacy Policy terms: “controller”, “processor”, “data subject”, “personal data” and “processing” shall have the same meaning as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”).

1.2. The terms “TransactionLink”, “we” or “us” as used hereinafer mean TransactionLink spółka z ograniczoną odpowiedzialnością (limited liability company) with its registered seat in Warsaw, address: Rynek Nowego Miasta 9/9, 00-220 Warsaw, Poland, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw in Warsaw, XII Commercial Division of the National Court Register under KRS number: 0000823971, tax identification number NIP: 5252812929, statistical number REGON: 385349514, share capital in the amount of PLN 127 150.00.


2.1. You can contact us by: 

a) e-mail:

b) contact tools available on our website:; or

c) in writing to the following correspondence address: Czarnieckiego 72 Street, 01-541 Warsaw, Poland.


3.1. We have appointed Data Protection Officer – Mateusz Pniewski to assist you with privacy-related matters. With any data protection queries or when you wish to exercise your rights, you may contact our Data Protection Officer at or in writing to the address shown above.


4.1. We attest that we act as a controller of the personal data (the “Personal Data”) with respect to your Personal Data acquired by us in connection with your activities while: (i) using our sandbox and development environment. 

4.2. We process Personal Data of the following data subjects:

4.2.1. end users of our sandbox and development environment (the “End Users”); and

4.2.2. other persons or entities as specified in this Privacy Policy.


5.1. Personal Data obtained in connection with using our sandbox and development environment are processed respectively to the extent that is necessary to create and maintain your account. We may also process additional data that you provide us while using our services (based on Article 6(1)(b) of the GDPR).

5.2. If you agree to us recording your activity when you use our services, we may also process your Personal Data to analyze and improve our services (based on Article 6(1)(a) of the GDPR).

5.3. We may also process your Personal Data when it is necessary for compliance with a legal obligation to which the controller is subject (based on Article 6(1)(c) of the GDPR) and to establish, pursue and defend against potential claims (based on Article 6(1)(f) of the GDPR).
In addition, in order to pursue necessary purposes arising from our legitimate interests as the controller of your Personal Data, we may use the technical data of the device you are using to analyze the use and improve our services and also to prevent and investigate illegal activities (based on Article 6(1)(f) of the GDPR).


6.1. If you decide to use our sandbox or our development environment, we process the following Personal Data about you: 

a) name; 

b) e-mail address;

c) information about how you use our services (including your activity, web log data, such as the pages you visit on the website, the date and time of your visit, the files that you download); 

e) other data that you provide us while using our services.


7.1. We may transfer / share your Personal Data: 

a) at any time, when we are legally required to do so, we may disclose your Personal Data or other information about your use of our Services in order to comply with the law, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, prevent and detect fraud, or respond to requests from public authorities; 

b) with entities supporting TransactionLink with its business operations, such as companies providing data hosting services, law firms, marketing companies, providers of advisory;

7.2. We may transfer Personal Data outside of the European Economic Area where it has a lawful basis for that transfer under Articles 44-49 of the GDPR. In circumstances where we transfer your personal data to the processor, which is located outside of the European Economic Area, we will ensure that those data transfers are conducted based on an adequacy decision of the European Commission under Article 45 of the GDPR, or subject to one of the appropriate safeguards as set out in Article 46 of the GDPR.

You can obtain information on the protection measures applied by submitting a request to our Data Protection Officer using contact details given above.


8.1. Your Personal Data will be processed: 

a) for a duration of you using our services;

b) for a duration of a limitation period in order to establish, pursue and defend against claims, however at any time the personal data retention period will not be longer than 6 years counting down from the end of the calendar year, in which you ended up using our website or end of issue processing you contact us about; 

c) if we process your Personal Data based on your consent- until you withdraw this consent The withdrawal of the consent does not affect the lawfulness of processing based on the consent before its withdrawal;

d) if it is necessary for us to comply with our obligations under the law, such as tax law, accounting law or laws regulating our obligations as a payment institution providing solely the account information service (e.g. obligations to report statistical data, handle complaints), we may process your data also for the period necessary for the fulfilment of the obligations included in the relevant laws – for relevant periods required therein.

8.2. However, we will normally store your Personal Data for no longer than is necessary, taking into account the purposes for which the Personal Data is collected, i.e. to fulfil our contractual obligations, to pursue our legitimate interests, to fulfil legal obligations or as required for the statutory retention period.


9.1. As a data subject, with regards to your Personal Data, you have a number of rights under the GDPR, which you can exercise by contacting us by means indicated in Section 2 and 3 above. 

Right of access and to obtain the copy of Personal Data

9.2. On this basis, you have the right to obtain confirmation as to whether or not we process your Personal Data and if so, to obtain some general information about the processing. We will also provide you with a copy of your Personal Data.

Right to rectification

9.3. By receiving this kind of request, we are obliged to remove incompatibilities or errors of your Personal Data and supplement them if they are incomplete.

Right to be forgotten

9.4. On this basis, you can request the deletion of your Personal Data, processing of which is no longer necessary to achieve any of the purposes for which your Personal Data were collected or otherwise processed. It may also cover the following situations:

a) processing was based on your consent that you have withdrawn and there is no other legal ground for the processing;

b) you have objected to processing based on the Article 6(1)(f) of the GDPR and there are no overriding legitimate grounds for the processing; 

c) Personal Data have been unlawfully processed;

d) Personal Data have to be erased for compliance with a legal obligation that applies to us.

Please also note that the GDPR sets some exemptions when making use of your right to be forgotten is not possible.

Right to restriction of processing

9.5. You have the right to obtain restriction of processing where one of the following applies:

a) you contest the accuracy of the Personal Data (for a period enabling us to verify the accuracy of the Personal data);

b) the processing is unlawful and you oppose the erasure of the Personal Data and requests the restriction of their use instead;

c) we no longer need the Personal Data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims;

d) you have objected to the processing based on the Article 6(1)(f) of the GDPR (for the verification whether our legitimate grounds override yours).

If such a request is made, we cease to carry out operations on your Personal Data – with the exception of operations to which you have consented, processing carried out for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

Right to Personal Data portability

9.6. When the processing is based on your consent or the necessity for the performance of a contract – you can request to receive your Personal Data from us in a structured, commonly used and machine-readable format. The right to data portability includes Personal Data provided by you and processed by automated means. You have the right to transfer this data to another data controller.

Right to object to data processing

9.7. At any time, you may object - for reasons related to your particular situation - to the processing of your Personal Data, which is based on the legitimate interest as specified in Article 6(1)(f) of the GDPR (e.g. for analytical or statistical purposes). We shall no longer process the Personal Data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Right to withdraw the consent

9.8. If your Personal Data are processed on the basis of given consent, you have the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before its withdrawal.

Right to lodge a complaint to the Data Protection Authority

9.9. If it is considered that the processing of your Personal Data violates the provisions of the GDPR or other provisions regarding the protection of Personal Data, you may lodge a complaint to the body supervising the processing of personal data, competent in particular for your habitual residence, place of your work or place of the alleged violation. 

In Poland, the supervisory authority is the President of the Personal Data Protection Office, with its office at Stawki 2 Street, 00-193 Warsaw, Poland.


10.1. When we obtain your Personal Data from you, providing us with data is voluntary, however, may be necessary to conclude or perform the agreement between us. We may be not able to conclude the agreement with you or fulfil contractual obligations. In some cases, it may be also necessary for us to fulfil legal obligations, including rules on anti-money laundering and anti-terrorist financing (AML).


11.1. Your Personal Data will not be used for profiling or for automated decision making in relation to you.