PERSONAL DATA SECURITY POLICY
Applicable to the company operating under the name Hero AV Limited Liability Company
§ 1. Definitions
The terms used in this Policy shall be understood as follows:
- **Controller** – Hero AV Spółka z ograniczoną odpowiedzialnością with its registered office in Kraków, ul. Stróża Rybna 3, 30-714 Kraków, Poland, Tax ID (NIP): 6793330119, REGON: 541627042, entered into the Register of Entrepreneurs of the National Court Register under KRS number: 0001170485.
- **Personal Data** – personal data as defined by the GDPR.
- **Contractor** – a natural person or entity with whom the Controller has entered into a service, supply, or other agreement within the scope of the business conducted by the Controller, excluding employment agreements.
- **Data Subject** – a natural person whose personal data are processed.
- **Employee** – any individual employed by the Controller under an employment contract, including interns and individuals engaged under civil law contracts.
- **Security Policy** – this document.
- **Enterprise** – the business conducted under Hero AV Sp. z o.o., as defined by the Polish Civil Code.
- **GDPR** – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- **Website** – the website available at: [www.soundcorehero.com](http://www.soundcorehero.com).
- **User** – any person who uses the Website.
§ 2. General Provisions
- The Controller processes Personal Data within the Enterprise in a manner that ensures their integrity and confidentiality, applying all legally required and threat-appropriate safeguards.
- The Controller strives to ensure that all Personal Data processed within the Enterprise are handled lawfully, solely for the purposes communicated to the Data Subjects, and only for the minimum time necessary to fulfil those purposes.
- This Security Policy is a public document outlining general provisions related to Personal Data and their processing. **Annex X** to this Policy comprises a risk analysis and a register of safeguards. This annex is confidential, regularly updated, and contains detailed information on identified risks and mitigation measures.
§ 3. Persons Responsible for Personal Data Protection
- Decisions regarding the purposes and means of processing Personal Data are made by the Controller, represented by its general partner. If the general partner is a legal person, these decisions are made by its governing body (management board).
- All Employees are obliged to maintain the confidentiality of any Personal Data accessed in connection with their employment.
- Employees must object to any instructions that would compromise data security and must indicate the reason for their objection.
- No negative consequences shall be imposed on any Employee for refusing to follow instructions that would jeopardize data security.
- Employees may process only the Personal Data for which they have been specifically authorized. They are required to refuse to perform any duties involving the processing of data outside their scope of authorization.
- Authorizations for personal data processing are issued solely by the individuals referred to in § 3(1) above.
§ 4. Fulfilment of the Information Obligation
- The Website includes a link to the privacy notice, which constitutes **Annex 1** to this Security Policy.
- The Website informs Users that using the contact form or sending an email to the address provided on the Website implies consent to the processing of the provided data for the purpose of responding to inquiries and possibly concluding a contract. The data will be processed based on consent until a relevant agreement is concluded, but not longer than 3 months from the last message sent by the Data Subject.
- An information clause (Annex 1) is attached to all concluded contracts.
- Employees and Contractors are informed that they may request detailed information about the legal basis for data processing and the data retention period. Such information is provided by the persons referred to in § 3(1).
- Upon request from the Controller’s representatives, Employees, Contractors, and Users are required to confirm in writing that they have read the privacy notice and/or give consent to the processing of their Personal Data.
§ 5. Exercise of Data Subject Rights
- The Controller ensures that Data Subjects may exercise their rights under applicable law.
- To exercise their rights, Data Subjects should contact the persons specified in § 3(1) using the contact numbers or email addresses provided. If no other contact details are available, the following address may be used: **[hello@soundcorehero.com](mailto:hello@soundcorehero.com)**.
- The Employee managing the above email address must immediately forward any messages concerning data protection to the individuals referred to in § 3(1).
- The persons referred to in § 3(1), or designated Employees, will contact the Data Subject and individually agree on the terms, timeline, and method for exercising the rights.
- The rights of Data Subjects shall be fulfilled without undue delay.
§ 6. Documentation of Personal Data Protection
- All documents related to data protection are kept in a separate folder managed by the persons indicated in § 3(1), subject to the provisions below.
- Data processing agreements are stored together with the corresponding principal agreements.
- Privacy notices and consents provided in connection with contracts are stored with those contracts.
- Privacy notices and consents signed by Employees are stored in their personnel files.
- Consents and declarations obtained via the Website are stored on the server and its backup copies or, if this is not feasible, on an external drive or external storage device managed by the individuals in § 3(1).
- The processing activities register, authorization register, and processor agreement register are maintained digitally and stored on a local drive and/or in the cloud. Templates of these documents are included as **Annexes 2, 3, and 4** to this Policy.
§ 7. Data Security Procedures
- Employees must report any water system leaks or failures to their direct supervisor.
- Employees must ensure that all entry doors are locked and the security alarm is armed when leaving the premises last.
- Only authorized individuals may possess keys to entry doors, and keys must not be shared.
- Any irregularities in device operation must be reported to a direct supervisor.
- Company equipment may not be removed from the premises without permission. For remote work, supervisors may authorize such removal. In such cases, or when required by the nature of the work, passwords and/or PINs must be used on all portable devices.
- Passwords must be at least eight characters long and include at least one digit, one uppercase letter, one lowercase letter, and one special character. Passwords must not be shared and must be changed at least once every three months.
- Documents must not be removed from work premises unless approved by a supervisor for remote work. In such cases, they must be stored at the Employee’s home or other private, locked location accessible only to the Employee and/or close family members.
- Documents designated by supervisors that contain Personal Data must be scanned and stored on local drives and/or in the cloud.
§ 8. Incident Response Procedure
- If an incident potentially compromising the integrity, confidentiality, or security of Personal Data is detected, the person detecting it must immediately notify those referred to in § 3(1).
- Within 48 hours of receiving such a report, the persons in § 3(1) must carry out a fact-finding investigation to establish the incident’s details.
- If the incident constitutes a personal data breach, the relevant persons must notify the President of the Personal Data Protection Office (UODO), unless it is unlikely to result in a risk to the rights and freedoms of individuals. A written report must be created regardless of whether the UODO is notified.
- If it is determined that the incident does not constitute a personal data breach, a note is still drawn up.
- All such reports must be stored for five years in accordance with § 6(1).
- In every case, the responsible individuals must take appropriate steps to prevent similar incidents and minimize their consequences.
§ 9. Final Provisions
- This Security Policy is subject to regular reviews, no less frequently than every six months.
- **Annex X** is updated more frequently as needed.
- Amendments to this Policy may be introduced at any time by the Controller’s management.