§1. General Provisions

  1. This Privacy Policy (hereinafter: "Policy") sets forth the rules for the collection, processing, and protection of personal data of Users of the website getskin.pl (hereinafter: "Service").
  2. The Service collects only data necessary for the proper provision of services, ensuring security, and preventing abuse.
  3. Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter: "GDPR") and the Polish Act of 10 May 2018 on the Protection of Personal Data.

§2. Data Controller

  1. The controller of personal data collected through the Service is PRESSWAY Bartłomiej Paluch, Zarzecze 268, 38-220 Dębowiec, Poland, Tax ID (NIP): PL6852340178 (hereinafter: "Controller").
  2. The Controller may be contacted regarding personal data matters at: [email protected].

§3. Purposes and Legal Bases for Data Processing

  1. Users' personal data is processed for the following purposes and on the following legal bases:
    1. Account registration and User identity verification - Art. 6(1)(b) GDPR (performance of a contract),
    2. enabling login to the Service and provision of electronic services - Art. 6(1)(b) GDPR,
    3. Service fulfilment, including awarding Points and exchanging them for Rewards - Art. 6(1)(b) GDPR,
    4. communication with the User (live chat, email, system notifications) - Art. 6(1)(b) GDPR,
    5. preventing abuse, detecting multi-accounts, and fraud protection - Art. 6(1)(f) GDPR (legitimate interest of the Controller),
    6. analytics and Service usage statistics - Art. 6(1)(f) GDPR,
    7. content and offer personalization - Art. 6(1)(a) GDPR (User consent),
    8. distribution of commercial communications (newsletter) - Art. 6(1)(a) GDPR (consent),
    9. marketing, remarketing, and affiliate programs - Art. 6(1)(a) GDPR (consent),
    10. establishing, pursuing, or defending against claims - Art. 6(1)(f) GDPR.
  2. The provision of personal data is voluntary but necessary to use the Service's functionalities. Failure to provide the required data prevents Account registration.

§4. Categories of Data Collected

  1. The Controller collects and processes the following categories of data:

a) Data provided by the User:

  • email address,
  • username (nickname),
  • external account identifiers (Steam ID, Google ID) - when registering through these services.

b) Data provided during identity verification:

  • In justified cases, as referred to in §6(9) of the Terms, the Controller may request the presentation of an identity document (e.g., national ID card or passport). Only data necessary to confirm the User's identity (first name, last name, photograph) is processed. The Controller undertakes not to use the document number, national identification number (PESEL), or any other data not required for identity verification. Scans or photographs of identity documents are deleted promptly upon completion of the verification process, no later than 7 days after successful verification, in accordance with the principle of data minimisation (Art. 5(1)(c) GDPR).

c) Data collected automatically:

  • IP address - recorded during each registration, login, and throughout the use of the Service,
  • browser fingerprint - generated via JavaScript technology on the User's device, comprising technical parameters such as browser type and version, operating system, screen resolution, installed fonts, time zone, supported technologies, and other device configuration characteristics,
  • device information (type, model, operating system, browser),
  • Service activity data (pages visited, Tasks completed, login dates and times),
  • HTTP protocol headers (including User-Agent, Referer),
  • cookies (details in §9).

The Operator shall not be liable for personal data (including email addresses, Steam identifiers, links to social media profiles) that the User voluntarily and independently discloses in public modules of the Service, such as the publicly accessible chat. The entry of such data is at the User's sole risk.

§4a. Mobile Application

  1. The Service is also available through a mobile application (hereinafter: "App") for Android and iOS devices. In addition to the data described in §4, the App may collect the following categories of data:

a) Push notification tokens:

  • The App uses Firebase Cloud Messaging (FCM) and Apple Push Notification service (APNs), provided through the Expo Push Notification service, to deliver push notifications to the User's device.
  • Upon granting permission for push notifications, a unique device push token is generated and stored on the Controller's servers. This token is used solely to deliver notifications related to the Service (e.g., task status updates, reward notifications, account alerts).
  • The push token is stored for the duration of the User's Account or until the User revokes notification permissions. Tokens that become invalid (e.g., after app uninstallation) are automatically removed.
  • Legal basis: Art. 6(1)(a) GDPR (consent expressed by granting notification permissions on the device).

b) Device information:

  • The App may collect technical information about the User's device, including: device model, brand, operating system version, app version, screen resolution, and locale settings. This data is used for technical diagnostics, ensuring compatibility, and improving the App experience.
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest - ensuring proper functioning of the App).

c) Camera and photo library access:

  • The App may request access to the device's camera and photo library solely for the purpose of capturing or selecting images required for task verification (proof of completion). Photos are uploaded to the Controller's servers and processed exclusively for the purpose of verifying task submissions.
  • Access is requested only when needed and can be revoked at any time through the device's system settings.
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract - task verification).

d) Advertising and tracking identifiers:

  • The App uses Google AdMob to display rewarded advertisements. AdMob may collect and process the advertising identifier of the device (Google Advertising ID on Android, IDFA on iOS) for the purpose of serving personalized or contextual ads.
  • On iOS devices, access to the IDFA is requested through the App Tracking Transparency (ATT) framework. The User may decline tracking, in which case only contextual (non-personalized) ads are displayed.
  • Data collected by AdMob is processed by Google LLC in accordance with Google's Privacy Policy. The Controller does not have direct access to advertising identifiers collected by AdMob.
  • Legal basis: Art. 6(1)(a) GDPR (consent - expressed through system permissions and ATT prompt on iOS).

e) AdMob Server-Side Verification:

  • When a User watches a rewarded advertisement, Google sends a server-side verification callback (SSVA) to the Controller's servers. This callback contains a transaction identifier, reward information, and the User's internal identifier. No personal data beyond what is already stored by the Controller is transmitted through this mechanism.
  • Transaction identifiers are stored to prevent duplicate reward claims and for audit purposes, with a retention period of 48 hours in cache and permanently in the reward log.

f) Real-time communication (WebSocket):

  • The Service and the App use WebSocket connections (Laravel Reverb) for real-time features such as live chat and presence indicators. During an active WebSocket connection, the following metadata may be processed: User identifier, IP address, User-Agent string, and connection timestamps.
  • This data is processed only for the duration of the active connection and is not stored beyond what is already described in §4 and §5.
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract - provision of real-time Service features).

§5. Processing of Technical Data (IP Address, Fingerprint)

  1. The collection of IP addresses and browser fingerprints is necessary for the realization of the Controller's legitimate interests (Art. 6(1)(f) GDPR), consisting in particular of:
    1. detecting and preventing the creation of multiple accounts (multi-accounts) by a single person - pursuant to the Terms each User is entitled to only one Account,
    2. fraud protection and preventing abuse of the Points-awarding system,
    3. ensuring Service security and protection against unauthorized access,
    4. geolocation for displaying offers relevant to the User's region,
    5. technical diagnostics and Service performance analysis.
  2. The Controller has conducted a balancing test in accordance with Art. 6(1)(f) GDPR and has determined that the processing of technical data (IP, fingerprint) for the purposes described above does not infringe upon the rights and freedoms of Users, and that the Controller's interest in preventing abuse and protecting the Service outweighs the potential impact on Users' privacy. The User has the right to object to such processing in accordance with §10.
  3. Technical data (IP, fingerprint) is retained for a period of up to 12 months from the date of the User's last activity on the Service.

§6. Profiling

  1. The Service may engage in profiling within the meaning of Art. 4(4) GDPR, consisting of automated processing of the User's personal data to evaluate certain personal factors, in particular for:
    1. adapting displayed Tasks and offers to the User's profile (region, platform, activity history),
    2. detecting irregularities and suspicious activity patterns indicating abuse (e.g., multi-accounts, bots),
    3. assessing fraud risk in the fulfilment of high-value Rewards.
  2. Profiling does not lead to decisions producing legal effects concerning the User or similarly significantly affecting them in a fully automated manner without human involvement. Any decision to block an Account or refuse Reward fulfilment is subject to review by a member of the Operator's staff.
  3. The User has the right to object to profiling in accordance with §10.

§7. Data Retention Period

  1. Users' personal data is processed for the following periods:
    1. for the duration of the Account on the Service, and following its deletion - for the period necessary to establish, pursue, or defend against claims, up to a maximum of 6 years (statute of limitations for civil claims). Data processed solely on the basis of consent (marketing, newsletter) is not subject to this period and shall be deleted promptly upon withdrawal of consent,
    2. until consent is withdrawn - with respect to data processed pursuant to Art. 6(1)(a) GDPR,
    3. until a successful objection is raised - with respect to data processed pursuant to Art. 6(1)(f) GDPR,
    4. identity document data (in the case of KYC verification) - deleted promptly upon completion of verification, no later than 7 days after successful verification.
  2. Upon expiry of the above periods, personal data shall be permanently deleted or anonymized.

§8. Data Recipients

  1. Users' personal data may be disclosed to the following categories of recipients:
    1. hosting and IT infrastructure providers,
    2. Task partners (Offerwall operators) - to the extent necessary for Task fulfilment and verification,
    3. payment service providers,
    4. analytics tool providers (e.g., Google Analytics),
    5. advertising network providers (Google AdMob) - in connection with displaying rewarded advertisements in the mobile application,
    6. push notification service providers (Firebase Cloud Messaging, Apple Push Notification service, Expo) - for delivery of push notifications to mobile devices,
    7. law enforcement authorities and public administration bodies - solely on the basis of applicable legal provisions.
  2. Due to cooperation with foreign partners (Offerwall operators), certain data may be transferred to entities located outside the European Economic Area (EEA). In such cases, transfers are carried out on the basis of Standard Contractual Clauses approved by the European Commission or adequacy decisions.

§9. Cookies

  1. The Service uses cookies, i.e. small text files stored on the User's device, in accordance with the provisions of the Polish Electronic Communications Act of 12 July 2024 (as amended). The Service employs the following types of cookies:
    1. session cookies - essential for the proper functioning of the Service, deleted at the end of the session,
    2. persistent cookies - used to remember User preferences and maintain login sessions,
    3. third-party cookies - used for analytical and statistical purposes (including Google Analytics).
  2. Cookies essential for the operation of the Service (session and functional cookies) do not require User consent. Analytical and marketing third-party cookies are installed only after obtaining the User's prior consent, expressed through the consent management mechanism (cookie banner) displayed upon the User's first visit to the Service.
  3. The User may change cookie settings in their web browser at any time, including blocking or deleting stored cookies. Restricting cookie usage may affect the availability of certain Service functionalities.

§10. User Rights

  1. Under the GDPR, the User is entitled to the following rights:
    1. the right of access to their personal data (Art. 15 GDPR),
    2. the right to rectification of data (Art. 16 GDPR),
    3. the right to erasure - "the right to be forgotten" (Art. 17 GDPR). The Controller reserves the right to restrict this right to the extent that continued processing is necessary to prevent abuse and detect multi-accounts. This applies in particular to cases where a User's Account has been blocked for breach of the Terms - in such cases, basic technical data (anonymised email address, IP address, fingerprint) may be retained to prevent re-registration, on the basis of the Controller's legitimate interest (Art. 6(1)(f) GDPR in conjunction with Art. 17(3)(e) GDPR),
    4. the right to restriction of processing (Art. 18 GDPR),
    5. the right to data portability (Art. 20 GDPR),
    6. the right to object to processing (Art. 21 GDPR),
    7. the right to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal (Art. 7(3) GDPR).
  2. The above rights may be exercised by submitting a request to: [email protected].
  3. The Controller undertakes to process requests without undue delay, within no more than 30 days of receipt. In particularly complex cases, this period may be extended by a further 60 days, and the User shall be informed accordingly.
  4. The User has the right to lodge a complaint with the competent supervisory authority if they believe that the processing of their personal data violates the provisions of the GDPR.

§11. Data Security

  1. The Controller implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or unauthorized modification, including in particular:
    1. encryption of data transmission using the SSL/TLS protocol,
    2. access controls for IT systems,
    3. regular data backups,
    4. monitoring and logging of security events.
  2. In the event of a personal data breach, the Controller shall without undue delay - and no later than 72 hours after becoming aware of the breach - notify the President of the Personal Data Protection Office, in accordance with Art. 33 GDPR. If the breach is likely to result in a high risk to the rights and freedoms of Users, the Controller shall also promptly inform the affected data subjects, in accordance with Art. 34 GDPR.

§12. Final Provisions

  1. The Controller reserves the right to amend this Privacy Policy. Users shall be notified of material changes through the Service or by electronic communication.
  2. Matters not governed by this Policy shall be subject to the provisions of the GDPR and Polish law.
  3. This Privacy Policy shall enter into force on 1 January 2026.