Privacy and Data Protection Policy

Edu4US - Your Guide to the World of Studying in the USA and Canada!

Privacy and Data Protection Policy

Definitions

Terms used in this Policy are defined as follows:

  • Personal Data – any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  • Site Operator – the entity providing Electronic Services as described in the Terms of Use. The Site Operator is Magdalena Wojtas conducting business under the firm name Magdalena Wojtas Law Firm, registered office: Fort Wola Street 12c/166, 01-258 Warsaw, correspondence address: as above, NIP: 8181673622, REGON: 368406257, email address: info@edu4us.org, phone: 535494666;
  • Cooperating Entity – a natural person conducting business, a legal person, or another organization with legal personality that has commissioned the Site Operator to recruit students;
  • Terms of Use – the document titled “Terms of Use of the edu4us.org website”, which sets out the rules for using the Site and the conditions under which the Site Operator provides Services to the Participant through the Site;
  • GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  • Site – edu4us.org;
  • Participant – a natural person, legal person, or organizational unit without legal personality granted legal capacity by law, using the Electronic Service;
  • Electronic Service – a service provided electronically by the Site Operator to the Participant through the Site, by phone, or email, involving educational consulting on starting studies in the USA and Canada and supporting the recruitment process for the Participant’s chosen Universities;
  • University – a higher education institution, university, or another school in the USA or Canada to which the Participant intends to apply with the help of the Site Operator to maximize the Participant’s chances of admission to the selected university, college, or another school in these countries.

General Information

  1. This Privacy and Data Protection Policy describes how the Site Operator handles Participants’ Personal Data, specifically how it is collected, used, processed, and protected.
  2. The Site Operator collects and processes Participants’ Personal Data in accordance with applicable regulations, including the GDPR and the principles outlined therein.
  3. The Site Operator ensures data processing transparency, particularly by always informing about data processing at the time of collection, including the purpose and legal basis of processing. The Site Operator ensures that data is collected only to the extent necessary for the specified purpose and processed only as long as necessary.
  4. The activities referred to in paragraphs 1 and 2 above are performed by the Site Operator based on the Terms of Use.
  5. The controller of the personal data provided by Participants via the Site is Magdalena Wojtas conducting business under the firm name Magdalena Wojtas Law Firm, registered office: Fort Wola Street 12c/166, 01-258 Warsaw, correspondence address: as above, NIP: 8181673622, REGON: 368406257, email address: info@edu4us.org, phone: 535494666.

The Participant consents to the processing of their Personal Data in accordance with applicable laws before submitting it to the Site Operator via the Site.

Types of Processed Personal Data and Purposes of Processing

  1. To maximize the Participant’s chances of admission to the selected University in the USA or Canada, the Site Operator processes data, including Personal Data about Participants provided via the Site, or directly to the Site Operator’s email address, i.e., info@edu4us.org, or by phone. These include data such as name, surname, email address, phone number, and other data provided in the Application referred to in the Terms of Use, CV, cover letter, and correspondence directed to the Site Operator.  
  2. The Site Operator processes Participants’ Personal Data for the following purposes:

2.1 Inclusion in the Site Operator’s Participant database – the legal basis for processing is consent (Art. 6 paragraph 1 letter a of the GDPR);

2.2 Use in current and future recruitment processes conducted by the Site Operator for Universities mentioned in the Terms of Use – the legal basis for processing is consent (Art. 6 paragraph 1 letter a of the GDPR);

2.3 Sharing with Cooperating Entities – the legal basis for processing is consent (Art. 6 paragraph 1 letter a of the GDPR);

2.4 Analytical and statistical purposes – the legal basis for processing is the Site Operator’s legitimate interest (Art. 6 paragraph 1 letter f of the GDPR) consisting of analyzing Participant activities on the Site and their preferences to improve the applied functionalities;

2.5 Contacting the Participant by phone, email, or other means of communication and informing them about study opportunities at selected Universities or providing other information unrelated to Electronic Services provided to the Participant. In this case, Personal Data is processed solely for communication and resolution of the Participant’s issue. The legal basis for processing is the Site Operator’s legitimate interest (Art. 6 paragraph 1 letter f of the GDPR) consisting of conducting communication with the Participant in connection with their business activities. The Site Operator processes only personal data relevant to the matter.

2.6 Providing Electronic Services to Participants – the legal basis for processing is the necessity to process to perform the contract (Art. 6 paragraph 1 letter b of the GDPR and Art. 22 paragraph 2 letter a of the GDPR). During the period of providing Electronic Services,

2.7 Direct marketing – the legal basis for processing is Art. 6 paragraph 1 letter f of the GDPR – processing is necessary for purposes arising from the legitimate interests of the Site Operator – consisting of taking care of the interests and good image of the Site Operator, its Site, and striving to sell Electronic Services. Data is stored for the duration of the Site Operator’s legitimate interest, but no longer than the period of the Site Operator’s claims against the person to whom the data relates, due to the business activities conducted by the Site Operator. As part of the Site Operator’s direct marketing, it processes the data provided in the contact form available on the Site.

2.8 Establishing, pursuing, or defending claims that the Site Operator may raise or that may be raised against it – the legal basis for processing is Art. 6 paragraph 1 letter f of the GDPR – processing is necessary for purposes arising from the legitimate interests of the Site Operator – consisting of managing and maintaining the Site. Data is stored for the duration of the Site Operator’s legitimate interest, but no longer than the period of the Site Operator’s claims against the person to whom the data relates, due to the business activities conducted by the Site Operator.

2.9 Conducting statistics and analyzing traffic on the Site – Art. 6 paragraph 1 letter f of the GDPR – processing is necessary for purposes arising from the legitimate interests of the Site Operator – consisting of conducting statistics and analyzing traffic on the Site to improve its functioning. Data is stored for the duration of the Site Operator’s legitimate interest, but no longer than the period of the Site Operator’s claims against the person to whom the data relates, due to the business activities conducted by the Site Operator.

3. Some categories of Participants’ Personal Data are considered sensitive and are subject to higher security and data protection requirements (special categories of personal data). The Site Operator collects Participants’ sensitive Personal Data only in exceptional circumstances when it is necessary to process the data to meet legal obligations. Such information will be processed in accordance with the GDPR.

The Site Operator processes only Participants’ personal data necessary for the recruitment to Universities to which the Participant has expressed the intention to apply. The Site Operator is not responsible for other data provided by Participants.

Collection of Personal Data

  1. The Site Operator collects Participants’ Personal Data directly from Participants, including by sending them via email to the Site Operator’s email address;
  2. from other external sources, including from Cooperating Entities that may provide the Participant’s Personal Data.

Methods of Processing Personal Data

  1. The main area of activity of the Site Operator is the provision of Electronic Services. Below are some examples of how Participants’ Personal Data is used and processed for this purpose:

1.1 Collecting Participants’ Personal Data directly or from other sources;

1.2 Storing (and updating if necessary) Participants’ Personal Data in the Site Operator’s database, including for contacting the Participant in connection with the provision of Services;

1.3 Providing Services by the Site Operator and improving the Application process referred to in the Terms of Use, recruitment;

1.4 Evaluating data about the Participant concerning their chances of admission to the University, which the Site Operator may consider appropriate;

1.5 Sending information about the Participant to Cooperating Entities for the purpose of applying to Universities or assessing the Participant’s qualifications;

1.6 Fulfilling the Site Operator’s obligations under any agreements concluded between the Site Operator and third parties in connection with the provision of Services by the Site Operator;

1.7 Verifying data provided by the Participant or the Cooperating Entity using external resources (such as psychometric tests or skill tests) or requesting information (such as references, qualifications, and potentially criminal records, to the extent appropriate and in accordance with the law);

1.8 Fulfilling the Site Operator’s legal obligations in connection with the detection of a crime.

Disclosure of Personal Data
  1. Authorized employees/contractors (collaborators) of the Site Operator have access to personal data.
  2. Participants’ Personal Data may be disclosed to external entities, including particularly Cooperating Entities, Universities, and other student recruitment agencies cooperating with the Site Operator. Personal data may be disclosed in the content provided by the Participant and in the form prepared by the Site Operator.
  3. The Site Operator reserves the right to disclose selected information about the data subject to competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with applicable law.
  4. If one of the Cooperating Entities, a University expresses interest in the Participant, the Site Operator immediately informs the Participant by email or phone. After delivering or making available the data, including the Participant’s Personal Data, to the Cooperating Entity, the University, that entity is required to:

    5. 4.1 Use the data, including the Participants’ Personal Data, only for designated purposes;

    4.2 Ensure appropriate technical and organizational security measures;

    4.3 Refrain from further unauthorized disclosure of Participants’ Personal Data.

  5. In the event of a merger, acquisition, liquidation, or bankruptcy of the Site Operator or the sale of all or most of its assets, the Site Operator reserves the right to transfer Participants’ Personal Data to third parties after informing the Participant of the situation and allowing them to delete their data.

Period of Processing Personal Data

  1. Participants’ Personal Data is processed for the duration of the provision of Electronic Services by the Site Operator, until the withdrawal of consent or the submission of an effective objection to data processing in cases where the legal basis for data processing is the Site Operator’s legitimate interest, for the purpose of establishing or pursuing any claims or defending against such claims by the Operator, and for analytical and statistical purposes.
  2. The data processing period may be extended if processing is necessary to establish or pursue claims or defend against claims, and after this period – only if and to the extent required by law. After the processing period, the data is irreversibly deleted or anonymized.
  3. If the Site Operator has no significant contact with the Participant for two years, it may delete the Participant’s Personal Data from the Site unless applicable law requires its retention (particularly due to obligations to tax authorities or in connection with any anticipated legal proceedings).

Rights of Participants Related to the Processing of Personal Data

  1. Participants whose data is processed have the following rights:

1.1 Right of access to personal data– on this basis, a Participant who makes a request receives information from the Site Operator about the processing of their Personal Data, including the purposes and legal bases of processing, the scope of held data, entities, including Cooperating Entities to whom the data is disclosed, and the planned deletion date.

1.2 Right to data modification– on this basis, a Participant can request the modification of their Personal Data processed on the Site. If the Site Operator has disclosed these Personal Data to third parties, it will notify them of the corrections unless it is impossible or requires disproportionate effort. If the Site Operator considers it reasonable not to comply with the Participant’s request, it will explain the reasons for its decision.

1.3 Right to rectification– on this basis, a Participant can request the rectification of any inconsistencies or errors in the processed Personal Data and supplement it if it is incomplete. If the Site Operator has disclosed these Personal Data to third parties, it will notify them of the corrections unless it is impossible or requires disproportionate effort. If the Site Operator considers it reasonable not to comply with the Participant’s request, it will explain the reasons for its decision.

1.4 Right to data erasure (“right to be forgotten”)– on this basis, a Participant can request the deletion of data. These data must usually meet the following criteria:

a. The data is no longer necessary for the purposes for which it was originally collected and/or processed;

b. If the Participant previously consented to the processing of Personal Data and then withdrew it, and there is no other reasonable reason for continuing processing;

c. The data was processed unlawfully (i.e., in violation of the GDPR);

d. It is necessary to delete the data to fulfill the Site Operator’s legal obligations as the Site Operator;

e. If the Site Operator processes Personal Data because it considers it necessary for its legitimate interests, the Participant objects to the processing, and the Site Operator cannot demonstrate overriding legitimate reasons for continuing processing.

1.5 Right to obtain a copy of the data– on this basis, a Participant can request the delivery of a copy of the processed data concerning the requesting Participant.

1.6 Right to restrict processing– if such a request is made, the Site Operator stops performing operations on the Personal Data – except for operations to which the Participant has consented – and stores it in accordance with retention rules or until the reasons for restricting data processing cease to exist (e.g., a decision is issued by the supervisory authority allowing further data processing). If the Site Operator has disclosed Personal Data to third parties, it will notify them of the restriction unless it is impossible or requires disproportionate effort. The Site Operator will notify the Participant before imposing any restriction on processing the Participant’s Personal Data.

1.7 Right to data portability– on this basis – to the extent that the data is processed in connection with the expressed consent – the Site Operator delivers the data provided by the Participant to the requesting Participant in a format readable by a computer. It is also possible to request the transfer of these data to another entity – provided that there are technical possibilities both on the part of the Site Operator and that other entity.

1.8 Right to object to data processing for marketing purposes– the Participant to whom the data relates may at any time object to the processing of personal data for marketing purposes without the need to justify such an objection.

1.9 Right to object to other purposes of data processing – on this basis, the Participant may at any time object to the processing of their Personal Data, which takes place on the basis of the Site Operator’s legitimate interest (e.g., for analytical or statistical purposes or for reasons related to property protection); the objection in this regard should be justified. The Site Operator must comply with the Participant’s objection by ceasing the activities in question, unless:

a. It can prove that it has important, legitimate grounds for processing that outweigh the interests of the Participant; or

b. It processes the Participant’s Personal Data for the purpose of establishing, pursuing, or defending a legal claim.

1.10 Right to withdraw consent– if the data is processed based on expressed consent, the person to whom the data relates has the right to withdraw it at any time, which, however, does not affect the legality of processing carried out before the withdrawal of consent.

1.11 Right to lodge a complaint– if the processing of personal data is considered to violate the GDPR or other data protection regulations, the person to whom the data relates may lodge a complaint with the President of the Personal Data Protection Office.

Submitting Requests Related to the Exercise of Participants’ Rights

  1. The Participant may exercise their rights referred to in points 1.1. – 1.11. above at any time by sending appropriate statements to the Site Operator’s email address.
  2. The procedure for accessing data, including Personal Data, referred to in point 1.1. above is as follows: The Participant has the right to access their data, including Personal Data processed on the Site, at any time. The contact details of the Site Operator are available on the Site; the Participant contacts the Site Operator in their chosen manner and requests access to the data. After providing their email address, the full content of the data processed on the Site will be sent to the Participant’s email address.
  3. The procedure for changing or rectifying data, including Personal Data processed on the Site, referred to in point 1.2. above is as follows: The Participant has the right to change or rectify data, including Personal Data processed on the Site, at any time. To do this, the Participant should request the change or rectification of data from the Site by email and specify exactly which data should be changed or rectified.
  4. The procedure for deleting data, including Personal Data, referred to in point 1.3. above is as follows: The Participant has the right to request the deletion of their data, including Personal Data processed on the Site, at any time. To do this, the Participant should request the deletion of data from the Site by email.
  5. The procedure for withdrawing consent to the processing of Personal Data on the Site referred to in point 1.4. above is as follows: The Participant has the right to withdraw consent to the processing of their Personal Data on the Site at any time. To do this, the Participant should send an appropriate request by email. In such a situation, the Site Operator will cease the action for which the Participant previously gave consent unless there is another basis for further processing of Personal Data for that purpose, which the Site Operator will inform the Participant about.
  6. Requests concerning other Participant rights referred to in points 1.5. – 1.11. above can be submitted by email to: info@edu4us.org.
  7. Each request received from the Participant in accordance with the above provisions will be given special attention. When processing a request, the Site Operator reserves the right to verify the Participant’s identity to ensure that the Participant’s Personal Data is not disclosed to another person.
  8. If the Site Operator cannot identify the person making the request based on the submitted request, it will ask the applicant for additional information.
  9. A response to the request should be provided within a month of its receipt. If it is necessary to extend this period, the Site Operator will inform the applicant of the reasons for the delay. The response is provided via email unless the request was submitted in writing or a written response is requested.
  10. Handling requests is free of charge. Fees may be charged only in the case of:

10.1 Requesting the issuance of a second and each subsequent copy of the data (the first copy of the data is free); in such a case, the Site Operator may charge a fee of PLN 20. This fee includes administrative costs associated with fulfilling the request.

10.2 Submitting excessive (e.g., extremely frequent) or clearly unfounded requests by the same Participant; in such a case, the Site Operator may charge a fee of PLN 100. This fee includes communication costs and the costs associated with taking the requested actions.

11. If the decision to impose a fee is disputed, the person to whom the data relates may lodge a complaint with the President of the Personal Data Protection Office.

12. The Participant should inform the Site Operator of any changes to their Personal Data.

13. The Site Operator may contact Participants to request updates to their Personal Data.

Personal Data Security

  1. The Site Operator continuously analyzes risks and monitors the adequacy of the applied data security measures to the identified threats to ensure that personal data is processed securely – ensuring, above all, that only authorized persons have access to the data and only to the extent necessary to provide Services.
  2. The Site Operator protects Participants’ Personal Data using appropriate technical, physical, and organizational measures to ensure the confidentiality of Participants’ Personal Data and their protection against unauthorized access, destruction, loss, misuse, or any other form of unlawful processing.
  3. The Site Operator also takes necessary actions to ensure that its subcontractors and other Cooperating Entities provide guarantees of applying appropriate security measures whenever they process personal data on behalf of the Site Operator.
  4. The personal data provided to the Site Operator is stored in accordance with applicable regulations.
  5. In any case, the Site Operator recommends that Participants exercise caution and use software that protects against data protection threats occurring on the Internet (including antivirus software, firewall, and enabling an anti-phishing filter in the web browser).
  6. The Site may contain links to other websites. Clicking on such a link will transfer the Participant to another website. The Site Operator is not responsible for the functioning and processing of Participants’ Personal Data by other websites. The privacy policy of the respective website should be reviewed before using it.

Cookies

  1. The Site does not use its own cookies.
  2. The Site uses external services provided by Google, Inc. based in Mountain View (California, USA), which use their own cookies (“external” cookies).
  3. The rules for using external cookies are described in the document: Google Privacy Policy.
  4. Regarding information about the Participant’s preferences collected by the Google network, the Participant can view and edit the information resulting from cookies using the tool: Google Ads Settings.

Changes to the Privacy Policy

  1. This Privacy Policy may be changed by the Site Operator at any time. In such a case, it will be promptly posted on the Site so that Participants using it can review it.
  2. For any questions regarding this Privacy Policy, please contact us at: info@edu4us.org.
Contact Us