**Privacy Policy**
This privacy policy (hereinafter referred to as the “Policy”) pertains to the website with the domain www.pmbhurt.com (hereinafter referred to as the “Website”) and serves to inform Users about the principles of processing their personal data and their rights.
**I. DEFINITIONS.**
– **Personal Data** – all information about an identified or identifiable natural person through one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural, or social identity.
– **GDPR** – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
– **User** – any natural person visiting the Online Store or using one or more services or functionalities described in the Policy.
– **Profiling** – any form of automated processing of personal data involving the use of personal data to evaluate certain personal factors of a natural person.
**II. STORAGE AND PROTECTION OF PERSONAL DATA.**
Personal data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures. To ensure proper protection of personal data, the Service is secured with a certificate.
**III. PERSONAL DATA ADMINISTRATOR.**
The administrator of personal data processed through the Website is the company: Michał Borowiecki, ul. Brukowa 8, 91-341 Łódź, operating under the tax identification number (NIP): 728690030 (hereinafter referred to as the “Administrator”). The Administrator’s representative is Michał Borowiecki. Contact with the Administrator is possible via the contact form available on the website or at the email address info@pmbhurt.com.
**IV. PURPOSES AND LEGAL BASES FOR DATA PROCESSING.**
Below is a detailed description of the personal data of Users that will be processed by the Website when using its services, along with explanations of the purposes and legal bases for processing.
1. **To enable registration on the Website, the Administrator processes the following data:**
– Name and Surname,
– Email address,
– Phone number,
– Company name,
– Tax Identification Number (NIP),
– Password.
Providing the above personal data is voluntary but necessary to create a User account. Refusal to provide the above personal data will result in the inability to conclude the agreement.
– **Legal basis for data processing:** actions taken at the request of the person whose data is concerned (Article 6(1)(b) of the GDPR).
– **Data retention period:** the duration of the User’s account, and after this period, the data will be stored for the period resulting from the statute of limitations for potential claims (e.g., three years if the personal data concerns other entrepreneurs with whom agreements have been concluded in connection with business activities – Article 118 of the Civil Code).
2. **To facilitate contact with the Administrator, Users may provide a phone number.**
– **Legal basis for data processing:** User’s consent (Article 6(1)(a) of the GDPR).
– **Data retention period:** until the consent is withdrawn, but no longer than the period resulting from the statute of limitations for potential claims (e.g., three years if the personal data concerns other entrepreneurs with whom agreements have been concluded in connection with business activities – Article 118 of the Civil Code).
3. **To place an order, the User provides the following data:**
– Name and Surname,
– Email address,
– Phone number,
– Delivery address,
– Billing/invoicing address.
Providing the above personal data is voluntary but necessary to place an order. Refusal to provide the data will result in the inability to conclude the agreement.
– **Legal basis for data processing:** necessity of processing for the performance of the contract (Article 6(1)(b) of the GDPR).
– **Data retention period:** the period necessary for the performance of the contract, and after this period, the data will be stored for the period resulting from the statute of limitations for potential claims (e.g., three years if the personal data concerns other entrepreneurs with whom agreements have been concluded in connection with business activities – Article 118 of the Civil Code).
4. **For payment of the placed order, the User provides the following data:**
– Personal data required by the payment systems through which the User can pay for the placed order.
The above personal data is processed according to the privacy policy of the payment systems owners.
5. **To issue an Invoice, Users may provide:**
– Full company name,
– Tax Identification Number (NIP).
Providing the above data is not necessary for the execution of the agreement.
– **Legal basis for data processing:** User’s consent (Article 6(1)(a) of the GDPR), performance of the contract (Article 6(1)(b) of the GDPR), inclusion of the invoice in the accounting records (Article 6(1)(c) of the GDPR).
– **Data retention period:** data on completed payments will be processed for the time necessary to fulfill the order and then for the period of storing accounting records (according to Article 74 of the Accounting Act, this period is 5 years).
6. **To submit an inquiry via the contact form or email, the User provides the following data:**
– Email address,
– Name and Surname.
Providing the above data is voluntary but necessary to handle User inquiries. Failure to provide the above data will prevent the Administrator from handling inquiries.
– **Legal basis for data processing:** the Administrator’s legitimate interest in the necessity of handling User inquiries (Article 6(1)(f) of the GDPR).
– **Data retention period:** the period necessary to respond to the User’s inquiry, but no longer than until the User objects to the processing of the data.
7. **To deliver personalized advertisements, the Administrator collects the following data:**
– Browser type and settings,
– Information about the device’s operating system,
– Information contained in cookies,
– Information about other identifiers assigned to the device,
– IP address from which the device connects to the website or mobile application,
– Information about the User’s activity on the device, including visited or used websites and mobile applications,
– Information about the geographical location of the device when connected to the website or mobile application.
The above data will be subject to automated decision-making, including profiling. Based on this data, the advertising network operator selects a target group of Users, who are then shown advertisements tailored to their needs and interests.
Profiling, however, will not produce legal effects concerning Users or significantly affect their situation. Users have the right to object to profiling.
– **Legal basis for data processing:** the Administrator’s legitimate interest in the necessity of optimizing conducted marketing campaigns.
– **Data retention period:** data will be stored until it becomes outdated or no longer useful, but no longer than 3 years.
8. **To provide the newsletter service, the Administrator collects the following data:**
– User’s email address.
If subscribing to the newsletter, commercial information will be sent to the email address indicated by the User, from which the User can unsubscribe at any time by logging into their account on the Website or clicking the unsubscribe link in the footer of each newsletter. Users’ personal data will be processed to provide the newsletter service. Providing the data is voluntary but necessary to provide the service, and failure to provide the data will prevent the service from being provided.
– **Legal basis for data processing:** User’s consent (Article 6(1)(a) of the GDPR).
– **Data retention period:** data will be stored until the consent is withdrawn, but no longer than 3 years. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
9. **For establishing, asserting, and defending claims, and handling complaints, the Administrator may process the following data:**
– Name and Surname,
– Email address,
– IP address,
– Tax Identification Number (NIP) and full company name (if provided),
– Order number.
– **Legal basis for data processing:** the Administrator’s legitimate interest in the necessity of establishing, asserting, and defending claims and handling complaints (Article 6(1)(f) of the GDPR).
– **Data retention period:** data will be stored for the period resulting from the statute of limitations for potential claims (e.g., three years if the personal data concerns other entrepreneurs with whom agreements have been concluded in connection with business activities – Article 118 of the Civil Code).
10. **For analytical and statistical purposes, in particular studying User activity on the Website and the number of visits, the Administrator will process the following data:**
– Type of operating system,
– IP address,
– Data on activity on the Website (time spent on the site, viewed products).
– **Legal basis for data processing:** the Administrator’s legitimate interest in the necessity of studying User activity on the site and creating statistics (Article 6(1)(f) of the GDPR).
– **Data retention period:** personal data will be stored until they lose their relevance, but no longer than 3 years.
**V. USER RIGHTS.**
Individuals whose data is concerned have the following rights:
– **Right to information about personal data processing** – based on this, the Administrator provides the person requesting such information with details about the processing of personal data, including the purposes and legal bases for processing, the scope of held data, the entities to whom personal data is disclosed, and the planned date of their deletion;
– **Right to obtain
a copy of the data** – based on this, the Administrator provides a copy of the processed data concerning the person requesting it;
– **Right to rectification** – the Administrator is obliged to correct any inaccuracies in the processed personal data or complete them if they are incomplete;
– **Right to data deletion** – based on this, data subjects may request the deletion of data processed if:
– The data is no longer necessary for the purposes for which they were collected;
– The data subject has withdrawn their consent to data processing;
– The data subject has objected to the processing of their data;
– Data is processed unlawfully;
– Data should be deleted to fulfill a legal obligation;
– Data was collected in connection with the provision of information society services.
– **Right to restrict processing** – based on this, the Administrator ceases operations on personal data – except for operations agreed to by the data subject – and their storage following adopted retention rules or until the reasons for the restriction of data processing are resolved (e.g., issuance of a decision by a supervisory authority allowing further processing of data);
– **Right to data transfer** – based on this, to the extent that the data is processed based on an agreement or consent, the Administrator issues the data provided by the data subject in a machine-readable format. The data subject can also request the data to be sent to another entity;
– **Right to object to data processing for marketing purposes** – the data subject may at any time object to the processing of their personal data for marketing purposes without needing to justify such objection;
– **Right to object to other purposes of data processing** – the data subject may at any time object to the processing of their personal data due to the specific situation unless the processing is necessary for purposes arising from legitimate interests pursued by the Administrator;
– **Right to withdraw consent** – if data is processed based on consent, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of processing based on consent before its withdrawal;
– **Right to lodge a complaint** – if the processing of personal data is deemed to violate the provisions of the GDPR or other data protection regulations, the data subject can lodge a complaint with the supervisory authority responsible for personal data protection, which in Poland is the President of the Personal Data Protection Office.
**VI. COOKIES.**
Cookies are small text files sent by the server and stored by the device’s browser. When the browser reconnects with the website, the site recognizes the type of device the User is connecting from. The information collected relates to the IP address, browser type, language, operating system type, ISP, date/time, location, and information sent to the site via the contact form.
Cookies are used to:
– Adapt website content to User preferences and optimize the use of the website. They also allow the site to recognize the User’s device and appropriately display the website according to their needs;
– Create statistics that help to understand how Users use websites, which helps improve their structure and content;
– Maintain User sessions after logging in so that the User does not have to re-enter their login and password on each subpage of the website.
The Administrator uses two types of cookies:
– **Session cookies:** these are temporary files stored in the User’s device until logging out, leaving the website, or turning off the software (web browser);
– **Persistent cookies:** these are stored in the User’s device for the time specified in the cookie parameters or until they are deleted by the User.
The User can change the settings of their browser to block cookies or to notify them about sending cookies. However, it is worth noting that disabling cookies may affect the functionality of the website.
**VII. FINAL PROVISIONS.**
This Privacy Policy may be updated to reflect changes in the laws, practices, or website functionalities. The latest version of the Privacy Policy is always available on the website.
This Privacy Policy is valid from [insert the effective date here].
For any questions or concerns about the privacy policy, please contact the Administrator via the contact form available on the website or at the email address info@pmbhurt.com.
