Privacy policy
- GENERAL PROVISIONS
1.1. This Privacy Policy of the Internet Service is informative, which means that it is not a source of obligations for the Users of the Internet Service. The Privacy Policy mainly contains rules regarding the processing of personal data by the Administrator on the Internet Service, including the grounds, purposes, and scope of personal data processing, as well as the rights of individuals whose data is processed, and information on the use of cookies and analytical tools on the Internet Service.
1.2. The Administrator of personal data collected through the Internet Service www.witbar.pl is the company Witbar registered at Bogusławskiego 5, 63300 Pleszew, VAT: 6080122730, email address: [email protected], and contact phone number: 667 766 676 – hereinafter referred to as the „Administrator.”
1.3. Personal data on the Internet Service is processed by the Administrator in accordance with applicable law, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as „GDPR” or „GDPR Regulation.” Official text of the GDPR Regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
1.4. The use of the Internet Service, including entering into agreements, is voluntary. Similarly, providing personal data by the User of the Internet Service or the Customer is voluntary, subject to two exceptions:
- entering into agreements with the Administrator – failure to provide personal data in cases and to the extent indicated on the Internet Service’s website and in the Internet Service Regulations and this privacy policy, necessary for the conclusion and performance of an Electronic Service Agreement with the Administrator will result in the inability to conclude such agreement. Providing personal data is a contractual requirement in such cases, and if the data subject wishes to conclude a specific agreement with the Administrator, they are obliged to provide the required data. The scope of data required to conclude an agreement is indicated on the Internet Service’s website and in the Internet Service Regulations beforehand;
- statutory obligations of the Administrator – providing personal data is a statutory requirement resulting from universally applicable legal provisions imposing on the Administrator the obligation to process personal data (e.g., processing data for tax or accounting purposes), and failure to provide them will prevent the Administrator from fulfilling these obligations.
1.5. The Administrator takes special care to protect the interests of the individuals whose personal data it processes, and in particular is responsible and ensures that the data collected by it are:
- processed lawfully;
- collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
1.6. Taking into account the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity of the rights and freedoms of natural persons, the Administrator implements appropriate technical and organizational measures to ensure that the processing is carried out in accordance with this Regulation and to be able to demonstrate that processing is performed in accordance with it. These measures are subject to review and update as necessary. The Administrator employs technical measures to prevent the acquisition and alteration by unauthorized persons of personal data sent electronically.
1.7. All words, expressions, and acronyms appearing in this Privacy Policy and starting with a capital letter (e.g., Service Provider, Internet Service, Electronic Service) shall be understood in accordance with their definitions contained in the Internet Service Regulations available on the Internet Service’s pages.
- PODSTAWY PRZETWARZANIA DANYCH
2.1. Administrator uprawniony jest do przetwarzania danych osobowych w przypadkach, gdy – i w takim zakresie, w jakim – spełniony jest co najmniej jeden z poniższych warunków:
1) osoba, której dane dotyczą wyraziła zgodę na przetwarzanie swoich danych osobowych w jednym lub większej liczbie określonych celów;
2) przetwarzanie jest niezbędne do wykonania umowy, której stroną jest osoba, której dane dotyczą, lub do podjęcia działań na żądanie osoby, której dane dotyczą, przed zawarciem umowy;
3) przetwarzanie jest niezbędne do wypełnienia obowiązku prawnego ciążącego na Administratorze; lub
4) przetwarzanie jest niezbędne do celów wynikających z prawnie uzasadnionych interesów realizowanych przez Administratora lub przez stronę trzecią, z wyjątkiem sytuacji, w których nadrzędny charakter wobec tych interesów mają interesy lub podstawowe prawa i wolności osoby, której dane dotyczą, wymagające ochrony danych osobowych, w szczególności gdy osoba, której dane dotyczą, jest dzieckiem
2.2. Przetwarzanie danych osobowych przez Administratora wymaga każdorazowo zaistnienia co najmniej jednej z podstaw wskazanych w pkt. 2.1 polityki prywatności. Konkretne podstawy przetwarzania danych osobowych Usługobiorców i Klientów Serwisu Internetowego przez Administratora są wskazane w kolejnym punkcie polityki prywatności – w odniesieniu do danego celu przetwarzania danych osobowych przez Administratora.
- PURPOSE, BASIS, PERIOD, AND SCOPE OF DATA PROCESSING ON THE INTERNET SERVICE
3.1. Each time the purpose, basis, period, and scope, as well as the recipients of personal data processed by the Administrator, result from the actions taken by a particular User or Customer on the Internet Service.
3.2. The Administrator may process personal data on the Internet Service for the following purposes, on the following bases, for the following periods, and to the following extent.
Purpose of Data Processing | Legal Basis for Processing and Data Retention Period | Scope of Processed Data |
Execution of an Electronic Service Agreement or taking action at the request of the data subject prior to the conclusion of the aforementioned agreements. | Article 6(1)(b) of the GDPR (performance of a contract) Data is retained for the period necessary for the performance, termination, or expiration of the concluded contract. | Maximum Scope: full name; email address; IP address; contact phone number; delivery address; business address (street, house number, apartment number, postal code, city, country); company name and tax identification number (NIP) of the User or Customer. |
Direct Marketing | Article 6(1)(f) of the GDPR (legitimate interest of the administrator) Data is retained for the period of existence of the legitimate interest pursued by the Administrator, but no longer than the statute of limitations for claims against the data subject arising from the Administrator’s business activities. The statute of limitations is determined by law, especially the civil code (the basic statute of limitations period for claims related to business activities is three years). The Administrator may not process data for direct marketing if the data subject has effectively objected to such processing. | phone number, email address |
Bookkeeping | Article 6(1)(c) of the GDPR in conjunction with Article 74(2) of the Accounting Act, i.e., from January 30, 2018 (Journal of Laws of 2018, item 395) Data is retained for the period required by law obliging the Administrator to keep accounting records (5 years, starting from the beginning of the fiscal year to which the data relates). | Scope: full name; residential/business address; company name and tax identification number (NIP) of the User or Customer |
Establishing, investigating, or defending claims that the Administrator may raise or that may be raised against the Administrator. | Article 6(1)(f) of the GDPR Data is retained for the period of the existence of the legitimate interest pursued by the Administrator, but no longer than the statute of limitations for claims against the data subject arising from the Administrator’s business activities. The statute of limitations is determined by law, especially the civil code (the basic statute of limitations period for claims related to business activities is three years). | In the case of Users or Customers who are not consumers, the Administrator may additionally process the company name and tax identification number (NIP) of the User or Customer. |
- DATA RECIPIENTS ON THE INTERNET SERVICE
4.1. For the proper functioning of the Internet Service, including the proper provision of Electronic Services by the Administrator, it is necessary for the Administrator to use the services of external entities (such as software providers). The Administrator exclusively utilizes services of such processing entities that provide sufficient guarantees for implementing appropriate technical and organizational measures to ensure that processing meets the requirements of the GDPR and protects the rights of the data subjects.
4.2. Data transmission by the Administrator does not occur in every case and not to all recipients or categories of recipients specified in the privacy policy – the Administrator transfers data only when necessary to achieve the specific purpose of processing personal data and only to the extent necessary to accomplish it.
4.3. Personal data may be transferred by the Administrator to a third country, whereby the Administrator ensures that such transfer is made to a country providing an adequate level of protection – in accordance with the GDPR, and the data subject has the possibility to obtain a copy of their data. The Administrator transfers collected personal data only when necessary and to the extent required to achieve the specific purpose of data processing in accordance with this privacy policy.
4.4. Personal data of Users and Customers of the Internet Service may be transferred to the following recipients or categories of recipients:
- Entities processing electronic payments or payments by credit card – in the case of a Customer who uses electronic payment methods or credit card payments on the Internet Service, the Administrator provides the collected personal data of the Customer to the selected entity processing such payments on behalf of the Administrator, to the extent necessary to process the payments made by the Customer.
- Providers of survey systems for feedback – in the case of a Customer who has agreed to provide feedback on concluded Sales Agreements, the Administrator provides the collected personal data of the Customer to the selected entity providing the survey system for feedback on concluded Sales Agreements on behalf of the Administrator, to the extent necessary for the Customer to provide feedback using the survey system.
- Providers of technical, IT, and organizational solutions enabling the Administrator to conduct business activities, including the Internet Service and the Electronic Services provided through it (in particular, providers of computer software for managing the Internet Service, email and hosting providers, and software providers for managing the company and providing technical support to the Administrator) – the Administrator provides the collected personal data of the Customer to the selected provider acting on its behalf only when necessary and to the extent required to achieve the specific purpose of data processing in accordance with this privacy policy.
- Providers of accounting, legal, and advisory services providing support to the Administrator in accounting, legal, or advisory matters (in particular, accounting firms, law firms, or debt collection companies) – the Administrator provides the collected personal data of the Customer to the selected provider acting on its behalf only when necessary and to the extent required to achieve the specific purpose of data processing in accordance with this privacy policy.
- Entities and partners cooperating with the Administrator who publish, advertise, or utilize the services of the administrator on their websites, web pages, or services. The Administrator provides collected data only to fulfill obligations arising from civil-law agreements.
- Entities with capital or personal ties to the Administrator for the purposes listed in this Privacy Policy.
- Other entities provided that data anonymization is ensured, meaning data that does not identify a specific user or Customer.
- Entities or public authorities in connection with combating violations of law, fraud, and abuse.
- In the event of restructuring or sale of the conducted business or part thereof and transfer of assets or part thereof to a new owner, the data of Users or Customers may be transferred to the Buyer to ensure the continuation of the Administrator’s services.
PROFILING ON THE INTERNET SERVICE
5.1. The GDPR imposes on the Administrator the obligation to inform about automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR, and – at least in those cases – essential information about the rules for making such decisions, as well as the significance and anticipated consequences of such processing for the data subject. Bearing this in mind, the Administrator provides information in this section of the privacy policy regarding potential profiling.
5.2. The Administrator may use profiling on the Internet Service for direct marketing purposes, but the decisions made by the Administrator based on it do not concern the conclusion or refusal to conclude an agreement for the provision of Electronic Services, or the possibility of using Electronic Services on the Internet Service. The result of using profiling on the Internet Service may include, for example, granting a discount to a specific person, sending them a discount code, reminding them of unfinished purchases, sending proposals for Products that may correspond to the interests or preferences of that person, or offering better terms compared to the standard offer of the Internet Service. Despite profiling, the individual freely decides whether they want to take advantage of the discount received in this way or better terms and make a purchase on the Internet Service.
5.3. Profiling on the Internet Service involves the automatic analysis or prediction of the behavior of a specific person on the Internet Service, for example, by adding a specific Product to the cart, browsing the page of a specific Product on the Internet Service, or by analyzing the previous history of actions taken on the Internet Service. The condition for such profiling is for the Administrator to have the personal data of the individual so that they can subsequently send, for example, a discount code.
5.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
RIGHTS OF THE DATA SUBJECT
6.1. Right of access, rectification, restriction, erasure, or portability – the data subject has the right to request from the Administrator access to their personal data, rectification, erasure („right to be forgotten”), or restriction of processing, and has the right to object to processing, as well as the right to data portability. Detailed conditions for exercising the above-mentioned rights are specified in Articles 15-21 of the GDPR.
6.2. Right to withdraw consent at any time – the data subject whose data is processed by the Administrator based on consent given (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR) has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
6.3. Right to lodge a complaint with a supervisory authority – the data subject whose data is processed by the Administrator has the right to lodge a complaint with the supervisory authority in the manner and procedure specified in the provisions of the GDPR and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.
6.4. Right to object – the data subject has the right at any time to object, for reasons related to their particular situation, to the processing of their personal data based on Article 6(1)(e) (public interest or official authority) or (f) (legitimate interests pursued by the controller), including profiling based on these provisions. In such a case, the Administrator may no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
6.5. Right to object to direct marketing – if personal data are processed for direct marketing purposes, the data subject has the right at any time to object to the processing of their personal data for such marketing, including profiling to the extent that it is related to such direct marketing.
6.6. To exercise the rights mentioned in this section of the privacy policy, the data subject can contact the Administrator by sending an appropriate message in writing or by email to the address provided by the Administrator at the beginning of the privacy policy, or by using the contact form available on the Internet Service website.
COOKIES IN THE INTERNET SERVICE, USAGE DATA, AND ANALYTICS
7.1. Cookies are small text information files sent by the server and stored on the side of the person visiting the Internet Service website (e.g., on the hard drive of a computer, laptop, or on the memory card of a smartphone – depending on the device used by the visitor to our Internet Service). Detailed information about cookies and their history can be found, among other places, here: http://en.wikipedia.org/wiki/HTTP_cookie.
7.2. The Administrator may process data contained in cookies when visitors use the Internet Service website for the following purposes: a. Identification of Users as logged in to the Internet Service website and showing that they are logged in; b. Remembering data from completed forms, surveys, or login data to the Internet Service website; c. Customizing the content of the Internet Service website to the individual preferences of Users (e.g., regarding colors, font size, page layout) and optimizing the use of the Internet Service website; d. Conducting anonymous statistics showing how the Internet Service website is used; e. Remarketing, which involves analyzing the behavior characteristics of visitors to the Internet Service website through anonymous analysis of their actions (e.g., repeated visits to specific pages, keywords, etc.) to create their profile and provide them with advertisements tailored to their anticipated interests, even when they visit other websites in the advertising network of Google Inc. and Facebook Ireland Ltd.
7.3. Most internet browsers available on the market accept the storage of cookies by default. Everyone has the option to determine the conditions for using cookies using their own internet browser settings. This means that it is possible, for example, to partially limit (temporarily) or completely disable the option of saving cookies – however, in the latter case, it may affect some functionalities of the Internet Service website.
7.4. Internet browser settings regarding cookies are important from the point of view of consenting to the use of cookies by our Internet Service website – according to the regulations, such consent can also be expressed through internet browser settings. In the absence of such consent, it is necessary to appropriately change the internet browser settings regarding cookies.
7.5. Detailed information on changing settings regarding cookies and deleting them independently in the most popular internet browsers is available in the help section of the internet browser and on the following pages (just click on the respective link): in Chrome browser in Firefox browser in Internet Explorer browser in Opera browser in Safari browser in Microsoft Edge browser
7.6. The Administrator may use Google Analytics and Universal Analytics services provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), services provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), and services provided by Hotjar Limited (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta) on the Internet Service website. These services help the Administrator analyze traffic on the Internet Service website. The collected data processed within the aforementioned services is anonymized (this is so-called usage data, which prevents the identification of individuals) to generate statistics helpful in administering the Internet Service website. This data is aggregate and anonymous, meaning it does not contain identifying characteristics (personal data) of visitors to the Internet Service website. By using the aforementioned services on the Internet Service website, the Administrator collects data such as the sources and medium of acquiring visitors to the Internet Service website and their behavior on the website, information about the devices and browsers they use to visit the website, IP and domain information, geographic data, as well as demographic data (age, gender), and interests.
7.7. It is possible for an individual to easily block the sharing of their activity information on the Internet Service website with Google Analytics – for this purpose, you can install a browser add-on provided by Google Inc. available here: https://tools.google.com/dlpage/gaoptout?hl=en.
FINAL PROVISIONS
8.1. The Internet Service may contain links to other websites. The Administrator encourages you to familiarize yourself with the privacy policy established there after moving to other websites. This privacy policy applies only to the Internet Service of the Administrator.