Privacy policy
§1. Personal Data Controller
1. The personal data controller within the meaning of Art. 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) is the company: ASPIRR Spółka z Ograniczoną Odpowiedzialnością (Limited Liability Company) located at Stelmachów 58D/20, 31-341 Kraków, KRS: 0001152401, NIP: 9452305027, REGON: 540715212
2. The data controller's email address is contact@aspirr.pl.
3. The controller, in accordance with Art. 32(1) of the GDPR, observes the principles of personal data protection and applies appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data processed in connection with its business activities.
4. Providing personal data by the customer is voluntary but necessary to conclude a contract with the data controller.
5. The data controller processes personal data to the extent necessary for the performance of the contract or provision of services to the data subject.
§2. Purpose and Legal Basis for Personal Data Processing
The controller processes personal data for the following purposes:
a) preparing a commercial offer in response to customer interest, which is the legitimate interest of the data controller (Art. 6(1)(f) GDPR);
b) concluding and executing sales contracts with customers, based on the concluded contract (Art. 6(1)(b) GDPR);
c) providing electronic services through the Online Store, based on the concluded contract (Art. 6(1)(b) GDPR);
d) handling the complaint process, based on the obligation incumbent on the data controller in connection with applicable law (Art. 6(1)(c) GDPR);
e) accounting related to issuing and receiving settlement documents, based on tax law (Art. 6(1)(c) GDPR);
f) archiving data for possible establishment, pursuit or defense against claims or the need to demonstrate facts, which is the legitimate interest of the data controller (Art. 6(1)(f) GDPR);
g) telephone or email contact, in particular in response to inquiries directed to the data controller, which is the legitimate interest of the data controller (Art. 6(1)(f) GDPR);
h) sending technical information regarding the functioning of the Online Store and services used by the customer, which is the legitimate interest of the data controller (Art. 6(1)(f) GDPR);
i) marketing, which is its legitimate interest (Art. 6(1)(f) GDPR) or is based on prior consent (Art. 6(1)(a) GDPR).
§3. Data Recipients. Transfer of Data to Third Countries
1. Recipients of personal data processed by the data controller may be entities cooperating with the data controller when it is necessary to perform the contract concluded with the data subject.
2. Recipients of personal data processed by the data controller may also be subcontractors - entities whose services the data controller uses when processing data, e.g., accounting offices, law firms, IT service providers (including hosting services).
3. The data controller may be obliged to disclose personal data on the basis of applicable law, in particular to disclose personal data to authorized state bodies or institutions.
4. Personal data, in connection with the use of tools for analyzing and tracking website traffic by the controller, may be transferred to an entity based outside the European Economic Area, e.g., to Google LLC or Meta Platforms Inc. As an appropriate data protection measure, the data controller has agreed to standard contractual clauses in accordance with Art. 46 GDPR with the providers of these services. More information on this topic is available here: https://commission.europa.eu/law/law-topic/data-protection_en.
§4. Personal Data Retention Period
1. The data controller stores personal data for the duration of the contract concluded with the data subject and after its termination for purposes related to the pursuit of claims related to the contract, performance of obligations resulting from applicable law, but for a period not longer than the limitation period in accordance with the provisions of the Civil Code.
2. The data controller stores personal data contained in accounting documents for the period specified by the provisions of the Value Added Tax Act and the Accounting Act.
3. The data controller stores personal data processed for marketing purposes for a period of 10 years, but no longer than until the withdrawal of consent for data processing or objection to data processing.
4. The data controller stores personal data for purposes other than those indicated in paragraphs 1-3 for a period of one year, unless consent for data processing has been withdrawn earlier, and data processing cannot be continued on any basis other than the consent of the data subject.
§5. Rights of the Data Subject
1. Every data subject has the right to:
a) access - obtain confirmation from the controller whether their personal data are being processed. If data about a person is processed, they are entitled to gain access to it and obtain the following information: about the purposes of processing, categories of personal data, information about recipients or categories of recipients to whom the data has been or will be disclosed, about the period of data storage or the criteria for determining it, about the right to request rectification, erasure or restriction of processing of personal data concerning the data subject, and to object to such processing (Art. 15 GDPR);
b) receive a copy of the data - obtain a copy of the data subject to processing, with the first copy being free of charge, and for subsequent copies, the controller may charge a reasonable fee resulting from administrative costs (Art. 15(3) GDPR);
c) rectification - request the rectification of inaccurate personal data concerning them or the completion of incomplete data (Art. 16 GDPR);
d) erasure of data - request the erasure of their personal data if the controller no longer has a legal basis for processing them or the data is no longer necessary for the purposes of processing (Art. 17 GDPR);
e) restriction of processing - request the restriction of processing of personal data (Art. 18 GDPR) when:
- the data subject contests the accuracy of the personal data - for a period enabling the controller to verify the accuracy of this data,
- the processing is unlawful and the data subject opposes the erasure of the data, requesting the restriction of their use instead,
- the controller no longer needs the data, but they are required by the data subject for the establishment, exercise or defense of legal claims,
- the data subject has objected to processing - pending the verification whether the legitimate grounds of the controller override those of the data subject;
f) data portability - receive in a structured, commonly used and machine-readable format personal data concerning them, which they have provided to the controller, and request the transmission of this data to another controller, if the data is processed based on the consent of the data subject or a contract concluded with them and if the data is processed by automated means (Art. 20 GDPR);
g) objection - object to the processing of their personal data for the controller's legitimate purposes, for reasons related to their particular situation, including profiling. The controller then assesses the existence of valid legitimate grounds for processing that override the interests, rights and freedoms of data subjects, or grounds for the establishment, exercise or defense of legal claims. If, according to the assessment, the interests of the data subject will be more important than the interests of the controller, the controller will be obliged to cease processing data for these purposes (Art. 21 GDPR).
2. To exercise the above-mentioned rights, the data subject should contact the controller using the provided contact details and inform them which right and to what extent they want to exercise.
3. The data subject has the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office in Warsaw.
§6. Profiling
1. Personal data obtained by the data controller may be processed automatically - including the form of profiling. Profiling of personal data by the data controller consists of evaluating selected information about the data subject for the purposes of analyzing and forecasting personal preferences and interests, in particular for the possibility of providing the data subject with a personalized offer.
2. Automated data processing performed by the data controller does not have any legal consequences for the data subject. The data subject may at any time object to the automated processing of their data.
§7. Google Analytics
1. The controller uses Google Analytics, an internet analytics service provided by Google Inc. based in the USA.
2. Google Analytics uses cookies that enable the analysis of website usage by the user. Information generated by the cookie about the use of the website is transmitted to and stored on Google's server. On behalf of the Controller, Google will use this information to analyze the use of the website by users in order to prepare reports on website activity and provide other services related to website and Internet usage for the commissioning entity.
3. The data will not be used to identify any natural person.
4. The user can prevent the storage of cookies by setting their browser accordingly; however, in this case, they may not be able to use the full functionality of the website. In addition, users can prevent Google from collecting data generated by cookies and related to their use of the website (including IP address) as well as the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=pl.
5. At any time, the user can object to the collection and processing of data related to the use of the Google website by downloading and installing the browser plugin available at the following address: https://tools.google.com/dlpage/gaoptout?hl=en.
§8. Facebook Pixel
1. The controller uses Facebook Pixel, an analytical tool that helps measure the effectiveness of advertisements based on the analysis of actions taken by users on the website.
2. The controller uses the Facebook Pixel tool to target personalized ads to the Customer on Facebook. This involves the use of Facebook cookies. The legal basis for the controller's use of the Facebook Pixel tool is Art. 6(1)(f) GDPR.