We are certain that safety and privacy are important to you. They are equally important to us. Our priority is to ensure a high level of protection for our Customers and guarantee their data is always available and secure. We process personal data and share it with others solely as specified by the applicable law and only when this is most required. We try to ensure your privacy is not compromised.
1. General provisions
1.2. The terms not defined herein shall be construed as specified in the Website Rules.
1.3. Personal data is information concerning an identified or identifiable data subject, i.e. one who can be identified directly or indirectly, including but not limited to on the basis of an identifier (property) such as name and surname, ID number, location data, Internet identifier or one or more factors describing the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
1.4. Processing means an operation or a set of operations made on personal data or personal data sets in an automated or non-automated way, including collection, saving, organising, ordering, storing, adapting or modifying, downloading, browsing, using, disclosing, sharing, matching or combining, limiting, deleting or destroying.
1.5. Customers' personal data is processed in accordance with the applicable regulations, including but not limited to the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "GDPR") and the Act of 10 May 2018 on protecting personal data.
1.6. To ensure security of the Customers' personal data, we apply relevant technical and organisational measures related to personal data processing security.
2. Data Controller
2.1. The Data Controller for the Customers' personal data is Cyfrowa Foto Sp z o.o. registered in Zaczernie, Zaczernie 190, 36–062 Zaczernie, entered in the National Court Register, Register of Entrepreneurs under KRS no. 0000259700, Tax Identification No. (NIP): 8133469935, National Business Registry Number (REGON) 180149478 (hereinafter "Cyfrowa Foto"). You can contact us in writing at our postal address or at email address firstname.lastname@example.org
3. Scope of the Customer's personal data processed
3.1. The scope of the Customer's personal data processed by the Data Controller comprises:
a) Customer's data provided when filling in the Registration Form, including name and surname, address, delivery address, email address, phone number, date of birth, and for customers other than Consumers also the company name and Tax Identification Number;
b) Customer's data, shared with the Data Controller via Facebook, if the Customer selected to register via Facebook (see 9.4);
c) Customer's data obtained by the Data Controller in connection with using cookie files or other, similar technologies (see 10);
d) Customer's data concerning the Order placed by them on the Website, including Customer's data included in the files shared by the Customer and Designs made;
e) other data of the Customer, shared by the Customer voluntarily using electronic forms available on the Website or another form of contact with the Data Controller's consultant.
3.2. As the services offered via the Website are dedicated to adults, the Data Controller does not knowingly process the personal data of children using the services it offers.
4. Purposes and legal grounds of processing the Customers' personal data
4.1. The personal data of the Customers is or can be processed:
a) to execute and perform the sales agreement, executed via the Website — in this case processing by the Data Controller is required to execute and perform the agreement the Customer is a party to or to initiate any activities at the Customer's request, before the agreement is executed (Article 6(1)(b) GDPR);
b) to register and keep the Account on the Website — in this case processing by the Data Controller is required to perform the agreement on providing electronic services the Customer is a party to or to initiate any activities at the Customer's request, before the agreement is executed (Article 6(1)(b) GDPR);
c) to deliver a Newsletter — data processing by the Data Controller takes place in this case based on the Customer's consent (Article 6(1)(a) GDPR);
d) to act as described by the Customer in the electronic form available on the Website or in a chat with the account manager — in this case data processing by the Data Controller is required to execute and perform the agreement on providing electronic services (Article 6(1)(b) GDPR) and takes place based on the legitimate interest of the Data Controller (Article 6(1)(f) GDPR) consisting in supporting sales;
e) to provide electronic services in relation to enabling the Customers to browse, play and read the information and materials shared on the Website — in this case data processing by the Data Controller is required to perform the agreement the Customer is a party to (Article 6(1)(b) GDPR);
f) to enable Design performance on the Website — in this case data processing by the Data Controller is required to perform the agreement the Customer is a party to (Article 6(1)(b) GDPR);
g) to pursue the legitimate interests of the Data Controller, related to running the Website, including analysing the use of the Website by the Customer, ensuring security and reliability of services provided via the Website and the Shop (Article 6(1)(f) GDPR);
h) to pursue the legitimate interests of the Data Controller which may include e.g. identification, pursuing and defending claims, preventing offences and running investigations related to them, managing business activity and its further development, including risk management (Article 6(1)(f) GDPR);
i) to survey Customer satisfaction (e.g. by surveys sent to the Customers in an electronic format) — in this case data processing by the Data Controller is based on the Data Controller's legitimate interest (Article 6(1)(f) GDPR);
j) for purposes of the Data Controller's direct marketing, including the choice of goods and services for the Customers' needs (including profiling) based on cookie files and other similar technologies, mentioned in section 10 — in this case data processing by the Data Controller is based on the Data Controller's legitimate interest (Article 6(1)(f) GDPR);
k) for marketing purposes of the Data Controller, resulting from the consent granted by the Customer (Article 6(1)(a) GDPR);
l) to ensure compliance with the legal obligations imposed on the Data Controller (including but not limited to the ones resulting from the Accounting Act and tax regulations), when the processing is required to fulfil the legal obligation of the Data Controller (Article 6(1)(c) GDPR).
4.2. Personal data is provided voluntarily on the Website, but it may be required to pursue one or more purposes and goals of personal data processing, as stipulated in 3.1 above, which the Data Controller will not be able to pursue unless the personal data is provided.
4.3. The Customer's personal data gathered in direct contacts of the Customer with people representing the Data Controller, including via the hotline or in contacts with the account manager, is used solely for contacting the Customer and providing them with information and advice.
5. Term of processing the Customer's personal data
5.1. The Data Controller processes the Customer's personal data in a way and for the period required to pursue the goals which the data was collected for.
5.2. If the data is collected:
a) to execute and perform the agreement (including sales agreement) — the Customer's data will be processed for the term of the agreement validity and performance;
b) based on the Customer's consent — the Customer's data will be processed until the consent is revoked;
c) to ensure compliance with the legal obligations of the Data Controller — the Customer's data will be processed for the term required by the applicable regulations;
d) for the purposes of the Data Controller's direct marketing, including the choice of goods and services for the Customer's needs (profiling) — the Customer's data will be processed until the Customer objects to it;
e) for the purposes of pursuing other legitimate interests of the Data Controller — the data will be processed until the objections made by the Customer are accepted or the limitation period expires.
5.3. After the processing period expires, the data is deleted or anonymised.
6. Customer's rights and obligations
6.1. If the personal data is processed based on the consent granted by the Customer, such consent is voluntary and can be revoked at any time, without affecting the legality of processing before the consent was revoked. The opt-out statement should be submitted by email to the Data Controller's address mentioned in 6.5.
6.2. The Customer shall have the following rights:
a) to have their personal data deleted;
b) to have processing of their personal data limited;
c) to access their personal data and adjust it (correct it);
d) to receive a copy of their personal data or have it transferred, this right not affecting the rights and freedoms of other people in any adverse way (including any business secrets and intellectual property rights) and being exercised to the extent technically possible;
e) to object to having their personal data processed if the processing is based on the legitimate interest of the Data Controller or any third party.
6.3. The Data Controller shall exercise the Customer's rights, subject to the exceptions mentioned in the GDPR provisions.
6.4. A registered Customer may also adjust or update their personal data. To do so, log in to the Account, go to the "Account Settings" tab and make the relevant changes in the Personal Data fields.
6.5. To exercise the rights stipulated in 6.1 and 6.2, send an email to the Data Controller's address, i.e.: email@example.com if the Customer's personal data is processed in connection with the sales agreement the Data Controller is a party to, and also in any other cases related to processing the Customer's personal data in connection with their use of the Website.
6.6. The Customer shall be authorised to make a complaint to the supervisory body, the Information Commissioner’s Office (ICO), if they believe processing of their personal data violates GDPR provisions.
6.7. Any incidents compromising or likely to compromise personal data security in the Website (including the suspected sharing of files containing viruses or other files of a similar nature or other than the malware files) shall be reported by the Customer immediately at: firstname.lastname@example.org
7. Entities whom the Customer's personal data is shared with
7.1. The Data Controller shares the Customer's personal data if they have legal grounds for it, including but not limited to the situation when this is required to perform the services for the Customers.
7.2. The Customer's personal information can be shared also at the request of public bodies or other entities authorised to access such data under the applicable regulations, including when this is required to ensure security of the Administrator's systems.
7.3. The recipients of the Customers' personal information may include, without being limited to:
7.3.1. entities authorised to obtain the Customer's data under the applicable regulations;
7.3.2. entities whose services are used by the Data Controller to deliver the goods or services to the Customer, including but not limited to:
a) entities servicing or providing the IT systems to the Data Controller;
b) entrepreneurs providing services related to the delivery and maintenance of the software used to operate the Website;
c) payment system operators;
d) entities providing postal and courier services;
e) lawyers' offices, counselling companies whom the Data Controller cooperates with;
7.3.3. trusted marketing partners of the Data Controller;
a) Google LLC in connection with using Google Analytics;
c) Facebook in connection with using Pixel;
8. Data transfer outside the EEA
8.1. The Data Controller shall transfer the personal data outside the European Economic Area (EEA) only when this is required, ensuring the appropriate protection level, primarily by means of:
a) cooperating with personal data processors in countries with respect to which a relevant decision of the European Commission was issued;
b) applying standard contractual clauses issued by the European Commission;
c) applying binding corporate rules, approved by the competent supervisory body;
d) with respect to transferring the data to the U.S. — cooperation with entities participating in the Privacy Shield scheme, approved by the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield (the list of this scheme participants is available at: https://www.privacyshield.gov/list).
8.2. Whenever applicable, the Data Controller always informs of their intention to transfer the personal data outside the EEA when it is collected. At the Customer's request, the Data Controller shall make a copy of their data which will be transferred outside the EEA available to them.
9. Social media
9.1. The Website may include functionalities that enable sharing content via third party social media applications, including e.g. the "Like" button on Facebook or widgets on Instagram. All those social media applications may collect and use data on the users' activity on the Website. Any personal data provided by the Customer via such social media applications may be collected and used by other users of the above social media applications, and the interactions carried out using them shall be subject to the provisions of the privacy policies of the application providers. We cannot control and shall not be held liable for the above entities and the use of the Customer's data by them.
9.2. To access the Account and related services, the Customer may register and log in using their Facebook account. In such a case Facebook may provide the following personal data of the Customer to the Data Controller automatically:
a) numerical social media identifier (ID)
b) name and surname
d) profile photo
f) other public information.
9.3. In the circumstances mentioned in 9.2, no extra registration is required to open an Account on the Website.
9.4. The legal grounds for processing the Customer's personal data in connection with their use of the optional registration and logging in via Facebook shall be the Customer's consent (Article 6(1)(a) GDPR).
10. Cookies and other similar technologies
10.1. As is the practice on most websites, when the Customer uses the Website, their personal data can be collected automatically in system logs by cookie files ("cookies"), the Google Analytics system and the Hubspot system.
10.2. Cookies are files stored on the Customer's end device, used to identify Customers and provide statistics on the Customers' traffic, Customers' activity and the way the Website is used. They make it possible, e.g., to adapt the content and services to the Customers' preferences.
10.3. The Website uses session cookies which are deleted after the browser window is closed and permanent cookies stored for a specific time (specified in cookie file parameters or until they are deleted by the Customer) in the end devices used by the Customer.
10.4. The Data Controller uses the following cookie file types:
a) required to use the services, e.g. used for services requiring authentication;
b) used to facilitate the logging in to the Account via social media;
c) used to ensure security;
d) enabling the collection of information on how the services are used;
e) enabling the settings selected by the Customer to be stored and the Customer's interface to be customised;
f) enabling the Customers to be provided with content better matching their preferences and interests.
10.5. The Customer may change their cookie file settings at any time, using the browser settings to specify the terms and conditions under which cookies are stored and gain access to the Customer's end device.
10.6. The Customer may delete cookies at any time, using the available functions of their Internet browser. However, this may limit some functionalities of the Website.
10.8. Using the Website entails sending queries to the server supporting the Website. Every query sent to the server is stored in the server logs. Logs cover e.g. the IP address, server date and time, information on the browser and operating system used by the Customer. Logs are saved and stored on the server. The data saved in the server logs is not associated with any specific individuals using the Website and is not used for identification. Server logs serve solely as auxiliary material to help administer the Website, and their content is not disclosed to anyone other than people authorised to administer the server.
10.9. The Data Controller also uses the Hubspot system to collect and process Customers' data, including but not limited to their activity on the Website based on cookies, local storage and other technologies to customise the content provided to the Customers and optimise the sales process.
11. Processing third party personal data
11.1. If the Customer shares any third party personal data via the Website, they can do so solely provided they do not violate the legal regulations and personal interests of such people. Third parties include individuals whose personal data is placed by the Customer on the Website or when submitting or performing the Design.
11.2. The Data Controller may process the third party personal data entrusted to them by the Customer if the Customer confirms they are authorised to share such third party personal data.
11.3. If the Customer places any third party personal data on the Website or when performing the Design, within any other activity than the purely personal or domestic one, the Customer becomes the controller of such data as construed under GDPR.
11.4. In the circumstances mentioned in 11.3 above, the Customer executes the data processing agreement for the third party data with the Data Controller as stipulated in 11.6 to 11.10 below.
11.5. Third party data entrusted by the Customer shall be processed by the Data Controller to ensure proper performance of the agreement to provide electronic services executed with the Customer, in connection with the Customer's use of the Website or Order performance.
11.6. The scope of the entrusted data shall cover any third party personal data entrusted in connection with the Customer's use of the Website or with the Order placed, including but not limited to the name and surname, address, gender, image, date of birth or age.
11.7. The Customer agrees that the processing of the third party personal data may be entrusted further in order to execute the agreement executed with the Customer.
11.8. The third party personal data entrusted by the Customer shall be processed as appropriate by the Data Controller pursuant to Article 28 of GDPR.
11.9. The third party personal data may be processed also by the Data Controller to determine and pursue claims or defend against them, with the legal grounds for processing being the legitimate interest of the Data Controller (Article 6(1)(f) GDPR), consisting in protecting their rights.
11.10. If the Data Controller believes the third party personal data is processed by the Data Controller in violation of GDPR regulations, provisions of the applicable law or personal interests of the third parties, the Data Controller shall initiate measures to delete such data as soon as possible.
12. Final provisions
12.2. The updated version is available on the Website.