Data Controller

  1. The controller of personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) is Spogle Spółka z ograniczoną odpowiedzialnością, with its registered office in Warsaw at ul. Włościańska 15 lok. 10, 01-710 Warsaw, entered in the Register of Entrepreneurs of the National Court Register by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS number: 0000731827, Tax ID (NIP): 5252751151, National Business Registry Number (REGON): 380291299, share capital: PLN 20,000.
  2. Contact the data controller: kontakt@gamionary.pl.
  3. In accordance with Article 32(1) of the GDPR, the controller complies with the principle of personal data protection and implements appropriate technical and organizational measures to prevent the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data processed in connection with its business activities.
  4. Providing personal data is voluntary, but necessary in order to establish a business relationship and/or enter into a contract with the data controller.
  5. The data controller processes personal data only to the extent necessary to properly provide services or take action at the request of the data subject.

2. Purpose and legal basis for the processing of personal data

The controller processes personal data for the following purposes:

  1. providing services electronically via the Website, pursuant to the concluded agreement (Article 6(1)(b) of the GDPR);
  2. handling the complaint process, pursuant to the data controller’s obligation under applicable law (Article 6(1)(c) of the GDPR);
  3. accounting activities related to issuing and receiving billing documents, based on tax law provisions (Article 6(1)(c) of the GDPR);
  4. archiving data for the purpose of establishing, exercising, or defending against legal claims or demonstrating facts, which constitutes a legitimate interest of the data controller (Article 6(1)(f) of the GDPR);
  5. contact by telephone or email, in particular in response to inquiries addressed to the data controller, which is a legitimate interest of the data controller (Article 6(1)(f) of the GDPR);
  6. sending technical information regarding the operation of the Website and the services used by the customer, which constitutes a legitimate interest of the data controller (Article 6(1)(f) of the GDPR).

3. Data recipients. Transfer of data to third countries

  1. The recipients of personal data processed by the data controller may include entities cooperating with the data controller, where this is necessary for the performance of a contract concluded with the data subject.
  2. The recipients of personal data processed by the data controller may also include subcontractors—entities whose services the data controller uses in the processing of data, such as providers of IT services (including hosting services).
  3. The data controller may be required to disclose personal data in accordance with applicable laws, in particular to authorized government agencies or institutions.
  4. Personal data will not be transferred to entities based outside the European Economic Area.

4. Retention period for personal data

  1. The data controller retains personal data for the duration of the contract concluded with the data subject and, after its termination, for purposes related to the enforcement of claims arising from the contract and the fulfillment of obligations under applicable law, but for no longer than the statute of limitations period set forth in the Civil Code.
  2. The data controller retains personal data contained in billing documents (e.g., invoices) for the period specified by the Goods and Services Tax Act and the Accounting Act.
  3. The data controller retains personal data for purposes other than those specified in paragraphs 1 and 2 for a period of 3 years, unless consent to the processing of the data has been withdrawn earlier and the processing cannot continue on any basis other than the consent of the data subject.

5. Rights of the data subject

  1. Every data subject has the right to:
  2. access – to obtain confirmation from the controller as to whether their personal data is being processed. If personal data is being processed, the data subject is entitled to access it and to obtain the following information: the purposes of the processing, the categories of personal data, information about the recipients or categories of recipients to whom the data has been or will be disclosed, the data retention period or the criteria for determining it, the right to request rectification, erasure, or restriction of processing of personal data to which the data subject is entitled, and the right to object to such processing (Article 15 of the GDPR);
  3. to receive a copy of the data – to obtain a copy of the data being processed, with the first copy provided free of charge; for subsequent copies, the controller may charge a reasonable fee based on administrative costs (Article 15(3) of the GDPR);
  4. the right to rectification – the right to request the correction of personal data that is inaccurate or the completion of incomplete data (Article 16 of the GDPR);
  5. the right to erasure – the right to request the erasure of one’s personal data if the controller no longer has a legal basis for processing it or if the data is no
  6. to restrict processing – requests to restrict the processing of personal data (Article 18 of the GDPR) where:
    – the data subject contests the accuracy of the personal data – for a period enabling the controller to verify the accuracy of such data,
    – the processing is unlawful, and the data subject objects to the erasure of the data, requesting instead that its use be restricted,
    – the controller no longer needs the data, but the data subject needs it to establish, exercise, or defend legal claims,
    – the data subject has objected to the processing – until it is determined whether the controller’s legitimate grounds override the data subject’s grounds for objection;
  7. the right to data portability – to receive, in a structured, commonly used, and machine-readable format, the personal data concerning the data subject that the data subject has provided to the controller, and to request that such data be transmitted to another controller, provided that the data is processed on the basis of the data subject’s consent or a contract concluded with the data subject and that the data is processed by automated means (Article 20 of the GDPR);
  8. the right to object – to object to the processing of their personal data for the controller’s legitimate interests, on grounds relating to their particular situation, including profiling. In such cases, the controller shall assess whether there are compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or grounds for the establishment, exercise, or defense of legal claims. If, based on this assessment, the interests of the data subject are deemed to outweigh the controller’s interests, the controller shall be required to cease processing the data for those purposes (Article 21 of the GDPR).
  9. To exercise the rights listed above, the data subject should contact the controller using the contact information provided and inform the controller which right they wish to exercise and to what extent.
  10. The data subject has the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office in Warsaw.

6. Automated decision-making. Profiling

Personal data will not be processed automatically, including through profiling.

7. Google Analytics

  1. The administrator uses Google Analytics, a web analytics service provided by Google Inc. (“Google”), USA.
  2. Google Analytics uses cookies to analyze how users interact with the website. The information generated by the cookie regarding website usage is transmitted to and stored on a Google server. On behalf of the Administrator, Google will use this information to analyze how users use the website in order to prepare reports on website activity and to provide other services related to website and Internet usage to the client.
  3. The data will not be used to identify any individual.
  4. You can prevent cookies from being stored by adjusting your browser settings; however, in that case, you will not be able to use the full functionality of the website. In addition, users can prevent Google from collecting data generated by cookies and related to their use of the website (including their IP address), as well as from processing this data, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=pl.
  5. At any time, you may object to the collection and processing of data related to your use of the Google website by downloading and installing a browser plugin available at the following address: https://tools.google.com/dlpage/gaoptout?hl=en.

8. Piksel Facebook

  1. The administrator uses Facebook Pixel, an analytics tool that helps measure the effectiveness of ads by analyzing user activity on the website.
  2. The Administrator uses the Facebook Pixel tool to serve personalized ads to the Customer on Facebook. This involves the use of Facebook cookies. The legal basis for the Administrator’s use of the Facebook Pixel tool is Article 6(1)(f) of the GDPR.