In connection with the entry into force on 25 May 2018 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, we kindly ask you to ознакомиться with the information on the storage of personal data by REFSYSTEM Sp. z o.o. with its registered office in Grudziądz.
I. GENERAL PROVISIONS
1.1 This Privacy Policy is for informational purposes. It primarily sets out the rules for the processing of personal data by the Controller, including the legal basis, purposes, scope of processing, and the rights of data subjects.
1.2 Your personal data is processed on the basis of necessity for the purposes arising from the legitimate interests pursued by the Controller or a third party. Personal data is processed in accordance with applicable law, in particular Regulation (EU) 2016/679 (GDPR), as well as the Polish Personal Data Protection Act of 10 May 2018.
1.3 The controller of your personal data is the Iglotech Group, consisting of entities linked by ownership structure:
(hereinafter: “Iglotech Group”, “Controller”), acting as joint controllers pursuant to Article 26 GDPR.
Data subjects may exercise their rights against any of the above entities.
1.4 The entity responsible for personal data processing is Iglotech Sp. z o.o., ul. Toruńska 41, 82-500 Kwidzyn, Poland.
Contact: personaldata@iglotech.com.pl
1.5 The Controller ensures that personal data is:
1.6 The Controller implements appropriate technical and organizational measures to ensure compliance with GDPR and data security.
II. PURPOSE, LEGAL BASIS AND SCOPE OF DATA PROCESSING
2.1 The purpose and scope of processing depend on the user’s actions on the website.
2.2 The Controller processes personal data of individuals who:
2.3. Processed data may include:
name, email, phone number, address, company name, tax ID, bank account, website, F-GAS number.
2.4 Data is processed for:
a) Performance of a Sales Agreement or a Service Agreement, or taking steps at the request of the data subject prior to entering into the above-mentioned agreements – legal basis: Article 6(1)(b) of the GDPR (performance of a contract) – processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
The data are stored for the period necessary to perform, terminate, or otherwise expire the concluded Sales Agreement or Electronic Service Agreement.
b) Direct marketing – Article 6(1)(f) of the GDPR (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller, consisting in taking care of the Controller’s interests and good reputation and pursuing the sale of Products.
c) Marketing – Article 6(1)(a) of the GDPR (consent) – the data subject has given consent to the processing of their personal data for marketing purposes by the Controller.
d) Maintaining accounting records – Article 6(1)(c) of the GDPR in conjunction with Article 74(2) of the Accounting Act of January 30, 2018 (Journal of Laws 2018, item 395) – processing is necessary to comply with a legal obligation to which the Controller is subject.
e) Establishing, pursuing, or defending claims that may be raised by the Controller or against the Controller – Article 6(1)(f) of the GDPR (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller, consisting in establishing, pursuing, or defending such claims.
f) Use of the Website and ensuring its proper operation – Article 6(1)(f) of the GDPR (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller, consisting in operating and maintaining the Website.
g) Keeping statistics and analyzing traffic on the Website – Article 6(1)(f) of the GDPR (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller, consisting in maintaining statistics and analyzing traffic in order to improve the functioning of the Website and increase the sale of Products.
h) Providing an opinion on a concluded Sales Agreement or Product – Article 6(1)(a) of the GDPR (consent) – the data subject has given consent to the processing of their personal data for the purpose of providing an opinion.
i) Conducting a recruitment process – Article 6(1)(c) of the GDPR (legal obligation) with regard to data required under the Labour Code, and Article 9(2)(a) of the GDPR with regard to special categories of personal data included in recruitment documents – for the purpose of selecting a candidate for employment.
III. GENERAL PROVISIONS REGARDING RECIPIENTS OF PERSONAL DATA
3.1 For the proper functioning of the Website, including the performance of concluded Agreements, it is necessary for the Controller to use the services of external entities (such as, for example, payment service providers, entities maintaining subscriber registers, marketing companies, legal services, accounting services, auditors, couriers). The Controller uses only the services of such processors that provide sufficient guarantees of implementing appropriate technical and organizational measures so that the processing complies with the requirements of the GDPR and protects the rights of data subjects.
3.2 The transfer of data by the Controller does not take place in every case and not to all recipients or categories of recipients indicated in the privacy policy – the Controller transfers data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve it.
3.3 Personal data of Customers may be transferred to the following recipients or categories of recipients:
IV. PROFILING
4.1 The GDPR imposes an obligation on the Controller to inform about automated decision-making, including profiling referred to in Article 22(1) and (4) of the GDPR, and—at least in such cases—to provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. With this in mind, the Controller provides in this section of the privacy policy information regarding possible profiling.
4.2 The Controller may use profiling on the Website for the purposes of direct marketing; however, decisions made on its basis by the Controller do not concern the conclusion or refusal to conclude a Contract. The effect of using profiling may include, for example, granting a given person a discount, sending them a discount code, presenting an offer of a Service that may match their interests or preferences, or proposing more favorable conditions compared to the standard offer available on the Website. Despite profiling, the individual freely decides whether they wish to take advantage of the discount or improved offer conditions provided in this way.
4.3 Profiling consists of the automated analysis or prediction of a person’s behavior on the Website, for example by selecting a specific Service, browsing the description of a particular Service, or analyzing the history of Services previously purchased. A condition for such profiling is that the Controller has the personal data of the individual in order to subsequently send them, for example, a discount code.
4.4 The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
V. ONLINE MARKETING – GOOGLE ADS
5.1 The Controller uses the Google Ads advertising program operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, in order to conduct advertising campaigns, including remarketing campaigns. These activities are carried out on the basis of the Controller’s legitimate interest consisting in marketing its own products or services.
5.2 When visiting the Website, a Google remarketing cookie is automatically stored on the user’s device. With the use of a pseudonymous identifier (ID) and based on the websites visited by the user, this enables the display of interest-based advertisements. Further data processing takes place only if the user has given consent to Google to link their browsing and app usage history with their account and to use information from their Google account to personalize ads displayed on websites.
5.3 If, in such a case, the user is logged into a Google service while visiting the Website, Google will use the data together with Google Analytics data to create and define target audience lists for remarketing purposes across devices. For this purpose, Google temporarily combines collected information with Google Analytics data in order to create audience groups.
5.4 When using Google Ads, the Controller does not collect any data that would allow for the identification of an individual. The Controller is only able to define audience groups to which it would like its advertisements to be displayed. On this basis, Google decides when and how a given advertisement will be presented to a user.
5.5 In order to use Google Ads, a special Google Ads conversion pixel has been implemented in the Website’s code. The pixel uses cookies from Google LLC related to the Google Ads service. From the level of the Controller’s Website, using a cookie management mechanism, it is possible to disable these cookies. It is also possible to manage advertising settings directly via Google at: https://adssettings.google.com/
VI. ONLINE MARKETING – META
6.1. In order to conduct effective marketing campaigns and promote products and services, the Controller uses the “Meta Pixel” provided by Meta Platforms, 1601 S California Ave, Palo Alto, California, USA, or—for users residing in the EU—Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta”).
6.2. The Meta Pixel is a piece of code embedded in a website. It allows Meta to identify visitors to online content as a target group for displaying advertisements on Meta platforms and products, including social media profiles and applications (e.g., sponsored ads). This is considered a legitimate interest under Article 6(1)(f) of the GDPR.
6.3 As part of the Meta Pixel functionality, advertisements published by the Controller on Meta platforms may be displayed exclusively to users of Meta products who have shown an interest in the services or who share certain characteristics (such as interests in specific topics or products determined based on visited pages or viewed products), which are transmitted to Meta.
6.4 The Meta Pixel helps to understand the effectiveness of advertisements on Meta platforms for statistical and market research purposes by showing whether users were redirected to services after clicking on an advertisement within Meta products (so-called conversion, which allows determining on which devices users take action). It also enables the creation of so-called “lookalike audiences” and provides comprehensive statistics regarding website usage.
6.5 During a user’s visit to the Website, the Meta Pixel establishes a direct connection with Meta servers. In this way, the Meta server is informed that the user has visited the Website, and Meta assigns this information to the user’s personal account within its platform.
6.6 Further information on the collection and use of data by Meta, as well as the user’s rights and options regarding privacy protection, can be found in Meta’s privacy policy at:
https://www.facebook.com/privacy/policy/
6.7 Detailed information about the Meta Pixel and how it works is available in the help section at:
https://pl-pl.facebook.com/business/help/742478679120153?id=1205376682832142
6.8 This feature can be disabled as described on the following page:
https://www.facebook.com/settings?tab=ads
To do so, the user must be logged into their Facebook account.
VII. TRANSFER OF DATA OUTSIDE THE EEA
In certain situations, some of the technical solutions used for the purposes indicated in Sections V and VI are provided by entities located outside the European Economic Area (EEA). Personal data may be transferred to the countries where these service providers are established, including the United States.
Google LLC and Meta Platforms declare that they ensure an adequate level of protection for processed data by adopting and applying the EU Standard Contractual Clauses.
VIII. RIGHTS OF THE DATA SUBJECT
8.1 Right of access, rectification, restriction, erasure, or data portability
The data subject has the right to request from the Controller access to their personal data, rectification, erasure (“right to be forgotten”), or restriction of processing, as well as the right to object to processing and the right to data portability. Detailed conditions for exercising the above rights are set out in Articles 15–21 of the GDPR.
8.2 Right to withdraw consent at any time
Where personal data are processed by the Controller on the basis of consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR), the data subject has the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
8.3 Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with a supervisory authority in accordance with the procedures specified in the GDPR and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).
8.4 Right to object
The data subject has the right to object at any time—on grounds relating to their particular situation—to the processing of their personal data based on Article 6(1)(e) (public interest or official authority) or (f) (legitimate interests of the controller) of the GDPR, including profiling based on those provisions. In such a case, the Controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for processing which override the interests, rights, and freedoms of the data subject, or grounds for the establishment, exercise, or defense of legal claims.
8.5 Right to object to direct marketing
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling, to the extent that the processing is related to such direct marketing.
8.6 Right to obtain human intervention and to contest automated decisions
The data subject has the right to obtain human intervention from the Controller, to express their own point of view, and to contest a decision based solely on automated processing.
To exercise the rights referred to in this section of the privacy policy, the data subject may contact the Controller by sending an appropriate request in writing or by email to the address indicated at the beginning of the privacy policy, or by using the contact form available on the Website.
IX. COOKIES ON THE WEBSITE, OPERATIONAL DATA AND ANALYTICS
9.1 Cookies are small pieces of text information in the form of text files, sent by a server and stored on the side of the person visiting the Website (e.g., on a computer or laptop hard drive, or on a smartphone memory card—depending on the device used). Detailed information about cookies, as well as the history of their creation, can be found, among others, here:
https://en.wikipedia.org/wiki/HTTP_cookie
9.2 The Controller may process data contained in cookies while visitors use the Website for the following purposes:
9.3 By default, most web browsers available on the market accept the storage of cookies. Everyone has the option to define the conditions for the use of cookies via the settings of their own web browser. This means that it is possible, for example, to partially restrict (e.g., temporarily) or completely disable the storage of cookies—however, in the latter case, this may affect certain functionalities of the Website.
9.4 Web browser settings regarding cookies are important from the perspective of consent to the use of cookies—under applicable regulations, such consent may also be expressed through browser settings. If such consent is not given, the browser settings regarding cookies should be changed accordingly. Detailed information on how to change cookie settings and delete cookies in the most popular web browsers is available in the help section of the browser and on the following pages:
X. FINAL PROVISIONS
The Controller makes every effort to ensure all physical, technical, and organizational measures for the protection of personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure, use, or access, in accordance with all applicable laws and regulations.