This document („Privacy Policy”) sets out the rules governing the processing and protection of Customers’ personal data, as well as the rules governing the storage of and access to information on Customers’ Devices via cookies.
I. Definitions
- Administrator – refers to the controller of customers’ personal data – Wojciech Ratajczyk, trading as Przedsiębiorstwo Innowacji PINI, with its registered office in Kraków at 21/23 Koszykarska Street, Tax Identification Number (NIP) 5631469140, email address: contact@surfstories.eu
- Cookies – refers to digital data, in particular small text files, which are saved and stored on the Devices through which the Customer uses the Website.
- Page – refers to the Controller’s website, hosted on the surfstories.eu domain
- Device – means the electronic device through which the Customer accesses the Website.
- Customer – means any Customer who uses the Website or contacts the Controller in any other way.
- GDPR – refers to the European Union’s General Data Protection Regulation 2016/679 of 27 April 2016.
II. Protection of personal data
- The Privacy Policy applies if you use the Controller’s services, i.e. if you use the Website, contact the Controller, for example via email or the form available on the Website, receive emails from the Controller, or contact the Controller by telephone.
- Depending on the services you use, the Controller processes the following personal data: email address, first name and surname, address, company name and details, tax identification number, bank account number, telephone number, message content, and any other data provided by the Customer in connection with the service entrusted to the Controller or prior to the conclusion of a contract.
- The Controller uses personal data to provide its services to Customers – to conclude a contract, as well as to receive and send emails in connection with the performance of the contract or prior to its conclusion. The legal basis for data processing is processing necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract (legal basis under Article 6(1)(b) of the GDPR), and in certain cases the legal basis may also be a specific provision of law which allows the Controller to process data in order to comply with a legal obligation – e.g. accounting and tax regulations (legal basis: Article 6(1)(c) of the GDPR).
- The Controller requires the Customer to provide the personal data necessary for the performance of the contract – the provision of services or a reply to a message. If the Customer fails to provide this information, the Controller will be unable to provide the services or respond to the enquiry. Where required by law, for example under tax legislation, the Controller may also require the provision of other necessary data. Apart from the above cases, the provision of personal data by the Customer is voluntary.
- The Data Controller entrusts the processing of personal data to service providers who carry out specific duties and functions on behalf of the Data Controller. The Controller discloses data to service providers for the purposes of: website support, email management, postal and courier services, data storage services, and the provision of legal services to the Controller. The Controller entrusts the service providers listed above only with such data as is necessary for the proper performance of services for or on behalf of the Controller. Where data is transferred, the Controller ensures that the service provider processes the data in accordance with security requirements and does not use the data for purposes other than the provision of services to the Controller.
- The Controller does not disclose personal data to any entities other than the service providers described in the paragraph above, except where this is necessary in accordance with legal provisions or a decision by public authorities, or where it is necessary to establish, exercise or defend the Controller’s rights.
- The data controller does not transfer personal data outside the European Union.
- The Controller processes Customers’ personal data only for as long as is necessary for the proper performance of contracts with Customers, i.e. the provision of services and the pursuit of claims arising from the performance of the contract, as well as for the period required by the legal obligations imposed on the Controller (e.g. in relation to the fulfilment of tax and accounting obligations, in accordance with the relevant legislation, for a period of 5 years), strictly to the extent necessary.
- The data controller ensures that appropriate technical and organisational measures are in place to safeguard personal data, in order to ensure an adequate level of security for the personal data being processed.
- Customers have the right to access their personal data, including the right to request information about their data or to be provided with a copy of such data processed by the Controller.
- Customers have the right to correct their personal data if it is incomplete, out of date or incorrect.
- Customers have the right to object to the processing of their personal data by the Controller. „Marketing” objection – Customers have the right to object to the processing of their data for the purposes of direct marketing. Objection on grounds of a particular situation – The customer also has the right to object to the processing of their data on the basis of a legitimate interest for purposes other than direct marketing, as well as where the processing is necessary for the Controller to carry out a task carried out in the public interest. In such cases, the data subject must specify the particular circumstances justifying the Controller’s cessation of the processing to which the objection relates. The Controller will cease to process the Customer’s data for these purposes, unless it demonstrates that the grounds for the Controller’s processing of the data override the Customer’s rights, or that the data is necessary for the Controller to establish, exercise or defend legal claims.
- Customers have the right to request that the Controller restrict the processing of their personal data.
- Customers have the right to request the erasure of their personal data.
- Customers have the right to request that their personal data be transferred to them or to a designated third party.
- Customers have the right to lodge a complaint with the supervisory authority responsible for personal data protection: the Office for Personal Data Protection (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, website: http://www.uodo.gov.pl/
- The Data Controller does not carry out data profiling. The Data Controller does not automatically collect any information, with the exception of information contained in cookies, provided the Customer has given their consent.
III. Cookie Policy
- The administrator collects information using cookies stored on customers’ devices.
- Cookies are IT data, specifically text files, which are stored on the Website User’s device and are intended to facilitate the use of the Website. Cookies usually contain the name of the website from which they originate, their storage duration on the device, and a unique number. Cookies enable us to identify the software used by the Customer and to tailor the Website to the individual needs of each Customer.
- The administrator collects information using cookies for the following purposes:
a) to tailor the services provided via the Website to the needs of Customers and to optimise the use of the Website;b) to compile general and anonymous statistics on Customers’ use of the Website, using analytical tools that help us understand how Users interact with the Website, which enables us to improve the structure and content - The administrator collects information using the following categories of cookies:
a) temporary files, which usually remain on the Customer’s Device until the web browser is closed. Once the browser is closed, the files are deleted. The Controller uses such cookies, amongst other things, to store the Customer’s data. b) persistent cookies, which remain on the Customer’s Device for a specified period or until the Customer deletes them. These files are not deleted when the browser is closed. - Using the Website without changing your web browser’s cookie settings means that cookies will be stored on your device.
- The customer may change their cookie settings at any time. The Customer may block or restrict the placement of cookies on their Device by changing their web browser settings. Detailed information on changing cookie settings is available in the settings of the web browser used by the Customer.
- Disabling or restricting the option in your web browser that allows cookies to be stored does not prevent Customers from using the Website, but it may affect certain features available on the Website.
- The above information will be processed for technical purposes relating to ensuring the proper functioning of the Website and for statistical purposes. The legal basis for data processing is the Controller’s legitimate interest (pursuant to Article 6(1)(f) of the GDPR)
IV. Social media plugins
- The Administrator uses technologies such as social media plugins, including the Facebook Social Plugin, which allow social media service providers to access the Customer’s data. The Administrator’s websites feature ‘Like’ and ‘Recommend/Share’ buttons linked to Facebook. To this end, code referring to Facebook is embedded in the relevant sections and pages. By using the ‘Like’ button or recommending an image or section of the website, the user logs into Facebook, where Facebook’s privacy policy applies. This policy can be viewed at: https://pl-pl.facebook.com/help/cookies. Detailed information on the scope and purpose of data processing via the Facebook Social Plugin can be found at the following link: https://www.facebook.com/full_data_use_policy
.