PRIVACY POLICY

www.planogroup.pro

§ 1 GENERAL PROVISIONS

The controller of personal data of users of the website available at www.planogroup.pro is BEATA CIEŚLUKOWSKA, conducting business under the name BEATA CIEŚLUKOWSKA NIERUCHOMOŚCI – BEATA CIEŚLUKOWSKA, entered into the Central Register and Information on Economic Activity of the Republic of Poland, maintained by the minister responsible for the economy, with its registered office at: Ogródek 14, 12-250 Orzysz, Poland, NIP: 8481751668, REGON: 301570285 (hereinafter referred to as the "Controller").

The Controller has established an electronic point of contact for direct communication with the authorities of Member States, the European Commission, and the Digital Services Board, available at the e-mail address: mariusz@planogroup.pro. This point of contact may also be used by any Client for direct and efficient contact with the Controller.

Contact with the Controller is also possible in writing, at the registered office address indicated above, via the contact form available on the website, as well as by phone at: +48 792 606 765 and +34 692 213 638 (during the Controller's business hours from 8:00 AM to 4:00 PM on business days; the cost of the call is in accordance with the tariff of the operator used by the Client).

Communication with the Controller can take place in Polish, Spanish, German, or English.

The purpose of this Policy is to define the rules and scope of actions taken regarding personal data obtained through the Controller's website and related services and tools used by users, as well as data processed in the course of concluding and performing contracts executed outside the website.

Each time the website is accessed, the server automatically saves only so-called server logs, such as in particular: the name of the requested file, IP address, date and time of access, volume of data transmitted, and the internet service provider of the entity making the request (so-called access logs), and also documents the access to the site itself. This data is used solely for the purpose of ensuring the proper functioning of the website and its further improvement and development of the offer. The basis for data processing is Article 6(1)(f) of the GDPR, i.e., the legitimate interest of the Controller consisting in the optimal and correct functioning and presentation of the website and the offer. All access data is deleted within seven days of the user's visit to the site.

If necessary, the provisions of this Policy may be changed. Users will be informed of any changes by publishing the new content of the Policy, and persons who have consented to the processing of personal data electronically or provided an e-mail address in connection with the performance of contracts will be additionally notified of the changes via e-mail.

§ 2 BASES FOR PROCESSING, PURPOSES, AND STORAGE OF PERSONAL DATA

The personal data of users are processed in accordance with the General Data Protection Regulation, the Act on the Protection of Personal Data of May 10, 2018, and the Act on Providing Services by Electronic Means of July 18, 2002, as amended, and for the purpose of making a report pursuant to Article 16(1) of Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ EU L 277, 2022, p. 1, as amended; "DSA") also on the basis of Article 3(h) of the DSA.

The Controller may collect the following data for the following purposes:

  • For the duration of the aforementioned contract until the expiry of the legal obligation related to accounting.
  • Data will be processed until the expiry of the period during which claims may be asserted. * First and last name; * E-mail address; * Phone number; * Address (street, house number, apartment number, postal code, city, country); * Company name; * NIP (Tax Identification Number).
  • Until the withdrawal of consent – remember, you can withdraw your consent at any time. Processing of data until you withdraw your consent remains lawful.
  • Data will be processed until the expiry of the period during which claims may be asserted. * E-mail address; * Phone number.
  • Until the withdrawal of consent – remember, you can withdraw your consent at any time. Processing of data until you withdraw your consent remains lawful.
  • Data will be processed until the expiry of the period during which claims may be asserted.
  • Until unsubscribing from the newsletter. * First and last name; * E-mail address; * Phone number; * Address (street, house number, apartment number, postal code, city, country).
  • In the absence of an opinion, for a period of 30 days from your purchase or until an objection to processing is upheld; upon expressing an opinion – until its deletion or until an objection to processing is upheld.
  • Data will be processed until the expiry of the period during which claims may be asserted. * First and last name; * E-mail address; * Phone number.
  • Data is stored for the duration of our legitimate interest, but no longer than the limitation period for claims against the data subject arising from the business activity conducted. * First and last name; * E-mail address; * Phone number; * Address (street, house number, apartment number, postal code, city, country); * NIP; * Company name.
  • Data will be processed until the expiry of the period during which claims may be asserted.
  • Until the expiration or deletion of cookies used for analytical purposes. * Company name; * E-mail address; * Phone number; * Address (street, house number, apartment number, postal code, city, country); * Computer components; * Settings; * Installed software.
  • First and last name;
  • E-mail address;
  • Phone number;
  • Address (street, house number, apartment number, postal code, city, country);
  • Business entity data. * 5 years after the end of business relations with the Client.
  • 2 years after the last update of the Client's inquiry. * First and last name; * E-mail address; * Phone number; * Address (street, house number, apartment number, postal code, city, country); * Business entity data. * 5 years after the end of business relations with the Client.
  • As in the cell above. * Information on activities performed on the website (button clicks, visit duration, read notifications, other information depending on the specific business case). * 5 years after the end of business relations with the Client.
  • Transaction data;
  • Business entity data. * Duration of the Controller's legitimate interest, but no longer than the limitation period for claims against the data subject arising from the business activity conducted.
  • First and last name;
  • E-mail address;
  • Phone number;
  • Address (street, house number, apartment number, postal code, city, country);
  • NIP;
  • Company name. * Duration of the Controller's legitimate interest, but no longer than the limitation period for claims against the data subject arising from the business activity conducted.
  • First and last name;
  • E-mail address;
  • Phone number;
  • Address (street, house number, apartment number, postal code, city, country);
  • NIP;
  • Company name. * Until informed of:
  • First and last name;
  • E-mail address;
  • Phone number;
  • Address (street, house number, apartment number, postal code, city, country);
  • NIP;
  • Company name. * For the duration of such obligation.
  • First and last name;
  • E-mail address;
  • Phone number;
  • Address (street, house number, apartment number, postal code, city, country);
  • NIP;
  • Company name.

To the extent necessary to ensure the proper functioning of the website and its functionality, the site uses User metadata. Metadata is understood as the process of reading and identifying by the website's IT system the configuration parameters and hardware elements of the computer used by the User, in order to adapt the site to their technical capabilities and establish a secure connection between the User's computer and the website. It is important that this type of metadata does not allow for the identification of the User nor does it negatively affect the data stored on their device. Regardless of the above, the User has the right to withdraw consent for the processing of metadata at any time by configuring their web browser settings or installing an appropriate plugin provided by the browser manufacturer. In this regard, it is recommended to read the instructions and recommendations of the software manufacturer used.

The Client may subscribe to the newsletter, i.e., periodic shipment of information about the Controller's products and services. To sign up for the newsletter, the Client enters their e-mail address in the newsletter form located on the website, simultaneously confirming consent to the processing of their personal data for this purpose and the sending of promotional content to the provided e-mail (alternatively, joining the newsletter is also possible by filling out appropriate forms made available by the Controller on their social media). Messages sent as part of the newsletter will contain information about the possibility of unsubscribing, as well as an unsubscribe link. The Client may unsubscribe from the newsletter, without giving a reason and without incurring any costs, at any time, by sending a resignation statement via the Controller's e-mail or by selecting the unsubscribe link in the e-mail delivered with the newsletter.

The Controller may use profiling for direct marketing purposes, provided that decisions made by the Controller based on profiling do not concern the conclusion of a contract, refusal to conclude it, or the limitation or exclusion of the possibility of using services provided by electronic means.

To the extent necessary for the proper functioning of the website and its functionality, the site may, while being used by the User, collect other information, including but not limited to:

  • IP address;
  • Information about the device, hardware, and software, such as hardware identifiers, mobile device identifiers (e.g., Apple Identifier for Advertising ["IDFA"] or advertising identifier on an Android device ["AAID"]);
  • Platform type;
  • Settings and components;
  • Web browser data, including browser type and preferred language.

Taking into account the nature, scope, context, and purposes of processing, as well as the risk of violating the rights or freedoms of natural persons with varying probability and severity of threat, the Controller implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Controller uses technical measures to prevent the acquisition and modification by unauthorized persons of personal data transmitted electronically.

§ 3 DATA SHARING

The Controller ensures that all collected personal data is used to fulfill obligations to users. This information will not be shared with third parties except in situations where:

  • Prior explicit consent of the persons concerned is given for such action, or
  • If the obligation to transfer this data results or will result from applicable laws, e.g., to law enforcement agencies.

Additionally, the personal data of service recipients and clients may be transferred to the following recipients or categories of recipients:

  • Service providers supplying the Controller with technical, IT, and organizational solutions enabling the Controller to conduct business, including the website and services provided electronically through it (in particular, computer software providers, marketing agencies, e-mail and hosting providers, providers of company management software and technical support for the Controller, and product delivery operators) – the Controller shares the collected personal data of the Client with a selected provider acting on its behalf only in the case and to the extent necessary to achieve the specific purpose of data processing consistent with this privacy policy.
  • Accounting, legal, and advisory service providers providing the Controller with accounting, legal, or advisory support (in particular, an accounting office, law firm, or debt collection agency) – the Controller shares the collected personal data of the Client with a selected provider acting on its behalf only in the case and to the extent necessary to achieve the specific purpose of data processing consistent with this privacy policy.

The Controller may share anonymized data (i.e., data that does not identify specific Users) with external service providers in order to better recognize the attractiveness of advertisements and services for users, and in this regard, due to the location of software providers, data may be transferred – while maintaining the principles of their protection – to third countries, which, however, provide standard contractual clauses approved by the European Commission regarding the processing of personal data or have appropriate authorizations for such action based on bilateral data processing entrustment agreements between the European Union and the given third country, which is not a member of the European Economic Area. In the case of the Controller, these entities are:

  • Google LLC. (registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for Google Analytics tools used for analyzing website statistics, Google Tag Manager: used for managing scripts by easily adding code snippets to the site or application and tracking actions performed by users on the website, Google Ads used for displaying sponsored links in Google search results and on sites cooperating within the Google AdSense program, Google Search Console, Google Workspace allowing for comprehensive site editing and coordination of work of people working on it (including Google Drive, Gmail, Google Sheets, Google Forms, Google Looker Studio);
  • Meta Platforms, Inc. (registered office: 1601 Willow Road Menlo Park, CA 94025, USA) for Facebook pixel used for tracking conversions from Facebook ads, optimizing them based on collected data and statistics, and building an audience list targeted for future ads.

The Controller continuously performs risk analysis to ensure that personal data processing is carried out in a secure manner, in particular, guaranteeing that only authorized persons have access to the data and only to the extent necessary to fulfill their assigned duties. The Controller ensures that all operations performed on personal data are recorded and carried out only by authorized employees and associates.

The Controller takes all necessary actions to ensure that entities to whom it entrusts the processing of personal data, as well as other cooperating partners, apply appropriate security measures in every case of personal data processing on behalf of the Controller.

Third-party analytical technologies integrated with the Controller's services, including in particular SDK (Software Development Kit) and API (Application Programming Interfaces), may combine data obtained in connection with the User's use of the Controller's site with information collected by these entities independently, over time and/or across different platforms. Many of these entities collect and process data in accordance with their own data protection policies, which are available on their websites. The Controller recommends familiarizing yourself with these rules.

The Controller's website may use Google Analytics – a website traffic analysis service provided by Google LLC ("Google"). Google Analytics uses cookies to enable the analysis of how visitors use the site. Information generated by cookies regarding the use of the website is generally transmitted to Google and stored on servers located in the United States. In accordance with applicable technological standards, the IP addresses of users visiting the Controller's site are shortened. Only in exceptional cases is the full IP address transmitted to a Google server in the United States and shortened there. On behalf of the Controller, Google uses this information to analyze how users use the site, compile reports on website traffic, and provide other services related to website traffic and internet usage to their operators. Google does not associate the IP address transmitted as part of Google Analytics with other data in its possession. Detailed information regarding the rules for collecting and using data by Google Analytics is available on the official Google website at: www.google.com/policies/privacy/partners. Each User can also prevent the collection and processing by Google of data regarding the use of the site by installing an appropriate browser plugin available at: http://tools.google.com/dlpage/gaoptout.

In the case of transferring personal data to third parties, the Controller makes every effort to ensure that this is done only to entities meeting the requirements set out in Article 46 or Article 49 of the GDPR. In justified cases, the Controller will rely on standard contractual clauses of the European Union and other appropriate legal safeguards to enable data transfer outside the European Economic Area. In accordance with the judgment of the Court of Justice of the European Union of July 16, 2020, the Controller continuously assesses the legal systems of the countries to which data is transferred and, if necessary, updates the measures used to ensure an adequate level of personal data protection.

Regarding personal data transferred to the United States, the Controller, when sharing data with third parties, makes every effort to ensure that this transfer takes place – in accordance with the European Commission's decision of July 10, 2023 – only to entities and organizations based in the USA that ensure compliance with the new "EU–US Data Privacy Framework". A list of these organizations has been published by the United States Department of Commerce. The transfer of personal data from the EEA to organizations participating in the "EU–US Data Privacy Framework" and included in this list may take place without the need to obtain additional permits or use legal instruments such as standard contractual clauses or binding corporate rules. However, in the event that a given data importer in the USA has not joined the "EU–US Data Privacy Framework" program, the transfer of personal data to this entity will be possible after meeting the conditions set out in Article 46 or Article 49 of the GDPR. In such situations, the Controller will apply EU standard contractual clauses and other appropriate safeguards enabling data transfer outside the EEA.

§ 4 USER RIGHTS

The user whose personal data is processed has the right to:

  • Access, rectification, restriction, deletion, or portability of data – the data subject is entitled to request from the Controller access to their personal data, their rectification, deletion (the so-called "right to be forgotten"), or restriction of their processing, as well as to object to processing and to data portability. Detailed rules for exercising these rights are set out in Articles 15–21 of the GDPR.
  • Withdraw consent at any time – in the case where the processing of personal data by the Controller is based on the consent of the data subject (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR), this person has the right to withdraw consent at any time, whereby the withdrawal of consent does not affect the lawfulness of processing carried out on its basis before the withdrawal.
  • Lodge a complaint with a supervisory authority – the person whose personal data is processed by the Controller has the right to lodge a complaint with the competent supervisory authority in the manner and on the principles set out in the provisions of the GDPR and national law, in particular the Act on the Protection of Personal Data. The supervisory authority competent in Poland is the President of the Personal Data Protection Office with its registered office in Warsaw.
  • Object – the data subject has the right to object at any time, for reasons related to their particular situation, to the processing of their personal data based on Article 6(1)(e) (performance of a task carried out in the public interest or in the exercise of official authority) or (f) (legitimate interest of the Controller), including profiling based on these provisions. In such a case, the Controller is not entitled to further process personal data unless it demonstrates the existence of compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or grounds for establishing, exercising, or defending claims.
  • Object to direct marketing – if personal data is processed for direct marketing purposes based on the Controller's legitimate interest, and not on the basis of the data subject's consent, this person has the right to object at any time to the processing of their personal data for the purposes of such marketing, including profiling, to the extent that the processing is related to direct marketing.

The exercise of the above rights takes place based on a user request sent to the e-mail address indicated above. Such a request should contain the user's first and last name.

The user ensures that the data provided or published by them on the website is correct.

§ 5 Cookies

"Cookies" should be understood as IT data, in particular text files, stored on users' end devices (usually on a computer hard drive or mobile device) used by the user's browser to save specific settings and data for the purpose of using websites. These files allow the user's device to be recognized and the website to be displayed accordingly, ensuring comfort during its use. Storing "cookies" therefore enables the appropriate preparation of the website and offer in terms of user preferences – the server recognizes them and remembers, among other things, preferences such as: visits, clicks, previous actions.

The following Cookies are used on the site:

"Cookies" contain in particular the domain name of the website from which they originate, the time of their storage on the end device, and a unique number used to identify the browser from which the connection to the website is made.

"Cookies" are used for the purpose of:

  • Adapting the content of websites to user preferences and optimizing the use of websites,
  • Creating anonymous statistics which, by helping to determine how the user uses websites, allow for improving their structure and content,
  • Providing website users with advertising content tailored to their interests.

"Cookies" are not used to identify the user and their identity is not determined on their basis.

The fundamental division of "cookies" is their distinction into:

  • Necessary "cookies" – are absolutely essential for the proper functioning of the website or functionalities that the user wants to use, as without them we could not provide many of the services we offer. Some of them also ensure the security of the services we provide electronically.
  • Functional "cookies" – are important for the operation of the website due to the fact that: * – they serve to enrich the functionality of websites; without them, the website will work correctly, but it will not be adapted to the user's preferences, * – they serve to ensure a high level of website functionality; without them, the level of website functionality may decrease, but their absence should not prevent complete use of it, * – they serve most website functionalities; blocking them will cause selected functions not to work correctly.
  • Business "cookies" – enable the implementation of the business model on which the website is made available; blocking them will not cause the unavailability of all functionalities, but may lower the level of service provision due to the inability of the website owner to realize revenues subsidizing its operation. This category includes, for example, advertising "cookies".
  • "Cookies" used for website configuration – enable the setting of functions and services on websites.
  • "Cookies" used for website security and reliability – enable the verification of authenticity and optimization of website performance.
  • "Cookies" examining session status – enable saving information about how users use the website. They may concern the most visited pages or possible error messages displayed on some pages. "Cookies" used to save the so-called "session state" help improve services and increase browsing comfort.
  • "Cookies" examining processes occurring on the site – enable the efficient operation of the website and the functions available on it.
  • "Cookies" conducting analysis, research, or viewership audits – enable the website owner to better understand the preferences of their users and, through analysis, improve and develop products and services. Usually, the website owner or a research company collects information anonymously and processes data on trends, without identifying the personal data of individual users.

The use of "cookies" to adapt website content to User preferences generally does not lead to obtaining information allowing for the direct identification of the User, although in certain cases this information may constitute personal data, i.e., data allowing for the assignment of specific behaviors to a specific User. Personal data collected through "cookies" may be processed only for the purpose of implementing strictly defined functionalities for the User. This data is secured by encryption in a way that prevents access by unauthorized persons.

"Cookies" used on this website are not harmful to either the User or the end device used by them, therefore, to ensure the proper functioning of the service, it is recommended not to block their support in the web browser settings. In most cases, software used for browsing websites allows by default the saving of information in the form of "cookies" and other similar technologies on the User's end device. The User can change the way "cookies" are used at any time through appropriate browser settings configuration. The procedure for changing settings differs depending on the software used, and appropriate instructions are available on the websites of individual browser manufacturers.

As part of the cookie technologies used, the Controller may use tracking pixels or so-called clear GIFs to obtain information regarding how the User uses the offered services and their reaction to marketing communication sent electronically. A pixel is a piece of code allowing for embedding an object on a website, most often in the form of an image the size of one pixel, which allows for monitoring User behavior on the pages where it has been placed. After the User gives appropriate consent, the web browser establishes a direct connection with the server where the pixel is stored, therefore the processing of data obtained through it takes place in accordance with the data protection policy of the entity managing this server.

The Controller may use internet log files, containing technical data, including in particular the User's IP address, for the purpose of monitoring traffic within the provided services, diagnosing and removing technical problems, detecting and preventing abuse and fraud, as well as for enforcing the provisions of the Agreement concluded with the User.

Detailed information on changing settings regarding Cookies and their independent deletion in the most popular web browsers is available in the web browser's help section and on the following pages (just click on the given link):

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Opera
  • Safari macOS
  • Safari iOS/iPad OS

Detailed information about managing cookies on a mobile phone or other mobile device should be found in the user manual of the given mobile device.