Privacy Notice

General Information

1. This Privacy Policy is a set of principles which aims to inform you about all aspects of the process concerning the acquisition, processing, and safeguarding of your personal data. The Policy is addressed to all Users of the Administrator's Website and those using the Newsletter and Survey services.
2. The service of the IdoSell Internet shop for the benefit of the Administrator of the Personal Data is provided by IAI S.A., al. Piastów 30, 71-064 Szczecin, NIP: PL5252767146, KRS: 0000891870, Regon: 381595506. General information related to the handling of information collected by entities who are clients of IAI S.A. and who use the IdoSell system is available at https://www.iai-sa.com/en/privacy-and-safety-policy/.
3. This Policy sets out the principles relating to the processing of personal data by the Personal Data Controller who is:

   TIGRE sp. z o.o.,
   tel. +48 22 11 31 447,
   e-mail: info@venusti.eu,
   NIP 6121861477,
   REGON 367188870.
   Seller's registered address:
   Aleksandra Ostrowskiego 9/508, 53-238 Wrocław
   (hereinafter: ‘Administrator’)

   Contact with the Data Protection Inspector Ms. Daria Bartnicka is possible by means of snail mail addressed to the Administrator's registered office address or by e-mail to: iod@odokancelaria.pl
4. This Policy may be amended and updated in the event of changes in personal data processing practices (taking into account, among other things, the current case law and PUODO guidelines) or changes in generally applicable laws. The Administrator shall inform the Users of any changes to this Policy by posting the relevant information on the Website, and in the case of Users using the Newsletter service by sending this information directly to the User's e-mail address.
5. The use of the Administrator's Website requires the User to be acquainted with the content of this Privacy Policy and, in the case of Newsletter subscription, to accept it.
6. Providing personal data to the Administrator is voluntary; however, in the case of processing the data stored in necessary cookies or communication with the Administrator via the contact form, providing the data will be a necessary condition for the indicated purposes and proper functioning of the Website.

Definitions

1. Controller means the entity that determines the purposes and means of the Processing of Personal Data. The Controller is responsible for ensuring that the Processing is carried out in accordance with applicable data protection laws.
2. Personal Data means any information relating to an identified or identifiable natural person.
3. To Process, Processing or Processed means any operation or set of operations performed on Personal Data, whether or not by automated means, such as: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4. Processor means any natural or legal person who Processes Personal Data on behalf of the Controller (other than the Controller’s own employee).
5. Website - www.venusti.eu
6. Electronic Services - services provided via the Website. The provision of Electronic Services to Users through the Website is carried out under the terms set forth in this Privacy Policy.

Processing of Users' Personal Data

1. The Administrator may obtain Users' Personal Data in particular in the following cases:
   1. Provision of Personal Data by Users (e.g., contact by e-mail, telephone, through or by any other means) on the basis of Article 6(1)(f) of the RODO (legitimate interest of the Administrator - responding to a message, an enquiry) in connection with the need to deal with a reported matter or handle an enquiry,
   2. To assert claims and take action in connection with the defence of the Administrator's rights, to conduct legal proceedings and, inter alia, to enable the use of the Website via cookies, to prevent fraudulent use of the Website in particular to operate, maintain, improve and make available all its functions and to produce compilations, analyses and statistics for the Administrator's internal purposes. This includes, in particular: reporting, marketing research, planning the development of the Website and Electronic Services, development work, creation of statistical models on the basis of Article 6(1)(f) RODO (the aforementioned legitimate interest of the Administrator).
   3. Obtain Users' Personal Data published on social media (Administrator's Fanpage) (e.g., obtaining information from Users' private profile on social media, to the extent that this information is visible as public) on the basis of Article 6(1)(f) RODO (legally justified interest of the Administrator - promotion of own activity and services, running a social profile (Fanpage), building and strengthening relations with customers, conducting analyses and statistics concerning popularity and functioning of the profile, as well as determining, investigating and defending against possible claims concerning the use of the profile, responding to the contact),
   4. The User's consent to the processing of the personal data provided for the purpose of sending the Newsletter, on the basis of Article 6(1)(a) (consent) to send commercial information - Newsletter, to make marketing content available by means of electronic communication, in accordance with Article 398 and the Electronic Communications Law,
   5. Solicit or request Users' Personal Data when Users visit the Administrator's sites or use any features or resources available on or through the Site - cookies precisely and third parties. When Users visit the Website, Users' devices and browsers may automatically provide certain information (such as device type, operating system, browser type, browser settings, IP address, language settings, dates and times of connection to the Website and other technical information regarding communication), some of which may constitute Personal Data. During a visit to the Website, no Personal Data of Users will be stored by the Administrator without an appropriate legal basis. With regard to cookies, the Administrator - apart from the necessary files - shall each time obtain the User's consent to install other cookies (including third-party Google Analytics files). The granting of the aforementioned consent is optional and does not affect the possibility of using the Website. Processing takes place on the basis of Article 6(1)(a) (consent - to the extent of other than essential cookies) and 399 of the Electronic Communications Law (legal provision - to the extent of essential cookies).
   6. User Account: on the basis of Article 6(1)(b) RODO (conclusion of a contract for the provision of electronic services).
   7. Survey: on the basis of Article 6(1)(b) RODO (conclusion of a contract for the provision of electronic services).
2. Provision of personal data is voluntary, not a statutory obligation. However, in certain cases, without providing personal data, it is not possible to use the full functionality of the Website or Electronic Services. Categories of Users' Personal Data processed by the Administrator may, in particular, include:
   1. Personal data: first name(s), last name(s).
   2. Contact details: company details, e-mail address, telephone number.
   3. Message content: all communications (queries, statements, views, and opinions) sent via the contact form or which have been published on the Administrator's website or its Fanpages by the User.
   4. IP number, cookies, and information about the use of our Website and Electronic Services.
   5. Image: in the event of publication of an opinion, leaving a comment, clicking on the "Like this" button on the Administrator's social network (Fanpage) (provided that the User has made his/her image available on his/her private account on this network).
   6. Behavioural data (consent to Google Ads): Information about user activity on websites, clicks on adverts, data on time spent on the website, and interactions with content.

Processing of Users' Personal Data

The Administrator uses fanpage-type profiles on social media. Public data shared by social media Users may be used for:

1. responding to private messages addressed to us,
2. discussion in the comments section under individual posts,
3. sharing our posts with those who follow our Fanpage,
4. marketing to inform you about our services and ourselves through posts we make on our Fanpage, including sponsored posts that are displayed to a wider range of Users,
5. statistical by presenting data on the display of our posts, their reach, the number of interactions; the data presented to us by the owners of the social networks are statistical, but are created on the basis of observation of behaviour on our Fanpage.

Upon liking an Administrator's post, leaving a comment, sending a private message, subscribing to a channel, the Administrator together with:

• Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland,
• Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland,
• TikTok Technology Limited, The Sorting Office, Ropemaker Place, Dublin 2, Dublin, D02 HD23, Ireland,
• Pinterest Europe Ltd. and Pinterest, Inc. Pinterest Europe Ltd. is an Irish company registered at: Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.

become Administrators of your personal data provided on their Fanpage in terms of data processing for statistical and advertising purposes.

We therefore encourage you to read the privacy policy:

• Facebook - https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0
• Instagram - https://privacycenter.instagram.com/policy/
• YouTube - https://policies.google.com/privacy?hl=pl
• TikTok - https://www.tiktok.com/legal/page/eea/privacy-policy/pl
• Pinterest - https://policy.pinterest.com/pl/privacy-policy

Sharing Personal Data with Third Parties

1. The Administrator may share Users' Personal Data:
   1. to persons authorized by the Controller to process the data;
   2. to entities entrusted with the processing of data, e.g., providers of technical services and entities providing advisory or consulting services;
   3. to other controllers, if required by law or in good faith when such disclosure is reasonably necessary to comply with applicable legal obligations, in particular in response to requests from courts or public authorities;
2. If we engage a third party to process Users’ Personal Data, then, pursuant to a data processing agreement concluded with such a party, the Processor will be obliged to:
   1. Process only the Personal Data specified in the prior, written instructions of the Controller; and
   2. Apply appropriate measures to ensure the confidentiality and security of the Personal Data and comply with all other requirements of applicable law.
3. Due to the use of services such as Facebook, Instagram, TikTok, and YouTube, data may be transferred by those entities to third countries – such as the United States of America (USA) or China – in connection with their internal transfers to entities such as Meta Platforms Inc., Google LLC (USA), or Beijing ByteDance Technology Co. Ltd. (China). The Controller has no influence over such transfers.

Third-party Services

1. The Website may contain features or links that redirect you to websites and services provided by third parties, which are not operated or controlled by us. Any information you provide on such websites or services will be subject to their own privacy policies and data processing procedures.
2. The Controller is not responsible for the data processing practices of independent controllers of third-party websites and service providers.
3. We strongly encourage you to review the privacy and security policies of any third-party websites before providing them with your information.

Data Protection

1. The Controller informs that appropriate technical and organizational measures have been implemented to protect Personal Data, in particular to safeguard against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and any other unlawful or unauthorized forms of Processing, in accordance with applicable law.
2. The Controller is not responsible for the actions or omissions of Users. Users are responsible for ensuring that all Personal Data is transmitted to the Controller in a secure manner.
3. Personal Data will not be subject to automated profiling, i.e., automated decision-making concerning the User, which means decisions made by technical means without human involvement that produce legal effects concerning the individual or similarly significantly affect them.

Data Accuracy

1. The Controller takes all appropriate measures to ensure that:
   1. the Users’ Personal Data processed by the Controller is accurate and, where necessary, kept up to date;
   2. all Users’ Personal Data processed by the Controller that is inaccurate (with regard to the purposes for which it is processed) is deleted or rectified without undue delay;
2. The Controller may, at any time, ask Users to confirm the accuracy of the Personal Data being processed.

Data Minimisation

The Administrator shall take all appropriate measures to ensure that the scope of Users' Personal Data it processes is limited to Personal Data adequately required for the purposes indicated in this Policy.

International Data Transfer

Personal data may be shared and processed outside the European Economic Area (the European Economic Area consists of: European Union and Iceland, Liechtenstein and Norway, collectively the "EEA"). If personal data is transferred outside the EEA, the Administrator requires appropriate safeguards. The Administrator will comply with its obligations under Chapter V of the RODO to ensure the correctness of such processing based, inter alia, on the European Commission's decisions on the appropriate level of privacy protection of the EU-US Data Privacy Framework.

Retention Period of Personal Data

1. The criteria determining the length of time for which the Controller stores Users’ Personal Data are as follows: the Controller retains copies of Users’ Personal Data in a form allowing identification only for as long as necessary to achieve the purposes set out in this Privacy Policy, unless a longer retention period is required by applicable law. In particular, the Controller may retain Users’ Personal Data for the entire period necessary to establish, pursue, or defend legal claims (in accordance with the limitation periods under Article 118 of the Polish Civil Code).
2. Personal Data is stored:
   1. for a period of 30 days from the moment of contact (via telephone or email through the Website); personal data may be stored for a longer period if, as a result of the inquiry, the User chooses to use the Controller’s services (e.g., Newsletter);
   2. in the case of using our services (conclusion of a contract), for the duration of the contract and the period necessary to handle submitted complaints, until the resolution of any disputes and final settlement of the parties, taking into account the applicable limitation periods;
   3. for internal administrative purposes of the Controller, as well as for other data processing purposes where the legal basis is the Controller’s legitimate interest—personal data will be stored until such legitimate interests have been fulfilled or until an objection is filed against such processing, provided that the Controller has carried out a proper balancing test of the User’s interests and the basis for the Controller’s processing;
   4. in the case of data processed on our Fanpage, until an objection to further processing is submitted by clicking "unlike", withdrawing a like on a post, deleting a post comment, or unsubscribing from the Fanpage;
   5. in the case of using our Newsletter services, for the duration of the service or until consent for receiving commercial information via electronic communication is withdrawn.

Google Analytics

1. The Controller uses the Google Analytics tool provided by Google LLC, with infrastructure managed by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The Controller indicates that Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, USA) has joined the EU-U.S. Data Privacy Framework, which ensures an adequate level of personal data protection in accordance with the provisions of the GDPR.
2. Google Analytics enables the following:
   1. Tracking website traffic: information on the number of users, number of visits, and traffic sources (e.g., advertisements, search engines, social media platforms);
   2. Monitoring user behavior: analysis of which pages are most frequently visited, time spent on the site, and bounce rate;
   3. User segmentation: demographic, geographic, and technological data (e.g., device type, browser);
   4. Tracking goals and conversions: analysis of how users complete certain actions such as purchases, newsletter subscriptions, or downloads of materials.
3. Google Analytics processes data that may include:
   1. IP addresses: used to determine the geographical location of users, which—when combined with other information—may constitute personal data;
   2. Cookies: storing unique user and session identifiers that enable the tracking of user activity, but only after the User has given the appropriate consent;
   3. Technical data: such as browser type, operating system, screen resolution, and internet service provider.
4. The Controller uses the IP anonymization feature, which disables the possibility of identifying Users (the last octet of the IP address is masked before data is stored or processed).
5. The Controller processes data using the specified tool for the purpose of providing analytics and reports on website traffic and the effectiveness of marketing activities, based on the Controller’s legitimate interest and the User’s consent (acceptance of Google Analytics cookies). The Controller has concluded a Data Processing Agreement (DPA) with Google, which regulates data security requirements in accordance with applicable law.
6. The Controller uses the Consent Mode which enables measurement of traffic and conversions on the Website even if the User does not consent to the use of cookies—while maintaining full compliance with GDPR. In this case, a tracking code is implemented that allows the collection of only basic, anonymized, and aggregated data such as time spent on the Website and referring page information, and allows the measurement of conversions from advertising campaigns. If the User provides consent for specific types of data processing (e.g., Google Analytics cookies), the relevant tags will function fully. If consent is not given, the tools will still operate but in a limited mode, collecting anonymous information without any possibility of identifying the User. The Consent Mode helps meet the requirements of the GDPR and the ePrivacy Directive, respecting Users’ choices regarding cookie consent.
7. The retention period for data collected via Google Analytics cookies, in the case of consent, is 14 months.
8. We encourage you to review Google’s Privacy Policy available at: https://policies.google.com/privacy?hl=en.
9. Users may configure their browser settings to block cookies related to Google Analytics. Google Analytics uses cookies such as _ga, _gid, and _gat.
10. Users may also opt to block Google Analytics by using a browser add-on. Google offers a browser opt-out add-on, which can be downloaded from the official website: https://tools.google.com/dlpage/gaoptout. Once installed, the add-on prevents the transmission of data to Google Analytics from all websites visited.

Google Ads

1. The Controller uses the Google Ads advertising tool provided by Google LLC, with infrastructure operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The Controller acknowledges that Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, USA) has joined the EU-U.S. Data Privacy Framework, which ensures an adequate level of protection for the processing of personal data in accordance with the GDPR.
2. The Google Ads service enables the use of tracking technologies such as cookies and remarketing tags, which allow for the display of advertisements tailored to users’ interests.
3. Google Ads may collect and process data concerning users’ interactions with our advertisements and website, including the following:
   • IP addresses,
   • device identifiers,
   • browser information,
   • geolocation data, and
   • browsing history.
   These data are collected for the purposes of evaluating the effectiveness of advertising campaigns and optimizing ad content.
4. Users can manage their advertising preferences through the Google Ads settings panel (https://adssettings.google.com) and can also opt out of personalized advertising by using the Network Advertising Initiative opt-out tool: https://www.networkadvertising.org/choices/
5. We encourage you to review Google’s Privacy Policy available at: https://policies.google.com/privacy?hl=en

Facebook Pixel

1. When using the Facebook Pixel service, the Controller becomes a joint controller of personal data together with the service provider, i.e., Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland. The scope of joint processing/joint controllership includes:
   1. the collection of personal data; and
   2. the transmission of such data to Facebook.
2. The categories of personal data subject to joint controllership in connection with the Controller’s use of the Pixel on its website include:
   1. HTTP header information, which contains details about the browser or app used (e.g., user agent, locale/country/language settings);
   2. Information regarding standard/optional events, such as "Page View" or "App Installation", additional object properties, as well as buttons clicked by website visitors, depending on the configuration of the Business Tool;
   3. Online identifiers, including IP addresses and, where provided, identifiers associated with Meta or device identifiers (e.g., advertising identifiers in mobile operating systems), as well as information about opt-outs or limits on ad tracking.

   Please note that subsequent processing of personal data by Meta Ireland is not part of the joint processing with the audited party (the Controller).

3. Third parties, including Meta, may use cookies, web beacons, and similar technologies to collect or receive information from your website and elsewhere on the internet and use that information to provide measurement services, targeted advertising, and ad delivery. Users can opt out of the collection and use of their information for ad targeting. More details are available at: https://pl-pl.facebook.com/business/help/165516217407801?id=1913105122334058 Additionally, Users may make choices using industry opt-out tools such as: http://www.aboutads.info/choices and http://www.youronlinechoices.eu/.
4. We encourage Users to review Meta’s joint controllership terms, available at: https://www.facebook.com/legal/controller_addendum as well as the Facebook Business Tools Terms of Service available at: https://www.facebook.com/legal/terms/businesstools and to use available mechanisms to manage their preferences regarding data processing and advertising.

Cookies

1. When you use the Website, certain user-related information is collected automatically. This data may include:
   1. IP address,
   2. domain name,
   3. browser type,
   4. operating system type.
2. This data may be collected through:
   1. cookies,
   2. Google Analytics system,
   3. and may also be logged in the server logs.
3. Cookies are small text files stored by your browser on your computer’s hard drive or smartphone memory card. During subsequent visits to the Website, the data stored in the cookie file is sent back to the Website. This allows the Website to recognize you and tailor its content to your preferences.
4. In order to improve our Website, deliver the most relevant content, and analyze how Users interact with the Website, we may use cookies.
5. We may process data stored in cookies for the following purposes:
   1. personalizing the Website: remembering information about the User so they do not have to re-enter it during subsequent visits;
   2. delivering user-tailored advertisements, content, and information;
   3. monitoring aggregate metrics related to Website usage, such as total visits and page views.
6. We use the following types of cookies:
   1. session cookies, which are temporary files stored on the User’s device until they leave the Website;
   2. persistent cookies, which are stored on the User’s device for a specified period defined in the cookie parameters or until manually deleted.
7. We classify cookies into the following categories:
   1. Functional cookies – essential for the proper functioning of the Website. They are used to remember, for example, login sessions, language preferences, form inputs, and privacy settings. You may block them in your browser settings, but some parts of the Website may not function correctly as a result.
   2. Analytical cookies – help us analyze the number of visits and sources of traffic. They enable us to determine which pages are more or less popular and see how visitors navigate the Website. This helps us evaluate traffic and improve overall performance. Information collected by these cookies is aggregated and not intended to identify you directly. If you do not allow these cookies, we will not know when you visited our Website.
   3. Advertising cookies – allow us and our partners to tailor advertising content to your interests, not only on our Website but also on other websites. These cookies may be installed by advertising partners through our site. Based on the information from these cookies and your activity on other sites, an interest profile may be created. Advertising cookies do not directly store personal data, but identify your browser and device. If you do not allow these cookies, you will still see ads, but they will not be personalized.
8. We use analytics and similar services that include third-party cookies. While using the Website, third-party cookies may be used to enable Website functionality, support integration with other platforms, analyze the effectiveness of advertising campaigns, and collect anonymous statistical data related to Website usage.
9. This Privacy Policy does not regulate the use of third-party cookies. Each third party defines its own rules for cookie usage in its privacy policy. We encourage Users to review those policies. You can find more information about data processing in Google Analytics here:

   https://support.google.com/analytics/answer/6004245
   And regarding Facebook Pixel: https://www.facebook.com/privacy/policy

10. Users can manage their cookie preferences at any time using the dedicated cookie management tool available on the Website. Please note that refusing, deleting, blocking, or limiting cookies may make it difficult or even impossible to use certain features of the Website.

Newsletter

1. The use of the marketing communication service (Newsletter) for direct marketing purposes is voluntary and available only upon the prior consent of the individual concerned.
2. The Newsletter service is provided through the IdoSell platform: https://www.iai-sa.com/en/privacy-policy-and-security/.
3. Marketing communications are sent via the following channels and formats:
   1. by email in the form of electronic mail messages,
   2. via telecommunications end devices in the form of SMS text messages.
4. Subscription to the Newsletter is carried out by completing the registration form available on the Controller’s Website (by providing personal data such as name, phone number, and email address), and by accepting this Privacy Policy, which governs the rules of data processing and service provision.
5. The Newsletter service is provided free of charge for an indefinite period and may be sent irregularly.
6. The Service Recipient may unsubscribe from the Newsletter at any time with immediate effect by notifying the Service Provider via email at: kontakt@poyerbani.pl or by clicking the unsubscribe link included in every Newsletter message. Unsubscribing is equivalent to terminating the agreement for the provision of electronic services related to the Newsletter.
7. The Controller is not responsible for any false information provided by the User or for the non-delivery of the Newsletter due to reasons beyond the Controller’s control (e.g., technical issues on the part of the internet service provider).
8. The Controller undertakes to provide the Newsletter service in accordance with this Policy and applicable legal provisions, including the protection of Users’ personal data in accordance with the GDPR and the national data protection law. The User undertakes to use the service in compliance with applicable law and this Policy and not to provide any unlawful content.

Account

1. The Controller provides the Account service electronically. The service is provided in accordance with applicable law, in particular the Act of 18 July 2002 on the Provision of Electronic Services and the Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
2. The Account service consists in the creation of an individual User account on the Website, which enables the purchase of the Controller’s products. The Terms and Conditions are available at: https://www.venusti.eu/eng-terms.html

Survey

1. The Controller provides a service in the form of a survey. The purpose of the survey is to provide the User with its results in the form of:
   1. dedicated product recommendations.
2. The Controller will make every effort to respond to the User’s inquiry within no more than 24 hours.

Provision of Electronic Services

1. It is strictly prohibited for Users to provide or transmit any unlawful content.
2. The User is obligated to use the Controller’s Website and the Services offered in a manner that is compliant with applicable laws, good practices, and with the use of information that is factually accurate. The User must also refrain from any actions that violate this Policy. The Controller shall not be held liable for any false information provided by the User or for failure to deliver the service due to reasons beyond the Controller’s control (e.g., technical issues on the side of the internet service provider).
3. The User undertakes to maintain confidentiality and not to disclose to any third party any information obtained in connection with the provision of the Services by the Controller, including but not limited to commercial, organizational, technical, or financial information.
4. The technical requirements necessary for the proper functioning of the Services provided electronically include: access to the Internet; a device that enables such access such as a computer, laptop, or other mobile device with an internet browser; an active and properly configured email account; and an up-to-date version of a browser that supports cookies (e.g., Internet Explorer, Opera, Mozilla Firefox, Safari, Google Chrome).
5. The use of internet-based Services—despite the implementation of appropriate security measures by the Controller aimed at preventing or significantly impeding hacking attacks—may carry the risk of the User’s IT system being infected with malware. Therefore, the Controller additionally recommends the use of up-to-date antivirus software and an active, properly configured firewall by the User.
6. The User has the right to file a complaint regarding the provision of electronic services. Complaints should be submitted in writing to the Controller’s registered address or by email (as specified in Section I of this Policy). The complaint should include the User’s full name and email address (for email submissions), a detailed description of the issue that is the basis of the complaint, and the User’s specific request regarding the resolution. The Controller shall review the complaint within 14 days of its receipt. The User will be informed of the result of the complaint handling process via the same communication channel used to submit the complaint.

Users' Rights in Relation to the Processing of Their Personal Data

1. In connection with the processing of your personal data, you are entitled to the following rights:
   1. Right of access to personal data – upon your request, the Controller will provide information regarding the processing of your personal data, including in particular: the purposes, legal bases, scope of data being processed, recipients to whom the data is disclosed, and the planned retention period. Under this right, you may also request information about whether your data is subject to profiling or automated decision-making, and request a copy of your personal data;
   2. Right to rectification – upon your request, the Controller will correct any inaccuracies or errors in your personal data and supplement or update it if it is incomplete or outdated;
   3. Right to erasure (right to be forgotten) – upon your request, the Controller will delete your personal data if it is no longer necessary for the purposes for which it was collected, if you withdraw your consent for its processing, or if you object to its processing—unless retention is required for the establishment, exercise, or defense of legal claims by the Controller;
   4. Right to restriction of processing and right to data portability – upon your request, the Controller will suspend processing of your personal data in accordance with applicable law, and if legally permitted, provide you with a copy of the data in a structured, commonly used and machine-readable format;
   5. Right to lodge a complaint – if you believe that your personal data is being processed in violation of the applicable law, you have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) at ul. Stawki 2, 00-193 Warsaw, Poland;
   6. Right to object – you may object at any time to the processing of your personal data for purposes based on legitimate interest, including direct marketing. If personal data is processed for direct marketing purposes, you have the right to object at any time, and the Controller will cease processing your data for such purposes;
   7. Right to withdraw consent – if your personal data is processed on the basis of your consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. However, it means that we will no longer use your personal data for the purposes based on that consent from the moment of withdrawal.
2. A request to exercise any of the rights described above may be submitted by traditional mail to the Controller’s registered address, or via email to the address specified in Section I of this Privacy Policy.
3. To facilitate handling of your request, we ask that you provide as much detail as possible regarding the nature of your request—in particular, the recipient of the request and which specific right you wish to exercise. If the Controller is unable to determine the content of the request or identify the requesting person based on the submitted information, you may be asked to provide additional details.