+48 52 364 11 60
PRIVACY POLICY
1. This Privacy Policy sets out the rules for the collection, processing and use of personal data obtained by the following websites: planikafires.com, planikafires.pl, planikafires.es, planikafires.it, planikafires.fr, planikafires.de, sklep.planika.com, shop.planika.com, store.planika.com, q-boo.com (hereinafter referred to as: “the Websites”).
2. The owner of the Website is PLANIKA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Bydgoszcz (85-862), ul. Bydgoskich Przemysłowców 10, NIP: 5542520460, REGON: 093115222, entered in the Register of Entrepreneurs maintained by the District Court in Bydgoszcz, 13th Commercial Division of the National Court Register, under KRS number 0000151091, with share capital of PLN 50,000; email: [email protected], hereinafter referred to as PLANIKA SP. Z O.O. PLANIKA SP. Z O.O. is also the Data Controller.
3. Personal data collected by PLANIKA SP. Z O.O. via the Services is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also known as the GDPR.
4. PLANIKA SP. Z O.O. takes particular care to respect the privacy of Users visiting the Websites.
Article 1 – Type of data processed, purposes and legal basis
1. PLANIKA SP. Z O.O. collects data from natural persons conducting business or professional activities in their own name (hereinafter referred to as Entrepreneurs) and data from natural persons carrying out legal transactions not directly related to their business activities, hereinafter referred to as Customers.
2. Customers’ personal data is collected for the purpose of:
a) placing an order on the Website operating an online shop for the purpose of performing the sales contract. Legal basis: processing is necessary for the performance of the sales contract (Article 6(1)(b) of the GDPR);
b) using the contact form service to obtain answers to questions asked. Legal basis: processing is based on the user’s consent and for the purposes of the Data Controller’s business activities (Article 6(1)(a) and Article 6(1)(f) of the GDPR).
3. When placing an order on a website operating an online shop, the Customer provides the following data:
a) email address;
b) address details:
a. postcode and place of residence;
b. country;
c. street and house/flat number.
c) first name and surname;
d) telephone number;
4. In the case of business customers, the scope of data is further extended to include:
a) company name;
b) tax identification number.
5. When using the contact form service, the Customer provides the following details:
a) email address;
b) first name and surname;
c) telephone number;
6. Whilst browsing the Website, additional information may be collected, such as the IP address assigned to the User’s computer or the external IP address of the internet service provider, domain name, browser type, time of access, and operating system type.
7. Navigation data may also be collected from Customers, including information about the links and references they click on or other actions they take on the Websites. Legal basis – legitimate interest (Article 6(1)(f) of the GDPR), consisting in facilitating the use of services provided electronically and improving the functionality of those services.
8. For the purposes of establishing, pursuing and enforcing claims, personal data provided by the Customer whilst using the functionality of the Websites may be disclosed, such as: first name, surname, information on the use of services, if the claims arise from the manner in which the Customer uses the services, and other data necessary to prove the existence of a claim, including the extent of the damage suffered. Legal basis – legitimate interest (Article 6(1)(f) of the GDPR) in the form of establishing, pursuing and enforcing claims, and defending against claims in court proceedings and before other state authorities.
A detailed description of the purposes of personal data processing is set out in the table below:
| Purpose | Personal data | Legal basis for processing | Data retention period | ||||||||||
| USE OF THE WEBSITES By operating the Websites, the Data Controller enables Users to visit them and view the content posted there. | |||||||||||||
| Provision of electronic services relating to and the sharing of content collected on the Websites | IP address | Article 6(1)(b) of the GDPR, i.e. processing for the purpose of taking steps at your request prior to entering into a contract, as well as processing necessary for the performance of a contract to which you are a party | until the provision of the electronic service is completed | ||||||||||
| Conducting analyses and compiling statistics | information about actions taken on the website (on the Services), analysis of website traffic | Article 6(1)(f) of the GDPR, consisting of analysing Users’ activity and preferences in order to improve the functionalities used and the services provided | until a valid objection is made | ||||||||||
| Establishing and pursuing claims or defending against claims | information on actions taken on the website (on the Services), analysis of website traffic | Article 6(1)(f) of the GDPR, consisting of the protection of its rights and legitimate business interests | 6 years in the case of consumer claims; 3 years in the case of claims by businesses or against businesses | ||||||||||
| Marketing activities of the Controller and other entities | information about activities undertaken on the website (on the Services), analysis of website traffic | the rules for processing personal data for marketing purposes are described in the Marketing Activities section | |||||||||||
| CREATING AND MANAGING AN ACCOUNT ON THE WEBSITES To use the full functionality of the sales websites, you must register an Account. Creating and using an Account involves the ADO processing the personal data of account holders. | |||||||||||||
| Account creation and management – provision of electronic services | first name, surname, email address, telephone number, postal address – personal data necessary for the creation and management of an Account | Article 6(1)(b) of the GDPR, i.e. processing for the purpose of taking steps at your request prior to entering into a contract, as well as processing necessary for the performance of a contract to which you are a party | until the provision of the electronic service is completed | ||||||||||
| Handling of complaints submitted by customers | first name, surname, email address, telephone number, content of correspondence | Article 6(1)(c) of the GDPR in conjunction with the provisions of the Consumer Rights Act (relating to compliance with a legal obligation) | until the complaint process is completed | ||||||||||
| Pursuing claims and defending against claims arising from the concluded contract or related to the provision of services (including conducting court proceedings) | first name, surname, address, e-mail , telephone number, content of correspondence | Article 6(1)(f) of the GDPR (the data controller’s legitimate interest in protecting its rights) | 6 years in the case of consumer claims; 3 years in the case of claims by businesses or by against businesses | ||||||||||
| PROVISION OF BASIC SERVICES – PLACING ORDERS, SALE OF GOODS | |||||||||||||
| Placing orders and fulfilling sales contracts | first name and surname, email address, telephone number, address details (street, building number, flat number, postcode, town, country), VAT number (if an invoice is issued), order details | Article 6(1)(b) of the GDPR, i.e. processing for the purpose of taking steps at your request prior to entering into a contract, as well as processing necessary for the performance of a contract to which you are a party | until the contract has been performed | ||||||||||
| Handling of complaints submitted by customers | first name, surname, email address, telephone number, country, product name, product serial number, type of fuel used in the product, place of purchase, content of correspondence, | Article 6(1)(c) of the GDPR in conjunction with the provisions of the Consumer Rights Act (relates to compliance with a legal obligation) | until the complaint process is concluded | ||||||||||
| Pursuit of claims and defence against claims arising from the concluded contract or related to the provision of services (including the conduct of court proceedings) | first name, surname, delivery address, e- mail address, content of correspondence, IP address, bank account number, payment card number, scope of order | Article 6(1)(f) of the GDPR (legitimate interest of the data controller, consisting in the protection of the data controller’s rights) | 6 years in the case of consumer claims; 3 years in the case of claims by or against businesses | ||||||||||
| Fulfilment of statutory obligations arising from tax and accounting regulations | scope of data specified by applicable regulations | Article 6(1)(c) of the GDPR in conjunction with tax regulations concerning personal income tax (relates to compliance with a legal obligation) | 5 years from the start of the year following the financial year in which the service was provided | ||||||||||
| Fulfilment of a legal obligation under the Goods and Services Tax Act – invoice data is transferred to the KSeF operated by the Head of the National Tax Administration. The Head of the National Tax Administration, as the body responsible for the operation of the KSeF, is in fact a separate controller of the personal data processed in this system. Planika sp. z o.o. is the controller of the data it enters into the system; however, once the data has been sent to KSeF, the Head of the National Tax Administration becomes the controller of that data in terms of its storage, security and disclosure to authorised bodies. | first name, surname, company name, address, name of the purchased goods, payment date, bank account details, contact details | Article 6(1)(c) of the GDPR in conjunction with Article 106e of the Goods and Services Tax Act | 10 years | ||||||||||
| ADDITIONAL SERVICES AND SUPPORT FOR SERVICES PROVIDED BY THIRD PARTIES We enable the use of additional services or services offered by third parties (related to the financing of goods purchases). | |||||||||||||
| Support for credit services provided by Shoppay, PayPal, GPay, przelewy24.pl, PayPro | first name, surname, email address, details of the order placed | Article 6(1)(f) of the GDPR (the data controller’s legitimate interest in expanding the availability of its services) | until the end of the use of the data controller’s services or the effective objection to the processing of personal data | ||||||||||
| Provision of services – device management service (fireplaces) using the functionality of the Planika Control App | surname, first name, email address, postal address, country, telephone number, | Article 6(1)(a) of the GDPR (processing based on your consent to the processing of your personal data) | until you withdraw your consent to the processing of personal data | ||||||||||
| Provision of services – device (fireplace) maintenance service using the functionality of the Planika BEV App | email address, first name, chimney model ka, IP address | Article 6(1)(a) of the GDPR (processing based on your consent to the processing of your personal data) | until you withdraw your consent to the processing of personal data | ||||||||||
| Pursuing claims and defending against claims related to the provision of additional services (including conducting legal proceedings) | first name, surname, email address, telephone number, content of correspondence | Article 6(1)(f) of the GDPR (the data controller’s legitimate interest in protecting its rights) | 6 years in the case of consumer claims; 3 years in the case of claims by or against businesses | ||||||||||
| NEWSLETTER DISTRIBUTION The newsletter is one of the tools used to communicate with customers. The data controller uses it to present and promote its commercial activities. The processing of personal data is based on the agreement concluded with us regarding the newsletter and consent to receive commercial content in accordance with the Electronic Communications Act (PKE) – which may be withdrawn at any time. | |||||||||||||
| Sending the newsletter – promotion of the ADO brand and products | email address , first name | Article 6(1)(b) of the GDPR, i.e. processing for the purpose of taking steps at your request prior to entering into a contract, as well as processing necessary for the performance of a contract to which you are a party in accordance with the provisions of the Electronic Communications Act | until the completion of the provision of the service by electronic means | ||||||||||
| USE OF THE FORM FOR DESIGN CONSULTATIONS WITH CUSTOMERS The form is one of the tools used to communicate with customers. ADO uses it to present and promote its commercial activities. | |||||||||||||
| Contact with a potential customer – promotion of the ADO brand and products | email address, first name, industry, subject of the conversation, message content, | Article 6(1)(a) of the GDPR (processing based on your consent to the processing of your personal data) | until consent to the processing of personal data is withdrawn | ||||||||||
| Prevention of breaches in communication – ensuring compliance regarding the removal or moderation of illegal content | email address, first name, bran , conversation topic, message content, | processing is necessary for compliance with a legal obligation (Article 6(1)(c) of the GDPR in conjunction with Regulation (EU) 2022/2065 of the European Parliament and of the Council (EU) 2022/2065 of 19 October 2022 on the Digital Services Act and amending Directive 2000/31/EC (Digital Services Act) | 3 years from the end of the year in which the infringement occurred | ||||||||||
| SENDING A LOOKBOOK ORDERED BY THE CUSTOMER | |||||||||||||
| Contact with a potential customer – promotion of the ADO brand and goods | email address, first name, industry, | Article 6(1)(a) of the GDPR (processing based on your consent to the processing of your personal data) | until consent to the processing of personal data is withdrawn | ||||||||||
| USE OF THE CONTACT FORM Using this feature enables ADO to contact you regarding matters related to its business activities. | |||||||||||||
| Contacting customers for purposes related to the provision of services, promotion of the ADO brand and goods via available communication channels, including email, telephone, chat and social media (Facebook, Instagram, YouTube, LinkedIn, Pinterest, TikTok) | first name, email address, industry, subject of correspondence ji, content of correspondence with regard to contact forms on social media: profile photo, information on education and professional experience , location details, comments and content you post on our social media profiles | Article 6(1)(a) of the GDPR (processing based on your consent to the processing of your personal data) | until you withdraw your consent to the processing of personal data | ||||||||||
| Prevention of breaches in communication – ensuring compliance regarding the removal or moderation of illegal content | name, email address, telephone number , content of correspondence in relation to social media contact forms: profile photo, information on education and professional experience , location information, comments and content that you post on our social media profiles | processing is necessary for compliance with a legal obligation (Article 6(1)(c) of the GDPR in conjunction with Regulation of the European Parliament and of the Council (EU) 2022/2065 of 19 October 2022 on the Digital Services Act and amending Directive 2000/31/EC (Digital Services Act) | 3 years from the end of the year in which the infringement occurred | ||||||||||
| Pursuit of claims and defence against claims arising from the concluded contract or related to the provision of services (including conducting court proceedings) | name, email address, telephone number , content of correspondence | Article 6(1)(f) of the GDPR (the data controller’s legitimate interest in protecting the data controller’s rights) | 6 years in the case of consumer claims; 3 years in the case of claims by businesses or against businesses | ||||||||||
| USE OF THE CHAT FUNCTION The use of this function enables the Data Controller to contact you regarding matters related to its business activities. | |||||||||||||
| Contacting customers for purposes related to the provision of services, and the promotion of the Data Controller’s brand and goods | first name, email address, content of the conversation | Article 6(1)(a) of the GDPR (processing based on your consent to the processing of your personal data) | until you withdraw your consent to the processing of personal data | ||||||||||
| Preventing breaches in communication – ensuring compliance regarding the removal or moderation of illegal content | name, email address, content of the conversation | processing is necessary for compliance with a legal obligation (Article 6(1)(c) of the GDPR in conjunction with Regulation (EU) 2022/2065 of the European Parliament and of the Council (EU) 2022/2065 of 19 October 2022 on the Digital Services Act and amending Directive 2000/31/EC (Digital Services Act) | 3 years from the end of the year in which the breach occurred | ||||||||||
| Pursuit of claims and defence against claims arising from the concluded contract or related to the provision of services (including the conduct of court proceedings) | name, email address, content of the conversation | Article 6(1)(f) of the GDPR (the data controller’s legitimate interest in protecting its rights) | 6 years in the case of consumer claims; 3 years in the case of claims by or against businesses | ||||||||||
| CONDUCTING ANALYSES AND STATISTICS The Data Controller uses personal data for analytical and statistical purposes. It analyses purchasing preferences and improves the quality and scope of services. The processing of personal data takes place via cookies and similar technologies, following consent to the storage of such information on the end device. | |||||||||||||
| Analysis of traffic on the Websites | IP address, time of visit, device and browser information, as well as information regarding the use of the Website | Article 6(1)(a) of the GDPR, i.e. processing based on your consent to the processing of your personal data | until you withdraw your consent to the processing of personal data | ||||||||||
| MARKETING ACTIVITIES ADO may also use personal data for the purpose of marketing the goods offered by ADO. Marketing activities may consist of: displaying marketing content on the website that is not tailored to your preferences – in which case the processing of personal data is based on ADO’s legitimate interest in promoting its business activities; displaying marketing content on the website that is tailored to your preferences (based on profiling). Personal data is processed for marketing purposes on the basis of consent, which you may withdraw at any time. This type of personal data processing also applies to situations where data collected via cookies is processed. | |||||||||||||
| Direct marketing of our own goods and services, including remarketing | name, IP address, email address, browser data | Article 6(1)(f) of the GDPR, i.e. processing for the purposes of our legitimate interest in direct marketing of our own services, including remarketing | until you object to the processing of your personal data | ||||||||||
| Displaying adverts based on previously viewed content (based on profiling) | first name, IP address, e-mail address, browser data, purchasing preferences | Article 6(1)(a) of the GDPR: processing based on the consent you have given to for the processing of your personal data | until you withdraw your consent to the processing of personal data | ||||||||||
| Sending commercial information electronically using various forms of communication | telephone number or email address | Article 6(1)(a) of the GDPR in conjunction with the provisions of the Electronic Communications Act | until consent to the processing of personal data is withdrawn | ||||||||||
| SOCIAL MEDIA PROFILES The Data Controller maintains public profiles on the social media platforms Facebook, Instagram, LinkedIn, Pinterest, YouTube, Pinterest and TikTok. We process data left by visitors to these profiles (e.g. comments, likes). | |||||||||||||
| Effective management of profiles, by providing users of these platforms with information about the Data Controller’s activities | ’s behaviour on the profile, likes, comments, opinions | Article 6(1)(f) of the GDPR (the legitimate interest of ADO, consisting in promoting its own brand and improving the quality of services provided | until an objection is raised against regarding the processing of personal data | ||||||||||
| Statistics and analysis of traffic on profiles | Article 6(1)(f) of the GDPR (the data controller’s legitimate interest, consisting in promoting its own brand and improving the quality of the services provided | until you object to the processing of your personal data | |||||||||||
| Pursuit of claims and defence against claims | data disclosed in connection with a specific claim | Article 6(1)(f) of the GDPR (the data controller’s legitimate interest in promoting its own brand and improving the quality of the services provided | until you object to the processing of your personal data | ||||||||||
| Prevention of breaches in communication – ensuring compliance regarding the removal or moderation of illegal content | name, email address, content of the post | processing is necessary for compliance with a legal obligation (Article 6(1)(c) of the GDPR in conjunction with Regulation (EU) 2022/2065 of the European Parliament and of the Council (EU) 2022/2065 of 19 October 2022 on the Digital Services Market and amending Directive 2000/31/EC (Digital Services Act) | 3 years from the end of the year in which the infringement occurred | ||||||||||
| PREVENTING ABUSE AND ENSURING THE SECURITY OF THE SERVICE In order to ensure the proper functioning of the Service, the ADO monitors the actions taken by users to ensure they do not engage in activities that hinder other customers from making purchases. This analysis is carried out based on users’ transaction history, without automated data processing. | |||||||||||||
| Preventing abuse | scope of activity on the Services, purchase history , first name and surname | Article 6(1)(f) of the GDPR (the data controller’s legitimate interest, consisting in the protection of the data controller’s rights and its business activities | until a valid objection is lodged | ||||||||||
| Asserting claims and defending against claims (including conducting court proceedings) | scope of activity on the Websites, purchase history, first name and surname | Article 6(1)(f) of the GDPR (the data controller’s legitimate interest, consisting in the protection of the data controller’s rights and its business activities | until a valid objection is lodged | ||||||||||
| Ensuring the security of the Services (services provided electronically), including enforcing compliance with the rules set out in the Terms and Conditions, in particular preventing breaches of applicable regulations, and removing and moderating illegal content | data relating to the use of the Service, history of activity on the website | Article 6(1)(b) of the GDPR (necessity for the conclusion and performance of the Contract) and Article 6(1)(c) of the GDPR in conjunction with Regulation (EU) 2022/2065 of the European Parliament and of the Council (EU) 2022/2065 of 19 October 2022 on the Digital Services Act and amending Directive 2000/31/EC (Digital Services Act) | 3 years from the end of the year in which the infringement occurred | ||||||||||
| To enable the proper performance of the contract | first name, surname, name and address of the organisation, position held | Article 6(1)(f) of the GDPR – for the purposes of the legitimate interests pursued by the data controller | for the period necessary to pursue the interests and fulfil the obligations | ||||||||||
| VERIFICATION OF PERSONS ON SANCTIONS LISTS The data controller is obliged to verify whether it cooperates, directly or indirectly, with entities on the list of entities maintained by the Minister of the Interior and Administration of the Republic of Poland, pursuant to: the Act on Special Measures to Counteract Support for Aggression against Ukraine and to Protect National Security of 13 April 2022;Council Regulation (EC) No 765/2006 of 18 May 2006 concerning restrictive measures in view of the situation in Belarus and Belarus’s involvement in Russia’s aggression against Ukraine;Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine. | |||||||||||||
| Fulfilment of obligations imposed by applicable legal provisions | first name, surname, inclusion on the sanctions list, country, type of sanctions | Article 6(1)(c) of the GDPR in conjunction with the Act on Special Measures to Counteract Support for Aggression against Ukraine and to Protect National Security of 13 April 2022 and the aforementioned regulations | for the duration of the data controller’s legal obligation, taking into account the period of cooperation with the contractor, which is subject to verification | ||||||||||
| NETWORKING The Data Controller participates in business events and meetings. Establishing business relationships is one of the purposes of such meetings – therefore, we process personal data. | |||||||||||||
| Building and utilising lasting mutual business contacts (networking) during business meetings, at industry events or through the exchange of business cards – for purposes related to initiating and maintaining business contacts | first name, surname, job title, name and address or of the organisation, telephone number, email address | Article 6(1)(f) of the GDPR – legitimate interest – networking in connection with business activities | until a valid objection is lodged | ||||||||||
| TELEPHONE CONTACT Customers may contact the Data Controller by telephone, both in matters related to and unrelated to the concluded contract or the services provided. Telephone contact is also possible via a dedicated helpline. | |||||||||||||
| Customer and client service | first name, surname, content of the conversation | Article 6(1)(f) of the GDPR – legitimate interest of the Data Controller – necessity of processing for the provision of services | until a valid objection is lodged | ||||||||||
| CCTV MONITORING In order to ensure the safety of persons and property, the Controller uses CCTV monitoring. Access to the premises and the grounds managed by the Controller is subject to monitoring. The area covered by the Controller’s monitoring is marked with appropriate signs. | |||||||||||||
| Ensuring the safety of persons and property and maintaining order on the premises | images of persons present on the premises belonging to the ADO | Article 6(1)(f) of the GDPR: the ADO’s legitimate interest – ensuring the safety of persons and property on the premises managed by the Controller | until a valid objection is lodged | ||||||||||
| Pursuing claims and defending against claims | image | Article 6(1)(f) of the GDPR: the data controller’s legitimate interest – protection of the data controller’s rights | until a valid objection is lodged | ||||||||||
| INFORMATION ON UNSAFE PRODUCTS In accordance with applicable product safety regulations, the ADO maintains an internal register of complaints regarding product safety. | |||||||||||||
| Maintenance of an internal register of product safety complaints | email address, first name and surname of the complainant, content of the report on the dangerous product | Article 6(1)(c) of the GDPR in conjunction with Regulation (EU) 2023/988 of the European Parliament and of the Council of 10 May 2023 on general product safety | 5 years from the date of entry of personal data into the complaints register | ||||||||||
| Assertion of claims and defence against claims (including the conduct of court proceedings) | email address, first name and surname of the complainant, content of the report on the dangerous product | Article 6(1)(f) of the GDPR (the data controller’s legitimate interest, consisting in the protection of the data controller’s rights and its business activities | until a valid objection is lodged | ||||||||||
| RECRUITMENT PROCESS The Data Controller conducts recruitment in accordance with applicable data protection rules. | |||||||||||||
| Conducting the recruitment process for specific positions | first name, surname, contact details, education, professional qualifications, employment history, image, email address, telephone number | Article 6(1)(a) of the GDPR in conjunction with Article 221 § 1 and 2 of the Labour Code, and Article 221 § 4 of the Labour Code, Article 6(1)(b), Article 6(1)(f) of the GDPR | the period necessary to complete the recruitment process, up to a maximum of 6 months from the start of the recruitment process | ||||||||||
| PROCESSING OF PERSONAL DATA OF CONTRACTORS’ STAFF | |||||||||||||
| Conclusion and performance of contracts entered into in the course of business activities | first name, surname, position, email address, | Article 6(1)(b) of the GDPR, i.e. processing for the purpose of taking steps prior to entering into a contract, as well as processing necessary for the performance of the contract | until the contract is terminated or expires | ||||||||||
| PERFORMANCE OF OTHER CONTRACTS | |||||||||||||
| Performance of contracts concluded in the course of business activities | first name, surname, job title, email address, telephone number, tax identification number (NIP), bank account number, information related to the performance of the contract, order history | Article 6(1)(b) of the GDPR, i.e. processing for the purpose of taking steps prior to entering into a contract, as well as processing necessary for the performance of the contract Article 6(1)(f) of the GDPR: the data controller’s legitimate interest in the performance of the contract | until the contract is terminated or expires | ||||||||||
| Fulfilment of statutory obligations arising from tax and accounting regulations | the scope of data specified by applicable regulations | Article 6(1)(c) of the GDPR in conjunction with tax regulations concerning personal income tax (relates to compliance with a legal obligation) | 5 years from the start of the year following the financial year in which the service was provided | ||||||||||
| Asserting claims and defending against claims (including conducting court proceedings) | first name, surname, job title, email address, telephone number, tax identification number, bank account number, information relating to the performance of the contract, order history | Article 6(1)(f) of the GDPR (the data controller’s legitimate interest, consisting in the protection of the data controller’s rights and its business activities | until a valid objection is lodged | ||||||||||
| PROCESSING OF PERSONAL DATA OF WHISTLEBLOWERS | |||||||||||||
| Receiving, verifying and investigating reports submitted by whistleblowers regarding legal violations committed by the Data Controller | first name, surname, telephone number, email address, role/position, data appearing in the content of the report, including special category data and data relating to criminal convictions or breaches of the law | Article 6(1)(c) of the GDPR in conjunction with the Whistleblower Protection Act of 14 June 2024 Article 6(1)(f) of the GDPR – the legitimate interest of the data controller, i.e. receiving, verifying and investigating reports of legal violations, as well as pursuing and defending against claims | 3 years from the end of the year in which the relevant proceedings concluded; any data processed in excess will be deleted immediately, within 14 days of determining that it is irrelevant to the case | ||||||||||
| Pursuing claims and defending against claims (including conducting court proceedings) | first name, surname, telephone number, email address, role/position, data appearing in the content of the notification, including special category data and regarding criminal convictions or breaches of the law | Article 6(1)(c) of the GDPR in conjunction with the Whistleblower Protection Act of 14 June 2024; Article 6(1)(f) of the GDPR – the legitimate interests of the data controller, namely the receipt, verification and investigation of reports of legal breaches, and the pursuit and defence against claims | for the duration of the limitation period for claims to which the Data Controller is entitled in connection with a given incident and the limitation periods for the criminal liability of acts subject to internal proceedings | ||||||||||
| Ensuring the security of the Services (services provided electronically), including enforcing compliance with the rules set out in the Terms and Conditions, in particular preventing breaches of applicable regulations, and removing and moderating illegal content | Article 6(1)(c) of the GDPR in conjunction with the Whistleblower Protection Act of 14 June 2024 Article 6(1)(f) of the GDPR – the data controller’s legitimate interest, i.e. ensuring compliance – in relation to the removal or moderation of illegal content Article 6(1)(c) of the GDPR in conjunction with Regulation (EU) 2022/2065 of the European Parliament and of the Council (EU) 2022/2065 of 19 October 2022 on the Digital Services Act and amending Directive 2000/31/EC (Digital Services Act) | ||||||||||||
9. Personal data is provided to PLANIKA SP. Z O.O. voluntarily.
Article 2 – To whom is the data disclosed or transferred, and for how long is it stored?
1. The Customer’s personal data is transferred to service providers used by PLANIKA SP. Z O.O. in the operation of the Services, depending on contractual arrangements and circumstances, or is subject to the instructions of PLANIKA SP. Z O.O. instructions regarding the manner and methods of data processing (processors) or independently determine the purposes and means of processing (controllers).
a) Data processors. PLANIKA SP. Z O.O. uses the services of data processors acting on behalf of PLANIKA SP. Z O.O.. These include, amongst others, hosting service providers, accounting service providers, providers of marketing systems, website traffic analysis systems, and marketing campaign effectiveness analysis systems;
b) Controllers. PLANIKA SP. Z O.O. uses suppliers who do not act solely on instructions and who themselves determine the purposes and means of using Customers’ personal data. They provide electronic payment services and banking services.
2. Location. Service providers are based mainly in Poland and other countries of the European Economic Area (EEA).
3. Customers’ personal data is stored:
a) If a Customer’s personal data is processed on the basis of consent, it will be processed by PLANIKA SP. Z O.O. until such time as consent is withdrawn, and following the withdrawal of consent, for a period corresponding to the limitation period for claims that may be brought by PLANIKA SP. Z O.O.. Unless otherwise provided by a specific provision, the limitation period is six years, and for claims for periodic payments and claims related to the conduct of business activities – three years;
b) Where the basis for the processing of personal data is the performance of a contract, the Customer’s personal data shall be processed by PLANIKA SP. Z O.O. for as long as is necessary to perform the contract, and thereafter for a period corresponding to the limitation period for claims. Unless otherwise provided by a specific provision, the limitation period is six years, and for claims for periodic payments and claims related to the conduct of business activities – three years.
4. In the event of a purchase made on a website operating an online shop, personal data may be transferred to a courier company for the purpose of delivering the ordered goods.
5. Where the Customer chooses to pay via the przelewy24.pl system, their personal data is transferred to the extent necessary for the payment to be processed to PayPro S.A., with its registered office in Poznań (60-198 Poznań, ul. Pastelowa 8, 60-198), entered in the Register of Entrepreneurs maintained by the District Court for Poznań – Nowe Miasto i Wilda in Poznań, 8th Commercial Division of the National Court Register, under KRS number 0000347935, NIP 7792369887, REGON 301345068.
6. Should the Customer choose to pay via the PayPro system, their personal data is transferred to the extent necessary for the processing of the payment to PayPro S.A., with its registered office in Poznań (60-327 Poznań, ul. Kanclerska 15), entered in the Register of Entrepreneurs maintained by the District Court for Poznań – Nowe Miasto i Wilda in Poznań, 8th Commercial Division of the National Court Register, under KRS number: 0000347935.
7. Navigation Data may be used to provide Users with a better service, to carry out statistical analyses, to tailor the Website to Users’ preferences, and to administer the Website.
8. Upon receipt of a relevant request, PLANIKA SP. Z O.O. shall disclose personal data to authorised state authorities, in particular to organisational units of the Public Prosecutor’s Office, the Police, the President of the Personal Data Protection Office, the President of the Office of Competition and Consumer Protection, or the President of the Office of Electronic Communications.
Article 3 – Cookies and IP addresses
1. The Website uses small files known as cookies. These are stored by PLANIKA SP. Z O.O. on the computer of a person visiting the Website, provided the web browser permits this. A cookie file typically contains the name of the domain from which it originates, its expiry time and a unique random number identifying the file. The information collected via such files enables PLANIKA SP. Z O.O. to tailor its offerings to the individual preferences and actual needs of visitors to the Website. It also allows for the compilation of general statistics regarding visits to the information presented on the Website.
2. PLANIKA SP. Z O.O. uses two types of cookies:
a) Session cookies: the stored information is deleted from the device’s memory once the browser session ends or the computer is switched off. The mechanism of session cookies does not allow for the collection of any personal data or confidential information from the User’s computer.
b) Persistent cookies: these are stored on the User’s computer hard drive until they are deleted. The mechanism of persistent cookies does not allow for the collection of any personal data or confidential information from the User’s computer.
3. PLANIKA SP. Z O.O. uses its own cookies for the following purposes:
a) analysis, research and audience auditing, and in particular to generate anonymous statistics that help us understand how Website Users interact with the web pages, thereby enabling us to improve their structure and content.
4. PLANIKA SP. Z O.O. uses third-party cookies for the following purposes:
a) promoting the website via the social media platform Facebook.com (third-party cookie controller: Facebook Inc, based in the USA, or Facebook Ireland, based in Ireland);
b) present multimedia content on the Websites, which is downloaded from the external website www.youtube.com (external cookie controller: Google Inc, based in the USA);
c) collecting general and anonymous statistical data via the Google Analytics tool (external cookie administrator: Google Inc, based in the USA);
d) displaying the Trusted Terms and Conditions Certificate via the website rzetelnyregulamin.pl (external cookie controller: Rzetelna Grupa Sp. z o.o., based in Warsaw, Poland).
5. The use of cookies is safe for the computers of Website Users. In particular, it is not possible for viruses, other unwanted software or malware to enter Users’ computers via this method. However, Users have the option to restrict or disable access by cookies to their computers in their web browsers. If this option is selected, use of the Website will remain possible, except for functions which, by their nature, require cookies.
6. Below is a guide on how to change your web browser settings regarding the use of cookies:
a) Chrome;
b) Facebook app browser;
c) Internet Explorer;
d) Microsoft Edge;
e) Mozilla Firefox;
f) Opera;
g) Safari;
h) Samsung Browser.
7. PLANIKA SP. Z O.O. may collect your IP address. An IP address is a number assigned to a visitor’s computer by their internet service provider. The IP address enables access to the Internet. In most cases, it is assigned dynamically, i.e. it changes with every connection to the Internet and is therefore generally considered to be non-personally identifiable information. The IP address is used by PLANIKA SP. Z O.O. to diagnose technical issues with the server, compiling statistical analyses (e.g. determining which regions generate the most visits), as information useful for administering and improving the Website, as well as for security purposes and the potential identification of unwanted automated programmes that overload the server whilst browsing the Website’s content.
8. The websites contain links and hyperlinks to other websites. PLANIKA SP. Z O.O. accepts no responsibility for the privacy policies applicable on those websites.
9. Cookies used:
| Cookie name | Cookie type | Expiry time |
| __cf_bm, _cfuvid | Functional (Cloudflare, HubSpot) | Session – 30 minutes |
| __hs_cookie_cat_pref, __hssc, __hssrc, __hstc | Analytics / Functional (HubSpot) | Session – 13 months |
| _clck, _clsk | Analytics (Microsoft Clarity) | 1 day – 1 year |
| _ga, _gid | Analytics (Google Analytics) | 24 hours – 13 months |
| __Secure-1PAPISID, __Secure-1PSID, __Secure-3PAPISID, __Secure-3PSID, __Secure-ENID, __Secure-1PSIDCC, __Secure-3PSIDCC, __Secure-1PSIDTS, __Secure-3PSIDTS | Marketing / Security (Google) | up to 2 years |
| pll_language (if applicable) | Functional (Preferred language) | 1 year |
Article 4 – Rights of data subjects
KSeF
With regard to data from invoices sent to KSeF, you have the right to access your data and the right to rectify (correct) it. As data processing is carried out on the basis of a legal obligation under the Goods and Services Tax Act, you do not have the right to erasure, the right to data portability, or the right to object to data processing.
However, you have the right to request the restriction of data processing, but only in the cases specified in Article 18(1) of the GDPR, in particular where the accuracy of the data is contested.
With regard to other personal data:
1. Right to withdraw consent – legal basis: Article 7(3) of the GDPR.
a) The customer has the right to withdraw the consent given to PLANIKA SP. Z O.O..
b) Withdrawal of consent takes effect from the moment it is withdrawn.
c) Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.
d) Withdrawal of consent does not entail any negative consequences for the Customer; however, it may prevent the continued use of services or functionalities which, in accordance with the law, PLANIKA SP. Z O.O. provides exclusively with the Customer’s consent.
2. Right to object to the processing of personal data – legal basis: Article 21 of the GDPR.
a) The Customer has the right at any time to object – on grounds relating to their particular situation – to the processing of their personal data, including profiling, if PLANIKA SP. Z O.O. processes their data on the basis of a legitimate interest, such as, for example, marketing PLANIKA SP. Z O.O. products, compiling statistics on the use of specific features of the Websites and facilitating the use of the Websites, as well as conducting customer satisfaction surveys;
b) Opting out electronically of marketing communications regarding products or services shall constitute the Customer’s objection to the processing of their personal data, including profiling for these purposes;
c) If the Customer’s objection is valid and PLANIKA SP. Z O.O. has no other legal basis for processing personal data, the Customer’s personal data, the processing of which the Customer has objected to, will be deleted.
3. Right to erasure (“right to be forgotten”) – legal basis: Article 17 of the GDPR.
a) The Customer has the right to request the erasure of all or some of their personal data;
b) The Customer has the right to request the erasure of some personal data if:
a. the personal data is no longer necessary for the purposes for which it was collected or processed;
b. the Customer has withdrawn their consent to the extent that the personal data was processed on the basis of consent;
c. the Customer has objected to the use of their data for marketing purposes;
d. the personal data is being processed unlawfully;
e. the personal data must be erased to comply with a legal obligation under Union law or the law of a Member State to which PLANIKA SP. Z O.O. is subject;
f. the personal data has been collected in connection with the provision of information society services.
c) Notwithstanding a request for the erasure of personal data in connection with the lodging of an objection or the withdrawal of consent, PLANIKA SP. Z O.O. may retain certain personal data to the extent that processing is necessary to establish, asserting or defending claims, as well as to comply with a legal obligation requiring processing under Union law or the law of a Member State to which PLANIKA SP. Z O.O. is subject. This applies in particular to: first name, surname, email address, which data is retained for the purposes of handling complaints and claims relating to the use of the services of PLANIKA SP. Z O.O., or additionally the residential/correspondence address and order number, which data is retained for the purposes of handling complaints and claims relating to concluded sales contracts or the provision of services.
4. Right to restriction of processing – legal basis: Article 18 of the GDPR.
a) The customer has the right to request that the controller restrict the processing of their personal data. Submitting such a request, until it has been considered, prevents the use of certain features or services, the use of which would involve the processing of personal data covered by such a request. Furthermore, PLANIKA SP. Z O.O. will not send any messages, including marketing communications.
b) The customer has the right to request the restriction of the processing of their personal data in the following cases:
a. Where the Customer disputes the accuracy of their personal data; in such cases, PLANIKA SP. Z O.O. will restrict the use of such data for a period sufficient to verify the accuracy of the personal data, but for no longer than 7 days;
b. Where the processing of data is unlawful, and the Customer requests the restriction of its use rather than its erasure;
c. Where the personal data are no longer necessary for the purposes for which they were collected or used, but are required by the Customer to establish, exercise or defend legal claims;
d. where the Customer has objected to the processing of their data – in which case the restriction applies for the time needed to assess whether, in view of the specific circumstances, the protection of the Customer’s interests, rights and freedoms outweighs the interests pursued by the Controller in processing the Customer’s personal data.
5. Right of access to data – legal basis: Article 15 of the GDPR.
a) The Customer has the right to obtain confirmation from the Controller as to whether personal data is being processed, and if so, the Customer has the right to
a. access their personal data;
b. obtain information regarding the purposes of processing, the categories of personal data being processed, the recipients or categories of recipients of such data, the envisaged period for which the personal data will be stored, or the criteria used to determine that period (where it is not possible to specify the envisaged period of data processing), the Customer’s rights under the GDPR and the right to lodge a complaint with a supervisory authority, the source of the data, automated decision-making, including profiling, and the safeguards applied in connection with the transfer of such data outside the European Union;
c. to obtain a copy of their personal data.
6. Right to rectification – legal basis: Article 16 of the GDPR
a) The Customer has the right to request that the Controller rectify any inaccurate personal data concerning them without undue delay. Taking into account the purposes of the processing, the Customer has the right to request that incomplete personal data be completed, including by providing an additional statement, by sending their request to the email address specified in the Privacy Policy.
7. Right to data portability – legal basis: Article 20 of the GDPR.
a) The Customer has the right to receive the personal data they have provided to the Controller and then transmit it to another data controller of their choice. The Customer has the right to request that personal data be sent by us directly to another controller, provided this is technically feasible. In such a case, the Controller will send the Customer’s personal data in a CSV file, which is a commonly used machine-readable format, enabling the transferred data to be sent to another data controller.
8. Should the Customer wish to exercise any of the above rights, PLANIKA SP. Z O.O. shall comply with or refuse the request without delay, but no later than within one month of receiving it. However, if – due to the complex nature of the request or the number of requests – PLANIKA SP. Z O.O. is unable to comply with the request within one month, it shall comply within the following two months, having previously informed the Customer within one month of receiving the request of the intended extension of the deadline and of its own actions.
9. The Customer may submit complaints, questions or requests regarding the processing of their personal data and the exercise of this right.
10. The Customer has the right to request that PLANIKA SP. Z O.O. provide a copy of the standard contractual clauses by submitting a request in the manner specified in the Privacy Policy.
11. The Customer has the right to lodge a complaint with the President of the Personal Data Protection Office regarding any infringement of their rights concerning the processing of personal data or other rights granted under the GDPR.
Article 5 – Changes to the Privacy Policy
1. The Privacy Policy may be amended, in which case PLANIKA SP. Z O.O. will provide 7 days’ notice.
2. Please direct any further questions regarding the Privacy Policy to: [email protected].
3. Date of last amendment: 01/04/2026
