**Privacy Policy – Additional Information on Data Protection** This Privacy Policy describes how personal data is collected, used, stored, shared, and protected by us as the User through the public and private areas of the website (hereinafter referred to as the “Website”).

Your personal data will be processed effectively, proportionately, and responsibly, in accordance with the provisions of the EU General Data Protection Regulation (GDPR) 2016/679, Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), and other applicable legal regulations. Below we provide all the information you need to understand how your personal data is processed and how your privacy is protected in a clear and transparent manner.

As a User, you must ensure that:

(a) all data (in particular, but not limited to, personal data) provided through the Website is authentic and accurate;

(b) the personal data provided belongs to you; and

(c) you keep the information up to date so that it always reflects your current situation. You are solely responsible for any false or inaccurate statements you make, as well as for any damage resulting from them.

1. GENERAL PROVISIONS
   
   1. The controller of personal data collected via the website sklep-krysztaloweswiaty.pl is Katarzyna Wilczyńska – Kryształowe Światy, conducting business activity at Katarzyna Wilczyńska – Kryształowe Światy, Sucha Mała 1, 55-106 Zawonia Polska, NIP: 8942362799
      

       , email address: info@sklep-krysztaloweswiaty.pl(hereinafter referred to as the “Controller”), who is also the Service Provider. The place of business is  Sucha Mała 1, 55-106 Zawonia Polska, email address: contact@sklep-krysztaloweswiaty.pl, zwany/a dalej “Administratorem”.

   2. Personal data collected by the Controller via the website is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR) and the Polish Personal Data Protection Act of 10 May 2018.
   3. Email address of the Data Protection Officer: kontakt@sklep-krysztaloweswiaty.pl

In matters not regulated by this Privacy Policy, the provisions of the GDPR shall apply accordingly.

TYPE OF PERSONAL DATA PROCESSED, PURPOSE AND SCOPE OF DATA COLLECTION

PURPOSE OF PROCESSING AND LEGAL BASIS. The Controller processes personal data via the website www.sklep-krysztaloweswiaty.pl in the following cases:

– when the User uses the contact form. Personal data is processed on the basis of Article 6(1)(f) of the GDPR as the legitimate interest of the Controller;

– when the User subscribes to the Newsletter in order to receive commercial information electronically. Personal data is processed based on separate consent, pursuant to Article 6(1)(a) of the GDPR.

TYPE OF PERSONAL DATA PROCESSED. Administrator przetwarza następujące kategorie danych osobowych użytkownika:

– full name,

– address (residential address),

– email address,

– phone number,

– tax identification number (NIP).

DATA RETENTION PERIOD. The Controller stores Users’ personal data as follows:

– where the legal basis for processing is the performance of a contract, for as long as necessary to perform the contract, and thereafter for a period corresponding to the statute of limitations for claims. Unless otherwise provided by specific regulations, the limitation period is six years, and for claims concerning periodic performance and claims related to business activity – three years;

– where the legal basis for processing is consent, until the consent is withdrawn, and after withdrawal, for a period corresponding to the statute of limitations for claims that may be raised by or against the Controller. Unless otherwise provided by specific regulations, the limitation period is six years, and for claims concerning periodic performance and claims related to business activity – three years.

While using the website, additional information may be collected, in particular: the IP address assigned to the User’s computer or the external IP address of the Internet provider, domain name, browser type, access time, and operating system type.

Navigation data may also be collected from Users, including information about links and references they choose to click or other activities performed on the website. The legal basis for such processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting of facilitating the use of services provided electronically and improving their functionality.

Providing personal data by the User is voluntary.

Personal data may also be processed in an automated manner in the form of profiling, provided that the User has given consent pursuant to Article 6(1)(a) GDPR. The consequence of profiling will be the assignment of a profile to a given person for the purpose of making decisions concerning them or analyzing or predicting their preferences, behaviors, and attitudes.

The Controller exercises particular care to protect the interests of data subjects and, in particular, ensures that the data collected is:

– processed lawfully,

– collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes,

– factually accurate and adequate in relation to the purposes for which it is processed, and stored in a form that permits identification of data subjects for no longer than is necessary to achieve the purpose of processing.

DISCLOSURE OF PERSONAL DATA

Users’ personal data is shared with service providers used by the Controller in operating the website. Depending on contractual arrangements and circumstances, these service providers either act on behalf of the Controller and follow its instructions regarding the purposes and methods of data processing (processors), or independently determine the purposes and methods of processing (controllers).

Users’ personal data is stored exclusively within the European Economic Area (EEA).

RIGHT OF CONTROL, ACCESS TO PERSONAL DATA AND ITS CORRECTION

The data subject has the right to access the content of their personal data and the right to rectify, erase, or restrict processing, as well as the right to data portability, the right to object, and the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.

Legal bases for user requests:

– Access to data – Article 15 GDPR – art. 15 RODO

– Rectification of data – Article 16 GDPR – art. 16 RODO.

– Erasure of data (“right to be forgotten”) – Article 17 GDPR – art. 17 RODO.

– Restriction of processing – Article 18 GDPR – art. 18 RODO.

– Data portability – Article 20 GDPR – art. 20 RODO.

– Objection – Article 21 GDPR

– Withdrawal of consent – Article 7(3) GDPR

To exercise the rights referred to above, a relevant request may be sent by email to: kontakt@sklep-krysztaloweswiaty.pl

If a user exercises any of the above rights, the Controller shall comply with the request or refuse to comply without undue delay, and no later than within one month of its receipt. However, if—due to the complexity of the request or the number of requests—the Controller is unable to respond within one month, it shall respond within a further two months, informing the user within one month of receiving the request about the extension and the reasons for it.

If it is determined that the processing of personal data violates the provisions of the GDPR, the data subject has the right to lodge a complaint with the Data Protection Authority.

“COOKIES” FILES

The Controller’s website uses cookies.

The installation of cookies is necessary for the proper provision of services on the website. Cookies contain information required for the proper functioning of the website and also enable the compilation of general statistics on website visits.

The following types of cookies are used on the website: session cookies.

Session cookies are temporary files stored on the User’s device until they log out (leave the website).

The Controller uses its own cookies to better understand how Users interact with the website’s content. These files collect information about how the User uses the website, the type of website from which the User was redirected, as well as the number of visits and the duration of the User’s visit to the website. This information does not record specific personal data of the User but is used to compile statistics on website usage.

The User has the right to decide on the access of cookies to their computer by selecting their preferences in the browser window. Detailed information on the possibilities and methods of handling cookies is available in the software settings (web browser).

FINAL PROVISIONS

The Controller applies technical and organizational measures ensuring the protection of personal data processed, appropriate to the risks and the category of data being protected. In particular, the Controller safeguards data against disclosure to unauthorized persons, acquisition by unauthorized persons, processing in violation of applicable regulations, and against alteration, loss, damage, or destruction.

The Controller provides appropriate technical measures to prevent unauthorized persons from obtaining or modifying personal data transmitted electronically.

In matters not regulated by this Privacy Policy, the provisions of the GDPR shall apply accordingly.