Privacy Policy
Using the service means acceptance of the Privacy Policy and the STORE REGULATIONS.
I. INTRODUCTION
- This Privacy Policy informs about the methods of processing personal data and their protection within the internet service registered at the electronic address antyksobieski.pl (hereinafter: the Service).
- The administrator of personal data is Paweł Kolata conducting business under the name ANTYKWARIAT SOBIESKI PAWEŁ KOLATA registered in the Central Registration and Information on Business, headquartered in Kalisz, address: ul. Pułaskiego 31/3, 62-800 Kalisz, NIP: 618-185-33-69; REGON 251642669 (hereinafter: Administrator).
- Any questions or doubts, especially regarding the processing of personal data, Users may direct:
- by correspondence – to the Administrator's registered office address;
- by electronic mail to the address: sklep@antyksobieski.pl
- via the website antyksobieski.pl
- The Administrator ensures that entrusted personal data are processed in compliance with the requirements of generally applicable law, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Official Journal EU L 2016.119.1) – hereinafter referred to as GDPR.
- The primary goal of the Administrator is to ensure Users of the Service privacy protection at a level at least corresponding to the requirements set by applicable law, especially the GDPR provisions.
- Every person using the Service in any way accepts all the rules contained in this Privacy Policy.
- The Administrator reserves the right to make changes to the Privacy Policy if required by law or changes introduced in the Service's functionality.
- The Administrator will notify all its Users about relevant changes and the date they come into effect, in particular by posting an appropriate announcement on the Service.
II. BASIC CONCEPTS
- User – any natural person whose personal data are processed by the Administrator,
- Personal data – all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural, or social identity, as well as device IP, location data, internet identifier, and information collected via cookies and similar technology.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.
- Service – an organized IT solution located at the internet address antyksobieski.pl and possibly other internet addresses, as well as in applications and other IT tools, comprising a set of cooperating software programs, databases, and accompanying elements (e.g., graphical), connected into one IT system;
- Processing of personal data – any operations performed on personal data, such as collecting, recording, storing, processing, modifying, sharing, and deleting, especially those performed in IT systems;
- Personal data breach – a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored, or otherwise processed;
III. OBJECTIVES, LEGAL BASES, SCOPE OF DATA PROCESSING AND INFORMATION ABOUT FORMS
- The Administrator processes personal data only when at least one of the following conditions is met:
- when the User of the Service consents to it in forms placed on the Service, for the purpose of undertaking actions to which these forms relate (art. 6(1)(a) GDPR);
- when processing is necessary for the performance of a contract to which the User of the Service is a party (art. 6(1)(b) GDPR);
- for complaint handling – the legal basis for processing is the necessity to perform a contract (art. 6(1)(b) GDPR);
- to fulfill a legal obligation incumbent on the Administrator (art. 6(1)(c));
- to potentially establish and pursue claims or defend against them – the legal basis is the legitimate interest of the Administrator in protecting its rights (art. 6(1)(f) GDPR);
- for the Administrator's marketing purposes, consisting of informing the User about the current offer and new functionalities of the Service – the legal basis is consent (art. 6(1)(a) GDPR),
- to provide services of an assistant based on artificial intelligence (chatbot), involving processing Users' queries and generating responses – the legal basis is art. 6(1)(b) GDPR (service provision) or art. 6(1)(f) GDPR (legitimate interest of the Administrator to improve User service)
- The Administrator processes personal data of Service Users to the extent necessary for the purposes specified in point 1 above for the period necessary to achieve these purposes or until the User withdraws consent. Failure to provide data by the User may in some cases result in the inability to achieve the purposes for which the data provision is necessary.
- Data provided in forms placed on the Service are processed for purposes resulting from the function of the specific form; additionally, they may be used by the Administrator for archival and statistical purposes. Consent of the data subject is expressed by ticking the appropriate box in the form.
IV. DATA SECURITY
- The Administrator continuously conducts risk analysis to identify threats related to secure data processing and implements appropriate technical and organizational measures ensuring the protection of processed personal data.
- The Administrator ensures that only authorized persons have access to personal data and only to the extent necessary due to the tasks they perform.
- The Administrator keeps a record of persons authorized to process personal data. These persons are obliged to keep personal data and methods of their protection strictly confidential.
V. DATA RECIPIENTS
- Recipients of Users' personal data may be entities to which the Administrator outsources activities related to the necessity of processing such data, in particular regarding email handling, IT services, hosting, IT support, administrative services, legal or advisory services.
- A third party having access to personal data processes them solely based on a personal data processing agreement and only on the Administrator's instructions.
- Recipients of Users' personal data may also be entities and authorities entitled to receive such data – only in justified cases and based on generally applicable legal provisions.
- OpenAI Ireland Ltd. and OpenAI, L.L.C. – in the scope of providing artificial intelligence services (AI assistant / chatbot), including processing the content of Users' queries as a data processor on behalf of the Administrator in connection with the AI assistant service (chatbot), involving processing Users' query content to generate responses.
VI. RECEIVING COMMERCIAL INFORMATION
- The User of the Service, if the Service provides for it, may consent to receive commercial information via electronic communication means.
- If the User has consented to receive commercial information via electronic communication means, they have the right to withdraw such consent at any time.
- Exercising the right to withdraw consent to receive commercial information is done by sending an appropriate request to the Administrator's email address along with the User's first and last name.
VII. USER RIGHTS
- Every person whose data are processed has the following rights:
- the right to access data and information about the processing of personal data (art. 15 GDPR) – upon such a request, the Administrator provides the data and information about data processing, purposes and legal bases of processing, scope of data held, entities to whom personal data are disclosed, and planned deletion date;
- the right to obtain a copy of data (art. 15(3) GDPR) – the Administrator provides a copy of processed data concerning the requesting person, if possible and without infringing third parties' rights;
- the right to rectification (art. 16 GDPR) – the User has the right to request removal of inconsistencies or errors concerning processed personal data, as well as their completion or update if incomplete or changed;
- the right to erasure (art. 17 GDPR) – the User may request deletion of data no longer necessary for any of the purposes for which they were collected;
- the right to restriction of processing (art. 18 GDPR) – on this basis, the Administrator may cease operations on personal data, except for operations consented to by the data subject and their storage according to retention rules, or until reasons for restriction cease (e.g., supervisory authority decision allowing further processing);
- the right to data portability (art. 20 GDPR) – to the extent data are processed in connection with a contract or consent, the Administrator may provide data delivered by the data subject;
- the right to object to other processing purposes (art. 21 GDPR) – the data subject may object at any time to personal data processing. Such objection should include justification and is subject to the Administrator's assessment;
- the right to object to processing for marketing purposes (art. 21(2) GDPR) – the data subject may object at any time to personal data processing for marketing purposes without needing to justify the objection;
- the right to withdraw consent (art. 7(3) GDPR) – if data are processed based on consent, the data subject may withdraw it at any time, without affecting the lawfulness of processing before withdrawal;
- the right to lodge a complaint (art. 77 GDPR) – if the data subject considers that personal data processing violates GDPR or other data protection laws, they may file a complaint with the supervisory authority - President of the Personal Data Protection Office (https://uodo.gov.pl/pl/p/kontakt).
- Requests regarding the exercise of data subject rights can be submitted:
- in writing to the Administrator's registered office address;
- to the email address: sklep@antyksobieski.pl
- A response will be provided within one month of receipt. If an extension is necessary, the Administrator will inform the applicant of the reasons for the extension.
- The response will be sent to the email address from which the request was sent, or in case of postal requests, by registered mail to the address indicated by the applicant, unless the letter's content indicates a desire to receive feedback by email (in such case, an email address should be provided).
VIII. COOKIES AND SIMILAR TECHNOLOGY
- The Service uses cookies.
- Cookies (so-called "cookies") are IT data, especially text files, stored on the User's end device and intended for use on the Service's web pages. Cookies usually contain the name of the website they come from, the time they are stored on the end device, and a unique number.
- The entity placing cookies on the User's end device and accessing them is the Administrator.
- Cookies are used, among others, for:
- creating statistics that help understand how Users use the Service's web pages;
- maintaining the user's session (after logging in), so the User does not have to re-enter login and password on each subpage;
- determining the user's profile to display tailored materials in advertising networks, especially Google networks.
- The Service uses two main types of cookies: "session" cookies and "persistent" cookies. Session cookies are temporary files stored on the User's device until logout, leaving the website, or closing the browser. Persistent cookies are stored on the User's device for the time specified in the cookie parameters or until deleted by the User.
- Web browser software usually allows storing cookies on the User's device by default. Users can change these settings. The browser allows deleting cookies. Automatic blocking of cookies is also possible. Detailed information is available in the browser's help or documentation.
- The Administrator uses services of third parties, whose list changes constantly, which may use cookies for purposes such as:
- monitoring traffic on the Administrator's websites;
- collecting anonymous, aggregate statistics to understand how Users use the Administrator's website,
- controlling how often selected content is shown to users;
- controlling how often users choose a given service;
- examining newsletter subscriptions;
- using communication tools;
- integration with social media;
- The User can manage cookies used by the Administrator or any other external providers by changing their web browser settings. Further information is available in the COOKIE POLICY document available on the Service's website.
- Restrictions on using cookies may affect some functionalities available on the Service's web pages.
- For collecting statistics, the Administrator may use Google Analytics. In such case, User data visiting the Service is received by Google, 1600 Amphitheatre Parkway Mountain View, CA 94043 United States. The User can block Google Analytics access to their data by installing a plugin available at: https://tools.google.com/dlpage/gaoptout/
- The Administrator encourages familiarizing with detailed explanations related to data processing within Google Analytics, prepared by Google and available at: https://policies.google.com/privacy?hl=pl.
- The Administrator may also use marketing tools available within the Facebook social network service owned by Meta Platforms. Within these tools, ads may be targeted on Facebook. These activities are based on the Administrator's legitimate interest in marketing its own products or services (art. 6(1)(f) GDPR).
- To target personalized ads based on Users' behavior visiting the Service's website, the Meta Pixel may be implemented, which automatically collects information about Service usage. Information collected this way may be transferred to Facebook's servers in the United States and stored there.
- Information collected via Meta Pixel is anonymous, i.e., it does not allow User identification. The Administrator is only informed about actions the User took on its site. Meta Platforms may combine this information with other User data collected via Facebook and use it for its own purposes, including marketing. Such Facebook activities are beyond the Administrator's control, and information about them is described in Facebook's privacy policy: https://www.facebook.com/privacy/explanation. From their Facebook account, the User can also manage privacy settings. Meta Platforms is headquartered in the USA and uses technical infrastructure located, among others, in the USA.
IX. SOCIAL MEDIA
- The Administrator processes personal data of Users visiting the Administrator's profiles maintained on social media (e.g., Facebook, Instagram).
- These data are processed to inform Users about the Administrator's activity, offer services, and communicate with Users via tools available on social media. The legal basis for processing personal data for this purpose is the Administrator's legitimate interest (art. 6(1)(f) GDPR) consisting of promoting its brand and offered services and building and maintaining a community related to the brand. Further information is available in the FACEBOOK FANPAGE INFORMATION CLAUSE and YOUTUBE INFORMATION CLAUSE.
- The Service contains links to the Administrator's social media profiles, which have separate privacy policies accessible by visiting the respective page via the link marked with the appropriate icon.
- Regarding any websites linked on the Service that are not owned or controlled by the Administrator, the Administrator is not responsible for their content or privacy policies applicable to Users. When displaying a webpage containing such a link, the User's browser establishes a direct connection with the social media service providers' servers. The plugin content is delivered directly by the provider to the User's browser and integrated with the page. Through this integration, providers receive information that the User's browser displayed the Administrator's page, even if the User does not have a profile or is not logged in to the provider. Such information (including IP address) is sent directly to the provider's server (some servers are in the USA) and stored there. If the User is logged into one of the social media services, the provider can directly associate the visit to the Administrator's page with the User's profile in that service. If the User uses the plugin, e.g., clicking "Like" or "Share," the information is also sent directly to the provider's server and stored there. Additionally, this information is published on the social media service and shown to the User's contacts.
- The purpose and scope of data collection and further processing and use by providers, as well as contact possibilities and User rights and privacy settings, are described in the privacy policies of the respective providers. The Administrator encourages familiarizing with their content.
- If the User does not want social media services to associate data collected during visits to the Administrator's website directly with the User's profile in the service, they should log out of that service before visiting the site.
- The User can also completely prevent loading plugins on the page by using appropriate browser extensions, e.g., script blockers.
X. SERVER LOGS
- Using the Service's website involves sending requests to the server where it is stored. Each request to the server is recorded in server logs.
- Logs include, among others, the User's IP address, server date and time, information about the web browser and operating system used. Logs are saved and stored on the server.
- Data recorded in server logs are not associated with specific persons using the site and are not used by the Administrator to identify the User.
- Server logs serve only as auxiliary material for managing the Service's website, and their content is not disclosed to anyone except persons authorized to administer the server.
XI. TRANSFER OF DATA OUTSIDE THE EEA
- The Administrator may transfer Users' personal data to third countries, i.e., countries outside the European Economic Area. Data may be transferred only to third countries or entities for which the European Commission has issued an adequacy decision confirming an appropriate level of data protection.
- The list of countries for which the European Commission has issued such a decision is available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#relatedlinks.
- In the absence of a European Commission decision confirming an adequate level of protection under art. 45(3) GDPR, Users' personal data may be transferred to a third country only based on: binding corporate rules, standard data protection clauses adopted by the European Commission, standard data protection clauses adopted by the Polish supervisory authority and approved by the Commission, an approved code of conduct, or an approved certification mechanism (art. 46 GDPR).
- In the absence of a European Commission decision confirming an adequate level of protection under art. 45(3) GDPR or appropriate safeguards under art. 46 GDPR, including binding corporate rules, the Administrator will request explicit consent from the User for such transfer to a third country or international organization, informing the User beforehand about the risks associated with such transfer under art. 49(1)(a) GDPR.
- Due to the use of artificial intelligence technology provider services (OpenAI), Users' personal data may be transferred to a third country – the United States of America. The transfer is based on standard contractual clauses approved by the European Commission (art. 46 GDPR) and implemented safeguards ensuring an adequate level of data protection.
XII. INFORMATION ABOUT AUTOMATED DECISION-MAKING
- Within the Service, the Administrator may automatically tailor certain content to the User's needs, i.e., perform profiling using the personal data provided by the User. This profiling mainly consists of automatically assessing which products the User may be interested in based on their previous online activities, including on the Administrator's websites, and displaying ads profiled in this way.
- Profiling performed by the Administrator does not result in decisions producing legal effects against the User or significantly affecting them in any other way.
XIII. AI-BASED ASSISTANT
- The Service may provide functionality of an assistant based on artificial intelligence (chatbot).
- Within the service operation, the content of Users' queries, which may contain personal data, is processed.
- These data are transferred to an external AI technology provider to generate responses.
- The Administrator does not use conversation content for profiling Users in a way that produces legal effects.
- The User should avoid providing special category data (e.g., sensitive data) unless necessary to obtain a response.
- Query contents may be temporarily processed in the AI provider's systems to generate responses and are not used by the Administrator to build user profiles or permanently store conversation history unless necessary to provide the service.
It is worth remembering:
- After each time you leave the computer or exit the online store page, click "log out" in the upper right corner of the screen after expanding "My account".
- Do not share your login or password with anyone!
- Store employees never ask customers for their account password.
Polish