PRIVACY

This Policy informs you about the purposes, methods of processing and security of your personal data as a user/customer/consumer of the komodee.com store.

The data administrator is – Extreme Furniture Spółka z Ograniczoną Odpowiedzialnością; Sosnowa 13, 83-330 Żukowo, Poland; KRS 0000820406, NIP 5892056649, REGON 385122822.

§ 1

DEFINITIONS

1. Personal data – all information about a natural person identified or identifiable by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity, including the IP of the device, location data, online identifier and information collected through cookies and other similar technology.
2. Policy – this Privacy Policy.
3. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
4. Website – a website run by the Administrator at komodee.com
5. User – any natural person visiting the Website or using one or more of the services or functionalities described in the Policy.

§ 2

DATA PROCESSING IN CONNECTION WITH THE USE OF THE WEBSITE

1. The Website uses personal data for the following purposes:
   
   1. Running a newsletter
   2. Maintaining a comment system
   3. Online chat
   4. Handling inquiries via the form
   5. Preparing, packing, shipping goods
   6. Fulfillment of ordered products
   7. Presentation of the offer or information

Providing personal data by the User is voluntary. Refusal to provide them may prevent the Administrator from providing services by electronic means or answering questions and handling possible complaints.

§ 3

PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING ON THE WEBSITE

USE OF THE SERVICE

Personal data of all persons using the Website (including IP address or other identifiers and information collected through cookies or other similar technologies) and who are not registered Users (i.e. persons who do not have a profile on the Website) are processed by the Controller:

1. in order to provide services by electronic means in the scope of making available to Users the content collected on the Website, providing contact forms and enabling Users to purchase access to online courses organised by the Administrator and other services provided on or through the Website – then the legal basis for the processing is the necessity of processing for the performance of the contract (Article 6(1)(b) of the GDPR) and the legitimate interest of the Administrator consisting in maintaining relations with Users and responding to contact from Users (Article 6(1)(f) of the GDPR)
2. for marketing purposes of the Administrator and other entities, in particular related to the presentation of behavioral advertising – the rules for the processing of personal data for marketing purposes have been described in the “MARKETING” section, while the basis for data processing in this case is Article 6(1)(a) of the Agreement (User’s consent to send specific marketing content), Article 6(1)(b) of the Agreement (sending the ordered marketing content, including the newsletter) and Article 6(1)(f) of the GDPR (legitimate interest of the Controller consisting in marketing and advertising of the Website);
3. for the purpose of pursuing claims or defending against claims, including for the purpose of considering complaints from Users – the legal basis for the processing of personal data is Article 6(1)(f) of the GDPR (legitimate interest of the Administrator consisting in the protection of its rights)
4. The User’s activity on the Website, including their personal data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and activities related to the IT system used to provide services by the Administrator). Information collected in the logs processed in connection with the provision of services. The Controller also processes them for technical purposes, in particular, the data may be temporarily stored and processed in order to ensure the security and proper functioning of IT systems, e.g. in connection with making backup copies, testing changes in IT systems, detecting irregularities or protection against abuse and attacks – the legal basis for data processing is Article 6(1)(f) of the GDPR (legitimate interest of the Controller, consisting in conducting analyses of the activity of the Website Users and the manner of using the Website in order to improve the functionalities used)

Contact forms

The Administrator provides the possibility of contacting him using electronic contact forms. The use of the form requires providing personal data necessary to contact the User and respond to the inquiry. The User may also provide other data to facilitate contact or to handle the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to provide them results in the inability to handle the inquiry. Providing other data is voluntary.

1. Personal data is processed:
2. in order to identify the sender and handle their inquiry sent via the provided form – the legal basis for the processing is the necessity of processing for the performance of the contract for the provision of services (Article 6(1)(b) of the GDPR) and the legitimate interest of the Administrator consisting in maintaining relations with Users and responding to contact from Users (Article 6(1)(f) of the GDPR);

Marketing

1. The Administrator processes Users’ personal data in order to carry out marketing activities (to the extent consistent with applicable law), which may consist of:

• sending e-mail notifications about interesting offers or content, which in some cases contain commercial information;
• conducting other types of activities related to direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).

2. The Administrator profiles persons whose data it processes for marketing purposes. Some of the decisions regarding the personalization of the offer will be made automatically, i.e. without human intervention. In the event that profiling or any other form of automated data processing could result in decisions that have legal effects on the User or affect the User in a similarly significant way, the Controller will carry them out only if the User gives their explicit consent or there are other cases of admissibility of such automated data processing indicated in Article 22 of the GDPR.

Direct marketing

1. If the User has consented to receive marketing information via e-mail, SMS and other electronic means of communication, the User’s personal data will be processed for the purpose of sending such information. The basis for data processing is: (i) the User’s consent to send them specific marketing content – Article 6(1)(a) of the GDPR; (ii) sending the ordered marketing content, including the newsletter, and providing a service (contract) in this respect (Article 6(1)(b) of the GDPR) and (iii) the legitimate interest of the Controller consisting in sending marketing information within the limits of the consent granted by the User (direct marketing) – Article 6(1)(f) of the GDPR. You have the right to object to the processing of your data for direct marketing purposes, including profiling. The data will be stored for this purpose for the duration of the legitimate interest of the Administrator, unless the User objects to receiving marketing information.

Social networks

1. The Controller processes the personal data of Users visiting the Controller’s profiles in social media (Facebook, YouTube, Instagram, LinkedIn, Twitter). These data are processed only in connection with maintaining the profile, including for the purpose of informing Users about the Administrator’s activity and promoting various types of events, services and products, as well as for the purpose of communicating with Users through functionalities available in social media. The legal basis for the processing of personal data by the Administrator for this purpose is its legitimate interest (Article 6(1)(f) of the GDPR) consisting in promoting its own brand and building and maintaining a community related to the brand.

§ 4

COOKIES AND SIMILAR TECHNOLOGY

Cookies are small text files installed on the device of the User browsing the Website. Cookies collect information that facilitates the use of the website – e.g. by remembering the User’s visits to the Website and the activities performed by the User.

“Service” cookies

The Administrator uses the so-called service cookies primarily to provide the User with services provided electronically and to improve the quality of these services. Therefore, the Administrator and other entities providing analytical and statistical services to the Administrator use cookies, storing information or gaining access to information already stored on the User’s telecommunications end device (computer, phone, tablet, etc.). Cookies used for this purpose include:

1. cookies with data entered by the User (session ID) for the duration of the session (user input cookies);
2. authentication cookies used for services that require authentication for the duration of the session (authentication cookies);
3. cookies used to ensure security, e.g. used to detect fraud in the field of authentication (user centric security cookies);
4. multimedia player session cookies (e.g. Flash player cookies), for the duration of the session (multimedia player session cookies);
5. persistent cookies used to personalize the User’s interface for the duration of the session or a little longer (user interface customization cookies),
6. cookies used to remember the contents of the shopping cart for the duration of the session (shopping cart cookies);
7. cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyse the manner in which the Website is used by the User, to create statistics and reports on the functioning of the Website). Google does not use the data collected to identify you, nor does it combine this information to enable identification. Detailed information on the scope and rules of data collection in connection with this service can be found at the link: https://www.google.com/intl/pl/policies/privacy/partners

“Marketing” cookies

1. The Controller also uses cookies for marketing purposes, m.in. in connection with directing behavioural advertising to Users. For this purpose, the Controller stores information or accesses information already stored on the User’s telecommunications end device (computer, phone, tablet, etc.). The use of cookies and personal data collected through them for marketing purposes, in particular in the field of promoting services and goods of third parties, requires the User’s consent. This consent may be expressed through appropriate configuration of the browser, and may also be withdrawn at any time, in particular by clearing the cookie history and disabling cookies in the browser settings.

Period of personal data processing

1. The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service or execution of the order, until the consent is withdrawn or an effective objection to the processing of data is raised in cases where the legal basis for data processing is the legitimate interest of the Administrator.
2. The period of data processing may be extended if the processing is necessary to establish, pursue or defend against possible claims, and after this time only in the case and to the extent required by law. After the expiry of the processing period, the data is irreversibly deleted or anonymized.

§ 5

USER RIGHTS

You have the following rights:

1. The right to information about the processing of personal data – on this basis, the Controller provides the person submitting such a request with information about the processing of personal data, including, in particular, the purposes and legal grounds for the processing, the scope of the data held, the entities to which the personal data are disclosed and the planned date of their removal;
2. Right to rectification – on this basis, the Administrator removes any inconsistencies or errors regarding the processed personal data, and completes or updates them if they are incomplete or have changed;
3. The right to delete data – on this basis, you can request the deletion of data, the processing of which is no longer necessary to achieve any of the purposes for which they were collected;
4. The right to restrict processing – on this basis, the Controller ceases to perform operations on personal data, except for operations to which the data subject has consented and their storage, in accordance with the adopted retention rules, or until the reasons for restricting data processing cease to exist (e.g. a decision of the supervisory authority is issued, allowing further data processing); the right to restriction of data processing is vested in provided that the legal requirements justifying such restriction as set out in detail in Article 18 of the GDPR are met;
5. The right to transfer data – on this basis, to the extent that the data is processed in connection with the concluded contract or the consent given, the Administrator issues the data provided by the data subject in a format that allows them to be read by a computer. It is also possible to request that this data be sent to another entity – provided that there are technical possibilities in this respect on the part of both the Administrator and the other entity;
6. The right to object to the processing of data for marketing purposes – the data subject may object to the processing of personal data for marketing purposes at any time, without the need to justify such an objection;
7. The right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data on the basis of the legitimate interest of the Administrator, i.e. data in relation to which the basis for their processing is Article 6(1)(f) of the GDPR, other than those listed in point 6 above (e.g. for analytical or statistical purposes or for reasons related to the protection of property). In such a case, the Controller is no longer allowed to process such personal data, unless it demonstrates the existence of compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of claims.
8. The right to withdraw consent – if the data is processed on the basis of consent, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before the withdrawal of this consent;
9. Right to lodge a complaint – if you believe that the processing of personal data violates the provisions of the GDPR or other provisions on the protection of personal data, the data subject may lodge a complaint with the President of the Office for Personal Data Protection (address: 2 Stawki Street, 00-193 Warsaw).

A request for the exercise of the rights of data subjects (Users) can be submitted:

11. in writing to the following address: Extreme Furniture, 69 Gryfa Pomorskiego Street, 80-297 Miszewko, Poland.
12. by e-mail to the following address: [email protected]
13. it is necessary to indicate what right the person submitting the application wants to exercise (e.g. the right to receive a copy of the data, the right to delete the data, etc.);
14. it is necessary to indicate which processing process the request relates to (e.g. use of a specific service, activity on a specific website, receiving a newsletter containing commercial information to a specific e-mail address, etc.);
15. It is necessary to indicate the purposes of the processing to which the request relates (e.g. marketing purposes, analytical purposes, etc.).
16. If the Administrator is not able to determine the content of the request or identify the person submitting the request based on the submitted report, it will ask the applicant for additional information.
17. Responses will be given within one month of receipt. If it is necessary to extend this period, the Administrator will inform the applicant of the reasons for such extension.
18. A response will be given to the e-mail address from which the application was sent, and in the case of applications sent by post, by ordinary letter to the address indicated by the applicant, unless the content of the letter indicates a desire to receive feedback to the e-mail address (in this case, the e-mail address should be provided).

§ 6

DATA RECIPIENTS

1. In some situations, the Administrator has the right to transfer your personal data to other recipients, if it is necessary to perform the contract concluded with you or to perform the obligations incumbent on the Administrator. This applies to the following audiences:
   
   1. hosting company on the basis of entrustment
   2. Couriers
   3. Banks
   4. Payment Operators
   5. public authorities
   6. Online chat solution operators
   7. authorized employees and associates who use the data to achieve the purpose of the website
   8. companies providing marketing services to the Administrator.

Data transfers to third countries

In some cases, your personal data may be transferred outside the European Economic Area. This applies in particular to entities offering tools for monitoring, controlling and collecting information about your activity on our websites and the use of cookies, as well as entities offering e-mail dispatch, providing additional services through which you contact Us and entities being providers of Social Networking Sites on which we have accounts (e.g. Facebook, Instagram, YouTube).

The User’s data will be transferred to recipients who guarantee the highest protection and security of data, m.in. by:

• cooperation with entities processing personal data in countries with regard to which an appropriate decision of the European Commission has been issued,
• the use of standard contractual clauses issued by the European Commission,
• application of binding corporate rules approved by the competent supervisory authority,

Currently, the services offered by Google and Facebook are provided mainly by entities located in the European Union. However, you should always read the privacy policies of these providers in order to receive up-to-date information on the protection of personal data.

§ 7

SECURITY OF PERSONAL DATA

The Controller conducts risk analysis on an ongoing basis in order to ensure that personal data is processed by him in a secure manner – ensuring above all that only authorised persons have access to the data and only to the extent that it is necessary due to the tasks performed by them. The Administrator makes sure that all operations on personal data are registered and performed only by authorized employees and associates.

In order to ensure the security of personal data, m.in the following methods are used:

1. The login and personal data entry locations are protected in the transmission layer (SSL certificate). This ensures that the personal data and login data entered on the website are encrypted on the user’s computer and can only be read on the target server.
2. The operator periodically changes its administrative passwords.
3. In order to protect data, the Operator regularly makes backup copies.
4. An important element of data protection is the regular updating of all software used by the Operator to process personal data, which in particular means regular updates of programming components.

The Controller takes all necessary steps to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures in each case when they process personal data at the request of the Controller.

§ 8

CONTACT

Contact with the Administrator is possible via e-mail address [email protected]

§ 9

CHANGE OF PRIVACY POLICY

The policy is reviewed on an ongoing basis and updated if necessary.