PRIVACY POLICY OF FLARE-AGENCY.COM
TABLE OF CONTENTS:
1. GENERAL PROVISIONS
1.1. This privacy policy is for informational purposes, meaning it is not a source of obligations for Service Users or Portal Users. The privacy policy primarily outlines the rules for the processing of personal data by the Administrator on the Portal, including the bases, purposes, and duration of personal data processing, the rights of data subjects, and information on the use of cookies and analytical tools.
1.2. The Administrator of personal data collected through the Portal is “FLARE Kordian Ojrzyński” a business registered in the Central Registration and Information on Economic Activity, NIP: 6282295474, REGON: 528197235, e-mail address: ojrzynski.kordian@gmail.com.
1.3. Personal data are processed by the Administrator in accordance with applicable legal provisions, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR” or “GDPR Regulation”. The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.4. The use of the Portal is voluntary. Similarly, the provision of personal data by the Portal user, Service User, or Client is voluntary, subject to two exceptions: (1) concluding contracts with the Administrator – failure to provide personal data necessary for the conclusion and performance of a Sales Agreement or an agreement for the provision of Electronic Services with the Administrator, in the cases and to the extent indicated on the website and in this privacy policy, results in the inability to conclude such an agreement. Providing personal data is in such a case a contractual requirement, and if the data subject wishes to conclude a given agreement with the Administrator, they are obliged to provide the required data. The scope of data required for concluding an agreement is always indicated beforehand on the website and in the Portal Regulations; (2) legal obligations of the Administrator – providing personal data is a legal requirement resulting from generally applicable legal provisions imposing an obligation on the Administrator to process personal data (e.g., processing data for the purpose of maintaining tax or accounting records), and failure to provide them will prevent the Administrator from fulfilling these obligations.
1.5. The Administrator takes special care to protect the interests of data subjects whose personal data are processed by them, and in particular is responsible and ensures that the data collected by them are: (1) processed lawfully; (2) collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes; (3) factually correct and adequate in relation to the purposes for which they are processed; (4) stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; and (5) processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.
1.6. Taking into account the nature, scope, context, and purposes of processing, as well as the risk of violating the rights or freedoms of natural persons with varying probabilities and severity of the threat, the Administrator implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with this regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Administrator uses technical measures to prevent unauthorized persons from obtaining and modifying personal data transmitted electronically.
2. BASIS OF PERSONAL DATA PROCESSING
2.1. The Administrator is entitled to process personal data in cases where – and to the extent that – at least one of the following conditions is met: (1) the data subject has given consent to the processing of their personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Administrator is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2.2. The processing of personal data by the Administrator requires in each case the existence of at least one of the bases indicated in point 2.1 of the privacy policy. Specific bases for the processing of personal data of Service Users by the Administrator are indicated in the next point of the privacy policy – in relation to a given purpose of personal data processing by the Administrator.
3. PURPOSE, BASIS AND DURATION OF DATA PROCESSING
3.1. Each time, the purpose, basis, duration, and recipients of personal data processed by the Administrator result from the actions taken by the given Service User or by the Administrator.
3.2. The Administrator may process personal data for the following purposes, on the following bases, and for the periods indicated in the table below:
| Purpose of data processing | Legal basis for data processing | Data retention period |
| Execution of a contract for the provision of Electronic Services or taking steps at the request of the data subject prior to entering into the aforementioned contracts | Article 6(1)(b) of the GDPR Regulation (execution of a contract) – processing is necessary for the execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract | Data are stored for the period necessary for the execution, termination or expiration in any other way of the concluded contract for the provision of Electronic Services. |
| Direct marketing | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the administrator) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator – consisting in caring for the interests and good image of the Administrator, and striving to sell Services | Data are stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the period of limitation of the Administrator’s claims against the data subject arising from the Administrator’s business activities. The limitation period is determined by legal provisions, in particular the Civil Code (the basic limitation period for claims related to business activities is three years, and for a sales contract, two years). The Administrator may not process data for direct marketing purposes if the data subject has effectively objected to this. |
| Marketing | Article 6(1)(a) of the GDPR Regulation (consent) – the data subject has given consent to the processing of their personal data for marketing purposes by the Administrator | Data are stored until the data subject withdraws consent to further processing of their data for this purpose. |
| Maintaining accounting records | Article 6(1)(c) of the GDPR Regulation in conjunction with Article 74(2) of the Accounting Act of 30 January 2018 (Journal of Laws of 2018, item 395) – processing is necessary for compliance with a legal obligation to which the Administrator is subject | Data are stored for the period required by law obliging the Administrator to keep accounting records (5 years from the beginning of the year following the financial year to which the data relate). |
| Establishing, pursuing or defending claims that the Administrator may raise or that may be raised against the Administrator | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the administrator) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator – consisting in establishing, pursuing or defending claims that the Administrator may raise or that may be raised against the Administrator | Data are stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the period of limitation of claims that may be raised against the Administrator (the basic limitation period for claims against the Administrator is six years). |
| Use of the Website and ensuring its proper operation | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the administrator) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator – consisting in running and maintaining the website | Data are stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the period of limitation of the Administrator’s claims against the data subject arising from the Administrator’s business activities. The limitation period is determined by legal provisions, in particular the Civil Code (the basic limitation period for claims related to business activities is three years, and for a sales contract, two years). |
| Conducting statistics and analyzing traffic on the Portal | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the administrator) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator – consisting in conducting statistics and analyzing traffic to | Data are stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the period of limitation of the Administrator’s claims against the data subject 1 arising from the Administrator’s business activities. The limitation period is determined by legal provisions, in particular the Civil Code (the basic limitation period for claims related to 2 business activities is three years, and for a sales contract, two years). |
4. DATA RECIPIENTS
4.1. For the proper functioning of the Portal, including the execution of concluded Agreements, it is necessary for the Administrator to use the services of external entities (such as software providers, couriers, or payment service providers). The Administrator only uses the services of such processors who provide sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR Regulation and protects the rights of data subjects.
4.2. The transfer of data by the Administrator does not occur in every case and not to all recipients or categories of recipients indicated in the privacy policy – the Administrator transfers data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve it.
4.3. Personal data of Service Users may be transferred to the following recipients or categories of recipients:
4.3.1. Entities handling electronic or payment card payments – in the case of a Service User who uses electronic or payment card payment methods on the Portal, the Administrator shares the collected personal data of the Client with the selected entity handling these payments on behalf of the Administrator to the extent necessary to handle the payment made by the Client.
4.3.2. Service providers supplying the Administrator with technical, IT, and organizational solutions enabling the Administrator to conduct business and provide Electronic Services through it (in particular, providers of computer software for running the Portal, email and hosting providers, and providers of software for company management and technical support for the Administrator) – the Administrator shares the collected personal data of the Client with the selected provider acting on its behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this privacy policy.
4.3.3. Providers of accounting, legal, and advisory services providing the Administrator with accounting, legal, or advisory support (in particular, accounting offices, law firms, or debt collection companies) – the Administrator shares the collected personal data of the Client with the selected provider acting on its behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this privacy policy.
5. PROFILING
5.1. The GDPR Regulation imposes an obligation on the Administrator to provide information about automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR Regulation, and – at least in those cases – meaningful information about the logic involved, as well as the significance and the predicted consequences of such processing for the data subject. Bearing this in mind, the Administrator provides information about possible profiling in this section of the privacy policy.
5.2. The Administrator may use profiling for direct marketing purposes, but decisions made by the Administrator based on it do not concern the conclusion or refusal to conclude any Agreement, or the possibility of using Electronic Services. The effect of using profiling may be, for example, granting a discount to a given person, sending them a discount code, reminding them of unfinished activities on the Portal, sending a proposal for a Service that may correspond to the interests or preferences of a given person, or offering better conditions compared to the standard offer. Despite profiling, the given person freely decides whether they want to use the discount or better conditions received in this way.
5.3. Profiling consists of automatically analyzing or predicting the behavior of a given person on the website, for example, by analyzing the history of their previous activities. A condition for such profiling is the Administrator’s possession of the personal data of the given person, so that they can then send them, for example, a discount code.
5.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
6. RIGHTS OF THE DATA SUBJECT
6.1. Right of access, rectification, restriction, erasure or portability – the data subject has the right to request from the Administrator access to their personal data, rectification, erasure (“right to be forgotten”) or restriction of processing, and has the right to object to processing, as well as the right to data portability. Detailed conditions for exercising the above rights are set out in Articles 15-21 of the GDPR Regulation.
6.2. Right to withdraw consent at any time – if the data subject’s data are processed by the Administrator on the basis of consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR Regulation), they have the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
6.3. Right to lodge a complaint with a supervisory authority – the data subject whose data are processed by the Administrator has the right to lodge a complaint with a supervisory authority in the manner and procedure specified in the provisions of the GDPR Regulation and Polish law, in particular the Act on the Protection of Personal Data. The supervisory authority in Poland is the President of the Personal Data Protection Office.
6.4. Right to object – the data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) (public interest or tasks) or (f) (legitimate interest of the controller) of Article 6(1), including profiling based on those provisions. The Administrator shall no longer process the personal data unless the Administrator demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
6.5. Right to object to direct marketing – where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.
7. COOKIES AND ANALYTICS
7.1. Cookies are small pieces of text information in the form of text files, sent by the server and stored on the side of the person visiting the website (e.g., on the hard drive of a computer, laptop, or on the memory card of a smartphone – depending on which device the visitor uses to browse our website). Detailed information about cookies, as well as their history, can be found, among others, here: http://pl.wikipedia.org/wiki/Ciasteczko
7.2. The Administrator may process data contained in cookies when visitors use the website for the following purposes:
7.2.1. Identifying Service Users as logged in on the website and showing that they are logged in;
7.2.2. Remembering Products added to the shopping cart to place an Order;
7.2.3. Remembering data from filled-in Order Forms, surveys, or login data to the Portal;
7.2.4. Adapting the content of the website to the individual preferences of the Service User (e.g., regarding colors, font size, page layout) and optimizing the use of the pages;
7.2.5. Conducting anonymous statistics showing how the website is used;
7.2.6. Remarketing, i.e., examining the behavioral characteristics of visitors through anonymous analysis of their activities (e.g., repeated visits to specific pages, keywords, etc.) to create their profile and provide them with advertisements tailored to their anticipated interests, including when they visit other websites in advertising networks of Google (Alphabet Inc.) and Facebook (Meta Platforms, Inc.).
7.3. By default, most web browsers available on the market accept the storage of cookies. Everyone has the ability to define the conditions for using cookies through the settings of their own web browser. This means that you can, for example, partially limit (e.g., temporarily) or completely disable the ability to store cookies – in the latter case, however, this may affect some functionalities of the portal (for example, it may be impossible to complete the Order path through the Order Form due to the non-remembering of Products in the shopping cart during subsequent steps of placing the Order).
7.4. Web browser settings regarding cookies are important from the point of view of consent to the use of cookies by our portal – according to the regulations, such consent can also be expressed through web browser settings. In the absence of such consent, you should change the web browser settings regarding cookies accordingly.
7.5. Detailed information on changing cookie settings and their self-removal in the most popular web browsers is available in the help section of the web browser.
7.6. The Administrator may use Google Analytics services provided by Alphabet Inc. These services help the Administrator to conduct statistics and analyze traffic on the Portal. The collected data are processed within the above services to generate statistics helpful in administering and analyzing traffic. These data are aggregate. The Administrator, using the above services, collects data such as the sources and medium of visitor acquisition and their behavior on the Portal website, information about the devices and browsers they use to visit the website, IP and domain, geographic data, and demographic data (age, gender) and interests.
7.7. It is possible for a given person to easily block the sharing of information about their activity on flare-agency.com with Google Analytics – for this purpose, you can, for example, install a browser add-on provided by Google, available here: https://tools.google.com/dlpage/gaoptout?hl=pl
7.8. The Administrator may use the Facebook Pixel service provided by Meta Platforms, Inc. This service helps the Administrator to measure the effectiveness of advertisements and to learn what actions visitors take on the website, as well as to display tailored advertisements to these people. Detailed information about the operation of the Facebook Pixel can be found at the following web address: https://www.facebook.com/business/help/742478679120153?helpref=page_content
7.9. Managing the operation of the Facebook Pixel is possible through advertisement settings in your account on Facebook.com: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
8. FINAL PROVISIONS
The Portal may contain links to other websites. The Administrator encourages you to familiarize yourself with the privacy policy established there after going to other websites. This privacy policy applies only to the flare-agency.com Portal of the Administrator.
