§ 1 General Provisions
1 The administrator of personal data of users of the website located at the domain www.jamel.pl is JAMEL Limited Liability Partnership S.K.A., with its registered office in Gdańsk, at 3/7 Liczmańskiego Street, 80-322 Gdańsk, registered in the National Court Register kept by the Gdańsk-Północ District Court in Gdańsk, 7th Economic Division of the National Court Register, under the number KRS: 0000977600, NIP: PL 584-267-47-18, REGON: 220776820 (hereinafter referred to as the "Administrator").
2 Contact with the Administrator is possible:
3 The purpose of this Policy is to define the actions taken concerning personal data collected through the Administrator's website and related services and tools used by its users, as well as within the scope of entering into and performing contracts outside of the website.
4 If necessary, the provisions of this Policy may be subject to change. Any changes will be communicated to users by publishing the new content of the Policy. Individuals who have provided consent for data processing via email or have provided their email addresses during contract execution will also be notified of the changes via email.
§ 2 Legal Bases for Processing, Purposes, and Data Retention
1 User's personal data are processed in accordance with the General Data Protection Regulation, the Personal Data Protection Act, the Act on the Protection of Personal Data of May 10, 2018, and the Act on the Provision of Electronic Services of July 18, 2002.
2 In the case of processing personal data based on an email provided by the user or a complaint, such processing is carried out in accordance with Article 6(1)(b) of the General Data Protection Regulation, which stipulates that data processing is necessary for the performance of actions upon the request of the data subject.
3 In the event of separate consent from the user, their personal data may also be processed by the Administrator for marketing purposes, including sending commercial information electronically to the email address provided by the user (Article 6(1)(a) of the General Data Protection Regulation).
4 In the event of the Administrator entering into and executing sales agreements or service agreements, the other party is obliged to provide the necessary data for the conclusion of the contract (as required by the contractual obligation and, in the case of tax identification numbers, by legal requirement), and for this purpose, the Administrator processes personal data (Article 6(1)(b) of the General Data Protection Regulation).
5 When conducting research and analysis to improve the functioning of available services (e.g., tracking tools), the legal basis for data processing is defined under Article 6(1)(f) of the General Data Protection Regulation.
6 User's personal data are retained no longer than necessary to achieve the purpose of processing, i.e., until consent is withdrawn if processing is based on such consent, until the expiration of the claims of the Administrator and the other party in the scope of contract performance (for sales agreements/service agreements, 2 years, counting from the end of the year), or until the completion of an email inquiry or the conclusion of the complaint review process.
7 In the scope necessary for the proper functioning of the website, its functionality, and the correct execution of payment operations (if carried out through the website), the website uses User metadata. By metadata, we mean the process of reading and recognizing the configuration and components of the user's computer by the website's computer system to tailor the website to its capabilities and establish a secure connection between the user's computer and the website. Importantly, such metadata cannot lead to the identification of the User, nor are they in any way harmful to the data stored on the computer. Nevertheless, the User has the right to withdraw consent to the processing of metadata at any time by configuring their browser accordingly or by downloading the appropriate plugin provided by the browser manufacturer. To do this, you should consult with the software manufacturer and follow their recommendations.
8 The Administrator may use profiling for direct marketing purposes, but decisions made on the basis of profiling by the Administrator do not concern the conclusion or refusal to conclude a contract or the possibility of using electronic services. The result of using profiling may include, for example, granting a discount to a specific person, sending them a discount code, reminding them of unfinished purchases, sending product suggestions that may match the interests or preferences of a particular individual, or proposing better terms compared to the standard offer. Despite profiling, the individual can freely decide whether they want to use the discount received in this way or better terms and make a purchase. Profiling involves the automatic analysis or prediction of the behavior of a specific person on the Administrator's website, such as adding a specific product to the cart, viewing a specific product page, or analyzing the individual's previous activity history on the website. A prerequisite for such profiling is that the Administrator has the personal data of the individual to subsequently send them, for example, a discount code.
9 In the scope necessary for the proper functioning of the website and its functionality, the website may collect other information while the User is using it, including, among others:
a) IP address;
b) information about the device, hardware, and software, such as hardware identifiers, mobile device identifiers (e.g., Apple Identifier for Advertising ["IDFA"] or advertising identifier on an Android device ["AAID"]);
c) platform type;
d) settings and components;
e) installed software;
f) the presence of necessary plugins;
g) approximate geolocation data (developed based on the IP address or device settings);
h) data about the web browser, including the browser type and preferred language.
10 Taking into account the nature, scope, context, and purposes of processing and the risk of violating the rights or freedoms of individuals with varying degrees of likelihood and severity of the threat, the Administrator implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the regulation and can be demonstrated as such. These measures are reviewed and updated as necessary. The Administrator uses technical measures to prevent unauthorized acquisition and modification of personal data transmitted electronically.
§ 3 Data Sharing
1 The Administrator ensures that all collected personal data are used to fulfill obligations towards users. This information will not be shared with third parties except in situations where:
◦ Prior explicit consent of the individuals to whom they relate has been given for such actions, or
2 Additionally, personal data of service recipients and customers may be shared with the following recipients or categories of recipients:
3 The Administrator may provide anonymized data (i.e., data that do not identify specific Users) to external service providers to better understand the attractiveness of advertisements and services for users. In this regard, due to the location of software providers, data may be transferred – while adhering to data protection principles – to third countries. These third countries either provide standard contractual clauses approved by the European Commission for the processing of personal data or have the appropriate authorization to do so based on bilateral data processing agreements between the European Union and the specific third country, provided that it is not a member of the European Economic Area. These entities for the Administrator include:
◦ Google LLC (headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for Google Analytics tools used for website statistics analysis, Google Tag Manager used for managing scripts by easily adding code snippets to the website or application and tracking actions performed by users on the website, Google Ads used for displaying sponsored links in Google search results and on partner websites within the Google AdSense program.
◦ Facebook Inc. (headquarters: Facebook Inc., 1601 S. California Ave. Palo Alto, CA 94304, USA) for Facebook pixel used for tracking conversions from Facebook portal advertisements, optimizing them based on collected data and statistics, and building a target audience list for future advertisements.
4 Third-party analytical technologies integrated with the Administrator's services (including Software Development Kits [SDKs] and Application Programming Interfaces [APIs]) may combine data collected in connection with a user's use of the Administrator's website with information that has been separately collected over time and/or across different platforms. Many of these companies collect and use information based on their own data protection policies, which can be found on their websites. The Administrator encourages you to review these policies.
6 When providing data to third parties, the Administrator makes every effort to ensure that this is only done with entities that have certificates under the (former) Privacy Shield programs EU–USA and Switzerland–USA, which are available at www.privacyshield.gov. In the case of entities using information from the European Economic Area (EEA), these entities will do so in accordance with the "Accountability for Onward Transfer" principle of the Privacy Shield program. In relevant cases, the Administrator will rely on EU standard contractual clauses and other safeguards to facilitate transfers outside the EEA. In line with the European Court of Justice's decision of July 16, 2020, regarding the EU–USA Privacy Shield, and the European Data Protection Board's guidelines, the Administrator continues to assess the legal system of countries to which data is transferred and, as necessary, updates measures to ensure adequate levels of protection.
§ 4 User Rights
1 A user whose personal data is processed has the right to:
a) access, rectify, restrict, delete, or transfer – the person whose data is concerned has the right to request access to their personal data, rectification, deletion ("the right to be forgotten"), or restriction of processing, and has the right to object to processing, as well as the right to data portability. Detailed conditions for exercising the aforementioned rights are indicated in Articles 15-21 of the GDPR.
b) withdraw consent at any time – a person whose data is processed by the Administrator based on their consent (under Article 6(1)(a) or Article 9(2)(a) of the GDPR) has the right to withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
c) lodge a complaint with the supervisory authority – a person whose data is processed by the Administrator has the right to lodge a complaint with the supervisory authority in the manner and according to the procedure specified in the provisions of the GDPR and Polish law, in particular the Data Protection Act. The supervisory authority in Poland is the President of the Office for Personal Data Protection in Warsaw.
d) object – a person whose data is concerned has the right to object, at any time, for reasons related to their particular situation, to the processing of their personal data based on Article 6(1)(e) (public interest or official authority) or (f) (legitimate interests of the controller), including profiling based on those provisions. In such a case, the Administrator may no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
e) object to direct marketing – if personal data is processed for direct marketing purposes (based on the legitimate interests of the Administrator, not on the basis of the data subject's consent), the person whose data is concerned has the right to object at any time to the processing of their personal data for the purposes of such marketing, including profiling, to the extent that it is related to such direct marketing.
2 The implementation of the above rights is carried out based on a user's request sent to the email address firstname.lastname@example.org. Such a request should include the user's first and last name.
3 The user ensures that the data provided or published by them on the website is accurate.
§ 5 Cookies
2 "Cookies" contain, in particular, the domain name of the internet service from which they originate, the duration of their storage on the end-user's device, and a unique number used to identify the browser that connects to the website.
3 "Cookies" are used for the following purposes:
a) Customizing the content of websites to user preferences and optimizing the use of websites,
b) Creating anonymous statistics that, by helping to determine how users use websites, allow for the improvement of their structures and content,
c) Delivering website users advertising content tailored to their interests.
"Cookies" do not serve to identify the user, and their identity is not determined based on them.
4 The fundamental division of "cookies" distinguishes between:
a) Essential "cookies" – they are absolutely necessary for the proper functioning of the website or the functionalities that the user wants to use because without them, we would not be able to provide many of the services we offer. Some of them also ensure the security of the services we provide electronically.
b) Functional "cookies" – they are essential for the website's operation because they:
◦ Contribute to enriching the functionality of websites; without them, the website will work correctly but will not be customized to the user's preferences,
◦ Ensure a high level of website functionality; their absence may reduce the level of website functionality, but it should not prevent complete use of it,
◦ Serve most website functionalities; blocking them will result in selected functions not working correctly.
c) Business-oriented "cookies" – enable the implementation of a business model based on which the website is made available. Blocking them will not result in the unavailability of all functionalities but may reduce the level of service provided by the website owner due to the inability to generate revenue that subsidizes its operation. Examples of this category include advertising cookies.
d) Website configuration "cookies" – allow for the configuration of website functions and services.
e) Security and reliability "cookies" – enable authentication verification and optimize the performance of websites.
f) Authentication "cookies" – inform when a user is logged in, allowing the website to display relevant information and features.
g) Session state tracking "cookies" – store information about how users use the website, often related to the most frequently visited pages or error messages displayed on some pages. "Session state" cookies help improve services and enhance the browsing experience.
h) Process tracking "cookies" – ensure the efficient operation of the website and its available functions.
i) Advertising support "cookies" – enable the display of ads that are more interesting to users while being more valuable to publishers and advertisers. These cookies can also be used to personalize ads and display them beyond websites.
j) Location access "cookies" – allow for the customization of displayed information based on the user's location.
k) Analytics, research, or audit "cookies" – allow website owners to better understand user preferences and enhance and develop products and services through analysis. Typically, website owners or research firms collect anonymous information and process data about trends without identifying individual users.
l) Harmless "cookies" – include cookies necessary for the proper functioning of the website and required to enable website functionality. However, their operation is unrelated to user tracking.
m) Tracking "cookies" – used for user tracking but do not include information that allows the identification of a specific user without additional data.
7 Cookies are also used to facilitate user account logins, including through social media, and to enable users to navigate between subpages on websites without the need to log in again on each subpage. At the same time, cookies are used to secure websites, such as preventing unauthorized access.
8 Within the scope of cookie technology, the Administrator may use tracking pixels or clear GIFs to collect information about how users use their services and their responses to marketing messages sent via email. A pixel is a software code that allows an object, typically a one-pixel-sized image, to be embedded on a webpage, enabling the tracking of user behavior on websites where it is placed. After obtaining the appropriate consent, the browser automatically establishes a direct connection to the server hosting the pixel. Therefore, the processing of data collected by the pixel is done in accordance with the data protection policy of the partner that administers the server mentioned above.
9 The Administrator may use web logs (which contain technical data such as the user's IP address) to monitor traffic within their services, solve technical problems, detect and prevent fraud, and enforce the provisions of the User Agreement.
10 The Administrator informs that the website does not respond to Do Not Track (DNT) signals, but users can disable specific forms of tracking on the internet, including some analytical data and personalized advertising, by changing cookie settings in their browser or using our cookie consent tools (if applicable).
11 Detailed information on changing cookie settings and deleting cookies in the most popular web browsers is available in the help section of your web browser and on the following pages (simply click on the relevant link):