PRIVACY POLICY 

For website and online shop: https://exflo.eu/ and https://exflo.eu/store/. Effective from: 12/11/2024.

§1 Data controller identity.

1. The controller of personal data provided during the use of the Site and/or the Online Shop operated under the name www.exflo.pl is EXFLO Sp. z o.o., ul. Wejherowska 6b, 84-207 Koleczkowo, NIP: 5882394296, REGON: 221573710, KRS: 0000404477 District Court in Gdańsk, Share capital: PLN 100,000.00, phone: +48 602 241 000, e-mail: exflo@exflo.pl.

2. The data is processed in accordance with the currently applicable legislation, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR), the Data Protection Act of 10 May 2018, and the Act of 12 July 2024 on Electronic Communications Law.

3.The following Privacy Policy covers the rules for the processing of data of Users of the Site and/or the Shop, as well as of persons who conclude contracts with the Data Controller, including those related to the fulfilment of the Order and/or the contract, as well as data collected through contact with the Data Controller (e-mail address, telephone, traditional correspondence), as well as of persons who like and/or follow the Controller’s fanpage on social media, if any.

§2 Definitions.

1. The following definitions apply in this Policy:

    1. Data Controller – the entity that decides the purpose and means of data processing, in this Policy it is: EXFLO Sp. z o.o.ul. Wejherowska 6b, 84-207 Koleczkowo.
    2. Personal data – any information that, without unreasonable time and cost, can lead to the identification of a natural person, including their identification, address and contact details.
    3. Third country – a country outside the European Economic Area (EEA).
    4. Site – the website available at https://exflo.pl/ through which the User can browse the content of the website, subscribe to the newsletter or contact the Data Controller using the contact details or forms available on the website.
    5. Shop– the online shop available at https://exflo.pl/sklep/ where the Buyer may purchase certain Goods and/or Digital Products.
    6. User/data subject – a natural person being the data subject who uses the services available on the Site/Shop.

§3 Purposes of personal data processing.

1. The Data Controller shall only process personal data where this is permitted by current legislation, including for the purpose of:

    1. preparation and performance of the concluded sales contract, including the conclusion of a distance contract through the online shop (Order), to which the person is a party, as well as the exercise of the rights arising therefrom (non-conformity with the contract, withdrawal from the contract, etc.), and this processing takes place on the basis of Article 6(1)(b) of the GDPR;
    2. documenting the performance of concluded contracts, including issuing a bill or invoice, keeping accounting and tax records, on the basis of Article 6(1)(c) GDPR, i.e. for the purpose of fulfilling legal obligations incumbent on the Data Controller, on the basis of Article 70 of the Tax Ordinance Act of 29 August 1997;
    3. taking action at the request of the data subject, including responding to enquiries made via electronic means of communication or handling traditional correspondence, where this processing takes place on the basis of Article 6(1)(b) of the GDPR;
    4. sending solicited marketing information by electronic means (newsletter) to the e-mail address provided by the User for this purpose, and this processing takes place on the basis of the consent of the User being the data subject, in accordance with Article 6(1)(a) of the GDPR and Article 398 of the Act of 12 July 2024 on Electronic Communications Law;
    5. registering and setting up an Account in the Shop, where this processing takes place on the basis of Article 6(1)(a) of the GDPR, i.e. the consent of the data subject;
    6. marketing the Controller’s own products and services by traditional means, on the basis of Article 6(1)(f) of the GDPR, i.e. to pursue the legitimate interests of the Controller or the data subject;
    7. sending an e-mail requesting feedback on the Shop and/or the Goods/Product which is carried out on the basis of Article 6(1)(f) of the GDPR, and this processing is carried out for the legitimate purpose of the data controller (Seller), which is to improve the range and/or the Goods/Product and/or the Shop by the Shop owner collecting reliable opinions about them;
    8. sending a request for feedback on the Data Controller’s services and Goods/Products by external satisfaction survey services such as [e.g. Opineo, Ceneo, etc,.] with the data subject’s consent, i.e. on the basis of Article 6(1)(a) of the GDPR;
    9. the Controller or the data subject asserting rights and claims on the basis of Article 6(1)(f) of the GDPR for a legitimate purpose.

2. The provision of personal data is necessary for the performance of the distance contract, including the dispatch of the Goods or making the Digital Product available and/or issuing an accounting document, asserting claims, and answering the User’s questions. Otherwise, the provision of personal data is voluntary.

3. Failure to provide the required data prevents the performance of the distance contract (Order), the issuing of a bill or invoice or initiating contact at the request of the data subject.

§4 Method of obtaining personal data.

1. User’s personal data is collected directly from data subjects, i.e. through:

    1. filling in contact details when submitting an enquiry via the form on the website;
    2. filling in the newsletter subscription form;
    3. filling in the order form in the Shop;
    4. registering an account on the Site and/or in the Shop;
    5. the provision of data for the preparation, conclusion and performance of the contract (the Order) by the available means of contact;
    6. direct contact with the data controller using the contact details available on the website or in traditional form at the place of business.

§5 Scope of processed personal data.

1. The scope of processed personal data has been limited to the minimum necessary for the provision of services regarding:

    1. submitting an enquiry via the contact form or by using the contact details available on the Site: e-mail address, telephone number, first name, any other data voluntarily provided by the data subject;
    2. subscription to the newsletter: first name, e-mail address;
    3. placing an Order in the Shop: full name, e-mail address, telephone number, delivery address and, if applicable, collection point address;
    4. registration of an account on the Site and/or in the Shop: full name, e-mail address, password, login;
    5. issuing a bill or invoice or other accounting document: full name or business name, registered office address, tax identification number;
    6. preparation, conclusion and performance of the contract: full name, address, identity card number, etc.

§6 Personal data processing period.

1. The data processing period depends on the purpose for which the data was collected and for the purpose of:

    1. conclusion and performance of a sales contract, including distance sales contract (the Order), for the period necessary to document the performance of the contract, including the issuing a bill or invoice, is 5 years, counting from the end of the calendar year in which the tax payment deadline expired, pursuant to Article 112 of the Value Added Tax Act of 11 March 2004, in connection with Article 70 of the Tax Ordinance Act of 29 August 1997;
    2. sending commercial information by electronic means (newsletter) and/or for setting up an Account in the Shop/submitting a request for feedback by external satisfaction survey services will apply until the consent is revoked, without affecting the compatibility of the processing carried out prior to revocation;
    3. for the period necessary to respond to an enquiry sent via the contact form or made by telephone, but for no longer than 6 months, unless the person decides to conclude a contract with the Data Controller;
    4. for the purpose of asserting claims, pursuant to Article 118 of the Civil Code Act of 23 April 1964. Unless otherwise provided by a specific provision, the limitation period is six years, and three years for claims for periodic benefits and claims relating to the conduct of business.

§7 Personal data recipients.

1. The User’s personal data may be entrusted to other entities for the purpose of performing services at the request of the Data Controller, in particular to entities that support the operation of the Data Controller’s business in terms of:

    1. Site and/or Shop hosting;
    2. e-mail hosting;
    3. servicing and maintenance of the IT systems in which the data is processed, including for the automation of newsletters, issuing accounting documents, processing orders, etc.;
    4. bookkeeping (accounting office);
    5. providing office services (virtual assistant, virtual office, etc.);
    6. providing marketing services (virtual assistant, marketing agency, social media manager, etc.);
    7. courier broker (sites and websites that enable the dispatch of Goods by selected couriers, usually without the need to sign a permanent contract with a courier);
    8. logistical handling of Orders in the Shop (entities carrying out order picking and/or dispatch on behalf of the Seller).

2. The User’s personal data may also be shared with courier and/or postal service providers, banks and/or electronic payment operators of the Site and/or the Shop, as referred to in the Shop Terms of Use.

§8 Transferring data outside the European Economic Area (EEA).

1. The User’s personal data is not transferred to any third country or international organisations.

2. The User’s personal data will be processed by suppliers whose headquarters and/or servers are located in a third country, i.e. outside the European Economic Area. The transfer of data to the USA is based on the European Commission’s decision of 10 July 2023 stating an adequate level of data protection provided by the so-called “EU-US Data Privacy Framework” in relation to providers listed by the US Department of Commerce, such as: Google LLC. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA; Meta Platforms, Inc., Menlo Park, California, USA.

§9 The Controller’s social media fanpage.

1. The Data Controller is also, at the same time, the co-controller of data of its followers on social media, especially persons who use electronic means of communication on the Facebook fanpage @Exflo, maintained by the Data Controller on these social networks.

2. For the remaining scope, the controller of data of the Users of these social networks is Meta Platforms, Inc., Menlo Park, California/Meta Platforms Ireland Limited (formerly: Facebook Inc., with its registered office at 1 Hacker Way, Menlo Park, CA 94025, USA), and the processing of this data is carried out in accordance with the terms and conditions described in the terms of use and privacy policies of the users of these websites, including: https://www.facebook.com/privacy

3. The personal data of the User who likes and/or follows the Controller’s fanpage on social media will be processed outside the European Economic Area in a so-called third country, in particular in the United States of America due to the use of IT solutions whose servers are located outside the European Economic Area.

4. The User’s personal data will be processed in the United States of America (USA). The transfer of data to the USA is based on the European Commission’s decision of 10 July 2023 stating an adequate level of data protection provided by the so-called “EU-US Data Privacy Framework” in relation to providers listed by the US Department of Commerce, such as: Meta Platforms, Inc., Menlo Park, California, USA.

§10 Rights of data subjects.

1. The data subjects have the right to:

    1. to access the content of personal data and receive a first copy of the content of personal data free of charge;
    2. to rectify data that is inaccurate or has been altered;
    3. to erase data, unless there are other legal provisions in force that oblige the data controller to archive the data for a specific period of time;
    4. to data portability, insofar as the processing is based on a contract or on the consent of the data subject and the processing is carried out by automated means;
    5. to revoke consent to the processing of personal data where the processing was based on the data subject’s consent. The withdrawal of consent does not affect the compatibility of the processing carried out before the withdrawal;
    6. to object, on grounds relating to the data subject’s particular situation, against the processing of personal data concerning the data subject based on Article 6(1)(e) or (f) of the GDPR, as well as the right to restrict processing;
    7. not to be subject to automated profiling if the controller would make decisions based solely on automated profiling and produce legal consequences for or similarly affect the data subject;
    8. to control the processing of data and to be informed of the controller’s identity and to be informed of the purpose, scope and means of data processing, the content of data, the source of data, and the manner of disclosure, including recipients or categories of data recipients.

2. The Data Controller can be contacted to exercise the right to information, access to the data content, data rectification, as well as other rights.

3. The data subject also has the right to lodge a complaint with the Personal Data Protection Office (PDPO) if the processing violates the General Data Protection Regulation (GDPR). The complaint may be lodged electronically or by post to: Urząd Ochrony Danych Osobowych [Personal Data Protection Office], ul. Stawki 2, 00-193 Warsaw.

§11 Final provisions.

In the event of a change to the applicable privacy policy, in particular if required by the technical solutions used or changes to the law relating to the privacy of data subjects, appropriate modifications will be made to this Privacy Policy (GDPR), which will be effective within 14 days of publication on the Site and/or the Shop.