PRIVACY POLICY

1. GENERAL INFORMATION

Information contained in this privacy policy concerns data processing by the following controller: SUPER SAVERS Spółka z ograniczoną odpowiedzialnością, ul. Łopuszańska 37, 02-220 Warszawa, entered into the register of entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw, 13th Commercial Division of the National Court Register, with the number: 000071131, tax ID (NIP): 5223111029, statistical ID (REGON): 369295914. The Controller can be contacted at: biuro@esign.pl or by traditional mail at: SUPER SAVERS Spółka z ograniczoną odpowiedzialnością, ul. Łopuszańska 37, 02-220 Warszawa (Warsaw, Poland). The Controller has appointed a Data Protection Inspector, who can be contacted by e-mail at daneosobowe@esign.pl in any matter relating to personal-data processing.

2. DEFINITIONS

1. Controller — SUPER SAVERS Spółka z ograniczoną odpowiedzialnością with its seat in Warsaw.
2. Personal Data — any information relating to a natural person who is identified or identifiable by reference to one or more identifiers involving the physical, physiological, genetic, mental, economic, cultural or social identity of that person, including the IP of the device, location data, Internet ID and information gathered through cookie files or other similar technology.
3. Policy — this Privacy Policy.
4. GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
5. Act — Act of 10 May 2018 on Personal Data Protection (Polish Journal of Laws — Dz.U.2018.1000 of 24 May 2018).
6. Website — the Controller’s website at www.esign.pl and www.supersavers.pl.
7. User — any natural person visiting the Website or using one or more of the services or functionalities described in the Policy.

3. DATA PROCESSING IN CONNECTION WITH THE USE OF THE WEBSITE

In connection with the User’s use of the Website the Controller collects data to the extent necessary in order to provide the various services available, as well as information about the User’s activity on the Website, in a manner and scope compliant with the provisions of GDPR and of the Act:
a) visiting the Website
After displaying the Website the browser used on the User’s device will automatically send information to the Website’s server. The following information is collected without the User’s participation and stored until automatically deleted:
1) IP address of the requesting computer;
2) access date and hour;
3) name and URL of any file being downloaded;
4) the referring page;
5) the browser used and, if necessary, the operating system on the User’s computer, and
6) the name of the User’s ISP.
b) signing up for our newsletter
If you have given your express consent in accordance with Article 6(1) GDPR, we will use your e-mail address to send the newsletter. For this purpose providing an e-mail address will suffice.
The subscription can be cancelled at any time, including without limitation via the link provided at the end of each newsletter issue. Alternatively, you can request this by e-mail to biuro@esign.pl.
c) contact by e-mail or phone
For any questions you can contact us at the e-mail addresses or by phone at the numbers provided on the Website. Providing a valid e-mail, your name and surname is required when sending us a message, so we can know who sent it and so we can reply. Other information is optional.
Data processing for the purpose of contacting us is done in accordance with Article 6(1) GDPR on the basis of your free consent. Personal Data collected by contacting us by e-mail or phone will automatically be deleted after processing your request.

4. PURPOSES AND LEGAL BASES FOR DATA PROCESSING ON THE WEBSITE

All Website Users’ Personal Data is processed by the Controller for the following purposes:
1) electronic provision of services, in the scope of making available to Users the contents of the Website, product purchases, including without registration, as well as the processing of complaints — the legal basis is the necessity of the processing in order to perform a contract (Article 6(1)(b) GDPR);
2) for analytical purposes — the legal basis for such processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) consisting in analysing User activity and User preferences so as to improve the functionalities used and the services provided;
3) for the Controller’s own and other entities’ marketing purposes;
4) for the determination and enforcement or defence of any claims — the legal basis for such processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) consisting in defending the Controller’s rights.

5. ORDERING

The making of an order (purchase of goods) by a Website User will involve the processing of such User’s data. The provision of data marked as mandatory is required for the acceptance and processing of the order; failure to provide such data will result in the order not being processed. Other data are optional.
Personal Data are processed:
1) for the purposes of processing the order — the legal basis for such processing is necessity in order to perform a contract (Article 6(1)(b) GDPR); for optional data the basis is consent (Article 6(1)(a) GDPR);
2) for the purposes of compliance with the Controller’s regulatory obligations arising, without limitation, from tax provisions or accounting provisions — the basis for such processing is a legal obligation (Article 6(1)(c) GDPR);
3) for analytical and statistical purposes — the legal basis for such processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) consisting in analysing User activity on the Website and User preferences so as to improve the functionalities used;
4) for the determination and enforcement or defence of any claims — the legal basis for such processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) consisting in defending the Controller’s rights.

6. MARKETING

The Controller processes the User’s Personal Data for the purposes of marketing activities consisting in, without limitation:
1) sending e-mail notifications of interesting offers or content containing, in some cases, commercial information;
2) other kinds of activities connected with the direct marketing of goods and services (sending information electronically and telemarketing activities targeting telephone numbers previously provided to the Controller).
In some cases the Controller’s marketing activities involve profiling. This means that the Controller assesses certain factors relating to natural persons by automatic processing in order to analyse their behaviour or create a forecast for the future.

7. SOCIAL MEDIA

The Controller processes the Personal Data of users visiting the Controller’s social-media profiles (Facebook). Such data are processed solely in connection with the operation of such profile, including without limitation for the purpose of informing the Users about the Controller’s activities and for the promotion of products, as well as communication with the Users via functionalities available on social media. The legal basis for the Controller’s processing of Personal Data for this purpose is the Controller’s legitimate interest (Article 6(1)(f) GDPR) consisting in promoting the Controller’s brand and building and maintaining a community associated therewith.

8. DURATION OF PROCESSING

The duration of the Controller’s data processing depends on the type of service provided and the purpose of the processing. In principle, data are processed for the duration of the service provided or order processed, until withdrawal of consent or an effective objection to data processing in cases relying on the Controller’s legitimate interest as the legal basis. The processing duration may be extended if necessary for the determination or enforcement of or defence against any claims, and thereafter only if and to the extent required by the provisions of the law. After the end of the processing duration the data are irretrievably deleted or anonymized.

9. THE USER’S RIGHTS

The User has the following rights:
1. right to information about the data processing — pursuant to Article 15 GDPR the User may request information about the Controller’s data processing, including without limitation information on the purposes of the processing, the categories of data processed, the expected duration of the processing, the existence of the rights to rectification, erasure, objection and complaint;
2. right to rectification — pursuant to Article 16 GDPR the User may request immediate correction (rectification) of any incorrect data or the supplementing of data kept by the Controller;
3. right to obtain a copy — on this basis the Controller provides a copy of the data being processed in reference to the data subject;
4. right to erasure — pursuant to Article 17 GDPR the User may request the erasure of Personal Data kept by the Controller if the processing is no longer necessary for any of the purposes for which such data were collected;
5. right to restriction of processing — pursuant to Article 18 GDPR the User may demand restriction of the processing of Personal Data if the User disputes the correctness of the User’s data, the processing is illegal but you do not want the data deleted and we no longer need them but you need them in order to enforce, exercise or defend against legal claims in accordance with Article 21 GDPR or if you have objected to the processing in accordance with Article 21 GDPR;
6. right to data portability — pursuant to Article 20 GDPR the User has the right to receive the Personal Data referring to the User which the User has provided to the Controller, in a structured, commonly used and computer-readable format or may demand the data to be transmitted to a different controller;
7. right to withdraw consent — pursuant to Article 7(3) GDPR the User may withdraw consent for data processing;
8. right to lodge a complaint — if the User believes that the data processing violates the provisions of GDPR or other provisions on Personal Data protection, the data subject may lodge a complaint with the President of the Polish Office for Personal Data Protection (www.giodo.gov.pl).

10. DATA RECIPIENTS

1. In connection with the performance of services data will be shared with external recipients, including without limitation suppliers responsible for the operation of IT systems, entities such as banks and payment operators, providers of accounting, legal, auditing or consulting services, couriers (in connection with the processing of an order) or marketing agencies (in the scope of marketing services).
2. With the User’s consent the User’s data may be shared with other entities for their own purposes, including marketing purposes.
3. The Controller reserves the right to disclose select information concerning the User to any competent authorities or third parties requesting such information in reliance on a suitable legal basis and in accordance with the provisions of the law in force.

11. MODIFICATIONS OF THE PUBLIC POLICY

The Controller undertakes to conduct regular reviews of this Privacy Policy and update it accordingly.

12. PERSONAL DATA PROCESSING BY ASSECO DATA SYSTEMS S.A.

Super Savers Sp. z o.o. notes that in the scope of the personal data processed by Asseco Data Systems S.A., as regards the terms of data processing, the provisions of this Privacy Policy shall apply, with the following reservations:
1. The Controller of data processed by Asseco Data Systems S.A. is Asseco Data Systems S.A. with its seat in Gdynia, ul. Podolska 21, 81-321 Gdynia, Poland.
2. Asseco Data Systems S.A.’s Data Protection Inspector can be contacted by email at: IOD@assecods.pl, or by telephone at: +48 42 675 63 60.
3. Asseco Data Systems S.A. will process the data for purposes necessary in order to perform a contract, on the basis of Article 6(1)(b) GDPR.
4. Asseco Data Systems S.A. will keep the data for 20 years on the basis of Article 17(2) of the Act of 5 September 2016 on Trust and Electronic Identity Services (Polish Journal of Laws — Dz.U. 2016.1579).
5. The right of access to the contents of personal data shared with Asseco Data Systems S.A. and the right to the rectification, erasure (‘being forgotten’) or restriction of the processing of, or to the portability of, such data, the right to object or withdraw consent at any time without affecting the legality of prior processing on the basis of consent, may all be exercised by request submitted via www.daneosobowe.assecods.pl.