Privacy Notice

§ 1 Personal Data Administration

1. The Controller of personal data is POLBERIS SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Osowice 25, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court POZNAŃ – NOWE MIASTO I WILDA, 9th Commercial Division of the National Court Register under KRS number 0000905134, NIP: 6653039625, REGON 389146274, with share capital of 100,000.00 PLN.

1. You may contact the person supervising the processing of personal data electronically at biuro@polberis.pl, in writing at the Controller’s address, or by telephone at +48 632 614 202.
2. This Policy sets out the rules for the processing of personal data by the Controller on the Website, including the legal grounds, purposes, and scope of processing, as well as the rights of data subjects.
3. Personal data is processed by the Controller in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
4. The User’s rights are not absolute and do not apply to all processing activities.

• 2 Definitions

1. Controller – POLBERIS SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, as described above.
2. Personal Data – information about an identified or identifiable natural person, including device IP address, online identifiers, and information collected via cookies or similar technologies.
3. Policy – this Privacy Policy.
4. Cookie Policy – the document defining the rules for using cookies on the Website, available at: https://sklep.polberis.pl/pl/i/Cookies/28.
5. Profiling – automated processing of personal data involving the analysis and prediction of user behaviour.
6. GDPR – Regulation (EU) 2016/679.
7. Website – the online service operated by the Controller at sklep.polberis.pl.
8. User – any natural person visiting the Website or using one or more services or functionalities described in this Policy.

§ 3 Security

1. The Controller has implemented appropriate technical and organisational measures ensuring the security of personal data processing. In particular, the Controller ensures that data is:
• processed lawfully,
• collected for specified, lawful purposes and not further processed in a manner incompatible with those purposes,
• factually correct and adequate for the purposes for which it is processed,
• stored in a form enabling identification of data subjects for no longer than necessary,
• processed in a manner ensuring appropriate security, including protection against unauthorised processing, accidental loss, destruction, or damage.

§ 4 Purposes and Legal Bases for Processing

1. Based on Article 6(1)(a) GDPR – Consent

Personal data may be processed for:

• Retargeting and behavioural advertising, including personalised ads based on user activity history.
• Sending newsletters.
• Storing data in cookies in accordance with the Cookie Policy.
• Managing and maintaining a user account.
• Contact via remote communication tools (phone, email, apps).
• Content moderation.
• Content personalisation.
• Marketing of the Controller’s and partners’ products and services.
• Participation in webinars or online training.
• Participation in competitions and loyalty programmes.
• Invitations to surveys and market research.

2. Based on Article 6(1)(b) GDPR – Contract Performance

Personal data may be processed for:

• Managing the user account.
• Performing a sales contract or service contract, including warranty rights and complaint handling.
• Handling complaints or withdrawal from distance contracts.

3. Based on Article 6(1)(c) GDPR – Legal Obligation

Personal data may be processed for:

• Issuing and storing invoices, accounting documents, and fulfilling tax obligations.
• Cooperation with law enforcement and public authorities.
• Creating registers and documentation required by GDPR.

4. Based on Article 6(1)(f) GDPR – Legitimate Interest

Personal data may be processed for:

• Operating the Website.
• Storing data necessary for proper Website functioning in cookies.
• Managing social media accounts and interacting with users.
• Ensuring Website security and proper functioning.
• Conducting statistics and traffic analysis.
• Direct marketing.
• Establishing or defending legal claims.
• Contact with the User.

5. Other Purposes

Personal data may also be processed for other purposes if the Controller has a valid legal basis and the purpose does not infringe the User’s rights.

 § 5 Profiling

1. The Controller does not use profiling that would result in automated decisions producing legal effects or significantly affecting the User.
2. Personal data is not used to analyse preferences or automatically tailor offers or advertisements.

§ 6 Data Retention Period

1. The retention period depends on the type of service and purpose of processing. Generally, data is processed for the duration of the service, until consent is withdrawn, or until an effective objection is raised.
2. The period may be extended if necessary for establishing or defending claims. After this period, data is irreversibly deleted or anonymised.
3. Examples:
• Contract-related data: stored for the duration of the contract and until claims expire (3 or 6 years).
• Accounting and tax data: stored for 5 years.
• Data processed based on consent: stored until consent is withdrawn.
• User enquiries: stored for up to 12 months after correspondence ends.

§ 7 User Rights

Users have the right to:

• access their personal data,
• rectify personal data,
• delete personal data,
• receive a copy of their data,
• restrict processing,
• object to processing,
• data portability,
• withdraw consent (without affecting prior lawful processing),
• object to processing based on legitimate interest, including direct marketing,
• lodge a complaint with a supervisory authority.

Requests may be submitted via biuro@polberis.pl or by post. The Controller will respond within 30 days. The Controller may refuse a request if further processing is required by law.

§ 8 Recipients of Personal Data

The Controller may disclose personal data when required by law, including to administrative authorities or law enforcement.

§ 9 Data Security

1. The Controller continuously analyses risk to ensure secure processing.
2. Only authorised persons have access to data, and only to the extent necessary.
3. All operations on personal data are logged and performed only by authorised entities.
4. The Controller ensures that cooperating entities provide adequate security measures.
5. Technical safeguards include SSL/TLS encryption, restricted system access, and protection procedures against unauthorised access.

§ 10 Changes to the Privacy Policy

1. The Policy is regularly reviewed and updated.
2. The current version has been in force since 26 January 2026.

Legal compliance of this document is ensured by the lawyers of Kancelaria KZ.