PRIVACY POLICY
effective from [•] 2024
Ninanki Sp. z o.o., ul. Jerzego 6, 43-150 Bieruń, NIP: 6463016992 (the “Administrator”) owner of the portal www.ninanki.pl, together with all its subpages and subdomains (the “Service”) providing services for the sale of goods based on original “Ninanki” character designs and providing an e-commerce platform – an online store for this purpose, protects the privacy of persons using its services and their personal data.
In order to implement the principle of lawful, fair, and transparent processing of personal data while using the Service, the Administrator has adopted this “Privacy Policy”, which defines: the purposes and scope of processed personal data, the method of their protection, legal bases for processing, and the rights of data subjects.
I. Definitions of terms used in the Privacy Policy
- Administrator – Ninanki Sp. z o.o., ul. Jerzego 6, 43-150 Bieruń, NIP: 6463016992;
- Personal Data – any information about an identifiable User, i.e., a person who can be identified directly or indirectly, in particular based on an identifier such as name and surname, identification number, location data, online identifier, or one or more specific factors determining the physical, genetic, mental, economic, cultural, or social identity of a natural person;
- Account – an electronic service created and provided by the Administrator for the User within the Service, under a unique name (login) and secured with a password, constituting a space of exclusive access for the User in the IT system provided by the Administrator and a collection of resources where User data and information about their actions within the Service are stored;
- Profile – a collection of information about the User, both personal information provided within the Account and behavioral information collected by the Administrator and determined based on the analysis of this information in the Profiling process, if used by the Administrator;
- Profiling – any form of automated processing of personal data, which consists of using data collected by the Administrator to evaluate certain personal factors of a natural person, in particular to analyze or predict aspects related to the data collected in the Profile or to infer about characteristics and personal factors of Users other than those collected by the Administrator;
- Regulations – the terms and conditions for the provision of electronic services via the Service, available at: www.ninanki.pl;
- Registration – the procedure for creating an Account;
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Services – a set of services provided by the Administrator, in particular services provided electronically, as well as direct marketing services;
- Service Providers – all entities cooperating with the Administrator, its contractors, who provide their services to the Administrator and directly related marketing services;
- Settings – an Account feature, allowing the User using the Services to appropriately manage these services, including independently modifying their scope and selecting preferences regarding the scope and purposes of processing their personal data;
- User – a registered or unregistered User;
- Registered User – a User who has completed Registration, has an Account, and uses the Services;
- Unregistered User – a natural person who uses Services that do not require creating an Account, including placing Orders; an unregistered User shall also be understood as a registered User who is using the Service at a given time without being logged into their Account;
- Order – a declaration of intent to conclude a sales agreement submitted by the User to the Administrator and covering goods and services available in the Service.
II. Who is the administrator of my personal data, and who is the processor?
Your personal data, provided during Registration, are processed by the Administrator in the capacity of the administrator of Users’ Personal Data and are necessary for (i) the performance of the electronic services agreement concluded with the Administrator, covering maintaining the Account and providing the Services with all their functions, or (ii) the performance of the sales agreement concluded with the Administrator following an Order.
Your personal data provided during Registration may, subject to your expressing the appropriate consents, be used by the Administrator for marketing purposes, and in relation to them, the Administrator will act in the same capacity.
Your personal data, provided during an Order, are additionally processed by carriers responsible for delivering the Order to the address specified by you, as entities processing Personal Data on behalf of the Administrator and are necessary for the performance of the sales agreement concluded with the Administrator following the Order, covering in particular the obligation to deliver purchased items.
In the case of Registration after placing an Order as an unregistered User, the Administrator becomes the administrator of this Personal Data on a separate basis, in accordance with the first paragraph.
In case of questions regarding the processing of Users’ Personal Data and their rights, contact with the Administrator is possible in the following ways:
- via email, at the address: kontakt@ninanki.pl;
- by phone, at the number +48 785 006 008;
- in writing, to the address Ninanki Sp. z o.o., ul. Jerzego 6, 43-150 Bieruń.
Legal basis: information obligation art. 13(1)(a) GDPR and art. 14(1)(a) GDPR
III. How and from whom does the Administrator obtain data?
Personal Data are obtained by the Administrator directly from the data subjects – in the case of Registration, placing an Order, or expressing consent to receive commercial information from the Administrator.
In isolated cases, Personal Data obtained by the Administrator may come from persons other than the data subjects – i.e., from Users placing Orders for delivery to third parties (both acting in their own name but on behalf of the shipment recipients and acting in the name and on behalf of those persons).
In the case referred to in the paragraph above, the Administrator takes necessary actions to fulfill the information obligation arising from art. 14 GDPR towards persons whose Personal Data were obtained in this manner, by sending them Order confirmation, in the case where Giglike has such contact details – i.e., if the User provided the email address of the Personal Data subject. Otherwise, the Administrator does not have the technical capability to communicate with the data subject due to the lack of their contact details and, guided by the principle expressed in art. 11 GDPR, does not collect additional contact details of the third party solely to fulfill the information obligation under art. 14 GDPR.
In the situation described above, the obligation to convey appropriate information, including a link to this Privacy Policy, passes to Users placing Orders on behalf of a third party – who are obliged to immediately provide the data subjects with the content of this Privacy Policy, with particular emphasis on its points II and III, along with information about the User’s person as the source of the personal data.
Remember!
Giglike does not have a database enabling the identification of such persons, therefore arts. 15–20 GDPR do not apply, unless the data subject, in order to exercise their rights under those articles, provides additional information allowing their identification. In such a case, Giglike will not refuse to accept additional information from the data subject, to facilitate the exercise of their rights.
Important!
The Administrator has no way to verify the entitlement to dispose of data and the possession of appropriate consents for their use in a manner other than through the User’s declaration. Therefore, if you believe someone has used your data unlawfully, inform us about it.
Legal basis: information obligation art. 11(2) GDPR and art. 14(2)(f) GDPR.
IV. Scope and purposes of processing Users’ personal data
Users’ personal data are obtained in connection with the conducted business activity and are processed by the Administrator in compliance with the principles specified in the GDPR and solely for the purpose of providing access to the Service’s functionalities and providing the Services.
Because the Administrator provides various services for Users, Users’ personal data are processed for various purposes, in different scopes, and on different legal bases specified in the GDPR. To ensure transparency of information, we have grouped them through the prism of data processing purposes.
Remember!
The purposes described below relate to every case in which the Administrator gains access to personal data. If the implementation of some purposes does not require the Administrator to process personal data, it takes place without their disclosure, or the disclosed data do not constitute personal data or are not protected, the Administrator applies the principle of minimization of processing and does not perform any actions leading to the processing of personal data (i) when it is not necessary or (ii) other than those necessary for the given Purpose.
Purpose 1: Providing Services not requiring Account creation. Using the Service, browsing the Service’s content
Types of Services: The Administrator processes Personal Data of registered and unregistered Users to enable Users to use the Service and browse its content, including access to the online store and current assortment.
Scope of data: For this purpose, the Administrator processes Users’ Personal Data concerning the User’s activity in the Service, including those recorded and stored via cookie files, i.e.: data on viewed subpages of the Service, as well as data concerning the User’s device session and operating system, browser, IP/MAC address, location, and unique ID.
Legal basis: necessity for the performance of the electronic services agreement, the parties to which are the Administrator and the User (art. 6(1)(b) GDPR), as well as the legitimate interests of the Administrator (art. 6(1)(f)), consisting in the proper and correct display of the Service and delivery of content in a defect-free manner.
Purpose 2: Using Services requiring Account creation. Creating an Account, using the Account
Types of Services: The Administrator processes Personal Data of registered Users to enable registered Users to use the Services, in particular managing the Account and Settings, changing data collected in the Profile, access to the history of placed Orders.
Scope of data: For this purpose, the Administrator processes Personal Data of registered Users provided during Registration, i.e., first name and surname, email address, as well as those provided or collected within the Profile.
For this purpose, the Administrator also processes Personal Data of registered Users, concerning the activity of registered Users in the Service, that is, data referred to in Purpose #1.
Legal basis: necessity for the performance of the electronic services agreement concluded for the benefit of the User, concluded as a result of Registration (art. 6(1)(b) GDPR), as well as the legitimate interests of the Administrator (art. 6(1)(f)), consisting in the continuous improvement of the quality of Services and in providing the Service and displaying content in a defect-free manner.
Important note: This Purpose as well as the above legal basis authorize the Administrator to send Users messages of a technical nature, related to the Services and the electronic services agreement concluded with the Administrator, both as a result of actions taken by Users in the Service, and in case of such need on the part of the Administrator (e.g., technical breaks in the Service’s operation, changes to the Regulations, or changes to the Service’s functionality).
Purpose 3: Statistics on the use of individual functions and parts of the Service and facilitating the use of the Service
Types of Services: The Administrator processes Users’ Personal Data to study how Users navigate the Service and to detect early any potential errors (bugs) and non-intuitive solutions.
Scope of data: For these purposes, Personal Data are processed by the Administrator and concern Users’ activity in the Service, such as: data on visited pages and subpages of the Service and the amount of time spent on each of them, mouse movements, as well as data concerning search history, IP address, location, device ID, and data concerning the browser, session, and operating system of Users.
Legal basis: legitimate interest of the Administrator (art. 6(1)(f) GDPR), consisting in improving the functionality of the Service and facilitating access to its functions.
Purpose 4: Placing Orders, making payments, and supervising the delivery process. Settlements, accounting, and legal obligations. Establishing, pursuing, and enforcing claims.
Types of Services: The Administrator processes Users’ Personal Data to enable them to place Orders for products offered by the Administrator, as well as to pay for placed Orders in forms of payment selected by Users. Furthermore, the Administrator processes Users’ Personal Data to fulfill concluded sales agreements, i.e., to deliver ordered products to the appropriate recipients.
The Administrator also processes Users’ Personal Data for the purpose of establishing, pursuing, and enforcing any potential claims against the User (related to payment for the Order) and for defense against claims or their realization, submitted by Users, e.g., under warranty for defects of sold items.
In connection with the above processing, the Administrator may be obliged to process specific categories of Users’ personal data in connection with legal, accounting, or archiving obligations incumbent upon it.
Scope of data: In this scope, the Administrator may process Personal Data including data necessary for the accounting kept by the Administrator, i.e., first name, surname, bank account number or payment instrument number, residence addresses, account or delivery addresses, data concerning the Order for which payment is made, NIP, company data (if applicable), any other data provided by the User during payment, other data concerning the use of Services and provided for the purpose of using the Services, in particular described in Purposes 1-3, as well as other data necessary to prove the existence of a claim, including the extent of the damage incurred.
Legal basis: necessity for the performance of the distance sales agreement concluded for the benefit of the User who placed the Order (art. 6(1)(b) GDPR), necessity to comply with legal obligations incumbent on the Administrator, in particular related to accounting for transactions (art. 6(1)(c) GDPR), as well as the legitimate interest of the data controller (art. 6(1)(f) GDPR), consisting in establishing, pursuing, and enforcing claims and in defense against claims in proceedings before courts and other state authorities.
Important note: Even in a situation where the User deletes all personal data from the Service, a copy of data necessary to carry out the actions discussed above, as well as data constituting part of the Administrator’s accounting books will remain in our database, due to the legally defined obligation to archive accounting documentation mentioned above and our legal interest in obtaining payment for the Order and respecting Users’ rights under warranty. The Administrator makes every effort to ensure that this data is anonymized or pseudonymized to the greatest extent possible.
Purpose 5: Handling complaints and requests, responding to questions
Types of Services: The Administrator processes Users’ Personal Data to enable them to contact the Administrator, submit complaints, claims, or ask questions related to the sales process service or products sold in the Service.
Scope of data: For this purpose, the Administrator processes personal data provided by the User and collected in the Profile, i.e., first name and surname, email address, phone number (if provided) as well as data concerning the use of Services that are the cause of the complaint, request, or inquiry and provided for the purpose of using the Services, as well as data contained in documents attached to the complaint, request, or inquiry.
Legal basis: legitimate interest of the Administrator (art. 6(1)(f) GDPR), consisting in improving the functioning of Services and building positive relationships with Users, and in appropriate cases also necessity to fulfill the distance sales agreement concluded for the benefit of the User who placed the Order (art. 6(1)(b) GDPR) or necessity to comply with a legal obligation incumbent on the Administrator (art. 6(1)(c) GDPR).
Purpose 6: Satisfaction surveys
Types of Services: The Administrator processes Users’ Personal Data to monitor Users’ satisfaction with using the Service, with the goods purchased by them, and with their quality, and to identify areas for improvement in the future.
Scope of data: For this purpose, the Administrator processes personal data provided by the User and collected in the Profile, i.e., first name and surname, email address, as well as data concerning the use of Services, information about placed Orders, as well as answers to questions prepared by the Administrator, contained in surveys and forms used for satisfaction surveys, suggestions for new functionalities, etc.
Legal basis: legitimate interest of the Administrator (art. 6(1)(f) GDPR), consisting in improving the functioning of Services and conducting periodic assessments of Users’ satisfaction with using the Services and the Service.
Purpose 7: Marketing and remarketing
Type of Services: In the event of granting appropriate consent by the User, the Administrator processes Users’ personal data for the purpose of direct marketing of own services or products, e.g., encouraging Users to use the Service in case of User inactivity, to use other Services of the Administrator, or to interest them in novelties and promotions offered by the Administrator.
Scope of data: For this purpose, the Administrator, depending on the case, processes personal data provided or collected in the Profile, in particular during Registration, i.e., first name and surname, email address, phone number (in cases where consent was given to use telecommunications terminal devices for direct marketing via electronic communication means) and concerning the User’s activity in the Service, recorded and stored via cookie files, in particular the history of visited subpages of the Service, Order history, clicks in the Service, login and registration dates, data concerning the display and use of specific Services in the Service.
Remarketing: To reach Users with marketing messages of the Administrator outside the Services, the Administrator may use the services of external providers. These services consist in displaying marketing messages from the Administrator, including commercial information, on other pages than the Service. For this purpose, the Administrator installs appropriate code, text file, or pixel of external providers (e.g., Google, Facebook) to collect information about activity in the Service. This information concerns Users’ activity in the Service, in particular the history of visited subpages of the Service.
Legal basis: legitimate interest of the Administrator (art. 6(1)(f) GDPR), consisting in direct marketing of own services or products and in appropriate cases – also the User’s consent (art. 6(1)(a) GDPR).
V. Cookie files
To facilitate the use of the Service, the Administrator may, via the Service, install cookie files (so-called “cookies”) on the User’s end device – i.e., IT data, in particular small text files, which are saved on your device (e.g., computer, tablet, smartphone) while using websites to store information used to identify the user or remember the history of actions taken by the user in the Service. Upon reconnection to a given page, cookie files can be read by it and used to adjust the page to the user’s remembered preferences or for statistical purposes.
Consent to the installation of cookie files is in principle voluntary, and the User expresses it either through (i) appropriate settings of the web browser from which the connection to the Service is made – in the case of cookie files not containing Personal Data, or (ii) the User’s consent – in the case where cookie files contain data that may constitute Personal Data. The above principles are subject to several exceptions:
- in the case where cookie files do not contain Personal Data and are necessary for the proper functioning of the Service (essential) – the User’s consent is not required, therefore even refusal to use cookie files or lack of consent for their use will not prevent the use of this type of cookie files, solely to the extent necessary to deliver the Service;
- in the case where cookie files do not contain Personal Data but are not necessary for the proper functioning of the Service (optional) – the User’s consent is required, and its refusal or lack will result in refraining from installing this type of cookie files;
- in the case where cookie files contain Personal Data and are necessary for the proper functioning of the Service (essential) – the User’s consent is required, but its refusal or lack will prevent connection to the Service or using it in any scope, because, e.g., information about consent or lack of consent to install other cookie files is stored… in a cookie file 😊
- in the case where cookie files contain Personal Data and are not necessary for the proper functioning of the Service (optional) – the User’s consent is required, and its refusal or lack will result in refraining from installing this type of cookie files.
The purposes for which the Administrator uses cookie files do not require the Administrator to identify the data subject. Therefore, the Administrator has no obligation to retain, obtain, or process additional information to identify the data subject, solely to comply with the GDPR.
In connection with the above, the Administrator informs Users about this in this Privacy Policy. In such cases, the rights described in point XII do not apply, unless the User whose data are concerned, in order to exercise their rights under the GDPR, provides additional information allowing their identification.
Legal basis: art. 11 GDPR.
Types of cookies
Based on their life cycle, cookie files are divided into:
- session – deleted simultaneously with closing the web browser,
- persistent – deleted after a predetermined time, regardless of closing the web browser.
Based on the internet domain they come from, cookie files are divided into:
- own – set by the web servers of our Service,
- third-party – set by the web servers of other sites than our Service.
Purposes of using cookie files
Optimizing the use of the Service (essential and analytical cookies)
The Administrator uses own cookie files to provide the User with convenience in using the Service, including to remember the User’s login from a specific device, to avoid the need to repeat the login procedure in the Service, and to limit the number of displayed notifications (about updating the privacy policy and using cookie files). The Administrator also uses cookie files to check the security of the IT system and to remember User preferences.
Statistics of page and subpage views of the Service (analytical cookies)
The Administrator uses third-party cookie files (e.g., Google Analytics, Google Analytics 360) to count visits to the Service, their duration, and to determine which functions of the Service or its parts were most used or visited. Information collected in this way allows the Administrator to analyze the performance of the Service and determine directions for developing new functions and services.
Tracking activity in the Service (analytical cookies)
The Administrator uses own cookie files to identify the User for the purpose of analyzing the User’s activity in the Service, determining what actions the User took on the pages of the Service, in particular which subpages the User viewed and spent the most time on. Information collected in this way allows the Administrator to assess whether the message directed to the User via the Service is clear and whether the Service requires any changes to the layout of content.
Opting out of cookies
The User has the possibility to define the conditions for storing or accessing cookie files using the settings of the web browser or service configuration. In the browser’s menu bar in the “Help” section (or similar), you can find information on how to reject saving new cookie files, how to delete previously saved cookie files, how to request notification about saving a new cookie file, and how to block the operation of cookie files.
To obtain further information regarding the possibility of opting out of using cookie files and deleting all cookie files created by the Administrator, the Administrator encourages you to contact it in one of the possible ways described in this Privacy Policy.
VI. Mandatory provision of personal data and consequences of not providing it
Providing certain personal data is a condition for using the Services or concluding an agreement for the provision of electronic services or a distance sales agreement with the Administrator. Mandatory data are marked in the Service with “*”. The consequence of not providing this data is the inability for the User to use the Services or conclude a specific agreement. Apart from data marked as mandatory, providing other personal data is voluntary.
Regarding personal data that are collected automatically, their provision is also voluntary, and the User expresses this will by visiting and using the Service combined with appropriate settings of the web browser from which the connection to the Service is made.
VII. Automated decision-making and Profiling
The Administrator makes every reasonable effort to tailor the offer of own services and any marketing messages directed to Users to their interests and preferences. For this purpose, it performs automated processing of personal data, which, however, does not take the form of Profiling. The Administrator may, however, use the effects of Profiling performed by third parties (e.g., Google, Facebook) when directing marketing and remarketing messages to Users.
The Administrator notes, however, that targeting and personalization of the Administrator’s marketing communication and other commercial information, solely based on collected behavioral data (related to Users’ behavior and their activity in the Service, in particular the history of visited subpages) or provided by the Users themselves, provided it is not the result of inferring about other characteristics and personal factors of the User based on data collected in the Profile, does not constitute Profiling.
The above actions and decision-making are of the nature of automated processing of personal data but do not constitute Profiling, as they occur in a situation where a specific action or omission by the User in the Service causes a specific message to be displayed to them – identical for all Users who behaved similarly. However, such a message is not directed to the User based on an assumption made in an automated manner by the Administrator, but in connection with specific information provided by the User.
Automated processing of personal data and decision-making does not pose a significant threat to the rights and freedoms of Users, does not produce significant legal effects concerning them and is not excessively burdensome, and consequently – there are no premises preventing the recognition of the Administrator’s interests as overriding. Therefore, such processing is not covered by the prohibition expressed in art. 22(1) GDPR and does not require the data subject’s consent, and therefore the implementation by the Administrator of appropriate safeguards of the rights, freedoms, and legitimate interests of the data subject, including the right to obtain human intervention on the part of the Administrator, the right to express one’s point of view, and the right to contest the automated decision, is not required.
The consequences of automated processing of Users’ personal data will only be the differentiation of messages directed to them, depending on their undertaken activities in the Services.
VIII. Processing of children’s personal data
To use the Services, the User must be at least 16 years old. The Administrator does not intend to knowingly collect personal data from persons under 16 years of age without obtaining the consent of their parent or guardian.
IX. Recipients of data
Users’ personal data, in respect of which the Administrator acts as the administrator of Personal Data, may be disclosed by the Administrator to other entities. Depending on the circumstances, these entities may be subject to the Administrator’s instructions regarding the purposes and methods of processing this data (processors) or independently determine the purposes and methods of processing Users’ personal data (separate controllers). The Administrator discloses Users’ personal data to the following categories of recipients:
1) Related entities
Users’ personal data may be disclosed to entities related to the Administrator, including Ninanki Sp. z o.o., ul. Jerzego 6, 43-150 Bieruń, NIP: 6463016992, provided there is a legal basis legitimizing such disclosure. These entities apply the same measures of personal data protection, principles, and purposes of their processing as the Administrator, and in relation to the disclosed data, they act as controllers.
Location. Related entities are based in Poland.
2) Service Providers
Users’ personal data may be disclosed to entities that provide services supporting the Administrator’s business activity, e.g., carriers handling Order delivery, providers of marketing tools, accounting, legal advisors.
Processors. The Administrator uses the services of entities that process Users’ personal data solely on its behalf. These include, among others, entities providing hosting services, cloud disk space, providing marketing systems (e.g., for sending newsletters and other emails), for analyzing traffic in the Service, for analyzing the effectiveness of marketing campaigns, etc.
Currently, the Administrator cooperates with the following Service Providers, which are data processors: electronic payment operators, hosting and server service providers, accounting firms, postal operators and courier companies, software and e-commerce system providers, entities providing IT and marketing services.
Controllers. The Administrator also uses the services of entities that do not act solely on its behalf and independently determine the purposes and methods of using Users’ personal data. These are entities providing mainly remarketing campaign services and conducting statistical research.
Currently, the Administrator cooperates with the following Service Providers, which are data controllers: Facebook Ireland Limited, Google Ireland Limited; Amazon EMEA Sarl; Bank ING Bank Śląski, Electronic payment operator – Przelewy24.
Location. Service Providers are based mainly in Poland and in other countries of the European Economic Area (EEA). However, some of the Service Providers may be based outside the EEA territory – in such a case, point X below applies.
3) Persons authorized by the Administrator to process data
The Administrator discloses personal data to persons authorized by the Administrator to process them, in particular employees and associates of the Administrator, solely to the extent necessary to perform their duties.
4) State authorities
Personal data are also disclosed when requested by authorized public authorities, in particular organizational units of the prosecutor’s office, Police, or the supervisory authority for personal data protection (President of the Personal Data Protection Office), to the extent they are obliged or entitled to receive or demand the transfer of such data.
X. Transfer of Personal Data to third countries or international organizations
The Administrator does not plan to transfer your personal data to recipients outside the European Economic Area, i.e., to third countries and international organizations. In the event that such a transfer were to take place, the Administrator will ensure that service providers give guarantees of a high degree of protection of personal data, and that the transfer takes place only where the Administrator has an appropriate legal basis, in a manner consistent with the provisions of Chapter V of the GDPR, i.e., based on lawful data transfer mechanisms that ensure an adequate level of protection, in particular based on the EU-US Data Privacy Framework, an adequacy decision issued by the European Commission, Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCCs).
Where none of the above mechanisms, instruments, guarantees, or requirements is present, or where they are not met, the Administrator will ensure compliance of the processing of Personal Data with the GDPR by obtaining consent from Users for such transfer, and in the absence thereof – by excluding such User’s Personal Data from transfer to a third country or international organization.
XI. Data retention period
Personal data of registered Users who have not placed any Order are stored by the Administrator for the entire period of having an Account in the Service for the purpose of providing the Services, as well as for marketing purposes. After deleting the Account, the data are anonymized, i.e., converted into a permanent string of characters preventing the identification of the person to whom the data pertained.
Personal data of registered Users who have placed at least one Order are stored by the Administrator for the entire period of having an Account in the Service for the purpose of providing the Services and until the expiry of the limitation period for claims applicable to the last Order, whichever occurs later, unless during this time the running of the limitation period for claims was interrupted – in such a case until the expiry of the limitation period or enforcement of the claim. This data is not anonymized after deleting the Account, until the expiry of the last of the above limitation periods. The above does not apply to data contained in the Administrator’s accounting books, which are deleted or anonymized no earlier than after 5 years from the beginning of the year following the financial year in which the payment occurred or should have occurred, subject to the above rule regarding the limitation of claims.
Personal data of unregistered Users who have not placed any Order are stored for a period corresponding to the validity of cookie files saved on their devices, and if they used the Services – until the expiry of the limitation period for claims under the Services they used, depending on their type. After this period, the data are deleted.
Personal data of unregistered Users who have placed at least one Order are stored by the Administrator until the expiry of the limitation period for claims applicable to the last Order, unless during this time the running of the limitation period for claims was interrupted – in such a case until the expiry of the limitation period or enforcement of the claim. This data is not anonymized after deleting the Account, until the expiry of the last of the above limitation periods. The above does not apply to data contained in the Administrator’s accounting books, which are deleted or anonymized no earlier than after 5 years from the beginning of the year following the financial year in which the payment occurred or should have occurred, subject to the above rule regarding the limitation of claims.
Regardless of the above, Personal Data of Users who have consented to receiving commercial information via telecommunications terminal devices are stored by the Administrator to the minimum possible extent for the period useful for the indicated purpose, or until the User objects to the use of their Personal Data for marketing purposes or withdraws the given marketing consent – whichever occurs earlier.
XII. Rights of data subjects
The Administrator, in relation to Personal Data of which it is the controller, ensures that Users can exercise the following rights by contacting it in one of the ways indicated in point II. Additionally, some of the rights can be exercised by logged-in Users through appropriate changes to the Settings.
Right to withdraw consent
The data subject has the right to withdraw any consent given at the time of Registration or Order, as well as while using the Services, Account functions, or Settings. Withdrawal of consent takes effect from the moment of withdrawal. Withdrawal of consent does not affect the processing carried out by the data controller lawfully before its withdrawal.
Withdrawal of consent does not entail any negative consequences. It may, however, prevent further use of the Services. Withdrawal of consent has no effect on processing that takes place on a basis other than the consent of the data subject.
Legal basis: art. 7(3) GDPR.
Right to object to the use of data
The data subject has the right to object at any time to the processing of her personal data, including automated processing, if the processing of data is based on the legitimate interest of the data controller.
Regardless of the above, the data subject has the right to object at any time to the processing of her personal data for direct marketing purposes, to the extent that the processing is related to such direct marketing.
If the data controller is unable to demonstrate another legal basis for processing the personal data of the data subject who has objected, overriding the interests, rights, and freedoms of that person or grounds for establishing, pursuing, or defending claims, it will immediately delete the personal data of such person.
Legal basis: art. 21 GDPR.
Right to erasure of data (“right to be forgotten”)
The data subject has the right to request the erasure of all or some of her personal data processed by the data controller. A request for erasure of all personal data or data mandatory for Registration or Order, submitted by a logged-in User, will be treated, respectively, as a request to delete the Account or withdraw the Order (if technically possible and legally permissible).
The above right is available if at least one of the following circumstances occurs:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject has withdrawn consent on which the processing was based, and the controller has no other legal basis for processing;
- the data subject has objected to the processing and there are no overriding legitimate grounds for the processing or the data subject has objected to the processing of data for direct marketing purposes;
- the personal data have been unlawfully processed;
- the personal data must be erased to comply with a legal obligation under applicable law.
Despite a request for erasure of personal data, in connection with raising an objection or withdrawal of consent, the data controller may retain certain personal data to the extent necessary for the purposes of establishing, pursuing, or defending claims. This applies in particular to personal data including: first name, surname, email address, and transaction history (Orders), which data are retained for the purposes of handling complaints and pursuing claims.
Legal basis: art. 17 GDPR.
Right to restriction of processing
The data subject has the right to request restriction of the processing of her personal data. This right is available if at least one of the following conditions is met:
- the data subject contests the accuracy of the personal data – restriction is made for a period allowing the data controller to verify the accuracy of this data;
- the processing is unlawful and the data subject opposes the erasure of the personal data, requesting instead the restriction of their use;
- the data controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims;
- the data subject has objected to the processing of personal data – restriction is made pending the verification whether the legitimate grounds of the data controller override those of the data subject.
Legal basis: art. 18 GDPR.
Right of access to data
Everyone has the right to obtain from the controller confirmation as to whether or not personal data concerning her are being processed, and if that is the case, the data subject has the right:
- to obtain access to her personal data;
- to obtain information about the purposes of processing, categories of personal data processed, about the recipients or categories of recipients of this data, the envisaged period for which the personal data will be stored or the criteria used to determine that period, about her rights under the GDPR and about the right to lodge a complaint with a supervisory authority, about the source of this data, about automated decision-making, including Profiling, and about safeguards applied in connection with the transfer of this data to a third country;
- to obtain a copy of her personal data.
Legal basis: art. 15 GDPR.
Right to rectification of data
The User has the right to rectification and completion of her personal data provided by herself. This right can be exercised from within the Account, by changing the Settings independently and verifying the scope of data entered within the Account.
Where personal data are not accessible from within the Account, or where the person concerned is not a registered User, that person has the right to request that the Administrator rectify the data (if incorrect) and complete them (if incomplete).
Legal basis: art. 16 GDPR.
Right to data portability
The data subject has the right to receive her personal data, which are in the possession of the data controller, and then transmit them to another data controller of her choice.
The data subject also has the right to request that the personal data be transmitted directly from one controller to another, if technically feasible.
The data controller transmits the data in the form of a file in *.csv format. This format is a commonly used format, suitable for machine reading and allowing the transmission of the received data to another data controller.
Legal basis: art. 20 GDPR.
Right to obtain human intervention on the part of the Administrator
In every case where automated processing of personal data takes place (automated decision-making, including Profiling), the User has the right to contest the decision taken in a solely automated manner, to express her point of view regarding the decision taken, and to request human intervention on the part of the Administrator. Human intervention consists of a person authorized by the Administrator reassessing the characteristics, factors, and premises that were taken into account in the automated decision-making, and issuing a decision different from the previous one or upholding it.
The above right is not available if such a decision does not produce legal effects concerning the User or the impact on her situation is negligible.
If, however, the decision taken in an automated manner: (i) is not necessary for entering into, or performance of, a contract between the User and the Administrator; (ii) is not authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; and (iii) is not based on the data subject’s explicit consent – the expression of the above right, available to the User, is the right not to be subject to a decision based solely on automated processing. In the event of submitting a request to exercise this right, the Administrator takes all reasonable measures to ensure that the decision-making process does not remain solely automated, i.e., to ensure the presence of a human factor in at least one of its stages.
Legal basis: art. 22 GDPR.
XIII. Response time
If the data subject, exercising the rights described in point XII, submits an appropriate request to the Administrator, the Administrator considers the request, positively or negatively, immediately and in any case no later than within one month of receiving it. However, if, due to the complex nature of the request or the number of requests, compliance with the one-month deadline is impossible, the data controller will fulfill the obligation to consider the request within the next two months, after prior notification of the data subject about the existing circumstances.
XIV. Complaints and requests
The Administrator encourages questions and requests regarding the processing of Users’ personal data and the exercise of their rights.
Everyone has the right to lodge a complaint with the supervisory authority for personal data protection (PUODO), if she considers that her right to the protection of personal data or other rights granted to her under the GDPR have been infringed by the Administrator.
XV. Security of personal data
The Administrator makes every effort to ensure the security of personal data processed within the Service, among other things by using encrypted data transmission (SSL) while the Services are being used, which ensures the protection of entered authentication data and significantly hinders the interception of access to the Account by unauthorized systems or persons.
XVI. Changes to the Privacy Policy
As needed, the Administrator may change and update this Privacy Policy. Users will be informed about any changes or additions by posting appropriate information on the Service’s main page or via an email message sent to Users.