The administrator of personal data collected through the website aquaaga.pl is AGNIESZKA BARBARA HAFTARCZYK, born December 3rd, conducting business under the name FUNDACJA AQUA AGA NIEZWYKLI NURKOWIE, registered in the Central Registration and Information on Business of the Republic of Poland maintained by the minister responsible for the economy, business location: Olimpijska 4 B / 22, 87-100 Toruń, Poland, delivery address: Olimpijska 4 B / 22, 87-100 Toruń, Poland, NIP: 8792704062, REGON: 380851870, email address: [email protected], hereinafter referred to as the 'Administrator'.

Personal data collected by the Administrator through the website is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR, and the Personal Data Protection Act of 10 May 2018.

1. PURPOSE AND LEGAL BASIS OF PROCESSING

1. The Administrator processes personal data via the aquaaga.pl website in the case of:
2. a. use of the contact form by the user. Personal data is processed based on Article 6(1)(f) GDPR as a legitimate interest of the Administrator.
3. b. the user subscribing to the Newsletter for the purpose of sending commercial information electronically. Personal data is processed upon separate consent, based on Article 6(1)(a) GDPR.
4. c. Facebook Ads, Google Ads – the use of forms by the user and the sending of commercial information. Personal data is processed upon separate consent, based on Article 6(1)(a) GDPR.
5. d. Google Analytics analytical tools. Personal data is processed based on Article 6(1)(f) GDPR as a legitimate interest of the Administrator.

2. TYPES OF PERSONAL DATA PROCESSED

1. The Administrator processes the following categories of personal data of the user:
2. a. Name and surname,
3. b. Email address,
4. c. Phone number,
5. d. NIP (Tax Identification Number)

3. PERIOD OF PERSONAL DATA STORAGE

1. Personal data of users is stored by the Administrator:
2. a. in cases where the basis for data processing is the performance of a contract, as long as it is necessary to perform the contract, and after that time for a period corresponding to the period of limitation of claims. Unless a special provision states otherwise, the limitation period is six years, and for periodic benefits and claims related to business activities - three years.
3. b. in cases where the basis for data processing is consent, as long as the consent is not withdrawn, and after the withdrawal of consent for a period corresponding to the limitation period of claims that the Administrator may raise and that may be raised against him. Unless a special provision states otherwise, the limitation period is six years, and for periodic benefits and claims related to business activities - three years.

4. ADDITIONAL INFORMATION

1. While using the website, additional information may be collected, in particular: the IP address assigned to the user's computer or the external IP address of the Internet provider, domain name, browser type, access time, operating system type.
2. Navigation data may also be collected from users, including information about links and references they decide to click on or other actions taken on the website. The legal basis for such activities is the legitimate interest of the Administrator (Article 6(1)(f) GDPR), aimed at facilitating the use of services provided electronically and improving the functionality of these services.
3. Providing personal data by the user is voluntary.
4. Personal data will also be processed in an automated manner in the form of profiling, provided that the user consents to it based on Article 6(1)(a) GDPR. The consequence of profiling will be the assignment of a profile to a given person in order to make decisions concerning them or to analyze or predict their preferences, behaviors, and attitudes.
5. The Administrator takes special care to protect the interests of persons whose data is concerned, and in particular ensures that the data collected by him is:
6. a. processed in accordance with the law,
7. b. collected for specified, lawful purposes and not subjected to further processing incompatible with those purposes,
8. c. factually correct and adequate in relation to the purposes for which they are processed, and stored in a form that permits the identification of persons to whom they relate, no longer than is necessary to achieve the purpose of processing.

Users' personal data is transferred to service providers used by the Administrator in running the website. Service providers to whom personal data is transferred, depending on contractual agreements and circumstances, either follow the Administrator's instructions as to the purposes and means of processing that data (processors) or independently determine the purposes and means of their processing (controllers).

Users' personal data is stored exclusively within the European Economic Area (EEA).

A person whose data is concerned has the right to access their personal data and the right to rectify, delete, limit processing, the right to data portability, the right to object, the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Legal bases for the user's request:

a. Access to data – Article 15 GDPR

b. Rectification of data – Article 16 GDPR.

c. Deletion of data (the so-called 'right to be forgotten') – Article 17 GDPR.

d. Limitation of processing – Article 18 GDPR.

e. Data portability – Article 20 GDPR.

f. Objection – Article 21 GDPR

g. Withdrawal of consent – Article 7(3) GDPR.

To exercise the rights referred to in point 2, you can send an appropriate email to: [email protected].

In the event of a request by the user based on the above rights, the Administrator will comply with the request or refuse to comply with it immediately, but no later than within one month of receiving the request. However, if - due to the complex nature of the request or the number of requests - the Administrator cannot comply with the request within a month, he will comply within the next two months by informing the user in advance within a month of receiving the request - about the intended extension of the deadline and its reasons.

In case of determining that the processing of personal data violates the provisions of the GDPR, the person whose data is concerned has the right to lodge a complaint with the President of the Personal Data Protection Office.

The Administrator's website uses 'cookies' files.

The installation of 'cookies' is necessary for the proper provision of services on the website. 'Cookies' files contain information necessary for the proper functioning of the website, and they also allow for developing general statistics of website visits.

The website uses session and persistent 'cookies' files:

a. 'Session cookies' are temporary files that are stored on the user's terminal device until logging out (leaving the website).

b. 'Persistent cookies' files are stored on the user's terminal device for the time specified in the parameters of 'cookies' files or until they are deleted by the user.

The Administrator uses its own cookies to better understand how the user interacts with the website's content. The files collect information about how the user uses the website, the type of website from which the user was redirected, and the number of visits and the time of the user's visit to the website. These information do not record specific personal data of the user, but are used to compile statistics on the use of the website.

The user has the right to decide on the access of 'cookies' files to their computer through prior selection in their browser window. Detailed information on the possibilities and ways of handling 'cookies' files are available in the settings of the software (web browser).

The Administrator applies technical and organizational measures ensuring the protection of processed personal data appropriate to the risks and categories of data covered by the protection, and in particular, secures data against unauthorized disclosure, takeover by an unauthorized person, processing in violation of applicable regulations, and change, loss, damage, or destruction.

The Administrator provides appropriate technical measures to prevent the acquisition and modification by unauthorized persons, personal data sent electronically.

In matters not regulated by this Privacy Policy, the provisions of the GDPR and other relevant provisions of Polish law shall apply accordingly.