
Personal Data Protection Policy and Privacy Policy

PARASON Limited Liability Company with its registered office in Warsaw at ul. Nowogrodzka 31, unit 413, 00-511 Warsaw, Tax Identification Number (NIP): 7011170703, National Business Registry Number (REGON): 526748441, and National Court Register Number (KRS): 0001065245.

Introduction

  1. The Personal Data Protection Policy describes the principles and obligations of the Controller in ensuring an adequate level of personal data protection.
  2. Compliance with this Personal Data Protection Policy is the responsibility of each Employee of the Controller.
  3. The Company's Management Board is responsible for implementing this Personal Data Protection Policy.
  4. This document specifies the principles for processing and protecting the personal data of Customers of the website available at https://parason.pl/personal_data (Privacy Policy).
  5. The Controller of the personal data (Personal Data) of Customers – natural persons – and users (data subjects) of the website https://parason.pl is PARASON Spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw at ul. Nowogrodzka 31, lok. 413, 00-511 Warsaw, Tax Identification Number (NIP): 7011170703, National Business Registry Number (REGON): 526748441, and National Court Register number (KRS): 0001065245.
  6. You can contact the Administrator:
    a) at: ul. Nowogrodzka 31, lok. 413, 00-511 Warsaw;
    b) via email: mail@parason.pl;
    c) by phone: +48573569363.
  7. Personal data referred to in the Privacy Policy are information about an identified or identifiable natural person, i.e., one who can be identified directly or indirectly, in particular based on a characteristic such as: name and surname, identification number, location data, online identifier, or one or more characteristics defining the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  8. The Controller processes Personal Data of data subjects in accordance with applicable regulations, in particular Polish law and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
  9. Processing, within the meaning of the Privacy Policy, means an operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, or consulting.

Definitions

Data: Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Customer: A person using the Controller's services via the website https://parason.pl/
Special Categories of Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning that person's health, sex life, or sexual orientation.
Criminal Data: Data relating to criminal convictions and violations of law or related security measures.
Set of (personal) data: A structured set of personal data accessible according to specific criteria, regardless of whether the set is centralized, decentralized, or functionally or geographically dispersed.
Processing (data): An operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Restriction of processing: Marking stored data to limit its future processing.
Profiling: Any form of automated data processing consisting of the use of data to evaluate certain aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Pseudonymization: Processing data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that they are not attributed to an identified or identifiable natural person.
Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
Data deletion: Destruction of data or its modification in such a way that the identity of the data subject cannot be established (e.g., anonymization).
Administrator / Personal Data Controller (PDA) / Entrepreneur / Seller: PARASON Limited Liability Company with its registered office in Warsaw at ul. Nowogrodzka 31, apt. 413, 00-511 Warsaw, Tax Identification Number (NIP): 7011170703, National Business Registry Number (REGON): 526748441, and National Court Register Number (KRS): 0001065245.
Processor: A natural or legal person, public authority, agency, or other entity that processes data on behalf of the Controller.
Data Protection Officer (DPO): A person appointed by the Controller, supervising compliance with personal data protection rules and performing other duties in accordance with Article 39 of the GDPR.
Authorized Person: A person authorized by the Controller to process personal data. This may be an employee of the Company, a person performing work under a contract of mandate or other civil law contract, as well as a person undertaking volunteer work, an internship, or an apprenticeship.
Consent / Consent of the Data Subject: A voluntary, specific, informed, and unambiguous expression of the data subject's wishes by which the data subject, in the form of a declaration or a clear affirmative action, consents to the processing of data relating to them.
Supervisory Authority: An independent public authority established by a Member State in accordance with Article 51 of the GDPR. In the Republic of Poland, the supervisory authority is the President of the Office for Personal Data Protection.
Third country: A country outside the European Economic Area, i.e., European Union Member States and Iceland, Norway, and Liechtenstein.
Data confidentiality: A property ensuring that data is not made available to unauthorized persons or entities.
Data integrity: A property ensuring that data has not been altered or destroyed in an unauthorized manner.
Data Availability: A property ensuring that data is accessible and usable upon request by an authorized person or entity.
Data Accountability: A property ensuring that the actions of a person or entity can be uniquely attributed only to that person or entity.
Employee: Any person employed by the Controller or any person cooperating with the Controller under civil law contracts.
Contractor: A natural or legal person, public authority, entity, or other entity with which the Company has a business relationship. The term "contractor" does not include employees, temporary workers, trainees, or interns.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
UODO / Personal Data Protection Act: Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2018, item 1000, as amended).
PUODO: President of the Personal Data Protection Office.
Policy: This Personal Data Protection Policy.
Website: The website https://parason.pl/

Principles of data processing

  1. The Controller processes data in accordance with the principles set out in Art. 5 GDPR, i.e.:
    • in accordance with the law, fairly, and transparently;
    • for specific and legitimate purposes;
    • limiting processing to what is necessary;
    • maintaining data accuracy;
    • for no longer than necessary;
    • ensuring data security, integrity, and confidentiality.
  2. The Controller maintains documentation confirming the compliance of data processing with the GDPR and other generally applicable data protection laws applicable to the Entrepreneur's activities. This is intended to implement the principle of accountability referred to in Art. 5 GDPR.

Basis for processing "ordinary" data

  1. The Administrator processes data on the basis of the legal grounds for data processing referred to in Art. 6 GDPR:
    • the data subject has consented to the processing of his or her personal data for one or more specific purposes;
    • processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
    • processing is necessary to comply with a legal obligation to which the controller is subject;
    • processing is necessary to protect the vital interests of the data subject or another natural person;
    • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  2. With respect to data processing based on consent, the Administrator:
    • ensures the voluntary and free nature of consent;
    • enables the withdrawal of consent to data processing (as easily as consent was granted);
    • is able to demonstrate that consent to data processing has been properly obtained; for this purpose, the Administrator has implemented a consent recording system.
  3. With respect to legitimate interests, the Administrator is always able to demonstrate a legitimate interest based on which the data is processed.
  4. In connection with the Customer's use of the Website, the Administrator collects data to the extent necessary to provide the individual services offered, conclude contracts, and also information about the Customer's activity on the Website. The detailed principles and purposes of processing Personal Data collected during the Customer's use of the Website are described below.

Basis for processing special categories of data and criminal data

The Entrepreneur processes special categories of data in accordance with Article 9(2) of the GDPR, i.e. on the basis of:

  • explicit consent to the processing of such data;
  • processing is necessary for the performance of obligations and the exercise of specific rights by the controller or the data subject in the field of labor law, social security, and social protection;
  • processing is necessary to protect the vital interests of the data subject or another natural person, and the data subject is physically or legally incapable of giving consent;
  • processing is carried out within the framework of legitimate activities carried out, with appropriate safeguards, by a foundation, association, or other non-profit entity with political, philosophical, religious, or trade union objectives, provided that the processing relates solely to members or former members of that entity or persons maintaining regular contact with it in connection with its objectives, and that the data are not disclosed outside that entity without the consent of the data subjects;
  • the processing concerns data that has been manifestly made public by the data subject;
  • the processing is necessary for the establishment, exercise, or defense of legal claims or in the course of judicial proceedings;
  • processing is necessary for reasons of substantial public interest, based on Union or Member State law, which are proportionate to the purpose pursued, do not affect the substance of the right to data protection, and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject;
  • processing is necessary for the purposes of preventive or occupational health care, for the assessment of an employee's fitness for work, for medical diagnosis, for the provision of healthcare or social security, for treatment, or for the management of healthcare or social security systems and services based on Union or Member State law or in accordance with a contract with a healthcare professional and subject to conditions and safeguards;
  • processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border health threats or ensuring high standards of quality and safety of healthcare and medicinal products or medical devices, based on Union or Member State law, which provide for appropriate and specific measures to safeguard the rights and freedoms of data subjects, in particular professional secrecy;
  • processing is necessary for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes in accordance with Article 89(1) of the GDPR, based on Union or Member State law, which are proportionate to the pursued objective, do not undermine the essence of the right to data protection, and provide for appropriate, specific measures to protect the fundamental rights and interests of the data subject.

Basis for Processing Criminal Data

The Company may process data relating to criminal convictions and offences or related security measures pursuant to Article 6 of the GDPR, only under the supervision of public authorities or if the processing is authorized by Union or Member State law providing appropriate safeguards for the rights and freedoms of data subjects.

Authorized Persons

The Controller ensures that each Employee has appropriate authorization to process data. The authorization to process data corresponds to the actual data processing needs of the Employee and corresponds to the position/function the Employee holds at the Company. The Administrator maintains a register of authorizations and authorized persons.

Register of data processing activities

  1. The Entrepreneur has developed, maintains, and updates a register of data processing activities.
  2. The Register of Data Processing Activities includes:
    • the name and surname or business name and contact details of the controller and any joint controllers, and, where applicable, the controller's representative and the data protection officer;
    • the purposes of processing;
    • a description of the categories of data subjects and the categories of data;
    • the categories of recipients to whom the data have been or will be disclosed, including recipients in third countries or international organizations;
    • information on the transfer of data to a third country and information on the documentation of appropriate safeguards (where applicable);
    • planned dates for deletion of individual categories of data (if possible);
    • a general description of the technical and organizational security measures (if possible).
  3. Within the Entrepreneur's organization, the Management Board of the Company or a person designated by it is responsible for maintaining the Register of Data Processing Activities. All Employees of the Entrepreneur are obligated to report to the Management Board of the Company or a person designated by it all new data processing operations and changes to data processing operations already entered into the Register of Data Processing Activities (taking into account the elements indicated above).

Serving Individual Rights

  1. The Controller communicates with the data subject in a concise, transparent, and easily accessible manner, using simple, clear language. The Controller provides information in writing or by other means, including, where appropriate, electronically.
  2. The Controller fulfills the information obligations towards data subjects within appropriate deadlines, in particular:
    a) if data is collected directly from the data subject, the Controller shall fulfill the information obligation upon data collection;
    b) if data is collected about the data subject in a manner other than direct, the Controller shall provide the information upon data collection:
    • within a reasonable time after data collection – at the latest within one month – taking into account the specific circumstances of data processing;
    • if the data are to be used for communication with the data subject – at the latest upon the first such communication with the data subject; or
    • if it is planned to disclose personal data to another recipient – at the latest upon their first disclosure.
    • if the Controller plans to further process the data for a purpose other than the purpose for which the data were collected, the Controller shall inform the data subject before such further processing.
  3. The Controller is able to demonstrate compliance with the information obligations.
  4. The Controller shall facilitate the exercise of the data subject's rights, i.e.:
    • right of access to data and a copy of the data;
    • right to rectification;
    • right to erasure;
    • right to restriction of processing;
    • right to data portability;
    • right to object;
    • right not to be subject to a decision based solely on automated processing, including profiling.
  5. The Controller shall, without undue delay – and in any case within one month of receiving the request – provide the data subject with information on the actions taken in connection with the request indicated above. The Controller has the right to extend this deadline by another two months due to the complex nature of the request or the number of requests. However, within one month of receiving the request, the Controller shall inform the data subject of such extension, stating the reasons for the delay.
  6. Within the Entrepreneur's organization, the Company's Management Board or a person designated by it is responsible for handling requests to exercise data subject rights. Each Employee of the Entrepreneur shall report the data subject's request to the Company's Management Board or a person designated by it within 24 hours of receiving the request. Each Employee of the Entrepreneur is obligated to cooperate with the Company's Management Board and the person designated by it in handling such requests.

Contractors

The Controller takes appropriate measures to ensure compliance with personal data protection regulations when establishing business relationships with contractors. In this regard, the Controller assesses the validity of each data processing agreement or data sharing agreement. When concluding data processing agreements, the Controller undertakes measures to examine the potential Processor to ensure compliance with data protection regulations and takes measures to verify the performance of the concluded data processing agreements with the Processor.

Security

  1. The Controller ensures an appropriate level of security, taking into account the state of the art, implementation costs, nature, scope, context, purposes of data processing, and the risk of infringement of the rights and freedoms of natural persons.
  2. In this regard, the Controller conducts an analysis of the risk of infringement of the rights and freedoms of natural persons for data processing activities, taking into account their categories and the categories of data subjects.
  3. When assessing the level of security, the Controller takes into account the risks associated with processing, in particular those resulting from:
    • accidental or unlawful destruction,
    • loss,
    • alteration,
    • unauthorized disclosure, or
    • unauthorized access to personal data transmitted, stored, or otherwise processed.
  4. The Controller applies technical and organizational measures to ensure data security based on conducted risk analyses, in particular:
    • pseudonymization and data encryption;
    • the ability to continuously ensure the confidentiality, integrity, availability, and resilience of processing systems and services;
    • the ability to quickly restore data availability and access in the event of a physical or technical incident;
    • regular testing, measuring, and evaluating the effectiveness of technical and organizational measures intended to ensure the security of processing.

Data Protection Breach

  1. The Controller shall, without undue delay – if possible, no later than 72 hours after the breach is discovered – report the data protection breach to the Personal Data Protection Office (PUODO), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
  2. If a data protection breach is reported to the PUODO after 72 hours, the Controller shall include an explanation of the reasons for the delay.
  3. The data protection breach report shall include, at least:
    • a description of the nature of the data protection breach, including, where possible, the category and approximate number of data subjects, and the category and approximate number of data entries affected by the breach;
    • the name and contact details of the Data Protection Officer (DPO) or another contact point from which more information can be obtained;
    • a description of the possible consequences of the data protection breach;
    • a description of the measures applied or proposed to remedy the data protection breach, including, where appropriate, measures to minimize its potential negative effects.
  4. The Controller documents all data breaches, including the circumstances of the data breach, its effects, and the remedial actions taken. This documentation is intended to enable the Personal Data Protection Office (PUODO) to verify the actions taken by the Controller.
  5. If it is determined that a data breach may pose a high risk to the rights and freedoms of natural persons, the Controller shall notify these persons without undue delay.
  6. Each Employee of the Entrepreneur is obligated to immediately (within 2 hours) inform the Company's Management Board or a person designated by it of a suspected data breach.
  7. Analysis of whether a data breach has occurred rests with the Company's Management Board or a person designated by it. If a data breach is detected, the Company's Management Board or a person designated by it prepares a report to the PUODO and, if applicable, prepares a data breach notification. The Company's Management Board or a person designated by it also maintains the documentation referred to in point 4 above.
  8. The Controller conducts periodic training for Employees on data protection, including the identification of data protection breaches and security issues.

Using the Website

The personal data of all persons using the Website (including IP addresses or other identifiers and information collected through the tools used by the Controller) are processed by the Controller:

  1. for the purpose of providing electronic services by making content collected on the Website available to Customers – in such case, the legal basis for processing is the necessity of processing for the performance of the contract (Article 6, paragraph 1, letter b of the GDPR);
  2. for analytical and statistical purposes – the legal basis for processing is the Controller's legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in analyzing Customer activity and preferences in order to improve the functionalities and services provided;
  3. for establishing, pursuing, or defending against claims – the legal basis for processing is the Controller's legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in protecting their rights;
  4. for the Controller's marketing purposes.

Customer activity on the Website, including their Personal Data, is recorded in system logs. The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller also processes it for technical and administrative purposes, to ensure the security of the IT system and to manage it, as well as for analytical and statistical purposes – in this respect, the legal basis for processing is the Controller's legitimate interest (Article 6, paragraph 1, letter f of the GDPR).

Registration and Management of an Account on the Website

Registration of an Account on the Website requires the provision of Personal Data necessary to create and manage the Account. Providing data marked as mandatory is required to create and manage the Account, and failure to provide this data will result in the inability to create one. Providing the remaining data is voluntary.

The Administrator processes personal data obtained during registration and management of the Account:

  • for the purpose of providing services related to maintaining and managing an account on the Website - the legal basis for processing is the necessity of processing for the performance of the contract (Article 6, paragraph 1, letter b of the GDPR), and in the case of additional data voluntarily provided by the Customer - the legal basis for processing is consent (Article 6, paragraph 1, letter a of the GDPR);
  • for analytical and statistical purposes - in this case, the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR), consisting in analyzing Customer activity and their preferences in order to improve the functionalities used and the services provided;
  • for the Administrator's marketing purposes - the principles of personal data processing for marketing purposes are described in the MARKETING section;
  • for the purpose of pursuing or defending against claims - the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR), consisting in the protection of their rights.

Placing Orders and Reservations, and Concluding and Performing Contracts

Placing an Order or making a Reservation by the Customer involves the processing of their personal data. Providing the data indicated as mandatory is required to accept and process the Order or make a Reservation, and failure to provide such data will result in the Order or Reservation not being fulfilled.

In connection with placing an Order or making a Reservation by the Customer, their personal data will also be processed for the purpose of concluding and performing contracts, including Sales Agreements, Loan Agreements, Insurance Agreements, or other contracts described in accordance with the Website Terms and Conditions.

Personal data are processed:

  • for the purpose of fulfilling a placed Order or making a Reservation – the legal basis for processing is the necessity of processing for the performance of a contract (legal basis for processing: Article 6, paragraph 1, letter b of the GDPR);
  • for the purpose of concluding and implementing contracts, including Sales Agreements, Loan Agreements, Insurance Agreements, or other contracts described in accordance with the Website Terms and Conditions – the legal basis for processing is the necessity of processing for the performance of a contract (legal basis for processing: Article 6, paragraph 1, letter b of the GDPR);
  • for the purpose of fulfilling the statutory obligations incumbent on the Controller – arising in particular from tax and accounting regulations – the legal basis for processing is a legal obligation (legal basis for processing: Article 6, paragraph 1, letter c of the GDPR);
  • for analytical and statistical purposes – the legal basis for processing is the Controller's legitimate interest (legal basis for processing: Article 6, paragraph 1, letter f of the GDPR), consisting in streamlining the purchasing process, conducting analyses of Customer activity on the Website, and purchasing preferences in order to improve the functionalities used;
  • for the purpose of establishing and pursuing claims or defending against claims – the legal basis for processing is the Controller's legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in protecting its rights.

If the Customer posts any personal data of another person on the Website (including their name, address, telephone number, or email address), they may do so only if they do not violate the law or the personal rights of that person.

Marketing

The Administrator processes Customers' Personal Data for marketing purposes, which may include:

  • displaying marketing content to Customers that is not tailored to their preferences (contextual advertising);
  • sending commercial information via various channels, i.e., via email (including in the form of a newsletter), via SMS, or via push notifications, containing information about interesting offers or content regarding the Administrator's products and services or products and services available for purchase on the Website.

Contextual Advertising

The Administrator may process Customers' Personal Data for marketing purposes in connection with the delivery of contextual advertising to Customers. Personal Data processing is then carried out in connection with the Administrator's legitimate interest (Article 6, Section 1, Letter f of the GDPR).

Sending Commercial Information

Customers' personal data may also be used by the Controller to send them marketing content via email (including in the form of a newsletter), via SMS messages, or push notifications. Such actions are undertaken by the Controller only if the Customer has consented to receiving marketing content via the indicated channels; the Customer may withdraw this consent at any time.

Personal data are processed:

  • for the purpose of sending the requested commercial information – the legal basis for processing is the Controller's legitimate interest (Article 6, Section 1, Letter f of the GDPR in conjunction with the relevant provisions on electronic communications), consisting in promoting the goods or services of the Controller or third parties in connection with the consent to receive commercial communications;
  • for analytical and statistical purposes – the legal basis for processing is the Controller's legitimate interest (Article 6, Section 1, Letter f of the GDPR), consisting in analyzing Customer activity on the Website in order to improve the functionalities used.

Handling notifications and forms

The Controller can be contacted by:

  1. e-mail,
  2. traditional mail,
  3. phone.

Using any of the above-mentioned forms of contact requires Personal Data necessary to contact the Customer and respond to the inquiry. Providing the data indicated as mandatory is required to complete the requested contact or submit an inquiry. Failure to provide such data will result in the inability to complete the requested contact or process the submitted inquiry. Providing the remaining data is voluntary.

The Controller processes personal data obtained through the above-mentioned forms of contact:

  1. to identify the sender and process their inquiry, complaint, or notification, and to respond to the inquiry – the legal basis for processing mandatory data is the Controller's legitimate interest (Article 6, Section 1, Letter f of the GDPR), which consists in responding to inquiries submitted to it; for additional data provided voluntarily by the sender, the legal basis for processing is consent (Article 6, paragraph 1, letter a of the GDPR);
  2. for the purpose of handling complaints – the legal basis for processing is the necessity of processing for the performance of the contract (Article 6, paragraph 1, letter b of the GDPR);
  3. for the purpose of handling data subject requests – the legal basis for processing is the legal obligation of the controller (Article 6, paragraph 1, letter c in conjunction with Articles 12-21 of the GDPR);
  4. for analytical and statistical purposes – the legal basis for processing is the Controller's legitimate interest (Article 6, Section 1, Letter f of the GDPR), consisting in streamlining the purchasing process and maintaining statistics on inquiries submitted by Customers via the Website in order to improve its functionality;
  5. for pursuing or defending against claims – the legal basis for processing is the Controller's legitimate interest (Article 6, Section 1, Letter f of the GDPR), consisting in protecting its rights.

Social Media

The Controller processes the Personal Data of Customers visiting the Controller's social media profiles:

  1. Facebook: ..........
  2. YouTube: ..........
  3. Instagram: ..........
  4. X ..........

These data are processed:

  1. to administer and maintain a profile on a given social media platform, including informing Customers about the Administrator's activities and promoting various events, services, and products;
  2. to correspond with Users.

- the legal basis for the processing of Personal Data by the Administrator for this purpose is its legitimate interest (Article 6, Section 1, Letter f of the GDPR), consisting in promoting its own brand.

Period of Personal Data Processing

The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service provision, until the consent is withdrawn or an effective objection is raised to data processing in cases where the legal basis for data processing is the Administrator's legitimate interest.

The data processing period may be extended if processing is necessary to establish and pursue potential claims or defend against claims, and after that period only if and to the extent required by law. After the processing period, the data is irreversibly deleted or anonymized.

Cookies

The Administrator informs Customers that when using the Website, Personal Data is collected automatically in the Website's system logs, through Cookies, the Web Beacon system, and via push notifications.

Information about the Administrator's Cookies and the purposes for which they are used is described in the Cookies Policy.

Data Recipients

The Administrator reserves the right to disclose selected Personal Data to competent authorities or third parties who submit a request for such information, based on an appropriate legal basis, in accordance with applicable law.

The Administrator declares that it entrusts the processing of Personal Data, pursuant to a written agreement concluded in accordance with applicable regulations, to entities providing hosting, administration, maintenance, and management services for the Website, to entities providing services related to message optimization and promotional campaign management, and to suppliers of IT systems and IT tools used by the Administrator.

The Administrator declares that it shares Customer Personal Data with entities providing services to the Administrator to the extent necessary to use the Website, including the execution of concluded contracts, in particular, based on a written agreement concluded in accordance with applicable regulations. Customer Personal Data may be shared, in particular, with suppliers, couriers, banks, payment service providers, and entities providing consulting services.

Data Transfer Outside the EEA

Personal Data may be processed in Poland, a Member State of the European Union (EU), and in the territory of a signatory to the Agreement on the European Economic Area (EEA). Personal Data may also be processed outside the EEA, through transfer by the Controller or Processor, but only if this is necessary to achieve the purposes set out in Section III above, and while ensuring an adequate level of protection, primarily through:

  1. cooperation with entities processing Personal Data in countries for which an appropriate decision has been issued by the European Commission regarding the adequacy of Personal Data protection;
  2. use of standard contractual clauses issued by the European Commission;
  3. use of binding corporate rules approved by the relevant supervisory authority.

The Controller will inform the Data Controller of the intention to transfer Personal Data outside the EEA at the stage of data collection.

Rights and obligations of the data subject

Every Customer has the right to:

  • access their Personal Data, rectify and erase it, and request the restriction of its processing;
  • object to the processing of Personal Data, withdraw consent to the processing of Personal Data for one or more purposes for which it was granted, at any time and without affecting the lawfulness of processing based on consent before its withdrawal, and transfer their Personal Data.

To exercise the rights referred to in points 35 a) and b) above, please send an email to the following address: ..................., call the telephone number ..................., or send written notice of withdrawal of consent to receive commercial information to the Service Provider's address: ul. Nowogrodzka 31, lok. 413, 00-511 Warsaw, with the note "PERSONAL DATA."

Every Customer has the right to lodge a complaint with the President of the Personal Data Protection Office.

The Administrator has appointed a Data Protection Officer, who can be contacted via email at mail@parason.pl regarding any matter concerning the processing of personal data.

Personal Data Protection

The Administrator declares that it strives to provide Customers with a high level of security when using the Website, and for this purpose:

  • applies technical and organizational measures required by law, in particular regarding the security of Personal Data processing;
  • applies measures ensuring:
    i) the ability to continuously ensure the confidentiality, integrity, availability, and resilience of processing systems and services;
    ii) the ability to quickly restore the availability and access to Personal Data in the event of a physical or technical incident;
    iii) regular testing, measuring, and assessing the effectiveness of technical and organizational measures to ensure the security of processing.

Any incidents affecting the security of information and data transmission, including suspected sharing of files containing viruses and other files of a similar nature or containing destructive mechanisms other than files, should be reported to the Controller.

Final Provisions

  1. This Policy comes into effect on the date of its adoption in the manner approved by the Controller.
  2. The provisions of this Policy may be amended in the manner approved by the Controller.
  3. The provisions of this Policy apply to all Employees.
  4. The Controller reviews and updates this Policy at least once every six months.
  5. In matters not regulated in the Privacy Policy, the legal provisions regarding the processing of Personal Data, including the GDPR, shall apply.
  6. The Policy is reviewed on an ongoing basis and updated as necessary. The current version of the Policy was adopted and is effective from May 5, 2025.