Privacy Policy
This Privacy Policy outlines the principles of processing personal data obtained through the online store btloops.com (hereinafter referred to as the ‘Online Store’).
§ 1 General Provisions
- The owner and data controller of the store is BT LOOPS SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, email contact@btloops.com, address Gdańska 46 / 1A, 85-006 Bydgoszcz, Poland (PL).
- Personal data collected by the controller through the online store is processed in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR).
- The controller takes special care to respect the privacy of customers visiting the online store.
§ 2 Types of Data Processing, Purposes, and Legal Basis
- The controller collects information about individuals engaging in legal activities not directly related to their personal or professional business, individuals conducting business or professional activities on their own behalf, and individuals representing legal entities or organizational units not being legal persons but authorized to carry out economic or professional activities, collectively referred to as ‘Customers.’
- Personal data of Customers is collected when using the contact form service on the online store for the purpose of executing an electronically provided service agreement.
  ● Legal Basis: Necessity for the performance of a contract for the contact form service (Article 6(1)(b) of the GDPR).
- When using the contact form service, Customers provide the following information:
  – Email address
  – First name
  – Phone number
- When placing an order or registering on the store’s website, Customers provide the following information:
  – First name and last name
  – Company name (optional)
  – Country/region
  – Street
  – Tax identification number (NIP, optional)
  – City
  – Postal code
  – Phone number
  – Email address
  Note: Providing the above information is voluntary but necessary for registration or placing an order in the store.
- Additional information, including the IP address assigned to the Customer’s computer or the external IP address of the internet service provider, domain name, browser type, access time, and operating system type, may be collected while using the online store.
- Navigational data, such as information about links and references clicked or other actions taken on the online store, may also be collected.
  ● Legal Basis: Legitimate interest (Article 6(1)(f) of the GDPR), aimed at facilitating the use of electronically provided services and improving the functionality of these services.
- Providing personal data to the controller is voluntary.
§ 3 Disclosure, Storage, and Transfer of Data
- Customer’s personal data is transferred to service providers used by the controller in operating the online store. Service providers processing personal data either follow the controller’s instructions regarding the purposes and methods of data processing (data processors) or independently determine the purposes and methods of data processing (controllers).
  a) Data processors: The controller uses providers who process personal data exclusively on the controller’s instructions. These include hosting service providers, accounting services, marketing systems providers, systems for analyzing traffic on the online store, systems for analyzing the effectiveness of marketing campaigns, payment gateway providers, and shipping service providers.
  b) Controllers: The controller uses providers who do not act solely on the controller’s instructions and independently determine the purposes and methods of using Customer’s personal data. They provide electronic payment and banking services.
- Location: Service providers are primarily located in Poland and other countries within the European Economic Area (EEA).
- Customer’s personal data is stored:
  a) If the processing is based on consent, the Customer’s personal data is processed by the controller until the consent is withdrawn. After withdrawing consent, the data is retained for a period corresponding to the statute of limitations for claims that the controller may raise or that may be raised against the controller. Unless a specific provision states otherwise, the limitation period is six years, and for claims related to periodic benefits and business activities – three years.
  b) If the processing is based on the performance of a contract, the Customer’s personal data is processed by the controller for as long as necessary to perform the contract. After this period, the data is retained for a period corresponding to the statute of limitations for claims. Unless a specific provision states otherwise, the limitation period is six years, and for claims related to periodic benefits and business activities – three years.
- Upon the controller’s request, personal data may be disclosed to authorized state authorities, especially to the organizational units of the Prosecutor’s Office, the Police, the President of the Office for Personal Data Protection, the President of the Office for Competition and Consumer Protection, or the President of the Office of Electronic Communications.
- The controller may collect Customer’s IP addresses. An IP address is a number assigned to a visitor’s computer by the internet service provider. In most cases, it is assigned dynamically, meaning it changes with each internet connection. It is commonly treated as non-personal identifying information. The IP address is used by the controller to diagnose technical problems with the server, create statistical analyses (e.g., determining the regions with the most visits), assist in administering and improving the online store, and for security purposes and the potential identification of unwanted automated programs that burden the server while browsing the store’s content.
§ 4 Data Subject Rights
- The Customer (data subject) has the right to withdraw consent for the processing of personal data – legal basis: Article 7(3) of the GDPR. The Customer has the right to withdraw any consent previously given.
  a) Withdrawal of consent takes effect from the moment of withdrawal.
  b) Withdrawal of consent does not affect processing carried out by the controller in accordance with the law before its withdrawal.
  c) Withdrawal of consent does not entail any negative consequences for the Customer, but it may prevent further use of services or functionalities that the controller can provide only with consent.
- The Customer (data subject) has the right to object to data processing – legal basis: Article 21 of the GDPR.
  a) The Customer has the right to object at any time – for reasons related to their specific situation – to the processing of their personal data, including profiling, when the controller processes their data based on a legitimate interest, e.g., marketing of products and services, conducting statistics on the use of specific functionalities of the online store, facilitating the use of the online store, and customer satisfaction surveys.
  b) Opting out of receiving marketing communications concerning products or services via email will constitute the Customer’s objection to the processing of their personal data, including profiling, for these purposes.
  c) If the Customer’s objection is justified, the controller will have no other legal basis for processing their personal data, and the data will be deleted upon objection.
- The Customer (data subject) has the right to erasure of data (‘right to be forgotten’) – legal basis: Article 17 of the GDPR.
  a) The Customer has the right to request the deletion of all or some of their personal data.
  b) The Customer has the right to request the deletion of personal data if:
    o the personal data is no longer necessary for the purposes for which it was collected or processed,
    o they have withdrawn a specific consent to the extent the personal data has been processed based on their consent,
    o they have objected to the use of their data for marketing purposes,
    o the personal data is processed unlawfully,
    o the personal data must be deleted to comply with a legal obligation under Union or Member State law to which the controller is subject,
    o the personal data has been collected in connection with the offer of information society services.
  c) Despite the request for erasure of personal data due to objection or withdrawal of consent, the controller may retain certain personal data to the extent necessary for establishing, investigating, or defending claims, as well as to comply with a legal obligation requiring processing under Union or Member State law. This particularly applies to personal data including: first name, last name, email address, which are retained for the purpose of handling complaints and claims related to the use of the controller’s services, as well as additional information such as residence/correspondence address and order number, which are retained for handling complaints and claims related to concluded sales agreements or service provision.
- The Customer (data subject) has the right to restrict data processing – legal basis: Article 18 of the GDPR.
  a) The Customer has the right to request the restriction of their personal data processing. Submitting a request prevents the use of specific functionalities or services that involve processing data covered by the request. The controller will not send any messages, including marketing messages, during the time of processing restriction.
  b) The Customer has the right to request the limitation of personal data use in the following cases:
    o when they challenge the accuracy of their personal data – the controller restricts their use for the time needed to verify the accuracy of the data, but not longer than for 7 days,
    o when data processing is unlawful, and instead of deleting the data, the Customer requests the restriction of its use,
    o when personal data is no longer necessary for the purposes for which it was collected or processed but is needed by the Customer to establish, assert, or defend claims,
    o when they object to the use of their data – in this case, the restriction lasts as long as needed to consider whether – due to the specific situation – the protection of the Customer’s interests, rights, and freedoms outweighs the interests pursued by the controller when processing the Customer’s personal data.
- The Customer (data subject) has the right to access data – legal basis: Article 15 of the GDPR.
  a) The Customer has the right to obtain confirmation from the controller on whether personal data concerning them is being processed, and if so, the Customer has the right to:
    o access their personal data,
    o obtain information about the purposes of processing, the categories of personal data processed, the recipients or categories of recipients of this data, the planned period of storing the Customer’s data, or criteria for determining this period (if determining the planned period of data processing is not possible), information about the rights granted to the Customer under the GDPR, and the right to lodge a complaint with the supervisory authority, the source of this data, automated decision-making, including profiling, and the safeguards applied when transferring this data outside the European Union,
    o obtain a copy of their personal data.
- The Customer (data subject) has the right to rectify data – legal basis: Article 16 of the GDPR.
  a) The Customer has the right to request the prompt correction of their inaccurate personal data. Considering the purposes of processing, the Customer, whose data is concerned, has the right to request the completion of incomplete personal data by providing additional statements, by directing the request to the email address in accordance with §6 of the Privacy Policy.
- The Customer (data subject) has the right to data portability – legal basis: Article 20 of the GDPR.
  a) The Customer has the right to receive their personal data provided to the controller, and then to transmit it to another selected data controller. The Customer also has the right to request that the controller transmit their personal data directly to such a data controller, if technically feasible. In this case, the controller will transfer the Customer’s personal data in the form of a csv file, which is a commonly used, machine-readable format that enables sending the received data to another data controller.
  b) If the Customer exercises the right resulting from the above rights, the controller will fulfill the request or refuse to fulfill it immediately, but no later than within one month of receiving it. However, if – due to the complex nature of the request or the number of requests – the controller cannot fulfill the request within one month, the controller will fulfill it within the next two months, informing the Customer in advance within one month of receiving the request about the intended extension and its reasons.
  c) The Customer can address complaints, inquiries, and requests regarding the processing of their personal data and the exercise of their rights to the controller.
  d) The Customer has the right to lodge a complaint with the President of the Office for Personal Data Protection regarding the violation of their rights to the protection of personal data or other rights granted under the GDPR.
§ 5 Final Provisions
- This Privacy Policy may change, and the controller is not obligated to inform about such changes.
- Questions related to the Privacy Policy should be directed to: contact@btloops.com.
- Last modification date: April 6, 2023.