PRIVACY POLICY OF THE SKYANDSAND.PL WEBSITE
TABLE OF CONTENTS:
1. GENERAL PROVISIONS
1.1. This privacy policy is for informational purposes only, meaning it does not impose any obligations on the Users. The privacy policy primarily sets out the principles of personal data processing by the Administrator, including the basis, purposes, and duration of personal data processing, as well as the rights of data subjects and information regarding the use of cookies and analytical tools.
1.2. The administrator of personal data collected through the skyandsand.pl website (hereinafter referred to as the “Service”) is Maria Smoleńska, conducting business under the company name SKY&SAND Maria SMOLEŃSKA, registered in the Central Registration and Information on Business (CEIDG) of the Republic of Poland, maintained by the minister responsible for the economy, with the following details: business location and correspondence address: Bolesława Chrobrego 91, 87-100 Toruń, NIP 878 175 55 93, REGON 340563688, email address: biuro@skyandsand.pl, telephone number: +48 512 417 904 – hereinafter referred to as the “Administrator” and at the same time the Service Provider of the “Service.”
1.3. Personal data in the Service is processed by the Administrator in accordance with applicable legal regulations, in particular, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR” or the “GDPR Regulation.” Official text of the GDPR Regulation: link.
1.4. The use of the Service is voluntary. Similarly, providing personal data by the User utilizing the Service is voluntary, except for two cases:
(1) Entering into contracts with the Administrator – failure to provide personal data required for concluding and executing a contract with the Administrator, as specified on the Service website and in this privacy policy, will result in the inability to conclude such a contract. Providing personal data in this case is a contractual requirement, and if the data subject wishes to enter into a contract with the Administrator, they must provide the required data. The scope of required data is always specified beforehand on the Service website.
(2) Statutory obligations of the Administrator – providing personal data is a statutory requirement arising from generally applicable legal provisions imposing an obligation on the Administrator to process personal data (e.g., data processing for accounting purposes), and failure to provide such data will prevent the Administrator from fulfilling these obligations.
1.5. The Administrator takes special care to protect the interests of individuals whose personal data it processes, and in particular, ensures that the collected data is:
(1) Processed lawfully;
(2) Collected for specified, lawful purposes and not further processed in a manner incompatible with those purposes;
(3) Substantially correct and adequate in relation to the purposes for which they are processed;
(4) Stored in a form that allows the identification of the data subjects for no longer than necessary to achieve the processing purpose; and
(5) Processed in a way that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures.
1.6. Taking into account the nature, scope, context, and purposes of processing, as well as the risk of violating the rights or freedoms of natural persons with varying probabilities and severity of threats, the Administrator implements appropriate technical and organizational measures to ensure that processing complies with the GDPR Regulation and can demonstrate this compliance. These measures are reviewed and updated as necessary. The Administrator uses technical measures to prevent unauthorized persons from acquiring and modifying personal data transmitted electronically.
2. PRINCIPLES OF DATA PROCESSING
2.1. The Administrator is authorized to process personal data in cases where – and to the extent that – at least one of the following conditions is met:
(1) The data subject has given consent to the processing of their personal data for one or more specified purposes;
(2) Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
(3) Processing is necessary for compliance with a legal obligation to which the Administrator is subject; or
(4) Processing is necessary for the purposes of legitimate interests pursued by the Administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly when the data subject is a child.
2.2. The processing of personal data by the Administrator always requires the existence of at least one of the grounds specified in section 2.1 of this privacy policy. The specific legal grounds for the processing of Users’ and Clients’ personal data by the Administrator are specified in the following section of the privacy policy – with reference to the specific purpose of data processing by the Administrator.
3. PURPOSE, LEGAL BASIS, AND DATA RETENTION PERIOD IN THE SERVICE
3.1. The purpose, legal basis, period, and recipients of the personal data processed by the Administrator depend on the actions taken by the respective User or Client of the Service or by the Administrator.
3.2. The Administrator may process personal data within the Service for the following purposes, based on the legal grounds and retention periods indicated in the table below:
| Purpose of Data Processing | Legal Basis for Data Processing | Data Retention Period |
| Performance of a Contract or taking action at the request of the data subject prior to entering into the contract | Article 6(1)(b) GDPR (performance of a contract) – processing is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject prior to entering into a contract | Data is stored for the period necessary to perform, terminate, or otherwise expire the concluded contract. |
| Direct Marketing | Article 6(1)(f) GDPR (legitimate interest of the Administrator) – processing is necessary for the purposes of the Administrator’s legitimate interests, which consist of taking care of the Administrator’s and the Service’s interests and good image. | Data is stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the limitation period for claims of the Administrator against the data subject resulting from the Administrator’s business activities. The limitation period is defined by legal regulations, particularly the Civil Code (the basic limitation period for claims related to business activities is three years). The Administrator cannot process data for direct marketing if the data subject has effectively objected to such processing. |
| Marketing | Article 6(1)(a) GDPR (consent) – the data subject has given consent for their personal data to be processed for marketing purposes by the Administrator | Data is stored until the data subject withdraws their consent for further processing of their data for this purpose. |
| Customer review of a concluded contract | Article 6(1)(a) GDPR (consent) – the data subject has given consent for their personal data to be processed for the purpose of providing a review | Data is stored until the data subject withdraws their consent for further processing of their data for this purpose. |
| Maintaining tax records | Article 6(1)(c) GDPR (legal obligation) in conjunction with Article 86 § 1 of the Tax Ordinance Act of January 17, 2017 (Journal of Laws of 2017, item 201, as amended) – processing is necessary to comply with a legal obligation to which the Administrator is subject | Data is stored for the period required by legal provisions obliging the Administrator to retain tax records (until the expiration of the tax obligation limitation period unless tax laws specify otherwise). |
| Establishing, pursuing, or defending claims that the Administrator may raise or that may be raised against the Administrator | Article 6(1)(f) GDPR (legitimate interest of the Administrator) – processing is necessary for the purposes of the Administrator’s legitimate interests consisting of establishing, pursuing, or defending claims that the Administrator may raise or that may be raised against the Administrator | Data is stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the limitation period for claims that may be raised against the Administrator (the basic limitation period for claims against the Administrator is six years). |
| Use of the Service and ensuring its proper functioning | Article 6(1)(f) GDPR (legitimate interest of the Administrator) – processing is necessary for the purposes of the Administrator’s legitimate interests in operating and maintaining the Service. | Data is stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the limitation period for claims of the Administrator against the data subject resulting from the Administrator’s business activities. |
| Conducting statistics and analyzing traffic in the Service | Article 6(1)(f) GDPR (legitimate interest of the Administrator) – processing is necessary for the purposes of the Administrator’s legitimate interests in conducting statistics and analyzing traffic in the Service to improve its functionality. | Data is stored for the duration of the legitimate interest pursued by the Administrator, but no longer than the limitation period for claims of the Administrator against the data subject resulting from the Administrator’s business activities. |
4. DATA RECIPIENTS IN THE SERVICE
4.1. To ensure the proper functioning of the Service, including the execution of concluded contracts, the Administrator must use the services of external entities (such as software providers). The Administrator only uses the services of such data processors who provide sufficient guarantees of implementing appropriate technical and organizational measures to ensure that processing complies with the GDPR and protects the rights of data subjects.
4.2. Personal data may be transferred by the Administrator to a third country, provided that the country ensures an adequate level of protection in accordance with the GDPR. In the case of other countries, data transfers will be based on standard contractual clauses. The Administrator ensures that the data subject can obtain a copy of their data. Data is transferred only when necessary for the purpose of processing in accordance with this privacy policy.
4.3. Data transfer by the Administrator does not occur in every case nor to all recipients or categories of recipients indicated in this privacy policy – the Administrator transfers data only when necessary to achieve a given processing purpose and only to the extent necessary.
4.4. Personal data of Users and Clients of the Service may be transferred to the following recipients or categories of recipients:
5. RIGHTS OF THE DATA SUBJECT
5.1. Right of access, rectification, restriction, deletion, or data portability – The data subject has the right to request from the Administrator access to their personal data, its rectification, deletion (“right to be forgotten”), or restriction of processing. They also have the right to object to processing, as well as the right to data portability. Detailed conditions for exercising the aforementioned rights are set out in Articles 15-21 of the GDPR.
5.2. Right to withdraw consent at any time – If the Administrator processes the data based on consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR), the data subject has the right to withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
5.3. Right to lodge a complaint with a supervisory authority – A data subject whose data is processed by the Administrator has the right to lodge a complaint with a supervisory authority in accordance with the provisions of the GDPR and Polish law, particularly the Act on Personal Data Protection. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
5.4. Right to object – The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the administrator), including profiling based on these provisions. In such cases, the Administrator may no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
5.5. Right to object to direct marketing – If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling to the extent that it is related to such direct marketing.
5.6. To exercise the rights referred to in this section of the privacy policy, one may contact the Administrator by sending an appropriate message in writing or by email to the Administrator’s address specified at the beginning of the privacy policy.
6. COOKIES AND ANALYTICS ON THE SERVICE
6.1. Cookies are small text files in the form of text files sent by a server and stored on the device of the person visiting the Service’s website (e.g., on a computer hard drive, laptop, or memory card of a smartphone, depending on the device used by the visitor). Detailed information about cookies, as well as their history, can be found, among others, here: https://en.wikipedia.org/wiki/HTTP_cookie.
6.2. Cookies that may be sent by the Service’s website can be categorized based on the following criteria:
6.3. The Administrator may process data contained in cookies when visitors use the Service for the following specific purposes:
6.4. It is possible to check which cookies (including their duration and provider) are being sent by the Service’s website in popular browsers as follows:
6.5. Most web browsers by default accept cookies. However, users can change cookie settings in their browser, including limiting or disabling them. Disabling cookies may affect some website functionalities.
6.6. Browser settings regarding cookies are relevant for granting consent for cookie use. According to regulations, such consent can also be given through browser settings. Detailed information on changing cookie settings and manually deleting them in the most popular browsers can be found in browser help sections.
6.7. The Administrator may use Google Analytics and Universal Analytics services provided by Google Ireland Limited to generate statistics and analyze traffic on the Service. These data are collected and processed in aggregate form to help manage and analyze traffic on the Service.
6.8. Users can block Google Analytics tracking on the Service by installing a browser add-on available here: https://tools.google.com/dlpage/gaoptout?hl=en.
6.9. The Administrator may use Facebook Pixel provided by Meta Platforms Ireland Limited to measure ad effectiveness and display targeted ads. More information about Facebook Pixel can be found here: https://www.facebook.com/business/help/742478679120153.
6.10. Users can manage Facebook Pixel settings via their Facebook ad preferences: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
7. FINAL PROVISIONS
7.1. The Service may contain links to other websites. The Administrator encourages users to review the privacy policies of those websites, as this privacy policy applies only to the Administrator’s Service.