Privacy Policy

version effective from 7.09.2022

1. What is a Privacy Policy?

We would like to provide you with details concerning our processing of your personal data in order to give you full knowledge and comfort in using our website.

Since we operate in the online sector, we know how important it is to protect your personal data. Therefore, we make particular efforts to protect your privacy and information you provide us with. 

We carefully select and apply appropriate technical measures, in particular programming and organisational measures, to ensure protection of the personal data we process. Our website uses encrypted data transmission (SSL), which ensures protection of your identity.

In our Privacy Policy you will find all key information regarding our processing of your personal data. 

Please read it; we promise it won’t take more than a few minutes.

1.1. Who is the administrator of the website: www.bitsofwar.com?

The administrator of www.bitsofwar.com is Eliza Sęk, residing in Warsaw, at ul. Tołstoja 1/55, 01-910 Warsaw, Social Security Number (PESEL) 76041309022, conducting business activity under the business name Kromlech Eliza Sęk, entered in the Central Registration and Information on Economic Activity (CEIDG) maintained by the Minister of Economy, with its registered office in Warsaw, at ul. Rydygiera 8, bud 18, 01-793 Warsaw, Poland, Taxpayer Identification (NIP) Number: 5581210002, National Official Register of Business Entities (REGON) Number: 363654200, Product, Packaging and Waste Management Database Registry (BDO): 000381342 (i.e.: We).

2. Personal data

 

2.1. What legal act governs the processing of your personal data?

Your personal data are collected and processed by us in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, p. 1), commonly referred to as: GDPR. In the scope not regulated by the GDPR, the processing of personal data is governed by the Personal Data Protection Act of 10 May 2018. 

2.2. Who is the controller of your personal data?

The controller of your personal data is:

Eliza Sęk, residing in Warsaw, at ul. Tołstoja 1/55, 01-910 Warsaw, Social Security Number (PESEL) 76041309022, conducting business activity under the business name Kromlech Eliza Sęk, entered in the Central Registration and Information on Economic Activity (CEIDG) maintained by the Minister of Economy, with its registered office in Warsaw, at ul. Rydygiera 8, bud 18, 01-793 Warsaw, Poland, Taxpayer Identification (NIP) Number: 5581210002, National Official Register of Business Entities (REGON) Number: 363654200, Product, Packaging and Waste Management Database Registry (BDO): 000381342.

You can contact us about your personal data using the following methods:

 - e-mail: support@kromlech.eu,

 - ul. Rydygiera 8, bud 18, 01-793 Warsaw, Poland,

 - by phone: +48 601484728

3. How do we process the personal data that you provide to us?

3.1. What personal data do we process and for what purposes?

On our website we offer a variety of services as part of which we process different personal data on different legal grounds.

| Objective | Personal data | Legal basis for processing | Data retention time |
|---|---|---|---|
| conclusion and performance of an agreement | first name, last name, address for correspondence, e-mail address, telephone number | Article 6(1)(b) of the GDPR, i.e. processing in order to take action at your request, prior to conclusion of a contract, and processing necessary for the performance of a contract to which you are party | until the expiry of the limitation period for claims concerning the performance of the agreement |
| creating and maintaining an account | first name, last name, e-mail address, telephone number, address for correspondence | Article 6(1)(b) of the GDPR, i.e. processing in order to take action at your request, prior to conclusion of a contract, and processing necessary for the performance of a contract to which you are party | until the account is deleted |
| posting opinions | nick, e-mail address | Article 6(1)(f) of the GDPR, i.e. processing for the purpose of pursuing our legitimate interest in presenting opinions about the Goods and the course of the transaction on the online shop website | until you object to the processing of your personal data |
| newsletter | e-mail address, first name, last name | Article 6(1)(a) of the GDPR, i.e. processing based on the consent given by you to the processing of your personal data | until the day you withdraw your consent to personal data processing |
| loyalty program | e-mail address, first name, last name, telephone number | Article 6(1)(a) of the GDPR, i.e. processing based on the consent given by you to the processing of your personal data | until the moment you withdraw your consent to personal data processing |
| traffic analysis on the online shop website | first name, IP address | Article 6(1)(f) of the GDPR, i.e. processing for the purpose of pursuing our legitimate interest in analysing customer traffic on the shop website | until you object to the processing of your personal data |
| direct marketing of Goods and own services, including remarketing | first name, IP address | Article 6(1)(f) of the GDPR, i.e. processing for the purpose of pursuing our legitimate interest in direct marketing of our own services, including remarketing | until you object to the processing of your personal data |
| contests | first name, last name, e-mail address, telephone number, image | Article 6(1)(f) of the GDPR, i.e. processing for the purpose of pursuing the Controller’s legitimate interest in direct marketing of goods and own services and conducting discount programs and promotions | until the day you withdraw your consent to personal data processing |
| determination, pursuit and enforcement of claims and defence against claims in proceedings conducted before courts and other state authorities | first name, last name, company name, address, PESEL number, tax identification number (NIP) or national business registry number (REGON), e-mail address, telephone number, IP number, bank account number | Article 6(1)(f) of the GDPR, i.e. processing for the purpose of pursuing our legitimate interest in establishing, pursuing and enforcing claims and defending against claims in proceedings conducted before courts and other state authorities | until the expiry of the limitation period for claims concerning the performance of the agreement |
| fulfilling legal obligations arising from legal regulations, in particular tax and accounting regulations | first name, last name, company name, PESEL number, tax identification number (NIP) or national business registry number (REGON), e-mail address, telephone number, address for correspondence, bank account number, payment card number | Article 6(1)(c) of the GDPR, i.e. processing is necessary to fulfil legal obligations incumbent on the Controller, resulting from legal regulations, in particular tax and accounting regulations | until the expiry of the legal obligations imposed on the Controller which justify the processing of personal data |

3.2. Voluntary provision of personal data

Provision of the required personal data is voluntary, but it is necessary for us to provide services to you (e.g. to provide surveys or to create an account). 

3.3. Recipients of personal data 

The current list of entities to which we disclose your personal data can be found here: 

| ENTITY | AIM |
|---|---|
| PKO Bank Polski S.A. | Execution of payment |
| Operator DPD sp. z o.o. located in Warsaw | Execution of order |
| Paypal Polska sp. z o.o. located in Warsaw | Execution of payment |
| Operator DHL Express (Poland) sp. z o.o. located in Warsaw | Execution of order |
| UPS Polska sp. z o.o. located in Warsaw | Execution of forwarding the order |
| PayU S.A. located in Poznan | Execution of payment |
| Dotpay S.A. located in Krakow | Execution of payment |
| DialCom24 sp. z o.o. located in Poznan | Execution of payment |
| ECARD S.A. located in Gdansk | Execution of payment |
| eService sp. z o.o. located in Warsaw | Execution of payment |
| Poczta Polska S.A. (Polish Post) located in Warsaw | Execution of order |
| FedEx Express Polska sp. z o.o. located in Warsaw | Execution of order |
| Google Ireland Ltd. (Google Cloud, Google Analytics, Google Analytics 360, Fabric Software) located in Ireland | Measuring website traffic, reporting application errors, creating statistics |
| Google Ireland Ltd. located in Ireland | Specifying Clients profile - Google AdSense and Google Adwords |
| Google Ireland Ltd. located in Ireland | Analysing Client activity |
| Google Ireland Ltd. (Google Adwords, Double Click Manager, Double Click Search, Remarketing Service, Firebase) located in Ireland | Measuring effectiveness of advertising campaigns, managing advertising campaigns |
| Facebook Ireland Ltd. located in Ireland | Popularizing the Online Shop through the social media service of Facebook.com |
| Facebook Ireland Ltd. located in Ireland | Popularizing the Online Shop through the social media services of Instagram.com |
| LinkedIn Ireland Ltd. located in Ireland | Popularizing the Online Shop through the social media services of LinkedIn.com |
| Twitter Inc. located in the USA | Popularizing the Online Shop through the social media service of twitter.com |

3.4. Automated decision making (including profiling)

We do not make automated decisions and we do not use profiling in relation to you.

3.5. Will we transfer your personal data outside the EEA or to an international organisation?

In order to use Google/Youtube tools for creating statistics and performing marketing and remarketing activities, your personal data may be transferred to the United States, where Google servers are located.

Google LLC is included in the list of entities participating in the Privacy Shield program and uses the model data security contractual clauses approved by the European Commission.

Google LLC is included in the list of entities participating in the Data Privacy Framework; therefore, the protection of personal data is adequate in relation to the regulations in force in the European Union, in accordance with the Commission Implementing Decision (EU) C(2023) 4745 of July 10, 2023 on the adequate level of protection of personal data in accordance with the EU-US Data Privacy Framework.

In order to use Facebook/Instagram/Messenger tools, your personal data may be transferred to the United States, where Meta Inc. servers are located.

Meta Inc. is included in the list of entities participating in the Privacy Shield program, as regards the Workplace service, advertising options and measurement tools. Meta Platforms Ireland Limited transfers data to Meta Inc. on the basis of the Annex on Facebook's transmission of European data, which includes standard new contractual clauses that entered into force in 2022. For more information, see https://www.facebook.com/legal/terms/dataprocessing/update, https://www.facebook.com/legal/EU_data_transfer_addendum/update.

Meta Inc. is included in the list of entities participating in the Data Privacy Framework; therefore, the protection of personal data is adequate in relation to the regulations in force in the European Union, in accordance with the Commission Implementing Decision (EU) C(2023) 4745 of July 10, 2023 on the adequate level of protection of personal data in accordance with the EU-US Data Privacy Framework.

In order to use Mailchimp tools, your personal data may be transferred to the United States, where the servers of The Rocket Science LLC, owned by Intuit Inc., are located.

Intuit Inc. is included in the list of entities participating in the Privacy Shield program, as regards the Workplace service, advertising options and measurement tools. Meta Platforms Ireland Limited transfers data to Meta Inc. on the basis of the Annex on Facebook's transmission of European data, which includes standard new contractual clauses that entered into force in 2022. For more information, see https://www.facebook.com/legal/terms/dataprocessing/update, https://www.facebook.com/legal/EU_data_transfer_addendum/update.

Intuit Inc. is included in the list of entities participating in the Data Privacy Framework; therefore, the protection of personal data is adequate in relation to the regulations in force in the European Union, in accordance with the Commission Implementing Decision (EU) C(2023) 4745 of July 10, 2023 on the adequate level of protection of personal data in accordance with the EU-US Data Privacy Framework.

*Remember that the Privacy Shield is no longer a European Union law, but a program that sets certain standards for the protection of personal data for entities with their servers in the United States. Currently, it is a form of certification, and subjects included in the Privacy Shield meet certain standards for the protection of personal data.

How do we process your personal data which we receive from other data controllers (e.g. Facebook)?

Our Online Shop allows you to:

  • log into your account in the Shop via your Facebook profile,
  • log into your account in the Shop via your Google account,
  • share the content of the Shop on your Facebook account.

In such cases, we receive your personal data not directly from you, but from websites that provide these functionalities i.e.: Facebook, Google. In order to give you full control over your data, we provide below information about how we process your personal data.

Categories of relevant personal data

We process the following categories of relevant personal data:

- identification data (i.e. personal data that you have published in your profile on Facebook, Google, first of all: name, surname, nick, e-mail address and your image).

Source of personal data

Your personal data come from the following websites:

  • Facebook, the administrator of which is Meta Platforms Ireland Limited,
  • Google, the administrator of which is Google Ireland Ltd.

Purposes and legal basis for the processing of personal data

Your personal data that we have obtained will be processed for the following purposes:

| Objective | Personal data | Legal basis for processing | Data retention time |
|---|---|---|---|
| Sharing content on your Facebook profile | name, surname, image | Article 6(1)(f) of the GDPR, i.e. processing for the purpose of pursuing the Controller’s legitimate interest in allowing you to distribute the content of the online shop using the functionality of Facebook | until you object to the processing of your personal data |
| logging into the account in the shop using the Facebook profile | name, surname, image | Article 6(1)(f) of the GDPR, i.e. processing for the purpose of pursuing the Controller’s legitimate interest in allowing you to log into your account in the Online Shop using your Facebook profile | until the account is deleted |
| logging into the account in the shop using the Google account | name, surname, image | Article 6(1)(f) of the GDPR, i.e. processing for the purpose of pursuing the Controller’s legitimate interest in allowing you to log into your account in the Online Shop using your Google account | until the account is deleted |

4. What rights do you have with regard to our processing of your personal data?

Pursuant to the GDPR, you have the right to: 

  • request access to your personal data 
  • request rectification of your personal data
  • request deletion of your personal data
  • request that the processing of your personal data be restricted
  • object to the processing of your personal data
  • request transfer of your personal data

If you submit any of the above requests, without undue delay – and in any case within one month from receipt of the request – we will inform you of the actions taken in connection with your request. 

If necessary, we can extend the one-month period by another two months due to the complexity of the request or the number of requests. 

In any case, we will inform you within one month from receiving your request about any extension and give you the reasons for the delay. 

4.1. Right of access to personal data (Article 15 of GDPR)

You have the right to be informed whether we are processing your personal data. 

If we process your personal data, you have the right to:

  • access your personal data,
  • obtain information about the purposes of processing, categories of personal data processed, recipients or categories of recipients of these data, planned period of storage of your data or criteria for determining this period, your rights under the GDPR and about the right to lodge a complaint with the President of the Office for Personal Data Protection, about the source of these data, about automated decision making, including profiling, and about the safeguards applied in connection with the transfer of these data outside the European Union;
  • receive a copy of your personal data.

If you wish to request access to your personal data, please send your request to support@kromlech.eu. 

4.2. Right to correct your personal data (Article 16 of GDPR)

If your personal data are incorrect, you have the right to ask us to correct your personal data immediately. You also have the right to request that we supplement your personal data. 

If you wish to request correction or supplementation of your personal data, please send your request to support@kromlech.eu. 

4.3. The right to have your personal data deleted, i.e. the so-called “right to be forgotten” (Article 17 GDPR)

You have the right to request that your personal data be deleted when:

  • your personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • you have withdrawn a specific consent, to the extent that your personal data were processed on the basis of your consent;
  • your personal data were processed illegally;
  • you have raised objections to the processing of your personal data for the purposes of direct marketing, including profiling, to the extent that the processing of personal data is connected to direct marketing;
  • you have objected to the processing of your personal data in connection with processing necessary for the performance of a task carried out in the public interest or processing necessary for the purposes of legitimate interests pursued by us or a third party.

Despite your request to delete your personal data, we may process your data further for the purpose of determining, pursuing or defending claims, of which you will be informed. 

If you wish to request deletion of your personal data, please send your request to support@kromlech.eu.

4.4. Right to submit a request to restrict processing of your personal data (Article 18 of GDPR)

You have the right to request restriction of the processing of your personal data when:

  • you are questioning the correctness of your personal data – in this case we will limit the processing of your personal data for a period of time that allows us to check the accuracy of the data;
  • the processing of your data is unlawful, and instead of deleting your personal data you request limited processing of your personal data;
  • your personal data are no longer needed for the purposes of processing, but are needed to establish, pursue or defend your claims;
  • you have objected to the processing of your personal data – until it is determined whether our legitimate interests take precedence over the grounds for objection.

If you wish to request restricted processing of your personal data, please send your request to support@kromlech.eu.

4.5. Right to submit an objection to the processing of your personal data (Article 21 of GDPR)

You have the right to object to the processing of your personal data at any time, including profiling, in connection with:

  • processing necessary for the performance of a task carried out in the public interest or processing necessary for purposes resulting from legitimate interests pursued by the Controller or a third party;
  • processing for direct marketing purposes.

If you wish to submit an objection to the processing of your personal data, please send your request to support@kromlech.eu. 

4.6. Right to request transfer of your personal data (Article 20 of GDPR)

You have the right to receive your personal data from us in a structured, commonly used machine-readable format and to send data to another personal data controller.

As standard, we will provide you with your personal data in CSV format. If you prefer to have your data provided to you in a different format, please indicate your preferred format in your request. As far as possible, we will try to provide your data in your preferred format. 

You can also request that we send your personal data directly to another controller (if technically possible). 

If you wish to request transfer of your personal data, please send your request to support@kromlech.eu.

4.7. Can you revoke your consent to personal data processing?

You may revoke your consent to the processing of your personal data at any time. 

Withdrawal of consent to personal data processing does not affect the legitimacy of processing carried out by us on the basis of your consent before it was withdrawn. 

If you wish to withdraw consent to the processing of your personal data, please send your request to support@kromlech.eu.

If you wish to withdraw consent to the processing of your personal data to provide surveys, you can do it in the “My account” tab after logging into the customer account in the shop.

4.8. Complaint to the supervisory authority 

If you believe that the processing of your personal data violates data protection regulations, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your residence, your place of work or where the alleged infringement was committed.

In Poland, the supervisory authority within the definition of the GDPR is the President of the Office for the Protection of Personal Data, who replaced the GIODO as of 25 May 2018. 

You can find more information here
