BAFEO

Privacy Policy

We treat the security of personal data as a priority. We ensure that all our activities comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”). In fulfilling our information obligations and to maintain transparency and clarity regarding the principles we apply in protecting your personal data, we present this Privacy Policy.

GENERAL INFORMATION

The data controller of the Users’ (hereinafter “User”) personal data on the website bafeo.pl available at https://bafeo.pl/ is Tomasz Rybka, operating under the company CreoConcept Sp. z o.o. Sp. k., with its registered office in Kielce, ul. Olszewskiego 23, 25-663 Kielce, NIP: 9591972891, REGON: 364564456, email: rodo@bafeo.pl (hereinafter referred to as the “Controller”).

PRIVACY PROTECTION RULES

As the Controller of personal data, we place great importance on the protection of privacy and the confidentiality of the personal data provided to us by Users.

We, as well as the companies cooperating with us, carefully select and apply appropriate technical and organizational measures to ensure the protection of processed personal data. Full access to the databases is granted only to individuals properly authorized by the Controller.

We collect only data that is necessary to handle the matter at hand; we do not collect or process excessive data.

The data we collect is protected against unauthorized access and processing in violation of applicable law.

The Controller processes Users’ personal data:

– of Users using the website, for analytical and statistical purposes. The legal basis for processing is the legitimate interest of the Controller (Art. 6(1)(f) GDPR), which is conducting analyses of Users’ activity and preferences to improve applied functionalities;

– of Users who interact with the Controller via social media profiles:

– for the purpose of managing the Controller’s profile on Facebook/LinkedIn, responding to messages, comments, and reactions, and for statistical and advertising purposes using tools provided by these platforms;

– based on the Controller’s legitimate interest (Art. 6(1)(f) GDPR), which is business communication with social media users, marketing the Controller’s services and products by providing information about the Controller, its services, and products, and building the Controller’s brand.

The Controller processes publicly available User data on social media, such as name, surname, image, and, in the case of messages, any data voluntarily provided in the message content.

Additionally, your personal data may be processed to establish, exercise, or defend legal claims — the legal basis being the legitimate interest of the Controller (Art. 6(1)(f) GDPR), which is the protection of its rights.

The Controller processes personal data for marketing purposes, i.e., displaying advertisements, including contextual ads (not tailored to User preferences). The legal basis is the Controller’s legitimate interest (Art. 6(1)(f) GDPR).

PURPOSES OF PERSONAL DATA PROCESSING

The Controller processes Users’ personal data for the following purposes:

– Analytical and statistical purposes – the legal basis being the Controller’s legitimate interest (Art. 6(1)(f) GDPR), which is analyzing Users’ activity and preferences to improve functionalities and services.

– Concluding and performing a sales agreement or taking steps at the User’s request prior to entering into a contract, and handling complaints or withdrawal. The legal basis is the necessity of processing to perform the contract (Art. 6(1)(b) GDPR) and the User’s consent (Art. 6(1)(a) GDPR) for optional data.

– Fulfilling legal obligations of the Controller, e.g., related to accounting and issuing VAT invoices, handling complaints or returns (Art. 6(1)(c) GDPR).

SCOPE OF PERSONAL DATA PROCESSING

The Controller processes personal data entered by the User in the contact form: name, surname, email address, phone number, and any other data voluntarily provided in the message content.

The Controller processes personal data provided in order to:

– Contact the Controller via the contact form for handling and responding to inquiries – the legal basis is the necessity to perform a contract for electronic services (Art. 6(1)(b) GDPR) and the User’s consent (Art. 6(1)(a) GDPR) for optional data.

– Receive an offer of services provided by the Controller – the legal basis is the Controller’s legitimate interest in marketing its own services (Art. 6(1)(f) GDPR), along with the User’s consent under the Act on Providing Services by Electronic Means and Telecommunications Law.

– Send commercial information about the Controller and its business partners by email – the legal basis is the Controller’s legitimate interest in marketing its services (Art. 6(1)(f) GDPR) along with the User’s consent.

– The legal basis is the User’s consent (Art. 6(1)(a) GDPR); the Controller processes data entered by the User in a feedback form, such as name, surname, email address, and any other data voluntarily provided.

VOLUNTARY NATURE OF DATA PROVISION

Providing your personal data is always voluntary. However, it is necessary to communicate with you and to conclude and properly perform a contract.

Consent to process personal data for marketing and contact purposes is entirely voluntary and does not affect our service provision. However, without such consent, we cannot contact you to present our current offer.

DATA RETENTION PERIOD

Your personal data will be stored for the duration necessary to properly perform concluded contracts, and thereafter for the limitation period.

If a VAT invoice is issued, your data will be stored for at least 5 years due to tax and accounting regulations.

If you use electronic services, your data will be processed for the duration of the service and up to 3 years after it ends.

Data processed based on your consent will be retained until the consent is withdrawn or an objection is raised.

Data for commercial communication will be processed as long as the Controller has a legitimate interest, but no longer than until an objection is filed or consent is withdrawn under the Electronic Services Act or Telecommunications Law.

Data processed via social media platforms will be processed for the duration of the Controller’s legitimate interest, or until the User deletes their account.

RIGHTS OF DATA SUBJECTS

Each User whose personal data is processed by the Controller has the right to:

– request information on whether their personal data is being processed,

– access and view their data, and to supplement, update, or rectify it,

– request temporary or permanent suspension of processing,

– request data portability or erasure,

– object to processing or request restriction of processing,

– lodge a complaint with the President of the Personal Data Protection Office (UODO), if they believe their data is processed in breach of GDPR.

If data is processed based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

You may object at any time to the processing of your data for direct marketing purposes, including profiling, where the basis is the Controller’s legitimate interest.

You may also object to processing on grounds related to your particular situation.

To exercise these rights, please email rodo@bafeo.pl.

For jointly administered data via social networks, you may exercise your rights directly with the platform operator:

– Facebook: https://www.facebook.com/privacy/explanation
– LinkedIn: https://pl.linkedin.com/legal/privacy-policy

DATA RECIPIENTS

Your personal data may be disclosed to authorized entities, including law enforcement and judicial authorities, under applicable law.

Recipients may also include third-party entities cooperating with the Controller, such as:

– suppliers and installers of purchased products,
– hosting and website maintenance service providers,
– email service providers,
– email marketing tools providers,
– invoicing software providers,
– customer service providers,
– accounting and financial service providers,
– courier companies,
– payment intermediaries,
– legal service providers,
– operators of Facebook and LinkedIn.

These third parties are bound by agreements to use entrusted data only for the purposes indicated by the Controller, and to maintain appropriate security and confidentiality.

DATA TRANSFER OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

The Controller may transfer personal data outside the EEA only to the following entities due to their international operations:

– Meta Platforms Inc., California, USA – responsible for the Controller’s Facebook fan page. Privacy policy: https://www.facebook.com/privacy/explanation. Meta has implemented standard contractual clauses: https://www.facebook.com/business/help/336550838147603.

– Google LLC, California, USA – enables website traffic analytics. Privacy policy: https://policies.google.com/privacy
SCC details:
https://support.google.com/analytics/answer/9012600
https://business.safety.google/adsprocessorterms/
https://business.safety.google/adscontrollerterms/

– LinkedIn Corporation, California, USA – responsible for the Controller’s LinkedIn profile. Privacy standards: https://www.linkedin.com/help/linkedin/answer/62533

AUTOMATED DECISION-MAKING AND PROFILING

Your personal data will not be subject to automated decision-making that produces legal effects concerning you.

Your data may be profiled to personalize content and offer recommendations, but this will not negatively affect your rights or freedoms.

JOINT CONTROLLERS

The Controller uses “social plugins” in the form of banners for Facebook and LinkedIn, redirecting to:

– the Facebook page of the Controller: https://www.facebook.com/pprzedsiebiorcy/
– the LinkedIn page of the Controller: https://www.linkedin.com/company/poradnikprzedsiebiorcy-pl/

As a result, Meta Platforms Ireland Limited (Ireland) and LinkedIn Ireland Unlimited Company (Ireland) are joint controllers with the Controller (“Joint Controllers”).

Joint control includes aggregate analysis of user activity on the Facebook and LinkedIn profiles and advertising actions using platform tools.

More information can be found in:

– Facebook’s privacy policy: https://www.facebook.com/privacy/explanation and https://www.facebook.com/legal/terms/page_controller_addendum
– LinkedIn’s privacy policy: https://pl.linkedin.com/legal/privacy-policy

Cookies

Cookies are small text files saved on the user’s device while browsing websites. They store information about preferences, sessions, and track user activity. They allow websites to function more effectively and offer personalized content.

Cookies used on the BAFEO website

Google Analytics (_ga_35DFXLZRV6)
These cookies are used to analyze website traffic.
They allow tracking the number of visits, time spent on the site, and user interactions.
They are stored for 2 years or until deleted by the user.