PRIVACY POLICY of MAXCOM SA with its registered office in Tychy

§ 1. Definitions

1. Administrator – MAXCOM Spółka Akcyjna with its registered office in Tychy (postal code: 43 – 100), 23a Towarowa Street, registered by the District Court Katowice-Wschód in Katowice, 0000410197th Commercial Division of the National Court Register, under the KRS number 626, NIP 25 37 364 277703221, REGON XNUMX.
2. Personal data – all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, online identifier and information collected via cookies and other similar technology.
3. Data processing – means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, structuring, storing, adapting or modifying, downloading, viewing, using, disclosing by transmission, disseminating or otherwise making available, matching or combining, limiting, deleting or destroying.
4. Policy – this Privacy Policy.
5. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
6. UODO – Act of 10 May 2018 on the protection of personal data
7. Online Store – online store run by the Administrator at www.maxcom.pl
8. Website – the website run by the Administrator at www.maxcom.pl
9. Customer – any natural person visiting the Website and the Online Store or using one or more services or functionalities described in the Policy.
10. Profiling – means any form of automated processing of personal data which involves the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyse or forecast aspects relating to the performance of that natural person at work, their economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

§ 2. Processing of personal data in connection with the use of the Website and the Online Store and the security of personal data processing

1. In connection with the Customer's use of the Website and the Online Store, the Administrator collects data to the extent necessary to provide the offered services, as well as information about the Customer's activity on the Website and the Online Store on the terms and for the purposes described in this Policy.
2. The Controller ensures transparency in data processing, in particular by always providing information about data processing at the time of personal data collection, including the purpose and legal basis for processing. The Controller collects personal data to the extent necessary for the indicated purpose and processes personal data only for the period necessary.
3. The Administrator ensures the security and confidentiality of personal data processing and the exercise of data subject rights at every stage of personal data processing in accordance with applicable regulations. In the event that, despite the organizational and technical measures used, an incident related to personal data protection occurs, the Administrator will inform data subjects of such incident in a manner consistent with applicable regulations.
4. Only authorized employees and associates of the Administrator have access to personal data.

§ 3. Purposes and legal basis for processing personal data on the Website and Online Store

1. Personal data of all persons using the Website and the Online Store (including IP address or other identifiers and information collected via cookies or other similar technologies) and who have not created an account in the Online Store are processed by the Controller for the following purposes:
a. providing services electronically in the scope of making the content collected on the Website and the Online Store available to Users – legal basis: Article 6, paragraph 1, letter b of the GDPR,
b. fulfillment of orders placed without registration in the Online Store – legal basis: Article 6, paragraph 1, letter b of the GDPR,
c. handling complaints – legal basis: Article 6, paragraph 1, letter b of the GDPR,
d. exercising the right to withdraw from the contract – legal basis: Article 6(1)(b) of the GDPR
e. analytical and statistical – legal basis: Article 6, paragraph 1, letter f of the GDPR. The Controller's legitimate interest is to conduct analyses of Customer activity and their preferences in order to improve the functionalities used and the services provided,
f. establishing and pursuing claims or defending against claims – legal basis: Article 6(1)(f) of the GDPR. The legitimate interest of the Controller is to protect its rights in connection with the operation of the Website and the Online Store.
g. marketing purposes of the Administrator and other entities – legal basis: Article 6 paragraph 1 letter a) and f). The legitimate interest of the Administrator is to send advertising content to the Customer (more: read § 3 point 5 of the Regulations)

2. All users of the Website and Online Store who have created an account in the Online Store are asked by the Data Controller to provide the personal data necessary to create and manage the account. Providing the personal data marked as mandatory is necessary to create and manage the account, and failure to provide this data prevents the creation of an account in the Online Store. To improve service, the Customer may provide additional data. Providing such data is voluntary, and the Customer consents to its processing. Additional data can be deleted at any time. The data provided is processed for the following purposes:
a. providing services electronically in the scope of making the content collected on the Website and the Online Store available to Users – legal basis: Article 6, paragraph 1, letter b of the GDPR,
b. fulfillment of orders placed in the Online Store – legal basis: Article 6, paragraph 1, letter b of the GDPR,
c. handling complaints – legal basis: Article 6, paragraph 1, letter b of the GDPR,
d. exercising the right to withdraw from the contract – legal basis: Article 6(1)(b) of the GDPR,
e. providing services related to maintaining and servicing an account on the Website – legal basis: Article 6, paragraph 1, letter b of the GDPR, in the scope of voluntary data – legal basis: Article 6, paragraph 1, letter a of the GDPR,
f. analytical and statistical – legal basis: Article 6, paragraph 1, letter f of the GDPR. The Controller's legitimate interest consists in conducting analyses of Customer activity on the Website and Online Store, as well as the manner of using the account in the Online Store, and their preferences in order to improve the functionalities used,
g. establishing and pursuing claims or defending against claims – legal basis: Article 6(1)(f) of the GDPR. The legitimate interest of the Controller is to protect its rights in connection with the operation of the Website and the Online Store,
h. for marketing purposes of the Controller and third parties – legal basis: Article 6 paragraph 1 letter a) and f) of the GDPR. The Controller's legitimate interest is to send advertising content to the Client (more: read § 3 point 5 of the Regulations),
i. account management in the Online Store – legal basis: Article 6, paragraph 1, letter a) of the GDPR.

3. The submission, acceptance, and fulfillment of an order, as well as the exercise of the right to withdraw from the contract by the Customer, involves the processing of their personal data. Providing data marked as mandatory is required to submit, accept, and fulfill an order, as well as to exercise the right to withdraw from the contract. Failure to provide such data prevents the submission, acceptance, and fulfillment of an order, as well as the exercise of the right to withdraw from the contract. Providing the remaining data is voluntary, and the Customer consents to its processing. The data provided is processed for the following purposes:
a. fulfillment of the placed order – legal basis: Article 6 paragraph 1 letter b of the GDPR, and in the scope of additional data – legal basis: Article 6 paragraph 1 letter a of the GDPR,
b. fulfillment of statutory obligations incumbent on the Controller, resulting in particular from tax and accounting regulations – legal basis: Article 6, paragraph 1, letter c of the GDPR,
c. analytical and statistical – legal basis: Article 6, paragraph 1, letter f of the GDPR. The Controller's legitimate interest consists in conducting analyses of Customer activity on the Website and Online Store, as well as the manner of using the account in the Online Store, and their preferences in order to improve the functionalities used;
d. establishing and pursuing claims or defending against claims – legal basis: Article 6(1)(f) of the GDPR. The Controller's legitimate interest is to protect its rights in connection with the operation of the Website and the Online Store.

4. The Administrator allows Customers to contact him using the contact form provided on the Website and Online Store. Using the form requires providing personal data necessary to contact the Customer and answer the question. Providing data marked as mandatory is required to contact the Customer and answer the question. Failure to provide data marked as mandatory results in the inability to contact the Customer and answer the question. The Customer may provide additional data to facilitate contact; providing additional data is voluntary, and their provision signifies that the Customer consents to their processing. The data provided is processed for the following purposes:
a. identifying the Customer and handling their inquiry sent via the contact form – legal basis: Article 6, paragraph 1, letter a of the GDPR,
b. for analytical and statistical purposes – legal basis: Article 6, paragraph 1, letter f of the GDPR. The Controller's legitimate interest consists in conducting analyses of Customer activity on the Website and Online Store, as well as the manner of using the account in the Online Store, and their preferences in order to improve the functionalities used.

5. The Administrator processes the personal data of Customers for the purpose of conducting marketing activities, which may consist of:
a. displaying marketing content to the Customer that is not tailored to their preferences/tastes (so-called contextual advertising, in this case the Controller’s legitimate interest is to direct contextual advertising content to the Customer) – legal basis: Article 6 paragraph 1 letter f of the GDPR,
b. displaying marketing content to the Customer that corresponds to their interests (so-called behavioral advertising – including Google AdWords cookies – in this case, personal data are collected via cookies and other similar technologies for marketing purposes, the processing of personal data then also includes customer profiling. The use of personal data collected via this technology for marketing purposes, in particular in the scope of promoting goods, including goods of third parties, is based on the legitimate interest of the controller and only on the condition that the Customer has consented to the use of cookies. Consent to the use of cookies can be expressed through the appropriate configuration of the browser and can also be withdrawn at any time, in particular by clearing the cookie history and disabling cookies in the browser settings; withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal) – legal basis: Article 6 paragraph 1 letter aif GDPR,
c. sending e-mail notifications about interesting offers or content, which in some cases contain commercial information (newsletter) – legal basis: Article 6, paragraph 1, letter a of the GDPR,
d. conducting other types of activities related to the direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities – in such case the Customer always has the right to withdraw consent at any time, and the withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal) – legal basis: Article 6 paragraph 1 letter a of the GDPR,
In some cases, the Administrator uses profiling to implement marketing activities. This means that through automated data processing, the Administrator evaluates selected factors relating to individuals in order to analyze their behavior or create forecasts for the future.

6. The Controller processes the personal data of individuals visiting the Controller's profiles on Facebook, YouTube, and Instagram. These data are processed solely for the purpose of maintaining the profile, including for the purpose of providing information about the Controller's activities and promoting various events, activities, and products, as well as for the purpose of communicating with individuals visiting the Controller's profiles through the functionalities available on social media – legal basis: Article 6, paragraph 1, letter f of the GDPR. The Controller's legitimate interest lies in promoting its own brand and building and maintaining a community associated with the brand.

7. The Controller also uses social plugins from the social networking sites Facebook, Instagram, and YouTube on the Website and Online Store to promote its own brand. The plugin provider stores the collected data in the form of a usage profile and uses it for advertising purposes, market research, and/or optimizing its website based on user preferences, in order to present advertisements that are relevant to users' interests, and to inform other social network users about activities on the Controller's Website and Online Store. Everyone has the right to object to the creation of such user profiles. To exercise this right, please contact the relevant plugin provider.

Social media plugins on our website are disabled by default. Activation occurs only by clicking on the respective plugin symbol, and personal data is transferred to the relevant social media provider only after activating the plugin. Data transfer occurs regardless of whether you have an account with the plugin provider and are logged in. If you are logged in to the account of the plugin provider, the data collected on our website will be directly associated with that account – legal basis: Article 6, paragraph 1, letter f of the GDPR. The Controller's legitimate interest lies in promoting its own brand and building and maintaining a brand-related community.

The controller uses social media plug-ins from the following providers: Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA https://www.facebook.com/privacy/explanation Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA https://policies.google.com/technologies/partner-sites?hl=pl. YouTube address and privacy policy: Google LLC, 1600 Amphitheater Parkway. Mountain View, CA 94043, USA https://policies.google.com/privacy?hl=pl&gl=de.

8. The Administrator uses cookies primarily to provide the Customer with electronic services and to improve the quality of these services. Cookies are small pieces of information, called cookies, sent by the website the Customer visits (even when the Customer is only browsing the Website and Online Store) and stored on the end device (computer, laptop, smartphone) used by the Customer while browsing the websites (i.e., the Website and Online Store). Therefore, the Administrator and other entities providing analytical and statistical services to the Administrator use cookies to store information or access information already stored on the Customer's end device (e.g., computer, phone). Cookies used for this purpose include cookies containing data entered by the Customer (session identifier) for the duration of the session, authentication cookies used for services requiring authentication for the duration of the session, persistent cookies used to personalize the Customer interface for the duration of the session or slightly longer, cookies used to remember the contents of the shopping cart, and cookies used to monitor website traffic, i.e., data analytics, including Google Analytics cookies (these are cookies used by Google to analyze how the User uses the Website and to create statistics and reports on the operation of the Website). Detailed information on the scope and principles of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.

The Customer may block the storage of cookies in their web browser. However, in this case, the full functionality of the Website and Online Store may not be available. Furthermore, the Customer may block the storage of data collected by cookies regarding website usage (including IP address) and its transmission to Google, as well as the transfer of this data by Google, by downloading and installing the plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=pl.

9. The Administrator reserves that in the event of providing personal data of other persons (including name, address, telephone number or e-mail address) on the Website and/or Online Store, this may only be done provided that it does not violate the provisions of applicable law and the personal rights of such persons.

§ 4. Duration of personal data processing

The period of data processing by the Controller depends on the type of service provided and the purpose of processing. Generally, data is processed for the duration of the service provision or order fulfillment, until the statute of limitations for claims expires, consent is withdrawn, or an effective objection is raised in cases where the legal basis for data processing is the Controller's legitimate interest, as well as until the expiry of the period specified by law. The data processing period may be extended if processing is necessary to establish, pursue, or defend against legal claims. After the processing period expires, the data is deleted.

§ 4. Rights of data subjects and contact details

1. Data subjects have the right to access their personal data, the right to request their rectification, erasure or restriction of processing, the right to data transfer, the right to object, the right to withdraw consent, provided that the withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal of consent, and the right to lodge a complaint with the supervisory authority, i.e. the President of the Personal Data Protection Office.
2. A request regarding the exercise of data subject rights may be submitted in writing to: MAXCOM SA, ul. Towarowa 23A, 43-100 Tychy, with the note "Personal data" or via e-mail to: daneosobowe@maxcom.pl. Further information regarding the processing of personal data can be obtained at the above-mentioned postal address and e-mail address.
3. If the Administrator is unable to determine the content of the application or identify the person submitting the application based on the submitted notification, it will ask the applicant for additional information.
4. The Administrator will respond to the request within one month of its receipt. Due to the complex nature of the request or the number of requests, the Administrator may extend the response deadline by another two months. If it is necessary to extend the response deadline, the Administrator will inform the requester of the reasons for such extension.

§ 5. Recipients of personal data

1. In connection with the provision of services, personal data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems, entities such as banks and payment operators, entities providing accounting, legal, auditing and consulting services, couriers (in connection with the execution of the order), marketing agencies (in the scope of marketing services) and entities associated with the Controller, including companies from its capital group and business partners.
2. The Administrator has the right to disclose the Customer's personal data to competent authorities or third parties who submit a request for such information on the basis of and in accordance with applicable regulations.

§ 6. Transfer of personal data outside the EUROPEAN ECONOMIC AREA (EEA)

Subject to § 3 paragraphs 5-8, the Controller does not transfer personal data to recipients based outside the European Union or the European Economic Area. The types of data processing described in the aforementioned provision of the Regulations result in the transfer of data to Google LLC servers. Some of these servers are located in the USA. Data transfer to the United States takes place pursuant to the European Commission Implementing Decision of 12.07.2016 July 45 on the adequacy of the protection provided by the EU-US Privacy Shield (the so-called "adequacy decision" pursuant to Article XNUMX of the GDPR).

§ 7. Changes to the Privacy Policy

1. The Administrator verifies and updates the content of this Policy on an ongoing basis.
2. The changes come into effect on the date of their publication on the website www.maxcom.pl.
3. Each Client is bound by the current Privacy Policy.