PRIVACY POLICY

artcasse.com

§ 1 GENERAL PROVISIONS

  1. The administrator of the personal data of users of the website located at the domain www.artcasse.com is ART CASSE PROSTA SPÓŁKA AKCYJNA, based in Łódź, at ul. Prezydenta Gabriela Narutowicza 40/1, 90-135 Łódź, registered in the National Court Register maintained by the District Court for Łódź-Śródmieście in Łódź, 20th Economic Department of the National Court Register, under KRS number: 0001018969, NIP: 7252328270, REGON: 5244385410 (hereinafter referred to as the “Administrator”).

  2. The Administrator has designated an electronic contact point intended for direct communication with the authorities of member states, the Commission, and the Council of Digital Services: [email protected]. This same contact point may be used by any Client for direct and prompt communication with the Administrator. The Administrator can also be contacted in writing at the following address: ul. Prezydenta Gabriela Narutowicza 40/1, 90-135 Łódź, or through the contact form available on the website. Communication may be conducted in Polish or English.

  3. The purpose of this Policy is to define the actions taken regarding personal data collected through the Administrator’s website, as well as related services and tools used by its users, and in connection with the conclusion and execution of contracts outside the website.

  4. If necessary, the provisions of this Policy may be amended. Changes will be communicated to users by publishing the new content of the Policy; individuals who have consented to the processing of data via email or provided email addresses in connection with the execution of contracts will also be notified of the changes via email.

§ 2 BASIS FOR PROCESSING, PURPOSES AND STORAGE OF PERSONAL DATA

  1. The personal data of users are processed in accordance with the General Data Protection Regulation, the Act on Personal Data Protection, the Personal Data Protection Act of May 10, 2018, and the Act on Providing Electronic Services of July 18, 2002, along with their subsequent amendments, and for the purpose of making a notification pursuant to Article 16(1) of Regulation (EU) 2022/2065 of the European Parliament and of the Council of October 19, 2022, on a single market for digital services and amending Directive 2000/31/EC (Digital Services Act) (OJ EU L 2022.277.1, as amended; “DSA”), also based on Article 3(h) of the DSA.

  2. The Administrator may collect the following data for the following purposes:

    Purpose of data processing: Performing a contract with the customer or taking action at the request of the data subject before entering into the aforementioned contracts
    Legal basis for processing: Article 6(1)(b) of the GDPR (performance of a contract).
    Data retention period:
    – for the duration of the aforementioned contract until the expiration of the legal obligation related to accounting
    – the data will be processed until the expiration of the period during which claims can be asserted
    Scope of data processed:
    – name;
    – e-mail address;
    – telephone number;
    – address (street, house number, apartment number, postal code, city, country),
    – company name,
    – TIN

    Purpose of data processing: Direct Marketing
    Legal basis for processing: Article 6(1)(f) of the GDPR (legitimate interest of the administrator). The Administrator may process data for direct marketing purposes only after obtaining consent and in the absence of an objection from the data subject.
    Data retention period:
    – until you withdraw your consent – remember, you can withdraw your consent at any time. The processing of data until you withdraw your consent remains lawful.
    – data will be processed until the expiration of the period during which it is possible to assert claims
    Scope of data processed:
    – email address;
    – telephone number;

    Purpose of data processing: Marketing
    Legal basis for processing: Article 6(1)(a) of the GDPR (consent)
    Data retention period:
    – until you withdraw your consent – remember, you can withdraw your consent at any time. The processing of data until you withdraw your consent remains lawful.
    – data will be processed until the expiration of the period during which it is possible to assert claims
    – until you unsubscribe from the newsletter.
    Scope of data processed:
    – name;
    – e-mail address;
    – telephone number;
    – address (street, house number, apartment number, postal code, city, country),

    Purpose of data processing: Bookkeeping
    Legal basis for processing: Article 6(1)(c) of the GDPR Regulation in conjunction with Article 86(1) of the Tax Ordinance i.e. dated January 17, 2017 (Journal of Laws of 2017, item 201) or Article 74(2) of the Accounting Act, i.e. of January 30, 2018 (Journal of Laws of 2018, item 395).
    Data retention period:
    – data will be processed until the expiration of the period during which it is possible to assert claims
    – the data shall be kept for the period required by law mandating the retention of tax books (until the expiration of the statute of limitations for tax liabilities, unless otherwise provided by tax laws) or accounting books (5 years, counting from the beginning of the year following the fiscal year to which the data refer).
    Scope of data processed:
    – name;
    – e-mail address;
    – telephone number;
    – address (street, house number, apartment number, postal code, city, country),
    – TIN;
    – company name;

    Purpose of data processing: Money return
    Legal basis for processing: Performing the Contract or taking action at the request of the data subject prior to entering into the Contract (Article 6(1)(b) of the GDPR).
    Data retention period:
    – 5 years after the termination of business relations with the customer
    Scope of data processed:
    – name;
    – e-mail address;
    – telephone number;
    – PESEL;
    – address (street, house number, apartment number, postal code, city, country),
    – business entity data.

    Purpose of data processing: Establish, assert or defend claims that the Administrator may assert or that may be asserted against the Administrator
    Legal basis for processing: Article 6(1)(f) of the GDPR Regulation
    Data retention period:
    – the data are kept for the period of our legitimate interest, but no longer than the period of the statute of limitations for claims against the data subject for business activities.
    Scope of data processed:
    – name;
    – e-mail address;
    – telephone number;
    – address (street, house number, apartment number, postal code, city, country),
    – TIN;
    – company name;

    Purpose of data processing: Conduct research and analysis to improve the performance of available services
    Legal basis for processing: Article 6(1)(f) of the GDPR Regulation
    Data retention period:
    – the data will be processed until the expiration of the period during which claims can be asserted
    – until the expiration or deletion of cookies used for analytical purposes
    Scope of data processed:
    – company name;
    – e-mail address;
    – telephone number;
    – address (street, house number, apartment number, postal code, city, country),
    – computer components,
    – settings,
    – installed software.

    Purpose of data processing: Telemetry
    Legal basis for processing: Article 6(1)(f) of the GDPR Regulation
    Data retention period:
    – Until expiration or deletion of cookies used for analytical purposes
    Scope of data processed:
    – IP address,
    – approximate location based on IP address,
    – user ID,
    – sharing and use of software.

    Purpose of data processing: Account registration
    Legal basis for processing: Performing the Contract or taking action at the request of the data subject prior to entering into the Contract (Article 6(1)(b) GDPR)
    Data retention period:
    – 5 years after the termination of business relations with the customer
    Scope of data processed:
    – name;
    – e-mail address;
    – telephone number;
    – PESEL;
    – address (street, house number, apartment number, postal code, city, country),
    – business entity data.

    Purpose of data processing: Customer service
    Legal basis for processing: Performing the Contract or taking action at the request of the data subject prior to entering into the Contract (Article 6(1)(b) GDPR)
    Data retention period:
    – 5 years after termination of business relationship with the Customer
    – 2 years after the last update of the Customer’s inquiry
    Scope of data processed:
    – name;
    – e-mail address;
    – telephone number;
    – address (street, house number, apartment number, postal code, city, country),
    – data of the business entity,

    Purpose of data processing: Service functioning
    Legal basis for processing: Maintaining the performance of the Service and improving it (Article 6(1)(f) GDPR)
    Data retention period:
    – 5 years after the termination of business relations with the customer
    Scope of data processed:
    – As in the scope of data for Customer service above,
    – Information about the activities performed on the site (button clicks, time of visits, notifications read, other information depending on the specific business case).

    Purpose of data processing: Allowing the customer to reset the password
    Legal basis for processing: Protecting and securing the service, customers’ interests, safeguarding the customer’s security (Article 6(1)(f) GDPR)
    Data retention period:
    – 5 years after the termination of business relations with the customer
    Scope of data processed:
    – name;
    – e-mail address;
    – business entity data,
    – Customer’s password,
    – User ID.

    Purpose of data processing: Oversee compliance with regulations, contracts, privacy policies
    Legal basis for processing: Protecting and securing the service, customers’ interests, safeguarding the customer’s security (Article 6(1)(f) GDPR)
    Data retention period:
    – 5 years after the termination of business relations with the customer
    Scope of data processed:
    – transaction data,
    – data of the business entity.

    Purpose of data processing: Processing of requests for personal data
    Legal basis for processing: Article 6(1)(c) GDPR
    Data retention period:
    – The period of existence of the Administrator’s legitimate interest, but no longer than the period of the statute of limitations for claims against the data subject for business activities.
    Scope of data processed:
    – name;
    – e-mail address;
    – telephone number;
    – address (street, house number, apartment number, postal code, city, country),
    – TIN;
    – company name.

    Purpose of data processing: Provide information to authorities, law enforcement and other state institutions
    Legal basis for processing: Article 6(1)(c) GDPR
    Data retention period:
    – The period of existence of the Administrator’s legitimate interest, but no longer than the period of the statute of limitations for claims against the data subject for business activities.
    Scope of data processed:
    – name;
    – e-mail address;
    – telephone number;
    – address (street, house number, apartment number, postal code, city, country),
    – TIN;
    – company name.

    Purpose of data processing: Fulfillment of the legal obligation set forth in Article 16(1), (4), (5) and (6) of the DSA to:
    1. accept a notification of the presence in the hosting service of information that the requester believes constitutes illegal content, as defined in Article 3(h) of the DSA;
    2. process the notification;
    3. inform about the decision made on the notification;
    4. inform about the possibility of appealing against the decision made, as referred to in 3).
    Legal basis for processing: Article 6(1)(c) GDPR
    Data retention period:
    – Until informed of:
    1) the decision made by the Administrator on the application made;
    2) the possibility to appeal the decision referred to in point 2).
    Scope of data processed:
    – name;
    – e-mail address;
    – telephone number;
    – address (street, house number, apartment number, postal code, city, country),
    – TIN;
    – company name.

    Purpose of data processing: Processing of personal data to the extent that, on the basis of proceedings conducted before authorized public administration authorities, including law enforcement agencies, on matters relating to the purposes or grounds for processing personal data, the Administrator is obliged to process them.
    Legal basis for processing: Article 6(1)(c) GDPR
    Data retention period:
    – For the duration of such obligation
    Scope of data processed:
    – name;
    – e-mail address;
    – telephone number;
    – address (street, house number, apartment number, postal code, city, country),
    – TIN;
    – company name.

  3. The personal data of users are stored for no longer than is necessary to achieve the purpose of processing, i.e., until consent is withdrawn if the processing is based on such consent, until the limitation period for claims of the Administrator and the other party regarding the fulfillment of concluded contracts (in the case of sales contracts/service contracts, 2 years, counting to the end of the year), and until the query sent via email is fulfilled or until the complaint handling is completed. After this period, the personal data of the Client will be processed by the Administrator based on Article 6(1)(f) of the GDPR, i.e., for purposes arising from the legitimate interests pursued for the purposes of marketing campaigns.

  4. The Administrator may use profiling for direct marketing purposes; however, decisions made on the basis of profiling by the Administrator do not concern the conclusion or refusal to conclude a contract, nor the ability to use electronic services. The result of profiling may be, for example, granting a discount to a specific person, sending a discount code, reminding about unfinished purchases, sending product proposals that may match the interests or preferences of that person, or offering better conditions compared to the standard offer. Despite profiling, the individual freely decides whether to take advantage of the discount or better conditions received in this manner and make a purchase. Profiling involves the automated analysis or prediction of a person’s behavior on the Administrator’s website, e.g., by adding a specific product to the cart, viewing a specific product page, or analyzing the history of previous activity on the site. The condition for such profiling is that the Administrator has the personal data of that person in order to subsequently send them, for example, a discount code.

  5. To the extent necessary for the proper functioning of the website and its functionalities, the site may collect other information while being used by the User, including but not limited to:

    a) IP address;
    b) information about the device, hardware, and software, such as hardware identifiers, mobile device identifiers (e.g., Apple Identifier for Advertising [“IDFA”] or advertising identifier on an Android device [“AAID”]);
    c) type of platform;
    d) data regarding the web browser, including the type of browser and preferred language.

  6. Considering the nature, scope, context, and purposes of processing as well as the risk of infringement of the rights or freedoms of individuals of varying likelihood and severity of threat, the Administrator implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Administrator employs technical measures to prevent unauthorized persons from obtaining and modifying personal data transmitted electronically.

§ 3 DATA SHARING

  1. The Administrator ensures that all collected personal data serves to fulfill obligations to users. This information will not be shared with third parties except in situations where:

    a) explicit consent has been previously given by the individuals concerned for such action, or
    b) the obligation to provide this data arises or will arise from applicable law, e.g., to law enforcement authorities.

  2. Additionally, the personal data of service users and customers may be shared with the following recipients or categories of recipients:

    a) service providers supplying the Administrator with technical, IT, and organizational solutions enabling the Administrator to conduct business, including the website and electronic services provided through it (in particular, software providers, marketing agencies, email and hosting providers, business management software providers, and technical support for the Administrator and product delivery operator) – the Administrator shares collected personal data of the Client with a selected provider acting on its behalf only when necessary to achieve a specific data processing purpose consistent with this privacy policy.
    b) providers of accounting, legal, and advisory services providing the Administrator with accounting, legal, or advisory support (in particular, accounting firms, law firms, or debt collection agencies) – the Administrator shares collected personal data of the Client with a selected provider acting on its behalf only when necessary to achieve a specific data processing purpose consistent with this privacy policy.
    c) payment gateway providers and payment processing solutions for the website – the Administrator shares collected personal data of the Client with a selected provider acting on its behalf only when necessary to achieve a specific data processing purpose consistent with this privacy policy.

  3. The Administrator may share anonymized data (i.e., data that does not identify specific Users) with external service providers to better understand the attractiveness of advertisements and services for users, and in this regard, due to the location of software providers, data may be transferred – while ensuring their protection principles – to third countries that provide standard contractual clauses approved by the European Commission regarding personal data processing or that have appropriate authorizations to act based on bilateral data processing agreements between the European Union and a specific third country, which is not a member of the European Economic Area. These entities in the case of the Administrator are:

    • Google LLC (headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for Google Analytics tools used to analyze website statistics, Google Tag Manager used to manage scripts by easily adding code snippets to a website or application and tracking user actions on the website, Google Ads for displaying sponsored links in Google search results and on cooperating sites within the Google AdSense program, Google Workspace for comprehensive website editing and coordinating work among team members (including Google Drive, Gmail, Google Sheets, Google Forms, Google Looker Studio);
    • Meta Platforms, Inc. (headquarters: 1601 Willow Road, Menlo Park, CA 94025, USA) for Facebook Pixel used to track conversions from Facebook ads, optimizing them based on collected data and statistics, and building a targeted audience list for future advertisements;
    • WordPress (headquarters: CT Corporation System, 330 N Brand Blvd., Glendale, California 91023-2336) for website hosting and construction, as well as analyzing website statistics and tracking user actions on the website;
    • Stripe, Inc. (headquarters: 354 Oyster Point Boulevard, South San Francisco, California, 94080, USA or 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland) for data necessary for processing, authorizing, and verifying payments and the parties involved.

  4. The Administrator always informs about the intention to transfer personal data outside the EEA at the stage of data collection.

  5. The Administrator continuously conducts risk assessments to ensure that personal data is processed securely, ensuring primarily that access to data is limited to authorized individuals and only to the extent necessary for the tasks they perform. The Administrator ensures that all operations on personal data are recorded and conducted only by authorized employees and collaborators.

  6. The Administrator takes all necessary actions to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process personal data on behalf of the Administrator.

  7. The Administrator’s website may utilize Google Analytics functionality, a web traffic analysis service provided by Google, LLC (“Google”). Google Analytics uses cookies to help website operators analyze how visitors use the site. Information generated by cookies about website usage by visitors is usually transferred to Google and stored on its servers in the United States. According to current IT standards, IP addresses of users visiting the Administrator’s site are truncated. Only in exceptional cases is the complete IP address sent to a Google server in the United States and truncated there. At the request of the Administrator, Google will use this information to evaluate the website for its users, compile reports on site traffic, and provide other services related to website traffic and internet usage for website operators. Google will not associate the IP address transmitted via Google Analytics with any other data in its possession. More information on how Google Analytics collects and uses data can be found on Google’s official site at www.google.com/policies/privacy/partners. Additionally, every User can prevent the collection and processing of data by Google regarding their use of the website by downloading and installing a browser add-on at the following link: http://tools.google.com/dlpage/gaoptout.

  8. When sharing data with third parties, the Administrator makes every effort to ensure that this occurs only with entities that meet the criteria and requirements specified in Articles 46 or 49 of the GDPR. In appropriate cases, the Administrator will rely on standard EU contractual clauses and other safeguards to enable transfers outside the EEA. According to the ruling of the Court of Justice of the European Union on July 16, 2020, the Administrator continues to assess the legal systems of countries to which data is transferred and, as necessary, updates measures to ensure adequate levels of protection.

  9. Regarding data transferred to the United States, when sharing data with third parties, the Administrator makes every effort to ensure that this occurs, in accordance with the European Commission’s decision of July 10, 2023, only with entities and organizations in the USA that ensure compliance with the new “EU-U.S. Data Privacy Framework.” A list of these organizations has been published by the U.S. Department of Commerce. The transfer of personal data from the EEA to organizations that have joined the “EU-U.S. Data Privacy Framework” program and are on this list is possible without the need for additional authorizations or the application of legal instruments such as standard contractual clauses or binding corporate rules. However, if a particular data importer in the USA has not joined the “EU-U.S. Data Privacy Framework” program, the transfer of personal data to them is possible and will occur upon meeting the conditions specified in Articles 46 or 49 of the GDPR. In such cases, the Administrator will rely on standard EU contractual clauses and other safeguards to enable transfers outside the EEA.

§ 4 USER RIGHTS

  1. The user whose personal data is being processed has the right to:

    a) Access, rectification, restriction, deletion, or transfer – the individual whose data is concerned has the right to request access to their personal data, rectification, deletion (“the right to be forgotten”), or restriction of processing, as well as the right to object to processing and the right to data portability. The detailed conditions for exercising these rights are specified in Articles 15-21 of the GDPR.
    b) Withdraw consent at any time – an individual whose data is processed by the Administrator based on consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR) has the right to withdraw their consent at any time without affecting the lawfulness of processing carried out based on consent prior to its withdrawal.
    c) Lodge a complaint with a supervisory authority – an individual whose data is processed by the Administrator has the right to lodge a complaint with the supervisory authority in the manner and procedure specified in the GDPR and Polish law, in particular, the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office in Warsaw.
    d) Object – an individual whose data is concerned has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on Article 6(1)(e) (public interest or task) or (f) (legitimate interest of the administrator), including profiling based on these provisions. In such cases, the Administrator is no longer permitted to process such personal data unless it demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or grounds for establishing, exercising, or defending claims.
    e) Object to direct marketing – if personal data is processed for the purposes of direct marketing (based on the legitimate interest of the Administrator, not on the consent of the data subject), the individual whose data is concerned has the right to object at any time to the processing of their personal data for such marketing purposes, including profiling, insofar as the processing is related to such direct marketing.

  2. The above rights are exercised upon a request from the user sent to the email address [email protected]. Such a request should include the user’s first and last name.

  3. The user ensures that any data provided or published by them on the service is accurate.

§ 5 COOKIES

  1. By “cookies,” we mean IT data, particularly text files, stored on users’ end devices (usually on the hard drive of a computer or on a mobile device) that serve to save specific settings and data by the user’s browser for the purpose of using websites. These files allow the user’s device to be recognized and the website to be displayed accordingly, providing comfort during its use. The storage of cookies enables the proper preparation of the website and the offering tailored to the user’s preferences—the server recognizes and remembers preferences such as visits, clicks, and previous actions.

  2. Cookies contain, in particular, the name of the domain of the website from which they originate, the duration of their storage on the end device, and a unique number used to identify the browser from which the connection to the website is made.

  3. Cookies are used for:

    a) Adapting website content to user preferences and optimizing the use of websites.
    b) Creating anonymous statistics that help determine how users interact with the websites, allowing for improvements in their structure and content.
    c) Delivering content that is advertising-oriented and tailored to users’ interests. Cookies do not serve to identify the user, and no identity can be established based on them.

  4. The fundamental division of cookies distinguishes them as:

    a) Essential cookies – absolutely necessary for the proper functioning of the website or functionalities that the user wants to utilize, as many of our services cannot be provided without them. Some of them also ensure the security of electronic services.
    b) Functional cookies – important for the operation of the website due to the fact that:
    – They enrich the functionality of the websites; without them, the website will operate correctly but will not be tailored to user preferences.
    – They ensure a high level of functionality; their absence may lower the functionality level of the website, but should not prevent complete use.
    – They support most of the functionalities of the websites; blocking them will cause selected features to not work correctly.
    c) Business cookies – enable the realization of the business model based on which the website is provided; blocking them will not result in unavailability of all functionalities, but may lower the level of service provision due to the inability of the website owner to generate income that subsidizes its operation. This category includes, for example, advertising cookies.
    d) Configuration cookies – allow settings for functions and services on websites.
    e) Security and reliability cookies – enable the verification of authenticity and optimization of website performance.
    f) Authentication cookies – inform when a user is logged in, allowing the website to display appropriate information and functions.
    g) Session state cookies – save information about how users utilize the website, which may include the most frequently visited pages or error messages displayed on certain pages. These cookies help improve services and enhance the browsing experience.
    h) Process monitoring cookies – enable the efficient functioning of the website and available functions.
    i) Advertising cookies – allow the display of ads that are more interesting to users and more valuable for publishers and advertisers; cookies may also be used for ad personalization and displaying ads outside of websites.
    j) Location access cookies – adjust displayed information to the user’s location.
    k) Analytical cookies – enable the website owner to better understand user preferences and improve and develop products and services through analysis. Typically, the website owner or research firm collects anonymous information and processes data on trends without identifying individual users’ personal data.

  5. The use of cookies to tailor website content to user preferences does not generally mean the collection of any information that allows for user identification; however, this information may at times have the nature of personal data, allowing certain behaviors to be assigned to a specific user. Personal data collected using cookies may only be gathered to perform specific functions for the user. Such data is encrypted in a way that prevents unauthorized access.

  6. The cookies used by this website are not harmful to the user or the end device they are using, so to ensure the proper functioning of the service, it is recommended not to disable their handling in browsers. In many cases, software for browsing websites (web browsers) defaults to allowing the storage of information in the form of cookies and other similar technologies on the user’s end device. Users can change how cookies are used through their browser at any time. To do this, they should change their browser settings. The method for making changes varies depending on the software (web browser) used. Appropriate guidance can be found on subpages, depending on the browser being used.

  7. Cookies are also used to facilitate logging into user accounts, including via social media, and to enable navigation between subpages on websites without the need to log in again on each subpage. At the same time, cookies are used to secure websites, such as preventing unauthorized access.

  8. Within cookie technology, the Administrator may use tracking pixels or clear GIF files to gather information about how the user interacts with their services and their responses to marketing messages sent by email. A pixel is a piece of software code that allows for embedding an object on a page, usually an image the size of a pixel, which enables tracking user behavior on websites where it is placed. Upon providing the appropriate consent, the browser automatically establishes a direct connection with the server storing the pixel, so the processing of data collected by the pixel occurs under the data protection policy of the partner managing that server.

  9. The Administrator may use web log files (containing technical data, such as the user’s IP address) to monitor traffic within its services, troubleshoot technical problems, detect fraud and counteract it, and enforce the provisions of the User Agreement.

  10. The Administrator informs that the website does not respond to DNT (Do Not Track) signals; however, users can disable certain forms of tracking online, including some analytical data and personalized ads, by changing their cookie settings in their browser or by using our consent tools for the use of cookies (if applicable).

  11. Detailed information on changing cookie settings and manually deleting them in the most popular web browsers is available in the help section of the web browser.

  12. Detailed information on managing cookies on mobile phones or other mobile devices should be included in the user manual for the specific mobile device.