PRIVACY PROTECTION POLICY alfathrust.pl
§ 1 GENERAL PROVISIONS
- The administrator of the personal data of users of the website located at the domain www.alfathrust.pl is Alfa Corporations ltd., with its registered office at Pl. Wladyslawa Andersa 3, 11th floor, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court in Poznan – Nowe Miasto and Wilda in Poznan, 8th Economic Department of the National Court Register, under KRS number: 0001115159, holding the Tax Identification Number (NIP): 7831907640 and the National Business Registry Number (REGON): 529113163. Hereinafter, this entity shall be referred to as the “Administrator.”
- The Administrator has established an electronic contact point dedicated to handling correspondence directed by the authorities of the European Union Member States, the European Commission, and the Digital Services Board. Contact can be made via the following e-mail address: contact@alfathrust.pl. This communication channel may also be used by Customers wishing to contact the Administrator directly and promptly.
- Additionally, contact with the Administrator may be made via traditional mail sent to the address indicated above, through the contact form available on the website, or by telephone at: +48 572 603 631 during the Administrator’s working hours, i.e., Monday to Friday from 8:00 a.m. to 4:00 p.m. (calls charged according to the applicable tariff of the telecommunication operator used by the Customer). All communication may be conducted in Polish or English.
- This policy aims to present the principles and procedures concerning the processing of personal data obtained via the Administrator’s website, as well as in connection with services and tools available to users therein. It also covers the processing of personal data in the context of concluding and performing contracts, which occurs independently of the use of the website.
- If necessary, the provisions contained in this Policy may be amended. Users will be informed of any updates through the publication of a new version of the document. Persons who have previously consented to the processing of their personal data for the purpose of e-mail contact or provided an e-mail address during the conclusion of a contract will also be notified of the changes electronically.
§ 2 LEGAL GROUNDS AND PURPOSES OF PROCESSING, DATA STORAGE
- The processing of personal data of users is conducted in compliance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council, known as the GDPR, as well as the Act of 10 May 2018 on the Protection of Personal Data and the Act of 18 July 2002 on the Provision of Services by Electronic Means – taking into account all subsequent amendments to these acts. Additionally, to the extent necessary for handling notifications provided for in Article 16(1) of the Digital Services Act (DSA) dated 19 October 2022, data may also be processed pursuant to Article 3(h) of the aforementioned regulation.
- The Administrator may collect specific personal data for strictly defined purposes:
| Purpose of data processing | Legal basis for processing | Data retention period | Scope of data processed |
|---|---|---|---|
| Performing a contract with the customer or taking action at the request of the data subject before entering into the aforementioned contracts | Article 6(1)(b) of the GDPR (performance of a contract). | – for the duration of the aforementioned contract until the expiration of the legal obligation related to accounting; – data will be processed until the expiration of the period during which it is possible to assert claims | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – company name; – TIN |
| Newsletter | Article 6(1)(f) of the GDPR (legitimate interest of the controller). The administrator may process data for direct marketing purposes only after obtaining consent and in the absence of an objection from the data subject. | – until you withdraw your consent – remember, you can withdraw your consent at any time. The processing of data until you withdraw your consent remains lawful; – data will be processed until the expiration of the period during which it is possible to assert claims | – e-mail address; – telephone number |
| Marketing | Article 6(1)(a) of the GDPR (consent). | – until you withdraw your consent – remember, you can withdraw your consent at any time. The processing of data until you withdraw your consent remains lawful; – data will be processed until the expiration of the period during which it is possible to assert claims; – until you unsubscribe from the newsletter. | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country) |
| Customer’s expression of opinion | Article 6(1)(a) of the GDPR (consent). | – in the absence of an opinion, for a period of 30 days after you make a purchase or until your objection to processing is upheld; – when an opinion is expressed, until it is deleted or until an objection to processing is upheld; – data will be processed until the expiration of the period during which it is possible to assert claims | – name; – e-mail address; – telephone number |
| Bookkeeping | Article 6(1)(c) of the GDPR in conjunction with Article 86(1) of the Tax Ordinance, consolidated text of January 17, 2017 (Journal of Laws of 2017, item 201) or Article 74(2) of the Accounting Act, consolidated text of January 30, 2018 (Journal of Laws of 2018, item 395). | – data will be processed until the expiration of the period during which claims can be asserted; – the data shall be kept for the period required by law mandating the retention of tax books (until the expiration of the statute of limitations for tax liabilities, unless otherwise provided by tax laws) or accounting books (5 years, counting from the beginning of the year following the fiscal year to which the data refer). | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – TIN; – company name |
| Making a refund | Performing the Contract or taking action at the request of the data subject prior to entering into the Contract (Article 6(1)(b) of the GDPR). | – 5 years after the termination of business relations with the customer | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – data of the business entity |
| Determining, asserting or defending claims that the Administrator may assert or that may be asserted against the Administrator | Article 6(1)(f) of the GDPR | – the data are kept for the period of our legitimate interest, but no longer than the period of the statute of limitations for claims against the data subject for business activities. | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – TIN; – company name |
| Conducting research and analysis to improve performance of available services | Article 6(1)(f) of the GDPR | – the data will be processed until the expiration of the period during which claims can be asserted; – until the expiration or deletion of cookies used for analytical purposes | – company name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – computer components; – settings; – installed software |
| Customer account registration | Performing the Contract or taking action at the request of the data subject prior to entering into the Contract (Article 6(1)(b) GDPR) | – 5 years after the termination of business relations with the customer | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – data of the business entity |
| Providing customer service | Performing the Contract or taking action at the request of the data subject prior to entering into the Contract (Article 6(1)(b) GDPR) | – 5 years after termination of business relationship with the Customer; – 2 years after the last update of the Customer’s inquiry | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – data of the business entity |
| Correct functioning of the service | Maintaining the performance of the Service and improving it (Article 6(1)(f) GDPR) | – 5 years after the termination of business relations with the customer | – As in the cell above; – Information about the activities performed on the site (button clicks, time of visits, notifications read, other information depending on the specific business case) |
| Allowing the customer to reset the password | Protecting and securing the service, customers’ interests, safeguarding the customer’s security (Article 6(1)(f) GDPR) | – 5 years after the termination of business relations with the customer | – name; – e-mail address; – business entity data; – Customer’s password; – User ID |
| Overseeing compliance with regulations, contracts, privacy policies | Protecting and securing the service, customers’ interests, safeguarding the customer’s security (Article 6(1)(f) GDPR) | – 5 years after the termination of business relations with the customer | – transaction data; – data of the business entity |
| Processing of requests for personal data | Article 6(1)(c) GDPR | – The period of the existence of the legitimate interest of the Administrator, but no longer than the period of the statute of limitations for claims against the data subject for business activities. | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – TIN; – company name |
| Providing information to authorities, law enforcement and other state institutions | Article 6(1)(c) GDPR | – The period of the existence of the legitimate interest of the Administrator, but no longer than the period of the statute of limitations for claims against the data subject for business activities. | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – TIN; – company name |
| Fulfillment of the legal obligation set forth in Article 16 (1), (4), (5) and (6) of the DSA to: 1. accept a notification of the presence in the hosting service of information that the requester believes constitutes illegal content, as defined in Article 3(h) of the DSA; 2. process the notification; 3. inform about the decision made on the notification; 4. inform about the possibility of appealing against the decision made, as referred to in 3). | Article 6(1)(c) GDPR | – Until informed of: 1) the decision made by the Administrator on the application made; 2) the possibility to appeal the decision referred to in point 2). | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – TIN; – company name |
| Processing of personal data to the extent that, based on proceedings before authorized public administration bodies, including law enforcement agencies, on the purposes or grounds for the processing of personal data, the Administrator is required to process them. | Article 6(1)(c) GDPR | – For the duration of such obligation | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – TIN; – company name |
| Undertaking activities to identify and report potential product risks, ensure product compliance with safety requirements, and inform competent authorities or users of the need to take safety measures, to the extent required by the GPSR Regulation. | Article 6(1)(c) GDPR | – For the duration of such obligation | – name; – e-mail address; – telephone number; – address (street, house number, apartment number, postal code, city, country); – TIN; – company name |
- The Administrator may engage in profiling for marketing purposes directly targeted at the user; however, such activities do not influence decisions regarding the conclusion of contracts, refusal to provide services, or access to website functionalities. The effects of profiling activities may include, for example, granting an individual discount, sending a discount code, reminding about an abandoned shopping cart, presenting a product consistent with previous preferences, or offering more favorable terms than those usually available. Despite the use of profiling mechanisms, the final decision to accept the offered terms always rests with the user. This process involves the automated evaluation or prediction of user activity on the website—for example, based on adding a product to the cart, browsing specific subpages, or analyzing visit history. The prerequisite for conducting such analysis is that the Administrator already possesses the personal data of the individual, making it possible, for example, to send a personalized promotional code.
- To ensure the proper functioning of the service and its features, during the user’s visit to the website, technical data may be collected automatically, including but not limited to:
a) the user’s IP address;
b) information about the device, operating system, and its components, such as hardware or mobile device identification numbers;
c) data about the operating platform used;
d) technical settings and active modules;
e) details of the web browser, including its type and preferred interface language.
- Taking into account the scope, nature, purpose, and context of the data processing, as well as the degree and type of risk to the rights or freedoms of natural persons, the Administrator implements appropriate technical and organizational measures to ensure that the processing complies with applicable laws—particularly the GDPR. The implemented safeguards are regularly monitored and updated as necessary. The Administrator also employs protections preventing unauthorized persons from accessing electronically transmitted data and from unlawful modification thereof.
§ 3 DISCLOSURE OF DATA TO THIRD PARTIES
- The Administrator ensures that all collected personal data is used solely for the purpose of fulfilling obligations toward the users of the service. Such information shall not be disclosed to third parties, except where:
a) the user has given explicit and prior consent; or
b) such disclosure is required or may be required by applicable law, e.g., upon request of authorized public authorities.
- Personal data of users and customers may also be disclosed to certain recipients or groups of entities, in particular:
a) providers of technological, IT, and organizational tools supporting the Administrator in conducting business activities and managing the website (e.g., software providers, hosting services, marketing services, helpdesk systems, or order and payment processing solutions) — data is shared strictly to the extent necessary to fulfill the specific purpose and in compliance with this policy;
b) companies providing accounting, legal, and advisory services (e.g., accounting offices, law firms, debt collection agencies), which process data solely to the extent necessary and under the Administrator’s instructions;
c) payment system operators — to enable the processing of payments by the user; data is shared only to the minimal extent necessary for payment processing. For this service, the payment gateway provider is:
• Tpay (Krajowy Integrator Płatności S.A.);
d) courier, logistics companies, and delivery intermediaries — if the customer selects physical delivery, the Administrator discloses personal data to carriers only to the extent necessary to deliver the order.
- The Administrator may also disclose anonymized data (which does not allow user identification) to external providers, e.g., for evaluating the effectiveness of advertising and marketing activities. Due to the location of such providers, data may be transferred outside the European Economic Area, but only in compliance with applicable data protection standards—e.g., based on European Commission-approved contractual clauses or appropriate agreements between the EU and the third country. In particular, data may be disclosed to:
a) Google LLC — in connection with the use of tools such as Google Analytics (statistical analysis), Google Tag Manager (script management), Google Ads (advertising), Google Search Console (website visibility monitoring), Google Workspace (collaboration and communication tools: Gmail, Google Drive, etc.);
b) Meta Platforms, Inc. — for the use of Facebook Pixel functionality, used for analyzing ad effectiveness and creating personalized audience groups;
c) TikTok Technology Limited — within the TikTok Ads system for advertising analytics and remarketing list creation;
d) GetResponse Sp. z o.o. — for conducting mailing activities and email marketing automation campaigns.
- The Administrator continuously monitors and assesses risks related to personal data processing, ensuring that data access is granted solely to authorized personnel and only to the extent necessary for performing their duties. All data operations are logged and may be performed only by authorized individuals.
- The Administrator strives to ensure that all third parties with whom it cooperates and to whom it entrusts data implement adequate and effective personal data protection measures and maintain security at a level at least equivalent to the standards required in the EU.
- The Administrator’s service may use Google Analytics provided by Google LLC to analyze website traffic. This tool collects information using cookies. Data about user activity on the site is usually sent to Google servers in the USA. Typically, the user’s IP address is truncated before transmission — only in exceptional cases is it sent in full. Google acts on behalf of the Administrator and does not combine the user’s IP address with other data held by Google. Details on Google’s data processing are available at: www.google.com/policies/privacy/partners. The user can also block data collection by installing the appropriate browser plugin available at http://tools.google.com/dlpage/gaoptout.
- When transferring data to third parties, the Administrator exercises the utmost diligence to ensure compliance with Articles 46 and 49 of the GDPR. In practice, this means applying the EU standard contractual clauses or other mechanisms guaranteeing an adequate level of data protection. The Administrator also evaluates applicable laws in destination countries and updates safeguards and transfer mechanisms as necessary.
- If personal data is transferred to entities in the United States, the Administrator does so only with companies covered by the European Commission’s decision of 10 July 2023 on the “EU–US Data Privacy Framework.” These organizations are listed on a special register maintained by the US Department of Commerce, which allows for lawful data transfer without additional authorizations. If the data recipient does not participate in this program, data is transferred based on Articles 46 or 49 GDPR, using standard contractual clauses or other safeguards for transfers outside the European Economic Area.
§ 4 USER RIGHTS
- The data subject whose personal data is processed by the Administrator has a number of rights arising from the provisions of the GDPR, including:
a) Right of access, rectification, restriction, erasure, and data portability – every natural person has the right to request from the Administrator access to their personal data, correction of errors, deletion of data (the so-called “right to be forgotten”), temporary restriction of processing, as well as the transfer of data to another entity. The scope and rules for exercising these rights are defined in Articles 15 to 21 of the General Data Protection Regulation (GDPR).
b) Right to withdraw consent – where the legal basis for data processing is the consent of the data subject (pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR), the data subject has the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.
c) Right to lodge a complaint with a supervisory authority – any person may file a complaint with the relevant supervisory authority responsible for monitoring compliance with data protection laws if they consider that the Administrator’s actions violate their rights. In Poland, this authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) based in Warsaw.
d) Right to object to data processing – at any time, the data subject may object to the processing of their data where the basis for processing is the public interest (Article 6(1)(e) GDPR) or the legitimate interest of the Administrator (Article 6(1)(f) GDPR), including profiling. In such cases, the Administrator may no longer continue processing unless it demonstrates the existence of overriding legitimate grounds or the necessity to establish, assert, or defend legal claims.
e) Right to object to marketing activities – where personal data is processed for the purpose of direct marketing based on the legitimate interest of the Administrator, the data subject may request at any time that the processing of their data for this purpose cease, including profiling related to direct marketing.
- The above rights are exercised by submitting a relevant request via email to the address specified by the Administrator. The request must include the full name of the data subject.
- The user declares that all personal data provided or posted in the service is accurate and truthful.
§ 5 COOKIES
- Cookies are small data packets—usually in the form of text files—that are saved and stored on the end devices of persons visiting the website, such as desktop computers, laptops, or smartphones. Their purpose is to enable the user’s browser to remember certain information, which allows, among other things, the personalization of the way the website is displayed and its adaptation to the visitor’s preferences. This enables the website to recognize returning users and remember their previous interactions, such as visited subpages, clicks, or selected settings.
- A standard cookie contains, among other things, the domain name from which it originates, a unique identifier associated with the user’s browser, and the duration for which the cookie will be stored on the end device.
- The purposes of using cookies on the website include:
a) tailoring the content and functionality of the site to the user’s preferences and expectations, as well as facilitating the use of the service;
b) creating anonymous statistical analyses concerning the use of the website, allowing its optimization;
c) presenting advertising content that corresponds to the user’s interests and previous activities.
Cookies are never used to identify visitors directly or establish their identity.
- Cookies are divided into various types according to their functions:
a) Essential cookies – enable the proper functioning of key website features and are necessary for accessing many basic services. Disabling them will prevent the proper operation of the service;
b) Functional cookies – support additional website features, allowing, among other things, customization of the site’s appearance and content to individual user settings. Their absence may reduce user comfort, although the website will still function;
c) Configuration cookies – enable the personalization of settings and functions offered on the site;
d) Security cookies – responsible for protecting the service and verifying user authenticity, while also enhancing server performance;
e) Authentication cookies – allow the system to recognize that a given user is logged in, thereby displaying the appropriate features and information;
f) Session cookies – track user actions during a single visit session, e.g., noting visited subpages or display errors. This information helps improve the service;
g) Advertising cookies – allow for the presentation of personalized advertisements aligned with the user’s interests and for the assessment of their effectiveness;
h) Analytical cookies – used to collect data on general user behavior, which is used to create reports and statistical analyses without identifying specific individuals.
- Although cookies generally do not collect data enabling direct identification of individuals, in certain cases they may process data considered personal—e.g., session identifiers linked to a particular user. Such data are used solely to provide a specific website function and are protected by encryption to prevent unauthorized access.
- Cookies used on the website do not pose a threat to the user’s device or data. On the contrary, they are necessary for the proper operation of the service. Most web browsers accept cookies by default. However, users may manually change these settings by accessing their browser’s configuration options. The method of changing settings varies depending on the software and is described in the help section of the respective browser.
- The Administrator may also use so-called server logs, which record technical data related to visits, such as IP addresses. These data are used to monitor traffic, detect technical problems, prevent abuses, and ensure compliance with the terms of use of the service.
- Detailed information on how to disable, modify, or delete cookies in the most commonly used browsers can be found in the “Help” section of the respective program.
- When accessing the service via smartphone, tablet, or other mobile devices, instructions for managing cookies are available in the user manual of the device or on the operating system manufacturer’s website.