CAT&CAT INTERNET STORE PRIVACY POLICY (hereinafter: “Privacy Policy”).

CONTENTS:

1. INTRODUCTION (GENERAL INFORMATION)
2. DEFINITIONS OF TERMS USED IN THE PRIVACY POLICY
3. ENTITY RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE OPERATION OF THE “CAT&CAT” STORE (PERSONAL DATA CONTROLLER) AND CONTACT WITH THE CONTROLLER
4. THE SCOPE OF DATA PROCESSED IN THE COURSE OF CAT&CAT STORE’S ACTIVITIES, THE PURPOSES OF THEIR PROCESSING AND THE LEGAL BASIS FOR PROCESSING
5. SHARING OF PERSONAL DATA BY THE CONTROLLER WITH OTHER ENTITIES
6. THE DURATION OF PROCESSING OF PERSONAL DATA BY THE CONTROLLER
7. SECURITY OF PERSONAL DATA
8. COOKIES” FILES USED BY THE ADMINISTRATOR
9. PROFILING OF PERSONAL DATA (ASSESSMENT OF USER INTERESTS AND PREFERENCES)
10. RIGHTS OF THE PERSON WHOSE PERSONAL DATA IS PROCESSED BY THE CONTROLLER
11. BALANCE OF INTERESTS
12. MAKING CHANGES TO THE PRIVACY POLICY AND INFORMING ABOUT THEM

§ 1. INTRODUCTION (GENERAL INFORMATION)

1. This Privacy Policy applies to the CAT&CAT Online Store (hereinafter referred to as the “Store” or “Online Store” or “CAT&CAT Store”), available on the Internet at the domain: www.catandcat.eu, used to place Orders for Goods presented therein by the Seller and to provide services electronically in terms of presenting the Content on the Store’s pages and allowing the Customer to read it, as well as allowing the Customer to place Orders, maintain an Account and send a newsletter.
2. The Store Administrator respects the privacy of Users and ensures that their personal data is processed in a transparent manner with the security rules required by law (including RODO and the Personal Data Protection Act). In connection with the above, this Privacy Policy specifies the handling of personal data in connection with the activities of the Store and the Administrator, informs about the rights of data subjects and the laws aimed at providing the aforementioned persons and their personal data with adequate protection. With the above in mind, each User is required to read the Privacy Policy before using the Store.
3. Privacy policy applies to the processing of personal data as part of any services provided through the CAT&CAT Shop and other activities undertaken using the Shop (e.g. placing orders or concluding a sales agreement).
4. A person whose personal data is processed in connection with the operation of the Store may perform different roles in relations with the Administrator, depending on which functionalities of the Store he/she uses (i.e. he/she may be an unregistered User, a User with an Account or a party to a sales contract – a buyer). All the aforementioned categories of persons using the Store include the term User, so whenever this Privacy Policy refers to a User, the given provision applies to all persons using the CAT&CAT Store.
5. As part of its activities, the Administrator, in addition to data from data subjects (Users), may also process personal data obtained from third parties or publicly available sources. These include, in particular: information of a technical nature and resulting from the use of the Store from providers of analytical services (e.g. as part of the Google Analytics service), contact details related to the business conducted by the User (from business intelligence agencies or public registers), data provided to the Administrator by other Users of the Store (e.g. in connection with reported complaints). in connection with reported complaints), data from the User who uses – with his/her knowledge and consent – the data of the person to whom they relate as part of the activities undertaken in the Store (e.g., data of the person to whose address the Goods are to be shipped or who is to receive the goods), as well as personal data from payment operators made as part of the Store’s activities (i.e., payment identifier, payment amount, its status, date of creation, e-mail address and payment method and transaction title).
6. The store is not intended for underage users, including children under 16. years of age, therefore, the Administrator does not knowingly obtain and process personal data of such persons, and if such data is found in the Administrator’s resources, it will be promptly deleted.
7. The Privacy Policy does not limit any of the User’s rights under the Terms of Use and common law.
8. The CAT&CAT store may contain links to third-party websites (e.g., entities providing goods delivery services or billing agents). When the User clicks on such a link, he/she will be redirected to a third-party website, which has a separate privacy policy and through which its owner may also process the personal data of its visitors for its own purposes and to the extent it determines. The Administrator has no influence on and is not responsible for the purpose, scope and manner of processing of personal data by the aforementioned third parties. Accordingly, you should familiarize yourself with the privacy policy of each site you visit when leaving the CAT&CAT Store.

§ 2. DEFINITIONS OF TERMS USED IN THE PRIVACY POLICY

1. The terms used in this Privacy Policy mean respectively:
   1. “Personal data” – any information about an identified or identifiable natural person (“data subject”), i.e. to a person who can be directly or indirectly identified, in particular by name, identification number, location data, Internet identifier or other specific factors identifying the natural person (Article 4 (1) RODO);
   2. “Processing of personal data” – an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, i.e. collecting, capturing, organizing, arranging, storing, adapting or modifying, downloading, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or combining, limiting, deleting or destroying (Article 4(2) RODO);
   3. “Personal data profiling” or “Profiling” – any form of automated processing of personal data that involves the use of personal data to evaluate certain personal factors of an individual, in particular to analyze or predict aspects relating to personal preferences, interests, reliability, behavior, location or movement (Article 4(4) of the RODO);
   4. “Personal data controller” – a natural or legal person, public authority, entity or other body that alone or jointly with others determines the purposes and means of processing personal data. As part of the activities of the CAT&CAT Store, the controller of personal data is its Administrator, i.e. Marcin Robak and Aleksandra Robak, jointly conducting business in the form of a civil partnership under the name: CAT & CAT ALEKSANDRA ROBAK MARCIN ROBAK S.C., address: ul. Lublinek 26D, 93-469 Łódź, NIP: 727-278-49-30, REGON: 101317457, e-mail address: kontakt@catandcat.eu, phone: 668443189;;
   5. “Regulations” – Regulations of the online store “CAT&CAT” available at: www.catandcat.eu/regulamin/.
   6. “Privacy settings” – functionality of the Store or Account that allows Users to manage the Services provided through the Store, in particular to modify the scope of individual Services and to express or withdraw consents for the processing of personal data or sending marketing materials (e.g. Newsletter);
   7. “On-line payment” – a payment system that allows payment for Goods ordered by the User through the Store, operated by entities external to the Administrator (billing agents), with whom the Administrator has signed appropriate contracts for the provision of services in the above-mentioned scope.
2. In addition to the terms indicated above, the Privacy Policy also uses the terms defined in detail in the Regulations of the “CAT&CAT” online store (§ 1 of the Regulations).

§ 3. ENTITY RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE OPERATION OF THE “CAT&CAT” STORE (PERSONAL DATA CONTROLLER) AND CONTACT WITH THE CONTROLLER

1. The administrator of the personal data of Users of the CAT&CAT Shop is its owner, i.e. Marcin Robak and Aleksandra Robak, jointly conducting business activity in the form of a civil partnership under the name: CAT & CAT ALEKSANDRA ROBAK MARCIN ROBAK S.C., registered in the Central Registration and Information on Business Activity of the Republic of Poland, conducted by the minister responsible for economy, address: ul. Lublinek 26D, 93-469 Łódź, NIP: 727-278-49-30, REGON: 101317457.
2. On matters related to the processing of personal data and the rights vested therein, the User to whom the data relate may contact the Data Controller through the following communication channels:
   1. via postal operator, to the address: CAT & CAT ALEKSANDRA ROBAK MARCIN ROBAK S.C., ul. Lublinek 26D, 93-469 Lodz;
   2. via e-mail, at: rodo@catandcat.eu

§ 4. THE SCOPE OF DATA PROCESSED IN THE COURSE OF CAT&CAT STORE’S ACTIVITIES, THE PURPOSES OF THEIR PROCESSING AND THE LEGAL BASIS FOR PROCESSING

1. The diverse range of services provided through the Store results in personal data of Users being processed by the Administrator for different purposes, to a different extent and on separate legal bases. Accordingly, the information within this section of the Privacy Policy has been grouped according to the actual purpose of its processing.
2. The Administrator provides the following Services to Users through the Store:
   1. The service of presenting Content on the websites of the CAT&CAT Store and allowing Customers to read this Content;
   2. The service of creating, maintaining and enabling the Customer to use the Account;
   3. The Service of providing the User with a form that allows him to place an Order for Goods;
   4. Service to enable the Customer to join the Newsletter and to send the Newsletter periodically to the Email Address indicated by the Customer.
3. The Administrator, using the Store, also enters into contracts with customers for the sale of goods, in which the Administrator acts on the side of the seller and the customer on the side of the buyer.
4. W zakresie Usługi prezentowania Treści na stronach internetowych Sklepu CAT&CAT i umożliwiania Klientom zapoznawania się z tymi Treściami:
   1. The Administrator, in order to carry out the provision of this Service, processes data on the User’s activity in the Store, in particular: session data, the device used by the User, software (e.g. Internet browser and operating system) and IP number and device identifier, as well as data on the content viewed by a given User in the Store, including Goods and their descriptions;
   2. the processing of personal data is carried out in connection with the performance of a contract for the provision of electronic services (i.e., pursuant to Article 6(1)(b) of the RODO).
5. Regarding the Service of creating, maintaining and enabling the Customer to use the Account:
   1. The Administrator, in order to provide this Service, processes data, including personal data of the User, in the form of:
      1. When registering an Account: first name, last name, username, e-mail address;
      2. when maintaining an Account: name, surname, username, email address, contact telephone, home (or business) address, shipping address, order history, return history, and accounting data (e.g., tax ID), if applicable to the User;
   2. the processing of personal data is carried out in connection with the performance of a contract for the provision of electronic services (i.e., pursuant to Article 6(1)(b) of the RODO).
6. With respect to the Service of providing the User with a form that allows the User to place an Order for Goods:
   1. The Administrator, in order to provide this Service (i.e. to enable the User to place an Order), processes data, including the User’s personal data, entered by the User in the Order form, in particular: name, surname, residential or shipping address, e-mail address, telephone number, data necessary to issue an accounting document (if applicable);
   2. The processing of personal data takes place in order to take, at the request of the User, actions aimed at concluding a sales contract and necessary for the performance of the contract (i.e. on the basis of Article 6(1)(b) RODO).
7. With regard to the Service of enabling the Customer to join the Newsletter and sending the Newsletter periodically to the Email Address indicated by the Customer:
   1. The Administrator, in order to provide this Service, processes data, including personal data of the User, in particular in the form of his e-mail address, to which the Newsletter is sent;
   2. processing of the aforementioned personal data takes place on the basis of the User’s consent to receive the Newsletter, i.e. based on art. 6 paragraph. 1(a) RODO.
8. Regarding the conclusion and performance of the Agreement for the sale of Goods and their delivery:
   1. The Administrator, in order to conclude and perform this Agreement in accordance with the terms and conditions specified in the Order and the Regulations, processes the Customer’s personal data included by the Customer in the Order form, in particular the name, surname, residential or shipping address, e-mail address, telephone number, data necessary to issue an accounting document (if applicable), as well as data on the payment made by the Customer;
   2. The processing of the aforementioned personal data takes place in order to take steps, at the request of the User, to conclude a sales contract, and then in order to perform it (i.e. on the basis of Article 6(1)(b) RODO).
9. Administrator może też prowadzić statystyki funkcjonowania Sklepu i korzystania z niego przez Użytkowników oraz podejmować działania w celu zapewnienia lub zwiększenia bezpieczeństwa informatycznego Sklepu CAT&CAT, w związku z czym:
   1. The Administrator takes measures on an ongoing basis to monitor how Users use the Store, its various functionalities, including data profiling. The purpose of such action is both to make it easier for Users to use the Store, to improve the functioning of the Store, and at the same time to increase the security of its Users, their personal data and the CAT&CAT Store itself, by detecting possible errors or threats in its functioning;
   2. For the purpose indicated above, the Administrator processes the User’s personal data concerning his/her activity in the Store, including session data, login data, the device, software (e.g. Internet browser and operating system) used by the User, IP number, device identifier, as well as data concerning the Content viewed by a given User in the Store, including pages, subpages, time spent on these pages and subpages;
   3. The Administrator processes the aforementioned User’s personal data due to its legitimate interest in the form of improving the functioning of the Store and the quality of the services provided electronically in accordance with the Terms and Conditions, as well as in order to facilitate the use of these services and improve their security level (i.e., Article 6(1)(f) RODO).
10. Administrator może też badać zadowolenie Użytkowników Sklepu CAT&CAT:
    1. The User Satisfaction Survey can take the form of, among other things. the form of surveys or forms made available to the User on the Store’s web pages, containing questions concerning his/her evaluation of the Store’s operation, particular Services or functionalities, as well as their effectiveness. User participation in the aforementioned surveys is voluntary and does not affect the ability to use the Store.
    2. For the above-mentioned purpose, the Administrator may process the User’s personal data, including e-mail address, information regarding the purchased Goods or the manner of fulfillment of the Orders, as well as answers to the questions contained in the above-mentioned surveys or forms.
    3. The Data Controller processes the aforementioned User’s personal data due to its legitimate interest in the form of improving the functioning of the Store and the quality of the services provided electronically in accordance with the Terms and Conditions, as well as facilitating the use of these services and assessing User satisfaction (i.e. based on Article 6(1)(f) of the RODO).
11. According to the Terms and Conditions, the Administrator is obliged to handle complaints about the operation of the Store or orders placed through it, as well as other requests or questions about the Store or services provided through it:
    1. For the above purpose, the Administrator may process the User’s personal data provided by the User in the Order form or when registering the Account, data concerning the User’s use of the Store, in particular to the extent covered by a given complaint, claim, application or question, as well as personal data contained in a given complaint, claim or application and the documents attached thereto;
    2. The Personal Data Administrator processes the above personal data of the User or Users concerned by a given complaint, claim, application or question, due to its legitimate interest in the form of improving the functioning of the Store and the quality of services provided electronically, ensuring compliance with the provisions of the Rules and Regulations and the security of use of the Store, i.e. the “Store”. based on art. 6 paragraph. 1(f) RODO, and in cases of complaints regarding Goods or services provided, based on Art. 6 paragraph. 1(b) of the DPA (i.e., for the purpose of performing the contract).
12. Administratorowi jako stronie umowy sprzedaży lub umowy o świadczenie usług drogą elektroniczną, zawartych za pośrednictwem Sklepu, przysługują uprawnienia do egzekwowania zawartych Umów, w tym obowiązków określonych w Regulaminie lub przepisach prawa powszechnie obowiązującego. W związku z niewykonaniem lub niewłaściwym wykonaniem Umowy przez Użytkownika, w szczególności w związku z naruszeniem przez niego postanowień Regulaminu, Administratorowi mogą przysługiwać względem Użytkownika określone roszczenia (roszczenia odszkodowawcze, roszczenia o zapłatę, roszczenia o powstrzymanie się od naruszania dóbr osobistych lub usunięcie naruszeń). Podobne roszczenia mogą być też kierowane przez Użytkowników lub inne podmioty względem Administratora. W związku z powyższym:
    1. In order to determine the existence and then the scope of the claims referred to above, as well as their subsequent assertion or defense against them, the Administrator may process the User’s personal data relating to the Order placed by him, his activity in the Store, as well as the User’s data contained within the Account (e.g. name, surname, name, contact details) and other data necessary to prove the existence of the
       claim or defense against it;
    2. The Data Controller processes the aforementioned User’s personal data due to its legitimate interest in establishing, investigating or defending against claims both at the pre-court stage and in proceedings before courts or other public authorities (i.e., pursuant to Article 6(1)(f) of the RODO).
13. The Administrator, as part of the Store’s operations, may organize contests or marketing campaigns. If the Administrator uses the aforementioned option, it will make available an entry form on the Store’s pages, the completion and submission of which will enable the User to participate in such a contest or marketing action. The application form will include mandatory data, the provision of which is necessary to participate in a given contest or marketing action (sending an application), and may additionally include additional (optional) data, the provision of which is not required. The user will be informed about the requirement or optionality of certain data contained in the application form before it is filled out.
14. The Administrator processes the aforementioned personal data of a person who declares his/her willingness to participate in a given contest or marketing action (sends an application form) due to his/her legitimate interest in the form of promoting the Administrator’s Goods or Services, as well as increasing interest in the Administrator’s offerings and building relationships with Users (legal basis: Article 6(1)(f) RODO).
15. At the same time, in the case of winners or beneficiaries of contests or marketing actions, the Administrator may also process their personal data for purposes necessary to fulfill the Administrator’s legal obligation (e.g., to fulfill the Administrator’s obligations to tax authorities resulting from the need to account for the prize or other benefits obtained by the User in connection with the contest or marketing action), i.e. based on art. 6 paragraph. 1(c) RODO).

§ 5. SHARING OF PERSONAL DATA BY THE CONTROLLER WITH OTHER ENTITIES

1. The User’s personal data referred to in this Privacy Policy may be processed on behalf of the Administrator by its employees or associates. The processing of personal data by the Administrator’s employees or associates takes place on the basis of an appropriate authorization to process personal data, granted by the Administrator to a given employee or associate, specifying both the scope and purpose of personal data processing by a given employee or associate, as well as obliging him/her to maintain the confidentiality of the processed data.
2. In addition to the Administrator’s employees or associates, to the extent necessary for the performance of certain services, Users’ personal data may also be entrusted to be processed or made available by the Administrator to external entities referred to, among others. in the Regulations, as well as to other entities that support the Administrator in its day-to-day operations.
3. As part of its operations, the Administrator uses the services of external entities (e.g. for accounting services, legal services, technical services, administrative services, postal or courier services, etc.). Accordingly, the Administrator may provide these entities with Users’ personal data to the extent necessary for the performance of certain services.
4. Depending on the terms and circumstances of cooperation with a given entity, the aforementioned entities may be subject to the Administrator’s instructions regarding the purposes and means of processing the personal data provided to them (they are then processors) or decide on such purposes and means themselves (separate controllers of personal data).
5. Processors shall process personal data provided to them by the Administrator only for the purposes and scope specified by the Administrator. Such service providers are, for example, accounting firms, law firms, IT service providers or providers of relevant software. The processing of personal data by the aforementioned service providers is carried out on the basis of an agreement for entrustment of personal data processing previously concluded by this entity with the Administrator.
6. Entities that are separate controllers of personal data provided to them by the Administrator do not act solely on the Administrator’s instructions, and consequently, they themselves determine the purposes and uses of the User’s personal data. An example of this type of entity is the provider of the Google Analytics tool, i.e. Google LLC.
7. Some of the entities providing services to the Administrator may be located outside the European Economic Area where the DPA applies. At the same time, in the event that the Administrator uses the services of such an entity and transfers the User’s personal data to it, the Administrator will ensure that the entity provides guarantees of a high degree of personal data protection coinciding with that specified by the RODO.
8. The Administrator may also share the User’s personal data with entities providing payment processing services to the Administrator:
   1. The Administrator shall make available to the entity in question the data necessary for it to process the payment in question, including data collected exclusively for this purpose, necessary to verify and identify the User as a customer of the bank or other financial institution in question;
   2. The scope of the aforementioned personal data may vary depending on the payment method selected by the User. At the same time, the Administrator does not store the data needed to process the payment (e.g., credit card data), only passes it to the payment operator for processing.
9. The Administrator may also make the User’s personal data available to state authorities (e.g. law enforcement agencies, courts, tax authorities):
   1. The Administrator will also make the User’s personal data available to broad state authorities, including but not limited to. police, prosecutor’s office, courts, the President of UODO, the President of UOKiK or the President of UKE. when such an obligation arises from generally applicable law or a ruling of a competent authority, i.e. based on art. 6 paragraph. 1(c) RODO.

§ 6. THE DURATION OF PROCESSING OF PERSONAL DATA BY THE CONTROLLER

1. The Administrator processes Users’ personal data for different purposes and to different extents, so the processing time varies depending on the specific category of personal data. Personal data of Users using the Store who do not have an Account, including data collected and stored by means of “cookies” are processed by the Administrator for the period of their storage on the User’s devices used to use the Store, which depends on individual settings of the software used by a given User (e.g. Internet browser settings), and in the case of session “cookies” for the duration of a given session.
2. Personal data of a User with an unconfirmed Account, i.e. data indicated in the registration form, the Administrator processes to the extent and under the terms of the Regulations for a period of 30 days from the date of sending the activation link to the User’s e-mail address (indicated in the aforementioned registration form). After the ineffective expiration of the aforementioned deadline, i.e. failure to confirm the creation of an Account using the activation link within 30 days of its sending, the personal data of the User in question will be deleted. In the case of confirmation of Account registration, the aforementioned data will be processed for a period of time appropriate to the data processed in the performance of the Agreement for the provision of electronic services in the form of an Account.
3. User’s personal data that the Administrator processes, including but not limited to. stores, in connection with the conclusion and performance of a contract, in particular a sales contract or a contract for the provision of electronic services, will be processed by the Administrator for the period of performance of the contract, and thereafter for a period corresponding to the statute of limitations for claims under the contract in question. Unless otherwise provided by common law, the statute of limitations for claims is 6 years, and in the case of claims for periodic benefits or claims related to the conduct of business, 3 years. The statute of limitations for claims arising from, among other things. from sales made within the scope of the seller’s business is 2 years. In the case of the User’s personal data related to transactions made through the Store (e.g. payments), the Administrator processes these data for a period of 5 years counted from the end of the calendar year in which the transaction (payment) took place for tax purposes (e.g. related to the obligation to store accounting documents).
4. Personal data processed by the Administrator on the basis of the consent of the User to whom the data relates (e.g. consent to receive a newsletter) shall be processed by the Administrator until such consent is effectively withdrawn by the User in question, with the proviso that the withdrawal of consent shall not affect the legality of prior processing of personal data on the basis thereof. After withdrawal of the consent referred to above, the Administrator will continue to process the User’s personal data for a period of time corresponding to the statute of limitations for claims that the Administrator may raise or that may be raised against the Administrator. Unless otherwise provided by common law, the statute of limitations for claims is 6 years, and in the case of claims for periodic benefits or claims related to the conduct of business, 3 years.
5. Personal data processed on the basis of the legitimate interest of the Administrator (i.e., Article 6(1)(f) of the DPA) referred to in the content of this Privacy Policy shall be processed by the Administrator until the User concerned raises an effective objection in this regard (i.e., objects to the processing of his/her personal data for these purposes).

§ 7. SECURITY OF PERSONAL DATA

1. The Administrator strives to ensure the security of the operation of the Store and the personal data it processes. One of the solutions implemented by the Administrator to ensure the aforementioned security is the use of encrypted data transmission when registering, logging into the Account or placing Orders, which significantly hinders access to the User’s personal data by unauthorized persons. However, it should be pointed out that in order to increase the security of the use of the Store, also the User should take precautions concerning the use of the CAT&CAT Store (among others, those referred to in the content of the Regulations), in particular, keep the login data for themselves.

§ 8. COOKIES” FILES USED BY THE ADMINISTRATOR

1. The Administrator uses “cookies” and other similar technologies in the operation of the Store.
2. “Cookies” are information in the form of text files, sent by the server used by the Administrator and stored on the User’s device from which he uses the Store (e.g. on a computer, tablet or other mobile device). Cookies include, among others. information used to identify a given User, as well as to remember actions taken by the User in the Store.
3. The Administrator also uses tools to recognize the devices of a given User, which by analyzing information about these devices (e.g. information about the browser, operating system, time zone, installed plug-ins and other configurations) and juxtaposing the aforementioned information with data about the operations of a given User allows it to recognize a given User (i.e. to identify him/her), as well as to verify whether it is the same User using the Store using different devices, or an unauthorized person.
4. Administrator może wykorzystywać różnego rodzaju pliki „cookies”, np. sesyjne (tj. tymczasowe pliki „cookies” przechowywane na urządzeniu Użytkownika do czasu wylogowania, opuszczenia Sklepu lub wyłączenia przeglądarki internetowej, które są usuwane po zakończeniu danej sesji) lub trwałe (tj. pliki „cookies” przechowywane są na urządzeniu danego Użytkownika przez czas określony w parametrach plików „cookies” lub do czasu ich usunięcia przez Użytkownika). Ze względu na pochodzenie danych plików „cookie” można rozróżnić także:
   1. The Administrator’s own “cookies” files (used by the Administrator in connection with the functioning of the Store) and the Partners’ “cookies” files (related to the functioning of other services and websites, not belonging to the Administrator).
5. Cookies used by the Administrator also differ by the purpose of their use and are divided into:
   1. “essential cookies”, which are always active (impossible to turn off) and can be used without the User’s consent, used to ensure correct and safe use of the Store and its functionality (e.g. logging in, accessing the Account), as well as to detect errors and prevent abuse within the CAT&CAT Store;
   2. “Functional cookies”, which the User must agree to, and which provide the User with the ability to use various functions in the Store, as well as remember the User’s settings and preferences (e.g. preferred language, remembering login data and data on forms filled out) and analyze the User’s interests (e.g. types of Goods viewed);
   3. “advertising cookies”, requiring the User’s consent to their use, allowing the Administrator to tailor advertisements in the Store to the User’s preferences (based on analysis of the User’s activity), as well as to study the effectiveness of individual marketing campaigns;
   4. “analytical cookies” to which the User must agree, i.e. cookies” files, which allow the Administrator to measure the number of visits and collect information about the sources of traffic in the Store and on its individual pages and subpages, making it possible, among other things, to to improve the performance of the Store’s website, as well as to learn about the popularity of its various pages and how Users navigate the Store;
   5. “Cookies from other services”, which the Administrator may receive from its Partners and which allow it to learn about the activity of a given User also in other services (not only in the CAT&CAT Store) and to combine the aforementioned information (e.g. information on visited sites or frequency of use) with data on the User’s activity within the Store, which in turn allows the Store’s offer and advertisements displayed therein to be adjusted to the individual preferences of a given User (the use of this type of “cookies” requires the User’s consent);
   6. “plug-ins”, allow the User to share content from the Store on other sites, especially social media, and also allow the Administrator to obtain information on whether the User is a user of particular social networks and whether he/she is logged into them (the use of such “cookies” requires the User’s consent).
6. The administrator by means of “cookies” may obtain information concerning:
   1. use of the Store by a given User, including the date, time and season of such use, length of the visit, sub-pages visited;
   2. Goods viewed by a given User in the Store, advertisements, links clicked, etc.;
   3. activity of a given User on sites other than the Store’s websites, provided that the User gives separate consent in this regard;
   4. devices used by a given User to use the Store (so-called “terminal equipment”), including the identifier of a given device, type and model, Internet browser and operating system, IP number and Internet Provider IP number (i.e., a unique number assigned to a given computer or device, based on which such information can be obtained, such as the country from which that device connects to the Internet) and other device settings;
   5. the location of the device through which a given User uses the Store (if he/she agrees in this regard).
7. Cookies may be collected directly by the Administrator, as well as obtained by the Administrator from Partners or entities that provide services to the Administrator in this regard.
8. Cookies may be used by the Administrator on its own or transferred to entities providing certain services to the Administrator (e.g. marketing or IT services).
9. The Administrator may use Google Analytics, a web audience analysis service provided by Google Inc. (“Google”). Google Analytics uses the “cookies” referred to above. Google may provide the information it develops to third parties if it is required to do so under applicable law.
10. The Administrator may also cooperate with other entities offering IT services, including those compiling statistics on the use of the Store, on terms and conditions detailed in separate agreements. The cooperation referred to in the preceding sentence may consist, in particular, in the use of “cookies” to create anonymous statistics, the purpose of which is to determine the preferences and expectations of Users, and consequently the development of the CAT&CAT Store.
11. The user will be informed about the Administrator’s use of cookies the first time he or she accesses the Store’s website. At that time, the User will be able to consent to the Administrator’s use of all cookies or make a selection of individual cookies (i.e. give consent to all types of cookies or to their individual categories, according to his/her preferences). At the same time, you may change your existing cookie preferences at any time via the appropriate tab located in the Store.
12. Lack of the User’s consent to the processing of optional cookies or a part of them, as well as the withdrawal of such consent during the use of the Store, may result in hindering or preventing the use of particular functionalities that require the processing of a particular type of cookies.
13. The user can also make settings regarding “cookies” through the settings of the Internet browser he uses. These settings can be changed depending on the User’s preferences and the capabilities of a given web browser, in particular in such a way as to block the automatic handling of “cookies” or inform about each time a “cookie” file is placed on a given device. Detailed information about the possibility and methods of handling “cookies” is available in the settings of the software (web browser) used by the User.
14. The user may at any time delete the “cookies” stored on his device, by using the appropriate option in the menu of the relevant program (web browser). Detailed instructions in this regard depend on the type of software, and you should therefore look for them in the user manual of the particular program (web browser) you are using.

§ 9. PROFILING OF PERSONAL DATA (ASSESSMENT OF USER INTERESTS AND PREFERENCES)

1. The Administrator strives to best match the content presented to a given User in the Store to his/her individual preferences and interests. For this purpose, the Administrator may perform automated operations on the User’s personal data (i.e. profiling).
2. The Administrator performs profiling of the User’s personal data in order to:
   1. To recommend Goods that may be of interest to a particular User;
   2. to encourage the use of the Services available through the Store and to assist in such use (e.g. by filling out forms);
   3. Marketing of the Administrator’s services and Goods.
3. Recommending Goods to the User that match his/her preferences and interests is done automatically. The Administrator’s system analyzes the User’s personal data obtained by means of “cookies” (e.g. information on the activity of a given Employee in the Store). The above-mentioned data are used by the Administrator to create a virtual profile of the User, on the basis of which the Goods matching the User are selected and presented. The presentation of recommended Goods takes place both before and after a given User logs in to the Account and may have different forms (e.g. pop up and web push). The Administrator processes (profiles) the User’s personal data in the above-mentioned scope due to its legitimate interest in the form of facilitating the use of the Store and presentation of its Goods to the User to whom the data relates (legal basis: Article 6(1)(f) RODO).
4. For the purpose of marketing the Administrator’s services or Goods, the Administrator may process the User’s personal data concerning his/her activity in the Store obtained and processed through “cookies” files (data concerning the use of the Services, registration and logging into the Account, visits to the Store and its individual subpages, clicks in the Store, as well as Order history), as well as data indicated by the User in the Account registration process, within the Account (after its registration), as well as in other forms and surveys filled out by him/her in the Store (e.g. newsletter form, contest forms). On the basis of the indicated data, the Administrator creates a profile of a given User, which is the basis for matching and sending to the User marketing information that may be of interest to him/her regarding the Administrator’s products or Services. The Administrator processes (profiles) the User’s personal data in the above-mentioned scope due to its or its Partners’ legitimate interests, in the form of marketing the Administrator’s or its Partners’ Services or products (legal basis: Article 6(1)(f) RODO).
5. The User may at any time object to the profiling of his/her personal data through one of the communication channels indicated in § 3, paragraph. 2 of the Privacy Policy or independently change your cookie preferences on the Store’s website.

§ 10. RIGHTS OF THE PERSON WHOSE PERSONAL DATA IS PROCESSED BY THE CONTROLLER

1. The User whose personal data is processed by the Administrator is entitled to the rights referred to in the RODO (indicated in detail below). In order to implement each of them, the User may contact the Data Controller through one of the communication channels indicated in the text of § 3. paragraph. 2 of the Privacy Policy or by making changes through the privacy functionality in the Account.
2. With respect to the processing of personal data, the User to whom the data relate has the following rights:
   1. The right to withdraw consent to the processing of personal data (Article 7(3) RODO), which means that the User may withdraw any consent to the processing of his/her personal data expressed in the Store (e.g. for marketing purposes). Withdrawal of a given consent shall have effect from the moment of its withdrawal and shall not affect the lawfulness of the processing of personal data covered by the withdrawn consent performed by the Administrator before its withdrawal. A User who exercises the right to withdraw consent will not suffer any negative consequences as a result (other than the inability to use the Services that can only be provided on the basis of consent), in particular it will not affect the User’s ability to use the Store and its functionalities where personal data is processed on a legal basis other than the consent of the data subject;
   2. The right of access to data, as well as the right to obtain information regarding the purpose of processing and the manner in which personal data is processed (Article 15 of the RODO), which means that the User may request information from the Administrator as to whether it processes the User’s personal data. If the Administrator processes personal data of such User, the User has the right to request from the Administrator information about the purposes of processing such data, the categories of data processed, the recipients or categories of recipients of such data, as well as the planned period of processing by the Administrator. At the same time, the User to whom the data pertains may also request information from the Administrator regarding his or her rights in connection with the processing of his or her personal data, as well as the source of the User’s data processed by the Administrator, automated decision-making (e.g., data profiling), and safeguards applied when data is transferred outside the European Union. In addition, based on Art. 15 RODO, you may also ask the Administrator to provide you with a copy of the personal data processed by the Administrator;
   3. The right to rectify personal data (Article 16 of the RODO), which means that the User to whom the data relates may rectify or supplement his/her personal data processed by the Administrator on an ongoing basis. The User may exercise the aforementioned entitlement on his/her own, by making changes to incorrect data or completing incomplete data through the appropriate functionality of the Account, and in cases where this is impossible from within the Account, request the Administrator to make the aforementioned changes (through one of the communication channels indicated in the contents of § 3. paragraph 2 of the Privacy Policy).
   4. Prawo do usunięcia danych osobowych (art. 17 RODO), co oznacza, że Użytkownik może zażądać od Administratora usunięcia lub samodzielnie usunąć za pośrednictwem Konta część lub wszystkie swoje dane osobowe przetwarzane przez Administratora. W przypadkach, w których żądanie usunięcia lub usunięcie będzie dotyczyło wszystkich danych osobowych lub danych osobowych obligatoryjnych do założenia Konta, w/w działanie będzie przez Administratora traktowane jako żądanie usunięcia Konta. Uprawnienie do usunięcia danych osobowych przysługuje Użytkownikowi, którego dane dotyczą, gdy:
      1. he or she withdrew a particular consent (to the extent that personal data was processed on the basis of that consent);
      2. certain personal data are no longer necessary for the purposes for which they were processed;
      3. the User in question has reasonably objected to the use of his/her personal data for marketing purposes or for Store usage statistics or satisfaction surveys;
      4. User’s personal data is processed in violation of the law. Despite the User’s exercise of the right to request deletion of personal data, the Administrator may retain certain personal data of the User for the purpose of determining the existence of claims and their scope, as well as their investigation or defense against claims, as well as for the purpose of handling complaints, claims, requests or questions (e.g. name, surname, name, e-mail address, contact details, history of Orders, as well as the history of settlements between the Administrator and the User).
   5. The right to request the Controller to restrict the processing of personal data (Article 18 of the RODO), which means that a Data Subject may request that his/her personal data not be processed in situations where:
      1. The user questions the correctness of his personal data (for a period that allows the Administrator to check the correctness of such data, i.e. up to 30 days);
      2. processing is, according to the User, unlawful, and at the same time the User objects to the deletion of his/her personal data, requesting instead the restriction of its use;
      3. The Administrator no longer needs the User’s personal data for the purposes of processing for which they were obtained, but they are needed by that User, to establish, assert or defend against claims;
      4. The data subject has objected to the processing of his/her personal data (until it is determined whether the legitimate grounds on the part of the Controller override the grounds of the data subject’s objection). In the event of a restriction of the processing of personal data, in connection with a User’s request in this regard, the Administrator may process such data, to the extent beyond storage, only with the consent of the User to whom the data relates, or for the purpose of establishing, asserting or defending against claims, as well as for the protection of the rights of another natural or legal person, or for compelling reasons of public interest of the European Union or a Member State. If the restriction on the processing of personal data is revoked (prior to such revocation), the Administrator will inform the User who requested the restriction on the processing of his/her personal data.
   6. The right to data portability (Article 20 of the RODO), which means that the User to whom the data pertains may request the Administrator to transfer his/her personal data processed by the Administrator (in a format suitable, among other things, for reading on a computer) or to send the aforementioned data directly to another Administrator designated by the User in question (if such technical possibility exists). The right to data portability, applies to data that are processed by the Controller by automated means based on the data subject’s consent or for the performance of a contract.
   7. The right to object to the processing of personal data (Article 21 RODO), which means that the User to whom the data pertains may object at any time to the processing of his/her personal data processed in connection with the legitimate interests of the Controller (e.g., conducting statistics, profiling, facilitating the use of the Store or User satisfaction surveys), including profiling on that basis. If the User raises an objection as mentioned above, the Administrator shall not process such personal data of the objecting User, unless the legitimate grounds for such processing override the interests, rights and freedoms of the User to whom the data relate, and also when the basis for such processing is the establishment, investigation or defense against claims.
3. In the case of resignation by the User from receiving marketing information concerning the Store or CAT&CAT, the Administrator will treat such resignation as an objection of a given User to the processing of his/her personal data for these purposes. The User’s personal data against the processing of which the User has objected will be deleted by the Administrator, provided that the aforementioned objection proves to be legitimate and the Administrator has no other legal basis for processing such data.
4. A user whose personal data concerns him/her may address requests, questions and complaints to the Administrator (through the communication channels indicated in § 3. paragraph 2 of the Privacy Policy) regarding the processing of his/her personal data and his/her rights. The Administrator will promptly inform the User making a specific request about the actions taken in connection with it, as well as about the fulfillment or refusal to fulfill this request (along with the reasons for the refusal). The above information will be provided to the user by the Administrator no later than one month from the date of receipt of the request, however, in cases of a large number of requests or the complicated nature of the request, this period may be extended by another two months. The Administrator will inform the User of its intention to extend the term for another two months (before the expiration of the original one-month term).
5. The right to lodge a complaint with a supervisory authority, which means that a User who believes that his/her right to personal data protection or other rights granted under the RODO have been violated may lodge a complaint in this regard with the President of the Office for Personal Data Protection (address: 2 Stawki Street, 00-192 Warsaw, web address: www.uodo.gov.pl).

§ 11. BALANCE OF INTERESTS

1. In determining the legal basis for the processing of the User’s personal data referred to in this Privacy Policy, to the extent that the aforementioned data is processed on the basis of the Administrator’s legitimate interest (i.e. under Article 6(1)(f) of the RODO, the Administrator has weighed its own and the User’s interests. The above analysis leads to the conclusion that the processing of the User’s personal data on the aforementioned legal basis does not unduly interfere with the sphere of the User’s rights and freedoms, including privacy, and the aforementioned processing will not be unduly burdensome. The following circumstances support the above conclusion:
   1. The user has detailed information regarding the scope and purposes of the processing of his personal data taking place under Art. 6 paragraph. 1(f) RODO;
   2. The processing of personal data on the aforementioned legal basis, in particular for the purpose of conducting complaint proceedings, profiling of data to facilitate the use of the Store and Services and suggesting Goods tailored to the User’s preferences is beneficial to the User;
   3. Profiling is aimed at, among other things. increase the efficiency of the User’s activities in the Store, including making it easier to find the Goods sought, which in turn leads to the conclusion that it is objectively beneficial to the User;
   4. It is reasonable to expect that a User who has expressed a desire to receive marketing information in the form of e-mail (and has the ability to revoke it at any time) wants to receive such information tailored to his or her preferences;
   5. The Administrator does not provide the User’s personal data to its Partners in the marketing of their products and services, which significantly limits the circle of recipients of such data;
   6. The user can (at any time) easily withdraw consent to receive marketing information, or data profiling for such purposes. This can be done from the Account or through the functionality of the Store itself. Withdrawal of such consent will be tantamount to an objection to the profiling of his personal data for marketing purposes.

§ 12. MAKING CHANGES TO THE PRIVACY POLICY AND INFORMING ABOUT THEM

1. The Administrator may supplement, update or amend the Privacy Policy, in particular in connection with changes in the operation of the Store, its development and the introduction of new Services or functionalities. The User will be informed of any changes or modifications to the Privacy Policy, by posting information in this regard on the main pages of the Store or through e-mails addressed to the User’s e-mail address indicated in the Account registration process.
2. In matters not regulated by the Privacy Policy, the provisions of RODO and other relevant provisions of Polish law, including the Personal Data Protection Act, shall apply accordingly.