We know very well that security and privacy are important to you. For us, they are equally important. Our priority is to provide you with a high level of protection and to ensure that your data is always accessible and secure. We process personal data and share it with others only within the limits of the law, and only when it is most necessary. We make every effort to ensure that your privacy is not violated.


 

  1. General provisions

    1. This Privacy Policy sets out the principles for the processing and protection of the personal data of the Customers using the Website available at https://www.colorland.com/us/.

    2. Terms which are not defined in this Privacy Policy are understood as specified in the Regulations of the Website.

    3. Personal data is information about an identified or identifiable natural person to whom the data relates, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier (characteristic) such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person..

    4. Processing means an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, ordering, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, adjustment or combination, restriction, erasure or destruction.

    5. Your personal data shall be processed in accordance with the applicable legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR") and the Act of 10 May 2018 on the protection of personal data.

    6. In order to ensure the security of your personal data, we use appropriate technical and organisational measures for the secure processing of personal data.


 

  1. Data Controller

Your data are jointly controlled by:

  • MPP sp. z o.o. with a seat at 36-062 Zaczernie 190, entered into the Register of Entrepreneurs kept by the District Court in Rzeszów, 12th Commercial Division of the National Court Register against KRS number: 0000259700, with share capital of 50,000.00 PLN, Tax Identification Number: 8133469935, National Business Registry Number: 180149478; contact in writing to the above address, or by e-mail to odo@mpp.com.pl.

  • Piotr Leszczyński, conducting business operation under the name: najlepszefoto.pl Piotr Leszczyński with a seat at Zaczernie 190, 36-062 Zaczernie, Tax Identification Number: 8132260802, National Business Registry Number: 691668352, contact in writing to the above address, or by e-mail to odo@nphoto.com.

  • Focus sp. z o.o. with a seat at 36-062 Zaczernie 190, entered into the Register of Entrepreneurs kept by the District Court in Rzeszów, 12th Commercial Division of the National Court Register against KRS number: 0000815538, o with share capital of 5,000.00 PLN, Tax Identification Number: 5170403426, National Business Registry Number: 384947680, contact in writing to the above address, or by e-mail to odo@myfocus.pl.

referred to collectively as the Controller, in this Policy.

The Joint Controllers have entered into a personal data co-management agreement specifying the mutual obligations arising from the joint control of data.

  1. The scope of Customers' personal data subject to processing

    1. The following Customer personal data are subject to processing by the Controller:

      1. Customer data provided during registration on the website and used on the Order Form, in particular: first name, last name, residential address, delivery address, e-mail address, phone number, date of birth, and in the case of Customers who are not Consumers, additionally company name and Tax Identification Number (NIP);

      2. Customer personal data provided to the Controller via the account held on Facebook or Google, if the Customer has selected this Registration option (see clause 9.2.);

      3. Customer data obtained by the Controller in connection with the use of cookies and other similar technologies (see clause 10);

      4. Customer data relating to the Purchase Order placed via the Website, including the Customer's data contained in the files provided by the Customer and the Designs produced;

      5. other Customer data voluntarily provided by the Customer by means of electronic templates available on the Website or by any other form of contact with the Controller's consultant.

    2. Given the fact that the services offered on the Website are dedicated to adults, the Controller does not knowingly process any personal data of children using the services.

  2. Purposes of and legal grounds for processing Customers' personal data

    1. The Customers' personal data are or may be processed:

      1. in order to conclude and perform an agreement executed through the Website – in this case processing by the Controller is necessary for the conclusion and performance of the agreement to which the Customer is a party, or to take action at the Customer's request, prior to the conclusion of the agreement (Art. 6(1)(b) GDPR);

      2. for the purpose of Registration to and maintaining an Account on the Website - in this case data processing by the Controller is necessary for the performance of the agreement for the delivery of services by electronic means, to which the Customer is a party, or to take action at the Customer's request, prior to the conclusion of the agreement (Art. 6.1.b GDPR);

      3. for the purpose of delivering the Newsletter – in this case data processing by the Controller is based on the Customer's consent (Art. 6(1)(a) GDPR);

      4. in order to handle the matter described by the Customer in the electronic form available on the Website or during a chat with the Customer's account manager – in this case data processing by the Controller is necessary for the conclusion and performance of the agreement for the delivery of services by electronic means (Article 6(1)(b) GDPR), and also takes place based on the Controller's legitimate interest (Article 6(1)(f) GDPR) which involves sales support;

      5. in order to deliver services by electronic means, i.e. to make it possible for Customers to view, reproduce and read the information and materials accessible on the Website – in this case the processing of data by the Controller is necessary for the performance of the agreement to which the Customer is a party (Art. 6(1)(b) GDPR);

      6. in order to make it possible to make the Design on the Website – in this case the processing of data by the Controller is necessary for the performance of the agreement to which the Customer is a party (Art. 6(1)(b) GDPR);

      7. for the purposes of the Controller's legitimate interests relating to the operation of the Website, conducting analysis of the Customer's use of the Website, and ensuring the security and reliability of the services provided on the Website and in the Store (Article 6(1)(f) GDPR);

      8. for the purposes of the Controller's legitimate interests, which may include, but are not limited to, determination, investigation and defence of claims, prevention and investigation of criminal offences, management and further growth of the business, including risk management (Article 6(1)(f) GDPR);

      9. to assess Customer satisfaction (e.g. through surveys sent to Customers by email) - data processing carried out by the Controller is based on the Controller's legitimate interest (Art. 6(1)(f) GDPR);

      10. for the purposes of direct marketing carried out by the Controller, related to selection of goods and services to meet the Customers' needs (including profiling), based on cookies and other similar technologies referred to in point 10 – in this case data processing is carried out by the Controller based on the Controller's legitimate interest (Article 6(1)(f) GDPR);

      11. for the Controller's marketing purposes arising from the consent given by the Customer (Art. 6(1)(a) GDPR);

      12. to ensure compliance with the legal obligations applicable to the Controller (in particular those arising from the provisions of the Accounting Act and tax laws), where the processing is necessary for the fulfilment of a legal obligation incumbent on the Controller (Article 6(1)(c) GDPR).

    2. Personal data are provided on the Website voluntarily, however they may be necessary for the performance of one or more of the services and purposes of personal data processing set out in 4.1 above, which the Controller will not be able to execute unless personal data have been provided.

    3. The Customer's personal data collected through contact between the Customer and persons acting on behalf of the Controller, including via the helpline or through contact with the Customer's account manager, is used solely for the purpose of contacting the Customer and providing information and advice to the Customer.


 

  1. The duration of the Customer's personal data processing

    1. The Controller shall process the Customer's personal data in the manner and for the period necessary for the fulfilment of the purposes for which the data were collected.

    2. If the data are processed:

      1. in order to enter into and perform an agreement (including a sales contract) - the Customer's data will be processed throughout the validity period and during the performance of the agreement;

      2. based on the Customer's consent - the Customer's data will be processed until such consent is withdrawn;

      3. to ensure compliance with the legal obligations applicable to the Controller - the Customer's data will be processed for the period required by law;

      4. for the Controller's direct marketing purposes, including selection of goods and services to meet the Customers' needs (profiling) - the Customer's data will be processed until the Customer raises an objection;

      5. in relation to other legitimate interests of the Controller - the data will be processed until the objection raised by the Customer has been accepted, or until the expiry of the prescription period for that claim.

    3. At the end of the processing period, the data are deleted or made anonymous.


 

  1. Customer's rights and obligations

    1. Where the processing of personal data takes place pursuant to the Customer's consent, such consent is voluntary and may be withdrawn at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal of consent. The declaration of withdrawal of consent should be made by e-mail, to the Controller's address specified in clause 2.

    2. The customer shall also have the following rights:

      1. to have his/her personal data deleted;

      2. to restrict the processing of his/her personal data;

      3. to access the content of his/her data as well as to rectify (amend) it;

      4. to obtain a copy of his/her data or to have them transferred, whereby this right shall not adversely affect the rights and freedoms of others (including trade secrets or intellectual property rights) and shall be exercised to the extent which is technically feasible;

      5. to object to the processing of his/her personal data when the processing is based on a legitimate interest of the Controller or a third party.

    3. The Controller will exercise the Customer's rights, subject to the exceptions set out in the provisions of GDPR.

    4. As registered users, the Customers may also correct or update by themselves the personal data related to the Account. To do this, it is necessary log into the Account, go to the "Account Settings" tab and enter the relevant changes in the Personal Data field.

    5. To exercise the rights set out in 6.1 and 6.2, an e-mail should be sent to the address of any of the Joint Controllers - if the Customer's personal data is processed in connection to an agreement to which the Controller is a party, and in other cases concerning the processing of the Customer's personal data, in connection with his/her use of the Website.

    6. The customer may lodge a complaint with the supervisory authority of the President of the Office for Personal Data Protection if he/she believes that the processing of data affecting him/her violates the provisions of GDPR.

    7. All and any incidents which impact or may impact the security of personal data on the Website (including any cases of suspected sharing of files containing viruses, files of a similar nature, or any files other than destructive mechanisms) shall be promptly reported by the Customer to the e-mail address of any Joint Controller.


 

  1. Entities which may receive access to Customers' personal data

    1. The Controller shall disclose the Customers' personal data if there is a legal basis for doing so, in particular when it is necessary for the delivery of the services provided to the Customers.

    2. Customers' personal data may also be disclosed at a request of public authorities or other entities entitled to acquire such information by law, in particular when this is necessary to ensure the security of the Controller's systems..

    3. Entities which may receive access to Customers' personal data include, in particular::

      1. entities entitled to obtain the Customer's data on the basis of applicable legal provisions;

      2. entities whose services are used by the Controller to deliver goods and services to Customers, in particular:

        1. entities delivering IT services or providing access to IT systems for the Controller;

        2. enterprises rendering the services related to supply and maintenance of software used to operate the Website;

        3. payment system operators;

        4. postal and courier service providers;

        5. law firms, consulting firms with which the Controller cooperates;

    4. the Controller's trusted marketing partners; the current list of these is attached as Appendix 1 hereto.

     

  1. Transfers of data outside the EEA

    1. The Controller shall transfer personal data outside the European Economic Area (EEA) only when necessary and with an adequate level of protection, to be ensured in particular by:

      1. cooperation with entities that process personal data in countries for which a relevant decision of the European Commission has been issued;

      2. application of the standard contractual clauses issued by the European Commission;

      3. application of binding corporate rules approved by the competent supervisory authority.

    2. Where applicable, the Controller shall always give notice of its intention to transfer personal data outside the EEA at the time they are being collected. Upon request, the Controller shall provide the Customer with a copy of his/her data that will be transferred outside the EEA.


 

  1. Social media

    1. The Website may include features that allow content to be shared via third-party social media applications, such as, but not limited to, the Facebook "Like" button or widgets on Instagram. All of these social media applications may collect and make use of data related to user activity on the Website. Any personal data provided by the Customer through such social media applications may be collected and used by other users of the aforementioned social media applications, and any interactions carried out through these are subject to the privacy policies of the companies that provide these applications. We have no control over and accept no responsibility for the above entities and their use of Customer data.

    2. To use the service of access to the Account and the services associated with it, the Customer may register and log in via his/her account on the social network of Facebook. Facebook may then automatically transfer the following personal data of the Customer to the Controller:

      1. the social network's numerical identifier (ID)

      2. name

      3. gender

      4. profile photo

      5. age

      6. other publicly available information.

    3. The Controller may also provide option of logging in via other accounts held by the user, under similar terms to those described above.

    4. In the case referred to in clauses 9.2 and 9.3, no additional registration is necessary to set up an Account on the Website.

    5. The processing of personal data in the case of Customers using the option of Registration and login via Facebook is based on the Customers' consent (Art. 6(1)(a) GDPR).

    6. To measure the reactions of visitors to the Website, the Controller uses the Pixel tool which is provided via Facebook by Meta Platforms Inc., 1601 Willow Rd, Menlo Park, CA, USA and Meta Platforms Ireland Limited, 4 Grand Canal Square Grand Canal Harbour Dublin 2Dublin 662881. We want to find out how our marketing activities on Facebook are perceived and how they can be improved. The data collected is anonymous and does not allow us to draw any conclusions about you. The data is stored and processed by Facebook so that a connection can be made to the user's Facebook profile and Facebook can use the data in accordance with Facebook's privacy policy (https: www.facebook.com/about/privacy). If you wish to object to the use of Facebook's Pixel user response survey, you can do so at: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen


 

  1. Cookies and other similar technologies

    1. In line with the practices applied by most websites, during his/her visit to the Website the Customer's personal data may be collected automatically in system logs, by cookie files ("cookies"), the Google Analytics system, Survey Sparrow, Getresponse and the Hubspot system.

    2. Cookies are files stored on the Customer's terminal equipment, and are used to identify Customers and provide statistical information about Customer traffic, Customer activity and Website usage. They make it possible e.g., to adjust the content and services to the Customers' preferences.

    3. The Website uses session cookies, which are deleted once the browser window is closed, as well as persistent cookies, which are stored for a specific period of time (as defined in the parameters of the cookies or until they are deleted by the Customer) in the terminal equipment used by the Customer.

    4. The Controller applies the types of cookies:

      1. necessary for the use of the services, e.g., in the case of services requiring authentication;

      2. used to facilitate logging into the Account via social media;

      3. used for security-related purposes;

      4. making it possible to collect information on the use of the services;

      5. making it possible to store the settings selected by the Customer, and to personalise the Customer's interface;

      6. making it possible to provide contents matching Customer's preferences and interests.

    5. The Customer may, at any time, change his/her cookie settings, by specifying the conditions for storing and accessing cookies on his/her terminal equipment, through his/her web browser settings or by means of an appropriate tool made available on the Website.

    6. The Customer may delete cookies at any time using the available functions in the Internet browser he/she is using. However, this may affect certain functionalities available on the Website.

    7. The Controller uses Google Analytics tools. For more information on the functioning of Google Analytics tools, please visit: http://www.google.com/analytics/learn/privacy.html. Google has developed a browser add-on to block Google Analytics. The add-on communicates with the Google Analytics JavaScript protocol (ga.js) to provide information that website visit data should not be sent to Google Analytics. The Google Analytics blocking browser add-on does not block the transmission of data to the website itself or other web analytics services. The Customer has the option to use the aforementioned add-on whenever he/she does not want his/her data to be processed for analytical purposes via Google Analytics..

    8. The use of the Website involves sending requests to the server on which the Website operates. Each request made to the server is recorded in the server logs. The logs include the IP address, server date and time, information about the Internet browser and the operating system used by the Customer. The logs are saved and stored on the server. The data stored in the server logs are not associated with specific persons using the Website and are not used by the Website for identification purposes. The server logs constitute only ancillary material for the administration of the Website, and their contents are not disclosed to anyone other than those authorised to administer the server.

    9. The Controller also uses Hubspot and Getresponse to collect and process Customers' data, in particular related to their activity on the Website, based on cookies, local storage and other technologies, in order to personalise the content presented to the Customer and to optimise the sales process.

    10. The Controller uses the SurveySparrow tool to measure Customer satisfaction. Survey Sparrow may use Customer data related to the use of this tool, such as IP, location, device and browser information, activities and redirection source. The Controller may also independently create survey mailing lists in the tool that contain Customers' email addresses. This type of data is not used or transferred by SurveySparrow in any way independently.


 

  1. Processing of Third Party's personal data

    1. If the Customer posts any personal data of Third Parties on the Website, he/she may only do so on the condition that he/she does not violate the provisions of the applicable law and the personal rights of these individuals. Third Parties are natural persons whose personal data the Customer posts on the Website or as part of the Design submitted.

    2. The Controller may process Third Party personal data entrusted to them by the Customer, if the Customer confirms that he/she is entitled to transfer the personal data of such Third Party.

    3. In the cases where the Customer posts Third Party data on the Website or within the Design performed, as part of an activity other than purely personal or domestic operation, the Customer acts as a controller of such data within the meaning of the provisions of the GDPR.

    4. In the case referred to in clause 11.3 above, the Customer shall enter into an agreement with the Controller, entrusting the processing of the Third Party's data under the terms of clauses 11.5 - 11.10 below..

    5. Third Party Data, entrusted by the Customer, will be processed by the Controller for the purpose of the proper performance of the agreement for the provision of electronic services concluded with the Customer - in connection with the Customer's use of the Website or the delivery of the Order.

    6. The data entrusted includes all personal data of Third Parties provided in connection with the Customer's use of the Website or in connection with an Order placed, in particular: name, address, gender, image, date of birth or age.

    7. The Customer agrees for the Third Party data to be further entrusted for processing (so-called sub-entrustment), in connection with the performance of the agreement concluded with the Customer.

    8. Third Party data entrusted by the Customer shall be processed by the Controller, in accordance with Art. 28 GDPR.

    9. Third Party personal data may also be processed by the Controller if it is necessary to establish, assert or defend against claims - the legal basis for the processing is the Controller's legitimate interest (Article 6(1)(f) GDPR) in protecting their rights.

    10. If the Controller becomes aware that Third Party personal data are processed by the Controller in violation of the provisions of GDPR, or applicable laws or in conflict with Third Party personal rights, the Controller shall take steps to delete such data as soon as possible.


 

  1. Final Provisions

    1. Our Privacy Policy is regularly reviewed and updated as necessary to reflect any changes in the way we process personal data.

    2. A change to the annexes of this Policy does not constitute an amendment to the Policy.

    3. The current version is available on the Website.

    4. This Privacy Policy in its current form is applicable as of 03.01.2023.


 

Appendix No. 1 to Privacy Policy of https://www.colorland.com/us/ website, dated 03.01.2023.


 

List of Controller's trusted marketing partners to whom Customers' personal data may be transferred:

  1. Google LLC in connection to the use of Google Analytics tools;

  2. Hubspot Inc. in connection to the use of Hubspot marketing tools;

  3. Smartlook.com, s.r.o., Reg. no.: 09508830 in connection to the use of the Smartlook tool for the analysis of user activity on websites (heatmap);

  4. Facebook in connection to the use of the Pixel tool;

  5. SurveySparrow Inc. in connection to the use of customer satisfaction survey tools;

  6. Trustpilot A/S (registration number 30276582), in connection to the use of customer satisfaction measuring tools;

  7. Ringier Axel Springer Polska sp. z o.o. in connection to the cooperation with Opineo - in order to improve the quality of services through customer feedback;

  8. GetResponse S.A. in connection to the use of GetResponse marketing tools;

  9. Refericon sp. z o.o. in connection to the use of the referral programme

PP_09122022/EUS/EN

 

pdf_image
Privacy Policy valid until 28.02.2023