Privacy Policy

1. General Provisions

1.1. This Privacy Policy defines the method of collecting, processing, and storing personal data necessary for the provision of electronic services through the online service under the domain goodiebag.global (hereinafter: the Service).

1.2. The Controller of Users’ personal data is GODDIE BAG sp. z o. o. (hereinafter: the Controller).

1.3. Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR).

1.4. The data collected by the Controller will be:

  • processed lawfully,
  • processed for clearly defined purposes and not subjected to further processing incompatible with those purposes,
  • factually correct and adequate in relation to the purposes for which they are processed,
  • stored no longer than is necessary to achieve the purpose of processing.

2. Purpose and Legal Basis of Data Processing

2.1. The Controller processes personal data necessary for the provision and development of services available through the Service and its particular functionalities.

2.2. Personal data will be processed for the following purposes:

  1. Communication with the User in order to provide necessary information and build positive and reliable relations, which constitutes the Controller’s legitimate interest (Article 6(1)(f) GDPR).
  2. Promotion by the Controller of its own products and/or services and those of its Partners by sending marketing information (newsletter) electronically, provided that the User has consented to receiving such notifications via e-mail (Article 6(1)(a) GDPR).
  3. Analytical and statistical purposes, based on the Controller’s legitimate interest consisting in verifying User activity and preferences to optimize services, products, and functionalities of the Service (Article 6(1)(f) GDPR).
  4. Possible establishment, exercise, or defense of claims, based on the Controller’s legitimate interest consisting in the protection of its rights (Article 6(1)(f) GDPR).

2.3. In each of the above cases, providing data is voluntary, but necessary to conclude a contract or to use other functionalities of the Service.

3. Period of Processing of Personal Data

3.1. Personal data will be processed for as long as the person remains an active User of the Service (has a User account).

3.2. After that period, data will be processed for the time necessary to comply with legal obligations, establish or defend against potential claims, but no longer than 3 years from the date of termination of the electronic services agreement.

3.3. Data processed on the basis of consent will be processed until such consent is withdrawn, provided that the withdrawal does not affect the lawfulness of processing carried out before withdrawal.

4. Information on Processing

4.1. Depending on the purpose of processing, personal data may be disclosed to:

  • entities affiliated with the Controller,
  • entities cooperating with the Controller,
  • subcontractors, in particular entities providing and maintaining selected IT systems and solutions.

4.2. Personal data processed by the Controller will not / will be transferred outside the European Economic Area or to international organizations.

5. Rights of Data Subjects

5.1. A User of the Service has the right to:

  1. access their personal data,
  2. rectify data,
  3. erase data,
  4. restrict processing of data,
  5. data portability,
  6. object to processing carried out on the basis of the Controller’s legitimate interest,
  7. withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

5.2. The User has the right to lodge a complaint with the President of the Personal Data Protection Office if they consider that the processing violates their rights and freedoms.

5.3. No automated decision-making, including profiling, takes place in the process of data processing.

6. Final Provisions

6.1. The Controller reserves the right to make changes to this Privacy Policy while ensuring that Users’ rights under this document are not limited.

6.2. The User will be informed of any changes to the Privacy Policy through a notice available in the Service.