Privacy PolicyATEPAA Sp. z o. o. Bielsko-Biała

Introduction

We treat personal data protection as one of the most important aspects of ATEPAA Sp. z o. o. (hereinafter: "ATEPAA") activity.

As an entrepreneur, responsible in particular for the sale of furniture and fitness equipment, who is also the administrator of personal data, we feel particularly responsible for their security. Our goal is also to properly inform you about matters related to the processing of personal data, especially in relation to the content of the provisions on the protection of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR"). For this reason, in this document we inform about the legal basis for the processing of personal data, the methods of collecting and using them, as well as the rights of data subjects related to them. ATEPAA, being a reliable entrepreneur, also implements the requirements set out in the Act of 15 September 2017 - Telecommunications Law in connection with the use of cookies.

ATEPAA as the owner of the website https://www.atepaa.com.pl/ is obliged to inform the website users about the above files that the website places on the user's computer and for what purpose it does so.

2. Personal data

2.1 What are personal data and what does their processing mean? Personal data means information about an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. Processing of personal data is in principle any action on personal data, regardless of whether it is carried out by automated means or not, such as collection, storage, recording, organization, modification, consultation, use, disclosure, restriction, deletion or destruction. ATEPAA processes personal data for various purposes, and depending on the purpose, different methods of collection, legal bases for processing, use, disclosure and storage periods may apply.

2.2 When does this Privacy Policy apply?

This Privacy Policy applies to all cases in which ATEPAA is the controller of personal data and processes personal data. This applies both to cases in which ATEPAA processes personal data obtained directly from the data subject and to cases in which we have obtained personal data from other sources. ATEPAA fulfils its information obligations in both of the above cases, i.e. in accordance with Article 13 and Article 14 of the GDPR.

3 The term data administrator shall be understood as:

a natural or legal person, public authority, unit or other entity that alone or jointly with others determines the purposes and means of processing personal data, in this case the data controller is ATEPAA, in accordance with the information below: ATEPAA sp. z o. o. with its registered office in Bielsko-Biała (43-300), ul. Wędrowców 112, registration files in the Register of Entrepreneurs of the National Court Register in the District Court in Bielsko-Biała, 8th Commercial Division of the National Court Register, KRS number 0000636102, NIP: 5472165082, share capital of PLN 7,505,000.00. ATEPAA has appointed a person within its structures responsible for contact in matters related to personal data, available at the e-mail address: info@atepaa.com.

Should you have any questions or concerns regarding the processing of your personal data by ATEPAA, please contact us at the above e-mail address.

2.3 How, on what legal basis and what types of personal data does ATEPAA process?

We want to be transparent about the methods and legal basis for processing personal data, as well as the purposes for which ATEPAA processes personal data. We make sure to always indicate the necessary information in this regard to each person whose personal data we process as the data controller. In order to make our explanation of these issues as clear as possible, we present the following summary of personal data processing operations in connection with the website we run. At the same time, we would like to point out that whenever we process personal data based on the legitimate interest of the data controller (Article 6, paragraph 1, letter f of the GDPR), we try to analyze and balance our interest and the potential impact on the data subject (positive and negative) and the rights of that person resulting from the provisions on personal data protection. We do not process personal data based on our legitimate interest if we conclude that the impact on the data subject would outweigh our interests (then we can process personal data if, for example, we have the appropriate consent or if the law requires or permits it).A. Processing of personal data of persons visiting the website operated by ATEPAA In connection with the use of our website, we process your data sent by your browser to our server. The processing of this data is necessary for the proper operation of our website and to ensure the stability and security of the user. The processing is carried out on the basis of art. 6 sec. 1 letter f of the GDPR. The processed data include: IP address, date and time of the start of the session, time zone information, information about the source page, access status/http access code, address of the page from which the entry was made, type of browser, operating system and its interface, language and version of the browser software.Explanations regarding cookies can be found in point 3 of this Privacy Policy.

B. Processing of personal data as part of the contact form In the "contact" tabIn the "contact" tab on our website you can find a contact form enabling the user to submit an inquiry regarding the business activity conducted by ATEPAA.

The contact form collects the following data from the user: name, e-mail address and subject of the question. Optionally, within the content of the question, the user may provide ATEPAA with other personal data, which is provided voluntarily and in accordance with the will of the user. Data in the form of name and e-mail address are necessary for the user to provide, because by providing them we will be able to achieve the intended purpose, i.e. to provide an answer to the question posed by the user. The contact form meets the requirements of art. 5 sec. 1 letter c of the GDPR, i.e. the processed personal data are adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization"). Personal data are processed on the basis of the consent of the user using the contact form, expressed by entering data in the form and sending it to PENT, i.e. on the basis of art. 6 sec. 1 letter a of the GDPR. Consent is voluntary and the user decides which data to provide in the contact form, excluding the necessary minimum in the form of name and e-mail address. The full scope of the user's rights and obligations in connection with the processing of personal data (in accordance with Art. 13 of the GDPR) is included in the information clause in point 2.6 of the Privacy Policy.C. Processing of personal data within Google servicesGoogle AnalyticsOur website uses Google Analytics, a web analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics uses cookies stored on the user's computer, which enable an analysis of the use of the website by the user. The information generated by the cookies about the use of our website is usually transferred to a Google server in the USA and stored there. On behalf of the operator of this website, Google uses this information to evaluate your use of the website, to compile reports on website activity and to provide other services related to website use and internet usage to the website operator. In exceptional cases where personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield. The IP address transmitted by Google Analytics will not be combined with other data by Google. You can prevent cookies from being stored by selecting the appropriate settings on your browser software. However, please note that if you do this, you may not be able to use all the functions of this website. You can also prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and from processing this data by Google by using a browser plug-in. We use Google Analytics to analyse and regularly improve the use of our website. These statistics allow us to improve our offer and make it more interesting for you as a user. This website also uses Google Analytics to analyse visits across devices using a user ID. The legal basis for processing personal data is Article 6 (1) (f) GDPR.

5 The full scope of the user's rights and obligations in connection with the processing of personal data (in accordance with Art. 13 of the GDPR) is included in the information clause in point 2.6 of the Privacy Policy. Google Ads Remarketing We use the Google Ads advertising program operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA to conduct advertising campaigns, including remarketing. We carry out activities in this area based on our legitimate interest in marketing our own products or services. When you visit our website, a Google remarketing cookie is automatically left on your device, which, with the help of a pseudonymous identifier (ID) and based on the pages you visit, allows the display of interest-based advertising. Further processing of information only takes place if you have consented to Google linking your browsing history and use of the application with your account and using information from your Google account to personalize ads that are displayed on websites. If you are logged in during your visit to my website on Google, Google will use your data together with Google Analytics data to create and define target group lists for cross-device remarketing purposes. For this purpose, Google combines the temporarily collected information with Google Analytics data to create target groups. We emphasize that we, using Google Ads, do not collect any data that would allow you to be identified. Any combination of data in such a way that it takes on the nature of personal data may be carried out by Google, but we are no longer responsible for this, because Google performs these activities on the basis of an agreement concluded with you as a user of Google services. We, using Google Ads, are only able to define groups of recipients that we would like our advertisements to reach. On this basis, Google decides when and how to present our advertisements to you. In order to use Google Ads, we have implemented a special Google Ads conversion pixel in the code of our website. The pixel uses cookies from Google LLC regarding the Google Ads service. From our website, using the mechanism for managing cookies, you can disable these cookies. You can manage your ad settings directly on the Google website: https://adssettings.google.com/.If you are interested in details related to data processing within Google Ads, we encourage you to read Google's privacy policy: https://policies.google.com/privacy.Facebook Ads and Insights. We use marketing and analytical tools available within Facebook. The provider of these tools is Facebook Inc., 1601 S. California Ave., Palo Alto, CA 94304, USA. We carry out activities in this area based on our legitimate interest, consisting in the marketing of our own products or services and analysis and statistics.In order to direct personalized ads to you in terms of your behavior on our website, we have implemented Facebook Pixel on our website, which automatically collects information about your use of our website in terms of the pages viewed. The information collected in this way is most often transferred to a Facebook server in the United States and stored there. The information collected as part of Facebook Pixel is anonymous, i.e. it does not allow us to identify you. We only know what actions you have taken on our site. We can also check your age, gender, and where you are connecting to the Internet from. Facebook Insights can also provide us with more information about you, but this information will never allow us to identify you. However, we inform you that Facebook may combine the information it collects with other information about you collected as part of your use of Facebook and use it for its own purposes, including marketing. Such Facebook activities are no longer dependent on us, and you can find information about them directly in Facebook's privacy policy: https://www.facebook.com/privacy/explanation. You can also manage your privacy settings from your Facebook account. You will find useful information in this regard here: https://www.facebook.com/help/568137493302217.D. Social MediaOn our website you will find links to social media portals where information about us and our activities is posted. The data controller within the social media portal is both PENT as the owner of the social media account within the social media portal and the owner of the social media portal.E. Embedding YouTube videos on the websiteOur website may contain videos that are stored within the www.youtube.com service and can be played directly from our website. All of them are included in extended privacy mode, which means that you do not send any data about yourself as a YouTube user if you do not play the videos. Only when the videos are played will the data referred to in point A be sent. We have no influence on the above data transfer. YouTube receives information about the page from which the call was made. This happens regardless of whether YouTube provides a user account to which you are logged in or whether there is no user account. After logging in your account to Google, your data will be assigned directly to your account. If you do not want to associate your profile with YouTube, you must log out of your Google account before activating the video play button. YouTube stores the data as user profiles and uses them for the purposes of advertising, market research or the design of its website. This evaluation is used in particular to provide appropriate advertising and to inform other users of the social network about the activities on our website. You have the right to object to the creation of these user profiles by YouTube by requiring an automatic redirection to the YouTube website to use it. Further information on the scope and purpose of data collection and its processing by YouTube can be found in its Privacy Policy. F. Integration of the website with Google Maps We can also use Google Maps as part of our website. This allows us to display an interactive map directly on the website and to make the map function convenient to use. The provisions in section C apply accordingly to the use of Google Maps.

2.4 How long do we process personal data? The period for which we may process personal data depends on the legal basis that constitutes the legal premise for the processing of personal data by ATEPAA. In the policies in force at ATEPAA, we specify that we are never allowed to process personal data for a period longer than that resulting from the above-mentioned legal basis. Accordingly, we inform you that: a) in the event that ATEPAA processes personal data based on consent, the processing period lasts until the intended purpose is achieved, the established archiving period expires or the consent is withdrawn, and so in the case of: - contact form - for the period of correspondence between the parties regarding the submitted question. in the event that ATEPAA processes personal data for the purposes of performing a contract or taking action before performing a contract (order execution), for the period of order execution, and after its completion for the period of limitation of claims and archiving of accounting documentation, in accordance with applicable law. c) in the event that ATEPAA processes personal data based on the legitimate interest of the data controller, the processing period lasts until the above-mentioned ceases. interest (e.g. limitation period for civil claims) or until the data subject objects to further such processing - in situations where such an objection is available under the law. d) in the case where ATEPAA processes personal data because it is necessary due to applicable legal regulations, the periods of data processing for this purpose are specified in these regulations.2.5. When and how do we share personal data with third parties? Do we transfer data to third countries? We transfer personal data to others only when permitted by law. In such a case, in an appropriate agreement concluded with a third party, we provide for security provisions and mechanisms to protect data and maintain our standards in the field of data protection, confidentiality and security. In a situation where we transfer personal data of which we are the administrator to other entities for the performance of specific activities on our behalf, we conclude a special agreement with such entity. Such agreements are called personal data processing entrustment agreements (Article 28 of the GDPR), thanks to which ATEPAA has control over how and to what extent the entity to which ATEPAA has entrusted the processing of specific categories of personal data processes such data. Data processing agreements contain obligations that the processor:– processes personal data only on documented instructions from the controller – which also applies to the transfer of personal data to a third country or an international organisation – unless such an obligation is imposed on it by Union law or the law of the Member State to which the processor is subject; in such a case, the processor informs the controller of this legal obligation before starting processing, unless that law prohibits the provision of such information on important public interest grounds;– ensures that persons authorised to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality;– takes all measures required under Article 32 of the GDPR;– takes all measures required under Article 32 GDPR;– taking into account the nature of the processing, where possible, assists the controller, through appropriate technical and organisational measures, in meeting the obligation to respond to requests from the data subject to exercise their rights set out in Chapter III of the GDPR;– taking into account the nature of the processing, where possible, assists the controller, through appropriate technical and organisational measures, in meeting the obligation to respond to requests from the data subject to exercise their rights set out in Chapter III of the GDPR;– upon termination of the provision of services relating to processing, at the controller's discretion, deletes or returns all personal data to the controller and deletes any existing copies, unless Union or Member State law requires the storage of the personal data;– makes available to the controller all information necessary to demonstrate compliance with the obligations set out in Art. 28 of the GDPR and enables and contributes to audits, including inspections, carried out by the controller or an auditor authorised by the controller. In relation to personal data collected by ATEPAA as part of the website https://www.atepaa.com.pl/, it is not envisaged to share personal data with third parties, excluding the possibility of possible access by: – an IT company operating the website on behalf of ATEPAA; – entities providing hosting services for ATEPAA; – entities implementing marketing or sales campaigns for ATEPAA; – other subcontractors of ATEPAA, providing services in the field of software delivery, software maintenance services, including the website.<br/>.In addition, certain personal data may be transferred to other companies from the capital group to which ATEPAA belongs, which constitutes a legitimate interest of the administrator (Article 6 paragraph 1 letter f of the GDPR). In the case of personal data transferred outside the territory of the Republic of Poland, it should be noted that: cross-border transfer may concern countries outside the European Economic Area ("EEA") and countries in which there are no regulations specifying special protection of personal data. We have taken steps to ensure adequate protection of all personal data and compliance with the law of transferring personal data, including outside the EEA. In the case of transferring personal data outside the EEA to a country that, according to the European Commission, does not provide an adequate level of protection for personal data, the transfer takes place only on the basis of an agreement that takes into account EU requirements for the transfer of personal data outside the EEA.2.6. What rights do data subjects have and how can they be exercised? [information clause]Individuals have specific rights regarding their personal data, and ATEPAA as the data controller is responsible for the implementation of these rights in accordance with applicable law. In the case of any questions and requests regarding the scope and implementation of rights, as well as to contact us wishing to exercise a specific right in the field of personal data protection, please contact us at the following e-mail address: info@atepaa.com We reserve the right to exercise the following rights after positive verification of the identity of the person applying for the performance of a given activity. Access to personal dataIndividuals have the right to access the data that we store as the data controller. This right can be exercised by sending an e-mail to the address: info@atepaa.comChanging personal data, rectifying or deleting themChanges, including updating, rectifying or deleting personal data processed by ATEPAA can be made by sending an e-mail to the address: info@atepaa.comThe right to delete data can be exercised, for example, when the data of an individual is no longer necessary for the purposes for which it was collected by ATEPAA or when an individual withdraws their consent to the processing of data by ATEPAA. In addition, in the event that an individual objects to the processing of their data or when their data is processed unlawfully. The data should also be deleted in order to fulfill the obligation resulting from the law.Withdrawal of consentIn the case of processing personal data based on consent, individuals have the right to withdraw this consent at any time. We inform about this almost at any time of collecting consents and enable the withdrawal of consent in as easy a way as it was granted. In the absence of any other information, i.e. if we have not provided another address or contact number for the purpose of withdrawing consent, please send us an e-mail at the following address: info@atepaa.comD. Right to restrict processing or object to the processing of personal dataIndividuals have the right to restrict processing or object to the processing of their personal data at any time, due to their particular situation, unless processing is required by law.A natural person may object to the processing of their personal data when: - the processing of personal data takes place on the basis of the legitimate interest of the administrator or for statistical purposes, and the objection is justified by the special situation in which they find themselves; - personal data are processed for the purposes of direct marketing of the administrator, including profiling for this purpose. In turn, with regard to the request to limit the processing of data, we inform you that it is available when: - the data subject questions the accuracy of the personal data - for a period enabling the administrator to check the accuracy of this data; - the processing is unlawful, and the data subject objects to the deletion of the personal data, requesting instead the restriction of their use; – the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; – the data subject has objected to the processing of the personal data by the controller pursuant to Article 21(1) of the GDPR, pending the determination of whether the legitimate grounds of the controller override those of the data subject.Right to data portabilityThe data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and has the right to transmit such personal data to another controller without hindrance from the controller to whom the personal data have been provided, where:– the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR; or– the processing is based on a contract pursuant to Article 6(1)(b) of the GDPR; and– the processing is carried out by automated means. When exercising the right to transfer data, the User has the right to request that personal data be sent by the administrator directly to another administrator, if technically possible. The right to transfer data may not adversely affect the rights and freedoms of others. If you wish to exercise these rights, please send an e-mail to: info@atepaa.comF. Any other questions, concerns or complaintsIf you have any questions, concerns or concerns regarding the content of this Privacy Policy or the way in which we process personal data, as well as complaints regarding these matters, please send an e-mail with detailed information regarding the complaint to: info@atepaa.comAll complaints received will be considered and we will provide answers to them. Persons whose personal data is processed by ATEPAA also have the right to lodge a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw.3. CookiesAs explained in point 2.3. And as part of this website, we use cookies. Therefore, we would like to inform you about the most important elements of cookies so that the use of our website is transparent and understandable for you.

3.1. What are cookies? Cookies are small files saved on your electronic device by websites that you visit. Cookies contain various information that is often necessary for the website to function properly. Cookies are encrypted in such a way that unauthorized persons do not have access to them. Information collected on the basis of cookies can only be read by ATEPAA and - for technical reasons - trusted partners whose services we use. Most importantly, cookies cannot run programs or transfer viruses to electronic devices. 3.2. For what purpose do we use cookies? Cookies are divided into the following categories depending on the purpose for which they are used: Basic cookies - installed if the user has expressed consent using the settings of the software installed on their electronic device. Within basic cookies, we distinguish technical and analytical cookies. Technical cookies - are necessary for the website to function properly. We use them to: – ensure proper display of the website – depending on the device you are using, – adapt our services to your choices that are technically significant for the operation of the website, e.g. the selected language, – remember whether you consent to the display of certain content. Analytical cookies – are necessary to settle accounts with business partners or measure the effectiveness of our marketing activities without identifying personal data and to improve the functioning of our website. We can use them to: – examine statistics on traffic on the website and check traffic sources (redirection directions), – detect various types of abuse, e.g. artificial Internet traffic (bots).

3.3 How long will we use cookies? We also divide all cookies according to the time for which they are installed in the user's browser into: Session cookies - they remain on the user's device until leaving the website or disabling the software (internet browser). These are primarily technical cookies. Persistent cookies - they remain on the user's device for the time specified in the file parameters or until they are manually deleted by the user.

3.4 Can I refuse to accept cookies? You can always change your browser settings and reject requests to install cookies. However, before you decide to change your settings, please note that cookies serve your convenience of using the website. Disabling cookies may affect how our website is displayed in your browser. In some cases, the website may not be displayed at all.

3.5 How to disable cookies? You can delete cookies from your browser at any time and block their reinstallation. Depending on the browser you use, the option to delete or withdraw consent to the installation of cookies may vary. In such a situation, please refer to the user manual available within the given browser on your electronic device.

4. Final provisionsAre changes to this Privacy Policy possible and when?We undertake to regularly review this Privacy Policy and change it when it proves necessary or desirable due to: new legal regulations, new guidelines from authorities responsible for supervising personal data protection processes, best practices in the area of ​​personal data protection (Codes of good practices, if ATEPAA is bound by such Codes, about which we will then inform). We also reserve the right to change this Privacy Policy in the event of changes in the technology by which we process personal data (if the change affects the wording of this document), as well as in the event of changes in the methods, purposes or legal basis for processing personal data by us.In order to ensure the best possible contact with us regarding personal data protection, we also enable direct contact at ATEPAA's headquarters, as well as contact by letter (post) or telephone, and for this purpose we provide the following contact details:

ATEPAA Sp. z o. o. Ulica Wędrowców 112, 43-300 Bielsko-Biała, PolandT:0048 578 973 333

E: info@atepaa.com