I. Data Controller

Identification data:

• Name: Spyra Prime Limited Liability Company
• Headquarters: Przelotowa 33, 41-190 Mikołów
• Contact details:
  
  • Contact person: Anna Brzana
  • Email: kadry@spyraprime.pl
  • Telefoon: 323300941
• Registration data:
  
  • NUMBER: 0000158712
  • NIP: 6350009571
  • REGÓN: 271779996
  • Registration date: April 14, 2003
  • Legal form: Limited Liability Company
  • Representatives: Czesław Spyra, Mirosław Mika

The Administrator is responsible for the lawful processing of personal data of website users and the implementation of appropriate protection measures.

II. Scope of Data Processing, Purposes and Legal Bases

Types of Data Collected:

• Data provided directly by Users: name, surname, e-mail address, telephone number, correspondence address — provided during registration, quotation requests, contact forms.
• Data collected automatically: IP address, browser data, session information, metadata to customize the content of the website and cookies.

Purposes of processing:

1. Implementation of the Service:
   
   • Data necessary for the conclusion and performance of the contract (provision of services, handling of inquiries, execution of orders).
2. Marketing:
   
   • Sending commercial information, promotional offers (based on user consent) and conducting advertising campaigns, including using Meta Ads and Google Ads platforms.
3. Statistics and Analysis:
   
   • Monitoring site traffic and analyzing user behavior in order to optimize the functionality of the website.
4. Research and Development:
   
   • Profiling and data analysis, which allow us to better adapt the offer to the needs of users and implement improvements in the operation of the website.

Legal bases and detailed conditions of processing:
Users' personal data are processed in accordance with the General Regulation on Personal Data Protection, the Personal Data Protection Act, the Personal Data Protection Act of 10.05.2018 and the Act on the Provision of Electronic Services of 18.07.2002.

• In the case of processing of personal data on the basis of an e-mail sent by the user or a complaint, the processing is carried out on the basis of Article 6 (1) (b) of the GDPR — it is necessary to take action at the request of the data subject.
• After obtaining a separate consent, the data may also be processed for marketing purposes, including for the purpose of directing commercial information by electronic means (Article 6 (1) (a) of the GDPR).
• When concluding and performing sales contracts or contracts for the provision of services, the other party is obliged to provide the data necessary for the conclusion of the contract (contractual and statutory requirement), which is carried out on the basis of Article 6 (1) (b) of the GDPR.
• In the case of research and analysis, Article 6 (1) (f) of the GDPR is indicated as the basis for processing.

Personal data are stored no longer than necessary to achieve the purpose of processing - until the withdrawal of consent, limitation of claims (usually 2 years, counting until the end of the year) or the execution of the inquiry/complaint.
For the proper functioning of the website, its functionality and the implementation of payment operations, the website uses user metadata (reading device configurations that do not allow identification, and serve to adjust the site to the user's capabilities). The user has the right to withdraw consent to the processing of metadata at any time through the appropriate configuration of the browser or the installation of a dedicated plugin.
The administrator may use profiling for direct marketing purposes (e.g. granting a discount, sending a discount code, reminding about unfinished purchases), the final decision being up to the user. Profiling is based on the analysis of behavior on the website, and its application is the possession of data that allows you to send a suitable offer.

In addition, for the proper functioning of the website, other information may be collected, including:

• IP address,
• device, hardware and software data (hardware identifiers, mobile device identifiers — e.g. IDFA or AAID),
• type of platform, settings, installed software, the presence of plug-ins,
• approximate geolocation data,
• information about the browser (type, language).

Taking into account the nature, scope, context and purposes of the processing and the risk of violation of the rights of individuals, the Controller implements appropriate technical and organizational measures to ensure compliance of the processing with the regulations and to enable its demonstration. These measures shall be regularly reviewed and updated and shall prevent unauthorised access to data transmitted by electronic means.

III. Cookie Files

Definition and Application:
Cookies are small text files saved on the user's device, allowing, among others, personalization of content, analysis of statistics and adjustment of the functionality of the website.

Purposes of the use of cookies:

• Personalization: adjusting the content of the page to the individual preferences of the user.
• Statistical analysis: collecting anonymous data on the use of the website, which allows its optimization.
• Marketing activities: Display personalized ads using tools such as Meta Ads and Google Ads.
• Security: help in maintaining the proper functioning of the website and facilitating login.

Additional technical description and division:

“Cookies” contain in particular the domain name of the website from which they come, the storage time on the device and a unique number used to identify the browser from which the connection to the site is made.
Cookies are used to:

• adapt the content of the websites to the user's preferences and optimize the use of the pages,
• creation of anonymous statistics, allowing to improve the structure and content of the pages,
• to provide users with advertising content tailored to their interests.

Cookies are not used to identify the user — their identity is not established on their basis.
The main division of cookies:

• Necessary cookies: absolutely necessary for the proper functioning of the website or the use of its functions (they also ensure the security of services).
• Functional cookies: they allow to enrich the functionality of the website; without them the website works but is not adapted to the user's preferences, and some functions may not work properly.
• Business cookies: they enable the implementation of a business model; blocking them may reduce the level of services provided (e.g. advertising cookies).
• Configuration cookies: allow you to set functions and services on websites.
• Cookies for security and reliability: verify the authenticity and optimize the performance of the website.
• Authentication cookies: they inform when the user is logged in, allowing the display of relevant content.
• Session state cookies: they record information about how you use the website, helping to improve services and improve your browsing experience.
• Process-analysis cookies: enable the smooth operation of the website and its functions.
• Advertising cookies: they allow the display of advertisements tailored to the interests of users and personalize the message, also outside the website.
• Location access cookies: allow the information displayed to be adapted to the location of the user.
• Cookies for analysis, research or audience audit: allow us to better understand user preferences and develop products and services; they are collected anonymously, without identifying a specific person.
• Harmless cookies: necessary for the correct operation of the website, not used to track the user.
• Investigative cookies: used to track behavior, but without the possibility of unambiguous identification of the user.

The use of cookies to customize the content of the website does not imply the collection of information enabling the identification of the user — this data is purely functional and is encrypted to prevent access by unauthorized persons.
Cookies used by the website are not harmful to either the user or the device, so it is recommended to enable them. The user can change the settings of cookies in his browser, which, however, may affect the functionality of the website.
Cookies are also used to facilitate login, switch between subpages without the need to log in again and protect the site from unauthorized access.

As part of the cookie technology, the Administrator may use tracking pixels (e.g. GIF files) and web log files to monitor traffic, solve technical problems and prevent fraud. The website does not respond to DNT (Do Not Track) signals, but the user can disable certain forms of tracking by changing cookie settings or using consent tools.

Detailed information on changing cookie settings and deleting them is available in the instructions for browsers (Chrome, Firefox, Opera, Safari, Microsoft Edge) and in the documentation for mobile devices.

IV. Data Sharing

Sharing Policy:
Personal data are transferred to third parties only to the extent necessary to achieve certain purposes, such as:

• Subcontractors: hosting companies, IT service providers, marketing agencies and payment system operators.
• Business partners: entities providing administrative, accounting, legal or advisory support.
• International transfer: as part of the use of analytical and advertising tools, data may be transferred to third countries, subject to appropriate safeguards resulting from standard contractual clauses or other transfer mechanisms.

Additional provisions regarding the sharing of data:
The administrator ensures that all personal data collected are used to fulfill obligations towards users. This information will not be shared with third parties except where:

• the express prior consent of the persons concerned has been given, or
• the obligation to provide this data arises or will result from applicable law (e.g. to law enforcement authorities).

In addition, personal data of service recipients and customers may be transferred to the following recipients or categories of recipients:

• Providers of technical, IT and organizational services: enabling the Administrator to conduct business activities, including the operation of the website and the provision of electronic services (e.g. software providers, marketing agencies, providers of e-mail, hosting, company management systems and product delivery operators). These data are transmitted only to the extent necessary to fulfill the purpose of processing in accordance with this Policy.
• Providers of accounting, legal and advisory services: supporting the Administrator in accounting, legal or advisory matters (e.g. accounting offices, law firms, debt collection companies). These data are transmitted only to the extent necessary to achieve the purposes of the processing.

The administrator may share anonymized data (that is, those that do not identify specific users) with external service providers in order to better recognize the attractiveness of advertisements and services. In this respect, due to the location of the software providers, the data may be transferred, subject to protection rules, to third countries which provide standard contractual provisions approved by the European Commission or which have appropriate powers under bilateral data processing agreements between the European Union and the third country concerned (even if that country is not part of the European Economic Area).

These entities, in the case of the Administrator, are among others:

• Google LLC. (registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) — for tools such as Google Analytics (statistical analysis), Google Tag Manager (script management and user activity tracking) and Google Ads (displaying sponsored links in search results and on partner sites within the Google AdSense program).
• Facebook Inc. (Address: 1601 S. California Ave. Palo Alto, CA 94304, USA) — for Facebook Pixel, which is used to track conversions from ads, optimize campaigns based on collected data, and build an audience list for future ads.

Third-party analytics technologies (including SDKs and APIs) may combine data collected on the Administrator's website with information collected separately over time or across platforms. The administrator encourages you to familiarize yourself with the data protection rules applied by these entities, available on their websites.

The Administrator's website may use the functionality of Google Analytics, which uses cookies to analyze how the website is used. The data collected by Google Analytics is transmitted to Google and stored on servers in the USA, whereby the IP addresses are truncated. Google uses this data to evaluate traffic, compile reports and provide other services. You can prevent the collection of data by Google by installing a dedicated plugin (http://tools.google.com/dlpage/gaoptout).

The controller makes every effort to ensure that the data is shared only with entities certified under the (former) EU-US and Swiss-US Privacy Shield programs (available on www.privacyshield.gov). These entities, when using data originating in the EEA, operate in accordance with the principle of “responsibility for secondary transfer”. If necessary, the Controller bases the transfer of data outside the EEA on EU standard contractual clauses and other safeguards and, in accordance with the decision of the CJEU of 16 July 2020, updates the applicable safeguards.

V. Data Retention Period

Storage rules:
Personal data are stored for the period necessary to achieve the purposes for which they were collected:

• Execution of the contract: until the limitation of claims (usually 2 years from the end of the year in which the contract was executed).
• Marketing and analytics: until you withdraw your consent or complete the marketing objectives.

Removal procedure:
After a certain period of time, the data is deleted or anonymized in such a way that the data subject cannot be identified.

VI. Rights of Data Subjects

Eligible rights:
The user has the right to:

• access, rectification, restriction, deletion or portability — the data subject has the right to request from the Controller access to their personal data, rectification, deletion (“right to be forgotten”) or restriction of processing and has the right to object to processing, as well as the right to transfer their data. The detailed conditions for exercising the above rights are indicated in Article 15-21 of the GDPR Regulation.
• withdrawal of consent at any time — the person whose data are processed by the Administrator on the basis of the consent given (pursuant to Article 6 (1) (a) or Article 9 (2) (a) of the GDPR), has the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal.
• lodge a complaint with the supervisory authority — the person whose data are processed by the Administrator has the right to lodge a complaint with the supervisory authority in the manner and manner specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office for Personal Data Protection in Warsaw.
• objection — the data subject has the right at any time to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her based on Article 6 (1) (e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling on the basis of those provisions. In such a case, the controller may no longer process these personal data, unless he demonstrates the existence of compelling legitimate grounds for the processing, overriding the interests, rights and freedoms of the data subject, or grounds for establishing, exercising or defending claims.
• objection to direct marketing — if personal data are processed for the purposes of direct marketing (based on the legitimate interest of the Controller, not on the basis of the consent of the data subject), the data subject has the right at any time to object to the processing of his personal data for the purposes of such marketing, including profiling, to the extent that the processing is related to such direct marketing.

Procedure for the exercise of rights:
In order to exercise the above rights, the user should send a corresponding request to the indicated e-mail address or by letter to the address of the Controller's registered office.

VII. Procedures in the Event of a Data Protection Breach

Action plan:
In case of violation of personal data protection, the Administrator takes the following steps:

• Immediate remedial action: reduce the impact of a breach and secure systems.
• Notification of supervisory authorities: in high-risk situations, immediate notification to the relevant authorities (e.g. the Office for Personal Data Protection) in accordance with the GDPR.
• Informing users: promptly notifying those whose data has been compromised about the incident and corrective actions taken.
• Incident analysis: detailed analysis of the causes of the breach, implementation of additional security and updating of internal procedures.

XIII. Changes to the Privacy Policy

Document update:
The Privacy Policy is a dynamic document that may be changed in connection with changes in legal regulations or the way data is processed.

Communication of changes:
Any changes will be posted on the website, and users who have given their consent by email will be notified of the new version of the document.

IX. Contact Details

Contact in matters of personal data protection:
All questions, requests and complaints regarding data processing should be directed to:

• Contact person: Anna Brzana
• Email: kadry@spyraprime.pl
• Telefoon: 323300941
• Address: Spyra Prime Sp. z o.o.

summary

This Privacy Policy has been developed in accordance with applicable laws (including GDPR) and best practices in the field of personal data protection. The document is a comprehensive description of the principles of processing, sharing and securing the data of users of the website. It is recommended that you regularly review the current version of the Policy, as changes in the regulations or the way of processing may lead to modifications of this document.

‍