Privacy Policy

1. This Privacy Policy sets out the principles for the processing of personal data obtained via the website gebar.pl, hereinafter referred to as the “Website.” 2. The owner of the website and the Data Controller is GEBAR AGATA BARCZYK I GRZEGORZ BARCZYK SPÓŁKA JAWNA, 41-100 Siemianowice Śląskie, ul. Komuny Paryskiej 14, NIP: 6431764917, hereinafter referred to as the Controller. 3. Personal data collected by the Administrator via the Website are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also referred to as the GDPR. 4. The Administrator takes special care to respect the privacy of Customers visiting the Website.

§ 1 Type of data processed, purposes, and legal basis

1. The Administrator collects information about individuals who perform legal acts not directly related to their business activities, individuals who conduct business or professional activities on their own behalf, and individuals representing legal entities or organizational units that are not legal entities, to which the law grants legal capacity, conducting business or professional activities on their own behalf, hereinafter collectively referred to as Customers. 2. The Administrator processes the personal data of Customers within the scope of using the contact form service on the Website for the purposes necessary to perform a contract or take steps prior to entering into a contract – the basis for processing is Article 6, paragraph 1, letter a of the GDPR. b GDPR 3. When using the contact form service, the Client provides the following data:
  • email address
  • name
  • telephone number
4. When using the Website, additional information may be collected, in particular: the IP address assigned to the Client’s computer or the external IP address of the Internet service provider, domain name, browser type, access time, and operating system type. Navigational data may also be collected from Clients, including information about links and references they choose to click or other actions taken on the Website for purposes related to the provision of services, as well as for technical, administrative, analytical, and statistical purposes – in this respect, the basis for processing is also Article 6 paragraph 1 letter b of the GDPR. f GDPR, i.e., necessary for the purposes of the Controller’s legitimate interest in ensuring IT security and managing the Website, as well as improving the functionality of the Website and the services provided.

§ 2 Data Recipients

1. The Customer’s personal data is transferred to service providers used by the Controller to operate the Website. Service providers to whom personal data are transferred, depending on contractual arrangements and circumstances, are either subject to the Controller’s instructions regarding the purposes and methods of processing such data (processors) or independently determine the purposes and methods of processing (controllers).
  • 1.1. Processors The Controller uses providers who process personal data only on the Controller’s instructions. These include, among others, Providers providing hosting services, accounting services, marketing systems, Website traffic analysis systems, and marketing campaign effectiveness analysis systems.
  • 1.2. Controllers. The Controller uses providers who do not act solely on instructions and independently determine the purposes and methods of using Customers’ personal data. They provide electronic payment and banking services.
2. Location. Service providers are based primarily in Poland and other countries of the European Economic Area (EEA). 3. If requested, the Controller provides personal data to authorized state authorities, in particular organizational units of the Prosecutor’s Office, the Police, the President of the Office for Personal Data Protection, the President of the Office of Competition and Consumer Protection, or the President of the Office of Electronic Communications.

§ 3 Data Retention Period

1. Customers’ personal data are stored:
  • 1.1. If consent is the basis for personal data processing, the Customer’s personal data are processed by the Controller until consent is withdrawn, and after consent is withdrawn, for a period corresponding to the limitation period for claims that may be brought by the Controller and against it. Unless a specific provision provides otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to running a business, three years.
  • 1.2. If the basis for data processing is the performance of a contract, the Customer’s personal data are processed by the Controller for as long as necessary to perform the contract, and after that time, for a period corresponding to the limitation period for claims. Unless a specific provision provides otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to running a business, the limitation period is three years.

§ 4 Cookie Mechanism, IP Address

1. The Website uses small files called cookies. They are saved by the Administrator on the end device of the Website visitor, if the web browser allows it. A cookie file typically contains the name of the domain from which it originates, its “expiration time,” and an individual, randomly selected number identifying the file. Information collected using this type of file helps tailor the products offered by the Administrator to the individual preferences and actual needs of Website visitors. 2. The Administrator uses two types of cookies:
  • 2.1. Session Cookies: After the browser session ends or the computer is turned off, the saved information is deleted from the device’s memory. The session cookie mechanism does not allow for the collection of any personal data or any confidential information from Customers’ computers.
  • 2.2. Persistent cookies: are stored in the memory of the Customer’s end device and remain there until they are deleted or expire. The persistent cookie mechanism does not allow for the collection of any personal data or any confidential information from Customers’ computers.
3. The Administrator uses its own cookies for the following purposes:
  • 3.1. analyses, research, and audience audits, in particular to create anonymous statistics that help understand how Customers use the Website, which allows for the improvement of its structure and content.
4. The Administrator uses external cookies for the following purposes:
  • 4.1. presenting a map indicating the location of the Administrator’s office on the Website’s information pages using the maps.google.com website (external cookie administrator: Google Inc., based in the USA).
5. The cookie mechanism is safe for the computers of Customers visiting the Website. In particular, it is impossible for viruses or other unwanted software or malware to reach Customers’ computers this way. However, Customers have the option of limiting or disabling cookies’ access to their computers in their browsers. If this option is used, the use of the Website will be possible, except for functions that by their nature require cookies. 6. The Administrator may collect Customers’ IP addresses. An IP address is a number assigned to the computer of a Website visitor by the Internet service provider. The IP number enables access to the Internet. In most cases, it is assigned to the computer dynamically, meaning it changes with each Internet connection and is therefore generally treated as non-personally identifiable information. The IP address is used by the Administrator to diagnose technical problems with the server, create statistical analyses (e.g., to determine which regions receive the most visits), as information useful in administering and improving the Website, as well as for security purposes and to identify any unwanted automated programs that burden the server and browse the Website’s content.

§ 5 Rights of Data Subjects

Data subjects have the following rights: 1. The right to withdraw consent to data processing at any time:
  • 1.1. The Client has the right to withdraw any consent they have given.
  • 1.2. Withdrawal of consent takes effect from the moment of withdrawal.
  • 1.3. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • 1.4. Withdrawal of consent does not entailThe right to object to data processing:
    • 2.1. The Customer has the right to object at any time – for reasons relating to their particular situation – to the processing of their personal data based on Article 6(1)(e) or (f) of the GDPR, including profiling based on these provisions. The Controller is no longer permitted to process these personal data unless they demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or grounds for establishing, exercising, or defending legal claims.
    • 2.2. Opting out of receiving marketing communications about products or services via email will constitute the Customer’s objection to the processing of their personal data, including profiling for these purposes. 3. Right to erasure (“right to be forgotten”):
      • 3.1. The Customer has the right to request the erasure of all or some of the personal data.
      • 3.2. The Customer has the right to request the erasure of the personal data if:
        • 3.2.1. The personal data are no longer necessary for the purposes for which they were collected or processed.
        • 3.2.2. The Customer has withdrawn specific consent, to the extent that the personal data were processed based on consent.
        • 3.2.3. The Customer has objected to the processing under Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the Customer has objected to the processing under Article 21(2) of the GDPR.
        • 3.2.4. The personal data are processed unlawfully.
        • 3.2.5. Personal data must be erased to comply with a legal obligation under EU or Member State law to which the Controller is subject.
        • 3.2.6. Personal data have been collected in connection with the provision of information society services.
      • 3.3. Despite a request to erase personal data, in connection with an objection or withdrawal of consent, the Controller may retain certain personal data to the extent that processing is necessary for the establishment, exercise, or defense of legal claims, as well as for compliance with a legal obligation requiring processing under EU or Member State law to which the Controller is subject. This applies in particular to personal data including: first name, last name, email address, which are retained for the purpose of handling complaints and claims related to the use of the Controller’s services, or additionally, residential address/mailing address, order number, which are retained for the purpose of handling complaints and claims related to concluded sales contracts or the provision of services.
      4. Right to restrict data processing:
      • 4.1. The Customer has the right to request the restriction of the processing of their personal data. Submitting a request, until it is considered, prevents the use of certain functionalities or services, the use of which will involve the processing of the data covered by the request. The Controller will also not send any communications, including marketing communications.
      • 4.2. The Customer has the right to request the restriction of the use of personal data in the following cases:
        • 4.2.1. when the Customer contests the accuracy of their personal data – the Controller will limit their use for the time needed to verify the accuracy of the data, but no longer than 7 days.
        • 4.2.2. when the data processing is unlawful, and instead of deleting the data, the Customer requests the restriction of their use.
        • 4.2.3. when the personal data are no longer necessary for the purposes for which they were collected or used, but are required by the Customer to establish, pursue, or defend legal claims.
        • 4.2.4. when the data subject has objected to the processing of their data – until it is determined whether the legitimate grounds on the part of the controller override the grounds for objection of the data subject.
      5. The right to request access to their personal data from the Controller and to receive a copy thereof:
      • 5.1. The Customer has the right to obtain confirmation from the Controller as to whether they are processing personal data, and if so, the Customer has the right to:
        • 5.1.1. obtain access to their personal data
        • 5.1.2. obtain information on the purposes of processing, the categories of personal data being processed, the recipients or categories of recipients of such data, the planned period of storage of the Customer’s data or the criteria for determining this period (when determining the planned period of data processing is not possible), about the processingThe Customer has the right to lodge a complaint with a supervisory authority, provided that the personal data were not collected from the data subject – all available information about their source, about automated decision-making, including profiling referred to in Article 22(1) and (4) of the GDPR, and – at least in these cases – relevant information about the principles underlying such decision-making, as well as the significance and envisaged consequences of such processing for the data subject, and about the safeguards applied in connection with the transfer of personal data outside the European Union.
        • 5.1.3. Obtain a copy of their personal data. The right to obtain a copy must not adversely affect the rights and freedoms of others.
      6. Right to rectification (correction) of data:
      • 6.1. The Customer has the right to request the Controller to immediately rectify any inaccurate personal data concerning them. Taking into account the purposes of processing, the Customer whose data is processed has the right to request the completion of incomplete personal data, including by submitting an additional declaration, by sending a request to the email address specified in §6 of the Privacy Policy.
      7. Right to data portability:
      • 7.1. The Customer has the right to receive their personal data provided to the Controller and then send it to another personal data controller of their choice. The Customer also has the right to request that the personal data be sent by the Controller directly to such controller, if technically feasible. In such a case, the Controller will send the Customer’s personal data in a CSV file, which is a commonly used, machine-readable format that allows the data received to be sent to another personal data controller.
      8. Right to lodge a complaint with a supervisory authority:
      • 8.1. The Customer has the right to lodge a complaint with the President of the Personal Data Protection Office regarding a violation of their personal data protection rights or other rights granted under the GDPR. 9. If the Customer exercises the rights arising from the above rights, the Administrator shall comply with or refuse to comply with the request immediately, but no later than one month after receiving it. However, if – due to the complex nature of the request or the number of requests – the Administrator is unable to comply within one month, the Administrator shall comply within the next two months, informing the Customer within one month of receiving the request of the intended extension and the reasons for it. 10. The Customer may submit complaints, inquiries, and requests to the Administrator regarding the processing of their personal data and the exercise of their rights.

§ 6 Changes to the Privacy Policy

1. The Privacy Policy may change, of which the Administrator is not obligated to notify. 2. Please send any questions regarding this Privacy Policy to the following email address: biuro@gebar.pl 3. Last modified: 04/08/2025