Privacy Policy

This Privacy Policy (hereinafter referred to as the “Policy”) applies to the website with the domain  www.byLama.eu (hereinafter referred to as the “Website”) and is intended to inform Users about the rules for processing their personal data as well as their rights.

I DEFINITIONS.

1. Personal Data – any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, by one or more specific factors determining their physical, physiological, genetic, mental, economic, cultural, or social identity.
2. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
3. User – any natural person visiting the Online Store or using one or more of the services or functionalities described in the Policy.
4. Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal factors relating to a natural person.

II STORAGE AND PROTECTION OF PERSONAL DATA

1. Personal data are processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, as well as accidental loss, destruction, or damage, using appropriate technical and organizational measures.
2. To ensure proper protection of personal data, the Website is secured with a certificate

III PERSONAL DATA CONTROLLER

1. The controller of personal data processed through the Website is: Franzo Group Sp. z o.o., ul. Lipowa 1, 63-023 Sulęcin, operating under NIP: 7861725317, REGON: 389616024, and KRS: 0000915165 (hereinafter referred to as the “Controller”).
2. The representative of the Controller is Przemysław Pawlak.
3. The Controller can be contacted via the contact form available on the Website or at the email address [info@bylama.eu](mailto:info@bylama.eu).

IV PURPOSES AND LEGAL BASES FOR DATA PROCESSING 

Below is a detailed description of the Users’ personal data that will be processed by the Website when using its pages, along with an explanation of the purposes and the legal basis for their processing.

1. To enable registration on the Website, the Controller processes the following data:

1. First and Last Name,

2. email address,

3. password.

Providing the above-mentioned personal data is voluntary but necessary to create a User account. Refusal to provide the above data will result in the inability to conclude the agreement.

Legal basis for data processing: taking steps at the request of the data subject (Article 6(1)(b) GDPR).

Data retention period: the duration of the User account’s existence, and after that period, the data will be stored for the period resulting from the statute of limitations for potential claims (e.g., three years if the personal data concern other entrepreneurs with whom agreements were concluded in connection with business activity – Article 118 of the Civil Code).

2. To enable easier contact with the Controller, Users may provide their phone number.

Legal basis for data processing: the User’s consent (Article 6(1)(a) GDPR).

Data retention period: the data will be stored until consent is withdrawn, but no longer than the period resulting from the statute of limitations for potential claims (e.g., three years if the personal data concern other entrepreneurs with whom agreements were concluded in connection with business activity – Article 118 of the Civil Code).

3. To enable placing an order, the User provides the following data:

1. First and Last Name,

2. email address

3. phone number

4. delivery address

5. billing address / invoice address

Providing the above-mentioned personal data is voluntary but necessary to place an order. Refusal to provide the data will result in the inability to conclude the contract.

Legal basis for data processing: necessity of processing for the performance of a contract (Article 6(1)(b) GDPR).

Data retention period: the period necessary to perform the contract, and after that period, the data will be stored for the duration resulting from the statute of limitations for potential claims (e.g., three years if the personal data concern other entrepreneurs with whom agreements were concluded in connection with business activity – Article 118 of the Civil Code).

4. To enable payment for the placed order, the User provides the following data:

Personal data required by the payment systems through which the User can pay for the placed order.

The above-mentioned personal data are processed in accordance with the privacy policies of the payment system providers.

5. To enable the issuance of an invoice Users may provide:

1. full company name,

2. Tax Identification Number (NIP).

Providing the above-mentioned data is not necessary for the performance of the contract.

Legal basis for data processing: the User’s consent (Article 6(1)(a) GDPR), performance of the contract (Article 6(1)(b) GDPR), inclusion of the invoice in accounting records (Article 6(1)(c) GDPR).

Data retention period: data about completed payments will be processed for the time necessary to fulfill the order, and then for the period of bookkeeping retention (according to Article 74 of the Accounting Act, this period is 5 years).

6. To enable submitting an inquiry via the contact form or email, the User provides the following data:

1) email address

2. first and last name

Providing the above-mentioned data is voluntary, but necessary for handling User inquiries. Failure to provide the above-mentioned data will prevent the Administrator from processing inquiries.

Legal basis for data processingthe legitimate interest of the Administrator in the form of the necessity to handle User inquiries (Article 6(1)(f) GDPR).

Data retention periodthe period necessary to respond to the User's inquiry, but no longer than until the moment the User objects to the processing of their data.

7. To enable the delivery of personalized advertisements to the User,the Administrator collects the following data:

• the type of browser and its settings
• information about the device's operating system
• information contained in cookies
• information about other identifiers assigned to the device
• the IP address from which the device connects to the website or mobile application
• information about the User's activity on this device, including visited or used websites and mobile applications
• information about the device's geographical location during the connection to the website or mobile application.

The above-mentioned data will be subject to automated decision-making, including profiling. Based on this data, the advertising network operator selects the target group of Users, to whom ads tailored to their needs and interests are then displayed.

However, profiling will not have legal effects on Users nor will it significantly affect their situation. The User has the right to object to profiling.

Legal basis for processing: the legitimate interest of the Administrator in the form of the necessity to optimize ongoing marketing campaigns.

Data retention periodthe data will be stored until it becomes outdated or loses its relevance, but no longer than for 3 years.

8. To enable the provision of the newsletter service, the Administrator collects the following data:

– the User's email address.

In case of subscribing to the newsletter, commercial information will be sent to the email address provided by the User. The User can unsubscribe at any time by logging into their account on the Website or by clicking the unsubscribe link found in the footer of every newsletter. Users’ personal data will be processed for the purpose of providing the newsletter service. Providing data is voluntary but necessary to provide the service, and failure to provide the data will make the service impossible to deliver.

Legal basis for processing: the User’s consent (Article 6(1)(a) GDPR).

Data retention period: the data will be stored until consent is withdrawn, but no longer than 3 years. Withdrawal of consent does not affect the lawfulness of processing carried out based on consent before its withdrawal.

9. To enable the establishment, pursuit, defense against claims, and handling of complaints, the Administrator may process the following data:

• first and last name,
• email address,
• IP address,
• NIP number and full company name (if provided),
• order number.

Legal basis for processingthe legitimate interest of the Administrator in the form of the necessity to establish, pursue, and defend against claims, as well as to handle complaints (Article 6(1)(f) GDPR).

Data retention period: The data will be stored for the period resulting from the statute of limitations for potential claims (e.g., three years, if the personal data concerns other entrepreneurs with whom contracts have been concluded in connection with business activity – Article 118 of the Civil Code).

10. For analytical and statistical purposes, for the purpose of analyzing User activity on the Website and the number of visits, the Administrator will process the following data:

• type of operating system,
• IP address,
• data about activity on the Website (time spent on the site, viewed products).

Legal basis for processing: the legitimate interest of the Administrator in the form of the necessity to analyze User activity on the website and create statistics (Article 6(1)(f) GDPR).

Data retention periodthe personal data will be stored until it becomes outdated, but no longer than for 3 years.

V USER RIGHTS

1. Data subjects have the following rights:

• the right to information about the processing of personal data – based on this, the Administrator provides the person submitting such a request with information about the processing of personal data, including primarily the purposes and legal basis for processing, the scope of the data held, the entities to which personal data is disclosed, and the planned deletion date.
• the right to obtain a copy of the data – based on this, the Administrator provides a copy of the processed data concerning the person submitting the request.
• the right to rectification of data – based on this, the Administrator removes any inconsistencies or errors regarding the processed personal data, and supplements or updates it if it is incomplete or has changed.
• the right to erasure of data ("right to be forgotten") – based on this, one can request the erasure of data that is no longer necessary for the purposes for which it was collected.
• the right to restriction of processing – based on this, the Administrator stops performing operations on personal data, except for operations that the data subject has consented to, and stops storing the data according to the established retention policy (i.e., the data retention period), or until the reasons for restricting the processing of data cease (e.g., a decision is issued by a supervisory authority permitting further data processing).
• the right to data portability – based on this, to the extent that the data is processed in connection with a concluded contract or consent given, the Administrator provides the data provided by the data subject in a format that allows for its computer-readable use. It is also possible to request the transfer of this data to another entity – provided that there are technical capabilities for this, both on the part of the Administrator and the other entity.
• the right to object to the processing of data for marketing purposes and for the purpose of user satisfaction research– the data subject may at any time object to the processing of personal data for marketing purposes, without the need to provide a justification for such objection.
• the right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data based on the legitimate interest of the Administrator (e.g., for analytical or statistical purposes). The objection should include justification and will be assessed by the Administrator.
• the right to withdraw consent – if the data is processed based on consent, the data subject has the right to withdraw it at any time, however, this does not affect the lawfulness of the processing carried out before the withdrawal of the consent.
• the right to lodge a complaint – if it is considered that the processing of personal data violates the provisions of the GDPR or other data protection regulations, the data subject may lodge a complaint with the President of the Personal Data Protection Office.

2. These rights can be exercised:

• via email to the address: [info@bylama.eu](mailto:info@bylama.eu)
• in some cases (e.g., withdrawal of consent for the processing of personal data) through dedicated functions on the Website.

VI TRANSFER OF PERSONAL DATA TO THIRD PARTIES

1. Due to the necessity of fulfilling orders and maintaining the Website, the Controller uses services of third parties to whom Users’ personal data will be entrusted.
2. When entrusting processing activities to a data processor, the Controller uses only those processors who provide sufficient guarantees of implementing technical and organizational measures that meet the requirements of the GDPR, including processing security requirements.
3. Data processors obtain access to User data only to the extent and for the period necessary to perform the specified service.
4. Users’ personal data will be entrusted particularly to:

• PayNow
• PayPal

VII STORAGE AND PROTECTION OF PERSONAL DATA

1. Personal data are processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, as well as accidental loss, destruction, or damage, using appropriate technical and organizational measures.
2. To ensure proper protection of personal data, the Website is secured with a certificate

VIII FINAL PROVISIONS

1. The Controller will inform Users about changes to this Policy by email, sending the consolidated text of the Policy along with information about the changes at least 7 days before the new version of the Policy is published.
2. The new version of the Policy will be published on the website at: https://www.bylama.eu/polityka-prywatnosci/