PRIVACY POLICY

  1. This Privacy Policy sets out the rules for processing personal data collected through the website hartnett.website, hereinafter referred to as the “Website.”
  2. The owner of the Website and the Data Controller is Anna Hartnett, hereinafter referred to as the Administrator.
  3. The personal data collected by the Administrator via the Website is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also known as GDPR.
  4. The Administrator takes special care to respect the privacy of Clients visiting the Website.

§ 1 Type of data processed, purposes, and legal basis

  1. The Administrator collects information about individuals engaging in legal transactions not directly related to their business, individuals conducting business or professional activity in their own name, as well as individuals representing legal entities or organizational units not being legal entities, which have legal capacity, conducting business or professional activity in their own name, hereinafter collectively referred to as Clients.
  2. Personal data of Clients is collected in the following cases:
    • When using the contact form service on the Website to perform a contract provided electronically. Legal basis: necessity for the performance of the contract for the contact form service (Article 6(1)(b) GDPR).
  3. When using the contact form service, the Client provides the following data:
    • Email address
    • Name
    • Phone number
  4. Additional information may be collected while using the Website, including: the IP address assigned to the Client’s computer or the external IP address of the Internet provider, domain name, browser type, access time, and operating system type.
  5. Navigation data may also be collected from Clients, including information about links and references they decide to click on or other actions taken on the Website. Legal basis: legitimate interest (Article 6(1)(f) GDPR), aimed at facilitating the use of electronically provided services and improving the functionality of these services.
  6. Providing personal data to the Administrator is voluntary.

§ 2 To whom data is shared or entrusted, and how long is it stored?

  1. The Client’s personal data is transferred to service providers used by the Administrator in the operation of the Website. Service providers to whom personal data is transferred, depending on contractual arrangements and circumstances, either follow the Administrator’s instructions regarding the purposes and methods of data processing (processors) or determine the purposes and methods of data processing themselves (controllers).

1.1. Processors: The Administrator uses providers who process personal data only on the Administrator’s instructions. These include, among others, providers offering hosting services, accounting services, marketing systems, website traffic analysis systems, and systems for analyzing the effectiveness of marketing campaigns.

1.2. Controllers: The Administrator uses providers who do not act solely on instructions and determine the purposes and methods of using the Clients’ personal data. They provide electronic payment services and banking services.

2. Location: Service providers are mainly based in Poland and other countries of the European Economic Area (EEA).

3. Clients’ personal data is stored:

3.1. In cases where the basis for processing personal data is consent, the personal data is processed by the Administrator as long as the consent is not withdrawn, and after withdrawal of consent, for a period corresponding to the statute of limitations for claims that the Administrator may raise or that may be raised against them. Unless a special provision provides otherwise, the statute of limitations is six years, and for periodic benefits and claims related to business activities, it is three years.

3.2. In cases where the basis for data processing is the performance of a contract, the personal data is processed by the Administrator as long as it is necessary to perform the contract, and after that time, for a period corresponding to the statute of limitations for claims. Unless a special provision provides otherwise, the statute of limitations is six years, and for periodic benefits and claims related to business activities, it is three years.

4. Upon request, the Administrator makes personal data available to authorized state authorities, in particular to the Prosecutor’s Office, Police, President of the Personal Data Protection Office, President of the Office of Competition and Consumer Protection, or President of the Office of Electronic Communications.

§ 3 Cookies mechanism, IP address

1. The Website uses small files called cookies. They are stored by the Administrator on the device of the person visiting the Website, provided that the web browser allows it. A cookie file usually contains the domain name it originates from, its “expiration time,” and an individual, randomly selected number identifying the file. The information collected by these files helps tailor the products offered by the Administrator to the individual preferences and real needs of the people visiting the Website.

2. The Administrator uses two types of cookies:

2.1. Session cookies: After the session of a given browser ends or the computer is turned off, the stored information is deleted from the device’s memory. The session cookies mechanism does not allow the collection of any personal data or any confidential information from the Clients’ computers.

2.2. Persistent cookies: These are stored in the memory of the Client’s device and remain there until they are deleted or expire. The persistent cookies mechanism does not allow the collection of any personal data or any confidential information from the Clients’ computers.

3. The Administrator uses its own cookies for:

3.1. Analysis and research, and audit of viewership, particularly for creating anonymous statistics that help understand how Clients use the Website, which allows improving its structure and content.

4. The Administrator uses external cookies for:

4.1. Presenting, on the Website’s informational pages, a map showing the location of the Administrator’s office via the maps.google.com website (external cookie administrator: Google Inc., based in the USA).

5. The cookie mechanism is safe for the computers of the Clients visiting the Website. In particular, it is not possible for viruses or other unwanted or malicious software to enter the Clients’ computers this way. Nevertheless, Clients can limit or disable cookies in their web browsers. If this option is used, using the Website will be possible, except for functions that, by their nature, require cookies.

6. The Administrator may collect Clients’ IP addresses. An IP address is a number assigned to the computer of a person visiting the Website by the Internet service provider. The IP number allows access to the Internet. In most cases, it is assigned to the computer dynamically, i.e., it changes with each connection to the Internet, and is therefore commonly considered non-personally identifying information. The IP address is used by the Administrator for diagnosing technical problems with the server, creating statistical analyses (e.g., determining from which regions we record the most visits), as information useful for managing and improving the Website, as well as for security purposes and possible identification of undesirable automatic programs loading content on the Website.

§ 4 Rights of data subjects

1. Right to withdraw consent – Legal basis: Article 7(3) GDPR.

1.1. The Client has the right to withdraw any consent they have given.

1.2. The withdrawal of consent takes effect from the moment of withdrawal.

1.3. The withdrawal of consent does not affect the processing carried out by the Administrator in accordance with the law before its withdrawal.

1.4. The withdrawal of consent does not entail any negative consequences for the Client, but it may prevent further use of services or functionalities that, according to the law, the Administrator can only provide with consent.

2. Right to object to data processing – Legal basis: Article 21 GDPR.

2.1. The Client has the right to object at any time – for reasons related to their particular situation – to the processing of their personal data, including profiling, if the Administrator processes their data based on a legitimate interest, e.g., marketing of the Administrator’s products and services, keeping statistics on the use of individual functionalities of the Website, and facilitating the use of the Website, as well as satisfaction surveys.

2.2. Opting out via email from receiving marketing communications regarding products or services will mean the Client’s objection to the processing of their personal data, including profiling for these purposes.

2.3. If the Client’s objection proves justified and the Administrator has no other legal basis for processing personal data, the Client’s personal data that was the subject of the objection will be deleted.

3. Right to erasure of data (“right to be forgotten”) – Legal basis: Article 17 GDPR.

3.1. The Client has the right to request the deletion of all or some personal data.

3.2. The Client has the right to request the deletion of personal data if:

3.2.1. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

3.2.2. They withdrew specific consent to the extent that personal data was processed based on their consent.

3.2.3. They objected to the use of their data for marketing purposes.

3.2.4. Personal data is processed unlawfully.

3.2.5. Personal data must be erased to comply with a legal obligation under Union law or the law of a Member State to which the Administrator is subject.

3.2.6. Personal data was collected in connection with the offering of information society services.

3.3. Despite the request to delete personal data in connection with the objection or withdrawal of consent, the Administrator may retain certain personal data to the extent that processing is necessary to establish, assert, or defend claims, as well as to comply with a legal obligation requiring processing under Union law or the law of a Member State to which the Administrator is subject. This particularly applies to personal data including: name, surname, email address, and the history of the services provided, which data is retained for the purpose of handling complaints and claims related to the use of the Administrator’s services.

4. Right to restriction of data processing – Legal basis: Article 18 GDPR.

4.1. The Client has the right to request the restriction of the processing of their personal data. The submission of a request, until it is considered, prevents the use of certain functionalities or services, the use of which will involve the processing of the data covered by the request. The Administrator will also not send any messages, including marketing ones.

4.2. The Client has the right to request the restriction of the use of personal data in the following cases:

4.2.1. When they question the accuracy of their personal data – then the Administrator limits its use for the time needed to verify the correctness of the data, but for no longer than 7 days.

4.2.2. When the processing of data is unlawful, and instead of deleting the data, the Client requests limiting its use.

4.2.3. When personal data is no longer needed for the purposes for which it was collected or used, but it is needed by the Client to establish, assert, or defend claims.

4.2.4. When they objected to the use of their data – then the restriction is made for the time needed to consider whether – due to the particular situation – the protection of the Client’s interests, rights, and freedoms outweighs the interests the Administrator pursues by processing the Client’s personal data.

5. Right to access data – Legal basis: Article 15 GDPR.

5.1. The Client has the right to obtain confirmation from the Administrator as to whether they process personal data, and if so, the Client has the right to:

5.1.1. Access their personal data;

5.1.2. Obtain information about the purposes of processing, the categories of personal data processed, the recipients or categories of recipients of this data, the planned period of storing the Client’s data or criteria for determining this period (when determining the planned period of data processing is impossible), the Client’s rights under GDPR, and the right to lodge a complaint with a supervisory authority, the source of this data, automated decision-making, including profiling, and the security measures used in connection with the transfer of this data outside the European Union;

5.1.3. Obtain a copy of their personal data.

6. Right to rectification – Legal basis: Article 16 GDPR.

6.1. The Client has the right to request the Administrator to correct inaccurate personal data. Considering the purposes of processing, the data subject has the right to request the completion of incomplete personal data, including by submitting an additional statement by sending a request to the email address provided in §6 of the Privacy Policy.

7. Right to data portability – Legal basis: Article 20 GDPR.

7.1. The Client has the right to receive their personal data, which they provided to the Administrator, and then send it to another personal data administrator of their choice. The Client also has the right to request that the personal data be sent by the Administrator directly to such an administrator, if technically possible. In this case, the Administrator will send the Client’s personal data in the form of a CSV file, which is a commonly used, machine-readable format that allows the data received to be sent to another personal data administrator.

8. In the event that the Client exercises the rights arising from the above-mentioned provisions, the Administrator shall comply with the request or refuse to comply without delay, but no later than within one month of receiving the request. However, if due to the complex nature of the request or the number of requests, the Administrator is unable to comply within one month, the Administrator shall comply within the next two months, informing the Client in advance, within one month of receiving the request, about the intended extension of the deadline and the reasons for it.

9. The Client may submit complaints, inquiries, and requests to the Administrator regarding the processing of their personal data and the exercise of their rights.

10. The Client has the right to lodge a complaint with the President of the Personal Data Protection Office concerning the violation of their rights to personal data protection or other rights granted under GDPR.

§ 5 Changes to the Privacy Policy

1. The Privacy Policy may be subject to change, and the Administrator is not obliged to inform about such changes.

2. For questions related to the Privacy Policy, please contact: aniahartnett@gmail.com

3. Last modified: August 20, 2024