1. Names and definitions used within this Policy

All names written with a capital letter within this Policy correspond to the names written with a capital letter in the content of the Terms and Conditions, as they also correspond to the definitions contained in these Terms and Conditions, to which this Policy is Appendix number 2.

2. General Information

2.1. This Policy concerns the processing of personal data and the use of cookies within the Portal by the Seller, who is also the data controller of Users’ personal data – LET’S GET CLOUD Limited Liability Company with its registered office in Krakow, at ul. Bociana 22, 31-231 Krakow, entered into the Register of Entrepreneurs of the National Court Register by the District Court in City, XI Commercial Division of the National Court Register, under the number 0001181673, with Tax Identification Number (NIP): 9452313400, having a share capital of 5000 Polish zlotys.

2.2. Within the Portal, the Seller performs the functions of obtaining information about Users and their behavior in the following ways:

1. by obtaining information voluntarily entered by Users in the appropriate forms,
2. by saving information in Users’ end devices in the form of cookies,
3. by collecting www server logs by the Portal’s hosting operator, which are necessary for the proper functioning of the Portal.

2.3. The term “User” used within this Policy should also be understood as an unregistered User who provides the Seller with information, including their personal data, as part of placing an order as a guest, in accordance with point 9 of the Terms and Conditions.

2.4. The rights and obligations of the User (as the data subject) and the Seller (as the controller of the User’s personal data) are regulated in detail by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR”.

3. Information, in particular personal data, provided by Users through filling out forms within the Portal

3.1. The Seller collects information, in particular the User’s personal data, provided voluntarily by the User.

3.2. The Seller may automatically record information about connection parameters, primarily concerning the time stamp and IP address of the User’s end device.

3.3. Data entered by the User in forms within the Portal is not shared with third parties other than with the User’s consent, unless there is another legal basis allowing the Seller to share this data or obliging them to do so.

3.4. Data entered by the User in forms within the Portal is processed for the purpose resulting from the function of a specific form, which may take place in order to: conduct the registration process aimed at creating a User Account in the Portal (as part of the Sales Agreement or Service Agreement concluded by the Seller with the User), subscribe the User to the newsletter (placing the User’s email address on the list of Users receiving the newsletter) or for the Seller to perform the Sales Agreement concluded with the User, which means comprehensive handling of the Order placed by the User, including primarily handling the payment process, shipping, the User’s use of the statutory right of withdrawal and handling the complaint process in the event of non-conformity of the Product(s) with the concluded Sales Agreement or, respectively, the service with the concluded Service Agreement.

4. Purpose, basis, and period of processing User’s personal data

4.1. The Seller is authorized to process Users’ personal data in cases where – and only to the extent that – at least one of the following conditions is met:

1. The User whose data is concerned has given consent to the processing of their personal data for one or more specific purposes,
2. Processing of the User’s personal data is necessary for the performance of a contract to which the User is a party, or to take steps at the request of the User prior to entering into a Sales Agreement or Service Agreement,
3. Processing of the User’s personal data is necessary for compliance with a legal obligation to which the Seller is subject,
4. Processing is necessary for the purposes of the legitimate interests pursued by the Seller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the User which require protection of personal data, in particular where the User is a child.

4.2. The processing of personal data by the Seller requires the existence of at least one of the bases indicated in the above sub-point of this Policy in each case.

4.3. In each case, the purpose, basis, and period of processing the User’s personal data, as well as the circle of recipients of their personal data, results from the exact scope of services offered by the Seller that the User intends to use as part of a given Order placed through the Portal. For example, this means that if the User chooses personal collection of the purchased Product as part of the placed Order, then their personal data will be processed in order to perform the concluded Sales Agreement, but will not be shared with the carrier carrying out shipments on behalf of the Seller, which would take place if the User chose courier delivery as part of the delivery option for the purchased Product.

4.4. The Seller may process the User’s personal data within the Portal for the following purposes, on the bases and for the periods indicated in the table below:

No.	Purpose of data processing	Legal basis for data processing	Data retention period
4.4.1.	Performance of the concluded Sales Agreement or Service Agreement, as well as taking actions at the User’s request before concluding the aforementioned Agreements	Art. 6 par. 1 letter b GDPR (contract performance) – processing is necessary for the performance of one of the aforementioned Agreements to which the User is a party or to take steps at the User’s request prior to entering into these Agreements	Data is stored for the period necessary for performance, as well as until the termination or expiration in any other way of the concluded Sales Agreement or Service Agreement.
4.4.2.	Direct marketing	Art. 6 par. 1 letter f GDPR (legitimate interest of the Seller) – processing is necessary for the purposes of the legitimate interests pursued by the Seller, consisting of caring for the interests and good image of the Seller, the Portal operated by them and aiming at constant sales of Products	Data is stored for the period of existence of the legitimate interest pursued by the Seller, but no longer than for the period of limitation of claims that the Seller may have against the User in connection with the Seller’s business activity. The indicated limitation period is determined by law, in particular the relevant provisions of the Act of 23 April 1964 Civil Code, whereby, as a rule, the limitation period for claims related to conducting business activity is three years, while for claims arising from sales made in the scope of the seller’s business activity – two years. The Seller cannot process data for direct marketing purposes if the User expresses objection.
4.4.3.	Marketing	Art. 6 par. 1 letter a GDPR (consent) – The User has given consent to the processing of their personal data for marketing purposes by the Seller	Personal data is processed by the Seller until the User withdraws consent for further processing of their data for this purpose. However, withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
4.4.4.	Keeping tax books	Art. 6 par. 1 letter c GDPR in connection with art. 86 § 1 of the Act of 29 August 1997 Tax Ordinance – processing is necessary for compliance with a legal obligation to which the Seller is subject Article 86 § 1 of the Act of August 29, 1997, Tax Ordinance – processing is necessary to fulfill the legal obligation incumbent on the Seller	Data is stored for the period required by law obliging the Seller to keep tax books, i.e., until the expiry of the tax liability limitation period, unless tax laws provide otherwise.
4.4.5.	Establishment, exercise, or defense of claims by the Seller or claims that may be raised against the Seller	Art. 6 par. 1 letter f GDPR (legitimate interest of the Seller) – processing is necessary for the purposes of the legitimate interests pursued by the Seller, consisting of the establishment, exercise, or defense of claims that may be raised by the Seller or that may be raised against the Seller	Data is stored for the period of existence of the legitimate interest pursued by the Seller, but no longer than for the period of limitation of claims that may be raised against the Seller, whereby the basic limitation period for these claims is six years.
4.4.6.	Use of the Portal and ensuring its proper functioning	Art. 6 par. 1 letter f GDPR (legitimate interest of the Seller) – processing is necessary for the purposes of the legitimate interests pursued by the Seller, consisting of running and maintaining the Portal	Data is stored for the period of existence of the legitimate interest pursued by the Seller, but no longer than for the period of limitation of the Seller’s claims against the User in connection with the Seller’s business activity. The indicated limitation period is determined by law, in particular the relevant provisions of the Act of 23 April 1964 Civil Code, whereby, as a rule, the limitation period for claims related to conducting business activity is three years, while for claims arising from sales made in the scope of the seller’s business activity – two years.
4.4.7.	Conducting statistics and analyzing traffic within the Portal	Art. 6 par. 1 letter f GDPR (legitimate interest of the Seller) – processing is necessary for the purposes of the legitimate interests pursued by the Seller, consisting of conducting statistics and analyzing traffic within the Portal, which aims to improve the functioning of the Portal and increase sales of offered Products	Data is stored for the period of existence of the legitimate interest pursued by the Seller, but no longer than for the period of limitation of the Seller’s claims against the User in connection with the Seller’s business activity. The indicated limitation period is determined by law, in particular the relevant provisions of the Act of 23 April 1964 Civil Code, whereby, as a rule, the limitation period for claims related to conducting business activity is three years, while for claims arising from sales made in the scope of the seller’s business activity – two years.

5. Recipients of personal data

5.1. In order to ensure the proper functioning of the Portal, including the proper implementation of concluded Sales Agreements and Service Agreements, it is necessary for the Seller to use the services of external entities, which primarily include: software provider, entity offering courier services, and entity handling payments. The Seller uses only the services of such external entities in the above-mentioned scope that provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing of Users’ personal data meets the requirements of GDPR and properly protects the rights of Users as data subjects.

5.2. Personal data may be transferred by the Seller to a third country, provided that the Seller ensures that in such a case this will be done in relation to a country ensuring an adequate level of protection resulting from GDPR, and in the case of other countries, that the transfer will be based on standard data protection clauses. The Seller also ensures that the User has the possibility to obtain a copy of their data that has been transferred in the manner described above. The Seller stipulates that the transfer of collected personal data of Users will only concern cases where it is necessary, and to the extent necessary to achieve a given data processing purpose consistent with this Policy.

5.3. The transfer of Users’ personal data by the Seller will not occur in every case and not to all recipients or categories of recipients indicated in this Policy. The Seller transfers the indicated data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve it. The above results from the exact scope of services offered by the Seller that the User intends to use as part of a given Order placed through the Portal. For example, this means that if the User chooses personal collection of the purchased Product as part of the placed Order, then their personal data will be processed in order to perform the concluded Sales Agreement, but will not be shared with the carrier carrying out shipments on behalf of the Seller, which would take place if the User chose courier delivery as part of the delivery option for the purchased Product.

5.4. Users’ personal data may be transferred to the following recipients or categories of recipients:

1. carriers/forwarders/courier brokers/entities handling warehouse and/or shipping process – in the case of a User who, as part of the Order placed in the Portal, used a method of Product delivery other than personal collection; in such a case, the Seller shares the collected personal data of the User with the selected carrier, forwarder or intermediary carrying out shipments on behalf of the Seller, and if the shipment is from an external warehouse, also with the entity handling the warehouse and/or shipping process, but only to the extent necessary to deliver the Product to the User,
2. entities handling electronic or card payments – in the case of a User who, as part of the Order placed in the Portal, uses electronic or card payment methods; in such a case, the Seller shares the collected personal data of the User with the selected entity handling the above-mentioned payments in the Portal on behalf of the Seller, but only to the extent necessary to handle the payment made by the User,
3. service providers supplying the Seller with technical, IT and organizational solutions, enabling the Seller to conduct business activities, including within the Portal and electronic services provided through it, which in particular concerns the provider of computer software for running the Portal, email and hosting provider, and software provider for company management and providing technical support to the Seller; in such a case, the Seller shares the collected personal data of the User with the selected provider acting on its behalf only when necessary and to the extent necessary to achieve a given data processing purpose consistent with this Policy,
4. providers of accounting, legal and advisory services providing the Seller with accounting, legal or advisory support, which in particular concerns the accounting office or accounting firm and law firm; in such a case, the Seller shares the collected personal data of the User with the selected provider acting on its behalf only when necessary and to the extent necessary to achieve a given data processing purpose consistent with this Policy.

5.5. Users’ personal data may be shared by the Seller with external entities only within the limits permitted by generally applicable law, in particular by the relevant provisions of GDPR.

5.6. Moreover, the Seller may be obliged to transfer information, including the User’s personal data, collected within the Portal by the Seller to authorized bodies on the basis of lawful requests, whereby the Seller will transfer to these bodies the requested information, including the User’s personal data, only to the necessary extent specified in the request, while informing the User about this disclosure.

5.7. The Seller may share Users’ personal data with an entity taking over the rights and obligations of the Seller related to the Portal, as the Seller’s legal successor. In the event that the rights and obligations of the Seller related to the Portal are taken over by its legal successor, Users will be informed about this fact, as well as about the identification data of the new controller of their personal data, in accordance with the applicable legal provisions in this regard.

6. Protection of personal data

6.1. The Seller undertakes to ensure the security of the Users’ personal data entrusted to them. To fulfill this obligation, the Seller ensures that wherever Users are required to provide personal data, the internet connection between the User’s end device and the Seller’s server is appropriately encrypted to protect data transmitted to or from the Seller’s server against interception or use by unauthorized third parties.

6.2. The Seller is the data controller of Users’ personal data and has not appointed a data protection officer, due to the absence of conditions specified in Article 37 paragraph 1 of GDPR. Users can contact the Seller as the controller of their personal data by mail at Bociana 22, 31-231 Kraków, by email at office.PL@letsgetcloud.com or by phone at +48 12 350 28 92.

6.3. Users provide information, including personal data, to the Seller knowingly and voluntarily, however, failure to provide data makes it impossible to place an Order, including entering into a Sales Agreement, as well as creating an Account on the Portal and subscribing to the newsletter, including entering into a Service Agreement. Personal data collected by the Seller will be processed solely for the purposes described in this Policy.

6.4. The Seller stipulates that without the User’s explicit consent, their personal data will not be shared with other data recipients, except for the Seller’s subcontractors mentioned in point 5 of this Policy, aimed at ensuring proper functioning of the Seller’s business and proper administration of the Portal.

7. User Rights Related to the Processing of Personal Data by the Seller

7.1. In accordance with the relevant provisions of GDPR, particularly Articles 15-21 of GDPR, the Seller ensures each User free access to their personal data collection, its rectification, erasure (as part of the User’s “right to be forgotten”) or restriction of processing (point 7.6. below). Users also have the right to object to the processing of their personal data and to data portability.

7.2. Users whose data is processed by the Seller based on previously given consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of GDPR) have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

7.3. Users have the right to lodge a complaint with a supervisory authority in the manner and procedure specified in GDPR provisions and relevant Polish law provisions, particularly the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.

7.4. Users have the right to object at any time to processing of personal data concerning them which is based on Article 6(1)(e) (public interest or tasks) or Article 6(1)(f) (legitimate interests of the Seller), which may occur due to grounds relating to their particular situation. 6 paragraph 1(f) (the Seller’s legitimate interests), which may occur for reasons related to their particular situation. This right also includes the possibility to object to processing in the form of profiling. If a User objects, the Seller loses the right to process personal data, including in the manner specified in the objection, unless the Seller simultaneously demonstrates compelling legitimate grounds for processing that override the interests, rights and freedoms of the User or grounds for the establishment, exercise or defense of legal claims.

7.5. When personal data is processed for direct marketing purposes, Users have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

7.6. Users also have the right to request erasure of their personal data (“right to be forgotten”) and the right to restrict its processing, with the grounds and procedures for exercising these rights specified respectively in Articles 17 and 18 of GDPR.

7.7. To exercise these rights, as well as to access their personal data and make changes or corrections, Users can at any time use the functionality of their Account on the Portal, after prior registration (creating an Account) and logging into the Account. Users, as well as unregistered Users, can also contact the Seller directly by mail at Bociana 22 31-231 Kraków, by email at office.PL@letsgetcloud.com or by phone at +48 12 350 28 92.

7.8. Through the Account functionality on the Portal, after prior registration (creating an Account) and logging into their Account, Users can also exercise their rights to withdraw consent for processing their personal data, not including consent for processing cookies, as the procedure for withdrawing consent for cookie processing by the Seller is separately described in point 11 of this Policy. Users, as well as unregistered Users, can also contact the Seller directly to submit a statement withdrawing marketing consents by mail at Bociana 22 31-231 Kraków, by email at office.PL@letsgetcloud.com or by phone at +48 12 350 28 92.

7.9. Users can obtain all information regarding access, modification, correction, and deletion of their personal data by contacting the Seller by mail at Bociana 22 31-231 Kraków, by email at office.PL@letsgetcloud.com or by phone at +48 12 350 28 92, as well as by using the contact form available at www.letsgetcloud.pl/contact/.

7.10. The Seller stipulates that the consent given by Users for personal data processing may specify a period for which the consent remains valid. However, if the aforementioned consent does not specify a validity period, the User’s consent remains valid until potential withdrawal, and after such withdrawal statement is submitted, for the limitation period of any claims available to or against the Seller, unless the processing of personal data is based on grounds other than User consent.

8. Information About Profiling

8.1. In accordance with relevant GDPR provisions, the Seller is obligated to inform Users about automated decision-making, including profiling, as referred to in Article 22 of GDPR. The Seller is also obligated to provide Users with meaningful information about the logic involved in automated decision-making, as well as the significance and envisaged consequences of such processing for Users.

8.2. The Seller may use profiling for direct marketing purposes as part of its business activities conducted through the Portal, but decisions made by the Seller based on it will not concern the conclusion or refusal to conclude a Sales Agreement or Service Agreement, regarding the possibility of creating an Account on the Portal or subscribing to the newsletter.

8.3. The consequences of the Seller’s use of profiling within the Portal may primarily include granting a User a discount, sending them a discount code, reminding about unfinished purchases, sending Product proposals that may match the interests or preferences of a given User, or offering better contractual terms compared to the Portal’s standard offer. At the same time, the Seller stipulates that despite the use of profiling by the Seller, it is ultimately the User who makes an independent and free decision regarding the use of the discount received in this way or other benefits, as well as regarding subsequent Order placement in the Portal.

8.4. If the Seller decides to implement profiling within the Portal, it will consist of automatic analysis or prediction of a given User’s behavior on individual Portal subpages, e.g., through adding a specific Product to the cart, browsing a specific Product subpage in the Portal, or through analysis of previous purchase history. The condition for using the profiling described above is the Seller’s possession of the User’s personal data to subsequently send the given User a generated discount code or offer other benefits mentioned above.

8.5. Users have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

9. Information About Cookies

9.1. The Seller uses cookies within the Portal. Cookies are IT data, particularly text files, stored on the User’s end device and intended for use with the Portal’s website. Cookies usually contain the name of the website they come from, their storage time on the User’s end device, and their unique number.

9.2. The entity placing cookies on the User’s end device and accessing them is the Seller, as the Portal administrator.

9.3. The Seller uses cookies for the following purposes:

1. creating statistics that help understand how Portal Users use its web pages, which enables improving their structure and content,
2. maintaining User sessions (after login), thanks to which Users don’t have to re-enter their login and password on every Portal webpage,
3. determining User profiles to display matched materials in advertising networks, particularly in the Google network.

9.4. Within the Portal, the Seller uses two main types of cookies: “session” cookies and “persistent” cookies. “Session” cookies are temporary files stored on the User’s end device until logging out of the Portal, leaving the website, or closing the software (web browser). “Persistent” cookies are stored on the User’s end device for the time specified in the cookie parameters or until they are deleted by the User.

9.5. The Seller notes that web browsing software (web browser) usually allows cookies to be stored on the User’s end device by default. Users can independently change their web browser settings in this regard and also delete already saved cookies. Users can also enable automatic cookie blocking within their web browser. Detailed information on this topic is contained in the help or documentation of the web browser used by the User.

9.6. The Seller stipulates that changes made by Users to browser settings regarding cookies, particularly limiting cookie use, may affect some functionalities available in the Portal or make them completely unavailable.

9.7. The Seller also stipulates that cookies may be placed on the User’s end device and used by cooperating advertisers or other partners.

9.8. Cookies may also be used by advertising networks, particularly the Google network, to display advertisements matched to how the User uses the Portal. For this purpose, cookies may store information about the User’s navigation path on Portal subpages or the time spent on a given subpage.

9.9. Users are entitled to not consent to cookie processing by the Seller, which occurs by not accepting the consent displayed after first entering any Portal subpage, although not consenting to cookie processing may cause the Portal to function incorrectly.

9.10. The Seller informs that regarding information about User preferences collected by the Google advertising network, Users can access and edit this information using the tool available at: https://www.google.com/ads/preferences/.

10. Server Logs

10.1. Information about certain User behaviors is logged at the server level. Data saved in this way is then used by the Seller exclusively for Portal administration and to ensure the most efficient hosting service provision.

10.2. Resources viewed by Users are identified through Portal subpage URLs, and the following may also be recorded as described in the above point:

1. time of request or query arrival,
2. time of response sending,
3. User station name – identification performed by HTTP protocol,
4. information about errors that occurred during HTTP transaction execution,
5. URL of the page previously visited by the User (referrer link), which occurs only if the transition to any Portal webpage was made through a link,
6. information about the User’s browser,
7. information about the IP address of the User’s end device.

10.3. The data described above is not associated with specific individuals browsing Portal pages, meaning it is completely anonymous.

10.4. The above-described data will be used by the Seller only to ensure proper administration of the server where the Portal is located.

11. Cookie Management, Principles for Expressing and Withdrawing User Consent for Processing

11.1. If Users do not want to use cookies, they can appropriately change their web browser settings or not consent to cookie processing by the Seller, which they will be asked about upon first entering any Portal subpage.

11.2. However, the Seller stipulates that disabling cookies necessary for authentication processes, security, maintaining User preferences may make it difficult or impossible for Users to use the Portal.

11.3. To manage cookie settings in their web browser or operating software, Users can visit the appropriate webpage regarding cookie handling within their web browser or operating system.