Privacy Policy
Privacy policy valid from January 1, 2022
1. This Privacy Policy sets out the rules for the processing of personal data obtained via the online store endo.pl (hereinafter referred to as the "Online Store").
2. The owner of the Store and the data controller is "STUDIO MK" SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Warsaw (02-222), ul. Aleje Jerozolimskie 185, entered into the register of entrepreneurs of the National Court Register maintained by the District Court for the capital city of Warsaw in Warsaw, 12th Commercial Division of the National Court Register under the KRS number 0000935987, Tax Identification Number (NIP): 7010345945, National Business Registry Number (REGON): 146172015, hereinafter referred to as ENDO.
3. Personal data collected by ENDO via the Online Store are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also referred to as GDPR.
4. ENDO takes special care to respect the privacy of Customers visiting the Online Store.
§ 1 Type of data processed, purposes and legal basis
1. ENDO collects information on natural persons performing legal acts not directly related to their business activity, natural persons conducting business or professional activity on their own behalf, and natural persons representing legal persons or organizational units that are not legal persons but which are granted legal capacity by law, hereinafter collectively referred to as Clients.
2. Customers' personal data are collected in the event of:
a) registering an account in the Online Store in order to create an individual account and manage this account. Legal basis: necessity to perform the contract for the provision of the Account service (Article 6, paragraph 1, letter b of the GDPR);
b) placing an order in the Online Store in order to execute the sales contract. Legal basis: necessity for the performance of the sales contract (Article 6, paragraph 1, letter b of the GDPR);
c) subscription to the newsletter (Newsletter), in order to perform the contract, the subject of which is a service provided electronically. Legal basis - consent of the data subject to the performance of the contract for the provision of the Newsletter service (Article 6, paragraph 1, letter a of the GDPR);
d) using the contact form service in the Online Store for the purpose of performing a contract provided electronically. Legal basis: necessity for the performance of the contract for the provision of the contact form service (Article 6 paragraph 1 letter b of the GDPR);
e) using the recommend-a-friend service in order to perform the contract provided electronically. Legal basis - necessity for the performance of the contract for the provision of the recommend-a-friend service (Article 6 paragraph 1 letter b of the GDPR) in relation to the Customer providing personal data, and necessity for the purposes of legitimate interests pursued by the controller or a third party (Article 6 paragraph 1 letter f of the GDPR) in relation to the recipient of the message.
f) using the ask about the product service for the purpose of performing a contract the subject of which is a service provided electronically. Legal basis: necessity for the performance of the contract for the provision of the service ask about the product (Article 6 paragraph 1 letter b of the GDPR);
g) use the availability notification service in the Online Store for the purpose of performing a contract provided electronically. Legal basis: necessity for the performance of the contract for the provision of the service notify about availability (Article 6, paragraph 1, letter b of the GDPR).
3. When registering an account in the Online Store, the Customer provides:
a) email address;
b) name and surname;
c) telephone number.
4. When registering an account in the Online Store, the Customer independently sets a unique password for access to their account. The Customer may change the password at a later time, as described in §6.
5. When placing an order in the Online Store, the Customer provides the following data:
a) email address;
b) address details:
a. postal code and city;
b. street and house/apartment number.
c) name and surname;
d) telephone number.
6. In case of using the Newsletter service, the Customer provides his/her e-mail address or telephone number - as selected by the Customer, and additionally his/her name.
7. When using the contact form service, the Customer provides the following data:
a) email address;
b) name and surname;
c) telephone number.
8. In case of using the recommend to a friend service, the Customer provides:
a) name of the addressee;
b) the recipient's e-mail address;
c) your name;
d) your email address.
9. When using the ask about the product service, the Customer only provides his/her e-mail address.
10. In case of using the availability notification service, the Customer only provides his/her e-mail address.
11. When using the Store Website, additional information may be downloaded, in particular: the IP address assigned to the Customer's computer or the external IP address of the Internet provider, domain name, browser type, access time, type of operating system.
12. Navigational data may also be collected from Customers, including information about links and references they choose to click on or other activities undertaken in the Online Store. Legal basis - legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in facilitating the use of services provided electronically and improving the functionality of these services.
13. In order to establish, pursue and enforce claims, certain personal data provided by the Customer when using the functionalities in the Online Store may be processed, such as: first name, last name, data regarding the use of services, if the claims result from the way in which the Customer uses the services, other data necessary to prove the existence of the claim, including the extent of the damage suffered. Legal basis - legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in establishing, pursuing and defending against claims in proceedings before courts and other state authorities.
14. ENDO processes personal data, including: first name, last name, email address, as well as responses to questions submitted as part of the satisfaction survey and forms used for satisfaction surveys. Participation in such activities is voluntary. If the Client does not consent to participation, they may notify ENDO at any time at the address specified in §7, and ENDO will then block the relevant data. Legal basis - legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in improving the functionality of services provided electronically and assessing satisfaction with the services we provide.
15. The provision of personal data to ENDO is voluntary, in connection with concluded sales contracts or the provision of services via the Online Store Website, provided, however, that failure to provide the data specified in the data forms during the Registration process prevents Registration and establishment of a Customer Account, and in the case of placing an order without Registration of the Customer Account, placement and fulfilment of the Customer order will be impossible.
§ 2 Who is the data shared or entrusted to and how long is it stored?
1. Customer personal data is transferred to service providers used by ENDO to operate the Online Store. Depending on contractual arrangements and circumstances, service providers to whom personal data is transferred are either subject to ENDO's instructions regarding the purposes and methods of processing such data (processors) or independently determine the purposes and methods of processing (controllers).
a) Processors. ENDO uses suppliers who process personal data only at ENDO's request. These include, among others, suppliers of hosting services, accounting services, marketing systems, systems for analyzing traffic in the Online Store, and systems for analyzing the effectiveness of marketing campaigns;
b) Administrators. ENDO uses suppliers who do not act solely on instructions and independently determine the purposes and methods of using customer personal data. They provide electronic payment and banking services.
2. Location. Service providers are based in Poland and other countries of the European Economic Area (EEA).
3. Customers' personal data are stored:
a) If consent is the basis for personal data processing, the Client's personal data will be processed by ENDO until consent is revoked, and after consent is revoked, for a period corresponding to the limitation period for claims that may be brought by ENDO and against it. Unless specific provisions provide otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to business activity, three years.
b) If the basis for data processing is the performance of a contract, the Client's personal data is processed by ENDO for as long as necessary to perform the contract, and thereafter for a period corresponding to the limitation period for claims. Unless specific provisions provide otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to business activity, three years.
4. In the event of a purchase in the Online Store, personal data may be transferred, depending on the Customer's choice, to the following entities for the purpose of delivering the ordered goods:
a) courier company;
b) InPost Paczkomaty Sp. z o. o. with its registered office in Kraków, providing delivery services and operating a system of post office boxes (Paczkomaty);
c) Poczta Polska SA with its registered office in Warsaw;
d) Ruch SA with its registered office in Warsaw, providing delivery services within points of sale;
e) DHL Parcel Polska Sp. z o. o. with its registered office in Warsaw, providing the Delivery service within DHL Parcel points (DHL Parcelshop).
5. If the Customer chooses to pay via the PayU or Visa Checkout system, his/her personal data is transferred to the extent necessary to process the payment to PayU SA with its registered office in Poznań (60-166), at ul. Grunwaldzka 182, entered into the register of entrepreneurs maintained by the District Court Poznań - Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register under the KRS number 0000274399.
6. If the Customer selects payment via the "PayU I Pay Later" payment system, his or her personal data are transferred to the extent necessary for execution of the payment to PayU SA with its registered office in Poznań (60-166), at ul. Grunwaldzka 182, entered into the register of entrepreneurs maintained by the District Court Poznań - Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register under KRS number 0000274399, and to the Seller's lending partner, i.e. to the extent necessary for execution of the payment to Twisto Polska sp. z o. o. with its registered office in Warsaw (02-566), at ul. Puławska 2, entered into the register of entrepreneurs maintained by the District Court for the capital city of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under KRS number 0000689624, and ING Bank Śląski SA with its registered office in Katowice (40-086), at ul. Sokolska 34, entered into the register of entrepreneurs maintained by the District Court Katowice-Wschód in Katowice, 8th Commercial Division of the National Court Register under the KRS number 0000005459.
7. Navigation data may be used to provide Customers with better service, analyze statistical data and adapt the Online Store to Customer preferences, as well as to administer the Online Store.
8. If the Customer subscribes to the newsletter (Newsletter), ENDO will send electronic messages to his/her e-mail address containing commercial information about promotions and new products available in the Online Store.
9. In the event of a request, ENDO makes personal data available to authorized state authorities, in particular organizational units of the Prosecutor's Office, the Police, the President of the Office for Personal Data Protection, the President of the Office of Competition and Consumer Protection or the President of the Office of Electronic Communications.
§ 3 Cookie mechanism, IP address
1. The Online Store uses small files called cookies. ENDO stores them on the end device of a visitor to the Online Store, if the web browser allows it. A cookie file typically contains the name of the domain it comes from, its expiration date, and an individual, randomly selected number identifying the file. Information collected using this type of file helps ENDO tailor the products offered to the individual preferences and actual needs of visitors to the Online Store. They also enable the development of general statistics on visits to the products presented in the Online Store.
2. ENDO uses two types of cookies:
a) Session cookies: Once a browser session ends or the computer is turned off, the stored information is deleted from the device's memory. The session cookie mechanism does not allow for the collection of any personal data or confidential information from customers' computers.
b) Persistent cookies: They are stored in the memory of the Customer's end device and remain there until they are deleted or expire. The persistent cookie mechanism does not allow the collection of any personal data or any confidential information from the Customer's computer.
3. ENDO uses its own cookies for the following purposes:
a) authenticating the Customer in the Online Store and ensuring the Customer’s session in the Online Store (after logging in), thanks to which the Customer does not have to re-enter the login and password on each subpage of the Online Store;
b) analyses, research and audience audits, in particular to create anonymous statistics that help understand how Customers use the Store Website, which enables the improvement of its structure and content.
4. ENDO uses external cookies for the following purposes:
a) authenticating the Customer in the Online Store and ensuring the Customer’s session in the Online Store (after logging in), thanks to which the Customer does not have to re-enter the login and password on each subpage of the Online Store, using the Facebook.com social networking site (external cookie administrator: Facebook Inc. based in the USA or Facebook Ireland based in Ireland);
b) collecting general and anonymous statistical data via Google Analytics analytical tools (external cookie administrator: Google Inc. based in the USA) https://www.google.com/intl/pl/about/company/user-consent-policy-help/;
c) operation of the external payment system Visa Checkout (external cookie administrator: Visa USA Inc. with its registered office in Foster City).
5. The cookie mechanism is safe for the computers of Online Store Customers. In particular, it is impossible for viruses or other unwanted software or malware to enter Customers' computers this way. However, Customers have the option of limiting or disabling cookie access to their computers in their browsers. If this option is used, the Online Store will still be available for use, except for functions that, by their nature, require cookies.
6. Below we present how you can change the settings of popular web browsers regarding the use of cookies:
- Microsoft Edge browser;
- Mozilla Firefox browser;
- Chrome and Chrome Mobile browsers;
- Safari and Safari Mobile browsers;
- Opera browser.
7. ENDO may collect Customer IP addresses. An IP address is a number assigned to the computer of a visitor to the Online Store by the Internet service provider. The IP number provides access to the Internet. In most cases, it is assigned to the computer dynamically, meaning it changes with each Internet connection. ENDO uses the IP address to diagnose technical problems with the server, create statistical analyses (e.g., determine which regions receive the most visits), as information useful in administering and improving the Online Store, as well as for security purposes and to identify server-burdening, unwanted automated programs for browsing the Online Store's content.
8. The Online Store contains links and references to other websites. ENDO is not responsible for the privacy policies applicable therein.
§ 4 Rights of data subjects
1. The right to withdraw consent - legal basis: Article 7(3) of the GDPR.
a) The Client has the right to withdraw any consent given to ENDO.
b) Withdrawal of consent takes effect from the moment of withdrawal of consent.
c) Withdrawal of consent does not affect the processing carried out by ENDO in accordance with the law before its withdrawal.
d) Withdrawal of consent does not entail any negative consequences for the Customer, but may prevent further use of services or functionalities which, according to the law, ENDO may only provide with consent.
2. The right to object to data processing - legal basis: Article 21 of the GDPR.
a) The Customer has the right to object at any time - for reasons related to his/her particular situation - to the processing of his/her personal data, including profiling, if ENDO processes his/her data based on a legitimate interest, e.g. marketing of ENDO products and services, keeping statistics on the use of individual functionalities of the Online Store and facilitating the use of the Online Store, as well as satisfaction surveys.
b) Unsubscribing via e-mail from receiving marketing communications regarding products or services will mean the Customer's objection to the processing of his or her personal data, including profiling for these purposes.
c) If the Customer's objection proves to be justified and ENDO has no other legal basis for processing personal data, the Customer's personal data to the processing of which the Customer has objected will be deleted.
3. The right to delete data ("the right to be forgotten") - legal basis: Article 17 of the GDPR.
a) The Customer has the right to request the deletion of all or some of his/her personal data.
b) The Customer has the right to request the deletion of personal data if:
a. the personal data are no longer necessary for the purposes for which they were collected or processed;
b. the Customer has withdrawn a specific consent, to the extent that personal data were processed based on that consent;
c. the Customer has objected to the use of his/her data for marketing purposes;
d. personal data are processed unlawfully;
e. personal data must be erased in order to comply with a legal obligation under Union law or the law of the Member State to which ENDO is subject;
f. the personal data were collected in connection with the provision of information society services.
c) Despite a request to delete personal data, in connection with an objection or withdrawal of consent, ENDO may retain certain personal data to the extent that processing is necessary to establish, pursue, or defend legal claims, as well as to comply with a legal obligation requiring processing under EU or Member State law to which ENDO is subject. This applies in particular to personal data including: first name, last name, and email address, which are retained for the purpose of handling complaints and claims related to the use of ENDO services, and additionally, residential/mailing address and order number, which are retained for the purpose of handling complaints and claims related to concluded sales contracts or the provision of services.
4. The right to limit data processing - legal basis: Article 18 of the GDPR.
a) The Client has the right to request the restriction of the processing of their personal data. Submitting a request, until it is resolved, will prevent the use of certain functionalities or services that would involve the processing of the data covered by the request. ENDO will also not send any communications, including marketing communications.
b) The Customer has the right to request the restriction of the use of personal data in the following cases:
a. when he/she questions the accuracy of his/her personal data – then ENDO limits their use for the time needed to check the accuracy of the data, but no longer than for 7 days;
b. when the data processing is unlawful and instead of deleting the data, the Customer requests the restriction of their use;
c. when personal data are no longer necessary for the purposes for which they were collected or used but are still needed by the Client to establish, pursue or defend claims;
d. when he has objected to the use of his data – then the restriction takes place for the time needed to consider whether – due to the specific situation – the protection of the Client’s interests, rights and freedoms outweighs the interests pursued by the Controller in processing the Client’s personal data.
5. Right of access to data - legal basis: Article 15 of the GDPR.
a) The Customer has the right to obtain confirmation from the Controller whether he processes personal data, and if so, the Customer has the right to:
a. access his/her personal data;
b. obtain information about the purposes of processing, the categories of personal data being processed, the recipients or categories of recipients of such data, the planned period of storage of the Customer's data or the criteria for determining this period (when it is not possible to determine the planned period of data processing), the Customer's rights under the GDPR and the right to lodge a complaint with a supervisory authority, the source of such data, automated decision-making, including profiling, and the safeguards applied in connection with the transfer of such data outside the European Union;
c. obtain a copy of his/her personal data.
6. Right to rectification - legal basis: Article 16 of the GDPR.
a) The Customer has the right to request immediate rectification of any inaccurate personal data concerning them by the Controller. Taking into account the purposes of processing, the Customer whose data is processed has the right to request the completion of incomplete personal data, including by providing an additional statement, by sending a request to the email address specified in §7 of the Privacy Policy.
7. Right to data portability - legal basis: Article 20 of the GDPR.
a) The Client has the right to receive their personal data provided to the Controller and then transmit it to another personal data controller of their choice. The Client also has the right to request that the Controller transmit their personal data directly to such controller, if technically feasible. In such a case, the Controller will transmit the Client's personal data in the form of an XML file, which is a commonly used, machine-readable format that allows the data to be transmitted to another personal data controller.
8. If the Client exercises the above rights, ENDO will either comply with the request or refuse to comply with it immediately, but no later than one month after receiving it. However, if – due to the complex nature of the request or the number of requests – ENDO is unable to comply with the request within one month, it will comply within the next two months, informing the Client within one month of receiving the request of the intended extension and the reasons therefor.
9. The Customer may submit complaints, inquiries and requests to the Administrator regarding the processing of his or her personal data and the exercise of his or her rights.
10. The Client has the right to request from ENDO a copy of the standard contractual clauses by sending an inquiry in the manner indicated in §7 of the Privacy Policy.
11. The Customer has the right to lodge a complaint with the President of the Personal Data Protection Office regarding the violation of his/her rights to personal data protection or other rights granted under the GDPR.
§ 5 Services tailored to preferences and interests (profiling)
1. Profiling means any form of automated Processing of Personal Data which involves the use of Personal Data to evaluate certain personal factors relating to a Natural Person, in particular to analyse or forecast aspects relating to the performance of that Natural Person at work, their economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
2. Customers' personal data may be processed in an automated manner (profiling), however, this will not produce any legal effects or have a similar significant impact on the situation of Customers.
3. Profiling of personal data by ENDO involves the processing of Customer data in an automated and manual manner, by using it to evaluate certain information about the Customer, in particular to analyze or forecast his or her personal preferences and interests.
4. In order to reach the Customer with marketing messages via the Online Store Website, ENDO uses the services of external providers. These services consist of displaying marketing messages on the Online Store Websites. For this purpose, external providers install, for example, appropriate code or pixels to retrieve information about the Customer's activity on the Online Store Website. Details regarding the cookies used can be found in §3. Legal basis - legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in tailoring marketing messages to preferences and interests.
5. In order to reach the Customer with marketing messages via the Online Store Website, ENDO uses its own cookie mechanisms to collect information about the Customer's activity on the Online Store Website. Details regarding the cookies used can be found in §3. Legal basis - legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in tailoring marketing messages to preferences and interests.
§ 6 Security management - password
1. ENDO provides Customers with a secure and encrypted connection when transmitting personal data and when logging into the Customer Account on the Website. ENDO uses an SSL certificate issued by one of the world's leading companies in the field of security and encryption of data transmitted over the internet.
2. If a Customer with an Online Store account has lost their password in any way, the Online Store allows them to generate a new password. ENDO does not send password reminders. The password is stored in an encrypted form, making it unreadable. To generate a new password, the Customer enters their email address in the form available under the "Forgot Password" link provided in the Online Store account login form. The Customer will receive an email at the email address provided during registration or saved in the last account profile change, redirecting them to a dedicated form available on the Store's website, where they will be able to set a new password.
3. ENDO never sends any correspondence, including electronic correspondence, with a request to provide login details, in particular the access password to the Customer's account.
§ 7 Changes to the Privacy Policy
1. The Privacy Policy may be subject to change, of which ENDO will inform Customers 7 days in advance.
2. Please send any questions regarding the Privacy Policy to: e-sklep@endo.pl
3. Date of last modification: 01/01/2022