Łódź, January 09, 2024

Privacy Policy

§1 General Provisions

  1. This privacy policy for the mghost.pl website (hereinafter referred to as the "Website") is informative in nature, which means that it is not a source of obligations for Service Recipients using the Website. The privacy policy primarily contains rules regarding the processing of personal data by the Administrator on the Website during the use of services provided by the Administrator of personal data, including the basis, purposes and scope of personal data processing, as well as the rights of individuals whose data is being processed, and information on the use of cookies and analytical tools on the Website.

  2. The Administrator of personal data collected through the Website is Miracle Group Paulina Chmielewska, with registered office in Łódź, address: ul. Gabriela Narutowicza 126a, 90-145 Łódź, tax identification number: 7292740083, REGON: 389810223, email address contact@mghost.pl - hereinafter referred to as the "Administrator" and also the Service Provider of the services presented on the Website.

  3. Personal data processing is carried out in accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) of 27 April 2016 (EU Official Journal L No. 119), hereinafter referred to as the GDPR, taking into account the provisions of the Act on the provision of electronic services and other generally applicable provisions of law.

  4. The Administrator takes special care to protect the interests of individuals whose personal data is processed by them, and in particular is responsible for and ensures that the data collected by them are:

    1. processed lawfully,

    2. collected for specified, lawful purposes and not subjected to further processing incompatible with those purposes,

    3. factually correct and adequate in relation to the purposes for which they are processed,

    4. stored in a form that allows for the identification of the persons to whom they relate, for no longer than is necessary to achieve the purpose of the processing,

    5. processed in a manner ensuring appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.

  5. All words, phrases, and acronyms appearing in this Privacy Policy and beginning with a capital letter should be understood in accordance with their definition contained in the General Terms and Conditions for the provision of electronic services.

  6. The Service performs the function of collecting information about Users and their behavior in the following way:

    1. through voluntarily entered data in the forms, which are entered into the Service Provider's systems,

    2. through the use of the Service Provider's services,

    3. by storing cookie files on end devices,

    4. by storing technical information in http server logs, email, or other network services and applications of the Service Provider (system logs).

  7. Providing personal data is voluntary, but the Service Provider informs that unless otherwise indicated in the content of individual forms (e.g. that providing data is optional), the Service Provider's services cannot be used anonymously or using a pseudonym. Therefore, refusing to provide data may result in refusal to conclude an agreement and provide the ordered service.

 

§2 Basics of Data Processing

  1. The administrator is authorized to process personal data in cases where, and to the extent that, at least one of the following conditions is met:

    1. The person whose data is being processed has given consent for their personal data to be processed for one or more specific purposes.

    2. The processing is necessary for the performance of a contract to which the person whose data is being processed is a party, or for the taking of steps at the request of the person whose data is being processed prior to entering into a contract.

    3. The processing is necessary to fulfill a legal obligation incumbent upon the administrator.

    4. The processing is necessary for the purposes of the legitimate interests pursued by the administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the person whose data is being processed, requiring protection of personal data, in particular where the person whose data is being processed is a child.

  2. Processing of personal data by the administrator requires the occurrence of at least one of the bases indicated in point 2.1 of the privacy policy. The specific bases for processing personal data of Service recipients by the administrator are indicated in the next point of the privacy policy – with respect to the specific purpose of processing personal data by the administrator.

  3. The administrator makes every effort to protect data from unauthorized access, unauthorized modification, disclosure, and destruction of information held by the administrator. In particular:

    1. The administrator controls the methods of collecting, storing, and processing information, including physical security measures to prevent unauthorized access to the system.

    2. Access to personal data is granted only to those employees, contractors, and representatives who need to have access to them to process them for the purposes of the Service.

 

§3 Purpose, basis, period, and scope of personal data processing

  1. The personal data of the Service Recipient is processed for the following purposes:

    1. conclusion and performance of the Service Agreement in accordance with the General Terms and Conditions, including consideration of any complaints and provision of technical support – the legal basis for processing is the necessity of processing for the conclusion and performance of the Agreement,

    2. keeping of the Administrator's accounts – the necessity of processing is to fulfill the legal obligation incumbent on the Administrator arising from generally applicable laws, in particular the Tax Ordinance Act of August 29, 1997, the Accounting Act of September 29, 1994, and the Value Added Tax Act of March 11, 2004,

    3. preventing and detecting abuses, verifying the Service Recipient's payment credibility, determining and defending against claims and pursuing claims – the legal basis for processing is the necessity of processing for the realization of the Administrator's legitimate interests,

    4. direct marketing of own products and services – the legal basis for processing is the necessity of processing for the realization of the Administrator's legitimate interests,

    5. conducting statistical and qualitative analyses – the legal basis for processing is the necessity of processing for the realization of the Administrator's legitimate interests.

  2. Personal data provided by Service Users for the purpose of using the Services are used in the process of their activation and provision. This includes, above all, such actions as:

    1. technical activation of the services,

    2. payment processing and invoicing,

    3. processing and storage of financial documents based on specific regulations: tax, financial and accounting, etc.,

    4. informing about the expiration dates of the Service and the possibility of their extension,

    5. informing about planned technical works and failures,

    6. informing about significant configuration changes,

    7. informing about changes in regulations,

    8. providing technical support, including answering User questions,

    9. clarifying settlement issues,

    10. direct sales contact (if requested by the User),

    11. sending marketing information - if the User gives consent to it.

  3. The Service Provider, offering hosting services, may also be a personal data processor - with regard to data whose administrators are Service Users and which have been entrusted to him through the conclusion of an appropriate personal data processing agreement. The detailed rules are then specified in that agreement, and this privacy policy does not apply to the use of this type of data. In relation to these data, the Service Provider is not an administrator.

  4. For the proper functioning of the Portal, including the performance of concluded agreements, it is necessary for the Administrator to use the services of external entities (such as entities handling payments, entities maintaining subscriber registers, marketing entrepreneurs, legal services, accounting, auditors, and couriers). The Administrator uses only the services of processing entities that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and protects the rights of the persons whose data are processed.

  5. The transfer of data by the Administrator does not occur in all cases or to all recipients or categories of recipients indicated in the privacy policy - the Administrator transfers data only when necessary to achieve the specific purpose of processing personal data and only to the extent necessary to achieve it.

  6. The Administrator may transfer personal data to a third country or international organization, but only if they provide adequate safeguards and provided that the enforceable rights of the persons whose data are processed and effective legal protection (Art. 46 of the GDPR) are in place. In the event of a lack of adequate safeguards specified in Art. 46 of the GDPR, the transfer of personal data by the Administrator may only take place as a result of explicit and voluntary consent of the Service Recipient, who has been informed of the potential risk of transferring his/her data to a third country that does not provide adequate protection for personal data.

  7. If the Administrator processes personal data based on consent, such consent may be withdrawn at any time. However, this may result in the loss of access to the service provided based on the previously given consent. Withdrawal of consent does not affect the lawfulness of the processing carried out by the Administrator before its withdrawal.

  8. The Administrator may process Personal Data for the following purposes, on the following legal bases, for the periods, and to the following extent:

Data processing purpose

Legal basis for processing and data retention period

Scope of data processing

Performing the Agreement or taking actions at the request of the data subject prior to the conclusion of the Agreement, including responding to questions asked by the Service Recipient.

Article 6(1)(b) of the GDPR (performance of a contract)

The data is stored for the period necessary for the performance, termination, or other expiration of the contract concluded.

Maximum scope: first name and last name, email address, contact phone number, address (street, house number, apartment number, postal code, city, country), residential address/business address/registered office, PESEL number.

In the case of Service Recipients who are not consumers, the Administrator may additionally process the name of the company and the tax identification number (NIP) of the Service Recipient.

Direct marketing

Article 6(1)(f) of the GDPR (legitimate interest of the controller).

Direct marketing - until the data subject objects under Article 21-22 of the GDPR.

Email address.

Marketing, sending commercial information by electronic means.

Article 6(1)(a) of the GDPR in connection with Article 172(1), Article 173(1) of the Telecommunications Law, and Article 10(2) of the Act on the provision of electronic services (Consent).

The data is kept until the consent is withdrawn or the person whose data it concerns objects to further processing of their data for this purpose.

Name, email address.

Maintaining accounting records

Tax Ordinance of 17 January 2017 (Journal of Laws of 2017, item 201) (fulfillment of legal obligations in the field of accounting)

The data is stored for the duration of the Agreement, and then for the period of time required by law, which obliges the Administrator to keep tax records (until the expiry of the limitation period for the tax liability, unless tax laws provide otherwise).

Name and surname, address of residence/business registered office, company name and tax identification number (NIP) of the Service Recipient, bank account details.

This also includes data necessary for the settlement of the service - all data regarding orders (order history).

Establishment, investigation, or defense of claims that the Controller may raise or that may be raised against the Controller.

Article 6(1)(f) of the GDPR (legitimate interest).

The data will be stored for as long as there is a legitimate interest pursued by the Controller, but no longer than the period of limitation of claims against the person to whom the data relates, in connection with the Controller's business activities. The limitation period is determined by the provisions of law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years, and for sales contracts two years).

Name and surname, telephone number, email address, address (street, house number, apartment number, postal code, city, country), address of residence/business/registered office, PESEL number.

In the case of Service Recipients who are not consumers, the Controller may additionally process the company name and tax identification number (NIP) of the Service Recipient.

Data characterizing the way of using the electronically provided service (ensuring the quality parameters of the service, maintaining security measures, handling inquiries, determining cases of unauthorized use of the service, and providing data to authorized bodies).

Art. 18 (5)-(6) of the Act on the provision of electronic services.

Art. 6 (1)(f) of the GDPR (legitimate interest).

The data is stored for the duration of the service and then until the expiration of the limitation period for any claims.

Name, surname, phone number, email address, address (street, house number, apartment number, postal code, city, country), address of residence/place of business/registered office, PESEL number.

In the case of Service Recipients who are not consumers, the Administrator may additionally process the company name and tax identification number (NIP) of the Service Recipient.

Data contained in correspondence with the Administrator, data obtained in connection with handling complaints, requests, inquiries or claims. The content of statements or requests submitted by the Service Recipient.

Art. 6 (1)(f) of the GDPR (legitimate interest)

Art. 6 (1)(c) of the GDPR (compliance with a legal obligation to respond to requests from data subjects)

Data is stored for the duration of the service and then until the expiration of any claims limitation period.

Name and surname, contact telephone number, email address, address (street, house number, apartment number, postal code, city, country), place of residence/business address/headquarters, PESEL number.

In the case of Service Recipients who are not consumers, the Administrator may additionally process the company name and tax identification number (NIP) of the Service Recipient.

Data requested by public authorities or authorized entities on the basis of legal provisions.

Art. 6(1)(c) GDPR (compliance with a legal obligation)

 

Performing and keeping backup copies. Maintaining the ability to continuously ensure the confidentiality, integrity, availability, and resilience of processing systems and services. Ensuring the ability to quickly restore access to personal data in the event of a physical or technical incident. Regular testing, measuring, and evaluating the effectiveness of technical and organizational measures to ensure processing security.

Art. 6(1)(c) in conjunction with Art. 32(1) GDPR (fulfillment of legal obligations regarding data security, integrity, and availability)

All of the above-described personal data is processed by the Controller in IT systems.

 

§4 Profiling

  1. The GDPR imposes on the Administrator the obligation to inform about automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and - at least in those cases - the essential information on the rules of their adoption, as well as the meaning and anticipated consequences of such processing for the person whose data is concerned. With this in mind, the Administrator provides information on possible profiling in this point of the privacy policy.

  2. The Administrator may use profiling on the Portal for direct marketing purposes, but the decisions made by the Administrator on its basis do not concern the conclusion or refusal to conclude the Agreement. The effect of using profiling may be, for example, granting a discount to a particular User, sending them a discount code, offering a Service that may correspond to the User's interests or preferences, or proposing better conditions compared to the standard offer available on the Portal. Despite profiling, the person concerned makes a free decision whether to take advantage of the discount or better offer received in this way.

  3. Profiling involves automatic analysis or prediction of the behavior of a particular person on the Portal, e.g. by selecting a specific Service, browsing the description of a particular Service, or analyzing the previous history of purchased Services. A condition for such profiling is for the Administrator to have the personal data of the person concerned to subsequently send them, for example, a discount code.

  4. The person whose data is concerned has the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects on them or similarly significantly affects them.

 

§5 Rights of the data subject

  1. Right of access, rectification, restriction, erasure or portability – the data subject has the right to request from the controller access to their personal data, its rectification, erasure ("right to be forgotten") or restriction of processing, and has the right to object to processing, as well as the right to data portability. The detailed conditions for exercising the above rights are set out in Articles 15-21 of the GDPR.

  2. Right to withdraw consent at any time – the data subject, whose data is processed by the controller on the basis of consent given (under Article 6(1)(a) or Article 9(2)(a) of the GDPR), has the right to withdraw the consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

  3. Right to lodge a complaint with a supervisory authority – the data subject, whose data is processed by the controller, has the right to lodge a complaint with a supervisory authority in the manner and under the procedure specified in the GDPR and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.

  4. Right to object – the data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Article 6(1)(e) (public interest or task) or (f) (legitimate interests of the controller), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

  5. Right to object to direct marketing – if personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling, to the extent that it is related to such direct marketing.

  6. In order to exercise the rights referred to in this section of the privacy policy, the data subject may contact the controller by sending an appropriate message in writing or by electronic means to the address of the controller specified at the beginning of the privacy policy, or by using the contact form available on the Portal.

§6 Cookie Policy

  1. Cookies are small text information in the form of text files that are sent by a server and saved on the side of the person visiting the Portal (for example, on the hard drive of a computer, laptop, or on the memory card of a smartphone - depending on the device the client is using). Detailed information about cookies, as well as their history, can be found, among others, here.

  2. The Service uses "session" cookies stored on the client's end device until logging out, closing the website, or closing the web browser, and "persistent" cookies stored on the client's end device for the time specified in the cookie parameters or until deleted by the client.

  3. We use the following cookies:

    1. "necessary" cookies, allowing the use of services available within the service, e.g., authentication cookies used for services requiring authentication within the service,

    2. cookies used to ensure security, e.g., used to detect abuse in the authentication process within the service,

    3. "performance" cookies, allowing the collection of information about how the Portal website is used,

    4. "functional" cookies, allowing the "remembering" of the user's chosen settings and personalization of the user interface, e.g., in terms of the selected language or region the user comes from, font size, website appearance, etc.,

  4. Cookies customize and optimize the Service and its offers for the needs of customers through actions such as creating statistics on the Service's visits and ensuring the security of the Service. Cookies are also necessary to maintain the customer's session after leaving the website, allowing them to return to the contents of their shopping cart without losing its parameters, which would require them to choose services again.

  5. The Administrator/Service processes the data contained in Cookies every time the website is visited by visitors for the following purposes:

    1. identification of Service recipients as currently logged in to the Service,

    2. remembering data filled in automatically and manually, placed in Order Forms, or provided by visitors logging into the Service,

    3. remembering all Products added to the shopping cart to facilitate placing an Order.

  6. The user can completely block and delete the collection of Cookies at any time using their internet browser. Blocking the possibility of collecting Cookies on the user's device may make it difficult or impossible for the user to use some of the Service's functionalities, for which the user is fully authorized, but in such a situation, they must be aware of the limitations of the Service's functionality. Information on managing cookies is available on the websites: wszystkoociasteczkach.pl or allaboutcookies.org.

  7. The user who does not want to use cookies for the purpose described above can manually delete them at any time. To become familiar with detailed instructions on how to proceed, the user should visit the website of the manufacturer of the internet browser currently used by the user.

  8. More information about Cookies is available in the help menu of each internet browser. Sample internet browsers that support cookies include:

    1. Internet Explorer cookie settings,

    2. Chrome cookie settings,

    3. Firefox cookie settings,

    4. Opera cookie settings,

    5. Safari cookie settings,

    6. Cookies in Android,

    7. Cookies in Blackberry,

    8. Cookies in iOS (Safari),

    9. Cookies in Windows Phone.

  9. The Service Provider reserves the right to collect IP addresses of visitors to the Service Provider's Service, which may be helpful in diagnosing technical problems with the server, creating statistical analyses, administering, and improving the Service.

§7 Disclaimer

  1. The Privacy Policy does not cover any information regarding services other than those provided by the Service Provider that have been posted on the Service Provider's website commercially, as a guest, on a reciprocal basis, or not intended to achieve a commercial effect.

  2. The Service Provider is not responsible for the actions or omissions of Service Recipients, as a result of which the Service Provider processes the personal data provided by them in the manner specified in the Privacy Policy.

  3. The Service Provider reserves the right to introduce changes, withdraw or modify the functions or properties of the Service Provider's website, as well as to discontinue its activities, transfer rights to the Service Provider's website, and perform all legal acts permitted by applicable law. For the avoidance of doubt, Service Recipients have no claims against the Service Provider in this respect.

§8 Final provisions

  1. Any additional questions related to the Privacy Policy should be directed to the Service Provider's email address.

  2. The Service Provider reserves the right to introduce changes to the Privacy Policy if required by law or changes made to the Service Provider's website, as well as to improve the operation of the Service Provider's website.

  3. The Privacy Policy is effective from January 09, 2024.