- Controller – LUCKYYOU Interactive sp. z o.o., ul. Zakręt 8, 60-352 Poznań, NIP (tax identification number): 7811883362, KRS (National Court Register): 0000451138, share capital: PLN 50,000 (paid in full).
- Services – any product, service, web service limited by logging, content, functionality, technology or function, all related websites and applications that we offer to you – permanently or occasionally.
- Website – www.luckyyou.pl.
- GDPR – the Regulation of the European Parliament and of the Council (EU) of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
- User – any person using the Services offered by the Controller using the Website.
02. Basic Information
We are the Controller within the meaning of the GDPR in relation to the personal data of Users who are natural persons. The Controller determines the purposes and means of processing the Users' personal data on its own and under its own responsibility. We do not have a Data Protection Officer. If you have any questions or concerns about how your personal data is protected, please contact us at: firstname.lastname@example.org. Personal data is any information that can be used to identify an individual, for example name, telephone number, email address, delivery address.
03. Collection of personal data
Collecting personal data directly from the User:
- The website offers the possibility to contact the Controller or his/her employees by e-mail or telephone.
- In the case of telephone or email contact, we collect all the information you choose to provide during a conversation or during correspondence with our employees or representatives.
- Please be advised that in the case of telephone contact, no conversations are recorded.
- The Controller also offers access to selected Services in a login-restricted manner (available for logged-in Users).
Data collected automatically when the User uses the Services. When you use the Website and the Services, the following information is automatically collected:
- Device Data – we collect information about the device you are using, such as operating system version and unique identifiers.
- Location information – depending on the privacy settings of the device you use, we automatically collect and process information about your current location. We use a variety of technologies to determine your location, including IP address, GPS, Wi-Fi access points and mobile base stations. Your location data allows us to tailor a more personalised (local) offer if you are interested in the Services provided by the Controller and, based on your prior consent, to send you commercial and marketing information about contests or events organised by the Controller near your location.
- Log-in data – we collect technical details, including the internet protocol address (IP address) of your device, time zone information and operating system. We also store information about your login and the type and kind of web browser you use.
- Website activity data – we collect information about your activity on the Website, in particular information about the pages from which you arrive at our Website, the date of each visit, the results of your searches, the duration of your visit to the Website, and the order in which sections (sub-pages) of our Website are visited.
Data obtained from third parties or publicly available sources. We do not exclude that we may also obtain your personal data in other ways, such as:
- Obtaining certain technical and usage-based information from providers of analytical services (e.g. Google).
- Obtaining address and contact data related to your business from information providers, such as business intelligence providers and entities building databases of potential contractors and from publicly available registers (e.g. Central Register and Information on Business Activity).
- Other Users, to the extent that they correspond with us regarding our Services (e.g. an email enquiry regarding an issue previously agreed with you, and subsequent reference to these issues – including personal data – by a third party).
Collection of personal data from children:
- Our Services are not directed at children under the age of 16 and we do not knowingly obtain information about them. If we discover that a person under the age of 16 has provided us with personal data, we shall immediately delete that data if we are unable to determine whether the child's parent or guardian has consented or permitted the child to use our Services.
04. Purposes and legal basis for the processing of personal data
Your personal data shall only be used by us if it is in accordance with the law. Most commonly, the processing of your personal data shall take place when:
- It is necessary for the conclusion or performance of the Agreement (please note that by using our Services you are entering into an agreement to provide Service Agreements by electronic means).
- It is necessary for the purposes of our legitimate interests in improving our Services and providing you with access to a secure and efficient Website.
- It is necessary for you to log in to or access your chosen Service of the Controller.
- It is necessary to comply with a legal obligation incumbent upon us.
We would like to inform you that we process your personal data when you visit the Controller's profiles maintained on social media (Facebook, Instagram, Linkedin). This data is processed exclusively in connection with the operation of the profile, including for the purpose of informing Users about the Controller's activities and promoting various events, services and products, as well as for the purpose of communicating with Users through the functionalities available on social media. The legal basis for the Controller's processing of your personal data for this purpose is its legitimate interest (Article 6 section 1(f) of the GDPR) in promoting its own brand and building and maintaining a brand-related community.
In certain circumstances, we may also process your personal data on the basis of consent obtained from you. In such cases, we shall inform you at the time of obtaining your consent about the purpose of the processing and the category of personal data processed.
05. User Rights
The applicable laws grant you a number of rights related to the processing of your personal data. If you wish to exercise any of the rights described below, you should, for this purpose, contact the Controller by email at the address indicated in part 2.
In relation to the processing of your personal data, the GDPR provides the following rights for data subjects affected by the processing:
- The right of access to your personal data – this right allows you to be informed whether we process personal data about you and, if so, the right to receive a copy of the personal data we process. The right of access to your personal data allows you to verify that we process it lawfully.
- The right to rectification of personal data – this right provides you with the opportunity to request the rectification of incomplete, inaccurate or outdated data that we process. In some cases, in fulfilling your request we will need to verify the accuracy of the new data you provide to us.
- The right to restrict the processing of your personal data – this right allows you to request us to stop the processing of your personal data in the following situations: (i) where it is your wish that we verify the accuracy of the data; (ii) where our processing is unlawful; (iii) where you have lodged an objection to our processing, but we need to verify that we still have an overriding and legitimate basis to continue processing your personal data.
- Right to erasure – this right allows you to request the erasure of your personal data if it is no longer necessary for the purpose for which it was collected. You can also request us to erase your personal data if you have successfully exercised your right to object to processing (see below), if we process your data unlawfully or if we are obliged to erase your personal data for the purpose of complying with a legal obligation under applicable law. Please note that in some cases, we are obliged to process your data on the basis of applicable law and cannot comply with the request.
- The right to object to the processing of data relating to you if we process the data on the basis of a legitimate interest premise (ours or third parties) – you can object on grounds relating to your particular situation when you believe the processing affects your rights or freedoms. You also have the right to object if we process your data for direct marketing purposes. In some cases, we can demonstrate that we have legitimate grounds for processing that override your rights and freedoms (e.g. the need to ensure the security of the Website and to prevent fraud). In such cases, the right to object is not combined with the erasure of your personal data.
- Right to data portability – in exercising this right, we shall provide you or a third party designated by you with your personal data in a structured, commonly used, machine-readable format. You are only entitled to this right in relation to data processed on the basis of consent or a prerequisite for the performance of an Agreement you have concluded with us, and the processing itself is carried out by automated means (in IT systems).
If you have given us consent to process your personal data, you have the right to withdraw it at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal. You can withdraw your consent by directing your request to the email address indicated in part 2 of this Policy or, in each case, by clicking on the link in the email sent to you as a result of obtaining your prior consent.
The exercise of rights is, as a rule, free of charge – there is no charge for exercising the right to access your personal data (or for exercising any other rights). However, we may charge a reasonable fee if the request made is manifestly unreasonable or excessive, in particular due to their continuing nature. In such cases, we may also refuse to comply with the request.
We endeavour to respond to all legally justified requests within one month. If the request is particularly complex or several requests have been made, it may take us longer than one month to process them. In this case, we shall inform you of the extension of the deadline and provide you with up-to-date information on the fulfilment of the request.
You also have the right to lodge a complaint with the competent supervisory authority at any time. We would be grateful if, before lodging a complaint with a supervisory authority, you would give us the opportunity to address your case and your concerns about our performance. For this reason, please contact us by e-mail at the address indicated in part 2.
06. Sharing of personal data
For the purposes indicated in part 4, we may share your personal data with the following categories of recipients:
- Third party service providers – we use third parties to help provide us with certain solutions in relation to our Services, e.g. cloud storage, hosting providers, entities that carry out marketing campaigns on our behalf. Service Providers of such services may be based both within and outside the 'EEA'.
- Marketing and analytics providers – for the purpose of improving our Services, we sometimes share information about you in non-identifiable form with analytics providers who help us analyse how Users use our Website. For the purposes of monitoring and reporting on the effectiveness of our business partners' campaigns and for internal business analytics purposes, we share information with them in a manner that does not identify Users.
- Law enforcement, supervisory authorities and others – we may disclose your personal data to law enforcement, supervisory authorities, public authorities, entities performing public tasks or acting on behalf of public authorities and other third parties. Such disclosure is made in connection with the performance of legal obligations.
07. Transfer of personal data to third countries
We do not exclude the possibility that situations may arise when your personal data is transferred outside the 'EEA'. In such a situation, we guarantee that a similar level of protection shall be provided by implementing one or more of the following safeguards:
08. Period and place of storage of personal data
The data we collect about you shall be stored and processed within the ‘EEA’ on appropriately secure servers for the purpose of providing you with the best possible service.
We keep your data for as long as necessary to fulfil the purposes for which it was collected, including in the fulfilment of legal, tax and accounting obligations or for reporting purposes.
W celu określenia odpowiedniego okresu retencji danych osobowych, uwzględniamy ilość i charakter przetwarzanych danych, w tym charakter danych szczególnej kategorii. Bierzemy także pod uwagę potencjalne ryzyko niedozwolonego wykorzystania lub nieuprawnionego ujawnienia Państwa danych osobowych, możliwość realizacji celów przetwarzania za pomocą innych środków oraz treść przepisów odnoszących się do przetwarzanych danych osobowych.
Personal data related to cookie technology is stored for a period of time corresponding to the life cycle of cookies or until it is deleted by the User.
09. Organisational and technical measures and security of personal data processing
The information we obtain about you, including information containing personal data, is stored on appropriately secured servers.
In order to ensure the security of the processing of your personal data, appropriate and necessary technical and organisational measures for the protection of your personal data are also implemented. In particular, we ensure that the personal data we process is:
- Correct and processed in a lawful manner.
- Obtained only for the purposes specified and not further processed in a manner incompatible with those purposes.
- Adequate, relevant and not excessive in relation to the purposes of their processing.
- Accurate and up-to-date.
- Not kept longer than necessary.
- Safely stored.
- Not transferred to a country outside the EEA without adequate protection.
Despite the data protection measures we have implemented, your sharing of information via the Internet or publicly accessible networks can never be considered completely secure and there is a risk of unauthorised third parties gaining access to your personal data.
10. Automated personal data processing and profiling
The information we collect in connection with your use of our Website online may be processed by automated means (including profiling), but this shall not have any legal effect on you or similarly materially affect you.
With regard to the issue of profiling, we inform you that:
- We do not process any sensitive data for the purposes of profiling.
- For the purposes of profiling, we generally process data that has previously been pseudonymised or such data that we have aggregated.
- If we cannot achieve the purpose otherwise than by profiling personal data that has not been pseudonymised or aggregated, we use typical data for this purpose: e-mail and IP address or cookies.
- We profile for the purpose of analysing or predicting the personal preferences and interests of people using our Website and Services and adapting the content on our Website to these preferences.
- We profile for marketing purposes, i.e. to match marketing offers to the above preferences.
The Policy is reviewed on an ongoing basis and updated if necessary.