Privacy policy

The following Privacy Policy defines the rules for storing and accessing data on Users' Devices using the Service to provide electronic services by the Administrator, as well as the rules for collecting and processing personal data of Users provided by them personally and voluntarily through the tools available on the Service.

The following Privacy Policy is an integral part of the Service Regulations, which define the rules, rights, and obligations of Users using the Service.

§1 Definitions

• Service - the internet service "businesscardstudio.com" operating at https://businesscardstudio.com
• External Service - internet services of partners, service providers or service recipients cooperating with the Administrator
• Service Administrator / Data - The Service Administrator and Data Administrator (hereinafter referred to as the Administrator) is the company "Pracownia Znaku Michal Stencel," operating at the address: ul. Zaglebiowska 37, 52-007 Wroclaw, Poland, providing electronic services through the Service
• User - a natural person for whom the Administrator provides electronic services through the Service.
• Device - an electronic device with software through which the User gains access to the Service
• Cookies - text data collected in the form of files placed on the User's Device

• GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

• Personal data - means information about an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• Restriction of processing - means the marking of stored personal data with the aim of limiting their processing in the future
• Profiling - means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
• Consent - consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

• Personal data breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

• Pseudonymisation - the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
• Anonymisation - Data anonymization is the irreversible process of operations on data that destroys/overwrites "personal data," making it impossible to identify or associate a given record with a specific user or individual.

§2 Data Protection Officer

Based on Article 37 of the GDPR, the Administrator has not appointed a Data Protection Officer.

Regarding matters related to data processing, including personal data, you should directly contact the Administrator.

§3 Types of Cookie Files

• Internal Cookies - files placed and read from the User's Device by the Service's teleinformatics system.
• External Cookies - files placed and read from the User's Device by the teleinformatics systems of external services. Scripts from external services that can place Cookie files on the User's Device have been consciously placed on the Service through scripts and services provided and installed in the Service.
• Session Cookies - files placed and read from the User's Device by the Service during one session of a given Device. After the session ends, the files are removed from the User's Device.
• Persistent Cookies - files placed and read from the User's Device by the Service until they are manually deleted. The files are not automatically removed after the Device's session ends, unless the User's Device is configured to delete Cookie files after the Device's session ends.

§4 Data Storage Security

• Storage and Retrieval Mechanisms of Cookie Files - The mechanisms for storing, reading, and exchanging data between Cookie Files stored on the User's Device and the Service are implemented through the built-in mechanisms of web browsers. These mechanisms do not allow for the retrieval of other data from the User's Device or data from other websites visited by the User, including personal data or confidential information. It is also practically impossible to introduce viruses, Trojan horses, or other malware to the User's Device.
• Internal Cookies - The Cookie Files used by the Administrator are safe for the User's Devices and do not contain scripts, content, or information that could pose a threat to the security of personal data or the security of the User's Device.
• External Cookies - The Administrator makes every effort to verify and select partners of the service in terms of User security. The Administrator chooses well-known, large partners with a global social reputation. However, the Administrator does not have full control over the content of Cookie Files originating from external partners. The Administrator is not responsible, to the extent permitted by law, for the security of Cookie Files, their content, or their use in accordance with the license by scripts installed on the Service from external services. The list of partners is provided later in this Privacy Policy.
• Cookie Control - The User may change the settings related to the storage, deletion, and access to data stored in Cookie Files by any website at any time. Information on how to disable Cookie Files in the most popular computer browsers is available on the website: [links to browser-specific instructions]. The User can also delete all previously stored Cookie Files at any time using the tools of the User's Device, through which the User uses the services of the Service.
• User-Side Threats - The Administrator employs all possible technical means to ensure the security of data placed in Cookie Files. However, it should be noted that ensuring the security of this data depends on both sides, including the User's activities. The Administrator is not responsible for data interception, session hijacking, or deletion caused by the User's intentional or unintentional actions, viruses, Trojan horses, or other spyware that may infect the User's Device. To protect against these threats, Users should follow the principles of safe internet use.
• Storage of Personal Data - The Administrator assures that every effort is made to ensure that voluntarily provided personal data by Users is secure and that access to this data is limited and used in accordance with its purpose and processing objectives. The Administrator also ensures that all necessary steps are taken to protect the data against loss, including implementing appropriate physical and organizational safeguards.
• Password Storage - The Administrator declares that passwords are encrypted, using the latest standards and guidelines. Decrypting passwords used to access User accounts in the Service is practically impossible.

§5 Purposes for which Cookies are used

1. Enhancing and facilitating access to the Service.
2. Personalizing the Service for Users.
3. Enabling login to the service.
4. Marketing and remarketing on external websites.
5. Conducting statistics (users, visit counts, types of devices, connections, etc.).
6. Providing multimedia services.
7. Providing social media services.

§6 Purposes of processing personal data

Personal data voluntarily provided by Users are processed for one of the following purposes:

1. Execution of electronic services:

   • User account registration and maintenance services in the Service and related functionalities.
   • Newsletter services (including sending promotional content with consent).
   • Sharing information about the content posted on the Service in social media or other websites.
   • Communication between the Administrator and Users regarding the Service and data protection.

2. Ensuring the legitimate interest of the Administrator:

   • Anonymously and automatically collecting and processing User data for the following purposes:
     • Conducting statistics.
     • Remarketing.
     • Ensuring the legitimate interest of the Administrator.

§7 Cookies from external services

The Administrator of the Service uses JavaScript scripts and web components from partners who may place their own cookies on the User's Device. Please note that in your browser settings, you can decide which cookies are allowed to be used by individual websites. Below is a list of partners or their services implemented in the Service that may place cookies:

Social Media / Connected Services: (Registration, Login, content sharing, communication, etc.) Facebook

Content Sharing Services: Pinterest Instagram

Newsletter Services: GetResponse

Statistics Tracking: Google Analytics

Services provided by third parties are beyond the control of the Administrator. These entities may change their terms of service, privacy policies, data processing purposes, and cookie usage methods at any time.

§8 Types of collected data

The service collects data from users, including both automatically gathered anonymous data and personal data voluntarily provided by users during registration for various services offered by the service.

Automatically collected anonymous data may include:

• IP address
• Browser type
• Screen resolution
• Approximate location
• Visited subpages of the service
• Time spent on specific subpages of the service
• Operating system type
• Referring webpage address
• Browser language
• Internet connection speed
• Internet service provider
• Demographic data (age, gender)

Data collected during registration may include:

• First name / last name / pseudonym
• Username
• Email address
• Residential address
• Phone number
• IP address (collected automatically)
• Tax identification number (NIP)

Data collected during newsletter subscription may include:

• First name / last name / pseudonym
• Email address
• Residential address
• IP address (collected automatically)

Some data (without identifying information) may be stored in cookies. Some data (without identifying information) may be transmitted to a statistical service provider.

§9 Access to personal data by third parties

The data provided by users is primarily processed by the Administrator. Data collected within the services provided is not transferred or sold to third parties.

However, certain entities responsible for maintaining the infrastructure and services necessary for operating the website may have access to data, typically under a data processing agreement. These entities include:

1. Hosting companies providing hosting services or related services for the Administrator.
2. Companies facilitating online payments for goods or services offered on the website (in the case of online transactions).
3. Companies responsible for accounting for the Administrator (in the case of online transactions).
4. Companies responsible for delivering physical products to the User (postal/courier services in the case of online transactions).

Data Processing – Newsletter

For the purpose of providing the Newsletter service, the Administrator uses the services of a third-party provider, GetResponse. Data entered in the newsletter signup form is transferred, stored, and processed by this external service provider.

Please note that the mentioned partner may modify its privacy policy without the Administrator's consent.

Data Processing – Hosting Services, VPS, or Dedicated Servers

For website operation, the Administrator uses the services of an external hosting, VPS, or dedicated server provider, dhosting.pl Sp. z o.o. All data collected and processed on the website are stored and processed within the service provider's infrastructure located within the European Union. There is a possibility of access to data due to service-related work carried out by the service provider's personnel. Access to this data is governed by an agreement between the Administrator and the service provider.

Data Processing for Online Payments

In the case of online payments, all payment-related data is directly provided by the User to the payment processor, PayU S.A. Selected data necessary for transaction processing is then transferred by this entity to the Administrator. The transfer of data is governed by an agreement between the Administrator and the service provider.

Data Transfer – Accounting Services

In the event of a transaction, part of the personal data of individuals or data of individuals conducting business activities is transferred to the accounting service provider, inFakt Sp. z o.o., which provides accounting services to the Administrator. The transfer of this data is governed by relevant laws and regulations, as well as an agreement between the Administrator and the service provider.

Data Transfer – Courier Services

In the case of a transaction that requires the transfer of an item related to the transaction through mail or courier services, part of the personal data of individuals or data of individuals conducting business activities is transferred to the mail/courier service provider chosen by the User. The transfer of this data is governed by an agreement between the Administrator and the service provider.

§10 Method of processing personal data

Personal data provided voluntarily by users:

Personal data will not be transferred outside the European Union, unless it has been published as a result of an individual user's action (e.g., posting a comment), which will make the data accessible to anyone visiting the website. Personal data will not be used for automated decision-making (profiling). Personal data will not be sold to third parties. Anonymous data (without personal data) collected automatically:

Anonymous data (without personal data) may be transferred outside the European Union. Anonymous data (without personal data) may be used for automated decision-making (profiling). Profiling of anonymous data (without personal data) does not have legal consequences or significantly affect the individual whose data is subject to automated decision-making. Anonymous data (without personal data) will not be sold to third parties.

§11 Legal basis for personal data processing

The website collects and processes user data based on:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) Art. 6(1)(a) - the data subject has given consent to the processing of their personal data for one or more specific purposes. Art. 6(1)(b) - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Art. 6(1)(f) - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. Personal Data Protection Act of May 10, 2018 (Journal of Laws of 2018, item 1000) Telecommunications Law of July 16, 2004 (Journal of Laws of 2004, No. 171, item 1800) Copyright and Related Rights Act of February 4, 1994 (Journal of Laws of 1994, No. 24, item 83)

§12 Data processing period

Personal data provided voluntarily by users:

As a general rule, the personal data provided is stored only for the duration of the service provided within the website by the Administrator. They are deleted or anonymized within 30 days from the end of the service (e.g., deletion of a registered user account, unsubscribing from the newsletter, etc.).

An exception is a situation that requires the protection of the legitimate interests of further data processing by the Administrator. In such a case, the Administrator will retain the specified data for no longer than 3 years from the date of the User's request for deletion, in the event of a violation or suspected violation of the website's regulations by the User.

Anonymous data (without personal data) collected automatically:

Anonymous statistical data, not constituting personal data, is stored by the Administrator for an indefinite period.

§13 User rights related to personal data processing

The website collects and processes user data based on:

Right of access to personal data: Users have the right to access their personal data, exercised upon a request submitted to the Administrator.

Right to rectification of personal data: Users have the right to request the Administrator to rectify inaccurate or incomplete personal data, exercised upon a request submitted to the Administrator.

Right to erasure of personal data: Users have the right to request the Administrator to erase personal data, exercised upon a request submitted to the Administrator. In the case of user accounts, the deletion of data involves anonymizing data that could identify the user. The Administrator reserves the right to suspend the execution of the data deletion request in order to protect the legitimate interests of the Administrator (e.g., when the User has violated the website's regulations or the data was obtained as a result of correspondence).

Right to restriction of processing: Users have the right to request the restriction of the processing of their personal data in cases specified in Article 18 of the GDPR, including questioning the accuracy of personal data, exercised upon a request submitted to the Administrator.

Right to data portability: Users have the right to receive the personal data concerning them in a structured, commonly used, and machine-readable format from the Administrator, exercised upon a request submitted to the Administrator.

Right to object to the processing of personal data: Users have the right to object to the processing of their personal data in cases specified in Article 21 of the GDPR, exercised upon a request submitted to the Administrator.

Right to lodge a complaint: Users have the right to lodge a complaint with the supervisory authority responsible for personal data protection.

§14 Contact to Administrator

Users can contact the Administrator in one of the following ways:

Postal address: Business Card Studio, ul. Zaglebiowska 37, 52-007 Wroclaw, Poland
Email address: contact@businesscardstudio.com

§15 Website requirements

Limiting the storage and access to Cookie files on the User's device may result in improper functioning of some website functions. The Administrator is not responsible for the improper functioning of website functions if the User restricts the ability to store and read Cookie files in any way.

§16 External links

In the website's articles, posts, entries, or user comments, there may be links to external websites with which the website owner does not cooperate. These links and the pages or files they point to may be dangerous for your device or pose a threat to your data security. The Administrator is not responsible for the content beyond the website.

§17 Changes to the Privacy Policy

The Administrator reserves the right to change this Privacy Policy at any time without the need to inform Users regarding the application and use of anonymous data or the use of Cookie files.

The Administrator reserves the right to change this Privacy Policy regarding the processing of Personal Data. Users with user accounts or newsletter subscriptions will be informed of such changes via email within 7 days of the change. Further use of the services means that the User has read and accepted the introduced changes to the Privacy Policy. If the User does not agree with the changes, they are obliged to delete their account from the Website or unsubscribe from the newsletter.

The changes to the Privacy Policy will be published on this subpage of the Website and take effect upon publication.