I. Who we are
1. The administrator of personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) is Renata Kucharska conducting business activity under the name Renata Kucharska Malarstwo i Ty, ul. A. i Z. Pronaszków 8, 30-498 Kraków, Poland, NIP: PL 9440000664, REGON: 350838019.
2. The contact details of the data controller are as follows: info@paintingandyou.com
3. Our website address is: https://paintspace.online/.
4. Pursuant to Article 32(1) of the GDPR, the Controller observes the principle of personal data protection and applies appropriate technical and organisational measures to prevent accidental or unlawful destruction, loss, modification, unauthorised disclosure or unauthorised access to personal data processed in connection with its business activity.
5. Providing personal data is voluntary, but necessary in order to establish cooperation and/or conclude a contract with the data administrator.
6. The data controller processes personal data only to the extent necessary for the proper provision of services or taking action at the request of the data subject.
II. Purpose and grounds for the processing of personal data
The Administrator processes personal data for the following purposes:
a. preparation of a commercial offer in response to the customer’s interest, which is a legitimate interest of the data controller (Article 6(1)(f) of the GDPR);
b. provision of services by electronic means via websites, on the basis of a concluded contract (Article 6(1)(b) of the GDPR);
c. handling the complaint process, on the basis of the obligation incumbent on the data controller in connection with the applicable law (Article 6(1)(c) of the GDPR);
d. accounting services related to the issuance and acceptance of settlement documents, on the basis of tax law (Article 6(1)(c) of the GDPR);
e. archiving data for the possible determination, investigation or defence against claims or the need to demonstrate facts, which is the legitimate interest of the data controller (Article 6(1)(f) of the GDPR);
f. contact by phone or e-mail, in particular in response to inquiries addressed to the data controller, which is a legitimate interest of the data controller (Article 6(1)(f) of the GDPR);
g. sending technical information on the functioning of the website and services used by the customer, which is a legitimate interest of the data controller (Article 6(1)(f) of the GDPR);
h. marketing of the data controller’s own products, which is its legitimate interest (Article 6(1)(f) of the GDPR) or takes place on the basis of a previously granted consent (Article 6(1)(a) of the GDPR).
III. Data recipients. Data transfers to third countries
1. The recipients of personal data processed by the data controller may be entities cooperating with the data controller, when it is necessary for the performance of the contract concluded with the data subject.
2. The recipients of personal data processed by the data controller may also be subcontractors – entities whose services are used by the data controller for data processing, e.g. accounting offices, law firms, entities providing IT services (including hosting services).
3. The data administrator may be obliged to make personal data available on the basis of applicable law, in particular to make personal data available to authorized state authorities or institutions.
4. Personal data may be transferred to an entity based outside the European Economic Area, i.e. to Google LLC (USA). The transfer of data takes place, among others, on the basis of appropriate legal safeguards, which are standard contractual clauses for the protection of personal data approved by the European Commission.
IV. Period of storage of personal data
1. The Data Controller stores personal data for the duration of the contract concluded with the data subject and after the end of its term for the purposes related to the pursuit of claims related to the contract, performance of obligations resulting from applicable law, but for a period not longer than the limitation period in accordance with the provisions of the Civil Code.
2. The data controller stores personal data contained in settlement documents (e.g. invoices) for the period of time specified in the provisions of the Value Added Tax Act and the Accounting Act.
3. The Data Controller stores personal data processed for marketing purposes for a period of 10 years, but not further than until the consent to the processing of data is withdrawn or an objection is raised to the processing of data.
4. The Data Controller stores personal data for purposes other than those indicated in sections 1-3 for a period of 3 years, unless the consent to data processing has been withdrawn earlier and the data processing cannot be continued on a basis other than the consent of the data subject.
V. Rights of the data subject
1. Every data subject has the right to:
a. access – obtain confirmation from the controller as to whether or not their personal data is being processed. If data about a person is processed, he or she is entitled to access it and obtain the following information: the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom the data have been or will be disclosed, the period of data storage or the criteria for determining it, and the right of the data subject to request rectification, deletion or restriction of processing of personal data and to object to such processing (Article 15 of the GDPR);
b. to receive a copy of the data – to obtain a copy of the data subject to processing, with the first copy being free of charge and for subsequent copies a reasonable fee resulting from administrative costs (Article 15(3) of the GDPR);
c. rectification – to request the rectification of inaccurate personal data concerning him or her or the completion of incomplete data (Article 16 of the GDPR);
d. to erasure of data – to request the erasure of their personal data, if the controller no longer has a legal basis for their processing or the data is no longer necessary for the purposes of the processing (Article 17 of the GDPR);
e. to restriction of processing – to request restriction of processing of personal data (Article 18 of the GDPR) when:
– the data subject questions the accuracy of the personal data – for a period enabling the controller to verify the accuracy of the data,
– the processing is unlawful and the data subject opposes their deletion, requesting the restriction of their use,
– the controller no longer needs the data, but they are needed by the data subject to establish, pursue or defend claims,
– the data subject has objected to the processing – until it is determined whether the legitimate grounds on the part of the controller override the grounds for the objection of the data subject;
f. data portability – to receive in a structured, commonly used and machine-readable format, the personal data concerning him/her, which he/she has provided to the controller, and to request the transfer of such data to another controller, if the data is processed on the basis of the consent of the data subject or a contract concluded with him/her and if the data is processed by automated means (Article 20 of the GDPR);
g. to object to the processing of their personal data for the legitimate purposes of the Controller, for reasons related to their particular situation, including profiling. In such a case, the controller assesses whether there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subjects, or the grounds for the establishment, exercise or defence of claims. If, according to the assessment, the interests of the data subject outweigh the interests of the controller, the controller will be obliged to stop processing the data for these purposes (Article 21 GDPR).
2. In order to exercise the above-mentioned rights, the data subject should contact the controller using the contact details provided and state which right they wish to exercise and to what extent.
3. The data subject has the right to lodge a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection in Warsaw.
VI. How we process personal data
1. Comments
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
2. Media
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
3. Cookies
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
4. Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
5. Who we share your data with
If you request a password reset, your IP address will be included in the reset email.
6. How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
7. What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
8. Where your data is sent
Visitor comments may be checked through an automated spam detection service.
VII. Memberships
When you purchase a membership on our site, we collect and store personal data such as your name, email address, and account details. This information is used exclusively to manage your access to members-only content and services provided through our WooMemberships plugin. Your membership data may include your purchase history, membership status, and access permissions.
We process this data based on the performance of a contract (Article 6(1)(b) of the GDPR). Your data is retained for the duration of your membership and as long as required by applicable laws. We do not share this information with third parties unless legally obligated to do so.
You have the right to access, correct, or delete your membership data at any time. To exercise these rights, please contact us using the details provided in the “Contact Information” section of this policy.
