Privacy policy

PRIVACY POLICY

LOFALO.COM WEBSITE

1. DEFINITIONS

1.1. Data Controller – Lofalo Monika Bukowiec with its registered office in Zegartowice, address: Zegartowice 160, 32-415 Raciechowice, NIP: 7371813586, REGON: 121428603, represented by: Monika Bukowiec, phone: +48 12 271 52 23, e-mail: lo@lofalo.com
1.2. Personal Data – all information about an identified or identifiable natural person based on one or more specific factors determining physical, physiological, genetic, mental, economic, cultural, or social identity, including device IP, location data, online identifier, and information collected via cookies or similar technologies.
1.3. Policy – this Privacy Policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.
1.5. Service – the website operated by the Controller at: lofalo.pl
1.6. User – any natural person visiting the Service or using one or more of the services or functionalities described in the Policy.

2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE SERVICE

2.1. When a User uses the Service, the Controller collects data necessary to provide specific services, as well as information about the User’s activity on the site. Below are detailed rules and purposes for processing personal data collected during the use of the Service.

3. PURPOSES AND LEGAL BASES FOR DATA PROCESSING IN THE SERVICE

USE OF LOFALO.PL SERVICE

3.1. Personal data of all persons using the Service (including IP address or other identifiers, and information collected via cookies or similar technologies), who are not registered Users, are processed by the Controller:

• 3.1.1. to provide electronic services – legal basis: performance of a contract (Art. 6(1)(b) GDPR);

• 3.1.2. to process purchases without registration – legal basis: performance of a contract (Art. 6(1)(b) GDPR);

• 3.1.3. to handle complaints – legal basis: performance of a contract (Art. 6(1)(b) GDPR);

• 3.1.4. for analytical and statistical purposes – legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR);

• 3.1.5. to establish, pursue, or defend claims – legal basis: legitimate interest (Art. 6(1)(f) GDPR);

• 3.1.6. for marketing purposes, especially behavioral advertising – see section “MARKETING” for details.

3.2. User activity in the Service, including personal data, is recorded in system logs. These logs are used for service provision, system security, backups, testing, troubleshooting, and protection against abuse or attacks.

REGISTRATION IN THE SERVICE

3.3. Users registering in the Service must provide data necessary to create and manage an account. Optional data may be provided voluntarily to facilitate service. Mandatory data is required for account creation.
3.4. Personal data is processed:

• 3.4.1. for account operation – legal basis: performance of a contract (Art. 6(1)(b) GDPR), and for optional data – consent (Art. 6(1)(a) GDPR);

• 3.4.2. for analytics and statistics – legal basis: legitimate interest (Art. 6(1)(f) GDPR);

• 3.4.3. to pursue or defend claims – legal basis: legitimate interest (Art. 6(1)(f) GDPR);

• 3.4.4. for marketing purposes – see section “MARKETING”.

3.5. If the User provides personal data of third parties, they must ensure it is done in compliance with the law and those individuals’ rights.

PLACING ORDERS

3.6. Placing an order requires processing personal data. Mandatory data is required for order processing.
3.7. Data is processed:

• 3.7.1. to fulfill the order – legal basis: performance of a contract (Art. 6(1)(b) GDPR);

• 3.7.2. to comply with legal obligations, e.g. tax and accounting – legal basis: legal obligation (Art. 6(1)(c) GDPR);

• 3.7.3. for analytics – legal basis: legitimate interest (Art. 6(1)(f) GDPR);

• 3.7.4. to pursue or defend claims – legal basis: legitimate interest (Art. 6(1)(f) GDPR).

CONTACT FORMS

3.8. The Controller provides a contact form. Required fields must be completed to enable response. Additional fields are optional.
3.9. Data is processed:

• 3.9.1. to identify and respond to the sender – legal basis: consent (Art. 6(1)(b) GDPR);

• 3.9.2. for statistics – legal basis: legitimate interest (Art. 6(1)(f) GDPR).

4. MARKETING

4.1. The Controller processes User data for marketing, including:

• 4.1.1. displaying non-personalized ads (contextual advertising);

• 4.1.2. displaying personalized ads based on interests (behavioral advertising);

• 4.1.3. sending email notifications, including commercial content.

4.2. Some marketing activities involve profiling – automated evaluation of behavior and preferences to forecast interests.

CONTEXTUAL ADVERTISING

4.3. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

BEHAVIORAL ADVERTISING

4.4. Uses cookies and similar technology. Legal basis: legitimate interest, and subject to User consent for cookies.
4.5. Consent can be withdrawn anytime.

DIRECT MARKETING

4.6. If consent is given, the Controller may send marketing information via email, phone, or SMS. Legal basis: legitimate interest. Users can object at any time.

5. SOCIAL MEDIA

5.1. The Controller processes personal data of Users interacting with its social media profiles (e.g. Facebook) to promote activities, events, services, and engage with the community. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

6. COOKIES AND SIMILAR TECHNOLOGIES

SERVICE COOKIES

6.2. Used for providing electronic services and improving quality. Includes:

• session cookies (user input);

• authentication cookies;

• security cookies;

• multimedia player cookies;

• UI customization cookies;

• shopping cart cookies;

• analytics cookies, including Google Analytics.

More about Google’s data practices: Google Partner Sites

MARKETING COOKIES

6.3. Used for behavioral advertising. Requires User consent, which can be managed through browser settings and withdrawn at any time.

7. DATA RETENTION

7.1. Data is processed for the duration of service provision or until consent is withdrawn or objection is raised.
7.2. May be extended to handle legal claims, after which data is anonymized or deleted.

8. USER RIGHTS

8.1. Data subjects have the following rights:

• 8.1.1. Right to information

• 8.1.2. Right to access data (copy)

• 8.1.3. Right to rectification

• 8.1.4. Right to erasure

• 8.1.5. Right to restrict processing

• 8.1.6. Right to data portability

• 8.1.7. Right to object to marketing

• 8.1.8. Right to object to other processing

• 8.1.9. Right to withdraw consent

• 8.1.10. Right to lodge a complaint – with the Polish Data Protection Authority (UODO)

8.2. Rights requests can be submitted:

• 8.2.1. by mail: Lofalo Monika Bukowiec, Zegartowice 160, 32-415 Raciechowice

• 8.2.2. by e-mail: lo@lofalo.com

8.3. If clarification is needed, the Controller may request additional information.
8.4. A response will be given within one month.
8.5. Replies are sent by the same method used by the User, unless specified otherwise.

9. DATA RECIPIENTS

9.1. Data may be shared with third parties such as IT providers, banks, payment processors, accountants, lawyers, auditors, couriers, and affiliated entities.
9.2. Data may also be disclosed to authorities if legally required.

10. TRANSFER OF DATA OUTSIDE THE EEA

10.1. Data is transferred outside the European Economic Area only with proper safeguards, including:

• adequacy decisions by the European Commission;

• standard contractual clauses;

• binding corporate rules;

• cooperation with U.S. entities under the Privacy Shield.

10.2. The Controller informs Users when such transfers occur.

11. CONTACT INFORMATION

11.1. Contact the Controller at:
Email: lo@lofalo.com
Mail: Lofalo Monika Bukowiec, Zegartowice 160, 32-415 Raciechowice, Poland
NIP: 7371813586, REGON: 121428603

12. POLICY UPDATES

12.1. The Policy is regularly reviewed and updated as needed.