Appendix 3 to the Regulations 

1. The Personal Data Controller is the Service Provider – Lumag Sp. z o.o. with its registered office in Budzyń (64-840), ul. Rogozińska 72, NIP: 7642400940, REGON: 57210841500000, entered into the Register of Entrepreneurs of the National Court Register under the KRS number: 0000158327, whose registration files are kept by the District Court Poznań – Nowe Miasto and Wilda in Poznań, 9th Commercial Division of the National Court Register, with the share capital of PLN 14,903,000.00, phone: +48 67 28 44 800, e-mail address: ecommerce@lumag.pl
2. In matters related to personal data, contact the Service Provider by phone at +48 67 28 44 800 or by e-mail at: ecommerce@lumag.pl 
3. Personal data collected by the Service Provider through the Website are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR” and the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2018, item 1000).
4. The Service Provider processes personal data of Customers – natural persons not conducting business activity, natural persons conducting business activity on their own behalf and individuals representing legal persons or organisational units who are not legal persons to whom the Act grants legal capacity, conducting business activity.
5. Personal data of Customers are collected when the account is registered on the Website. Data collection may also take place when the Customer fills in the form containing the data necessary to complete the Order.
6. The Service Provider may collect the following personal data of Customers:

a. e-mail address,

b. first name,

c. surname,

d. city,

e. postal code,

f. address,

g. country,

h. telephone number,

i. company,

j. NIP (Tax ID Number),

k. bank account number, payment card details. 

7. Providing the above data may be necessary to fully use the Website’s resources.

8. The Service Provider may also collect other data of Customers, i.e.:

a. data about the device with the help of which the Customer uses the Website,

b. login details,

c. data on activity in the Website,

d. cookies,

e. contact and address details connected with the conducted business activity, obtained from publicly available registers (e.g. Central Register and Information on Economic Activity, National Court Register).

9. Data processing is based on the following grounds:

a. processing is necessary for the Service Provider to perform an agreement for the provision of services consisting in the provision of the Website resources in order to make it possible to place an order for the Products available in the Shop,

b. processing is necessary for the conclusion and performance of agreements for the sale of the Products available in the Shop,

c. processing is necessary for the purposes resulting from legitimate interests of the Service Provider, consisting in improving services and providing Customers with access to a safe and efficient Website,

d. processing is necessary for the establishment, exercise or defence of claims, if the claims result from the manner in which the Customer uses the Service Provider's Website,

e. under certain circumstances, the processing of data may take place on the basis of the consent expressed by the Customer, e.g. in order to receive the newsletter, marketing activities.

10. Personal data of Customers are not made available to third parties, except as expressly provided in the Privacy Policy.

11. The Service Provider may share personal data of the Customers to the following entities:

a. suppliers – courier companies,

b. entities providing accounting and legal services,

c. entities handling payments with the use of cards, DotPay,

d. third parties providing services to the Service Provider – suppliers of IT, marketing, analytical services,

e. entities authorised to receive data under applicable laws, including state administration bodies, law enforcement agencies and judicial authorities, at their express request and only in cases specified by law.

Data are made available only to the extent necessary for the purpose for which they are processed.

12. Data will not be transferred to third countries.

13. The data collected are kept as long as necessary for the purposes for which they were collected. The data will be stored for the period of using the Website services for the purposes of performing these services in accordance with the Regulations, as well as for marketing purposes, if the Customer expressed its consent. After the Service Provider ceases to use the Website, the Service Provider may store the Customer’s personal data in the scope and for the period necessary to fulfil its obligations under the provisions of law or legitimate interests, including claims under concluded sales agreements. Personal data related to cookies are stored for a period corresponding to the life cycle of cookies or until the Customer deletes them.

14. Providing personal data is voluntary, however, to the extent specified in the Regulations, the provision of personal data is necessary to fully access the Website’s resources, including to submit and execute the Order.

15. The data subject is entitled to:

a. obtain access to his/her data from the Service Provider,

b. request an immediate rectification of his/her personal data being incorrect,

c. request an immediate deletion of his/her personal data,

d. request restriction of processing,

e. object to the processing,

f. if the processing takes place on the basis of consent - to withdraw consent at any time, provided that the withdrawal of consent does not affect the processing performed by the Service Provider in accordance with the law prior to its withdrawal,

g. at any time lodge a complaint with the competent supervisory authority, which is the President of the Office for the Protection of Personal Data, ul. Stawki 2, 00-193 Warsaw

16. The Service Provider may refuse to delete data if it is obliged to process them on the basis of applicable laws.

17. The Service Provider reserves the right to amend the Privacy Policy in accordance with the provisions concerning the amendment of the Regulations.