Privacy Policy

ON THE WEBSITE

IPH.COM.PL

Definicje
1. Controller – Innowacyjna Platforma Handlu Sp. z o.o. with its registered office in Komorniki, ul. Wiśniowa 11, 62-052 Komorniki.
2. Personal data – information about a natural person who is identified or can be identified by one or more factors that are unique to them, like physical, physiological, genetic, mental, economic, cultural, or social identity, including device IP, location data, online identifier, and info collected through cookies and other similar tech.
3. Policy – this Privacy Policy.
4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
5. Website – the website operated by the Controller at www.iph.com.pl and the mobile application.
6. User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.
Przetwarzanie danych w związku z korzystaniem z Serwisu
1. In connection with the User’s use of the Website, the Controller collects data to the extent necessary to provide the individual services offered, as well as information about the User’s activity on the Website. Below are detailed rules and purposes for processing Personal Data collected during the User’s use of the Website.
Purposes and legal bases for data processing on the Website

USE OF THE WEBSITE

Dane osobowe wszystkich osób korzystających z Serwisu (w tym adres IP lub inne identyfikatory oraz informacje gromadzone za pośrednictwem plików cookies czy innych podobnych technologii), a niebędących zarejestrowanymi Użytkownikami (tj. osób, które nie posiadają konta w Serwisie), przetwarzane są przez Administratora:
1. for the purpose of providing electronic services in the scope of making the content collected on the Website available to Users – in this case, the legal basis for processing is the necessity of processing for the performance of the contract (Article 6(1)(b) of the GDPR);
2. for analytical and statistical purposes – in which case the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in conducting analyses of Users’ activity and preferences in order to improve the functionalities and services provided;
3. for the purpose of possible establishment and pursuit of claims or defense against claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in the protection of his rights;
4. for marketing purposes of the Controller and other entities – the rules for the processing of Personal Data for marketing purposes are described in the MARKETING section.
The User’s activity on the Website, including their Personal Data, is recorded in system logs (a special computer program used to store chronological records containing information about events and actions that relate to the IT system used to provide services by the Controller). The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller also processes it for technical and administrative purposes, for the purposes of ensuring the security of the IT system and managing this system, as well as for analytical and statistical purposes – in this respect, the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR).

CONTACT FORMS

The Controller provides the possibility to contact them using electronic contact forms. Using the form requires providing Personal Data necessary to contact the User and respond to the inquiry. The User may also provide other data to facilitate contact or handling of the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to provide such data will result in the inability to provide service. Providing other data is voluntary.
Depending on the specific form used by the User, personal data is processed:
1. to handle a request for cooperation via the contact form, and in the event of a decision to cooperate, to establish cooperation. The legal basis for processing is taking action at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR); with regard to the processing of optional data, the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
2. in the scope of using the form – for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in keeping statistics of queries submitted by Users via the Website in order to improve its functionality.
3. with regard to the use of the form – for the purpose of pursuing or defending against claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in the protection of its rights.
Marketing
1. displaying marketing content to the User that is not tailored to their preferences (contextual advertising);
  1. displaying marketing content to the User that corresponds to their interests (behavioral advertising);
  2. conducting other types of activities related to the direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).
  3. In order to carry out marketing activities, the Controller in some cases uses profiling, i.e. the assessment of the User’s previous activity on the Website in order to predict the User’s possible behavior in the future. This allows for better matching of the displayed content to the individual preferences and interests of the User.
2. For the purpose of carrying out marketing activities, the Controller may in some cases use profiling, i.e., the assessment of the User’s past activity on the Website to predict possible future behavior. This enables better customization of displayed content to the User’s individual preferences and interests.

CONTEXTUAL ADVERTISING

The Controller processes Users’ Personal Data for marketing purposes in connection with the targeting of contextual advertising (i.e. advertising that is not tailored to the User’s preferences) to Users. The processing of Personal Data is then carried out in connection with the pursuit of the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).

BEHAVIORAL ADVERTISING

The Controller and its trusted partners process Users’ Personal Data, including Personal Data collected through cookies and other similar technologies, for marketing purposes in connection with targeting Users with behavioral advertising (i.e., advertising that is tailored to the User’s preferences).
The processing of Personal Data also includes profiling of Users.
The list of the Controller’s trusted partners can be found here.

DIRECT MARKETING

The User’s Personal Data may also be used by the Controller to direct marketing content to the User through various channels, i.e. via e-mail or MMS/SMS. Such activities are undertaken by the Controller only if the User has given their consent, which may be withdrawn at any time.
Social media
1. The Controller processes the Personal Data of Users visiting the Controller’s profiles on social media (YouTube). This data is processed in connection with the maintenance of the profile, including to inform Users about the Controller’s activities and to promote various events, services, and products. The legal basis for the processing of Personal Data by the Controller for this purpose is its legitimate interest (Article 6(1)(f) of the GDPR), consisting in the promotion of its own brand.
Cookies and similar technologies
1. Cookies are small text files installed on the device of a User browsing the Website. Cookies collect information that facilitates the use of the website, e.g. by remembering the User’s visits to the Website and the actions they take.

SERVICE COOKIES

Administrator wykorzystuje tzw. cookie serwisowe przede wszystkim w celu dostarczania Użytkownikowi usług świadczonych drogą elektroniczną oraz poprawy jakości tych usług. W związku z tym Administrator oraz inne podmioty świadczące na jego rzecz usługi analityczne i statystyczne korzystają z plików cookies, przechowując informacje lub uzyskując dostęp do informacji już przechowywanych w telekomunikacyjnym urządzeniu końcowym Użytkownika (komputer, telefon, tablet itp.). Pliki cookies wykorzystywane w tym celu obejmują:
1. cookies with data entered by the User (session ID) for the duration of the session (user input cookies);
2. authentication cookies used for services that require authentication for the duration of the session (authentication cookies);
3. cookies used to ensure security, e.g. used to detect authentication abuse (user centric security cookies);
4. session cookies of multimedia players (e.g. flash player cookies) for the duration of the session (multimedia player session cookies);
5. permanent cookies used to personalize the User interface for the duration of the session or slightly longer (user interface customization cookies).

MARKETING COOKIES

The Controller and its trusted partners also use cookies for marketing purposes, including in connection with behavioral advertising directed at Users. For this purpose, the Controller and its trusted partners store information or gain access to information already stored on the User’s telecommunications terminal equipment (computer, phone, tablet, etc.).
Analytical and marketing tools used by the Controller’s partners
1. The Controller and its Partners use various solutions and tools for analytical and marketing purposes. Below you will find basic information about these tools. Detailed information in this regard can be found in the privacy policy of the respective partner.

GOOGLE ANALYTICS

Google Analytics cookies are files used by Google to analyze how you use the Website, to compile statistics and reports on the functioning of the Website. Google does not use the collected data to identify you or combine this information to enable identification. Detailed information on the scope and rules of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.

GOOGLE ADS

Google Ads is a tool that allows the Controller to measure the effectiveness of advertising campaigns, enabling the analysis of data such as keywords or the number of unique users. The Google Ads platform also allows us to display our ads to people who have visited the Website in the past. Information on data processing by Google in relation to the above service is available at: https://policies.google.com/technologies/ads?hl=pl.

GOOGLE TAG MANAGER

This tool allows website owners to add, modify, and manage tracking codes and other analytics tools on their websites. Google Tag Manager works on the basis of containers that are placed on a website and contain all the tags that the website owner wants to implement, which facilitates the management of tags on the website. Google Tag Manager also offers advanced features such as event tracking (e.g., button clicks), content personalization on the website, and the creation of triggers, i.e., conditions that must be met for a tag to be activated. Detailed information on Google’s data processing in relation to the above service is available at: https://www.google.com/analytics/terms/tag-manager/.

CUX.IO

Cux.io is a tool that allows you to learn about and collect information about user behavior on a website. Personal data is processed to improve the quality of services and functionality of the website www.iph.com.pl based on the analysis of user behavior on the website. When using the cux.io tool, the following data is collected: metadata describing the user’s path, device data, browser language settings, usage interactions, and page display duration. Detailed information about this service is available at: https://cux.io/legal/privacy-policy/

Cookie settings management
1. The use of cookies to collect data, including access to data stored on the User’s device, requires the User’s consent. This consent may be withdrawn at any time.
2. Permission is not required only for cookies that are necessary for the provision of a telecommunications service (data transmission for the purpose of displaying content).
3. You can withdraw your consent to the use of cookies via your browser settings. Detailed information on this subject can be found at the following links:
  1. Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
  2. Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
  3. Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
  4. Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
  5. Safari: https://support.apple.com/kb/PH5042?locale=en-GB
4. Użytkownik może w każdej chwili zweryfikować status swoich aktualnych ustawień prywatności dla wykorzystywanej przeglądarki przy wykorzystaniu narzędzi dostępnych pod poniższymi linkami:
  1. http://www.youronlinechoices.com/pl/twojewybory
  2. http://optout.aboutads.info/?c=2&lang=EN
Period of Personal Data processing
1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service or order, until the consent is withdrawn or an effective objection to data processing is raised in cases where the legal basis for data processing is the legitimate interest of the Controller.
2. The data processing period may be extended if processing is necessary to establish and pursue possible claims or defend against claims, and after that time only if and to the extent required by law. After the processing period has expired, the data is irrevocably deleted or anonymized.
Rights related to the processing of personal data

DATA SUBJECT RIGHTS

Data subjects have the following rights:
1. the right to information about the processing of personal data – on this basis, the Controller provides the natural person making the request with information about the processing of data, including, in particular, the purposes and legal grounds for the processing, the scope of the data held, the entities to which the data is disclosed, and the planned date of deletion of the data;
2. the right to obtain a copy of the data – on this basis, the Controller provides a copy of the processed data concerning the natural person making the request;
3. the right to rectification – the Controller is obliged to remove any inconsistencies or errors in the Personal Data processed and to supplement them if they are incomplete;
4. the right to erasure – on this basis, you may request the erasure of data whose processing is no longer necessary for the purposes for which it was collected;
5. right to restriction of processing – upon such a request, the Controller shall cease to perform operations on Personal Data – except for operations to which the data subject has consented – and to store them in accordance with the accepted retention rules or until the reasons for restricting the processing of data cease to exist (e.g. a decision of a supervisory authority authorizing further processing of the data is issued);
6. the right to data portability – on this basis – to the extent that the data are processed by automated means in connection with a contract or consent – the Controller shall provide the data provided by the data subject in a format that allows the data to be read by a computer. It is also possible to request that this data be transferred to another entity, provided that this is technically possible for both the Controller and the designated entity;
7. the right to object to data processing for marketing purposes – The data subject may at any time object to the processing of Personal Data for marketing purposes without having to justify such objection;
8. right to object to other purposes of data processing – The data subject may at any time object, on grounds relating to his or her particular situation, to the processing of Personal Data based on the legitimate interests of the Controller (e.g. for analytical or statistical purposes or for reasons related to the protection of property); an objection in this regard should include a justification;
9. right to withdraw consent – if the data is processed on the basis of consent, the Data Subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out prior to its withdrawal;
10. right to lodge a complaint – if the Data Subject considers that the processing of Personal Data violates the provisions of the GDPR or other provisions relating to the protection of Personal Data, the Data Subject may lodge a complaint with the supervisory authority responsible for the processing of Personal Data, competent for the place of the Data Subject’s habitual residence, place of work or place of the alleged infringement. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
SUBMITTING REQUESTS RELATED TO THE EXERCISE OF RIGHTS
1. Requests regarding the exercise of Data Subjects’ rights may be submitted:
  1. in writing to the Controller’s address;
  2. by email to the following address: iod_iph@eurocash.pl
2. The request should, as far as possible, specify the subject matter of the request, i.e. in particular:
  1. which right the person submitting the request wishes to exercise (e.g. the right to receive a copy of the data, the right to erase the data, etc.);
  2. which processing operation the request relates to (e.g. use of a specific service, activity on a specific website, receipt of a newsletter containing commercial information to a specific email address, etc.);
  3. the purposes of the processing to which the request relates (e.g. marketing purposes, analytical purposes, etc.).
3. If the Controller is unable to identify the natural person on the basis of the request, it will ask the applicant for additional information. Providing such data is not mandatory, but failure to do so will result in the request being denied.
4. The request may be submitted in person or through a representative (e.g. a family member). For data security reasons, the Controller encourages the use of a power of attorney certified by a notary public or an authorized legal advisor or attorney, which will significantly speed up the verification of the authenticity of the request.
5. A response to the request should be provided within one month of receipt. If it is necessary to extend this period, the Controller shall inform the applicant of the reasons for doing so.
6. If the request was sent to the Company electronically, the response shall be provided in the same form, unless the applicant has requested a response in another form. In other cases, the response shall be provided in writing. If the deadline for fulfilling the request makes it impossible to provide a response in writing, and the scope of the applicant’s data processed by the Controller allows for electronic contact, the response shall be provided electronically.
FEE COLLECTION RULES
1. The processing of submitted requests is free of charge. Fees may only be charged in the following cases:
  1. request for a second and each subsequent copy of the data (the first copy of the data is free of charge); in such a case, the Controller may request a fee of PLN 250. The above fee covers the administrative costs associated with processing the request;
  2. excessive (e.g. unusually frequent) or clearly unjustified requests by the same person; in such a case, the Controller may request a fee of PLN 250. The above fee covers the costs of communication and the costs associated with taking the requested actions;
2. If the decision to impose a fee is contested, the data subject may lodge a complaint with the supervisory authority responsible for the processing of personal data, competent for the place of habitual residence of the data subject, his or her place of work or the place of the alleged infringement. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
Recipients of data
1. 13.1. In connection with the provision of services, Personal Data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems, marketing agencies (in the scope of marketing services) and entities related to the Controller, including companies from its capital group.
2. 13.2. The Controller reserves the right to disclose selected information about the User to competent authorities or third parties who request such information, based on an appropriate legal basis and in accordance with applicable law.
Transfer of data outside the EEA
1. 1.Poziom ochrony Danych osobowych poza Europejskim Obszarem Gospodarczym (EOG) różni się od tego zapewnianego przez prawo europejskie. Z tego powodu Administrator przekazuje Dane osobowe poza EOG tylko wtedy, gdy jest to konieczne, i z zapewnieniem odpowiedniego stopnia ochrony, przede wszystkim poprzez:
  1. cooperation with entities processing Personal Data in countries for which the European Commission has issued an appropriate decision confirming the adequacy of the level of protection of Personal Data;
  2. the use of standard contractual clauses issued by the European Commission;
  3. the use of binding corporate rules approved by the competent supervisory authority;
2. 14.2. The Controller shall inform you of its intention to transfer Personal Data outside the EEA at the stage of collection.
Security of Personal Data
1. The Controller shall conduct ongoing risk analysis to ensure that Personal Data is processed by it in a secure manner, ensuring in particular that access to the data is limited to authorized persons and only to the extent necessary for the performance of their tasks. The Controller shall ensure that all operations on Personal Data are recorded and carried out only by authorized employees and associates.
2. The Controller takes all necessary measures to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process Personal Data on behalf of the Controller.
Contact
1. The Controller can be contacted via email at bok@mojpos.pl or at the Controller’s mailing address.
2. The Controller has appointed a Data Protection Officer who can be contacted by email at iod_iph@eurocash.pl in any matter relating to the processing of Personal Data.
Changes to the Privacy Policy
1. The Policy is reviewed on an ongoing basis and updated as necessary.
2. The current version of the Policy was adopted and is effective as of April 1, 2025.