1. DATA CONTROLLER

The administrator of personal data within the meaning of Article 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (RODO) is Arina Sp. z.o.o., 05-091 Ząbki, 6/106 Drewnicka Street, NIP 1251461785.

Contact details of the data controller:
Email address: zamowienia@giftgamesstudio.com

The controller pursuant to Article 32(1) of the RODO shall observe the principle of personal data protection and shall use appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data processed in connection with its operations.

Provision of personal data is voluntary, but necessary in order to establish cooperation and/or conclude a contract.

The data controller processes personal data only to the extent required for the proper performance of the service to the data subject.

2. PURPOSE AND GROUNDS FOR PROCESSING PERSONAL DATA

The Administrator processes personal data for the following purposes:

  • Provision of services through the Web Portal (https://giftgames.store) and performance of contractual obligations, based on the concluded agreement (Article 6(1)(b) of the DPA);

  • execution of orders of personalized products

    In order to process orders for personalized products, the Administrator processes personal data provided by the customer in the order form and through a separate personalization form. The scope of processed data may include: name of the ordering person, e-mail address and contact telephone number, shipping data (name, surname, address), personal data of the recipient (name, nickname, other data disclosed by the customer required in the form), data of third parties indicated by the customer as participants in the game/gift (name, nickname), photos, images, graphics or other graphic files containing the image of persons indicated by the customer, additional content included by the customer in the personalization form (e.g. quotes, descriptions of situations, references to third parties). The customer declares that he/she owns full copyrights to the attached photos, images, graphics, and has obtained permission to process the images of the people in the photos for the purpose of processing the order.

    Data storage period: Data related to the order may be stored for the period resulting from tax and accounting laws, as well as for the period of limitation of civil law claims. Image files and photos are stored on the server for a maximum of 4 months from the date of the order, for the sole purpose of ensuring that corrections can be made, material can be re-downloaded or any complaints can be processed. After this period, the data are permanently deleted from the system.

    In order to process orders and support personalization of content, the Administrator uses artificial intelligence (AI) based services provided by OpenAI, L.L.C. (ChatGPT service) and Perplexity AI, Inc. (Perplexity service).

    The mentioned services may be used to automate text analysis or content generation. The transmitted data (including images or content sent by the customer) may be processed only for the purpose of fulfilling a specific order or inquiry.

    Personal data and files sent by customers are not used to train AI models, according to assurances from service operators:

    OpenAI Privacy Policy (ChatGPT)
    Perplexity AI Privacy Policy (Perplexity)

  • handling of the complaint process, based on the data controller’s obligation under applicable laws (Article 6(1)(c) of the DPA);
  • Accounting related to the issuance and acceptance of billing documents, based on the provisions of tax law (Article 6(1)(c) of the DPA);
  • Archiving data for possible establishment, investigation or defense against claims or the need to prove facts, which is a legitimate interest of the data controller (Article 6(1)(f) RODO);
  • contact by phone or email, in particular in response to inquiries made to the data controller, which is a legitimate interest of the data controller (Article 6(1)(f) RODO);
  • Sending technical information regarding the operation of the Web Portal and the services used by the customer, which is a legitimate interest of the data controller (Article 6(1)(f) RODO);
  • marketing of the controller’s own products, which is its legitimate interest (Article 6(1)(f) of the DPA) or is based on previously granted consent (Article 6(1)(a) of the DPA).
3. RECIPIENTS OF DATA. TRANSFER OF DATA TO THIRD COUNTRIES


(1) Recipients of personal data processed by the data controller may be entities cooperating with the data controller when it is necessary for the performance of the contract concluded with the data subject, in particular:

Entities performing shipping and logistics:
– InPost Sp. z o.o. ( 4 Pana Tadeusza Street, 30-727 Kraków) – for shipment and delivery
 Apaczka Sp. z o.o. (427 Pulawska St., 02-801 Warsaw) -. For the purpose of shipment and delivery, logistics operator intermediating shipping through courier companies (InPost, DPD, DHL, FedEx and others).

Payment Operators:
– WooPayments / Automattic Inc. (60 29th Street #343, San Francisco, CA 94110, USA) – to process online payments in the online store
– Autopay S.A. (ul. Powstańców Warszawy 6, 81-718 Sopot) – in order to handle online payments in the online store
– PayPal (Europe) S.à r.l. et Cie, S.C.A. (22-24 Boulevard Royal, L-2449 Luxembourg) – in order to process online payments on the online store
– Stripe Payments Europe Ltd. (The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland) -. in order to process online payments in the online store

Artificial intelligence (AI)-based services

– OpenAI, L.L.C. (3180 18th Street, San Francisco, CA 94110, U.S.A.) – for generating or analyzing content as part of the fulfillment of an order, and for supporting textual or graphical content when personalizing products.
– Perplexity AI, Inc. (2261 Market Street #4668, San Francisco, CA 94114, USA) -. In terms of generating or analyzing content as part of order fulfillment and in terms of supporting textual or graphic content for product personalization.


Hosting services, infrastructure and security

HOSTIDO.PL GAŁĄZKA SPÓŁKA JAWNA (5 Kartuska Street, 80-103 Gdansk) – Hosting provider, provides server support, data security and backups of the Portal
– Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) – to provide security, performance and protection against DDoS attacks.

Data may be transferred to the U.S. based on Standard Contractual Clauses (SCC) approved by the European Commission, guaranteeing an adequate level of protection.

– Email and notification system provider (ShopMagic for WooCommerce / WP Desk sp. z o.o.) – to send order processing messages

(2) Recipients of personal data may also be subcontractors – entities whose services are used by the controller for data processing, including:

– law firms and consulting companies,
– providers of IT, marketing and analytical services (e.g. Google Ireland Ltd., Meta Platforms Ireland Ltd., TikTok Technology Limited, LinkedIn Ireland Unlimited Company)
– providers of hosting and IT services – to ensure the maintenance and security of the Portal
– providers of tools to optimize the operation of the Portal (e.g. Cloudflare, Inc. – for security and site performance)

All of these entities process personal data only on the basis of data processing entrustment agreements and only to the extent necessary to perform the activities entrusted to them.

3. The data controller may be obliged to make personal data available under applicable laws, in particular to authorized state bodies or institutions.

4. Personal data may be transferred to entities based outside the European Economic Area (EEA), in particular:

– Google LLC (Google Analytics, Google Ads services)
– Meta Platforms Inc. (Facebook, Instagram Pixel)
– TikTok Inc. (TikTok Pixel)
– OpenAI, L.L.C. (ChatGPT service)
– Perplexity AI, Inc. (Perplexity Service)
– Automattic Inc. (WooPayments)
– Cloudflare, Inc. – ‘s security and CDN business.

The transfer of data to third countries is carried out only to the extent necessary to perform the services indicated above.

5. In any case, the transfer of personal data to third countries is carried out in accordance with the provisions of the RODO, in particular, on the basis of:

– decision of the European Commission finding an adequate level of protection
– Standard Contractual Clauses (SCC) approved by the European Commission
– other mechanisms to ensure adequate safeguards for personal data

Data transferred to entities outside the EEA is not sold or used for purposes other than those arising from the contract with the customer.

Specifically, the data submitted to AI-based services (OpenAI, Perplexity) is solely for the execution of a specific order or request and is not used to train AI models.

4. STORAGE PERIOD OF PERSONAL DATA

The data controller shall keep personal data for the duration of the contract concluded with the data subject and after its termination for purposes related to the assertion of claims related to the contract, the performance of obligations under applicable laws, but for no longer than the statute of limitations under the Civil Code.

The data controller shall keep personal data contained on billing documents (e.g., invoices) for the period of time indicated by the provisions of the Value Added Tax Law and the Accounting Law.

The data controller shall keep personal data processed for marketing purposes for a period of 10 years, but no longer than until you withdraw your consent to the processing or object to the processing.

The data controller shall keep personal data for purposes other than those indicated in paragraphs 1 through 3 for a period of 3 years, unless consent to data processing has been previously withdrawn, and data processing cannot be continued on any other basis than the consent of the data subject.

The data controller stores photos and other content sent for personalization are on the servers for no longer than 4 months from the date of the order. After this period, these files are permanently deleted from the system. The customer, by submitting any graphic or textual content (e.g. photos, images, graphics) as part of an order, declares that he/she has the full right to use them, including the right to process personal data of persons visible on the submitted materials. In the event that the Administrator obtains a reasonable suspicion of infringement of third-party rights (e.g. image or copyright infringement), he reserves the right to refuse to use the material in question and to withhold personalization of the product until the matter is clarified.

5. RIGHTS OF THE DATA SUBJECT

(1) Every data subject has the right to:

(a) access – to obtain confirmation from the controller as to whether his personal data is being processed. If data about a person is processed, he or she is entitled to access it and obtain the following information: the purposes of the processing, categories of personal data, information about the recipients or categories of recipients to whom the data have been or will be disclosed, the duration of data storage or the criteria for determining it, the right to request rectification, erasure or restriction of the processing of personal data of the data subject, and the right to object to such processing (Article 15 RODO);

(b) to obtain a copy of the data – to obtain a copy of the data being processed, with the first copy being free of charge, and for subsequent copies the controller may charge a reasonable fee based on administrative costs (Article 15(3) RODO);

(c) to rectify – to request the rectification of personal data pertaining to it that is incorrect or the completion of incomplete data (Article 16 of the RODO);

(d) to erasure – to request the deletion of her personal data if the controller no longer has a legal basis for processing or the data are no longer necessary for the purposes of processing (Article 17 of the DPA);

(e) to restrict processing – to request the restriction of the processing of personal data (Article 18 RODO) when:

– the data subject questions the accuracy of the personal data – for a period that allows the controller to verify the accuracy of the data, – the processing is unlawful, and the data subject objects to the erasure of the data by requesting a restriction on its use;

– the controller no longer needs the data, but it is needed by the data subject to establish, assert or defend a claim;

– the data subject has objected to the processing – until it is determined whether the legitimate grounds on the part of the controller override the grounds of the data subject’s objection;

(f) to data portability – to receive in a structured, commonly used machine-readable format the personal data concerning him or her that he or she has provided to the controller, and to request that the data be sent to another controller if the data are processed on the basis of the data subject’s consent or a contract with him or her, and if the data are processed by automated means (Article 20 RODO);

(g) to object – to object to the processing of his or her personal data for legitimate purposes of the controller, on grounds related to his or her particular situation, including profiling. The controller shall then assess the existence of valid legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or grounds for establishing, asserting or defending claims. If, according to the assessment, the interests of the data subject outweigh the interests of the controller, the controller will be obliged to cease processing for those purposes (Article 21 of the DPA).

(2) In order to exercise the aforementioned rights, the data subject shall contact, using the contact details provided, the controller and inform him/her of which right and to what extent he/she wishes to exercise it.

(3) The data subject has the right to lodge a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection in Warsaw.

6. PROFILING

(1) Personal data obtained by the controller may be processed by automated means – including profiling. The profiling of personal data
carried out by the controller consists of evaluating selected information about the data subject for the purpose of analyzing and forecasting personal preferences and
interests, in particular for the possibility of providing the data subject with a personalized offer.

(2) The automated processing performed by the data controller shall have no legal effect on the data subject. The data subject
may object to the automated processing of his/her data at any time.

7. ANALYTICAL DATA

1 The administrator uses mechanisms for analyzing Internet services. Detailed information can be found in the Cookies Policy.