Privacy Policy

PRIVACY POLICY

  1. This Privacy Policy sets out the principles for the processing of personal data collected via the online store tosabikes.com (hereinafter referred to as the “Online Store”).
  2. The owner of the Online Store and the data controller is MD GROUP LIMITED LIABILITY COMPANY, based in Rybnik (44-200), Kościelna 15 street, entered into the register of entrepreneurs of the National Court Register kept by the District Court in Gliwice, X Economic Department of the National Court Register under the number KRS 0000950543, with a share capital of 5,000 PLN, NIP: 6423235475, REGON: 5211499770, hereinafter referred to as MD GROUP SP. Z O.O.
  3. Personal data collected by MD GROUP SP. Z O.O. through the Online Store are processed in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also known as GDPR.
  4. MD GROUP SP. Z O.O. takes special care to respect the privacy of the Customers visiting the Online Store.

§ 1 Type of Processed Data, Purposes and Legal Basis

  1. MD GROUP SP. Z O.O. collects information on natural persons conducting legal transactions not directly related to their business activity, natural persons conducting business or professional activity on their own behalf, and natural persons representing legal persons, or organizational units not being legal persons to which the law grants legal capacity, collectively referred to as Customers.
  2. Customer personal data is collected in the case of: —registering an account in the Online Store, to create an individual account and manage it. Legal basis: the necessity to perform the account service agreement (Art. 6 para. 1 letter b of GDPR); —placing an order in the Online Store, to perform the sales agreement. Legal basis: the necessity to perform the sales agreement (Art. 6 para. 1 letter b of GDPR); —using the contact form service in the Online Store to perform the electronic service agreement. Legal basis: the necessity to perform the contact form service agreement (Art. 6 para. 1 letter b of GDPR); —using the post a review service to perform the agreement, which involves an electronic service. Legal basis – the necessity to perform the post a review service agreement (Art. 6 para. 1 letter b of GDPR).
  3. When registering an account in the Online Store, the Customer provides: —email address; —first and last name.
  4. During the account registration in the Online Store, the Customer independently sets a personal password for their account. The Customer may change the password later, according to the rules described in §5.
  5. When placing an order in the Online Store, the Customer provides the following data: —email address; —address data (postal code and city; country; street along with house/apartment number, first and last name; phone number)
  6. For Entrepreneurs, the above data range is additionally extended to include: —the Entrepreneur’s company name; —VAT number.
  7. When using the contact form service, the Customer provides the following data: —email address; —first and last name; —phone number.
  8. When using the post a review service, the Customer provides the following data: —email address; —nickname; —first and last name.
  9. While using the Online Store Website, additional information may be collected, in particular: the IP address assigned to the Customer’s computer or the external IP address of the Internet provider, domain name, browser type, access time, operating system type.
  10. Navigational data among Customers may also be collected, including information about links and references they decide to click on or other actions taken in the Online Store. Legal basis – legitimate interest (Art. 6 para. 1 letter f of GDPR), aimed at facilitating the use of services provided electronically and at improving the functionality of these services.
  11. For establishing, pursuing, and enforcing claims, some personal data provided by the Customer during the use of functionalities in the Online Store, such as first and last name, details regarding the use of services, if the claims result from the way the Customer uses the services, and other data necessary to prove the existence of the claim, including the extent of the damage suffered. Legal basis – legitimate interest (Art. 6 para. 1 letter f of GDPR), consisting in establishing, pursuing, and enforcing claims and defending against claims in proceedings before courts and other state authorities.
  12. Providing personal data to MD GROUP SP. Z O.O. is voluntary, related to the concluded sales agreements, or the provision of services via the Online Store Website, with the reservation that not providing specified data in the forms during the Registration process prevents Registration and Account creation, and in the case of placing an order without Customer Account Registration, prevents the submission and execution of the Customer’s order.

§ 2 To Whom are the Data Disclosed or Entrusted, and How Long are They Stored?

  1. Customer personal data are provided to service providers used by MD GROUP SP. Z O.O. in operating the Online Store. Depending on contractual arrangements and circumstances, service providers to whom personal data are transferred may either follow the instructions of MD GROUP SP. Z O.O. regarding the purposes and means of processing those data (processors) or independently define the purposes and means of their processing (administrators). —Processors: MD GROUP SP. Z O.O. uses providers who process personal data exclusively on the instruction of MD GROUP SP. Z O.O. This includes providers offering hosting services, accounting services, marketing systems, traffic analysis systems in the Online Store, systems for analyzing the effectiveness of marketing campaigns. —Administrators: MD GROUP SP. Z O.O. uses providers who do not act exclusively on the instructions and independently determine the purposes and methods of using customer personal data. They provide electronic payment and banking services.
  2. Location: Service providers are based in Poland and other countries of the European Economic Area (EEA).
  3. Customer personal data are stored: —In the case where the basis for data processing is consent, then the personal data of the Customer are processed by MD GROUP SP. Z O.O. as long as the consent is not revoked, and after the withdrawal of consent for a period corresponding to the period of limitation of claims that MD GROUP SP. Z O.O. may raise and which may be raised against it. Unless a specific provision provides otherwise, the limitation period is six years, and for claims for periodic performances and claims related to business activity – three years. —In the case where the basis for processing is the performance of a contract, then the Customer’s personal data are processed by MD GROUP SP. Z O.O. as long as it is necessary to perform the contract, and afterwards for a period corresponding to the period of limitation of claims. Unless a specific provision provides otherwise, the limitation period is six years, and for claims for periodic performances and claims related to business activity – three years.
  4. In case of making a purchase in the Online Store, personal data may be transferred to a courier company to deliver the ordered goods.
  5. If the Customer selects payment through the AutoPay system, their personal data are transferred to the extent necessary for the payment execution to the AutoPay company.
  6. Navigational data may be used to provide better service to Customers, analyze statistical data, and tailor the Online Store to Customer preferences, as well as manage the Online Store.
  7. In case of a request directed to MD GROUP SP. Z O.O., personal data are made available to authorized state bodies, in particular to organizational units of the Prosecutor’s Office, Police, President of the Personal Data Protection Office, President of the Office of Competition and Consumer Protection, or President of the Office of Electronic Communications.

§ 3 Cookies Mechanism, IP Address

  1. The Online Store uses small files called cookies. They are saved by MD GROUP SP. Z O.O. on the terminal device of a person visiting the Online Store if the web browser allows it. A cookie file usually contains the domain name from which it comes, its “expiry time”, and an individual, randomly selected number identifying the file. The information collected using this type of files helps adjust the products offered by MD GROUP SP. Z O.O. to individual preferences and actual needs of people visiting the Online Store. It also provides the opportunity to develop general statistics of visits to the products presented in the Online Store.
  2. MD GROUP SP. Z O.O. uses two types of cookies: —Session cookies: after the session of a given browser or turning off the computer, the saved information is removed from the device memory. The session cookies mechanism does not allow for any personal data or any confidential information from Customer computers to be retrieved. —Permanent cookies: they are stored in the terminal device of the Customer and remain there until they are deleted or expire. The permanent cookies mechanism does not allow for any personal data or any confidential information from Customer computers to be retrieved.
  3. MD GROUP SP. Z O.O. uses its own cookies to: —Authenticate the Customer in the Online Store and ensure the Customer’s session in the Online Store (after logging in), so the Customer does not have to re-enter the login and password on every subpage of the Online Store; —Analyze and research and audit viewership, and in particular to create anonymous statistics that help understand how Customers use the Online Store Website, which allows improving its structure and content.
  4. MD GROUP SP. Z O.O. uses external cookies to: —Present the Reliable Regulations Certificate through the rzetelnyregulamin.pl website (external cookie administrator: Rzetelna Grupa sp. z o.o. based in Warsaw).
  5. The cookies mechanism is safe for the Online Store Customer’s computers. In particular, this way, it is not possible for viruses or other unwanted or malicious software to get into Customer’s computers. Nevertheless, in their browsers, Customers have the option to limit or disable the access of cookies to computers. If you use this option, the use of the Online Store will be possible, apart from the functions that by their nature require cookies.
  6. Below we show how you can change the settings of popular web browsers in terms of using cookies: —Internet Explorer browser; —Microsoft EDGE browser; —Mozilla Firefox browser; —Chrome and Chrome Mobile browser; —Safari and Safari Mobile browser; —Opera browser.
  7. MD GROUP SP. Z O.O. may collect Customer’s IP addresses. The IP address is a number assigned to the computer of the person visiting the Online Store by the internet service provider. The IP number allows access to the Internet. In most cases, it is dynamically assigned to the computer, i.e., it changes every time you connect to the Internet. The IP address is used by MD GROUP SP. Z O.O. in diagnosing technical problems with the server, creating statistical analyses (e.g., determining from which regions we record the most visits), as useful information in administering and improving the Online Store, and for security purposes and possible identification of server burdening, unwanted automatic programs for viewing the Online Store content.
  8. The Online Store contains links and references to other websites. MD GROUP SP. Z O.O. is not responsible for the privacy practices applicable to them.

§ 4 Rights of Data Subjects

  1. The Right to Withdraw Consent – Legal basis: Article 7(3) of GDPR. —The Customer has the right to withdraw any consent given to MD GROUP SP. Z O.O. —Withdrawal of consent takes effect from the moment of withdrawal. —Withdrawal of consent does not affect the processing carried out by MD GROUP SP. Z O.O. in accordance with the law before its withdrawal. —Withdrawal of consent does not carry any negative consequences for the Customer, but it may prevent further use of services or functionalities that, according to the law, MD GROUP SP. Z O.O. can only provide with consent.
  2. The Right to Object to Data Processing – Legal basis: Article 21 of GDPR. —The Customer has the right at any time to object – for reasons related to his particular situation – to the processing of his personal data, including profiling, if MD GROUP SP. Z O.O. processes his data based on a legitimate interest, e.g., marketing of products and services of MD GROUP SP. Z O.O., conducting statistics on the use of individual functionalities of the Online Store and facilitating the use of the Online Store, as well as customer satisfaction research. —Resignation in the form of an email message from receiving marketing communications concerning products or services will mean the Customer’s objection to the processing of his personal data, including profiling for these purposes. —If the Customer’s objection turns out to be justified and MD GROUP SP. Z O.O. has no other legal basis for processing personal data, the Customer’s personal data will be deleted against which the Customer has objected.
  3. The Right to Erasure of Data (“The Right to be Forgotten”) – Legal basis: Article 17 of GDPR. —The Customer has the right to request the deletion of all or some personal data. —The Customer has the right to request the deletion of personal data if: -the personal data are no longer necessary for the purposes for which they were collected or processed; -the Customer withdraws the specific consent to the extent that the personal data were processed based on his consent; -the Customer objects to the use of his data for marketing purposes; -the personal data are processed unlawfully; -the personal data must be deleted to comply with a legal obligation under Union or Member State law to which MD GROUP SP. Z O.O. is subject; -the personal data have been collected in relation to the offer of information society services.
  4. The Right to Restrict Data Processing – Legal basis: Article 18 of GDPR. —The Customer has the right to request the restriction of the processing of his personal data. Submitting a request, until its consideration, will prevent the use of certain functionalities or services that involve the processing of the data covered by the request. MD GROUP SP. Z O.O. will also not send any communications, including marketing ones. —The Customer has the right to request the restriction of the use of personal data in the following cases: —when the Customer disputes the accuracy of his personal data – then MD GROUP SP. Z O.O. restricts their use for the time needed to verify the accuracy of the data, but no longer than 7 days; —when the processing of data is unlawful, and instead of erasing the data, the Customer requests the restriction of their use; —when the personal data are no longer needed for the purposes for which they were collected or used but are needed by the Customer to establish, assert or defend claims; —when the Customer has objected to the use of his data – then the restriction occurs for the time needed to consider whether – due to the special situation – the protection of the interests, rights and freedoms of the Customer prevails over the interests that the Administrator pursues by processing the personal data of the Customer.
  5. The Right to Access Data – Legal basis: Article 15 of GDPR. —The Customer has the right to obtain confirmation from the Administrator whether personal data is being processed, and if so, the Customer has the right: -to access his personal data; -to obtain information about the purposes of processing, the categories of personal data processed, about the recipients or categories of recipients of this data, the planned period of storage of the Customer’s data or about the criteria for determining this period (when determining the planned period of data processing is not possible), about the rights granted to the Customer under GDPR and about the right to lodge a complaint with the supervisory authority, about the source of these data, about automated decision-making, including profiling, and about the safeguards applied in connection with the transfer of these data outside the European Union; -to obtain a copy of his personal data.
  6. The Right to Rectification of Data – Legal basis: Article 16 of GDPR. —The Customer has the right to request the Administrator to immediately rectify data concerning him that is incorrect. Taking into account the purposes of processing, the Customer who is the data subject has the right to request the completion of incomplete personal data, including by providing an additional declaration, directing the request by email in accordance with §6 of the Privacy Policy.
  7. The Right to Data Portability – Legal basis: Article 20 of GDPR. —The Customer has the right to receive his personal data, which he provided to the Administrator, and then send it to another personal data administrator of his choice. The Customer also has the right to request that personal data be sent by the Administrator directly to such an administrator, if it is technically possible. In such a case, the Administrator will send the Customer’s personal data in a csv file format, which is a commonly used, machine-readable format that allows sending received data to another personal data administrator.
  8. In the event that the Customer exercises the right resulting from the above rights, MD GROUP SP. Z O.O. fulfills the request or refuses to fulfill it immediately, but not later than within a month after receiving it. However, if – due to the complex nature of the request or the number of requests – MD GROUP SP. Z O.O. will not be able to fulfill the request within a month, it will fulfill it within the next two months, informing the Customer in advance within a month from receiving the request – about the intended extension of the deadline and its reasons.
  9. The Customer may submit complaints, queries, and requests regarding the processing of his personal data and the exercise of his rights to the Administrator.
  10. The Customer has the right to request MD GROUP SP. Z O.O. to provide copies of standard contractual clauses by directing an inquiry in the manner indicated in §6 of the Privacy Policy.
  11. The Customer has the right to lodge a complaint with the President of the Personal Data Protection Office, in the scope of violation of his rights to personal data protection or other rights granted under GDPR.

§ 5 Security Management – Password

  1. MD GROUP SP. Z O.O. provides Customers with a secure and encrypted connection when sending personal data and when logging into the Customer Account on the Website. MD GROUP SP. Z O.O. uses an SSL certificate issued by one of the world’s leading companies in terms of security and encryption of data transmitted over the Internet.
  2. In case the Customer having an account in the Online Store has lost the access password in any way, the Online Store allows generating a new password. MD GROUP SP. Z O.O. does not send password reminders. The password is stored in encrypted form, in a way that prevents its reading. To generate a new password, it is necessary to provide an email address in the form available under the “Forgot Password” link, provided at the login form to the account in the Online Store. The Customer will receive an email to the email address provided during registration or saved in the last account profile change containing a redirection to a dedicated form provided on the Online Store Website, where the Customer will be able to set a new password.
  3. MD GROUP SP. Z O.O. never sends any correspondence, including electronic correspondence, with a request for login data, and especially the access password to the Customer account.

§ 6 Changes to the Privacy Policy

  1. The Privacy Policy may be subject to change, of which MD GROUP SP. Z O.O. will inform Customers in advance of 7 days.
  2. Questions related to the Privacy Policy should be directed to: info@tosabikes.com
  3. Last modification date: 01.02.2021

Shopping Cart0

Basket