Privacy policy | Studio Sante

Privacy policy

Preliminary Information

Respecting your right to privacy, Sante sp. z o.o. (formerly: Sante A. Kowalski Sp. j.), with its registered office in Warsaw (03-301), at ul. Jagiellońska 55A, entered into the Register of Entrepreneurs of the National Court Register, maintained by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS No. 0000050433, NIP No. 524-10-06-610, REGON No. 010827252 (hereinafter referred to as the “Controller”), processes your personal data in accordance with the applicable national and European legal provisions.

The Controller ensures the security of personal data by maintaining their confidentiality, availability, integrity and accountability in relation to its processing activities. In order to ensure that our data processing operations are transparent, this Privacy Policy sets out the key information regarding the processing of personal data by the Controller pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the “GDPR”).

 

Data Controller

The Controller, being the entity that determines the purposes and means of processing personal data, is Sante sp. z o.o. (formerly: Sante A. Kowalski Sp. j.), with its registered office in Warsaw (03-301), at ul. Jagiellońska 55A. In matters relating to the processing of your personal data, you may also contact us by email at: iod@sante.pl.

Sante sp. z o.o. attaches particular importance to the protection of personal data and has therefore appointed a Data Protection Officer, whom you may contact by email at iod@sante.pl or by post at the Controller’s registered office address. Should you have any questions or concerns regarding the processing of your personal data, you are encouraged to contact the Data Protection Officer.

Collection of Personal Data and Purposes of Processing

Within Studio Sante, we process personal data for the following purposes:

1. Correspondence by Email and Traditional Mail

Purpose of Processing and Legal Basis Data Retention Period Where Personal Data Have Not Been Obtained Directly from You – Source of Personal Data and Categories of Personal Data
For the purpose of conducting correspondence and ensuring the circulation and archiving of documents, which constitutes the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).
Information regarding the purpose of processing the personal data contained in the correspondence and the related legal bases is provided in the remaining sections of this Privacy Policy, depending on the subject matter of the correspondence.
As a general rule, personal data are processed for the periods prescribed by applicable law. Where no such periods are specified for particular documents, the data shall be retained for as long as their storage falls within the Controller’s legitimate interest, taking into account the applicable limitation periods for the assertion of legal claims.
The retention period for personal data contained in correspondence depends on the purpose of the processing to which the correspondence relates. Where different data retention periods apply, information in this regard is provided in the relevant separate privacy notice.
As a general rule, we process the personal data provided directly by you.

 

2. Newsletter Subscribers and Recipients of Marketing Communications

Purpose of Processing and Legal Basis Data Retention Period Where Personal Data Have Not Been Obtained Directly from You – Source of Personal Data and Categories of Personal Data
We process your personal data on the basis of the Controller’s legitimate interests (Article 6(1)(f) of the GDPR), consisting of the marketing of the Controller’s own products and services and, where your prior explicit consent has been obtained, also the products and services of entities cooperating with the Controller (Article 6(1)(a) of the GDPR), using the following forms of communication selected by you:
– newsletter (distribution of newsletters),
– voice calls (marketing communications by telephone),
– commercial information by electronic mail (email),
– commercial information by SMS,
– distribution of promotional materials by traditional mail,
– for the purposes specified in the content of the consents to the processing of personal data, where such consents have been granted (Article 6(1)(a) of the GDPR),
– for the purpose of complying with legal obligations imposed on the Controller (Article 6(1)(c) of the GDPR).
Your personal data are also processed for the purposes of the Controller’s other legitimate interests (Article 6(1)(f) of the GDPR), including:
– the establishment, exercise or defence of legal claims,
– statistical purposes related to improving the efficiency of our operations, enhancing the quality of the services provided, and adapting those services to the needs of their recipients.
Your personal data will be retained until you withdraw your consent or object to the processing, i.e. until you notify us, in any manner, that you no longer wish to remain in contact with us or receive information regarding our activities.
Following the withdrawal of your consent or the submission of an objection, your personal data may continue to be retained for the purposes of demonstrating the Controller’s compliance with its legal obligations incumbent upon the Controller and in connection with any related legal claims.
Where we have not obtained your personal data directly from you, the source of such data is an entity that held your consent to disclose your personal data to the Controller or another valid legal basis for such disclosure.
In such cases, the personal data obtained comprise the data necessary for carrying out the relevant marketing activities, typically including your first name, surname, email address, telephone number and/or correspondence address.

 

Users of the Studio Sante Website

Purpose of Processing and Legal Basis Data Retention Period Where Personal Data Have Not Been Obtained Directly from You – Source of Personal Data and Categories of Personal Data
We process your personal data for the following purposes:
– to ensure the functionality of the Website and facilitate its use (Article 6(1)(f) of the GDPR); further information regarding the use of cookies is provided in the relevant section of this Privacy Policy;
– where applicable, to fulfil accounting, bookkeeping and financial reporting obligations (Article 6(1)(c) of the GDPR);
– on the basis of the Controller’s legitimate interests consisting of the marketing of the Controller’s own products and services (Article 6(1)(f) of the GDPR), and, where your explicit consent has been obtained, also the products and services of entities cooperating with the Controller (Article 6(1)(a) of the GDPR), using the following forms of communication:
• newsletter (distribution of newsletters);
• marketing communications by telephone;
• commercial information by electronic mail (email);
• commercial information by SMS;
• distribution of promotional materials by traditional mail;
• delivery of personalised content and advertisements.
– for the purposes specified in the content of the consents to the processing of personal data, where such consents have been granted (Article 6(1)(a) of the GDPR).
We also process your personal data on the basis of the Controller’s legitimate interests pursuant to Article 6(1)(f) of the GDPR for the following purposes:
– the establishment, exercise or defence of legal claims;
– statistical purposes related to improving the efficiency of our operations, enhancing the quality of the services provided, and adapting those services to the needs of their recipients.
Your personal data will be retained until you withdraw your consent or object to the processing, i.e. until you notify us, in any manner, that you no longer wish to remain in contact with us or receive information regarding our activities.
Following the withdrawal of your consent or the submission of an objection, your personal data may continue to be retained for the purpose of demonstrating the Controller’s compliance with its legal obligations or until the expiry of the applicable statutory limitation periods for legal claims, whichever period is longer.
Where you have entered into an agreement with the Controller (for example, in relation to the provision of electronic services or the use of the online store), your personal data will be processed for the duration of the agreement and, following its termination, until the expiry of the applicable statutory limitation periods for any claims arising therefrom.
As a general rule, we process the personal data provided directly by you. Where you have not provided your personal data to us directly, the source of such data is an entity that held your consent to disclose your personal data to the Controller or another valid legal basis for such disclosure.
In such cases, the personal data obtained comprise the data necessary for carrying out the relevant marketing activities, typically including your first name, surname, email address, telephone number and/or correspondence address.

 

4. Purchase of a Gift Card

Purpose of Processing and Legal Basis Data Retention Period Where Personal Data Have Not Been Obtained Directly from You – Source of Personal Data and Categories of Personal Data
For the purpose of:
– entering into and performing Gift Card sale agreements, including the issuance and administration of the Gift Card (the legal basis for the processing is Article 6(1)(b) of the GDPR);
– the recipient’s personal data will be processed for the above purpose on the basis of Article 6(1)(f) of the GDPR, i.e. on the basis of the Controller’s legitimate interests, which shall be understood as the necessity to ensure the proper performance of the Gift Card sale agreement concluded between the Controller and the purchaser;
– compliance with legal obligations, in particular the obligation to maintain financial records and prepare financial reporting (the legal basis for the processing is Article 6(1)(c) of the GDPR);
– pursuing the Controller’s legitimate interests (the legal basis for the processing is Article 6(1)(f) of the GDPR), which shall be understood as:
– responding to enquiries submitted via contact forms or by electronic mail;
– the establishment, exercise or defence of legal claims arising from the Gift Card sale agreement.
Your personal data will be processed:
– until the expiry of the statutory data retention obligation, in particular the obligation to retain accounting records relating to the sale agreement;
– until a justified objection to the processing is submitted, where the legal basis for the processing of personal data is the Controller’s legitimate interests.
As a general rule, we process the personal data provided directly by you. Where you have not provided your personal data to us directly, the source of such data is an entity that held your consent to disclose your personal data to the Controller or another valid legal basis for such disclosure. In such cases, the personal data obtained comprise the data necessary for carrying out the relevant marketing activities, typically including your first name, surname, email address, telephone number and/or correspondence address.

 

5. User Account

Purpose of Processing and Legal Basis Data Retention Period Where Personal Data Have Not Been Obtained Directly from You – Source of Personal Data and Categories of Personal Data
You may create an account to facilitate future purchases. In such case, your personal data will be processed for the following purposes:
– the creation and operation of a Studio Sante Store account (the legal basis for the processing is Article 6(1)(b) of the GDPR);
– pursuing the Controller’s legitimate interests (the legal basis for the processing is Article 6(1)(f) of the GDPR), which shall be understood as:
– responding to enquiries submitted via contact forms or by electronic mail;
– the establishment, exercise or defence of legal claims relating to the user account or Gift Cards.
Your personal data will be processed until:
– the termination of the agreement for the provision of electronic services (e.g. deletion of the user account);
– a justified objection to the processing is submitted, where the legal basis for the processing of personal data is the Controller’s legitimate interests.
As a general rule, we process the personal data provided directly by you. Where you have not provided your personal data to us directly, the source of such data is an entity that held your consent to disclose your personal data to the Controller or another valid legal basis for such disclosure.

 

6. Appointment Bookings

Purpose of Processing and Legal Basis Data Retention Period Where Personal Data Have Not Been Obtained Directly from You – Source of Personal Data and Categories of Personal Data
For the purpose of:
– the performance of agreements concluded with Studio Sante clients, including the booking of treatments and services provided by Studio Sante (the legal basis for the processing is Article 6(1)(b) of the GDPR);
– where applicable, compliance with accounting, bookkeeping and financial reporting obligations (the legal basis for the processing is Article 6(1)(c) of the GDPR).
We also process your personal data on the basis of the Controller’s legitimate interests pursuant to Article 6(1)(f) of the GDPR for the following purposes:
– the establishment, exercise or defence of legal claims;
– statistical purposes related to improving the efficiency of our operations, enhancing the quality of the services provided, and adapting those services to the needs of their recipients.
Your personal data may continue to be retained for the purpose of demonstrating the Controller’s compliance with its legal obligations or until the expiry of the applicable statutory limitation periods for legal claims, whichever period is longer.
Where you have entered into an agreement with the Controller (for example, in relation to the provision of electronic services or the use of the booking system), your personal data will be processed for the duration of the agreement and, following its termination, until the expiry of the applicable statutory limitation periods for any claims arising therefrom.
As a general rule, we process the personal data provided directly by you. However, in the case of appointments booked through the Booksy system, following the completion of the booking, we receive your personal data from the operator of the Booksy service, Booksy International sp. z o.o.

 

7. Handling of Complaints and Withdrawal from Distance Contracts

Purpose of Processing and Legal Basis Data Retention Period Where Personal Data Have Not Been Obtained Directly from You – Source of Personal Data and Categories of Personal Data
For the purpose of:
– handling a complaint or a request to withdraw from a distance contract (Article 6(1)(c) of the GDPR);
– performing the agreement to which the request relates (Article 6(1)(b) of the GDPR, where you are a party to the agreement; Article 6(1)(f) of the GDPR, where you act on behalf of our client or business partner);
– where applicable, compliance with accounting, bookkeeping and financial reporting obligations (Articles 6(1)(c) and 6(1)(f) of the GDPR);
– compliance with other legal obligations imposed by applicable law (Article 6(1)(c) of the GDPR);
– the purposes specified in the consent, where such consent has been granted (Article 6(1)(a) of the GDPR).
We also process your personal data on the basis of the Controller’s legitimate interests pursuant to Article 6(1)(f) of the GDPR for the following purposes:
– the establishment, exercise or defence of legal claims;
– statistical purposes related to improving the efficiency of our operations, enhancing the quality of the services provided, and adapting those services to the needs of their recipients.
Please note: where the description of the circumstances contains special categories of personal data, such data will be processed for the purpose of the establishment, exercise or defence of legal claims (Article 9(2)(f) of the GDPR).
Your personal data will be retained until the request has been resolved and until the expiry of the applicable statutory limitation periods for legal claims. As a general rule, we process the personal data provided directly by you. Where you have not provided your personal data to us directly, the source of such data is the person who included your personal data in the request. We obtain personal data to the extent necessary for handling the request, which most commonly include your first name and surname, email address, telephone number, correspondence address, the circumstances giving rise to the request, and your bank account number (in the case of refunds).

 

8. Studio Sante Clients

Purpose of Processing and Legal Basis Data Retention Period Where Personal Data Have Not Been Obtained Directly from You – Source of Personal Data and Categories of Personal Data
The personal data of Studio Sante clients are processed for the following purposes:
– registration via the Booksy platform, booking or purchasing a treatment (Article 6(1)(b) of the GDPR);
– ensuring the safe provision of the treatment ordered by you, on the basis of your explicit consent (Article 9(2)(a) of the GDPR).
We also process your personal data for the purposes of the Controller’s legitimate interests (Article 6(1)(f) of the GDPR), namely:
– where your prior consent has been obtained, direct marketing of our services through the communication channel indicated by you;
– the establishment, exercise or defence of legal claims (in the case of special categories of personal data – Article 9(2)(f) of the GDPR);
– handling your complaints and comments;
– sending notifications regarding upcoming treatments.
Your personal data collected in connection with the treatment provided will be retained for a period of 3 years from the date on which the questionnaire was completed or until you withdraw your consent to the processing of your personal data, whichever occurs first. In the event of claims relating to personal injury, your personal data will be retained for the duration of the applicable statutory limitation period for such claims.
Personal data processed for the purpose of sending commercial information will be processed until you withdraw your consent or object to the processing.
As a general rule, we process the personal data provided directly by you.

 

9. Protection of Minors (Standards for the Protection of Minors)

Purpose of Processing and Legal Basis Data Retention Period Where Personal Data Have Not Been Obtained Directly from You – Source of Personal Data and Categories of Personal Data
The personal data of adults and children are processed for the purpose of implementing the Standards for the Protection of Minors and complying with the obligations arising under the Act of 13 May 2016 on Counteracting Threats of Sexual Crime and the Protection of Minors (Article 6(1)(c) of the GDPR), namely:
– identifying a minor staying at Hotel Sante or Studio Sante and determining the minor’s relationship with the adult accompanying them at the premises;
– where the welfare of a minor is at risk, responding to such risk, securing evidence and submitting notifications to the competent authorities.
In the event of any legal claims:
– for the purpose of the establishment, exercise, preservation or defence of legal claims, which constitutes the Controller’s legitimate interests (Article 6(1)(f) of the GDPR).
– for the duration of the guest’s stay at Hotel Sante or Studio Sante;
– where the welfare of a minor has been placed at risk or legal claims have arisen in connection with the implementation of the Standards for the Protection of Minors, for the duration of the relevant proceedings or until the expiry of the applicable statutory limitation period for such claims.
– if you are the parent or legal guardian of a minor, we have obtained your personal data from the hotel guest with whom your child is staying at our Hotel or Studio. The personal data obtained include: first name, surname, telephone number, and the nature of the family relationship or other relationship;
– if you are a minor, we have obtained your personal data from the hotel guest with whom you are staying at our Hotel. The personal data obtained include: first name, surname, PESEL number, and the nature of the family relationship or other relationship.

 

Detailed information regarding the processing of personal data is available on the Studio Sante website at https://www.studiosante.pl/.

Social Media
Our Website contains links to our social media profiles. To the extent that we manage these profiles, we act as the Controller or, depending on the particular service, as a joint controller together with the operator of the relevant social media platform. Accordingly, we process the personal data of visitors to our social media profiles (Facebook, LinkedIn, Twitter) solely for the following purposes:

  • operating our social media profiles (including publishing information about promotions, our services and the activities of Sante);
  • obtaining anonymised analytical and statistical data made available by the relevant social media platform on the basis of parameters previously defined by us, taking into account the characteristics of our clientele and our promotional and marketing objectives;
  • direct marketing;
  • communicating with our customers using the tools made available by the relevant social media platform.

We also process personal data:

  • for the establishment, exercise or defence of legal claims;
  • for statistical purposes related to improving the efficiency of our operations, enhancing the quality of the services provided, and adapting those services to the needs of their recipients.

The legal basis for the processing of personal data for the above purposes is the Controller’s legitimate interests (Article 6(1)(f) of the GDPR).
In the case of Facebook, the controller or joint controller (e.g. in relation to Facebook Page Insights) of your personal data is Meta Platforms Ireland Ltd., with its registered office in Dublin (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). The Joint Controller Addendum is available at: https://www.facebook.com/legal/controller_addendum.
The use of Facebook is governed by its applicable terms and privacy policies. To learn more about Facebook’s Privacy Policy, please visit: https://www.facebook.com/privacy/explanation.
Your personal data will be retained until the relevant request has been fully handled and until the expiry of the applicable statutory limitation periods for legal claims.
As a general rule, we process the personal data provided directly by you. Where you have not provided your personal data to us directly, the source of such data is the person who included your personal data in the request. We obtain personal data to the extent necessary for handling the request, which most commonly include your first name and surname, email address, telephone number, correspondence address, the circumstances giving rise to the request, and your bank account number (in the case of refunds).

Facebook Lead Ads
Within the Facebook platform, the Controller uses Facebook Lead Ads, which enable users to provide their contact details and submit them to the Controller. Until the User’s personal data provided through the relevant Lead Ad form are submitted, the controller of the User’s personal data is Meta Platforms Inc., the operator of Facebook Upon submission of the personal data through the Lead Ad form, the Controller becomes the controller of the User’s personal data within the scope provided. Depending on the content of the relevant Lead Ad, the User’s personal data may be processed for the following purposes:

  • responding to the User’s enquiry submitted through the Lead Ad form;
  • where consent to receive commercial information has been granted, promoting the Controller’s products and services, including by telephone or email contact;
  • where consent to receive commercial information has been granted, sending the Controller’s Newsletter to the email address provided by the User,

– which constitutes the Controller’s legitimate interests (Article 6(1)(f) of the GDPR).
The Controller receives the User’s personal data provided in the form (first name, surname, email address and telephone number) from Facebook (Meta Platforms Inc.).
The User’s personal data will be retained until the withdrawal of consent or the submission of an objection. Following the withdrawal of consent or the submission of an objection, the personal data may continue to be retained for the purpose of demonstrating the Controller’s compliance with its legal obligations and in connection with any related legal claims.
In the context of contact initiated through a Lead Ad, the Controller does not make decisions based solely on automated processing, including profiling.
In all other respects, the provisions of this Privacy Policy shall apply.

Cookies and Other Similar Technologies
Subject to the User’s prior consent, Studio Sante automatically collects information contained in cookies and other similar technologies (e.g. tracking pixels). The Website operator informs you that cookies are IT data, in particular text files, which are stored on the User’s terminal device. Cookies generally contain the name of the website from which they originate, the period for which they are stored on the terminal device, and a unique identifier. Cookies are used for the following purposes:

  • adapting the content of the Website to the User’s preferences and optimising the use of the Website; in particular, these files enable the User’s device to be recognised and the Website to be displayed appropriately, tailored to the User’s individual needs;
  • compiling statistics that help us understand how Users interact with the Website, thereby enabling us to improve its structure and content;
  • maintaining the User’s session on the Website.

The following types of cookies are used on the Website:

  • “strictly necessary” cookies, which enable the use of the services available through the Website, for example authentication cookies used for services requiring authentication within the Website; cookies used to ensure security, including those used to detect authentication abuse within the Website;
  • “performance” cookies, which enable information to be collected about the manner in which the Website is used;
  • “functional” cookies, which enable the Website to remember the User’s selected settings and personalise the User interface, for example with regard to the selected language or region, font size or the appearance of the Website;
  • “advertising” cookies, which enable advertising content to be delivered to Users in a manner more closely tailored to their interests.

The following cookies are placed on your terminal device:

Google Analytics
This Website uses Google Analytics, a web analytics service provided by Google Inc. (hereinafter referred to as “Google”). Google Analytics uses cookies. The information generated by cookies about your use of this Website is generally transmitted to and stored on a Google server in the United States. However, due to the activation of IP anonymisation on this Website, your IP address will first be truncated by Google within the Member States of the European Union or in other states that are party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. On behalf of the operator of this Website, Google will use this information for the purpose of evaluating your use of the Website, compiling reports on Website activity and providing other services relating to Website activity and Internet usage for the Website operator. The IP address transmitted by Google Analytics will not be associated with any other data held by Google.
The purpose of the processing is to evaluate the use of the Website and to compile reports on Website activity. On the basis of the use of the Website and the Internet, other related services will be provided. The processing is based on the legitimate interests of the Website operator.
Google Analytics collects data relating to IP addresses, network location, date of visit, operating system and browser type. You may prevent the storage of cookies by selecting the appropriate settings in your browser software; however, please note that if you do so, you may not be able to use all the features of this Website to their fullest extent.

Use of Google Ads
Our Website uses Google Conversion Tracking. If you access our Website via an advertisement served by Google, Google Ads will place a cookie on your device. The conversion tracking cookie is used when a User clicks on an advertisement served by Google. These cookies expire after 30 days and are not used for personal identification purposes. If the User visits certain pages of our Website before the cookie expires, we and Google are able to recognise that the User clicked on the advertisement and was redirected to that page. Each Google Ads customer receives a different cookie. Cookies cannot be tracked through the websites of Google Ads advertisers. The information collected through the conversion tracking cookie is used to generate conversion statistics for Google Ads advertisers using this functionality. Advertisers receive information only about the total number of Users who clicked on their advertisement and were redirected to their Website. They do not receive any information that would enable the identification of individual Users.
If you do not wish your activity on the Website to be tracked, you should change your browser settings, for example by blocking cookies from the “googleleadservices.com” domain.
Please note that you cannot opt out of the use of cookies if you wish measurement data to continue to be recorded. If you delete all cookies stored in your browser, you will need to set the relevant cookie preferences again.

Server Logs

  • Use of the Website involves sending requests to the server on which the Website is hosted.
  • Each request sent to the server is recorded in the server logs. The logs include, among other things, the User’s IP address, the server date and time, information about the web browser used by the User, and the User’s operating system.
  • The server logs are recorded and stored on the server.
  • The data recorded in the server logs are not associated with specific individuals using the Website and are not used by the Controller to identify the User.
  • The server logs are used solely as supporting material for the administration of the Website, and their contents are not disclosed to any persons other than those authorised to administer the server.

 

Recipients of Personal Data

Within Studio Sante, the Controller may disclose your personal data to the following recipients:

  • public authorities or other entities authorised under applicable law, where such disclosure is necessary to comply with legal obligations;
  • entities supporting the Controller’s business activities on its behalf, in particular providers of external IT systems supporting the Controller’s operations, subcontractors, entities conducting audits of the Controller’s activities, or experts, provided that such entities process the personal data on the basis of an agreement concluded with the Controller and solely in accordance with the Controller’s instructions;
  • providers of accounting, payroll or legal services, to the extent necessary to ensure compliance with legal obligations or for the establishment, exercise or defence of legal claims;
  • entities providing document destruction or document archiving services, to the extent that personal data are stored in paper form or on such media;
  • providers of courier and postal services;
  • entities providing marketing services;
  • Booksy International sp. z o.o., to the extent necessary for intermediary services relating to the booking of treatments or other services.

 

Rights Relating to the Processing of Personal Data

Every individual whose personal data are processed by the Controller has the right to:

  • access their personal data;
  • rectify their personal data;
  • erase their personal data;
  • restrict the processing of their personal data;
  • object to the processing of their personal data (in accordance with Article 21(1) of the GDPR, when submitting an objection, you should specify the reasons relating to your particular situation);
  • data portability.

You also have the right to lodge a complaint with the supervisory authority, namely the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych). Further information is available at: https://uodo.gov.pl/pl/526/2464.

Where consent has been given for the processing of personal data or for the sending of commercial information via the selected communication channel, you are informed that you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing carried out on the basis of that consent before its withdrawal.

In the case of the Newsletter, consent may be withdrawn through your user account, via the footer of our marketing communications, or by contacting us at: iod@sante.pl.

Provision of Personal Data

The provision of personal data is necessary for the conclusion and performance of agreements, the settlement of the Controller’s business activities, and the Controller’s compliance with its legal obligations. In all other cases (in particular where personal data are processed by the Controller for marketing purposes), the provision of personal data is voluntary.

Transfers of Personal Data to Third Countries or International Organisations

Your personal data will be transferred outside the European Economic Area.

In the case of our providers of IT solutions, social media services, as well as cookies and other tracking technologies, your personal data may be transferred to the United States. We transfer personal data to entities established in the United States that participate in the Data Privacy Framework programme. Further information is available at: https://www.dataprivacyframework.gov/s/.

In all other cases, we enter into the Standard Contractual Clauses with our service providers. Further information, including copies of the Standard Contractual Clauses used by us, may be obtained by contacting our Data Protection Officer at: iod@sante.pl.

Automated Processing of Personal Data

As part of the collection of statistical and analytical data, as well as contextual and behavioural advertising, automated decision-making, including profiling, takes place.

Profiling is carried out through the collection and processing of your personal data by means of automated analyses of your behaviour while using social media platforms and our online store, for the purpose of continuously improving their operation and the services provided by us.

Such profiling serves solely to improve the quality of our services and does not produce legal effects concerning you or similarly significantly affect you in any other way.