PRIVACY AND COOKIES POLICY

I. GENERAL INFORMATION.

The Policy is addressed to the users of the tmtoys.com website [hereinafter referred to as “the Website”]. The Policy sets out the rules of storing and processing the Users’ personal data that have been provided by them personally and voluntarily via tools available on the Website and the rules of recording and obtaining access to the data on the devices of the Users’ using the Website for the purposes of the provision of electronic services.

1. The User is a natural person taking advantage of electronic services available as part of the Website.

II. DATA CONTROLLER AND CONTACT.

1. The following companies are the data controller jointlyi:
   1. TM Toys spółka z ograniczoną odpowiedzialnością with registered office in Szczecin, ul. Zbożowa 4, 70-653 Szczecin, NIP (VAT ID): 8511021941, entered in the Business Register of the National Court Register under KRS number: 0000035010, share capital PLN 4,000,000, hereinafter referred to as “Primary Joint Controller”;
   2. TM Invest spółka z ograniczona odpowiedzialnością with registered office in Szczecin, ul. Zbożowa 4, 70-653 Szczecin, NIP (VAT ID): 8542268200, entered in the Business Register of the National Court Register under KRS number: 0000243479, share capital PLN 50,000, hereinafter referred to as “Joint Controller 1”;
   3. EVO C.E. spółka z ograniczoną odpowiedzialnością with registered office in Warsaw, ul. Jutrzenki 137, 02-231 Warszawa, NIP (VAT ID): 5213166247, entered in the Business Register of the National Court Register under KRS number: 0000012459, share capital 50,000,
      hereinafter referred to as „Joint Controller 2”;

hereinafter collectively referred to as “Controller” or „Joint Controller”.

The Controller has not appointed a Data Protection Officer; therefore, for matters relating to data processing by the Controller, contact the Primary Joint Controller directly, using the following address and contact details: Szczecin (70-653), ul. Zbożowa 4, tel. (91) 4317929, email: rodo@tmtoys.pl.

III. SCOPE OF DATA COLLECTION

1. The Website allows the User to contact the Controller and provide them with the User’s personal data, such as:
   1. identification data (e.g. name and surname),
   2. contact details (address of residence, e-mail address, telephone number), as well as
   3. data related to the content of messages addressed to the Controller.
2. The Controller stores the data related to the Users’ activity, e.g. time spent on the website, search phrases, the number of subpages viewed, the date and source of the visit (more information – see section XI of this Policy).

IV. DATA SOURCE.

The data comes from the following sources:

1. direct interactions – when the User contacts the Controller, e.g. in order to ask a question or file an application, etc.;
2. from third parties, e.g. information that the User shared for public viewing, information on third-party websites or information delivered by data resellers;
3. automatic tracking technologies, such as cookie files. We obtain such data as automatically collected information on your interactions with our Services and websites via various technologies, such as cookie files.

V. LEGAL BASIS AND PURPOSE OF DATA PROCESSING

1. The Controller stores and processes the Users’ data based mostly on the following regulations:
   1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR”;
   2. Electronic Services Act of 18 July 2002;
   3. Data Protection Act of 10 May 2018;
   4. internal documentation and procedures applicable at the Controller’s, aimed at preventing the data from being made available to unauthorised persons, revised on an ongoing basis in terms of compliance with the generally applicable law.
2. The User’s personal data can be processed for the following purposes:
   1. network traffic analysis, ensuring security as part of the Website and adapting the content to the Users’ needs based on the Controller’s legitimate interest (Article 6(1)(f) of GDPR);
   2. answering questions, providing requested offer and correspondence aimed at handling the matter, based on the User’s consent and the Controller’s legitimate interest, which is fulfilling the User’s requests (Article 6(1)(a) and (f) of GDPR);
   3. sending a newsletter or presenting commercial information at an explicit request of the User and based on the User’s consent given together with the request, for the purposes of direct marketing relating to the Controller’s offered products and services, pursuant to GDPR (based on Article 6(1)(f) of GDPR);
   4. associated with the satisfaction of potential claims and handling dispute resolution proceedings, including for the purpose of asserting claims and defending against claims or debt collection (pursuant to Article 6(1)(f) of GDPR).

VI. CONSENT TO THE PROCESSING OF PERSONAL DATA.

1. The Controller process personal data only after obtaining the User’s prior consent. The consent is entirely voluntary. Providing personal data by the User for the purposes of handling a matter is voluntary, although necessary.
2. A refusal to provide personal data may hinder or prevent the examination of the matter. The User can withdraw the consent to the processing of their data at any time without any justification by contacting the Controller in a way described in this Policy (Section II).
3. Consent withdrawal can refer to all the purposes of processing or one specific purpose of processing indicated by the User (e.g. withdrawal of consent to receiving commercial information).
4. The withdrawal of consent does not affect activities already performed, but might hinder or prevent contact with the User for the purpose of fulfilling their requests in the future.

VII. RIGHTS ARISING FROM GDPR IN TERMS OF PERSONAL DATA PROCESSING.

1. The User has the right to:
   1. demand, from the Controller, access to the User’s data and to receive their copy, as well as information on the scope of data processing;
   2. demand, from the Controller, to rectify or correct the data – for the data rectification request, when the User notices the data are incorrect or incomplete;
   3. demand, from the Controller, to delete the data without justification;
   4. demand, from the Controller, to restrict the processing of the User’s data, for a specific period or permanently, e.g. when the User notices the data are incorrect (in such a case, the User can demand that the processing of their data be restricted for a period allowing the data correctness to be verified);
   5. at any time, object to the processing of the User’s personal data (all the data or an explicitly specified scope – e.g. a specific processing purpose);
   6. demand that the User’s personal data processed by the Controller be transferred to a different entity, specifying the details of the entity and a specific scope of data to be transferred;
   7. lodge a complaint to the processing of the User’s data by the Controller with the President of the Office for Personal Data Protection.

VIII. RECIPIENTS OF PERSONAL DATA.

1. The recipients of the User’s personal data can only be entities that are entitled to receive these data in accordance with the law, especially public authorities and entities performing public tasks or acting upon the order of public authorities, within the scope and for the purposes that arise from the law.
2. The Controller can entrust the processing of personal data to entities that cooperate with the Controller in the scope necessary to perform the activities requested by the User, e.g. to answer questions, including delivering answers by mail, providing commercial information, such as sending a newsletter (if the User consents to such a transfer of information).
3. The User’s personal data can be shared with couriers, postal operators, hosting provider, e-mail server provider or other entities that support the Controller in business processes.
4. Apart from the aforementioned purposes, the personal data will not be provided to third parties in any manner.

IX. DATA STORAGE DURATION.

1. The personal data shall be stored until the User withdraws their consent or until the matter in question is handled and the limitation period of the parties’ claims associated with the matter lapses.
2. Data associated with network traffic analysis, collected via cookie files, can be stored until the cookie file expires. Some cookies do not expire; therefore, the data shall be store for as long as it is necessary for the Controller to fulfil the purposes associated with data storage, such as the security and historical data analysis associated with the Website traffic.

X.  TRANSFERRING DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANISATION.

1. Personal data provided voluntarily by the Users:
   1. are not transferred outside the European Union unless the data have been published as a result of the User’s individual action (e.g. a comment or an entry), which makes them visible for every person visiting the Website, which is beyond the Controller’s control;
   2. are not used for automated decision-making (profiling);
   3. are not resold to third parties.
2. Anonymous data (not containing personal data):
   1. can be transferred outside the European Union;
   2. are not used to automated decision-making (profiling);
   3. are not resold to third parties.

XI.  USE OF COOKIES AND SIMILAR TECHNOLOGIES.

1. The Website uses network traffic analysis tools and other tools that allow for collecting information on the Users, i.e. cookies and similar technologies, such as logs, web beacons and internet markers (hereinafter collectively referred to as “cookies”). Cookies are small text files or pixels that can be stored on the User's computer or mobile device. Cookies can be necessary to facilitate browsing a webpage and make it more User-friendly.
2. Cookies from third parties may collect information to analyse individual searching behaviour. We use such systems as:
   1. Google Analytics, which collects information on the number of visits to the Website, subpages visited, time spent on the Website, transitions between specific subpages (Google Analytics Privacy Policy:.https://marketingplatform.google.com/about/analytics/terms/pl; additional information: https://policies.google.com/technologies/partner-sites)
   2. GetResponse – which collects information on newsletter recipients and sends the newsletter to specific e-mail addresses (GetResponse Privacy Policy: https://www.getresponse.pl/informacje-prawne/polityka-prywatnosci);
   3. Facebook Pixel in order to provide the Users with personalised advertisements.
3. The Website is protected with an SSL certificate from an accredited certifying institution (Asseco). The certificate was granted to the Primary Joint Controller.
4. The Website allows for collecting information on the User via cookies, which usually work by means of placing a marker on the User’s device (computer, smartphone, etc.). This information is used to identify the User (the User’s IP address, domain name, web browser type, etc.), recording their behaviour on the Website (e.g. choosing a tab on the website, downloading files, accepting a policy, etc.) and maintaining the User’s session (e.g. after logging in), as well as for providing safety, visit analysis and content adaptation. These data can be collected by cookies and also can be recorded in the server’s logs.
5. The Website uses the following cookies:
   1. internal cookies – files placed and read on the User’s device by the Website’s IT system
   2. external cookies – files placed and read on the User’s device by the IT systems of external websites. Scripts of external websites, which can place cookies on the User’s devices have been intentionally integrated with the Website through scripts and services made available and installed on the Website;
   3. session cookies – files placed and read on the User’s device by the Website during a single session of the device. After the session is finished, the files are deleted from the User’s device;
   4. permanent cookies – files placed and read on the User’s device by the Website until they are manually deleted. The files are not deleted automatically after the end of a device's session unless the User’s device configuration is set to deleting cookies after the end of each session.
6. The information obtained via cookies are not combined with other data of the Website Users and are not used by the Controller to identify the Users.
7. The User can block cookies files in the web browser. By default, most web browsers allow using all cookies, but the User can change these settings at any time or can delete cookies already installed. Each web browser allows such an action by one of the options available in the settings or preferences.
8. The User can use the Website in the so-called incognito mode, which prevents the collection of data associated with the User’s visit.
9. Using the website without changing web browser settings, i.e. accepting cookies by default, means their use for the aforementioned purposes.

XII.  LINKS TO OTHER WEBSITES

1. The Website may contain links to third party websites, the privacy policies of which may differ from this Policy. The Controller is not responsible for the collection, processing or disclosure of personal data collected via third party websites, nor for the information or content posted on such websites.
2. Links to other websites are given only for convenience. Using and browsing such websites by the Users is subject to the provisions specified in their policies.
3. The User should become familiar with privacy policies posted on third party websites that they can visit via the Website. The Controller may provide the User with additional or different privacy policies related to the manner in which personal data are collected and used in relation to using third party websites.

XIII.  PRIVACY POLICY UPDATE

This Privacy Policy may be updated. Having introduced changes to this Privacy Policy, the Controller will add an effective date. This version takes effect from 18 December 2020.