1. Definitions

Administrator – Data Controller, the entity that determines the purposes and means of processing personal data. The Data Controller is:

Personal Data – any information about an identified or identifiable natural person (“data subject”); an identifiable person is one who can be directly or indirectly identified.

Policy – privacy policy of the website:

GDPR – General Data Protection Regulation (EU) 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

EEA – European Economic Area, a zone of free trade and a common market, including the EU member states and the European Free Trade Association (EFTA) countries, excluding Switzerland. It is the area where the free flow of personal data occurs.

Data Recipient – a natural or legal person, an organizational unit without legal personality, a public authority, body, or another entity to which personal data is disclosed, regardless of whether it is a “third party.”

Cookies – small text files stored on the user’s device (computer, tablet, phone) that allow remembering the user’s preferences for future visits to the website.

President of the Office – President of the Personal Data Protection Office, the supervisory authority under the GDPR, which oversees the compliance with personal data protection regulations in Poland.

Profiling – any form of automated processing of personal data that involves the use of personal data to evaluate certain personal factors of a natural person, especially the analysis or prediction of aspects related to the person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movement of the data subject—provided that such processing produces legal effects concerning the person or similarly significantly affects them.

SSL Protocol – a network protocol used for secure internet connections, adopted as the encryption standard for websites. The SSL certificate ensures the confidentiality of data transmission over the Internet.

Processing – an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

2. Contact Regarding Personal Data Processing

The Administrator has appointed a Data Protection Specialist, who can be contacted regarding all matters related to personal data processing via email at office@roim.pl or by sending a letter to the Administrator’s address.

3. Processing of Personal Data in Connection with Using the Service

We would like to inform you about the processing of your personal data in connection with using our service. Our goal is to ensure full transparency and protect your privacy, which is why we have prepared this brief information to explain how we process your data.

Newsletter: If you decide to subscribe to our newsletter, we will process your data, such as your email address, in order to send you updates, product information, or promotions. Data processing for this purpose is based on your voluntary consent, which you can withdraw at any time via a link available in each message received.

Contact Form: If you use the contact form on our website, we will process the contact data you provide, such as your name, surname, and email address, in order to respond to your inquiry or request.

Account Registration: If you decide to register an account on our service, we will process personal data such as your name, surname, and email address to enable you to use the features available to registered users. Processing of this data is necessary to fulfill the contract between us.

Purchasing: When making purchases on our website, we will process data regarding the order, such as the recipient’s name and surname, delivery address, selected products, transaction amount, and payment details. This information is necessary to fulfill your order.

Delivery: In order to deliver the ordered products, we will share some of your personal data with courier companies or logistics operators responsible for the delivery. We will limit the sharing of data to the minimum necessary for the delivery process.

IP Address: When visiting our website, we automatically collect your device’s IP address. The IP address is a unique identifier assigned to your device when accessing the internet. We process this data using cookies to manage the service, analyze trends, and track user activity on the site. This information helps us better understand how users interact with our service and adjust it to your needs. More information about cookies can be found in section 10.

Social Media Plugins: Our website includes social media plugins, such as Facebook and Instagram. Using these plugins is voluntary. If you choose to use these plugins, your personal data may be processed by these social media platforms in accordance with their own privacy policies. We encourage you to read these policies to understand how your data is processed by these platforms.

4. Purpose and Legal Basis for Data Processing

We process personal data for the following purposes:

• To conclude and execute the sales agreement in connection with your purchases on our online store, training platform, and the provision of customer account services on our service (Article 6(1)(b) GDPR);

• To assert claims related to business activities and to defend against those claims within the framework of the legitimate interest of the administrator (Article 6(1)(f) GDPR);

• To fulfill our legal obligations, such as keeping accounting records and tax documentation (Article 6(1)(c) GDPR);

• To conduct marketing activities in the form of a newsletter (Article 6(1)(a) GDPR in conjunction with Article 10 of the Act of July 18, 2002, on providing electronic services);

• To respond to inquiries submitted via the contact form within the framework of the legitimate interest of the administrator (Article 6(1)(f) GDPR);

• To set user preferences and facilitate the use of the service using cookies (Article 173 of the Telecommunications Law of July 16, 2004, and Article 6(1)(f) GDPR);

• To manage the fanpage on social media, under the terms and conditions specified by the administrators of those platforms and in accordance with their applicable regulations, as well as to inform and promote our activities, events, promotions, build and maintain our community, and communicate through available platform functionalities (Article 6(1)(f) GDPR).

5. Data Recipients

The recipients of your personal data may only be entities authorized to receive it under applicable law. Additionally, data may be disclosed to entities authorized under data processing agreements, including, for example, providers of software used to operate the online store, training platform, and payment systems. To fulfill your order, data may also be shared with courier and postal operators.

6. Data Retention Period

Depending on the purposes for which we collect and process your personal data, the retention period may vary. We aim to keep your data only for as long as necessary to achieve the intended processing purposes. We store your personal data in compliance with applicable legal regulations, including specific retention and data storage requirements. However, we strive to limit this period to the minimum required.

If data is necessary for the execution of a contract or the provision of services, we will retain it for the period necessary to fulfill these purposes. After the contract ends or you stop using our services, data may be retained for an additional period for:

• Claiming rights arising from the contract;

• Fulfilling legal obligations, such as tax and accounting duties;

• Preventing fraud and abuse;

• Statistical and archival purposes, for a maximum period of 3 years after the end of the year in which the contract was executed or terminated.

For data processed based on voluntary consent, the data will be retained until the purpose for which they were collected ends or the consent is withdrawn, whichever occurs first.

In cases where you exercise your right to delete or rectify your personal data, we will make efforts to fulfill this request as quickly as possible unless there are other legitimate legal grounds or legitimate interests that require the data to be retained.

If you have any questions about the period of retention of your personal data, please feel free to contact us.

7. Exercising Rights of Data Subjects

What rights do you have and what do they entail?

Right of Access to Data
This right allows you to check whether the administrator processes your personal data and to obtain detailed information on the processing.

You can request information such as:

• The purpose of processing your data;

• The exact data the administrator holds about you;

• How the administrator acquired your data;

• The period for which your data will be stored and when they will be permanently deleted.

Right to Object to Processing
This right allows you to object to the further processing of your personal data by the administrator. This right applies when the data is processed:

• For the performance of a public interest task;

• Based on the legitimate interest of the administrator (e.g., for direct marketing);

After filing an objection to direct marketing, the company is no longer allowed to use the personal data for such purposes and must comply with the request free of charge.

However, there are situations where the company may continue to process the data despite the objection:

• For scientific, historical, or statistical research, processing is necessary for performing a task in the public interest;

• In cases where the company demonstrates that its legitimate interest outweighs the objection raised by the data subject.

Right to Rectification of Data
If a person believes their data is inaccurate, incomplete, or incorrect, they may request the company to rectify their data. The data must be corrected without delay, and if not, an explanation must be provided for not fulfilling the request.

Right to Restriction of Processing
This right means that the administrator can retain the data but cannot perform any other processing actions, e.g., cannot use the data in statistics or other reports.

Right to Restrict Processing

This right allows the data controller to store data but prevents them from carrying out any further processing activities, such as including the data in statistics or other reports.

When can the right to restrict processing be exercised?

• When an individual questions the accuracy of the data – the restriction lasts for the time needed to verify the correctness of the data.

• When an individual claims that the processing is unlawful but does not request the permanent deletion of their data.

• When an individual has objected to the processing of their data – the restriction applies until it is determined whether the objection is justified.

• When personal data is no longer necessary for the purposes for which it was collected but cannot be deleted due to legal obligations.

Right to Erasure, “Right to be Forgotten”

This right allows an individual to request the permanent deletion of their personal data from the data controller’s database or other resources. This applies when:

• The data is no longer necessary for the purposes for which it was collected.

• The individual has withdrawn consent for data processing.

• The data has been processed unlawfully.

However, there are situations where this right cannot be exercised, for example, if the data controller can demonstrate that there are still legal grounds for processing the data. This may occur, for instance, if the customer has not fully repaid a debt. In such cases, the individual cannot request the deletion of their personal data.

Right to Data Portability

This right allows an individual to transfer their personal data to another data controller. In practice, this means that an individual can request that the data controller, if technically feasible, transfers their personal data, which is processed in digital form and is based on consent or a contractual agreement, to another controller.

Right Not to Be Subject to Automated Decision-Making

Profiling occurs when personal factors are assessed to develop predictions about an individual, even if this does not result in a decision. For example, when a company or organization analyzes personal characteristics (such as age, gender, height) or categorizes an individual into a specific group, this is profiling.

An automated decision is one made solely by technical means without human intervention. It does not necessarily involve profiling.

Data protection regulations state that everyone has the right not to be subject to a decision based solely on automated processing if the decision produces legal effects or similarly significantly affects the individual.

An automated decision may be allowed if:

• The regulations permit the use of algorithms and ensure adequate safeguards.

• It is necessary (i.e., the only way to achieve a common goal) for the performance of a contract with the individual concerned.

• The individual has given explicit consent.

How to Exercise Your Rights

To exercise your rights, you must submit a request to us for the realization of rights related to the data subject. Before responding, we will need to verify the identity of the requester. Therefore, the request must contain the following elements:

• Identification details: The request should include your full identification details such as your name, address, email address, and phone number. This will help us identify you as the individual making the request.

• Specification of the right: The request should clearly specify which specific right related to personal data protection you wish to exercise.

• Scope of the request: The request should specify exactly what actions you want us to take in relation to the exercise of the right. For example, if you wish to exercise your right of access to personal data, specify the exact information you wish to receive and the format you prefer.

• Signature and date: The request must be signed by you personally. The signature confirms that you are the individual making the request. Additionally, provide the date of the request to determine when it was submitted.

• Response delivery method: The request should include information about how you wish to receive the response. This can be an email address, postal address, or another preferred method of contact.

It is important that the request is clear, precise, and complete so that we can process it effectively. If you have any doubts about the content of the request or the procedures for exercising your rights, we recommend consulting the data controller or a data protection specialist.

Where to Submit the Request

You can submit the request in person at our organization’s office, by mail, or by email.

Contact with the Administrator:

Contact with the Data Protection Specialist:

Response Time

We will respond to your request without undue delay, but no later than one month from the date of submission.

In justified cases (e.g., due to the complexity of the request or the number of requests), we may extend this period by up to two additional months. In such cases, we will inform you of the delay, the reason for it, and the expected response time, while still ensuring a response within the original one-month period.

In case of refusal to fulfill the request, we will notify you of the reasons for not taking action and the possibility of lodging a complaint with the President of the Personal Data Protection Office.

Transfer of Personal Data Outside the EEA

As a data controller, we do not transfer your information outside the European Economic Area. However, there may be instances where your personal data is transferred to countries outside this area, such as the United States, and to international organizations like the Google Group. This can occur due to the use of social media platforms like Facebook, Instagram, Twitter, or YouTube. In such cases, the entities involved typically use standard contractual clauses approved by the European Commission or rely on decisions by the European Commission confirming that an adequate level of data protection exists in those specific countries. Further details can be found on the respective social media platforms’ websites.

Profiling and Automated Data Processing

In certain cases, your personal data may be processed automatically without human intervention. This means that we use tools and technologies that analyze your data in an automated manner to perform specific functions, such as personalizing content, providing recommendations, or analyzing user behavior.

We may use profiling techniques, which involve automatically processing personal data to assess, analyze, or predict certain aspects regarding your preferences, behavior, interests, or needs. This helps us provide you with more personalized content, offers, or recommendations that may be more relevant to you.

Cookies

The website www.roim.pl uses cookies. These are small text files sent by the web server and stored by the browser software. When the browser reconnects to the site, the website recognizes the type of device being used. The parameters allow only the server that created the cookies to read the information they contain. Cookies thus make it easier to use previously visited websites. Information gathered includes IP address, browser type, language, operating system, internet service provider, time and date, location, and information submitted through the contact form.

The collected data is used to monitor and evaluate how users interact with our websites to improve site functionality, ensuring more efficient and seamless navigation. User information is monitored using Google Analytics, which tracks user behavior on the site. Cookies identify the user, allowing content to be tailored to their needs. We use cookies to ensure the highest level of convenience for our service, and the collected data is used only internally for optimization purposes.

Our website uses the following types of cookies:

• “Necessary” cookies, which allow the use of the services available on the site, such as authentication cookies used for services that require authentication.

• Security cookies, used for detecting misuse in authentication within the service.

• “Performance” cookies, which collect information about how users interact with the site.

• “Functional” cookies, which allow the site to “remember” selected user settings and personalize the user interface.

• “Advertising” cookies, used to deliver content more relevant to the user’s interests.

If a user does not wish to receive cookies, they can adjust their browser settings. Please note that disabling necessary cookies for authentication, security, and user preference maintenance may hinder or, in extreme cases, prevent access to the website.

Users can disable or enable cookie collection at any time by adjusting their browser settings. Instructions for managing cookies are available on the following pages:

• Chrome

• Safari

• Firefox

• Opera

• Internet Explorer

• Android

• Safari (iOS)

• Windows Phone

• Blackberry

Website Security

We inform you that the Administrator applies appropriate technical and organizational measures to ensure the maximum level of protection for individuals using the website and providing their personal data via the website.

To guarantee the highest level of security when using the website, it is secured with SSL protocol.

Final Provisions

ROIM Sp. z o.o. reserves the right to change this Privacy Policy at any time due to the scope of services offered or adaptations to updated laws. Whenever possible, we will inform you about the policy update before it takes effect.

Last update of the Privacy Policy: April 8, 2025.

This policy has been developed in collaboration with:

Polskie Centrum Audytu (PCA).