In connection with the implementation of the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation “GDPR”), we inform you about the principles of processing your personal data and your rights related to it.

1. General Information

1. The administrator of personal data is
   Essence Of… Sp. z o.o., with its registered office in Sosnowiec, registered in the National Court Register (KRS) under the number 0001068751, Tax Identification Number (NIP): NIP 6443578882, and National Business Registry Number (REGON): 526919552
2. Data protection is carried out in accordance with the requirements of generally applicable law, in particular, the Act of 10 May 2018 on the protection of personal data, the Act of 18 July 2002 on the provision of electronic services, and the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”).
3. Personal data provided by Users are treated as confidential and are not visible to unauthorized persons.
4. The Administrator has not appointed a Data Protection Officer.

1. Data Management

The Administrator will process personal data such as: first name, last name, address, email address, phone number, IP address, and data provided by the customer to the extent necessary for the performance of the contract.

III. Purposes of Processing Personal Data, Legal Basis, and Administrator’s Legitimate

Interest

1. The following purposes of data processing are distinguished:
   1. Initiating contact to provide all necessary information and explanations related to the subject of services provided by the Administrator – based on Article 6(1)(a) of the GDPR (consent); You have the right to withdraw your consent to the processing of personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
   2. Entering into a contract for the provision of services offered by the Administrator, communication between the parties, and the performance of the concluded contract – based on Article 6(1)(b) of the GDPR (performance of a contract),
   3. Entering into a sales contract for vouchers offered by the Administrator, communication between the parties, and the performance of the concluded contract – based on Article 6(1)(b) of the GDPR (performance of a contract),
   4. Securing information in case of legal need to demonstrate facts – based on Article 6(1)(f) of the GDPR (Administrator’s legitimate interest),
   5. Establishing, pursuing, or defending against claims – based on Article 6(1)(f) of the GDPR (Administrator’s legitimate interest),
   6. Settling the service – based on Article 6(1)(c) of the GDPR (performance of a legal obligation incumbent on the Administrator),

7. Marketing of services and goods offered by the Administrator – based on Article 6(1)(a) of the GDPR (consent); You have the right to withdraw your consent to the processing of personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Providing personal data is not obligatory; however, failure to provide them will make it impossible to perform the services provided by the Administrator.
8. Data Recipients

1. Your data may be disclosed to the following entities (only to the extent that it does not violate professional secrecy):
   1. Entities authorized under the provisions of the law,
   2. Entities with whom the Administrator has entered into a cooperation agreement,
   3. Payment system providers,
   4. Entities processing personal data on behalf of the Administrator, including IT service providers, hosting service providers, providers of email maintenance services, or entities handling the Administrator’s accounting services.

1. Transfer of Data to Third Countries or International Organizations

1. As a rule, your personal data are processed within the territory of Poland.
2. Exceptions may occur when the Seller sends Vouchers outside the territory of Poland and is obliged to provide contact details for the purpose of delivery.

1. Data Retention Period

1. 1. Your personal data will be retained by the Administrator: In the case where the basis for data processing is the performance of a contract, for as long as necessary to perform the contract, and thereafter for a period corresponding to the statute of limitations. If a specific provision states otherwise, the limitation period is 6 years, and for claims related to periodic benefits and claims related to business activities – three years.
   2. In the case where the basis for processing personal data is consent, for as long as the consent is not withdrawn, and after the withdrawal of consent, for a period corresponding to the statute of limitations that may be raised by the Administrator or against the Administrator. If a specific provision states otherwise, the limitation period is 6 years, and for claims related to periodic benefits and claims related to business activities – three years.

VII. Rights of the Data Subject

In connection with the processing of your personal data, you have the following rights:

1. The right to be informed about the processing of data (Art. 12 GDPR).
2. The right to access personal data (Art. 15 GDPR).
3. The right to request correction (rectification) of personal data (Art. 16 GDPR).
4. The right to request the erasure of personal data (Art. 17 GDPR).
5. The right to request a restriction of the processing of personal data (Art. 18 GDPR).
6. The right to data portability (Art. 20 GDPR).
7. The right to object to the processing of personal data not related to the provision of legal assistance by the Administrator (Art. 21 GDPR in conjunction with Art. 16a(2) of the Advocacy Act).
8. The right to lodge a complaint with the President of the Personal Data Protection Office or another relevant supervisory authority (Art. 77 GDPR).

VIII. Securing Personal Data

The Administrator makes every effort to ensure a high level of security in the processing of your personal data, and to this end:

1. Implements technical and organizational measures required by law, especially in the area of the security of personal data processing.
2. Implements measures to ensure the ability to continuously guarantee the confidentiality, integrity, availability, and resilience of processing systems and services.
3. Ensures a secure and encrypted connection during the transmission of personal data.

1. Information on the Requirement/Voluntariness of Providing Data

1. I inform you that providing your data is voluntary.
2. If you do not provide basic data, the Administrator may refuse to enter into a contract.

1. Other Information

1. Your personal data will not be subject to profiling.
2. The automated decision-making process will not be applied to you.

XII. Contacting the Administrator

1. For all matters related to the processing of your personal data by the Administrator and the exercise of rights related to the processing of personal data, you can contact us via email, phone, or traditional mail:
   • • Email address: club@orderyoni.com
     • Mailing address: ul. Braci Mieroszewskich, nr 59C, 41-219  Sosnowiec, Poland
   •  
2. If you contact the Administrator, any personal data voluntarily provided will be used solely for communication and handling inquiries.