PRIVACY POLICY
OF THE ONLINE SHOP BUY.NOTENOUGHMANA.COM
- DEFINITIONS
- Controller
Board and Dice Sp. z o.o.,
ul. Ryszarda Wagnera 34/14,
52-129 Wrocław, Poland
Tax ID No. (NIP): 899-285-40-85, National Business Registry no. (REGON): 381892339,
KRS: 0000759675
- Personal Data – information relating to a natural person, identified or identifiable by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, Internet identifier and information collected through cookies and other similar technology.
- Policy – this Privacy policy.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- Website – the website operated by Controller at buy.notenoughmana.com.
- User – any natural person visiting the Website or using one or more of the services or functionalities described in the Policy.
- PROCESSING OF DATA IN CONNECTION WITH THE USE OF THE WEBSITE
- In connection with the User’s use of the Website, the Controller collects data to the extent necessary to provide the individual services offered, as well as information about the User’s activity on the Website. The detailed rules and purposes of processing Personal Data collected during the User’s use of the Website are described below.
- PURPOSES AND LEGAL BASIS OF DATA PROCESSING ON THE WEBSITE
USE OF THE WEBSITE
- Personal Data of all persons using the Website (including IP address or other identifiers and information collected through cookies or other similar technologies), and who are not registered Users (i.e. persons who do not have a profile on the Website), are processed by the Controller:
- for the purpose of providing services electronically in the scope of making the content collected on the Website available to Users – then the legal basis for processing is the necessity of processing to perform the contract (Article 6(1) point (b) of the GDPR);
- for analytical and statistical purposes – then the legal basis for the processing is the Controller’s legitimate interest (Article 6(1) point (f) of the GDPR), consisting in conducting analyses of Users’ activities, as well as their preferences in order to improve the functionalities used and services provided;
- for the purpose of possible establishment and exercise of claims or defence against claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1) point (f) of the GDPR), consisting in the protection of his rights;
- The User’s activity on the Website, including his/her Personal Data, is recorded in system logs (a special computer program used to store a chronological record of information about events and activities that relate to the IT system used to provide services by the Controller). The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller also processes it for technical and administrative purposes, for the purposes of ensuring the security of the IT system and managing this system, as well as for analytical and statistical purposes – in this regard, the legal basis for processing is the Controller’s legitimate interest (Article 6(1) point (f) of the GDPR).
PLACING ORDERS (PURCHASE OF GOODS ON THE WEBSITE)
- Placing an order (purchase of goods) by a User of the Website involves the processing of his/her Personal Data. Provision of data marked as mandatory is required in order to accept and handle the order, and failure to provide such data will result in failure to process the order. Provision of other data is optional.
- Personal Data are processed:
- for the purpose of processing an order placed – the legal basis for processing is the necessity of processing to perform the contract (Article 6(1) point (b) of the GDPR); for data provided optionally, the legal basis for processing is consent (Article 6(1) point (a) of the GDPR);
- for the purpose of performing statutory obligations of the Controller, in particular under tax and accounting regulations – the legal basis for processing is a legal obligation (Article 6(1) point (c) of the GDPR);
- for analytical and statistical purposes – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1) point (f) of the GDPR), consisting in conducting analyses of Users’ activities on the Website, as well as their shopping preferences in order to improve the functionalities used;
- for the purpose of possible establishment and exercise of claims or defence against claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1) point (f) of the GDPR), consisting in the protection of his rights;
CONTACT FORMS
- The Controller shall provide the possibility of contacting him with the use of electronic contact forms. Using the form requires the User to provide Personal Data necessary to contact the User and respond to the inquiry. The User may also provide other data in order to facilitate contact or handle the inquiry. Provision of data marked as mandatory is required in order to accept and handle the inquiry, and failure to provide such data will result in the failure to handle the inquiry. Provision of other data is voluntary.
- Personal Data are processed:
- for the purpose of identifying the sender and handling his/her inquiry sent through the form provided – the legal basis for processing is the necessity of processing to perform the contract for the provision of service (Article 6(1) point (b) of the GDPR); with regard to data provided optionally, the legal basis for processing is consent (Article 6(1) point (a) of the GDPR);
- for analytical and statistical purposes – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1) point (f) of the GDPR), consisting in keeping statistics of inquiries submitted by Users through the Website in order to improve its functionalities.
- MARKETING
- The Controller provides the newsletter service under the terms set out in the terms and conditions to the persons who have given their e-mail address for this purpose. Provision of data is required to provide the newsletter service, and failure to do so will result in the inability to send the newsletter.
- Personal Data are processed:
- for the purpose of providing the newsletter service – the legal basis for processing is the necessity of processing to perform the contract (Article 6(1) point (b) of the GDPR);
- in the case of directing marketing content to the User as part of a newsletter – the legal basis for processing, including with the use of profiling, is the legitimate interest of the Controller (Article 6(1) point (f) of the GDPR) in connection with the consent given to receive the newsletter;
- for analytical and statistical purposes – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1) point (f) of the GDPR), consisting in conducting analyses of Users’ activities on the Website in order to improve the functionalities used;
- for the purpose of possible establishment and exercise of claims or defence against claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1) point (f) of the GDPR), consisting in the protection of his rights;
- SOCIAL NETWORKS
- The Controller processes Personal Data of Users visiting the Controller’s social media profiles (Facebook, YouTube, Instagram, Twitter). These data are processed exclusively in connection with the managing of the profile, including for the purpose of informing Users about the Controller’s activities and promoting various events, services and products. The legal basis for the Controller’s processing of Personal Data for this purpose is his legitimate interest (Article 6(1) point (f) of the GDPR) in promoting his own brand.
- COOKIES AND SIMILAR TECHNOLOGY
- Cookies are small text files installed on the User’s device when browsing the Website. Cookies collect information facilitating the use of the Website – e.g. by remembering the User’s visits to the Website and actions performed by him/her.
“WEBSITE” COOKIES
- The Controller uses so-called website cookies primarily to provide the User with electronic services and to improve the quality of such services. In this regard, the Controller and other entities providing analytical and statistical services to the Controller use cookies, storing information or accessing information already stored in the User’s telecommunications end device (computer, phone, tablet, etc.). Cookies used for this purpose include:
- cookies with user input data (session ID) for the duration of the session (user input cookies);
- authentication cookies used for services that require authentication for the duration of the session (authentication cookies);
- cookies serving to ensure security, such as those used to detect authentication abuse (user centric security cookies);
- multimedia player session cookies (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);
- persistent cookies used to personalize the User’s interface for the duration of the session or slightly longer (user interface customization cookies).
- ANALYTICAL AND MARKETING TOOLS USED BY THE CONTROLLER’S PARTNERS
- The Controller applies various solutions and tools used for analytical and marketing purposes. Below you will find basic information about these tools. The detailed information in this regard, on the other hand, can be found in the privacy policy of the respective partner.
GOOGLE ANALYTICS
- Google Analytics cookies are the files used by Google to analyse how the User uses the Website, to create statistics and reports on the functioning of the Website. Google does not use the collected data to identify the User, nor does it combine this information to enable identification. The detailed information about the scope and principles of data collection in connection with this service can be found at the following link: https://www.google.com/intl/pl/policies/privacy/partners.
GOOGLE ADS
- Google Ads is a tool that makes it possible to measure the effectiveness of advertising campaigns carried out by the Controller, allowing for analytics of data such as keywords or the number of unique users. The Google Ads platform also allows our advertisements to be displayed to people who have visited the Website in the past. The information on Google’s data processing with regard to the above service is available at the following link: https://policies.google.com/technologies/ads?hl=pl.
FACEBOOK PIXEL
- Facebook Pixel is a tool that makes it possible to measure the effectiveness of advertising campaigns carried out by the Controller on Facebook. The tool allows advanced data analytics in order to optimise the Controller’s activities also with the use of other tools offered by Facebook. The detailed information on data processing by Facebook can be found at this link: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.
- COOKIES SETTINGS MANAGEMENT
- Website cookies, which are necessary to use the Website, are automatically installed on the User’s device. Their use is necessary for the provision of the telecommunications service (data transmission in order to display the content) – the User does not have the possibility to opt out of these cookies if he/she wishes to use the Website.
- Analytical cookies are not automatically installed by the Controller. The User may grant the Controller permission to install analytical cookies by giving his/her consent when opening the Website (entering the website).
- The User may give his/her consent to the installation of analytical cookies by clicking on the “Allow All” button on the banner that appears when entering the website. The Controller will then be entitled to install analytical cookies in accordance with the settings of the browser used by the User (in the case of default settings, all cookies are installed).
- The User may agree to the installation of only the chosen analytical cookies. In order to do so, he/she should click on the “Allow Selection” button on the banner that appears when entering the website and select the cookies that the User consents to the installation of (each type and each cookie provider separately).
- Withdrawal of the consent to the use of cookies is also possible via the browser settings. The detailed information on this can be found at the following links:
- Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorerdelete-manage-cookies
- Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
- Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
- Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
- Safari: https://support.apple.com/kb/PH5042?locale=en-GB
- In the absence of consent or in the case of withdrawal of consent for a given type and a given provider of cookies (in the case of not accepting the installation of cookies in accordance with the settings of the browser), the Controller shall not install such cookies on the User’s end device.
- The User can at any time verify the status of his/her current privacy settings for the browser he/she is using with the use of the tools available at the links below:
- http://www.youronlinechoices.com/pl/twojewybory
- http://optout.aboutads.info/?c=2&lang=EN
- DURATION OF DATA PROCESSING
- The duration of data processing performed by the Controller depends on the type of service provided and the purpose of processing. As a rule, data shall be processed for the duration of the provision of service or the processing of the order, until the withdrawal of the consent given or until an effective objection is raised against the data processing in cases where the legal basis of the data processing is the legitimate interest of the Controller.
- The data processing period may be extended if the processing is necessary for the establishment and exercise of possible claims or defence against claims, and thereafter only if and only to the extent required by law. After the expiry of the processing period, the data shall be irreversibly deleted or anonymised.
- USER RIGHTS IN RELATION TO DATA PROCESSING
DATA SUBJECT RIGHTS
- Data subjects shall have the following rights:
- the right to be informed about the processing of personal data – on this basis the Controller shall inform the natural person making the request about data processing, including in particular about the purposes and legal basis for processing, the scope of data held, the entities to which the data are disclosed and the planned date of data erasure;
- the right to obtain a copy of the data – on this basis the Controller shall provide a copy of the processed data concerning the natural person making the request;
- the right to rectification – the Controller is obliged to rectify any inconsistencies or errors in the Personal Data processed and to complete them if they are incomplete;
- the right to data erasure – on this basis one can request the erasure of data the processing of which is no longer necessary for any of the purposes for which they were collected;
- the right to restrict processing – if such a request is made, the Controller shall cease performing operations on the Personal Data – with the exception of operations authorised by the data subject – and their storage, in accordance with the retention rules adopted or until the reasons for restricting the processing cease to exist (e.g. a decision is issued by a supervisory authority authorising further processing);
- the right to data portability – on this basis – to the extent that the data are processed by automated means in connection with the contract concluded or consent given, the Controller shall hand over the data provided by the data subject in a computer-readable format. It is also possible to request that the data be sent to another entity, provided, however, that it is technically feasible both on the part of the Controller and the designated entity;
- the right to object to processing for marketing purposes – the data subject may object at any time to the processing of Personal Data for marketing purposes, without the need to justify such objection;
- the right to object to other purposes of data processing – the data subject may object at any time, for the reasons relating to his/her particular situation, to the processing of Personal Data which is carried out on the basis of a legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons relating to the protection of property); the objection in this respect shall contain a justification;
- the right to withdraw consent – if the data are processed on the basis of the consent given, the data subject shall have the right to withdraw the consent at any time, which however does not affect the lawfulness of the processing carried out before the withdrawal;
- the right to lodge a complaint – if the processing of Personal Data is considered to be in breach of the provisions of the GDPR or other provisions relating to the protection of Personal Data, the data subject may lodge a complaint with the supervisory authority for the processing of Personal Data, which has jurisdiction over the data subject’s habitual place of residence, place of work or place where the alleged breach has been committed. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.
- SUBMITTING REQUESTS FOR THE EXERCISE OF RIGHTS
- The request concerning the exercise of rights of data subjects can be submitted:
- In writing to the Controller’s address;
- By means of electronic communication to the e-mail address: contact@boardanddice.com
- The request should, as far as possible, indicate precisely what is being requested, i.e. in particular:
- what right does the requesting party wish to exercise (e.g. right to obtain a copy of data, right to data erasure, etc.);
- what processing does the request concern (e.g. use of a particular service, activity on a particular website, receipt of a newsletter containing commercial information to a particular e-mail address, etc.);
- which purposes of the processing does the request concern (e.g. marketing purposes, analytical purposes, etc.).
- In the event that the Controller is unable to identify the natural person on the basis of the request submitted, the Controller will request additional information from the requesting party. The provision of such data is not mandatory, but failure to do so will result in the refusal to fulfill the request.
- The request may be submitted in person or through a proxy (e.g. a family member). For reasons of data security, the Controller encourages the use of a power of attorney in a form certified by a notary public or an authorised legal advisor or attorney, which will significantly accelerate the verification of the authenticity of the request.
- The response to the request should be given within one month of its receipt. If it proves necessary to extend this period, the Controller shall inform the requesting party of the reasons for doing so.
- Where the request has been sent to the Company by electronic means of communication, the response shall be given in the same form, unless the requesting party has requested a response in another form. In other cases, the response shall be given in writing. In case the deadline for fulfilling the request makes it impossible to respond in writing and the extent of the requesting party’s data processed by the Controller allows the contact by electronic means of communication, the response shall be given electronically.
- DATA RECIPIENTS
- In connection with the provision of services, Personal Data will be disclosed to the external entities, including in particular the suppliers responsible for the operation of IT systems, the entities such as banks and payment operators, accounting service providers, couriers (in connection with the processing of the order), marketing agencies (with regard to marketing services) and the entities related to the Controller, including companies forming part of his capital group.
- In the event of obtaining the User’s consent, his/her data may be also made available to other entities for their own purposes, including marketing purposes.
- The Controller reserves the right to disclose selected information concerning the User to the competent authorities or to third parties who submit a request for such information based on the appropriate legal basis and in accordance with the provisions of the applicable law.
- TRANSFER OF DATA OUTSIDE THE EEA
- The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers Personal Data outside the EEA only when necessary and with an adequate level of protection, in particular by:
- cooperating with processors of Personal Data in the countries which obtained a relevant decision of the European Commission, determining an adequate level of protection of Personal Data;
- using the standard contractual clauses issued by the European Commission;
- using the binding corporate rules approved by the competent supervisory authority;
- The Controller shall always give notice of its intention to transfer Personal Data outside the EEA at the stage of their collection.
- CONTACT DETAILS
- The Controller can be contacted at the e-mail address contact@boardanddice.com or correspondence address ul. Ryszarda Wagnera 34/14, 52-129 Wrocław, Poland.
- CHANGES TO THE PRIVACY POLICY
- The Policy is verified on an ongoing basis and updated as necessary.
- The current version of the Policy has been adopted and remains in force since 10th September 2024.