This privacy policy (hereinafter referred to as the “the Policy”) of the website https://cdrl.pl/ (hereinafter “the Website”) is intended for users of the Website who are natural persons (hereinafter “Users” or “User”). It contains information about the processing of Users’ personal data in respect of their use of the Website, as required by Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (The General Data Protection Regulation, hereinafter “the GDPR”), as well as information about cookies used by the Website.
The controller of the Users’ personal data, as defined in Article 4(7) of the GDPR (i.e. the entity that determines the purposes and means of the processing of personal data), is CDRL Spółka Akcyjna with its registered office in Pianowo, ul. Kwiatowa 2, 64-000 Pianowo, entered into the Register of Entrepreneurs of the National Court Register under number KRS 0000392920, NIP (tax identification number): 6981673166, email address: bok@coccodrillo.pl (hereinafter “the Controller”).
The Controller has designated a Data Protection Officer, whom Users may contact with respect to matters regarding their personal data, at the email address: iodo@cdrl.pl.
The Controller processes Users’ personal data for the following purposes:
For the purpose of responding to a message from a User who is a franchisee, directed to the Controller via contact form, email, or phone, the Controller processes the personal data provided by the User via contact form (such as name, email address and any other personal data provided by the User), email or phone. The legal basis for processing the User’s data for this purpose is Article 6(1)(a) of the GDPR, i.e. the User’s consent to the processing of their personal data entered in the contact form, email, or provided during the phone call.
The Controller may process the User’s personal data in order to analyze the User’s activity on the Website. In this case, the data processed include information about the User’s session on their device, operating system, browser, location, and a unique IP address identifier. The legal basis for processing the User’s personal data for this purpose is Article 6(1)(f) of the GDPR, i.e. the Controller’s legitimate interest in analyzing the User’s activity on the Website.
The Controller may process the User’s personal data to compile statistics on the use of particular functionalities of the Website, to facilitate the use of the Website, and to ensure the IT security of the Website. In this case, the data processed include personal data regarding the User’s activity on the Website, the amount of time spent on each subpage of the Website, the User’s search history, location, IP address, device ID, and data regarding the User’s web browser and operating system. The legal basis for processing the User’s data for this purpose is Article 6(1)(f) of the GDPR, i.e. the Controller’s legitimate interest in processing the User’s personal data.
The User’s personal data may be transferred by the Controller to external recipients if it is necessary for the proper functioning of the Website. Users’ personal data is most likely to be transferred to entities providing IT services to the Controller with respect to the functioning of the Website.
In each case, the Controller ensures that any entities to whom Users’ personal data is transferred provide a high level of protection for that data, and that appropriate agreements for the processing of Users’ personal data are concluded with all such entities.
The Controller also ensures that Users’ personal data is not to be transferred to any countries outside the European Economic Area or to any international organizations.
The User’s personal data processed for the purpose of responding to their message (via contact form, email or phone) does not have a fixed storage period; however, it is stored no longer than necessary to achieve the purposes of processing and the Controller’s legitimate interests.
The User’s personal data obtained through cookies saved on the User’s end device is stored for a period corresponding to the lifespan of the cookies saved on the User’s end device, or until they are deleted from the device by the User.
The User has the right to withdraw consent given to the processing of their personal data at any time if their consent is the legal basis for processing their personal data (Article 6[1][a] of the GDPR). The User may withdraw consent to processing their data by sending the Controller a statement expressing their desire to withdraw consent (for example, via email). Withdrawal of consent takes effect from the moment the Controller receives the withdrawal statement and does not affect the lawfulness of the processing of the User’s personal data by the Controller prior to the withdrawal.
Legal basis: Article 7(3) of the GDPR
The User has the right to obtain from the Controller confirmation as to whether or not their personal data is being processed, and, where that is the case, the User has the right to:
a) obtain access to their personal data;
b) obtain access to the following information: the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients of the data, the envisaged period of storage of the User’s data or the criteria for determining that period, the User’s rights under the GDPR, the right to lodge a complaint with a supervisory authority, the source of the data, the existence of any automated decision-making (including profiling), and the safeguards provided in respect of the transfer of the data outside the European Economic Area;
c) obtain a free copy of their personal data. For any further copies requested by the User, the Controller may charge a fee reflecting the cost of preparation.
Legal basis: Article 15 of the GDPR
The User has the right to rectify and complete their personal data. The User can do so by submitting a request to rectify the data (if it is inaccurate) or to complete the data (if it is incomplete).
Legal basis: Article 16 of the GDPR
The User has the right to request the erasure of all or some of their personal data.
The User may request the erasure of their personal data if:
a) the User’s personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
b) the User’s personal data is processed unlawfully;
c) the User objects to the processing based on the Controller’s legitimate interest;
d) the personal data has to be erased in order to comply with a legal obligation in Union or Member State law to which the Controller is subject;
e) the personal data has been collected in relation to the offer of information society services.
If the request for the erasure of personal data is based on the User’s objection (see point VII [D][c] of the Policy), the Controller may continue to process the User’s personal data to the extent necessary for establishing, exercising or defending claims, as well as to the extent necessary to comply with a legal obligation which requires processing by Union or Member State law to which the Controller is subject.
Legal basis: Article 17 of the GDPR
The User has the right to request that the Controller restrict the processing of their personal data, i.e. refrain from processing the data with the exception of storage, in the following cases:
a) when the User contests the accuracy of their personal data – for a period enabling the Controller to verify the accuracy of the data;
b) when the processing of the data is unlawful, but the User opposes the erasure of the data and requests the restriction of their processing instead;
c) when the User’s personal data is no longer necessary for the purposes for which it was collected or used, but it is required for the establishment, exercise or defense of legal claims;
d) when the User has objected to the use of their data – then the restriction applies for the time needed to determine whether the protection of the User’s interests, rights, and freedoms overrides the interests pursued by the Controller in processing the User’s data.
Legal basis: Article 18 of the GDPR
If the User’s personal data is processed by the Controller on the basis of the User’s consent or for the purpose of entering into a contract with the User (Article 6[1][a] and [b] of the GDPR), the User has the right to receive, in a structured, commonly used, machine-readable format, the personal data that they have provided to the Controller, and the right to transmit that personal data to another controller without hindrance from the Controller, if technically feasible.
Legal basis: Article 20 of the GDPR
The User has the right to object at any time to the processing of their personal data if the processing is based on the Controller’s legitimate interest (Article 6[1][f] of the GDPR). If the User’s objection is found to be justified and the Controller has no other legitimate legal basis for processing the User’s personal data, as well as no basis for establishing, exercising, or defending its claims, the Controller will erase the User’s personal data to the use of which the User has objected.
Legal basis: Article 21 of the GDPR
If, in exercising the rights described above in points VII (A-G) of the Policy, the User submits a request to the Controller, compliance with or refusal to comply with the request will occur without undue delay and no later than within one month of receiving the request. If, however, due to the complex nature of the request or the number of requests, the Controller is unable to comply with the User’s request within one month, the Controller will comply with the request no later than within two further months, after first informing the User of the need to extend the deadline.
If the User believes that the right to the protection of personal data or other rights granted to the User under the GDPR have been violated, the User has the right to lodge a complaint with a supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
Legal basis: Article 77 of the GDPR
Providing personal data by the User is always voluntary; however, it is necessary in order for the Controller to perform the actions listed in point IV of the Policy.
The consequence of the User failing to provide the data required for the purposes mentioned above will be the inability for the User to perform the aforementioned actions.
Users’ personal data will not be subject to profiling by the Controller, nor will they be subject to any other automated decision-making processes.
The Controller informs that when using the Website, short text files called “cookies” are saved on the User’s end device. Cookies contain such IT data as: the IP address of the User, the name of the website from which they originate, the time they are stored on the User’s end device, saved parameters and statistics, and a unique identifier. Cookies are sent to the Website’s server via the web browser installed on the User’s end device. Cookies are used for the following purposes:
a) to maintain the technical functionality and continuity of the session between the Website’s server and the User’s end device;
b) to optimize the User’s experience of the Website and to adjust the way it is displayed on the User’s end device;
c) to ensure the safe use of the Website;
d) to collect statistics about Users’ visits to the Website’s web pages in order to improve their structure and content;
e) to display advertising content on the User’s end device, optimally tailored to the User’s preferences.
Within the Website, two types of cookies are used: “session cookies” and “persistent cookies”. Session cookies are files that are automatically deleted from the User’s end device after logging out of the Website, leaving the Website, or closing the web browser. Persistent cookies are stored on the User’s end device for the time specified in the cookies’ parameters or until they are deleted by the User. Persistent cookies are installed on the User’s end device only with their consent.
The Controller further informs that:
Access to cookies processed by the Website’s server is only available to the Controller.
The Controller may also use third-party cookies:
a) _GRECAPTCHA – set by the Google reCAPTCHA service to identify bots in order to protect the Website from malicious spam attacks (cookie controller: Google LLC based in the USA; storage period: 6 months);
b) Turnstile – to identify bots in order to protect the Website from malicious spam attacks (cookie controller: Cloudflare, Inc. based in the USA; storage period: 6 months);
c) to display multimedia content on the Website that is fetched from the external website YouTube.com (cookie controller: Google LLC based in the USA; storage period: 6 months).
If the User does not consent to the storage and receipt of information in cookies, they can change the cookie settings via their web browser:
d) Internet Explorer;
e) Microsoft Edge;
f) Mozilla Firefox;
g) Chrome (and Chrome Mobile);
h) Safari (and Safari Mobile);
i) Opera.
If it becomes necessary to update the information contained in the Policy or to ensure its compliance with applicable law or with the technological conditions of the Website, the Policy may be subject to change. Users will be informed of any changes to the Policy by a notice displayed on the Website.
This website uses small files called cookies. They are stored by CDRL S.A. on the end device of the person visiting the website if the web browser allows it. The cookie file usually contains the domain name from which it comes, its “expiration time” and an individual, randomly selected number identifying this file. Information collected through such files helps to adjust products offered by CDRL S.A. to individual preferences and actual needs of people visiting the online store. They also allow for the development of general statistics of visits to products presented in the online store.
CDRL S.A. uses two types of cookies:
a) Session cookies: after ending a session of a given browser or turning off a computer, saved information is deleted from the device’s memory. The session cookie mechanism does not allow for downloading any personal data or any confidential information from customers’ computers.
b) Persistent cookies: they are stored in the end device memory of the customer and remain there until they are deleted or expire. The persistent cookie mechanism does not allow for downloading any personal data or any confidential information from customers’ computers.
CDRL S.A. uses first-party cookies for:
a) Authenticating customers in the online store and providing customer sessions in the online store (after logging in), so that customers do not have to re-enter their login and password on each subpage of the online store;
b) Analysis and research as well as auditing viewership, in particular for creating anonymous statistics that help understand how customers use the Store’s Website, which allows for improving its structure and content.
CDRL S.A. uses third-party cookies for:
a) Promoting the online store using facebook.com social networking site (third-party cookie administrator: Facebook Inc based in USA or Facebook Ireland based in Ireland);
b) Collecting general and anonymous statistical data through analytical tools Gemius Traffic (third-party cookie administrator: Gemius S.A. based in Warsaw);
c) Collecting general and anonymous statistical data through analytical tools Google Analytics (third-party cookie administrator: Google LLC based in USA);
d) Internet analytics through the Google Analytics tool (measuring traffic and monitoring user behavior) (third-party cookie administrator: Google LLC based in USA).
Information from Google accounts used to display ads includes: gender, age range, preferred language.
e) Conversion analysis of marketing campaigns conducted using the Facebook Pixel Code tool, using facebook.com social networking site (third-party cookie administrator: Facebook Inc based in USA or Facebook Ireland based in Ireland). Pixel collects user data that allows measuring conversions, optimizing ads, creating custom audiences groups and running remarketing campaigns;
f) Presenting ads tailored to customer preferences using the Google AdSense online advertising tool (third-party cookie administrator: Google Inc based in USA);
g) Presentation of Rzetelny Regulamin Certificate through rzetelnyregulamin.pl website (third-party cookie administrator: Rzetelna Grupa sp. z o.o. based in Warsaw).
RTB House – remarketing ads – information about users’ online activity on advertiser’s website. This information includes online identifiers (cookie ID), information about views of individual pages or subpages of the website and information about views or adding individual products available on the site to cart, as well as timestamps and technical information about devices and search engines. The client (advertiser) orders RTB House as its subcontractor and advertising technology provider to conduct advertising campaigns and personalize ads for users based on this information. To the extent that this information constitutes “personal data” within the meaning of GDPR, the client (advertiser) is an administrator, and RTB House is a data processor.
The mechanism of cookies is safe for customers’ computers used to access the online store. In particular, this method does not allow viruses, other unwanted software or malicious software to enter customers’ computers. Nevertheless, customers have the option to limit or disable access to cookie files on their computers through their web browsers. If this option is used, using the online store will be possible except for functions that require cookie files.
Below are instructions on how to change cookie settings in popular web browsers:
b) Microsoft EDGE;
c) Mozilla Firefox;
f) Opera.
CDRL S.A. may collect customer IP addresses. An IP address is a number assigned to a computer of a person visiting a website by an internet service provider. The IP number allows access to the Internet. In most cases, it is assigned dynamically, i.e. it changes with each connection to the Internet. The IP address is used by CDRL S.A. for diagnosing technical problems with the server, creating statistical analyses (e.g. determining which regions have the most visits), as information useful for administering and improving the Online Store, as well as for security purposes and possible identification of unwanted automatic programs for browsing Online Store content that overload the server.
The Online Store contains links and references to other websites. CDRL S.A. is not responsible for privacy policies applicable to them.
This page uses cookies. By clicking “Accept cookies”, you agree to store cookie files on your device. You can specify the conditions for storing or accessing the cookie mechanism in your browser. More information can be found in the Privacy Policy tab.