The amended provisions on the protection of personal data have applied since May 25, 2018. The applicable regulation, commonly known as the GDPR, is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). As part of this Privacy Policy, while maintaining due diligence in connection with the processing of your personal data, we provide you with the most important information resulting in particular from Art. 13 GDPR. The security of your personal data is of the utmost importance to us. We make every effort to preserve all necessary attributes of your personal data during processing, in particular confidentiality, integrity and availability. Therefore, we have implemented appropriate organisational measures, including the necessary internal regulations, as well as technical measures to achieve this. Please read our Privacy Policy – you will learn from it how we manage personal data, including, among other things, who the Data Administrator is, what personal data we will process, what the purposes and legal basis for such processing are, with whom we can share personal data and on what basis, the principles of your rights under the GDPR, and how we use cookies.
§ 1 Legal definitions This Privacy Policy uses the following definitions: GDPR – this means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); Personal data – this means any information about an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual; Data administrator – this means an entity called Brikido Sp. z o. o., which independently determines the purposes and methods of processing personal data; Website – this means the website/web application/online store under which the Data Controller runs a website that operates in the Brikido.com domain (as well as Brikido.pl and Brikido.eu); User – this means a person using the Website; User’s end device – this means the electronic device through which the User gains access to the Website; Cookies – this means IT data, in particular text files, which are stored on the User’s end device and are intended for using the Website.
§ 2 Identity of the Data Controller 1. The administrator of your personal data is Brikido Sp. z o. o., based at Świeradowska 47 Street, 02-665 Warsaw, Poland, KRS: 0000977295, Tax ID NIP: 5213974585, REGON: 52244558300000. 2. You can contact the Data Administrator via the e-mail provided in the footer of Brikido.com. § 3 Purposes and legal basis for the processing of personal data 1. Your personal data is and/or may be processed for the purpose of: 1) provision of services provided by the Website consisting in the proper execution of the order placed by you, including enabling you to set up an account via the Website under which you will have access to your orders – pursuant to Art. 6 section 1 letter b GDPR (processing is necessary to perform a contract to which the data subject is a party or to take action at the request of the data subject before concluding a contract); 2) issuing an invoice – pursuant to Art. 6 section 1 letter c GDPR (processing is necessary to fulfill the legal obligation of the administrator); 3) sending a newsletter, including promotion and advertising of activities, products and services offered by the Data Administrator, provided that you consent in this regard – pursuant to Art. 6 section 1 letter a GDPR (the data subject has consented to the processing of his or her personal data for one or more specific purposes) and in accordance with Art. 10 section 2 of the Act of 18 July 2002 on the provision of electronic services; 4) pursuing or defending against claims, including complaint analyses, if you submit one to us – pursuant to Art. 6 section 1 letter f of GDPR (processing is necessary for the purposes of the legitimate interests pursued by the administrator); 5) answering your questions via all possible external communication mechanisms (e.g. e-mail, contact form, telephone call, chat, instant messaging supervised by social networking sites) – pursuant to Art. 
6 section 1 letter f GDPR (processing is necessary for the purposes of the legitimate interests pursued by the administrator); 6) data archiving in connection with the legal obligation of the Data Administrator resulting from the provisions of tax law – pursuant to Art. 6 section 1 letter c GDPR (processing is necessary to fulfill the legal obligation of the administrator); 7) archiving information, including personal information, in order to provide you with access to the history of your orders visible on the Website as part of the account you created – pursuant to Art. 6 section 1 letter f GDPR (processing is necessary for the purposes of the legitimate interests pursued by the administrator); 8) monitoring your activity within the Website in connection with ensuring the security and proper functioning of the Website, adapting the content displayed to your needs – pursuant to Art. 6 section 1 letter f GDPR (processing is necessary for the purposes of the legitimate interests pursued by the administrator); 9) monitoring your activity within the Website for analytical purposes in connection with collecting information on how the Website is used – pursuant to Art. 6 section 1 letter a GDPR (the data subject has consented to the processing of his or her personal data for one or more specific purposes); 10) monitoring your activity on the Website for marketing purposes via both cookies and other related technologies (our own and external partners) – pursuant to Art. 6 section 1 letter a GDPR (the data subject has consented to the processing of his or her personal data for one or more specific purposes). 2. 
Additionally, we would like to inform you that the Data Administrator may use automated processing mechanisms, including profiling – in order to properly adapt the final product to your expectations (in connection with the state of your possession of bricks and/or sets of bricks that you enter via the account created under Website) – such a process is necessary for the provision of the service, i.e. performance of the contract – pursuant to Art. 22 section 2 letter a GDPR. In addition, the Data Administrator may use profiling mechanisms for marketing purposes, for which the Data Administrator obtains your consent in accordance with this Privacy Policy.
§ 4 Scope of personal data processed 1. When you use the Website, we may process the following categories of personal data: 1) registration data in connection with setting up an account on the Website (e-mail address, user password) – data whose processing is necessary for the purposes of fulfilling the contract; 2) transaction data in connection with the purchase of our products (in particular such data as: payment information, including amount and currency, order number, name and surname, e-mail, User name, User country) – data whose processing is necessary for the purposes of fulfilling the contract, as well as due to the tax obligation imposed on the Data Administrator; 3) information necessary to issue an invoice in terms of your name, surname and residential address – data the provision of which is necessary due to the legal obligation imposed on the Data Administrator; 4) information of a non-personal nature, but which you provide in connection with the need to complete the order, in particular regarding what specific resources you have (what bricks and/or sets of bricks you currently have at your disposal) – information whose processing is necessary for the purposes of processing the order; 5) information that you additionally provide on your own initiative, e.g. how long it took you to build a specific structure – providing information is optional; 6) information used for sending the newsletter – providing information is optional; 7) personal information provided by you as part of e-mail and/or telephone communication with the Data Controller and/or via contact forms and/or chat and/or via social networking sites, mainly such as Facebook and/or Instagram (e.g. 
name and surname, telephone number, e-mail address, order information, other personal information provided by you) – providing data is optional in connection with the communication path you have chosen; 8) information about the User’s location or IP address in connection with monitoring your activity on the Website – in accordance with the cookie policy referred to in § 10 below, 9) other information processed in connection with cookies or related technologies – in accordance with the cookie policy referred to in § 10 below. 2. The personal data processed by the Data Controller are ordinary category personal data. The data administrator does not require you to provide particularly protected personal data referred to in Art. 9 section 1 GDPR or of a highly personal nature referred to in Art. 10 GDPR. The data controller applies the principles of minimization in the processing of personal data, as well as adequacy in the context of the processing purposes pursued. The so-called excess data may be processed by the Data Administrator only with the User’s consent.
§ 5 Recipients of personal data 1. Personal data may be made available to other data recipients such as: 1) entities conducting payment/transaction activities; 2) entities cooperating with the Data Administrator in handling accounting, tax and legal matters; 3) IT service providers, including entities providing the Data Administrator with server space in accordance with the current needs of the Data Administrator, including suppliers of the so-called cloud solutions; 4) suppliers providing central data repositories; 5) providers of technological solutions for the analysis of User behavior, including queries submitted to the server or errors occurring; 6) entities providing technical solutions in the field of product and service marketing. 2. The recipients of personal data may be both separate personal data administrators and processing entities with which the Data Controller concludes an agreement to entrust the processing of personal data in accordance with Art. 28 GDPR and who are obliged to keep data confidential. 3. The data administrator may also transfer personal data to competent state authorities if he is obliged or authorized to do so due to a legal obligation (in particular, if it is necessary in connection with the prosecution of crimes or securing rights or claims).
§ 6 Criterion of the period of storage of personal data The data administrator stores your personal data until the purpose for which they were collected is achieved, i.e. for the duration of the order, and after that time for the period in which the regulations require the data administrator to store them. The basic criterion for data storage will result in particular from the provisions of tax law, however, the Data Administrator also takes into account additional criteria for the duration of data storage (depending on the personal data processing process carried out). Such an additional criterion for storing personal data may be the time necessary to establish, defend and pursue claims. If the data processing process is based on your voluntarily granted consent, the criterion for storing personal data will be the revocation of your consent. Another criterion that may determine the period of storage of your personal data is the fact that, as a rule, the account created by you on the Website will be maintained for the period of time necessary for the Administrator to fulfill tax obligations, and after that time until you contact us to delete your account or delete it yourself (this solution allows you to have constant access to the history of your orders – according to your will).
§ 7 Rights of data subjects under Art. 15 – 22 GDPR 1. Each person whose personal data is processed has the right to request: 1) access to the content of your data – pursuant to Art. 15 GDPR (the data subject may find out, among other things, what personal data the Data Controller processes, how, for what purpose and on what legal basis); 2) correction of your data – pursuant to Art. 16 GDPR (the data subject may request that incorrect data be corrected or missing data be supplemented); 3) deletion of your data – pursuant to Art. 17 GDPR (if one of the conditions arising from Article 17(1) of the GDPR is met; the conditions excluding the possibility of fulfilling the request to delete data are provided for in Article 17(3) of the GDPR); 4) processing restrictions – pursuant to Art. 18 GDPR (the person whom data processing concerns, may submit an application to limit processing. If the request is justified, the Administrator may process data for storage while being in accordance with Article 18(2) of the GDPR); 5) the right to transfer data – pursuant to Art. 20 GDPR (right that can be exercised when the legal basis for processing is the consent of the person to whom the processing concerns or the implementation of the contract and processing takes place under conditions of full automation); 6) the right to object to processing – pursuant to Art. 21 GDPR (upon receipt of such a request, the Data Controller stops processing personal data to which the objection has been expressed, unless it demonstrates the existence of valid legitimate grounds for processing, overriding the interests of the applicant, rights and freedoms or grounds for establishing, pursuing or defending against claims); 7) the right not to be subject to a decision based solely on automated processing, including profiling – pursuant to Art. 
22 GDPR (the above does not apply if automated processing, including profiling, is necessary to conclude or perform a contract between the data subject and the administrator); 8) the right to withdraw consent at any time without affecting the lawfulness of processing (if processing is based on consent), which was made on the basis of consent before its withdrawal – pursuant to Art. 7 GDPR. 2. Natural persons affected by the processing may exercise the above-mentioned rights by submitting an application by e-mail to the address provided in the footer of Brikido.com. 3. The data controller shall, without undue delay – and in any case within one month from the date of receipt of the application – provide the data subject with information about the actions taken in connection with the exercise of the above-mentioned rights. If necessary, this deadline may be extended by a further two months due to the complexity of the request or the number of requests. Within one month of receiving the request, the Data Controller informs the data subject about such extension of the deadline, specifying the reasons for the delay. If the data subject has submitted a request electronically, the information will also be transmitted electronically, where possible, unless the data subject requests a different form. 4. Any person whose personal data is processed has the right to lodge a complaint with the supervisory authority responsible for the protection of personal data in the Member State of their habitual residence, place of work or place of the alleged infringement. In Poland, the supervisory authority is the Personal Data Protection Office with its registered office in Warsaw at Stawki 2 Street, 00-193 Warsaw, Poland.
§ 8 Transfer of personal data to third countries 1. Generally speaking, a third country is a country where the GDPR is not a binding legal act. 2. Due to the Data Administrator’s use of technological solutions of partners who process personal data in third countries (e.g. Google, Microsoft), including the use of their server resources, and also due to the fact that you can communicate with the Administrator data via social networking sites mainly such as Facebook and/or Instagram, whose owners also process personal data in a third country, the Data Controller informs that it transfers your personal data outside the EEA (European Economic Area). 3. The Data Controller may transfer personal data to a third country if it has appropriate legal grounds to do so, including to recipients located in a country that ensures an adequate level of personal data protection, or as part of other procedures that meets the requirements of the European Union regarding transfer of personal data to data processors outside the EEA, in particular on the basis of standard data protection clauses adopted by the European Commission, referred to in Art. 46 section 2 letter c GDPR. Information on how personal data is processed by Google is available at: https://policies.google.com/privacy. In the case of Microsoft, this information can be obtained at: https://privacy.microsoft.com/privacystatement. In turn, communicating with the Administrator via Facebook and/or Instagram, Messenger or liking the Fanpage is understood by the Data Administrator as a clear action confirming that the user wishes this type of processing. In this case, the processing of personal data is based on Art. 49 section 1 letter a GDPR – as a result of the lack of a decision confirming the appropriate level of protection specified in Art. 45 section 3 GDPR or lack of appropriate safeguards specified in Art. 46 GDPR, including binding corporate rules. 
The owners of Facebook/Instagram process personal data on their own terms set out in their own privacy policy available at: https://www.facebook.com/about/privacy – therefore, the Data Controller has no influence on the effects of such processing.
§ 9 Obligation or voluntariness to provide personal data 1. Providing personal data is a contractual requirement, which means that it is necessary for the User to create an account, place and process an order. Providing personal data may also be a legal requirement (in particular due to tax law provisions). Failure to provide personal data marked as necessary (in the frame of § 4 above) will result in the inability to complete the order. The data administrator additionally informs that he requires you to create an account due to the fact that the subject of the order is made available under this account. 2. Providing data for marketing purposes is voluntary. § 10 Cookie policy 1. Cookies (so-called “cookies”) are IT data, in particular text files, which are stored on the Website User’s end device and are intended for using the Website. Cookies usually contain the name of the website they come from, their storage time on the end device and a unique number. 2. Cookies may be used for the purposes referred to in point 4 below (including, depending on your consent, in the case of analytical or marketing cookies). 3. The Website uses two basic types of cookies: “session cookies” and “persistent cookies”. “Session” cookies are temporary files that are stored on the User’s end device until logging out, leaving the website or turning off the software (web browser). “Permanent” cookies are stored on the User’s end device for the time specified in the cookie parameters or until they are deleted by the User. 4. The following types of cookies are used on the Website: 1) “essential cookies”: are required to ensure efficient and safe use of the Website (necessary for technical reasons) – e.g. selected language settings, presentation of content and images in an optimized way, website accessibility, prevention of abuse/fraud in connection with the registration of login processes. 
You cannot disable this category of cookies and your consent in this regard is not required or you are deemed to consent by continuing to visit the website (depending on the legal form adopted in the User’s national law); 2) “analytical cookies” – analytical cookies collect information about how the Website is used by visiting Users, the type of website from which the Users were redirected, the number of visits by Users and the duration of the visit to this website. These files are used to compile statistics on the use of the Website by Users. Deleting these files does not prevent the use of the Website. For “analytical cookies” in an extended format, we use solutions from Google Inc. i.e. “Google Analytics”. Information about how Google uses cookies is available at https://policies.google.com/technologies/cookies?#how-google-uses-cookies 3) “advertising cookies (within our website)” – they enable the collection of information about your interests, preferences, products that you browse and/or buy on the Website. This information allows us to present you more personalized marketing content regarding our products – in the context of your behavior on the Website. Deleting these files does not prevent the use of the Website; 4) “advertising cookies (from other entities)” – enable us to present you personalized marketing content regarding our products and services on websites other than the one managed by the Data Controller, including social networking sites. Deleting these files does not prevent the use of the Website. Consent to this type of cookies means that you allow entities such as Google, Facebook, Instagram to place cookies containing information about your interests and behavior, including information about the products and services you browse and/or buy, on our website and other websites and social media. 
Ownership bodies of the above-mentioned social networking sites process personal data on their own terms set out in their own privacy policies available at: a) https://policies.google.com/technologies/partner-sites b) https://www.facebook.com/privacy/center/ c) https://privacycenter.instagram.com/ 5. The legal basis for the processing of personal data in connection with cookies marked as “necessary” is Art. 6 section 1 letter f GDPR (processing is necessary for the purposes of the legitimate interests pursued by the administrator). In the case of cookies marked as “analytical cookies”, “advertising cookies (within our website)” and “advertising cookies (from other entities)”, the legal basis for data processing is the voluntary consent of the Website User, i.e. Art. 6 section 1 letter a GDPR. You can change your cookie settings at any time and delete cookies saved in your browser at any time. Detailed information about the possibilities and methods of handling cookies are available in the software (web browser) settings. To manage cookie settings, select your web browser/system from the list below and follow the instructions: § Chrome § Safari § Firefox § Opera § Android 6. The Website also uses “cookie-independent technologies enabling the display of marketing content”. These technologies enable us to display to you via the Website personalized marketing information that is important to you. Personalized information may be the result of analyzing your profile, including your purchase history or the sets of blocks you enter. Failure to consent in this respect does not prevent the use of the Website. 7. When you visit the Data Administrator’s website for the first time, you will receive a message regarding cookies and related technologies. At this stage you can select the following options: “I accept and go to the Website” or “Advanced settings”. By clicking “I accept and go to the Website”, you consent to all cookies, i.e. 
“analytical cookies”, “advertising cookies (within our website)” and “advertising cookies (from other entities)”, as well as to related technologies (independent of cookies). If you want to personalize the settings, click “Advanced settings” and select according to your preferences.
§ 11 Security mechanisms introduced by the Data Administrator 1. It is obvious that the Data Controller cannot publish detailed information on the security mechanisms used, hence it only provides a few of the many technical and organizational measures used, including: 1) appropriate data protection policies have been implemented; 2) carrying out the risk assessment process, including impact assessment due to Art. 35 GDPR; 3) applying authorizations to process personal data for persons processing personal data at the request of the Data Administrator and obliging these persons to keep personal data confidential; 4) the use of cryptographic security where, in the opinion of the Data Administrator, it is necessary, including in the context of the use of mobile devices used to process personal data; 5) use of professional entities processing personal data on behalf of the Data Administrator in the context of providing server space; 6) making copies of databases and testing their integrity; 7) connections between the server resource and the Website are encrypted with a security protocol (SSL/TLS Certificate).
§ 12 Changes to the Privacy Policy 1. The data administrator reserves the right to make changes to this Privacy Policy. 2. New versions of the Privacy Policy will be posted on the Website along with an appropriate message. The amended Privacy Policy will be effective from the date of posting the appropriate notice on the Data Administrator’s website.