I. DEFINITIONS

1.1. Controller or Souve – Souve Szymon Machniak, with its registered address at ul. Dunikowskiego 14/7, 40-127 Katowice, Poland, NIP: 6343065999.

1.2. Personal Data – any information relating to an identified or identifiable natural person, identified or identifiable by reference to one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of that person, including device IP, location-related data, online identifier and information collected via cookies and similar tracking technologies.

1.3. Policy – this Privacy Policy, containing information on the processing of Personal Data within the Service.

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

1.5. Service – the website operated by the Controller in the domain https://souve.eu, available via internet browsers and, where applicable, via mobile or progressive web application solutions made available by the Controller.

1.6. Store – the Souve online store available through the Service, through which Souve offers products and related services at a distance.

1.7. User – any natural person visiting the Service or using one or more services or functionalities described in this Policy.

1.8. Device – an electronic device through which the User accesses the Service.

1.9. Account – an individual user account in the Service enabling use of additional functionalities, order history, wishlist, preferences and other account-based features.

1.10. Loyalty Program – any current or future customer loyalty, rewards or membership program operated by the Controller within the Service, mobile application or related channels.

1.11. Marketplace – functionality within the Service enabling the offering or fulfilment of products by third-party partners or suppliers cooperating with the Controller.

II. GENERAL INFORMATION

2.1. In connection with your use of the Service, we collect the data necessary to provide the services offered, process orders, handle returns and complaints, communicate with you, carry out marketing activities and ensure the proper functioning and security of the Service. In this respect, we act as the controller of your Personal Data and attach great importance to its proper protection.

2.2. We make sure that our Personal Data processing operations comply with applicable law, in particular the GDPR. Our objective is to provide you with full information regarding the processing of your Personal Data and to make available tools enabling you to exercise your rights.

2.3. We process your Personal Data lawfully and take appropriate steps to ensure that the data remains up to date and correct. For this reason, we may from time to time remind you to update your data by sending a message to the e-mail address provided by you or by displaying an appropriate notice in the Service after logging in to your Account.

2.4. This Policy applies to Personal Data processed through the Service, including in connection with browsing the Service, setting up and maintaining an Account, placing orders, handling returns and complaints, contacting us, using social login, receiving marketing communications, using wishlist and personalized functionalities, participating in any Loyalty Program, and using any current or future mobile application or PWA.

III. HOW CAN I CONTACT THE CONTROLLER AND THE DATA PROTECTION CONTACT?

3.1. If you have any questions related to the processing of your Personal Data by us or wish to exercise your rights, you may contact us directly at: hello@souve.eu or by post at: Souve Szymon Machniak, ul. Dunikowskiego 14/7, 40-127 Katowice, Poland.

3.2. The Controller personally handles data protection matters. For the purposes of this Policy, all privacy-related communications may be addressed to the contact details indicated above.

3.3. The e-mail address indicated above is intended for privacy and data protection matters. Messages unrelated to such matters, including unsolicited commercial offers, may remain unanswered.

IV. HOW DO WE OBTAIN YOUR PERSONAL DATA?

4.1. We obtain your Personal Data primarily directly from you in order to properly provide our services and ensure the efficient functioning of the Service.

4.2. You provide us with your data mainly by using dedicated forms when placing orders in the Store, registering and maintaining an Account, subscribing to the newsletter, managing your communication and shopping preferences, using the wishlist, submitting a return or complaint, contacting us via contact forms, support forms, chat or messenger tools, using social login, participating in any current or future Loyalty Program, or using any current or future mobile application or PWA.

4.3. We also receive certain data when you use the Service, including when you browse products, add products to cart or wishlist, abandon a cart, interact with marketing content, respond to campaigns, use support functionalities or otherwise engage with the Service.

4.4. Some data may also be obtained from trusted partners and service providers acting on our behalf or jointly with us in specific contexts, in particular payment operators, logistics partners, analytics and advertising providers, customer communication platforms, CRM and marketing automation tools, and social login providers.

4.5. In the case of social login, we receive the data made available to us by the relevant social media or identity provider, to the extent necessary for registration and account management and depending on the scope of permissions granted by you.

V. IS THE PROVISION OF PERSONAL DATA MANDATORY?

5.1. It is your decision whether and which Personal Data you provide to us; however, in some cases the provision of Personal Data is necessary for the proper performance of the services offered by us or for the conclusion and performance of a contract.

5.2. If you fail to provide data marked as required, it may not be possible to create and maintain an Account, place and complete an order, process a payment, deliver goods, handle a complaint or return, provide support, or enable certain Service functionalities.

5.3. Providing optional data is voluntary, but it may facilitate the use of the Service, improve the quality of support, personalize your shopping experience, tailor marketing communication, or enable participation in additional functionalities.

VI. HOW DO WE PROCESS YOUR PERSONAL DATA?

USE OF THE SERVICE

6.1. When you use the Service and you are not a registered User, your Personal Data, including IP address or other identifiers and information collected through cookies or similar technologies, is processed by us:

6.1.1. for the purpose of providing services by electronic means within the scope of making the content collected in the Service available to you – in such case the legal basis is the necessity of processing for the performance of a contract or for taking steps at your request prior to entering into a contract (Article 6(1)(b) GDPR);

6.1.2. for analytical and statistical purposes – in such case the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in conducting analyses of Users’ activity, preferences and shopping behavior in order to improve functionalities and services provided;

6.1.3. for the purpose of establishing, pursuing or defending against claims – in such case the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in protecting its rights and business interests;

6.1.4. for marketing purposes of the Controller and third parties, in particular related to the presentation of behavioral advertising – the principles of Personal Data processing for marketing purposes are described in the section MARKETING.

6.2. Your activity in the Service, including your Personal Data, is recorded in system logs. Information collected in logs is processed primarily for purposes related to the provision of services, and also for technical, administrative, security, system management, analytical and statistical purposes. In this respect, the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR).

REGISTRATION AND ACCOUNT MANAGEMENT

6.3. Persons who register in the Service are asked to provide data necessary to create and maintain an Account. To facilitate the use of the Account, you may provide additional data, thereby consenting to its processing where consent is the appropriate legal basis. Such data may be removed at any time. Failure to provide data marked as required prevents Account registration and operation. Provision of other data is voluntary.

6.4. Your Personal Data is processed:

6.4.1. for the purpose of providing services related to the creation and maintenance of the Account in the Service – the legal basis is the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR), and in the case of optional data, where applicable, consent (Article 6(1)(a) GDPR);

6.4.2. for analytical and statistical purposes – the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in analyzing Users’ activity in the Service, the use of the Account, wishlist, saved preferences and related functionalities in order to improve the Service;

6.4.3. for the purpose of establishing, pursuing or defending against claims – the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR);

6.4.4. for marketing purposes of the Controller and third parties – the principles are described in the section MARKETING.

6.5. You may also log in to your Account via social login providers, including Facebook, Google, X, TikTok and LinkedIn, and in the future possibly other providers such as Apple. In such a case, the Service obtains from your account with the relevant provider only the data necessary for registration and account management, in particular your name, e-mail address and profile picture/avatar, depending on the scope made available by the provider and accepted by you.

6.5.1. The scope of data to which we gain access is indicated in the message displayed together with the request to continue login. Continuing the login process means transferring the indicated data to our Service.

6.5.2. Detailed information regarding the scope and purposes of processing by the relevant provider, as well as related rights and privacy protection options, is described in the privacy policy of that provider.

6.6. If the User places in the Service any Personal Data of other persons, including their name, surname, address, telephone number or e-mail address, they may do so only provided that they do not infringe the law or the personal rights of such persons.

6.7. Account data may be retained until the Account is deleted by the User or, in the case of prolonged inactivity, removed by the Controller in accordance with the adopted retention rules. As a rule, inactive Accounts may be deleted after 3 years of inactivity, unless a longer retention period is required for legal or claim-related purposes.

PLACING ORDERS

6.8. Placing an order for goods or services offered by us involves the processing of your Personal Data. Provision of data marked as required is necessary in order to accept and handle the order, and failure to provide such data results in the inability to complete the order. Provision of other data is optional.

6.9. Your Personal Data is processed:

6.9.1. for the purpose of performing the placed order – the legal basis is the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR); in the case of optional data, where relevant, the legal basis may be your consent (Article 6(1)(a) GDPR);

6.9.2. for the purpose of fulfilling statutory obligations incumbent on the Controller, resulting in particular from tax and accounting regulations – the legal basis is compliance with a legal obligation (Article 6(1)(c) GDPR);

6.9.3. for analytical and statistical purposes – the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in analyzing Users’ activity in the Service and shopping preferences in order to improve the functionalities used;

6.9.4. for the purpose of establishing, pursuing or defending against claims – the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR).

6.10. In connection with order handling, we may also process information about selected payment methods, preferred shipping methods, order history, communication history, shopping preferences and other data related to order fulfillment and post-sale support.

6.11. In some cases, order fulfillment may involve cooperation with logistics partners, payment operators, customer service systems, invoicing tools, product suppliers and fulfilment partners acting on behalf of the Controller or supporting the performance of the contract.

COMPLAINTS AND RETURNS

6.12. Submitting a complaint or return involves the processing of your Personal Data. Providing data in the complaint form is not strictly mandatory in abstract, but is necessary for proper complaint handling. Providing data in the return form is not strictly mandatory in abstract, but is necessary for an effective withdrawal from the contract or return handling.

6.13. Your Personal Data is processed:

6.13.1. for the purpose of handling a complaint – the legal basis is the Controller’s legal obligation arising from applicable law, including consumer and civil law provisions (Article 6(1)(c) GDPR);

6.13.2. for the purpose of handling a return – the legal basis is the Controller’s legal obligation arising from consumer protection law (Article 6(1)(c) GDPR) or the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR), depending on the basis of the return;

6.13.3. for the purpose of performing other statutory obligations incumbent on the Controller, resulting in particular from tax and accounting regulations – the legal basis is Article 6(1)(c) GDPR;

6.13.4. for analytical and statistical purposes – the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR);

6.13.5. for the purpose of establishing, pursuing or defending against claims – the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR).

6.14. In the course of handling complaints and returns, we may process, in particular, order data, product details, reason for return, description of defect, supporting photographs of the product where provided, communication history and any data necessary to assess and complete the process.

CONTACT FORMS, SUPPORT, CHAT AND COMMUNICATION

6.15. We provide the possibility of contacting us through contact forms, support forms, chat tools, chatbot tools, messenger functionalities and similar communication channels. Using these channels requires providing Personal Data necessary to contact you and respond to your inquiry. Failure to provide required data may result in the inability to handle the request. Providing additional information is voluntary.

6.16. Your Personal Data is processed:

6.16.1. for the purpose of identifying and handling your inquiry sent through the made available communication channels – the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in handling the reported matter and conducting correspondence related to its business activity;

6.16.2. for analytical and statistical purposes – the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in compiling statistics regarding inquiries and improving Service functionalities and support quality;

6.16.3. where the inquiry relates to an order, complaint, return or contract performance – the legal basis may also be Article 6(1)(b) GDPR or Article 6(1)(c) GDPR, depending on the nature of the request.

6.17. Support and communication functionalities may be operated using tools provided by external service providers, including customer communication and messaging platforms. Such providers process data on our behalf or as separate controllers where required by the nature of the service.

ABANDONED CART

6.18. If you add products to your cart but do not complete your order, we may process your Personal Data in order to remind you about the incomplete purchase and support the completion of your order.

6.19. In such a case, the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in the recovery of potentially interrupted sales and improving the effectiveness of the sales process, or your consent where required under applicable marketing or e-privacy rules.

6.20. Data related to abandoned cart processes may be retained for up to 90 days, unless a longer period is justified by legal obligations or claims.

ANTI-ABUSE AND SECURITY VERIFICATION

6.21. In order to ensure the proper functioning of the Store and protect our business, users and partners, we verify whether users undertake actions that may hinder other customers from making purchases or may indicate abuse, fraud or conduct inconsistent with the intended use of the Store. Such analysis may include order history, payment behavior, return patterns, account behavior and other indicators relevant to transaction security.

6.22. The purpose of such processing is fraud prevention, abuse prevention, transaction security, protection of the Controller’s rights and ensuring the reliability of the Store. The legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR), and where relevant also the necessity of processing for the performance of the contract (Article 6(1)(b) GDPR).

6.23. Some orders or accounts may be automatically flagged or temporarily held for human review. However, Souve does not make decisions producing legal effects or similarly significantly affecting you solely on the basis of automated processing. Final decisions on suspension, refusal of completion, account limitation or other significant consequences are subject to human verification.

GEOLOCATION, MOBILE APP, PWA

6.24. If we make available location-based functionalities in the Service, mobile application or PWA, your Personal Data including location information may be processed in order to provide location-dependent functionalities, improve usability, personalize your experience or support delivery-related features.

6.25. Use of geolocation functionalities is optional and not required for proper use of the Service. The legal basis for such processing is your consent (Article 6(1)(a) GDPR), expressed, for example, by granting the browser or mobile application permission to access location services on your Device.

6.26. We process location data only if you grant such permission. Consent may be withdrawn at any time by changing the relevant settings of your browser, Device, mobile application or PWA environment. Withdrawal of consent does not affect the lawfulness of processing performed before its withdrawal.

6.27. In connection with any current or future mobile app or PWA, we may also process technical data related to the Device, app instance, push notification token, operating system, app interactions and other data necessary to provide and secure the application environment.

LOYALTY PROGRAM

6.28. If the Controller introduces a Loyalty Program, Personal Data of participants may be processed for the purposes of registration, management of participation, assigning benefits, calculating points or status, handling rewards, communicating program information and verifying eligibility.

6.29. The legal basis for such processing is the necessity of processing for the performance of a contract or program terms accepted by the participant (Article 6(1)(b) GDPR), compliance with legal obligations where applicable (Article 6(1)(c) GDPR), and the Controller’s legitimate interest in managing and developing the program (Article 6(1)(f) GDPR).

6.30. If the Loyalty Program involves profiling or segmentation for reward, recommendation or communication purposes, such activity will be carried out in accordance with the rules set out in the MARKETING section and subject to applicable legal requirements.

MARKETPLACE AND PARTNER-FULFILLED SALES

6.31. If the Controller introduces Marketplace or partner-fulfilled sales functionalities, Personal Data may be processed in order to present third-party offers, conclude and perform contracts, coordinate fulfilment, process payments, handle returns and complaints, prevent abuse and maintain the quality and security of the Service.

6.32. Depending on the adopted Marketplace model, selected partners may act as separate controllers or processors with respect to the data necessary to fulfil an order. In such cases, we will provide additional information in the Service or in dedicated terms and policies.

6.33. The legal basis for such processing will depend on the specific purpose, including performance of a contract (Article 6(1)(b) GDPR), legal obligation (Article 6(1)(c) GDPR) and legitimate interest (Article 6(1)(f) GDPR).

VII. MARKETING

7.1. We process your Personal Data for the purpose of carrying out marketing activities, which may consist in:

7.1.1. displaying marketing content corresponding to your interests, including behavioral advertising;

7.1.2. carrying out activities related to direct marketing of goods and services, including sending commercial information by electronic means, SMS/MMS communications, push notifications and similar channels where permitted by law;

7.1.3. segmenting users based on shopping behavior, preferences, activity and campaign interaction in order to better tailor communication and offers;

7.1.4. conducting audience matching, conversion measurement, campaign optimization and similar activities using trusted advertising platforms.

7.2. For the purpose of carrying out marketing activities, in some cases we use profiling. This means that through automated processing of data we assess selected factors concerning you in order to analyze your behavior or create future predictions. This allows better adaptation of displayed content, product recommendations, promotions and communication to your individual preferences and interests.

7.3. Such profiling does not produce legal effects concerning you and does not similarly significantly affect you. Its consequence is, in principle, a better adjustment of content, product suggestions, campaigns and advertising.

BEHAVIORAL ADVERTISING

7.4. Together with our trusted partners, we process your Personal Data, including data collected through cookies and similar technologies, for marketing purposes related to directing behavioral advertising to you, i.e. advertising tailored to your preferences.

7.5. In such cases, the processing of Personal Data may also include profiling, the consequence of which is only the display of tailored advertisements based on the Personal Data obtained by us and our partners.

7.6. Trusted partners may include, in particular, providers of analytics, ad delivery, retargeting, audience building, social media advertising and conversion measurement services.

DIRECT MARKETING

7.7. If you have given the relevant consent where required, your data may be used by us to send you marketing content through various channels, i.e. by e-mail in the form of a newsletter, by SMS/MMS, via push notifications, via in-app communication or other direct communication channels.

7.8. The legal basis for such processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in connection with your consent where required under applicable electronic communications or e-privacy laws, consisting in the marketing of offered goods and services.

7.9. Such actions are undertaken only if you have granted the relevant consent where required. You may withdraw your consent at any time, for example by clicking the unsubscribe link contained in a marketing e-mail, changing the relevant settings in your Account or contacting us at hello@souve.eu. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.

7.10. We may also carry out direct marketing by traditional mail to the postal address provided by you where applicable. In such case, the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR). You may object to such processing at any time.

PUSH NOTIFICATIONS

7.11. If you grant separate consent to receive push notifications, you may receive notifications displayed on your Device and/or browser containing marketing content related to our offers, services and promotions.

7.12. The legal basis for such processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in connection with your consent where required, consisting in marketing of offered goods and services.

7.13. You may withdraw consent to receive push notifications at any time by changing your browser, app, PWA or Device settings. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.

GOOGLE ADS CUSTOMER MATCH AND SIMILAR TOOLS

7.14. Marketing of products and services offered by us may be carried out using tools such as Google Ads Customer Match or similar audience matching solutions offered by advertising partners.

7.15. Such tools allow the Controller to upload a hashed database of customer identifiers, such as e-mail addresses, in order to verify whether user accounts corresponding to such identifiers exist within the partner ecosystem, and to display Souve advertisements to those users when permitted by law.

7.16. We may also use enhanced conversion or similar privacy-protected measurement tools in order to improve the accuracy of measuring the effectiveness of our marketing activities, including purchases resulting from ad interactions.

META CUSTOM AUDIENCES AND SIMILAR TOOLS

7.17. Marketing of products and services offered by us may also be carried out using tools such as Meta Custom Audiences or similar audience-building functionalities of advertising platforms.

7.18. Such tools may allow us to upload hashed identifiers in order to verify whether corresponding user accounts exist on a given platform and, if so, to display Souve advertisements to those users.

NEWSLETTER PREFERENCES AND SEGMENTATION

7.19. If you subscribe to our newsletter or similar communication, we may process information concerning your activity, clicks, purchases, browsing behavior, campaign response, saved preferences and selected interests in order to tailor the communication sent to you.

7.20. Newsletter-related data may be retained until you unsubscribe or object, and inactive marketing contacts may be removed after 24 months of inactivity, unless a longer retention period is justified by another lawful purpose.

VIII. SOCIAL MEDIA

8.1. We process Personal Data of persons visiting our profiles maintained on social media platforms, including in particular Facebook, Instagram, TikTok, X, LinkedIn and similar services.

8.2. Such data may be processed in order to communicate with users, present content, conduct marketing activities, analyze activity on our profiles and build our brand presence.

8.3. In some cases, the operator of the social media platform and the Controller may act as joint controllers for selected processing operations related to page insights, audience statistics or campaign tools, to the extent provided by the platform.

8.4. Detailed rules for the processing of Personal Data by the operators of social media services are set out in their respective privacy policies.

IX. TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?

9.1. We may disclose your Personal Data to entities with whom we cooperate in the performance of the services provided by us.

9.2. Depending on the method of delivery or return chosen by you, we will provide the data necessary for the performance of delivery or return to logistics or courier partners cooperating with us.

9.3. Depending on the payment method chosen by you, we will provide the data necessary to collect or process payment to payment operators cooperating with us.

9.4. If you consent to receive commercial information by e-mail, phone number, push or similar communication channel, we may transfer your data to entities providing such communication services on our behalf.

9.5. Your data may also be entrusted to entities processing Personal Data on our behalf to the extent necessary for hosting the Store, maintaining its infrastructure, analytics, customer service, marketing automation, CRM, communication tools, invoicing support, order processing, support systems and IT maintenance.

9.6. Depending on the current technical setup, cooperating entities may include in particular: hosting and infrastructure providers, including Hostinger and related hosting/CDN services; payment providers, including Stripe and Przelewy24; logistics and delivery partners, including DHL, UPS and other fulfilment or delivery partners; analytics and advertising providers, including Google, Meta and TikTok; CRM, segmentation, automation and integration providers, including FluentCRM and WP Fusion; communication and support providers, including Tawk.to, Messenger-based tools and other support systems; accounting, legal, tax, IT, hosting, security and consulting service providers.

9.7. In the context of partner-fulfilled sales, dropshipping or future Marketplace models, some Personal Data may also be transferred to product suppliers or fulfilment partners to the extent necessary to complete an order, handle logistics, support after-sales service or prevent abuse.

9.8. We are also entitled to disclose selected information concerning our Users to competent authorities or third parties making a request for such information based on an appropriate legal basis and in accordance with applicable law.

X. HOW LONG DO WE PROCESS YOUR PERSONAL DATA?

10.1. The period for which we process your Personal Data depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service provision, order fulfillment, support handling, or until withdrawal of consent or effective objection where the legal basis is the Controller’s legitimate interest.

10.2. The processing period may be extended where processing is necessary to establish, pursue or defend against claims, and thereafter only where and to the extent required by law. After expiry of the processing period, data is irreversibly deleted or anonymized.

10.3. By way of clarification, selected retention periods may include in particular: order and accounting-related data – for the period required by tax and accounting law and for the limitation period of claims; Account data – until deletion of the Account or up to 3 years of inactivity; newsletter and direct marketing data – until withdrawal of consent or objection, and inactive contacts may be deleted after 24 months of inactivity; abandoned cart data – up to 90 days; complaint and return data – for the period necessary to handle the case, comply with legal obligations and protect against claims; support and communication data – for the period necessary to handle the matter and, where justified, to protect legal interests.

XI. WHAT RIGHTS DO YOU HAVE IN CONNECTION WITH THE PROCESSING OF YOUR PERSONAL DATA?

11.1. In connection with our processing of your Personal Data, you have the following rights:

11.1.1. the right to information on the processing of Personal Data – on this basis the Controller provides you with information on the processing of your Personal Data, including in particular the purposes and legal bases of processing, the scope of data held, entities to whom it is disclosed, and the planned deletion date;

11.1.2. the right to obtain a copy of the data – on this basis the Controller provides you with a copy of the Personal Data processed concerning you;

11.1.3. the right to rectification – the Controller is obliged to remove any inconsistencies or errors in the processed Personal Data and complete it if it is incomplete;

11.1.4. the right to erasure – on this basis you may demand deletion of data whose processing is no longer necessary for any of the purposes for which it was collected;

11.1.5. the right to restriction of processing – in the event of such a request, the Controller ceases to perform operations on your Personal Data, except for operations to which you have consented and for storage, until the reasons for the restriction no longer exist;

11.1.6. the right to data portability – on this basis, to the extent that the data is processed in an automated manner in connection with a contract or consent, the Controller issues the data provided by you in a format allowing it to be read by a computer; it is also possible to request that such data be sent to another entity, if technically feasible;

11.1.7. the right to object to processing for direct marketing purposes – you may at any time object to the processing of your Personal Data for direct marketing purposes without having to justify such objection;

11.1.8. the right to object to other processing based on legitimate interest – you may at any time object, on grounds relating to your particular situation, to processing carried out on the basis of the Controller’s legitimate interest; such objection should include justification where applicable;

11.1.9. the right to withdraw consent – if data is processed on the basis of your consent, you have the right to withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal;

11.1.10. the right to lodge a complaint – if you consider that the processing of your Personal Data violates the GDPR or other data protection provisions, you may lodge a complaint with the competent supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).

11.2. Some of the above rights may also be exercised independently through your Account, where available, including updating or correcting selected Personal Data.

11.3. You may submit a request regarding all of the above rights by contacting us at hello@souve.eu or by post at the Controller’s registered address.

11.4. We will endeavor to respond to your request as soon as possible and, in any event, within the time limits required by law. If, due to the complexity of the request or the number of requests received, we are unable to provide a full response within the standard period, we will inform you of the extension.

11.5. If we have doubts as to whether the request is submitted by you, we may ask additional questions enabling verification of your identity. Failure to provide data necessary for verification may result in refusal to process the request.

11.6. The request may be submitted personally or through an authorized representative. Where necessary for data security, we may request an appropriate authorization document.

11.7. We retain information concerning submitted requests and the person submitting the request in order to demonstrate compliance, maintain the request register and establish, pursue or defend against claims. Such register is stored in a manner ensuring integrity and confidentiality.

XII. CHANGES TO THE PRIVACY POLICY

12.1. This Policy is reviewed on an ongoing basis and updated where necessary, in particular in the event of changes in law, changes in the technological setup of the Service, introduction of new functionalities, launch of a mobile application, PWA, Loyalty Program or Marketplace, or changes in the scope of services, partners or processing purposes.

12.2. The current version of the Policy is published in the Service and becomes effective from the date indicated by the Controller.

12.3. This version has been prepared for the Store Souve available at souve.eu.