Privacy Policy
§1 Personal information management
- The Controller of personal information is TOMA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in WYSOGOTOWO, ul. SZPARAGOWA 10, entered in the register of companies of the National Court Register of the District Court for POZNAŃ, 21st Commercial Division of the National Court Register under number KRS 0000084017, NIP [tax identification number]: 7772194812, REGON [statistical identification number]: 631035381, with a share capital of PLN 1,394,000.00.
- Contact with the person supervising the processing of personal data within the organisation is possible by e-mail at the following e-mail address: info@toma.com.pl, by regular mail by writing to the Controller’s address or by phone at +48 61 896 28 28.
- This Policy sets out the principles relating to the Controller’s processing of personal data on the Website, including the legal grounds, purpose and scope of the processing of personal data and the rights of data subjects.
- Personal data shall be processed by the Controller in accordance with the applicable legislation, in particular in conformity with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). The official text of the GDPR is available at: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
- User's rights are not absolute and do not apply with regard to all personal data processing activities.
§2 Definitions
- Controller: TOMA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in WYSOGOTOWO, ul. SZPARAGOWA 10, Poland, entered in the register of companies of the National Court Register of the District Court for POZNAŃ, 21st Commercial Division of the National Court Register under number KRS 0000084017, NIP: 7772194812, REGON: 631035381, with a share capital of PLN 1,394,000.00.
- Personal data: any information relating to an identified or identifiable natural person, who can be identified by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity, including the IP of the device, Internet identifier or information collected through cookies and other similar technologies.
- Policy: This Privacy Policy.
- Cookie Policy: a document defining the rules for the use of cookies on the Website, available at: toma.com.pl/polityka-cookies.html.
- Profiling: automated processing of personal data which involves analysing and predicting user behaviour.
- The GDPR/ GDPR Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
- Website: the Internet web page operated by the Controller at: toma.com.pl.
- User: each and every natural person visiting the Website or using one or more services or functionalities described in the Policy.
§3 Security
- The Controller has implemented appropriate technical and organisational measures to ensure the security of the processing of personal data and hereby warrants and represents that the data it collects are:
- processed lawfully;
- collected for specified, legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- substantively correct and adequate to the purposes for which they are processed;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
§4 Purposes and legal grounds for personal data processing
- Pursuant to Article 6(1) letter a) of the GDPR Regulation (consents) personal data may be processed for the following purposes:
- Marketing of products and services of the Controller and the Controller's partners.
- Retargeting and behavioural advertising, including the display of personalised advertisements based on the user's activity history on the Website and on other websites. Data processing for these purposes is carried out solely on the basis of the user's explicit consent given in the cookie banner. Data may be collected via cookies and similar technologies, in accordance with the Cookie Policy.
- Sending newsletter.
- Moderation of the Website’s content.
- Saving data in cookies in accordance with the Cookie Policy.
- Publishing reviews for products and services.
- Participating in webinars or online training.
- Contacts by distance communication means, including in particular by phone, email or applications.
- Participating in competitions and loyalty schemes.
- Inviting participation in surveys and market research.
- Personalisation of the Website’s content.
- Pursuant to Article 6(1) letter b) of the GDPR Regulation (performance of a contract) personal data may be processed for the following purposes:
- Performance of a contract of sale or a contract for the provision of a service or undertaking actions at the request of the data subject before or after the conclusion of the contract, including in particular: right to a warranty, consideration of claims.
- Filing complaints or terminating distance contracts.
- Pursuant to Article 6(1) letter c) of the GDPR Regulation (legal obligation to which the Controller is subject), personal data may be processed for the following purposes:
- Issuing and storing invoices and bills, performing other tax and accounting duties (archiving accounting records).
- Cooperating with law enforcement agencies and public institutions.
- Maintaining registers and other records required pursuant to the GDPR.
- Pursuant to Article 6(1) letter f) of the GDPR Regulation (legitimate interest pursued by the Controller), personal data may be processed for the following purposes:
- Proper performance of a contract – the data will be processed throughout the term of the contract and the duration of the rights resulting therefrom, such as the right to lodge a complaint. The provision of data is voluntary but necessary.
- Ensuring the security of the Website, Website management and its proper operation.
- Keeping track of the Website statistics and monitoring Website traffic.
- Direct marketing.
- Determination of claims pursued by or against the Controller.
- Contact with the user.
- Operating the toma.com.pl website.
- Using cookies to save data indispensable for the proper functioning of the Website in accordance with the Cookie Policy.
- Operating a Facebook, Instagram or YouTube account and interacting with users of these portals.
- Personal data may be transferred to the following recipients or categories of recipients: courier companies, postal operators, law firms, accounting firms, IT service providers and IT technicians.
- Personal data may also be processed for other purposes to the extent that there exist relevant legal grounds to do so, in particular arising from Article 6 of the GDPR, provided that the respective purpose does not infringe the rights and freedoms of the user. In such case, the user shall be informed of the new purpose of the processing before such processing is commenced.
§5 Profiling
- The Controller uses profiling in order to carry out marketing activities. They involve analysing user behaviour on the Website with the help of cookies and similar technologies.
- Profiling may include:
- customised advertising based on user’s browsing history,
- analysis of user’s interaction with the Website’s content,
- customising advertising content displayed on other websites (Google Ads, Facebook).
- Profiling is allowed subject to the user’s consent.
- Any user may withdraw consent to profiling at any time by changing the settings or by notifying the Controller at: info@toma.com.pl.
§6 Processing period for personal data
- The period of data processing by the Controller depends on the type of service rendered and the purpose of processing. As a rule, data is processed for the duration of the service provision, until the consent is withdrawn or an effective objection is raised against data processing in instances where the Controller’s legitimate interest is the lawful basis for data processing.
- The period of data processing may be extended if processing is necessary to determine and pursue claims or defend against claims, and thereafter only if and to the extent required by law. After the processing period expires, the data shall be irretrievably deleted or anonymized.
- Retention periods differ depending on the purpose of data processing, for example:
- Contract performance related data – retained throughout the term of the contract, and thereafter until the end of the prescriptive period for claims (3 or 6 years).
- Accounting and tax data – stored for a period required pursuant to tax regulations (currently 5 years).
- Marketing data (newsletter, behavioural advertising) – retained until consent is withdrawn.
- User enquiries data – retained for up to 12 months after the correspondence ended.
§7 User’s rights
- The user has the following rights regarding their personal data:
- right to access their personal data,
- right of personal data rectification at any time,
- right to personal data erasure at any time,
- right to receive a copy of their personal data,
- right to restriction of personal data processing,
- right to object to personal data processing,
- right to personal data portability,
- right to withdraw consent; withdrawal of consent shall not affect the lawfulness of processing carried out before its withdrawal,
- right to object to personal data processing on the basis of the Controller’s legitimate interest for marketing, direct marketing and non-marketing purposes,
- right to lodge a complaint with a supervisory authority.
- In order to exercise the above rights, the user may contact the Controller by email at info@toma.com.pl or by sending a letter to the Controller’s registered office address. The Controller shall consider the request within 30 days of its receipt.
- In some instances, the Controller may refuse to comply with the user's request, if it is legally obliged to further process the data.
§8 Recipients of personal data
- In order to properly operate the Website, the Controller may transfer user’s personal data to third party entities, including in particular the hosting company.
- The Controller reserves the right to disclose personal data where this is required by applicable law, including where information must be provided to competent administrative or law enforcement authorities.
§9 Transfers of personal data outside the EEA
- The level of personal data protection outside the European Economic Area (EEA) may differ from that provided by European law. For this reason, the Controller transfers personal data outside the EEA in the following instances:
- The transfer is necessary for the performance of a contract.
- Where the Controller uses technology and infrastructure providers from outside the EEA, including but not limited to providers of marketing, analytics, and advertising services.
- The Controller ensures an adequate level of protection, particularly through:
- cooperation with personal data processors in countries for which the European Commission has confirmed a suitable level of personal data protection on the basis of an adequacy decision;
- adherence to binding corporate rules approved by international certification standards and the competent supervisory authority;
- use of standard contractual clauses issued by the European Commission in accordance with Article 46 of the GDPR.
- Personal data may also be transferred outside the EEA based on the user's consent. The user shall be informed in advance.
§10 Personal data security
- The Controller shall conduct a risk analysis on an ongoing basis to ensure that personal data is processed thereby in a secure manner. In its actions, it shall ensure in particular that only authorised persons have access to the data to the extent necessary for the performance of their tasks.
- The Controller is obliged to take all measures permitted by law to ensure that all operations involving personal data are recorded and performed exclusively by an authorised entity.
- The Controller is also obliged to ensure that any other entities cooperating with the Controller should guarantee the application of appropriate security measures whenever they process personal data on behalf of the Controller.
- The Controller applies technical safeguards such as encryption of data transmission (SSL/TLS), restriction of access to systems and procedures preventing unauthorised access to data.
§11 Changes to the Privacy Policy
- The Policy is reviewed and updated on an ongoing basis.
- The current version of the Policy has been adopted and is effective as of 2025-02-24.