§ 1. General Information

1. This Privacy Policy defines the rules for processing and protecting personal data of users of the Tarotelly.pl service.
2. The data controller is Tarotelly (hereinafter: “Controller”).
3. The Controller takes special care to protect the interests of data subjects, and in particular ensures that the data collected is processed in accordance with the law.
4. Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

§ 2. Types of Data Processed

The Controller may process the following personal data of Users:

1. Data provided during registration:
   • First and last name
   • Email address
   • Password (in encrypted form)
2. Data collected automatically:
   • IP address
   • Browser type
   • Operating system
   • Date and time of Service use
   • Cookie files
3. Payment-related data:
   • Transaction history
   • Selected service packages

§ 3. Purposes of Data Processing

Users' personal data is processed for the following purposes:

1. Providing electronic services
2. Creating and managing User Accounts
3. Performing service agreements
4. Processing payments
5. Communication with Users
6. Marketing of own products and services (with User consent)
7. Conducting statistics and analyses
8. Ensuring Service security
9. Pursuing claims and defending against claims

§ 4. Legal Basis for Processing

Personal data is processed based on:

1. Art. 6(1)(a) GDPR – consent of the data subject
2. Art. 6(1)(b) GDPR – performance of a contract
3. Art. 6(1)(c) GDPR – compliance with a legal obligation
4. Art. 6(1)(f) GDPR – legitimate interests of the Controller

§ 5. Data Retention Period

1. Personal data is stored for the period necessary to achieve the purposes for which it was collected.
2. Data processed based on consent – until withdrawal of consent.
3. Data processed for contract performance – for the duration of the contract and after its termination for tax and accounting purposes.
4. Data processed based on legitimate interest – until an effective objection is raised.

§ 6. Data Recipients

Personal data may be shared with:

1. Entities processing data on behalf of the Controller:
   • Hosting service providers
   • Payment system providers (Stripe)
   • Email service providers
   • Analytics tool providers
2. Government authorities authorized by law.

§ 7. User Rights

Users have the following rights:

1. Right to access personal data
2. Right to rectify data
3. Right to erasure (“right to be forgotten”)
4. Right to restrict processing
5. Right to data portability
6. Right to object to processing
7. Right to withdraw consent at any time
8. Right to lodge a complaint with a supervisory authority

§ 8. Cookies

1. The Service uses cookies for proper functioning, adapting content to User preferences, and for statistical purposes.
2. Types of cookies used:
   • Session cookies – deleted after the session ends
   • Persistent cookies – stored for a specified time
   • Analytics cookies – used to analyze how the Service is used
   • Functional cookies – remembering User preferences
3. Users can change cookie settings in their browser at any time or disable them completely.

§ 9. Data Security

1. The Controller implements appropriate technical and organizational measures to ensure the security of processed personal data.
2. Only authorized persons who are obligated to maintain confidentiality have access to personal data.
3. User passwords are stored in encrypted form.
4. Data transmission occurs through encrypted SSL connection.

§ 10. Transfer of Data to Third Countries

1. Personal data may be transferred to third countries only when an adequate level of data protection is ensured.
2. When using services from providers based outside the EEA, the Controller ensures the use of appropriate safeguards, such as standard contractual clauses.

§ 11. Children's Data

1. The Service is not intended for persons under 18 years of age.
2. The Controller does not knowingly collect personal data from minors.
3. If information about processing a minor's data is obtained, the Controller will immediately delete such data.

§ 12. Privacy Policy Changes

1. The Controller reserves the right to make changes to the Privacy Policy.
2. Users will be informed about changes through an announcement in the Service.
3. Changes take effect on the date of publication.

§ 13. Contact

1. For matters related to personal data protection, you can contact the Controller through the contact form available in the Service.
2. The Controller responds to inquiries regarding personal data processing without undue delay, no later than within one month of receiving the inquiry.