Privacy

PRIVACY POLICY www.archemielno.pl
Table of Contents
PREAMBLE............................................................................................................................................1 §1 Definitions..........................................................................................................................................2
§2 Data Controller and Data Protection Officer..............................................................................2
§3 Data Protection Officer................................................................................................................2
§4 Objectives of processing your personal data...............................................................................3
§4A Processing of personal data for the purpose of responding to your requests/inquiries that you direct us through contact sources available on the website, including through our fanpages on social platforms and through the contactform................................................................................3
§4B Processing of personal data for the conclusion and proper performance of the contract for
the provision of services or taking action at your request before its conclusion..............................4
§5 Co-administration of personal data within the framework of sending commercial information
about promotions, offers and events organized by Joint Controllers, including sending a
newsletter (direct marketing)............................................................................................................5
§6 Your rights..................................................................................................................................6
§7 Automated decision making.........................................................................................................7
§8 Personal data security..................................................................................................................8
§9 Cookies................................................................................................................................................8 PREAMBLE
The privacy policy defines the principles on which your data will be processed and the entity that
will be responsible for their processing - in accordance with generally applicable laws. The privacy
policy also defines the purposes for which your personal data will be processed, the scope of their
processing and the rights you are entitled to in connection with the processing of your personal
data by us. §1 Definitions The terms used in this document mean:

1. Policy - Privacy policy of the website www.archemielno.pl
2. Website - www.archemielno.pl
3. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (OJ. EU. L. from 2016, No. 119, item 1, as amended).
4. Personal data - all information on an identified or identifiable natural person (to whom the data relates); an identifiable natural person is a person who can be identified, directly or indirectly,in particular by an identifier such as a name and surname, identification number, location data, an online identifier or one or more specific factors determining the physical, physiological,genetic, mental, economic, cultural or social identity of the natural person;
5. Processing - an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organising,ordering, storing, adapting or modifying, downloading, viewing, using, exposing through transmission, spreading or any other form of making available, matching or combining,restricting, deleting or destroying;
6. Data Controller - a natural or legal person, public authority, unit or any other entity which alone or jointly with others determines the purposes and ways of processing personal data;
7. Joint controller - at least two controllers jointly determining the purposes and ways of

processing your personal data;

8. Processor - a natural or legal person, public authority, unit or any other entity that processes personal data on behalf of the controller;
9. Recipient - a natural or legal person, public authority, unit or any other entity to which personal data is disclosed, whether it is a third party or not. However, public authorities that may receive personal data in a specific proceeding under Union law or the law of a Member State are not considered recipients.

§2 Data Controller and Data Protection Officer

1. The Data Controller of your personal data is Arche S.A. with its registered office in Warsaw (postal code: 02-801) at ul. Puławska 361, entered into the register of entrepreneurs of the National Court Register by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of the National Court Register under the number: 0000831001, NIP: 8211639335, REGON: 71002127700000, having a share capital of 2,982,300.00 PLN - paid in full.
2. You can contact the Data Controller via traditional mail at the address of the Data Conroller's headquarters indicated above or via e-mail at: rodo@arche.pl.

§3 Data Protection Officer

1. The Data Controller has appointed a Data Protection Officer with whom you can contact in all matters related to the processing of your personal data by us via:

1. traditional mail at the address of the Data Controller’s headquarters indicated in §2 clause 1 of this policy with a note - Data Protection Officer.
2. via e-mail address: rodo@arche.pl.

§4 Purpose of processing your personal data

1. Your personal data will be processed by us for the following purposes:

1. Responding to your requests/inquiries, which you direct to us through the contact sources available on the Website, including through our fan pages on social media platforms Facebook and YouTube as well as through contact form.
2. Conclusion and correct execution of the service contract or undertaking steps at your request before it is concluded.
3. You are sending commercial information about promotions, offers, and events organized by the joint controllers, including sending newsletters to your e-mail address (direct marketing) - if you consent to such action. This action will be carried out during the co-administration of personal data - as stated in §5 of the Policy.

§4A Processing of personal data in order to respond to your requests/inquiries, which you direct to us through the contact sources available on the Website, including through our fan pages on social media platforms as well as contact forms

1. Your personal data will be processed by us in order to respond to your message/request if you decide to contact us through our communication channels available on the Website (including, among others, through the contact form, by e-mail, or through our fan pages on social platforms such as: Facebook and Instagram).
2. The legal basis for processing your personal data will be Art. 6 para. 1 lit. f) GDPR i.e. the legitimate interest of the Data consisting in serving your requests or inquiries directed to us and providing answers to them.
3. If you direct a query or request to us via our profile on a social media platform:

1. Facebook and Instagram - the recipient of your personal data will be Meta Platforms Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter: Meta Facebook Platforms).

More information about the processing of your personal data by Facebook and Instagram can be found at the following link:

• https://www.facebook.com/privacy/center/.
• https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect

4. If your data is transferred within fan pages on the aforementioned social platforms to a location in a third country (outside the European Economic Area), this will only occur with adequate data protection measures (standard contractual clauses).
5. Additionally, recipients of your personal data may be entities providing IT and legal services on behalf of the Data Controller.
6. We will store your personal data for the period necessary to conduct correspondence with you, in particular for the period necessary to respond to your messages/inquiries.
7. Providing your personal data is mandatory if you want to contact us and receive a response to your inquiry or request.

§4B Processing of personal data in order to conclude and properly implement the service contract or to undertake actions at your request before it is concluded

1. Your personal data will be processed for the following purposes:

1. the conclusion and proper implementation of the service contract (hereinafter: Agreement) or
2. fulfilling legal obligations imposed on the Data Controller by universally applicable legal regulations.
3. pursuit or defense against potential claims that may arise in the course of the Agreement's implementation or after its termination.
4. ensure the safety of hotel guests and other persons staying on the premises of the Arche Fabryka Samolotów Mielno by means of video surveillance.

2. The legal basis for processing your personal data by us will be:

1. for the purpose of concluding and properly implementing the Agreement or taking action upon your request before its conclusion - art. 6 par. 1 letter b) GDPR.
2. to fulfill legal obligations imposed on the Data Controller by universally applicable legal regulations – art. 6 par. 1 letter c) GDPR in connection with art. 70 of the Act of 29 August 1997 - Tax Ordinance and art. 74 of the Act of 29 September 1994 - Accounting Act.
3. for the purpose of asserting or defending against possible claims that arise in the course of the performance of the Agreement or after its termination as well as ensuring the safety of hotel guests and other persons staying on the premises of Arche Fabryka Samolotów Mielno by means of video surveillance - our legitimate interest consisting in the realization of the aforementioned purposes (i.e. Article 6(1)(f) GDPR).

3. Recipients of your personal data will be entities providing legal, financial, and IT services on behalf of the Data Controller.
4. Your personal data will be stored:

1. for the purpose of concluding and proper implementation of the Agreement or taking action upon your request before its conclusion - for the duration necessary for its conclusion or proper implementation.
2. in order to fulfill legal obligations imposed on the Data Controller by universally applicable legal regulations - no longer than 5 years, counted from the end of the calendar year in which the basis for imposing a public law liability occurred.
3. for the purpose of pursuing or defending against potential claims, which may arise in the course of implementing the Agreement or after its termination - for the period prescribed in universally applicable legal regulations, depending on the legal relationship from which the claim will be derived.
4. to ensure the safety of hotel guests and other persons staying on the premises of the Arche Fabryka Samolotów Mielno by means of video surveillance - for a period not exceeding 90 days. However, if the video surveillance footage will be used as evidence in proceedings: civil, criminal or misdemeanor, the video surveillance footage will be stored until the legal conclusion of the proceedings in question.

5. The provision of your personal data (referred to in Section 4B, Subsection 1, Point a of the Policy) is a prerequisite for concluding the contract; without their provision, we will not be able to conclude it with you. Providing the remaining personal data by you is obligatory, without their provision it will not be possible for us to fulfill legal obligations imposed on us nor will we be able to pursue our legitimate interests.

§5 Co-administration of personal data in the context of directing commercial information about promotions, offers, and events organized by joint controllers, including also sending newsletters (direct marketing).

1. The joint controllers of your personal data will be the following entities, which will process your personal data on the basis of the agreement on joint controller (hereinafter: Joint controllers):
   a) "ARCHE" S.A. with its registered office in Warsaw (postal code: 02 - 801) at Puławska 361.
   b) Lena Grochowska Foundation with its registered office in Siedlce (postal code: 08 - 110) at Brzeska 134.
   We note that the current list of Joint controllers may change in the future - an up-to-date list of Joint controllers can always be found at www.arche.pl.
2. Joint controllers are jointly responsible for the protection of your personal data.
3. The point of contact for you in matters regarding the protection of your personal data is Auraco Sp. z o.o. with its registered office in Warsaw (postal code: 00 - 382) at Solec 81B/73A, which you can contact at the office address indicated above or via the e-mail address: arche.marketing@auraco.pl.
4. Joint controllers will process your personal data for the purpose of carrying out marketing activities towards you by sending personalized commercial information about promotions and current offers of products and services of jointcontroller and about events concerning joint controllers and actions taken by them to your e-mail address and/or phone number.
5. The legal basis for processing your personal data will be your consent to their processing for the aforementioned purposes (i.e., Article 6 par. 1)1 lit. a) GDPR), which you can withdraw at any time - however, its withdrawal will not affect the legality of the processing that was carried out on the basis of consent before its withdrawal.
6. The recipients of your personal data may be intermediaries offering our services or products or supporting our initiatives, as well as entities assisting our marketing activities, i.e. suppliers of systems used to manage marketing databases and entities providing IT and telecommunications services on our behalf. Under no circumstances will your personal data be transferred by Joint controllers s outside the European EconomicArea.
7. We will store your personal data until you withdraw your consent to their processing or until the Joint controllers purposes for which they were collected are no longer applicable (e.g., in case of discontinuation of marketing campaigns).
8. Providing your personal data is entirely voluntary, and without providing them, the Joint controllers will not be able to send commercial information about promotions and current offers of their products and services to your email address and/or phone number.
9. We will analyze your relationship history with us (e.g., services you have used) and information obtained through analysis of interactions with our websites in order to determine your preferences and interests, which will allow us to send personalized commercial information about products, offers and events organized by Joint controllers.
10. We will not process your personal data for automated decision making.
    

§6 Your rights

1. In relation to our processing of your personal data, you have the right to:

1. Withdraw consent to the processing of your personal data at any time (in the case where we process your personal data based on your consent).
2. Object to the processing of personal data (in cases specified in art. 21 and 22 GDPR).
3. Transfer of your personal data - when the legal basis for processing your personal data is your consent to their processing as well as the conclusion and proper performance of the Agreement.
4. Access your personal data and receive copies of it (art. 15 GDPR).
5. Correct incorrect personal data and complete incomplete data (art. 16 GDPR).
6. Delete your personal data (the so-called right to be forgotten, in cases specified in art. 17 GDPR).
7. Restrictions on the processing of your personal data (in cases specified in art. 18 GDPR).

2. If you find that we are processing your personal data in a way that is inconsistent with applicable law, you have the right to lodge a complaint with the supervisory authority, which in Poland is the President of the Office for Personal Data Protection, Stawki 2, 00-193 Warsaw.

§7 Automated decision making

We will not process your personal data for automated decision making.

§8 Personal data security

1. The website has a correct certificate issued by a trusted certification authority. This means that information such as passwords or credit card data is securely sent to this site and cannot be intercepted.
2. The IT staff grants users of IT systems rights to process personal data in the Data Controller's IT systems immediately after receiving from the user a declaration of maintaining personal data confidentiality and ways of securing them.
3. Access to the Data Controller's IT systems, used for processing personal data, is only possible after providing a unique identifier and password.
4. Data encryption is used, especially data transmitted over a public network.
5. Each person employed/cooperating in the processing of personal data has been authorized to process data.
6. Contracts for entrustment have been concluded with third parties processing data on behalf of the Data Controller, as per art. 28 GDPR.
7. The authorized persons have been trained in the principles of safe data processing.
8. Liability for actions related to personal data security has been determined.
9. A statement has been obtained from persons processing personal data about maintaining the confidentiality of personal data and ways of securing personal data.
10. The periodic integrity verification of databases is carried out through the restoration of data contained in backup copies.
11. Emergency power support for servers and workstations has been introduced using UPS or a dedicated power network.

§9 Cookie files

1. A cookie is a small text file that a website uses to record information on a user's computer or portable device when they use it.
2. Cookies can be installed by the website and can only be read by it (Data Controller files). The site may also use files from external services. In that case, the data can be read by the owner of the cookie (e.g., Google).
3. Cookies can be divided into permanent (which are stored on a user's computer and are not automatically deleted when the browser is closed, they are stored for a specified period) and session (they are deleted when the browser is closed).
4. Cookies store individual device configuration information, user preferences (e.g., username, language, etc.). Cookies can also be used to compile anonymous statistics on website usage. This means that you do not have to re-enter the same data every time you visit the site or read the cookie message every time.
5. The website uses both Data Controllers cookies and files from external services. The amount, type and function of cookies used by external services may differ between individual users due to their individual characteristics e.g. whether they have an account on a social network etc.
6. The website uses two types of cookies:
   a) necessary;
   b) statistical/analytical;
   c) marketing;

d) other (Unclassified cookies are cookies that we are in the process of classifying with the providers of each service are, for example, ubtru, ubtrs and ProfitroomToken-www.archemielno.pl).

7. The website uses the following necessary cookies:
   a) PHPSESSID - this is a cookie that is used to maintain the user's session state. It is a session file.

b) test_cookie - It is used to check whether the user's browser supports cookies. It is stored for a period of one day. 8. The website uses the following analitic cookies: a) _ga – Registers a unique identifier used to generate statistical data about the visitor's use of the site. It is stored for a period of two years. b) _ga_# - Used by Google Analytics to collect data on how many times a user has visited the website, as well as the dates of the first and last visit. It is stored for a period of two years. c) _gat - Used by Google Analytics to limit request rates. It is stored for a period of one day. d) _gid - Registers a unique identifier used to generate statistical data about how the visitor uses the website. It is stored for a period of one day. 9. The website uses the following marketing cookies:
a) _gcl_au - Used by Google AdSense to test the effectiveness of ads on sites using their services. It is stored for a period of three months. b) ads/ga-audiences - Used to detect if a user tends to leave the site through cursor movements. The file is kept for the duration of a session on the site. 10. You can freely manage and delete cookies. More information can be found in the browser usage instructions (links displayed below):
a) Google Chrome;
b) Mozilla Firefox;
c) Microsoft Edge;
d) Opera;
e) Safari.

9. All cookies on the device can be deleted entirely or selectively by selecting a specific file. However, be aware that this can result in the loss of saved information (e.g., saved login data, site preferences).
10. Browser settings can be used to block cookies entirely or selectively from a specific site.More information about managing cookies from specific sites can be found in the privacy and cookie settings of your chosen browser.
11. Most modern browsers can be used to prevent the placement of cookies on the device, but then it may be necessary to set preferences anew with each visit to the site. Some services and features may not function properly (e.g. logging into a profile).
12. The processing of data through functional/necessary files (essential for the proper functioning of the site) is carried out in order to achieve the legally justified purpose of the Data Controller, which is to provide the highest quality content on the website.
13. The processing of data by the other files is carried out on the consent of the website user.
14. The Data Controller will transfer personal data to other recipients who have been entrusted with the processing of personal data on behalf of and for the Data Controller, e.g. to entities responsible for the technical aspect of the site's operation. In addition, the Data Controller will make personal data available to other recipients, if such an obligation arises from legal provisions.
15. The data within individual cookie files will be stored for a period corresponding to its validity cycle, which has been recorded on the user's device. Cookies on the device can be deleted in full or selectively by selecting a specific file.