PRIVACY POLICY

I. Personal data controller

1. The data controller within the meaning of art. 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (GDPR) is:
   
   

   Karts Design Limited, 590 Kingston Road, SW208DN, London, United Kingdom, Company Number: 12240619  

2.  The data controller contact details:
   a) e-mail: contact@kartsdesign.com
3. The data controller is in accordance with art. 32 section 1 GDPR observes the principle of personal data protection and applies appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure, or unauthorized access to personal data processed in connection with the business.
4. Providing personal data is voluntary, but necessary to establish cooperation and / or conclude an agreement with the data controller.
5. The data controller processes personal data to the extent necessary to perform the contract for the data subject or to the extent necessary to respond to actions taken by that person.

II. Purpose and basics of personal data processing

The data controller processes personal data for the following purposes:
a) preparation of a commercial offer in response to customer interest, which is the legitimate interest of the data controller (Article 6 (1) (f) of the GDPR);
b) providing services electronically via the Internet Portal, based on the concluded contract (art.6 par.1 lit.b RODO);
c) handling the complaint process, based on the obligation incumbent on the data controller in connection with applicable law (Article 6 (1) (c) of the GDPR);
d) accounting related to the issue and receipt of settlement documents, pursuant to the provisions of tax law (Article 6 (1) (c) of the GDPR);
e) archiving data for possible determination, investigation, or defense against claims or the need to prove facts, which is the legitimate interest of the data controller (Article 6 paragraph 1 point f of the GDPR);
f) contact by phone or via e-mail, in particular in response to inquiries addressed to the data controller, which is the legitimate interest of the data controller (Article 6 (1) (f) of the GDPR);
g) sending technical information regarding the functioning of the Internet Portal and services used by the customer, which is the legitimate interest of the data controller (Article 6 paragraph 1 letter f of the GDPR);
h) marketing of the data controller’s own products, which is his legitimate interest (art.6 par.1 lit.f RODO) or takes place on the basis of previously granted consent (art.6 par.1 lit.a RODO).

III. Data recipients. Transfer of data to third countries

1. The recipients of personal data processed by the data controller may be entities cooperating with the data controller when it is necessary to perform the contract concluded with the data subject.

1. The recipients of personal data processed by the data controller may also be subcontractors – entities whose services are used by the data controller when processing data, e.g. accounting offices, law firms, and entities providing IT services (including hosting services).

1. The data controller may be required to provide personal data on the basis of applicable law, in particular, to provide personal data to authorized state institutions.

1. Personal data may be transferred to an entity located outside the European Economic Area, i.e. to Google LLC as a provider of the Google Analytics and Google AdWords services and to Facebook Inc. as a Facebook Pixel service provider, based on appropriate legal safeguards, which are standard contractual clauses for the protection of personal data approved by the European Commission.

IV. Period of storage of personal data

1. The data controller stores personal data for the duration of the contract concluded with the data subject and after its termination for the purposes of pursuing claims related to the contract, and performance of obligations under applicable law, but for no longer than the limitation period for a given type of claims.

1. The data administrator stores personal data processed for marketing purposes for a period of 10 years, but no later than until the consent to data processing is withdrawn or an objection to data processing is raised.

V. Rights of the data subject

1. Any data subject has the right to:
   a) access – obtaining confirmation from the data administrator whether her personal data is being processed. If data about a person are processed, he is entitled to access them and obtain the following information: about the purposes of processing, categories of personal data, information about recipients or categories of recipients to whom the data have been or will be disclosed, about the period of data storage or about the criteria for their determining the right to request rectification, deletion or limitation of the processing of personal data of the data subject and to object to such processing (Article 15 of the GDPR);
   b) to receive a copy of the data – to obtain a copy of the data subject to processing, the first copy is free, and for subsequent copies the data controller may impose a fee in a reasonable amount resulting from administrative costs (Article 15 (3) of the GDPR);
   c) to rectify – request rectification of personal data that is incorrect or supplementation of incomplete data (Article 16 GDPR);
   d) to delete data – requests to delete personal data if the data controller no longer has a legal basis for their processing or the data is no longer necessary for the purposes of processing (Article 17 of the GDPR);
   e) to limit processing – requests to limit the processing of personal data (Article 18 GDPR) when:

• the data subject questions the correctness of personal data – for a period allowing the data controller to check the correctness of such data,

• the processing is unlawful and the data subject opposes their removal, demanding that their use be restricted,

• the data controller no longer needs this data, but it is needed by the data subject to establish, assert or defend claims,

• the data subject has objected to the processing – until it is determined whether the legitimate grounds on the part of the administrator prevail over the grounds of objection of the data subject;
  f) for transferring data – receiving in a structured, commonly used format machine-readable personal data concerning him which he has provided to the data controller, and requests to send this data to another data controller if the data is processed based on the consent of the data subject or contracts with contained therein and if the data is processed in an automated manner (Article 20 of the GDPR);
  g) to object – to object to the processing of her personal data for legitimate purposes of the data controller, for reasons related to her special situation, including profiling. Then the data controller assesses the existence of valid legitimate grounds for processing, overriding the interests, rights and freedoms of data subjects, or grounds for establishing, pursuing or defending claims. If, according to the assessment, the interests of the data subject are more important than the interests of the data controller, the data controller will be obliged to stop processing data for these purposes (Article 21 GDPR)

2. To use the abovementioned rights, the data subject should contact, using the contact details provided, the data controller and inform him which rights and to what extent he wants to use it.

3. The data subject has the right to lodge a complaint to the competent supervision authority according to the headquarters of the data controller or according to the habitual residence of the complainant.

VI. Profiling

1. Personal data obtained by the data controller may be processed automatically – including in the form of profiling. Personal data profiling by the data controller consists of assessing selected information about the data subject to analyze and forecast personal preferences and interests, in particular for the possibility of providing the data subject with a personalized offer.
2. Automatic data processing carried out by the data controller does not give rise to any legal consequences for the data subject. The data subject may object to the automated processing of his data at any time.

VIII. Google Analytics

1. The data controller uses Google Analytics, a mechanism for analyzing internet services, offered by Google LLC. Google Analytics also uses so-called “Cookies”, text files that are saved on the User’s computer and allow an analysis of the User’s use of the website. The information obtained by the cookie about how the User uses the Portal is usually transmitted to a Google server in the USA and saved there.
2. The data administrator uses Google Analytics to analyze the use of the Website and its regular improvement. By obtaining statistics it can improve the offer and make it more interesting for the User. In relation to exceptional cases where personal data is transferred to the USA, Google complies with the EU-USA Privacy Shield agreement. The legal basis for the use of Google Analytics by the Administrator is Art. 6 clause 1 lit. f GDPR.

COOKIES POLICY

1. The website does not automatically collect any information, except for the information contained in cookies.
2. Cookie files (so-called “cookies”) are IT data, particularly text files, which are stored on the User’s end device and are intended for using the Portal’s websites. Cookies usually contain the name of the website from which they originate, their storage time on the end device, and a unique number.
3. The entity placing cookies on the User’s end device and accessing them is the Portal Administrator.
4. Cookies are used to:
   a) adjusting the content of the Portal’s websites to the User’s preferences and optimizing the use of websites; in particular, these files allow to recognize the User’s device and properly display the website, tailored to his individual needs;
   b) creating statistics that help to understand how Users use websites, which allows for improving their structure and content;
   c) maintaining the user’s session.
5. The following types of cookies are used on the Portal:
   a) “session” and “persistent” cookies. Session cookies are temporary files that are stored on the User’s end device until logging out, leaving the website, or turning off the software (web browser). Persistent cookies are stored on the User’s end device for the time specified in the cookie parameters or until the User deletes them;
   b) “necessary” cookies, enabling the use of services available on the Portal, e.g. authentication cookies used for services that require authentication on the Portal;
   c) cookies used to ensure security, e.g. used to detect fraud in the field of authentication on the Portal;
   d) “performance” cookies, enabling the collection of information on how to use the Portal’s websites;
   e) “functional” cookies, enabling “remembering” the settings selected by the User and personalizing the User’s interface, e.g. in terms of the language or region of the User’s origin, font size, appearance of the website, etc .;
   f) “advertising” cookies, enabling users to provide advertising content more tailored to their interests.
6. In many cases, the software used for browsing websites (web browser) by default allows the storage of cookies on the User’s end device. Users can change their cookie settings at any time. These settings can be changed in particular in such a way as to block the automatic handling of cookies in the web browser settings or to inform about them every time they are placed on the User’s device. Detailed information about the possibilities and ways of handling cookies is available in the software (web browser) settings.
7. The administrator informs those restrictions on the use of cookies may affect some of the functionalities available on the Portal.