§1 Personal Data Administration
The controller of personal data is KONDOR HOME SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Warsaw, ul. Solec 18 / B21, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw, 12th Commercial Division of the National Court Register, under KRS number 0001077142, NIP: 7011180831, REGON: 527258710, with a share capital of PLN 5,000.00.
Contact with the person supervising the processing of personal data is possible via email at info@itodi.pl, in writing to the Controller’s address, or by phone at +48 728 408 023.
This Privacy Policy sets out the rules for the processing of personal data by the Controller on the Website, including the legal grounds, purposes and scope of data processing, as well as the rights of data subjects.
Personal data is processed by the Controller in accordance with applicable laws, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR). Official GDPR text: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
User rights are not absolute and do not apply to all personal data processing activities.
§2 Definitions
Controller – KONDOR HOME SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Warsaw, ul. Solec 18 / B21, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw, 12th Commercial Division of the National Court Register, under KRS number 0001077142, NIP: 7011180831, REGON: 527258710, share capital PLN 5,000.00.
Personal Data – information about an identified or identifiable natural person through one or several specific factors determining physical, physiological, genetic, psychological, economic, cultural, or social identity, including device IP address, online identifiers, and information collected via cookies or similar technologies.
Policy – this Privacy Policy.
Cookies Policy – the document specifying the rules on the use of cookies on the Website, available at: https://itodi.pl/pl/info/9-cookies.
Profiling – automated processing of personal data involving analysis and prediction of user behaviour.
GDPR / Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
Website – the website operated by the Controller at www.itodi.pl.
User – any natural person visiting the Website or using one or more services or functionalities described in this Policy.
§3 Security
The Controller has implemented appropriate technical and organisational measures ensuring the security of personal data processing and is responsible for ensuring that the data collected:
• is processed lawfully;
• is collected for specified, lawful purposes and not further processed in a way incompatible with those purposes;
• is accurate and adequate in relation to the purposes for which it is processed;
• is stored in a form that permits identification of the data subjects for no longer than is necessary for the purposes of the processing;
• is processed using measures ensuring appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage, by means of suitable technical and organisational measures.
§4 Purposes and Legal Bases for Processing
Based on Article 6(1)(a) GDPR (consent) – personal data may be processed for:
• retargeting and behavioural advertising, including personalised ads based on the User’s activity on the Website and other websites; processing takes place only with cookie consent;
• sending newsletters;
• storing data in cookies in accordance with the Cookies Policy;
• contacting Users via remote communication tools, such as phone, email, or applications;
• marketing products and services of the Controller and its partners.
Based on Article 6(1)(b) GDPR (contract performance) – personal data may be processed for:
• performing a sales agreement or service contract, or taking steps at the User’s request before or after its conclusion, including warranty rights and complaint handling;
• handling complaints or withdrawals from a distance contract.
Based on Article 6(1)(c) GDPR (legal obligation) – personal data may be processed for:
• issuing and storing invoices, bills, or fulfilling other accounting/tax obligations;
• cooperation with law enforcement and public authorities;
• creating registers and documentation required by GDPR.
Based on Article 6(1)(f) GDPR (legitimate interest) – personal data may be processed for:
• operating the website www.itodi.pl;
• storing data necessary for proper operation of the Website in cookies;
• managing social media accounts and interacting with users;
• ensuring the security and proper functioning of the Website;
• website traffic analytics and statistics;
• direct marketing;
• establishing or defending legal claims;
• contacting the User.
Personal data may also be processed for other purposes if the Controller has an appropriate legal basis and the purpose does not violate the rights and freedoms of the User. Users will be informed in advance of any new processing purpose.
§5 Profiling
The Controller uses profiling for marketing purposes, consisting of analysing User activity on the Website using cookies and similar technologies.
Profiling may include:
• personalising ads based on browsing history;
• analysing interactions with Website content;
• adjusting advertising content on external sites (e.g., Google Ads, Facebook).
Profiling is carried out only on the basis of User consent.
Users may withdraw their consent at any time by changing their settings or contacting the Controller at info@itodi.pl.
§6 Data Retention Period
The data retention period depends on the service and processing purpose. As a rule, data is processed for the duration of the service, until consent is withdrawn, or until an effective objection is raised (for processing based on legitimate interest).
The retention period may be extended where processing is necessary to establish, exercise, or defend legal claims, and thereafter only if required by law. After the retention period, data is permanently deleted or anonymised.
Examples:
• Contract-related data – stored during the contract term and until limitation periods expire (3 or 6 years).
• Accounting/tax data – stored for the period required by tax law (currently 5 years).
• Data processed based on consent – stored until consent is withdrawn.
• User inquiry data – stored up to 12 months after correspondence ends.
§7 User Rights
Users have the right to:
• access their personal data;
• correct their data at any time;
• delete their data;
• receive a copy of their data;
• restrict processing;
• object to processing;
• transfer their data;
• withdraw consent (without affecting prior lawful processing);
• object to processing based on legitimate interest, including direct marketing;
• lodge a complaint with a supervisory authority.
To exercise these rights, Users may contact the Controller by email at info@itodi.pl or by mail. Requests will be processed within 30 days.
In certain cases, the Controller may refuse the request if the law requires further processing.
§8 Data Recipients
To properly operate the Website, the Controller may share personal data with third parties, including: hosting providers, courier companies, payment operators, postal operators, legal and debt-collection firms, accounting offices, e-commerce platform providers, insurers, banks, marketing companies, business partners and suppliers, mailing systems, cloud service providers, and the furniture configurator system.
The Controller may disclose data if required by law, including to administrative or law enforcement authorities.
§9 Data Security
The Controller continuously analyses risks to ensure that personal data is processed securely. Access to data is granted only to authorised persons and only to the extent necessary for their duties.
The Controller ensures that all operations on personal data are recorded and carried out only by authorised entities. Third-party processors must also guarantee compliance with security measures.
The Controller uses technical safeguards, such as encrypted data transmission (SSL/TLS), restricted system access, and procedures protecting against unauthorised access.
§10 Changes to the Privacy Policy
This Policy is reviewed and updated on an ongoing basis.
The current version was adopted and entered into force on 2025-10-02.
The legality of this document is ensured by the lawyers of KZ Kancelaria.