Table of Contents
II. Legal regulations on personal data protection
III. Principles of processing your personal data
IV. Your rights in connection with the processing of personal data
VII. Consent – withdrawal of consent
IX. Recipients of data sharing with other entities
X. Data processing outside the EEA
XI. Data processing using cookies and other internet technologies
I. Introduction
In the following Privacy Policy, we have prepared information regarding the use (processing) of personal data of individuals visiting or using services provided by Reef Factory sp. z o.o. (“RF,” “we,” “us”) through the website www.reffactory.com, the service www.reefpedia.org, and the Smart Reef application, of which RF is the publisher and administrator.
We respect your privacy, and therefore, we provide this Privacy Policy to inform you about the extent to which we process your personal data and to give you the opportunity to make an independent, conscious, and voluntary decision regarding the use of our services.
Within this Privacy Policy, we have opted for a general description of the methods and scope of collecting your data, the purposes for which they are used, to whom they may be disclosed, and how they are protected. Additionally, this Privacy Policy includes information about your rights, in accordance with the applicable regulations on personal data protection.
The policy serves as a general document, providing essential information regarding the processing of personal data. Further details and specifics regarding data collection are outlined in individual regulations or informational clauses received at the time of gathering personal data during various activities, such as subscribing to a newsletter, participating in a contest, creating an account in the Smart Reef application, or registering on the website www.reefpedia.org. These additional documents contain more detailed information tailored to each specific data collection activity.
More information about the scope of cookie files or other data-collecting technologies used on our website can be found in the Cookie Policy
Administrator – contact details for the Republic of Poland:
Reef Factory Sp. z o.o. with its registered office in Niemcz (86-032), ul. Bydgoska 94, entered into the Register of Entrepreneurs kept by the District Court in Bydgoszcz – VIII Commercial Division, under the KRS number 0000781869, NIP (Tax Identification Number) 5542976220, REGON (National Business Registry Number) 383143903;
e-mail address: support@reeffactory.com
II. Legal regulations on personal data protection
The Privacy Policy of RF is based on the following regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union, L No. 119, p. 1) (also known as “GDPR”);
- Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000);
- Act of 16 July 2004 Telecommunications Law (consolidated text: Journal of Laws of 2017, item 1907, as amended);
- Act of 18 July 2002 on the provision of electronic services (consolidated text: Journal of Laws of 2017, item 1219, as amended).
III. Principles of processing your personal data
We value the trust you place in us, and therefore, data security, legal compliance, and transparent principles are highly significant to us. Our key principles that guide us are as follows:
- we collect personal data only to the minimum extent necessary and required to achieve the purposes for which they are collected;
- we clearly define the purposes for which we collect your personal data;
- we take care to ensure the accuracy and correctness of your personal data;
- we respect your right to access and rectify your personal data;
- we respect your rights, including the right to have your personal data deleted, withdraw consent, limit processing, data portability, object to data processing, and not be subject to decisions based solely on automated processing, including profiling;
- we limit the storage of your personal data to the period necessary to achieve the purposes for which they are collected (except in cases where events may extend the storage period);
- we protect your personal data against unauthorized access, accidental loss, alteration, and other illegal forms of processing;
- in the event of sharing your personal data with other entities, we adhere to the principles of security, contractual safeguards, and compliance with applicable laws and regulations.
IV. Your rights in connection with the processing of personal data
RF respects your rights regarding the processing of personal data in accordance with current legal regulations, especially the GDPR (Articles 16-21). These rights are described below.
- Withdrawing consent for the processing of personal data at any time if consent is the legal basis for data processing (see point VII of the privacy policy).
- The right to information on how RF processes their personal data.
- Access to data: you have the right to receive confirmation from RF on whether and how your personal data is being processed by RF, and to access them to the extent specified in Article 15 of the GDPR.
- Rectification of your personal data and their completion in case they are incomplete.
- Objection to the processing of your personal data for reasons related to your particular situation. In case your personal data is processed based on our legitimate interests, if you object, we will stop processing the data – except in situations where we can demonstrate compelling legitimate grounds for the processing that override your interests or are necessary for the establishment, exercise, or defense of legal claims (e.g., evidential purposes). The right to object also applies to situations where the processing involves direct marketing, including profiling (regardless of whether the legal basis for processing is your consent or our legitimate interests, in either case, your objection or withdrawal of consent will result in the cessation of processing for these purposes).
- Not being subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you (except in situations allowed by law, situations where such a decision is necessary for the performance of a contract, or when it is based on explicit consent; in the latter two exceptions, you have the right to challenge such a decision).
- Deletion of personal data by RF (“right to be forgotten”) generally involves requesting the administrator to promptly erase your personal data. It is worth mentioning that, according to Article 17 of the GDPR, there are exceptions to this right (e.g., for the purposes of investigation or defense against legal claims).
- Limitation of the processing of personal data may involve temporarily blocking access to your data or transferring the data to another system.
- Data portability: you have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format, in cases where their processing is based on consent or on a contract, and is carried out by automated means.
- Filing a complaint to the supervisory authority – the President of the Personal Data Protection Office.
Requests related to the processing of personal data and the rights granted to you can be sent via email to: support@reeffactory.com or in writing to the address: Reef Factory Sp. z o.o., ul. Bydgoska 94, 86-032 Niemcz.
Requests will be processed without undue delay, within one month from the date of receipt. This period may be extended due to the complex nature or number of requests (by an additional two months, in such a case, you will be informed of the extension). Until the request is processed, there is a possibility of receiving information about the subject of the submitted request.
In the request, please provide your first name, last name, and contact details (telephone number or email address, and in the case of a written request, also your residential address).
V. Security of your data
RF implements organizational and technical measures aimed at protecting your personal data from loss, unauthorized access, accidental loss, alteration, and other illegal forms of processing. Ensuring security has been our fundamental principle during the design of IT infrastructure, standards, and business practices.
We are committed to considering the following principles to ensure security:
- confidentiality (we protect personal data from accidental disclosure);
- integrity (we protect personal data from unauthorized modification);
- availability (if necessary, we ensure authorized individuals have access to your data).
The personal data you provide to us on our websites is encrypted and protected using SSL certificate.
The measures taken do not ensure total information security. Therefore, we cannot guarantee that the application will be immune to information security risks.
VI. How we process your data
RF processes your personal data for specific, explicit, and lawful purposes. The purpose of processing your personal data is communicated by RF each time through a separate communication.
Below, you will find the legal bases and purposes for which we may use your data (there is a possibility of processing data for different purposes and legal bases within one processing operation).
Consent as the legal basis – it can be given through your active action (e.g., account creation) or by checking a checkbox (in both cases, the legal basis is Article 6(1)(a) of the GDPR).
You have the right to withdraw your consent at any time, as described in the information about the processing of personal data and in Section VII of this privacy policy.
Consent is the legal basis when:
- you voluntarily provide us with your data and inquire about an offer, service, or request contact from our Support Center;
- you subscribe to the newsletter;
- you participate in contests.
Performance of a contract or actions leading to the conclusion of a contract (Article 6(1)(b) of the GDPR).
In this case, the legal basis applies, for example, when we provide access to our services and services provided electronically (Article 6(1)(b) of the GDPR).
Legitimate interests as the legal basis (except in situations where your interests or fundamental rights override our interests (Article 6(1)(f) of the GDPR)).
We may process personal data based on our legitimate interests, including, but not limited to:
- handling inquiries other than those related to marketing information;
- conducting service quality research;
- conducting internal audits and reporting, as well as financial settlements;
- ensuring that brand products or services are delivered in compliance with applicable laws, standards, and manufacturer’s guidelines, as a protection against abuse;
- achieving evidentiary and archival purposes, and ensuring information is secured in case of legal needs for demonstration, fact-finding, or defense against claims;
- pursuing analytical and statistical goals to ensure the quality of brand products and services, better tailor products and services to customer needs, optimize product and service processes, build customer knowledge, conduct market and sales analysis, and develop business or marketing strategies. In such cases, the results of the processing are aggregated data;
- processing operational data and your personal data in connection with offering services provided electronically and ensuring their security, or handling complaints;
- enabling the exercise of your rights (especially the rights to data accuracy, withdrawal of consent, and storage of requests and evidence of their handling);
- managing the sales process and customer service, establishing customer service procedures and ensuring the quality of products and services, maintaining a central customer database (including potential customers);
- conducting sample tests and providing their results in the Smart Reef application.
In some cases, the processing of personal data may be based on the protection of vital interests (legal basis from Article 6(1)(d) of the GDPR) or the fulfillment of a legal obligation incumbent on the data controller (legal basis from Article 6(1)(c) of the GDPR).
The method of collecting data:
RF collects your personal data when:
- you fill out forms on our websites;
- you contact us through social media platforms;
- you participate in contests;
- you register an account in the Smart Reef application;
- you register an account on Reefpedia.org;
- you register an account on Social Reef;
- you contact the Support Department.
What data can we process, and where do we get it from?
The collected personal data may vary in scope. This scope depends on the category of data subject and the type of relationship with RF (customer, potential customer interested in products or services), as well as the purpose for which the data is collected. If you are our customer, in addition to the data you provide in the contact form, we may also use data about you collected by RF in the past.
In every situation, we process only the necessary scope of data.
We may process personal data such as:
– identifying data (e.g., first name, last name);
– contact information (e.g., phone number, email address, residential address);
– data related to products or services you use;
– data related to your inquiries, orders, assignments, or complaints;
– data related to products or services you are interested in;
– information contained in correspondence addressed to RF or provided during conversations (including through social media) or contained in correspondence directed to RF.
When using RF’s online services, providing personal data is voluntary but may be necessary to handle your inquiry. In such cases, the required data elements are marked with an asterisk (*).
By logging into our services through authentication using social media networks such as Facebook, Social Reef, or others, you give consent to the sharing of your data.
If you do not consent to leaving your personal data through online services, we encourage you to contact us via email.
Using our websites involves the collection of data through cookies or similar technologies. This scope is described in detail in the Cookie Policy.
Children’s Privacy
Within our services, the forms collecting personal data are directed to adults (as a result, RF does not knowingly process personal data of individuals under 16 years of age). Consents given by users are valid for individuals above 16 years of age. Individuals below 16 years of age should not provide us with any information without verified consent from their legal guardian.
VII. Consent – withdrawal of consent
As part of the services offered, we may ask you to consent to the processing of your personal data for marketing purposes related to products or services offered by RF, including electronic marketing, if your consent can serve as an appropriate legal basis for data processing. Consent can also be given through a so-called “explicit action” (e.g., voluntary provision of personal data and a request for contact within the scope specified in the consent or by checking the checkboxes).
You can withdraw your consent for future marketing at any time by directly contacting RF (contact details in section I).
Unsubscribing from the Newsletter is possible through the unsubscribe link provided in every email message. For other consents obtained by RF, withdrawal of consent is possible in accordance with the information contained in the relevant information clauses or marketing correspondence.
Withdrawing consent does not have any negative consequences or discomfort, but you should be aware that it may result in the inability to use services such as receiving the Newsletter or responses.
The request for withdrawal of consent will be processed immediately, leading to the cessation of personal data processing for marketing purposes. Until the request is processed and within 10 days after its processing, you may still receive information from us that you opted out of by withdrawing consent. This is due to the time needed to implement the request in our systems and does not imply non-fulfillment of the request. After this period, you will no longer receive marketing communications.
If RF possesses your personal data obtained for other purposes (e.g., for contract or service fulfillment), your data may continue to be processed based on a different legal basis.
The scope of managing consent for the installation and use of cookies is described in the Cookie Policy.
At any time, you also have the option to delete your account within the service on your own. However, you should be aware that this action may prevent you from fully benefiting from the services offered by RF.
At any time, you also have the option to independently delete your account within the service. However, you should be aware that this action may prevent you from fully accessing and using the services offered by RF.
VIII. Data retention
We retain your data for the time necessary to fulfill the purposes for which they were collected. The storage period of your data is determined in accordance with applicable legal regulations. Where possible, we try to specify the storage period and provide you with information about the planned and probable duration of their retention.
When processing your data based on consent, personal data is kept for the duration of its validity. However, the validity period of consent may change – it may be extended (if required by law or necessary for the establishment, defense, or pursuit of legal claims) or shortened (e.g., in case of a request for data deletion).
IX. Recipients of data sharing with other entities
Data recipients
In certain justified situations, if there is a valid legal basis (e.g., in the case of marketing or entering into a contract), your data may be disclosed to other data controllers.
We may also share your data with other recipients who act as processors (i.e., providing services on our behalf and under our instructions), especially in the areas of IT services, marketing services, or handling correspondence. In some cases, external entities providing services on our behalf may also act as independent data controllers (e.g., postal services).
In justified cases, your data may be disclosed to public authorities (e.g., police) and courts.
Regarding future marketing purposes, distributors of our products may act as data processors, and their contact information is here.
Please note that in the event that Distributors process your personal data independently in their own name (e.g., by offering products through their channels without involvement of RF), they will become separate data controllers. In such cases, they will be responsible for the processing of personal data and will not be subject to the terms of this Privacy Policy.
The website may contain links to other websites of the RF brand, social media platforms, or websites of collaborating entities (e.g., Distributors). When you navigate to a third-party website, you will be subject to a separate privacy and data protection policy – we recommend reviewing their policies before proceeding.
X. Data processing outside the EEA
In the event that your personal data is transferred to recipients in countries outside the European Economic Area (EEA), such transfer will take place based on a decision on the adequacy of protection by the European Commission, the use of standard contractual clauses as per the decision of the European Commission, or with your explicit consent.
XI. Data processing using cookies and other internet technologies
RF’s brand websites also collect data included in system logs, cookies files, or utilize other similar internet technologies (such as codes, pixels, tags, plugins). More information on this subject can be found in the Cookie Policy.
XII. Changes to the Policy
RF reserves the right to make changes to this privacy policy. This may be necessary to comply with applicable laws, privacy standards, or to expand our offerings. Any changes to RF’s privacy policy will be communicated on its websites.
Last update:
12.09.2023