• how we collect personal data of: customers purchasing products, including board games; people submitting comments, inquiries and opinions;
• the purposes for which we process the data of the above-mentioned categories of data subjects;
• the entities to whom the data are made available and on what basis;
• how long we store your personal data;
• the rights of data subjects;
• the manner of exercising the rights of data subjects.
Who is the Data Controller of your personal data?
Lucky Duck Games Sp. z o.o.
30-320 Kraków, ul. gen. Bohdana Zielińskiego 11
registered by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division of the National Court Register under the number KRS 0000614771, NIP 6762506416 [Tax ID], Regon 364293939.
The Data Protection Officer can be contacted by e-mail: firstname.lastname@example.org or by post at the following address: Lucky Duck Games Sp. z o.o., 11 Bohdana Zielińskiego street, 30-320 Kraków, additionally marked by “RODO” [GDPR].
What are the purposes for processing your personal data?
First of all, we collect only the data that are necessary for us to achieve a specific purpose. What does this mean in practice?
The legal basis for data processing is taking actions at the request of the data subject before concluding the contract and in order to perform the contract to which the data subject is a party (Article 6(1)(b) of the GDPR). The personal data of persons who make a purchase in our Lucky Duck Games online store are processed on the same legal basis. When shopping in the online store, you can take advantage of additional functionalities and make a purchase under the User’s Account you have set up. Having such an account is convenient because you have online access to the history of your orders and your personal data, you can manage your consent to data processing, and at any time you can opt out of having such an account as a free electronic service. Having an account requires you to set a password and provide an e-mail address that will act as your login.
Regardless of the method of purchase, if you wish to receive an invoice, it will also be necessary to provide data to the extent necessary to issue it (here, the scope of data collected for this purpose may also be different; if the products are purchased by a company, it will be necessary to provide its full name, legal form and tax identification number). In case of issuing an invoice and storing the data in accordance with legal requirements, the legal basis for data processing is the legal obligation (Article 6(1)(c) of the GDPR). On the same basis, we will also process your data to the extent necessary to consider any claims under the warranty.
Your personal data may also be processed in our legitimate interest (Article 6 (1)(f) of the GDPR), which we consider to be:
• conducting analyses and audits, reporting for internal business purposes;
• considering claims and complaints;
• ensuring the protection of property, the security of IT systems against abuse and the safety of people staying at our headquarters, including by recording your image as part of the video monitoring system used;
• marketing of our own products (if these activities involve sending commercial information – then, in order to be able to take such actions, we will need your consent – Article 10 of the Act on Providing Services by Electronic Means);
• conducting research and evaluation of the quality of services and products provided in order to constantly improve them;
• communication with data subjects, including information about the progress of the contract, the availability of products, and significant changes to the website;
• archiving documents and information for the purpose of demonstrating the proper performance of legal obligations, contractual obligations or the proper course of specific processes in which we collected personal data, including the determination, investigation and defence of claims.
Using the functionalities of luckyduckgames.com
When the functionalities of the website www.luckyduckgames.com are used, a contract for the provision of services by electronic means is concluded (pursuant to Article 6 (1)(b) of the GDPR).
• User Account maintenance service – in order to use the Account functionalities, a User may be asked to provide the necessary personal data to register and create an account (name and surname, address, e-mail address, telephone number, login and password). Providing data to the extent necessary to create an account is voluntary, but necessary for the account to be created. At this stage, the User may also be asked to read specific regulations and to confirm that they have read the terms and conditions for providing a specific service and information on the processing of personal data. In order to facilitate the service, the User may be asked to provide additional data, thus expressing consent to their processing. Such data can be deleted at any time. Data marked as mandatory are required in order to set up and operate the Account; providing the other data is voluntary.
• Order form service – if the User uses the option of ordering products in the Online Store, then they will be asked to deliver specific personal data to the extent necessary to provide the service, such as: name, surname, address, e-mail address, telephone number. Providing this data is voluntary, but at the same time it is necessary to provide the service.
• Newsletter service – by using the Newsletter Service, the User will be asked to deliver their personal data to the extent necessary to provide this service, i.e. an e-mail address. Providing an e-mail address is mandatory for this service to be provided.
Data processing for marketing purposes
After obtaining appropriate consents, the Data Controller may process your personal data for the purpose of carrying out marketing activities, which may include:
• displaying marketing content to the Users that is not tailored to their preferences (contextual advertising – then, the processing of personal data takes place in connection with the legitimate interest of the Data Controller (Article 6 (1)(f) of the GDPR));
• displaying marketing content to the Users that is tailored to their interests (behavioural advertising – the Data Controller processes Users' personal data, including personal data collected via cookies and other similar technologies);
• directing e-mail notifications about interesting offers or content that may contain commercial information;
• conducting other types of activities related to direct marketing of goods and services (sending commercial information by electronic means).
These data can be used to create Users’ profiles, which allows for a better adjustment of the displayed content to their individual preferences and interests. The way of using profiles depends on the expressed marketing consents. The legal basis for the above-mentioned data processing is Article 6 (1)(f) of the GDPR.
You can withdraw your consent to the processing of your data in relation to a given communication channel at any time. In order to withdraw your consent or object to the processing of your data, it is enough to contact us by e-mail at the address email@example.com or by post at the Data Controller's address.
Consent to the processing of personal data
If none of the above-mentioned purposes for processing applies, your personal data may be processed based on your voluntary consent – to the extent and purpose the consent refers to. The data will be processed for the period necessary to achieve the purpose of processing or until you withdraw your consent, which you can do at any time, e.g. by sending such a request to firstname.lastname@example.org.
Communication with persons contacting Lucky Duck Games on their own initiative
If you contact us by e-mail, by post, and through the forms available on the website, your personal data may be processed to the extent and for the purposes the data were given to us. The data mainly include your name, surname, address, telephone number or e-mail address, details of the case in which you contact us. Providing your personal data is voluntary, but in some cases it may be necessary for us to be able to take certain actions desired by you, e.g. failure to provide a telephone number in the contact form will prevent us from contacting you by phone. The legal basis for the processing of personal data is our legitimate interest (Article 6 (1)(f) of the GDPR), for which we consider the handling of correspondence addressed to the Company and its archiving for the purposes of determining, investigating and defending claims. The data will be stored for the period necessary to achieve the purpose of processing and until the limitation period for claims.
Performance of contracts with contractors
Running a business without the support of other entities would be almost impossible, therefore our business may involve the processing of personal data of contractors who are natural persons. Contractors' data will be processed for the following purposes:
• performance of the concluded contract or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR);
• compliance with a legal obligation, in particular those of a tax nature, related to the issuance and storage of accounting documents (Article 6(1)(c) of the GDPR);
• our legitimate interest (Article 6(1)(f) of the GDPR), which we consider to be:
- conducting direct marketing of own services, including those based on the consent referred to in the provisions of the Act on providing services by electronic means – if required;
- conducting analyses and audits, reporting for internal business purposes;
- archiving for the purpose of demonstrating the proper performance of legal obligations and contractual obligations, including the determination, investigation and defence of claims.
How long are your personal data stored?
Your personal data will be stored for the period necessary to achieve the purposes for which it was collected, including the duration of the contract, until the fulfilment of a legal obligation or until the implementation of any purpose based on a legitimate interest and no longer than until the expiry of the limitation period for claims that may be asserted as part of and in connection with the business processes in which they were collected.
If the data recorded via video monitoring constitute evidence in legal proceedings or when Lucky Duck Games, as an employer, becomes aware that they may constitute evidence in the proceedings – the storage period is extended until the final conclusion of the proceedings.
In the case of a User Account, your data are stored as long as you are a registered user.
Transfers of personal data to recipients
The recipients of your personal data may only be companies that support Lucky Duck Games in the implementation of the above-mentioned purposes of processing, and in this respect they provide us with certain services, within which your personal data is processed. In particular, these entities include IT service providers (maintaining and providing us with systems in which your personal data are processed), providers of accounting and postal services, legal advisory services (law firms), courier companies and payment service providers. Your data may also be transferred to other entities, if you give your consent.
How do we collect the data we process?
In the vast majority of cases, personal data comes directly from the data subjects, i.e. they are provided to us directly by clients, persons contacting us, contracting parties or their representatives.
Transfers of personal data outside the EEA
Due to the fact that the Data Controller uses marketing tools provided by Google and The Rocket Science Group, your personal data may be transferred outside the European Economic Area, e.g. to the USA.
The Data Controller ensures that the transfer of data to entities operating in the USA takes place with the use of appropriate safeguards, based on an appropriate agreement between the Data Controller and such entity containing standard contractual clauses adopted by the European Commission.
Is the provision of data necessary?
Remember that providing your personal data is voluntary, but it may be necessary to conclude a sales contract or perform obligations that are specified by law. The consequence of not providing personal data may be the inability to conclude a contract, the inability to sell or take actions for which we need your consent.
What are the rights of the data subjects?
Depending on the legal basis for the processing of personal data and the premises referred to in Art. 7 and 15-21 of the GDPR, each person whose data is processed has the right to:
• access personal data and receive a copy of it (Article 15 of the GDPR);
• rectify inaccurate personal data and have incomplete data completed (Article 16 of the GDPR);
• erase personal data (Article 17 of the GDPR);
• restrict the processing in cases referred to in Article 18 of the GDPR;
• transmit personal data in the cases specified in Article 20 of the GDPR;
• object to the processing of their personal data at any time – for reasons related to a particular situation – based on Article 6 (1)(f) of the GDPR and in other cases referred to in Article 21 of the GDPR;
• withdraw consent at any time, which shall not affect the lawfulness of processing based on consent before its withdrawal (Article 7 of the GDPR).
In order to implement any of the above rights, please send an appropriate request to Lucky Duck Games Sp. z o.o. In case of doubts related to the submission of a request, please contact us by e-mail at email@example.com.
The person whose personal data is processed also has the right to lodge a complaint with the supervisory body if he or she believes that Lucky Duck Games Sp. z o.o. processes his or her personal data contrary to applicable law. In Poland, the President of the Personal Data Protection Office is the national supervisory authority, having its office at ul. Stawki 2, 00-193 Warszawa.
The processing and protection of your personal data is very important to us. It is very much in our interest to ensure that any doubts that may arise in connection with the processing of personal data are immediately resolved. Therefore, we would be grateful if, in case of any doubts regarding the lawful processing of your personal data by us, you would contact us, so that we can deal with the reported doubts immediately.
In order to protect your data and secure the submission of forms, we use Google reCaptcha, a service of Google LLC ('Google'), pursuant to Article 6(1)(f) of the GDPR. Our legitimate interest results from the outlined purposes. In this context, the analysis of various information is used to determine whether the data entry is performed by a human or by an automated program. The generated information is sent to a Google server in the USA and stored there. The collection and analysis of the data do not enable either us or Google to confirm your identity. In particular, Google will not associate this information with your personal data. More information on Google reCaptcha can be found at: https://policies.google.com/privacy or https://policies.google.com/terms