Privacy policy


https://subforma.com/ and https://app.subforma.com/


The protection of the privacy of users of the websites https://subforma.com/ and https://app.subforma.com/ (hereinafter referred to as the “Services” or the “Websites”) is particularly important to us. For this reason, all users of the Services (i.e. persons visiting the Websites) are guaranteed high standards of privacy protection. KOMJ Sp. z o.o., with its registered office in Trzebinia, acting as the personal data controller, ensures the security of personal data provided by users.


Processing of personal data / Controller

“Personal data” means any information that identifies a user directly, for example first name, last name, e-mail address, which you provide when using contact forms or other functionalities made available via the Service; or indirectly, for example a login, IP address, cookie identifiers or information used to log in to the website. 
The controller of personal data of the users of the Services processed in accordance with this Privacy Policy is KOMJ Sp. z o.o., ul. Przemysłowa 8, 32-540 Trzebinia, NIP 6282286943, KRS 0000964370, REGON 521792213, hereinafter referred to as the “Controller” or the “Company”. 
Personal data of Service users will be processed by the Controller in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
If you have any questions regarding the processing of personal data by the Controller, you may contact us at: hello@subforma.com, by phone at +48 788 777 861, or by correspondence at the Company’s registered address.
Acting pursuant to the obligation arising from Article 13(1) and (2) of the GDPR, applicable in all EU Member States as of 25 May 2018, we hereby inform you about the manner and purpose of processing your personal data, as well as about your rights related to the protection of your data.

Scope of personal data processing

When using certain Services, users may be asked to provide their personal data. The required scope of personal data is determined each time according to the needs of a given service or functionality of the Service that users intend to use. Data collected via the Services are collected by the Controller directly from the data subjects.
In the event that a User creates an account on the Service website https://app.subforma.com/, persons using the Company’s services via the Websites (including placing orders for prints and product delivery) provide the following personal data:

  • First and last name;
  • Residential address / Country;
  • Tax identification number (e.g. VAT ID);
  • Contact details such as e-mail address and telephone number;
  • User login and password for the Service account;

When placing orders in the Service, the User may also indicate: 

  • Shipment recipient details (first name, last name, company name);
  • Residential address or registered office of the shipment recipient;
  • Contact details (telephone number, e-mail address). 

If users use the website https://subforma.com/ solely to browse the content of the Website, the Controller may collect certain information about users using cookies, of which users are informed each time by the Controller. Information about cookies used in the Services is also included in section IX of this Privacy Policy. If the Controller requires the provision of data to use functionalities available in the Services, providing such data is always fully voluntary; however, failure to provide personal data will prevent the use of the Service in accordance with the available functionalities.

Purposes and legal basis for data processing

The Controller collects and processes users’ personal data solely in accordance with the provisions of this Privacy Policy. All data provided by the user will be processed by the Controller exclusively for the purpose of:

  • providing user and customer support and contacting users, including responding to inquiries, informing about products and services offered by the Company or preparing the process of concluding contracts with Company customers (e-mail correspondence, traditional correspondence, telephone contact) – the legal basis for processing is Article 6(1)(b) GDPR, i.e. processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract; or Article 6(1)(f) GDPR, where the legitimate interest is building relationships and customer service;
  • In the event of creating an account in the Service (website address: https://app.subforma.com/), the Controller processes the User’s personal data in order to enable registration, creation and management of the account, login handling, session maintenance, ensuring access to Service functionalities (including placing and fulfilling orders, handling settlements and contact related to account use), as well as ensuring account security and preventing abuse.
    For this purpose, the Controller may process in particular the following categories of data: first and last name, e-mail address, telephone number, residential address/country, identification and billing data (e.g. VAT ID), user login/identifier, as well as technical data related to the use of the account (e.g. IP address, session identifiers, cookie identifiers, login dates and times, device and browser information).
    The legal basis for processing data for the purpose of creating and managing an account is Article 6(1)(b) GDPR. To the extent that processing is necessary to ensure account security, detect abuse and ensure proper functioning of the Service, the legal basis may also be Article 6(1)(f) GDPR.
    Data will be processed for the duration of the account, and after its deletion – for the period necessary to settle services, demonstrate compliance with legal obligations and for the possible establishment, pursuit or defense of claims.
  • processing personal data in order to fulfill legal obligations imposed on the Company – the legal basis is Article 6(1)(c) GDPR;
  • fulfillment of contractual obligations towards the Controller’s business partners, which constitutes the Controller’s legitimate interest – the legal basis is Article 6(1)(f) GDPR;
  • analytical and development purposes, improvements (including improving user experience), administration, maintenance, technical support and Service security – the legal basis is Article 6(1)(f) GDPR;
  • possible establishment, pursuit or defense of claims, enforcement or investigation of potential violations of the terms of use of the Services or other unlawful actions – the legal basis is Article 6(1)(f) GDPR;
  • use of contact forms provided by the Controller on the Service websites, including handling inquiries via the contact channel indicated by the user – the legal basis is Article 6(1)(f) GDPR;
  • The Company processes personal data of users visiting the Company’s social media profiles (Facebook, LinkedIn, Instagram, YouTube, TikTok, Pinterest) solely in connection with running such profiles and promoting the Company’s activities, services and products – the legal basis is Article 6(1)(f) GDPR;
  • performance of activities based on granted consent (Article 6(1)(a) GDPR), including newsletters or commercial information sent electronically; marketing based on legitimate interest – Article 6(1)(f) GDPR; 
  • direct marketing and advertising activities – Article 6(1)(f) GDPR.

Recipients of personal data

The personal data of Service users and the Company’s Clients may be disclosed by the Controller to:

  • persons authorized by the Controller, i.e. employees and collaborators who must have access to personal data in order to perform their duties;
  • our partners and external entities providing services to the Controller, to whom users’ personal data may be transferred and processed in order to enable them to perform services commissioned by the Controller, including IT service providers and entities providing accounting or marketing services;
  • public authorities or entities authorized to obtain data under applicable laws, e.g. courts, law enforcement authorities or state institutions, where they submit a request based on an appropriate legal basis. In the event of a personal data security breach, certain personal data may be disclosed to authorities competent for their protection;
  • other companies cooperating with the Controller, provided that the disclosure of such data is necessary in connection with the pursuit of the Controller’s interests or where there is an explicit legal basis for such transfer of data by the Controller to such entities.

All external entities are obliged to comply with the Controller’s guidelines and to implement appropriate technical and organizational measures to protect the personal data of Service users or the Company’s clients. 
Data recipients may act as our data processors (in which case they are fully subject to our instructions regarding the processing of personal data) or as independent data controllers (in which case it is additionally necessary to familiarize yourself with the principles of personal data processing applied by those entities).

Transfer of data to third countries / international organizations outside the EEA

In the event of cooperation with certain partners of the Controller or suppliers who are external entities, the registered offices of such external entities may be located both within the territory of countries that are members of the European Union and outside the European Economic Area (EEA). The level of data protection in countries outside the EEA may differ from that guaranteed under European law.
Where our partners or suppliers are established outside the EEA, the Controller ensures that the transfer of data outside the EEA is carried out in accordance with the applicable legal regulations in this respect. 
Data may be transferred to our partners outside the EEA in particular on the basis of decisions issued by the European Commission or standard contractual clauses approved by the European Commission.
In the absence of a decision confirming an adequate level of protection as referred to in Article 45(3) of the GDPR or the absence of appropriate safeguards referred to in Article 46 of the GDPR, personal data are transferred by the Company outside the EEA only if:

  • it is necessary for the performance of a contract concluded with the data subject or for taking steps necessary to conclude such a contract;
  • it is necessary for the Company’s use of internet infrastructure, such as e-mail, cloud services or a website;
  • such an obligation is provided for in the provisions of Polish or European law or international agreements ratified by Poland;
  • the data subject, having been informed of the possible risks which—due to the absence of a decision confirming an adequate level of protection and the absence of appropriate safeguards—may be associated with the proposed transfer, has explicitly consented to it.

In connection with the transfer of data outside the EEA, you may request information about the safeguards applied in this respect, obtain a copy of such safeguards or information on where they are made available by contacting us at the address indicated in section I above.

Rights of data subjects

Service users are entitled to the following rights with regard to personal data processed by the Controller:

  • the right of access to the user’s personal data;
  • the right to rectify the user’s personal data if the data are inaccurate or incomplete;
  • the right to erasure of personal data;
  • the right to object to the processing of the user’s personal data; 
    The right to object applies where the processing by the Controller is based on the Controller’s legitimate interest, e.g. for profiling for marketing purposes. The Controller will cease processing the data for such purposes unless there are compelling legitimate grounds which override the interests, rights and freedoms of the user, or the user’s data are necessary for the establishment, exercise or defense of legal claims;
  • the right to object to the processing of the user’s personal data for direct marketing purposes;
  • where consent to the processing of personal data has been given, the user may withdraw such consent at any time. Consent may be withdrawn at any time by contacting the Controller at the e-mail address indicated in section I of this Privacy Policy. Withdrawal of consent does not affect the lawfulness of processing carried out by the Controller prior to the withdrawal of consent;
  • the right to data portability;
  • the right to restriction of the processing of the user’s personal data;
  • the right to lodge a complaint with a supervisory authority (the President of the Personal Data Protection Office, with its registered office in Warsaw at ul. Moniuszki 1A, 00-014 Warsaw).

Personal data retention period

The Controller stores and processes the personal data of Service users and the Company’s clients for the period necessary to fulfill the processing purposes indicated in section III of this Privacy Policy or in accordance with mandatory provisions of law, i.e. for example until the completion of the performance of a contract in connection with the execution of an agreement between the Company and the Client. 
After the processing purpose has been achieved, the Controller will delete or anonymize the personal data, and if the Controller intends to process the data for analytical purposes, the data will be pseudonymized in order to use them to the extent appropriate and necessary for specific processing purposes, in a manner that prevents the identification and determination of the identity of the data subjects.

Security

The Controller applies appropriate technical and organizational measures to ensure an adequate level of security and integrity of users’ personal data, using proven technological standards to prevent unauthorized access to users’ personal data.

Cookies and similar technologies

Cookies are small text files that the Service website stores on the user’s computer or mobile device when the user browses it. Cookies usually contain the name of the domain from which they originate, their storage duration on the end device, and an individual, randomly generated, unique number identifying the cookie. Information collected through such cookies helps adapt the Service to the individual preferences and actual needs of users. It also enables the preparation of general statistics on the use of the Service and the maintenance of the user’s session.
The entity placing cookies on the user’s end device and accessing them is the Controller or partners whose services are used by the Controller. This policy describes the rules for the use of first-party cookies as well as third-party cookies. 
Information collected via cookies is used solely to ensure the proper functioning of the Website, for analytical, statistical and marketing purposes, and to tailor information to the user using the website. The use of cookies within the Service is not intended to identify users. 
The following types of cookies are used within the Service:

  • “Necessary” cookies, which enable the use of services available within the Service, e.g. authentication cookies used for services that require authentication within the Service. Necessary cookies contribute to the usability of the website by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies. 
  • “Functional / Preference” cookies, which relate to preferences and allow the website to remember information that changes the appearance or functionality of the website, such as the preferred language or the region in which the user is located.
  • “Analytical / Statistical” cookies, which collect information about the user’s use of the Service, such as the pages visited by the user and any error messages; they do not collect information that enables the identification of the user, and the collected data are aggregated in such a way that they become anonymous. Analytical cookies are used to improve the performance of the Service website. Statistical cookies help website owners understand how different users behave on the website by collecting and reporting anonymous information.
  • “Advertising” cookies, which are used to promote certain products, articles or services; we may use advertisements that are displayed on other websites. This type of cookie is used to make advertising messages more relevant and tailored to the preferences of Service users. The purpose of these cookies is to display advertisements that are relevant and interesting to individual users. For advertising purposes, we also use cookies of third parties (see below). 

Legal basis for the processing of cookies

Ad. a) The legal basis for processing data in connection with the use of necessary cookies is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR). 
Ad. b) and c) The processing of personal data in connection with the use of functional and analytical cookies is subject to obtaining the user’s consent for the use of (separately) functional and analytical cookies via the cookie consent management platform. Such consent may be withdrawn at any time via this platform. The processing of data in connection with the use of necessary and analytical cookies by the Controller is carried out for the above-mentioned purposes on the basis of the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in ensuring the highest quality of services provided within the Service. 
Ad. d) The processing of personal data in connection with the use of advertising cookies is possible after obtaining the user’s consent via the consent management platform. Such consent may be withdrawn at any time via this platform. The processing of data in connection with the use of advertising cookies by the Controller is carried out on the basis of the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in ensuring the highest quality of services provided within the Service and conducting marketing of its goods and services.

Third-party cookies

The Service, like most modern websites, uses functionalities provided by third parties, which involves the use of cookies originating from third parties. The use of such cookies is described below.

Google Analytics

We use the Google Analytics tool provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics uses its own cookies primarily to report user interactions with the Service. Cookies are used in the context of this service for the Controller’s analytical and statistical purposes (information about Users’ activity and the manner of using the Website). The information collected in this way is most often transferred to a Google server in the United States and stored there.
Google Analytics also offers an optional browser add-on which, once installed and activated, disables Google Analytics tracking on all websites visited by the user: https://tools.google.com/dlpage/gaoptout/.
In some cases, data collected using the above-mentioned tool may constitute personal data, such as pseudonymous cookie identifiers, pseudonymous advertising display identifiers, IP addresses, or other pseudonymous user identifiers. Google Analytics collects IP addresses in order to ensure secure use of the service and to inform website owners about the countries, regions and cities from which users originate (“IP-based geolocation”). We carry out these activities on the basis of our legitimate interest (improving the services we provide) in connection with your consent.
If you are interested in details related to data processing within Google Analytics, we encourage you to review the explanations prepared by Google: https://support.google.com/analytics/answer/6004245.

Google Ads

We use the Google Ads advertising program operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, in order to conduct advertising campaigns, including remarketing campaigns. These activities are carried out on the basis of our legitimate interest, consisting in marketing our own products or services, in connection with your consent. When visiting the Service website, a Google remarketing cookie is placed on the user’s device, which, with the help of a pseudonymous identifier (ID) and based on the pages visited by the user, enables the display of interest-based advertisements. Further processing of information takes place only if the user has given Google consent to link browsing and app usage history with the user’s account and to use information from the user’s Google account to personalize ads displayed on websites.
We emphasize that the Controller, when using Google Ads, does not collect any data that would allow for the identification of the user. Any aggregation of data that causes them to acquire the nature of personal data may be carried out by Google; however, in this respect we bear no responsibility, as Google performs these activities on the basis of an agreement concluded with the user of Google services. When using Google Ads, the Controller may define audience groups to which it would like its advertisements to be delivered. 
From our website, using the cookie management mechanism, you may disable these cookies (by turning off the “marketing” option). 
Users may manage advertising settings directly on Google’s website: https://adssettings.google.com/. If you are interested in details regarding data processing within Google Ads, we encourage you to review Google’s privacy policy: https://policies.google.com/privacy.

Facebook Ads and Pixel Tag

We use marketing and analytical tools available within the Facebook service. The provider of these tools is Meta Platforms, Inc., 1601 Willow Rd, Menlo Park, CA 94025, USA. These activities are carried out on the basis of our legitimate interest, consisting in marketing our own products or services and conducting analysis and statistics, in connection with your consent. 
In order to deliver personalized advertisements to Service users based on their behavior within the Service, we have implemented the Facebook Pixel within the Service, which automatically collects information about the user’s use of our website in terms of the pages viewed. The information collected in this way is most often transferred to a Facebook server in the United States and stored there. 
The Controller emphasizes that the information collected via the Facebook Pixel is anonymous, i.e. it does not allow us to identify you. 
However, we inform you that Facebook may combine the collected information with other information gathered in connection with the user’s use of the Facebook service and use it for its own purposes, including marketing purposes. 
Such actions by Facebook are no longer dependent on us, and information about them can be found directly in Facebook’s privacy policy: https://www.facebook.com/privacy/explanation.
From our website, using the cookie management mechanism, users may disable the Facebook Pixel (by turning off the “marketing” option).

Social media plugins

The Controller’s Services use so-called social media plugins redirecting to the Controller’s profiles maintained on social media platforms, in particular via social media plugins of LinkedIn, Facebook and Instagram. Through the functionalities offered by such plugins, users may share specific content or distribute it on social media, or visit a page belonging to the Controller (e.g. a so-called “Fanpage”) on a selected social media platform, or view information about the Controller on the services to which they are redirected. 
Please note that the use of these plugins involves the exchange of data between the user and the respective social media platform or website. 
The Controller does not process such data and has no knowledge of what data are collected from users. Therefore, we encourage users to familiarize themselves with the terms and conditions and privacy policies of the respective social media platforms before using a given plugin. The use of certain functionalities provided by these entities may involve the use of external cookies. From the moment a given plugin is clicked, the personal data of Service users are processed by the respective social media platform, and the owner of that platform becomes a joint controller of your personal data pursuant to Article 26 of the GDPR. 
Personal data voluntarily provided by Service users on the Fanpage will be processed by the Controller for the purpose of managing the Fanpage, communicating with Service users, including responding to inquiries, engaging in interactions, informing about organized events, providing important information, including about services and products offered by the Controller, and building a Fanpage community on the selected platform to which the social media plugins lead.
More information about the technologies used can be found in the privacy policy of the respective provider:

  • Facebook: https://pl-pl.facebook.com/privacy
  • LinkedIn: https://pl.linkedin.com/legal/privacy-policy?
  • Instagram: https://privacycenter.instagram.com/policy/
  • Pinterest: https://policy.pinterest.com/pl/privacy-policy
  • YouTube: https://policies.google.com/privacy?hl=pl
  • TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/pl

With regard to the data provided on social media platforms, you are entitled to the rights set out in section VI of this Privacy Policy.

Profiling

The Controller does not make decisions with respect to Service users based solely on automated processing, including profiling, that would produce legal effects for the user or similarly significantly affect the user. 
However, the Controller reserves the right to use tools that may take certain actions depending on information collected through tracking mechanisms; nevertheless, we consider that such actions do not have a significant impact on Service users, as they do not differentiate the user’s situation as a customer and do not affect the terms of any agreement that may be concluded with the Company. By using certain tools, the Controller may, for example, display personalized advertisements to Service users based on their previous activities within the Service or suggest products that may be of interest to Service users (see section IX above).

Information on the obligation to provide personal data

All personal data provided to the Company are provided voluntarily in connection with gaining access to the website and its functionalities (i.e. the provision of electronic services by the Controller to visitors of the Service website). Failure to provide the required information will prevent the use of the website’s functionalities (e.g. subscribing to a newsletter, contacting the Controller via contact forms, or creating an account and placing orders in the Service).

Entrustment of personal data processing

In the event that, in connection with the use of the Services, it becomes necessary to entrust the processing of personal data by the Service Customers (i.e. when the Customer, acting as a data controller within the meaning of Article 4(7) of the GDPR, entrusts the Company with the processing of personal data pursuant to Article 28 of the GDPR), the relevant provisions of Appendix No. 1 to this Privacy Policy (Data Processing Agreement) shall apply. Appendix No. 1 specifies in particular the scope and purpose of the entrustment, the obligations of the Parties, and the principles of personal data protection in connection with the provision of services via the Service.

Updates

The Privacy Policy may be amended by the Controller at any time. In such a case, the Controller will publish the updated version of the Privacy Policy on the Service website and inform users about the changes and their effective date.