The following information constitutes a concise, comprehensible, and transparent summary of the information contained in the Privacy Policy regarding the Data Controller, the purposes and methods of processing personal data, and your rights in connection with such processing, in the form required to fulfil the GDPR information obligation. Details regarding the methods of processing and the entities involved in this process are available in the aforementioned policy.

 

Who is the Data Controller?

The Personal Data Controller (hereinafter: the Controller) is “SONTO Sp. z o.o.”, conducting business at: ul. Bagienna 36c, 70-772 Szczecin, Poland, Tax Identification Number (NIP): 9552564863, providing services electronically via the Service.

 

How Can You Contact the Data Controller?

The Controller may be contacted in one of the following ways:

  • Postal address – SONTO Sp. z o.o., ul. Bagienna 36c, 70-772 Szczecin, Poland
  • Email address – biuro@sonto.pl
  • Telephone – +48 501 310 260
  • Contact form – available at: /kontakt

 

Has the Controller appointed a Data Protection Officer?

The Administrator is not obliged to appoint a Data Protection Officer within the meaning of Art. 37 GDPR and has not appointed such a person.

In matters concerning the processing of data, including personal data, please contact the Administrator directly.

 

Where Do We Obtain Personal Data and What are its Sources?

Data is obtained from the following sources:

  • from the data subjects themselves

What Is the Scope of the Personal Data We Process?

The Service processes ordinary personal data voluntarily provided by the data subjects (e.g. first and last name, login, email address, telephone number, IP address, content of the message sent via the contact form, etc.).

Personal data is obtained in particular through:

  • the User account registration form
  • the Newsletter service subscription form
  • the contact form
  • automatic analytical tools (GA4, GTM, Microsoft Clarity) – within the scope of technical and behavioral data

The detailed scope of data processed is available in the Privacy Policy.

 

Is the provision of personal data mandatory?

The provision of personal data by the User is voluntary; however, failure to provide certain data may prevent the use of selected services offered within the Service (e.g. registration of a User account, subscription to the Newsletter, sending an inquiry via the contact form).

The provision of personal data to the extent required by law (e.g. data for issuing an invoice) is mandatory and results from the relevant tax and accounting regulations.

Is the Service directed to persons under 16 years of age?

The Service is not directed to persons under 16 years of age. The Administrator does not knowingly collect personal data of persons under 16 years of age without the consent of their parent or legal guardian. If it is found that such data has been obtained unknowingly, the Administrator will immediately delete it.

 

What Are the Purposes for which We Process Data?

Personal data voluntarily provided by Users is processed for one of the following purposes:

  • Provision of electronic services (account registration, Newsletter, handling of the contact form).
  • Communication of the Administrator with Users in matters related to the Service and the protection of personal data.
  • Conducting analytics and statistics of the use of the Service, including the analysis of User behavior – based on consent.
  • Conducting marketing activities, including remarketing – based on consent.
  • Fulfilment of legal obligations incumbent on the Administrator.
  • Ensuring the legitimate interest of the Administrator.

 

What Are the Legal Bases for Data Processing?

The Service collects and processes Users’ data on the basis of:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation):

    • Art. 6(1)(a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes
    • Art. 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
    • Art. 6(1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party
    • Art. 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject, in particular resulting from tax and accounting regulations
  • Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws 2018, item 1000)
  • Act of 16 July 2004 – Telecommunications Law (Journal of Laws 2004, No. 171, item 1800)
  • Act of 4 February 1994 on Copyright and Related Rights (Journal of Laws 1994, No. 24, item 83)

What Is the Legitimate Interest Pursued by the Controller?

  • For the purpose of potentially establishing, pursuing, or defending against claims – the legal basis for processing is our legitimate interest (Art. 6(1)(f) GDPR) in protecting our rights, including, among others:
  • For the purpose of assessing the risk of potential clients
  • For the purpose of evaluating planned marketing campaigns
  • For the purpose of carrying out direct marketing

For How Long Do We Process Personal Data?

As a general rule, the personal data indicated above is stored solely for the duration of the service provided by the Controller within the Service. It is deleted or anonymised within 30 days from the termination of service provision (e.g. upon completion of correspondence conducted via the contact form).

In exceptional circumstances, for the purpose of safeguarding the legitimate interest of the Controller, this period may be extended. In such a case, the Controller will retain the data indicated above, from the time of the User’s request for its deletion, for no longer than 3 years in the event of a breach or suspected breach of the terms and conditions of the Service by the data subject.

Personal data contained in accounting documents (e.g. invoices) is stored for the period required by law — as a rule, for 5 years, counting from the end of the calendar year in which the tax payment deadline expired, in accordance with tax and accounting regulations.

 

Who Are the Recipients of the Data, Including Personal Data?

As a general rule, the sole recipient of the data is the Controller. However, data processing may be entrusted to other entities providing services to the Controller for the purpose of maintaining the operation of the Service.

Such entities may include, among others:

  • Hosting companies providing hosting or related services to the Controller
  • IT service and support companies performing maintenance or responsible for maintaining IT infrastructure
  • Providers of analytical and marketing tools:
    • Google LLC – in the scope of Google Analytics 4 and Google Tag Manager services
    • Microsoft Corporation – in the scope of the Microsoft Clarity service

Will your personal data be transferred outside the European Union?

Personal data will not, as a rule, be transferred outside the European Economic Area (EEA). An exception applies to situations in which data is processed by providers of analytical and marketing tools based in the United States:

  • Google LLC (Google Analytics 4, Google Tag Manager)
  • Microsoft Corporation (Microsoft Clarity)

Data transfers to these entities are carried out on the basis of Standard Contractual Clauses (SCC) approved by the European Commission or under the Data Privacy Framework (DPF) program, ensuring an adequate level of personal data protection in accordance with the requirements of the GDPR.

The User has the right to obtain information on the safeguards applied to the transfer of data outside the European Economic Area, as well as a copy of such safeguards, including the Standard Contractual Clauses, by contacting the Administrator.

Personal data may also be transferred outside the EEA if it has been published as a result of the User’s individual action (e.g. entering a comment or post), making the data available to every person visiting the Service.

 

Will personal data be the basis for automated decision-making?

Personal data will not be used for automated decision-making that produces legal effects concerning the User or similarly significantly affects the User within the meaning of Art. 22 GDPR.

However, the Administrator applies profiling for analytical and marketing purposes, consisting in the analysis of User behavior in the Service using Google Analytics 4, Google Tag Manager and Microsoft Clarity tools. Such profiling includes, among others, the analysis of the User’s activity in the Service, preferences and interests, in order to adapt content and advertisements and to keep statistics. The profiling is carried out on the basis of the User’s consent (Art. 6(1)(a) GDPR) given via the cookie consent banner and may be withdrawn at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.

 

What rights do you have in relation to the processing of your personal data?

  • Right of access to personal data – Users are entitled to obtain access to their personal data, exercised upon request submitted to the Controller.
  • Right to rectification of personal data – Users are entitled to request that the Controller rectify without undue delay any personal data that is inaccurate and/or complete any incomplete personal data, exercised upon request submitted to the Controller.
  • Right to erasure of personal data – Users are entitled to request that the Controller erase their personal data without undue delay, exercised upon request submitted to the Controller. In the case of user accounts, erasure of data consists in the anonymisation of data enabling the identification of the User. In the case of the Newsletter service, the User may independently delete their personal data by using the link included in each email message sent.
  • Right to restriction of processing of personal data – Users are entitled to request restriction of the processing of personal data in the cases specified in Article 18 of the GDPR, including questioning the accuracy of personal data, exercised upon request submitted to the Controller.
  • Right to data portability – Users are entitled to receive from the Controller personal data concerning the User in a structured, commonly used, machine-readable format, exercised upon request submitted to the Controller.
  • Right to object to the processing of personal data – Users are entitled to object to the processing of their personal data in the cases specified in Article 21 of the GDPR, exercised upon request submitted to the Controller.
  • Right to lodge a complaint – Users have the right to lodge a complaint with the supervisory authority responsible for the protection of personal data. The supervisory authority competent in the Republic of Poland is the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl.

  • Right to withdraw consent – If the processing of personal data is based on consent (Art. 6(1)(a) GDPR), the User has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.