The following Privacy Policy sets out the rules for storing and accessing data on Users’ Devices by persons using the Service for the purpose of providing electronic services by the Administrator, as well as the rules for collecting and processing personal data provided voluntarily by Users through tools available within the Service.
The following Privacy Policy constitutes an integral part of the Service Terms and Conditions, which define the rules, rights, and obligations of Users using the Service.
§1 Definitions
- Service – the “Sonto” website operating at https://www.sonto.pl
- External Service – websites of partners, service providers, or service recipients cooperating with the Administrator.
- Service Administrator / Data Administrator – the Administrator of the Service and the Data Administrator (hereinafter: the Administrator) is the company “SONTO Sp. z o.o.”, conducting business at: ul. Bagienna 36c, 70-772 Szczecin, Poland, with Tax Identification Number (NIP): 9552564863, providing electronic services through the Service.
- User – a natural person for whom the Administrator provides electronic services through the Service.
- Device – an electronic device, together with its software, through which the User accesses the Service.
- Cookies – text data collected in the form of files placed on the User’s Device.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Personal Data – means information about an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Processing – means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Restriction of Processing – means the marking of stored personal data with the aim of limiting their future processing.
- Profiling – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
- Consent – consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Personal Data Breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- Pseudonymisation – means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Anonymisation – data anonymisation is an irreversible process of operations on data that destroys or overwrites personal data, making it impossible to identify or link a given record to a specific user or natural person.
§2 Data Protection Officer
The Administrator is not obliged to appoint a Data Protection Officer within the meaning of Art. 37 GDPR and has not appointed such a person.
In matters concerning the processing of data, including personal data, please contact the Administrator directly in the manner indicated in §14.
§3 Types of Cookies
- Internal Cookies – files placed on and read from the User’s Device by the Service’s IT system.
- External Cookies – files placed on and read from the User’s Device by the IT systems of External Services. Scripts from External Services that may place Cookies on Users’ Devices have been deliberately incorporated into the Service through scripts and services made available and installed within the Service.
- Session Cookies – files placed on and read from the User’s Device by the Service during a single session of that Device. Upon termination of the session, the files are deleted from the User’s Device.
- Persistent Cookies – files placed on and read from the User’s Device by the Service until they are manually deleted. The files are not automatically deleted upon termination of the Device session, unless the User’s Device configuration is set to delete Cookie files upon session termination.
- Essential Cookies – files necessary for the proper functioning of the Service, the disabling of which will prevent the correct use of the Service. They do not require User consent.
- Functional Cookies – files enabling the User’s preferences to be remembered and the Service to be personalized. They require User consent.
- Analytical Cookies – files used to collect information about how the Service is used, to keep statistics and to analyze User behavior. They require User consent.
- Marketing Cookies – files used to display advertisements tailored to the User’s interests, including remarketing. They require User consent.
§3a Cookie retention period
Cookies are stored on the User’s Device for the following periods:
Essential cookies:
- session cookies – until the end of the browser session
- consent management cookies – up to 12 months
Functional cookies:
- User preferences (e.g. language, interface settings) – up to 12 months
Analytical cookies:
- Google Analytics 4 (GA4) – up to 14 months from the last visit
- Microsoft Clarity – up to 12 months from the last visit
Marketing cookies:
- remarketing and advertising files – up to 13 months
The User may at any time delete stored Cookies via the internet browser settings, or change their cookie preferences via the cookie consent banner available in the Service.
§4 Data Storage Security
- Cookie Storage and Reading Mechanisms – the mechanisms for storing, reading, and exchanging data between Cookie files saved on the User’s Device and the Service are implemented through built-in browser mechanisms and do not allow for the retrieval of any other data from the User’s Device or from other websites visited by the User, including personal data or confidential information. The transmission of viruses, Trojan horses, and other malicious software to the User’s Device is also effectively prevented.
- Internal Cookies – Cookies used by the Administrator are safe for Users’ Devices and do not contain scripts, content, or information that could compromise the security of personal data or the security of the Device used by the User.
- External Cookies – the Administrator takes all possible steps to verify and select Service partners with regard to User security. The Administrator selects well-known, major partners with globally established public trust. However, the Administrator does not have full control over the content of Cookie files originating from external partners. The Administrator shall not be liable for the security, content, or lawful use of Cookie files originating from External Services, by scripts installed within the Service, to the extent permitted by law. A list of partners is provided further in this Privacy Policy.
- Cookie Control:
- At any time, Users may independently change the settings regarding the saving, deletion, and access to data stored in Cookie files by any website.
- Information on how to disable Cookies in the most popular desktop browsers is available at: how to disable cookies, or from one of the following providers:
- At any time, Users may delete all Cookie files saved to date using the tools of the Device through which the User accesses the Service.
- User-Side Risks – the Administrator applies all possible technical measures to ensure the security of data contained in Cookie files. It should be noted, however, that ensuring the security of such data depends on both parties, including the User’s own conduct. The Administrator shall not be held liable for the interception of such data, impersonation of a User’s session, or deletion thereof, resulting from the User’s intentional or unintentional actions, or from viruses, Trojan horses, or other spyware by which the User’s Device is or was infected. Users should follow safe internet usage practices to protect against these risks.
- Storage of Personal Data – the Administrator ensures that it takes all necessary steps to keep the personal data voluntarily provided by Users secure, with access limited and implemented in accordance with the purposes for which it is processed. The Administrator also ensures that it takes all necessary steps to protect the data in its possession against loss, through the application of appropriate physical and organisational security measures.
§4a Consent to Cookies
- On the User’s first visit to the Service, a cookie consent banner is displayed, allowing the User to give or refuse consent to the storage of cookies other than those necessary for the functioning of the Service.
- Essential cookies are activated automatically, as they are required for the proper operation of the Service.
- Functional, analytical and marketing cookies are activated only after the User has given explicit consent.
- Giving consent is voluntary. The User may change or withdraw the consent given at any time via the cookie consent banner settings available in the Service or through the internet browser settings.
- Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
§5 Purposes for Which Cookies Are Used
- Facilitating and improving access to the Service
- Personalisation of the Service for Users
- Marketing and remarketing on external services
- Affiliate services
- Compiling statistics (users, number of visits, device types, connection speed, etc.)
- Provision of social media services
- Analysis of User behavior in the Service (session recording, heatmaps, click analysis)
- Management of tags, scripts and analytical tools implemented in the Service
§6 Purposes of Personal Data Processing
Personal data voluntarily provided by Users is processed for one of the following purposes:
- Provision of electronic services:
- sharing information about content posted in the Service on social media platforms or other websites,
- handling inquiries submitted via the contact form.
- Communication of the Administrator with Users in matters related to the Service and the protection of personal data.
- Conducting analytics and statistics of the use of the Service, including the analysis of User behavior (using Google Analytics 4, Google Tag Manager and Microsoft Clarity tools) – based on the User’s consent given via the cookie consent banner.
- Conducting marketing activities, including remarketing – based on the User’s consent given via the cookie consent banner.
- Fulfilment of legal obligations incumbent on the Administrator, in particular resulting from tax and accounting regulations.
- Ensuring the legitimate interest of the Administrator, including the establishment, investigation or defense against possible claims.
- Fulfilling the Administrator’s legitimate interests.
Data collected from Users anonymously and automatically is processed for one of the following purposes:
- Compiling statistics
- Remarketing
- Management of affiliate programmes
- Fulfilling the Administrator’s legitimate interests
§7 External Service Cookies
The Administrator uses JavaScript scripts and web components of partners in the Service, which may place their own cookies on the User’s Device. Please note that in your browser settings you can decide for yourself which cookies may be used by individual websites. Below is a list of partners or their services implemented in the Service that may place cookies:
- Social / integrated services:
(Registration, Login, content sharing, communication, etc.)
- Statistics and traffic analysis:
- Google Analytics 4 (GA4) – a service provided by Google LLC, used to analyze traffic in the Service and User behavior
- Google Tag Manager (GTM) – a service provided by Google LLC, used to manage tags and scripts in the Service
- User behavior analysis:
- Microsoft Clarity – a service provided by Microsoft Corporation, used to record User sessions, create heatmaps and analyze User interactions with the Service. The tool records, among other things, mouse movements, clicks, page scrolling and entered data (excluding sensitive data). Within the Microsoft Clarity tool, the following safeguards are applied to protect the privacy of Users:
- automatic masking of fields containing sensitive data, including passwords, payment data and personal data entered in forms, in accordance with the default configuration of the tool,
- disabling the recording of the content of text fields marked as private,
- encryption of data transmission between the User’s browser and Microsoft servers.
The Administrator has no access to masked data. Detailed information regarding the data processing rules of Microsoft Clarity is available in the Microsoft privacy policy: https://privacy.microsoft.com/
Services provided by third parties are beyond the Administrator’s control. These entities may change their terms of service, privacy policies, data processing purposes and cookie usage methods at any time.
Analytical and marketing cookies (including GA4, GTM and Microsoft Clarity) are only activated after the User has given consent via the cookie consent banner displayed on the first visit to the Service. The User may change or withdraw the consent given at any time.
§8 Types of Data Collected
The Service collects data about Users. Some data is collected automatically and anonymously, while other data constitutes personal data provided voluntarily by Users in the course of registering for specific services offered by the Service.
Data collected automatically (some of which may constitute personal data within the meaning of the GDPR, in particular the IP address):
- IP address
- Browser type
- Screen resolution
- Approximate location
- Subpages of the Service visited
- Time spent on individual subpages of the Service
- Operating system type
- Address of the previous subpage
- Referring page address
- Browser language
- Internet connection speed
- Internet Service Provider
- Demographic data (age, gender)
Data collected during registration:
- Email address
Data collected upon subscription to the Newsletter service:
- Email address
Data collected when contacting via the contact form:
- E-mail address
- Phone number
- Content of the message
- Other personal data voluntarily provided by the User in the message
Voluntary provision of data
The provision of personal data by the User is voluntary; however, failure to provide certain data may prevent the use of selected services offered within the Service, in particular:
- failure to provide an e-mail address at registration will prevent the creation of a User account,
- failure to provide an e-mail address when subscribing to the Newsletter will prevent the subscription to the service,
- failure to provide data in the contact form will prevent a response to the User’s inquiry.
The provision of personal data to the extent required by law (e.g. data for issuing an invoice) is mandatory and results from tax and accounting regulations.
Some data (excluding identifying data) may be stored in cookies. Some data (excluding identifying data) may be transferred to the statistics service provider.
§9 Access to Personal Data by Third Parties
As a general rule, the sole recipient of personal data provided by Users is the Administrator. Data collected in the course of the services provided is neither transferred to nor sold to third parties.
Access to data (most commonly on the basis of a data processing entrustment agreement) may be granted to entities responsible for maintaining the infrastructure and services necessary for the operation of the Service, including:
- Hosting companies providing hosting services or related services for the Administrator.
- IT service and support companies carrying out maintenance or responsible for maintaining IT infrastructure.
- Providers of analytical and marketing tools:
- Google LLC – in the scope of Google Analytics 4 and Google Tag Manager services
- Microsoft Corporation – in the scope of the Microsoft Clarity service
Detailed information regarding the transfer of data to these entities and the safeguards applied is included in §10 of this Policy.
Entrustment of Personal Data Processing – Hosting, VPS, or Dedicated Server Services
For the purposes of operating the Service, the Administrator uses the services of an external hosting, VPS, or dedicated server provider – Digitaltop Szyszka Grzegorz. All data collected and processed within the Service is stored and processed within the service provider’s infrastructure located in Poland. Access to such data may occur in the course of maintenance work carried out by the service provider’s staff. Access to such data is governed by an agreement concluded between the Administrator and the Service Provider.
Entrustment of Personal Data Processing – Website Management Services
For the purposes of managing the Service, the Administrator uses the services of an external service provider – Digitaltop Szyszka Grzegorz. Staff of the aforementioned entity have access to data entered by users during registration and user account editing and/or data relating to the Newsletter service. Access to such data is governed by an agreement concluded between the Administrator and the Service Provider.
§10 Methods of Personal Data Processing
Personal data voluntarily provided by Users:
- Personal data will not, as a rule, be transferred outside the European Economic Area (EEA). An exception applies to situations in which data is processed by providers of analytical and marketing tools (Google LLC, Microsoft Corporation) based in the United States. In such cases, data transfers are carried out on the basis of Standard Contractual Clauses (SCC) approved by the European Commission or under the Data Privacy Framework (DPF) program, ensuring an adequate level of protection of personal data. Data may also be transferred outside the EEA if it has been published as a result of the User’s individual action (e.g. entering a comment or post), making the data available to every person visiting the Service. The User has the right to obtain information on the safeguards applied to the transfer of data outside the European Economic Area, as well as a copy of such safeguards (e.g. Standard Contractual Clauses), by contacting the Administrator in the manner indicated in §14 of this Policy.
- Personal data will not be used for automated decision-making that produces legal effects concerning the User or similarly significantly affects the User, within the meaning of Art. 22 GDPR. However, the Administrator applies profiling for analytical and marketing purposes, consisting in the analysis of User behavior in the Service using Google Analytics 4, Google Tag Manager and Microsoft Clarity tools. Such profiling is carried out on the basis of the User’s consent (Art. 6(1)(a) GDPR) given via the cookie consent banner and may be withdrawn at any time.
- Personal data will not be sold to third parties.
Anonymous data (excluding personal data) collected automatically:
- Anonymous data (excluding personal data) may be transferred outside the European Union.
- Anonymous data (without personal data) will not be used for automated decision-making that produces legal effects or similarly significantly affects a natural person.
- Anonymous data (excluding personal data) will not be sold to third parties.
§11 Legal Bases for Personal Data Processing
The Service collects and processes Users’ data on the basis of:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Art. 6(1)(a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Art. 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Art. 6(1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party
- Art. 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject, in particular resulting from tax and accounting regulations (e.g. storage of accounting documents)
- Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws 2018, item 1000)
- Act of 16 July 2004 – Telecommunications Law (Journal of Laws 2004, No. 171, item 1800)
- Act of 4 February 1994 on Copyright and Related Rights (Journal of Laws 1994, No. 24, item 83)
§12 Personal Data Processing Period
Personal data voluntarily provided by Users:
As a general rule, the personal data indicated above is retained solely for the duration of the Service provided by the Administrator within the Service. Such data is deleted or anonymised within 30 days of the termination of service provision (e.g., deletion of a registered user account, unsubscription from the Newsletter list, etc.)
An exception applies in cases where it is necessary to protect the Administrator’s legitimate purposes for further processing of such data. In such a case, the Administrator will retain the data indicated above, from the time of the User’s request for its deletion, for a period not exceeding 3 years in the event of a breach or suspected breach of the Service’s terms and conditions by the User.
Additionally, personal data contained in accounting documents (e.g. invoices) is stored for the period required by tax and accounting regulations — as a rule, for 5 years, counting from the end of the calendar year in which the tax payment deadline expired, in accordance with Art. 86 § 1 of the Polish Tax Ordinance and Art. 74 (2) of the Polish Accounting Act.
Anonymous data (excluding personal data) collected automatically:
Anonymous statistical data not constituting personal data is retained by the Administrator for statistical purposes for an indefinite period.
§13 Users’ Rights in Relation to the Processing of Personal Data
Users are entitled to the following rights in connection with the processing of their personal data:
- Right of access to personal data
Users are entitled to obtain access to their personal data, exercised upon request submitted to the Administrator.
- Right to rectification of personal data
Users are entitled to request that the Administrator rectify without undue delay any inaccurate personal data concerning them and/or complete any incomplete personal data, exercised upon request submitted to the Administrator.
- Right to erasure of personal data
Users are entitled to request that the Administrator erase their personal data without undue delay, exercised upon request submitted to the Administrator. In the case of user accounts, erasure of data consists of anonymising the data that enables identification of the User. The Administrator reserves the right to suspend the fulfilment of a request for data erasure in order to protect the Administrator’s legitimate interests (e.g., where the User has breached the Terms and Conditions, or where data was obtained in the course of correspondence). In the case of the Newsletter service, the User may independently delete their personal data by using the unsubscribe link included in every email sent.
- Right to restriction of processing of personal data
Users are entitled to request restriction of the processing of their personal data in cases specified in Article 18 of the GDPR, including where the accuracy of the personal data is contested, exercised upon request submitted to the Administrator.
- Right to portability of personal data
Users are entitled to receive from the Administrator their personal data in a structured, commonly used, and machine-readable format, exercised upon request submitted to the Administrator.
- Right to object to the processing of personal data
Users are entitled to object to the processing of their personal data in cases specified in Article 21 of the GDPR, exercised upon request submitted to the Administrator.
- Right to lodge a complaint
Users are entitled to lodge a complaint with the supervisory authority responsible for the protection of personal data. The supervisory authority competent in the Republic of Poland is the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl.
- Right to withdraw consent
If the processing of personal data is based on the User’s consent (Art. 6(1)(a) GDPR), the User has the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. Consent may be withdrawn in the same manner in which it was given, or by contacting the Administrator via the contact forms indicated in §14.
§14 Contact Details of the Administrator
The Administrator may be contacted in one of the following ways:
- Postal address – SONTO Sp. z o.o., ul. Bagienna 36c, 70-772 Szczecin, Poland
- Email address – biuro@sonto.pl
- Telephone – +48 501 310 260
- Contact form – available at: /kontakt
§15 Service Requirements
- Restricting the saving of and access to Cookie files on the User’s Device may result in the improper functioning of certain Service features
- The Administrator shall bear no liability for the improper functioning of Service features in the event that the User restricts in any way the ability to save and read Cookie files.
§15a Protection of data of persons under 16 years of age
- The Service is not directed to persons under 16 years of age.
- The Administrator does not knowingly collect personal data of persons under 16 years of age without the consent of their parent or legal guardian.
- If the Administrator becomes aware that they have unknowingly obtained personal data of a person under 16 years of age without the consent of a parent or legal guardian, they will immediately delete such data.
- A parent or legal guardian of a person under 16 years of age who becomes aware that their ward has provided personal data to the Administrator may contact the Administrator in the manner indicated in §14 in order to request the deletion of such data.
§16 External Links
The Service – in articles, posts, entries, or User comments – may contain links to external websites with which the Service Owner does not cooperate. Such links and the websites or files to which they direct may be dangerous for your Device or pose a risk to the security of your data. The Administrator shall bear no liability for content located outside the Service.
§17 Changes to the Privacy Policy
- The Administrator reserves the right to change this Privacy Policy with regard to the use and processing of anonymous data or the use of Cookies. Changes in this regard will be published on this subpage of the Service and shall enter into force upon their publication.
- With regard to changes concerning the processing of Personal Data, the Administrator shall inform Users with user accounts or subscribed to the Newsletter service by e-mail, at least 14 days prior to the entry into force of the changes.
- The information on changes shall include:
- the scope of the changes introduced, together with a justification,
- the date of entry into force of the changes,
- information on the User’s right not to accept the changes.
- If the User does not accept the changes introduced, the User has the right, before the changes enter into force:
- to delete their account in the Service,
- to unsubscribe from the Newsletter service,
- to request the deletion of their personal data.
- Continued use of the services after the changes enter into force shall constitute acceptance of the updated Privacy Policy.
- Changes introduced to the Privacy Policy will be published on this subpage of the Service. Previous versions of the Privacy Policy will be available in the document archive.





