1. The controller of personal data is Lemon City sp.j., located at ul. Ofiar Oświęcimskich 19, 50-069 Wrocław, NIP 8971852000, REGON 369482250, registered in the Register of Entrepreneurs maintained by the District Court for Wrocław-Fabryczna in Wrocław, 6th Commercial Division of the National Court Register under KRS number 0000718655 (hereinafter the “Controller”).
  2. The Controller operates the website EXIT19.PL (hereinafter the “Website”).
  3. A user of the Website (hereinafter the “User”) consents to the processing of their personal data by the Controller under the terms set out in this Privacy Policy.
  4. All statements, inquiries, and information concerning personal data may be submitted to the Controller via:
    – e-mail to: kontakt@exit19.pl;
    – the contact form available on the Website;
    – in writing to the Controller’s registered office.
  5. The User’s personal data is processed on the basis of Article 6 and other provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – “GDPR”).
  6. The User’s personal data is processed for the following purposes:
    – responding to questions and other messages sent by the User via the contact form or email, and for further communication with the User;
    – booking appointments for the User to use the escape room service;
    – providing the User with information about offers, promotions, discounts, and updates (direct marketing).
  7. The User’s data is also processed for the performance of contracts to which the User is a party, or to take action at the User’s request prior to entering into a contract.
  8. The User’s data is also processed when necessary for purposes arising from the legitimate interests pursued by the Controller or a third party (unless overridden by the User’s interests or fundamental rights and freedoms requiring protection of personal data), in particular for:
    – tax settlements in accordance with Polish tax law;
    – accounting in accordance with the Accounting Act and other applicable Polish law;
    – debt collection under the Civil Code and other applicable Polish legislation.
  9. The Controller processes the following categories of User data:
    – first and last name,
    – email address,
    – telephone number,
    – group photo (if applicable).
  10. Recipients of the User’s personal data may include:
    – employees, contractors, subcontractors, and other persons employed by or cooperating with the Controller;
    – accounting offices working with the Controller;
    – law firms working with the Controller;
    – IT service providers, including hosting and email services;
    – marketing service providers;
    – entities involved in settlements, including invoicing systems providers and banks;
    – postal and courier service providers.
  11. The User’s personal data may be transferred to third countries but only in accordance with Article 46 GDPR, i.e., provided that the recipient ensures appropriate safeguards. The User is entitled to receive a copy of their transferred data. Personal data will be stored for the period necessary to fulfill the purposes of processing, including:
    – the period of communication with the User, including the time necessary to provide all requested information;
    – the period of the Controller’s marketing activities;
    – the period necessary for proper performance of contracts concluded with the User;
    – the period necessary for tax settlements and the legally required retention period for tax documentation;
    – the legally required retention period for accounting records;
    – the period necessary for enforcing the Controller’s claims.
  12. The User’s personal data will be permanently deleted once all of the above periods have ended.
  13. The User has the right to:
    – obtain confirmation from the Controller as to whether their personal data is being processed;
    – receive a copy of the processed data;
    – obtain from the Controller all information covered by this Privacy Policy.
  14. The User has the right to request immediate rectification of inaccurate personal data. Taking into account the purposes of processing, the User may request completion of incomplete data, including by submitting an additional statement.
  15. The User has the right to request immediate deletion of their personal data, and the Controller must delete it without undue delay (subject to legal exceptions) if:
    – the data is no longer necessary for its processing purposes;
    – the User withdraws consent and there is no other legal basis for processing;
    – the User objects as described in points 18 or 19;
    – the data has been unlawfully processed;
    – deletion is required to comply with EU or Member State law applicable to the Controller;
    – the data was collected in relation to offering information society services directly to a child based on consent.
  16. The User has the right to request restriction of processing in the following cases:
    – when the accuracy of the data is contested, for the period necessary to verify it;
    – when processing is unlawful and the User opposes deletion, requesting restriction instead;
    – when the Controller no longer needs the data, but it is required by the User for establishing, exercising, or defending legal claims;
    – when the User has objected (as in point 18) until a determination is made whether the Controller’s legitimate grounds override those of the User.
  17. The User has the right to receive their personal data, in a structured, commonly used, machine-readable format, which they provided to the Controller, and to transmit that data to another controller without hindrance. The User may also request that the Controller transmit the data directly to another controller, where technically feasible.
  18. The User has the right to object at any time – for reasons related to their particular situation – to processing based on the Controller’s or a third party’s legitimate interests. The Controller may no longer process the data unless it demonstrates compelling legitimate grounds that override the User’s rights and interests, or for establishing, exercising, or defending claims.
  19. The User has the right to object at any time to processing for direct marketing purposes, and the Controller must comply.
  20. The User may withdraw consent to processing at any time. However:
    – withdrawal does not affect the legality of processing prior to withdrawal;
    – despite withdrawal, the Controller may still process data within the scope described in points 7–8.
  21. The User has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they believe that processing of their personal data violates the GDPR.