Privacy Policy

The controller of your personal data is: SANLITE Sp. z o.o. ul. Leśna 1, 42-256 Zrębice, Poland KRS: 0001073217 (District Court in Częstochowa, XVII Commercial Division) VAT: PL9492265618 | REGON: 527108703 E-mail: [email protected] | Tel.: +48 608 710 755 For any questions regarding the protection of your personal data, please contact us at: [email protected]

We process your personal data on the following legal bases and for the following purposes: a) Art. 6(1)(b) GDPR (performance of a contract) – to fulfil orders, deliver purchased licences, and manage your account. b) Art. 6(1)(c) GDPR (legal obligation) – to issue invoices and comply with tax and accounting obligations. c) Art. 6(1)(f) GDPR (legitimate interests) – to handle complaints, assert and defend claims, ensure service security, and conduct statistical analysis. d) Art. 6(1)(a) GDPR (consent) – to send commercial and marketing communications by electronic means, only if you have given separate consent.

Depending on the purpose, we process the following categories of data: Account and registration data: name, email address, company name, VAT number. Transaction data: billing details (address, country), order history, invoice numbers. Technical data: IP address, browser type, operating system, session and preference cookies. We do not process special categories of data (Art. 9 GDPR) or data relating to criminal convictions (Art. 10 GDPR).

Data processed for contract performance is retained for the duration of the contract and the limitation period for claims (generally 3 years for businesses, 6 years for consumers). Tax and accounting data (invoices) is retained for 5 years from the end of the tax year in which the tax obligation arose. Data processed on the basis of consent is retained until consent is withdrawn. Data processed on the basis of legitimate interests is retained until an effective objection is raised or the interest ceases.

We may share your data with the following categories of recipients: • Payment processors: Stripe Payments Europe, Ltd. (Ireland) and PayU S.A. (Poland) – solely to the extent necessary to process payments. • Hosting and IT infrastructure providers – under data processing agreements. • Email and communication service providers – solely to deliver orders and provide customer support. • Public authorities – only upon request and to the extent required by law. We do not sell your personal data. We do not transfer data to third countries outside the EEA, except where the recipient ensures an adequate level of protection (e.g. EU standard contractual clauses).

Under the GDPR, you have the following rights: a) Right of access – you may obtain information about the data we process and receive a copy. b) Right to rectification – you may request correction of inaccurate or completion of incomplete data. c) Right to erasure ("right to be forgotten") – you may request deletion of data that is no longer necessary or where consent has been withdrawn. d) Right to restriction of processing – you may request restriction of processing in certain circumstances. e) Right to data portability – you may receive your data in a machine-readable format (e.g. CSV). f) Right to object – you may object to processing based on legitimate interests. g) Right to withdraw consent – at any time, without affecting the lawfulness of processing before withdrawal. h) Right to lodge a complaint – with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, or your local supervisory authority. To exercise any of these rights, please contact us at: [email protected]

Our website uses cookies and similar technologies. We distinguish the following categories: Essential cookies – necessary for the website to function (session, authentication). No consent required. Functional cookies – remember your preferences (language, theme). Require consent. Analytical cookies – collect anonymous data on how the website is used (e.g. Google Analytics). Require consent. Marketing cookies – enable personalised advertising. Require consent. You can manage cookies through your browser settings or via the consent management tool on our website. Disabling essential cookies may prevent some website features from working.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or destruction, including: • Encrypted connections (TLS/HTTPS), • Encryption of sensitive data in the database, • Access controls and two-factor authentication for staff, • Regular security audits. Payment card data is not stored by us – it is processed exclusively by certified payment processors (Stripe, PayU).

We reserve the right to amend this Privacy Policy. We will notify you of material changes by email (if we hold your address) or via a prominent notice on the website, at least 14 days in advance. The current version of the Privacy Policy is always available at /privacy. This Privacy Policy is effective from 21.03.2025.