GENERAL INFORMATION CLAUSE

In accordance with Art. 13(1)-(2) and Art. 26(2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119, p. 1) - hereinafter GDPR - we inform that:

Personal Data Controller

The controller of your personal data is Rentoom Apartamenty sp. z o.o. with its registered office at ul. Stanisława Szymańskiego 1B, 87-100 Toruń, NIP (Tax Identification Number): 8792727407, REGON (National Business Registry Number): 38760528100000, entered into the register of entrepreneurs of the National Court Register kept by the District Court in Toruń, 7th Commercial Division of the National Court Register under KRS number: 0000871532, share capital in the amount of: PLN 15,000.00 (hereinafter referred to as the "Controller").

You can contact the Controller via e-mail: info@rentoom.pl, by phone: 881 388 001 or in writing to the registered office address of Rentoom Apartamenty sp. z o.o. indicated in point I above.

Purposes and legal grounds for processing

Purpose of processing	Legal basis	Processing time
conclusion and performance of a contract natural persons contacting/concluding a contract on their own behalf persons conducting sole proprietorship	Art. 6(1)(b) of the GDPR, i.e. processing in order to take steps at your request prior to entering into a contract and processing necessary for the performance of a contract to which you are a party	for the time necessary for its performance, and also until the expiry of the limitation period for claims
persons appointed as representatives (including proxies and members of corporate bodies of legal entities)	Art. 6(1)(f) of the GDPR, i.e. the legitimate interest of the Controller consisting in taking the necessary steps before concluding a contract and processing necessary for the performance of a contract with the entity on whose behalf you act	until the expiry of the limitation period for claims regarding the performance of the contract
ensuring continuity of communication and enabling contact with the Controller	Art. 6(1)(f) of the GDPR, i.e. processing to pursue the legitimate interest of the Controller, consisting in maintaining continuity of communication and contact	for the duration of the correspondence and for a period of one year after its completion, until the expiry of the limitation period for claims regarding the performance of the contract
establishing, pursuing and enforcing claims and defense against claims in proceedings before courts and other state authorities	Art. 6(1)(f) of the GDPR, i.e. the legitimate interest of the Controller consisting in establishing, pursuing and enforcing claims and defending against claims	until the final conclusion of the proceedings
fulfilling legal obligations arising from legal provisions, in particular tax and accounting regulations	Art. 6(1)(c) of the GDPR, i.e. processing is necessary for compliance with legal obligations to which the Controller is subject, arising from legal provisions, in particular tax and accounting regulations	for the time specified by law
marketing	as a rule, the legal basis for processing is Art. 6(1)(f) of the GDPR, i.e. processing to pursue our legitimate interest consisting in marketing activities, although in some cases we also collect consent for the processing of personal data - in such a situation, the legal basis for processing is Art. 6(1)(a) of the GDPR	in the case of expressing consent - until the withdrawal of consent to the processing of personal data, in the case of a legitimate legal interest - until the completion of marketing activities, and in the case of processing data for archival or statistical purposes - until they lose their relevance
Ensuring the functioning of the website and social media	Art. 6(1)(f) of the GDPR, i.e. processing to pursue the legitimate interest of the Controller, consisting in running the website and social media, ensuring their security and continuity of operation	for the time necessary to ensure such functioning (usually until the end of the user's session), and in the case of data required to ensure the continuity of the user's session, proper functioning of the site, etc. In the case of content published by users on the website/social media - until its removal by the user
Statistics	Art. 6(1)(a) of the GDPR, i.e. your consent	Until consent is withdrawn, no longer than for a period of one year from the date of their collection

Providing the required personal data by you is voluntary. At the same time, providing your personal data is necessary to achieve the above-mentioned purposes, in particular to conclude a contract, establish contact with the Controller or obtain information from the Controller.

Recipients of personal data

Your personal data may be disclosed to our partners; in particular, the following cooperating entities may gain access to them:

• 1. accounting,
• 2. law firm,
• 3. IT service providers (including software and maintenance service providers),
• 4. postal and courier service providers
• 5. social media service providers
• 6. property owners.

SCOPE OF PROCESSED DATA

In some special cases, the Controller may obtain personal data from third parties.

This happens when data is obtained through a recommendation from another person.

In such a case, the Controller obtains data enabling identification (in particular name and surname, possibly place of employment) and contact (in particular phone number or e-mail address).

Personal data may also come from a third party if you act on behalf of another person or entity (especially in the case of concluding or negotiating a contract between your employer and the Controller).

These data, depending on the situation, may include:

• 1. identification data (name, surname)
• 2. contact details
• 3. employment-related data (position, scope of duties, specialization)

Automated decision-making (including profiling)

Your personal data will not be used for profiling or for making any automated decisions concerning you.

Transfer of personal data outside the EEA or to an international organization

• 1. Google LLC based in California, USA and Google Ireland Ltd,
• 2. Meta Platforms, Inc based in California, USA and Meta Platforms Ireland Ltd,
• 3. Microsoft Corporation Inc based in Washington state, USA and Microsoft Ireland Operations Ltd,

In connection with IT services provided by the above entities, including social media run by us.

The transfer of data to the USA takes place on the basis of a decision of the European Commission stating an adequate level of personal data protection in the USA and agreements containing Standard Contractual Clauses.

Rights of the data subject:

Under the GDPR, you have the right to:

• 1. request access to your personal data (Art. 15 GDPR);
• 2. request rectification of your personal data (Art. 16 GDPR);
• 3. request erasure of your personal data, the so-called "right to be forgotten" (Art. 17 GDPR);
• 4. request restriction of personal data processing (Art. 18 GDPR);
• 5. object to the processing of personal data (Art. 21 GDPR);
• 6. request personal data portability (Art. 20 GDPR),
• 7. in the case of personal data processing based on your consent
• the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

In Poland, the supervisory authority within the meaning of the GDPR is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).

More information can be found on the website: https://uodo.gov.pl/pl/134/233