Agaris
Privacy policy

PRIVACY POLICY

AGARIS MYCO


ARTICLE 1 – GENERAL PROVISIONS


  1. This Privacy Policy contains a set of rules regarding the processing and protection of personal data by Agaris Myco Poland Sp. z o.o., including the grounds, purposes and scope of personal data processing and the rights of data subjects, as well as information on the processing of personal data in connection with the use of the agarismyco.com website, including the use of cookies and analytical tools on the website.

  2. The controller of personal data collected via the website agarismyco.com is Agaris Myco Poland Sp. z o.o., Karszew 42, 98-100 Łask, e-mail: poczta@agarismyco.com (rodo@agarismyco.com) - hereinafter referred to as the “Controller”.

Personal data are processed by the Controller in accordance with the applicable laws, in particular:

  1. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

  2. Personal Data Protection Act of 10 May 2018 (complete text: Journal of Laws of 2019, item 1781);

  3. Act of 12 July 2024 – Electronic Communications Law (Journal of Laws 2024, item 1221);

  4. Act of 18 July 2002 on the Provision of Electronic Services (complete text: Journal of Laws of 2024, item 1513);

  5. Consumer Rights Act of 30 May 2014 (complete text: Journal of Laws of 2024, item 1796);

  6. Labour Code Act of 26 June 1974 (complete text: Journal of Laws of 2025 item 277 as amended);

  7. Civil Code Act of 23 April 1964 (complete text: Journal of Laws of 2024 item 1061 as amended).


ARTICLE 2 – PURPOSE, SCOPE, GROUNDS AND PERIOD OF PERSONAL DATA PROCESSING


The Controller processes personal data in the following cases:

  1. in order to establish and implement cooperation and answer inquiries (Article 6(1)(f) of the GDPR) and take action at the request of the data subject prior to the conclusion of a contract (Article 6(1)(b) GDPR). For this purpose, the Controller processes the following data: given name and surname (where available), position, company name, postal address (if provided), e-mail, telephone number. The data are processed for the period necessary to establish cooperation and conclude a contract.

  2. for direct marketing of its own products (Article 6(1)(f) of the GDPR), including customer opinion surveys, and sending information by traditional mail, e-mail or telephone (where available). For this purpose, the Controller processes the following data: name and surname (where available), postal address (where available), e-mail address, telephone number, company name – until the objection is raised.

  3. for purposes of the recruitment process: based on the job application sent, i.e. taking action before concluding a contract as part of exercising rights under the law (legal grounds: Article 6(1)(b) GDPR, in connection with Article 22¹(1) of the Labour Code); when personal data is provided in a broader scope, including the data specified in Article 9(1) GDPR when they are necessary to exercise a right or fulfil an obligation under the law (legal grounds: Article 6(1)(a) and Article 9(2)(a) GDPR, in connection with Article 22¹(4) of the Labour Code); and when consent is given to the processing of data for this purpose (legal grounds: Article 6(1)(a) GDPR). The Controller processes personal data in the scope specified in Article 22¹ of the Labour Code, in particular: given name and surname, date of birth, contact details, education, professional qualifications, employment history and other personal data included in the application. Personal data for recruitment purposes will be stored no longer than 3 months from the end of the recruitment process, unless consent has been given to the processing of personal data for future recruitment purposes. In this case, personal data will be processed for a period of 6 months from the sending of the application to us or until consent to data processing is withdrawn.

  4. for analytical and statistical purposes, for the purpose of improving the provided services and security, including IT security, and for preventing and counteracting fraud (Article 6(1)(f) GDPR), the Controller processes the following data: IP address. These data will be processed for the period necessary to perform the tasks related to the functioning of the website or to clarify any incidents. In practice, personal data in a non‑anonymized form may be processed until consent is withdrawn.

  5. in order to fulfil a legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR). The Controller processes the following data: given name and surname, company name, e-mail, phone number, address of residence or registered office, delivery address if different from private address or business address, tax ID (NIP), order number and bank account number. The data will be processed for the period specified by the applicable legal provisions, which for tax obligations is 5 years. In the case of storing employee records in paper form for employees hired after 31 December 2018, as well as those employed between 1 January 1999 and 31 December 2018 for whom the relevant declarations were submitted to the Social Insurance Institution (ZUS), the retention period is 10 years. For employees hired before 1 January 1999, for whom no such declarations are available, the retention period is 50 years, counted from the date of termination of employment.


ARTICLE 3 – DATA RECIPIENTS


  1. Personal data may be transferred to the following recipients or categories of recipients:

    1. carriers, forwarders, couriers, postal operators carrying out shipments at the request of the Controller, to the extent necessary to make a delivery;

    2. providers of services supplying the Controller with technical, IT and organisational solutions enabling the Controller to conduct business activity and provide electronic services (in particular, computer software suppliers, e-mail and hosting providers as well as software suppliers for company management and providing technical assistance to the Controller). The Controller provides personal data only if and to the extent necessary for a specific purpose of data processing in compliance with the Privacy Policy;

    3. suppliers of accounting, legal and advisory services providing the Controller with accounting, legal or advisory support (in particular, accounting, legal or debt collection firms). The Controller provides personal data only if and to the extent necessary for a specific purpose of data processing in compliance with the Privacy Policy.

  2. The transfer of personal data by the Controller each time requires the existence of at least one of the grounds indicated in the Privacy Policy.

  3. The Controller only transfers data when it is necessary to achieve a specific purpose of data processing and only to the extent necessary for such purpose.

  4. The transfer of data takes place after prior verification of the entity whether it provides sufficient guarantees of a high level of protection of the processed personal data and only on the basis of a contract or other legal instrument permitted by law.


ARTICLE 4 – TRANSFER OF PERSONAL DATA TO OTHER ENTITIES, INCLUDING OUTSIDE THE EUROPEAN ECONOMIC AREA


  1. The Controller does not transfer the personal data being processed to third parties, except entities processing personal data at the request of the Controller and if such transfer is necessary due to legal regulations (at the request of authorised state authorities), in which case the scope of the provided data will be limited to the data necessary for the purpose of such disclosure.

Entities with which the Controller cooperates on the basis of your consent (Article 6(1)(a) GDPR), including Google, Meta (Facebook), LinkedIn and Sentry, have their registered offices in countries within the European Economic Area (EEA) or in Switzerland, which is recognised as ensuring an adequate level of personal data protection. Therefore, the level of data protection in these countries is equivalent to that in Poland. In the case of data transfers to entities established outside the EEA, the Controller verifies whether such entities provide guarantees of a high level of protection for the personal data they process. These guarantees arise in particular from the EU–US Data Privacy Framework and from the use of the Standard Contractual Clauses adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as well as Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors pursuant to Article 28(7) GDPR and Article 29(7) GDPR, and taking into account Recommendations 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted by the European Data Protection Board on 18 June 2021.


ARTICLE 5 – RIGHTS OF THE DATA SUBJECT


  1. The data subject has the following rights regarding personal data:

    1. right of access;

    2. right to rectification;

    3. right to erasure;

    4. right to restriction of processing;

    5. right to data portability;

    6. right to withdraw consent and object to processing of personal data;

      • If you have given consent to the processing of your data, you can withdraw it at any time. Such a withdrawal affects the admissibility of processing your personal data after their transfer. Withdrawing the consent does not affect the lawfulness of processing based on the consent before its withdrawal;

      • If the Controller has based the processing of your personal data on the balancing of interests, in particular under Article 6(1)(f) GDPR, you may object to the processing. This is particularly the case when processing is not necessary for the performance of a contract concluded with you, which purpose is referred to in Article 2. When withdrawing consent, you will be asked for the reasons why your personal data should not be processed by the Controller, who will verify the situation and stop or adjust the data processing or indicate important, legitimate reasons based on which it will continue processing;

      • You may, of course, object to the processing of your personal data for direct marketing purposes at any time;

    7. right to lodge a complaint with a supervisory authority if the data subject believes that the processing of their personal data violates the provisions of the GDPR.

  2. In order to exercise the above-mentioned rights, the Controller should be contacted in writing, via the e-mail address specified in Article 1(2), (4) and Article 7 (3) or using the Contact Form available on the website.


ARTICLE 6 – COOKIES


  1. Cookies are small pieces of data in the form of text files that are sent by the server and saved on the website visitor’s device (e.g. computer hard drive, smartphone memory card, depending on the device used). They usually contain the name of the website they originate from, storage time on the end device and a unique number, but they may contain personal data in the form of an IP address and a unique device identifier stored in the file.

  2. Pixels (also referred to as pixel tags, tracking pixels, web beacons or web bugs) are transparent 1×1‑pixel GIF images that are embedded into a website and may be used for analytical purposes in relation to the site. Once the website is loaded, a pixel transmits data such as: IP address, operating system used, type of web browser used, screen resolution, time spent on the site and activity on it, the date and time of the request to load the page, and the exact path of the pixel together with the domain of the given website.

  3. Cookies are used for:

    1. making it possible to use certain features of webpages;

    2. generating statistics which help us understand how users interact with the webpages, allowing us to improve webpage structure and content, and ensure a more efficient browsing experience;

    3. adjusting the content of webpages to user preferences. In particular, these files allow us to recognise the user’s device and properly display a webpage that is personalised to their individual needs.

  • Based on information about the user's device, we create their 'digital fingerprint,' but we are not able to identify the user solely based on this device data. However, this information allows us to link user accounts with identified fraud attempts, enabling us to prevent them and protect other users and ourselves.

  • The Controller may process data contained in the cookies when visitors use a webpage in order to maintain a secure session for the user during their visit. The cookies make it possible to ensure better and more responsive server operation by remembering which server should handle the user’s requests.

  • The website uses cookies of the following categories:

    1. Necessary - to record the "consent" granted on the website in the categories: "Necessary" and "Not required".

    2. Performance - to study visitor behavior and measure its performance and limit the amount of data collected. These files may contain unique identification numbers. gat cookies are installed by Google for users of Google services in the European Economic Area and Switzerland - Google Ireland Limited - with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. The duration of gat files is 1 minute.

    3. Analytical – to study how visitors use the website, including the number of visitors and their source. These files store information anonymously by assigning a random number. Cookies ga and gid are installed by Google for users of Google services in the European Economic Area and Switzerland - Google Ireland Limited - with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. The duration of ga files is 2 years and gid files are 1 day.

    4. Functional - to remember the language selected by the user when returning to the site, as well as to obtain information about the language when it is not otherwise available. The pll_language cookie is used by …………………………………………... The duration of these files is 1 year.

  • We would also like to point out that each user has the option of specifying how cookies are used by changing their browser settings. In particular, the user can partially restrict or completely disable cookies, but the latter may affect certain functionalities of the website.

Presented below are the cookie settings of the most popular browsers:

  1. Chrome: Settings > Privacy and security > Site settings,

  2. Edge: Settings > Site permissions > Cookies and site data.


ARTICLE 7 – PROTECTION OF PERSONAL DATA


  1. The Controller undertakes to protect the processed personal data in accordance with applicable laws, including non-disclosure to third parties and processing data exclusively for the purposes specified above. This does not apply to cases where personal data is shared, as previously indicated, with entities authorized to receive it under relevant legal provisions.

  2. The Controller also processes personal data to ensure the security of networks and information systems, in compliance with the requirements of the NIS2 Directive and national regulations. In particular, data may be used for:

    1. maintaining event logs (security logs),

    2. monitoring unauthorized access attempts,

    3. preventing and detecting fraud and incidents,

    4. reporting security breaches to the competent authorities.

  1. Legal basis and retention period: Logs and data concerning security incidents are specified in the table in § 2 item 1.

  2. The Controller declares that it makes every effort to provide the Buyer with a high level of security regarding the use of the Online Store, and for this purpose employs:

    1. Technical and organizational measures, particularly regarding the security of personal data processing;

    2. Measures ensuring:

      1. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

      2. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

      3. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

  • Any events affecting the security of information transmission and personal data, including suspected security breaches or unauthorized disclosure of data, should be reported to the Controller at the following e-mail address: poczta@agarismyco.com (rodo@agarismyco.com)



ARTICLE 8 – REVISIONS OF THE PRIVACY POLICY

In response to changes in technology and legislation, including laws governing privacy protection and online business, the Controller may revise the Privacy Policy, which will be published on its website with a new date.
The current version is in effect as of May 1, 2026.