• 07763 797136
  • hello@kalkon.co.uk

Privacy policy

1. This Privacy Policy sets out the rules for the processing of personal data obtained through the website www.kalkon.co.uk, hereinafter referred to as the „Website”.

2. The owner of the website and simultaneously the Data Controller is Glossy Group LTD, SW19 7LH London, 1a, Strathearn Road Wimbledon, VAT: 14965532, hereinafter referred to as the Controller.

3. Personal data collected by the Controller through the Website is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also referred to as GDPR.

4. The Controller takes special care to respect the privacy of Clients visiting the Website.

§ 1 Type of processed data, purposes, and legal basis

1. The Controller collects information relating to natural persons performing a legal action not directly related to their business activity, natural persons conducting business or professional activity on their own behalf, and natural persons representing legal entities or organizational units that are not legal persons but are granted legal capacity by law, conducting business or professional activity on their own behalf, hereinafter collectively referred to as Clients.

2. The Controller processes Clients’ personal data in connection with the use of the contact form service on the Website for purposes necessary for the performance of a contract or to take steps prior to entering into a contract – the legal basis for processing is Article 6(1)(b) of the GDPR.

3. When using the contact form service, the Client provides the following data:

  • email address
  • first name
  • phone number

4. While using the Website, additional information may be collected, in particular: the IP address assigned to the Client’s computer or the external IP address of the Internet service provider, domain name, browser type, access time, operating system type. Navigation data may also be collected from Clients, including information about links and references they choose to click on or other actions taken on the Website, for purposes related to service provision, as well as for technical, administrative, analytical, and statistical purposes – in this regard, the legal basis for processing is also Article 6(1)(f) of the GDPR, i.e., the necessity for the purposes of the legitimate interests pursued by the Controller, which include ensuring IT security, managing the Website, and improving the functionality of the Website and the services provided.

§ 2 Recipients of data

1. The Client’s personal data is transferred to service providers used by the Controller in operating the Website. Depending on contractual arrangements and circumstances, the service providers to whom personal data is transferred either act on the Controller’s instructions regarding the purposes and methods of processing such data (processors) or independently determine the purposes and methods of processing (controllers).

  • 1.1. Processors. The Controller uses suppliers who process personal data solely on the Controller’s instructions. These include, among others, providers of hosting services, accounting services, marketing systems, systems for analyzing traffic on the Website, and systems for analyzing the effectiveness of marketing campaigns.

  • 1.2. Controllers. The Controller uses suppliers who do not act solely on instructions and independently determine the purposes and methods of using Clients’ personal data. These provide electronic payment and banking services.

2. Location. Service providers are mainly based in Poland and other countries of the European Economic Area (EEA).

3. Upon request, the Controller makes personal data available to authorized state authorities, in particular to organizational units of the Prosecutor’s Office, the Police, the President of the Personal Data Protection Office, the President of the Office of Competition and Consumer Protection, or the President of the Office of Electronic Communications.

§ 3 Data retention period

1. Clients’ personal data is stored:

  • 1.1. Where the basis for processing personal data is consent, the Client’s personal data is processed by the Controller until the consent is withdrawn, and after withdrawal of consent, for a period corresponding to the limitation period for claims that the Controller may raise or that may be raised against them. Unless a specific provision states otherwise, the limitation period is six years, and for claims concerning periodic benefits and claims related to business activities – three years.

  • 1.2. Where the basis for processing data is the performance of a contract, the Client’s personal data is processed by the Controller as long as it is necessary for the performance of the contract, and after that time, for a period corresponding to the limitation period for claims. Unless a specific provision states otherwise, the limitation period is six years, and for claims concerning periodic benefits and claims related to business activities – three years.

§ 4 Cookie mechanism, IP address

1. The Website uses small files called cookies. These are saved by the Controller on the end device of the person visiting the Website, provided the web browser allows it. A cookie file typically contains the name of the domain it originates from, its „expiration time,” and an individual, randomly selected number identifying the file. Information collected through these files helps tailor the products offered by the Controller to the individual preferences and actual needs of visitors to the Website.

2. The Controller uses two types of cookies:

  • 2.1. Session cookies: After the browser session ends or the computer is turned off, the stored information is deleted from the device’s memory. The session cookie mechanism does not allow the collection of any personal data or any confidential information from Clients’ computers.
  • 2.2. Persistent cookies: These are stored in the memory of the Client’s end device and remain there until they are deleted or expire. The persistent cookie mechanism does not allow the collection of any personal data or any confidential information from Clients’ computers.

3. The Controller uses its own cookies for the purpose of:

  • 3.1. analysis and research as well as audience auditing, in particular to create anonymous statistics that help understand how Clients use the Website, enabling improvements to its structure and content.

4. The Controller uses external cookies for the purpose of:

  • 4.1. presenting a map indicating the location of the Controller’s office on the Website’s information pages, using the maps.google.com service (external cookie administrator: Google Inc., based in the USA).

5. The cookie mechanism is safe for the computers of Clients visiting the Website. In particular, this method does not allow viruses or other unwanted or malicious software to enter Clients’ computers. Nevertheless, Clients can limit or disable cookie access to their computers in their browsers. If this option is used, the Website can still be used, except for functions that, by their nature, require cookies.

6. The Controller may collect Clients’ IP addresses. An IP address is a number assigned to the computer of a person visiting the Website by their Internet service provider. The IP address enables access to the Internet. In most cases, it is assigned dynamically, i.e., it changes with each Internet connection, and for this reason, it is commonly treated as non-personal identifying information. The IP address is used by the Controller to diagnose technical server issues, create statistical analyses (e.g., determining which regions generate the most visits), as information useful for administering and improving the Website, as well as for security purposes and the potential identification of unwanted automated programs overloading the server by browsing the Website’s content.

§ 5 Rights of data subjects

Data subjects have the following rights:

1. Right to withdraw consent to the processing of data at any time:

  • 1.1. The Client has the right to withdraw any consent given.
  • 1.2. Withdrawal of consent takes effect from the moment of withdrawal.
  • 1.3. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
  • 1.4. Withdrawal of consent does not entail any negative consequences for the Client; however, it may prevent further use of services or functionalities that the Controller may lawfully provide only with consent.

2. Right to object to the processing of data:

  • 2.1. The Client has the right to object at any time – for reasons related to their particular situation – to the processing of their personal data based on Article 6(1)(e) or (f) of the GDPR, including profiling based on these provisions. The Controller may no longer process such personal data unless they demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or grounds for establishing, pursuing, or defending claims.
  • 2.2. Opting out via email from receiving marketing communications regarding products or services will constitute the Client’s objection to the processing of their personal data, including profiling for these purposes.

3. Right to erasure of data (“right to be forgotten”):

  • 3.1. The Client has the right to request the erasure of all or some of their personal data.
  • 3.2. The Client has the right to request the erasure of personal data if:
    • 3.2.1. the personal data is no longer necessary for the purposes for which it was collected or processed;
    • 3.2.2. they have withdrawn specific consent, to the extent that the personal data was processed based on their consent;
    • 3.2.3. they have objected under Article 21(1) of the GDPR to the processing and there are no overriding legitimate grounds for processing, or they have objected under Article 21(2) of the GDPR to the processing;
    • 3.2.4. the personal data is processed unlawfully;
    • 3.2.5. the personal data must be erased to comply with a legal obligation under Union law or the law of the Member State to which the Controller is subject;
    • 3.2.6. the personal data was collected in connection with the offering of information society services.
  • 3.3. Despite a request for erasure of personal data due to an objection or withdrawal of consent, the Controller may retain certain personal data to the extent that processing is necessary for establishing, pursuing, or defending claims, as well as for complying with a legal obligation requiring processing under Union law or the law of the Member State to which the Controller is subject. This applies in particular to personal data including: first name, last name, email address, which are retained for the purpose of handling complaints and claims related to the use of the Controller’s services, as well as residential/correspondence address and order number, which are retained for the purpose of handling complaints and claims related to concluded sales contracts or service provision.

4. Right to restriction of data processing:

  • 4.1. The Client has the right to request the restriction of the processing of their personal data. Submitting such a request prevents the use of certain functionalities or services that involve the processing of the data subject to the request until the request is processed. The Controller will also refrain from sending any communications, including marketing ones.
  • 4.2. The Client has the right to request the restriction of the use of their personal data in the following cases:
    • 4.2.1. when they contest the accuracy of their personal data – in which case the Controller restricts its use for the time needed to verify the accuracy of the data, but no longer than 7 days;
    • 4.2.2. when the processing of the data is unlawful, and instead of erasure, the Client requests the restriction of its use;
    • 4.2.3. when the personal data is no longer necessary for the purposes for which it was collected or used but is needed by the Client to establish, pursue, or defend claims;
    • 4.2.4. when the data subject has objected to the processing of their data – until it is determined whether the legitimate grounds on the Controller’s side override the grounds for the objection of the data subject.

5. Right to request access to personal data from the Controller and to obtain a copy thereof:

  • 5.1. The Client has the right to obtain confirmation from the Controller as to whether their personal data is being processed, and if so, the Client has the right to:
    • 5.1.1. access their personal data;
    • 5.1.2. obtain information about the purposes of processing, the categories of personal data processed, the recipients or categories of recipients of this data, the planned retention period of the Client’s data or the criteria for determining this period (if specifying the planned retention period is not possible), the rights the Client has under the GDPR, the right to lodge a complaint with a supervisory authority, and if the personal data was not collected from the data subject – any available information about its source, as well as information about automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR, and – at least in those cases – meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject, and the safeguards applied in connection with the transfer of personal data outside the European Union;
    • 5.1.3. obtain a copy of their personal data. The right to obtain a copy must not adversely affect the rights and freedoms of others.

6. Right to rectification (correction) of data:

  • 6.1. The Client has the right to request the Controller to promptly rectify their personal data that is inaccurate. Taking into account the purposes of processing, the Client whose data is concerned has the right to request the completion of incomplete personal data, including by providing an additional statement, by sending the request to the email address in accordance with §6 of the Privacy Policy.

7. Right to data portability:

  • 7.1. The Client has the right to receive their personal data provided to the Controller and then transfer it to another controller of their choice. The Client also has the right to request that the personal data be transferred directly by the Controller to such a controller, provided it is technically feasible. In such a case, the Controller will provide the Client’s personal data in a CSV file format, which is a commonly used, machine-readable format that allows the received data to be transferred to another data controller.

8. Right to lodge a complaint with a supervisory authority:

  • 8.1. The Client has the right to lodge a complaint with the President of the Personal Data Protection Office regarding a violation of their rights to the protection of personal data or other rights granted under the GDPR.

9. When the Client exercises a right arising from the above rights, the Controller fulfills the request or refuses to fulfill it promptly, but no later than within one month of receiving it. However, if – due to the complex nature of the request or the number of requests – the Controller is unable to fulfill the request within one month, it will be fulfilled within the next two months, with the Client being informed in advance, within one month of receiving the request, of the intended extension and its reasons.

10. The Client may submit complaints, inquiries, and requests to the Controller regarding the processing of their personal data and the exercise of their rights.

§ 6 Changes to the Privacy Policy

1. The Privacy Policy may be subject to change, and the Controller is not obliged to inform about it.

2. Questions related to the Privacy Policy should be directed to the email address: rafal@glossyroof.co.uk

3. Date of last modification: 26.06.2025

Quick Links
Information

Copyright 2025 kalkon | Created by MI