Privacy Policy
- §1. General provisions
- This Privacy Policy defines the principles of processing personal data obtained through the ESG Asset Expert website available at esgasset.expert or as an application for mobile devices, the platform called ESG Asset Expert, through which it is possible:
- making an inventory of furniture, items, devices and other equipment owned by the Client in his/her resources;
- selling furniture for your employees or third parties,
- making a purchase of furniture displayed in the Application/Platform
- ordering furniture disposal services by ZWD or third parties
(hereinafter referred to as the “Application”).
- The data controller is Zero Waste Design sp. z o. o. with its registered office in Warsaw, at ul. Czeska 24/4, 03-902 Warsaw, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court in Warsaw, 12th Commercial Division, under the KRS number 0000751565, NIP: 5252765609 and REGON number: 381483948 (hereinafter referred to as the “Administrator” or “Service Provider”).
- Personal data collected by the Administrator via the Application are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR”.
- The Administrator takes special care to respect the privacy of Interested Persons using the Application. The data administrator can be contacted at the address indicated above in point 1.2 and at the e-mail address indicated in point 8.2 of the Policy.
- Access to the Application is activated after the conclusion of an agreement between the Client and the Administrator, an integral part of which are the general terms and conditions of the ZWD 360 – SQAR Plan services and regulations, based on which the Administrator undertakes to provide services and the Client undertakes to pay an appropriate fee (“Agreement”). The service is jointly considered to be making the Application available for use, conducting training and removing defects in the Application, as well as additional work in relation to the Application (“Services”).
- §2. Type of data processed, purposes and legal basis
- The Administrator collects information concerning, among others, natural persons conducting business or professional activity on their own behalf, concluding an agreement with the Service Provider directly related to their business activity, when the content of this agreement indicates that it does not have a professional character for such a person, resulting in particular from the subject of the business activity performed by them, made available on the basis of the provisions on the Central Register and Information on Business Activity (Entrepreneurs with consumer rights), who conclude an Agreement with the Service Provider for the provision of Services by the Service Provider (“Client”, jointly referred to as “Clients”), as well as data of users designated by the Clients, who may be employees of the Clients or persons cooperating with the Clients on the basis of a civil law contract, who will use the Services on behalf of and with the authorization of the Clients, as well as any other person to whom the Client has granted access to the Application (hereinafter referred to jointly as “Users” and individually as “User”). Clients and Users, depending on the context, will be jointly referred to as “Interested Persons”.
- Personal data of Interested Persons are collected in the case of:
- activation of the account within the Application by the Service Provider, in order to create an individual account and manage this account. Legal basis: necessity to perform the contract for the provision of services by electronic means (Article 6 paragraph 1 letter b of the GDPR);
- conducting an inventory of furniture, items, devices and other equipment held by the Client in its resources via the Application in order to inventory the resources of Interested Persons and put them up for potential sale. Legal basis: necessity to perform the contract related to the possible trade in furniture or its disposal (Article 6, paragraph 1, letter b of the GDPR);
- placing an order via the Application, in order to perform a contract related to the sale of furniture or its disposal. Legal basis: necessity to perform a contract related to the sale of furniture or its disposal (Article 6 paragraph 1 letter b of the GDPR);
- subscription to the newsletter (Newsletter), in order to perform the contract, the subject of which is the service provided electronically. Legal basis: necessity to perform the contract for the provision of services in the form of sending the Newsletter (Article 6, paragraph 1, letter b of the GDPR), provided that the Customer consents to receiving commercial information electronically;
- providing answers to questions addressed to the Service Provider, including via the contact form or by e-mail. Legal basis – the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR), consisting in facilitating the use of services and providing answers to questions by the Service Provider
- For the purposes of activating the Customer’s account within the Application, the Customer provides the following data concerning the Customer:
- name and surname or company name;
- registered office or place of business activity;
- postal code and city;
- country (state);
- street with house/apartment number;
- NIP and REGON, and KRS (in the case of Clients who are legal persons),
- email address;
- contact telephone number.
- After activating the Customer’s account within the Application, the Customer independently sets an individual password to access their account. The Customer may change the password at a later time, on the terms described in §7.
- After activating the User account within the Application, the User independently sets an individual password to access their account, within the User account. The User may change the password at a later time, under the terms described in §7.
- For the purposes of activating the User account within the Customer’s account and its subsequent maintenance, the Customer also provides the following data in relation to all of its Users:
- name and surname;
- email address;
- postal code and city;
- country (state);
- street with house/apartment number;
- telephone number,
- PESEL number, or if there is none, the identity document number,
- When placing an order within the Application, the User provides the following data:
- User’s name and surname;
- User’s e-mail address;
- name and surname or name (company) of the Client;
- the Client’s registered office or place of business;
- Customer’s email address;
- Customer’s postal code and city;
- country (state) of the Client;
- street and house/apartment number of the Client;
- Customer’s telephone number,
- NIP and REGON, and KRS of the Client (in the case of Clients who are legal persons),
- the Customer’s credit card number, if required for the payment method.
- For the purposes of using the Newsletter service, the Customer only provides his/her e-mail address and makes a declaration of acceptance of this Privacy Policy.
- When using the Application via the website, additional information may be collected, in particular: the IP address assigned to the Interested Person’s computer or the external IP address of the Internet provider, domain name, browser type, access time, type of operating system.
- Navigation data may also be collected from Interested Persons, including information about links and references they decide to click on or other actions taken in the Application, which are processed for the purposes of facilitating the use of the Administrator’s Services and improving their functionality and security. Legal basis – the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR), consisting in facilitating the use of services provided electronically and improving the functionality and security of these services.
- In order to determine, pursue and enforce claims, some personal data provided by Interested Persons as part of using the functionality within the Application may be processed, such as: first name, last name, data regarding the use of the Services, if the claims result from the manner in which the Interested Person uses the Services, other data necessary to prove the existence of the claim, including the extent of the damage suffered. Legal basis – the legitimate interest of the Administrator (Article 6 paragraph 1 letter f of the GDPR), consisting in the determination, pursuit and enforcement of claims and defense against claims in proceedings before courts and other state authorities.
- The provision of personal data to the Administrator is voluntary, in connection with the concluded Agreement and agreements on the sale or disposal of furniture and the provision of other Services via the Application, provided, however, that failure to provide all the data specified in the Agreement prevents the activation and establishment of a Customer account or a User account, and in the case of placing an order in order to conclude an agreement on the sale or disposal of furniture without providing the necessary data, it will prevent the placement and execution of the order, and failure to provide an e-mail address for the purposes of sending the Newsletter will prevent its receipt.
- §3. Who is the data shared or entrusted to and how long is it stored?
- The personal data of the Interested Person are transferred to service providers used by the Administrator when running the Application. Service providers to whom personal data are transferred, depending on the contractual arrangements and circumstances, are either subject to the Administrator’s instructions regarding the purposes and methods of processing such data (processors) or may be separate data controllers if, as part of the activities performed, they will decide on the purposes and methods of data processing.
- The personal data of Interested Persons are stored:
- If the basis for the processing of personal data is a legitimate interest, then the personal data of the Interested Persons are processed by the Administrator until the Interested Person raises an effective objection to the processing of data or for a period corresponding to the limitation period for claims that may be raised by the Administrator and which may be raised against the Interested Person.
- If the basis for data processing is the necessity of processing for the purposes of performing the Agreement, then the personal data of the Interested Person are processed by the Administrator for as long as it is necessary to perform the Agreement, and after that time for a period corresponding to the limitation period for claims. Unless a special provision provides otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to running a business – three years.
- In the event of placing an order via the Application, personal data may be transferred to the extent necessary, depending on the choice of the Interested Person, to the following entities in order to deliver the ordered goods:
- a courier company, a postal operator, Poczta Polska,
- the company making the payments,
- a company performing activities related to furniture installation or disposal,
- bank.
- Navigation Data may be used to provide Interested Parties with better service, to analyse statistical data and to adapt the Application to the preferences of Interested Parties, as well as to administer the Application.
- If the Interested Person subscribes to the newsletter (Newsletter) and agrees to receive commercial information electronically, the Administrator will send electronic messages to his or her e-mail address containing commercial information about promotions and new products available within the Application.
- Unsubscribing by e-mail from receiving marketing communications regarding products or services within the Newsletter service will be treated as a resignation from the provision of this service and withdrawal of consent to receive commercial information electronically.
- In the event of a request, the Administrator will make personal data available to authorized state authorities, in particular organizational units of the Prosecutor’s Office, the Police, the President of the Office for Personal Data Protection, the President of the Office for Competition and Consumer Protection or the President of the Office of Electronic Communications.
- §4. Cookie mechanism, IP address
- The Application uses small files called cookies. They are saved by the Administrator on the end device of people using the Application, if the web browser allows it. A cookie file usually contains the name of the domain from which it comes, its “expiration time” and an individual, randomly selected number identifying this file. Information collected using files of this type helps to adapt the products offered by the Administrator to the individual preferences and actual needs of people using the Application. They also make it possible to develop general statistics of visits to the products presented within the Application. Data from cookies may constitute personal data if it is possible to identify a natural person based on them or other circumstances (e.g. time and place of recording).
- The Administrator may collect IP addresses of Interested Persons. An IP address is a number assigned to the computer of a person visiting the Application by the Internet service provider. The IP number enables access to the Internet. In most cases, it is assigned to the computer dynamically, i.e. it changes with each connection to the Internet. The IP address is used by the Administrator to diagnose technical problems with the server, create statistical analyses (e.g. to determine from which regions we record the most visits), as information useful in administering and improving the Application, as well as for security purposes and possible identification of server-burdening, unwanted automatic programs for viewing the content of the Application.
- Detailed information on cookies used within the Application can be found in the Cookies Policy, available at https://esgasset.expert/polityka-plikow-cookies-eu/.
- §5. Data Subject Rights
- Interested Persons have all the rights listed in this § 5. In order to exercise the rights referred to below, please contact the Administrator.
- The right to object to data processing – legal basis: Article 21 of the GDPR.
- The Interested Person has the right to object at any time – for reasons related to his or her particular situation – to the processing of his or her personal data, including profiling, if the Controller processes his or her data based on a legitimate interest, e.g. for the purposes of tailoring the marketing of the Controller’s products and services, for the purposes of keeping statistics on the use of individual functionalities of the Application and facilitating the use of the Application.
- If the objection of the Person Concerned proves to be justified and the Administrator has no other legal basis for the processing of personal data, the personal data to the processing of which the Person Concerned has objected will be deleted.
- The right to erasure (“right to be forgotten”) – legal basis: Article 17 of the GDPR.
- The Person Concerned has the right to request the deletion of all or some of their personal data.
- The Interested Person has the right to request the deletion of personal data if:
- personal data are no longer necessary in relation to the purposes for which they were collected or processed;
- the Interested Person has objected to the use of his/her data for marketing purposes or has effectively objected to the processing of his/her data for another purpose based on the legitimate interest of the Administrator;
- personal data are processed unlawfully;
- personal data must be deleted in order to comply with a legal obligation under Union law or the law of a Member State to which the Controller is subject;
- Despite the request to delete personal data, in connection with the filing of an objection, the Administrator may retain certain personal data to the extent that processing is necessary to establish, pursue or defend claims, as well as to comply with a legal obligation requiring processing under EU law or the law of the Member State to which they are subject. This applies in particular to personal data including: first name, last name, e-mail address, which data are retained for the purpose of handling complaints and claims related to the use of the Administrator’s services, or additionally the address of residence/mailing address, order number, which data are retained for the purpose of handling complaints and claims related to concluded contracts or the provision of services.
- The right to restrict data processing – legal basis: Article 18 of the GDPR.
- The Interested Person has the right to request the restriction of the processing of his/her personal data. Submitting a request, until it is considered, prevents the use of certain functionalities or services, the use of which will be associated with the processing of the data covered by the request. The Administrator will also not send any messages, including marketing ones.
- The Person Concerned has the right to request the restriction of the use of personal data in the following cases:
- when he questions the accuracy of his personal data – then the Administrator limits their use for the time needed to verify the accuracy of the data,
- when the processing of data is unlawful and, instead of deleting the data, the Person Concerned requests the restriction of their use;
- when personal data are no longer necessary for the purposes for which they were collected or used, but they are needed by the Person Concerned to establish, pursue or defend legal claims;
- when he has objected to the use of his data – then the restriction takes place for the time needed to consider whether – due to the special situation – the protection of the interests, rights and freedoms of the Person Concerned outweighs the interests pursued by the Controller in processing the personal data of the Person Concerned.
- Right of access to data – legal basis: Article 15 of the GDPR.
- The Person Concerned has the right to obtain from the Controller confirmation as to whether or not he processes personal data, and if so, the Person Concerned has the right to:
- access your personal data;
- obtain information on the purposes of processing, the categories of personal data processed, the recipients or categories of recipients of this data, the planned period for which the data will be stored or the criteria for determining this period (when it is not possible to determine the planned period for which the data is processed), the rights of the Data Subject under the GDPR and the right to lodge a complaint with a supervisory authority, the source of this data, automated decision-making, including profiling, and the safeguards applied in connection with the transfer of this data outside the EEA;
- obtain a copy of your personal data.
- The right to rectification – legal basis: Article 16 of the GDPR.
- The Interested Person has the right to demand from the Administrator immediate rectification of his/her personal data that is incorrect. Taking into account the purposes of processing, the Interested Person whose data is being processed has the right to request supplementation of incomplete personal data, including by submitting an additional statement, by sending a request to the e-mail address in accordance with §8 of the Privacy Policy.
- Right to data portability – legal basis: Article 20 of the GDPR.
- The Interested Person has the right to receive their personal data that they have provided to the Administrator and then send them to another personal data controller of their choice to the extent that data processing is necessary to conclude or perform the Agreement. The Interested Person also has the right to request that the personal data be sent by the Administrator directly to such controller, if technically possible. In such a case, the Administrator will send the personal data of the Interested Person in the form of a file in the csv format, which is a commonly used, machine-readable format that allows the data received to be sent to another personal data controller.
- In the event that the Interested Person exercises any of the above rights, the Administrator will comply with the request or refuse to comply with it immediately, but no later than within one month of receiving it. However, if – due to the complex nature of the request or the number of requests – the Administrator is unable to comply with the request within one month, it will comply with it within the next two months, informing the Interested Person in advance, within one month of receiving the request, of the intended extension of the deadline and the reasons for it.
- The Interested Person may submit to the Administrator complaints, inquiries and requests concerning the processing of his or her personal data and the exercise of his or her rights.
- The Interested Person has the right to lodge a complaint with the President of the Personal Data Protection Office regarding a violation of his or her rights to personal data protection or other rights granted under the GDPR.
- §6. Services tailored to your preferences and interests (profiling)
- Profiling means any form of automated processing of personal data consisting in the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- The personal data of Interested Persons may be processed through profiling, but this will not produce any legal effects for them or similarly significantly affect the situation of Interested Persons.
- Profiling of personal data by the Administrator consists in processing the data of Interested Persons in an automated and manual manner, by using them to evaluate certain information about the Client, in particular to analyse or forecast his or her personal preferences and interests.
- In order to reach Interested Persons with marketing messages via the Application, the Administrator uses its own cookie mechanisms to collect information about the activity of Interested Persons on the Application Page. Details regarding the cookies used can be found in §4. Legal basis – legally justified interest (Article 6, paragraph 1, letter f of the GDPR), consisting in matching marketing messages to the preferences and interests of Interested Persons.
- §7. Security Management – Password
- The Administrator will provide the Interested Persons with a secure and encrypted connection when sending personal data and when logging into the Client’s or User’s account on the Application. The Administrator uses an SSL certificate issued by one of the world’s leading companies in the field of security and encryption of data sent over the Internet.
- In the event that the Interested Person who has an account in the Application has lost the Application access password in any way, it is possible to generate a new password. The Administrator does not send a password reminder. The password is stored in the database in an encrypted form, in a way that makes it impossible to read. In order to generate a new password, the e-mail address must be provided in the form available under the “Remind password” link, provided at the login form to the account in the Application. The new password will be automatically sent to the e-mail address provided during registration or saved in the last change of the account profile.
- The Administrator never sends any correspondence, including electronic correspondence, with a request to provide login data, in particular the access password to the Customer’s account or the User’s account.
- §8. Changes to Privacy Policy
- The Privacy Policy may be subject to change, about which the Administrator will inform the Clients 7 days in advance.
- Please send questions regarding the Privacy Policy to: kontakt@esgasset.expert.
- Effective date 11/09/2024.