Privacy Policy

Privacy Policy of IMG S.A.

To uphold the principles of legality, fairness, and transparency in processing the personal data of clients of IMG S.A., headquartered in Gdynia, this Privacy Policy has been adopted.

This Privacy Policy outlines the principles by which IMG S.A., headquartered in Gdynia, collects and processes its clients' personal data and the rights those clients have concerning the processing of their personal data.

Given that from May 25, 2018, the Regulation of the European Parliament and of the Council (EU) 2016/679 of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR), came into direct application, IMG S.A., headquartered in Gdynia, encourages its clients to familiarize themselves with the following information regarding the processing of their personal data.

I. Information about the Data Controller.

The controller of your personal data is IMG S.A., located at ul. Strzelców 40 lok. 25, 81-586 Gdynia.

For matters related to the processing of your personal data, you can contact the Controller by sending traditional correspondence to the following address: IMG S.A., ul. Kowalska 8-9/7, 82-300 Elbląg, or via email at info@imgfitness.pl.

II. Data Protection Officer.

For matters concerning the protection of your personal data and the exercise of your rights, you can contact the Data Protection Officer appointed by the group of enterprises to which the Controller belongs, at iod@imgfitness.pl.

III. Purpose of processing personal data.

Your personal data is processed by the Controller for various purposes, in different scopes, and on different legal grounds provided in GDPR.

Below are the details regarding the processing of your personal data, grouped according to the purposes for which the data is processed by the Controller.

1. Contract execution.

The processing of your personal data by the Controller is necessary for the execution of the contract for the sale of fitness accessories and devices, including:

  • Handling the process of fulfilling your orders for fitness products available from the Controller.
  • Allowing you to create a User Account on the Controller's website at info.fitnessteam.pl and use the available functionalities.

The legal basis for processing your personal data for this purpose is Article 6(1)(b) GDPR.

2. Legitimate interests of the Controller or a third party.

The Controller has the right to process your personal data to fulfill the legitimate interests of the Controller or a third party.

This means that the purpose for which the Controller processes your personal data on this basis is lawful.

The Controller considers processing your personal data to be in line with the legitimate interests of the Controller or a third party, for:

  • Transmitting your personal data within the group of enterprises to which the Controller belongs, for internal administrative purposes.
  • Preventing fraud and ensuring network and information security.
  • Customizing services to the needs of the Controller’s clients.
  • Optimizing products or services based on your feedback, interests, technical logs of applications.
  • Optimizing sales or post-sales service processes.
  • Handling complaints.
  • Archival (evidential) purposes for securing information in case of legal need to prove certain facts (e.g., to a tax authority).
  • Establishing, asserting, or defending against claims.
  • Conducting customer satisfaction surveys and determining the quality of the Controller’s services and support.
  • Offering you products or services (direct marketing), including tailoring them to your needs through profiling (as explained later in this Privacy Policy).
  • Offering you products or services directly (direct marketing) from the Controller’s partners, e.g., in the form of discount coupons, including tailoring them to your needs through profiling (as explained later in this Privacy Policy) to the extent specified by the Controller's documented analysis of legitimate interests.

The processing of your personal data to fulfill the legitimate interests of the Controller or a third party is provided for in Article 6(1)(f) GDPR.

3. Protection of vital interests of the data subject or another natural person.

The Controller has the right to process your personal data to protect your vital interests or those of another natural person, meaning those essential for the life of yourself or another person.

This category primarily includes humanitarian purposes, particularly natural disasters and human-made disasters, as well as purposes related to the necessity of saving life, health, or protecting property.

The legal basis for processing personal data to protect your vital interests or those of another person is Article 6(1)(d) GDPR.

However, the Controller will not process special categories of your personal data (including health data) on this basis unless you give explicit consent for processing for this purpose or if you are physically or legally incapable of giving such consent and the processing is necessary to protect your vital interests or those of another person (Article 9(2)(a) or (c) GDPR).

4. Processing personal data for one or more purposes requiring the data subject's consent.

If the processing of your personal data is not legally based on any of the purposes mentioned in points 1-3 above, the Controller may process your personal data for one or more other purposes explicitly specified by the Controller, only if you have given prior consent, and processing for this purpose is not prohibited by mandatory provisions of applicable law.

Separate consent is particularly required for the processing of your personal data for the direct marketing of the Controller’s products or services or those of its cooperating entities (Controller's partners), carried out through:

  • Sending commercial information via electronic communication means (e.g., by sending you a commercial offer to the email address you provided when placing an order – the requirement to obtain your consent is provided in Article 10 of the Act of July 18, 2002, on providing services by electronic means).
  • Contacting you using telecommunications end devices and automatic calling systems (e.g., by presenting you with a commercial offer during a phone call) – the requirement to obtain your consent is provided in Article 172 of the Act of July 16, 2004, Telecommunications Law.

The Controller may also process your personal data for one or more specified purposes not mentioned in this section only if you are informed in advance and consent to processing your personal data for another (new) purpose.

IV. Information about recipients of personal data.

The recipients or categories of recipients of your personal data are you and:

Data processors:

  • Entities within the group of enterprises to which the Controller belongs.
  • Entities cooperating with the Controller (Controller's partners), not part of the Controller's group of enterprises.
  • Entities providing information technology (IT) services.
  • Entities providing accounting and payroll services.
  • Entities providing marketing services (including marketing agencies).
  • Entities involved in debt collection.
  • Entities providing legal services.
  • Insurance company damage adjusters.
  • Payment agents handling cashless payments on the Internet.
  • Courier and postal companies.
  • Other service providers supplying the Controller with technical or organizational solutions to fulfill your contract.

Independent recipients:

  • Entities within the Controller's capital group, whose offer complements the Controller's offer.
  • Business partners whose offer complements the Controller's offer.
  • Business partners who are members of the loyalty program implemented by the Controller.

Other recipients, explicitly authorized by you to process your personal data.

V. Transfer of personal data to third countries or international organizations.

The Controller does not transfer your personal data outside the territory of Poland, the European Union, and the European Economic Area.

VI. Period of personal data storage.

Your personal data is stored by the Controller for no longer than necessary for the purposes for which the data is processed, in accordance with point III of the Privacy Policy, including:

  • Your personal data obtained for the purpose of concluding and performing a contract and fulfilling the legitimate interests of the Controller will be stored for the duration of the contract, and thereafter for the period necessary for:
    • Post-sale customer service (e.g., handling complaints) – until the statute of limitations for your claims arising from the contract.
    • Securing or asserting the Controller's claims – until the statute of limitations for the Controller's claims.
    • Fulfilling the Controller's legal obligations, with data processed for accounting and tax purposes being processed for 5 years, counted from the end of the calendar year in which the tax obligation arose.
  • Your personal data obtained for the direct marketing of the Controller's products or services will be stored until you object to the processing of your personal data for this purpose or withdraw your consent if the Controller processes this data based on marketing consent, or the Controller determines that the personal data you provided has become outdated.

VII. Rights of the data subject.

In connection with the processing of your personal data, you have the following rights, which the Controller ensures:

  • The right to access your personal data, meaning obtaining confirmation from the Controller whether it processes your data and information regarding such processing, as well as receiving a copy of this data.
  • The right to rectify (correct) your personal data if the data processed by the Controller is incorrect or incomplete.
  • The right to request the deletion of data (including the "right to be forgotten").
  • The right to request the Controller to restrict the processing of your personal data.
  • The right to object to the processing of data.
  • The right to data portability – you have the right to receive from the Controller in a structured, commonly used, machine-readable format the personal data concerning you that you provided to the Controller based on a contract or your consent; you may also instruct the Controller to send this personal data directly to another entity (data recipient) indicated by you.
  • The right to lodge a complaint with the supervisory authority.
  • The right to withdraw consent to the processing of personal data – you have the right to withdraw your consent to the processing of personal data by the Controller