Information obligation regarding personal data processing pursuant to Article 13(1) and (2) and Article 14 of the GDPR

Data Administrator:

Anna Odrzywołek Moonlight Spa, 31-061 Kraków, Bonifraterska Street 2, NIP: 677 227 34 97

For entity: Moonlight Spa, 31-061 Kraków, Bonifraterska 2 Street Contact: kontakt@moonlightspa.pl

Contact details of the Data Protection Officer (DPO): kontakt@moonlightspa.pl

We collect personal data by contacting us: by phone, email, via social media, in person, via the contact form, and by completing a health questionnaire at the office.

The purpose of processing your personal data: safe implementation of ordered treatments, maintaining contact with the client and enabling contact in individual important matters, issuing necessary documents for the purchase of services, handling correspondence, for tax and accounting purposes; in accordance with the legally justified purpose of the Controller.

We process your data in accordance with your consent:

• to process data for marketing, commercial, statistical and promotional purposes when organizing events, competitions, etc.;

• to process data: recorded in the contact form, included in the health survey, saved in cookies and collected from our website: https://www.moonlightspa.pl, when signing up for organized loyalty programs, competitions and promotional and image-building campaigns;

Providing data is voluntary, however, failure to provide them will make it impossible to conclude a contract and use the services offered by the Data Administrator.

Your rights regarding the processing of personal data: the right to access your data and the right to rectify, delete, limit processing, the right to transfer data, the right to object, the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal; the right to lodge a complaint with the President of the Personal Data Protection Office regarding a violation of the right to personal data protection or other rights granted under the GDPR

The storage period of your data: 5 lat.

Sharing your personal data: only to public authorities fighting fraud and abuse, which operate under separate, overarching legal provisions; they will not be transferred to any cooperating entities or other Data Controllers. We do not share your data with cooperating entities or other Data Controllers.