Privacy Policy

Ladies and Gentlemen

Lalafo Poland Sp. z o. o. cares about your privacy and makes every effort to ensure that you have comfort and transparency when using our services.

Below we present the most important information about the principles of processing Users' personal data in connection with the use of the Lalafo website and mobile application ("Website"). This information has been prepared taking into account and based on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - General Data Protection Regulation (hereinafter referred to as "GDPR").

1) Who is the data controller and how to contact us?

The Controller, i.e. the entity deciding how your personal data will be used, is Lalafo Poland sp. z o. o., 12 Młyńska Street, flat ---, POZNAŃ, postcode 61-730, POZNAŃ Post Office, POLAND, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court Poznań – Nowe Miasto in Poznań, 8th Commercial Division under the number: 0001184927, REGON: 542278359, NIP: 7792591539 (hereinafter referred to as "We", "Company", "Controller"). You can contact us regarding the protection of your personal data. Here are our contact details: e-mail: [email protected]

2) Why did we obtain your data?

Your personal data was obtained in connection with the use of the Lalafo platform – creating a user account, viewing content, placing an order, fulfilling the order (including shipping), communicating with the Company, making payments or technical activities related to the use of the website/application.

3) What personal data do we process?

- identification and registration data (name, surname or nickname, e-mail address, telephone number),

- data regarding the account and user activity (login history, account activities, purchase history),

- address details and product delivery details (shipping address, recipient details),

- payment data – the scope necessary to complete the order (transaction identifiers, payment status).

- data obtained automatically as a result of using the platform (IP address, device data, cookies and other online identifiers),

- data contained in correspondence with the Company (e.g. via the contact form or e-mail),

- technical data – identifiers in systems/CRM, access logs.

4) What is the legal basis for processing personal data?

- Article 6, paragraph 1, letter b of the GDPR – necessity for the performance of the contract for the provision of services by electronic means, account management and order fulfillment,

- Article 6, paragraph 1, letter c of the GDPR – fulfillment of the Company's legal obligations (including tax and accounting obligations),

- Article 6(1)(f) of the GDPR – our legitimate interest in operating the website, ensuring security, responding to abuse, defending against claims, statistical analysis and improving the functionality of the platform.

5) Who can we transfer data to?

The Company may share your personal data with authorities and offices, banks and payment operators handling transactions, legal and tax advisors, postal and courier companies, YALLA CLASSIFIEDS OÜ as the Processor providing operational support services to the Company (in particular in the field of platform infrastructure, finance, IT and group process and business tools management), IT service providers necessary for the operation of the platform, including:

– Alphabet/Google (Google Workspace, Google Cloud – attachments, documents, communication),
– Microsoft (collaboration tools, documents),
– Atlassian (Jira – user reports, internal process management),
– Meta (advertising account and marketing communication management).

6) Is data transferred outside the EEA?

Your data may be transferred outside the European Economic Area (EEA) – within the scope of using the services of the IT providers indicated above, and when using IT tools from the providers indicated above or other cloud services. Transfers outside the EEA will only take place on the basis of standard contractual clauses (SCCs) or other appropriate safeguards as provided for in Articles 45–46 of the GDPR.

7) How long do we store data?

· Account and profile data – for the entire duration of your account use; after deletion of your account, your data is retained for the period necessary for settlements and the limitation period for claims (up to 6 years).

· Order, payment and billing data – 5 years in accordance with tax and accounting regulations.

· Delivery and complaint data – until delivery is completed and the complaint is handled, and then for up to 12 months.

· Chat and correspondence with support client – up to 24 months, unless the case lasts longer.

· Technical data and system logs – up to 24 months (ensuring platform security).

These periods may be extended if necessary to establish or defend claims or if required by law.

8) What are your rights?

We guarantee the protection of all your rights under the GDPR, namely:

· the right to access your data and receive a copy thereof,

· the right to rectify (correct) your data,

· the right to delete data if, in your opinion, there are no grounds for their processing,

· the right to request restriction of processing if you believe that your data is incorrect, processed without justification or is only needed to establish, pursue or defend claims,

· the right to object to data processing based on our legitimate interest,

· the right to lodge a complaint with a supervisory authority – you have the right to lodge a complaint with the President of the Personal Data Protection Office if you believe that your personal data is being processed unlawfully.

9) Do we make decisions in an automated manner (including profiling)?

We do not make decisions that produce legal effects (or similarly significantly affect you) solely based on automated data processing, including profiling.

10) What does the Cookie, Identifier and Consent Management (CMP) policy look like?

The Cookie Policy regulations are set forth in a separate document. You can manage cookie consent (except for essential cookies) in the cookie banner or in the Website/application settings.

11) Is the provision of your data mandatory?

· Providing the data necessary to create an account and place orders is necessary to use our services.

· Additional data (e.g. some settings, cookie consents) are voluntary and can be changed/withdrawn.

12) How do we ensure safety?

We use technical and organizational measures appropriate to the risk to protect data against loss, unauthorized access, modification and disclosure.

13) Can this document change?

Yes. We may update the policy, particularly as the website/app's functionalities, tools used, or legal requirements change. The current version of the policy is always published on the website/app.
If the changes are significant, we will publish a notice on the website/app (and, if required, ask for renewed consent).