§ 1 Data Controller

1. The controller of your personal data is BFC TRADING SOLUTIONS LTD., headquartered in London at 85 Great Portland Street, VAT: 5263301718, Company No. 09676587, which provides electronic services and stores and accesses information on the User's devices.
2. Contact with the data controller is possible via email at info@merly.eu.

§ 2 General Information and Data Security

1. The controller processes personal data in compliance with applicable laws, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR.
2. When processing personal data, the controller applies organizational and technical measures in accordance with applicable laws, including encryption of the connection using an SSL certificate.

§ 3 Legal Basis and Purposes of Data Processing

1. The controller processes data:
   • based on the consent of the data subjects – Article 6(1)(a) GDPR,
   • to fulfill obligations under applicable laws – Article 6(1)(c) GDPR,
   • for purposes arising from legitimate interests in the form of informational and marketing activities and for analytical and statistical purposes – Article 6(1)(f) GDPR.
2. Among the processed data are:
   • identification data (first name, last name, company),
   • contact data (email address, phone number),
   • connection parameters (time stamp, type of device, its resolution, operating system, and IP address).
3. Personal data is processed for the following purposes:
   • arising from the function of a specific form, e.g., generating and delivering an order (electronic publication),
   • establishing commercial contact and own marketing,
   • providing electronic services,
   • analytical and statistical purposes.

§ 4 Data Sharing

1. Data is shared with external entities only within the legally permitted boundaries.
2. Data that enables the identification of a natural person is shared only with the consent of that person or when the necessity to share the data arises from a legal obligation imposed on the controller by applicable laws.
3. Consent to data sharing is given during the initial provision of personal data.
4. The controller may transfer personal data to external entities it uses, e.g., software providers necessary for running the online store, entities delivering goods, payment providers, accounting offices, software providers facilitating business operations (e.g., accounting software), technical support providers, marketing service providers, and statistical service providers.
5. Apart from the entities covered by the data subject's consent, data will not be shared with other businesses, private individuals, or international organizations.

§ 5 Data Processing Period

The controller processes personal data only for the period during which there is a legal basis for doing so, i.e., until:

1. the legal obligation requiring the processing of data ceases (e.g., tax obligation, record-keeping requirements),
2. the possibility of establishing, pursuing, or defending potential claims related to the agreement concluded by the Store ceases,
3. the data subject withdraws their consent to data processing, if it was the basis for the processing,
4. the data subject objects to the processing of their personal data - if the basis for the data processing was the controller's legitimate interest or if the data was processed for direct marketing purposes - depending on what is applicable in a given case and what occurs latest.

§ 6 Rights of Data Subjects

1. Every data subject has the right to access their data, the right to correct, update, transfer, and request the restriction of processing.
2. In cases where data is processed based on the controller's legitimate interests, the data subject has the right to object.
3. When processing is based on consent, it can be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent is done by making a declaration to the controller in any form that allows the controller to become aware of the identity and will of the data subject.
4. Every data subject has the right to "be forgotten" through the complete deletion of previously collected personal data. The service controller – upon the request of a natural person whose data was provided on the sites – is obliged to delete the data entirely, except for legally permitted exceptions.
5. Every data subject has the right to lodge a complaint with a supervisory authority – the President of the Personal Data Protection Office – if they believe that the processing of their personal data violates the law.

§ 7 Processing of Personal Data for Marketing Purposes

1. The controller processes users' personal data to conduct marketing activities, which may include:
   • displaying marketing content to the User that is not tailored to their preferences (contextual advertising),
   • displaying marketing content to the User that matches their interests (behavioral advertising),
   • sending email notifications about interesting offers or content, which in some cases contain commercial information,
   • conducting other types of direct marketing activities for goods and services (sending commercial information electronically and telemarketing activities),
   • in order to conduct marketing activities, the controller in some cases uses profiling. This means that through the automatic processing of data, the controller evaluates selected factors relating to individuals to analyze their behavior or create a forecast for the future.
2. The controller processes users' personal data for marketing purposes in connection with displaying contextual advertising to users (i.e., advertising that is not tailored to the user's preferences).
3. The controller processes users' personal data, including personal data collected via cookies and other similar technologies, for marketing purposes in connection with displaying behavioral advertising to users (i.e., advertising that is tailored to the user's preferences). The processing of personal data then includes profiling users. The use of data collected via this technology for marketing purposes, particularly in promoting third-party services and goods, is based on the controller's legitimate interest and only if the user has consented to the use of cookies. Consent to the use of cookies can be given by configuring the browser appropriately and can be withdrawn at any time, especially by clearing the cookies history and disabling cookies in the browser settings. This consent can be withdrawn at any time.
4. If the User has consented to receive marketing information via email, SMS, and other electronic communication means, the User's personal data will be processed for the purpose of sending such information. The legal basis for data processing is the controller's legitimate interest in sending marketing information within the scope of the User's consent (direct marketing). The User has the right to object to the processing of data for direct marketing purposes, including profiling. The data will be stored for this purpose for the duration of the controller's legitimate interest unless the User objects to receiving marketing information.

§ 8 Cookies

1. The service uses cookies.
2. Cookies are IT data, in particular, text files, which are stored on the end device of the Service User and are intended for use on the Service's websites. Cookies usually contain the name of the website they come from, the time of storage on the end device, and a unique number.
3. The entity placing cookies on the end device of the Service User and accessing them is the Service operator and entities cooperating with it as indicated in § 2(2).
4. Cookies are used for the following purposes:
   • creating statistics that help understand how Service Users use websites, enabling the improvement of their structure and content,
   • maintaining the session of the Service User (after logging in), thanks to which the User does not have to re-enter the login and password on each subpage of the Service,
   • determining the User's profile to display tailored materials in advertising networks, particularly the Google network,
5. The Service uses two basic types of cookies:
   • session cookies – these are temporary files stored on the User's end device until logging out, leaving the website, or disabling the software (web browser),
   • persistent cookies – cookies stored on the User's end device for the time specified in the cookies parameters or until they are deleted by the User.
6. Web browsing software (web browser) usually allows cookies to be stored on the User's end device by default. Service Users can change these settings. The web browser allows the deletion of cookies. It is also possible to automatically block cookies. Detailed information on this topic is contained in the help or documentation of the web browser.
7. Restrictions on the use of cookies may affect some functionalities available on the Service's websites.
8. Cookies placed on the User's end device and used may also be by advertisers and partners cooperating with the Service operator.
9. If the Service User does not want to receive cookies, they can change their web browser settings on their own.
10. The service operator reserves the right that disabling cookies mentioned in this section, which may be necessary for authentication processes, security, or maintaining user preferences, may make it difficult, or in extreme cases, impossible to use the websites managed by the controller.
11. To manage cookie settings in browsers, refer to the instruction manual of those browsers.

§ 9 Changes to the Privacy Policy

The controller reserves the right to change the privacy policy, if required by applicable law or if the technological and technical conditions of the services' operation change or if any service partner changes.