1. This document specifies the privacy principles applicable in the online service ARUBACARDED -https://arubacarded.com/ in the scope of collecting, processing and using personal data obtained by the Data Controller.

2. Personal information collected by the data controller shall be processed in accordance with the provisions of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (GDPR).

3. Pursuant to Article 4(7) of the GDPR, the Data Controller is Maciej Ząbczyk AFFVANI, Giedlarowa 1143, 37-300 Leżajsk, Poland (EU), Vat number: 8161714654, REGON: 522738405, e-mail: [email protected].

4. The Data Controller shall make an extra effort in order to protect privacy and information provided to him and concerning the users of the website.

1. Personal data will be processed in accordance with the principles of art. 5 GDPR.

Personal data will be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’).

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).

d) accurate and, where necessary, kept up to date (‘accuracy’).

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (‘storage limitation’).

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

1. We ensure that the collection and use of your personal data is lawful. Therefore, for the purposes listed below, we only use your personal data if one of the following conditions apply:

a) You have given us your consent.

b) We need your personal data for the performance of a contract you enter into with us, such as when you purchase a product through the website.

c) We need to comply with legal obligations.

d) We need to protect your vital interests.

e) Your data is necessary for the public interest, or

f) We have a legitimate interest in processing the personal data.

2. Category of Personal Data:

a) Identity data: first name, last name, date of birth, gender - required to identify the traveller.

b) Contact details: e-mail address, telephone number - used for the dispatch of documents and for contact when information needs to be completed.

c) Passport data: passport number, country of issue, expiry date - necessary for correct completion of the application.

d) Travel information: date of arrival, intended stay, purpose of visit - required by Aruban authorities.

e) Device information: information about your computer, phone or other device you use to view the website such as device type, operating system, hardware version, browser type, unique device identifier, IP address and advertising ID. Log information.

f) Payment information (we don’t store this information).

1. The legal basis for the processing of personal data results from the provisions of the GDPR. When we inform about the processing of personal data based on:

a) Article 6(1)(a) of the GDPR – this means that we process personal data based on the consent received,

b) Article 6(1)(b) of the GDPR – this means that we process personal data because they are necessary for the performance of the contract or to take action before its conclusion, at the request received,

c) Article 6(1)(c) of the GDPR – this means that we process personal data in order to comply with a legal obligation,

d) Article 6(1)(f) of the GDPR – this means that we process personal data in order to pursue legitimate interests.

2. The basis for the processing of the Customer's Personal Data is primarily the necessity to perform the contract to which he is a party or the need to take action at his request prior to its conclusion (Article 6 par 1 (b) of GDPR).

3. In other purposes, the Customer's Personal Data may be processed based on:

a) applicable law when processing is necessary to fulfil the legal obligation of the Controller e.g. when based on tax regulations or accounting one, The Controller settles concluded sales contracts (Article 6 (1) (c) GDPR).

b) indispensable for purposes other than those mentioned above resulting from legitimate interests pursued by the Controller or by a third party, in particular to determine, assert or defend claims, market and statistical analyses Article 6 (1) (f) GDPR).

1. In compliance with the applicable legal provisions, we process your personal data for a term of time that is necessary to meet the designated purpose. After such term, the personal data of Customers will be irrevocably deleted or destroyed.

2. Personal data processed covered by the consent statement will be processed until the consent is revoked.

3. We process personal data during the term of the agreement, as well as during a period of expiry of claims resulting from the provisions of the Polish Civil Code.

1. The catalogue of recipients of personal data processed by the data controller results from the provisions of law, the user's consent and the scope of services used by the user.

2. The recipients of the data may be entities carrying out the order at the request of the data controller and dealing with its service: employees, associates, accounting companies, providers of IT solutions, payment service companies, banks, companies providing marketing services, telecommunications service providers, law firms, authorized state authorities.

3. Aruban administrative authorities - data is forwarded to the relevant governmental institutions in order to process the application for an Aruba ED Card.

4. In the case of transferring personal data to entities based outside the EEA, the Controller ensures the application of the requirements set out in Chapter 5 of the GDPR, including the application of appropriate safeguards for the transfer in the form of standard contractual clauses adopted under the decision of the European Commission.

1. Due to the voluntary nature of providing your personal data, you have the right to

a) access to their personal data (Article 15 of the GDPR).

b) rectify their personal data (Article 16 of the GDPR)

c) delete their personal data ("right to be forgotten" – Article 17 of the GDPR).

d) restrict the processing of your personal data (Article 18 of the GDPR).

e) portability of their personal data (Article 20 of the GDPR).

f) to object (Article 21 of the GDPR).

2. If you find that the processing of your personal data violates the provisions of the GDPR, you have the right to lodge a complaint with the President of the Office for Personal Data Protection.

3. Consent to the processing of personal data may be withdrawn at any time. Withdrawal of consent to the processing of data does not affect the lawfulness of the processing of data carried out by the data controller based on consent before its withdrawal.

1. Cookies are used on the Website.

2. Cookies are small pieces of text information sent by the server and saved on the side of the User's end device in connection with the use of the website.

3. The use of cookies is aimed at the proper functioning of the website. They are used to improve the experience with the Online Service websites.

4. The cookies used by the data Controller are safe for the User's devices. In particular, it is not possible for viruses or other unwanted software or malicious software to enter the Users' devices in this way. These files make it possible to identify the software used by the User and to adapt the Website individually to each User. Cookies usually contain the name of the domain from which they originate, the time they are stored on the device and the assigned value.

5. The cookies used are primarily intended to facilitate the use of the Website by remembering the information provided once, so that the customer does not have to provide it each time, as well as cookies are used to adapt their content, including the presented advertisements, to their preferences.

6. Cookies collect various types of information that, as a rule, do not constitute personal data. However, some information, depending on its content and how it is used, may be linked to a specific person – and thus considered personal data. In relation to information collected by cookies, which can be linked to a specific person, the provisions of the Privacy Policy apply, in particular regarding the rights of the data subject. Information on the information collected by cookies is also made available, m.in in the content of the information clause placed in a visible and easily accessible place during the first visit to the https://arubacarded.com/.

7. The User may object to the actions taken by the Administrator, and in the case of giving consent, it may be withdrawn at any time.

What types of cookies can be used?

1. Due to the period of storage of cookies on the device of a person visiting the website, we can distinguish:

a) Session cookies: these are stored on the device of the User of the Website and remain there until the end of the session of the given browser. The saved information is then permanently deleted from the memory of the Website User's device. The mechanism of session cookies does not allow for the collection of any personal data or any confidential information from the Device of the Website User. These cookies are mandatory for certain applications or functionalities to function properly.

b) Persistent cookies: they are stored on the device of the User of the Website and remain there until they are deleted. Ending the session of a given browser or turning off the device does not remove them from the device of the Website User. The storage time depends on the choice you can make in your browser settings. This type of cookie allows information to be sent to the server each time a given website is visited. The mechanism of permanent cookies does not allow for the collection of any personal data or any confidential information from the Device of the User of the Website.

2. Due to the purpose of collection, we distinguish the following Cookies:

c) necessary: necessary for the proper functioning of the website – files processed based on the legitimate interest of the administrator (Article 6(1)(f) of the GDPR).

d) statistical: they allow us to study website traffic, learn about the preferences of our users, analyse their behaviour on the website and enable interaction with external networks and platforms – files processed based on the user's voluntary consent (Article 6(1)(a) of the GDPR).

e) marketing: they allow us to adjust the displayed advertisements and content to the preferences of our users and to conduct personalized marketing campaigns – files processed based on the user's voluntary consent (Article 6(1)(a) of the GDPR).

3. Cookies may be used by advertising networks, in particular the Google network, to display advertisements tailored to the way the Customer uses the Website. For this purpose, information about the Customer's navigation path or the time spent on a given page may be stored.

4. With regard to information about the Customer's preferences collected by the Google advertising network, the Customer may view and edit information resulting from cookies using the tool: https://www.google.com/ads/preferences/.

5. The User may independently and at any time change the settings for cookies, specifying the conditions for their storage and access by cookies to the User's device. The User may change the settings referred to in the previous sentence using the settings of the web browser or by configuring the service. These settings can be changed in such a way as to block the automatic handling of cookies in the settings of the web browser or to inform about each time they are placed on the User's device. Detailed information on the possibilities and methods of handling cookies is available in the software (web browser) settings.

6. To find out how to manage cookies, including how to disable them in your browser, you can use your browser's help file. You can read this by pressing the F1 key in your browser. In addition, you can find the corresponding instructions on the following subpages, depending on the browser you use:

Firefox

Chrome

Safari

Internet Explorer / Microsoft Edge

7. Restricting the use of cookies may affect some of the functionalities available on the website.

8. The website also collects external cookies, the so-called third part cookies, which come from external servers.

9. We use the following services: Google analytics, google ads, stripe, zoho.one.

As needed, we reserve the right to change or modify the Privacy Policy and the Cookies Policy. We will inform you of any changes or additions by posting the relevant information on the main page.

This version of the privacy policy and cookies policy is effective from 17.02.2025.