Privacy policy

PRIVACY POLICY

This Privacy Policy sets out how AMAPIU PAULINA SZCZĘSNA , KWAŚNA 31 16-300 AUGUSTÓW, 8461575091, 520653917 collects, processes and uses personal data obtained from Users via the online store available at the following web address: www.amapiu.co

Personal data protection

AMAPIU PAULINA SZCZĘSNA, KWAŚNA 31 16-300 AUGUSTÓW, 8461575091, 520653917is the Controller of the collected personal data.
Contact details of the Information Security Administrator in the Company (currently the Data Protection Officer).
Mailing address: AMAPIU PAULINA SZCZĘSNA , PATRIOTÓW 193 , I PIĘTRO , 04-858 WARSZAWA (e-mail: [email protected])

Legal basis for personal data processing

Legal basis for processing [GDPR]	Purpose of processing	Description of the legal basis for processing
Performance of the purchase contract [Art. 6(1)(b) GDPR]	Customers’ personal data may be processed by the Controller for the purpose of performing the services provided by the Controller, ordered by the Customer in accordance with the Terms of Purchase, such as creating an individual Account and ordering products via the Online Platform. For the aforementioned purpose, the Controller may send communications to the e-mail address and phone number of the Customer, including information about the next stages of the order on the Online Platform, reminders, etc.	Data processing for the purpose of performing the services provided by the Controller in accordance with the Terms of Purchase is within the law because it is necessary in order to perform a contract with the Customer, e.g. an online Sale. As part of the functionality of an individual Account, the Customer may have access to such information as the purchase history, the complaints history and the withdrawal from the contract.
Legal obligations of the Controller [Art. 6(1)(c) GDPR]	Customers’ personal data may be processed by the Controller in order to respond to complaints regarding the Website, Online Platform and products.	Data processing is within the law because it is necessary for the purposes arising from the applicable legal provisions (e.g. the Consumer Rights Act of the Polish Civil Code).
The Controller’s legitimate interest [Art. 6(1)(f) GDPR]	Customers’ personal data may be processed by the Controller also for the purpose of marketing the Controller’s products and services of. Customers’ personal data may be processed also in order to respond to inquiries, complaints and queries regarding the Website, Online Platform and products.	Data processing is within the law because it is necessary for the purposes arising from the legitimate interests pursued by the Controller. The Controller’s legitimate interest consists in processing Customer data for the purpose of marketing the Controller’s products and services. The Controller’s legitimate interest also consists in the need to respond to Customer inquiries and complaints as well as withdrawals from the contract.
Your consent [Art. 6(1)(a) GDPR]	The Customer (e.g. via the Website when registering for an individual Account) may consent to: the sending of commercial information by email e.g. as a newsletter;phone marketing;the making of automated decisions based on profiling (e.g. in order to automatically adapt offers and discounts to a given user).	Consent is not a prerequisite for using the Controller’s Services. Consent may be withdrawn at any time – via email and by post. Withdrawing consent does not affect data processing (or the lawfulness of processing), which will retain its form (e.g. sending of commercial information and phone marketing which took place before the withdrawal).

Retention period of personal data

Legal basis for personal data processing	Period of personal data processing
performance of contract	Customers’ personal data will be stored for as long as it is necessary to be able to use an individual Account, perform services and respond to an inquiry or complaint and no longer than: I until the account is deleted or II until the complaint is reviewed, or III until the limitation period for claims has expired.
the Controller’s legal obligations	In some situations, the Controller is obliged by law to store personal data for a longer period. In such a case, the Customer’s personal data will be stored for the period required, in accordance with the law.
the Customer’s Consent	Personal data will be processed until the Customer has withdrawn their voluntary consent to data processing.
the Controller’s legitimate interest	Personal data will be processed until the Customer has successfully objected to the processing of data.

Information on personal data processed

What kind of data is processed?

The Controller collects and processes the personal data of Website Customers who order products or services.

The Controller may collect and process personal data when (among other occasions) the Customer:

visits the website;

registers for an individual Account on the Online Platform;
joins the loyalty programme;
places an order on the Online Platform;
subscribes to the newsletter;
makes a complaint, withdraws from the contract or sends inquiries about products and services provided by the Controller.

Personal data collected and processed by the Controller include, among others:
- contact details – name, surname, email address, mobile phone number;
- address;
- verification data – information such as gender and age;
- data collected as cookies.
Is providing personal data necessary?

The provision of personal data by the Customer is fully voluntary, however, failure to provide the data necessary e.g. to set up an individual Account on the Online Platform, perform the service or respond to inquiries and complaints, and withdraw from the contract may accordingly prevent the Controller from taking action and hinder the provision of the appropriate functionality, services or information that the Customer expects.

The data provided by the Customer may be made available to third parties on the basis of personal data processing agreements concluded by the Controller. The recipients of the data will also be institutions authorised by law.

The right to access

The Customer has the right to access their personal data. They may contact the Controller in order to:

confirm whether the Customer’s personal data are being processed;
inquire about the purposes of processing the Customer’s personal data;
inquire about the category of Customer data;
request information about the recipients of the Customer’s personal data;
request information about the planned retention period of the Customer’s personal data (or criteria for determining it);
request information about the rights of the Customer regarding personal data being processed;
request information about the sources of the Customer’s personal data if the data have not been collected from the Customer;
request information on automated decision-making concerning the Customer based on the processing of collected personal data, including profiling.

The customer has the right to ask the Controller for a copy of the personal data being processed. Further copies may be subject to charge.

Rights in connection with the processing of your personal data

In connection with the processing of your personal data, you have the following rights:

Customer’s rights	Description of Customer’s rights
the right to correct data	The Customer has the right to request the correction of personal data if they are incorrect or incomplete. If the data are incomplete, the Customer has the right to request their completion by submitting the appropriate statement to the Controller.
the right to restrict processing	The Customer has the right to “block” the processing of their personal data in certain situations, e.g. if: the Customer wishes to question the correctness of personal data collected (until we verify the correctness);the Customer objects to the processing of personal data;“Blocking” the processing of personal data consists in the fact that the Controller will still be able to store the Customer’s personal data, but will not be able to process (use) it in any other way (except in particular situations, e.g. when it is required for reasons of important public interest).
the right to data portability	The Customer has the right to request that the Controller provide them with the personal data in a structured, commonly used, machine-readable format. The Customer also has the right to transmit the data to another data controller or request that the Controller transmit the data to another data controller if technically possible. The right to personal data portability applies only if the Customer’s personal data are processed: on the basis of consent granted or on the basis of a contract (e.g. if data are processed as part of the fulfilment of an order for the Controller’s products);in an automated way.
the right to erasure of data (the so-called right to be forgotten)	The Customer has the right to request the erasure of their data in some cases, e.g. when: the data are processed in an unlawful way;the data are no longer necessary to achieve the purposes for which they were collected or processed;there is no legal basis for processing the data (e.g. when the Customer has withdrawn their consent or objected to the processing). The right to request the erasure of personal data may be limited in some cases, e.g. when their processing is necessary to comply with the Controller’s legal obligations (e.g. in accordance with obligations related to the keeping of accounting records).
the right to withdraw consent	The Customer has the right to withdraw consent at any time, e.g. in the Account settings section or by clicking the link attached to a marketing email they receive. In order to withdraw consent, the Customer can also contact the Controller using the following contact details: insert email. Note! Withdrawal of consent may result in the Controller not being able to provide the Customer with services which were based on consent. Withdrawal of consent does not affect the lawfulness of the processing that was carried out on its basis before the withdrawal.
the right to object	The Customer has the right to object to the processing of personal data if the processing is based on the legitimate interest of the Controller. The objection can be raised for reasons related to the Customer’s particular situation. If the Customer objects to:the processing of personal data for the purposes of direct marketing, the Controller will not be able to process the Customer’s personal data;the processing of personal data for other purposes, the Controller will not be able to process the Customer’s personal data unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Customer, or for the establishment, exercise or defence of legal claims.The right to object concerns only the processing of personal data on the basis of the Controller’s legitimate interest and it does not apply to the processing of the Customer’s personal data on the basis of the performance of a contract, consent or other legal grounds.
the right to lodge a complaint	The customer has the right to lodge a complaint with the supervisory authority – the President of the Office for Personal Data Protection. Contact details for complaints can be found at: https://uodo.gov.pl/en/484

The use of professional tools

a) Google Analytics and cookies
The Controller uses Google Analytics, which is a tool developed by Google for analysing website statistics. Google Analytics uses cookies that are saved on the user’s computer and that make it possible to analyse how users use the Website. Information obtained in this way (including the user’s IP address) is sent to the servers of Google Inc. in the USA, where it is stored. Google uses the obtained data to assess the traffic on the Website based on the number of visits, prepare reports on website activity and offer other services related to the use of the Website. Google may provide information to third parties, as long as this complies with the law, or if the third parties process the data on behalf of Google.

Google ensures that the user’s IP address will not be associated with other Google Inc. data. Detailed information on the terms of service and privacy policy can be obtained at:

https://policies.google.com/terms
https://policies.google.com/privacy

The user has the possibility to block cookies by changing the web browser settings, however, this can hinder the functioning of some features of the Website. The user can also prevent Google from collecting and processing data generated by cookies by downloading and installing the plugin available on the website:
https://tools.google.com/dlpage/gaoptout

b) Google Ads
The Website also uses the free conversion tracking function, which is available in Google Ads. In this respect, Google is committed to protecting customer and user data. Every time a user clicks an ad, Google places a cookie on their computer that expires after 50 months. This technology makes it possible to carry out activities related to remarketing used to display Website ads to users who have previously visited the Website while they are browsing other sites on the internet.

If the user does not agree to this service, they may refuse to save cookies by changing the browser settings to disable the automatic cookie handling option. It is also possible to disable cookies used by Google to track conversions by changing the appropriate browser settings to block cookies from Google. For more information on tailored advertising and the possibility to opt out of sharing information from your web browser for behavioural advertising, please visit http://youronlinechoices.eu/

C) Facebook Pixel
The Website also uses a Facebook pixel belonging to Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. It gives the possibility to track the movements of users visiting the Website by monitoring conversions or by clicking on Facebook advertising. It allows us to assess the effectiveness of advertisements for statistics and marketing research. The data collected in this way is anonymous for the Controller, which means that they cannot see the data of individual users. The data are collected and processed by Facebook, and the Controller informs users about it to the best of their knowledge. Facebook has the possibility to connect the data with a user’s account on Facebook and use them for some advertising activity in compliance with Facebook’s privacy policy. Facebook can use cookies and other technological solutions for storing data from the Website in this regard. More information on data protection and the appropriate settings can be found at: https://www.facebook.com/about/privacy/

d) Google Custom Search Engine
Google Custom Search Engine (CSE) is used on the Website. Information on the protection of user data by Google is available at:
https://policies.google.com/privacy

e) Google Double Click
The Website may use DART cookies for the purpose of displaying ads by the Google DoubleClick system, which creates a cookie when websites are visited. The DoubleClick advertising system is used for this purpose. The cookies are used to display ads tailored to the user’s interests. DART cookies enable Google and partners to display specific ads to the user, based on their visits to the Website or other websites. The DART system does not track personal information, such as name, email address, address or phone number. The user has the possibility to disable the DART cookie – to do this, they have to visit the following website:
https://adssettings.google.com/authenticated

More information is also available on the following website:
https://policies.google.com/technologies/ads

It is also possible to collectively disable cookies used by ad providers. To do this, please go to the Network Advertising Initiative website:
www.networkadvertising.org/managing/opt_out.asp

c) Social media plugins
The Website uses plugins of social media sites, such as Facebook, Instagram and Twitter. When the user visits the Website, the browser creates a direct connection to the servers of these sites. The plugin content is sent from the social media site directly to the user’s browser and then integrated with the Website. When the plugin is enabled, the social media site receives information about the user’s visit to a particular website. If the user is signed in to one or more social media sites, they may link the visit with the User’s account. When using the plugin, e.g. by clicking the “Like” button, the browser sends the relevant information to Facebook, where it will be stored. To get detailed information on the purposes and scope of data collection and processing as well as the use of data by social media sites, please read the privacy policy of the given website. In this way, you can also get information about your rights and settings to protect your privacy. The Website also contains direct links to the above-mentioned social media sites. The Company is not responsible for any services provided by these entities. These entities do not have the ability to match the user’s IP address to personal data collected by the Website. For detailed information about the privacy policy on the portals mentioned, please visit the website of the service provider.

g) Google Tag Manager
The Website uses a script (tag) management system, e.g. for analytical tools’ tracking scripts (e.g. Google Analytics), advertising systems’ conversion tracking scripts (e.g. Google Ads), and JavaScript (e.g. pop-up messages).

h) Marketing Automation tools
The Website uses special tools to improve sales processes. The tools are designed to increase the efficiency of campaigns by automatically collecting and processing information on the behaviour of internet users when visiting the online store. Based on the analysed data, the tools direct personalised marketing messages to potential Consumers. Basic functions and activities of marketing automation are:

monitoring and analysis of the behaviour of internet users visiting the platform;
categorising potential Consumers (e.g. by interests, demographic information based on cookies);
automatically creating marketing messages based on the above data;
creating and sending newsletters, emails, pop-up messages and notifications, web push notifications;
creating mailing lists and databases of internet users;
monitoring the recipient’s response to the above forms of communication (open/bounce rates, click-through/transition rate)

Definitions

Term	Description
personal data	All information about an identified or identifiable natural person.
identifiable person	A person whose identity can be determined directly or indirectly, e.g. by reference to an identification number or a factor determining his or her physical, physiological, mental, economic, cultural or social characteristics.
processing personal data	Any operation on personal data, including collecting, recording, storing, processing, changing, sharing, deleting and copying.
personal data controller	An entity that determines the purposes and methods of processing personal data and bears responsibility for their processing in accordance with the law.
Data Protection Officer	Someone who ensures that the processing of personal data by the controller (or processing entity) is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), i.e. GDPR.

AMAPIU PAULINA SZCZĘSNA, privacy policy effective from 01.09.2022.