Personal data security policy of the epizamka.pl online store
I. What is the Personal Data Security Policy?
The personal data security policy are the rules whose purpose is to inform our clients about the entire process of obtaining, processing and securing their personal data. We will also explain the principles and purposes of data collection. These processes are carried out on the basis of applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and the Act of May 10, 2018 on the protection of personal data.
This Personal Data Security Policy will help you understand what information we collect in connection with the operation of the Store and how we process it.
If we write about the User in the Security Policy, these provisions also apply to you.
II. Definitions
Administrator - Anna Pham ANIAPHU at the address: ul. Nadrzeczna 7C/box D10, 05-552 Wólka Kosowska.
Personal data - all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, online identifier and information collected via through cookies and other similar technology.
Security Policy - this Personal Data Security Policy.
GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Act - Act of May 10, 2018 on the protection of personal data.
Online Store - epizamka.pl online store run by the Administrator at https://epizamka.pl.
User - any natural person visiting the Online Store and using one or more services or functionalities described in the Security Policy.
III. Personal data administrator
The administrator of personal data is: Anna Pham ANIAPHU with its registered office in Wólka Kosowska, at ul. Nadrzeczna 7C/ box D10, NIP: 9451949202.
IV. Purposes and grounds for processing personal data
In accordance with the scope of its activity, the Administrator processes your personal data for various purposes, but it is always done in accordance with the law. Your data is processed in connection with the following categories of activities:
1. Browsing the Online Store
Data of all entities using the Online Store (including IP address or other identifiers and information collected via cookies or other similar technologies) and who are not registered Users (i.e. people who do not have a profile in the Online Store) processed are by the Administrator for one or more of the following purposes:
- providing services by electronic means in the scope of making content posted in the Online Store available to Users, providing contact forms - legal basis for processing - the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR); - handling purchases made without registration in the Online Store - legal basis for processing - the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR);
- handling complaints - legal basis for processing - the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR);
- analytical and statistical - legal basis for processing - legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in conducting analyzes of Users' behavior and activity as well as their preferences aimed at improving the quality and adequacy of the functionalities used and the services provided;
- possible determination and pursuit of claims or defense against them - legal basis for processing - the Administrator's legitimate interest (Article 6(1)(f) of the GDPR), which consists in protecting his rights;
- marketing of the Administrator and other entities, in particular related to the presentation of behavioral advertising - legal basis for processing - legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in adjusting the displayed advertising content - the rules for processing personal data for marketing purposes are described in the "MARKETING" section.
The User's activity in the Online Store, including his personal data, is recorded in system logs (a dedicated computer system created to store a chronological record containing information about events and activities related to the IT system used to provide services by the Administrator). The information collected in the logs is processed in connection with the provision of services by the Administrator. The administrator also processes them for technical purposes, which in particular means that these data may be temporarily stored and processed to ensure the security and proper functioning of IT systems, e.g. in connection with making backup copies, testing changes in IT systems, detecting irregularities or protecting against abuses and attacks.
2. Registration in the Online Store
Users who register in the Online Store by creating a Customer Account are asked to provide the data necessary to create and operate the account. To facilitate placing an order, the User may provide additional data and consent to their processing. Additional data can be changed or deleted at any time. Providing data marked as mandatory (e-mail address and password) is required in order to set up and operate an account, and failure to provide them results in the inability to create an account. Personal data provided to the administrator are processed for one or more of the following purposes:
- providing services related to maintaining and servicing an account in the Online Store - legal basis for processing - the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR),
- analytical and statistical - legal basis for processing - legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in conducting analyzes of Users' behavior and activity as well as their preferences aimed at improving the quality and adequacy of the functionalities used and the services provided;
- possible determination and pursuit of claims or defense against them - legal basis for processing - the Administrator's legitimate interest (Article 6(1)(f) of the GDPR), which consists in protecting his rights;
- marketing of the Administrator and sellers - the rules for processing personal data for marketing purposes are described in the "MARKETING" section.
3. Placing an order
a) Placing an order (offer to purchase goods) by the User in the Online Store involves the processing of his personal data. Providing data marked as mandatory is voluntary, but necessary for the implementation and delivery of the goods ordered by him, and failure to provide them results in the inability to place an order. Providing other data is also voluntary and does not affect the execution of the order.
b) Personal data provided when placing an order in the Online Store are processed for one or more of the following purposes:
- execution of the order placed - legal basis for processing:
* in the scope of mandatory data - the necessity of processing to perform the contract (Article 6(1)(b) of the GDPR),
* in the scope of data provided voluntarily - consent (Article 6(1)(a) of the GDPR);
- fulfillment of statutory obligations incumbent on the Administrator, resulting in particular from tax and accounting regulations - legal basis for processing - legal obligation (Article 6(1)(c) of the GDPR);
- analytical and statistical - legal basis for processing - legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in conducting analyzes of Users' behavior and activity as well as their preferences aimed at improving the quality and adequacy of the functionalities used and the services provided;
- possible determination and pursuit of claims or defense against them - legal basis for processing - the Administrator's legitimate interest (Article 6(1)(f) of the GDPR), which consists in protecting his rights.
4. Contact form
a) In the Administrator's Online Store, it is possible to contact him using an electronic contact form. Using the form requires providing necessary personal data to contact the User and answer the query. Providing marked data as mandatory, it is required in order to accept and handle the inquiry, and failure to provide them results in the inability to use the form.
b) Personal data provided to the Administrator in the contact form are processed for one or more of the following purposes:
- identification of the sender and handling his inquiry sent via the provided form - legal basis for processing - the necessity of processing to perform the contract for the provision of the service (Article 6(1)(b) of the GDPR);
- analytical and statistical - legal basis for processing - legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in keeping statistics of inquiries submitted by Users via the Online Store in order to improve its functionality and the Administrator's activities.
5. Marketing
The Administrator processes Users' personal data in order to carry out marketing activities, the legal basis of which is the Administrator's legitimate interest (Article 6(1)(f) of the GDPR). These activities may consist in particular on:
- displaying marketing content to the User that is not adapted to his preferences (contextual advertising);
- displaying marketing content to the User that corresponds to his interests (behavioral advertising);
- sending e-mail notifications about interesting offers or content, which in some cases contain commercial information;
- conducting other types of activities related to direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).
In order to carry out marketing activities, the Administrator uses profiling in some cases. This means that thanks to automatic data processing, the Administrator assesses selected factors concerning natural persons in order to analyze their behavior or create a forecast for the future. making this type of profiling, however, the Administrator does not apply to the User profiling that has legal effects on him or similarly significantly affects him.
6. Contextual advertising
The Administrator processes Users' personal data for marketing purposes in connection with the management to Users of contextual advertising (i.e. advertising that does not match the User's preferences). The processing of personal data then takes place in connection with the implementation of the Administrator's legitimate interest (Article 6(1)(f) of the GDPR).
7. Behavioral advertising
The Administrator processes Users' personal data, including personal data collected via cookies and other similar technologies, for marketing purposes in connection with targeting Users with behavioral advertising (i.e. advertising that is tailored to the User's preferences). The processing of personal data then also includes the profiling of Users. Use of collected via this technology of personal data for marketing purposes, in particular in the field of promoting services and goods of third parties, is based on the legitimate interest of the administrator and only on the condition that that the User has consented to the use of cookies. Consent to the use of cookies may be expressed through the appropriate configuration of the browser, and can also be withdrawn at any time, in particular by clearing the cookie history and disabling cookies in the browser settings. This consent may be withdrawn at any time.
8. Direct marketing
If the User has agreed to receive marketing information via e-mail, SMS and other means of electronic communication, the User's personal data will be processed for the purpose of sending him such information. The basis for data processing is the Administrator's legitimate interest in sending marketing information within the limits of the consent given by the User (direct marketing). The user has the right to object to the processing of data for the purposes of direct marketing, including profiling. The data will be stored for this purpose for the duration of the Administrator's legitimate interest, unless the User objects to receiving marketing information.
9. Cookies and similar technology
Cookies are small text files installed on the device of the User browsing the Online Store. Cookies collect information that facilitates the use of the website - e.g. by remembering the User's visits to the Online Store and the activities performed by him.
10. "Online Shop" Cookies
The administrator uses the so-called cookies primarily to provide the User with services provided electronically and to improve the quality of these services. Therefore, the Administrator and other entities providing analytical and statistical services to him use cookies, storing information or accessing to information already stored in the User's telecommunications end device (computer, telephone, tablet, etc.). Cookies used for this purpose include:
- cookies with data entered by the User (session ID) for the duration of the session (user input cookies);
- authentication cookies used for services requiring authentication for the duration of the session (authentication cookies);
- cookies used to ensure security, e.g. used to detect abuses in the field of authentication (user centric security cookies);
- session cookies of multimedia players (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);
- persistent cookies used to personalize the User's interface for the duration of the session or slightly longer (user interface customization cookies),
- cookies used to remember the contents of the basket for the duration of the session (shopping cart cookies);
- cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze how the User uses the Online Store, to create statistics and reports on the functioning of the Online Store) . Google does not use the collected data to identify the User or combine this information to enable identification. Detailed information on the scope and principles of data collection in connection with this service can be found here under the link: https://www.google.com/intl/pl/policies/privacy/partners.
11. "Marketing" cookies
The administrator also uses cookies for marketing purposes, including related to steering to Users of behavioral advertising. For this purpose, the Administrator stores information or gains access to information already stored in the User's telecommunications end device (computer, telephone, tablet, etc.). The use of cookies and personal data collected through them for marketing purposes, in particular in the field of promoting services and goods of third parties, requires the consent of the User. This consent can be expressed through the appropriate configuration of the browser, and can also be withdrawn at any time, in particular by clearing the cookie history and disabling cookies in the browser settings.
V. How long do we store your data?
1. In accordance with applicable law, we process your personal data for the time needed, to achieve the set goal. After this period, your personal data will be irreversibly deleted or destroyed.
2. In a situation where we do not need to perform other operations with your personal data than to store it (e.g. when we store the content of the order for the purpose of defending against claims), we additionally protect it by pseudonymisation until it is permanently deleted or destroyed. Pseudonymization consists in encrypting personal data or a set of personal data in such a way that they cannot be read without an additional key, and therefore such information becomes completely useless to an unauthorized person.
3. Your personal data will be processed by the Administrator for the period necessary to achieve the goals referred to in the section "Purposes and grounds for processing personal data" (chapter IV), e.g. until the end of the newsletter service for you, participation agreement in our program loyalty, completion of the complaint procedure, and after this period until any claims expire or until the obligations to store data under the law expire.
VI. What rights do you have related to your data?
1. Data subjects have the following rights:
- The right to information about the processing of personal data - on this basis, the person submitting such a request, the Administrator provides information about the processing of personal data, including, above all, about the purposes and legal grounds for processing, the scope of data held, entities to which personal data are disclosed and the planned date of their deletion;
- The right to obtain a copy of the data - on this basis, the Administrator provides a copy of the processed data concerning the person submitting the request;
- The right to rectify data - on this basis, the Administrator removes any inconsistencies or errors regarding the processed personal data, and supplements or updates them if they are incomplete or have changed;
- The right to delete data - on this basis, you can request the deletion of data, the processing of which is no longer necessary to achieve any of the purposes for which they were collected;
- The right to limit processing - on this basis, the Administrator ceases to perform operations on personal data, with the exception of operations to which the data subject has consented and their storage, in accordance with the adopted retention rules, or until the reasons for limiting data processing cease (e.g. a decision of the supervisory authority will be issued, allowing for further data processing);
- The right to transfer data - on this basis, to the extent that data is processed in connection with the concluded contract or consent, the Administrator issues data provided by the person to whom they relate, in a format that allows them to be read by a computer. It is also possible to request that these data be sent to another entity - provided, however, that there are technical possibilities in this respect both on the part of the Administrator and that other entity;
- The right to object to the processing of data for marketing purposes - the data subject may object to the processing of personal data for marketing purposes at any time, without the need to justify such an objection;
- The right to object to other purposes of data processing - the data subject may at any time object to the processing of personal data on the basis of the Administrator's legitimate interest (e.g. for analytical or statistical purposes or for reasons related to the protection of property). The objection in this regard should contain a justification and is subject to the Administrator's assessment.
2. An application regarding the exercise of the rights described above can be submitted by traditional mail to the following address: ul. Nadrzeczna 7C/box D10, 05-552 Wólka Kosowska or via e-mail to the following address: sklep@epizamka.pl.
3. The application should, if possible, precisely indicate what the request concerns, i.e. in particular:
- who submits the application
- which of the rights described above the person submitting the application wants to use;
- what processing purposes the request concerns (e.g. marketing purposes, analytical purposes, etc.).
4. If the Administrator is unable to determine the content of the request or identify the person submitting the request based on the submitted application, he will ask the applicant for additional information.
5. The response to the notification will be provided immediately, no later than within one month of its receipt. If it is necessary to extend this period, the Administrator will inform the applicant about the reasons for such extension.
6. The answer will be provided to the e-mail address from which the application was sent, and in the case of applications sent by letter, by registered mail to the address indicated by the applicant, unless the content of the letter indicates the desire to receive feedback to the e-mail address (in this case e-mail address must be provided).
VII. Right to withdraw consent
1. If the Administrator processes your personal data on the basis of your consent, you can withdraw this consent at any time - at your discretion.
2. If you want to withdraw your consent to the processing of your personal data, you can do so as follows:
- send an e-mail directly to the Administrator at sklep@epizamka.pl or
- select the appropriate box in the customer panel, in the "Information" tab or
- click on the link in the e-mail, attached at the end of the e-mail.
3. If the Administrator processes your personal data on the basis of your consent, its withdrawal does not make the processing of personal data up to that point unlawful. In other words, until the consent is withdrawn, the Administrator has the right to process your personal data and the withdrawal of consent does not affect the lawfulness of the existing processing.
VIII. Right to lodge a complaint
If you believe that your personal data is processed contrary to applicable law, you can lodge a complaint with the President of the Office for Personal Data Protection.
IX. Transfer of personal data to Third Countries and International Organizations
Your personal data is not transferred to third countries, i.e. outside the European Economic Area (EEA) or outside international organizations.
X. Changes to the Personal Data Security Policy
1. To the extent not covered by this Personal Data Security Policy, the provisions of the Act shall apply and GDPR.
2. You will be notified of any changes to this Security Policy by email e-mail.
3. This Privacy Policy is effective from January 1, 2023.
XI. Questions and contact
If you have any questions about the personal data security policy, please contact the Administrator in writing, by traditional mail, to the following address: ul. Nadrzeczna 7C/box D10, 05-552 Wólka Kosowska or via e-mail to: sklep@epizamka.pl.