PRIVACY POLICY OF
WWW.AGROSTART.PL WEBSITE
TABLE OF CONTENTS:
- GENERAL PROVISIONS
- BASIS FOR DATA PROCESSING
- PURPOSE, BASIS AND PERIOD OF DATA PROCESSING BY THE DATA CONTROLLER
- RECIPIENTS OF DATA PROVIDED VIA THE WEBSITE
- PROFILING OF WEBSITE DATA
- RIGHTS OF DATA SUBJECTS
- WEBSITE COOKIES AND ANALYTICS
- FINAL PROVISIONS
1. GENERAL PROVISIONS
1.1. The Website Privacy Policy is informational, which means that it is not a source of obligation for the Website Users. The Privacy Policy contains, first and foremost, rules regarding personal data processing by the Website data Controller, including the basis, purposes, and scope of personal data processing and rights of data subjects, as well as information on the use of cookies and analytical tools by the Website.
1.2. The Controller of personal data collected via the Website is Maria Smoleńska, running a business under the name Sky&Sand Maria Smoleńska, entered into the Central Registration and Information on Business of the Republic of Poland kept by the minister responsible for economy, with the following address of the place of business: ul. Bolesława Chrobrego 91, 87-100 Toruń, NIP (Tax Identification Number) 8781755593, REGON (Polish Business register Number) 340563688, e-mail address:
1.3. The Website data is processed by the Controller in accordance with applicable laws, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the GDPR or the GDPR Regulation. Official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.4. The use of the Website is voluntary. Similarly, the provision of personal data by the Website User or Client is voluntary, subject to two exceptions: (1) conclusion of agreements with the Controller - failure to provide, in the cases and to the extent indicated on the Website and this Privacy Policy, personal data necessary for the conclusion and performance of the Sales Agreement or the agreement for the provision of Electronic Services with the Controller results in the inability to conclude this agreement. In such cases, the provision of personal data is a contractual requirement and if the data subject wishes to enter into an agreement with the Controller, they are obliged to provide the required data. Each time the scope of data required to conclude an agreement is indicated beforehand on the Website; (2) the Controller's statutory obligations – the provision of personal data is a statutory requirement resulting from universally binding legal regulations imposing an obligation on the Controller to process personal data (e.g. processing of data for tax purposes) and the failure to provide such data will prevent the Controller from performing these obligations.
1.5. The Controller exercises due care to protect the interests of persons whose personal data it processes and, in particular, is responsible for and ensures that the collected data is: (1) processed lawfully; (2) collected for specified, legitimate purposes and not subjected to further processing incompatible with those purposes; (3) substantively correct and adequate in relation to the purposes for which it is processed; (4) stored in a form which enables the identification of data subjects for a period no longer than necessary for the achievement of the purpose of the processing; and (5) processed in a way which ensures adequate security of personal data, including protection against unauthorised or unlawful processing as well as against accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
1.6. Having regard to the nature, scope, context, and purposes of the processing, as well as the risk of violation of the rights or freedoms of natural persons of varying probability and gravity, the Controller implements appropriate technical and organisational measures to ensure that the processing is carried out in accordance with the GDPR Regulation and to be able to demonstrate it. These measures are reviewed and updated as needed. The Controller uses technical measures to prevent unauthorised persons from obtaining and modifying personal data transmitted electronically.
2. BASIS FOR DATA PROCESSING
2.1. The Controller is entitled to process personal data in cases and to the extent that at least one of the following conditions is met:
(1) the data subject has expressed consent to the processing of their personal data for one or multiple specific purposes;
(2) the processing is necessary for the performance of an agreement to which the data subject is party or to take steps at the request of the data subject prior to entering into the agreement;
(3) the processing is necessary for compliance with a legal obligation to which the Controller is subject;
(4) the processing is necessary for the purposes of the legitimate interests pursued by the Controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2.2. In each case, the processing of personal data by the Controller requires the existence of at least one of the grounds indicated in sec. 2.1 of the Privacy Policy. Specific grounds for the processing of personal data of the Website Users and Clients by the data Controller are indicated in the next section of the Privacy Policy - with reference to a given purpose of personal data processing by the Controller.
3. PURPOSE, BASIS AND PERIOD OF DATA PROCESSING BY THE DATA CONTROLLER
3.1. Each time, the purpose, basis, period, and scope as well as recipients of the personal data processed by the Controller result from the activities undertaken by a given Website User or Client or the Controller.
3.2. The Controller may process personal data provided via the Website for the following purposes, on the following grounds and during the following periods:
Purpose of data processing Legal basis for data processing Data storage period
Performance of the Sales Agreement or the agreement for the provision of Electronic Services, or taking actions at the request of the data subject prior to entering into the above-mentioned agreements, Art 6 sec. 1 letter b) GDPR Regulation (performance of the agreement) - processing is necessary for the performance of the agreement to which the data subject is party or to take steps at the request of the data subject prior to entering into the agreement;
The data is retained for the period necessary for the performance, termination or expiry in any other way of the concluded Sales Agreement or the agreement for the provision of Electronic Services
Direct marketing, Art. 6 sec. 1 letter f) GDPR Regulation (legitimate interest of the Controller) – processing is necessary for purposes resulting from the Controller's legitimate interests – consisting in caring for the interests and the positive image of the Controller, the Website, and seeking to sell the Products.
The data is stored for the period of the existence of a legitimate interest of the Controller; however, no longer than for the period of the statute of limitations of the Controller's claims against the data subject in connection with the business activity conducted by the Controller. The limitation period is determined by law, in particular, the Civil Code (the basic limitation period for claims related to the conduct of business is three years, and for sales agreements - two years).
The Controller may not process data for direct marketing purposes if the data subject has raised an effective objection in this respect.
Marketing, Art. 6 sec. 1 letter a) GDPR Regulation (consent) – the data subject has consented to the processing of their data by the Controller for marketing purposes.
The data is stored until the data subject withdraws their consent to further processing for that purpose.
The expression of opinion about the Sales Agreement concluded by the Client, Art. 6 sec. 1 letter a) GDPR Regulation (consent) – the data subject has given consent to the processing of their data by the Controller for the purpose of expressing their opinion.
The data is stored until the data subject withdraws their consent to further processing for that purpose.
Keeping tax books, Art. 6 sec. 1 letter c) GDPR Regulation (legal obligation) in conjunction with with Art. 86 § 1 of the Tax Ordinance, consolidated text of 17 January 2017 (Dz. U. /Journal of Laws/ of 2017 item 201 as amended) - processing is necessary for compliance with a legal obligation to which the Controller is subject;
The data is stored for the period required by the provisions of law requiring the Controller to keep tax records (until the expiry of the limitation period for tax liabilities unless tax acts provide otherwise).
Determination, pursuit or defence of claims that the Controller may assert or that may be asserted against the Controller, Art. 6 sec. 1 letter f) GDPR Regulation (legitimate interest of the Controller) – processing is necessary for purposes resulting from the Controller's legitimate interests – consisting in the determination, pursuit or defence of claims that the Controller may assert or that may be asserted against the Controller.
The data is stored for the period of the existence of a legitimate interest pursued by the Controller; however, no longer than for the period of the statute of limitations for claims that may be asserted against the Controller. The limitation period is determined by legal provisions, in particular the Civil Code.
Using the Website and ensuring its correct operation, Art. 6 sec. 1 letter f) GDPR Regulation (legitimate interest of the Controller) – processing is necessary for purposes resulting from the Controller's legitimate interests –consisting in running and maintaining the Website. The data is stored for the period of the existence of a legitimate interest of the Controller; however, no longer than for the period of the statute of limitations of the Controller's claims against the data subject in connection with the business activity conducted by the Controller. The limitation period is determined by law, in particular, the Civil Code (the basic limitation period for claims related to the conduct of business is three years, and for sales agreements - two years).
Keeping statistics and Website traffic analysis, Art. 6 sec. 1 letter f) GDPR Regulation (legitimate interest of the Controller) – processing is necessary for purposes resulting from the Controller's legitimate interests – consisting in keeping statistics and analysing traffic on the Website to improve the functioning of the Website and increase sales.
The data is stored for the period of the existence of a legitimate interest of the Controller; however, no longer than for the period of the statute of limitations of the Controller's claims against the data subject in connection with the business activity conducted by the Controller. The limitation period is determined by law, in particular, the Civil Code (the basic limitation period for claims related to the conduct of business is three years, and for sales agreements - two years).
4. RECIPIENTS OF DATA PROVIDED VIA THE WEBSITE
4.1. For the proper functioning of the Website, including the execution of the concluded Sales Agreements, it is necessary for the Controller to use the services of external entities (e.g., a software supplier, IT company). The Controller uses such processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR Regulation and protects the rights of the data subjects.
4.2. Personal data may be transferred by the Controller to a third country, in which case the Controller ensures that this will be done in relation to a country that provides an adequate level of protection – in compliance with the GDPR Regulation, and, in the case of other countries, that the transfer will take place on the basis of standard data protection clauses. The Controller ensures that the data subject is able to obtain a copy of their data. The Controller transfers the collected personal data only in the case and to the extent necessary to fulfil the given purpose of data processing compliant with this Privacy Policy.
4.3. The Controller does not transfer data in every single case and to all recipients or categories of recipients indicated in the Privacy policy - the Controller only transfers data if it is necessary for the fulfilment of a given purpose of personal data processing and solely to the extent necessary for its fulfilment.
4.4. Personal data the Website Users or Clients may be transferred to the following recipients or categories of recipients:
4.4.1. carriers / forwarders / courier brokers / entities managing the warehouse and/or the shipping process – in the case of a Website User who has the Product delivered by mail or courier, the Controller makes the collected personal data available to the selected carrier, forwarder or broker that conducts shipments at the Controller's request; if the shipment is made from an external warehouse – to the entity managing the warehouse and/or the shipping process – to the extent necessary for delivering the Product to the Client.
4.4.2. entities processing electronic or credit card payments – in the case of a Website User who uses the electronic or credit card payment method on the Website, the Controller makes the collected personal data of the Client available to a selected entity processing the aforementioned payments via the Website at the Controller's request to the extent necessary to process the payment made by the Client.
4.4.3. marketing service providers - marketing agencies providing the Controller with support in marketing activities.
4.4.4. providers of an opinion poll system – in the case of Website Users who agreed to express their opinion about the concluded Sales Agreement, the Controller makes the collected personal data available to the selected entity providing the opinion poll system for the evaluation of the Sales Agreements concluded via the Website at the Controller's request to the extent necessary for the Client to express an opinion using the opinion poll system.
4.4.5. service providers supplying the Controller with technical, IT and organisational solutions, which enable the Controller to conduct its business activities, including the Website and the Electronic Services provided through it (in particular, providers of computer software for running the Website, e-mail and hosting providers, as well as providers of business management and technical support software for the Controller) - the Controller makes the collected personal data of the Website User available to a selected provider acting on its behalf only in the case and to the extent necessary to implement a given purpose of data processing in accordance with this Privacy Policy.
4.4.6. providers of accounting, legal and advisory services performing accounting, legal or advisory support activities for the Controller (in particular an accounting office, a law firm or a debt collection agency) - the Controller makes the collected personal data of the Website User available to a selected provider acting on its behalf only in the case and to the extent necessary to implement a given purpose of data processing in accordance with this Privacy Policy.
4.4.7. providers of social plug-ins, scripts, and other similar tools placed on the Website that enable the browser of the Website User to download content from the providers of the aforementioned plug-ins (e.g. logging in using a social network login data) and to transfer the visitor's personal data for this purpose to these providers, including:
4.4.7.1. Meta Platforms Ireland Ltd.– the Controller uses Facebook plug-ins on the Website (e.g. the Like button, Share or logging in using Facebook login details) and therefore collects and shares personal data of the Website User with Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland ) to the extent and in accordance with the privacy principles available at: https://www.facebook.com/about/privacy/ (the data includes information about activities on the Website - including information about the device, visited websites, purchases, displayed advertisements and how to use the services - regardless of whether the Website User has a Facebook account and is logged in to Facebook).
4.4.7.2. Google Ireland Limited – the Controller uses Google plug-ins on the Website (e.g. logging in using Google login data) and therefore collects and shares personal data of the Website User with Google (Gordon House, Barrow Street, Dublin 4, Ireland) to the extent and in accordance with the privacy principles available at: https: //policies.google.com/privacy?hl=pl.
4.4.7.3. LinkedIn Ireland Unlimited Company – the Controller uses LinkedIn plug-ins on the Website (e.g. logging in using LinkedIn login details) and therefore collects and shares personal data of the Website User with LinkedIn Ireland Unlimited Company (Gardner House, 2 Wilton Place, Saint Peter's, Dublin 2, Ireland) to the extent and in accordance with the privacy principles available at: https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.
5. PROFILING OF WEBSITE DATA
5.1. The GDPR Regulation imposes an obligation on the Controller to inform about automated decision-making, including profiling, as referred to in Art. 22, sec. 1 and 4 of the GDPR Regulation, and - at least in these cases - relevant information about the principles on which they are taken, as well as about the significance and the envisaged consequences of such processing for the data subject. With this in mind, the Controller provides information on possible profiling in this section of the Privacy Policy.
5.2. On the Website, the Controller may use profiling for direct marketing purposes but decisions made on its basis by the Controller do not concern the conclusion of or refusal to conclude the Sales Agreement or the possibility of using Electronic Services via the Website. The effect of using profiling on the Website may be, e.g., granting a given person a discount, sending a discount code, reminding about unfinished shopping, sending a proposal of a Product, which may correspond to the interests or preferences of a given person, or offering better conditions in comparison with the standard offer on the Website. Despite profiling, it is up to the person to freely decide whether they wish to take advantage of the discount received in this way or of better conditions and make a purchase via the Website.
5.3. Profiling on the Website consists in automatic analysis or prediction of a given person's behaviour on the Website, e.g. through adding a particular Product to the shopping cart, browsing the page of a particular Product on the Website, or through analysis of the previous history of purchases made via the Website. The condition for such profiling is that the Controller must have the personal data of a given person to be able to send, e.g., a discount code to that User.
5.4. The data subject has the right to refuse to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning that person or affects the User in a similarly significant way.
6. RIGHTS OF DATA SUBJECTS
6.1. Right to access, rectify, restrict the processing or erase data and the right to data portability - the data subject has the right to request the Controller to enable them to access, rectify or erase their personal data ("right to be forgotten"), as well as restrict or object to the processing thereof, and has the right to data portability. Detailed conditions for the exercise of the rights indicated above are specified in Art. 15-21 of the GDPR Regulation.
6.2. Right to withdraw consent at any time - the person whose data are processed by the Controller based on consent (pursuant to Art. 6, sec. 1 letter a) or Art. 9, sec. 2 letter a) GDPR Regulation) has the right to withdraw their consent at any time without affecting the lawfulness of the processing carried out based on such consent before its withdrawal.
6.3. Right to lodge a complaint with the supervisory authority – the person whose data is processed by the Controller has the right to lodge a complaint with the supervisory authority in the manner and mode specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.
6.4. Right to object – the data subject has the right to object at any moment, for reasons related to his or her specific circumstances, to the processing of his or her data, pursuant to Art. 6, sec. 1 letter e) (public interest or tasks) or f) (legitimate interest of the Controller), including profiling under these regulations. In such a case, the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing, which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defence of legal claims.
6.5. Right to object direct marketing – if personal data is processed for the purposes of direct marketing, the data subject has the right to object to the processing of their personal data for that purpose, including profiling, at any time, to the extent to which the processing of data is associated with such direct marketing.
6.6. To exercise the rights referred to in this section of the Privacy Policy, you can contact the Controller by sending an appropriate message in writing or by e-mail to the Controller's address provided at the beginning of the Privacy Policy.
7. WEBSITE COOKIES AND ANALYTICS
7.1. Cookie files (cookies) are small text information in the form of text files sent by the server and saved on the side of the visitor to the Website (e.g. on the hard drive of the computer, laptop, or smartphone memory card - depending on the device used by the visitor of the Website). Detailed information on cookie files and the history of their development can be found at: https://pl.wikipedia.org/wiki/HTTP_cookie.
7.2. Cookies that can be sent by the Website can be divided into different types according to the following criteria:
Cookie supplier:
1) own (created by the Controller's Website) and
2) owned by third parties/entities (other than the Controller) Storage period on the device of the Website User:
1) session cookies (stored until the User logs out of the Website or turns off the web browser) and
2) permanent (stored for a specified period, defined by the parameters of each file or until manually deleted) Purpose of use:
1) necessary (enabling the proper functioning of the Website),
2) functional/preferential (enabling the adaptation of the Website to the preferences of the Website User),
3) analytical and performance (collecting information on the way of using the Website),
4) marketing, advertising and social media (collecting information about the Website User to display advertisements, personalise the advertisements, measure the effectiveness and conduct other marketing activities, including on websites separate from the Website, such as social networking websites or other websites that belong to the same advertising networks as the Website)
7.3. The Controller may process the data contained in cookies when visitors use the Website for the following purposes:
to identify the Website Users as logged in to the Website and showing that they are logged in (necessary cookies)
remembering the products added to the cart to place an order (necessary cookies)
remembering data from completed order forms, surveys or login data to the Website (necessary cookies or/and functional/preferential)
adjusting the content of the Website to the individual preferences of the User (e.g. colour, font size, website layout) and optimising the use of the Website (functional/preferential cookies)
keeping anonymous statistics showing how the Website is used (analytical/performance cookies)
displaying and rendering advertisements, limiting the number of advertisements and ignoring advertisements that the Website User does not want to see, measuring the effectiveness of advertisement, as well as personalising advertisements, i.e. examining the behavioural characteristics of people visiting the Website through anonymous analysis of their activities (e.g. repeated visits on specific websites, keywords, etc.) to create their profiles and to target them with advertisements customised to their predicted interests, also when they visit other websites that belong to the advertising network of Google Ireland Ltd. and Facebook, i.e., Meta Platforms Ireland Ltd. (marketing/advertising/social media cookies)
7.4. In the most popular web browsers, it is possible to check which Cookies (including the period of operation of Cookies and their provider) are sent by the Website:
the Chrome browser:
(1) in the address bar, click the lock icon on the left, (2) go to the "Cookies" tab.
the Firefox browser:
(1) in the address bar, click the lock icon on the left, (2) go to the "Allowed" or "Blocked" tab, (3) click the "Cross-site tracking cookies", "Social media tracking elements" or "Content with tracking elements” the Internet Explorer browser:
(1) click the "Tools" menu, (2) go to the "Internet Options" tab, (3) go to the "General" tab, (4) go to the "Settings" tab, (5) click the "View Files" box
the Opera browser:
(1) in the address bar, click the lock icon on the left, (2) go to the "Cookies" tab. the Safari browser:
click the "Preferences" menu, (2) go to the "Privacy" tab, (3) click the "Manage site data" box. Irrespective of the browser, with tools available, e.g., at: https://www.cookiemetrix.com/ lub: https://www.cookie-checker.com/
7.5. It is the standard for most web browsers available on the market to allow for saving Cookie files by default. Every user can set the terms for the use of Cookie files by customising the settings of their web browser. This means, for example, that it is possible to limit (e.g. for a specific period) or to completely block the saving of Cookie files – however, the latter option may impact some functionalities of the Website (for example, it may become impossible to complete the Order path through the Order Form as Products will not be remembered at the subsequent stages of placing the Order).
7.6. The browser Cookie settings are important for granting consent to the use of Cookies by the Website – according to the regulations, consent can also be granted using browser settings. Detailed information on how to change settings for cookies and how to delete them in the most popular web browsers is available in the help section of your web browser and on the following websites (simply click the link):
in the Chrome browser
in the Firefox browser
in the Internet Explorer browser
in the Opera browser
in the Safari browser
in the Microsoft Edge browser
7.7. To run the Website, the Controller may use the services of Google Analytics, Universal Analytics provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). The services enable the Controller to keep statistics and to analyse the Website traffic. The collected data is processed as part of the above-mentioned services to generate statistics that support the administration of the Website and the analysis of the Website traffic. The data is aggregated. The Controller, using the above-mentioned services, collects via the Website the following data: the sources and medium of acquisition of visitors to the Website, the actions of the visitors on the Website, information about the devices and browsers they use to visit the Website, IP and domain information, geographical data, demographic data (age and sex), interests.
7.8. It is easy for the User to block the sharing of information about their activities on the Website with Google Analytics – to do this, e.g., install a browser add-on provided by Google Ireland Ltd. available at: https://tools.google.com/dlpage/gaoptout?hl=pl.
7.9. Due to the possibility of the Controller to use advertising and analytical services provided by Google Ireland Ltd. on the Website, the Controller indicates that full information on the principles of processing data of the Website Users (including information saved in Cookies) by Google Ireland Ltd. can be found in the privacy principles of Google services available at: https://policies.google.com/technologies/partner-sites.
7.10. The Controller may use the Facebook Pixel service provided by Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland) on the Website. That service helps the Controller measure the effectiveness of advertisements and learn what actions are taken by the Website Users, as well as display advertisements tailored to the User. Detailed information about the functioning of Facebook Pixel can be found at: https://www.facebook.com/business/help/742478679120153?helpref=page_content.
7.11. It is possible to manage the functioning of Facebook Pixel through the ad settings in your account on Facebook.com: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
8. FINAL PROVISIONS
8.1. The Website may contain links to other websites. The Controller encourages the Users accessing other websites to get acquainted with the privacy policy set out therein. This Privacy Policy applies only to the Controller's Website.