PRIVACY POLICY AND COOKIES

TABLE OF CONTENTS:

1. GENERAL PROVISIONS.

2. LEGAL BASIS FOR DATA PROCESSING.

3. PURPOSE, LEGAL BASIS, PERIOD, AND SCOPE OF DATA PROCESSING IN THE ONLINE STORE.

4. DATA RECIPIENTS IN THE ONLINE STORE.

5. PROFILING IN THE ONLINE STORE.

6. RIGHTS OF THE DATA SUBJECT.

7. COOKIES IN THE ONLINE STORE, OPERATIONAL DATA, AND ANALYTICS.

8. FINAL PROVISIONS.


1. GENERAL PROVISIONS

1.1. This privacy policy of the Online Store is informative, meaning it does not impose obligations on the Service Users or Customers of the Online Store. It primarily contains rules regarding the processing of personal data by the Administrator in the Online Store, including the legal basis, purposes, and scope of data processing, the rights of the data subjects, and information on the use of cookies and analytical tools in the Online Store.

1.2. The Administrator of personal data collected through the Online Store is Beata Piątkowska, operating a sole proprietorship under the name Beata Piątkowska BB-Akcesoria (registered office and delivery address: Tarnowiec 353, 38-204 Tarnowiec, Poland); entered in the CEIDG; NIP: 6851261212; REGON: 523013319; email address: bb.akcesoria@gmail.com; contact phone number: 724 252 776, hereinafter referred to as the “Administrator” and simultaneously the Service Provider and Seller of the Online Store.

1.3. Personal data in the Online Store are processed by the Administrator in accordance with applicable laws, especially the Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR).

1.4. Use of the Online Store, including making purchases, is voluntary. Similarly, providing personal data by the Service User or Customer is voluntary, except in two cases: (1) entering into contracts with the Administrator – failure to provide personal data necessary to enter and execute a Sales Agreement or Electronic Service Agreement will prevent the conclusion of such a contract. The scope of required data is indicated on the Online Store’s page and in the Store’s regulations and privacy policy; (2) statutory obligations of the Administrator – failure to provide personal data that the Administrator is legally obliged to process (e.g., for tax or accounting purposes) will prevent the Administrator from fulfilling those obligations.

1.5. The Administrator ensures the protection of the interests of the persons whose personal data are processed, particularly that the data are: (1) processed lawfully, (2) collected for specified, legitimate purposes and not processed further in a way incompatible with those purposes, (3) accurate and relevant to the purposes for which they are processed, (4) stored in a form that allows identification of the data subjects no longer than necessary, and (5) processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical and organizational measures.

1.6. Considering the nature, scope, context, and purposes of processing, as well as the risks to the rights or freedoms of individuals, the Administrator implements appropriate technical and organizational measures to ensure that processing complies with the GDPR and to be able to demonstrate that compliance. These measures are reviewed and updated as necessary. The Administrator uses technical measures to prevent unauthorized access to or modification of personal data transmitted electronically.

1.7. Any words, expressions, and acronyms in this privacy policy that start with a capital letter (e.g., Seller, Online Store, Electronic Service) should be understood according to their definitions in the Online Store’s Regulations available on the Store’s website.


2. LEGAL BASIS FOR DATA PROCESSING


2.1. The Administrator may process personal data when at least one of the following conditions is met: (1) the data subject has consented to the processing of their personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Administrator is subject; or (4) processing is necessary for the purposes of legitimate interests pursued by the Administrator or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly when the data subject is a child.

2.2. Processing of personal data by the Administrator requires the fulfillment of at least one of the legal bases stated in point 2.1. Specific bases for processing personal data of Service Users and Customers are specified in the next section of the privacy policy, depending on the purpose of the data processing.


3. PURPOSE, LEGAL BASIS, PERIOD, AND SCOPE OF DATA PROCESSING IN THE ONLINE STORE


3.1. The purpose, legal basis, period, scope, and recipients of personal data processed by the Administrator result from the actions taken by the respective Service User or Customer in the Online Store. For example, if a Customer decides to make a purchase in the Online Store and chooses in-store pickup of the purchased Product instead of courier delivery, their personal data will be processed for the purpose of fulfilling the concluded Sales Agreement but will not be shared with the carrier responsible for deliveries on behalf of the Administrator.

3.2. The Administrator may process personal data in the Online Store for the following purposes, on the following legal bases, within the periods, and to the following extent:

Purpose of data processing: Execution of the Sales Agreement or the agreement for the provision of Electronic Services or taking actions at the request of the data subject before the conclusion of the aforementioned agreements

Legal basis for processing and retention period: Article 6(1)(b) of the GDPR (performance of the contract). Data will be stored for the period necessary for the performance, termination, or other expiry of the concluded agreement.

Scope of processed data: Maximum scope: name and surname, email address, contact phone number, delivery address (street, house number, apartment number, postal code, city, country), residence/business address/headquarters (if different from the delivery address). For Service Users or Customers who are not consumers, the Administrator may additionally process the company name and taxpayer identification number (NIP) of the Service User or Customer. The provided scope is maximum – for example, in the case of in-store pickup, the delivery address is not required.


Purpose of data processing: Direct marketing

Legal basis for processing and retention period: Article 6(1)(f) of the GDPR (legitimate interest of the administrator). Data will be stored for the period of the legitimate interest pursued by the Administrator, but no longer than the statute of limitations for claims related to the business activities conducted by the Administrator. The limitation period is defined by law, in particular by the Civil Code (the basic limitation period for claims related to business activity is three years, and for a sales agreement, it is two years). The Administrator cannot process data for direct marketing if the data subject has effectively objected to such processing.

Scope of processed data: email address.


Purpose of data processing: Marketing

Legal basis for processing and retention period: Article 6(1)(a) of the GDPR (consent). Data will be stored until the data subject withdraws their consent for further processing of their data for this purpose.

Scope of processed data: name, email address.


Purpose of data processing: Providing feedback on the concluded Sales Agreement

Legal basis for processing and retention period: Article 6(1)(a) of the GDPR (consent). Data will be stored until the data subject withdraws their consent for further processing of their data for this purpose.

Scope of processed data: email address.


Purpose of data processing: Keeping accounting records

Legal basis for processing and retention period: Article 6(1)(c) of the GDPR in conjunction with Article 74(2) of the Accounting Act (as of January 30, 2018, Journal of Laws 2018, item 395). Data will be stored for the period required by legal regulations that oblige the Administrator to keep accounting records (5 years, counting from the beginning of the year following the financial year to which the data pertains).

Scope of processed data: name and surname, residence/business address/headquarters (if different from the delivery address), company name, and taxpayer identification number (NIP) of the Service User or Customer.


Purpose of data processing: Establishing, pursuing, or defending claims that the Administrator may assert or that may be asserted against the Administrator

Legal basis for processing and retention period: Article 6(1)(f) of the GDPR. Data will be stored for the period of the legitimate interest pursued by the Administrator, but no longer than the statute of limitations for claims related to the business activities conducted by the Administrator. The limitation period is defined by law, in particular by the Civil Code (the basic limitation period for claims related to business activity is three years, and for a sales agreement, it is two years).

Scope of processed data: name and surname, contact phone number, email address, delivery address (street, house number, apartment number, postal code, city, country), residence/business address/headquarters (if different from the delivery address). For Service Users or Customers who are not consumers, the Administrator may additionally process the company name and taxpayer identification number (NIP) of the Service User or Customer.


4. DATA RECIPIENTS IN THE ONLINE STORE


4.1. For the proper functioning of the Online Store, including the execution of concluded Sales Agreements, it is necessary for the Administrator to use the services of external entities (such as software providers, couriers, or payment processors). The Administrator only uses the services of such processors who provide sufficient guarantees of implementing appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of individuals whose data is being processed.

4.2. Data transfer by the Administrator does not occur in every case and not to all recipients or categories of recipients specified in the privacy policy. The Administrator only transfers data when it is necessary to achieve the specific purpose of personal data processing and only to the extent necessary to do so. For example, if a customer chooses in-store pickup, their data will not be shared with the carrier cooperating with the Administrator.

4.3. The personal data of Users and Customers of the Online Store may be transferred to the following recipients or categories of recipients:

4.3.1. Carriers / couriers / courier brokers – in the case of a Customer who uses the delivery method via postal or courier services in the Online Store, the Administrator will provide the collected personal data of the Customer to the selected carrier, courier, or intermediary handling shipments on behalf of the Administrator to the extent necessary to complete the delivery of the Product to the Customer.

4.3.2. Entities handling electronic payments or credit card payments – in the case of a Customer who uses electronic payment methods or credit card payments in the Online Store, the Administrator will provide the collected personal data of the Customer to the selected entity handling such payments in the Online Store on behalf of the Administrator to the extent necessary for processing the payment made by the Customer.

4.3.3. Providers of survey systems for reviewing Sales Agreements – in the case of a Customer who has agreed to provide feedback on the concluded Sales Agreement, the Administrator will provide the collected personal data of the Customer to the selected provider supplying the survey system for reviewing Sales Agreements in the Online Store on behalf of the Administrator to the extent necessary for the Customer to provide feedback using the survey system.

4.3.4. Providers of services supplying the Administrator with technical, IT, and organizational solutions enabling the Administrator to conduct business activities, including the Online Store and the provision of Electronic Services through it (in particular, software providers for running the Online Store, email and hosting providers, and software providers for managing the business and providing technical support to the Administrator) – the Administrator will provide the collected personal data of the Customer to the selected provider acting on behalf of the Administrator only when and to the extent necessary to achieve the specific purpose of data processing in accordance with this privacy policy.

4.3.5. Providers of accounting, legal, and advisory services offering the Administrator accounting, legal, or consulting support (in particular, accounting offices, law firms, or debt collection companies) – the Administrator will provide the collected personal data of the Customer to the selected provider acting on behalf of the Administrator only when and to the extent necessary to achieve the specific purpose of data processing in accordance with this privacy policy.

 

5. PROFILING IN THE ONLINE STORE


5.1. The GDPR obliges the Administrator to inform data subjects about automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and – at least in these cases – to provide meaningful information about the principles on which such decisions are made, as well as the significance and expected consequences of such processing for the data subject. Bearing this in mind, the Administrator provides information regarding possible profiling in this section of the privacy policy.

5.2. The Administrator may use profiling in the Online Store for direct marketing purposes, but decisions made based on it by the Administrator do not concern the conclusion or refusal of the Sales Agreement, nor the possibility of using Electronic Services in the Online Store. The result of using profiling in the Online Store may be, for example, granting a discount to a person, sending them a discount code, reminding them of abandoned purchases, sending a proposal for a Product that may match the person’s interests or preferences, or offering better conditions compared to the standard offer of the Online Store. Despite profiling, the person freely decides whether they want to take advantage of the received discount or better conditions and make a purchase in the Online Store.

5.3. Profiling in the Online Store involves automatic analysis or forecasting of a person’s behavior on the Online Store website, for example, by adding a specific Product to the cart, browsing a specific Product page in the Online Store, or analyzing the person’s previous purchase history in the Online Store. The condition for such profiling is the Administrator’s possession of the personal data of the person in order to send them, for example, a discount code.

5.4. A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that significantly affects them or produces legal effects concerning them.


6. RIGHTS OF THE DATA SUBJECT


6.1. The right of access, rectification, restriction, erasure, or transfer – the data subject has the right to request access to their personal data, rectification, erasure (“right to be forgotten”), or restriction of processing, as well as the right to object to processing, and the right to data portability. The detailed conditions for exercising the rights mentioned above are outlined in Articles 15-21 of the GDPR.

6.2. The right to withdraw consent at any time – the data subject, whose data is processed by the Administrator based on consent (under Article 6(1)(a) or Article 9(2)(a) of the GDPR), has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out based on consent before its withdrawal.

6.3. The right to lodge a complaint with a supervisory authority – the data subject, whose data is processed by the Administrator, has the right to lodge a complaint with a supervisory authority in accordance with the procedure specified in the GDPR and Polish law, particularly the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office for Personal Data Protection.

6.4. The right to object – the data subject has the right to object at any time, on grounds relating to their particular situation, to processing of their personal data based on Article 6(1)(e) (public interest or task) or (f) (legitimate interests of the administrator), including profiling based on these provisions. In such a case, the Administrator may no longer process these personal data unless the Administrator demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or grounds for establishing, exercising, or defending legal claims.

6.5. The right to object to direct marketing – if personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing purposes, including profiling, insofar as the processing is related to direct marketing.

6.6. To exercise the rights referred to in this section of the privacy policy, one may contact the Administrator by sending a written or electronic message to the Administrator’s address provided at the beginning of the privacy policy or using the contact form available on the Online Store’s website.


7. COOKIES IN THE ONLINE STORE, OPERATIONAL DATA, AND ANALYTICS


7.1. Cookies are small pieces of text information, in the form of text files, sent by the server and stored on the device of the person visiting the Online Store’s website (e.g., on the hard drive of a computer, laptop, or on the memory card of a smartphone – depending on the device used to visit the Online Store). Detailed information about Cookies and their history can be found, among others, here: http://pl.wikipedia.org/wiki/Ciasteczko.

7.2. The Administrator may process data contained in Cookies when visitors use the Online Store’s website for the following purposes:

7.2.1. Identifying users as logged in to the Online Store and showing that they are logged in;

7.2.2. Remembering products added to the cart for order placement;

7.2.3. Remembering data entered in Order Forms, surveys, or login details for the Online Store;

7.2.4. Customizing the content of the Online Store website to the individual preferences of the User (e.g., regarding colors, font size, page layout) and optimizing the use of the Online Store website;

7.2.5. Conducting anonymous statistics to show how the Online Store website is used;

7.2.6. Remarketing, i.e., analyzing visitor behavior on the Online Store website through anonymous analysis of their actions (e.g., repeated visits to specific pages, keywords, etc.) in order to create their profile and provide them with ads tailored to their anticipated interests, including when they visit other websites, in the advertising networks of Google Inc. and Facebook Ireland Ltd.

7.3. By default, most internet browsers available on the market accept the saving of Cookies. Each person can set the conditions for using Cookies through their internet browser settings. This means that one can partially limit (e.g., temporarily) or completely disable the saving of Cookies – however, this may affect certain functionalities of the Online Store (for example, it may not be possible to complete the order process via the Order Form due to the failure to remember products in the cart during subsequent steps of placing an order).

7.4. Browser settings regarding Cookies are crucial in terms of consent to the use of Cookies by the Online Store – according to the regulations, such consent may also be given through the settings of the internet browser. If one does not give such consent, the browser settings regarding Cookies should be changed accordingly.

7.5. Detailed information on changing the settings for Cookies and deleting them on the most popular internet browsers can be found in the help section of the browser and at the following links: Chrome browser, Firefox browser, Internet Explorer browser, Opera browser, Safari browser, Microsoft Edge browser.

7.6. The Administrator may use Google Analytics and Universal Analytics services provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) in the Online Store. These services help the Administrator analyze traffic on the Online Store website. The data collected is processed in these services in an anonymized manner (these are so-called operational data, which prevent identification of a person) to generate statistics helpful in managing the Online Store. These data are aggregated and anonymous, i.e., they do not contain identifying features (personal data) of individuals visiting the Online Store website. By using these services, the Administrator collects data such as the sources and medium of visitors to the Online Store, their behavior on the website, information about devices and browsers used, IP and domain, geographic, demographic data (age, gender), and interests.

7.7. It is possible for a person to easily block the sharing of their activity on the Online Store website with Google Analytics – to do so, they can install the browser extension provided by Google Inc. available here: https://tools.google.com/dlpage/gaoptout?hl=pl.

7.8. The Administrator may use the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). This service helps the Administrator measure the effectiveness of ads and understand the actions taken by visitors to the Online Store, as well as display tailored ads to these individuals. Detailed information about the Facebook Pixel’s operation can be found at the following address: https://www.facebook.com/business/help/742478679120153?helpref=page_content.

7.9. Managing the operation of the Facebook Pixel is possible through ad settings in the user’s account on the Facebook.com portal: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.


8. FINAL PROVISIONS


The Online Store may contain links to other websites. The Administrator encourages visitors to review the privacy policy established on other sites once they navigate to them. This privacy policy applies only to the Administrator’s Online Store.