PRIVACY POLICY
The store is administered by Magdalena Staszewska-Nowicka conducting business under the company name TTO Magdalena Staszewska-Nowicka, at the address: Worławki 17, 11-008 Worławki, VAT number: 7393948520, REGON: 387862530. This privacy policy has been structured in a question and answer format, chosen to ensure clarity and readability of the information presented to you.
If you have any questions regarding this privacy policy, you can contact us at any time by sending a message to: [email protected]
#1: Who is the administrator of your personal data?
The administrator of your personal data is Magdalena Staszewska-Nowicka conducting business under the company name TTO Magdalena Staszewska-Nowicka, at the address: Worławki 17, 11-008 Worławki, VAT number: 7393948520, REGON: 387862530.
#2: Who can you contact regarding the processing of your personal data?
As part of implementing personal data protection in our organisation, we have decided not to appoint a Data Protection Officer, as this is not mandatory in our situation. For matters related to personal data protection and privacy in general, you can contact us at: [email protected]
#3: What information do we hold about you?
Depending on the purpose, we may process the following information about you:
- first and last name
- residential address
- business address
- VAT number
- email address
- phone number
- data contained in correspondence sent to us
- bank account number
- IP address
- image (profile photo)
- products you have viewed in the store
- details of orders placed
- details of abandoned carts
- activity in relation to newsletter messages
- information about the operating system and internet browser you use
- subpages viewed
- time spent on the website
- navigation between individual subpages
- clicks on individual links
- the source from which you arrive at our website
- your age range
- your gender
- your approximate location limited to town/city
- your interests determined on the basis of online activity
The scope of data processed has been described precisely in relation to each processing purpose. This information can be found further in this policy.
#4: Where do we get your personal data from?
In most cases, you provide it to us yourself. This happens when you:
- place an order in the store
- register a user account
- submit a complaint or withdraw from a contract
- sign up for the newsletter
- contact us
In addition, some information about you may be automatically collected by the tools we use:
- the store and newsletter system mechanisms collect your IP address
- the store mechanism collects information about products you have viewed and details of orders placed, including incomplete ones
- the newsletter system mechanism collects information about your activity in relation to content sent to you via the newsletter, such as message opens, link clicks, etc.
- Google Analytics and Facebook Pixel collect a range of information about how you use our store
#5: Is your data secure?
We take the security of your personal data seriously. We have analysed the risks associated with each data processing activity and have implemented appropriate security and data protection measures. If you have any questions about your personal data, we are available at [email protected]
#6: For what purposes do we process your personal data?
There is more than one purpose. Below is a list, followed by a more detailed explanation. We have also assigned the appropriate legal basis for processing to each purpose:
- order processing – Art. 6(1)(b) GDPR
- handling complaints or withdrawals from contracts – Art. 6(1)(f) GDPR
- sending the newsletter – Art. 6(1)(a) GDPR
- handling correspondence – Art. 6(1)(f) GDPR
- fulfilling tax and accounting obligations – Art. 6(1)(c) GDPR
- creating an archive for the potential need to defend, establish or pursue claims, as well as for identifying returning customers – Art. 6(1)(f) GDPR
- own marketing – Art. 6(1)(f) GDPR
- analysis, statistics and optimisation – Art. 6(1)(f) GDPR
User Account – details
When creating a user account, you must provide the data necessary to set it up: an email address and password. Providing this data is voluntary but necessary to create an account. When editing your account data, you may provide additional information, in particular data that may be used when placing orders, such as your name and surname, residential or business address, VAT number, and phone number. You may also set an avatar, such as a profile photo including your image. If you create an account via integration with a social media account, we will obtain access, based on your prior authorisation, to certain data stored in that social media account (name, email address, profile photo). You may modify your account information at any time. However, if you created your account using social media integration, data retrieved from that social media service cannot be modified. Data provided in connection with creating an account is processed for the purpose of providing you with the electronic service of access to a user account, based on the agreement concluded under the terms described in the Terms and Conditions – meaning the legal basis for processing is Art. 6(1)(b) GDPR. Data will be stored for as long as the user account is active. You may delete your account at any time, though this will not result in the removal of your order history from our database. Order data is stored in our archive for the entire duration of the store’s operation, in order to identify returning customers, reconstruct purchase history, applied discounts, etc., which constitutes our legitimate interest as referred to in Art. 6(1)(f) GDPR.
Orders – details
When placing an order in the store, you must provide the data necessary to process it. Depending on the specifics of the order, the required data may vary. For example, if you are ordering physical products, we need the delivery address. If you request a VAT invoice for a company, we need the VAT number and business address. Providing data is voluntary but necessary to place an order. Each order is saved in our database, meaning that your personal data associated with the order is accompanied by order details such as the products ordered, chosen payment method, chosen delivery method, and payment date. Data collected in connection with an order is processed for the purpose of performing the contract concluded by placing the order (Art. 6(1)(b) GDPR), issuing an invoice (Art. 6(1)(c) GDPR in conjunction with invoicing regulations), including the invoice in accounting records and fulfilling other tax and accounting obligations (Art. 6(1)(c) GDPR in conjunction with tax and accounting regulations), and for archival purposes in case of the potential need to defend, establish, or pursue claims, as well as for identifying returning customers, which constitutes our legitimate interest (Art. 6(1)(f) GDPR). Order data will be processed for the time necessary to fulfil the order, and then until the statute of limitations for claims under the concluded contract expires. After that period, data may still be processed by us for archival purposes in case of the potential need to defend, establish, or pursue claims, as well as for identifying returning customers. Please note that we are also obliged to retain accounting records, which may contain your personal data, for the period required by law.
Complaints and withdrawals from contracts – details
If you submit a complaint or withdraw from a contract, you provide personal data contained in the complaint or withdrawal statement, including name and surname, residential address, phone number, email address, and bank account number. Providing this data is voluntary but necessary to submit a complaint or withdraw from a contract. Data provided in connection with a complaint or withdrawal is used to carry out the complaint or withdrawal procedure, and subsequently for archival purposes, which constitutes our legitimate interest (Art. 6(1)(f) GDPR). Data will be processed for the time necessary to complete the complaint or withdrawal procedure. Complaint documents will be retained until the warranty rights expire. Withdrawal statements will be retained together with accounting records for the period required by law.
Newsletter – details
When signing up for the newsletter, you provide us with your first name and email address. Providing this data is voluntary but necessary to subscribe to the newsletter. In addition, our newsletter system records your IP address used at the time of signing up, determines your approximate location, the email client you use, and tracks your activity in relation to messages sent to you. As a result, we also hold information about which messages you have opened, which links you have clicked, etc. Data provided in connection with the newsletter subscription is used for the purpose of sending you the newsletter, and the legal basis for processing is your consent (Art. 6(1)(a) GDPR) given when subscribing. Regarding the processing of information not provided directly by you but automatically collected by our mailing system, we rely on our legitimate interest (Art. 6(1)(f) GDPR) in analysing newsletter subscriber behaviour for the purpose of optimising our mailing activities. You may unsubscribe from the newsletter at any time by clicking the dedicated link in any newsletter message or by simply contacting us. Even after unsubscribing, your data will continue to be stored in our database for the purpose of identifying returning subscribers and potential defence against claims related to sending you the newsletter, in particular to demonstrate the fact that you gave consent and the moment it was withdrawn, which constitutes our legitimate interest as referred to in Art. 6(1)(f) GDPR. You may modify your newsletter data at any time by clicking the relevant link in any newsletter message or by contacting us directly.
Handling correspondence – details
When you contact us, you naturally provide us with your personal data contained in the correspondence, in particular your email address and name. Providing data is voluntary but necessary to make contact. Your data is processed in this case for the purpose of contacting you, and the legal basis is Art. 6(1)(f) GDPR — our legitimate interest. The legal basis for processing after the contact has ended is also our legitimate interest in archiving correspondence for the purpose of being able to demonstrate certain facts in the future (Art. 6(1)(f) GDPR). Correspondence may be archived and we are unable to definitively determine when it will be deleted. You have the right to request access to the history of correspondence you have conducted with us (if it has been archived), as well as to request its deletion, unless archiving is justified by our overriding interests, such as defence against potential claims from your side.
Tax and accounting obligations – details
If we issue an invoice to you, it becomes part of our accounting records, which will be retained for the period required by law. Your personal data is in this case processed for the purpose of fulfilling our tax and accounting obligations (Art. 6(1)(c) GDPR in conjunction with the relevant tax and accounting regulations).
Archive – details
Within the description of each data processing purpose above, we have indicated the relevant data retention periods. These periods are often linked to our archiving of certain data for the purpose of being able to demonstrate specific facts in the future, reconstruct the history of our relationship with a customer, correspondence exchanged, and to defend, establish, or pursue claims. We rely on our legitimate interest as referred to in Art. 6(1)(f) GDPR.
#7: How long will we retain your personal data?
Retention periods have been specified separately for each processing purpose. You will find this information within the details dedicated to each individual processing purpose.
#8: Who are the recipients of your personal data?
Personal data is transferred, on the basis of appropriate agreements, to entities processing data on our behalf and providing services to us. Such entities process data solely in accordance with our instructions, maintaining confidentiality and security. We reserve the right to monitor how the entrusted data is processed. Your personal data may be shared with external entities that receive it in connection with their own purposes (e.g. courier service providers and payment processors). In other cases, personal data may be disclosed only to entities authorised by law.
#9: Do we transfer your data to third countries or international organisations?
Yes, some personal data processing operations may involve transferring your data to third countries. We transfer your personal data to third countries in connection with the use of tools that store personal data on servers located in third countries, in particular in the USA. The providers of these tools guarantee an adequate level of personal data protection through appropriate compliance mechanisms provided for under the GDPR, in particular through the use of standard contractual clauses.
#10: Do we use profiling? Do we make automated decisions based on your personal data?
We do not make decisions about you based solely on automated processing, including profiling, that would produce legal effects concerning you or similarly significantly affect you. We do use tools that may take certain actions depending on information collected through tracking mechanisms, but we consider that these actions do not have a significant impact on you, as they do not differentiate your status as a customer, do not affect the terms of any contract you may conclude with us, etc. By using certain tools, we may, for example, show you personalised advertisements based on your previous activity on our website, or suggest products that may interest you. This is referred to as behavioural advertising. We emphasise that within the tools we use, we do not have access to information that would allow us to identify you personally.
#11: What rights do you have in connection with the processing of your personal data?
The GDPR grants you the following potential rights in connection with the processing of your personal data:
- the right to access your data and receive a copy of it
- the right to rectification (correction) of your data
- the right to erasure of data (if you believe there is no basis for us to process your data, you may request that we delete it)
- the right to restriction of processing (you may request that we restrict processing to storage only or to actions agreed with you, if in your opinion we hold incorrect data or are processing it without a legal basis)
- the right to object to processing (you have the right to object to the processing of data on the basis of legitimate interest; you should indicate the particular situation which in your opinion justifies us ceasing the processing covered by the objection; we will stop processing your data for those purposes unless we demonstrate that the grounds for our processing override your rights, or that your data is necessary for us to establish, pursue, or defend claims)
- the right to data portability (you have the right to receive from us, in a structured, commonly used, machine-readable format, the personal data you have provided to us on the basis of a contract or your consent; you may instruct us to send this data directly to another entity)
- the right to withdraw consent to the processing of personal data, if you have previously given such consent
- the right to lodge a complaint with a supervisory authority (if you consider that we are processing data unlawfully, you may lodge a complaint with the President of the Personal Data Protection Office or another competent supervisory authority)
The rules relating to the exercise of the rights listed above are described in detail in Articles 16–21 of the GDPR. We encourage you to familiarise yourself with these provisions. For our part, we consider it necessary to clarify that the rights listed above are not absolute and will not apply to all personal data processing activities. We emphasise that one of the rights listed above always applies — if you believe that we have violated data protection regulations in processing your personal data, you have the right to lodge a complaint with the supervisory authority (the President of the Personal Data Protection Office). You may also contact us at any time to request information about what data we hold about you and for what purposes we process it. Simply send a message to [email protected]. We have done our best to ensure that all relevant information is comprehensively presented in this privacy policy. The email address above can also be used if you have any questions relating to the processing of your personal data.
