2.1 The Administrator is authorized to process personal data in cases where – and to the extent that – at least one of the following conditions is met: (1) the data subject has given consent to the processing of their personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Administrator is subject; or (4) processing is necessary for the purposes of legitimate interests pursued by the Administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, particularly when the data subject is a child.

2.2 The processing of personal data by the Administrator requires at least one of the bases mentioned in point 2.1 of this privacy policy to be present. The specific bases for processing the personal data of Users and Customers of the Online Store by the Administrator are indicated in the following section of the privacy policy – with respect to each specific purpose of processing personal data by the Administrator.

PURPOSE, BASIS, PERIOD AND SCOPE OF DATA PROCESSING IN THE ONLINE STORE

3.1 The purpose, basis, period, scope, and recipients of personal data processed by the Administrator are determined by the actions taken by the respective User or Customer in the Online Store. For example, if a Customer decides to make a purchase in the Online Store and chooses in-store pickup of the purchased Product instead of courier delivery, their personal data will be processed for the execution of the Sales Agreement, but it will not be shared with the carrier responsible for deliveries on behalf of the Administrator.

3.2 The Administrator may process personal data in the Online Store for the following purposes, on the following bases, for the following periods, and within the following scope:

RECIPIENTS OF DATA IN THE ONLINE STORE

4.1 For the proper functioning of the Online Store, including the execution of Sales Agreements, it is necessary for the Administrator to use the services of external entities (such as software providers, couriers, or payment processors). The Administrator only uses services from such data processors who provide sufficient guarantees of implementing appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of data subjects.

4.2 Data transfer by the Administrator does not occur in every case and not to all recipients or categories of recipients mentioned in the privacy policy. The Administrator only transfers data when it is necessary to achieve a specific purpose of personal data processing and only to the extent necessary to accomplish that purpose. For example, if a Customer opts for in-store pickup, their data will not be shared with the carrier cooperating with the Administrator.

4.3 Personal data of Users and Customers of the Online Store may be shared with the following recipients or categories of recipients:

• Carriers / Forwarders / Courier Brokers – In the case of a Customer who chooses to receive a Product via postal or courier delivery in the Online Store, the Administrator will provide the collected personal data of the Customer to the selected carrier, forwarder, or intermediary handling the delivery on behalf of the Administrator, to the extent necessary to complete the delivery of the Product to the Customer.

• Entities handling electronic or credit card payments – For a Customer who uses electronic payment methods or credit cards in the Online Store, the Administrator will provide the collected personal data of the Customer to the selected entity handling these payments in the Online Store on behalf of the Administrator, to the extent necessary for processing the payment made by the Customer.

• Providers of technical, IT, and organizational solutions – These are entities that supply the Administrator with technical, IT, and organizational solutions enabling the Administrator to conduct business, including the Online Store and the Electronic Services provided through it (such as software providers for managing the Online Store, email and hosting providers, and software for business management and technical support). The Administrator shares the collected personal data of the Customer with the selected provider acting on their behalf only when necessary and to the extent required to achieve a specific data processing purpose in accordance with this privacy policy.

• Providers of accounting, legal, and advisory services – These are entities that provide accounting, legal, or advisory support to the Administrator (such as accounting firms, legal offices, or debt collection companies). The Administrator will share the collected personal data of the Customer with the selected provider acting on their behalf only when necessary and to the extent required to achieve a specific data processing purpose in accordance with this privacy policy.

PROFILING IN THE ONLINE STORE

5.1 The GDPR requires the Administrator to inform about automated decision-making, including profiling as mentioned in Articles 22(1) and 22(4) of the GDPR, and – at least in these cases – provide significant information about the principles of such decisions, as well as the significance and anticipated consequences of such processing for the data subject. Bearing this in mind, the Administrator provides information regarding potential profiling in this section of the privacy policy.

5.2 The Administrator may use profiling for direct marketing purposes in the Online Store, but decisions made based on profiling do not affect the conclusion or refusal to conclude a Sales Agreement or the possibility of using Electronic Services in the Online Store. The effects of profiling in the Online Store may include, for example, granting a discount to an individual, sending a discount code, reminding them of incomplete purchases, sending product suggestions that may match the individual’s interests or preferences, or offering better conditions compared to the standard offer of the Online Store. Despite profiling, the individual freely decides whether to use the discount or better conditions received in this way and proceed with a purchase in the Online Store.

5.3 Profiling in the Online Store involves the automatic analysis or prediction of a person’s behavior on the Online Store’s website, such as adding a specific product to the cart, viewing a particular product page, or analyzing their past purchase history in the Online Store. The condition for such profiling is that the Administrator has the personal data of the individual to subsequently send them, for example, a discount code.

5.4 The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

RIGHTS OF THE DATA SUBJECT

6.1 Right of access, rectification, restriction, deletion, or transfer – The data subject has the right to request from the Administrator access to their personal data, its rectification, deletion ("right to be forgotten"), or restriction of processing, and also has the right to object to processing, as well as the right to data portability. Detailed conditions for exercising the above rights are specified in Articles 15-21 of the GDPR.

6.2 Right to withdraw consent at any time – A person whose data is processed by the Administrator based on consent (under Article 6(1)(a) or Article 9(2)(a) of the GDPR) has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

6.3 Right to lodge a complaint with a supervisory authority – A person whose data is processed by the Administrator has the right to lodge a complaint with a supervisory authority in the manner and procedure specified in the GDPR and Polish law, particularly the Personal Data Protection Act. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.

6.4 Right to object – The data subject has the right to object at any time – on grounds relating to their particular situation – to the processing of their personal data based on Article 6(1)(e) (public interest or official authority) or (f) (legitimate interests of the administrator), including profiling based on these provisions. In such cases, the Administrator must cease processing the personal data unless they demonstrate the existence of compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

6.5 Right to object to direct marketing – If personal data is processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling, to the extent that the processing is related to such direct marketing.

6.6 To exercise the rights mentioned in this section of the privacy policy, the data subject can contact the Administrator by sending a relevant message in writing or electronically to the address of the Administrator provided at the beginning of the privacy policy or by using the contact form available on the Online Store’s website.

COOKIES IN THE ONLINE STORE, OPERATIONAL DATA AND ANALYTICS

7.1 Cookies are small text files sent by the server and saved on the visitor’s device when they visit the Online Store’s website (e.g., on a hard drive of a computer, laptop, or on a smartphone’s memory card, depending on the device used to visit the website). Detailed information about cookies, including their history, can be found here: http://pl.wikipedia.org/wiki/Ciasteczko.

7.2 The Administrator may process data contained in cookies during the use of the Online Store’s website for the following purposes:

• Identifying users as logged in to the Online Store and showing that they are logged in;
• Remembering products added to the cart for placing an order;
• Remembering data from completed order forms, surveys, or login data for the Online Store;
• Customizing the content of the Online Store’s website to the individual preferences of the user (e.g., colors, font size, page layout) and optimizing the use of the Online Store’s pages;
• Conducting anonymous statistics to show how the Online Store’s website is used;
• Remarketing, which involves analyzing the behavior of visitors to the Online Store through anonymous analysis of their actions (e.g., repeated visits to specific pages, keywords, etc.) to create their profile and deliver ads tailored to their predicted interests, even when they visit other websites in the Google Inc. and Facebook Ireland Ltd. ad networks.

7.3 By default, most web browsers available on the market accept cookies. Users have the ability to define the conditions for using cookies through their web browser settings. This means that one can partially limit (e.g., temporarily) or completely disable the saving of cookies. However, in the latter case, this may affect some functionalities of the Online Store (e.g., it may be impossible to complete the order path through the order form due to the inability to remember products in the cart during subsequent steps of placing the order).

7.4 Browser settings regarding cookies are important for consent to use cookies by our Online Store – according to the regulations, such consent can also be given through browser settings. If consent is not given, it is necessary to change the browser settings regarding cookies accordingly.

7.5 Detailed information on how to change cookie settings and how to delete cookies manually in the most popular web browsers is available in the help section of the browser.

7.6 The Administrator may use Google Analytics and Universal Analytics services provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) on the Online Store. These services help the Administrator analyze traffic on the Online Store. The collected data is processed within these services in an anonymized manner (these are so-called operational data that prevent the identification of an individual) to generate statistics useful for managing the Online Store. This data is aggregated and anonymous, i.e., it does not contain identifying features (personal data) of visitors to the Online Store. The Administrator, using these services, collects data such as the sources and mediums of visitors to the Online Store, their behavior on the site, information about devices and browsers used, IP and domain, geographic data, and demographic data (age, gender) and interests.

7.7 It is possible for an individual to easily block Google Analytics from sharing information about their activity on the Online Store's site. To do this, one can install a browser add-on provided by Google Inc., available here: https://tools.google.com/dlpage/gaoptout?hl=pl.

7.8 The Administrator may use the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) on the Online Store. This service helps the Administrator measure the effectiveness of advertisements and learn about the actions visitors to the Online Store take, as well as display tailored ads to those individuals. Detailed information about how the Facebook Pixel works can be found at the following address: https://www.facebook.com/business/help/742478679120153?helpref=page_content. Managing the Facebook Pixel can be done through ad settings in your Facebook account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.

7.9 The Administrator may use Yandex Metrica services provided by Yandex (16 Lva Tolstogo str., Moscow, 119021, Russia) on the Online Store. These services help the Administrator analyze traffic on the Online Store. The collected data is processed within these services in an anonymized manner (these are so-called operational data that prevent the identification of an individual) to generate statistics useful for managing the Online Store. This data is aggregated and anonymous, i.e., it does not contain identifying features (personal data) of visitors to the Online Store.

7.10 The Administrator may use Hotjar services provided by Hotjar Limited (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta) on the Online Store. These services help the Administrator analyze traffic on the Online Store. The collected data is processed within these services in an anonymized manner (these are so-called operational data that prevent the identification of an individual) to generate statistics useful for managing the Online Store. This data is aggregated and anonymous, i.e., it does not contain identifying features (personal data) of visitors to the Online Store.

7.11 The Administrator may use Heap Analytics services provided by Heap Inc. (225 Bush St. 2nd Floor, San Francisco, CA 94104, USA) on the Online Store. These services help the Administrator analyze traffic on the Online Store. The collected data is processed within these services in an anonymized manner (these are so-called operational data that prevent the identification of an individual) to generate statistics useful for managing the Online Store. This data is aggregated and anonymous, i.e., it does not contain identifying features (personal data) of visitors to the Online Store.

FINAL PROVISIONS

8.1 The Online Store may contain links to other websites. The Administrator encourages users to review the privacy policies of those other sites once they leave the Online Store. This privacy policy only applies to the Online Store of the Administrator.