Privacy Policy

Website privacy policy (hereinafter “Privacy Policy”)

1 Effective date:

  • The Privacy Policy is effective as of 21.04.2023.
  1. General provisions:
  • The Privacy Policy is informative in nature; it mainly contains the principles concerning the processing of personal data by the Administrator, including the grounds, purposes and scope of the processing of personal data and the rights of data subjects on the website at www.ambassade-biologique-recherche-warszawa.com (hereinafter the “Website”).
  • The controller of the personal data is the entrepreneur entered in the Central Register and Information on Business Activity under the name Beauty Experts Anna Lohmann, with the main place of business activity in Warsaw at Jerzego 18, 04-424 Warsaw, NIP: 5242431290, REGON: 147098551, e-mail address: anna.lohmann@beauty-experts.pl (hereinafter referred to as the “Administrator”).
  • Personal data shall be processed by the Administrator in accordance with the applicable legal provisions, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “RODO” or “RODO Regulation”).
  • The use of the Website, including the conclusion of contracts, is voluntary. Similarly, the related provision of personal data by the user of the Website is voluntary, subject to two exceptions:

– conclusion of contracts with the Administrator – failure to provide, in the cases and to the extent indicated on the Website, in the Terms and Conditions of the salon and in this Privacy Policy, the personal data necessary for the conclusion and performance of an agreement with the Administrator shall make it impossible to conclude such a contract. The provision of personal data in such a case is a contractual requirement, and if the data subject wishes to conclude the contract in question with the Administrator, he/she is obliged to provide the required data.

– statutory obligations of the Controller – the provision of personal data is a statutory requirement where generally applicable legal provisions oblige the Administrator to process personal data (e.g. processing of data for the purpose of keeping accounting records); failure to provide such data will make it impossible for the Administrator to fulfil these obligations.

  • The Administrator shall take special care to protect the interests of the persons to whom the personal data processed by him/her relate, and in particular shall be responsible for ensuring that the data collected by him/her are:

– processed lawfully;

– collected for specified lawful purposes and not subjected to further processing incompatible with those purposes;

– adequate in relation to the purposes for which it is processed;

– kept in a form which permits identification of data subjects for no longer than is necessary to achieve the purpose of the processing;

– processed in a manner that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures.

 

  1. Grounds for data processing:
  • The controller is entitled to process personal data to the extent that one or more of the following conditions are met:

– the data subject has given his/her consent to the processing of his/her personal data;

– the processing is necessary for the performance of a contract to which the data subject is a party;

– the processing is necessary for taking steps at the request of the data subject prior to entering into a contract;

– processing is necessary for compliance with a legal obligation incumbent on the Controller;

– processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;

  • The processing of personal data by the Controller requires in each case the existence of at least one of the grounds indicated in the paragraph above.

 

  1. Purpose, basis, period and scope of data processing by the Controller:
  • In each case, the purpose, basis, period, scope and recipients of the personal data processed by the Administrator result from the activities undertaken by the respective user of the Website.
  • The Administrator may process personal data for the following purposes, on the following grounds, for the following periods and to the following extent:

Purpose of data processing: Performance of the contract entered into with the Controller
Legal basis for data storage: Article 6 paragraph 1 point (b) of the RODO Regulation (performance of a contract) and Article 9 paragraph 2 point (a) of the RODO Regulation.
Period of data processing: The data are kept for the period necessary for the performance, termination or otherwise expiry of the contract concluded.

Purpose of data processing: Taking action at the request of the data subject.
Legal basis for data storage: Article 6 paragraph 1 point (b) of the RODO Regulation (performance of a contract) and Article 9 paragraph 2 point (a) of the RODO Regulation.
Period of data processing: The data are kept for the period necessary for the performance, termination or otherwise expiry of the concluded contract.

Purpose of data processing: Direct marketing
Legal basis for data storage: Article 6 paragraph 1 point (f) of the RODO Regulation (legitimate interest of the controller)
Period of data processing: The data are stored for the period of existence of the legitimate interest pursued by the Controller, but no longer than the period of limitation of claims against the data subject in respect of the business activities conducted by the Controller. The limitation period is determined by the provisions of law, in particular the Civil Code (the basic limitation period for claims related to the conduct of business activities is three years, and for a sales contract two years). The Administrator may not process data for direct marketing purposes in the event of an effective objection to this effect by the data subject.

Purpose of data processing: Marketing of the Administrator’s services and products
Legal basis for data storage: Article 6 paragraph 1 point (a) of the RODO Regulation (consent).
Period of data processing: Data is stored until withdrawal of the data subject’s consent to further processing of his/her data for this purpose.

Purpose of data processing: Bookkeeping
Legal basis for data storage: Article 6 paragraph 1 point (c) of the RODO Regulation in conjunction with Article 74(2) of the Accounting Act (consolidated text of 30 January 2018, Journal of Laws 2018, item 395).
Period of data processing: The data shall be stored for the period required by the provisions of law requiring the Administrator to keep the accounts (5 years, counting from the beginning of the year following the financial year to which the data refer).

Purpose of data processing: Establishing, asserting or defending claims which the Administrator may raise or which may be raised against the Administrator
Legal basis for data storage: Article 6 paragraph 1 point (f) of the RODO Regulation
Period of data processing: Data shall be stored for the period of existence of the legitimate interest pursued by the Administrator, but no longer than the period of limitation of claims against the data subject in respect of the Administrator’s business activities. The limitation period is determined by the provisions of law, in particular the Civil Code (the basic limitation period for claims relating to the business activities is three years, and for a sales contract it is two years). The data is stored for the period of existence of the legitimate interest pursued by the Administrator, but no longer than for the period of limitation of claims that may be raised against the Administrator (the basic limitation period for claims related to the business activities is three years).

Purpose of data processing: Use of the Website and ensuring its correct operation
Legal basis for data storage: Article 6 paragraph 1 point (f) of the RODO Regulation (legitimate interest of the Administrator) – the processing is necessary for the purposes arising from the Administrator’s legitimate interests, consisting of the operation and maintenance of the Website.
Period of data processing: The data shall be stored for the period of existence of the legitimate interest pursued by the Controller, but no longer than the period of limitation of the Controller’s claims against the data subject in respect of the Controller’s business activities. The limitation period is determined by the provisions of law, in particular the Civil Code (the basic limitation period for claims related to the conduct of business activities is three years, and for a Sales Agreement it is two years).

Purpose of data processing: Keeping statistics and analysing traffic on the Website
Legal basis for data storage: Article 6 paragraph 1 point (f) of the RODO Regulation (legitimate interest of the Administrator) – the processing is necessary for the purposes arising from the Administrator’s legitimate interests, consisting of conducting statistics and analysis of traffic on the Website in order to improve the functioning of the Website and increase sales of Products.
Period of data processing: The data is stored for the period of existence of the legitimate interest pursued by the Administrator, but no longer than for the period of limitation of claims that may be raised against the Administrator (the basic limitation period for claims related to the business activities is three years).

 

  1. Data processing:
  • For the proper functioning of the Website, including for the execution of concluded contracts, it is necessary for the Administrator to use the services of external entities (such as, for example, a software provider, an IT company or an entity handling electronic and payment card payments). The Controller shall only use the services of such processors who provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the RODO Regulation and protects the rights of the data subjects.
  • Personal data will not be transferred by the Controller to a third country, i.e. to recipients outside the European Economic Area.
  • The transfer of data by the Administrator does not take place in every case and not to all recipients or categories of recipients indicated in the Privacy Policy. The Administrator shall only transfer data if it is necessary for the fulfilment of the given purpose of personal data processing and only to the extent necessary for its fulfilment.
  • The personal data of Service Recipients may be transferred to the following recipients or categories of recipients:

– entities handling electronic payments – in the case of a Website user who uses the electronic payment method, the Administrator shall make the collected personal data of the user available to the selected entity handling the aforementioned payments on the Website on behalf of the Administrator, to the extent necessary to handle the executed payment.

– service providers supplying the Administrator with technical, IT and organisational solutions enabling the Administrator to conduct its business activity, including the Website and the services provided through it, and to perform contracts (in particular computer software providers for running the Website, IT companies, e-mail and hosting providers, and providers of software for business management, marketing activities and providing technical assistance to the Administrator). The Administrator shall make the collected personal data of the Customer available to the selected provider acting on his/her behalf only in the case and to the extent necessary to fulfil the given purpose of data processing in accordance with this Privacy Policy.

– marketing service providers – marketing agencies providing support to the Administrator in marketing activities.

– carriers, forwarders and couriers who provide courier services to the Administrator – the Administrator shall make the collected personal data available to the selected entity to the extent necessary to carry out the delivery.

– providers of accounting, legal, advisory or translation services who provide accounting, legal, advisory or translation support to the Administrator (in particular an accounting office, a law firm, a debt collection agency or a translation agency). The Administrator shall make the collected personal data available to the selected provider acting on his/her behalf only in the case and to the extent necessary to fulfil the given purpose of data processing in accordance with this Privacy Policy.

– providers of social plug-ins, scripts and other similar tools placed on the Website allowing the browser of the person visiting the Website to download content from the providers of the said plug-ins (e.g. logging in with the login data of a social network) and transmitting the personal data of the visitor to these providers for this purpose.

– Meta Platforms Ireland Limited. The Administrator uses social media plug-ins of Instagram on the Website and therefore collects the personal data of the Customer using the Website and shares it with Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland) to the extent and in accordance with their privacy policy available.

 

  1. Website profiling:
  • Personal data is not subject to automated decision-making, including profiling.

 

  1. Cookies and other similar technologies:
  • What cookies are and what they are used for:

– Cookies are small text files with information that are stored by your browser on your computer’s hard drive or in the memory of your mobile device when you visit the Website. Cookies collect information that facilitates the use of the Website – for example, by remembering a user’s visit and actions performed by him/her.

  • Basic division of cookies:

– Session files – they are saved on the device only during the user’s use of the Website;

– Permanent files – are saved in the browser’s memory for a longer period of time, and this time depends on the specific cookie. They make the use of frequently visited sites easier, as they serve to remember the user’s preferences (selected language, resolution, content layout) and are used during the next visit.

  • With regard to the role a cookie plays in the Website, we distinguish:

– Essential cookies – our use of essential cookies is necessary for the proper functioning of the Website. These cookies are installed in particular for the purpose of remembering login sessions or filling out forms, as well as for the purpose of setting privacy options;

– Functional cookies – remember and customize the website according to the choices of the person visiting the Website, such as language preferences;

– Analytical cookies – allow you to see the number of visits and sources of traffic to the Website. They help determine which pages are more and which are less popular and understand how users navigate the site. This allows us to study statistics and improve the performance of the Website.

  • If any of the cookies used by Beauty Experts processes personal data, the processing takes place:

– in the scope of essential cookies – on the basis of Article 6(1)(f) RODO, i.e. the Administrator’s legitimate interest in the form of proper functioning of the Website;

– in the scope of non-essential cookies – on the basis of Article 6(1)(a) RODO, i.e. the user’s consent.

  • Analytical tools used:

Google Analytics is a web analytics service offered by Google, which processes aggregated, and thus anonymous, statistical data on users visiting the Website. This functionality is used to conduct web analytics, including in order to analyze statistics and reports on the operation of the Website, as well as to learn how users use the Website.

Each user can decide for himself whether data will be collected and processed via Google Analytics, by using the functionality for managing cookies or through his browser settings. Detailed information on the scope and principles of data collection in connection with this service can be found at the following link: https://www.google.com/intl/pl/policies/privacy/partners

  • Cookie management:

  • Cookies that are necessary for the use of the Website are automatically installed on the user’s device, as their use is necessary for the provision of the telecommunications service (data transmission to display content), and the user does not have the option to opt out of these cookies if he or she wishes to use the Website. Non-essential cookies (functional, analytical) are installed only if the user gives permission for their installation. Such consent can be given:

– by clicking the “Accept all” button on the banner that appears after entering the Website – then consent is given for all categories of cookies;

– by “Manage cookies” – then the user can consent to the installation of only selected cookies. In this case, he will be presented with a list of all cookies that he can enable.

– Using the banner functionality on the Website, the user has the right at any time to inspect his settings and to change them, as well as to withdraw the given consent.

  • Changing browser settings and deleting cookies:

In many cases, the Internet browser allows the storage of cookies on the device by default, but the user may at any time change the settings so as to block the automatic handling of cookies or be informed each time they are placed on the device. Detailed information on the possibility and methods of using cookies is available in the settings of your web browser.

 

  1. Rights of the data subject:
  • Right of access, rectification, restriction, erasure or portability – The data subject has the right to request from the Controller access to his/her personal data, their rectification, erasure (“right to be forgotten”) or restriction of processing, and has the right to object to processing, and has the right to portability of their data. The detailed conditions for exercising the rights indicated above are indicated in Articles 15-21 of the RODO.
  • The right to withdraw consent at any time – a person whose data is processed by the Administrator on the basis of expressed consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of the RODO) has the right to withdraw consent at any time without affecting the legality of the processing performed on the basis of consent before its withdrawal.
  • The right to lodge a complaint to a supervisory authority – a person whose data is processed by the Administrator has the right to lodge a complaint to a supervisory authority in the manner and mode specified in the provisions of RODO and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office for Personal Data Protection.
  • Right to object – the data subject has the right to object at any time, for reasons related to his or her particular situation, to the processing of personal data concerning him or her based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the controller), under these provisions. In such a case, the controller shall no longer be allowed to process such personal data, unless the controller demonstrates the existence of compelling legitimate grounds for the processing overriding the interests, rights and freedoms of the data subject, or grounds for establishing, asserting or defending claims.
  • The right to object to direct marketing – if the personal data is processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning him or her for the purposes of such marketing.
  • In order to exercise the rights referred to in this section of the Privacy Policy, the Administrator may be contacted by sending an appropriate message in writing or by e-mail to the Administrator’s address indicated at the beginning of the Privacy Policy.