- GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Personal data - all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, internet identifier and information collected for via cookies and other similar technology.
- Personal data administrator, Administrator - Oakywood sp. z o.o. with the registered office in Ciche, 34-407 Ciche 35B, entered into the Register of Entrepreneurs of the National Court Register maintained by the Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie Wydział XII Gospodarczy KRS under the number: 0000894372, fiscal identification number (NIP): 7352896281;
- Store - online store run by the Administrator at oakywood.shop;
- User - any natural person visiting the Store or using one or several services or functionalities described in the Policy.
II. PERSONAL DATA PROCESSING IN CONNECTION WITH THE USE OF THE STORE
In connection with the User's use of the Store, the Administrator collects data to the extent necessary to provide the services offered, as well as information about the User's activity in the Store. Detailed rules and purposes for processing personal data collected while using the Store by the User are described below.
III. OBJECTIVES AND LEGAL BASIS FOR DATA PROCESSING
- USE OF THE STORE
- Personal data of all persons using the Store (including the IP address or other identifiers and information collected via cookies or other similar technologies) are processed by the Administrator:
- in order to provide services electronically in the scope of making content collected in the Store available to Users, providing contact forms - then the legal basis for processing is the necessity of processing to perform the contract (art. 6 paragraph 1 letter b of the GDPR);
- to support purchases made without registering in the Store - then the legal basis for processing is the necessity of processing to perform the contract (art. 6 paragraph 1 letter b of the GDPR);
- to handle complaints - then the legal basis for processing is the necessity of processing to perform the contract (art. 6 paragraph 1 letter b of the GDPR);
- for analytical and statistical purposes - then the legal basis for processing is the justified interest of the Administrator (art. 6 paragraph 1 letter f of the GDPR) consisting in conducting analyzes of Users' activity as well as their preferences in order to improve the functionalities and services provided;
- in order to possibly determine and assert claims or defend against them - the legal basis for processing is the justified interest of the Administrator (art. 6 paragraph 1 letter f of the GDPR) consisting in the protection of his rights;
- for Administrator's marketing purposes
- PLACING ORDERS
- Placing an order (purchase of a good or service) by a Store User is associated with processing of his personal data. Providing data marked as mandatory is required to accept and process the order, and failure to do so results in the lack of its implementation. Providing other data is optional.
- Personal data is processed:
- in order to process the order placed - the legal basis for processing is the necessity of processing to perform the contract (art. 6 paragraph 1 letter b of the GDPR); in the scope of optional data, the legal basis for processing is consent (art. 6 paragraph 1 letter a GDP)
- in order to implement the statutory obligations incumbent on the Administrator, resulting in particular from tax and accounting regulations - the legal basis for processing is the legal obligation (art. 6 paragraph 1 letter c of the GDPR);
- for analytical and statistical purposes - the legal basis for processing is the Administrator's justified interest (art. 6 paragraph 1 letter f GDP) consisting in conducting analyzes of Users' activities in the Store, as well as their shopping preferences in order to improve the functionalities used;
- in order to possibly determine and assert claims or defend against them - the legal basis for processing is the Controller's legitimate interest (art. 6 paragraph 1 letter f GDP) consisting in the protection of his rights.
- CONTACT FORMS
- Administrator provides the possibility of contacting him using electronic contact forms as well as via e-mail address or other forms of communication indicated on the Store's website. Using the form or making contact via e-mail address or other forms of communication indicated on the Store's website requires providing personal data necessary to contact the User and answer the inquiry. The User may also provide other data to facilitate contact or service the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to do so results in the inability to handle. Providing other data is voluntary.
- Personal data is processed:
- to identify the sender and handle his inquiry sent via the provided form - the legal basis for processing is the necessity of processing to perform the service contract ( 6 paragraph 1 letter b of the GDPR);
- for analytical and statistical purposes - the legal basis for processing is the legitimate interest of the Administrator ( 6 paragraph 1 letter f GDPR) consisting in keeping statistics of inquiries submitted by Users via the Store in order to improve its functionality.
- MARKETING OBJECTIVES
- The Administrator processes Users' personal data in order to carry out marketing activities that may consist of:
- displaying marketing content relevant to the User's interests (behavioral advertising);
- sending e-mail notifications about interesting offers or content, which in some cases contain commercial information;
- In order to implement marketing activities, the Administrator uses profiling in some cases. This means that due to automatic data processing, the Administrator assesses selected factors regarding natural persons in order to analyze their behavior or create a forecast for the future.
- BEHAVIORAL ADVERTISING
- This consent may be withdrawn at any time.
- DIRECT MARKETING
If the User has agreed to receive marketing information via e-mail, the User's personal data will be processed for the purpose of sending such information. The basis for data processing is the legitimate interest of Administrator consisting in sending marketing information within the limits of consent given by the User (direct marketing). The User has the right to object to data processing for the purposes of direct marketing, including profiling. The data will be stored for this purpose for the duration of the legally legitimate interest of Administrator, unless the User objects to receiving marketing information.
- Personal data is processed:
- in order to provide the newsletter sending service - the legal basis for processing is the necessity of processing to perform the contract (Article 6 paragraph 1 letter b of the GDPR);
- in the case of sending marketing content to the User as part of the newsletter - the legal basis for processing, including profiling, is the legitimate interest of Administrator (Article 6 paragraph 1 letter f of the GDPR) in connection with the consent expressed to receive the newsletter;
- for analytical and statistical purposes - the legal basis for processing is Administrator's legitimate interest (Article 6 paragraph 1 letter f of the GDPR) consisting in conducting analyzes of Users' activity on a given Website in order to improve the functionalities used;
- in order to possibly establish and pursue claims or defend against them - the legal basis for processing is the legitimate interest of Administrator (Article 6 paragraph 1 letter f of the GDPR).
VI. SOCIAL MEDIA
- Administrator processes the personal data of Users visiting the Administrator's profiles in social media (Facebook, Pinterest, Instagram, YouTube, Twitter). These data are processed only in connection with keeping the profile, including to inform Users about the Administrator's activity and to promote various types of events, services and products, as well as to communicate with users through the functionalities available on social media. The legal basis for the processing of personal data by the Administrator for this purpose is its legitimate interest (Article 6 paragraph 1 letter f of the GDPR) consisting in promoting its own brand and building and maintaining a brand-related community.
- There are integrated social media plugins on the Store's website. This means that if the User clicks on one of these buttons, certain information will be shared with the providers of these social media channels. If the User is logged in to a given social account at the same time, the social network service provider may connect this information with the User's account on the social channel and make the activities on the User's profile public in such a way that they will be shared with other network users.
- Plug-ins, the so-called plug-ins of social networks, incl. Facebook, Pinterest, Instagram, YouTube and others may be on the Store's website. The related services are provided respectively by:
- Facebook and Instagram are operated by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbor, Dublin 2 and Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA Facebook;
- Pinterest is operated by: Pinterest Europe Ltd., an Irish company with its registered office at: Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland or Pinterest Inc., 651 Brannan Street, San Francisco, CA 94103;
- YouTube is operated by: Google, 1600 Amphitheater Parkway Mountain View, CA 94043 United States;
- Twitter is operated by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
- The plug provides its supplier only with information about the time when the User had access to the Store. If, while viewing the Store's website or staying on it, the User is logged in to his account located, for example, on Facebook, the provider is able to combine the User's interests, information preferences, and other data obtained, for example, by clicking the "Like" button or leaving comment, or enter the profile name in the searched ones. Such information will also be transmitted directly to the provider via the browser. To avoid recording a visit to the selected User account of a given provider of the social media portal on the Store's website, log out of the account before browsing the Store.
- Facebook: http://www.facebook.com/policy.php ; further information on personal data collection: http://www.facebook.com/help/186325668085084 http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook has joined the "Privacy Shield" agreement between the EU and the US, https://www.privacyshield.gov/EU-US-Framework;
- Instagram: https://help.instagram.com/519522125107875;
- Google: google.de/intl/de/policies/privacy and https://www.youtube.com/howyoutubeworks/policies/community-guidelines/. Google has joined the "Privacy Shield" agreement between the EU and the US www.privacyshield.gov/EU-US-Framework;
- Pinterest: https://policy.pinterest.com/pl/privacy-policy;
- Twitter: https://twitter.com/privacy. Twitter has joined the "Privacy Shield" agreement between the EU and the US, https://www.privacyshield.gov/EU-US-Framework.
- Video materials are published on the Store's website, which are posted on the YouTube portal. All these videos are subject to the "extended data protection mode", which means that no data about you as a user is transferred to YouTube if you do not play the videos. Personal data is only transferred once the video has been played. We have no influence on this type of data transmission.
- In the event of visiting the Store's website and playing a given video material posted on YouTube, YouTube receives information that you have opened the given video material on the Store's website, which involves the transfer of personal data to YouTube. This takes place regardless of whether YouTube provides a User account through which you are logged in, or whether there is no User account. If you are logged in to Google (and hence to YouTube), your data will be directly assigned to your account. If you do not wish to be assigned to your YouTube profile, please log out before playing the video. YouTube saves your data as user profiles and uses them for the purposes of advertising, market research and to design its website as required. This analysis is carried out in particular (also for users who are not logged in) to present demand-driven advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles, but to exercise this right, please contact YouTube.
- Further information on the purpose and scope of data collection and processing by YouTube can be found in the data protection declaration. There, you will also receive further information on your rights and the settings options to protect your privacy: google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and complies with the EU-US-Privacy-Shield, www.privacyshield.gov/EU-US-Framework.
VII.COOKIES AND SIMILAR TECHNOLOGY
Cookies are small text files installed on the device of the User browsing the Store. Cookies collect information that facilitates the use of the website - e.g. by remembering User's visits to the Store and activities performed by him.
- "SERVICE" COOKIES
- cookies with data entered by the User (session ID) for the duration of the session (user input cookies);
- authentication cookies used for services that require authentication for the duration of the session (authentication cookies);
- cookies used to ensure security, e.g. used to detect fraud in the field of authentication (user centric security cookies);
- session cookies of multimedia players (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);
- persistent cookies used to personalize the User interface for the duration of the session or a little longer (user interface customization cookies),
- cookies used to remember the contents of the basket for the duration of the session (shopping cart cookies);
- To collect statistics, Administrator uses the Google Analytics product, thus the data of the User visiting the Website will be obtained by Google, 1600 Amphitheater Parkway Mountain View, CA 94043 United States. Google is certified under the Privacy Shield program. As part of the agreement between the US and the European Commission, the latter has established an adequate level of data protection in the case of companies certified by the Privacy Shield. It is possible to block Google Analytics access to the User's data after the user installs the plugin in the browser at the link: https://tools.google.com/dlpage/gaoptout/. If you are interested in the details related to data processing as part of Google Analytics, we encourage you to read the explanations prepared by Google: https://policies.google.com/privacy?hl=pl.
- “MARKETING” COOKIES
- GOOGLE ADS, FACEBOOK PIXEL
- Store's website uses the Google Ads program.
- Google Ads is a program of Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, United States ("Google"). As part of Google Ads, the Administrator uses the so-called conversion tracking. When you click on an ad served by Google, a conversion tracking cookie is set. Cookies are small text files that are saved in the internet browser on the user's computer. These cookies lose their validity after 30 days and are not used to identify you personally. If the user visits certain pages of this website and the cookie has not yet expired, Google and the website of the Store are informed that the user has been redirected to this page after clicking on the ad.
- Each Google Ads customer receives a different cookie. Cookies cannot be tracked through the websites of Ads customers. The information collected using the conversion cookie is used to compile conversion statistics for Ads customers who have opted for conversion tracking. Customers are told the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that could be used to identify the user. If you do not want to participate in conversion tracking, you can object to the use of this feature. For this, it is sufficient to deactivate the Google conversion tracking cookie in your internet browser. You will then not be included in the conversion tracking statistics.
- Conversion cookies are stored based on art. 6 paragraph 1 letter f of the GDPR. The website operator has a legitimate interest in analyzing user behavior to optimize both its website and its advertising.
- You can set your browser so that you are informed about the generation of cookies and allow them only on a case-by-case basis, not to accept cookies on a case-by-case basis or in general, and to activate the automatic deletion of cookies when closing the browser. Disabling cookies may limit the functionality of this website.
- In order to conduct effective marketing campaigns and promotions of Goods sold by Administrator through the Online Store, Administrator uses the "Facebook Pixel" option, which is provided by the Facebook social network operated by Facebook Inc., 1601 S. California Ave., Palo Alto, CA 94304 , USA or, for EU residents, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland ("Facebook"). Facebook Pixel is a code fragment placed on the Online Store website. It allows Facebook to identify people visiting the Administrator's web content as a target group to display ads on Facebook on their social profiles (e.g. as part of sponsored ads), which we understand as our legitimate interest (art. 6 paragraph 1 letter f of the GDPR). As part of the Facebook Pixel function, it is therefore possible to display the Administrator's published ads on Facebook only to Facebook users who have shown interest in our services or who have certain common factors (such as interests in certain topics or products determined on the basis of the visited tabs on our website, viewed products) that we pass on to Facebook (this results from the operation of Pixel installed on our website). The Facebook Pixel function also helps the Administrator understand the effectiveness of Facebook ads for statistical and market research purposes, showing whether users have been redirected to our services after clicking on an ad on Facebook (the so-called conversion, allowing to determine on which devices the user performs the activity), in order to create the so-called similar audiences or statistical twins (i.e. serving advertisements to target groups similar to existing customers) and obtaining comprehensive statistics on site usage. During your visit to our website, the Facebook Pixel function establishes a direct connection to Facebook's servers. Thus, the Facebook server is notified that the User has visited our website, and Facebook assigns this information to the personal Facebook user account.
- Further information on the collection and use of data by Facebook and your privacy rights and options can be found in the data protection policy of Facebook at https://www.facebook.com/about/privacy/update. Specific information and details about Facebook Pixel's features and how it works are available in the Facebook help section at https://www.facebook.com/business/help/651294705016616. This feature can be disabled as shown at https://www.facebook.com/settings?tab=ads. To do this, you must log in to Facebook.
- You can object to our use of Facebook Piksel using your personal data as follows: Users who have a Facebook account by clicking on the following link: https://www.facebook.com/ads/preferences.
- Anyone can opt out of viewing interest-based advertising displayed by Facebook or its affiliates through the European Interactive Digital Advertising Alliance (opt-out) by clicking on the following link: http://www.youronlinechoices.com/en/your choices.
- Please note that when the cookie blocking is removed, the data will be collected again by Facebook Pixel.
VIII. PERIOD OF PROCESSING OF THE PERSONAL DATA
We will process personal data for the duration of the contract and the time necessary to demonstrate performance of the contract, i.e. for the duration of the limitation period for claims.
IX. USER’S ENTITLEMENTS
- Data subjects have the following rights:
- The right to information on the processing of personal data - the Administrator provides information on the processing of personal data, including primarily the purposes and legal grounds for processing, the scope of data held, entities to whom personal data is disclosed and the planned date of their removal;
- The right to obtain a copy of the data - the Administrator provides a copy of the processed data regarding the person making the request;
- Right to rectification - the Administrator removes any incompatibilities or errors regarding personal data being processed, and supplements or updates them if they are incomplete or have changed;
- The right to delete data (the so-called right to forget) - is the basis for requesting the deletion of data whose processing is no longer necessary to achieve any of the purposes for which it was collected;
- The right to limit processing - the Administrator ceases to carry out operations on personal data, with the exception of operations to which the data subject has consented and their storage, in accordance with the adopted retention rules, or until the reasons for limiting data processing cease (e.g. a decision will be issued supervisory authority authorizing further processing of data);
- The right to transfer data - to the extent that data is processed in connection with the concluded contract or expressed consent, the Administrator issues data provided by the person to whom they relate, in a format that can be read by a computer. It is also possible to request that the data be sent to another entity - provided that both the Administrator and another entity to which the data are sent have appropriate technical conditions enabling such transmission;
- The right to object to the processing of data for marketing purposes - the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such an objection;
- The right to object to other purposes of data processing - the data subject may at any time object to the processing of personal data on the basis of the justified interest of the Administrator (e.g. for analytical or statistical purposes or for reasons related to the protection of property). An objection in this respect should contain a justification and is subject to the Administrator's assessment;
- The right to withdraw consent - if the data are processed on the basis of consent, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before the withdrawal of this consent;
- Right to complain - if it is considered that the processing of personal data violates the provisions of the GDPR or other provisions regarding the protection of personal data, the data subject may submit a complaint to the President of the Office for Personal Data Protection.
- An application regarding the exercise of the rights of data subjects, together with an indication of which request we make, can be submitted:
- in writing to the address of the seat of Oakywood sp. z o.o. with the registered office in Ciche, 34-407 Ciche 35B;
- by Administrator’s email: email@example.com;
- If the Administrator will not be able to determine the content of the request or identify the person submitting the application based on the application, he will ask the applicant for additional information.
- Answers to applications will be given within one month of receipt. If it is necessary to extend this period, the Administrator will inform the applicant about the reasons for such extension.
- The answer will be given to the e-mail address from which the application was sent, and in the case of applications sent by letter, by ordinary letter to the address indicated by the applicant, unless the content of the letter indicates the desire to receive feedback to the e-mail address (in this case you must provide an email address).
X. DATA RECIPIENTS
- In connection with the provision of services, personal data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems, entities such as payment operators, entities providing accounting, legal, auditing, consulting services, couriers (in connection with the implementation of the order).
- In particular, personal data will be disclosed to the following external entities:
- Shopify International Ltd., Ireland 2nd Floor 1-2 Victoria Buildings Haddington Road Dublin 4, D04 XN32 Ireland or Shopify Inc. 151 O’Connor Street Ground floor, Ottawa, ON K2P 2L8 Canada - as the entity operating the internet platform on which the Online Store website is located and also as the entity servicing the Stripe payment methods available on the Online Store website;
- PayPal (Europe) S.à r.l. & Cie, S.C.A with the registered office in L-1150 w Luxemburg or PayPal Inc. 303 Bryant Street Mountain View, California 94041 U.S.A. - as an entity operating the PayU online transfer system, through which it is possible to make payments for goods purchased on the Store's website;
- Klarna Inc., 629 N. High St., Suite 300, Columbus, Ohio 43215 - as an entity operating the PayU online transfer system, through which it is possible to make payments for goods purchased on the Store's website;
- DHL Parcel Polska spółka z ograniczoną odpowiedzialnością with its registered office at ul. Osmańska 2, in Warsaw 02-823 - as an entity that is a carrier and performs the delivery of goods purchased on the Store's website;
- DHP Express (Poland) spółka z ograniczoną odpowiedzialnością with its registered office at Wirażowa 37, Warsaw 02-158 - as an entity that is a carrier and performs the delivery of goods purchased on the Store's website;
- UPS Polska spółka z ograniczoną odpowiedzialnością with its registered office at Prądzyńskiego 1/3 01-222 Warszawa - as an entity that is a carrier and performs the delivery of goods purchased on the Store's website
- Administrator reserves the right to disclose selected information about the User to the competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.
XI. TRANSFER OF PERSONAL DATA OUTSIDE EEA
XII. SECURITY OF THE PERSONAL DATA
- Administrator conducts a risk analysis on an ongoing basis to ensure that personal data is processed by him in a safe manner - ensuring, above all, that only authorized persons have access to the data and only to the extent that it is necessary due to the not the job. The administrator makes sure that all operations on personal data are recorded and performed only by authorized employees and colleagues.
- Administrator shall take all necessary steps to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures in each case when they process personal data on behalf of the Administrator.
XIII. CONTACT DETAILS
Contact with the Administrator is possible in writing to the address of the seat of Administrator at: Oakywood sp. z o.o. with the registered office in Ciche, 34-407 Ciche 35B or by Administrator’s email: firstname.lastname@example.org;
XIV. SALE TO CUSTOMERS IN THE UNITED STATES OF AMERICA
The policy is reviewed on an ongoing basis and updated as necessary.