1. DEFINITIONS
1.1. Controller – DEMI POLAND - Nowak, Skrodzki sp.k., with its registered office in Straszęcin, ul. Inwestycyjna 5, 39-218 Straszęcin, entered into the Register of Entrepreneurs under number KRS: 0000763271, NIP: 8172177237, REGON: 361084610, e-mail: [email protected].
1.2. Personal Data – any information about a natural person who is identified or identifiable by one or more specific factors determining their physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, online identifiers and information collected via cookies or similar technologies.
1.3. Policy – this Privacy Policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.5. Website – the website operated by the Controller at store.woondah.com.
1.6. User – any natural person visiting the Website, making a remote purchase from the Controller or using one or more of the services or functionalities described in the Policy.
2. DATA PROCESSING IN CONNECTION WITH WEBSITE USE
2.1. In connection with the User’s use of the Website, the Controller collects data to the extent necessary for the provision of individual offered services, remote sales, as well as information about the User’s activity on the Website. Detailed rules and purposes of personal data processing collected during the User’s use of the Website are described below.
3. PURPOSES AND LEGAL BASES FOR DATA PROCESSING ON THE WEBSITE
3.1. [Website Use] Personal data of all individuals using the Website (including IP address or other identifiers and information collected via cookies or similar technologies), who are not registered Users (i.e., persons who do not have an account on the Website), are processed by the Controller:
3.1.1. for the purpose of providing electronic services in the scope of making content gathered on the Website available to Users, providing contact forms, presenting invitations to submit offers, and conducting remote sales – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR);
3.1.2. for the purpose of handling purchases made without registration on the Website – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR);
3.1.3. for the purpose of handling complaints – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR);
3.1.4. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting of analyzing Users’ activity and preferences to improve the functionalities used and services provided;
3.1.5. for the possible establishment and pursuit of claims or defense against them – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting of the protection of its rights;
3.1.6. for the Controller’s marketing purposes, in particular related to the presentation of behavioral advertising – the principles for processing personal data for marketing purposes are described in the “MARKETING” section.
3.2. User activity on the Website, including personal data, is recorded in system logs (a special computer program for chronologically storing records of events and actions related to the IT system used to provide services by the Controller). Information collected in logs is processed in connection with service provision. The Controller also processes it for technical purposes; in particular, such data may be temporarily stored and processed to ensure the security and proper functioning of IT systems, e.g., in connection with backups, testing system changes, detecting irregularities, or protecting against abuse and attacks.
3.3. [Placing Orders] Placing an order (purchasing goods or services) by a User of the Website involves processing their personal data. Providing data marked as required, along with a contact phone number, is necessary to accept and fulfill the order; failure to provide such data will result in the inability to complete the order. Providing additional data is optional.
3.4. Personal data is processed:
3.4.1. for the purpose of fulfilling the placed order – the legal basis is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR); in the scope of optional data, the legal basis is consent (Article 6(1)(a) of the GDPR);
3.4.2. for the purpose of fulfilling legal obligations imposed on the Controller, especially those arising from tax and accounting regulations – the legal basis is a legal obligation (Article 6(1)(c) of the GDPR);
3.4.3. for analytical and statistical purposes – the legal basis is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting of analyzing User activity on the Website and their purchasing preferences to improve the functionalities used;
3.4.4. for the possible establishment and pursuit of claims or defense against them – the legal basis is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting of the protection of its rights.
3.5. [Contact Forms] The Controller allows Users to contact it via electronic contact forms. Using the form requires providing personal data necessary to contact the User and respond to the inquiry. The User may also provide additional data to facilitate contact or handling the inquiry. Providing data marked as required, and providing true and correct data, is necessary to accept and handle the inquiry; failure to do so, or providing false or incorrect data, will result in the inability to process the inquiry. Providing additional data is voluntary.
3.6. Personal data is processed:
3.6.1. for the purpose of identifying the sender and handling their inquiry submitted via the contact form – the legal basis is the necessity of processing for the performance of the service agreement (Article 6(1)(b) of the GDPR);
3.6.2. for analytical and statistical purposes – the legal basis is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting of compiling statistics on inquiries submitted via the Website to improve its functionality.
4. MARKETING
4.1. If the User has given consent to receive marketing information via e-mail, their personal data will be processed for the purpose of sending such information. The legal basis for data processing is the Controller’s legitimate interest in sending marketing communications within the scope of the User’s consent (direct marketing). The User has the right to object to the processing of data for direct marketing purposes, including profiling. The data will be stored for this purpose as long as the Controller has a legitimate interest, unless the User objects to receiving marketing messages.
4.2. The Controller may collect and display individual reviews from satisfied Users. With the User’s consent, the Controller may publish their review along with their first and last name on its website: store.woondah.com. If you would like to update or delete your review, you may contact us at [email protected].
4.3. At the User’s request, the Controller may send electronic notifications regarding the availability of products specified by the User. The condition for sending such information is the User’s consent to receive product-related e-mails and to the processing of their personal data.
5. SOCIAL MEDIA
5.1. The Controller processes personal data of Users visiting the Controller’s social media profiles. These data are processed solely in connection with operating the profiles, including for the purpose of informing Users about the Controller’s activities, promoting various events, services, and products, as well as communicating with Users via the functionalities available on social media platforms.
The legal basis for processing personal data by the Controller for this purpose is its legitimate interest (Article 6(1)(f) of the GDPR), consisting of promoting its own brand and building and maintaining a community related to the brand.
6. COOKIES AND SIMILAR TECHNOLOGIES
6.1. Cookies are small text files installed on the User’s device while browsing the Website. Cookies collect information that facilitates the use of the website – for example, by remembering the User’s visits and actions on the Website.
6.2. [Service Cookies]
The Controller uses so-called service cookies primarily to provide the User with electronic services and to improve the quality of these services. Therefore, the Controller and other entities providing analytical and statistical services for the Controller use cookies, storing or accessing information already stored on the User’s end device (computer, phone, tablet, etc.). Cookies used for this purpose include:
6.2.1. cookies with data entered by the User (session ID) for the duration of the session (user input cookies);
6.2.2. authentication cookies used for services requiring authentication during the session (authentication cookies);
6.2.3. cookies used to ensure security, e.g., to detect authentication abuses (user-centric security cookies);
6.2.4. multimedia player session cookies (e.g., flash player cookies), for the duration of the session (multimedia player session cookies);
6.2.5. persistent cookies used to personalize the User interface for the duration of the session or slightly longer (user interface customization cookies);
6.2.6. cookies used to remember the contents of the shopping cart during the session (shopping cart cookies);
6.2.7. cookies used to monitor website traffic, i.e., data analytics cookies, including Google Analytics cookies (used by Google to analyze how the User uses the Website, to create statistics and reports on Website functioning). Google does not use the collected data to identify the User, nor does it combine this information to enable identification.
Details about the scope and rules of data collection related to this service are available at:
https://www.google.com/intl/pl/policies/privacy/partners
Users may disable tracking by Google Analytics via:
https://tools.google.com/dlpage/gaoptout/
6.3. The Controller uses cookies to identify the User’s country at the shipping data entry stage. This allows the Controller to present, among other things, the total cost of the transaction, including the delivery destination.
6.4. The Website uses the Microsoft Clarity tool provided by Microsoft Corporation (One Microsoft Way, Redmond, Washington, USA) to monitor, record, and analyze User behavior on the Website.
The tool collects, records, organizes, stores, and analyzes actions such as navigation, clicks, scrolling, cursor movement, session recordings, heatmaps, and more. It also gathers information about location, device, operating system, browser, and cookies.
Data is processed in a pseudonymized form (not sufficient for identifying a person) and in aggregate.
More information on the Microsoft Clarity Privacy Policy, as well as access and control of your personal data, is available at:
https://privacy.microsoft.com/en-us/privacystatement
7. DATA RETENTION PERIOD
7.1. The period of data processing by the Controller depends on the type of service provided and the purpose of the processing. As a general rule, data is processed for the duration of the service or order fulfillment, until the withdrawal of granted consent, or until a valid objection is submitted in cases where the legal basis for processing is the Controller’s legitimate interest.
7.2. The data processing period may be extended if the processing is necessary for the establishment, exercise, or defense of potential claims, and thereafter only in cases and to the extent required by law. After the expiration of the processing period, the data is irreversibly deleted or anonymized.
8. USER RIGHTS
8.1. Individuals whose data is being processed have the following rights:
8.1.1. Right to information – upon request, the Controller provides information about the processing of personal data, including the purposes and legal bases of processing, the scope of the data held, recipients of the data, and the planned date of its deletion;
8.1.2. Right to obtain a copy of the data – the Controller provides a copy of the processed data related to the requesting person;
8.1.3. Right to rectification – the Controller corrects any inconsistencies or errors in the processed personal data and supplements or updates it if it is incomplete or has changed;
8.1.4. Right to erasure (right to be forgotten) – you may request the deletion of data that is no longer necessary for any of the purposes for which it was collected;
8.1.5. Right to restriction of processing – the Controller ceases data processing operations, except for those to which the individual has consented, and stores the data in accordance with retention rules or until the reason for restriction ceases (e.g., a supervisory authority decision allowing further processing);
8.1.6. Right to data portability – to the extent that data is processed in connection with a contract or consent, the Controller provides the data in a format allowing it to be read by a computer. It is also possible to request that the data be transferred to another entity, provided this is technically feasible;
8.1.7. Right to object to data processing for marketing purposes – the data subject may object at any time to the processing of their data for direct marketing purposes, including profiling, without the need to justify such objection;
8.1.8. Right to object to processing for other purposes – the data subject may object at any time to the processing of their data based on the Controller’s legitimate interest (e.g., for analytical or statistical purposes or for the protection of property). Such objection should include a justification and will be evaluated by the Controller;
8.1.9. Right to withdraw consent – if the data is processed based on consent, it may be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal;
8.1.10. Right to lodge a complaint – if it is believed that the processing of personal data violates the GDPR or other data protection laws, a complaint may be submitted to the President of the Personal Data Protection Office.
8.2. Requests regarding the exercise of data subject rights may be submitted:
8.2.1. in writing to the Controller’s address: DEMI POLAND - Nowak, Skrodzki sp.k., ul. Inwestycyjna 5, 39-218 Straszęcin;
8.2.2. via e-mail to: [email protected].
8.3. The request should, if possible, clearly indicate what the request concerns, in particular:
8.3.1. which right the individual wants to exercise (e.g., right to obtain a copy of the data, right to erasure, etc.);
8.3.2. what processing the request refers to (e.g., use of a particular service, activity on a specific website, receiving a newsletter with commercial content to a specific e-mail address, etc.);
8.3.3. what processing purposes the request concerns (e.g., marketing, analytics, etc.).
8.4. If the Controller is unable to determine the content of the request or identify the person submitting it based on the submission, the Controller will request additional information from the requester.
8.5. A response to the request will be provided within one month of its receipt. If necessary, the Controller may extend this period and will inform the requester of the reasons for the extension.
8.6. The response will be sent to the e-mail address from which the request was submitted, or by standard mail to the address provided by the requester, unless the content of the letter clearly indicates the preference to receive the response via e-mail (in which case the e-mail address should be provided).
9. DATA RECIPIENTS
9.1. In connection with the provision of services, personal data may be disclosed to external entities, in particular:
- IT system service providers,
- banks and payment operators,
- accounting, legal, auditing, and consulting service providers,
- courier companies (in connection with order fulfillment),
- and entities affiliated with the Controller.
9.2. The Controller reserves the right to disclose selected information about the User to competent authorities or third parties who request such information, based on the relevant legal basis and in accordance with applicable law.
10. DATA TRANSFERS OUTSIDE THE EEA
10.1. The level of personal data protection outside the European Economic Area (EEA) differs from that guaranteed by European law. Therefore, the Controller transfers personal data outside the EEA only when necessary and with an adequate level of protection, ensured in particular by:
10.1.1. cooperation with entities processing personal data in countries for which the European Commission has issued an adequacy decision;
10.1.2. use of standard contractual clauses issued by the European Commission;
10.1.3. application of binding corporate rules approved by the competent supervisory authority;
10.1.4. in the case of transfers to the USA – cooperation with entities participating in the Privacy Shield program approved by the European Commission.
10.2. Transfers of data outside the EEA occur in connection with order fulfillment (e.g., couriers, customs offices) and the use of cloud services by the Controller provided by Google LLC for file and data storage.
10.3. The Controller may also transfer data outside the EEA in the absence of an adequacy decision or appropriate safeguards as referred to in Articles 45(3) and 46 of the GDPR, including binding corporate rules – but only when the transfer is necessary for the performance of a contract concluded in the data subject’s interest (e.g., delivering an order to the User’s address).
11. PERSONAL DATA SECURITY
11.1. The Controller conducts ongoing risk analysis to ensure that personal data is processed in a secure manner — ensuring in particular that:
- only authorized persons have access to the data,
- only to the extent necessary for their tasks,
- and that all operations on personal data are recorded and performed by authorized staff or collaborators.
11.2. The Controller also takes all necessary steps to ensure that its subcontractors and other cooperating entities provide guarantees of applying appropriate security measures whenever they process personal data on behalf of the Controller.
12. CONTACT DETAILS
12.1. You can contact the Controller by:
- e-mail: [email protected],
- or by post at the following address:
DEMI POLAND – Nowak, Skrodzki sp.k.
ul. Inwestycyjna 5,
39-218 Straszęcin
13. PRIVACY POLICY CHANGES
13.1. This Privacy Policy is reviewed on an ongoing basis and updated as necessary.