Privacy Policy

§ 1

General Provisions

1. This Privacy Policy defines the rules for processing personal data obtained through the website WWW.PROFUMOLABO.COM (hereinafter referred to as: the "Website").
2. The data controller is the PROFUMO LABO Online Store operated by PROFUMO LABO SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office at Al. Jerozolimskie 98, 00-807 Warsaw, entered into the Register of Entrepreneurs of the National Court Register by the DISTRICT COURT FOR THE CAPITAL CITY OF WARSAW IN WARSAW, 12TH COMMERCIAL DIVISION OF THE NATIONAL COURT REGISTER under KRS number 0000918422, NIP: 7011046498, REGON: 389550609.
3. Personal data collected by PROFUMO LABO SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office at Al. Jerozolimskie 98, 00-807 Warsaw via the PROFUMO LABO online store, hereinafter referred to as: the Controller, are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also known as GDPR.
4. The Controller takes special care to respect the privacy of Users visiting the Website.

§ 2

Type and Purposes of Processed Data

1. The Controller collects information regarding natural persons conducting business or professional activities in their own name, and natural persons representing legal persons or organizational units that are not legal persons but are granted legal capacity by law, hereinafter collectively referred to as Users.
2. Personal data of Users are collected in the event of:
   1. registration of an account on the Website for the purpose of creating and managing an individual account. Legal basis: necessity for the performance of the Account service agreement,
   2. placing an order on the Website for the purpose of performing the agreement. Legal basis: necessity for the performance of the agreement for the provision of the service.
3. In the case of account registration on the Website, the User provides:
   1. e-mail address,
   2. address details,
   3. first and last name,
   4. phone number.
4. In the case of Entrepreneurs, the above scope of data is additionally extended to include the Entrepreneur's company name and NIP (Tax ID) number.
5. During account registration on the Website, the User independently sets an individual password to access their account. The User can change the password at a later time.
6. In the case of placing an order on the Website, the User provides the following data:
   1. e-mail address,
   2. address details,
   3. first and last name,
   4. phone number.
7. In the case of Entrepreneurs, the above scope of data is additionally extended to include the Entrepreneur's company name and NIP (Tax ID) number.
8. The provision of personal data to the Store is voluntary in connection with the concluded sales agreements, with the reservation, however, that failure to provide the data specified in the forms will prevent the placement and fulfillment of the User's order.

§ 3

Selected Data Protection Methods Used by the Controller

1. Login and personal data entry areas are protected in the transmission layer (SSL certificate). Thanks to this, personal data and login data entered on the site are encrypted on the user's computer and can only be read on the target server.
2. Personal data stored in the database are encrypted in such a way that only the Operator holding the key can read them. This protects the data in the event of the database being stolen from the server.
3. To protect data, the Operator regularly performs security backups.
4. An essential element of data protection is the regular updating of all software used by the Operator to process personal data, which in particular means regular updates of programming components.

§ 4

Sharing or Entrusting Data

1. User's personal data are transferred to service providers used by the Controller in operating the Website. Service providers to whom personal data are transferred, depending on contractual arrangements and circumstances, either follow the Controller's instructions regarding the purposes and methods of processing such data (processors) or independently determine the purposes and methods of their processing (controllers).
   1. Processors. The Controller uses providers who process personal data only at the Controller's instruction. These include, among others, providers of hosting services, accounting services, marketing systems, website traffic analysis systems, and marketing campaign effectiveness analysis systems;
   2. Controllers. The Controller uses providers who do not act solely on instruction and set the purposes and methods of using Users' personal data themselves. They provide electronic payment services and banking services.
2. Users' personal data are stored:
   1. where the basis for processing is the Controller's legitimate interest, the User's personal data are processed by the Controller until consent is withdrawn, and after withdrawal for a period corresponding to the limitation period for claims that the Controller may raise or that may be raised against the Controller. Unless a specific provision states otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to conducting business activity - three years.
   2. where the basis for processing is the performance of an agreement, the User's personal data are processed by the Controller as long as it is necessary for the performance of the agreement, and thereafter for a period corresponding to the limitation period for claims. Unless a specific provision states otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to conducting business activity - three years.
3. Upon request, the Controller shares personal data with authorized state authorities, in particular organizational units of the Prosecutor's Office, the Police, the President of the Personal Data Protection Office, the President of the Office of Competition and Consumer Protection, or the President of the Office of Electronic Communications.

§ 5

Rights of Data Subjects

1. Right to withdraw consent:
   1. The User has the right to withdraw any consent given to the Controller.
   2. Withdrawal of consent takes effect from the moment of withdrawal.
   3. Withdrawal of consent does not affect the processing carried out by the Controller in accordance with the law before its withdrawal.
   4. Withdrawal of consent does not entail any negative consequences for the User, but it may prevent further use of services or functionalities that the Controller can legally provide only with consent.
2. Right to object to data processing:
   1. The User has the right to object at any time – for reasons related to their particular situation – to the processing of their personal data, including profiling, if the Controller processes their data based on a legitimate interest, conducting statistics on the use of individual Website functionalities, facilitating the use of the Website, or satisfaction surveys.
   2. Resignation via e-mail from receiving marketing communications regarding products or services will constitute the User's objection to the processing of their personal data, including profiling for these purposes.
   3. If the User's objection proves justified and the Controller has no other legal basis for processing, the User's personal data will be deleted.
3. Right to erasure (right to be forgotten):
   1. The User has the right to request the deletion of all or some personal data.
   2. The User has the right to request erasure if:
      • the personal data are no longer necessary for the purposes for which they were collected or processed,
      • they have withdrawn the specific consent to the extent the data were processed based on it,
      • they have objected to the use of their data for Marketing purposes,
      • the personal data are processed unlawfully,
      • the personal data must be erased to comply with a legal obligation under Union or Member State law.
   3. Despite the request for erasure, in connection with an objection or withdrawal of consent, the Controller may retain certain personal data to the extent necessary for the establishment, exercise, or defense of claims, as well as to comply with a legal obligation requiring processing under Union or Member State law. This applies in particular to personal data including: first name, last name, e-mail address (retained for handling complaints and claims related to the use of Website services), and additionally home address/correspondence address, order number (retained for handling complaints and claims related to sales agreements or provision of services).
4. Right to restriction of processing:
   1. The User has the right to request restriction of processing. Submitting such a request prevents the use of certain functionalities or services, the use of which would involve processing the data covered by the request, until it is resolved. The Controller will also not send any communications, including marketing ones.
   2. The User has the right to request restriction of use in the following cases:
      • when they contest the accuracy of their personal data – the Controller then restricts use for the time needed to verify accuracy, not longer than 7 days,
      • when processing is unlawful, and instead of erasure, the User requests restriction of use,
      • when the personal data are no longer necessary for the purposes they were collected for, but are needed by the User to establish, exercise, or defend claims,
      • when they have objected to the use of their data – the restriction occurs for the time needed to consider whether the protection of the User's interests, rights, and freedoms outweighs the interests pursued by the Controller.
5. Right of access to data:
   1. The User has the right to obtain confirmation from the Controller as to whether personal data are being processed, and if so, the right to:
      • access their personal data,
      • obtain information about the purposes of processing, categories of data, recipients, the planned storage period (or criteria for determining it), the User's rights under GDPR, the right to lodge a complaint with a supervisory authority, the source of data, automated decision-making including profiling, and safeguards applied when transferring data outside the EU.
6. Right to rectification:
   1. The User has the right to request from the Controller the immediate rectification of inaccurate personal data concerning them. Taking into account the purposes of processing, the User has the right to have incomplete personal data completed, including by providing a supplementary statement via e-mail.
7. Right to data portability:
   1. The User has the right to receive their personal data provided to the Controller and then transmit them to another data controller of their choice. The User also has the right to request that the personal data be transmitted directly by the Controller to another controller, where technically feasible.
8. In the event of the User exercising any of the above rights, the Controller fulfills the request or refuses to do so immediately, no later than one month after receiving it. However, if the Controller cannot fulfill the request within a month, they will do so within the following two months, informing the User within one month of receiving the request about the intended extension and its reasons.
9. The User may submit complaints, inquiries, and requests to the Controller regarding the processing of their personal data and the exercise of their rights.
10. The User has the right to request from the Controller a copy of the standard contractual clauses by directing an inquiry.
11. The User has the right to lodge a complaint with the President of the Personal Data Protection Office regarding the violation of their rights to personal data protection or other rights granted under GDPR.

§ 6

Additional Information on Data Use

1. In some situations, the Controller (Seller) has the right to transfer your personal data to other recipients if it is necessary to perform the agreement concluded with you or to fulfill obligations incumbent on the Controller. This applies to the following groups of recipients:
   1. Couriers
   2. Payment operators
   3. Authorized employees and associates who use the data to operate the website
   4. Companies providing marketing services to the Controller.
2. The Controller (Seller) may provide the customer's phone number to a company providing IT services for issuing, maintaining, and providing access to e-receipts, which may be processed for the purposes of:
   1. verifying whether a given phone number has been registered in the company's own products giving access to e-receipts, and in the case of positive verification, providing the e-receipts and additional information from the issuing process to the Customer within those products,
   2. sending SMS and other notifications to Customers confirming the issuance of an e-receipt to the IT system of the company providing e-receipt services.

§ 7

Additional Uses of Personal Data

1. The Website uses personal data additionally for the following purposes:
   1. Handling inquiries via the form
   2. Preparation, packing, and shipping of goods
   3. Execution of ordered services
   4. Running a newsletter.
2. The Website performs the functions of obtaining information about users and their behavior in the following way:
   • Through data voluntarily entered in forms, which are entered into the Operator's systems.
   • By saving cookie files (so-called "cookies") on terminal devices.

§ 8

Security Management

1. The Controller provides Users with a secure and encrypted connection during the transfer of personal data and during login to the User Account on the Website.
2. The Controller uses an SSL certificate issued by one of the world's leading companies in the field of security and encryption of data transmitted via the Internet.
3. In the event that a User with an account on WWW.PROFUMOLABO.COM has lost their access password in any way, the Website allows for the generation of a new password. The Controller does not send password reminders. The password is stored in an encrypted form that prevents it from being read. To generate a new password, an e-mail address must be provided in the form available under the "Forgot password" link next to the account login form. The User will receive an e-mail at the address provided during registration or saved in the last profile update, containing a redirect to a dedicated form on the Website where the User can set a new password.
4. The Controller does not send any correspondence, including electronic correspondence, asking for login details, and in particular, the access password to the User account.

§ 9

Consent to Personal Data Processing

The User consents to the processing of personal data by PROFUMO LABO SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office at Al. Jerozolimskie 98, 00-807 Warsaw, entered into the Register of Entrepreneurs of the National Court Register by the DISTRICT COURT FOR THE CAPITAL CITY OF WARSAW IN WARSAW, 12TH COMMERCIAL DIVISION OF THE NATIONAL COURT REGISTER under KRS number 0000918422, for the purposes of direct marketing regarding its own products and services. Data for this purpose will be processed based on Art. 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

• Information on cookie files
• GDPR CONSENT Form