Privacy policy

HURTOWNIA-FIRANEK.PL ONLINE STORE PRIVACY POLICY FOR BUSINESSES

TABLE OF CONTENTS:
1. GENERAL PROVISIONS
2. BASIS FOR DATA PROCESSING
3. PURPOSE, BASIS AND DURATION OF DATA PROCESSING IN THE ONLINE STORE
4. DATA RECIPIENTS IN THE ONLINE STORE
5. PROFILING IN THE ONLINE STORE
6. RIGHTS OF THE DATA SUBJECT
7. COOKIES IN THE ONLINE STORE AND ANALYTICS
8. END PROVISIONS

1. GENERAL PROVISIONS
1.1. This Online Store privacy policy is informative, which means it is not a source of obligations for the Service Recipients or Customers of the Online Store. The privacy policy primarily contains rules concerning the processing of personal data in the Online Store by the Controller, including the basis, purposes and duration of personal data processing, and the rights of data subjects, as well as information regarding the use of cookie files and analytic tools in the Online Store.
1.2. The Controller of the personal data collected through the Online Store is FIRANY GROUP SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Piaseczno (registered office address and delivery address: ul. Wojska Polskiego 58/1, 05-500 Piaseczno); entered into the Register of Entrepreneurs of the National Court Register under the number KRS 0000727067; register court where the company documentation is kept: District Court for the Capital City of Warsaw in Warsaw, 14
th Commercial Division of the National Court Register; share capital in the amount of: PLN 300,000; NIP (VAT): 1231394442; REGON: 369942006, electronic mail address: bok@firankihurt.pl and contact phone number: 579107068. – hereinafter referred to as the “Controller”, and at the same time being the Online Store Service Provider and the Seller.
1.3. Contact details of the data protection supervisor appointed by the Controller: _____ electronic mail address bok@firankihurt.pl.
1.4. Personal data in the Online Store are processed by the Controller under applicable law, in particular under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),, hereinafter referred to as the „GDPR” or „GDPR Regulation”. Official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.5. Use of the Online Store, including making purchases, is voluntary. Similarly, the provision of personal data by a Service Recipient or Customer using the Online Store, in relation to the above, is voluntary subject to two exceptions: (1) Concluding contracts with the Controller – in cases and within the scope specified on the Online Store website, as well as in the Online Store Terms and Conditions and in this privacy policy, failure to provide personal data necessary to conclude and perform a Sales Contract or an Electronic Service Provision Contract with the Controller leads to concluding said contract being impossible. Providing personal data in such cases is a contractual requirement and if the data subject wishes to conclude a given contract with the Controller, it is obligated to provide the necessary data. On each occasion, the scope of data required to conclude a contract is specified previously on the Online Store website and in the Online Store Terms and Conditions; (2) Controller's statutory obligations – provision of personal data is a statutory obligation arising out of commonly applicable provisions of the law, which impose on the Controller a personal data processing obligation (e.g. data processing for the purposes of tax or account book keeping), and failure to provide such data would prevent the Controller from performing these obligations.
1.6. The Controller takes particular care to protect the interests of the subjects of the data it processes, and in particular it is responsible for and ensures that the data it collects are: (1) processed in accordance with the law; (2) collected for specific, lawful purposes and not subjected to further processing not in accordance with these purposes; (3) correct and adequate to the purposes for which they are processed; (4) stored in a form preventing the identification of the data subject, no longer than necessary to achieve the purposes of processing, and (5) processed in a way that ensures proper personal data security, including protection against prohibited or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational means.
1.7. Taking into account the nature, scope, context, and purposes of processing, as well as the varied probability and scale of danger posed by the risk of violation of the rights or freedoms of individuals, the Controller implements adequate technical and organisational means so processing is performed in accordance with this regulation and so it is demonstrable. These means are reviewed and updated as necessary. The Controller uses technical means that prevent the acquisition and modification by unauthorised persons of personal data transmitted by electronic means.
1.8. All words, expressions and acronyms found in this privacy policy that are capitalised (e.g. Seller, Online Store, Electronic Service) are to be understood in accordance with their definition specified in the Online Store Terms and Conditions, available on the Online Store website.
2. BASIS FOR DATA PROCESSING
2.1. The Controller has the right to process personal data when and to the extent that at least one of the following conditions is met: (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation which the Controller is subject to; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2.2. Personal data processing by the Controller requires in each instance that at least one basis specified in section 2.1 of the privacy policy exists. The specific basis for the processing of personal data of Online Store Service Recipients and Customers by the Controller is indicated in the following section of the privacy policy – with reference to a particular purpose of personal data processing by the Controller.
3. PURPOSE, BASIS AND DURATION OF DATA PROCESSING IN THE ONLINE STORE
3.1. In each instance the purpose, basis and duration, as well as recipients of the personal data processed by the Controller arise out of the actions taken by a given Service Recipient or Customer in the Online Store or by the Controller. For example, if the Customer decides to make a purchase in the Online Store and selects self-pickup of the purchased Products instead of a courier shipment, then his or her personal data will be processed to perform the concluded Sales Contract, but will not subsequently be shared with a carrier who performs shipments for the Controller.
3.2. The Controller may process personal data within the Online Store for the following purposes, on the following basis, and for the durations specified in the table below:

Purpose of data processing
Legal basis for data processing
Duration of data processing
Performance of a Sale Contract or a Contract for Electronic Service Provision, or taking steps at the request of the data subject prior to entering into the above-mentioned contracts
Article 6(1)(b) of GDPR (contract performance) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

The data are stored for a duration necessary for the concluded Sales Contract or a Contract for Electronic Service Provision to be performed, terminated or to otherwise expire.
Direct marketing
Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller – involves taking care of the interests and good image of the Controller, its Online Store, and pursuing sales of Products.

The data are stored for the duration of the legitimate interest pursued by the Controller, however no longer than until the end of the limitation period for the Controller’s claims against the data subject on account of the business conducted by the Controller. The limitation period is specified by the law, in particular the civil code (the basic limitation period for claims related to the conduct of business is three years, and two years for sales contracts).
The Controller may not process the data for direct marketing purposes if effective objection was expressed by the data subject.
Marketing
Article 6(1)(a) of the GDPR Regulation (consent) – the data subject expressed consent for processing of his or her personal data by the Controller for marketing purposes.

The data are stored until the data subject withdraws his or her consent for further processing of his or her data for this purpose.
Account book keeping
Article 6(1)(c) of the GDPR Regulation in connection with Art. 74(2) of the Act on accounting, i.e. dated 30 January 2018 (Polish Journal of Laws of 2018, item 395) – processing is necessary for compliance with a legal obligation which the Controller is subject to;

The data are stored for a duration required by the law that obligates the Controller to keep account books (5 years starting on the beginning of the year following the fiscal year which the data apply to).
Determining, exercising or defending claims that the Controller may raise or which may be raised against the Administrator
Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller – involves determining, exercising or defending claims that the Controller may raise or which may be raised against the Controller

The data are stored for the duration of existence of the legitimate interest pursued by the Controller, however no longer than for the limitation period of the claims that may be raised against the Controller (basic limitation period for claims against the Controller is six years).
Use of the Online Store website and ensuring its correct functioning
Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller)– processing is necessary for the purposes of the legitimate interests pursued by the Controller – involves running and maintaining the Online Store website
The data are stored for the duration of the legitimate interest pursued by the Controller, however no longer than until the end of the limitation period for the Controller’s claims against the data subject on account of the business conducted by the Controller. The limitation period is specified by the law, in particular the civil code (the basic limitation period for claims related to the conduct of business is three years, and two years for sales contracts).
Statistics and Online Store traffic analysis
Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller)– processing is necessary for the purposes of the legitimate interests pursued by the Controller - involves running statistics and analysing traffic in the Online Store for the purpose of improving the Online Store functioning and increasing Product Sales
The data are stored for the duration of the legitimate interest pursued by the Controller, however no longer than until the end of the limitation period for the Controller’s claims against the data subject on account of the business conducted by the Controller. The limitation period is specified by the law, in particular the civil code (the basic limitation period for claims related to the conduct of business is three years, and two years for sales contracts).
4. DATA RECIPIENTS IN THE ONLINE STORE
4.1. For the correct functioning of the Online Store, including performance of Sales Contracts, it is necessary that the Controller uses the services of third party entities (such as a software provider, courier, or a payment handling entity). The Controller uses only the services of such processing entities that provide sufficient guarantees of implementing adequate technical and organisational means so processing meets the requirements of the GDPR Regulation and protects the rights of the data subjects.
4.2. Personal data may be transferred by the Controller to a third-party state, and the Controller ensures that in such cases they will be transferred to states that provide adequate protection – in compliance with the GDPR Regulation, and the data subject can obtain a copy of his or her data. The Controller transfers the personal data it collects only in cases and only to the extent necessary to pursue a given purpose of processing in compliance with this privacy policy.
4.3. Data are transferred by the Controller not in all cases and not to all recipients or recipient categories specified in the privacy policy – the Controller transfer the data only when it is necessary to pursue a specific purpose of personal data processing and only to the extent necessary to pursue it. For example, if a Customer uses a personal ID card, his or her data will not be transferred to a carrier working with the Controller.
4.4. Personal data of Online Store Service Recipients and Customers may be transferred to the following recipients or recipient categories:
1.1.1 carriers / freight forwarders / courier brokers / storage and/or shipment process handling entities – in the case of Customers who in the Online Store use the postal shipment or courier shipment Product delivery method, the Controller shares the Customer’s personal data with the selected carrier, freight forwarder or intermediary that performs shipments ordered by the Controller, or if the shipment is sent from an external warehouse – with the storage and/or shipment process handling entity - to the extent necessary to ship the Product to the Customer.
1.1.2. service vendors supplying the Controller with technical, IT and organisational solutions that enable the Controller to conduct its business, including running the Online Store and providing Electronic Services through the Online Store (in particular vendors of computer software for running the Online Store, e-mail and hosting vendors, and vendors of business management software and technical support for the Controller) - the Controller shares the Customer’s personal data with the selected vendor acting at the Controller's order only in cases and to the extent necessary to pursue a specific data processing purpose in compliance with this privacy policy.
1.1.3. vendors of accounting, legal, and consulting services providing the Controller with accounting, legal or consulting support (in particular an accounting office, legal firm or debt collection company)- The Controller shares the Customer’s personal data with the selected vendor acting at the Controller's order only in cases and only to the extent necessary to pursue a given purpose of processing in compliance with this privacy policy.
5. PROFILING IN THE ONLINE STORE
5.1. The GDPR Regulation obligates the Controller to inform about automated decision making, including profiling referred to in Art. 22(1) and (4) of the GDPR Regulation, and – at least in these instances – to provide relevant information concerning how the decision are made, as well as concerning the importance and predicted consequences of such processing for the data subject. Considering the above, the Controller provides in this section of the privacy policy information concerning possible profiling.
5.2. The Controller may use profiling in the Online Store for purposes of direct marketing, but the decisions made on its basis by the Controller do not concern entering or declining to enter into Sales Contracts, as well as the ability to use Electronic services in the Online Store. An effect of profiling in the Online Store may be, for example, granting a specific person a discount, sending him or her a discount code, reminding them about unfinished shopping, sending suggestions for Product that may correspond to their interests or preferences, or proposing better terms and conditions compared to the standard terms and conditions of the Online Store. Regardless of any profiling, the given person freely takes the decision whether they want to use the discount or better terms and conditions granted in this manner, and make a purchase in the Online Store.
5.3. Profiling in the Online Store involves automated analysis or prediction of the behaviour of a specific person on the Online Store website, e.g. by adding a specific Product to his or her cart, browsing the page of a specific Product in the Online Store, or by analysing the history of his or her previous purchases made in the Online Store. The condition for such profiling is the Controller having the personal data of the given person, so the person can then be sent a discount code, for example.
5.4. Data subjects have the right to not be subject to decisions which are based solely on automated processing, including profiling, and which cause legal consequences for this person, or affect his or her rights in a similar manner.
6. RIGHTS OF THE DATA SUBJECT
6.1. Right of access, rectification, limitation, erasure, or portability – data subjects have the right to request access, rectification, erasure (“right to be forgotten”), or limitation of processing of their personal data by the Controller, and have the right to object to their processing, and also have the right to portability of their data. Specific conditions of exercising the above rights are provided in Art. 15-21 of the GDPR Regulation.
6.2. Right to withdraw consent at any time – persons whose personal data are processed by the Controller under the consent they gave (pursuant to Art. 6(1)(a) or Art. 9(2)(a) of the GDPR Regulation) have the right to withdraw their consent at any time without affecting the lawfulness of the processing performed under the consent prior to its withdrawal.
6.3. Right to lodge a complaint with a supervisory authority – persons whose personal data are processed by the Controller have the right to lodge a complaint with a supervisory authority in a manner and way specified in the GDPR Regulation and Polish law, in particular in the Act on personal data protection. The supervisory authority in Poland is the President of the Personal Data Protection Office.
6.4. Right to object – data subjects have the right to object at any time – for reasons related to their special circumstances – to processing of their personal data under Art. 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling under these regulations. The Controller in this instance may no longer process these personal data, unless it demonstrates that there exist valid, legitimate basis for processing, which override the interests, rights, and freedoms of the data subject or the basis for determining, pursuing or defending claims.
6.5. Right to object concerning direct marketing – if personal data are processed for direct marketing purposes, the data subject has the right to at any time object to processing the data he or she is subject to for such marketing, including profiling, to the extent that processing is related to such direct marketing.
6.6. To exercise the rights referred to in this section of the privacy policy, you can contact the Controller by sending a relevant message in writing or by e-mail to the Controller’s address provided in the introduction to the privacy policy, or using the contact form available at the Online Store website.
7. COOKIES IN THE ONLINE STORE AND ANALYTICS
7.1. Cookie files are small bits of textual information in the form of text files, sent by the server and saved on the Online Store visitor’s end (e.g. on the hard disk of his or her PC, laptop, or on the memory card of a smartphone - depending on the device used to visit our Online Store). Detailed information concerning Cookie files, as well as the history of their origin can be found here, for example:
http://pl.wikipedia.org/wiki/Ciasteczko.
7.2. The Controller may process data contained in Cookie files when visitors use the Online Store website for the following purposes:
1.1.4. to identify Service Recipients as logged in the Online Store and to show they are logged in;
1.1.5. to save Products added to the cart for the purpose of placing an Order;
1.1.6. to save data from completed Order Forms, surveys, or Online Store login data;
1.1.7. to customise the Online Store website content to the individual preferences of the Service Recipient (e.g. concerning colours, font size, site layout), and to optimise the use of Online Store web pages;
1.1.8. to collect anonymous statistical data representing how the Online Store website is used;
1.1.9. for remarketing, i.e. to study the behaviour characteristics of Online Store visitors by anonymously analysing their actions (e.g. repeated visits on specific pages, keywords, etc.) to create their profiles and provide them with advertisements customised to their predicted interests, also when they visit other websites in the advertisement networks of Google Ireland and Facebook Ireland Ltd.
7.3. As standard, most web browsers available on the market accept Cookie file saving by default. Everybody can define how Cookie files are used using their own browser's settings. This means that you can, for example, partially restrict (e.g. temporarily) or completely disable the ability to save Cookie files - in the latter case it may affect some Online Store functionalities, however (for example it may prove impossible to complete Order placement through the Order Form because Products are not saved in the cart during subsequent steps of Order placing).
7.4. Cookie-related web browser settings are important from the perspective of consent for Cookie file use by our Online Store - pursuant to regulations, such consent may also be expressed by means of browser settings. If you do not consent, adjust your Cookie-related browser settings accordingly.
7.5. Detailed information on how to change your Cookie file settings and how to delete them manually in the most common browsers can be found in the help section of each browser, and on the following websites (just click a particular link):
for Chrome
for Firefox
for Internet Explorer
for Opera
for Safari
for Microsoft Edge
7.6. The Controller in the Online Store may use the Google Analytics and Universal Analytics services provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), and the SALESmanago service provided by Benhauer Spółka z ograniczoną odpowiedzialnością (ul. Grzegórzecka 21, 31-532 Kraków, Poland). These services help the Controller collect statistical data and analyse traffic in the Online Store. Collected data are processed as part of the services specified above to generate statistics helpful in administrating the Online Store and analysing traffic in the Online Store. These data are collective. When using the above services in the Online Store, the Controller collects such data as sources and acquisition media of Online Store visitors, and their behaviour at the Online Store website, information concerning the devices and browsers used to visit the website, IP address and domain, geographical and demographical data (age, sex), and interests.
7.7. It is possible to easily disable providing information on your activity at the Online Store website to Google Analytics - to do this you can, for example, install a browser add-on provided by Google Ireland Ltd., available here: https://tools.google.com/dlpage/gaoptout?hl=pl.
7.8. Detailed information on how SALESmanago functions can be found at the following internet website
https://www.salesmanago.pl/info/wszystkie_funkcjonalnosci.htm.
7.9. The Controller may use in the Online Store the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). This service helps the Controller measure the effectiveness of advertisements and find out what actions Online Store visitors take, as well as display customised advertisements to these persons. Detailed information on how Facebook Pixel functions can be found at the following internet website
https://www.facebook.com/business/help/742478679120153?helpref=page_content.
7.10. Facebook Pixel functioning can be managed using advertisement settings in your Facebook.com website account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
8. END PROVISIONS
8.1. The Online Store may contain links to other websites. The Controller encourages you to read the privacy policy applicable at other websites when you visit them. This privacy policy applies to the Controller’s Online Store only.