1.1. Controller – XROCKET SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Krakow (address of the registered office and address for service: ul. Ślusarska 9, 30-710 Krakow); entered into the Register of Entrepreneurs of the National Court Register KRS 0000568115 [company register number]; registry court in which the company's documentation is kept: District Court for Kraków - Śródmieście in Krakow, 11th Commercial Division of the National Court Register; share capital PLN 40,000; NIP [tax identification number]: 9452185698, REGON [company identification number]: 36207754500000 and email address: [email protected]
1.2. Personal data - all information about a physical person identified or identifiable by one or more specific factors determining physical, physiological, genetic, psychological, economic, cultural or social identity, including device IP, location data, Internet identifier and information collected through cookies and other similar technology.
1.4. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5 Website - a website kept by the Controller at: www.bodyboom.pl
1.6 User - any natural person visiting the Website or using one or several services or functionalities described in the Policy.
2. GENERAL PROVISIONS
2.1. The Controller of personal data collected via the Online Store is – XROCKET SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Krakow (address of the registered office and address for service: ul. Ślusarska 9, 30-710 Krakow); entered into the Register of Entrepreneurs of the National Court Register KRS [company registration number] 0000568115;
registry court in which the company's documentation is kept: District Court for Kraków - Śródmieście in Krakow, 11th Commercial Division of the National Court Register; share capital: PLN 40,000; NIP [tax identification number]: 9452185698, REGON [company identification number]: 36207754500000 and email address: [email protected] - hereinafter referred to as
the “;Controller” and at the same time being a Service Provider of the Online Store and the Seller.
2.2 The personal data of the Customer and the Client shall be processed in accordance with the legal requirements regarding the rules for processing and securing data, including Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as GDPR), Act of 10 May 2018 on the protection of personal data and the act on electronic services of 18 July 2002 (Journal of Laws 2002 No. 144, item 1204, as amended).
2.3 The Controller shall take special care to protect the interests of the data subjects, and in particular shall ensure that the data it collects is processed in accordance with the law; collected for specified, legitimate purposes and not subject to further processing incompatible with those purposes; factually correct and adequate in relation to the purposes for which it is processed and stored in a form allowing identification of the data subjects, no longer than it is necessary to achieve the purpose of processing.
2.4 All words, expressions and acronyms appearing on this website and beginning with a capital letter (e.g., Seller, Online Store, Electronic Service) should be understood in accordance with their definition contained in the Online Store Regulations available on the Online Store website.
3. SCOPE OF PROCESSING OF PERSONAL DATA ON THE WEBSITE
3.1. Each time, the purpose, scope and recipient of data processed by the Controller shall result from actions taken by the Service Recipient or the Customer on the Website. For example, if the Customer chooses a personal collection instead of a courier delivery of the product during placing the order, his/her personal data shall be processed in order to conclude and execute the Sales Agreement,
3.2. but shall no longer be made available to the carrier performing the shipment at the request of the Controller.
In connection with the User's use of the Website, the Controller shall collect data in the scope necessary to provide particular services offered, as well as information on the User's activity on the Website. The detailed rules and purposes of processing personal data collected during the use of the Website by the User are described below.
4. PURPOSE AND LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA ON THE WEBSITE
4.1 Possible purposes of collecting personal data of the Service Users or the Customers of the Website by the Controller:
4.1.1. in order to provide services electronically in the scope of making available the content collected on the Website to the Users - the legal basis for the processing is the necessity of processing to perform an agreement (Article 6 paragraph 1 letter b of GDPR);
for analytical and statistical purposes - the legal basis of the processing is a legitimate interest of the Controller consisting in conducting analyzes of the Users' activity, as well as their preferences in order to improve the functionalities and services provided (Article 6 paragraph 1 letter f) of GDPR).
in order to possibly establish and enforce claims or defense against them - the legal basis for the processing is the Controller's legitimate interest in protecting its rights (Article 6 paragraph 1 letter f) of GDPR);
in order to answer the query sent via the contact form - the legal basis for the processing is the consent of the User, which he/she can withdraw at any time
for marketing purposes of the Controller and other entities that may rely on:
displaying to the User marketing content that is not adapted to his/her preferences (contextual advertising) - the legal basis for the processing of personal data is a legitimate interest of the Controller (Article 6 paragraph 1 letter f ) of GDPR).
displaying to the User marketing content corresponding to his/her interests (behavioral advertising) including profiling - the legal basis
for processing of personal data is the consent of the User, which he/she can withdraw at any time.
184.108.40.206. directing marketing content thereto via email, MMS/SMS or by phone (direct marketing) - the legal basis for the processing of personal data is the consent of the User, which he/she can withdraw at any time;
220.127.116.11. directing via a newsletter notifications of interesting offers or content that may in some cases contain commercial information - the legal basis for sending the newsletter is the necessity of processing to perform the agreement (Article 6 paragraph 1 letter b) of GDPR), while in the case of directing marketing content (commercial information) to the User as part of the newsletter - the legal basis for the processing of personal data is the consent of the User, which may be withdrawn at any time.
4.1.5 to keep a profile on social networks, including informing the Users about the activity of the Controller and promoting various types of events, services and products - the legal basis for the processing of personal data by the Controller for this purpose is its legitimate interest (Article 6 paragraph 1 letter f) of GDPR) to promote its own brand (Article 6 paragraph 1 letter f) of GDPR).
5. DATA RECIPIENTS
5.1. In connection with the provision of services, personal data shall be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems used to provide services to entities such as banks and payment operators, entities providing accounting services, couriers (in connection with the implementation of the agreement) and entities related with the Controller,
5.2. In the case of a Customer who uses in the Online Store, the method of delivery by mail or courier, the Controller shall provide the Customer's personal data collected to a selected carrier or intermediary performing the shipment at the request of the Controller.
5.3. In the case of a Customer who uses in the Online Store, the method of electronic payments or a payment with card, the Controller shall provide the collected personal data of the Customer to the selected entity servicing the above payments in the Online Store.
5.4. The Controller may process the following personal data of the Customers or Clients using the Online Store: name and surname; email address; number a contact phone; delivery address (street, house number, apartment number, zip code, city, country), address of residence/business/registered office (if different from delivery address). In the case of Customers or Clients who are not consumers, the Controller may additionally process the company name and tax identification number (NIP) of the Customer or the Client.
5.5. Providing personal data referred to in the point above may be necessary to conclude and implement the Sales Agreement or agreement for the provision of Electronic Services in the Online Store. Each time the scope of data required to conclude a agreement is indicated previously on the Online Store website and in the Online Store Regulations.
5.6 In the case of obtaining the User's consent, his/her data may also be made available to other entities for their own purposes, including for marketing purposes.
5.7. The Controller reserves the right to disclose selected information about the User to the competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with the applicable law.
6. COOKIES AND OPERATING DATA
6.1. Cookies are small text information in the form of text files, sent by the server and saved on the side of the person visiting the website of the Online Store (e.g. on the hard drive of the computer, laptop or on the smartphone's memory card - depending on which device is used by the visitor of our Online Store). Detailed information about cookies as well as the history of their creation can be found, among others here: http://pl.wikipedia.org/wiki/Ciasteczko.
6.2. The Controller may process data contained in Cookies when visitors use the Online Store for the following purposes:
6.2.1. memorizing Products added to the cart in order to place an Order;
6.2.2. memorizing data from completed Order Forms or surveys;
6.2.3. keeping anonymous statistics showing the method of use the Online Store website.
6.5. Detailed information on changing cookies settings and their independent removal in the most popular web browsers is available in the help section of the web browser and on the following websites (just click on the link):
- in the Chrome browser
- in the Firefox browser
- in the Internet Explorer browser
- in the Opera browser
- in the Microsoft Edge browser
- in the Safari browser
6.6.. The Controller shall also process anonymised operational data related to the use of the Online Store (IP address, domain) to generate statistics helpful in administering the Online Store. That data is aggregate and anonymous, i.e. it does not contain features that identify visitors of the Online Store. that data is not disclosed to third parties.
7. PERIOD FOR PERSONAL DATA PROCESSING
7.1. The period for data processing by the Controller depends on the type of service provided and the purpose of the processing. The data processing period can also result from the rules when they form the basis for processing. In the case of data processing based on the justified interest of the Controller - for example due to security reasons - the data shall be processed for a period of time enabling that interest to be realized or for lodging an effective objection to data processing. If the processing is based on consent, the data is processed until the consent is withdrawn. When the processing basis is a necessity to enter into and perform the agreement, the data is processed until the agreement is terminated.
7.2. The data processing period may be extended if the processing is necessary to establish or enforce claims or defend against claims, and after this period - only in the case and to the extent that are required by law. After the end of the processing period, the data shall be irreversibly deleted or anonymized.
8. USER RIGHTS
8.1. The User shall have the right to: access to the data contents and demand its correction, deletion, processing restrictions, the right to transfer data and the right to object to the processing of data, as well as the right to lodge a complaint to the supervisory body competent for the protection of personal data.
8.2. To the extent that User's data is processed on the basis of consent, it may be withdrawn at any time by contacting the Controller.
8.3 The User shall have the right to object to the processing of data for marketing purposes, if the processing occurs in connection with the legitimate interest of the Controller, and for reasons related to its special situation in other cases where the legal basis for the data processing is legitimate interest of the Controller (e.g. due to the implementation of analytical and statistical objectives).
9. TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
9.1. The Controller shall transfer personal data outside the EEA only when it is necessary and with an adequate level of protection, in particular by:
9.1.1. cooperation with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued;
9.1.2. use of standard contractual clauses issued by the European Commission; 9.1.3., use of binding rules of conduct approved by the competent supervisory authority;
9.2. The Controller shall always inform about the intention to transfer of personal data outside the EEA at the collection stage.
10. SECURITY OF PERSONAL DATA
10.1. The Controller shall conduct risk analysis on an on-going basis and monitor the adequacy of data security measures applied to the identified threats. If necessary, the Controller shall implement additional measures to increase data security.
10.2. In order to ensure the integrity and confidentiality of data, the Controller has implemented procedures that allow access to personal data only to authorized persons and only to the extent that it is necessary due to the tasks performed thereby. The Controller shall apply organizational and technical solutions to ensure that all operations on personal data are registered and performed only by authorized persons.
10.3. In addition, the Controller shall undertake all necessary actions to ensure that its subcontractors and other cooperating entities guarantee appropriate security measures whenever they process personal data at the request of the Controller.
11. CONTACT DETAILS
11.1 Contact with the Controller shall be possible in the following ways:
11.1.1 in writing to the following address Xrocket Sp. z o.o., ul. Ślusarska 9, 30-710 Krakow
11.1.2. electronically via the following email address [email protected]
12. FINAL PROVISIONS
12.2. The Controller uses technical and organizational measures ensuring protection of personal data being processed, appropriate to threats and categories of data protected, and in particular, protects data from being made available to persons unauthorized, taken away by an unauthorized person, processed in violation of applicable laws and changed, lost, damaged or destructed.
12.3. The Controller shall respectively provide the following technical measures to prevent the acquisition and modification of personal data sent electronically by unauthorized persons:
12.3.1. Securing the data set against unauthorized access.
12.3.2. Access to the Account only after providing an individual login and password
12.3.3. SSL certificate.
12.3.4. The policy shall be verified on an ongoing basis and updated if necessary. The current version of the Policy has been adopted and is effective from May 25, 2018.