PRIVACY POLICY AND COOKIES POLICY
§ 1 General Provisions
1. The controller of the personal data of users of the website available under the domain www.lotana.pl is LOTANA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office at ul. Marii Skłodowskiej-Curie 4/12, 20-029 Lublin, Poland, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court Lublin-Wschód in Lublin with its seat in Świdnik, VI Commercial Division of the National Court Register under KRS number 0001054995, NIP 7123460607, REGON 526212574, share capital PLN 225,000.00 fully paid up (hereinafter referred to as the “Controller”).
2. The Controller has made available an electronic contact point intended for direct communication with the authorities of the Member States, the European Commission and the Digital Services Board, available at: info@lotana.pl. The same communication channel may also be used by Customers for quick and direct contact with the Controller.
3. Written contact is also possible at the address indicated above, via the contact form available on the Store’s website or by telephone at +48 459 569 057 (calls are accepted on business days between 8:00 a.m. and 4:00 p.m.; the cost of the call is in accordance with the Customer’s operator tariff).
4. Communication may be conducted in Polish, English or Ukrainian.
5. The purpose of this Policy is to define the actions undertaken with regard to personal data collected via the Controller’s website and related services and tools used by its users, as well as within the scope of concluding and performing contracts outside the website.
6. If necessary, the provisions of this Policy may be amended. Any amendment shall be communicated to users by publishing the updated content of the Policy, and in the case of persons who have consented to the processing of data by electronic means or provided an e-mail address in connection with contract performance, such persons shall also be notified of the amendment by e-mail.
§ 2 Legal Bases, Purposes and Retention of Personal Data
1. Personal data of users are processed in accordance with the General Data Protection Regulation, the Act on the Protection of Personal Data, the Act of 10 May 2018 on the Protection of Personal Data, and the Act of 18 July 2002 on the Provision of Electronic Services, as amended, and for the purposes of making a notification pursuant to Article 16(1) of Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ EU L 2022.277.1, as amended; “DSA”), also pursuant to Article 3(h) of the DSA.
2. The Controller may collect the following personal data for the following purposes:
| PURPOSE OF DATA PROCESSING | LEGAL BASIS FOR PROCESSING AND DATA RETENTION PERIOD | DATA RETENTION PERIOD | SCOPE OF PROCESSED DATA |
|---|---|---|---|
| Performance of a contract with the Customer or taking actions at the request of the data subject prior to concluding such contract | Article 6(1)(b) GDPR | | |
| Marketing | Article 6(1)(a) GDPR (consent) | | |
| Keeping accounting records | Article 6(1)(c) of the GDPR in conjunction with Article 86 §1 of the Polish Tax Ordinance of 17 January 2017 (Journal of Laws of 2017, item 201) or Article 74(2) of the Accounting Act of 30 January 2018 (Journal of Laws of 2018, item 395). | | |
| Refund processing | Performance of the contract or taking actions at the request of the data subject prior to concluding the contract (Article 6(1)(b) of the GDPR). | | |
| Establishment, assertion or defence of claims that may be raised by the Controller or that may be raised against the Controller | Article 6(1)(f) of the GDPR. | | |
| Conducting research and analyses in order to improve the functioning of available services | Article 6(1)(f) of the GDPR. | | |
| Customer account registration | Performance of the contract or taking actions at the request of the data subject prior to concluding the contract (Article 6(1)(b) of the GDPR). | 5 years after termination of the business relationship with the Customer. | |
| Provision of customer service | Performance of the contract or taking actions at the request of the data subject prior to concluding the contract (Article 6(1)(b) of the GDPR). | | |
| Ensuring proper functioning of the service | Maintenance of the Service’s performance and its improvement (Article 6(1)(f) of the GDPR). | | |
| Enabling the Customer to reset the password | Protection and security of the service, protection of Customers’ interests, ensuring Customer security (Article 6(1)(f) of the GDPR). | | |
| Supervision of compliance with regulations, contracts and the privacy policy | Protection and security of the service, protection of Customers’ interests, ensuring Customer security (Article 6(1)(f) of the GDPR). | | |
| Handling requests regarding personal data | Article 6(1)(c) of the GDPR. | For the duration of the Controller’s legitimate interest, however no longer than the limitation period for claims in relation to the data subject arising from the conducted business activity. | |
| Providing information to law enforcement authorities and other state institutions | Article 6(1)(c) of the GDPR | For the duration of the Controller’s legitimate interest, however no longer than the limitation period for claims in relation to the data subject arising from the conducted business activity. | |
| Fulfilment of the legal obligation specified in Article 16(1), (4), (5) and (6) of the DSA consisting in: accepting notifications regarding the presence of information in the hosting service which, in the notifier’s opinion, constitutes illegal content within the meaning of Article 3(h) of the DSA; examining the notification; informing about the decision taken with regard to the notification; informing about the possibility to appeal against the decision referred to in point 3. | Article 6(1)(c) of the GDPR | Until informing about: | |
| Processing of personal data to the extent in which, on the basis of proceedings conducted before competent public administration authorities, including law enforcement authorities, in matters concerning the purposes or legal bases for processing personal data, the Controller is obliged to process such data | Article 6(1)(c) of the GDPR | | |
| Taking actions in the field of identification and reporting of potential product-related risks, ensuring compliance of products with safety requirements, and informing competent authorities or users of the need to take safety-related actions, to the extent required by the GPSR | Article 6(1)(c) of the GDPR | | |
3. The Controller may use profiling for the purposes of direct marketing; however, decisions taken by the Controller on the basis of such profiling do not concern the conclusion or refusal to conclude a contract, nor the possibility of using electronic services. The effect of using profiling may include, for example, granting a discount to a given person, sending that person a discount code, reminding them of unfinished purchases, sending a product offer that may correspond to that person’s interests or preferences, or proposing better terms compared to the standard offer. Despite the use of profiling, the data subject freely decides whether to make use of the discount or better terms received in this manner and to make a purchase. Profiling consists of the automated analysis or prediction of a given person’s behaviour on the Controller’s website, for example by adding a specific product to the shopping cart, browsing the page of a specific product, or by analysing the previous history of activity on the website. A condition for such profiling is that the Controller possesses the personal data of the given person in order to subsequently send, for example, a discount code.
4. Taking into account the nature, scope, context and purposes of processing, as well as the risk of infringement of the rights or freedoms of natural persons of varying likelihood and severity, the Controller implements appropriate technical and organisational measures to ensure that processing is carried out in accordance with the Regulation and to be able to demonstrate such compliance. These measures are reviewed and updated where necessary. The Controller applies technical measures preventing the acquisition and modification, by unauthorised persons, of personal data transmitted electronically.
§ 3 Disclosure of Data
1. The Controller ensures that all collected personal data are used for the purpose of fulfilling obligations towards users. Such information shall not be disclosed to third parties, except in cases where:
- the data subjects to whom the data relate have previously given their explicit consent to such action; or
- the obligation to transfer such data arises or will arise from applicable provisions of law, e.g. to law enforcement authorities.
2. Additionally, personal data of service recipients and customers may be transferred to the following recipients or categories of recipients:
- service providers supplying the Controller with technical, IT and organisational solutions enabling the Controller to conduct business activity, including the operation of the website and the electronic services provided through it (in particular providers of computer software, marketing agencies, e-mail and hosting service providers, providers of software for company management and technical support for the Controller, as well as product delivery operators) – the Controller makes the collected personal data of the Customer available to a selected provider acting on its behalf only where and to the extent necessary to achieve a given purpose of data processing in accordance with this Privacy Policy;
- providers of accounting, legal and advisory services providing the Controller with accounting, legal or advisory support (in particular an accounting office, a law firm or a debt collection company) – the Controller makes the collected personal data of the Customer available to a selected provider acting on its behalf only where and to the extent necessary to achieve a given purpose of data processing in accordance with this Privacy Policy;
- carriers / freight forwarders / courier brokers – in the case of a Customer who uses postal or courier delivery of the Product in the Online Store, the Controller makes the collected personal data of the Customer available to a selected carrier, freight forwarder or intermediary carrying out shipments on behalf of the Controller to the extent necessary to deliver the Product to the Customer.
3. The Controller may make anonymised data (i.e. data that do not identify specific Users) available to external service providers for the purpose of better recognising the attractiveness of advertisements and services for users, and in this respect, due to the registered offices of software providers, such data may be transferred – while maintaining the principles of their protection – to third countries which ensure standard contractual clauses approved by the European Commission with regard to the processing of personal data or which have appropriate authorisations to carry out such activities on the basis of bilateral data processing entrustment agreements between the European Union and the given third country, which is not a member of the European Economic Area. In the case of the Controller, such entities are:
- Google LLC (registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for the use of Google Analytics, serving to analyse statistics of websites; Google Tag Manager, serving to manage scripts through the easy addition of code fragments to a website or application and to track actions performed by users on the website; Google Ads, serving to display sponsored links in the search results of the Google search engine and on partner websites within the Google AdSense programme; Google Workspace, enabling comprehensive website editing and coordination of the work of persons working on it (including Google Drive, Gmail, Google Sheets, Google Forms, Google Looker Studio);
- Meta Platforms, Inc. (registered office: 1601 Willow Road, Menlo Park, CA 94025, USA) for the use of the Facebook Pixel, serving to track conversions from Facebook advertisements, optimise them based on collected data and statistics, and build an audience list targeted for future advertisements;
- Microsoft Corporation (registered office: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) for the purposes of analytical tools used to analyse website statistics and track actions performed by users on the website.
4. The Controller continuously conducts a risk analysis in order to ensure that personal data are processed by it in a secure manner – ensuring in particular that access to the data is granted only to authorised persons and only to the extent necessary due to the tasks performed by them. The Controller ensures that all operations performed on personal data are recorded and carried out solely by authorised employees and collaborators.
5. The Controller undertakes all necessary actions to ensure that its subcontractors and other cooperating entities also provide a guarantee of applying appropriate security measures in every case in which they process personal data on behalf of the Controller.
6. The Controller’s website may use the functionality of Google Analytics, a website traffic analysis service provided by Google, LLC (“Google”). Google Analytics uses cookies to help website operators analyse how visitors use the website. Information generated by cookies concerning the use of the website by visitors is generally transmitted to Google and stored on servers located in the United States. In accordance with current IT standards, the IP addresses of users visiting the Controller’s website are shortened. Only in exceptional cases is the full IP address transmitted to a Google server in the United States and shortened there. On behalf of the Controller, Google will use this information for the purpose of evaluating the website for its users, compiling reports on website traffic, and providing other services related to website traffic and Internet usage for website operators. Google will not associate the IP address transmitted within the scope of Google Analytics with any other data held by Google. More information on how Google Analytics collects and uses data can be found on Google’s official website at: www.google.com/policies/privacy/partners. In addition, each User may prevent the collection and processing of data relating to their use of the website by Google by downloading and installing a browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout.
7. When making personal data available to third parties, the Controller makes every effort to ensure that such disclosure is made solely to entities meeting the criteria and requirements set out in Articles 46 or 49 of the GDPR. In appropriate cases, the Controller shall rely on standard contractual clauses of the European Union and other safeguards in order to enable transfers outside the EEA. In accordance with the judgment of the Court of Justice of the European Union of 16 July 2020, the Controller continues to assess the legal systems of the countries to which data are transferred and, where necessary, updates the measures aimed at ensuring an adequate level of protection.
8. With regard to data transferred to the United States, when making personal data available to third parties, the Controller makes every effort to ensure that such transfers are carried out, in accordance with the decision of the European Commission of 10 July 2023, solely to entities and organisations in the United States that ensure compliance with the new “EU–US Data Privacy Framework”. The list of such organisations has been published by the United States Department of Commerce. The transfer of personal data from the EEA to organisations that have joined the “EU–US Data Privacy Framework” programme and are included on this list is possible without the need to obtain additional authorisations or to apply legal instruments such as standard contractual clauses or binding corporate rules. However, where a given data importer in the United States has not joined the “EU–US Data Privacy Framework” programme, the transfer of personal data to such an entity is possible and shall be carried out upon fulfilment of the conditions set out in Articles 46 or 49 of the GDPR. In such cases, the Controller shall rely on standard contractual clauses of the European Union and other safeguards in order to enable transfers outside the EEA.
§ 4 User Rights
1. A User whose personal data are processed has the right to:
- access, rectification, restriction, erasure or data portability – the data subject has the right to request from the Controller access to their personal data, rectification thereof, erasure (“the right to be forgotten”) or restriction of processing, as well as the right to object to processing, and also has the right to data portability. Detailed conditions for exercising the above-mentioned rights are set out in Articles 15–21 of the GDPR;
- withdrawal of consent at any time – where personal data are processed by the Controller on the basis of consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR), the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent prior to its withdrawal;
- lodging a complaint with a supervisory authority – the data subject whose personal data are processed by the Controller has the right to lodge a complaint with a supervisory authority in the manner and under the procedure specified in the provisions of the GDPR and Polish law, in particular the Act on the Protection of Personal Data. The supervisory authority in Poland is the President of the Personal Data Protection Office in Warsaw;
- objection – the data subject has the right to object at any time – on grounds relating to their particular situation – to the processing of personal data concerning them based on Article 6(1)(e) (public interest or official authority) or (f) (legitimate interests of the controller) of the GDPR, including profiling based on those provisions. In such a case, the Controller may no longer process those personal data unless it demonstrates the existence of compelling legitimate grounds for the processing overriding the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims;
- objection to direct marketing – where personal data are processed for the purposes of direct marketing (based on the Controller’s legitimate interest, not on the consent of the data subject), the data subject has the right to object at any time to the processing of personal data concerning them for such direct marketing purposes, including profiling, to the extent that the processing is related to such direct marketing.
2. The exercise of the above rights shall take place on the basis of a request submitted by the User to the Controller’s e-mail address. Such a request should include the User’s first and last name.
3. The User declares that the data provided or published by them within the service are accurate.
§ 5 Cookies
1. Cookies should be understood as IT data, in particular text files, stored on users’ end devices (usually on a computer’s hard drive or on a mobile device), used to record specific settings and data by the user’s browser for the purpose of using websites. These files make it possible to recognise the user’s device and properly display the website, ensuring convenience during its use. The storage of cookies therefore enables appropriate preparation of the website and the offer in accordance with user preferences – the server recognises the user and remembers, inter alia, preferences such as visits, clicks and previous actions.
2. Cookies contain, in particular, the name of the domain of the website from which they originate, the time of their storage on the end device, and a unique number used to identify the browser from which the connection to the website is made.
3. Cookies are used for the purpose of:
- adapting the content of websites to user preferences and optimising the use of websites;
- creating anonymous statistics which, by helping to determine how users use websites, enable improvements to their structure and content;
- providing website users with advertising content tailored to their interests.
Cookies are not used to identify users, and their identity is not determined on the basis of cookies.
4. The basic classification of cookies consists in distinguishing them into:
- Necessary cookies – these are absolutely necessary for the proper functioning of the website or the functionalities that the user wishes to use, as without them we would not be able to provide many of the services we offer. Some of them also ensure the security of services provided electronically by us.
- Functional cookies – these are important for the operation of the website due to the fact that:
  - they are used to enrich the functionality of websites; without them, the website will function properly, but will not be adapted to user preferences;
  - they are used to ensure a high level of website functionality; without them, the level of website functionality may be reduced, but their absence should not prevent full use thereof;
  - they are used for most website functionalities; blocking them will result in selected functions not working properly.
- Business cookies – these enable the implementation of the business model on which the website is made available; blocking them will not result in the unavailability of all functionalities, but may reduce the level of service provision due to the inability of the website owner to generate revenues subsidising its operation. This category includes, for example, advertising cookies.
- Cookies used for website configuration – these enable the setting of functions and services on websites.
- Cookies used for website security and reliability – these enable verification of authenticity and optimisation of website performance.
- Cookies used for authentication – these enable informing when a user is logged in, thanks to which the website may display appropriate information and functions.
- Cookies examining session status – these enable saving information on how users use the website. They may relate to the most frequently visited pages or possible error messages displayed on certain pages. Cookies used to save the so-called “session status” help improve services and increase browsing comfort.
- Cookies examining processes occurring on the website – these enable the efficient operation of the website and the functionalities available on it.
- Cookies used to conduct analyses, research or audience audits – these enable website owners to better understand user preferences and, through analysis, improve and develop products and services. Usually, the website owner or a research company collects information anonymously and processes data on trends without identifying the personal data of individual users.
5. The use of cookies in order to adapt website content to user preferences does not, as a rule, involve the collection of any information enabling the identification of the user, although such information may sometimes constitute personal data, i.e. data enabling certain behaviours to be attributed to a specific user. Personal data collected using cookies may be collected solely for the purpose of performing specific functions for the user. Such data are encrypted in a manner preventing access by unauthorised persons.
6. Cookies used by this website are not harmful either to the user or to the end device used by the user; therefore, in order for the service to function properly, it is recommended not to disable the handling of cookies in browsers. In many cases, software used to browse websites (web browsers) by default allows the storage of information in the form of cookies and other similar technologies on the user’s end device. The user may at any time change the manner of using cookies by the browser. To do so, the browser settings must be changed. The method of changing settings varies depending on the software (web browser) used. Appropriate instructions can be found on subpages depending on the browser used.
7. Cookies are also used to facilitate logging into a user account, including via social media, and to enable navigation between subpages of websites without the need to log in again on each subpage. At the same time, cookies are used to secure websites, e.g. to prevent access by unauthorised persons.
8. Detailed information on changing cookie settings and deleting cookies independently in the most popular web browsers is available in the help section of the web browser and on the following websites (simply click on the relevant link):
9. Detailed information on managing cookies on a mobile phone or other mobile device should be included in the user manual of the respective mobile device.