Privacy policy at e-herbapol.com.pl

Thank you for your interest in data protection on our website.

This privacy policy contains information about the type and scope of processing of your personal data by “Herbapol-Lublin” S.A., ul. Diamentowa 25 (20-471) having its registered office in Lublin.

At the same time, “Herbapol-Lublin” S.A. having its registered office in Lublin announces the appointment of a personal data protection officer whose contact details are: iod@herbapol.com.pl, tel. no. +48817488219.

I. DEFINITIONS

II. TYPE OF DATA PROCESSED WHEN USING THE WEBSITE, PURPOSES AND LEGAL BASIS FOR PROCESSING

1. USING THE WEBSITE WWW.E-HERBAPOL.COM.PL

2. REGISTRATION AND CREATION OF AN ACCOUNT ON THE WEBSITE

3. PLACING ORDERS AND FULFILMENT OF SALES CONTRACTS

4. NEWSLETTER

5. COOKIES

III. RIGHTS OF PERSONS WHOSE DATA ARE PROCESSED

IV. DATA RECIPIENTS

V. TRANSFER OF DATA OUTSIDE THE EEA

VI. SECURITY OF PERSONAL DATA

VII. PRIVACY POLICY UPDATES

I. DEFINITIONS

CONTROLLER – “Herbapol-Lublin” S.A. having its registered office in Lublin. The Controller can be reached at the e-mail address: kontakt@e-herbapol.com.pl or the mailing address “Herbapol-Lublin” S.A., ul. 25 Diamentowa (20-471 Lublin).

PERSONAL DATA – all information that is directly or indirectly related or can be related to a specific person, including device IP, location data, Internet identifier and information collected through cookies and similar technology.

Privacy Policy – this Privacy Policy.

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

WEBSITE – the website www.e-herbapol.com.pl through which the Controller sells products.

USER – a person who uses the WEBSITE WWW.E-HERBAPOL.COM.PL.

II. TYPE OF DATA PROCESSED WHEN USING THE WEBSITE, PURPOSES AND LEGAL BASIS FOR PROCESSING 

In connection with the use of the website, the Controller collects data to the extent necessary to provide services, as well as information about the activity in the store. Detailed rules and purposes of personal data processing are described below.

1. USE OF THE WEBSITE WWW.E-HERBAPOL.COM.PL

Personal data of all persons using the Website (including persons who are not Customers with a registered account on the Website), namely information collected through cookies or other similar technologies, are processed by the Controller:

  • in order to guarantee an uninterrupted connection;
  • in order to guarantee a comfortable use of the website;
  • in order to ensure a secure connection to the website;
  • for analytical and statistical purposes.

The legal basis of data processing is the legitimate interest pursued by the Controller (Article 6(1)(f) GDPR) arising from the above-mentioned purposes of processing.

Period for which personal data will be stored / criteria for determining this period:

182 days

2. REGISTRATION AND CREATION OF AN ACCOUNT ON THE WEBSITE

Personal data of persons who register and create an account on the website:

first name and surname, address (street, house/flat/office number, postal code, city/town, country), e-mail address, contact telephone number. In the case of Customers who are not consumers, it is also necessary to provide the company name and tax identification number (NIP).

Providing data marked as mandatory is required to create and operate an account, and if such data are not provided, an account will not be created.

Data related to registration and account creation are processed by the Controller:

  • in order to provide services related to maintaining and operating an account in the Store – the legal basis for processing is the necessity of processing for the performance of the contract (Article 6(1)(b) GDPR);
  • in order to establish and enforce claims or defend against them – the legal basis for processing is the legitimate interest pursued by the Controller (Article 6(1)(f) GDPR) consisting in the protection of its rights.

If the User places any personal data of other persons in the Store (including their first name, address, telephone number or e-mail address), they can do so only on the condition that they do not violate any applicable laws and personal rights of such persons.

Period for which personal data will be stored / criteria for determining this period:

The data is deleted when the account is deleted.

*You can delete your Account after logging in to it at any time and without giving a reason. In the “My account” tab, there is a “Delete your account” option. If the Account is deleted, all data will be deleted, with the exception of data necessary for the complaint process and handling of potential claims which will be stored until the expiry of the limitation periods for civil law claims arising from Orders which have been completed. Personal data contained in the Seller’s tax books and related documents will be stored until the expiry of the limitation period for tax liabilities, in accordance with the Tax Ordinance.

3. PLACING ORDERS AND FULFILMENT OF SALES CONTRACTS

Personal data of persons who place an order on the website (including persons who place an order without registering an account) and, as a result of placing an order, conclude a sales contract:

First name, surname, address of residence (street, house number, postal code, city/town), delivery address (if different from the address of residence), contact phone and e-mail address.

Personal data related to the ordering process are processed:

  • to fulfil the order that has been placed – the legal basis for processing is the necessity of processing for the performance of the contract (Article 6(1)(b) GDPR);
  • to fulfil the statutory obligations imposed on the Controller, arising in particular from tax and accounting regulations – the legal basis for processing is compliance with a legal obligation (Article 6(1)(c) GDPR);
  • for analytical and statistical purposes – the legal basis for processing is the legitimate interest pursued by the Controller (Article 6(1)(f) GDPR) consisting in analysing the activity of Customers in the Store, as well as their shopping preferences in order to improve the functionalities used;
  • for the determination and enforcement of claims or defence against them – the legal basis for processing is the legitimate interest pursued by the Controller (Article 6(1)(f) GDPR) consisting in the protection of its rights.

Period for which personal data will be stored / criteria for determining this period:

The data collected for the performance of the contract are stored until the expiry of statutory deadlines (e.g. tax regulations).

4. NEWSLETTER

The data processed in connection with sending the newsletter are: first name and e-mail address.

Personal data related to the sending of the newsletter are processed in order to:

  • carry out marketing activities, which may consist in sending e-mail notifications about interesting offers or content – Newsletter. The basis for data processing is the person’s consent to subscribe to the newsletter (Article 6(1)(a) GDPR). The consent may be withdrawn at any time, also via the link at the bottom of each newsletter, as well as by sending a request to be removed from the newsletter mailing list to the e-mail address: kontakt@e-herbapol.com.pl and, after logging in, in the Newsletter tab of the Customer’s account. Withdrawal of consent takes effect for the future, which means that it will not affect the legality of any action taken by us prior to its withdrawal.

Period for which personal data will be stored / criteria for determining this period:

The data will be deleted when the consent is withdrawn.

5. COOKIES

Information about COOKIES can be found in the COOKIE POLICY.

III. RIGHTS OF PERSONS WHOSE DATA ARE PROCESSED

The data subjects have the following rights:

  • The right to be informed about the processing of personal data – on this basis, the Controller provides, to the person submitting the request, information about personal data processing, including mainly the purposes and legal grounds for processing, the scope of data stored, entities to which personal data are disclosed and the planned date of erasure of data;
  • The right to obtain a copy of data – on this basis, the Controller provides a copy of the personal data being processed, regarding the person submitting the request;
  • The right to rectification – on this basis, the Controller removes any inconsistencies or errors regarding the personal data being processed, and supplements or updates them if they are incomplete or have changed;
  • The right to erasure – on this basis, you can request the erasure of data the processing of which is no longer necessary to fulfil any of the purposes for which they were collected;
  • The right of restriction of processing – on this basis, the Controller ceases to perform operations on personal data, except for operations for which the data subject has given consent and their storage, in accordance with the adopted retention rules, or until the reason for the restriction of data processing ceases to exist (e.g. a decision of the supervisory body authorising further data processing will be issued);
  • The right to data portability – on this basis, insofar as the data are processed in connection with a concluded contract or a consent granted, the Controller issues the data provided by the data subject in a computer-readable format. It is also possible to request that the data be transmitted to another entity, provided that this is technically possible both on the part of the Controller and that other entity;
  • The right to object to data processing for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such objection;
  • The right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data on the basis of the legitimate interest pursued by the Controller (e.g. for analytical or statistical purposes or for reasons related to the protection of property). The objection in this respect should contain a justification and is subject to the Controller’s assessment;
  • The right to withdraw consent – if data are processed based on a consent, the data subject has the right to withdraw such consent at any time, which does not affect the lawfulness of processing based on consent before its withdrawal;
  • The right to file a complaint – if you find that the processing of your data violates the provisions of the GDPR or other regulations regarding protection of personal data, you may file a complaint with the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warszawa.

A request regarding the exercise of the rights of data subjects may be submitted:

  • in writing to the following address: “Herbapol-Lublin” S.A., ul. 25 Diamentowa (20-471 Lublin);
  • by e-mail to the following address: kontakt@e-herbapol.com.pl or iod@herbapol.com.pl.

The request should, as far as possible, precisely indicate what is demanded, i.e. in particular:

  • which right the person submitting the request wishes to exercise (e.g. right to obtain a copy of data, right to have the data erased, etc.);
  • which processing process the request concerns (e.g. use of a specific service, activity on a specific website, receipt of a newsletter containing commercial information to a specific e-mail address, etc.);
  • which processing purposes the request concerns (e.g. marketing purposes, analytical purposes, etc.).

If the Controller is not able to determine the content of the request or identify the person submitting the request based on the notification submitted, it will request additional information.

A response to the notification will be given within 30 days of receipt. If it is necessary to extend this deadline, the Controller will inform the person submitting the request about the reasons for such extension.

The answer will be sent to the e-mail address from which the request was sent, and in the case of requests sent by letter, by ordinary letter to the address indicated by the person submitting the request, unless the letter states that feedback is to be sent to the e-mail address (in which case the e-mail address should be provided).

IV. DATA RECIPIENTS

In connection with the provision of services, personal data will be disclosed to external entities, including in particular providers responsible for the operation of IT systems, entities such as banks and payment operators, entities providing accounting, legal, audit, consulting, courier services (in connection with fulfilment of the order), marketing agencies (in the scope of marketing services).

If the Customer agrees, his or her data may also be made available to other entities for their own purposes, including marketing purposes.

The Controller reserves the right to disclose selected information concerning Customers to the competent authorities or third persons that submit a request for such information on an appropriate legal basis and in accordance with the applicable law.

V. TRANSFER OF DATA OUTSIDE THE EEA

We do not currently transfer the personal data of Customers outside the EEA. The level of protection of personal data outside of the European Economic Area (EEA) differs from that provided by European law. For this reason, if the Controller decides to transfer personal data outside the EEA, it will do so only if it is necessary and with an adequate level of protection, in particular by:

  • cooperation with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued;
  • use of standard contractual clauses issued by the European Commission;
  • application of binding corporate rules, approved by the competent supervisory authority;
  • in the event of data transfer to the USA – cooperation with entities participating in the Privacy Shield Program, approved by the European Commission.

The Controller always gives notice of its intention to transfer personal data outside the EEA at the stage of their collection.

VI. SECURITY OF PERSONAL DATA

The Controller conducts risk analysis on an ongoing basis to ensure that personal data is processed in a secure manner – ensuring, above all, that only authorised persons have access to the data and only to the extent that it is necessary due to the tasks performed by them. The Controller makes sure that all operations on personal data are recorded and made only by authorised employees and associates.

The Controller undertakes all necessary actions so that its subcontractors and other cooperating entities guarantee that appropriate security measures are applied whenever they process personal data at the request of the Controller.

VII. PRIVACY POLICY UPDATES

The policy is verified on an ongoing basis and updated if necessary.