PRIVACY POLICY
1.1. Administrator – 4MYOrganic Sp. z o.o. Sp.k. with headquarters in Warsaw (postal code: 02-933), ul. Okrężna 83 A
1.2. Personal data – all information about a natural person identified or identifiable by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, internet identifier and information collected through cookies and other similar technology.
1.3. Policy – this Privacy Policy.
1.5. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and the repeal of Directive 95/46/EC.
1.5. Service – a website maintained by the Administrator at www.4organic.pl and www.sklep.4organic.pl.
1.6. User – any natural person visiting the Service or using one or more services or functionalities described in the Policy.
2.1. In connection with the User’s use of the Service, the Administrator collects data to the extent necessary to provide individual services offered, as well as information about the User’s activity on the Service website. The detailed rules and purposes of processing personal data collected during the use of the Service by the User are described below.
USING THE SERVICE
3.1. Personal data of all persons using the Service (including IP address or other identifiers and information collected via cookies or other similar technologies) and who are not registered Users (i.e. persons without a profile in the Service) are processed by the Administrator:
3.1.1. in order to provide electronic services in the scope of making the content collected on the Website available to Users, including:
- to the extent necessary to establish, shape the content, change, solve and correctly implement services provided electronically and to implement orders placed by the User;
- in order to fulfill orders placed by the User for products in the Service’s assortment;
- in order to consider complaints submitted by the User and to return benefits in the case of withdrawal from the agreement (return of goods);
– then the legal basis for processing is the necessity of processing to perform the contract (Article 6 (1) (b) of the GDPR);
3.1.2. for analytical and statistical purposes – then the legal basis for processing is the Controller’s legitimate interest (Article 6 (1) (f) of the GDPR) consisting in conducting analyses of Users’ activity, as well as their preferences in order to improve the functionalities and services provided;
3.1.3. in order to possibly establish and pursue claims or defend against them – the legal basis for processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in the protection of its rights;
3.1.4. for marketing purposes of the Administrator and his trusted partners, by sending a newsletter – the legal basis for processing is the User’s consent (Article 6 (1) (a) of the GDPR).
3.1.5. for the Administrator’s marketing purposes, including presenting offers and products on the Website related to the provision of electronic services – the legal basis for processing is a legitimate interest (Article 6 (1) (f) of the GDPR).
Detailed rules for the processing of personal data for marketing purposes are described in the “MARKETING” section.
3.2. The User’s activity on the Service, including his personal data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and activities related to the IT system used to provide services by the Administrator). The information collected in the logs is processed primarily for purposes related to the provision of services. The Administrator also processes them for technical and administrative purposes, for the purposes of ensuring the security of the IT system and managing this system, as well as for analytical and statistical purposes – in this respect, the legal basis for processing is the Administrator’s legitimate interest (Article 6 (1) (f) GDPR).
REGISTRATION IN THE SERVICE
3.3. Persons who register in the Service are asked to provide the data necessary to create and operate the account. In order to facilitate service, the User may provide additional data, thereby consenting to their processing. Such data can be deleted at any time. Providing data marked as mandatory is required in order to set up and operate an account, and failure to do so results in the inability to create an account. Providing other data is voluntary.
3.4. Personal data are processed:
3.4.1. in order to provide services related to the operation and maintenance of an account in the Service – the legal basis for processing is the necessity of processing to perform the agreement (Article 6 (1) (b) of the GDPR), and in the scope of optional data – the legal basis for processing is consent (Article 6 section 1 letter a of the GDPR);
3.4.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in conducting analyses of Users’ activity in the Service and how they use the account, as well as their preferences in order to improve the functionalities used;
3.4.3. in order to possibly establish and pursue claims or defend against them – the legal basis for processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in the protection of its rights.
3.4.4. for marketing purposes of the Administrator and other entities – the rules for the processing of personal data for marketing purposes are described in the “MARKETING” section.
3.5. If the User places any personal data of other people in the Service (including their name, address, telephone number or e-mail address), they may do so only if they do not violate the applicable law and personal rights of these people.
PLACING ORDERS (USING PAID SERVICES ON THE WEBSITE)
3.6. Placing an order (purchase of goods or services) by the User involves the processing of his personal data. Providing data marked as mandatory is required in order to accept and service the order, and failure to do so results in the lack of its implementation. Providing other data is optional.
3.7. Personal data are processed:
3.7.1. in order to fulfill the order placed – the legal basis for processing is the necessity of processing to perform the agreement (Article 6 (1) (b) of the GDPR); in the scope of optional data, the legal basis for processing is consent (Article 6 (1) (a) of the GDPR);
3.7.2. in order to fulfill the statutory obligations incumbent on the Administrator, resulting in particular from tax and accounting regulations – the legal basis for processing is the legal obligation (Article 6 (1) (c) of the GDPR);
3.7.3. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in conducting analyses of Users’ activity in the Service, as well as their purchasing preferences in order to improve the functionalities used;
3.7.4. in order to possibly establish and pursue claims or defend against them – the legal basis for processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in the protection of its rights.
CONTACT FORMS
3.8. The administrator provides the possibility of contacting him using electronic contact forms. Using the form requires providing personal data necessary to contact the User and answer the inquiry. The User may also provide other data to facilitate contact or service the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to do so results in the inability to service. Providing other data is voluntary.
3.9. Personal data are processed:
3.9.1. in order to identify the sender and handle his inquiry sent via the provided form – the legal basis for processing is the necessity of processing to perform the service agreement (Article 6 (1) (b) of the GDPR);
3.9.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in keeping statistics of inquiries submitted by Users via the Service in order to improve its functionality.
4.1. The Administrator processes Users’ personal data in order to carry out marketing activities, which may include:
4.1.1. displaying to the User marketing content that is not tailored to his preferences (contextual advertising);
4.1.2. displaying to the User marketing content corresponding to his interests (behavioral advertising);
4.1.3. sending e-mail notifications about interesting offers or content, which in some cases contain commercial information (newsletter service);
4.1.4. conducting other types of activities related to direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).
4.2. In order to carry out marketing activities, the Administrator uses profiling in some cases. This means that thanks to automatic data processing, the Administrator evaluates selected factors relating to natural persons in order to analyze their behavior or create a forecast for the future.
CONTEXTUAL ADVERTISING
4.3. The Administrator processes Users’ personal data for marketing purposes in connection with directing contextual advertising to Users (i.e. advertising that does not match the User’s preferences). The processing of personal data takes place then in connection with the implementation of the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR).
BEHAVIORAL ADVERTISING
4.4. The Administrator and his trusted partners process Users’ personal data, including personal data collected via cookies and other similar technologies, for marketing purposes in connection with targeting behavioral advertising to Users (i.e. advertising that is tailored to the User’s preferences). The processing of personal data then also includes profiling of Users.
NEWSLETTER
4.5. The administrator provides the newsletter service on the terms specified in the regulations to persons who have provided their e-mail address for this purpose. Providing data is required to provide the newsletter service, and failure to do so results in the inability to send it.
4.6. Personal data are processed:
4.6.1. in order to provide the newsletter sending service including sending marketing content – the legal basis for processing is the User’s consent to receive it (Article 6 (1) (a) of the GDPR);
4.6.2. for analytical and statistical purposes – the legal basis for processing is the Administrator’s legitimate interest (Article 6 (1) (f) of the GDPR) consisting in conducting analyses of Users’ activity in the Service in order to improve the functionalities used;
4.6.3. in order to possibly establish and pursue claims or defend against them – the legal basis for processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR).
The user may unsubscribe from the newsletter at any time. He can contact the Customer Service Department by sending an e-mail to the address kontakt@4organic.pl.
DIRECT MARKETING
4.7. The User’s personal data may also be used by the Administrator to direct marketing content to him through various channels, i.e. via e-mail or web push. Such actions are taken by the Administrator only if the User has given their consent, which may be withdrawn at any time.
5.1. The Administrator processes the personal data of Users visiting the Administrator’s profiles in social media (Facebook, YouTube, Instagram). These data are processed only in connection with keeping the profile, including to inform Users about the Administrator’s activity and to promote various types of events, services and products. The legal basis for the processing of personal data by the Administrator for this purpose is its legitimate interest (Article 6 (1) (f) of the GDPR) consisting in promoting its own brand.
6.1. Cookies are small text files installed on the device of the User browsing the Website. Cookies collect information that facilitates the use of the Service – e.g. by remembering the User’s visits to the Service and the activities performed by the User. They are saved on the User’s end device (computer, smartphone, tablet, etc.). By saving these files on the device it is possible, among other things, to remember login details, thanks to which the User will not have to enter the login and password each time. These files remember the goods added to the basket or adjust the content of the website to the interests of the User. Thanks to cookies, it is possible to collect Service statistical data, which allows us to develop the Shop in accordance with the preferences of our customers.
6.2. If the User does not agree to saving cookies on his device, he should configure the browser settings accordingly or delete saved cookies from the browser’s memory each time after using the website. It should be borne in mind that the use of restrictions on saving cookies may make it difficult or impossible to use the Service.
6.3. In order to consent to the storage of cookies, you must give the consent shown at the bottom of the Service website.
6.4. As part of the website, information on geolocation is collected, i.e. the Administrator verifies from which location (continent, country, province and city) the User places an order.
“SERVICE” COOKIES
6.5. The administrator uses the so-called service cookies primarily to provide the User with services provided electronically and to improve the quality of these services. Therefore, the Administrator and other entities providing analytical and statistical services to him use cookies by storing information or accessing information already stored in the User’s telecommunications end device (computer, telephone, tablet, etc.). Cookies used for this purpose include:
6.5.1. cookies with data entered by the User (session ID) for the duration of the session (user input cookies);
6.5.2. authentication cookies used for services that require authentication for the duration of the session (authentication cookies);
6.5.3. cookies used to ensure security, e.g. used to detect fraud in the field of authentication (user centric security cookies);
6.5.4. persistent cookies used to personalize the User’s interface for the duration of the session or a little longer (user interface customization cookies),
6.5.5. cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (these are files used by the Google company to analyze how the User uses the Service, to create statistics and reports on the functioning of the Service). Google does not use the collected data to identify the User and does not combine this information to enable identification. Detailed information on the scope and principles of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.
“MARKETING” COOKIES
6.6. The administrator and his trusted partners also use cookies for marketing purposes, including in connection with targeting Users with behavioral advertising. For this purpose, the Administrator and trusted partners store information or gain access to information already stored in the User’s telecommunications end device (computer, telephone, tablet, etc.). The use of cookies and personal data collected through them for marketing purposes, in particular in the field of promoting services and goods of third parties, requires the consent of the User. This consent may be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of the processing which was carried out on the basis of consent before its withdrawal.
7.1. The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. As a rule, data is processed for the time the service is provided or the order is processed, until:
7.1.1. termination of the agreement,
7.1.2. withdrawal of the consent given, when the legal basis for data processing is the consent of the User, or
7.1.3. reporting an effective objection to data processing in cases where the legal basis for data processing is the legitimate interest of the Administrator.
7.2. The data processing period may be extended each time if the processing is necessary to establish and assert any claims or defend against them, and after that time only if and to the extent that it will be required by law. After the expiry of the processing period, the data is irreversibly deleted or anonymized.
8.1. The User has the right to: access the data and request rectification, deletion, processing restrictions, the right to transfer data and the right to object to data processing, as well as the right to lodge a complaint with the supervisory body dealing with the protection of personal data.
8.2. To the extent that the User’s data is processed on the basis of consent, it can be withdrawn at any time by contacting the Administrator or using the functionalities available on the Service.
8.3. The User has the right to object to the processing of data for marketing purposes, if the processing takes place in connection with the legitimate interest of the Administrator, and – for reasons related to the specific situation of the User – in other cases when the legal basis for data processing is the legitimate interest of the Administrator (e.g. in connection with the implementation of analytical and statistical purposes).
9.1. In connection with the provision of services, personal data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems, entities such as banks and payment operators, entities providing accounting services, couriers (in connection with the implementation of the order), marketing agencies (in the scope of marketing services).
9.2. If the User’s consent is obtained, his data may also be made available to other entities for their own purposes, including marketing purposes.
9.3. The Administrator reserves the right to disclose selected information about the User to the competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.
10.1. The level of personal data protection outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Administrator transfers personal data outside the EEA only when it is necessary and with an adequate level of protection, primarily through:
10.1.1. cooperation with entities processing personal data in countries for which a relevant decision of the European Commission has been issued;
10.1.2. use of standard contractual clauses issued by the European Commission;
10.1.3. application of binding corporate rules approved by the competent supervisory authority;
10.1.4. in the event of data transfer to the USA – cooperation with entities participating in the Privacy Shield program, approved by a decision of the European Commission.
10.2. The administrator always informs about the intention to transfer personal data outside the EEA at the stage of their collection.
11.1. The administrator ensures the security of personal data thanks to appropriate technical and organizational measures aimed at preventing unlawful data processing and their accidental loss, destruction and damage. In addition, the Administrator takes special care that personal information is:
11.1.1. correct and processed in accordance with the law,
11.1.2. obtained only for specific purposes and not further processed in a manner inconsistent with these purposes,
11.1.3. adequate, relevant and not redundant in relation to the purposes of their processing,
11.1.4. accurate and up-to-date,
11.1.5. not kept longer than necessary,
11.1.6. safely stored,
11.1.7. not transferred to a country outside the European Economic Area without adequate protection.
11.2. In order to better secure the User’s account, it is recommended to:
11.2.1. use a complex password securing access to the account that third parties cannot guess. Such a password should contain a minimum of 8 characters, uppercase and lowercase letters, numbers and special characters;
11.2.2. keep the login and password to the Customer’s account secret, including in particular not transferring data (login, password) to any third parties;
11.2.3. log out of the Service after each completed session (completed purchases, adding messages on the forum, etc.). Merely closing the browser window is not tantamount to logging out of the Service. Logging out of the Service takes place after clicking the “Log out” button;
11.2.4. use antivirus programs, including regular virus scans on disks;
11.2.5. use the Service only through trusted computers on which only proven software has been installed. The use of third party computers by the User carries the risk of intercepting the login, password or other data provided by the User while using the account;
11.2.6. if the User uses the Service via a foreign computer, e.g. in an internet cafe, he should not save the data on the computer and should delete the history of the pages viewed.
11.3. The administrator conducts a risk analysis on an ongoing basis to ensure that personal data is processed by him in a safe manner – ensuring, above all, that only authorized persons have access to the data and only to the extent that it is necessary due to the tasks they perform. The administrator makes sure that all operations on personal data are recorded and performed only by authorized employees and associates.
11.4. The administrator takes all necessary steps to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures in each case when they process personal data at the request of the Administrator.
12.1. Contact with the Administrator is possible via the e-mail address kontakt@4organic.pl or the correspondence address:
4MYOrganic Sp. z o.o. Sp.k.
ul. Okrężna 83 A
02-933 Warsaw
13.1. The policy is verified on an ongoing basis and updated if necessary. The current version of the Policy was adopted and has been in force since May 23, 2018.