PRIVACY AND COOKIES POLICY
I. Who are we?
The controller of your personal data, i.e. the entity responsible for what happens to them, is us, the owner of yourkaya.com Store, i.e. Bright Future spółka z ograniczoną odpowiedzialnością with its registered office in Wrocław, ul. Duńska 7, 54-427 Wrocław, entered in the Register of Businesses kept by the District Court for Wrocław-Fabryczna in Wrocław, 6th Business Division of the National Court Register, under KRS [National Court Register] No. 0000692159, NIP [tax identification No.]: 5213792944, REGON [National Official Business Register No.]: 368186614, share capital: PLN 10,800.00 (hereinafter referred to as the "Controller").
II. How can you contact us?
Send us an e-mail to [email protected]. We will be happy to help. However, if you prefer to contact us in writing, send us a letter to Bright Future spółka z ograniczoną odpowiedzialnością, Bagatela 10/8, 00-585 Warsaw, Poland.
III. What data do we collect and for what purpose?
We may process your personal data in the following cases:
1) to enter into and perform the sales contract (fulfil your order) – we may process your data which are necessary to enter into and perform the sales contract (fulfil your order) or take steps at your request prior to entering into the contract, such as your name/company name, e-mail address, contact address (delivery address), contact telephone number and tax identification number (NIP). Providing such data is voluntary, but necessary to place an order. These data shall be processed to perform the sales contract or to take steps at your request prior to entering into the contract (article 6(1)(b) of GDPR) and to fulfil obligations under laws in force, including tax law and accounting regulations (article 6(1)(c) of GDPR). They will be processed for the time necessary to fulfil the order until the end of the limitation period for claims under the sales contract.
2) to process a complaint or to make it possible for you to exercise your right to withdraw from the contract – we may process your data provided in the complaint or notice of withdrawal from the contract, such as your name, e-mail address, contact address, telephone number, order number and bank account number (if we pay your money back). Providing such data is voluntary, but necessary to make a complaint or submit a notice of withdrawal from the contract. The data are processed by us, because the processing is necessary for compliance with a legal obligation (under article 6(1)(c) of GDPR) for the time necessary to carry out the complaint or contract withdrawal procedure. Having taken the above steps, we may process the personal data you provided to archive documents and demonstrate the progress of the complaint or contract withdrawal procedure in the future on the basis of our legitimate interest (article 6(1)(f) of GDPR) until the end of the limitation period for your claims in this regard or until you file a reasoned objection.
3) to contact you – we may process your data such as your name, e-mail address, telephone number or mailing address, as well as other data you decide to provide us in the message sent to us. In this case, your personal data shall be processed on the basis of our legitimate interest which is to correspond with you and exchange information (article 6(1)(f) of GDPR). Once our correspondence or information exchange has ended, we may process your personal data for archiving purposes (which is our legitimate interest under article 6(1)(f) of GDPR). Providing such data is voluntary, but necessary to correspond or exchange information with us. Your personal data shall be processed at the latest until you file a reasoned objection.
4) to keep your Account (registration and management of the Account) – we may process your data such as your name, e-mail address, contact address, contact telephone number and history of orders placed by you. In this case, your data shall be processed on the basis of the contract entered into with us for the provision of electronic services (article 6(1)(b) of GDPR). Providing such data is voluntary, but necessary to create the Account (enter into the contract) and to use it. These data shall be processed for the duration of the contract for the provision of electronic services until the end of the limitation period for claims under the contract at the latest. You can also provide us with more personal data in your profile, such as the day and month of your birth. In that case, the basis for the processing of your personal data shall be the consent you have given us (article 6(1)(a) of GDPR). Providing such data is voluntary and shall help us personalise our offer for you and make it easier to contact you. It is only up to you whether you give us more data and you can change your settings at any time.
5) to establish a business relationship or partnership and then to enter into and perform civil law contracts – we may process your data such as your name, telephone number, e-mail address, company name, tax identification number and function/position. Providing such data is voluntary, but necessary to enter into a contract with us. These data shall be processed to perform the contract entered into or to take steps at your request prior to entering into the contract (article 6(1)(b) of GDPR) and to fulfil obligations under laws in force, including the tax law and accounting regulations (article 6(1)(c) of GDPR). They shall be processed for the time necessary to perform the contract entered into with us until the end of the limitation period for claims under this contract.
6) to contact representatives or designated contact persons – if you represent any public or private entity or have been designated as a contact person by such entity, we may process your data such as your name, PESEL [personal identification No.], telephone number, email address and function/position on the basis of our legitimate interest (article 6(1)(f) of GDPR) which is to sign and enter into a contract with the entity you represent, to contact this entity and to verify whether you are authorised to represent this entity. Providing data is voluntary, but refusal to provide it may make it impossible for us to communicate or enter into a contract. Your data may be processed until the end of communication with you or the end of the limitation period for claims under the contract entered into with the entity you represent or of which you are a representative.
7) to establish, exercise or defend claims and rights – on the basis of our legitimate interest (article 6(1)(f) of GDPR) until the end of the limitation period for these claims.
8) to send you our Newsletter – we may process your data in the form of your e-mail address on the basis of our legitimate interest (article 6(1)(f) of GDPR) which is to check whether you read our Newsletters and which of the information contained therein you are most likely to read. We may also process your data in the form of the day and month of your birth on the basis of the consent given by you when signing up to our Newsletter. The Newsletter shall be sent pursuant to article 10 of the Electronic Services Provision Act of 18 July 2002 and article 172 of the Act of 16 July 2004 – Telecommunications Law. The processing of your personal data shall take place at the latest until you file a reasoned objection to the processing of your personal data or withdraw your consent to receive the Newsletter. Providing data is voluntary, but giving your e-mail address is necessary if you want to receive our Newsletter. You may unsubscribe from the Newsletter at any time by sending an e-mail to [email protected] or by clicking on the unsubscribe link at the bottom of each message in which the Newsletter is sent.
9) for direct marketing purposes – on the basis of our legitimate interest (article 6(1)(f) of GDPR) at the latest until you file a reasoned objection to the processing of your personal data. Direct marketing communication may also take place under article 10 of the Electronic Services Provision Act of 18 July 2002 on the basis of your consent to receive commercial information by electronic means of communication or article 172 of the Act of 16 July 2004 – Telecommunications Law on the basis of your consent to use telecommunications terminal equipment and automatic calling systems for direct marketing purposes. Direct marketing communication then takes place electronically and may also take place via automatic calling systems, including SMS/MMS/e-mail. In this case, we may process your personal data until you withdraw your consent. Remember, however, that withdrawal of such consent does not constitute an objection to the processing of your personal data within the framework of our legitimate interest.
10) to manage the website and to analyse data collected by automated means – on the basis of our legitimate interest (article 6(1)(f) of GDPR) for the duration of the operation of our website, but no longer than until you file a reasoned objection to the processing of your personal data.
11) to keep profiles on social networking sites and web portals – as we have profiles on social networking sites (e.g. Facebook, Instagram, Pinterest and Twitter), we may process the data that you leave when visiting our profiles and viewing the presented materials (e.g. comments, identifiers and likes). In that case, such data are processed primarily to enable activity on our profiles and portals where we present our materials, to effectively manage our profiles, to present information about our operations, initiatives, services or other activities and in connection with the promotion of our products and services, as well as for statistical and analytical purposes and possibly for the purposes of exercising and defending claims. The legal basis for the processing of your personal data is our legitimate interest (article 6(1)(f) of GDPR) which is to promote our brand, present our materials, ensure high quality of our services and products offered, as well as exercising and defending claims (if necessary). Your data in the aforementioned scope shall be processed by us for the period we keep our profiles and present our materials and after the end of this period for the period required by provisions of generally applicable law. The period of storing such personal data may be each time extended by the limitation period for claims if the processing is necessary for us to exercise or defend such claims. Please note that the above information does not apply to the processing of personal data by administrators of social networking sites and web portals.
12) in the case of reporting adverse reactions to cosmetic products – if a cosmetic product is purchased in our Store, in the event of an adverse reaction to this cosmetic product, a healthcare professional and the end user, his legal guardian or legal representative may report this reaction to us by sending us a letter (Bagatela 10/8, 00-585 Warsaw, Poland) or e-mail ([email protected]).
As far as reporting of adverse reactions to cosmetic products is concerned, your personal data shall be processed for the following purposes:
a) to ensure high standards of quality and safety of cosmetic products and, in particular, to monitor the safety of cosmetic products, including to keep a register of reports of individual cases of adverse reactions to cosmetic products and to report individual cases of severe adverse reactions to cosmetic products to the competent authorities; to meet the obligation to ensure public access to the above information:
– data concerning health shall be processed under article 9(2)(i) of GDPR, i.e. the processing is necessary for reasons of public interest in the area of public health which is to ensure high standards of quality and safety of cosmetic products on the basis of the law, i.e. on the basis of Regulation (EC) No. 1223/2009 of the European Parliament and of the Council of 30 November 2009 – article 23, and the Cosmetic Products Act of 4 October 2018;
– other personal data shall be processed under Article 6(1)(c) of GDPR, i.e. the processing is necessary for compliance with a legal obligation, including the obligation under Regulation (EC) No. 1223/2009 of the European Parliament and of the Council of 30 November 2009, including articles 10 and 21, and the Cosmetic Products Act of 4 October 2018, including article 11.
In the case of personal data concerning health, the basis for the processing in certain situations may also be the consent of data subjects (article 9(2)(a) of GDPR in conjunction with the provisions of Regulation No. 1223/2009 of 30 November 2009 and the Cosmetic Products Act of 4 October 2018).
b) to establish, exercise or defend claims – in the case of data concerning health, under article 9(2)(f) of GDPR, i.e. the processing is necessary for the establishment, exercise or defence of claims; in the case of other ordinary data, under article 6(1)(f) of GDPR, i.e. on the basis of our legitimate interest which is the right to exercise or defend claims.
We shall store your personal data for the period which is necessary to fulfil the purposes of the processing and which is defined in applicable regulations on the storage of cosmetic product adverse reaction reports, i.e. one year after the end of the verification of the adverse reaction report. As far as pursuing our legitimate interests is concerned, including to defend or exercise claims, until the end of the limitation period for claims.
13) Furthermore, in other (different than the above) cases about which we shall keep you informed, your personal data may be processed on the basis of the following: • freely given consents (article 6(1)(a) of GDPR); • applicable law – when the processing is necessary for compliance with a legal obligation (article 6(1)(c) of GDPR); • necessity for purposes other than those mentioned above arising from legitimate interests pursued by us or by a third party (article 6(1)(f) of GDPR).
IV. Who are our partners (recipients of your data)?
We may transfer your personal data to entities that cooperate with us. These are entities providing in particular the following services: telecommunications services, IT services, hosting services, courier services, legal services, including debt collection services, accounting and financial services, entities providing statistical analysis services, advertising and marketing services (including mailing services) or ensuring the maintenance of our website and entities providing personal data protection training and consulting services.
As a general rule, we do not transfer your personal data outside the European Economic Area (EEA), but if it is necessary, we may transfer them outside the EEA only while ensuring an adequate level of protection in accordance with GDPR, primarily by the following: applying appropriate safeguards in the form of standard contractual clauses adopted pursuant to a decision of the European Commission and personal data processing agreements that meet the requirements of GDPR; cooperating with personal data processors in countries for which an appropriate and valid decision of the European Commission has been issued regarding the determination of an adequate level of protection for personal data; and applying binding corporate rules approved by the competent supervisory authority.
V. How do we process your data and what are your rights in this regard?
We conduct an ongoing risk analysis to ensure that personal data are processed in a secure manner, ensuring, in particular, that only authorised persons have access to the data and only to the extent necessary to fulfil the specific purpose for which the data were collected, taking into account the tasks performed by such persons. We make sure that all personal data operations are recorded and performed only by authorised employees and partners. We take all necessary measures to ensure that also our subcontractors and other cooperating entities guarantee the application of appropriate data protection measures.
To the extent that the applicable personal data regulations provide so, you have the following rights:
1) the right of access to your personal data (article 15 of GDPR): you have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and information including the following: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom your personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
2) the right to rectification (article 16 of GDPR): you have the right to request us to rectify your personal data when they are inaccurate or incomplete;
3) the right to erasure ('right to be forgotten') (article 17 of GDPR): in cases provided for by applicable law, you have the right to request us to erase your personal data and to inform the entities to which we have transferred your data of your request;
4) the right to restriction of processing (article 18 of GDPR): in certain cases you have the right to request that we restrict the processing of your personal data: a) when you question the accuracy of your personal data – for a period enabling us to verify the accuracy of these data; b) when the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; c) when we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of claims; and d) when you have objected to the processing pursuant to article 21(1) of GDPR pending the verification whether our legitimate grounds override yours;
5) the right to data portability (article 20 of GDPR): you have the right to receive the personal data you have provided to us and transmit them to another personal data controller of your choice. You have the right to data portability if we process your personal data on the basis of your consent (article 6(1)(a) of GDPR) or in order to perform a contract (article 6(1)(b) of GDPR) and the processing is carried out by automated means. You also have the right to have your personal data transmitted directly to another authorised controller, where technically feasible;
6) the right to object (article 21 of GDPR): if we process your data on the basis of our legitimate interests, you have the right to object to the processing of your personal data on grounds relating to your particular situation. Your objection in this respect should contain a statement of reasons. Then, we shall no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of claims. Where your personal data are processed by us for direct marketing purposes, including profiling, once we have received your objection (without having to justify it) we definitely can no longer process your data for such purposes;
7) the right to withdraw consent (article 7 of GDPR): where the processing of your personal data is based on your consent (article 6(1)(a) of GDPR), you have the right to withdraw such consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
8) the right to lodge a complaint with a supervisory authority (article 77 of GDPR): if you believe that the processing of your personal data violates applicable laws, you have the right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office.
To exercise your rights (with the exception of section 8 above), just send us an e-mail to [email protected] or write to us to Bright Future spółka z ograniczoną odpowiedzialnością, Bagatela 10/8, 00-585 Warsaw, Poland.
VI. How long do we store your data?
The period for which we process personal data depends on the purpose of the processing and is given in section III for each purpose. The period of data processing may be extended if the processing is necessary for the establishment, exercise or defence of claims (until the end of the limitation period for claims under the Civil Code), and thereafter only if and to the extent required by the law (e.g. in the case of tax and accounting documents – 5 years from the end of the calendar year in which the deadline for tax payment expired). After the end of the processing period, the data are erased or anonymised.
VII. Cookies Policy
Cookies are used for the following purposes:
1) to adjust the content of our website to the Store user's preferences and optimise the use of the website; in particular, these files make it possible for the Store to recognise the Store user's device and appropriately display the website tailored to the user's needs;
2) to create statistics which help to understand how users of the Store use our website, which makes it possible to improve its structure and content.
The Store uses two basic types of cookies: session cookies and persistent cookies. Session cookies are temporary files that are stored on the user's device until the user leaves the website or disables the software (closes a web browser). Persistent cookies are files that are stored on the user's device for a period of time specified in cookies parameters or until they are deleted by the user.
The Store may use the following types of cookies:
1) essential cookies that make it possible to use the services available in the Store, e.g. authentication cookies used for services requiring authentication in the Store;
2) cookies which ensure security, e.g. cookies which are used to detect irregularities in the area of authentication in the Store;
3) performance cookies which make it possible to collect information about the way Store's pages are used;
4) functional cookies which make it possible to remember settings selected by the user and to personalise the user's interface, e.g. with regard to the selected language or region from which the user comes, the font size, website look, etc.;
5) advertising cookies which make it possible to provide users with advertising content more suited to their interests.
On our website, we use our own cookies to ensure its smooth operation (e.g. to check the popularity of our website, for statistical and analytical purposes or to process product orders) and third-party cookies used by third parties whose services we use in our business (e.g. using such tools as Google Analytics or Facebook).
VII. 1. Profiling
We collect the data stored in cookies in order to tailor content to your needs. By 'content' we mean both the information we publish on our website and the information which is displayed to you by administrators of websites on which we have our profiles (e.g. Facebook and Instagram). By 'tailoring' we mean making the content more interesting for you, as the data stored in cookies make it possible for us to analyse your behaviour.
By using cookies, we can learn about the preferences of our users based on the analysis of how often a user visits our website and their interest in specific products. This allows us to understand the habits, expectations and needs of our customers, which we can satisfy by adjusting the functionalities of our website accordingly. Cookies allow us to show you advertisements tailored to your interests and to present to you offers or marketing content that you are interested in. In other words, the purpose of what we do is to create your profile based on the information available to us. This use of data allows us to show you advertisements that you will find interesting.
If you choose not to have cookies stored on your device, you will be shown advertisements when you use our website, but these advertisements will not be related to your previous activity on the website. Moreover, the analysis of interests (preferences) may apply to customers of age if they have given their consent to it when it serves the purpose of creating and presenting dedicated advertisements or offers, or granting discounts in an automated manner which may produce legal effects with regard to such customer or significantly affect them in a similar manner. Therefore, if you explicitly consent to personalised offers and content, we may show you attractive price offers, e.g. discounts/bonuses, that are tailored to your interests and preferences. These offers will be shown to you in an automated manner and may be based on profiling. The offers will be active for a limited period of time and can only be used by you. Receiving such offers may be dependent on the device and browser you use to access our website. In this case, in addition to the rights specified in section V of this Policy, you have the right to obtain human intervention on our part as the controller, to express your point of view and to contest the offer sent to you. For this purpose, you can email us to [email protected] or write to us to Bright Future spółka z ograniczoną odpowiedzialnością, Bagatela 10/8, 00-585 Warsaw, Poland.
VII. 2. Retargeting
Using cookies, we can reach with our advertising message those users who have visited our site before or who have had contact with our products or services. Then, the advertising message is displayed on other websites visited by the user. Thanks to data contained in cookies, we can create statistics, e.g. about the number of people using our website. Automated processing of personal data for statistical purposes takes place when using analytical tools such as Google Analytics or Google Ads.
VII. 3. Server logs
Like most other websites, we collect information contained in log files. The information in the log files includes your IP number, your computer network name, your Internet service provider, the browser you are using, the time you spend on the website and which pages you access while using our website. The information contained in the server logs is not disclosed to anyone except those duly authorised to manage our server. The data stored in the server logs help us to manage our website, e.g. statistics can be generated based on the data from the logs (e.g. providing information from which regions we record the most visits to our website). These summaries do not, however, contain information that identifies individuals using our website.
VII. 4. Marketing tools
1) Google Tag Manager. On our website, we use Google Tag Manager (GTM), a tool that helps us manage website tags via the user interface and software code integration on our website. With the GTM functionality, we can measure the traffic and behaviour of users visiting our website, determine the impact of online advertising and our social media channels on that behaviour or make remarketing and targeting settings or test and optimise our website. In connection with the use of GTM, Google collects aggregated data without being able to identify a specific user. Tracking services such as Google Analytics and Google Ads are integrated with GTM.
2) Google Analytics. On our website, we use the analytics tool Google Analytics. This tool uses its own cookies and using a special code analyses statistics and verifies website traffic. All this is aimed at improving and developing our website. Google Analytics collects, inter alia, anonymous information about visits to our website and about the time spent on the website by users. We may also use the following advertising features as part of the Google Analytics service: • remarketing using Google Analytics; • view reports in Google ads network; • demographics and interests reports in Google Analytics; • integrated services that require Google Analytics to collect data for advertising purposes, including using identifiers and ad cookies. Using your browser settings, ad settings, mobile application ad settings and any other available means (e.g. the NAI's consumer opt-out), you can opt out of the advertising features we use. Information about data collection and processing by Google Analytics is available at https://policies.google.com/technologies/partner-sites?hl=en.
4) Facebook Pixel. On our website, we use the marketing tool Facebook Pixel which is provided by Facebook. The Facebook Pixel is an analytical tool which, by means of a code snippet placed on our website, helps us to measure the effectiveness of advertisements based on an analysis of your activity on our website for statistical and market research purposes. The Facebook Pixel also provides us with comprehensive statistics about the use of our website. This enables us to show you advertisements of our products that are more relevant to your current interests. The specific terms and conditions for the processing of personal data and other privacy policies of Facebook are available at https://www.facebook.com/legal/FB_Work_Privacy. More information about the Facebook Pixel features is available at https://www.facebook.com/business/help/742478679120153.
5) Other. As part of our marketing activities, we may also use the services of other third parties that use their own cookies.
VIII. Social media
On our website, we may provide you with the geolocation option, i.e. the determination of your geographic location when you use our website. Geolocation service is provided only with your prior consent, based on your browser settings and the IP address of your device. Geolocation is only used by us for advertising purposes and to facilitate the order placing process in terms of choosing the delivery option at a given collection site. Location data are collected when required to use the associated function. You can completely disable geolocation services in the settings of your device, but this may prevent or hinder the full use of our website.
X. Web push notifications
We use web push notifications, i.e. short messages that are displayed on the screen of your device, to provide you with information and updates about the content of our website. With web push notifications, you can stay up to date with the content that is made available on our website. Web push notifications require your consent. When you visit our website, you will see a message informing you that you may receive such notifications. If you agree (by clicking the "I agree" or similar button), these notifications will be displayed on your device. You can disable the option to receive web push notifications. To do so, you have to change the settings in your web browser.
XI. Final provisions