Privacy Policy

PRIVACY POLICY

WWW.NATURALBABYCARE.EU


§ 1 GENERAL INFORMATION
1. The Online Store's privacy policy does not constitute a source of obligations for Visitors (including Guests) or Customers of the Online Store. It is for informational purposes only and does not constitute a contract or regulations.

2. All expressions and words written in capital letters (e.g. Online Store, Customer, etc.) should be understood in accordance with the provisions of the Online Store Regulations.

3. In the event of any discrepancies between this Privacy Policy and the consents to the processing of personal data granted by a natural person, the legal basis for determining the scope of the Controller's activities shall be the voluntarily expressed consents or legal provisions that are applicable to a given factual situation.


§ 2 PERSONAL DATA CONTROLLER
1. The controller of your personal data is: Natural Baby Care, ul. Mostowa 19d/3, 61/854 Poznań, NIP: 786-159-40-74, REGON: 382172950, BDO number: 000559804 (hereinafter referred to as the Controller).

2. In all matters related to the protection of personal data, please contact us at the above address or via e-mail: office@naturalbabycare.eu.

3. You can also send a request to the address provided for information about what personal data we have about you and for what purposes we process it.

4. The Administrator informs that correspondence is stored for statistical purposes and to improve the GDPR assistance system, as well as to resolve complaints and any administrative interventions made based on reports in the indicated Customer Account. Addresses and data collected in this manner will not be used for communication purposes other than fulfilling the request. In particular, they will not be used for marketing purposes or transferred to third parties.

5. In the event of contacting the Controller to perform specific actions (e.g., filing a complaint, making a return), the Controller may again request data from the individual, including personal data, such as name, surname, address, and email address, in order to confirm their identity and enable return contact regarding the matter and perform the requested action. Providing this data is not mandatory, but may be necessary to perform the action or obtain information of interest to the individual.

6. If you have given additional consent to our use of cookies, our trusted partners may also be the controllers of the data obtained based on your online activity.

§ 3 DATA COLLECTION AND PURPOSE OF PROCESSING
1. We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR) and other data protection laws currently in force at the time of processing specific data.

2. Pursuant to the aforementioned legal acts, personal data is considered information about an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

3. We ensure that the data we collect from you is confidential, secure, and processed only when necessary. We process data lawfully, fairly, and transparently for the data subject. We process only the data, and only the content, necessary for the legitimate purpose, i.e., the reason for processing. Personal data is collected with due diligence and adequately protected against unauthorized access. We employ appropriate security measures and state-of-the-art technology to protect personal data against accidental loss and unauthorized access, use, alteration, or disclosure. We store personal data in a manner that permits the identification of the data subject for no longer than is necessary for the purposes for which the data is processed.

4. The Administrator obtains information about personal data in the following manner:
a) by making a purchase in the Store (online store) by the Customer;
b) by registering a Customer Account;
c) by voluntary subscription to the newsletter service;
d) through information entered voluntarily in an e-mail message or in the contact form;
e) by sending a complaint, request, inquiry or letter of another nature;
f) through information entered voluntarily in an e-mail sent in connection with the desire to establish cooperation;
g) by posting a review of the product;
h) via cookies, pixels or similar internet technologies.

5. We hereby inform you that the purpose and scope of data processed by the Controller results from the consent of the Website Visitor or the Customer or legal provisions and, in selected cases, is further specified as a result of actions taken by these persons in the Online Store or through other communication channels.

6. Providing personal data by a Visitor or Customer of the Online Store is voluntary, but necessary in order to use certain functionalities of the Online Store (e.g. placing an Order by the Customer and settling it, registering a Customer Account or using contact forms).

7. Each time, the scope of data required to conclude a specific contract is indicated in advance in the Online Store (we indicate the data required to conclude a contract/use a specific functionality), through other communication channels with the Visitor or Customer, or in the Terms and Conditions. Failure to provide personal data may result in the inability to effectively use the Website's functionality, for example, the inability to place an order.

8. Your personal data is collected by the Administrator for the following purposes:

| Purpose of processing | Legal basis | Legitimate purpose, if any |
| --- | --- | --- |
| Maintaining statistics. | Article 6(1)(f) of the GDPR. | Having statistical information about our activities, which allows us to improve our business operations. |
| Marketing of own products and services without the use of electronic means of communication. | Article 6(1)(f) of the GDPR. | Marketing activities promoting the conducted business. |
| Marketing of own products and services using electronic means of communication, including profiling. | Article 6(1)(f) of the GDPR, whereby these activities, being subject to other applicable regulations, in particular the Telecommunications Law and the Act on the Provision of Services by Electronic Means, are conducted solely on the basis of consent (Article 6(1)(a) of the GDPR). | Conducting marketing activities promoting the conducted business using email addresses. Presenting advertisements, customizing discounts and promotions. |
| Posting an opinion in the Online Store. | Article 6(1)(a) of the GDPR. | Product satisfaction survey. |
| Handling requests submitted via the contact form, emails, complaints, and other requests. | Article 6(1)(a) of the GDPR; Article 6(1)(c) of the GDPR. | Responding to requests and inquiries submitted via the contact form or otherwise, including storing sensitive requests and responses to ensure accountability. Handling requests and responding to consumer complaints. Pursuing claims, including from third parties, and defending against them. |
| Customer Account Management. | Article 6(1)(a) of the GDPR. | Conclusion and performance of a Service Provision Agreement (Account) or taking action at the request of a prospective Customer prior to its conclusion. |
| Conclusion and performance of a Sales Agreement, Subscription Agreement, and Service Provision Agreement. | Article 6(1)(b) of the GDPR. | Conclusion and performance of a contract or taking action at the request of a prospective Customer prior to its conclusion. |
| Archiving sales documents. | Article 6(1)(c) of the GDPR. | Fulfillment of legal obligations arising from regulations, e.g., tax and accounting regulations, especially in the case of paid contracts. |

9. In the case of an adult Customer or an adult Website Visitor, with their additional consent, Personal Data may also be processed for the purpose of presenting, creating, granting and implementing dedicated advertisements, offers or promotions (discounts) for a given Customer regarding the products or services of the Controller and its partners, tailored to their preferences to the greatest possible extent (profiling), as a result of automated decision-making, which may produce legal effects for them or significantly affect them in a similar way, e.g. by offering a short-term discount exclusively to such a person on a specific product they recently viewed in our Online Store (this option is not available to persons who are not of legal age or who are of legal age but have not given their consent to such action).

10. Newsletter. If you wish to subscribe to our newsletter, you must provide us with your email address or phone number and name via the newsletter subscription form. Providing your data is voluntary, but necessary to use the newsletter service. You can also subscribe to the newsletter when creating a Customer Account.
The data you provide to us when signing up for the newsletter is used to send you a newsletter informing you about company activities, current collections, promotions, and discounts. The legal basis for processing in this situation is your voluntary consent expressed when signing up for the newsletter.
In this case, your data is processed for the purpose of periodically sending the newsletter, and the basis for processing is Article 6 paragraph 1 letter a of the GDPR, i.e. your consent resulting from the wish to receive the service.
Your data will be processed for the duration of the newsletter, unless you unsubscribe earlier, in which case your data will be permanently deleted from the database. Furthermore, you can correct your data stored in the newsletter database at any time, or request its deletion by unsubscribing from the newsletter. You also have the right to data portability, as defined in Article 20 of the GDPR.
The newsletter database is appropriately secured by the Administrator. The newsletter database is managed by a third party. Emails sent contain links to hidden images (so-called tracking pixels). In addition to its primary function of counting email opens, a tracking pixel can also be used to identify the customer and conduct marketing activities.

11. Email Contact. When you contact us via email, you provide us with your email address as the sender's address. You may also include other personal data in your message. Providing this data is voluntary, but necessary to contact us.
In this case, your data is processed for the purpose of contacting you, and the basis for processing is Article 6(1)(a) of the GDPR, i.e., your consent resulting from your wish to contact us. The legal basis for processing after contact is the legitimate purpose of archiving correspondence for internal purposes (Article 6(1)(c) of the GDPR).
The content of your correspondence may be archived, and we cannot clearly determine when it will be deleted, but this will be no longer than 5 years. You have the right to request a history of your correspondence with us (if it was archived), as well as to request its deletion, unless its archiving is justified by our overriding interests.

12. Opinions. To add your opinion about a product or our post, you must complete the form.
In this case, your data is processed to enable the posting of Opinions, and the basis for processing is Article 6(1)(a) of the GDPR, i.e. your consent resulting from your wish to post your entry on our website.
The data will be processed for the duration of the opinion's existence on the website, unless you request deletion of the opinion beforehand, which will result in the deletion of your data related to the opinion from the database.

You can correct your data in your review at any time, or request its deletion. You also have the right to data portability, as set out in Article 20 of the GDPR.

13. Customer Account. By creating a Customer Account on our Website, you provide us with your email address, first name, and last name. This is voluntary, but necessary for the successful registration of your Customer Account. You can then also provide your address details in the Customer Panel.
In this case, your data is processed for the purpose of maintaining a Customer Account, and the basis for processing is Article 6(1)(a) of the GDPR, i.e. your consent resulting from your willingness to set it up.
The data will be processed for the duration of your Customer Account, unless you request its deletion earlier, which will result in your data being deleted from the database.
You can correct your data assigned to your Customer Account at any time, or request its deletion. You also have the right to data portability, as defined in Article 20 of the GDPR.
When creating a Customer Account, you may – but are not required to – consent to subscribing to the newsletter service.

§ 4 CATEGORIES OF PERSONAL DATA

1. The personal data controller may process the following categories of personal data:
a) personal data provided in the form when registering a Customer Account, placing Orders in the Online Store, in particular: e-mail address, first name and last name, telephone number;
b) personal data completed by the user when using the Customer Account, in particular: first name and last name; e-mail address; residential address [street, house number, apartment number, postal code, town, voivodeship, country], and in the case of Customers who are not consumers, additionally the company name and tax identification number [NIP];
c) personal data required to place an order, in particular: name and surname; e-mail address; contact telephone number; residential address [street, house number, apartment number, postal code, town, voivodeship, country], and in the case of Customers who are not consumers, additionally the company name and tax identification number [NIP];
d) personal data provided for the purpose of using the newsletter, provided when using the contact form, posting opinions and sent via e-mail; or provided when submitting complaints, claims or requests, in particular: first name and last name; e-mail address; contact telephone number; address [street, house number, apartment number, postal code, town, voivodeship, country], bank account number;
e) personal data provided for the purpose of participating in competitions/promotional campaigns: name and surname; e-mail address; contact telephone number; residential address [street, house number, apartment number, postal code, city, country];
f) other data, in particular obtained based on the Customer's activity on the Internet, including data obtained via the Online Store or other channels of communication with the Customer, using cookies and similar technologies.


§ 5 RECIPIENTS OF PERSONAL DATA
1. Your personal data may be processed by our partners and subcontractors, i.e., entities whose services we use to process data and provide services to you. To our knowledge, all entities entrusted with the processing of personal data guarantee the use of appropriate personal data protection and security measures required by law.

2. The Administrator may transfer your personal data to:
a) state authorities or other entities authorized under the law, in order to perform our obligations;
b) the Controller's partners who participate in the processing of personal data to a limited extent, in particular those who technically help to efficiently run the Online Store (e.g. support us in sending e-mails and, in the case of advertising activities, also in marketing campaigns), providers of hosting or ICT services, carriers or intermediaries carrying out the shipment of Orders, entities handling electronic payments or card payments in the Online Store, companies that service software, support the Controller in marketing campaigns, as well as providers of legal and advisory services and external accounting;
c) in addition, we may share fully anonymised data (that cannot identify you) with entities with which we cooperate.

3. As part of its marketing (advertising) activities, the Administrator uses the services of third parties that use cookies, pixels, or marketing functions similar to cookies in the Online Store. A detailed list of these entities is provided in § 8 of this Policy.


§ 6 ARCHIVING PERSONAL DATA
1. The Controller will retain your personal data only for as long as necessary for the purposes set out in this Privacy Policy and/or to meet legal and regulatory requirements. After this period, the Controller will securely delete your personal data.

2. We store data for the periods indicated below:

| Data category | Storage period |
| --- | --- |
| Data related to the sales process. | 8 years |
| Data for marketing purposes. | In the case of data processing based on consent – until such consent is withdrawn. In the case of data processing based on a legitimate purpose – until an objection is raised. |
| Data transferred via contact form or email. | For a period of 3 years, in order to maintain accountability. |
| Data contained in opinions. | In the case of data processing based on consent – until its withdrawal. In the case of data processing based on a legitimate interest – until an objection is filed. |
| Personal data associated with cookies and similar functions. | Until these files are deleted via website/browser/device settings (however, deleting files does not always mean deleting the Personal Data obtained through these files – in such case, the personal data will be deleted until an objection is filed). |
| Data transferred during the complaint procedure and other procedures related to customer claims. | 6 years. |
| Other data categories (except for data from cookies, which are discussed in more detail in our Cookie Policy). | 5 years. |

3. In each case, personal data will also be stored when legal provisions (e.g., accounting or tax regulations) oblige the Controller to process them; we will store personal data for a longer period in the event that the Customer has any claims against the Controller, for the Controller to pursue claims, or for the purpose of pursuing or defending against third-party claims, for the limitation period specified by law, in particular the Civil Code.

4. Depending on the scope of personal data and the purposes for which it is processed, it may be stored for varying periods. In each case, the longer period will apply.


§ 7 RIGHTS, ACCESS AND UPDATING PERSONAL DATA, COMPLAINTS
Pursuant to Article 15 of the GDPR, you have the right to obtain information from the Personal Data Controller as to whether your personal data is being processed.

If the Administrator processes your personal data, you have the right to:
a) access your personal data;
b) obtain information on the purposes of processing, the categories of personal data processed, the recipients or categories of recipients of these data, the planned period of storage of your data or the criteria for determining this period, your rights under the GDPR and the right to lodge a complaint with a supervisory authority, the source of these data, automated decision-making, including profiling, and the safeguards applied in connection with the transfer of these data outside the European Union;
c) obtain a copy of your personal data.

Furthermore, you may request the correction of your personal data (Article 16 GDPR), the deletion of your personal data (Article 17 GDPR), object to the processing of your personal data (Article 21 GDPR) and, where technically feasible, request the transfer of your personal data to another organisation (Article 20 GDPR).

In connection with the right to be forgotten, the Controller will update or delete your data, unless it has a legal obligation to retain it for business purposes or to comply with the law. In certain cases, you have the right to request the restriction of the processing of your personal data (Article 18 of the GDPR). You can also contact the Controller if you have any concerns about the way your personal data is collected, stored, or used.

The Administrator endeavors to promptly process all requests regarding the above-mentioned operations on your personal data, but no later than 30 days from receipt of the request. Where the complex nature of a request requires it, the Administrator has the right to process the request beyond 30 days, of which the User will be informed in advance.

The Administrator strives to resolve complaints definitively, but if you remain dissatisfied with the response, you may submit a complaint to your local data protection supervisory authority. In Poland, the supervisory authority under the GDPR is the President of the Personal Data Protection Office.


§ 8 AUTOMATED PROCESSING OF PERSONAL DATA, COOKIE POLICY
1. Our Website, like almost all other websites, uses cookies. This cookie policy applies to both Online Store Customers and Online Store Visitors, i.e., users who browse the Store but do not make purchases.
2. The Cookie Policy is a document that forms an integral part of this Privacy Policy. The Cookie Policy can be found here.
3. Some of your personal data, collected for example via cookies, is transferred to our partners based outside the European Economic Area (EEA). Most of our partners are based in a country covered by a European Commission decision establishing an adequate level of protection within the meaning of Article 45(1) and (2) of the GDPR, but we also work with entities based outside the EEA and not covered by the aforementioned decision.
4. The list of entities referred to in the above point, together with their registered offices, can be found in the Cookie Policy.
5. The above may result in your data being processed outside the EEA. However, we ensure that this data is also subject to an appropriate level of protection by vetting our partners and concluding standard contractual clauses with them within the meaning of Article 46(1) and Article 46(2)(c) of the GDPR.


§ 9 CHANGES TO THE PRIVACY POLICY
1. The Privacy Policy 1.0 is effective from September 23, 2023.
2. The Administrator declares that he has the right to make changes to this document for important reasons, including:
a) changes in applicable regulations, in particular in the field of GDPR, telecommunications law, services provided electronically and regulating consumer rights, affecting the rights and obligations of the Controller or the rights and obligations of the data subject;
b) development of electronic functionalities or services caused by the progress of Internet technology, including the implementation of new IT, technological or technical solutions on the Website, affecting the scope of this Privacy Policy.

3. The Administrator undertakes to inform Users about any changes in sufficient time to allow them to become familiar with the content of the amended document, e.g. by posting the consolidated text of the Privacy Policy on the main page of the Website.

4. If the Administrator makes any significant changes to the Privacy Policy, it will notify Users who use the newsletter feature via email. A User who has any objections to the changes to the Policy has the right to discontinue using the newsletter by submitting a request to unsubscribe from the newsletter or by requesting the deletion of their personal data.