Privacy Policy

PRIVACY POLICY

OF CEBABABY.EU ONLINE STORE

TABLE OF CONTENTS:

1. GENERAL PROVISIONS
2. GROUNDS FOR DATA PROCESSING
3. THE PURPOSE, BASIS, PERIOD AND SCOPE OF DATA PROCESSING IN ONLINE STORE
4. DATA RECIPIENTS IN ONLINE STORE
5. PROFILING DATA IN ONLINE STORE
6. RIGHTS OF DATA SUBJECTS
7. COOKIES IN THE ONLINE STORE, OPERATIONAL DATA AND ANALYTICS
8. FINAL PROVISIONS

1. GENERAL PROVISIONS

1.1.            This Online Store's privacy policy is for information purposes only, which means that it does not constitute a source of obligations for the Service Users or Customers of the Online Store. The Privacy Policy contains all the principles of processing personal data by the Data Controller in the Online Store, including the basis, purposes and scope of personal data processing and the rights of data subjects, as well as information on the use of cookies and analytical tools in the Online Store.

1.2.            Data Controller of the data collected by means of the Online Store is “CEBA” SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ [Limited liability company] with its registered office in Oleśnica (seat and service address: ul. Fabryczna 1, 56-400 Oleśnica); entered into the Register of Entrepreneurs of the National Court Register under KRS number 0000126791; the registry court where the documentation of the company is kept: District Court for Wrocław Fabryczna in Wrocław, IX Commercial Division of the National Court Register; share capital in the amount of: PLN 151,000.40; NIP [Polish Tax ID No.]: 7510001663; REGON [National Business Identification no.]: 004527649, e-mail address: kontakt@ceba.com.pl – hereinafter referred to as “Data Controller” and being at the same time the Service Provider of the Internet Shop and the Seller.

1.3.            Personal data in the Online Store is processed by the Data Controller in accordance with applicable law, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR” or “GDPR Regulation”. The official text of the GDPR is available at: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679

1.4.            The use of the Online Store, including shopping, is voluntary. Similarly, the provision of personal data by the Customer or the Service User is voluntary, subject to two exceptions:  (1) conclusion of agreements with the Data Controller – failure to provide personal data necessary to conclude and perform a Sales Contract or an agreement for the provision of an Electronic Service with the Personal Data Controller in the cases and to the extent indicated on the website of the Online Store and in the Terms and Conditions of the Online Store and in this privacy policy shall result in the impossibility to conclude such an agreement. In such a case, providing personal data is a contractual requirement and if the data subject wishes to conclude a given agreement with the Data Controller, he or she is obliged to provide the required data. The scope of information necessary to conclude an agreement is provided each time on the Online Store's website and in the Terms and Conditions of the Online Store. (2) statutory obligations of the Data Controller – providing personal data is a statutory requirement resulting from generally binding provisions of law imposing on the Data Controller an obligation to process personal data (e.g. processing data for the purpose of keeping tax or account books) and failure to provide such data shall prevent the Data Controller from performing such obligations.

1.5.            Data Controller protects data subjects’ interests with due diligence, and he shall be, in particular, responsible for and shall ensure that the data collected by him/her are: (1) processed lawfully; (2) collected for specified, legitimate purposes and are not further processed for purposes other than those for which the personal data were initially collected;  (3) correct in substance and adequate for the processing purposes; (4) stored in a form allowing identification of the data subjects no longer than necessary to achieve the purpose of the processing and (5) processed in a manner ensuring adequate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures.

1.6.            Taking into account the nature, scope, context and purposes of processing as well as the risks of violating fundamental rights and freedoms of natural persons, Data Controller shall implement appropriate technical and organisational measures to ensure and prove that processing is performed in accordance with this regulation. Those measures shall be reviewed and updated where necessary. Data Controller shall use technical measures preventing unauthorised persons from obtaining and modification of personal data collected by electronic means.

1.7.            All words, expressions and acronyms used in this privacy policy which start with a capital letter (e.g. Seller, Online Store, Electronic Service) shall be understood in accordance with their definition presented in the Terms & Conditions of the Online Store which were made available on Online Store’s website.

2. GROUNDS FOR DATA PROCESSING

2.1.            Data Controller shall be entitled to process personal data in cases where – and to the extent to which – at least one of the following conditions is met: (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or for taking action at the request of the data subject prior to the conclusion of the contract; (3) processing is necessary to comply with a legal obligation to which the Data Controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

2.2.            Processing of personal data by Data Controller requires each time at least one of the grounds indicated in point 2.1 of the Privacy Policy. The specific grounds for processing personal data of the Service Users and Customers of the Online store by the Data Controller are indicated in the subsequent point of the privacy policy – in relation to the specific purpose of personal data processing by the Data Controller.

3. THE PURPOSE, BASIS, PERIOD AND SCOPE OF DATA PROCESSING IN ONLINE STORE

3.1.            Each time the purpose, basis, period and scope of personal data processed by the Data Controller results from the actions taken by a given Service User or Customer in the Online Store. For example, if the Customer decides to place an order in the Online Store and chooses to collect the purchased Product on his or her own instead of delivering it by courier, his or her personal data will be processed in order to perform the concluded Sales Contract, but will not be made available to the carrier carrying out the shipment on behalf of the Data Controller.  

3.2.            Data Controller may process personal data in the Online Store for the following purposes, on the following basis, in the following periods and in the following scope:

4. DATA RECIPIENTS IN ONLINE STORE

4.1.            It is necessary for Data Controller to use the services of external entities (such as software providers, couriers or payment service providers) for the proper functioning of the Online Store, including the performance of concluded Sales Contracts. Data Controller uses the services of processors, which provide sufficient guarantees of implementation of appropriate technical and organizational measures so that the processing meets the requirements of GDPR Regulation and protects the rights of data subjects.

4.2.            Transfer of data by the Data Controller does not take place in every case and not to all recipients or categories of recipients indicated in the privacy policy – the Data Controller transfers data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary for its achievement. For example, if the Customer would like to use the personal collection option, his or her data will not be passed on to a carrier cooperating with the Data Controller.

4.3.            Personal data of Service Users and Customers of the Online Store may be transferred to the following recipients or categories of recipients:

• carriers / forwarding agents / courier brokers – in case the Customer of the Online Store would like the Product to be sent by mail or courier, the Data Controller shall make the collected personal data of the Customer available to a selected carrier, forwarding agent or intermediary who delivers shipments on behalf of the Data Controller to the extent necessary to carry out the delivery of the Product to the Customer.
• Electronic payment or payment card service providers – in case the Customer of the Online Store would like to use electronic payments or pay by card the Data Controller shall make the collected personal data of the Customer available to a selected payment service provider, who provides those payment services in the Online Store at the commission of the Data Controller to the extent necessary provide payment services to the Customer.
• service providers who supply the Data Controller with technical, IT and organisational solutions, which allow the Data Controller to conduct business activities including but not limited to the Online Store and Electronic Services provided by means of this Online Store (in particular, the computer software supplier for running the Online Store, the e-mail and hosting provider and the software supplier for managing the company and providing technical support to the Data Controller – the Data Controller shall make the collected personal data of the Customer available to a selected supplier acting on his order only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this privacy policy.
• accounting, legal and advisory services providers providing the Data Controller with accounting, legal or advisory support (in particular an accounting office, a law firm or a debt collection company) – the Data Controller shall make the collected personal data of the Customer available to a selected supplier acting on his order only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this privacy policy.

5. PROFILING DATA IN ONLINE STORE

5.1.            The GDPR Regulation imposes on the Data Controller the obligation to inform about automated decision-making, including profiling referred to in Article 22(1) and (4) of the GDPR Regulation, and – at least in these cases – the essential information about the principles of making such decisions, as well as about the significance and expected consequences of such processing for the data subject.  With this in mind, the Data Controller provides information about possible profiling in this section of the privacy policy.

5.2.            Data Controller may use profiling in the Online Store for the purposes of direct marketing, but the decisions made on its basis by the Data Controller do not concern the conclusion or refusal to conclude a Sales Contract or the possibility of using Electronic Services in the Online Store. The effect of using profiling in the Online Store can be e.g. granting a discount to a given person, sending them a discount code, reminding them about unfinished purchases, sending them a proposal for a Product that may correspond to their interests or preferences, or offering better offer as compared to the standard offer of the Online Store. Despite profiling, the decision whether the person would like to use the discount, make a purchase in the Online Store or get a better deal shall be made by this person.

5.3.            Profiling in the Online Store consists in an automatic analysis or forecast of a given person's behaviour on the website of the Online Store, e.g. by adding a specific Product to a basket, browsing the website of a specific Product in the Online Store or by analysing the previous history of previous purchases made in the Online Store. Profiling is possible only if the Data Controller has the personal data of a given person in order to be able to send him/her, e.g. a discount code.

5.4.            Data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning this data subject or affects this person significantly in a similar way.

6. RIGHTS OF THE DATA SUBJECT

6.1.            Right to access to and rectification, limitation or erasure of personal data, the right to data portability – the data subject has the right to request from the Data Controller an access to his or her personal data, rectify, erase (“right to be forgotten”) or restrict the processing thereof and has the right to object to the processing and the right to data portability. The aforementioned rights can be exercised in the way specified in Articles 15-21 of the GDPR Regulation.

6.2.            Right to withdraw consent at any time – a person whose data is processed by the Data Controller on the basis of his or her consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR Regulation) has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

6.3.            Right to lodge a complaint with a supervisory authority – data subject whose data is processed by Data Controller has the right to lodge a complaint with a supervisory authority in the manner and under the procedure specified in the provisions of the GDPR Regulation and the Polish law provisions, including but not limited to the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office for Personal Data Protection.

6.4.            Right to object – The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on letter (e) (public interest or task) or (f) (legitimate interests of a controller) of Article 6(1), including profiling based on those provisions. Data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

6.5.            Right to object to direct marketing – if personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

6.6.            In order to exercise the rights referred to in this section of the privacy policy, one cant contact the Data Controller by sending an appropriate message in writing or by e-mail to the Data Controller's address indicated in the introduction of the privacy policy or by using the contact form available on the website of the Online Store.

7. COOKIES IN THE ONLINE STOE, OPERATIONAL DATA AND ANALYTICS

7.1.            Cookies are small text information in the form of text files, sent by a server and stored on the website of a person visiting the Online Store (e.g. on the hard drive of a computer, laptop or smartphone memory card – depending the device used for visiting the Online Store). Detailed information about cookies and the history of their creation can be found here: http://pl.wikipedia.org/wiki/Ciasteczko.

7.2.            Data Controller may process the data contained in cookies files when visitors use the website of the Online Store for the following purposes:

• to identify Service Users as logged in to the Online Store and indicate that they are logged in;
• to save the Products which were added to the cart in order to place an Order;
• to memorise data from the filled-in Order Forms, questionnaires or data needed to log in to the Online Store;
• to adjust the content of the Online Store's website to the individual preferences of the Service User (e.g. concerning colours, font size, page layout) and optimise the use of the Online Store's websites;
• to keep anonymous statistics presenting the use of the website of the Online Store;
• for remarketing, i.e. investigating the behavioural characteristics of persons visiting the Online Store through an anonymous analysis of their activities (e.g. repeatable visits to specific websites, keywords, etc.) in order to create their profile and provide them with advertisements tailored to their anticipated interests, when they also visit other websites within the advertising network of Google Ireland Ltd. and Facebook Ireland Ltd;

7.3.            Most browsers are set by default to accept all Cookies. Everyone has the possibility to set the conditions of use of cookies by means of his or her own browser settings. This means that you can, for example, partially limit (e.g. temporarily) or completely disable the possibility of storing cookies – in the latter case, however, this may affect some of the functionality of the Online Store (for example, it may be impossible to follow the Order path through the Order Form due to the fact that the Products will not be stored in the shopping cart during the subsequent steps of placing an Order).

7.4.            Your browser's cookie settings are important in terms of your consent to the use of cookies by our Online Store – this consent can also be given in accordance with the regulations of your Internet browser. If you have not provided your consent, you should change your browser's cookie settings accordingly.

7.5.            Detailed information on how to change and delete cookies in the most popular web browsers is available in the help section of your web browser and on the following pages (click to follow the link):

• in Chrome browser
• in Firefox browser
• in Internet Explorer browser
• in Opera browser
• in Safari browser
• in Microsoft Edge browser

7.6.            Administrator may use Google Analytics, Universal Analytics provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) and Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). These services help the Data Controller analyse the traffic in the Online Store. The collected data is processed by means of the above services in an anonymized manner (these are the so-called operational data, which make it impossible to identify a person) to generate statistics which prove to be helpful in the administration of the Online Store. This data is aggregated and anonymous, i.e. it does not contain any identifying features (personal data) of persons visiting the website of the Online Store. Data Controller using the above services in the Online Store collects data such as the source and medium of obtaining Online Store visitors and the way they behave on the website of the Online Store, information about the devices and browsers from which they visit the site, IP and domain, geographical data and demographic data (age, gender), as well as their interests.

7.7.            One can easily disable the option of making the information about one’s own activity in the Online Store available to Google Analytics by installing the Google Ireland Ltd. browser add-on available here: https://tools.google.com/dlpage/gaoptout?hl=en.

7.8.            Data Controller may use the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) in the Online Store. This service allows Data Controller to measure the effectiveness of advertisements and find out what activities are performed by the visitors to the online store, as well as display the advertisements tailored to these people. Detailed information about how Pixel Facebook works can be found at the following web address: https://www.facebook.com/business/help/742478679120153?helpref=page_content.

7.9.            One can manage the operation of Facebook Pixel by means of advertisement settings available on his or her Facebook account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.

8. FINAL PROVISIONS

8.1.            Online Store may contain links to other websites. Data Controller recommends that after switching to other websites, the user should read the privacy policies set out there. This privacy policy applies only to the Data Controller's Online Store.