PRIVACY POLICY
- Definitions
1.1. Controller – Be Bio Active Cosmetiqs Mind Network Inspire Sp. z o.o. Sp.k. with its seat in Warsaw (zip code: 02-933), ul. Okrężna 83A.
1.2. Personal data – all information relating to an identified or identifiable natural person who can be identified by reference to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity including an Internet Protocol address, location data, online ID as well as information collected by means of Internet cookies or any other technology that is similar in nature.
1.3. Policy – this Privacy Policy.
1.4. GDPR – Regulation (EU) No 45/2001 of the European Parliament and of the Council (EU) 2016/679 of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation).
1.5. Service – the online service run by the Controller at the following address: www.bebiocosmetiqs.pl.
1.6. User – each natural person visiting the Service website or using one or more services or functionalities as defined in this Policy.
- The processing of personal data in connection with the use of Service
2.1. With respect to the use of the Service by the User, the Controller collects data only to the extent necessary to provide respective services as well as information on the User’s activity on the Service website. The detailed rules and purpose of processing all personal data of a given User collected while they are using the Service are defined below.
- Purpose and legal grounds for the processing of personal data by the Service
USING THE SERVICE
3.1. The personal data of all individuals using the Service, including those who are not registered Users (i.e. they do not have an account in the Service) – including an Internet Protocol address or any other identifiers and information collected by means of Internet cookies or any other technology similar in nature – are processed by the Controller:
3.1.1. In order to provide services by electronic means with respect to making content gathered in the Service available to Users, including the following instances:
- to the extent necessary to establish, shape the content, amend, withdraw and properly provide services by electronic means as well as to realize orders placed by the User;
- to realize orders for products offered by the Service placed by the User;
- to process claims filed by the User and to reimburse them in case of a withdrawal (return of goods);
– in such a case the legal basis for the processing of personal data is the necessity of the processing of personal data in order to perform the agreement (Article 6 (1) (b) of GDPR);
3.1.2. for analytical and statistical purposes – in such a case the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR) related to carrying out analyses of Users’ activities as well as their preferences in order to enhance the applied functionalities and provided services;
3.1.3. for the purpose of establishing, seeking redress or defending against legal claims – in such a case the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR) with respect to protection of their rights;
3.1.4. for the marketing purposes of the Controller and their trusted partners, by means of circulating the newsletter – in such a case the consent expressed by the User serves as the legal basis for the processing of personal data (Article 6 (1) (a) of GDPR).
3.1.5. for the marketing purposes of the Controller, including the presentation of offers and products in the Service related to providing services by electronic means – in such a case the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR).
The rules of the processing of personal data for the marketing purposes are presented in detail in the “MARKETING” section.
3.2. The User’s activity on the Service website, including their personal data, is registered in system logs (special software to store chronological order containing information on incidents and activities with regard to the IT system used for the purpose of providing services by the Controller). All data stored in logs are processed mainly for the purpose of services provision. The Controller processes them also for technical and administrative purposes, in order to protect and manage the IT system, as well as for statistical and analytical purposes – to this extent the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR).
REGISTRATION IN THE SERVICE
3.3. Individuals registering in the Service are requested to provide data necessary to create and manage their account. In order to facilitate management of the account, the User may provide additional data and by doing so they express their consent to the processing of their personal data. These data may be deleted at any time. Providing data marked as obligatory is required for the purpose of creating and managing the account, and in the event of not providing them, the account cannot be created. Provision of the remaining data is voluntary.
3.4. The personal data are processed:
3.4.1. to provide services related to managing and maintaining the account in the Service – in such a case the legal basis for the processing of personal data is the necessity of the processing of personal data in order to perform the Agreement (Article 6 (1) (b) of GDPR), and in the case of the data provided voluntarily – the consent expressed by the User serves as the basis for the processing of personal data (Article 6 (1) (a) GDPR);
3.4.2. for analytical and statistical purposes – the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR) to the extent of analyzing Users’ activity within the Service and the way they use their accounts as well as their preferences in order to enhance the applied functionalities;
3.4.3. for the purpose of establishing, seeking redress or defending against potential legal claims – in such a case the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR) with respect to protection of their rights.
3.4.4. for the marketing purposes of the Controller and any third party – the rules of the processing of personal data for the marketing purposes are presented in the “MARKETING” section.
3.5. If the User shares in the Service any personal data of other individuals (including their name and surname, address, telephone number or e-mail address), they may do it provided that it does not violate the provisions of legal regulations in force or does not constitute infringement of those individual’s rights.
ORDER PLACEMENT (USING PAID SERVICES OFFERED ON THE WEBSITE)
3.6. Placing an order (to purchase goods or services) by the User is related to the processing of their personal data. Providing data marked as obligatory is required for the purpose of accepting and processing the order as in the case they are not provided, the order is not realized. Provision of the other data is optional.
3.7. The personal data are processed:
3.7.1. in order to execute the placed order – in such a case the legal basis for the processing of personal data is the necessity of the data processing in order to perform the agreement (Article 6 (1) (b) of GDPR); and in the case of data provided optionally – the consent expressed by the User serves as the grounds for the processing of personal data (Article 6 (1) (a) GDPR);
3.7.2. in order to comply with the legal obligation to which the Controller is subject resulting particularly from the tax laws and accounting regulations – in such a case the legal basis for the processing of personal data is the legal obligation (Article 6 (1) (c) GDPR);
3.7.3. for analytical and statistical purposes – in such a case the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR) related to carrying out analyses of Users’ activities as well as their purchasing preferences in order to enhance the applied functionalities;
3.7.4. for the purpose of establishing, seeking redress or defending against potential legal claims – in such a case the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR) with respect to protection of their rights.
CONTACT FORMS
3.8. The Controller ensures that they can be contacted by means of electronic contact forms. In order to use the form, the User is required to provide their personal data necessary to contact them and reply to their request. The User may also provide other data to facilitate the contact or to deal with their request. Providing data marked as obligatory is necessary in order for the request to be accepted and dealt with. If such data are not provided, it is not possible to deal with the request. Provision of the other data is optional.
3.9. The personal data are processed:
3.9.1. for the purpose of the sender’s identification and dealing with their request sent by means of the available electronic form – in such a case the legal basis for the processing of personal data is the necessity of the processing of personal data in order to perform the service provision agreement (Article 6 (1) (b) GDPR);
3.9.2. for the analytical and statistical purposes – in such a case the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR) with respect to keeping a record of statistics concerning requests submitted by Users via the Service in order to enhance its functionalities.
- Marketing
4.1. The Controller processes the Users’ personal data in order to carry out marketing activities that may include:
4.1.1. providing the User with marketing content which is not aligned with their preferences (contextual advertising);
4.1.2. presenting the User with marketing content which is aligned with their interests (online behavioral advertising);
4.1.3. sending notifications by e-mail about interesting offers or content which in some cases include commercial information (newsletter service);
4.1.4. carrying out any other activities related to direct marketing of goods and services (providing commercial information via electronic mail and telemarketing activities).
4.2. In order to carry out marketing activities, the Controller may in some instances use profiling. This means that thanks to the automatic data processing the Controller assesses selected indicators regarding natural persons so as to analyze their behaviors or to make general predictions for the future.
CONTEXTUAL ADVERTISING
4.3. The Controller processes the Users’ personal data for the marketing purposes related to sending contextual advertising to them (i.e. advertising which is not aligned with the User’s preferences). In such a case the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR).
ONLINE BEHAVIORAL ADVERTISING
4.4. The Controller and their trusted partners process the Users’ personal data, including the data collected by means of Internet cookies or any other technologies similar in nature, for the purpose of targeting online behavioral advertising at Users (i.e. advertising that is matched to the User’s preferences). In such a case the processing of personal data includes also profiling activities of Users.
NEWSLETTER
4.5. Based on the rules detailed in the Terms, the Controller sends to individuals, who provided their e-mail addresses, a newsletter. Providing data is obligatory in order for the newsletter service to be feasible. If the personal data are not provided, the newsletter cannot be sent.
4.6. The personal data are processed:
4.6.1. for the purpose of providing the newsletter service including sending marketing content – in such a case the legal basis for the processing of personal data is the consent to receive the newsletter expressed by the User (Article 6 (1) (a) GDPR);
4.6.2. for the analytical and statistical purposes – in such a case the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR) with respect to analyzing Users’ activities within the Service in order to enhance applied functionalities;
4.6.3. for the purpose of establishing, seeking redress or defending against potential legal claims – in such a case the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR).
The User may resign from receiving the newsletter at any time. They may contact the Customer Service department via e-mail sent to the following address: kontakt@bebiocosmetiqs.pl.
DIRECT MARKETING
4.7. The User’s personal data may be also used by the Controller in order to send marketing content by means of various channels, i.e. electronic mail or web push. Such activities are undertaken by the Controller only if the User has expressed their consent which may be withdrawn at any time.
- Social Media Portals
5.1. The Controller processes the personal data of Users who visit the Controller’s social media profiles (Facebook, YouTube, and Instagram). These data are processed solely for the purpose of maintaining such a profile, in order to inform Users about the Controller’s activities and promote various kinds of events, services or products. In such a case the legal basis for the processing of personal data is the legitimate interests pursued by the Controller (Article 6 (1) (f) of GDPR) related to promoting their own brand.
- Internet cookies and similar technology
6.1. Internet cookies are small pieces of data sent from a website and stored on the User’s computer while the User is browsing the Service. Internet cookies collect information in order to facilitate the use of the Service – e.g. by means of remembering the User’s visits on the Service website and their activities there. Internet cookies are stored on the User’s terminal equipment (computer, telephone handset, tablet etc.). Due to the fact that Internet cookies are stored on the device, it is possible to – among others – remember login credentials so that the User does not need to fill in their user name and password every time. These files keep a record of goods added to the shopping cart or adjust the web page content to the User’s interests. The Service is able to collect statistical data by means of Internet cookies, which in turn enables us to develop the Service in line with our Customers’ preferences.
6.2. If the User does not express their consent to have Internet cookies stored on their device, they should configure the browser settings accordingly or remove stored cookies each time they have used the Service. However, it should be kept in mind that applying limits to storing Internet cookies may hinder the use of the Service or make it impossible.
6.3. In order to express one’s consent to store Internet cookies, the User needs to do it in the section located at the bottom of the Service website.
6.4. The Service collects geolocation data, i.e. the Controller verifies the location (continent, country, voivodeship and town) the User places their order from.
“SERVICE” COOKIES
6.5. The Controller uses the so-called service Cookies mostly in order to provide the User with services received by electronic means and to enhance the quality of these services. Owing to that the Controller, and other providers rendering analytical and statistical services to the Controller, use Internet cookies, storing information or gaining access to the information already stored in the terminal equipment of the User (computer, telephone handset, tablet, etc.). Internet cookies used for this purpose include:
6.5.1. user input cookies with data entered by the User (session ID) for the duration of a given session;
6.5.2. authentication cookies used for supporting authentication services for the duration of a given session;
6.5.3. user centric security cookies to ensure security e.g. used to detect authentication frauds;
6.5.4. user interface customization cookies used to personalize the User’s interface for the duration of a given session or a little more time;
6.5.5. Internet cookies used to monitor the traffic on a given website, i.e. data analytics, including Google Analytics (these are cookies used by the Google company in order to analyze the User’s manner of using the Service and to generate statistics and reports with regard to the Service functioning). Google does not use collected data for the purpose of identifying the User as well as it does not combine such information in order to facilitate identification. The detailed information on the scope and rules of collecting data with regard to this service may be found at: https://www.google.com/intl/pl/policies/privacy/partners.
“MARKETING” COOKIES
6.6. The Controller and their trusted partners use Internet cookies also for the marketing purposes such as, among others, targeting online behaviors at Users. Therefore, the Controller and their trusted partners store information or gain access to the information already stored in the terminal equipment of the User (computer, telephone handset, tablet, etc.). Using Internet cookies and all personal data collected by means of them for the marketing purposes, especially in the scope of promoting services and goods provided by any third party, requires the User’s consent. The User’s consent may be withdrawn at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- The Processing of Personal Data – Retention Period
7.1. The period during which the Controller processes the personal data depends on the nature of the service rendered and the purpose of the processing of personal data. In general, the personal data are processed for the whole time the service is rendered or the order is executed, until:
7.1.1. the subject of the Agreement is completed,
7.1.2. the withdrawal of consent when the legal basis for the processing of personal data is the User’s consent, or
7.1.3. an objection is raised with regard to the processing of personal data in situations when the legal basis for the processing of personal data is the legitimate interests pursued by the Controller.
7.2. The data processing period may be prolonged in each case when the processing of personal data is necessary for the purpose of establishing, seeking redress or defending against legal claims, and after this period elapses only in the case and to the extent required by the law provisions. After the data retention period expires, the processed data are irretrievably destroyed or rendered anonymous.
- The User’s Rights
8.1. The User has the right to request from the Controller access to and rectification or erasure of their personal data or restriction of processing concerning the data subject or to object to processing and to data portability as well as the right to lodge a complaint with a supervisory authority.
8.2. To the extent the User’s personal data are processed based on their consent, the User has the right to withdraw consent at any time by means of contacting the Controller or using functionalities available on the Service website.
8.3. The User has the right to object to their data being processed for the marketing purposes if the basis for the processing of personal data is the legitimate interests pursued by the Controller and also – for reasons relating to the User’s specific situation – in any other cases where the basis for the processing of personal data is the legitimate interests pursued by the Controller (e.g. related to carrying out analytical and statistical activities).
- Data Recipients
9.1. In connection with the provision of services the personal data shall be disclosed to external entities, especially to providers in charge of servicing IT systems, entities such as banks and payment processing companies, entities rendering accounting services, couriers (as related to the order realization process), marketing agencies (within the scope of marketing services).
9.2. If the User expresses their consent, their data may be also disclosed to any other entities for their own purposes including the marketing ones.
9.3. The Controller reserves the right to disclose selected information concerning the User to the competent authorities or any third party which submits a request for such information, based on the appropriate legal basis and in accordance with the legal regulations in force.
- Transfers of personal data outside the EEA
10.1. The security level of personal data outside the European Economic Area (EEA) differs from the one guaranteed by the European legislation. Therefore, the Controller transfers the personal data outside the EEA only when it is necessary and guarantees the appropriate security level, above all by means of:
10.1.1. cooperating with entities processing personal data in countries with regard to which the appropriate decision has been made by the European Commission;
10.1.2. making use of standard contractual clauses issued by the European Commission;
10.1.3. making use of binding corporate rules approved by the competent authority;
10.1.4. cooperating with the entities participating in the Privacy Shield program, approved by the European Commission in case of the personal data transfer to the USA.
10.2. The Controller always communicates their intention to transfer the personal data outside the EEA already on the data collection stage.
- The Personal Data Protection
11.1. The Controller guarantees the appropriate security level of the personal data by means of appropriate technical and organizational safeguards to prevent unlawful data processing and accidental loss, damage or destruction of such data. Moreover, the Controller uses their best efforts for the personal data:
11.1.1. to be correct and lawfully processed,
11.1.2. to be obtained solely for specific purposes and not processed further in any manner incompatible with those purposes,
11.1.3. to be adequate, relevant and not excessive in relation to the purpose of the processing,
11.1.4. to be accurate and updated,
11.1.5. not to be kept longer than necessary,
11.1.6. to be securely stored,
11.1.7. not to be transferred outside the European Economic Area without adequate protection.
11.2. In order to safeguard the User’s account better, it is recommended to:
11.2.1. use a strong, complex password – one that is difficult for other individuals to guess – protecting access to the account. Such a password should consist of a minimum of 8 characters, upper and lower-case letters, numbers and special characters.
11.2.2. maintain the confidentiality of one’s username and password, including not disclosing these data (username and password) to any other individuals.
11.2.3. log out of the Service after each completed session (finalizing the shopping, adding posts on the forum, etc.). Simply closing the browser window does not mean that the User has logged out. Logging out of the Service is completed after clicking the “Log out” button.
11.2.4. use anti-virus software, including regular virus scanning of drives.
11.2.5. use the Service solely on trusted devices on which only proven software is installed. If the User uses the third party’s computer, they are exposed to the risk of having their login, password or other data provided while using the account intercepted.
11.2.6. if the User uses the Service on the third party’s device, e.g. at an Internet cafe, they should not save any data and additionally they should delete their search history.
11.3. The Controller carries out the risk analysis on a regular basis in order to secure a safe way of the processing of personal data – one that most importantly guarantees that only the authorized individuals have access to the data and only to the extent necessary to carry out their approved activities. The Controller ensures that all instances of data processing are registered and carried out only by the authorized employees and business partners.
11.4. The Controller undertakes all necessary activities in order for their subcontractors and any third party they cooperate with to guarantee application of appropriate security measures; in each case they process the personal data on instructions from the Controller.
- Contact details
12.1. The Controller may be reached at kontakt@bebiocosmetiqs.pl or at the correspondence address:
Be Bio Active Cosmetiqs Mind Network Inspire Sp. z o.o. Sp.k.
ul. Okrężna 83A
02-933 Warszawa
- Privacy Policy Adjustments
13.1. This Policy is reviewed on a regular basis and amended according to the needs.
The Controller is entitled to amend this Policy for legitimate reasons (e.g. changes to legislation or the functioning of the Service). In the case any changes are implemented, the User is notified at least 14 days before the changes enter into force – the appropriate information on any changes of this Policy shall be communicated on the Service website and if the Controller has got the User’s e-mail address or the User has registered an account – they shall receive communication regarding the changes of the Policy by e-mail.
13.2. This Policy has been in place since May 23, 2018.