If you've found your way here, it's a sure sign that you value your privacy. I completely understand, which is why I'm providing you with this document that contains the rules for processing personal data and the use of cookies and other tracking technologies in connection with the operation of the DRESS UP store.
Formal information to start – the administrator of the store is Krystyna Biłak, running the business under the name “Dress Up Krystyna Biłak”, ul. Prosta 43, 43-300 Bielsko-Biała, NIP 5471747965.
If you have any questions regarding the privacy policy, you can contact me at any time by sending an email to dressup.questions@gmail.com.
This Privacy Policy has been in effect since April 15, 2021.
1. Who Is the Administrator of Your Personal Data?
The administrator of your personal data is Krystyna Biłak, running the business under the name “Dress Up Krystyna Biłak”, ul. Prosta 43, 43-300 Bielsko-Biała, NIP 5471747965.
2. Who Can You Contact Regarding the Processing of Your Personal Data?
As part of implementing data protection in our organization, I have decided not to appoint a data protection officer since it is not mandatory in my case. For matters related to personal data protection and general privacy, you can contact me at dressup.questions@gmail.com.
3. What Information Do We Have About You?
Depending on the purpose, we may process the following information about you:
- First and last name
- Residential address
- Business address
- NIP number (Tax Identification Number)
- Email address
- Phone number
- Data contained in correspondence sent to us
- Details of orders placed
- Bank account number
- IP address
- Activity related to sent newsletters
The scope of the processed data is described precisely in relation to each processing purpose. Further information on this can be found in the rest of this policy.
4. Where Do We Obtain Your Personal Data?
In most cases, you provide us with this information directly. This occurs when you:
- Place an order in the store
- Send complaints or withdraw from a contract
- Subscribe to the newsletter
- Leave a comment or review about a product
- Contact us
Additionally, some information about you may be automatically collected by the tools we use:
- The store and newsletter system collect your IP address
- The newsletter system collects information about your activity related to the content sent to you in the newsletters, such as message openings, clicks on links, etc.
5. Are Your Data Safe?
We care about the security of your personal data. We have analyzed the risks associated with each of the processes in which we handle your data and have implemented appropriate security measures to protect personal data. We continuously monitor the state of our technical infrastructure, train our staff, review the procedures in place, and make necessary improvements. If you have any questions regarding your personal data, we are at your disposal at dressup.questions@gmail.com.
6. For What Purposes Do We Process Your Personal Data?
There is more than one purpose for processing your data. Below is a list of these purposes, followed by a more detailed discussion. Each purpose is also assigned the appropriate legal basis for processing.
- Registration and maintenance of user accounts – Article 6(1)(b) of the GDPR
- Order processing – Article 6(1)(b) of the GDPR
- Handling complaints or withdrawal from a contract – Article 6(1)(f) of the GDPR
- Sending newsletters – Article 6(1)(a) of the GDPR
- Managing comments or reviews of products – Article 6(1)(a) of the GDPR
- Handling correspondence – Article 6(1)(f) of the GDPR
- Fulfilling tax and accounting obligations – Article 6(1)(c) of the GDPR
- Creating an archive for the potential need to defend, establish, or pursue claims, as well as for identifying returning customers – Article 6(1)(f) of the GDPR
- Internal marketing – Article 6(1)(f) of the GDPR
User Account
When creating a user account, you must provide the necessary information to set up the account: an email address and a password. Providing this information is voluntary but essential for creating the account.
As part of editing your account information, you may provide additional details, particularly those that can be used when placing orders, such as your first and last name, residential or business address, NIP number, and phone number. You can also set your avatar, such as a profile picture.
If you create an account through integration with a social media account, based on your prior authorization, we will gain access to specific data collected within your social media account (first and last name, email address, profile picture).
Additionally, our system used for managing user accounts logs your IP address used when registering the user account.
You can modify the information about yourself provided to us during the registration of your user account at any time. However, if you created the account using integration with a social media account, the data obtained from that social media platform cannot be modified.
The data you provide in connection with the account creation is processed for the purpose of providing you with electronic services that allow you to use your user account. This service is provided based on the agreement made under the terms described in the regulations, meaning that in this regard, the legal basis for processing your personal data is Article 6(1)(b) of the GDPR.
The data will be stored for the duration of the user account. You can decide at any time to delete your account; however, this will not result in the deletion of the information about your orders placed using the account from our database. Data about orders is stored in our archive until the expiration of the statute of limitations for claims arising from the agreement, which constitutes our legitimate interest as stated in Article 6(1)(f) of the GDPR.
Orders
When placing an order in the store, you must provide the necessary information to fulfill the order. Depending on the details of the order, the catalog of data may vary. For example, if you are ordering physical products, we need to know the address to which the order should be delivered. If you request an invoice for a company, we need to know the NIP number and the business address. Providing this information is voluntary but essential for placing the order.
Additionally, our system used to process orders logs your IP address from which you placed the order.
Each order is recorded in our database, which means that your personal data associated with the order is accompanied by information about the order itself, such as the products ordered, selected payment method, chosen delivery method, and payment deadline.
The data collected in connection with the order is processed to execute the agreement made by placing the order (Article 6(1)(b) of the GDPR), to issue an invoice (Article 6(1)(c) of the GDPR in conjunction with regulations governing invoicing), to include the invoice in accounting documentation, and to fulfill other tax and accounting obligations (Article 6(1)(c) of the GDPR in conjunction with regulations governing tax and accounting obligations), as well as for archival purposes for potential defense, identification, or pursuit of claims, which constitutes our legitimate interest (Article 6(1)(f) of the GDPR).
Data about orders will be processed for the time necessary to fulfill the order, and subsequently for the duration of the statute of limitations for claims arising from the agreement. Furthermore, after this period, the data may still be processed for archival purposes for potential defense, identification, or pursuit of claims, as well as for identifying returning customers. Please also remember that we are obliged to keep accounting documentation, which may contain your personal data, for the period required by law.
Complaints and Withdrawal from the Agreement
If you are submitting a complaint or withdrawing from the agreement, you provide personal data included in the content of the complaint or the declaration of withdrawal, which includes your name, address, phone number, email address, and bank account number. Providing this information is voluntary but necessary to submit a complaint or withdraw from the agreement.
The data you provide in connection with the complaint or withdrawal is used to carry out the complaint procedure or the withdrawal procedure, and then for archival purposes, which constitutes our legitimate interest (Article 6(1)(f) of the GDPR).
The data will be processed for the time necessary to carry out the complaint or withdrawal procedure. Complaint documents will be stored until the expiry of warranty claims. Declarations of withdrawal from the agreement will be stored along with accounting documentation for the period required by law.
Newsletter
By signing up for the newsletter, you provide us with your name and email address or phone number. Providing this information is voluntary but necessary to subscribe to the newsletter.
Additionally, our system used to manage the newsletter logs your IP address from which you signed up, determines your approximate location, the email client you use, and tracks your actions related to the messages sent to you. Consequently, we also have information on which messages you opened and which links you clicked within those messages.
The data you provide when signing up for the newsletter is used to send you the newsletter and to announce the results of any contests in which you participated. The legal basis for processing this data is your consent (Article 6(1)(a) of the GDPR) given at the time of subscribing to the newsletter. As for the processing of information not coming from you but collected automatically by our mailing system, we rely on our legitimate interest (Article 6(1)(f) of the GDPR) in analyzing subscriber behavior to optimize our mailing activities.
You can unsubscribe from the newsletter at any time by clicking the dedicated link in every newsletter email or simply by contacting us. Despite unsubscribing from the newsletter, your data will still be stored in our database to identify returning subscribers and potentially defend claims related to sending you the newsletter, particularly to demonstrate your consent to receive the newsletter and when it was withdrawn, which constitutes our legitimate interest as stated in Article 6(1)(f) of the GDPR.
You can modify the data you provided for receiving the newsletter at any time by clicking the relevant link visible in every newsletter email or simply by contacting us.
Comments and Product Reviews
When adding a comment or review about a product, you must provide at least a username, which will be associated with the comment or review (the name may include personal data, such as your first or last name), and an email address. Providing this information is voluntary but necessary to add a comment or review. You can also add your avatar (which may include your image, such as a photo) and provide your website address, but this is not mandatory.
The data provided in connection with adding a comment or review will be processed for the purpose of publishing the comment or review on the site. The legal basis for processing is your consent (Article 6(1)(a) of the GDPR) resulting from submitting the form for publishing the comment or review. You can withdraw your consent at any time by requesting the removal of the comment or review.
Your comment or review will be publicly available on the site for as long as it is accessible on the Internet, unless you request its removal beforehand. You can also modify the content of the comment and the associated data as the person who added the comment or review.
Correspondence Handling
By contacting us, you naturally provide us with your personal data contained in the correspondence, particularly your email address and name. Providing this information is voluntary but necessary to establish contact.
Your data is processed in this case for the purpose of contacting you, and the legal basis for processing is Article 6(1)(f) of the GDPR, which refers to our legitimate interest. The legal basis for processing after the contact has ended is also our justified aim of archiving the correspondence to ensure we can demonstrate certain facts in the future (Article 6(1)(f) of the GDPR).
The content of the correspondence may be subject to archiving, and we cannot clearly determine when it will be deleted. You have the right to request a history of the correspondence you have had with us (if it has been archived), as well as to request its deletion, unless its archiving is justified by our overriding interests, such as defense against potential claims from you.
Tax and Accounting Obligations
If we issue an invoice to you, it will be part of the accounting documentation, which will be stored for the period required by law. Your personal data is processed in this situation to fulfill our tax and accounting obligations (Article 6(1)(c) of the GDPR in conjunction with regulations governing tax and accounting obligations).
Archive
In the description of the various purposes of personal data processing mentioned above, we indicated the retention periods for personal data. These periods are often related to our archiving of certain data so that we can demonstrate specific facts in the future, reconstruct the course of cooperation with the client and the correspondence exchanged, and defend, establish, or pursue claims. We rely on our legitimate interest in this regard, as referred to in Article 6(1)(f) of the GDPR.
Own Marketing
In our store, we utilize a mechanism for recovering abandoned shopping carts. If you start the order process but do not complete it, our system will note this fact to encourage you to finalize your order. These actions may include sending you emails encouraging you to complete your purchase or displaying targeted advertisements while you browse the Internet.
We also use SMS marketing, allowing us to send commercial and promotional information to the phone number you provide when placing an order.
You can object to such activities at any time.
7. How Long Will We Store Your Personal Data?
The retention periods for data are specified separately for each purpose of processing. You can find this information in the details related to each specific processing purpose.
Please note that we have adopted a model of storing your order data for the entire duration of our online store's operation. We believe this benefits you, as you can always access your purchase history and potentially benefit from discounts we offer to our regular customers. However, if you do not want your order data to be stored for that long, you can object to its retention for this purpose at any time. We inform you, however, that we see our legitimate interest in retaining order data until the expiration of the statute of limitations for claims from the sales contract concluded with us.
8. Who Are the Recipients of Your Personal Data?
- Hosting provider, which stores data on the server - Shoper
- Provider of the mailing system, where your data is stored if you are a newsletter subscriber - Shoper, MailerLite
- Provider of the invoicing system, where your data is stored for issuing invoices - iFirma
- Accounting office that processes your data visible on invoices - Biuro Rachunkowe Jagoda Skorupa
- Service providers for technical support, who may access data if technical work involves areas containing personal data
- Blue Media S.A. based in Sopot, ul. Powstańców Warszawy 6, will process your personal data to fulfill the obligation arising from Article 33(1) of the Act on Counteracting Money Laundering and Terrorist Financing
- Other subcontractors who gain access to data if their activities require such access
All entities listed above process your data based on agreements with us for data processing and guarantee an appropriate level of data protection.
Your data is shared with courier companies to the extent necessary for delivering your order. These companies become independent administrators of your personal data.
If necessary, your data may be shared with a legal advisor or attorney bound by professional secrecy. This need may arise from the requirement for legal assistance that necessitates access to your personal data.
Your personal data may also be transferred to tax offices to fulfill tax, settlement, and accounting obligations. This includes any declarations, reports, statements, and other accounting documents containing your personal data.
Additionally, if necessary, your personal data may be shared with entities, authorities, or institutions entitled to access the data under the law, such as police, security services, courts, and prosecutors.
9. Do We Transfer Your Data to Third Countries or International Organizations?
Your personal data is stored on servers located in third countries as part of the Google service within the G-Suite package, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This includes all data processed within Google services, including data stored in files synchronized with Google Drive. The collected information is primarily stored in the United States of America (USA).
10. Do We Use Profiling? Do We Make Automated Decisions Based on Your Personal Data?
We do not make decisions based solely on automated processing, including profiling, that would have legal effects on you or similarly significantly affect you.
However, we do use tools that can take certain actions based on information collected through tracking mechanisms, but we believe that these actions do not significantly impact you, as they do not differentiate your situation as a customer or affect the terms of any contract you may enter into with us.
By using specific tools, we can, for example, direct personalized advertisements to you based on your previous actions on our site or suggest products that may interest you. This is known as behavioral advertising. We encourage you to deepen your understanding of behavioral advertising, especially concerning privacy issues. Detailed information, along with the option to manage settings related to behavioral advertising, can be found here: http://www.youronlinechoices.com.
11. What Rights Do You Have Regarding the Processing of Your Personal Data?
GDPR grants you the following potential rights related to the processing of your personal data:
- The right to access your data and receive a copy of it.
- The right to rectify (correct) your data.
- The right to erasure of data (if you believe we do not have grounds to process your data, you can request its deletion).
- The right to restrict the processing of data (you can request that we limit the processing of data solely to storage or performing agreed-upon actions if you believe we have inaccurate data or are processing it unlawfully).
- The right to object to the processing of data (you have the right to object to processing based on legitimate interests; you should indicate a specific situation that you believe justifies our cessation of the processing in question; we will stop processing your data for these purposes unless we demonstrate that the grounds for processing override your rights or that your data is necessary for establishing, pursuing, or defending claims).
- The right to data portability (you have the right to receive from us in a structured, commonly used, machine-readable format personal data that you have provided us based on a contract or your consent; you can instruct us to send this data directly to another entity).
- The right to withdraw consent for processing personal data if you previously provided such consent.
- The right to lodge a complaint with a supervisory authority (if you believe we are processing data unlawfully, you can file a complaint with the President of the Personal Data Protection Office or another relevant supervisory authority).
The rules related to the exercise of the rights mentioned above are described in detail in Articles 16 – 21 of the GDPR. We encourage you to familiarize yourself with these provisions. We believe it is necessary to clarify that the rights mentioned above are not absolute and may not apply to all processing activities of your personal data.
We emphasize that one of the rights mentioned above is always available to you: if you believe that we have violated data protection regulations in processing your personal data, you have the right to lodge a complaint with the supervisory authority (the President of the Personal Data Protection Office).
12. Do We Use Cookies and What Are They?
Our store, like almost all other websites, uses cookies.
Cookies are small text files stored on your device (e.g., computer, tablet, smartphone) that can be read by our IT system (first-party cookies) or third-party IT systems (third-party cookies). Specific information can be recorded and stored in cookies, which IT systems can then access for specific purposes.
Some cookies we use are deleted after you close your web browser (session cookies). Others are retained on your device and allow us to recognize your browser during your next visit (persistent cookies).
If you want to learn more about cookies, you can refer to this material: https://pl.wikipedia.org/wiki/HTTP_cookie.
13. On What Basis Do We Use Cookies?
We use cookies based on your consent, except when cookies are necessary for providing you with our electronic services correctly.
Regarding your consent to cookies, we assume that you express this consent through the settings of your web browser or additional software that helps manage cookies. We consider that you agree to all cookies we use that are not blocked by your browser or additional software.
Please remember that disabling or limiting the handling of cookies may prevent you from using certain features available in our store and may cause difficulties in using our store, as well as many other websites that use cookies. For example, if you block cookies from social media plugins, the buttons, widgets, and social features implemented in our store may be unavailable to you.
14. Can You Disable Cookies?
Yes, you can manage your cookie settings within your web browser. You can block all or selected cookies. You can also block cookies from specific websites. At any time, you can also delete previously saved cookies and other site and plugin data.
Web browsers also offer the option of using incognito mode. You can use this mode if you do not want information about visited pages and downloaded files to be saved in your browsing and download history. Cookies created in incognito mode are deleted when you close all windows of that mode.
There are also browser plugins that allow you to control cookies, such as Ghostery (https://www.ghostery.com). Control over cookies can also be provided by additional software, particularly antivirus packages, etc.
Additionally, there are online tools that allow you to control certain types of cookies, especially for collectively managing behavioral advertising settings (e.g., www.youronlinechoices.com, www.networkadvertising.org/choices).
We also provide you with the option to control cookies directly from our store. We have implemented a special mechanism for managing cookies that allows you to block cookies that you do not wish to accept.
Please remember that disabling or limiting the handling of cookies may prevent you from using certain features available in our store and may cause difficulties in using our store, as well as many other websites that use cookies. For example, if you block cookies from social media plugins, the buttons, widgets, and social features implemented in our store may be unavailable to you.
15. For What Purposes Do We Use First-Party Cookies?
First-party cookies are used to ensure the proper functioning of various mechanisms in the store, such as maintaining sessions after logging into your account, remembering recently viewed products, and products added to the cart.
First-party cookies also store information about cookie settings defined by you through the cookie management mechanism.
First-party cookies are also used to handle the cart recovery mechanism.
16. What Third-Party Cookies Are Used?
Google Analytics
We use the Google Analytics tool provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We do this based on our legitimate interest in creating statistics and analyzing them to optimize our websites.
To use Google Analytics, we have implemented a special tracking code on our site. This tracking code uses cookies from Google LLC related to the Google Analytics service. You can block the Google Analytics tracking code at any time by installing the browser add-on provided by Google: https://tools.google.com/dlpage/gaoptout.
Google Analytics automatically collects information about your use of our site. The information collected is typically sent to servers owned by Google, which may be located worldwide, where it is stored.
Due to the IP address anonymization we have activated, your IP address is truncated before further transmission. Only in exceptional cases is the full IP address sent to Google servers and then truncated. The anonymized IP address sent by your browser in the context of Google Analytics is generally not linked with other Google data.
We emphasize that we do not collect any data within Google Analytics that would allow for your identification. Therefore, the data collected in Google Analytics does not constitute personal data for us. The information we have access to through Google Analytics includes, in particular:
- Information about the operating system and web browser you are using
- The subpages you visit in our store
- The time spent in our store and on its subpages
- Transitions between individual subpages
- The source from which you access our store
Additionally, we use the following Advertising Features within Google Analytics:
In the context of Advertising Features, we also do not collect personal data. The information we have access to includes, in particular:
- Your age range
- Your gender
- Your approximate location limited to the city
- Your interests determined based on online activity
Google Analytics and Google Analytics 360 services have obtained certification for the independent security standard ISO 27001. ISO 27001 is one of the most recognized standards worldwide and certifies compliance with relevant requirements by the systems that support Google Analytics and Google Analytics 360.
If you are interested in details regarding Google's use of data from sites and applications that use Google services, we encourage you to read this information: https://policies.google.com/technologies/partner-sites.
Facebook, Instagram, Pinterest, TikTok
In the context of the Facebook Ads system provided by Facebook Inc., 1601 S. California Ave., Palo Alto, CA 94304, USA, we use the Custom Audiences feature to target specific groups of users with our advertising messages. We base this activity on our legitimate interest in marketing our own products or services.
To personalize advertisements based on your behavior in our store, we have implemented the Facebook Pixel on our site, which automatically collects information about your use of our website. The information collected is typically sent to Facebook's servers, which may be located worldwide, particularly in the United States.
The information collected via the Facebook Pixel is anonymous, meaning it does not allow for your identification. Depending on your activity on our pages, you may be included in a specific audience group, but we do not identify individual persons within these groups.
However, we inform you that Facebook may combine the collected information with other information about you collected while using Facebook and utilize it for its own purposes, including marketing. Such actions by Facebook are beyond our control, and you can find information about them directly in Facebook's privacy policy: https://www.facebook.com/privacy/explanation. You can also manage your privacy settings from your Facebook account. Here you can find useful information on this topic: https://www.facebook.com/ads/settings.
Our website uses plugins, buttons, and other social media tools, collectively referred to as "plugins," provided by social networks such as Facebook, Instagram, and Pinterest.
When you visit our website containing a plugin from a particular social network, your browser sends information about your visit to the administrator of that social network. Since the plugin is an embedded part of the social network integrated into our site, the browser sends a request for the content from the social network.
The plugins collect certain information about you, such as your user ID, the visited site, date and time, and other information related to your web browser.
Social network administrators use some of this information to personalize your viewing experience on our site. For example, when you visit a page with a "Like" button, the administrator of the social network needs information about who you are to show you which of your friends also like our page.
The information collected by the plugins can also be used by social network administrators for their own purposes, such as improving their products, creating user profiles, analyzing and optimizing their actions, and targeting advertisements. We have no real influence over how the information collected by the plugins is subsequently used by social network administrators. You can find details on this topic in the terms of service and privacy policies of the respective social networks.
Social media plugins collect and transmit information to the administrators of these services even when you browse our site without being logged into your social media account. However, in this case, the browser sends a more limited set of information.
If you are logged into one of the social networks, the administrator will be able to directly associate your visit to our site with your profile on that social network.
If you do not want social networks to associate data collected during your visit to our website directly with your profile on that social network, you must log out of that service before visiting our site. You can also completely prevent the loading of plugins on the page by using appropriate extensions for your browser, such as script blockers.
Additionally, using some plugins may involve publishing certain information to your social media profiles. For example, information about clicks on the "Like" button may be visible on your Facebook timeline. Of course, if you share any content on your social media using the plugins embedded on our site, that sharing will naturally be visible on your profile.
The privacy policies of the respective providers describe in detail how social network administrators process the information collected by plugins: the purpose and scope of data collection, its further processing and use by the administrators, how to contact them, your rights in this regard, and the settings available to protect your privacy:
- Facebook: https://www.facebook.com/privacy/explanation
- Instagram: https://www.facebook.com/help/instagram/155833707900388
- Pinterest: https://policy.pinterest.com/pl/privacy-policy
17. Do We Track Your Behavior in Our Store?
Yes, we use Google Analytics and Facebook Custom Audiences tools, which involve collecting information about your activities in our store. These tools are described in detail in the section on third-party cookies, so we will not repeat that information here.
18. Do We Target You with Advertising?
Yes, we use Facebook Ads, which allows us to target advertisements to specific audience groups defined based on various criteria such as age, gender, interests, profession, work, and actions previously taken within our store. These tools have been described in detail in the section on third-party cookies, so we will not repeat that information here.
19. Can This Privacy Policy Change?
Yes, we may modify this privacy policy, particularly due to technological changes on our store's side and changes in legal regulations. All archived versions of the privacy policy will be linked below.
20. Who Else May Process Your Data?
On behalf of PayPo sp. z o.o. and Autopay S.A., we inform you that PayPo sp. z o.o., based in Warsaw, ul. Domaniewska 39, or Autopay S.A., based in Sopot, ul. Powstańców Warszawy 6, becomes the administrator of your personal data and will process your personal data to fulfill the obligation arising from Article 33(1) of the Act on Counteracting Money Laundering and Financing of Terrorism if you choose the deferred payment option via PayPo.