Privacy policy
effective from 25.07.2023
The controller responsible for processing personal data is:
- Vanilla s.c. Katarzyna Pastwa, Marek Pastwa
- ul. Napoleońska 33
- 94-231 Łódź
- shop@ohzuza.com
Thank you for your interest in our online store. Protecting your privacy is very important to us. Below you will find detailed information on how we handle your data.
1. Access data and hosting
You can visit our websites without providing personal data. Each time a web page is accessed, the server automatically saves only so-called server logs, e.g. the name of the requested file, your IP address, date and time of the request, the amount of data transferred and the requesting internet service provider (so-called access logs), and documents the page view.
These data are analyzed solely to ensure the proper functioning of our website and to improve our offer. This serves, pursuant to Article 6(1)(f) GDPR, to safeguard our legitimate interest in the optimal and correct presentation of our websites and offer. All access data are deleted within seven days after the end of your visit to the site.
Hosting
Hosting and display services for the website are provided in part on our behalf by our service providers under a data processing agreement. Unless otherwise stated in this privacy policy, all access data and data collected in the forms provided for this purpose on our site will be processed on their servers. If you have questions about our service providers and the basis of our cooperation with them, please contact us. You will find our contact details in the section “Our contact details and your rights.”
2. Collection and processing of data for contract performance, contact purposes and creation of a customer account
We collect personal data only when you voluntarily provide it to us when placing your order or contacting us (e.g. via a contact form or by email). Mandatory fields are marked as such because the data entered there are necessary to perform the contract or to handle the matter for which you are contacting us. Without providing them, it is not possible to complete the order or contact us. Which data are collected follows directly from the forms into which the data are entered. We use the data you provide pursuant to Article 6(1)(b) GDPR for the purpose of performing the contract and responding to your inquiries. In addition, if, pursuant to Article 6(1)(a) GDPR, you give your consent to create a customer account, we will process your personal data necessary for that purpose. Further information on the processing of your data, in particular regarding the transfer of data to our service providers for order fulfillment, payments and shipping, can be found in subsequent parts of this privacy policy.
After full performance of the contract or deletion of your customer account, the processing of your data will be limited and, after the expiry of the retention periods specified in tax regulations and the Accounting Act, these data will be deleted (Article 6(1)(c) GDPR), unless you give explicit consent (Article 6(1)(a) GDPR) to further use of these data or, in accordance with applicable law, we reserve the right to further use the data for other purposes, of which—in such a case—we inform you in this privacy policy. Your customer account can be deleted at any time. To do so, please send a message to our contact address indicated in the section “Our contact details and your rights” or use the appropriate function in your customer account settings.
Shopify as our store service provider (data processor)
Our store uses the Shopify platform, which provides services for us such as hosting, payment processing, anti-fraud security, order management, statistics and marketing, acting as a data processor within the meaning of the GDPR. Shopify processes customers’ personal data only on our instructions and for the purpose of providing store services. Data may be transferred to or stored in third countries, including Canada and the USA, with appropriate safeguards such as standard contractual clauses in place. The following documents contain detailed information:
– Shopify Consumer Privacy Policy
– Shopify Data Processing Addendum (DPA)
– Shopify Privacy Portal – exercise of user rights.
Merchandise management system
To handle orders and perform the contract, we also use an external merchandise management system. Our service providers perform these services for us under a data processing agreement. If you have questions regarding our service providers and the basis of our cooperation with them, please contact us. You will find our contact details in the section “Our contact details and your rights.”
3. Transfer of data for delivery purposes
For the performance of the contract (Article 6(1)(b) GDPR), we transfer your data to the shipping company selected by you during the ordering process, which has been commissioned to deliver the ordered products.
4. Processing of data for payment purposes
To process payments in our online store, we cooperate with external service providers handling online electronic payments and transfer your data to the payment service chosen by you during the ordering process. This serves to perform the contract (Article 6(1)(b) GDPR).
Shopify Payments as a payment data processor
If you use the Shopify Payments option, your data may be transferred to Shopify during the payment process, where Shopify acts as a data processor for payment handling. Details of roles and responsibilities are set out in the Shopify Payments Terms of Service.
Processing of data to prevent abuse and optimize payments
In certain situations, we may provide our service providers with additional information which may be used together with the information necessary to execute the payment. These service providers act on our behalf as data processors and provide services for us in the area of fraud prevention and payment process optimization (e.g. invoicing, analysis of disputed payments, accounting support). Pursuant to Article 6(1)(f) GDPR, this serves our legitimate interests in protection against abuse and fraud as well as effective payment management.
5. Marketing channels: email (e.g. newsletter), traditional mail, telephone contact
Advertising by email after subscribing to the newsletter
If you subscribe to our newsletter, we will use the data you provide that are necessary to regularly send you our newsletter electronically on the basis of your consent (Article 6(1)(a) GDPR). You can unsubscribe from the newsletter at any time by sending us a message to our contact address indicated in the section “Our contact details and your rights” or by using the appropriate link included in the newsletter. After unsubscribing, we will delete your email address unless you explicitly consent to further use of your data for other purposes or we reserve the right to further use these data in legally permissible cases, of which we inform you in this privacy policy.
Sending the newsletter
The newsletter is sent by an external service provider on our behalf under a data processing agreement. If you have questions about our service providers and the basis of our cooperation with them, please contact us. You will find our contact details in the section “Our contact details and your rights.”
Sending invitations to review a purchase
If, during or after placing an order, you have given your consent (Article 6(1)(a) GDPR), we will use your email address to send you an electronic invitation to review the purchase made in our store. Reviews/ratings are submitted via our review system. You can withdraw your consent at any time by sending a message to our contact address indicated in the section “Our contact details and your rights” or by using the appropriate link included in the invitation message.
Invitations to submit reviews may be sent on our behalf by our service provider—eKomi/Zaufane.pl—which provides services to us in this area. eKomi/Zaufane.pl cooperates for this purpose with subcontractors based in Germany. An appropriate level of data protection has been ensured for this cooperation. You will find contact details in the section “Our contact details and your rights.”
Advertising sent by traditional mail and your right to object
We also reserve the right to process your data—first and last name and postal address—for our own advertising purposes in relation to our products, e.g. sending the latest offers and information about our products by post. This serves, pursuant to Article 6(1)(f) GDPR, to safeguard our legitimate interest in contacting customers for the advertising of our own products. You may object at any time to the processing of your data for this purpose by sending a message to our contact address indicated in the section “Our contact details and your rights.”
Telephone advertising
If, during or after placing an order, you have given your consent (Article 6(1)(a) GDPR), we will use your data for our own advertising purposes, e.g. to inform you about our new products and promotions. You can withdraw your consent at any time by sending us a message to our contact address indicated in the section “Our contact details and your rights” or by making an appropriate oral statement during the phone call. After consent is withdrawn, we will delete your phone number unless you explicitly consent to further use of it for other purposes or we reserve the right to further use these data in legally permissible cases, of which we inform you in this privacy policy.
6. Cookies and similar technologies
General information
To make your visit to our website more attractive and to enable you to use its key functions, we use technological tools, including cookies. Cookies are small text files that are automatically stored on your end device. Some of the cookies we use are deleted after the end of the browser session, i.e. after the browser is closed (so-called session cookies). Other cookies remain stored on your end device and allow us to recognize your browser the next time you visit the site (so-called persistent cookies). We use technologies that are absolutely necessary to ensure the proper and optimal use of the essential functions of our website (e.g. shopping cart functionality). These technologies process data such as your IP address, time of visit, device and browser information, as well as information on how you use our website (e.g. the contents of the shopping cart). This serves, pursuant to Article 6(1)(f) GDPR, our legitimate interest in the optimal presentation of our offer.
We also use technological tools to fulfill legal obligations to which we are subject (e.g. to demonstrate that we have obtained your consent to process your personal data), as well as for web analytics and online marketing. Further information on this, including the relevant legal bases for processing, can be found in subsequent sections of this privacy policy.
In your browser’s help menu you will find explanations on how to change cookie settings. They are available at the following links: Microsoft Edge™ / Safari™ / Chrome™ / Firefox™ / Opera™.
Where we have been given your consent to use specific technological tools (Article 6(1)(a) GDPR), you may withdraw it at any time. To withdraw consent, please contact us via the contact address indicated in the section “Our contact details and your rights.”
7. Use of cookies and similar technological tools for web analytics and marketing purposes
Where you have given your consent (Article 6(1)(a) GDPR), we use on our website the cookies and other similar technological tools of external service providers indicated below. After the processing purpose has been fulfilled and use of the given technological tool has ended, the data collected through the use of these tools will be deleted. You may withdraw your consent at any time. Detailed information on how to withdraw consent and your right to object can be found in the section “Cookies and similar technologies.” Further information can be found on the websites of the respective service providers. If you have questions concerning our service providers and the basis of our cooperation with them, please contact us. You will find our contact details in the section “Our contact details and your rights.”
Use of Google services
We use the technological tools listed below from Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Information automatically collected by Google technologies regarding the use of our website is usually transferred to and stored on a server of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The European Commission has not issued an adequacy decision for the USA. Our cooperation is based on the European Commission’s standard contractual clauses. Where, in the context of using Google technologies, your IP address is processed, IP anonymization is enabled so that your address is shortened before being stored on Google servers. Only in exceptional cases will the full IP address be transferred to a Google server and shortened there. Unless otherwise specified for individual Google technologies described in this privacy policy, data are processed on the basis of a joint controllership agreement with Google pursuant to Article 26 GDPR. Further information on Google’s data processing can be found in Google’s privacy policy.
Google Analytics
To analyze the use of our website, we use Google Analytics, a web analytics service by Google, which automatically processes your data (IP address, time of visit, device and browser information, and information about your use of our website) for this purpose and creates pseudonymous user profiles on this basis. Cookies may be used for this purpose. Your IP address is generally not combined with other data collected by Google. Data processing within Google Analytics is carried out on the basis of a data processing agreement concluded with Google.
To optimize and enhance our website offering, we have also activated data sharing settings for “Google products and services.” This allows Google to access data collected and processed within Google Analytics and use them to improve Google’s products and services. Data sharing with Google for this purpose is based on an additional agreement concluded between data controllers. We have no influence over Google’s subsequent processing of data.
We also use Google Optimize, an extension of Google Analytics, to create and run A/B tests of our website.
For web analytics we also use Google Signals, an extension of Google Analytics that enables so-called cross-device tracking. This means that if your internet-enabled devices are linked to your Google account and you have activated “personalized advertising” in your Google account, Google can generate reports on the use of our site (in particular regarding the number of users using different devices), even if you switch devices. We do not process your personal data in this respect; we receive only statistics based on Google Signals functions and technologies.
For analysis of the use of our website and for advertising purposes, within Google Analytics we also use the DoubleClick cookie, which enables recognition of your browser when using other websites. Google will use this information to prepare reports on your activity on our website and to provide other services related to website usage.
Google Ads
With Google Ads, we promote our website in search results and on third-party sites. For this purpose, when you visit our website, a Google remarketing cookie is automatically stored on your device, which—based on the pages you visit—enables interest-based advertising by processing your data (IP address, time of visit, device and browser information, and information on the use of our website) using a pseudonymous identifier (ID). Further data processing occurs only if you have activated ad personalization in your Google account settings. In that case—if you are logged in to Google while visiting our website—Google will use your data together with data collected within Google Analytics to create and define audience lists for cross-device remarketing.
For web analytics purposes we use Google Ads Conversion Tracking to measure and analyze your behavior when you visit our site via an ad within Google Ads. Cookies may be used for this purpose and data such as IP address, time of visit, device and browser information, as well as information on the use of our website (e.g. a site visit or newsletter registration) may be processed. Pseudonymous user profiles are then created on the basis of these data.
Google Maps
For the visual presentation of geographic information, Google Maps will store and process information on how you use the maps and individual functions, including your IP address and location data. We have no influence over this processing by Google.
Google reCAPTCHA
To protect against spam and to prevent abuse and improper use of our online forms (e.g. by harmful bots), our website integrates Google reCAPTCHA, which for this purpose processes your data (IP address, time of visit, device and browser information, and information on the use of our website) and, on their basis, performs an analysis of your use of our website using JavaScript scripts and cookies. Personal data entered by you in the individual fields of forms on our pages are not read or stored.
Google Fonts
To ensure consistent presentation of content on our websites, the “Google Fonts” script is integrated into our site, which processes your data (IP address, time of visit, device and browser information, and information on the use of our website). We have no influence over this processing by Google.
YouTube video plugin
To integrate third-party content using the YouTube video plugin—when the video is played—Google processes the following data: IP address, time of visit, and the user’s device and browser information.
Use of Facebook services
Facebook Pixel
We use the Facebook Pixel provided by Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”). The scope of the Pixel functionalities we use is indicated below. Facebook Pixel automatically collects and stores data (your IP address, time of visit, device and browser information, and information about your use of our website, e.g. a site visit or newsletter registration). Pseudonymous user profiles are then created on the basis of these data.
As part of advanced matching in Facebook Analytics—for comparison purposes—hashed information that can identify natural persons (e.g. names, email addresses and phone numbers) is also collected and stored.
For this purpose, during your visit to our site the Facebook Pixel stores a cookie on your device which, by means of a pseudonymous cookie ID, enables your browser to be automatically recognized when visiting other websites. Facebook will combine this information with other data from your Facebook account and use it to compile reports on website activity and to provide other services related to your use of websites, in particular for personalized advertising. Information automatically collected by Facebook technologies regarding your use of our website is usually transferred to and stored on a server of Facebook, Inc., 1601 Willow Road, Menlo Park, California 94025, USA. The European Commission has not issued an adequacy decision for the USA. Our cooperation is based on the European Commission’s standard contractual clauses. Data processing takes place pursuant to Article 26 GDPR on the basis of joint arrangements between joint controllers. Where the transfer of data to the USA is our responsibility, our cooperation is based on the European Commission’s standard contractual clauses. Further information on Facebook’s data processing can be found in Facebook’s privacy policy.
Facebook Analytics
Within Facebook Analytics—based on the data collected by Facebook Pixel about your use of our site—statistics on user activity on our site are created. Data processing by Facebook takes place on the basis of a data processing agreement. The analysis of data (site usage statistics) serves to optimize and enhance our website.
Facebook Ads
Facebook Ads enables us to advertise our website on Facebook and other platforms. We set the parameters of the given advertising campaign. Facebook is responsible for the exact implementation, in particular the decision to display the given ad to specific users. Unless otherwise specified for particular functions and tools, data processing takes place on the basis of a joint controllership agreement pursuant to Article 26 GDPR. Joint responsibility is limited to the collection of data and their transfer to Facebook Ireland. It does not include subsequent processing by Facebook Ireland.
Based on statistics of user activity on our websites created using Facebook Pixel, we run targeted advertising via Facebook Custom Audience by defining the profile/characteristics of a given target group. Within the advanced matching function (see above), Facebook acts as a data processor on our behalf.
Based on the pseudonymous cookie ID stored by Facebook Pixel and information collected on user activity on our website, we create personalized advertising via Facebook Pixel Remarketing.
For web analytics and optimization of our offer—using Facebook Pixel Conversions—we analyze the activity of users who visit our website via ads displayed within Facebook Ads. Data processing by Facebook takes place on the basis of a data processing agreement.
8. Social media
Social media plugins: Facebook, Instagram, Pinterest
Our website uses so-called plugins (buttons) of social networks. The plugins are available via an HTML link, which ensures that when you visit our site containing such plugins (buttons), no automatic, direct connection to the servers of the respective social network operator is established. After clicking one of the buttons (plugins), a new window of your browser will open displaying the site of the social network concerned, where you can confirm the use of the respective button, e.g. “Like” or “Share.”
Our activity on social platforms: Facebook, Instagram, YouTube, Pinterest, LinkedIn
If you have granted consent to the respective social network (Article 6(1)(a) GDPR), when you visit our account/profile on the above social networks, your data will be automatically collected and stored for web analytics and marketing purposes. Pseudonymous user profiles are created on the basis of these data. They may be used, for example, to place personalized advertising within and outside the social networks that likely corresponds to your interests. Cookies are usually used for this purpose.
Detailed information on the processing and use of your data by the respective social networks, as well as information on your rights and privacy settings options, and contact details for inquiries are described in the privacy policies of the respective social networks linked below. If you need assistance, you can also contact us.
Facebook is a social network offered by Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Facebook Ireland”). Information automatically processed concerning your activity and use of our Facebook fan page is usually transferred to and stored on a server of Facebook, Inc., 1601 Willow Road, Menlo Park, California 94025, USA. The European Commission has not issued an adequacy decision for the USA. Our cooperation is based on the European Commission’s standard contractual clauses. Data processing in connection with visits to the Facebook fan page takes place under Article 26 GDPR on the basis of joint controllership arrangements, available here. Further information regarding the processing of your personal data in connection with visits to the Facebook fan page (information on Page Insights) is available here.
Instagram is a social network offered by Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Facebook Ireland”). Information automatically processed concerning your activity and use of our Instagram page is usually transferred to and stored on a server of Facebook, Inc., 1601 Willow Road, Menlo Park, California 94025, USA. The European Commission has not issued an adequacy decision for the USA. Our cooperation is based on the European Commission’s standard contractual clauses. Data processing in connection with visits to the Instagram fan page takes place under Article 26 GDPR on the basis of joint controllership arrangements. Further information regarding the processing of your personal data in connection with visits to the Facebook fan page (information on Page Insights) is available here.
YouTube is a social network offered by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Information automatically processed concerning your activity and use of our YouTube profile is usually transferred to and stored on a server of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The European Commission has not issued an adequacy decision for the USA. Our cooperation is based on the European Commission’s standard contractual clauses.
Pinterest is a social network offered by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (“Pinterest”). Information automatically processed concerning your activity and use of our Pinterest profile is usually transferred to and stored on a server of Pinterest, Inc., 505 Brannan St., San Francisco, CA 94107, USA. The European Commission has not issued an adequacy decision for the USA.
LinkedIn is a social network offered by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”). Information automatically processed concerning your activity and use of our LinkedIn profile is usually transferred to and stored on a server of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA. The European Commission has not issued an adequacy decision for the USA. Our cooperation is based on the European Commission’s standard contractual clauses.
9. Our contact details and your rights
Data subjects have the following rights:
- pursuant to Article 15 GDPR: the right to obtain information about data processing to the extent specified in that article;
- pursuant to Article 16 GDPR: the right to rectification of your inaccurate or incomplete personal data;
- pursuant to Article 17 GDPR: the so-called “right to be forgotten,” i.e. the right to erasure of your personal data stored by us, provided further processing is not necessary:
  - to exercise the right to freedom of expression and information;
  - to comply with a legal obligation;
  - for reasons of public interest;
  - to establish, pursue or defend legal claims;
- pursuant to Article 18 GDPR: the right to restriction of processing, where:
  - the accuracy of the personal data is contested by you;
  - the processing is unlawful and you oppose the erasure of the data;
  - we no longer need the personal data, but you need them to establish, exercise or defend legal claims;
  - you have objected to processing pursuant to Article 21;
- pursuant to Article 20 GDPR: the right to receive the data you have provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller;
- pursuant to Article 77 GDPR: the right to lodge a complaint with a supervisory authority (the President of the Personal Data Protection Office – “UODO”).
If you have questions regarding the collection, processing and use of your personal data, or if you wish to request information, rectification, restriction of processing or deletion of data, and to withdraw consents granted or to object to the use of specific data, please contact the data controller indicated at the beginning of this privacy policy.
Right to object
If we process personal data as described in this privacy policy to safeguard our legitimate interests, you may object to the processing of your data for this purpose—with effect for the future. If processing is carried out for direct marketing purposes, you may exercise the right to object at any time. If processing is carried out for other purposes, you have the right to object only on grounds relating to your particular situation.
After you exercise your right to object, we will no longer continue to process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests and rights, or where the processing serves the establishment, exercise or defense of legal claims.
The above sentence does not apply where processing is carried out for direct marketing purposes. In that case, after you object, we will always stop further processing of your personal data.
*This English version mirrors the structure and legal meaning of the original Polish document and is intended for clarity while preserving legal effect under applicable law (including the GDPR).*



