Privacy policy of BALAGAN online store (including Article 13 GDPR)

1. General information

1.1. This Online Store privacy policy (hereinafter referred to as the “Policy”) is informative only, meaning that it is not a source of obligations for the Customers of the Online Store and it is not a contract nor terms and conditions.

1.2. Any words, expressions and abbreviations appearing on this website and beginning with a capital latter (e.g. Seller, Online Store, Electronic Services) should be understood in accordance with the definition laid down in the Online Store’s Terms and Conditions available at the following address: https://balaganstudio.com/pl/.

1.3. Should there be any doubts or discrepancies between the Policy and the consents granted by a given person, irrespectively of the provisions of the Policy, the voluntarily given consents or the provisions of law shall always be the basis for the Controller’s actions or for the determination of the scope of actions by the Controller. 

2. Personal Data Controller

2.1. In line with our obligation resulting from Article 13 of the general Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of personal data (GDPR) we hereby inform that the Controller of the personal data collected is BALAGAN sp. z o. o (limited liability company) with its registered office in Warsaw, ul. Kielecka 1/1, 02-504 Warsaw, Poland, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under numbers: National Court Register number (KRS): 0000782251, Tax payer identification number (NIP): 5213863874, hereinafter referred to as the “Controller”.

2.2. You can contact the Controller in the cases concerning personal data protection and exercise of your rights by e-mail at the address: [email protected] or by sending mail to the address of the registered office of the Online Store or Controller’s mailing address: ul. Kielecka 1 m. 1, 02-504 Warszawa, where the Online Store operates. The above contact details might be used as well to contact the data protection officer.

2.3. In the case of additional consent, our trusted partners will also be the controllers of the data obtained on the basis of your online activity using the technologies such as cookies.

3. Purpose and legal basis of personal data processing 

3.1. The Controller may process the following personal data

a) Personal Data provided in the form of registration of an Account or while placing an order in the Online Store (in particular, name and surname; e-mail address; contact phone number; address [street name and number, apartment number, postal code, town, country], address of the place of residence/business/registered office [if different than the delivery address], bank account number, and, in the case of Customers who are not consumers, also the business name and tax identification number [NIP] and other data collected during the use of the Online Store;

b) Personal Data submitted in the contact form or provided while filing a complaint;

c) Other data, in particular, data obtained on the basis of the Customer's activity on the Internet or in mobile applications, including the data obtained through the Online Store or other channels of communication with the Customer, using cookies or similar technologies. 

3.2. Personal Data are processed for the purpose of:

a) conclusion and performance of the Contract for the Provision of Services (Account) or taking actions requested by the future Customer prior to such conclusion (we process your data in order to maintain your Account so that you can enjoy the benefits it offers, such as ordering without the need to fill in the forms every single time, access to your shopping history, management of your consents in the service, etc., and to enable you to use other services available on our website); legal basis: Article 6(1)(b) GDPR (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps on the request of the data subject prior to entering into a contract);

b) conclusion and performance of the Sale Contract or taking actions requested by the future Customer prior to such conclusion (we need your data to complete your order and perform the concluded contract, in particular, to confirm that the order has been placed and a reservation has been made or that the selected Goods have been shipped, as well as to contact you with that regard); legal basis: Article 6(1)(b) GDPR (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps on the request of the data subject prior to entering into a contract);

c) receiving and handling complaints; legal basis: Article 6(1)(c) GDPR ( processing is necessary for compliance with a legal obligation to which the controller is subject);

d) presenting advertisements, offers or promotions (discounts) relating to the goods or services of the Controller or its partners (the updated list of the partners is available in the Online Store) that are dedicated to all recipients; legal basis: Article 6(1)(a) GDPR (the data subject has given consent to the processing of his or her personal data for one or more specific purposes);

e) assessment and analysis of the Customer’s activity and information about the Customer, including within the automated processing of the Personal Data (profiling), for the purpose of presenting general advertisements, offers or promotions (discounts) relating to the goods or services of the Controller or its partners in a manner customized to that Customer’s interests (however, without significantly affecting the Customer’s decisions), as well as market and statistical analyses; legal basis: Article 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interest pursued by the controller);

f) exercise and defence of claims, including third party claims – in the case of using most of the Online Store’s functionality; legal basis: Article 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interest pursued by the controller);

g) fulfilment of legal obligations resulting from the provisions of law, e.g. tax and accounting regulations, especially in the case of contracts against payment; legal basis: Article 6(1)(c) GDPR (e.g. issuance and storage of accounting documents, replying to enquiries, fulfilment of obligations resulting from the rights of data subjects, collaboration with state administration bodies);

h) conducting correspondence with Customers, including replying to the Customers’ enquiries; legal basis: Article 6(1)(a) GDPR (the data subject has given consent to the processing of his or her personal data for one or more specific purposes);

i) in the case of an adult Customer, upon such Customer’s additional consent, the Personal Data may be also processed for the purpose of presenting, creating, awarding and executing advertisements, offers or promotions (discounts) dedicated to that Customer and relating to the goods or services of the Controller or its partners, that are to the maximum possible extent customized to the Customer’s preferences (profiling), as a result of automated decision-making, which could cause legal consequences for the Customer or significantly affect the Customer, e.g. through a short-term discount dedicated only for the Customer for specific Goods that the Customer has recently viewed in our store; legal basis: Article 6(1)(a) GDPR (the data subject has given consent to the processing of his or her personal data for one or more specific purposes).

3.3. The Controller defines the following categories of personal data recipients:

a) personal data may be transferred to entities supporting Controller’s business processes, e.g. entities providing postal or courier services, accounting, tax or legal services;

a) in the cases described in separate legal provisions and in line with the manner defined in those provisions personal data may be transferred to authorised state administration bodies;

b) personal data may be processed with the use of external and internal IT infrastructure, including being processed by hosting services providers as well as transferred to entities administering Controller’s communication and informatics systems or entities providing IT tools that meet GDPR requirements on systems’ security.

3.4. The Controller declares that each case of personal data disclosure or transfer for the purpose of data processing is conducted on the basis of consent given by the data subject, data processing agreement or legal obligation.

3.5. The personal data shall be stored for the duration necessary to fulfil the purposes of its collection, however, no longer than 6 years from the termination date of the Contract (in accordance with Article 118 of the Civil Code).

4. The right to update, change, remove and access personal data

4.1. In connection with the processing of your personal data by the Controller you have a right to:

- demand access to personal data;
- demand correction of personal data;
- demand removal or restriction of processing of personal data;
- transfer personal data (processed under the Contract);
- oppose processing of personal data in the cases determined in Article 21 GDPR;
- lodge a complaint with  the President of the Office of Personal Data Protection.

5. Transfer of Personal Data outside the European Economic Area (EEA)

5.1. For the purposes of the Controller’s use of support tools for the current activity provided e.g. by Google, the Personal Data of the Customer may be transferred to countries outside the European Economic Area, in particular to the United States of America (USA), Israel or another country where the cooperating entity receives the tools for the processing of Personal Data with the cooperation of the Controller.

5.2. Proper protection of the Personal Data transferred has been ensured by the Controller by means of applying the standard data protection clauses adopted by the European Commission decision and contracts of entrusting the data to be processed in compliance with the GDPR requirements. In the event of transferring the data from Europe to the USA, some entities located there may additionally ensure a proper level of data protection under the so-called Privacy Shield (more information on this matter is available at: https://www.privacyshield.gov/).

5.3. The Customer has the right to obtain a copy of the security measures applied by the Controller in relation to the transfer of Personal Data to third countries by contacting us.

6. Voluntary provision of Personal Data

6.1. The submission of Personal Data by the Customer in the Online Store is voluntary, however, it is necessary for the use of particular functionality of store, for example, to place an Order and account for it (conclusion and performance of a Sale Contract) or register an Account (conclusion and performance of a Contract for the Provision of Services) or use our forms.

Each time, the scope of data required for the conclusion of a given contract shall be specified in the Online Store (we indicate the data the provision of which is necessary in order to conclude the contract/ use a particular functionality) through other channels of communication with the Customer or in the Terms and Conditions. Non-provision of Personal Data may result in the lack of possibility to complete the above-mentioned actions.

7. Profiling

7.1 For the purposes of presenting general advertisements, offers or promotions (discounts) dedicated to all Customers in a manner customized to the preferences of a given Customer, the Controller may obtain information about such preferences, e.g. by analysing how frequently the Customer visits the Online Store. It allows for a better understanding of the Customer’s expectations and customizing to the Customer’s needs, however, without affecting the Customer’s decisions to a significant extent. Thanks to the Controller’s use of advanced technologies, the above actions will be frequently performed by the system in an automated manner, allowing for the contents to be more recent and for the Customer to see it sooner.

7.2. In the case of adult Customers, the above-mentioned analysis of interests or preferences will also serve the purpose of creating, awarding, executing of dedicated and to the maximum possible extent customized advertisements, offers or promotions (discounts) in an automated manner, which could cause legal consequences for the Customer or significantly affect the Customer, potentially limiting the access thereto by other Customers (the option shall not be available to Customers who are not of legal age and have not given their consent to such actions taken by the Controller). Our actions are different from the regular “profiling” (e.g. customizing our messages and banners to your interests) in the way that the result thereof can significantly affect your choices as a consumer, e.g. the result thereof could be a very beneficial time-limited offer dedicated only to you on the basis of your shopping history and activity on our website, whereas other Customers of ours will not have access to such offer. The more frequently the given Customer uses the services of the Controller and purchases Goods from the Controller, the better the special offers and surprises could be prepared for the Customer.

8. Cookie policy

8.1. Who is concerned by cookies?

Due to the fact that the cookie technology applied by the Controller (or a technology of a similar func-tionality) collects information about each person visiting the Online Store, the below provisions of the Policy shall apply to the persons using the Online Store regardless of whether they become the Online Store’s Customers or not (whether they place Orders, make reservations of Goods or have an Account), (hereinafter also the “Visitors”).

8.2. What technology do we use?

The Online Store uses the technology storing and obtaining access to the information on the com-puter or other device connected to the network (in particular, using cookies or similar solutions) for the purpose of ensuring maximum comfort during the use of the Online Store, including statistical purposes and purposes concerning customization of the presented marketing contents of the Con-troller, its partners and advertisers, to the Visitor’s interests. During a visit in the Online Store, data concerning the Visitor’s activity online may be collected automatically.

Due to the fact that the Controller may use solutions of a functionality similar to that of cookies, the below provisions of the Policy shall be applied to those solutions respectively. 

8.3. What are ”cookies”?

Cookies are short text files sent by the server and saved on the device of the Visitor (usually on the hard drive of the computer or on a mobile device). They store information that the Online Store might need in order to adjust to the methods of use of the Online Store by the Visitor and to collect statisti-cal data concerning the Online Store (e.g. what websites have been visited, what elements have been downloaded) and data concerning the domain name of the internet service provider or country of origin of the Visitor.

8.4. Do cookies collect your personal data?

If the Visitor uses the Online Store, the Online Store uses cookies enabling identification of the Visi-tor's browser or device – the cookies collect information of various types that, as a rule, does not constitute personal data (it does not enable identification of the Visitor). Some information, depend-ing on the contents and method of use thereof, may be still associated with a specific person – through attributing certain behaviour to a specific Visitor, e.g. through the linking of such behaviour to the data provided at the registration of an Account in the Online Store – and therefore, may be con-sidered to be personal data.

With regard to the information collected by cookies that may be attributed to a specific person, the provisions of the Policy concerning Personal Data, in particular, concerning the rights of data sub-jects, shall apply. The information concerning the data collected by cookies can be also found, inter alia, in the information clause placed in a visible and easily accessible place during the first visit to the Online Store. 

8.5. On what legal basis do we use cookies?

Obtaining and storing the information using cookies is possible upon the consent given by the Visitor. Typically, Internet browsers or other software installed on the computer or other device connected to the network, by default, allow saving of cookies on that device, therefore, collection of information about the Visitors. The consent to the use of cookies, including the use thereof by our partners, may be modified or withdrawn at any time (although some parts of the Store may cease to work correctly in such event) in the settings of the Internet browser or in the privacy policy management on our website. Withdrawal of the consent shall not affect the lawfulness of the processing completed on the basis of the consent prior to the withdrawal (detailed information concerning the manner of with-drawal is presented in the subsequent items of this Policy). The basis of processing of the data ob-tained in such manner is the legitimate interest of the Controller which is to ensure the highest quality of the contents presented by the Controller and customization thereof to the Visitor’s preferences as well as marketing - including direct marketing - of the goods and services of the Controller or its part-ners, whereas in such event, the partners shall not participate in the processing of the Customer’s data. On the other hand, to the extent in which the Controller's partners may have direct access to such information - the legal basis of such processing shall be voluntary consent given by the Cus-tomer.

8.6. What do we use cookies for?

The use of cookies is aimed at, above all, making the visiting of the Online Store easier for the Visi-tor, for example, by “remembering” the once provided information so that the Visitor does not have to provide it every single time, as well as at customizing the contents, including the advertisements pre-sented, to the Visitor’s preferences. Cookies serve also the purpose of increasing the usability and customization of the contents of the Online Store, including presenting, creating, awarding and exe-cuting advertisements, offers or promotions (discounts) dedicated to a given Visitor in accordance with the Visitor’s interests (it concerns only the case where the Visitor is of legal age and has given consent to such action).

The cookie technology applied by the Online Store allows for the Controller to learn information about the preferences of the Visitor - e.g. through analysing how frequently the Visitor visits the Online Store. Analysis of online activity helps in better understanding of habits and expectations of Visitors and in customization to their needs and interests. This technology makes it possible to pre-sent Visitors the advertisements customized to their needs and interests and to prepare better spe-cial offers and surprises for the adult Visitors who have agreed thereto.

On the basis of cookies, the Controller uses also the technology allowing for reaching the Visitors who have visited the Online Store before with marketing content during their use of other websites.

8.7. Can you oppose the use of information coming from cookies?

The Visitor may oppose the actions of the Controller taken for the purpose described above. If the Visitor has given consent to, inter alia, presenting, creating, receiving and executing dedicated ad-vertisements, offers or promotions (discounts) customized to the Visitor's preferences, such consent may be withdrawn at any time, however, it shall not affect the legality of the processing performed before the withdrawal of the consent. 

8.8. What type of cookies do we use and are they harmful?

The cookies used by the Online Store are not harmful either for the Visitor or for the computer/end device used by the Visitor, therefore, we recommend that you do not disable them in your browsers. The Online Store uses two types of cookies: session cookies, that are saved on the computer or mo-bile device of the Visitor until the moment of logging out of the website or disabling the software (In-ternet browser), and permanent cookies, that remain in the Visitor’s device for the period specified in the cookie parameters or until they have been manually deleted in the browser.

8.9. For how long will we keep the information collected by cookies?

Depending mostly on the purposes and legal basis of the processing of Personal Data collected by cookies, they may be stored for the period specified in the Policy.

The Personal Data concerning a Visitor who is not a Customer that have been collected by cookies shall be stored until such person opposes thereto. The Controller may remove the Personal Data if they have not been used for marketing purposes for 3 years, unless the law requires the Controller to process the Personal Data for a longer time.

A part of the Personal Data may be stored longer in case the Visitor brings any claims against the Controller or for the purposes of exercise or defence of legal claims (including third party claims) by the Controller in the period of limitation of the claims as specified by the law, in particular, the Civil Code.

In each case, the longer period of storing of the Personal Data shall prevail.

8.10. Third party cookies

The cookies used by the Controller serve mostly the purpose of optimizing the service of the Visitor during the visiting of the Online Store. However, the Controller cooperates with other companies in the scope of the marketing (advertising) activity conducted. For the purposes of the cooperation, the browser or other software installed on the Visitor’s device shall also save cookies from entities con-ducting such marketing activity who may become the Controller of the Customer’s personal data. The cookies sent by such entities shall ensure that the Visitor is presented only with the advertise-ments that are in line with the Visitor’s individual interests and needs. In the view of the Controller, displaying a customized advertisement is more attractive for the Visitor than an advertisement that is unrelated to the Visitor’s needs. It would be impossible without cookies because it is the companies cooperating with the Controller who provide the advertising content to the Visitors. 

8.11. How to delete or block cookies?

The Visitor may change the method of using cookies by managing the consents given in the privacy settings on our website or in the browser, and the Visitor may block or delete the cookies from the Online Store (and other websites). For this purpose the browser settings should be changed. The method for deleting cookies varies depending on the browser used. The information on how to delete cookies should be found in the tab “Help” of a given browser. Deleting cookies does not mean delet-ing the Personal Data by the Controller of the Personal Data obtained through the cookies.

For example, in Internet Explorer cookies can be modified in the following settings: Tools → Internet options → Privacy; in Mozilla Firefox: Tools → Options → Privacy; whereas in Google Chrome: Set-tings → Show advanced settings  → Privacy → Content settings → Cookie files. The access paths may differ depending on the version of the browser.

Detailed information on the management of cookies on a mobile phone or another mobile device may be found in the user manual/ operating manual of the given phone or mobile device.

It is also possible to block third party cookies and, at the same time, accept the cookies used directly by the Controller (the option: “block third party cookies”).

8.12. What are the consequences of deleting or blocking cookies?

Limitation of the use of cookies on a given device makes it impossible or more difficult to use the Online Store correctly, for example, it may cause the lack of possibility to stay logged in.

9. General information

9.1. How to contact us?

You can contact the Controller at any time by sending a message by traditional mail or e-mail to the Controller’s address specified in the introduction of this Policy or by phone to the phone number specified in the introduction of this policy.

The Controller stores the correspondence for statistical purposes and to ensure the best and fastest reaction to the appearing questions, as well as in the scope of complaint handling and any potential decisions concerning administrative interventions in a given Account taken on the basis of reports. The addresses and data collected in this manner shall not be used for communication in other pur-poses than execution of the report.

In the event of contacting the Controller for the purpose of particular actions (e.g. lodging a complaint through a form), the Controller may once again request the person to transfer the data, including personal data, e.g. given name, surname, e-mail address, etc., for the purpose of confirming the identity of that person and enabling a return contact in the given matter, as well as completion of the action in question. It is not mandatory to transfer such data, but it may be necessary for the comple-tion of the actions or obtaining the information desired by that person.

9.2. How do we safeguard your data?

Taking into consideration the current state of technical knowledge, cost of implementation and the nature, scope, context and purposes of the processing and the risk of infringement of rights or free-dom of natural persons, with different levels of probability and significance of threat, the Controller shall take technical and organizational measures ensuring protection of the processing of Personal Data that are appropriate for the threats and the category of data covered with the protection, in par-ticular, the Controller shall ensure protection of the data from access by unauthorized persons, col-lection by unauthorized persons, processing contrary to the applicable regulations and from change, loss, damage or destruction. Disclosure of the information about the technical and organizational measures ensuring protection of the processing of data to the public can impair the effectiveness of the protection, hence, jeopardize the proper protection of the Personal Data.

The Controller shall provide, for example, the following appropriate technical measures preventing the Personal Data sent electronically from being obtained and modified by unauthorized persons:

1. Protecting the filing systems from unauthorized access.
2. SSL Certificates on the Online Store’s websites, on which the Personal Data are being pro-vided.
3. Encrypting of data for the purpose of authorization of the person using the Online Store’s functionality.
4. Access to the Account only after entering the individual login and password.
5. Links to other websites.

The Online Store may contain links to other websites. The Controller recommends reading the terms and conditions and privacy policies of other websites. This Policy concerns only the specified actions of the Controller.

9.3. Can this policy be changed and how are you going to find out about it?

The Controller may amend the Policy in the future, inter alia, for the following important reasons:
1. in the event of a change of applicable regulations, in particular, in the scope of Personal Data protection, telecommunication law, electronically supplied services, and regulations concern-ing consumer rights, affecting the Controller’s rights and obligations or the data subject’s rights and obligations;

2. development of the functionality or of the Electronic Services dictated by the progress in In-ternet technology, including application/implementation of new technological or technical so-lutions affecting the scope of the Policy;

3. Each time, the Controller shall post the information about the changes to the Policy on the websites of the Online Store. Together with each change, the new version of the Policy shall be published with the new date.

10. Since when is this version of the Policy binding?

This version of the Policy has been binding since 29.03.2023.