Privacy Policy

PRIVACY POLICY

WEBSITE RUN BY 

 HAIRMATE LIMITED LIABILITY COMPANY

§ 1 GENERAL PROVISIONS

  • We respect and protect the privacy and security of users of our website (" Users "). This privacy policy (" Privacy Policy ") applies to data provided to us via the website: https://hairmate.pl (" Website "). In the Privacy Policy, we describe what information we collect in connection with the provision of electronic services (" Services " or " Service "), as well as for what purpose and how it is used.
  • When collecting and processing personal data, the following data processing principles are applied: lawfulness, reliability and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality.
  • The controller of personal data collected via the Website is Hairmate Spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw, at ul. Ludwika Rydygiera 16 lok. U1, 01-793 Warsaw, entered into the register of entrepreneurs by the District Court for the capital city of Warsaw in Warsaw, 12th Commercial Division of the National Court Register under the number 0000785206, NIP 5272892831, REGON 383312665, share capital PLN 15,000.00, e-mail address: salon@hairmate.pl – hereinafter referred to as the “ Controller ” and being at the same time the Service Provider of the Website.
  • The term " data processing " used in the Privacy Policy refers to information provided voluntarily by Users, as well as information collected automatically (via so-called " cookies "), and includes all operations on personal data, in particular: collecting, recording, storing, developing, changing, sharing and deleting, performed in connection with the provision of the Website and Services. The primary purpose of data processing is to optimize the functionality of the Website and Services so that Users can use them in the simplest and most effective way.
  • The term " personal data " means any information that identifies or enables the identification of a natural person, such as name, surname, e-mail address, telephone number, IP address, or other online identifiers collected via cookies or other similar technologies.

§ 2 DATA PROCESSING

  • In connection with the use of the Service, the Administrator collects personal data of Users to the extent necessary to provide the Services offered within the Service, and also collects information about the activity of Users on the Service. Personal data on the Service are processed by the Administrator in accordance with applicable legal regulations, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as " GDPR ".
  • The Administrator processes the following categories of personal data:
  • for registering your account on the Website: name and surname, e-mail address.
  • for your use and management of your account on the Website: name and surname, telephone number, e-mail address, gender, address data (street, building number, apartment number, postal code, city, country), Tax Identification Number (in the case of issuing an invoice).
  • to receive information (newsletter) about promotional activities, special offers, discount coupons: e-mail address, telephone number, date of birth.
  • for the implementation of sales agreements concluded by you and registered on the Website: name and surname, e-mail address, telephone number, address data (street, building number, apartment number, postal code, town, country), Tax Identification Number (in the case of issuing an invoice), data regarding purchases on the Website.
  • for the performance of contracts concluded without your registration on the Website: name and surname, e-mail address, telephone number, address data (street, building number, apartment number, postal code, town, country), Tax Identification Number (in the case of issuing an invoice).
  • to be notified about the availability of the products you indicated: e-mail address.
  • to enable the settlement of your funds for the returned goods: name, surname, bank account number.
  • to enable contact with us: first name, last name, order number, contact details (mailing address including street, building number, apartment number, postal code, city, country, e-mail address, telephone number).
  • Data is processed for the following purposes:
  • concluding and performing a sales agreement in the scope of, among others, product presentation, transaction handling, payment settlement, product shipment, complaints, withdrawal from the agreement, product return, and also providing other services electronically, including making the content collected on the Website available to Users, including messages, newsletters or other direct communication, as well as  analysing the activity and information collected as part of maintaining the account, purchases made on the Website, including in particular information on returns and presenting available payment methods – in such case the legal basis for processing is the necessity of processing to perform the contract (Article 6, paragraph 1, letter b) of the GDPR). On the same basis, the Administrator also provides Users with a contact form, which allows them to ask the Administrator a question. Using the form requires providing personal data necessary for the Administrator to contact the User and answer the submitted question;
  • analytical and statistical – in this case the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f) of the GDPR), consisting in conducting analyses of Users’ activities, as well as their preferences, in order to improve the functionalities used and the Services provided, as well as to build forecasts regarding online purchases, promoting own products;
  • ensuring the security of IT systems, developing and verifying software solutions, including those enabling the resolution of problems reported by Users - in such case the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f) of the GDPR), consisting in the development of technology necessary for the proper operation of the Website;
  • any determination, pursuit or defence against claims – the legal basis for processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) consisting in the protection of its rights;
  • sending marketing messages – the legal basis is the legitimate interest as the Controller (Article 6, paragraph 1, letter f) of the GDPR) in connection with the consent given to receive such content via a specific channel (by phone or e-mail);
  • performance of obligations arising from the provisions on accounting, taxes and other obligations resulting from applicable regulations (Article 6, paragraph 1, letter c of the GDPR).
  • Using the Service, including concluding agreements for the provision of Services, is voluntary, as is providing personal data by the User using the Service. However, in the case of concluding agreements for the provision of Services with the Administrator, failure to provide personal data necessary for concluding and performing an agreement for the provision of Services with the Administrator in the cases and to the extent indicated on the Service results in the impossibility of concluding and performing that agreement.
  • Taking into account the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of natural persons with varying probability and severity of threat, the Controller implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the law and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Controller applies technical measures to prevent unauthorized persons from obtaining and modifying personal data sent electronically.
  • The Administrator informs that it processes personal data of Users visiting the Administrator's profiles maintained in social media (e.g. Facebook, Instagram, YouTube, TikTok). The personal data provided by Users - as part of the Administrator's profile - are processed for the purpose of providing the User with information about the Administrator's activity within this profile (the basis is the performance of the contract, art. 6 sec. 1 letter b) of the GDPR), as well as for the purpose of promoting its own services and products (the basis is the legitimate interest of the Administrator, art. 6 sec. 1 letter f) of the GDPR).

§ 3 COOKIES ON THE WEBSITE

  • The website uses cookies and similar technologies. Cookies are small text information in the form of text files, sent by the server and saved on the User's side (e.g. on a computer, laptop, tablet, phone - depending on the device the User uses).
  • The Administrator may process data contained in cookies when visitors use the Website for the following purposes:
  • to display content and improve the quality of the Services,
  • for analytical and statistical purposes.
  • Through the default settings of your web browser, the User consents to the installation of cookies on their devices. You can withdraw your consent to the installation of cookies at any time by changing the settings in your browser.

§ 4 PERSONAL DATA PROCESSING PERIOD

  • Personal data is stored no longer than required to achieve the purposes for which it was collected. However, legal regulations may require the Administrator to store it longer. Personal data is processed for the following periods of time:
  • the validity period of the agreement concluded with the Administrator, including the period of existence of the account on the Website;
  • until the User withdraws his/her consent (when personal data are processed based on the User’s consent) – in the case of the Newsletter service;
  • considering the matter addressed to the Administrator by the User - 2 years from each contact ;
  • until an effective objection is raised (when personal data are processed based on a legitimate interest) – in the case of direct promotion of the Administrator’s products;
  • indicated in legal regulations when these regulations impose an obligation to process personal data - for a period of 5 years from the end of the tax year in which our tax obligation arose (for transaction data);
  • until the expiry of the period related to a given claim arising from legal provisions - pursuing claims or defending against claims (e.g. complaints);
  • The Administrator also informs that the above-mentioned period of personal data processing may be extended by the limitation period of claims, if the processing of personal data is necessary to establish, pursue, or defend against claims. After this period, the data will be processed only to the extent and for the time required by law. After the processing period has elapsed, personal data are irreversibly deleted or anonymized.

§ 5 DATA RECIPIENTS ON THE WEBSITE

  • The Administrator ensures that it does not transfer personal data to unauthorized entities. As a rule, the Administrator does not provide personal data without the User's consent. However, bearing in mind that when providing services within the Service, the Administrator uses subcontractors, i.e. external entities (indicated in section 4 below), personal data are entrusted to the Administrator's subcontractors if the entrustment is an element of the service performed for the User. Data may be made available to third parties if the law obliges the Administrator to provide such personal data (e.g. law enforcement authorities).
  • The Administrator only uses the services of processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects.
  • The Controller does not transfer data in every case and not to all recipients or categories of recipients indicated in the Privacy Policy – ​​the Controller transfers data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve it.
  • The personal data of Website Users may be transferred to the following recipients or categories of recipients:
  • service providers supplying the Administrator with technical, IT and organizational solutions enabling the Administrator to conduct business activities, including the Website and the Services provided via it (in particular suppliers of computer software for running the Website, e-mail and hosting providers);
  • providers of accounting and consulting services;
  • courier companies that will deliver the ordered products;
  • in case of payment via the system ... data may be transferred to ... to the extent necessary to process payment for the order
  • Provided that the User obtains the appropriate consent, his or her personal data may also be made available to other entities for their own purposes, including marketing purposes.

§ 6 TECHNOLOGIES USED ON THE WEBSITE

The Administrator collects information regarding system logs, i.e. information regarding the device and login, also containing the date, time of the visit and the IP number of the device from which the connection was made, as well as data regarding the Service's viewing statistics and traffic to and from the site. The Administrator and the Administrator's partners use the following tools and solutions for analytical and marketing purposes:

  • Google Analytics cookies are files used by Google to analyze how the User uses the Service, to create website statistics and reports on the operation of the Service. Cookies make advertising campaigns more effective. Their use makes it easier for advertisers to reach recipients, as well as to determine the number of ads displayed and the number of people who clicked on them. Google does not use the collected data to identify the User, nor does it combine this information to enable identification. Detailed information on the scope and principles of data collection in connection with this service can be found at the link: https://www.google.com/intl/pl/policies/privacy/partners. 
  • Google AdWords is a tool that allows you to display sponsored links in the Google search engine results and on websites cooperating in the Google AdSense program, which allows you to measure the effectiveness of advertising campaigns carried out by the Administrator. Information on data processing by Google within the scope of the above service is available at the link: 

https://policies.google.com/technologies/ads?hl=pl. 

  • Facebook Pixels are a unique piece of code attached to your Facebook advertising account used to measure the effectiveness of advertising campaigns implemented by the Administrator on Facebook. The tool allows for advanced data analytics to optimize the Administrator's activities also using other tools offered by Facebook. Detailed information on data processing by Facebook can be found at this link: 

https://pl-pl.facebook.com/help/443357099140264?helpref=about_content. 

  • The Service uses social media plugins (Facebook, Instagram). Social plugins enable sharing activities on other sites with friends. They allow the User to share content published on the Service on a selected social media portal. The use of plugins on the Service causes the given social media portal to receive information about the User's use of the Service and may assign it to the User's profile created on the given social media portal. Detailed information on this subject can be found at https://www.facebook.com/policy.php. 

§ 6 DATA TRANSFER OUTSIDE THE EEA

  • In principle, the Administrator processes personal data within the European Economic Area (hereinafter: EEA). The Administrator transfers personal data outside the EEA only when necessary and with an appropriate (i.e. in accordance with legal regulations) level of protection in this respect. The Administrator always informs about the intention to transfer personal data outside the EEA at the stage of their collection.
  • Personal data are not transferred to international organizations.

§ 7 RIGHTS OF USERS WHOSE DATA IS PROCESSED

  • The User has the right to request access to the content of the data and its rectification, deletion, restriction of processing for a specified period or within a specified scope, as well as the right to transfer personal data. Within the scope of these rights, the User may independently delete the User's account in the "..." tab, change or delete the data included in this account, as well as send a request to the Administrator to perform the above. In addition, the User may request the transfer of the data held to another entity via the contact form, providing the name and address of the entity to which we are to transfer the data and its scope. The transfer will take place in electronic form after the request is confirmed and the Administrator has made sure that the request comes from the User.
  • The user has the right to information about the scope of personal data processed.
  • The User has the right to object to the processing of his or her data based on the legally justified interest of the administrator or the performance of a task carried out in the public interest.
  • The User has the right to withdraw consent to receiving the Newsletter.
  • The User also has the right to lodge a complaint with the supervisory authority responsible for the protection of personal data if he or she considers that the processing of personal data by the Administrator violates the provisions of the GDPR.
  • The User's exercise of the rights is limited when the obligation to store data on completed transactions results from the provisions of tax law or in order to protect the interests of the Administrator, e.g.  resulting from the complaint process or withdrawal from the contract. In such a case, deletion of data does not result in cessation of their processing by the Administrator in the indicated scope.

§ 8 FINAL PROVISIONS

  • Contact with the Administrator is possible using the data indicated in the first paragraph of this Privacy Policy.
  • The Privacy Policy is regularly reviewed and, if necessary, updated.
  • The current version of the Privacy Policy is effective from August 15, 2024.