PRIVACY POLICY
Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR“), we are obliged to provide information to individuals whose personal data we process.
This notice covers the main aspects related to the processing of personal data of the Administrator’s Clients, including users of the website https://branchestore.com/ (hereinafter referred to as the “Website“) and the Branché online shop operated on the Website (hereinafter referred to as the “Online Store“).
This notice covers the main aspects related to the processing of personal data of the Administrator’s Clients, including users of the website https://branchestore.com/ (hereinafter referred to as the “Website“) and the Branché online shop operated on the Website (hereinafter referred to as the “Online Store“).
I. General Information
- The Data Controller in accordance with the GDPR is Kamila Szamot, ul. Pańska 73/104, 00-827 Warsaw, VAT ID: 527-277-98-62, REGON: 365390449, hereinafter referred to as the Administrator.
- You can contact the Administrator via email at customercare@branchestore.com
II. What Are Personal Data and What Constitutes Their Processing?
- Under the provisions of the GDPR, “personal data” refers to any information relating to an identified or identifiable natural person.
- An identifiable natural person is one who can be directly or indirectly identified, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more specific factors defining the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- The processing of personal data is understood as any operation performed on personal data, whether automated or not, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination, or otherwise making available, aligning or combining, restricting, erasing, or destroying.
- Providing personal data is, in most cases, voluntary. However, failure to provide certain data specified in the Privacy Policy will result in the inability to use the services and benefits offered by the Administrator.
III. Purposes of Personal Data Processing
- The Administrator collects and processes personal data particularly in relation to:
- Providing services electronically, including enabling account registration in the Online Store,
- Entering into and executing distance contracts,
- Sending newsletters,
- Undertaking marketing activities,
- Archiving documents containing personal data,
- Managing profiles and accounts on social media.
- Your personal data may also be processed for other purposes. In such cases, you will receive information from the Administrator in compliance with the information obligation as required by the GDPR (Articles 13 and 14 GDPR).
- Regarding certain personal data (listed below), due to the potential for claims against the Administrator concerning the services provided, the Administrator will process this data until the expiration of the limitation period for potential claims.
- The detailed purposes of personal data processing, along with the legal basis and processing period, are presented in the table below:
Lp. | Purpose of Data Processing | Legal basis | Processing Period |
1. | Managing and Maintaining a Customer Account in the Online Store | processing is necessary for the performance of a contract (i.e., an agreement for the provision of services by electronic means) to which the data subject is a party (Article 6(1)(b) of the GDPR) | throughout the period the Client’s account is maintained, until its termination or the cessation of the Administrator’s activities |
2. | Conclusion of contracts through the online store | processing is necessary for the performance of a contract (i.e., a sales agreement) to which the data subject is a party (Article 6(1)(b) of the GDPR) | for the period specified by law for the storage of documentation or for the limitation period of claims related to the concluded contract—whichever event lasts longer |
3. | Execution of concluded contracts | processing is necessary for the performance of a contract to which the data subject is a party (Article 6(1)(b) of the GDPR) | for the period specified by law for the storage of documentation or for the limitation period of claims related to the concluded contract—whichever event lasts longer |
4. | Handling complaints related to concluded contracts | the basis for processing is (i) the performance of a contract to which the data subject is a party, in relation to the responsibility for the conformity of the Goods with the contract (Article 6(1)(b) of the GDPR), as well as (ii) the pursuit of the Administrator’s legitimate interest, which is the defense against unfounded claims and ensuring high-quality customer service (Article 6(1)(f) of the GDPR) | for the period specified by law for the storage of documentation or for the limitation period of claims related to the concluded contract—whichever event lasts longer |
5. | Enabling the exercise of the right of withdrawal from the contract | Performance of a contract to which the data subject is a party, in terms of liability for the conformity of the Goods with the contract (Article 6(1)(b) of the GDPR) | For the period of document retention established by law or until the expiration of claims related to the concluded contract, whichever occurs later |
6. | Facilitating the exercise of the right to withdraw from the contract | Processing is necessary for compliance with legal obligations incumbent on the administrator, arising from tax and accounting regulations (Article 6(1)(c) of the GDPR) | For the period of tax and accounting document retention established by law regarding the concluded contract |
7. | Handling the loyalty program | Processing is necessary for the performance of a contract (i.e., an agreement for the provision of services by electronic means) to which the data subject is a party (Article 6(1)(b) of the GDPR) | For the duration of the Customer’s account until its closure or the termination of the Administrator’s operations |
8. | Monitoring customer activity on the Store’s website and conducting analyses and statistics of customer preferences | Processing is necessary for the purposes of legitimate interests pursued by the administrator, including, among others: – improving the Store’s operations; – enhancing the functionality of the services provided; – optimizing the customer service process. (Article 6(1)(f) of the GDPR) | For the duration of the Administrator’s legitimate interest, but no longer than until you object to the processing of data for the above purpose |
9. | Responding to inquiries or requests submitted via the contact form and archiving the content of such correspondence | In the course of contact, processing is necessary for the performance of a contract (i.e., an agreement for the provision of services by electronic means) to which the data subject is a party (Article 6(1)(b) of the GDPR) After the termination of cooperation, processing is necessary for the purposes of legitimate interests pursued by the administrator, namely the archiving of correspondence to demonstrate its course in the future (Article 6(1)(f) of the GDPR) | Until the Customer submits a valid objection to the processing |
10. | Sending a newsletter containing marketing content and/or commercial information | Processing is carried out based on the consent of the data subject (Article 6(1)(a) of the GDPR) | Until the consent is withdrawn or the Administrator stops sending the Newsletter |
11. | Managing the Administrator’s profiles on Facebook and Instagram | The legitimate interest of the Administrator consists of collecting data through Facebook and Instagram regarding activity on the Administrator’s profiles, data enabling anonymous analysis of user groups and interactions, and presenting information about the Administrator’s activities (in accordance with Article 6(1)(f) of the GDPR). The basis for data processing also includes the user’s consent, derived from their activity on the Administrator’s profile on Facebook or Instagram (pursuant to Article 6(1)(a) of the GDPR) | For the duration of the Administrator’s legitimate interest, but no longer than until the following actions are taken: (i) the removal of the “like” from the Administrator’s profile on Facebook and Instagram, and (ii) the deletion of all user activities on those profiles. Data processing will also cease if the user deletes their account on Facebook or Instagram, or if the Administrator removes their profiles from these platforms. However, performing these actions does not equate to the deletion of archived data related to activities on the platform |
12. | Archiving documents produced by the Administrator as part of their business activities | Processing is necessary for compliance with the legal obligations incumbent on the Administrator (Article 6(1)(c) of the GDPR). Additionally, the basis for processing is the legitimate interest of the Administrator, consisting of securing evidence to substantiate facts (Article 6(1)(f) of the GDPR) | Until a valid objection to the processing is submitted |
13. | Establishing or pursuing claims, or defending against claims or allegations | The legitimate interest of the Administrator consists of establishing or pursuing claims and defending against claims or allegations (Article 6(1)(f) of the GDPR) | Until the expiration of claims in accordance with applicable regulations |
14. | Creating records of processing activities and registries required under GDPR regulations | Processing is necessary for compliance with the legal obligations incumbent on the Administrator (Article 6(1)(c) of the GDPR in connection with Article 30(1) and (2) of the GDPR) | For the duration of the Administrator’s business operations |
- In relation to the management of the Administrator’s profiles on Facebook and Instagram, the following detailed rules apply:
- User data may be processed by the Administrator in case of any activity on the Administrator’s profile on Facebook and Instagram (including liking the profile, posting a comment, liking a post, etc.).
- Through Facebook or Instagram, the Administrator may receive personal data divided into user categories, such as: total number of visits, reactions to posts, comments, gender distribution of visitors, visit sources, information regarding clicks on specific content on the page (e.g., maps or contact information), and post reach.
- User activity on the Administrator’s profile on Facebook and Instagram is entirely voluntary, but such activity is equivalent to the processing of personal data. We have no control over the creation and display of analytics, nor can we stop the collection or processing of data for this purpose. If you wish to limit your connection with the Administrator’s profile on Facebook or Instagram, you can use the platform’s available features to unfollow or unsubscribe from the Administrator’s profile.
- Regardless of the above, Facebook and Instagram may use your data for their own purposes, particularly for market research and advertising. Cookies may be stored on your computer, which analyze your usage behavior. Other information, including data about your devices and internet connection, may be collected and linked to your account. Facebook and Instagram may create your profile even if you are not logged in or do not have a registered account on the platform. These profiles may be used to display targeted advertisements on their platforms.
- The provider of Facebook and Instagram is Meta Platforms Ireland Limited, with its registered office at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
- Details on personal data processing on Facebook are regulated in the privacy documents available at https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0 .
- Details on personal data processing on Instagram are regulated in the privacy documents available at https://help.instagram.com/196883487377501?ref=dp
- The Administrator uses Google Analytics tools (web analytics tools from Google Inc.) on the Website. The following rules apply:
- Google Analytics uses methods that allow for the analysis of your usage of the Website—such as cookies. Details of the service are available at: https://analytics.google.com/analytics/web/provision/?hl=pl#/provision
- As part of the analysis, personal data such as the IP address of the device you use to access the Website and data about your activity on the Website are processed. However, the personal data processed in this way is not saved or archived anywhere.
- According to Google’s assurances, with respect to users in the European Economic Area and Switzerland, the responsible entity is Google Ireland Limited, based in Dublin, Ireland (Gordon House, Barrow Street, Dublin 4, Ireland).
- Automatically collected information about the use of the Website may be transferred to and stored on a Google server. Google ensures that it uses data protection mechanisms compliant with European regulations. Details are available at: https://policies.google.com/privacy?hl=p
- You can prevent Google from recording data collected by cookies regarding your use of the Website (including your IP address), as well as prevent the processing of such data, by downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout?hl=pl
IV. From which sources do we obtain personal data?
- The personal data held by the Administrator comes primarily from you.
- If the data was not provided by you, it comes from the following sources:
- from the Administrator’s Clients, Contractors, and Business Partners,
- from other entities that provide your data, e.g., in correspondence,
- from publicly available sources, particularly from data posted on websites, including publicly accessible records, registers, and databases, such as CEIDG, KRS, the REGON database, the VAT register, etc.
V. Recipients of Personal Data
- The Administrator does not share your data with third parties unless it is necessary for the proper processing of personal data and the Administrator’s business operations. The data may be shared or entrusted to the following entities:
- recipients of personal data:
- banks and entities providing payment intermediary services (for the purpose of financial settlements),
- entities to which the Administrator is obligated to provide personal data under generally applicable legal provisions,
- data processors (based on agreements for the processing of personal data):
- Entities that may gain access to your personal data when providing services to the Administrator, such as hosting services, email delivery, and other electronic communication tools, as well as entities managing databases and IT systems used by the Administrator,
- entities providing accounting services to the Administrator,
- Google, due to the use of Google tools on the Website.
- recipients of personal data:
- The Administrator may transfer your personal data to third countries only when using IT systems provided by entities based outside the European Union and the European Economic Area (EEA), or when required by generally applicable EU or national legal regulations.
VI. Rights Related to Data Processing by the Administrator
- The GDPR grants you the following rights concerning the processing of personal data:
- the right to request access to your personal data,
- the right to request rectification of your personal data,
- the right to request the erasure of personal data (the right to be forgotten),
- the right to request the restriction of processing,
- the right to data portability,
- the right to object to the processing of personal data,
- If the processing is based on consent, you have the right to withdraw your consent at any time, without providing a reason, in any form, particularly by sending an email to the Data Administrator. The withdrawal of consent does not affect the lawfulness of processing carried out based on the consent before its withdrawal.
- You also have the right to lodge a complaint with the President of the Office for Personal Data Protection if you believe that the Administrator’s processing of your data violates legal regulations.
- Not all the rights mentioned in section 1 will apply to every case of processing. This depends on the type of processing and its legal basis.
- The Administrator may make decisions in an automated manner, including using profiling; however, this will not have any legal effects on you or significantly impact your situation in a similar way.
VII. Final Provisions
In the event of changes to the Privacy Policy, the Administrator will inform you on the Website and fulfill the information obligation to the appropriate extent.