privacy policy

I. Personal data administrator

1. The controller of personal data within the meaning of art. 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) is ala Limited company with its registered office in Ciechanów at ul. Sosnowa 11, 06-400 Ciechanów, entered into the Register of Entrepreneurs of the National Court Register by the District Court for the Capital City of Warsaw in Warsaw, XIV Economic Department of the National Court Register under the number KRS 0000522027, NIP: 5272725582, REGON: 147426080, share capital 2.000.000 PLN

2. Data controller’s e-mail address: contact@alanaturalbeauty.com.

3. Controller in accordance with art. 32 section 1 of the GDPR observes the principle of personal data protection and applies appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data processed in connection with the business.

4. Provision of the personal data by the customer is voluntary, but necessary to conclude a contract with the data controller.

5. The data controller processes personal data only to the extent necessary to perform the contract or provide services to the data subject.

II. Purpose and basics of personal data processing

1. The controller processes personal data for the following purposes:

  • preparation of a commercial offer in response to customer interest, which is the legitimate interest of the data controller (Article 6 (1) (f) of the GDPR);
  • conclusion and implementation of sales contracts with customers, by virtue of the concluded contract (art.6 par.1 lit.b RODO);
  • providing services electronically via the Online Store, by virtue of the concluded contract (art.6 par.1 lit.b RODO);
  • handling the complaint process, by virtue of the obligation imposed on the data controller by the applicable law (Article 6 (1) (c) of the GDPR);
  • accounting related to the issuance and receipt of settlement documents, in accordance with tax law, including the Act of 29.09.1994 on accounting and the Act of 11.03.2004 on tax on goods and services (art.6 par.1 lit.c RODO);
  • archiving data for possible determination, investigation or defense against claims or for the purpose of proving facts, which is the legitimate interest of the data controller (Article 6 paragraph 1 point f of the GDPR);
  • contact by phone or via e-mail, in particular in response to inquiries addressed to the data controller, which is the legitimate interest of the data controller (Article 6 (1) (f) of the GDPR);
  • sending technical information regarding the functioning of the Online Store and services used by the customer, which is the legitimate interest of the data administrator (Article 6 paragraph 1 point f of the GDPR);
  • marketing of the data controller’s own products, which is his legitimate interest (art.6 par.1 lit.f RODO) or takes place by virtue of previously granted consent (art.6 par.1 lit.a RODO).

III. Data recipients. Transfer of data to third countries

1. The recipients of personal data processed by the data administrator may be entities cooperating with the data administrator when it is necessary to perform the contract concluded with the data subject.

2. The recipients of personal data processed by the data controller may also be subcontractors – entities whose services the data controller uses for data processing, e.g. accounting offices, law firms, entities providing IT services (including hosting services).

3. The data controller may be required to provide personal data by virtue of applicable law, in particular to provide personal data to relevant state bodies or institutions.

4. Personal data will not be transferred to an entity established outside the European Economic Area.

IV. Period of storage of personal data

1. The data controller stores personal data for the duration of the contract concluded with the data subject and after its termination for the purposes of pursuing claims related to the contract, performance of obligations under applicable law, but for no longer than the limitation period in accordance with the provisions of the Civil Code.

2. The data controller stores personal data on the settlement documents for a period of time indicated by the provisions of the Act on tax on goods and services and the Accounting Act.

3. The data controller stores personal data processed for marketing purposes for a period of 10 years, but no longer than until the consent to data processing is withdrawn or an objection to data processing is raised.

4. The data controller stores personal data for purposes other than those indicated in paragraph 1-3 for a period of 3 years, unless the consent for data processing has been withdrawn earlier, and the data processing cannot be continued on a basis other than the consent of the data subject.

V. Rights of the data subject

1. Every data subject has the right to:

  • access – to obtain confirmation from the controller whether her personal data is being processed. If data about a person are processed, she is entitled to access them and obtain the following information: about the purposes of processing, categories of personal data, information about recipients or categories of recipients to whom the data have been or will be disclosed, about the period of data storage or about the criteria for their determining, about the right to request rectification, deletion or limitation of the processing of personal data of the data subject and to object to such processing (Article 15 of the GDPR);
  • to receive a copy of the data – to obtain a copy of the data subject to processing, the first copy is free, and for subsequent copies the controller may impose a fee in a reasonable amount resulting from administrative costs (Article 15 (3) of the GDPR);
  • rectification – to request to rectify data subject’s personal data that is incorrect or to supplement incomplete data (Article 16 of the GDPR);
  • data deletion – to request deletion of her personal data if the controller no longer has a legal basis for their processing or if the data are no longer necessary for the purposes of processing (Article 17 of the GDPR);
  • limit processing – to request limitation of the processing of personal data (Article 18 of the GDPR) when: – the data subject questions the correctness of personal data – for a period allowing the controller to check the correctness of such data, – the processing is unlawful and the data subject opposes their removal, demanding that their use be restricted, – the controller no longer needs these data, but they are needed by the data subject to establish, pursue or defend claims, – the data subject has objected to the processing – until it is determined whether the legitimate grounds on the part of the controller prevail over the grounds of objection of the data subject;
  • transferring of data – to receive in a structured, commonly used machine-readable format data subject’s personal data, which she has provided to the controller, and to request that the data be sent to another controller if the data are processed by virtue of the consent of the data subject or the contract concluded with the data subject and if the data are processed in an automated manner (Article 20 of the GDPR);
  • to object – to object to the processing of her personal data for legitimate purposes of the controller, for reasons related to her special situation, including profiling. In such a situation the controller assesses the existence of valid legitimate grounds for processing that may override the interests, rights and freedoms of data subjects, or grounds for establishing, pursuing or defending claims. If, according to the assessment, the interests of the data subject are more important than the interests of the controller, the controller will be obliged to stop processing data for these purposes (Article 21 of the GDPR).

2. To exercise the above-mentioned rights, the data subject should contact, using the provided contact details, with the controller and inform her which rights she wants to exercise and to what extent.

3. The data subject has the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office in Warsaw

VI. Profiling

Personal data obtained by the data controller will not be processed automatically, including by profiling.

x