PRIVACY POLICY FOR THE

BOHEMISOUL.COM ONLINE SHOP

§ 1

GENERAL PROVISIONS

1. The Data Controller for the processing of data collected through the bohemisoul.com online Shop is Agnieszka Balbierz trading as BOHEMI SOUL AGNIESZKA BALBIERZ entered into the Central Registration and Information on Business (CEIDG) kept by the minister in charge of economy, registered office: ul. Jana Sawy 8/05, 20-632 Lublin, Poland, place of business and address for service: ul.  Jana Kasprowicza 97B, 34-520 Poronin, Poland, tax identification number NIP: 7123120917, statistical number REGON: 061631167, email address: help@bohemisoul.com, hereinafter referred to as “Data Controller” or Service Provider.
2. Personal data collected by the Data Controller via the website are processed in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/WE (General Data Protection Regulation), hereinafter referred to as the GDPR.
3. All capitalized terms used in this Privacy Policy shall have the meaning set forth in the “Definitions” section of the Terms and Conditions for the bohemisoul.com Online Shop. 

§ 2

TYPE OF PERSONAL DATA PROCESSED, PURPOSE AND SCOPE OF DATA COLLECTION

1. PURPOSE AND LEGAL BASIS FOR PROCESSING. The Data Controller shall process Users personal data in the following circumstances:
   1. Account registration in the Shop in order to create an individual account and manage this Account, pursuant to art. 6 sec. 1 lit. b) GDPR (performance of the contract for the provision of electronic services in accordance with the Terms and Conditions for the Online Shop),
   2. placing an order in the Shop in order to perform the contract of sale, pursuant to art. 6 sec. 1 lit. b) GDPR (performance of the contract of sale),
   3. subscribing to the Newsletter in order to send commercial information by electronic means. Personal data is processed after expressing a separate consent, pursuant to art. 6 sec. 1 lit. a) GDPR.
2. TYPE OF THE PERSONAL DATA PROCESSED. The User provides, in the case of:
   1. Accounts: name and surname, login, address, e-mail address.
   2. Orders: name and surname, address, tax identification number, e-mail address, telephone number.
   3. Newsletter: e-mail address.
3. PERSONAL DATA RETENTION PERIOD. Personal data submitted by Users are retained by the Data Controller for the following retention periods:
   1. If the lawful basis is performance of contract: personal data are stored for as long as necessary for the performance of a contract, and thereafter until the expiration of any statutory period of prescription or limitation. Unless a specific regulation provides otherwise, the limitation period is six years, whereas for claims concerning periodical performances and claims connected with conducting business activity – three years.
   2. If the lawful basis is consent: personal data are stored until withdrawal of consent, and thereafter until the expiration of any statutory period of prescription or limitation for claims that may be raised by the Data Controller or that may be brought against the Data Controller. Unless a specific regulation provides otherwise, the limitation period is six years, whereas for claims concerning periodical performances and claims connected with conducting business activity – three years.
4. The Data Controller may collect additional User information, including, in particular: a User’s computer IP address, the IP address of the internet provider, domain name, browser type, duration of a visit, operating system.
5. If the Data Subject has given a separate consent to such processing (Article 6 (1) (a) GDPR), their personal data may be processed for the purpose of sending electronic marketing messages or for direct marketing via telephone – in accordance with Article 10 section 2 of the Act on the Provision of Electronic Services of 18 July 2002 or Article 172, section 1 of the Telecommunications Law Act of 16 July 2004, including profiled marketing communications if the Data Subject has consented to receive such communications.
6. User’s navigation data may also be collected, including information about links they decide to click on or other activities undertaken in the Shop. The legal basis for this type of activity is the Data Controller’s legitimate interest (Article 6 sec. 1 lit. f of the GDPR) to facilitate the use of electronic services and improve the functionality of these services.
7. Submitting personal data to bohemisoul.com is voluntary.
8. The Data Controller shall take all reasonable steps to protect the interests of data subjects and ensure that all data are:
   1. lawfully processed, 
   2. obtained only for specified, lawful purposes, and not further processed in any manner incompatible with those purposes,
   3. factually correct, adequate and relevant in relation to the purposes for which they are processed; stored in a form that permits identification of the data subject, for no longer than is necessary for the purpose of processing.

§ 3

SHARING PERSONAL DATA

1. Users’ personal data are shared with service providers used by the Data Controller when running the Shop, in particular to:
   1. entities delivering Products,
   2. payment system providers,
   3. accounting office,
   4. hosting providers,
   5. software providers that enable business operations,
   6. entities providing the mailing system,
   7. provider of software needed to run an online Shop.
2. The service providers referred to in point 1 of this section, to which personal data are transferred, depending on the contractual arrangements and circumstances, or who are subject to the Data Controller’s instructions as to the purposes and methods of processing the data (processors) or independently define the purposes and methods of their processing (administrators).
3. In order to manage the list of Users, the Service Provider uses the Mailchimp website, where some of the Users’ data are stored. Mailchimp is a mailing list management and email sending service provided by Intuit Inc. based in the USA. Mailchimp has its own privacy policy available at: https://www.intuit.com/privacy/statement/ 
4. User’s personal data are stored only in the European Economic Area (EEA), subject to §5 point 5 and §6 of the Privacy Policy.

§ 4

RIGHT TO CONTROL, ACCESS AND RECTIFY PERSONAL DATA

1. Every data subject has the right to access, rectify, erase, restrict the processing of their personal data as well as the right to data portability, the right to object to processing and the right to withdraw consent at any time without affecting the lawfulness of processing completed based on consent before its withdrawal.
2. Legal basis for Users’ claims:

1. Access to personal data – Article 15 of the GDPR
2. Rectification of personal data – Article 16 of the GDPR,
3. Erasure of personal data (right to be forgotten) – Article 17 of the GDPR,
4. Restriction of data processing – Article 18 of the GDPR,
5. Data portability – Article 20 of the GDPR,
6. Objection to processing – Article 21 of the GDPR,
7. Withdrawal of consent to processing – Article 7 sec. 3 of the GDPR.

3. Users may exercise their rights under point 2 by sending an email to: help@bohemisoul.com
4. If any request is received in relation to Users’ rights, the Data Controller must comply with or refuse to act on a User’s request without delay but not later than within a month of receiving the request. If however, due to the complex nature or a high number of requests, the Data Controller is unable to respond within a month, the Data Controller may extend the time to respond by further two months. If this is the case, the Data Controller shall inform the User within one month of receiving their request and explain why the extension is necessary.
5. If the data subject considers that the processing of their personal data violates the GDPR, the data subject may file a complaint to the President of the Personal Data Protection Office.

§ 5

COOKIE POLICY

1. Bohemisoul.com uses cookies. 
2. Cookies are essential for the provision of electronic services via the Shop. Cookies contain information that is necessary for the proper functioning of the Shop and for the statistical analysis of website traffic.
3. The website uses two types of cookies: “session” cookies and “persistent” cookies.
   1. “Session” cookies are temporary files which are stored on the User’s end-device until they log out (leave the website).
   2. “Persistent” cookies remain stored on the User’s device until deleted manually or automatically after a set period of time.

4. The Data Controller uses their own cookies to provide information on how individual Users interact with the Website. These files collect information about how Users use the website, what type of website referred the User to bohemisoul.com, the frequency of visits and the time of each visit. This information does not register the Users’ personal data and is used solely for statistical analysis of website traffic.
5. The Data Controller uses third party cookies for the purpose of collecting general and anonymous static data by means of the Google Analytics tools (Data controller for third party cookies: Google Inc. based in the USA).
6. The Data Controller uses the HotJar tool, which enables tracking the User’s behavior on the website. For this purpose, HotJar cookies (Hotjar Limited, company number C 65490, Level 2, St Julian’s Business Center, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta) are used. As part of the cookie settings, the User may decide whether he/she agrees to the Data Controller’s use of tracking via HotJar or not.
7. The Data Controller uses marketing tools, such as Marketing Automation – Edrone, to deliver advertisements to the User. This is related to the use of cookies belonging to the tool provider. As part of the cookie settings, the User may decide whether he/she agrees to the Data Controller’s use of this tool in relation to the User or not.
8. Cookies may also be used by advertising networks, in particular the Google network, in order to display advertisements tailored to the manner in which the User uses the Store. For this purpose, they may keep information about the User’s navigation path or the time spent on a given page.
9. Users can restrict the access of cookies to their computers via their browser settings. Detailed information on how to manage cookies can be found in the settings of particular web browsers.

§ 6

ADDITIONAL SERVICES RELATED TO THE USER’S ACTIVITY IN THE SHOP

1. The Shop uses so-called social media plugins (“plugins”). When displaying the bohemisoul.com website containing such a plugin, the User’s browser will establish a direct connection with the Facebook, Instagram, Pinterest, Twitter, TikTok, Google and YouTube servers.
2. The content of the plugin is forwarded by the given service provider directly to the User’s browser and integrated with the website. Thanks to this integration, service providers receive information that the User’s browser has displayed the bohemisoul.com website, even if the User does not have a profile with the given service provider or is not currently logged in. Such information (together with the User’s IP address) is sent by the browser directly to the server of the given service provider (some servers are located in the USA) and stored there.
3. If the User logs in to one of the above social media sites, the service provider will be able to directly assign the visit to bohemisoul.com to the User’s profile on the given social media site.
4. If the User uses a given plugin, e.g. by clicking on the “Like” button or the “Share” button, the relevant information will also be sent directly to the server of the given service provider and stored there.
5. The purpose and scope of data collection and their further processing and use by service providers, as well as the possibility of contacting and the User’s rights in this regard, and the possibility of choosing settings that ensure the protection of the User’s privacy are described in the privacy policy of the service providers:
   1. https://www.facebook.com/policy.php
   2. https://help.instagram.com/519522125107875?helpref=page_content
   3. https://policy.pinterest.com/pl/privacy-policy
   4. https://help.twitter.com/en/rules-and-policies 
   5. https://www.tiktok.com/legal/privacy-policy-eea?lang=pl 
   6. https://policies.google.com/privacy?hl=pl&gl=ZZ. 
6. If Users do not want social media services to assign data collected during visits at bohemisoul.com directly to their profile on a given website, they must log out of the website before visiting bohemisoul.com. Users may also completely prevent plugins from loading on the page by using the appropriate browser extensions, e.g. blocking scripts using “NoScript”.
7. The Data Controller uses remarketing tools on his website, i.e. Google Ads, this involves the use of Google LLC cookies for the Google Ads service. As part of the mechanism for managing cookie settings, the User has the option to decide whether the Service Provider is able to use Google Ads (external cookie administrator: Google LLC. Based in the USA) in relation to him/her.

§ 7

FINAL PROVISIONS

1. The Data Controller shall implement technical and organizational measures to safeguard personal data during processing, adjusted to the risks and classification of protected data. In particular, the Data Controller shall protect the data against unauthorized access, takeover, processing in violation of law, alteration, loss, damage or destruction.
2. The Data Controller shall take appropriate technical measures to safeguard the electronic personal data against unauthorized interception or modification.
3. To all matters not settled in this Privacy Policy, the relevant provisions of the GDPR shall apply as well as applicable provisions of Polish law.