PRIVACY POLICY
WWW.LATERANO.COM.PL ONLINE STORE

CONTENTS:

1. GENERAL PROVISIONS

1.1. This privacy policy of the Online Store is for information purposes only, which means it does not impose any obligations of the Service Users or Customers of the Online Store. The privacy policy contains mainly principles of personal data processing by the Controller in the Online Store, including the basis, purposes, and scope of personal data processing, the rights of data subjects, and information on cookies and analytical tools used in the Online Store.

1.2. The Controller of the personal data collected in the Online Store is POLANEX Sp. z o.o. with its registered office in Gniezno, ul. Słoneczna 40, 64-200 Gniezno, Poland entered into the register of entrepreneurs of the National Court Register by the Regional Court for Poznań-Nowe Miasto and Wilda in Poznań, 9th Commercial Division, National Court Register No. 00001383697, NIP [tax No.] 7840010501, REGON [statistical No.] 630144079, forwarding address: Polanex Sp. z o.o., 64-200 Gniezno, ul. Słoneczna 40, annotated ‘Biuro Obsługi Klienta’, e-mail address contact@laterano.com.pl tel. 0048 61  426 47 48, hereinafter referred to as the ‘Controller’, simultaneously the Online Store Service Provider and Seller.

1.3. The contact details of the data protection officer designated by the Controller: Iwona Włodarczyk, rodo@polanex.com.pl

1.4. The Controller processes the personal data in the Online Store in accordance with applicable regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter the ‘GDPR’. The official text of the GDPR: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679

1.5. The use of the Online Store and any purchase are done freely. Similarly, the provision of personal data by a Service User or Customer using the Online Store is a voluntary act except for two situations: (1) contracting with the Controller. A failure to provide personal data necessary to conclude and perform a Sale Contract or E-service contract with the Controller in the cases and scope specified on the website of the Online Store, the Terms and Conditions of the Online Store and this privacy policy results in no contract. In such a case, the provision of personal data is a contractual requirement and if the data subject wishes to enter into a contract with the Controller, they shall provide the required data. The scope of data necessary to enter a contract is in each case specified in advance on the Online Store’s website and in its Terms and Conditions; (2) statutory obligations of the Controller. The provision of personal data is a statutory obligation under generally applicable law under which the Controller is obliged to process personal data (such as data processing to keep tax or accounting records). Any failure to provide such data prevents the Controller from discharging these obligations.

1.6. The Controller exercises due care to protect the interests of data subjects. In particular, it is liable for and ensures that the data it collects are
(1) processed lawfully;
(2) collected for specified, legitimate purposes and not processed further at variance with the purposes;
(3) factually correct and adequate to the processing purposes;
(4) stored in a way that data subjects can be identified not longer than necessary to achieve the processing purpose; and
(5) processed in a way that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

1.7. Taking into account the nature, scope, context, and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller implements appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. The Controller applies technical measures to prevent unauthorised persons from obtaining and modifying personal data sent electronically.

1.8. Any words, phrases, and acronyms in the privacy policy that are capitalised (such as Seller, Online Store, E-service) are defined in the Terms and Conditions of the Online Store available on its website.

2. BASIS FOR DATA PROCESSING

2.1. The Controller is authorised to process personal data if and to the extent that at least one of the following applies: (1) the data subject has given consent to the processing of their personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Controller is subject; (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

2.2. The processing of personal data by the Controller requires at least one of the basis from Section 2.2 to occur each time. Specific basis for Controller’s processing of personal data of Service Users and Customers of the Online Store are specified in the next Section of the privacy policy in regard of a given purpose of the processing.

3. PURPOSE, BASIS, AND PERIOD OF DATA PROCESSING IN THE ONLINE STORE

3.1. In each case, the basis, period, and recipients of personal data processed by the Controller result from the actions taken by the Service User or Customer of the Online Store or the Controller. For example, if a Customer choses to make a purchase in the Online Store and collect the Product in person instead of via a courier, their personal data will be processed to perform the Sale Contract entered into but will not be shared with the carrier delivering packages for the Controller.

3.2. The Controller may process personal data in the Online Store for the purposes, on the basis, and over the periods specified in the table below:

Data processing purpose
Legal basis for data processing
Legal basis for data processing

Performance of a Sale Contract or E-service contract or actions on request of a data subject before such a contract is entered into

Article 6(1)b of the GDPR (performance of a contract). Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

The data are stored for the period necessary to perform, terminate, or otherwise extinguish a Sale Contract or E-service contract.  The data are stored for five years following the end of a fiscal year. The legal basis is the Accounting Act

Direct marketing

Article 6(1)f of the GDPR (legitimate interest of the Controller). The processing of data is necessary for purposes of the legitimate interests of the Controller, that is pursuit of interests and maintenance of the image of the Controller, its Online Store, and pursuit of sale of Products

The data are stored over the period of legitimate interest pursued by the Controller, not longer than the time-bar for claims of the Controller towards the data subject in relation to the Controller’s economic activity. The time-bar is specified by the law, particularly the Civil Code (the primary time-bar for claims related to economic activity is three years, and for a sale contract, two years).

The Controller must not process data for direct marketing if the data subject effectively objects it.

Marketing

Article 6(1)a of the GDPR (consent). The data subject has given consent to the processing of their personal data for marketing purposes by the Controller

The data area stored until the data subject withdraws the consent for further processing for this purpose.

The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Customer’s expression of their opinion regarding a Sale Contract they entered into

Article 6(1)a of the GDPR. The data subject has given consent to the processing of their personal data for expressing their opinion

The data area stored until the data subject withdraws the consent for further processing for this purpose.

The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal

Determination, pursuit, or defence against potential claims of the Controller or against the Controller

Article 6(1)f of the GDPR (legitimate interest of the Controller). The processing of data is necessary for purposes of the legitimate interests of the Controller, that is the determination, pursuit, or defence against potential claims of the Controller or against the Controller

he data are stored over the period of legitimate interest pursued by the Controller, not longer than the time-bar for claims against the Controller (the basic time-bar for claims against the Controller is six years).

Use of the Online Store’s website and ensuring its correct functioning

Article 6(1)f of the GDPR (legitimate interest of the Controller). The processing of data is necessary for purposes of the legitimate interests of the Controller, that is operating and maintaining the Online Store

The data are stored over the period of legitimate interest pursued by the Controller, not longer than the time-bar for claims of the Controller towards the data subject in relation to the Controller’s economic activity. The time-bar is specified by the law, particularly the Civil Code (the primary time-bar for claims related to economic activity is three years, and for a sale contract, two years).

Statistics and traffic analysis in the Online Store

Article 6(1)f of the GDPR (legitimate interest of the Controller). The processing of data is necessary for purposes of the legitimate interests of the Controller, that is keeping statistics and analysing the traffic in the Online Store to improve its functioning and sale of Products.

The data are stored over the period of legitimate interest pursued by the Controller, not longer than the time-bar for claims of the Controller towards the data subject in relation to the Controller’s economic activity. The time-bar is specified by the law, particularly the Civil Code (the primary time-bar for claims related to economic activity is three years, and for a sale contract, two years).

4. DATA RECIPIENTS IN THE ONLINE STORE

4.1. The Controller needs to employ third parties (such as software supplier, courier, or payment processing companies) to ensure proper functioning of the Online Store and performance of Sale Contracts. The Controller uses only processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects.

4.2. The Controller does not transfer data in each case or to all the recipients or types of recipients specified in the privacy policy. The Controller transfers data only when it is necessary to pursue a specific processing purpose and only to the extent necessary to pursue it successfully. For example, if a Customer choses to collect a Product in person, their data are not transferred to a courier employed by the Controller.

4.3. Personal data of Service Users and Customers of the Online Store may be transferred to the following recipients or categories of recipients:

4.3.1. carriers / forwarding agents / courier brokers / 3PL operators. When a Customer chooses Product delivery by post of by courier, the Controller transfers their personal data it has collected to the selected carrier, forwarding agent, or a third party handling deliveries for the Controller or when the delivery if from a third-part warehouse, a 3PL operator to the extent necessary to deliver the Product to the Customer.

4.3.2. providers of electronic or card payment services. If a Customer choses to pay by electronic means or by card, the Controller transfers their personal data it has collected to the selected provider of payment services to the Online Store employed by the Controller to the extent necessary to handle the payment made by the Customer

4.3.3. institutions that offer loans or lease purchase services. If a Customer choses to pay by instalments or use lease purchase, the Controller transfers their personal data it has collected to the selected provider of loan or lease purchase services to the Online Store employed by the Controller to the extent necessary to handle the payment made by the Customer.

4.3.4. providers of an opinion survey system. If a Customer agreed to express their opinion on their Sale Contract, the Controller transfers their personal data it has collected to a selected supplier of an opinion survey system for Sale Contracts entered into in the Online Store employed by the Controller to the extent necessary for the Customer to express their opinion using the opinion survey system.

4.3.5. service providers that supply the Controller with technical, IT, and organisational solutions facilitating the Controller’s economic activity, including the Online Store and the E-services rendered in the Online Store (in particular providers of computer software for the operation of the Online Store, providers of e-mail services and hosting, and providers of business management software and software for providing technical support to the Controller). The Controller transfers Customer personal data it collected to the selected supplier employed by it solely to the extent necessary to successfully pursue a specific data processing purpose in accordance with the privacy policy.

4.3.6. providers of bookkeeping, legal, and counselling services that provide bookkeeping, legal, or counselling support to the Controller (in particular a bookkeeper, legal firm, or debt collection agency). The Controller transfers Customer’s personal data it collected to the selected provider employed by it only in the case and to the extent necessary to successfully pursuit the data processing purpose in accordance with the privacy policy.

4.3.7. Providers of social-media plugins, scripts, and other similar tools embedded into the Online Store’s website to allow the web browser of a visitor to the Online Store’s website to download content from the providers of the plugins (such as signing in with a social media platform credentials) and transfer of the visitor’s data to these providers for this purpose, including:

4.3.7.1. Facebook Ireland Ltd. The Controller uses Facebook plugins on the Online Store’s website (such as Like, Share, or signing in with Facebook credentials). Therefore, the Controller collects personal data of the Service User using the website of the Online Store and transfers them to Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) to the extent and in accordance with the privacy policies found at https://www.facebook.com/about/privacy/ (the data include information about Online Store website activity, including information about the device, visited pages, purchases, advertisements displayed, and the way they use the service regardless of whether the Service User has a Facebook account and is signed in to Facebook).

5. PROFILING IN THE ONLINE STORE

5.1. The GDPR obliges the Controller to inform about automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. In light of the above, the Controller hereby informs about potential profiling.

5.2. The Controller may use profiling for direct marketing in the Online Store, but decision based on profiling do not concern entering into or refusal to enter into a Sale Contract or the access to E-services in the Online Store. The results of profiling in the Online Store may include granting of a discount, delivery of a discount code, reminder about outstanding purchase, a Product offer matching the interests or preferences of the specific person or proposal of better, non-standard conditions in the Online Store. Despite profiling, it is the individual’s decision whether to take advantage of such a discount, better conditions, and make the purchase in the Online Store.

5.3. Profiling in the Online Store involves automatic analysis and forecasting of behaviour of an individual on the Online Store’s website, such as addition of a specific Product to the bag, displaying a page of a specific product in the Online Store, or analysis of the history of purchases made in the Online Store. The condition for such profiling is for the Controller to have personal data of such a person, so it can, for example, offer them a discount code.

5.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The data subject may object to automated processing.

6. RIGHTS OF THE DATA SUBJECT

6.1. The right to access, rectify, restrict, erase, or portability. The data subject has the right to demand access to their personal data from the Controller, rectify, erase them (‘the right to be forgotten’) or restrict their processing and has the right to object to processing and data portability. Detailed conditions for the exercising of these rights are indicated in Articles 15–21 of the GDPR.

6.2. The right to withdraw consent at any time. The data subject whose data are processed by the Controller pursuant to a consent (granted under Article 6(1)a or Article 9(2)a of the GDPR) has the right to withdraw the consent any time , without affecting the lawfulness of processing based on consent before its withdrawal.

6.3. The right to lodge a complaint with a supervisory authority. The data subject whose data are processed by the Controller has the right to lodge a complaint with a supervisory authority in a manner and under a procedure specified in the GDPR and Polish regulations, particularly the Act on personal data protection. The supervisory authority in Poland is the President of the Office for Personal Data Protection.

6.4. The right to object. The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (f) of Article 6(1) (legitimate interest of the Controller), including profiling based on those provisions. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

6.5. The right to object to direct marketing. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

6.6. The rights referred to in this privacy policy can be exercised by contacting the Controller in writing or via e-mail to the Controller’s address indicated in the initial part of the privacy policy or with a contact form on the Online Store’s website.

7. COOKIES AND ANALYTICS IN THE ONLINE STORE

7.1. Cookie files (Cookies) are small pieces of text information in text files sent by servers and saved on the device of the visitor to the Online Store (such as a hard drive of the computer, laptop, or flash drive of a smartphone depending on the device used to visit the Online Store). Details on Cookies and their history can be found at: https://en.wikipedia.org/wiki/HTTP_cookie.

7.2. Cookies sent by the Online Store’s website can be divided according to the following criteria:

By the provider

  1. first-party (created by the website of the Controller’s Online Store) and 

  2. third-party (other than the Controller)

By the time it is stored on the device of a visitor to the Online Store’s website

  1. session (stored until the user signs out of the Online Store or closes the web browser) and 

  2. persistent (stored for a set period defined by parameters of individual files or until deleted manually)

By the purpose

  1. essential (for proper functioning of the Online Store’s website), 

  2. functionality/preference (used to adjust the Online Store’s website to the preferences of the visitor), 

  3. analytics and performance (collect information on how the Online Store’s website is used), 

  4. marketing, advertising, and social media (collect information about the visitor to the Online Store’s website to show them personalised advertisements and pursue other marketing operations, including on websites other than the Online Store’s website, such as social platforms)

7.3. The Controller may process data in Cookies during visits to the Online Store’s websites for the following specific purposes:

The purposes of Cookies in the Controller’s Online Store

identification of Service Users as signed in to the Online Store and notifying about being signed in (essential Cookies)

saving Products added to the bag in the memory to facilitate Order placement (essential Cookies)

saving data from completed Order Forms, questionnaires, or Online Store credentials (essential and/or functionality/preference Cookies)

adapting the content of the Online Store’s website to personal preferences of the Service User (such as colours, font size, layout) and optimisation of the Online Store’s website experience (functionality/preference Cookies)

collection of anonymous statistics regarding the use of the Online Store’s website (statistical Cookies)

remarketing, that is investigation of behavioural characteristics of visitors to the Online Store through anonymous analysis of their actions (such as recurrent visits to specific pages, keywords, etc.) to build their profile and offer them advertisements matching their anticipated interests, also when they visit other websites in the advertising network of Google Ireland Ltd. and Facebook Ireland Ltd. (marketing, advertising, and social media Cookies)

7.4. It is possible to verify which Cookies (including their duration and provider) are being sent by the Online Store’s website in the most popular web browsers with the following procedures:

In Chrome:
(1) click the padlock icon on the left-hand side of the address bar and
(2) navigate to the ‘Cookies’ tab.

In Firefox:
(1) click the shield icon on the left-hand side of the address bar,
(2) navigate to the ‘Allowed” or ‘Blocked’ tab,
(3) click ‘Cookies shared between websites’, ‘Social media trackers’ or ‘Content with trackers’

In Internet Explorer:
(1) click menu ‘Tools’,
(2) navigate to ‘Internet options’,
(3) navigate to ‘General’,
(4) navigate to ‘Settings’,
(5) click ‘Display files’

In Opera:

(1) click the padlock icon on the left-hand side of the address bar and
(2) navigate to the ‘Cookies’ tab.

In Safari:

(1)  click menu ‘Preferences’,
(2) navigate to ‘Privacy’,
(3) click ‘Manage website data’

Regardless of the web browser at:
https://www.cookiemetrix.com/
lub:
https://www.cookie-checker.com/

7.5. Most web browsers accept Cookies by default. Every user can define the use of Cookies in their browser settings. This means they can partially limit (for example, temporarily) or completely disable saving Cookies. The latter case may affect some functionalities of the Online Store (for example, it may be impossible to complete an Order with the Order Form because Products are not saved between steps of Order placement).

7.6. Web browser Cookies settings are relevant to the consent for our Online Store to use Cookies. By law, such consent has to be granted in browser settings as well. Details of how to change Cookies settings and remove the files in the most popular web browsers are available in the browser’s help and on the following websites (clickable links):

in Chrome
in Firefox
in Internet Explorer
in Opera
in Safari
in Microsoft Edge

7.7. The Controller may use Google Analytics, Universal Analytics provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) in the Online Store. These services aid the Controller with keeping statistics and analysing traffic in the Online Store. The collected data are processed under these services to generate statistics to support the Online Store administration and traffic analysis. The data are collective. With the services specified above, the Controller collects such data as sources and channels of visitors to the Online Store and their behaviour on the Online Store’s website, information about the devices and web browsers used to visit the website, IP and domain, location data, demographic data (age and sex), and interests.

7.8.An individual can relatively easily block sharing their activity on the Online Store’s website with Google Analytics. They need, for example, to install a browser addon provided by Google Ireland Ltd. available at https://tools.google.com/dlpage/gaoptout?hl=pl.

7.9. The Controller may use the Facebook Pixel service on the Online Store’s website provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). The service helps the Controller measure the effectiveness of advertisements, find out the actions taken by visitors to the Online Store, and show them personalised advertises. Details on how the Facebook Pixel works can be found at https://www.facebook.com/business/help/742478679120153?helpref=page_content.

7.10. It is possible to control the Facebook Pixel in the advertisement settings in ones Facebook.com account at https://www.facebook.com…

8. FINAL PROVISIONS

8.1. The Online Store may include links to other websites. The Controller advises to read their privacy policy when entering other websites. This privacy policy applies to the Controller’s Online Store only.