Privacy and cookie usage policy
1. Data controller and definitions
- The data controller of Customers/Users of the Online Shop, also known as the Seller, is SHISHA GROUP S.A., tel. +48 600 108 510, NIP 8722409375, REGON 181131530.
- The data controller can be contacted at:
- address for letters: Przemysłowa 5, 35-105 Rzeszów;
- the e-mail address: email@example.com.
- User - a natural person entering the website/websites of the Online Shop or using the services or functionalities described in this Policy.
- Customer - a natural person having full legal capacity, a natural person who is a Consumer, a legal person or an organizational unit without legal personality, to which the Act grants legal capacity, which concludes a Distance Selling Agreement with the Seller.
- Online Shop - an Internet service run by the Seller, available at electronic addresses (websites): shisha.pl through which the Customer/User may obtain information about the Goods and its availability and buy the Goods or order the service.
- Newsletter - information, including commercial information within the meaning of the Act of 18 July 2002 on the provision of electronic services (Dz. U. z 2020 r. poz. 344) from the Seller, sent to the Customer/User by electronic means; its receipt is voluntary and requires the consent of the Customer/User.
- Account - a set of data stored in the Online Shop and in the Seller's IT system concerning the Customer/User and orders placed by the Customer/User and the agreements concluded by the Customer/User, which enables the Customer/User to place orders and conclude agreements.
- GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
2. The purposes, legal basis and period of the processing
- In order to perform the Distance Selling Agreement, the Seller processes:
- information concerning the User's device in purpose to ensure the correct functioning of the services: IP address of the computer, information contained in cookies or other similar technologies, session data, web browser data, device data, data concerning activity on the website, including on individual subpages;
- geolocation data, if the User has consented to the service provider's access to geolocation. The geolocation data is used to provide more tailored offers of Goods and services;
- users personal data: name, surname, registered office address, correspondence address, e-mail address, telephone number, Tax Identification Number (NIP), bank account number or other personal data required by the Administrator in the purchasing process.
- This information does not contain identity data of the Users, but in combination with other information may constitute personal information. Therefore, the data controller extends full GDPR protection to them.
- These data are processed in accordance with Article 6 section 1 letter b of the GDPR, for the purpose of providing a service, i.e. an agreement for the provision of services by electronic means in accordance with the Regulation, in accordance with Article 6 section 1 letter a of the GDPR, in accordance with consenting to the use of certain cookies or other similar technologies, as expressed by the appropriate settings of the Internet browser, in accordance with the Telecommunications Law or in accordance with consenting to geolocation. The data are processed until the end of the User's use of the Online Shop.
- The Administrator undertakes to take all measures required under Article 32 of the RODO, i.e., taking into account the state of the art, the cost of implementation and the nature, scope and purposes of the processing and the risk of violation of the rights or freedoms of natural persons of varying probability and seriousness, the Administrator implements appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
3. Marketing activities of the data controller
- The data controller may place marketing information about his/her Goods or services on the Online Shop’s website. Such content shall be displayed by the data controller in accordance with Article 6 section 1 letter f of the GDPR, in accordance with the legitimate interest pursued by the data controller, in publishing the content related to the services provided and the promotional content of the actions in which the data controller is involved. At the same time, the action does not infringe the rights and freedoms of the Customers/Users, the Customers/Users expect to receive similar content, or even expect it or it is their direct purpose to visit the website(s) of the Online Shop.
4. Recipients of User’s data
- The data controller discloses the Users' personal data only to the processors under the concluded contracts of entrustment of personal data processing, for the purpose of providing services to the Administrator, e.g. hosting and maintenance of the website, IT services, marketing and PR services.
5. Transfer of personal data to third countries
- Personal data will not be processed in third countries.
6. Withdrawal from the contract - electronic return form
- Rights for the data subjects
- of access (Article 15 of the GDPR) - to obtain confirmation from the data controller, whether his or her personal data are being processed. If the data about a person is processed, he or she is entitled to access it and to obtain the following information: about the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed, about the period of data storage or about the criteria used to determine that period, about the right to request rectification, erasure or restriction of processing of personal data and to object to such processing;
- to obtain a copy of the data (Article 15 section 3 GDPR) - to obtain a copy of the data to be processed; the first copy being free of charge. For further copies the data controller may charge a reasonable fee based on administrative costs;
- to rectification (Article 16 of the GDPR) - to request the rectification of inaccurate or to supplement incomplete data concerning him or her;
- to erase the data (Article 17 of the GDPR) - to request the erasure of his/her personal data if the data controller has not a legal basis for their processing or the data are not necessary for the purposes of processing anymore;
- to restriction of processing (Article 18 of the GDPR) - to request a restriction of processing of personal data when:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
- the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims,
- the data subject has objected to processing pursuant to Article 21 section 1 pending the verification whether the legitimate grounds of the controller override those of the data subject;
- to data portability (Article 20 GDPR) - to receive the personal data concerning him or her, which he or she has provided to a data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the data controller to which the personal data have been provided, where data are processed on the basis of the data subject's consent or on a contract with him/her and where data are processed by automated means;
- to object (Article 21 of the GDPR) - to object to the processing of his/her personal data for the legitimate purposes of the controller, on grounds related to his/her specific situation, including profiling. In such case, the data controller shall assess the existence of important legitimate grounds for processing overriding the interests, rights and freedoms of data subjects or grounds for establishing, pursuing or defending claims. If according to the assessment the interests of the data subject will take precedence over the interests of the controller, the data controller shall be obliged to stop processing the data for these purposes;
- to withdraw consent at any time and without giving any reason, but the processing of personal data carried out before withdrawal of consent will still remain lawful. Withdrawal of consent shall result in the data controller ceasing to process personal data for the purpose for which the consent was given.
- In order to exercise the aforementioned rights, the data subject should contact the data controller, using the contact details provided and inform the data controller, which right and to what extent he/she wants to exercise it.
7. The President of the Personal Data Protection Office
- The data subject has the right to lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office, with its seat in Warsaw, ul. Stawki 2, which can be contacted as follows:
- address for letters: ul. Stawki 2, 00-193 Warsaw;
- via the electronic mailbox available on the website: https://www.uodo.gov.pl/pl/p/kontakt;
- address for letters: helpline: 606-950-0000.
8. Data Protection Officer
- In any case, the data subject may also contact the Data Protection Officer of the data controller directly by e-mail or in writing to the address of the data controller given in section 1 point 2 this Policy.
- Privacy and Cookies Policy may be supplemented or updated according to the data controller's current needs in purpose to provide current and reliable information to Customers/Users.
- The Online Shop performs the functions of obtaining information about Customers, Users and their behaviour in the following way by:
- information voluntarily entered on the forms, for purposes arising from the function of the form;
- storing cookies (so-called: “cookies") on final device;
- collecting web server logs by the Online Shop’s hosting operator (necessary for proper operation of the Online Shop).
- Cookie files are IT data, in particular text files, which are stored in the Customer's/ User's final device and are designed to use the Online Shop’ s website. Cookies usually contain the name of the website from which they come from, the time of their storage on the final device and a unique number.
- To manage the cookie settings, Customer/User should select web browser/system and follow the instructions: Internet Explorer, Chrome, Safari, Firefox, Opera, Android, Safari (iOS), Windows Phone.
- The legal basis for the processing of personal data from cookies is the legitimate interests pursued by the Website’s Operator, consisting in providing high quality services, ensuring the safety of services.
- The Online Shop uses two basic types of cookies: session cookies and persistent cookies. Session cookies are temporary files, which are stored in the User's final device until logging out, leaving the Online Shop or switching off the software (web browser). Persistent cookies are stored in a User's device for the time specified in the parameters of cookies or until their removal by the User.
- The cookies are used for the following purposes:
- creating statistics that help to understand how Customers/Users of the Online Shop use the websites, which allows to improve their structure and content;
- maintaining the Customer/User session (after logging in), thanks to which the Customer/User does not have to re-enter the login and password on each subpage of the Online Shop;
- defining the Customer's profile in purpose to display product recommendations and matching materials in advertising networks, in particular the Google network.
- Software for web browsing (web browser) usually by default allows for storing cookies in the User's final device. Customers/Users may change their settings in this area. The web browser allows to remove cookies. It is also possible to automatically block cookie files.
- Cookie files placed in the Customer’s/User's final device and may also be used by Online Shop’s advertisers and partners, cooperating with the Online Shop.
- Cookies may be used by the Google network to display advertisements tailored to the way the Customer/User uses the Online Shop. For this purpose, they can store information about the user's navigation path or time spent on a given page: https://policies.google.com/technologies/partner-sites.
- In terms of information on the Customer’s/ User's preferences collected by the Google's advertising network, the Customer/User can view and edit the information resulting from cookies using the tool: https://www.google.com/ads/preferences/
- On the website of the OnlineShop there are plug-ins, which can transfer the data of Customers/Users to the data collectors, such as e.g: .
- In purpose to correctly perform the Distance Selling Agreement, the data controller may make the Customer/User data available to courier entities. The currently available delivery methods in the Online Shop are: https://shisha.pl/eng-delivery.html.
- In purpose to correctly perform the Distance Selling Agreement, the data controller may make the Customer/User data available to Internet payment systems. The currently available methods of payment in the form of prepayment in the Online Shop are: https://shisha.pl/eng-payments.html.
- The Customer/User may give his/her consent to receive commercial information electronically by ticking the appropriate option in the registration form or at later date in the appropriate tab. In the case of such consent, the Customer/User shall receive information (Newsletter) of the Online Shop as well as other commercial information sent by the Seller to the Customer’s/User’s email address.
- The Customer/User may unsubscribe from the Newsletter at any time by unchecking the appropriate box on his/her Account page or by going to the form https://shisha.pl/newsletter.php, clicking the appropriate link in the content of each Newsletter or through the Customer Service Office.
- The Customer/User may not place in the Online Shop or provide the Seller with content, including opinions and other data of an illegal nature.
- The Customer/User gets access to the Account after registration.
- When registering, the Customer/User provides the account type or gender, name, surname, company name, NIP number, data for issuing a sales document, shipping data, e-mail address and choose a password. The Customer/User assures that the data provided by him/her in the registration form are correct. Registration requires that Customer/User read the Regulations carefully and mark on the registration form that he/she has read the Regulations and fully accepts all provisions.
- At the moment of granting the Customer/User access to the Account, an agreement for the provision of services by electronic means is concluded between the Seller and the Customer/User for an indefinite period of time. The Consumer may withdraw from this agreement on the terms specified in the Regulations.
- Registration of an Account on one of the websites of the Online Shop means at the same time registration allowing access to the other websites where the Online Shop is available.
- The Customer/User may terminate the agreement for the provision of services by electronic means at any time with immediate effect, informing the Seller about it by e-mail or in writing to the address of the data controller given in section 1 point 2 this Policy.
- The Seller has the right to terminate the agreement for the provision of services concerning the Account in the event of: cessation or transfer of the Online Shop service to a third party, violation by the Customer/User of the law or provisions of the Regulations, as well as in the event of inactivity of the Customer/User for a period of 6 months. The agreement is terminated with seven days’ notice. The Seller may stipulate that re-registration of the Account shall require the Seller's permission.