Privacy policy

By Insomnia

dated September 1, 2021

By Insomnia Natalia Pstrokońska, address: ul. Kwitnącego Sadu 2, 02-202 Warszawa, entered in the register of entrepreneurs – Central Registration and Information on Business (CEIDG), Tax ID No (NIP) 5851078074, REGON 388483466, as the controller of personal data has implemented and uses appropriate technical and organizational measures to ensure that data processing is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 General Data Protection Regulation (Official Journal of the European Union L 119/1, version PL 4.5.2016) and the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws 2019 item 1781 as amended).

1. Who is the Personal Data Controller?

Natalia Pstrokońska conducting business activity under the name of By Insomnia Natalia Pstrokońska, address: ul. Kwitnącego Sadu 2, 02-202 Warszawa, entered in the register of entrepreneurs – Central Registration and Information on Business (CEIDG), Tax ID No (NIP) 5851078074, REGON 388483466

2. Who can I contact regarding my personal data?

E-mail address: sklep@byinsomnia.pl

Mobile: +48 573 337 660

3. What is the purpose and legal basis for processing my Personal Data?

| Purpose of data processing | Legal basis for data processing | Personal data storage period |
| --- | --- | --- |
| User account maintenance and all related Services in the Online Store | Article 6 section 1 letter b of the GDPR (agreement execution) - processing is necessary for the execution of an agreement with the data subject being a party of the agreement or in order to take action at the request of the data subject prior to entering into an agreement | The data is stored until the account is deleted by the User. |
| Performance of the sales agreement or the agreement on the provision of services by electronic means, including taking action at the request of the data subject, before concluding the above-mentioned agreements, as well as actions related to any complaints regarding the agreement | Article 6 section 1 letter b of the GDPR (agreement execution) - processing is necessary for the execution of an agreement with the data subject being a party of the agreement or in order to take action at the request of the data subject prior to entering into an agreement | The data will be stored for the period necessary to perform the agreement. |
| Accounting for the concluded agreement - maintaining accounting records | Article 6 section 1 letter c of the GDPR in connection with Article 74 section 2 of the Accounting Act (consolidated text) of 30 January 2018 (Journal of Laws of 2018 item 395) - processing is necessary for compliance with a legal obligation to which the controller is subject | The storage period results from the provisions of tax law and, as a rule, is five years counting from the beginning of the year following the financial year in which the tax obligation arose. |
| Pursuing claims by the Controller resulting from concluded sales agreements or agreements on the provision of services by electronic means, or the Controller's defence against such claims | Article 6 section 1 letter f of the GDPR (legitimate interest of the Controller) - processing is necessary for purposes arising from the legitimate interests of the Controller - pursuing claims or defence against claims | The data will be stored for the duration of the legitimate interest of the Controller. |
| Direct Marketing | Article 6 section 1 letter f of the GDPR (legitimate interest of the Controller) - processing is necessary for purposes arising from the legitimate interests of the Controller - including the Controller seeking to sell the offered products and caring for their interests and reputation | The data will be stored for the duration of the legitimate interest of the Controller. |
| Keeping the website traffic statistics | Article 6 section 1 letter f of the GDPR (legitimate interest of the Controller) - processing is necessary for purposes arising from the legitimate interests of the Controller - consisting in keeping statistics on website traffic | The data is stored for the duration of the legitimate interest of the Controller, but no longer than for the period of limitation of the Controller's claims against the data subject related to business activity conducted by the Controller. The limitation period is determined by the law, in particular the Civil Code (the basic limitation period for claims related to conducting a business activity is three years, and for a sales agreement it is two years). |


4. Which personal data is processed?

Name and surname, telephone number, e-mail address, computer IP

If the customer requires a VAT invoice - we additionally process the name of their business, correspondence or residence address, and Tax ID No (NIP).

In the event that the customer requests the delivery of goods - we additionally process the delivery address provided

5. Who may the obtained personal data be transferred to?

Due to the need to ensure the proper working of the website, as well as the correct implementation of the agreements concluded through it, the Controller will transfer data to its contractors, indicated below. The Controller uses only the services of such processors who can sufficiently guarantee to implement the appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR and protects the rights of the data subjects.

The transfer of data by the Controller does not take place in every case and not to all recipients or categories of recipients indicated in the Privacy Policy, and does not always cover all processed data. The Controller provides data to processors only to the extent that it is necessary for the purpose for which the transfer takes place and only in relation to the data that is necessary to fulfil this purpose.

The data may be transferred to the following recipients or categories of recipients:

service providers providing the Controller with technical, IT and organizational solutions, enabling the Controller to conduct their business activity, including the Online Store and provision of services by electronic means (in particular computer software providers for running the Online Store, e-mail and hosting providers, as well as providers of software for business management and technical support for the Controller) - the Controller provides the Customer's personal data to a selected provider acting on their behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this Privacy Policy.

entities processing electronic and card payments - the Controller provides the Customer's personal data to the selected entity processing payments in the Online Store at the request of the Controller to the extent necessary to handle payments made by the Customer.

providers of accounting, legal and advisory services providing the Controller with accounting, legal or advisory support (in particular an accounting office, law firm or debt collection company) - the Controller provides the Customer's personal data to a selected provider acting on their behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this Privacy Policy.

6. Will the data be transferred outside the EEA?

No, the data is not transferred outside the EEA. In the event of using the services of e.g. IT support providers, your personal data may be transferred outside the European Union, provided that the European Commission determines that the third country ensures an adequate level of protection.

7. Information on rights related to data processing

Individuals whose data is processed have the right to access their data, as well as to correct, delete or restrict its processing. They can also exercise their right to object to the processing of the data and the right to transfer their data to another data controller. In order to exercise any of the rights, please contact us by phone or e-mail.

We would like to inform you about your right to lodge a complaint with the supervisory authority for compliance with the provisions on the protection of personal data, i.e. the right to lodge a complaint with the President of the Personal Data Protection Office.

8. Consent

In the case of personal data processed on the basis of consent, the person whose data is processed has the right to withdraw it at any time. Withdrawal of consent affects neither the lawfulness of data processing performed before the consent is withdrawn nor the processing of personal data that we carry out on another legal basis (e.g. to perform our obligations under the law).

9. Objection

The person whose data is processed has the right to object at any time - for reasons related to a particular situation - to the processing of their personal data, if the basis for this objection is the so-called clause of a legitimate purpose (Article 6 section 1 letter f of the GDPR) or public interest (Article 6 section 1 letter e of the GDPR). In such a case, we will not process the data subject to objection on this basis. However, legal regulations grant us the right to refuse to execute this request, if there are valid legitimate grounds for the further processing of data, overriding the interests, rights and freedoms, or grounds for establishing, investigating or defending claims.

If one's personal data is processed for direct marketing purposes, one can object to the processing of their data for this purpose at any time. After accepting such a request, we will not process such data for direct marketing purposes.

10. Is the provision of personal data a statutory or contractual requirement, or a requirement necessary to conclude an agreement, is the data subject obliged to provide their personal data and what are the potential consequences of failing to provide such data?

Providing personal data is not a statutory requirement, but without the Controller obtaining them, the agreement with the Customer cannot be concluded.

11. Information on automated decision making, including profiling.

Not applicable.

12. Cookies

Cookies are small text files sent by the server and saved on the device of the person visiting the website of the Online Store (e.g. on a computer's hard drive, laptop or on a smartphone's memory card - depending on which device is used by visitors to our Online Store). Detailed information on cookies, as well as the history of their creation, can be found here: https://pl.wikipedia.org/wiki/HTTP_cookie.

Cookies can be divided with regards to:

1. their provider: own files, created by the Controller and external files - belonging to entities other than the Controller

2. their storage period: session files (active only when the Customer uses the website) and permanent files (saved in the user's computer memory)

3. the purpose of their use: necessary (enabling the proper working of the website), functional/preferential (enabling the website to be adjusted to the preferences of the website user), analytical (collecting data on how the website is used), as well as marketing, advertising and social media (collecting information about the user of the website in order to display personalised advertisements to that person and conduct other marketing activities)

The Controller will use cookies for the following purposes:

The Website users may change settings related to cookies at any time. Details regarding ways and methods of managing cookies are available in the software settings (of the web browser).

Examples of editing options in popular browsers:

– Mozilla Firefox: www.support.mozilla.org/pl/kb/ciasteczka

– Internet Explorer: www.support.microsoft.com/kb/278835/pl

– Google Chrome: www.support.google.com/chrome/bin/answer.py?hl=pl&answer=95647

– Safari: www.safari.helpmax.net/pl/oszczedzanie-czasu/blokowanie-zawartosci/

– Opera: https://help.opera.com/pl/latest/web-preferences/#cookies

– Microsoft Edge: https://support.microsoft.com/en-us/help/4468242/microsoft-edge-browsing-data-and-privac

The Controller may use Google Analytics and Universal Analytics services provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) on the website. These services help the Controller monitor statistics and analyse website traffic. The collected data is processed as part of the above services to generate statistics helpful in website administration and traffic analysis. This data is aggregate. By using the above services, the Controller gathers data such as the source and medium of obtaining website visitors and the manner of their usage of the website, information on devices and browsers from which they access the website, IP and domain, geographic and demographic data (age, gender) and interests. Anyone can easily block providing information about their activity on the Online Store website to Google Analytics - for this purpose, you can install an Opt-out Browser Add-on provided by Google Ireland Ltd. available here: https://tools.google.com/dlpage/gaoptout?hl=en.