Privacy Policy
This Privacy Policy (hereinafter: “Policy“) contains information on the processing of your personal data in connection with the use of the “Cheerful Bambino” online store, operating at the Internet address www.cheerfulbambino.com (hereinafter: “Store“).
All capitalized terms that are not otherwise defined in the Policy have the meaning given to them in the Terms & Conditions, available here.
Personal Data Administrator
The Administrator of your personal data is Joanna Mazik running a business under the name “Cheerful Bambino Joanna Mazik” (address of the permanent place of business: ul. Hetmańska 14/10, 20-553 Lublin), entered into the Central Register and Information on Business, having the NIP number: 7151910844, REGON: 523792424 (hereinafter: “Administrator“).
Contact with the Administrator
In all matters related to the processing of personal data, you can contact the Administrator via:
- a) e-mail – at the address: hi@cheerfulbambino.com;
- b) traditional mail – at the address: Hetmańska 14/10, 20-553 Lublin, POLAND;
- c) telephone – at the number: +48 531 393 390.
Personal data protection measures
The Administrator applies modern organizational and technical security measures to ensure the best protection of your personal data and guarantees that it processes them in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) (hereinafter: “GDPR), and other provisions on the protection of personal data.
Information about processed personal data
Using the Store requires the processing of your personal data. Below you will find detailed information about the purposes for the processing, the processing period and the obligation or voluntarily to provide them.
I.
Purpose of the processing:
Conclusion and performance of the Sales Agreement
Processed personal data:
- name and surname;
- telephone number
- e-mail address;
- address of residence;
- business address and tax identification number (if the Buyer is an Entrepreneur or an Entrepreneur with Consumer rights);
- delivery address (street, house number, apartment number, city, postal code, country) – if different from the address of residence/business activity.
Legal basis:
art. 6 sec. 1 lit. b GDPR (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract)
Disclosure:
Providing the above-mentioned personal data is a condition for the conclusion and performance of the Sales Agreement (their provision is voluntary, but the consequence of not providing them will be the inability to conclude and perform the Agreement mentioned above).
The Administrator will process the above-mentioned personal data until the claims resulting from the Agreement mentioned above expire.
II.
Purpose of the processing:
Complaints procedure
Processed personal data:
- name and surname;
- telephone number
- e-mail address;
- Order number;
- mailing address (street, house number, apartment number, city, postal code, country).
Legal basis:
art. 6 sec. 1 lit. c GDPR (processing is necessary for compliance with a legal obligation to which the controller is subject)
Disclosure:
Providing the above-mentioned personal data is a condition for receiving a response to the complaint or exercising the Customer’s rights under the provisions on the Administrator’s liability in the event of non-compliance of the Goods or the Newsletter with the Agreement related to it (their provision is voluntary, but the consequence of not providing them will be the inability to receive a response to the complaint and the implementation of the permissions mentioned above).
The Administrator will process the above-mentioned personal data for the duration of the proceedings, and in the case of exercising the above-mentioned rights of the Customer – until their expiry.
III.
Purpose of the processing:
Conclusion and performance of the Newsletter Delivery Agreement
Processed personal data:
e-mail address;
Legal basis:
art. 6 sec. 1 lit. b GDPR (processing is necessary for the performance of a contract for the delivery of the Newsletter to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract)
&
art. 6 sec. 1 lit. f GDPR (processing is necessary in order to implement the Administrator’s legitimate interest, in this case, informing about new products and promotions available in the Store)
Disclosure:
Providing the above-mentioned personal data is voluntary but necessary in order to receive the Newsletter (the consequence of not providing it will be the inability to receive the Newsletter).
The Administrator will process the above-mentioned personal data until the objection is raised, the purpose of processing is achieved, or the claims expire.
IV.
Purpose of the processing:
Sending email notifications (e.g. about the availability of Goods)
Processed personal data:
e-mail address;
Legal basis:
art. 6 sec. 1 lit. f GDPR (processing is necessary in order to implement the Administrator’s legitimate interest, in this case, informing Customers about the actions taken related to the performance of Sales Contracts)
Disclosure:
Providing the above-mentioned personal data is voluntary but necessary in order to receive information about activities related to the performance of Agreements concluded with Customers (the consequence of not providing them will be the inability to receive the information as mentioned above).
The Administrator will process the above-mentioned personal data until the objection is raised or the purpose of processing is achieved.
V.
Purpose of the processing:
Handling inquiries submitted by customers
Processed personal data:
- name;
- e-mail address;
- other data contained in the message to Administrator.
Legal basis:
art. 6 sec. 1 lit. f GDPR (processing is necessary in order to implement the Administrator’s legitimate interest, in this case, to answer the received inquiry)
Disclosure:
Providing the above-mentioned personal data is voluntary but necessary in order to receive an answer to the inquiry (the consequence of not providing it will be the inability to receive an answer).
The Administrator will process the above-mentioned personal data until the objection is raised or the purpose of processing is achieved.
VI.
Purpose of the processing:
Fulfillment of tax obligations (e.g. issuing a VAT invoice, storing accounting documentation)
Processed personal data:
- name and surname/ company name;
- address of residence/ business;
- tax identification number;
- Order number.
Legal basis:
art. 6 sec. 1 lit. b GDPR (processing is necessary to fulfill a legal obligation of the Administrator, in this case the obligations arising from tax law)
Disclosure:
Providing the above-mentioned personal data is voluntary but necessary for the Administrator to meet his tax obligations (the consequence of not providing them will be the Administrator’s inability to meet the fulfilling tax obligations).
The Administrator will process the above-mentioned personal data for 5 years from the end of the year when the deadline for tax payment for the previous year expires.
VII.
Purpose of the processing:
Fulfillment of obligations related to the protection of personal data
Processed personal data:
- Name and surname;
- The contact details you provided (e-mail address; mailing address, telephone number).
Legal basis:
art. 6 sec. 1 lit. c GDPR (processing is necessary to fulfill a legal obligation of the Administrator, in this case the obligations arising from the provisions on the protection of personal data)
Disclosure:
Providing the above-mentioned personal data is voluntary but necessary for the proper performance by the Administrator of the obligations arising from the provisions on the protection of personal data, including the implementation of the rights granted to you by the GDPR (the consequence of not providing the above-mentioned data will be the inability to properly exercise the rights mentioned above).
The Administrator will process the above-mentioned personal data until the expiry of the limitation periods for claims for violation of the provisions on the protection of personal data.
VIII.
Purpose of the processing:
Determination, investigation or defence against claims
Processed personal data:
- name;
- surname;
- company name;
- e-mail address;
- address of residence/ business;
- social security number/ tax identification number.
Legal basis:
art. 6 sec. 1 lit. f GDPR (processing is necessary in order to implement the Administrator’s legitimate interest, in this case to establish, investigate or defend against claims that may arise in connection with the performance of Agreements concluded with the Administrator)
Disclosure:
Providing the above-mentioned personal data is voluntary but necessary to determine, investigate or defend against claims that may arise in connection with the performance of Agreements concluded with the Administrator (the consequence of not providing them will be the Administrator’s inability to take the actions mentioned above).
The Administrator will process the above-mentioned personal data until the expiry of the limitation periods for claims that may arise in connection with the performance of Agreements concluded with the Administrator.
IX.
Purpose of the processing:
Analysis of your activity in the Store
Processed personal data:
1) date and time of the visit;
2) device IP number;
3) type of device operating system;
4) approximate location;
5) type of web browser;
6) time spent in the Store;
7) viewed Goods;
8) visited subpages and other actions taken within the Store
Legal basis:
art. 6 sec. 1 lit. f GDPR (processing is necessary in order to implement the Administrator’s legitimate interest, in this case obtaining information about your activity in the Store)
Disclosure:
Providing the above-mentioned personal data is voluntary but necessary for the Administrator to obtain information about your activity in the Store (the consequence of not providing them will be the Administrator’s inability to get the data mentioned above).
The Administrator will process the above-mentioned personal data until the objection is raised or the purpose of processing is achieved.
X.
Purpose of the processing:
Store administration
Processed personal data:
1) IP address;
2) server date and time;
3) information about the web browser;
4) information about the operating system.
Legal basis:
art. 6 sec. 1 lit. f GDPR (processing is necessary in order to implement the Administrator’s legitimate interest, in this case to ensure the proper operation of the Store)
Disclosure:
The above data is automatically saved in the so-called server logs each time you use the Store (administrating it without server logs and automatic saving would not be possible).
Providing the above-mentioned personal data is voluntary but necessary to ensure the proper operation of the Store (the consequence of not providing them will be the inability to ensure the correct operation of the Store).
The Administrator will process the above-mentioned personal data until the objection is raised or the purpose of processing is achieved.
XI.
Purpose of the processing:
Create a Facebook or Instagram audience
Processed personal data:
- name and surname;
- e-mail address.
Legal basis:
art. 6 sec. 1 lit. f GDPR (processing is necessary in order to implement the Administrator’s legitimate interest, in this case to create a group of recipients of advertisements on Facebook and Instagram)
Disclosure:
Providing the above-mentioned personal data is voluntary but necessary to create a group of recipients (the consequence of not providing them will be the Administrator’s inability to complete the groups mentioned above).
The above-mentioned personal data is deleted immediately after the matching process is completed and is not made available to third parties or other advertisers.
XII.
Purpose of the processing:
Handling of Administrator profiles on social media
Processed personal data:
- name and surname;
- e-mail address;
- other data you provided (e.g. in message)
Legal basis:
art. 6 sec. 1 lit. f GDPR (processing is necessary in order to implement the Administrator’s legitimate interest, in this case to enable commenting on content published in social media and responding to received messages)
Disclosure:
Providing the above-mentioned personal data is voluntary but necessary to comment on the content published on the Administrator’s social media profiles and to receive responses to messages sent to these profiles (the consequence of not providing them will be the inability to perform the activities mentioned above).
The Administrator will process the above-mentioned personal data until the objection is raised or the purpose of processing is achieved.
Profiling
In order to create your profile for marketing purposes and to direct marketing tailored to your preferences, the Administrator will process your personal data in an automated manner, including profiling – however, this will not have any legal effects on you or significantly affect your situation.
The scope of the profiled personal data corresponds to the scope indicated above in relation to the analysis of your activity in the Store and the data that you will save in the Account.
The legal basis for the processing of personal data for the above purpose is art. 6 sec. 1 lit. f of the GDPR, according to which the Administrator may process personal data in order to pursue its legitimate interest, in this case conducting marketing activities tailored to recipients’ preferences. Providing the above-mentioned personal data is voluntary but necessary to achieve the purpose mentioned above (the consequence of not providing them will be the Administrator’s inability to conduct marketing activities tailored to the preferences of recipients).
The Administrator will process personal data for profiling until the objection is raised or the purpose of processing is achieved.
Recipients of personal data
Recipients of personal data will be the following external entities cooperating with the Administrator, among others:
- hosting company;
- online payment system providers;
- newsletter service provider;
- companies providing tools to analyze activity in the Store and direct marketing to individuals using it (including Google Analytics);
- a company providing accounting services.
In addition, personal data may also be transferred to public or private entities if such an obligation arises from generally applicable laws, a final court judgment or a valid administrative decision.
Transfer of personal data to a third country
In connection with the Administrator’s use of services provided by Google LLC, your personal data may be transferred to the following third countries: United Kingdom, Canada, USA, Chile, Brazil, Israel, Saudi Arabia, Qatar, India, China, South Korea, Japan, Singapore, Taiwan (Republic of China), Indonesia and Australia. The basis for the transfer of data to the mentioned third countries is:
- in the case of the United Kingdom, Canada, Israel and Japan – decisions of the European Commission stating the adequate level of protection of personal data in each of the aforementioned third countries;
- in the case of the USA, Chile, Brazil, Saudi Arabia, Qatar, India, China, South Korea, Singapore, Taiwan (Republic of China), Indonesia and Australia – contractual clauses providing an adequate level of protection, in accordance with the standard contractual clauses outlined in Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and the Council.
You may obtain a copy of data transferred to a third country from the Administrator.
Entitlements
In connection with the processing of personal data, you have the following rights:
- the right to be informed which personal data concerning you are processed by the Administrator and to receive a copy of such data (the so-called right of access). The issuance of the first copy of data is free of charge. For subsequent copies, the Administrator may charge a fee;
- if the processed data becomes outdated or incomplete (or otherwise incorrect), you have the right to request rectification;
- in certain situations, you may request the Administrator to delete your personal data, such as when:
- the Administrator no longer needs the data for the purposes for which it has informed you;
- you have effectively withdrawn your consent to data processing – unless the Administrator has the right to process the data on another legal basis;
- the processing is unlawful;
- the need to delete the data is due to a legal obligation of the Administrator;
- in case the Administrator processes your personal data on the basis of your consent to processing or for the purpose of executing the Agreement concluded with the Administrator, you have the right to transfer your data to another Administrator;
- where the Administrator processes personal data on the basis of the processing consent you have given, you have the right to withdraw this consent at any time (withdrawal of consent does not affect the lawfulness of the processing that was performed based on consent before its withdrawal);
- if you consider that the processed personal data is incorrect, its processing is unlawful, or the Administrator no longer needs specific data, you may request that for a certain necessary period (e.g., to verify the correctness of the data or to assert claims) the Administrator not perform any operations on the data, but only store it;
- You have the right to object to the processing of personal data based on the Administrator’s legitimate interests. If you successfully object, the Administrator will stop processing your personal data for the purpose mentioned above;
- you have the right to lodge a complaint with the President of the Office for Personal Data Protection if you consider that personal data processing violates the GDPR’s provisions.
Cookies
-
- The Administrator informs that the Store uses ‘cookies’ installed on your terminal device. These are small text files that can be read by the Administrator’s system and by systems belonging to other entities whose services are used by the Administrator (e.g. Google).
- The Administrator uses cookies for the following purposes:
- ensuring proper functioning of the Store – thanks to cookies, it is possible to ensure smooth operation of the Store, use its functions and convenient movement between the various subpages;
- increasing the comfort of browsing the Store – thanks to cookie files, it is possible to detect errors on some subpages and their constant improvement;
- creating statistics – cookies are used to analyze how users use the Store. They make it possible to constantly improve the Store and adjust its operation to the preferences of users;
- conducting marketing activities – thanks to cookies, the Administrator can direct advertising to users tailored to their preferences.
- The Administrator may place both permanent and temporary (session) files on your device. Session files are usually deleted when you close your browser, while closing your browser does not delete permanent files.
- Information about the cookies used by the Administrator is displayed in the panel at the bottom of the Store’s website. Depending on your decision, you can enable or disable cookies of each category (except for essential cookies) and change these settings at any time.
- Data collected through cookies do not allow the Administrator to identify you.
- The Administrator uses the following cookies or tools that use them:
file type, “file name”, (file provider), /operation period
file function
essential, “access_token”, (Administrator), /1 day
This cookie is used to identify the visitor through the application. This allows the visitor to log in to the website via the application (e.g. Facebook).
essential, “CookieConsent”, (Cookiebot), /1 year
This cookie is used to store the visitor’s consent to the use of cookies.
essential, “test_cookie”, (Google), /1 day
This cookie is used to verify that the visitor’s browser accepts cookies.
essential, “CONSENT [x2]”, (Google), /2 years
This cookie is used to verify that the visitor has consented to the use of cookies.
preferential, “lang”, (Administrator), / Indefinite (until deleted)
This cookie is used to determine the visitor’s preferred language and country settings – this allows the site to display content that is most appropriate for that region and language.
statistical, “_ga”, (Google), /2 years
This cookie is used to generate statistical data about how a visitor uses the site.
statistical, “_ga_#”, (Google), /2 years
This cookie (used by Google Analytics) is used to collect data on the number of times a visitor visits the site and the dates of the first and last visit.
marketing, “_fbp”, (Meta Platforms Limited), /3 months
This cookie (used by Facebook Pixel) is used to present Facebook ads to the visitor.
marketing, “_gcl_au”, (Google), /3 months
This cookie (used by Google AdSense) is used to measure the effectiveness of ads.
marketing, “IDE”, (Google), /1 year
This cookie (used by Google DoubleClick) is used to record and report on a site visitor’s actions after viewing or clicking on one of the advertiser’s ads to measure the effectiveness of the ad and present targeted ads to the visitor..
marketing, “pagead/landing [x2]”, (Google), /session
This cookie is used to collect visitor behaviour data from multiple sites to present more relevant advertising. In addition, it allows the site to limit the number of times the same ad is shown.
marketing, “VISITOR_INFO1_LIVE”, (Google), /179 days
This cookie (used by YouTube) is used to measure the number of visitors to a site with an embedded video.
marketing, “YSC”, (Google), /session
This cookie (used by YouTube) is used to determine which YouTube videos the visitor has viewed.
marketing, “yt.innertube::nextId”, (Google), /Indefinite (until deleted)
This cookie (used by YouTube) is used to determine which videos available on YouTube a visitor has watched.
marketing, “yt.innertube:: requests”, (Google), /Indefinite (until deleted)
This cookie (used by YouTube) is used to gather statistics on what videos available on YouTube a visitor has watched.
marketing, “ytidb::LAST_RESULT_ENTRY_KEY”, (Google), /Indefinite (until deleted)
This cookie (used by YouTube) is used to store the visitor’s viewing preferences.
marketing, “yt-remote-cast-available”, (Google), /session
This cookie (used by YouTube) is used to store the visitor’s viewing preferences.
marketing, “yt-remote-cast-installed”, (Google), /session
This cookie (used by YouTube) is used to store the visitor’s viewing preferences.
marketing, “yt-remote- connected-devices”, (Google), / Indefinite (until deleted)
This cookie (used by YouTube) is used to store the visitor’s viewing preferences.
marketing, “yt-remote- device-id”, (Google), / Indefinite (until deleted)
This cookie (used by YouTube) is used to store the visitor’s viewing preferences.
marketing, “yt-remote- fast-check-period”, (Google), /session
This cookie (used by YouTube) is used to store the visitor’s viewing preferences.
marketing, “yt-remote- session-app”, (Google), /session
This cookie (used by YouTube) is used to store the visitor’s viewing preferences.
marketing, “yt-remote- session-name”, (Google), /session
This cookie (used by YouTube) is used to store the visitor’s viewing preferences.
- Through the most commonly used browsers, you can check whether cookies have been installed on your device, as well as delete installed cookies and block the installation of cookies in the future by the Store. However, disabling or restricting cookies may cause quite severe difficulties in using the Store, e.g. log in to each subpage, the longer loading of the Store’s website, and limitations in using certain functionalities.
Final Provisions
The generally applicable data protection regulations shall apply to the extent not regulated by the Policy.
The Policy is effective as of January 1, 2023.