ONLINE SHOP PRIVACY POLICY 

WWW.RAINBOWSOCKS.COM

1. The Personal Data Administrator of the online store available at: www.rainbowsocks.com, hereinafter referred to as the Online Store, is IWUC LIMITED LIABILITY COMPANY with its registered office in Warsaw, ul. Kłobucka 8B/28, 02-699 Warsaw, registered in the register of entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, XIII Economic Department of the National Court Register, under KRS number: 0000636355, NIP: 9512418776, REGON: 36537132800000, hereinafter referred to as the Personal Data Administrator.

2. All inquiries, requests, complaints regarding the processing of personal data by the Personal Data Administrator, hereinafter referred to as Notifications, should be addressed to the following email address: gosia@rainbowsocks.com or in writing to the address ul. Kłobucka 8B/28, 02-699 Warsaw. The notification should clearly indicate:

  1. the data of the person or persons covered by the Notification,
  2. the event that is the reason for the Notification,
  3. the demands made and the legal basis for these demands,
  4. the expected way of handling the matter.

3. In our Online Store, we collect the following personal data:

  1. name and surname - may be processed when users provide them to us via email, contact form, registration form, or order form available in our Online Store, as well as in the case of providing us with this data via traditional mail or during phone contact, in order to take advantage of the offer of our Online Store,
  2. phone number - may be processed in the case of phone contact, as well as when the user of the Store provides it to us via email, contact form, registration form, or order form available in our Online Store. The phone number is processed to enable us to contact the user regarding the execution of a given order or to provide an answer to other questions asked,
  3. residential/correspondence address - we process this data for the proper shipment of ordered Products; providing it is necessary when making purchases in our Store,
  4. email address - may be processed when the user provides it in the case of contact via email, contact form, registration form, or order form available in our Store, as well as via traditional mail or during phone contact. Through the email address, we respond to questions related to our offer and also provide information related to the execution of the concluded agreement. Additionally, if the user has consented to receiving marketing content and has become a subscriber to our newsletter, we will also send them commercial and marketing information several times a month,
  5. device IP address and potential personal data contained in Cookie files - information resulting from general principles of connections made on the Internet, such as IP address (and other information contained in system logs), is used for technical and statistical purposes, including in particular for collecting general demographic information (e.g. about the region from which the connection is made). This type of data is also used for marketing and analytical purposes if consent is given under Art. 173 sec. 1 of the Telecommunications Law,
  6. NIP (Tax Identification Number) and company name - data necessary for issuing all invoices and other documents related to the use of our Online Store,
  7. optionally, other data may be collected as part of conducting specific matters or may be provided by users of our Online Store via email, contact form available in the Online Store, traditional mail, or during phone contact.

4. Every person using our Online Store has the option to choose whether and to what extent they want to use our services and provide information and data about themselves, within the scope defined by the content of this Privacy Policy.

5. We process personal data for the following purposes:

  1. making purchases in our Online Store using the order form provided on the Online Store's website (Art. 6 (1) (b) GDPR) - in this regard, personal data provided will cease to be processed upon finalizing the specific transaction,
  2. entering into and performing contracts related to the services offered by us (Art. 6 (1) (b) GDPR) - in this regard, personal data will cease to be processed upon the completion of the relevant contract,
  3. maintaining individual user accounts (Art. 6 (1) (b) GDPR) - in this regard, personal data will cease to be processed upon deletion of the user account by the user,
  4. directing marketing content regarding the Administrator and conducting website analytics in connection with the use of cookies (Art. 6 (1) (a) GDPR) - personal data is processed until the end of the session or deletion of cookies by the user, withdrawal of consent, or until effective objection to processing for this purpose is made,
  5. maintaining the website (Art. 6 (1) (f) GDPR in conjunction with Art. 173 (1) of the Telecommunications Law) - in this regard, personal data will cease to be processed upon the expiration of the Cookie file, deletion of cookies, or accordingly upon the end of the specific session,
  6. providing the newsletter service (subscription) (Art. 6 (1) (a) GDPR) - in this regard, provided personal data will be deleted upon withdrawal of consent and removal from the newsletter subscribers list,
  7. fulfilling legal obligations incumbent on the Personal Data Administrator, in particular, maintaining documentation, issuing invoices, etc. (Art. 6 (1) (c) GDPR) - in this regard, personal data will be deleted upon fulfilling specific legal obligations,
  8. ongoing communication related to the functioning of the Online Store (Art. 6 (1) (f) GDPR, i.e., the legitimate interest of the Personal Data Administrator) - in this regard, your personal data will cease to be processed upon responding to the specific question or questions,
  9. establishing and asserting claims or defending against such claims (Art. 6 (1) (f) GDPR, i.e., the legitimate interest of the Personal Data Administrator) - in this regard, personal data will be deleted upon the expiration of the relevant claims, but generally after the expiry of the 3-year statute of limitations period.

6. The users, i.e., the persons whose data is processed, are the source of the personal data processed by the Personal Data Administrator.

7. The Administrator utilizes tools provided by Google Ireland Ltd (Google Analytics, Google Ads) and Meta Platforms Ireland Ltd. (Facebook Pixel). As a general rule, data processed within the use of these tools are processed on servers located within the EEA. However, entities providing these tools may be obliged to transfer data to third parties if such an obligation is imposed on them by law or if it is necessary due to the nature of the services provided (SaaS, hosting, etc.). The scope of transferred personal data in this regard refers to all personal data indicated in point 3 of this Privacy Policy. The legal bases for processing personal data indicated in the preceding sentence have been specified in point 5 letters d and e of this Policy. The transfer of personal data to the United States is based on the European Commission Decision of 10.07.2023 on ensuring an adequate level of protection through the EU-US Data Protection Frameworks (Article 45 (1) GDPR). Our data importer entities meet the criteria of the decision and participate in the Data Protection Framework program, and are listed at: https://www.dataprivacyframework.gov/s/participant-search.

8. We do not provide any personal data to third parties without the explicit consent of the person whose data it concerns. Personal data may be disclosed without the consent of the person whose data it concerns, solely to entities authorized to process personal data under applicable law (e.g., law enforcement authorities, Social Security Institution, or Tax Office). The Administrator discloses personal data of its clients in particular to: payment operators, companies providing postal and courier services, and tax authorities.

9. Personal data may be entrusted for processing to entities processing such data on our behalf as the Data Controller. In such a situation, as the Data Controller, we conclude a data processing agreement with the data processing entity. The data processing entity processes the entrusted personal data solely to the extent and for the purposes specified in the data processing agreement referred to in the preceding sentence. Without entrusting personal data for processing, we could not conduct our activities within the Online Store or deliver parcels with ordered Products. As the Data Controller, we entrust personal data for processing, in particular, to the following entities:

  1. providing hosting services for the website on which our Online Store operates,
  2. managing CRM,
  3. providing accounting services,
  4. providing other services necessary for the current operation of the Online Store on our behalf.

10. Personal data is not subject to profiling by us as the Data Controller within the meaning of the GDPR regulations.

11. In accordance with the GDPR regulations, every individual whose personal data we process as the Data Controller has the right to:

  1. access their personal data as referred to in Article 15 of the GDPR,
  2. be informed about the processing of personal data as referred to in Article 12 of the GDPR,
  3. rectify, complete, update, or correct personal data as referred to in Article 16 of the GDPR,
  4. withdraw consent at any time as stipulated in Article 7 (3) of the GDPR,
  5. have their data erased (right to be forgotten) as referred to in Article 17 of the GDPR,
  6. restrict processing as referred to in Article 18 of the GDPR,
  7. data portability as referred to in Article 20 of the GDPR,
  8. object to the processing of personal data as referred to in Article 21 of the GDPR,
  9. in the case of consent as the legal basis - the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal,
  10. not to be subject to profiling as referred to in Article 22 in conjunction with Article 4 (4) of the GDPR,
  11. lodge a complaint with the supervisory authority (i.e., the President of the Office for Personal Data Protection) as referred to in Article 77 of the GDPR.

12. If you wish to exercise your rights as mentioned in the preceding point, please send a message via email to the email address or in writing to the postal address as specified in point 2 above.

13. Each identified case of a security breach is documented, and in the event of one of the situations specified in the GDPR or the Act occurring, the individuals whose data are affected and, if applicable, the President of the Office for Personal Data Protection are informed of the breach of personal data protection regulations.

14. The Cookies Policy constitutes a separate document available at the following address: https://rainbowsocks.com/en/info/cookies-policy.html

15. In matters not regulated by this Privacy Policy, the relevant provisions of universally applicable law apply. In the event of any inconsistency between the provisions of this Privacy Policy and the above regulations, the latter shall prevail.