Privacy Policy
I. What is the Privacy Policy?
The privacy policy is a set of rules intended to inform Users about the process of obtaining, processing and securing their personal data. These processes are carried out in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as GDPR), the Act of 10 May 2018 on the protection of personal data (consolidated text: Journal of Laws of 2019, item 1781), and the Act of 18 July 2002 on the provision of electronic services.
The purpose of this Privacy Policy is to comply with the information obligation arising from Article 13 of the GDPR.
II. Definitions
The terms used in the Privacy Policy mean:
1. ADMINISTRATOR – KOKOSEK BABY STORE SC, registered at ul. Dyrekcyjna 3, 50-528 Wrocław, NIP: 8992877117, REGON: 385561480.
2. PERSONAL DATA – information about a natural person identified or identifiable by a factor/factors determining physical, physiological, genetic, mental, economic, cultural or social identity (including name and surname, identification number, device IP, location data, online identifier, information collected via Cookies and other similar technology).
3. CUSTOMER – User purchasing a Product/Products in the Online Store.
4. POLICY – this Privacy Policy.
5. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
6. ONLINE STORE – a sales platform for Products and services offered by the Seller, available on the Internet at www.kokosek.pl.
7. BLOG – a blog maintained on the Online Store by the Administrator.
8. USER – a natural person visiting the Online Store and using the services offered by the Administrator and described in the Privacy Policy.
9. REGISTERED USER – a natural person who has registered in the Online Store by creating a Customer Account.
10. REGULATIONS – Regulations of the Website, which in the scope of Electronic Services are the regulations referred to in Article 8 of the Act of 18 July 2002 on the provision of services by electronic means (consolidated text: Journal of Laws of 2020, item 344), available at the registered office of the Administrator (brick-and-mortar store) and at https://kokosek.pl/pages/regulamin-sklepu.
III. Personal Data Administrator
The personal data controller is KOKOSEK BABY STORE SC, registered at ul. Dyrekcyjna 3, 50-528 Wrocław, NIP: 8992877117, REGON: 385561480.
Contact with the Administrator is possible by sending a written message to the registered office address indicated above or by sending a message to the e-mail address: rodo@kokosek.pl
IV. Purposes and basis of personal data processing and processing periods
In accordance with the scope of its activities, the Administrator processes Users' personal data for various purposes, but always in accordance with the law and within the limits specified by the GDPR.
1. Using the Online Store
Data collected in connection with the use of the Online Store (including browsing) may constitute personal data, particularly when it concerns a Registered User. This data is processed for the following purposes:
- provision of services by electronic means (Article 6, paragraph 1, letter b of the GDPR),
- remembering the contents of the shopping cart (Article 6, paragraph 1, letter f of the GDPR – legitimate interest of the Controller),
- analysis and statistics (Article 6(1)(f) of the GDPR),
- improving the purchasing process thanks to data on the location of the end device (Article 6, paragraph 1, letter f of the GDPR),
- establishing and pursuing claims or defending against them (Article 6(1)(f) of the GDPR).
Storage period: data is processed for the duration of use of the Store and until the processing purposes expire or an objection is effectively raised.
2. Registration and logging in to the Customer Account
An email address is required for registration. Data is processed for the following purposes:
- maintaining the Account and enabling logging in (Article 6, paragraph 1, letter b of the GDPR),
- analysis and statistics (Article 6(1)(f) of the GDPR),
- pursuing or defending against claims (Article 6(1)(f) of the GDPR).
Retention period: data is stored for the duration of the Account's existence and then until the expiry of the limitation period for claims.
3. Maintaining the Customer Account and automatic completion of data
Users can enter additional data in their account panel and consent to its automatic completion when placing an order. This data is processed for the following purposes:
- maintaining the Account (Article 6, paragraph 1, letter b of the GDPR),
- analysis and statistics (Article 6(1)(f) of the GDPR),
- pursuing or defending against claims (Article 6(1)(f) of the GDPR),
- automatic completion of data when placing an order – based on the User’s consent (Article 6, paragraph 1, letter a of the GDPR),
- marketing activities of the Controller (Article 6, paragraph 1, letter f of the GDPR).
Retention period: Account-related data – until deletion. Consent-based data – until withdrawal.
4. Placing an Order in the Online Store
Placing an order requires providing data marked as mandatory, such as: name and surname, delivery address, e-mail address, telephone number, invoice details (NIP/company number – if applicable), order number, selected delivery and payment methods and payment identifiers (without storing full card details).
Data is processed for the purposes of:
- conclusion and performance of the sales contract (Article 6, paragraph 1, letter b of the GDPR),
- issuing and storing accounting documents and fulfilling tax obligations (Article 6, paragraph 1, letter c of the GDPR),
- analysis and statistics (Article 6(1)(f) of the GDPR),
- pursuing or defending against claims (Article 6(1)(f) of the GDPR).
Retention period: accounting documents – 5 years from the end of the tax year; other data – until the limitation period for claims.
5. Contact via the Contact Form
Providing the data necessary to respond to your inquiry is required. The data is processed for the following purposes:
- identification of the sender and handling of the inquiry (Article 6(1)(f) of the GDPR),
- analysis and statistics (Article 6(1)(f) of the GDPR),
- pursuing or defending against claims (Article 6(1)(f) of the GDPR).
Retention period: until the end of the case, then a maximum of 3 years for evidentiary purposes.
6. Telephone and e-mail contact with the Customer Service Office
Providing a phone number or email address is required, and in some cases, additional data needed to process the request. The data is processed for the following purposes:
- handling inquiries (Article 6(1)(f) of the GDPR),
- analysis and statistics (Article 6(1)(f) of the GDPR),
- pursuing or defending against claims (Article 6(1)(f) of the GDPR).
Retention period: until the end of the case + a maximum of 3 years for evidentiary purposes.
7. Newsletter
The User's consent is required for sending the Newsletter (Article 6, paragraph 1, letter a of the GDPR and Article 10 of the Act on the Protection of Personal Data). Data are processed for the following purposes:
- sending the newsletter (based on consent),
- analysis and statistics (Article 6(1)(f) of the GDPR),
- pursuing or defending against claims (Article 6(1)(f) of the GDPR).
Retention period: until consent is withdrawn or objection is raised.
8. Marketing
The Administrator may process data for marketing purposes, including:
- displaying contextual advertising (Article 6(1)(f) of the GDPR),
- displaying advertisements tailored to your interests (behavioral profiling – based on consent, Art. 6 sec. 1 letter a of the GDPR).
Retention period: until effective objection or withdrawal of consent.
9. Blog and comments
To add a comment, you must provide your name and email address (this address is not published). The data is processed for the following purposes:
- enabling comments (Article 6(1)(b) of the GDPR),
- analysis and statistics (Article 6(1)(f) of the GDPR),
- the Administrator's own marketing (Article 6, paragraph 1, letter f of the GDPR),
- pursuing or defending against claims (Article 6(1)(f) of the GDPR).
Retention period: until the comment is deleted or an objection is filed; in the case of claims – until their limitation period expires.
Collection, acquisition, scope and purpose of collecting personal data
The Administrator informs Users that in connection with conducting marketing, communication and analytical activities, it entrusts the processing of personal data to specialized external entities providing services in the field of:
- handling mailing systems and marketing automation,
- sending newsletters and SMS messages,
- analyzing User behavior in the Store and conducting remarketing activities in digital channels,
- operating analytical systems and optimizing website performance.
The Administrator also informs that within the framework of the operation of the Online Store, technologies are used to track the activities of Users/Customers, including in particular analytical and marketing codes, used to analyze the statistics of visits to the Store, improve its functionality and conduct marketing communications, only within the scope of campaigns launched or indicated by the Administrator.
Data processing by entities cooperating with the Controller is based on concluded personal data processing agreements, in accordance with Article 28 of the GDPR. These entities do not use the data for their own purposes, but only to the extent necessary to provide services to the Controller.
The period of data processing within the framework of cooperation with these entities corresponds to the period of validity of the User's consent to marketing communications or lasts until the User effectively objects to the processing of data for this purpose.
V. Recipients of personal data
1. In connection with operating the Online Store, the Administrator uses the services of external entities, which requires the transfer of Users' personal data. Personal data may be transferred, in particular, to the following categories of recipients:
Payment operators:
- PayPro SA (Przelewy24, Polcard – Settlement Agent), ul. Pastelowa 8, 60-198 Poznań, KRS 0000347935, NIP 7792369887 – handling electronic and card payments,
- PayPal (Europe) S.à rl et Cie, SCA, Boulevard Royal 22-24, L-2449 Luxembourg – PayPal payment processing.
Courier and postal companies – in particular: InPost, DPD, DHL, UPS, Poczta Polska – for the purpose of delivering orders.
IT service providers and sales integration providers – including entities providing software supporting order fulfillment, sales management, inventory management and integration with e-commerce platforms.
Opinion and satisfaction survey support – external entities supporting the process of collecting opinions and surveying customer satisfaction after a purchase.
Marketing and analytics service providers – e.g. entities providing services in the field of web analytics, digital marketing, contextual advertising or marketing communications automation.
Entities providing legal, accounting, auditing and advisory services – within the scope of legal, tax and accounting services for the Administrator.
2. Personal data may also be transferred to public administration bodies or other entities authorized under the law – only in cases where such an obligation results from applicable regulations.
VI. Users' rights regarding personal data
1. Users whose personal data are processed have the following rights under the GDPR:
a) The right to access data – to obtain information as to whether data are being processed and, if so, to access them and receive information, among others, on the purposes of processing, data categories, recipients, storage period, as well as the rights of the User.
b) The right to obtain a copy of the data – to receive a copy of the personal data being processed. The first copy of the data is free of charge; for subsequent copies, the Controller may charge a fee based on administrative costs.
c) The right to rectification of data – requesting the correction or supplementation of incorrect or incomplete data.
d) The right to erasure of data ("right to be forgotten") – to request the erasure of data in the cases specified in Article 17 of the GDPR, e.g. when the data are no longer necessary for the purposes for which they were collected or when consent to their processing has been withdrawn.
e) The right to restrict processing – to request the restriction of data processing in the cases specified in Article 18 of the GDPR, e.g. when the User questions the accuracy of the data or objects to their processing.
f) The right to data portability – to receive data in a structured, commonly used and machine-readable format and to request its transfer to another controller if the processing is based on consent or a contract and is carried out in an automated manner.
g) The right to object to the processing of data for marketing purposes – The User may object to the processing of their data for direct marketing purposes at any time. Any objection in this regard will be honored immediately.
h) The right to object to data processing for other purposes – the User may object to data processing when it is based on the Controller's legitimate interest. In such a case, the Controller will no longer process the data unless it demonstrates compelling legitimate grounds that override the User's interests, rights, and freedoms, or grounds for establishing, pursuing, or defending legal claims.
i) The right to withdraw consent – if data is processed based on consent, the User may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
2. The User may submit a request regarding the exercise of the above rights:
- in writing, to the correspondence address: KOKOSEK BABY STORE SC, ul. Dyrekcyjna 3, 50-528 Wrocław – this is the preferred form of contact, ensuring the fastest processing of the application,
- by e-mail to the following address: rodo@kokosek.pl – however, in such a case, the deadline for responding is counted from the moment the message is actually read by the Administrator.
3. The Administrator may request additional information necessary to confirm the identity of the person submitting the application.
4. A response to the request will be provided promptly, but no later than one month from its receipt. This deadline may be extended by a maximum of two months due to the complex nature of the request or the number of submissions. In such a case, the Administrator will inform the User of the reasons for any extension.
5. The response is provided in the form in which the request was submitted (e.g. by letter or e-mail), unless the User indicates a different preferred form.
VII. The right to lodge a complaint with the President of the Personal Data Protection Office
If the User believes that his or her personal data is being processed contrary to applicable law, he or she may file a complaint with the President of the Personal Data Protection Office.
VIII. Transfer of personal data to third countries and international organizations
1. As a rule, Users' personal data processed by the Controller are stored within the territory of the European Economic Area (EEA).
2. Due to the Controller's use of the services of certain suppliers, data may be transferred outside the EEA, in particular to:
- Shopify International Ltd. – Data may be transferred to Canada and the United States in connection with the hosting and operation of the sales platform (Shopify). Canada has an adequacy decision from the European Commission. For data transfers to the US, Standard Contractual Clauses (SCCs) approved by the European Commission are used.
- PayPal (Europe) S.à rl et Cie, SCA – within the scope of PayPal payment processing, data may be transferred to the United States. Data protection is ensured through the use of standard contractual clauses (SCCs).
- Google Ireland Ltd. and Meta Platforms Ireland Ltd. (Facebook, Instagram) – for marketing and analytical tools, data may be transferred to the United States. In such cases, Standard Contractual Clauses (SCCs) and other required safeguards under the GDPR are used.
- Other entities based outside the EEA, providing IT support or marketing services, with which the Controller cooperates only if an adequate level of personal data protection is ensured in accordance with the GDPR.
3. In any case, data transfers outside the EEA will be carried out using appropriate safeguards as referred to in Article 46 of the GDPR, in particular standard contractual clauses adopted by the European Commission, or on the basis of a Commission decision establishing an adequate level of protection (Article 45 of the GDPR).
4. The User has the right to obtain a copy of the safeguards applied regarding the transfer of personal data outside the EEA by contacting the Controller at the address indicated in this Privacy Policy.
IX. Concluding Remarks
1. In matters not covered by this Privacy Policy, the provisions of the GDPR and generally applicable Polish provisions on personal data protection shall apply.
2. An integral part of this Privacy Policy is the Cookie Policy available at the Administrator's registered office (brick-and-mortar store) and at https://kokosek.pl/pages/polityka-plikow-cookies.
3. The Privacy Policy is effective from the moment of its publication in the Online Store, i.e. from 17/11/2020, and is available at the Administrator’s registered office (brick-and-mortar store) and at https://kokosek.pl/pages/polityka-prywatnosci.