Sundose.io Website Privacy Policy
General provisions
This Privacy Policy describes, among other things, the means of obtaining, the purposes and legal basis for processing, the principles of storage and sharing, and the methods of protecting personal data collected through the Sundose.io website (hereinafter referred to as the “Sundose.io Website” or “Website”).
Personal data of Sundose.io Users are processed in accordance with the provisions of generally applicable law, in particular:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU.L.2016.119.1) (hereinafter referred to as “GDPR”);
- Act of 10 May 2018 on personal data protection (Journal of Laws of 2018, item 1000 as amended);
- Act of 18 July 2002 on the provision of electronic services (Journal of Laws No. 144, item 1204 as amended);
- Act of 16 July 2004 – Telecommunications Law (Journal of Laws No. 171, item 1800, as amended).
Definitions
Whenever this document refers to:
- Personal data – means information about an identified or identifiable person, directly or indirectly through an identifier such as full name, identification number, location data, internet identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual;
- Personal data processing – means any activity performed on personal data, such as collecting, recording, organising, arranging, storing, adapting or modifying, downloading, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or combining, limiting, deleting or destroying;
- Personal data controller – means the entity which alone or jointly with others determines the purposes and means of personal data processing;
- User – means any natural person who visits the Sundose.io Website and/or uses one or more of the services or functionalities made available on the Website;
- Registered User – means a user who has created a user account;
- User Account – means a set of resources and rights within the Website assigned to a particular registered user.
Data Controller
The personal data controller of the Users of the Sundose.io Website is Sundose Spółka z ograniczoną odpowiedzialnością with its registered office in Lublin, Company address: ul. Vetterów 1; 20-277 Lublin, registered by the District Court Lublin-Wschód in Lublin with its registered office in Świdnik, 6th Commercial Division of the National Court Register under number 0000642406, with a share capital of PLN 267,000.00, NIP: 7123320705, REGON: 365652197 (hereinafter referred to as the “Company” or “We”).
Data Protection Officer
The Company has appointed a Data Protection Officer to assist in complying with the provisions of the Personal Data Protection Law and in monitoring compliance with them. Our Data Protection Officer is Ms Małgorzata Kufel. The Data Protection Officer can be contacted by e-mail at: gdpr@sundose.io.
Contact with the Data controller
In matters related to the protection of personal data, contact with the Company is possible via e-mail at: gdpr@sundose.io or via traditional mail by writing to the address: Sundose Sp. z o.o.; ul. Vetterów 1; 20-277 Lublin.
Means of data collection and scope of data collection
We obtain personal data mainly directly from Sundose.io Users. Users provide or leave their personal data at different stages of using the Website. The data is collected:
- when sending us a message via the contact form, we receive: first name; surname; e-mail address and possibly order number and other personal data contained in the message, IP address of the computer from which the inquiry was sent;
- during registration and creation of a User account in the Website – we receive an e-mail address; login data, IP address of the computer from which registration was made;
- after creating a user account in the Website, if the User decides to complete his or her profile with additional data, we may receive, among other things, the first name; surname; home address, or possibly another shipping address for the ordered products; telephone number; and e-mail address;
- when filling out the health survey – we may then receive, among other things, data such as gender; age; physical data (e.g. body weight, height); demographic data; physiological data; data concerning eating habits; health data; IP address of the computer from which the survey was completed;
- when purchasing the product we offer, we receive the first name, surname, home address, or possibly another shipping address for the ordered product; telephone number; e-mail address, IP address of the computer from which the purchase was made;
- when the User pays for a product purchased through the Website – we receive, among others, the first name and surname of the bank account holder; bank account number; other data given in the reference of the payment transfer;
- automatically during a visit to the Sundose.io Website - we receive information collected by cookies that characterises the User’s use of our Website, e.g. the date, time of beginning and end of the visit to the Website and the scope of the visit; information about the operating system and the Internet browser used by the User; information about the type of device used and IP address (Internet protocol) and the Uniform Resource Locator (URL).
Sometimes, Users’ personal data is provided to us by third parties. This happens when the User pays for products purchased on our Website through the PayU electronic payment system. By choosing this method of payment, Users agree that a third party (the owner of the PayU system) will provide us with the User’s data allowing us to properly record the payment.
The purposes and legal basis for personal data processing
We process personal data of Sundose.io Users only to the extent necessary to achieve the purposes for which they were collected. The table below presents the purposes pursued and the relevant legal basis for personal data processing.
| No. | Purposes of personal data processing | Legal basis for processing |
|---|---|---|
| 1. | reply to messages, inquiries or requests addressed to us via the contact form | processing is necessary for the performance of a contract (i.e. the contract for the provision of services by electronic means) to which the data subject is a party (Article 6(1)(b) of the GDPR) |
| 2. | maintaining and operating a User Account on the Website | processing is necessary for the performance of a contract (i.e. the contract for the provision of services by electronic means) to which the data subject is a party (Article 6(1)(b) of the GDPR) |
| 3. | composing an individual Sundose product composition based on the results of a health survey | processing is carried out on the basis of the data subject’s consent (Article 6(1)(a) and Article 9(2)(a) of the GDPR) |
| 4. | accepting orders for the products offered through the Website and the performance of supply contracts | processing is necessary for the conclusion and performance of a contract (i.e. a supply contract) to which the data subject is a party (Article 6(1)(b) of the GDPR) |
| 5. | complaint handling | processing is necessary for the performance of a contract (i.e. a supply contract to the extent that the recipient exercises their rights under warranty for defects in goods) to which the data subject is a party (Article 6(1)(b) of the GDPR) |
| 6. | issuing accounting documents, making tax and accounting settlements, keeping and archiving tax and accounting documentation | processing is necessary to fulfil the legal obligations incumbent on the controller, resulting from tax and accounting regulations (Article 6(1)(c) of the GDPR) |
| 7. | possible establishing and pursuing of claims or defending against them, including the conduct of court proceedings and recovery of debts | processing is necessary for the purposes of the legitimate interests pursued by the controller, i.e. to protect and enforce our rights (Article 6(1)(f) of the GDPR) |
| 8. | archiving of data and documents containing personal data for evidence purposes | processing is necessary for the purposes of the legitimate interests pursued by the controller, i.e. to secure information, inter alia, in case of a legal need to prove facts (Article 6(1)(f) of the GDPR) |
| 9. | sending a newsletter and/or mailing containing marketing content and/or commercial information (e.g. information about products, offers, news, promotions, competitions, etc.) | processing is carried out on the basis of the data subject’s consent (Article 6(1)(a) of the GDPR) |
| 10. | sending SMS messages containing marketing content and/or commercial information | processing is carried out on the basis of the data subject’s consent (Article 6(1)(a) of the GDPR) |
| 11. | conducting other marketing activities | processing is necessary for the purposes of the legitimate interests pursued by the controller, i.e. direct marketing of own goods or services (Article 6(1)(f) of the GDPR) |
| 12. | conducting analyses and statistics on the way the Users use the Website based on data collected using cookies | processing is necessary for the purposes of the legitimate interests pursued by the controller, i.e. improving the operation of the Website and improving the functionality of the services provided; improving the security of the Website’s operation; optimising the User service process (Article 6(1)(f) of the GDPR) |
Data Recipients
Our authorised employees have access to personal data collected through the Sundose.io Website. In justified cases, we transfer or may transfer certain personal data to the following data recipients:
- entities entitled to obtain personal data under the provisions of law for the purpose of their proceedings, e.g. public authorities and entities performing public tasks or acting on behalf of public authorities;
- the bank maintaining the Company’s bank account;
- entities which we use for the performance of tasks involving the processing of personal data on behalf of and for the Company. These will be entities providing services on our behalf necessary for the proper operation of the Sundose.io Website, the performance of contracts concluded through the Website and the fulfilment of our legal obligations or the fulfilment of our legitimate interests, e.g.:
  - providers of IT services and tools;
  - marketing services providers;
  - entities providing accounting and bookkeeping services;
  - companies that provide us with data and e-mail hosting services;
  - courier service companies.
Beforehand, we conclude agreements on entrusting the processing of personal data with all entities to whom we provide personal data in order to provide services ordered by us. In these agreements, we strictly define, among others, the permitted nature, purpose and scope of processing of personal data collected through the Website. We also make every effort to ensure that these entities provide guarantees of appropriate security measures and adequate protection of personal data.
We do not sell or exchange personal data obtained through the Website with other entities for marketing purposes.
Information about the intention to transfer personal data to a third country or international organisation
Personal data will not be transferred to any country outside the European Economic Area (including countries of the European Union, Norway, Liechtenstein and Iceland) or to any international organisation.
Data retention period
Personal data collected through the Website will be processed only for the periods necessary to achieve the purposes for which they were collected.
| No. | Purposes of personal data processing | Data retention period |
|---|---|---|
| 1. | reply to messages, inquiries or requests addressed to us via the contact form | for as long as there is a need for mutual contact on the matter to which the correspondence relates |
| 2. | maintaining and operating a User Account on the Website | for the period of keeping the User Account, until its deletion |
| 3. | preparing, on the basis of the results of a health survey, an offer for a Sundose product with a composition composed individually for the consumer to meet his or her individual needs | for the period of keeping the User Account, until its deletion |
| 4. | accepting orders for the products offered through the Website and the performance of supply contracts | for the duration of the supply contract |
| 5. | complaint handling | until the complaint procedure is completed |
| 6. | issuing accounting documents, making tax and accounting settlements, keeping and archiving tax and accounting documentation | for a period of 5 years from the end of the calendar year in which the deadline for payment of tax expired, or longer if required by law |
| 7. | possible establishing and pursuing of claims or defending against them, including the conduct of court proceedings and recovery of debts | for the periods necessary to protect our rights or for periods of limitation of potential claims as defined by law |
| 8. | archiving of data and documents containing personal data for evidence purposes | for periods required by applicable law and/or for periods of limitation of potential claims as defined by law |
| 9. | sending a newsletter and/or mailing containing marketing content and/or commercial information (e.g. information about products, offers, news, promotions, competitions, etc.) | until the withdrawal of consent to the sending of a newsletter or mailing containing marketing content and/or commercial information |
| 10. | sending SMS messages containing marketing content and/or commercial information | until the withdrawal of consent to the sending of SMS messages containing marketing content and/or commercial information |
| 11. | conducting other marketing activities | until a valid, reasoned objection is lodged |
| 12. | conducting analyses and statistics on the way Users use the Website, based on data collected using cookies | until a valid, reasoned objection is lodged |
At the end of the retention period, personal data will be deleted or rendered anonymous.
Rights of the data subjects
We respect all rights of data subjects resulting from the provisions of the GDPR. Each data subject has the right to:
- request access to his or her personal data – i.e. the right to check what personal data is being processed by us and to obtain information, among other things, on what purpose and on what legal grounds the data is being processed, to whom it is being made available and when it will be deleted;
- request the rectification of personal data when the data are inaccurate and to request the completion of data when the data are incomplete;
- request the erasure of his or her personal data, if there is a circumstance provided for by law (i.e. in Article 17 of the GDPR) justifying this request;
- request a restriction of the processing of personal data in the cases provided for by law (i.e. Article 18 of the GDPR);
- receive the personal data provided by the User from us in a structured, commonly used machine-readable format (e.g. txt., doc., rtf., xls., odt., pdf., jpeg., xml.) and the right to send the data to another controller or to request that the personal data be sent by us directly to another controller, if technically possible.
The data subject has the right to object at any time to the processing of his or her personal data. The objection may be:
- an objection on grounds of his or her particular situation – that is, where the processing of the data is based on our legitimate interest or is carried out for statistical purposes, and the objection is justified by a particular situation in which further processing by us endangers the privacy of the person, or
- a marketing objection – i.e. when personal data are processed for direct marketing purposes, including profiling for that purpose.
If the personal data is processed on the basis of consent, Sundose.io Users have the right to withdraw this consent at any time. However, this will not affect the lawfulness of the processing that was carried out on the basis of consent before its withdrawal.
Withdrawal of consent for sending the newsletter can be done by clicking on the appropriate link in the newsletter content or by sending us an appropriate message to gdpr@sundose.io. These rights may be exercised by, among other things, sending us a request to the following e-mail address: gdpr@sundose.io or by traditional mail to the address: Sundose Sp. z o.o.; ul. Vetterów 1; 20-277 Lublin. Such a request should contain data that will enable us to identify the applicant unambiguously and to execute the request as requested.
Any data subject who considers that our processing of personal data violates his or her rights is also entitled to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (ul. Stawki 2; 00-193 Warszawa).
Voluntary data provision, consent to processing
Providing personal data is not obligatory, but is necessary to take advantage of many functionalities of Sundose.io Website. Without providing personal data, it will not be possible, for example, to send us a message via the contact form, create a user account and purchase products offered by us or subscribe to the newsletter. However, in some cases, legal regulations will require us to provide certain personal data, e.g. for accounting or tax purposes.
Automatic data processing, including profiling
Personal data collected through Sundose.io Website is not processed in a way that would result in automated decision making, including profiling. This means that we do not use IT systems that would collect information about individuals and then, automatically, make decisions that could have legal effects on them or similarly significantly affect their situation.
Data security
Personal data collected through our Website is secured in accordance with the guidelines resulting from the provisions of the GDPR. We use appropriate technical and organisational measures to ensure the appropriate level of security of personal data and to protect it against accidental or intentional destruction or damage, accidental loss, alteration, access by unauthorised persons or against being taken away by an unauthorised person. For example:
- the Sundose.io Website uses secure Internet connections, encrypted with an SSL certificate, to ensure the confidentiality of data transmission over the Internet;
- we store personal data on secure servers;
- personal data may be processed only by our specially authorised employees and only to the extent necessary to carry out the tasks referred to them;
- we have developed and implemented an appropriate personal data security policy which defines the relevant data processing procedures;
- we conclude agreements on entrusting the processing of personal data with entities which we use for the processing of personal data, in which we precisely define the permissible purpose, scope and method of processing;
- we make every effort to ensure that the entities to which we entrust the processing of personal data provide guarantees of appropriate security measures and adequate protection of personal data.
Cookies
Similarly to many other websites, Sundose.io Website uses cookies to collect and process anonymous User data. Cookies are small text files sent by the websites visited by the User and saved on the User’s computer. The information contained in these files can only be read by the Website that created them. The data collected by means of cookies do not allow for unambiguous identification of a person.
Cookies are used by us to analyse how Users use the Website, to improve the operation of the Website, to improve the functionality of our services and to adapt them to the individual needs of Users, as well as for statistical purposes.
Most web browsers accept cookies by default. The User may change these settings in his or her browser at any time. However, disabling cookies may affect the proper functioning of some functions of the Website.
We also collect information on how the Website is used on the basis of so-called access logs based on the IP addresses of Website Users. Data collected in this way do not allow the identity of the Users to be established, but on their basis we can analyse the efficiency of the Website and its security, diagnose potential problems relating to personal data violations and find solutions. Such data are also statistical data about the visitors to our Website (e.g. information about the region), which allow us to adjust our offer.
Final provisions
We reserve the right to make changes to this Privacy Policy. Such changes may be necessary or appropriate, e.g. in the event of changes in legislation, new guidelines from regulatory authorities, changes in the technology by which we process personal data, as well as changes in the ways, purposes or basis on which we process personal data. We will inform the Website Users of any changes made.