Privacy Policy
cuddlerest.com
§ 1 General provisions
1. The administrator of the personal data of the users of the website located under the domain www.cuddlerest.com is FABRYKA PRZYTULNOŚCI SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Marki (Marki municipality), 61/2 Rysia Street, 05-270 Marki, entered in the National Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, XIV Economic Division of the National Court Register, under KRS number: 0000842191, Tax ID: 1251705655, REGON: 386094909, share capital: PLN 5000.00 paid in full (hereinafter: “Administrator”).
2. The Administrator has designated an electronic point of contact for direct communication with Member State authorities, the Commission, and the Digital Services Board: shop@cuddlerest.com. Any customer can use the same contact point to communicate directly and quickly with the Administrator. The Administrator can also be contacted in writing at its address: 61/2 Rysia Street, 05-270 Marki. Communication may be conducted in Polish or English.
3. The purpose of the Policy is to set out the activities undertaken in respect of personal data collected through the Administrator’s website and related services and tools used by its users, as well as in the course of concluding and performing contracts through contact outside the website.
4. If necessary, the provisions of this Policy may be amended. The change will be communicated to users by announcing the new content of the Policy. Persons who have consented to the processing of data by e-mail, or who have provided an e-mail address in the performance of contracts, will also be notified of the change by e-mail.
§ 2 Grounds for processing, purposes and storage of personal data
1. Your personal data is processed in accordance with the General Data Protection Regulation (RODO), the Data Protection Act of 10.05.2018 and the Act on the Provision of Electronic Services of 18.07.2002, as amended from time to time, and, for the purposes of notification pursuant to Article 16(1) of Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on the single market for digital services and amending Directive 2000/31/EC (Digital Services Act) (OJ EU.L.2022.277.1, as amended; “DSA”), also on the basis of Article 3(h) of the DSA.
2. The controller may collect the following data for the following purposes:
| Purpose of data processing | Legal basis for processing | Data retention period | Scope of data processing |
|---|---|---|---|
| Performing a contract with the customer or taking action at the request of the data subject prior to entering into the aforementioned contracts | Article 6(1)(b) of the RODO Regulation (performance of a contract) | | |
| Direct marketing | Article 6(1)(f) of the RODO Regulation (legitimate interest of the controller). The controller may only process data for direct marketing purposes after consent has been obtained and in the absence of an objection from the data subject. | | |
| Marketing | Article 6(1)(a) of the RODO Regulation (consent) | | |
| Running accounts | Article 6(1)(c) of the RODO Regulation in conjunction with Article 86(1) of the Tax Ordinance, i.e. of 17 January 2017 (Journal of Laws of 2017, item 201) or Article 74(2) of the Accounting Act, i.e. of 30 January 2018 (Journal of Laws of 2018, item 395) | | |
| Making a refund | Performing the Contract or taking action at the request of the data subject prior to the conclusion of the Contract (Article 6(1)(b) RODO) | | |
| Establishing, asserting or defending claims which the Administrator may assert or which may be asserted against the Administrator | Article 6(1)(f) of the RODO Regulation | | |
| Conducting research and analysis to improve the performance of available services | Article 6(1)(f) of the RODO Regulation | | |
| Collection of telemetry data | Article 6(1)(f) of the RODO Regulation | | |
| Customer account registration | Performing the Contract or taking action at the request of the data subject prior to the conclusion of the Contract (Article 6(1)(b) RODO) | | |
| Provision of customer service | Performing the Contract or taking action at the request of the data subject prior to the conclusion of the Contract (Article 6(1)(b) RODO) | | |
| Correct functioning of the service | Maintaining the performance of the Service and improving it (Article 6(1)(f) of the DPA) | | |
| Enabling the customer to reset the password | Protection and safeguarding of the service, the interests of the customers, safeguarding of the customer’s security (Art. 6(1)(f) RODO) | | |
| Overseeing compliance with regulations, contracts, privacy policy | Protection and safeguarding of the service, the interests of the customers, safeguarding of the customer’s security (Art. 6(1)(f) RODO) | | |
| Processing of requests for personal data | Article 6(1)(c) RODO | | |
| Providing information to authorities, law enforcement and other state institutions | Article 6(1)(c) RODO | The period of the existence of the legitimate interest of the Controller, but no longer than the period of the statute of limitations for claims against the data subject in respect of business activities. | |
| Fulfilment of the legal obligation set out in Article 16(1), (4), (5) and (6) of the DSA to: 1) accept from the notifier a notification of the presence on the hosting service of information which, in the opinion of the notifier, constitutes illegal content within the meaning of Article 3(h) of the DSA; 2) consider the application; 3) inform the notifier of the decision taken on the application; 4) inform the notifier of the possibility of appealing against the decision referred to in point 3) | Article 6(1)(c) RODO | | |
| Processing of personal data to the extent that, on the basis of proceedings before the authorised public administrative authorities, including law enforcement authorities, on matters concerning the purposes or grounds for the processing of personal data, the Controller is obliged to process them | Article 6(1)(c) RODO | For the duration of such an obligation | |
3. Users’ personal data shall be stored for no longer than necessary to achieve the purpose of processing, i.e. until the consent is withdrawn if processing is based on such consent, until the statute of limitations expires for the Administrator’s and the other party’s claims regarding the performance of concluded agreements (in the case of sales/service contracts, 2 years counting to the end of the year), and until the execution of an enquiry directed by e-mail or the completion of the processing of a complaint. After the expiry of this period, the Customer’s personal data will be processed by the Administrator on the basis of Article 6(1)(f) of the RODO, i.e. for the purposes resulting from the legitimate interests pursued for the purposes of marketing campaigns.
4. The Administrator may use profiling for direct marketing purposes, but the decisions made on its basis by the Administrator do not concern the conclusion or refusal of a contract or the possibility of using electronic services. The effect of the use of profiling may be, for example, to grant a person a discount, send him or her a discount code, remind him or her of unfinished purchases, send a product proposal that may match the person’s interests or preferences, or offer better conditions compared to a standard offer. Despite the profiling, it is the individual who freely decides whether to take advantage of the discount received in this way or the better terms and conditions and make a purchase. Profiling involves the automatic analysis or prediction of a person’s behaviour on the Administrator’s website, e.g. by adding a specific product to the shopping cart, browsing a specific product page, or by analysing previous activity history on the website. The condition for such profiling is that the Administrator has the personal data of the person in question in order to be able to subsequently send him or her, for example, a discount code.
5. To the extent necessary for the proper functioning of the website and its functionality, the website may, during the User’s use of the website, collect other information, including but not limited to:
a) IP address;
b) Device hardware and software information, such as hardware identifiers and mobile device identifiers (e.g. Apple Identifier for Advertising [“IDFA”] or advertising identifier on an Android device [“AAID”]);
c) Platform type;
d) Settings and components;
e) Your browser details, including browser type and preferred language.
6. Taking into account the nature, scope, context and purposes of the processing and the risk of violation of the rights or freedoms of natural persons of varying probability and seriousness, the Administrator shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with the Regulation and to be able to demonstrate this. These measures shall be reviewed and updated as necessary. The Administrator shall apply technical measures to prevent the acquisition and modification by unauthorised persons of personal data transmitted electronically.
§ 3 Data sharing
1. The Administrator ensures that any personal information collected is used to fulfil obligations to users. This information will not be shared with third parties except when:
a) the persons concerned have given their express prior consent to do so, or
b) the obligation to transmit such data arises or will arise from applicable laws, e.g. to law enforcement authorities.
2. In addition, personal data of service recipients and customers may be transferred to the following recipients or categories of recipients:
a) service providers who supply the Administrator with technical, IT and organisational solutions enabling the Administrator to conduct its business activity, including the website and the electronic services provided through it (in particular computer software providers, marketing agencies, e-mail and hosting providers, business management and technical support software providers to the Administrator, and the product delivery operator) – the Administrator shall make the collected personal data of the Client available to the selected provider acting on its behalf only in the case and to the extent necessary for the performance of the given purpose of the data processing in compliance with this Privacy Policy.
b) providers of accounting, legal or advisory services who provide accounting, legal or advisory support to the Administrator (in particular an accounting office, a law firm or a debt collection company) – the Administrator shall make the collected personal data of the Client available to the chosen provider acting on its behalf only in the case and to the extent necessary to achieve the given purpose of the data processing in accordance with this Privacy Policy.
c) carriers / forwarders / courier brokers – in the case of a Customer who uses the Online Shop’s method of Product delivery by post or courier service, the Administrator shall make the collected personal data of the Customer available to the selected carrier, forwarder or broker executing the shipment on the Administrator’s order, to the extent necessary to complete the delivery of the Product to the Customer.
3. The Administrator may share anonymised data (i.e. data that does not identify specific Users) with external service providers in order to better identify the attractiveness of advertisements and services to Users. In this regard, due to the location of the software providers, the data may be transferred – subject to the principles of data protection – to third countries outside the European Economic Area that, however, provide standard contractual provisions approved by the European Commission for the processing of personal data, or that have the appropriate authority to do so on the basis of bilateral data processing entrustment agreements between the European Union and the third country in question. In the case of the Controller, these entities are:
- Google LLC (registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for Google Analytics tools for analysing website statistics; Google Tag Manager for script management by easily adding code snippets to a website or application and tracking user actions on the website; Google Ads for displaying sponsored links in Google search results and on Google AdSense co-operative websites; Google Workspace for complex website editing and co-ordination (including Google Drive, Gmail, Google Sheets, Google Forms, Google Looker Studio);
- Meta Platforms Inc. (registered office: 1601 Willow Road, Menlo Park, CA 94025, USA) for the Facebook pixel used to track conversions from Facebook advertisements, optimise them on the basis of the collected data and statistics, and build a targeted audience list for future advertising;
- Microsoft Corporation (headquarters: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) for Microsoft Clarity web analytics tools to analyse website statistics and track user actions on the website;
- WordPress (registered office: CT Corporation System, 330 N Brand Blvd., Glendale, California 91023-2336) for the hosting and construction of the website and for the analysis of website statistics and the tracking of user activities on the website.
4. The controller always gives notice of its intention to transfer personal data outside the EEA at the stage of collection.
5. The controller shall carry out a risk analysis on an ongoing basis to ensure that personal data is processed by the controller in a secure manner – ensuring in particular that only authorised persons have access to the data and only to the extent necessary for their tasks. The controller shall ensure that all operations on personal data are recorded and carried out only by authorised employees and associates.
6. The Administrator shall take all necessary measures to ensure that also its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the Administrator.
7. The Administrator’s website may use the functionality of Google Analytics, a web audience analysis service provided by Google LLC (“Google”). Google Analytics uses cookies to help website operators analyse how visitors use the website. The information generated by the cookie about visitors’ use of the website is generally transmitted to and stored by Google on servers in the United States. In accordance with current IT standards, the IP addresses of visitors to the Administrator’s website are shortened. Only in exceptional cases is the complete IP address transferred to a Google server in the United States and shortened there. On behalf of the Administrator, Google will use this information for the purpose of evaluating the website for its users, compiling reports on website traffic, and providing other services relating to website traffic and internet usage to website operators. Google will not associate the IP address transmitted within the scope of Google Analytics with any other data in its possession. For more information on how Google Analytics collects and uses data, please visit Google’s official website at: www.google.com/policies/privacy/partners. In addition, any User can prevent Google from collecting and processing data about their use of the website by downloading and installing a browser plug-in at the following link: http://tools.google.com/dlpage/gaoptout.
8. When the Controller shares data with third parties, it will make every effort to ensure that this is done only with entities that meet the criteria and requirements indicated in the framework of Article 46 or 49 RODO. Where appropriate, the Administrator will rely on EU standard contractual clauses and other safeguards to enable transfers outside the EEA. In line with the decision of the Court of Justice of the European Union of 16 July 2020, the Controller continues to assess the legal regime of the countries to which data is transferred and, where necessary, updates measures to ensure adequate levels of protection.
9. With regard to data transferred to the United States, the Administrator, when sharing data with third parties, makes every effort to ensure that this is done in accordance with the European Commission’s decision of 10 July 2023, only to entities and organisations in the USA that ensure compliance with the new “EU-US Data Privacy Framework”. A list of these organisations has been published by the US Department of Commerce. Transfers of personal data from the EEA to organisations that have joined the “EU-US Data Privacy Framework” and are on this list are possible without the need for additional authorisations or the use of legal instruments such as standard contractual clauses or binding corporate rules. However, where the relevant data importer in the US has not joined the “EU-US Data Privacy Framework”, transfers of personal data to it are possible and will take place under the conditions of Article 46 or 49 of the RODO. In such cases, the Controller will rely on EU standard contractual clauses and other safeguards to enable transfers outside the EEA.
§ 4 User rights
1. The user whose personal data is processed has the right to:
a. access, rectification, restriction, erasure or portability – the data subject has the right to request from the Controller access to his/her personal data, rectification, erasure (“right to be forgotten”) or restriction of processing, and has the right to object to processing and the right to portability of his/her data. The detailed conditions for exercising the rights indicated above are set out in Articles 15-21 of the RODO Regulation.
b. withdraw consent at any time – a person whose data is processed by the Controller on the basis of expressed consent (on the basis of Article 6(1)(a) or Article 9(2)(a) of the RODO Regulation) has the right to withdraw consent at any time without affecting the lawfulness of the processing performed on the basis of consent before its withdrawal.
c. lodge a complaint with the supervisory authority – the person whose data is processed by the Controller has the right to lodge a complaint with the supervisory authority in the manner and mode specified in the provisions of the RODO Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office for Personal Data Protection in Warsaw.
d. objection – the data subject has the right to object at any time – on grounds relating to his or her particular situation – to the processing of personal data concerning him or her based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling on the basis of these provisions. In such a case, the controller shall no longer be allowed to process these personal data unless the controller can demonstrate the existence of compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or grounds for the establishment, exercise or defence of claims.
e. objection to direct marketing – where personal data are processed for the purposes of direct marketing (based on the legitimate interest of the Controller, not on the basis of the data subject’s consent), the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that the processing is related to such direct marketing.
2. The exercise of the above rights takes place based on the user’s request sent to the e-mail address shop@cuddlerest.com. Such a request should include the user’s name.
3. The user shall ensure that the data he/she provides or publishes on the site is correct.
§ 5 Cookies
1. Cookies are IT data, in particular text files, stored on the user’s terminal equipment (usually on the computer’s hard drive or mobile device) for the purpose of storing certain settings and data by the user’s browser in order to use websites. These cookies allow the website to recognise the user’s device and display the website accordingly providing comfort during use. The storage of cookies, therefore, allows the website and the offer to be tailored to the user’s preferences – the server recognises the user and remembers preferences such as visits, clicks, and previous actions, among other things.
2. “Cookies” contain, in particular, the domain name of the website from which they originate, the length of time they are stored on the terminal device, and a unique number used to identify the browser from which the website is connected.
3. Cookies are used for:
a. adapting the content of the websites to your preferences and optimising the use of the websites
b. the creation of anonymous statistics which, by helping to determine how the user uses the web pages, make it possible to improve their structure and content
c. to provide site users with advertising content tailored to their interests.
Cookies are not used to identify you and your identity is not established from them.
4. Cookies are mainly divided into:
a. Essential cookies – these are absolutely essential for the proper functioning of the website or the functionality you wish to use, as without them we would not be able to provide many of the services we offer. Some of them also ensure the security of the services we provide electronically.
b. Functional cookies – these are important for the operation of the website because they:
i. serve to enrich the functionality of the websites; without them the website will function correctly but will not be adapted to the user’s preferences
ii. serve to ensure a high level of website functionality; without them the level of functionality of the website may be reduced, but their absence should not prevent the website from being used altogether
iii. serve most of the functionality of the websites; blocking them will result in selected functions not working properly.
c. Business cookies – enable the business model on which the website is provided; blocking them will not make all functionality unavailable but may reduce the level of service provision due to the website owner’s inability to realise the revenue that subsidises its operation. Advertising “cookies”, for example, fall into this category.
d. Website configuration cookies – allow you to set functions and services on websites.
e. Cookies for website security and reliability – enable verification of authenticity and optimisation of website performance.
f. Authentication cookies – allow you to be informed when you are logged in so that the website can show you relevant information and functions.
g. Session status cookies – allow information to be recorded about how users use the website. They may relate to the most frequently visited pages or possible error messages displayed on certain pages. Session state cookies help to improve services and the browsing experience.
h. Cookies for website processes – allow the website and the functions available on it to function efficiently.
i. Advertising cookies – allow ads to be displayed that are more interesting to users and more valuable to publishers and advertisers; cookies can also be used to personalise advertising as well as to display ads outside of websites.
j. Location-accessing cookies – allow the information displayed to be tailored to the user’s location.
k. Analysis, research or audience audit cookies – allow the website owner to better understand the preferences of its users and, through analysis, improve and develop products and services. Typically, the website owner or research company collects information anonymously and processes trend data without identifying the personal data of individual users.
l. Non-harmful cookies – these include cookies which are necessary for the proper functioning of the website and which are needed to enable the functionality of the website, but whose operation has nothing to do with tracking the user.
m. Research cookies – used to track users but do not include information that would (without other data) identify a specific user.
5. As a general rule, the use of cookies to adapt the content of websites to the user’s preferences does not imply the collection of any information identifying the user, although this information may sometimes be of a personal nature, i.e. data enabling certain behaviour to be attributed to a specific user. Personal data collected using cookies may only be collected in order to perform specific functions for the user. Such data is encrypted in such a way that it cannot be accessed by unauthorised persons.
6. The cookies used by this website are not harmful either to the user or to the terminal device used by the user, so for the proper functioning of the website, it is recommended not to disable them in browsers. In many cases, the web browsing software (web browser) allows, by default, the storage of information in the form of “cookies” and other similar technologies on the user’s terminal device. The user can change the browser’s use of “cookies” at any time. To do so, the browser settings must be changed. How to change your settings varies depending on the software (browser) you are using. You will find relevant instructions on the subpages depending on the browser you are using.
7. Cookies are also used to facilitate logging into a user’s account, including via social media, and to enable switching between sub-pages on websites without having to log in again on each sub-page. At the same time, cookies are used to secure websites, e.g. to prevent unauthorised access.
8. As part of its cookie technology, the Administrator may use tracking pixels or clear GIF files to collect information about how users use its services and how they respond to marketing messages sent by email. A pixel is software code that allows an object, usually an image the size of a pixel, to be embedded on a page, which provides the ability to track user behaviour on the web pages where it is deployed. Once the appropriate consent has been given, the browser automatically establishes a direct connection to the server storing the pixel, so the processing of the data collected by the pixel is carried out within the framework of the data protection policy of the partner who administers the aforementioned server.
9. The administrator may use web log files (which contain technical data such as your IP address) to monitor traffic on its services, troubleshoot technical problems, detect and prevent fraud, and enforce the User Agreement.
10. While the administrator informs you that the website does not respond to Do Not Track (DNT) signals, you may disable certain forms of online tracking, including certain analytics and personalised advertising, by changing the cookie settings in your browser or using our cookie consent tools (if applicable).
11. Detailed information on how to change your cookie settings and how to delete them yourself in the most popular web browsers is available in the help section of your browser and on the following pages (just click on the respective link):
a) Google Chrome
b) Mozilla Firefox
c) Microsoft Edge
d) Opera
e) Safari macOS
f) Safari iOS/iPad OS
12. For details on how to manage cookies on your mobile phone or other mobile device, please refer to the user manual for your mobile device.