Privacy policy

PRIVACY POLICY

This privacy policy sets out the rules for the processing of personal data of the users of the website available at http://sklep.allbag.pl (AllBag online shop) by ALLBAG TOMASZ WOŹNIAK Sp. k., with its registered office in Mucharz.

1. DEFINITIONS

Controller – ALLBAG TOMASZ WOŹNIAK Sp. k., with its registered office in Mucharz, address: Świnna Poręba 127A, 34-106 Mucharz, entered in the Register of Entrepreneurs of the National Court Register under KRS: 0000839896, whose registration files are maintained by the District Court for Kraków-Śródmieście in Kraków, 12th Commercial Division of the National Court Register, NIP: 5512642595, REGON: 384947621

Contact details:

Correspondence address: Świnna Poręba 127a, 34-106 Mucharz,

Telephone number: +48 731 161 161,

E-mail address: sklep@allbag.pl.

Customer – a User or other entity contacting the Controller to purchase products from the Controller's offer.

Privacy Policy – this privacy policy, i.e. a document containing information on the processing of personal data in connection with using the Website, as well as in connection with the fulfilment of the contact with the person from the Controller's Sales Department for the purpose of placing an order via e-mail contact.

Website – the website on which you are located, available at http://sklep.allbag.pl (AllBag online shop).

Personal data – all information about a natural person identified or identifiable by one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, internet identifier and information collected through cookies and other similar technology.

User – the person using the Website.

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons as regards the personal data processing and on the free movement of such data and repealing Directive 95/46/EC.

1. PRINCIPLES FOR PERSONAL DATA PROCESSING

1. The Controller processes Personal Data in accordance with the legal provisions in force in this regard concerning the protection of Personal Data, applying technical and organisational measures to ensure the protection of processing and securing Personal Data against its access to unauthorised persons, acquisition by unauthorised persons, processing in violation of the relevant regulations, and alteration, loss or destruction.
2. In most cases, the provision of personal data is voluntary. However, if the personal data is necessary for the entering into and/or performing the agreement, it is required.
3. When legal provisions impose an obligation to process data, the provision of such data is necessary in order for the Controller to comply with legal obligations (e.g. arising from tax regulations or the Accounting Act – such as issuing and storing invoices and other accounting documents).
4. In connection with the use of the Shopify platform and tools from suppliers such as Google or Meta, Personal Data may be transferred to third countries (mainly the USA). The security of this data is ensured by decisions of the European Commission declaring an adequate level of protection (e.g. the Data Privacy Framework for US entities) or, in the absence thereof, by other legal mechanisms provided by the GDPR, such as the Standard Contractual Clauses (SCC).

1. PURPOSES, LEGAL BASIS AND DURATION OF PERSONAL DATA PROCESSING

Personal Data may be processed for various purposes and based on various legal grounds – depending on which functionalities of the Internet Shop are used by the User, in particular for the purpose of entering into and performing sales agreements, answering questions directed via the Website or conducting marketing activities. Further details can be found below. 

1. SALE OF PRODUCTS FROM THE CONTROLLER'S RANGE

Explanation of the purpose for which the Personal Data is processed

The Customer has the option to purchase products from the Controller's offer through the Website or by contacting a person from the Controller's Sales Department. The Customer's data is processed to the extent necessary for entering into and performing the sales agreement, including the settlement of payments and the dispatch of products. In addition, the Controller processes Personal Data for the purpose of issuing and storing invoices and accounting documents, as well as for the performance of obligations related to entering into the sales agreement, in particular ones arising from consumer protection legislation (right of withdrawal, consumer rights in the event of non-conformity of the product with the agreement). 

Legal basis for Personal Data processing

Personal Data processing occurs based on the sales agreement entered into by and between the Customer and the Controller (Article 6(1)(b) GDPR). To the extent that the processing of Personal Data serves the purpose of the Controller's legal obligations (resulting, for instance, from tax, accounting regulations), the basis for the processing is the necessity to fulfil these obligations (Article 6(1)(c) GDPR).

Period of Personal Data processing

The Controller will process the Personal Data for the duration of the performance of the agreement entered into and for as long as required by law. This period may be extended by the statute of limitations for potential claims.

1. CUSTOMER COMMUNICATION

Explanation of the purpose for which Personal Data is processed

The Customer may contact the Controller using the electronic forms available on the Website. The completion of the form requires the submission of personal data necessary to make contact and answer the question. In the content of the message, the Customer may also voluntarily provide additional information that will facilitate communication or expedite the handling of the request. In addition, the Website provides other forms of contact, such as e-mail addresses or telephone numbers, which the Customer may use.

Legal basis for Personal Data processing

The legal basis for Personal Data processing in this regard is the legitimate interest of the Controller, which consists of corresponding with the Customer and responding to their enquiries (Article 6(1)(f) GDPR).

Period of Personal Data processing

The Customer's Personal Data will be processed for the period necessary to respond to the Customer's enquiry or until the Customer successfully objects to its processing based on the Controller's legitimate interest.

1. REGISTRATION ON THE WEBSITE AND USE OF THE FUNCTIONALITIES AVAILABLE ON THE WEBSITE

Explanation of the purpose for which Personal Data is processed

At the time of registration on the Website, the User submits their personal data requested in the registration form. Registration on the Website allows you to view the history of previous orders placed by the User and to add a default delivery address. The User may also use the option of logging in to the Website via the "Shop" service (Shop App) provided by Shopify. If this form of login is selected, Shopify provides the Controller with the User's personal data necessary to create or operate an account on the Website, such as an e-mail address and basic identification data.

Legal basis for Personal Data processing

Personal Data processing is based on an agreement entered into by and between the user and the Controller as regards the creation of an account and the use of the Website (Article 6(1)(b) GDPR).

Period of Personal Data processing

The Personal Data Controller will process Personal Data for as long as the User has an Account on the Service. This period may be extended by the statute of limitations for potential claims related to using the Website.

1. HANDLING COMPLAINTS RELATED TO USING THE WEBSITE

Explanation of the purpose for which Personal Data is processed

The User may submit a complaint related to using the Website with the form, e-mail addresses and telephone numbers provided on the Website.

Legal basis for Personal Data processing

Personal Data processing is based on an agreement entered into by and between the user and the Controller as regards the creation of an account and the use of the Website.

Period of Personal Data processing

The User's personal data will be processed for the period necessary to process the complaint. This period may be extended by the statute of limitations for potential claims related to using the Website.

1. IMPLEMENTATION OF PROMOTIONAL AND MARKETING ACTIVITIES

The Controller may process the User's personal data in order to conduct marketing and promotional activities for the products on offer, including through sending newsletters, in the event that the User consents to such.

Personal Data processing for direct marketing purposes may also take place via the social profiles maintained by the Controller, in particular on sites such as Facebook, Instagram, LinkedIn, TikTok, Twitter, Snapchat or Pinterest. Within the framework of these profiles, data of their visitors may be processed, including, in particular, information disclosed in comments, reactions, opinions, web identifiers and other data resulting from the User's activity during interaction with the profile maintained by the Controller. Processing occurs for the proper running of the Allbag shop profiles, including the presentation of information about products, news, promotions, marketing campaigns, inspirations and projects carried out by the shop, as well as to enable visitors to actively participate in the life of the profile (comment, react, ask questions). The data may also be used to create statistics, analyses and to conduct advertising activities using tools provided by the various social media providers.

Legal basis for Personal Data processing

The legal basis for the Personal Data processing for the above purpose is the Controller's legitimate interest in promoting its activities and products (Article 6(1)(f) GDPR).

Period of Personal Data processing

Personal Data will be processed for the period necessary for the above purposes or until an effective objection is made to Personal Data processing for marketing purposes based on the Controller's legitimate interest.

1. PUBLICATION OF OPINIONS ON THE WEBSITE

Explanation of the purpose for which Personal Data is processed

The Website provides Users with the option to add product reviews via an external tool called Judge.me. Within the scope of this functionality, data such as e-mail address, first name (or pseudonym), content of the review, as well as order information (e.g. order number) may be processed, which is used to verify that the review was written by the person who actually made the purchase.

Legal basis for Personal Data processing

The legal basis for the processing of Personal Data in this regard is the Controller's legitimate interest in enabling Users to express opinions about products and to present these opinions on the Website (Article 6(1)(f) GDPR).

Period of Personal Data processing

Data is processed for the duration of the display of opinions on the Website or until the User requests its deletion, or until an effective objection is lodged against the processing of Personal Data on the basis of the Controller's legitimate interest.

Articles published on the Website may contain references to such content as may be posted on platforms such as Facebook or YouTube. Be advised that the rules for Personal Data processing on these websites, including the purposes and means of processing, are determined by their owners in accordance with their own privacy policies.

The Website uses cookies and other similar technologies, which involves the processing of the User's Personal Data. The details of this process, including its objectives, are specified in paragraph VI of the Policy.

1. RECIPIENTS OF PERSONAL DATA

The catalogue of recipients of Personal Data depends on the purpose for which it is processed by the Controller. Personal data may be transferred to:

1. entities providing maintenance and technical support services for the applications, software, IT systems and the Website where Personal Data processing occurs,
2. providers of marketing services,
3. providers of transport, freight, postal and courier services,
4. entities handling electronic payments,
5. entities providing advice and support to the Controller in the pursuit of claims, in particular: law firms, tax offices, debt collection companies, insurers, insurance brokers,
6. entities that are manufacturers of the advertised product,
7. entities entitled to receive Personal Data on the basis of the law.

1. RIGHTS CONCERNING PERSONAL DATA

Any person whose Personal Data is processed has the right to:

1. access to the content of Personal Data,
2. rectify Personal Data,
3. delete Personal Data,
4. restrict Personal Data processing,
5. lodge a complaint as regards Personal Data processing to the supervisory authority, which in Poland is the President of the Office for Personal Data Protection.

In addition:

1. where personal data are processed on the basis of consent or an agreement entered into, the data subject also has the right to data portability,
2. where personal data is processed on the basis of the legitimate interest of the Controller, the data subject may object at any time to the processing on grounds related to their particular situation,
3. where personal data processing is carried out for marketing purposes based on a legitimate interest of the Controller, the data subject has the right to object to the processing at any time,
4. where data is processed on the basis of consent given, the data subject may withdraw consent at any time. However, do note that the withdrawal of consent does not affect the lawfulness of the processing that took place before the withdrawal.

The aforementioned rights may only be exercised in accordance with the relevant regulations. If a request is made for the exercise of rights related to Personal Data, the Personal Data will be processed for the purpose of processing the request, fulfilling the request and documenting how the request was handled in the Data Subject's request register. The processing takes place for the period necessary to achieve this purpose, in accordance with the obligations under the GDPR, on the basis of the Controller's legitimate interest (Article 6(1)(f) GDPR).

If you have any questions about the processing of your Personal Data or wish to exercise your rights, do contact the Controller via the e-mail or postal address indicated in pt. 1 of the Policy, marked "Personal Data."

1. COOKIES AND SIMILAR TECHNOLOGIES

Cookies and other similar technologies, such as pixels (hereinafter referred to as "Cookies"), are used to provide services at the highest level, taking into account individual needs of users. This is IT data, which mainly includes text files, stored on the Service user's terminal equipment (e.g. computer, smartphone, tablet), enabling the use of websites.

Rules for setting cookies

1. Cookies are only stored on the User's terminal equipment with the User's express consent. This consent is not required for "essential cookies," which are essential for the proper functioning of the Website.
2. The User may give their consent to the other Cookies (functional, analytical, marketing) by starting to use the Website without changing the Cookie settings and clicking on the "Accept" button.
3. If the User does not agree to the installation of non-essential Cookies, they should select the "Reject" option.
4. If the User wishes to change the settings, they should select "Manage preferences." Using this option allows the User to select and agree to the Cookies chosen. The Cookies message is only displayed when you first access the Website and remains visible until you make the appropriate settings. You can change your cookie settings by selecting the "Cookie Settings" option when using the Website.
5. In addition, it is possible to manage cookies yourself from the User's web browser, including blocking or deleting them. Comprehensive information is available in your browser settings.

Be advised that limiting or disabling the use of Cookies may affect some of the functionality available on the Website.

Apart from the Controller, the User's terminal equipment may be equipped with cookies by entities co-operating with the Controller, e.g. partners providing analytical and advertising services, application developers, advertising agencies and other partners (in this situation the cookies they place are "third-party cookies"). Detailed information on these entities is provided below.

Google Analytics

The Website uses the analytical services of Google Inc. (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), including Google Analytics 4 and Google Tag Manager. These tools use cookies to analyse how the Website is used. The information collected by the cookies is transferred to Google's servers and archived there. Google uses the information it collects to analyse traffic, prepare reports on using the Website and provide other services related to internet activity. We use Google Analytics to analyse how the Website is used, to improve its performance and to optimise our product offering. The User can block the sharing of data to Google Analytics by installing a browser add-on provided by Google:

https://tools.google.com/dlpage/gaoptout

Google Ads

We use Google Ads tools to promote our products in search results and on external websites. Cookies used by Google Ads (e.g. IDE, NID) allow the display of advertisements tailored to the user's preferences (remarketing). If you visit the Website, a Google cookie may be stored on your device to recognise your browser and display advertisements for products you have previously viewed. This data is processed by automated means, but does not enable us to identify you. You can find more information about Google's data processing rules for advertising here: https://policies.google.com/technologies/ads

Pixel Meta (Facebook)

The service uses Pixel Meta (Facebook), administered by Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). With this tool (cookie _fbp), when using Facebook or Instagram, the User can see advertisements for our products tailored based on previous activities on the Website. Pixel helps us measure the effectiveness of adverts by analysing the actions taken by users after they have viewed them. The data collected is anonymous to us, but Meta may link it to your account on the social media platform and use it in accordance with its privacy policy: https://www.facebook.com/about/privacy/

Pixel TikTok

The service uses the TikTok Pixel, provided by TikTok Technology Limited (10 Earlsfort Terrace, Dublin, D02 T380, Ireland). The cookies associated with this tool (e.g. _ttp) make it possible to track the User's activities on the Website so that advertising campaigns can be optimised and personalised advertisements can be displayed in the TikTok application to those who have visited the Website. For more information on TikTok's data processing, click here:

https://www.tiktok.com/legal/privacy-policy-eea

LinkedIn Insight Tag

The Website uses the LinkedIn Insight Tag, provided by LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland). This tool uses cookies (e.g. li_gc, lidc) to track conversions, retarget visitors and collect general demographic information about Service Users using the LinkedIn platform. This allows us to better match advertising content to users' professional profiles. Details of LinkedIn's cookie policy can be found here: https://www.linkedin.com/legal/cookie-policy

Functionality support tools (Judge.me and SEA Accessibility)

In order to ensure the full functionality of the Website, we use solutions from third-party suppliers:

Judge.me – a tool for collecting and displaying product reviews. This provider's cookies enable verification of the buyer's identity and technical operation of the review module.

SEA Accessibility – a tool to support the digital accessibility of the Website (WCAG). The cookies of this tool remember the user's preferences as regards accessibility, such as contrast, font size or enhanced readability mode.

TYPE	DESCRIPTION	NAME AND PERIOD OF PROCESSING	BASIS OF PROCESSING
Essential	Essential cookies are necessary for the proper functioning of the Website and the provision of services related to its use (e.g. maintaining the session, remembering the contents of the shopping cart). They cannot be disabled, as the Shop will not function properly without them.	Shopify (Shopify International Ltd. Address: 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland): cart, checkout_token, secure_customer_sig. Local: cookie-accepted.	Article 6(1)(b) GDPR (Performance of an agreement for the provision of electronic services)
Analytical	Analytical cookies are used to collect information on the number of visits and traffic sources on the Website. They help us understand how Users navigate the shop, which allows us to improve its performance.	Google Analytics 4: _ga, _gid, _gat (and derivatives). Google Tag Manager.	Art. 6(1)(a) GDPR (User Consent)
Marketing	Marketing cookies are used by our advertising partners to build a profile of your interests and display tailored advertising on other sites (e.g. Facebook, TikTok, LinkedIn).	Meta (Facebook): _fbp. TikTok: _ttp, _tt_enable_cookie. LinkedIn: li_gc, lidc, li_fat_id, bcookie. Google Ads: IDE, NID, test_cookie.	Article 6(1)(a) GDPR (User Consent)
Functional	Functional cookies enable the Website to remember choices made by the User and to operate additional functions.	SEA Accessibility: accessibility settings files (contrast, fonts). Judge.me (Judge.me Address: Unit 1406, 20-22 Wenlock Road, London, N1 7GU, United Kingdom): identity verification files when issuing reviews.	Article 6(1)(a) GDPR (User Consent)

1. FINAL PROVISIONS

1. The privacy policy is regularly reviewed and, if necessary, updated.
2. The Controller will inform Users of any modifications to the Privacy Policy by publishing an appropriate notice on the Website.