1. Definitions

1.1.  In the context of the Privacy Policy, the terms indicated below have the following meaning:

1.1.1.    Administrator - Windy Woods Care Sp. z o.o. with its registered office in Skawina, ul. Torowa 46, 32-050Skawina, entered into the National Court Register by the District Court for Kraków, Śródmieście in Kraków, I Commercial Division of the National Court Register, under the KRS number: 0001067029, Tax Identification Number (NIP): 944-228-51-80, the National Official Register of the Economy Units (REGON): 526842967.

1.1.2.    Personal data - all information about an identified or identifiable natural person. A natural person may be identified by one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity, which includes IP address, location data, internet identifier, and information collected through Cookies and other similar technology.

1.1.3.    GDPR - the Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation).

1.1.4.    Website - a website maintained by the Administrator at the internet address https://www.windywoods.co/.

1.1.5.    User - any natural person visiting the Website or using one or more features or services described in the Privacy Policy.

1.1.6.    Cookies - small bits of information stored on the end device (e.g. computer, tablet, smartphone) which can be read by the Website's ICT system and other ICT systems belonging to entities whose services the Administrator uses (so-called first-party Cookies and third-party Cookies). The Website uses 'session' Cookies, which are deleted when the browser is closed, and 'persistent' Cookies, which are stored for a duration specified in the Cookies parameters after closing the Website.

1.1.7.    Privacy Policy - the present Privacy Policy with the Cookies policy.

  1. Personal data Administrator

2.1.  The Administrator of Users' Personal data is Windy Woods Care Sp. z o.o.  with its registered office in Skawina, ul. Torowa 46, 32-050 Skawina, entered into the National Court Register by the District Court for Kraków, Śródmieście in Kraków, I Commercial Division of the National Court Register, under the KRS number: 0001067029, Tax Identification Number (NIP): 944-228-51-80, the National Official Register of the Economy Units (REGON): 526842967, the owner and Website administrator providing services by electronic means.

2.2.  The User may contact the Administrator:

2.2.1.    by letter - to the following address: ul. Torowa 46, 32-050 Skawina, Poland

2.2.2.    electronically - to the following e-mail address: office@windywoods.pl .

  1. Personal Data Protection Officer

3.1.  A Personal Data Protection Officer has been appointed by the Administrator.

3.2.  The User may contact the officer referred to in point 3.1. above:

3.2.1.    by letter - to the following address: ul. Torowa 46, 32-050 Skawina, Poland

3.2.2.    electronically - to the following e-mail address: office@windywoods.pl .

  1. Purpose and legal basis for the processing of Personal data

4.1.  Use of the Website

4.1.1.    Personal data of all individuals using the Website (including IP addresses, other identifiers, and information collected via Cookies or other similar technologies) who are not registered Users (i.e. individuals without an account on the Website) is processed by the Administrator:

4.1.1.1.       in order to provide electronic services for the purpose of making available to Users the contents of the Website and sharing contact forms - the legal basis for processing data is the necessity of processing data to perform an agreement (Article 6(1)(b) of the GDPR);

4.1.1.2.       in order to process purchases made without registration on the Website - the legal basis for processing data is the necessity of processing data to perform an agreement (Article 6(1)(b) of the GDPR);

4.1.1.3.       in order to process complaints - the legal basis for processing data is the necessity of processing data to perform an agreement (Article 6(1)(b) of the GDPR);

4.1.1.4.       for analytical and statistical purposes - the legal basis for processing data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in conducting analyses of Users' activity and preferences in order to improve the quality of provided services;

4.1.1.5.       if necessary, in order to pursue claims or defend against them - the legal basis for processing data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in the protection of the Administrator's rights;

4.1.1.6.       for marketing purposes related to the activity of the Administrator - the rules for the processing of Personal data for marketing purposes are described in detail in point 4.5. below.

4.1.2.    The User's activity on the Website, including their Personal data, is recorded in server logs. The information stored in the logs is processed in connection with the provision of services. The Administrator also processes the data for technical purposes; in particular, the data may be temporarily stored and processed to ensure the security and proper functioning of IT systems in situations such as creating back-up copies, testing changes in the IT systems, detecting irregularities, and protecting against violations and attacks.

4.2.  Registration on the Website

4.2.1.    Individuals who register on the Website are asked to provide data necessary to create and operate an account. For User's convenience, the User may provide additional data; by doing so, the User consents to its processing. Such data can be deleted at any time. Providing data marked as mandatory is required to create and operate an account; failure to provide mandatory data results in the inability to create an account. Providing additional data is voluntary.

4.2.2.    Personal data is processed:

4.2.2.1.       in order to provide services related to the maintenance and operation of an account on the Website - the legal basis for processing data is the necessity of processing data to perform an agreement (Article 6(1)(b) of the GDPR), considering optional data - the legal basis for processing data is consent (Article 6(1)(a) of the GDPR);

4.2.2.2.       for analytical and statistical purposes - the legal basis for processing data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in conducting analyses of Users' activity and preferences in order to improve the quality of provided services;

4.2.2.3.       if necessary, in order to pursue claims or defend against them - the legal basis for processing data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in the protection of the Administrator's rights;

4.2.2.4.       for marketing purposes related to the activity of the Administrator - the rules for the processing of Personal data for marketing purposes are described in detail in point 4.5. below.

4.2.3.    If the User wishes to enter any Personal data of other individuals on the Website (including their first and last name, address, phone number, or e-mail address), the User may do so only if they do not violate the applicable law and personal rights of these individuals.

4.3.  Making purchases

4.3.1.    Placing an order (purchase of goods) by the Website User involves the processing of their Personal data. Providing data marked as mandatory is required for an order to be accepted and processed; failure to provide mandatory data results in the order not being processed. Providing additional data is voluntary.

4.3.2.    Personal data is processed:

4.3.2.1.       in order to execute the placed order - the legal basis for processing data is the necessity of processing data to perform an agreement (Article 6(1)(b) of the GDPR), considering optional data - the legal basis for processing data is consent (Article 6(1)(a) of the GDPR);

4.3.2.2.       in order to fulfil the statutory obligations incumbent on the Administrator, which result in particular from tax and accounting regulations - the legal basis for processing data is legal obligation (Article 6(1)(c) of the GDPR);

4.3.2.3.       for analytical and statistical purposes - the legal basis for processing data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in conducting analyses of Users' activity and purchase preferences in order to improve the quality of provided services;

4.3.2.4.       if necessary, in order to pursue claims or defend against them - the legal basis for processing data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in the protection of the Administrator's rights;

4.3.2.5.       for purposes related to satisfaction analysis, which, in particular, is conducted by sending e-mail requests for reviews of purchased products and the quality of the service provided by the Administrator - the legal basis for processing data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in maintaining high quality of service and high level of User satisfaction.

4.4.  Contact forms

4.4.1.    The Administrator can be contacted electronically by the use of contact forms. To use the form, the User is required to provide Personal data necessary for contacting the Administrator. The User may also provide additional data to facilitate the communication with the Administrator. Providing data marked as mandatory is required in order for the inquiry to be accepted and processed; failure to provide mandatory data results in the inquiry not being processed. Providing additional data is voluntary.

4.4.2.    Personal data is processed:

4.4.2.1.       in order to identify the sender and process the inquiry sent via the provided form - the legal basis for processing data is the necessity of processing data to perform an agreement for the provision of services (Article 6(1)(b) of the GDPR);

4.4.2.2.       for analytical and statistical purposes - the legal basis for processing data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), which consists in storing information about inquiries submitted by Users via the Website in order to improve its functionality.

4.5.  Marketing

4.5.1.    The Administrator processes Users' Personal data in order to carry out marketing activities, which may include:

4.5.1.1.       showing the User marketing contents that are not tailored to their preferences (contextual advertising) - the legal basis for processing data is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR);

4.5.1.2.       showing the User marketing contents corresponding to their preferences (behavioural advertising) - in this instance, the processing of Personal data includes User profiling. The use of Personal data collected through this method for marketing purposes is based on the legitimate interest of the Administrator; additionally, the use of Personal data collected through this method takes place only if the User consents to the use of Cookies. Consent to the use of Cookies may be expressed through a particular browser configuration; the consent may be withdrawn at any time, in particular, by clearing the Cookies history or by disabling Cookies in the browser settings. The rules of using the so-called Cookies are described in detail in point 5. below.

4.5.1.3.       sending e-mail notifications about interesting offers or content, which may contain marketing information, and conducting other types of activities related to direct marketing of goods and services (sending marketing information by electronic means) - the basis for data processing is the legitimate interest of the Administrator, which consists in sending marketing information within the limits of the consent granted by the User (direct marketing). The User has the right to object to the processing of data for the purposes of direct marketing, including profiling. The data will be stored for the duration of the legitimate interest of the Administrator unless the User objects to receiving marketing information.

  1. Cookies

5.1.  The Website uses first-party and third-party Cookies due to the fact that some information about the User may be collected automatically. When using the Website, IT data about the visit, the so-called server logs, is also automatically collected.

5.2.  Cookies do not collect Personal data or any confidential information from the User's computer. The User's identity is not determined on the basis of Cookies.

5.3.  During the first visit on the Website, information about the use of Cookies and request for consent to the use of Cookies are displayed. By clicking 'I Agree', the User agrees to the use of Cookies. The User may change the Cookies settings at any time from the level of their browser, which also includes deleting Cookies. However, disabling Cookies may cause difficulties in using the Website. The User may use the incognito mode offered by web browsers; thus, Cookies will be deleted when the browser is closed.

5.4.  First-party Cookies are used to ensure the proper functioning of the Website. In particular, first-party Cookies improve the speed, security, and available features of the Website.

5.5.  The Website works with third parties, which may use Cookies or similar technologies. The Administrator's use of third-party Cookies is based on the legitimate interest of the Administrator, which consists in administering the Website, analysing data and marketing products and services.

5.6.  The Website uses Cookies from the following third parties:

5.6.1.    Google Analytics Cookies, social media Cookies

5.7.  In addition to Cookies, the Website may also collect data normally collected by Internet system administrators, the so-called server logs. Information included in the logs may include: IP address, date and time of visit on the Website, information about web browser and operating system, Internet provider, website address from which the User was redirected to the Website, and others. Logs are saved and stored on the server. Considering the so-called server logs, no data enabling the identification of the User is collected. The server logs are only used to facilitate administering of the Website; access to server logs is only granted to authorised individuals who administer the server.

  1. The scope of processing Personal data

6.1.  The Administrator processes the following User data:

6.1.1.1.       first name,

6.1.1.2.       last name,

6.1.1.3.       e-mail address,

1.1.1.1.       delivery address (street and number, postal code, city, country),

6.1.1.4.       phone number,

6.1.1.5.       if the User wishes to receive a VAT invoice - the data necessary to issue a VAT invoice (Tax Identification Number (NIP), name of the company).

  1. Personal data processing period

7.1.  The period of time in which the Administrator processes data depends on the type of service provided and the purpose of processing. As a general rule, data is processed: for the duration of the service or the execution of the order; until the consent to data processing is withdrawn or until a valid objection to data processing is raised in cases where the legal basis for data processing is the legitimate interest of the Administrator.

7.2.  The data processing period may be extended if the processing is necessary to pursue claims or defend against them. In such a case, data processing will be used to the extent required by law. After the processing period expires, the data is irreversibly deleted or anonymized.

  1. Recipients of Personal data

8.1.  In connection with the provision of services, the User's Personal data will be disclosed to external entities (hereinafter referred to as 'Processors'), which include the following: suppliers responsible for the operation of IT systems; entities such as banks and payment operators; entities providing accounting, legal, auditing, and consulting services; couriers (in connection with order execution); marketing agencies (in connection with marketing services); and entities related to the Administrator, such as business partners. With the consent of the User, their data may also be made available to other entities for their own purposes, which includes marketing.

8.2.  In the agreement with the Processor, the Administrator obliges the Processor to comply with the same data protection obligations which were imposed on the Administrator in the present Privacy Policy. The obligations include, in particular, ensuring the implementation of appropriate technical and organisational measures with the purpose of meeting the processing provisions of the GDPR.

8.3.  If the Processor fails to fulfil its data protection obligations, the Administrator is fully liable towards the User for the fulfilment of the obligations of the Processor.

8.4.  In accordance with the provisions of applicable law and relevant legal basis, the Administrator reserves the right to disclose selected information relating to the User to the competent authorities or third parties who request such information.

  1. Transfer of Personal data to third countries

9.1.  The level of Personal data protection outside the European Economic Area (EEA) differs from that provided by European law. Therefore, the Administrator transfers Personal data outside the EEA only when it is necessary. If Personal data is to be sent outside the EEA, the Administrator provides an adequate level of protection by:

9.1.1.    cooperating with Personal data processing entities in countries for which a relevant decision of the European Commission has been issued;

9.1.2.    using standard contractual clauses issued by the European Commission;

9.1.3.    using binding corporate rules approved by the competent supervisory authority.

9.2.  The Administrator always informs about the intention to transfer Personal data outside the EEA at the stage of collecting data.

  1. Profiling

10.1.            When carrying out marketing activities, the Administrator uses profiling in certain cases. Through automatic data processing, the Administrator evaluates selected factors related to natural persons in order to analyse their behaviour or create projections.

  1. Personal data security

11.1.            In order to ensure the integrity and confidentiality of data, the Administrator allows access to Personal data only to authorised individuals; the access is, moreover, limited to the extent that is necessary for the performance of their responsibilities.

11.2.            When processing the Personal data of Users, the Administrator uses organisational and technical measures in accordance with the applicable law, which includes encryption of the connection using an SSL certificate in order to ensure that all operations on Personal data are monitored and performed only by authorised individuals.

11.3.            The Administrator also takes all necessary steps to ensure that its subcontractors and other cooperating entities implement appropriate security measures when they process Personal data on behalf of the Seller.

11.4.            The Administrator conducts an ongoing risk analysis and monitors the adequacy of data security measures. If it is necessary, the Administrator implements additional measures to increase data security.

  1. Rights related to the processing of Personal data

12.1.            The User has the right to the following:

12.1.1. to access their Personal data,

12.1.2. to receive a copy of their Personal data,

12.1.3. to correct their Personal data,

12.1.4. to delete their Personal data,

12.1.5. to request to limit the processing of their Personal data,

12.1.6. to object to the processing of their Personal data,

12.1.7. to request to transfer their Personal data,

12.1.8. at any time, to withdraw consent to the processing of their Personal data. The withdrawal of consent does not affect the lawfulness of processing which occurred before the withdrawal of consent.

12.2.            In order to exercise the rights referred to in point 12.1. above, the User may contact the Administrator by sending a message to one of the addresses listed in point 2.2.2. of the present Privacy Policy.

12.3.            In the event that the User decides their data is being processed unlawfully, they have the right to lodge a complaint with a supervisory authority.

  1. Changes in the Privacy Policy

13.1.            The Privacy Policy is kept under constant review and may be updated if necessary.