Privacy Policy
Privacy Policy
This Privacy Policy (hereinafter referred to as the "Policy") provides information on how your personal data is processed in connection with the use of the "Pierce of Cake" online store, available at www.pierceofcake.pl (hereinafter referred to as the "Store").
Data Controller
The entity responsible for managing your personal data is Pierce of Cake Magdalena Młodzianko, with its registered office at ul. Śrutowa 17/1, 50-256 Wrocław, holding Tax ID (NIP): 8951856472 and Business Registry Number (REGON): 020620945 (hereinafter referred to as the "Controller").
Contact with the Controller
For any matters concerning the processing of personal data, you may contact the Controller via email at: [email protected].
Personal Data Protection Measures
The Controller uses modern organizational and technical measures to best protect your personal data and ensures that their processing complies with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (GDPR), the Act of 10 May 2018 on the Protection of Personal Data, and other applicable data protection regulations.
Information on Personal Data Processed
Using the Store requires the processing of your personal data. Below you will find detailed information regarding the purposes and legal grounds for this processing, the period for which the data will be processed, and whether the provision of data is mandatory or voluntary.
Conclusion and Performance of the Account Service Agreement
Personal data processed: first name, last name, email address, phone number, Account password created by the User, and optionally date of birth and gender.
Providing the above personal data (excluding the optional ones) is necessary to conclude and perform the Account Service Agreement (providing it is voluntary, however failure to provide it will prevent the conclusion of the agreement and creation of an Account).
The Controller will process this personal data until the statute of limitations for claims arising from the Account Service Agreement expires.
Conclusion and Performance of the Sales Agreement
Personal data processed: first name, last name, email address, phone number, residential or business address (street, house number, apartment number, city, postal code, country), optionally – company name and Tax ID (NIP) (if the Buyer is an Entrepreneur or an Entrepreneur with Consumer rights).
Providing the above personal data is necessary to conclude and perform the Sales Agreement (providing it is voluntary, but failure to provide this data will prevent the conclusion and performance of the Sales Agreement).
The Controller will store this personal data until the statute of limitations for claims arising from the Sales Agreement expires.
Conclusion and Performance of the Newsletter Service Agreement
Personal data processed: email address.
Providing this personal data is voluntary, but necessary to receive the Newsletter (failure to provide it will prevent subscription to the Newsletter).
The Controller will process this personal data until an effective objection is raised, the processing purpose is achieved, or the statute of limitations for claims arising from the Newsletter Service Agreement expires (whichever occurs first).
Providing Commercial Information by Phone (including via SMS)
Personal data processed: phone number.
Providing this data is voluntary, but necessary to receive commercial information by phone (if you do not provide it, you will not be able to receive commercial information via this channel).
The Controller will process this personal data until an effective objection is raised or until the processing purpose is achieved (whichever occurs first).
Organization of Contests and Promotions
Personal data processed: first name, last name, email address, phone number.
Providing this data is voluntary, but necessary to participate in a contest or promotional campaign (failure to provide it will prevent participation in these events).
The Controller will process this personal data until an effective objection is raised or until the processing purpose is achieved (whichever occurs first).
Handling the Complaint Procedure
Personal data processed: first and last name, email address.
Providing the above personal data is necessary to receive a response to a complaint or to exercise the rights granted to the Customer under the provisions concerning the Controller's liability in the event of non-conformity of physical goods with the Sales Agreement. Providing the data is voluntary, however failure to provide it will prevent obtaining a response to the complaint and the exercise of the indicated rights.
The Controller will process this data for the duration of the complaint proceedings, and in the case of exercising the aforementioned Customer rights – until they become time-barred.
Sending Email Notifications
Personal data processed: email address.
Providing this personal data is voluntary, but necessary to receive information regarding the performance of Agreements concluded with Customers (failure to provide this data will prevent the sending of such information).
The Controller will process this data until an effective objection is raised or until the processing purpose is achieved (whichever occurs first).
Handling Customer Inquiries
Personal data processed: first and last name, email address, and other information contained in the message to the Controller.
Providing this personal data is voluntary, but necessary to obtain a response to the inquiry (failure to provide it will prevent a response from being given).
The Controller will process this data until an effective objection is raised or until the processing purpose is achieved (whichever occurs first).
Publishing Product Reviews
Personal data processed: first name, optionally – other information contained in the review.
Providing this personal data is voluntary, but necessary to post a review (failure to provide it will prevent the review from being added).
The Controller will process this data until an effective objection is raised or until the processing purpose is achieved (whichever occurs first).
Publishing Image/Likeness
An image recorded in the form of a photograph will be displayed on the Store's website.
Submitting the image is voluntary and constitutes consent to its publication on the website.
The Controller will process the image until an effective objection is raised or until the processing purpose is achieved (whichever occurs first).
Fulfillment of Tax Obligations (including issuing VAT invoices, archiving accounting documentation)
Personal data processed: first and last name/company name, residential/registered address, Tax ID (NIP).
Providing this personal data is voluntary, but necessary for the Controller to fulfill tax obligations (failure to provide it will prevent the Controller from fulfilling these obligations).
The Controller will store this data for 5 years, counted from the end of the year in which the tax payment deadline for the given year passed.
Fulfillment of Obligations Related to the Protection of Personal Data
Personal data processed: first and last name, and the contact details you provided (email address, phone number, optionally date of birth and gender).
Providing this personal data is voluntary, but necessary for the Controller to properly perform obligations arising from data protection regulations, including the exercise of your rights under the GDPR (failure to provide this data will prevent the proper exercise of these rights).
The Controller will store this personal data until the statute of limitations for claims related to violations of data protection regulations expires.
Establishment, Pursuit, or Defense Against Claims
Personal data processed: first and last name/company name, email address, residential/registered address, PESEL number, Tax ID (NIP).
Providing this data is voluntary, but necessary to establish, pursue, or defend against claims arising from the performance of agreements concluded with the Controller (failure to provide it will prevent the Controller from taking such actions).
The Controller will process this personal data until the statute of limitations for claims related to the performance of agreements concluded with the Controller expires.
Analysis of Your Activity in the Store
Personal data processed: date and time of visit, device IP address, operating system type, approximate location, web browser type, time spent in the Store, products viewed, pages visited, and other actions taken.
Providing this data is voluntary, but necessary for the Controller to obtain information about your activity in the Store (failure to provide it will prevent the Controller from obtaining this information).
The Controller will process this data until an effective objection is raised or until the processing purpose is achieved.
Store Management
Personal data processed: IP address, date and time of connection to the server, information about the web browser and operating system.
This data is automatically recorded in server logs each time the Store is used (administering the Store without this automatic log recording would not be possible).
Providing this data is voluntary, but necessary to ensure the proper functioning of the Store (failure to provide it will prevent it from functioning properly).
The Controller will process this personal data until an effective objection is raised or until the processing purpose is achieved.
Profiling
In order to create a marketing profile and direct personalized marketing content to you, the Controller will process your personal data in an automated manner, including through profiling – however, without producing any legal effects or significantly affecting your situation.
Profiling will cover data analyzed in the context of your activity in the Store as well as information stored in your Account.
The legal basis for processing personal data for this purpose is Article 6(1)(f) of the GDPR, which allows the Controller to process data in pursuit of its legitimate interests, such as conducting marketing activities tailored to recipients' preferences. Providing this data is voluntary, but necessary to achieve the above purpose (failure to provide it will prevent the conduct of marketing activities tailored to your preferences).
The Controller will process personal data for profiling purposes until an effective objection is raised or until the processing purpose is achieved.
Recipients of Personal Data
Personal data will be shared with the following external entities cooperating with the Controller:
- 1.hosting company;
- 2.courier companies;
- 3.online payment system providers;
- 4.newsletter service provider;
- 5.companies offering tools for analyzing Store activity and directing direct marketing (e.g. Google Analytics);
- 6.accounting firm.
Additionally, personal data may be shared with public or private institutions if required by applicable law, a final court judgment, or a final administrative decision.
Transfer of Personal Data to Countries Outside the EEA
In connection with the Controller's use of Google LLC services, your personal data may be transferred to the following countries outside the European Economic Area: the United Kingdom, Canada, the USA, Chile, Brazil, Israel, Saudi Arabia, Qatar, India, China, South Korea, Japan, Singapore, Taiwan (Republic of China), Indonesia, and Australia. The transfer of data to these countries is carried out on the basis of the following principles:
For the United Kingdom, Canada, Israel, and Japan – personal data is transferred based on a decision of the European Commission, which recognizes that these countries ensure an adequate level of data protection.
For the USA, Chile, Brazil, Saudi Arabia, Qatar, India, China, South Korea, Singapore, Taiwan (Republic of China), Indonesia, and Australia – the data transfer is carried out on the basis of contractual clauses that meet the requirements set out in the standard contractual clauses in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021, on the transfer of data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
You may request a copy of the data transferred to these third countries from the Controller.
Your Rights
In connection with the processing of your personal data, you have the following rights:
- 1.You have the right to find out what personal data of yours is being processed by the Controller and to receive a copy of it (the so-called right of access). The first copy is free of charge, while the Controller may charge a fee for subsequent copies;
- 2.If your personal data is outdated, incomplete, or otherwise incorrect, you have the right to request its correction;
- 3.
In certain situations, you may ask the Controller to delete your personal data, for example when:
- a)the data is no longer needed by the Controller for the purposes it informed you about;
- b)you have withdrawn your consent to data processing and the Controller has no other legal basis for processing it;
- c)the data is being processed unlawfully;
- d)deletion of the data is required by applicable law;
- 4.If personal data is processed based on your consent or for the performance of an Agreement, you have the right to transfer your data to another controller.
- 5.If your personal data is processed based on consent you have given, you have the right to withdraw that consent at any time. However, withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
- 6.If you believe that the personal data being processed is incorrect, that the processing is unlawful, or that the Controller no longer needs certain data, you may request that the Controller temporarily stop processing this data, limiting itself only to storing it (e.g. for the time needed to verify the accuracy of the data or to pursue claims).
- 7.You have the right to object to the processing of personal data if it is being processed on the basis of the Controller's legitimate interest. In the event of an effective objection, the Controller will stop processing the data for that purpose.
- 8.You have the right to file a complaint with the President of the Personal Data Protection Office (UODO) if you believe that the processing of your personal data violates GDPR provisions.
Final Provisions
In matters not regulated by this Policy, the generally applicable provisions of law concerning the protection of personal data shall apply.