PRIVACY POLICY

www.kolibry.garden

This privacy policy has been prepared in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Official Journal of the European Union No. L 119/1 of 4 May 2016; hereinafter referred to as GDPR). This document is primarily intended to fulfill the information obligation specified in Articles 13 and 14 of the GDPR.

1. Definitions

We use the following terms in this privacy policy:

1. Website – the website operated by Kolibry Garden, available at www.kolibry.garden.
2. We, the Administrator, Kolibry Garden – AM Sp. z o.o. with its registered office at ul. Zamknięta 10, apt. 1.5, 30-554 Kraków, NIP: 1060003008, REGON: 120674671, e-mail address: shop@kolibry.garden.
3. You, Customer, User – any natural person whose personal data is processed by Kolibry Garden in connection with the use of the Website.

2. Who is the data controller?

Data Controller is the entity that determines the purposes and methods of personal data processing. The controller of your personal data is Kolibry Garden (AM Sp. z o.o., ul. Zamknięta 10, lok. 1.5, 30-554 Kraków, e-mail: shop@kolibry.garden).

3. Whose personal data do we process?

As part of our business, we primarily process personal data of Website users. The scope of this data is always tailored to the specific purposes of its processing and the type of services provided.

4. What data do we collect through the Website and for what purposes do we use it?

The scope of personal data collected and the purposes of its processing depend on the functionalities you use on the Website. In particular, this includes the following situations:

1. Browsing the Website

What data do we collect?

When using the Website, data is automatically saved in the form of server logs, where the user is identified by the URL address. This information includes in particular:

• time of receipt of the request,
• time of sending the response by the server,
• name of the user's end device – identification within the HTTP protocol,
• information about errors occurring during the execution of HTTP requests,
• URL address of the previously visited page (referrer) – if the Website was accessed via a link,
• data about the user's web browser,
• the user's IP address.

For what purpose do we process data?

This data is used to manage and maintain the server on which the Website operates, as well as to conduct statistical analyses of user traffic.

Do you need toprovide us with your data?

Providing your data is voluntary, but it is necessary to ensure the proper operation of the Website and its functionality.

On what legal basis do we process your data?

Data processing is based on:

• Article 6, paragraph 1, letter a) of the GDPR b GDPR – in connection with the performance of a contract for the provision of electronic services, consisting in providing access to the Website,
• Article 6, paragraph 1, letter f GDPR – based on our legitimate interest in ensuring the proper operation of the Website and making it available to users.

Who can we share your data with?

Personal data may be transferred to third parties only in situations required by law or when we have an appropriate basis for doing so. Recipients of data may include, in particular:

• entities operating IT infrastructure and IT systems,
• hosting service providers,
• subcontractors supporting the implementation of services provided to you.

How long will we process your data?

Data will be stored for the period necessary to fulfill concluded contracts or for the duration of our legitimate legal interest. In any case, this period will not be shorter than the duration of your use of the Website.

Please note that if the basis for data processing is our legitimate interest, you have the right to object to further data processing – in accordance with section 8 of this policy.

2. Newsletter

• What data do we collect?

We collect the user's email address.

• For what purposes do we process the data?

The data is processed for marketing purposes related to newsletter distribution, including providing information about offers, current promotions, contests, loyalty programs, and other marketing activities.

• Do you have to provide us with your data?

Providing your data is voluntary, but necessary to receive the newsletter.

• On what legal basis do we process your data?

Processing is based on:

• Article 6, paragraph 1, letter a of the GDPR – i.e., on the basis of consent to receive the newsletter, granted, among other things, by completing a form on the Website and clicking the confirmation button (e.g., "Subscribe"), checking the appropriate checkbox when placing an order or registering, or in another equivalent manner.

You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To do so, you can contact us by sending a message to: shop@kolibry.garden.

• Who can we share your data with?

Personal data may be transferred to third parties only in cases required by law or when we have an appropriate basis for doing so. Data recipients may include, in particular:

• entities operating our IT infrastructure,
• hosting service providers,
• subcontractors supporting the newsletter distribution.

• How long will we process your data?

The data will be processed until you withdraw your consent to receive the newsletter.

3. SMS Notifications

• What data do we collect?

We collect your phone number.

• For what purpose do we process data?

The data is used for marketing purposes related to sending text messages, in particular information about offers, current promotions, contests, loyalty programs, and other promotional activities.

• Do you have to provide us with your data?

Providing your data is voluntary, but it is necessary to receive SMS notifications.

• On what legal basis do we process your data?

Processing is based on:

• Article 6, paragraph 1, letter a of the GDPR – i.e., consent to receive SMS notifications, granted, among other things, by completing a form on the Website and clicking the confirmation button (e.g., "Sign up"), checking the appropriate box during registration or placing an order, or in another equivalent manner.

You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To do so, you can contact us at: shop@kolibry.garden.

• Who can we share your data with?

Personal data may only be transferred in cases required by law or when we have an appropriate legal basis for doing so. Data recipients may include, in particular:

• entities operating IT infrastructure and IT systems,
• hosting service providers,
• subcontractors sending SMS notifications.

• How long will we process your data?

The data will be processed until you withdraw your consent to receive SMS notifications.

4. Placing an order without registering an account on the Website

• What data do we collect?

We collect the data necessary to fulfill the order, in particular: name and surname, address, delivery address (if different from the main address), email address, telephone number, and in the case of entrepreneurs, also Tax Identification Number and company name.

• For what purposes do we process data?

Data is processed for the following purposes:

• fulfilling orders, including sending emails, delivering goods, and handling complaints,
• tailoring the content of the Website to the user's preferences based on their activity, including product or service recommendations,
• marketing Kolibry Garden products and services, including providing information about offers, promotions, contests, and loyalty programs,
• conducting correspondence using various communication channels, such as email, traditional mail, or instant messaging,
• creating analyses, summaries, and statistics, including marketing research and service development planning,
• pursuing claims or defending against potential claims.

• Do you have to provide us with your data?

Providing your data is voluntary, but failure to provide it prevents you from fully using the Website, including placing orders.

• On what legal basis do we process your data?

Processing is based on:

• Article 6 paragraph 1 letter b GDPR – performance of the sales or service provision contract concluded via the Website,
• Article 6 paragraph 1 letter c GDPR – legal obligations arising in particular from tax, accounting, and archiving regulations,
• Article 6 paragraph 1 letter c GDPR f GDPR – the legitimate interest of the controller, including the activities indicated above in the sections regarding data processing.

• Who can we share your data with?

Data may only be transferred in cases required by law or when we have an appropriate legal basis. Data recipients may include, in particular:

• entities operating IT infrastructure and systems,
• hosting service providers,
• subcontractors fulfilling orders,
• courier companies, carriers, payment operators, and experts in complaint processes,
• entities providing auditing, advisory, legal, tax, and accounting services,
• purchasers of receivables related to transactions on the Website – in the case of assignment of receivables, in particular in the case of payment arrears.

• To whom may we disclose your data?

Data may be disclosed only in cases provided for by law or when we have an appropriate legal basis. Data recipients may include in particular:

• entities operating IT infrastructure and IT systems,
• hosting service providers,
• subcontractors fulfilling orders,
• courier companies, carriers, payment operators and experts in complaint procedures,
• entities providing audit, advisory, legal, tax and accounting services,
• purchasers of receivables related to transactions in the Service – in the event of assignment of receivables, in particular in case of payment arrears.

• How long will we process your data?

The data retention period depends on the legal basis for processing and includes:

• the time necessary to perform the contract and the limitation period for related claims,
• the period of legal obligations resulting from legal provisions,
• the duration of the legitimate interest of the controller.

Remember that in the case of processing based on legitimate interest, you have the right to object in accordance with point 8 of this policy.

5. Accounts in the Service and placing orders using an Account

• What data do we collect?

We collect data necessary for registration and operation of the Account in the Service, in particular: first and last name, address, delivery address (if different), e-mail address, phone number, login, password, and in the case of entrepreneurs also VAT ID and company name.

• For what purpose do we process the data?

The data is processed for the following purposes:

• performance of the contract for the provision of electronic services consisting in creating and maintaining an Account in the Service,
• fulfillment of orders placed via the Account, including sending e-mails, delivery of goods and handling complaints,
• adjusting the Service content to user preferences based on their activity, including product and service recommendations,
• conducting marketing activities related to products and services of Kolibry Garden, including informing about offers, promotions, contests and loyalty programs,
• conducting correspondence using various communication channels such as e-mail, traditional mail and online communicators,
• creating analyses, summaries and statistics, including marketing research and service development planning,
• pursuing claims or defending against potential claims.

• Do you have to provide your data?

Providing data is voluntary, however it is a condition for creating an Account and using its functionalities.

• On what legal basis do we process your data?

Processing is based on:

• Art. 6(1)(b) GDPR – performance of a contract for the provision of Account services and fulfillment of orders placed through the Service,
• Art. 6(1)(c) GDPR – legal obligations resulting in particular from tax, accounting and archiving regulations,
• Art. 6(1)(f) GDPR – legitimate interest of the controller, covering the activities indicated above in the scope of data processing.

• To whom may we disclose your data?

Personal data may be disclosed only in cases provided for by law or when we have an appropriate legal basis. Data recipients may include in particular:

• entities operating IT infrastructure and IT systems,
• hosting service providers,
• subcontractors fulfilling orders,
• courier companies, carriers, payment intermediaries and experts in complaint procedures,
• entities providing audit, advisory, legal, tax and accounting services,
• purchasers of receivables arising from transactions concluded in the Service – in the event of their assignment, in particular in case of payment arrears.

• How long will we process your data?

The data processing period depends on the legal basis and includes:

• the time necessary to perform the contract concluded via the Service and the limitation period for claims arising from it,
• the duration of legal obligations resulting from legal provisions,
• the duration of the legitimate interest of the controller.

Remember that in the case of processing based on legitimate interest, you have the right to object to further data processing in accordance with point 8 of this policy.

6. Cookies

The cookie policy constitutes Annex No. 1 to this Privacy Policy.

• Can data be processed in processes involving automated decision-making, including “qualified” profiling?

Currently, we do not use processes involving automated decision-making that would produce legal effects for users or otherwise significantly affect their situation.

If such mechanisms are implemented in the future, we will ensure their compliance with applicable law, in particular with Article 22 GDPR.

• Can your personal data be transferred outside the European Economic Area (EEA)?

Currently, we do not plan to transfer your data outside the European Economic Area (EEA). However, we do not exclude that this may be necessary in the future.

In such a case, the data will be properly secured in accordance with applicable law, in particular through the use of standard contractual clauses (SCC).

7. What rights do you have in connection with data processing?

In connection with the processing of your personal data, you have certain rights which you may exercise at any time. In particular, you have the right to submit a request for:

1. access to data – obtaining information about data processing or receiving a copy thereof,
2. rectification of data – correcting incorrect or outdated information,
3. restriction of processing – suspension of operations on data or limitation of its use,
4. erasure of data – the so-called “right to be forgotten”,
5. data portability – transferring data to another controller.

The above requests may be submitted in the manner indicated in point 11 of this policy and will be considered in accordance with applicable law, in particular Articles 15–20 GDPR.

8. Right to object

Regardless of the above rights, you have the right to object to the processing of personal data carried out on the basis of the legitimate interest of the controller.

In case of objection:

1. if the data is processed for marketing purposes – we will immediately cease further processing,
2. if processing is based on another legitimate interest – we will cease processing unless we demonstrate that:
   
   
   • our interest overrides your interests, rights and freedoms, or
   • there are grounds for establishing, pursuing or defending claims.

You may exercise your right to object in particular by sending an appropriate statement in the manner indicated in point 11 of this policy.

9. Complaint to the supervisory authority

If you believe that the processing of your personal data violates applicable law, you have the right to lodge a complaint with the supervisory authority, i.e. the President of the Personal Data Protection Office (PUODO).

Current PUODO contact details are available in particular at: https://uodo.gov.pl/pl/p/kontakt.

10. Place of publication and updates of the privacy policy

This privacy policy may be subject to periodic changes. Each current version will always be available on the Service website at: www.kolibry.garden.

11. How can you contact us?

If you have any questions regarding how your personal data is used, you may contact us by phone, e-mail or by post using the contact details below:

Kolibry Garden (AM Sp. z o.o.)
ul. Zamknięta 10, lok. 1.5
30-554 Kraków
with the note: “personal data protection”

tel.: 797 818 888
e-mail: shop@kolibry.garden

Annex No. 1 to the Privacy Policy – Rules for the use of COOKIES

§1

This Policy defines the rules regarding the storage of information by the Administrator and access to information already stored on the Client’s devices in the form of Cookies.

All terms defined in the Privacy Policy retain their meaning also for the purposes of this Cookies Policy. Additionally, the following terms are given the following meanings:

• Cookies – IT data, in particular small text files, stored and saved on the end device through which the Client uses the Service. Cookies usually contain the name of the website from which they originate, the duration of their storage and a unique identifier,
• First-party Cookies – Cookies placed by the Administrator in connection with the provision of services electronically via the Service,
• Third-party Cookies – Cookies placed by third parties via the Service,
• Policy – this Cookies Policy constituting Annex No. 1 to the Privacy Policy,
• Device – an electronic device through which the Client accesses the Service.

§2

1. The Administrator, via Cookies, stores information on the Client’s Device or gains access to information already stored – in accordance with the rules set out in this Policy.
2. The Administrator uses the following types of Cookies:
• session cookies – stored on the Client’s Device only until the end of a given browser session. After it ends, the stored information is permanently deleted from the Device memory.
• persistent cookies – stored on the Client’s Device for the time specified in their parameters or until they are manually deleted. Closing the browser or turning off the Device does not delete them.
3. The use of Cookies by the Administrator does not cause changes in the configuration of the Client’s Device or the software installed on that Device.

§3

1. The Administrator uses First-party Cookies to adapt the content of the Service to the preferences and needs of the User, in particular taking into account the type of device used by the User.
   
   
   • “essential” cookies – enabling the use of services available within the Service, including authentication cookies used for functionalities requiring login;
   • security cookies – used to ensure the protection of the Service, including detecting abuse in authentication processes;
   • “performance” cookies – used to collect information on how Users use the Service;
   • “functional” cookies – enabling the storage of User settings and personalization of the interface, including e.g. language selection, region, font size or website appearance;
   • “advertising” cookies – enabling the presentation of advertising content tailored to the User’s interests.
     
     
2. As part of the use of Cookies, the Administrator uses the following tools and services:
   
   
   • Google Analytics – an analytical tool under which, upon opening the Service, information about users is processed, including data based on the IP address. Detailed information is available at: https://policies.google.com/technologies/types?hl=pl.
   • Google Ads and Facebook Ads – remarketing tools used to tailor advertisements to Users’ interests and display them in advertising networks of providers (Google and Meta/Facebook), including their partners.
   • Microsoft Clarity – a tool used to analyze user behavior in the Service to optimize it and improve user experience. The service is provided by Microsoft Corporation.
     Microsoft Clarity records user visits and allows their activity to be reproduced in the form of recordings and heatmaps. The tool does not allow the Administrator to identify the User, as it does not process data from forms containing personal data.
     To operate, Microsoft Clarity uses a tracking code utilizing Cookies of Microsoft Corporation. The data collected in this way is pseudonymized and is not used for direct user identification.
     
     

   Detailed information regarding data processing:

   • Google: https://policies.google.com/technologies/types?hl=pl
   • Facebook: https://www.facebook.com/policy/cookies/
   • Microsoft Clarity: https://clarity.microsoft.com/privacy
     
     
3. In connection with the use of Cookies, the Administrator processes only statistical data regarding activity in the Service. Personal data such as name, surname or address are not collected or recorded in this process.

§4

1. The Client may limit or disable access of Cookies to their Device in the web browser settings or through service configuration – in particular in such a way as to block automatic handling of Cookies or inform about each placement of Cookies on the Client’s Device.

   A description of the necessary actions can be found on the manufacturers’ websites, e.g.:

   • Mozilla Firefox: https://support.mozilla.org/pl/kb/W%C5%82%C4%85czanie%20i%20wy%C5%82%C4%85czanie%20obs%C5%82ugi%20ciasteczek
   • Google Chrome: https://support.google.com/accounts/answer/61416?co=GENIE.Platform%3DDesktop&hl=pl
   • Microsoft Edge: https://privacy.microsoft.com/pl-pl/windows-10-microsoft-edge-and-privacy
     
     
2. The Client may delete Cookies at any time.
   
   
3. Limiting the use of Cookies may affect some functionalities available on the Service website.