Privacy Policy

Thank you for visiting our web Site’s page available at http://bodychief.pl (hereinafter referred to as: "BodyChief Web Site" or “Internet-based Service” or "Web Site") or using our BodyChief application (hereinafter referred to as: "BodyChief application" or "Application"). BodyChief Web Site and BodyChief application are referred to collectively as "BodyChief". By means of BodyChief, it is possible to order the service of preparation and delivery of meals shown on the Web Site or in the Application as part of dietetic catering provided by the BodyChief owner (hereinafter referred to as: "Service" or "Diet").

 

TThis policy serves an informative purpose; thus, it is not a source of obligations for persons using BodyChief. The privacy policy contains mostly the principles of processing personal data by the BodyChief’s Data Controller, including the grounds, purposes and scope of the personal data processing and the rights of data subject, as well as information on the use of cookie files and analytical tools by BodyChief.

Please read the privacy policy,

BodyChief team

 

TABLE OF CONTENTS:

 

  1. GENERAL PROVISIONS
  2. BASES OF THE DATA PROCESSING
  3. PURPOSE, BASIS, PERIOD AND SCOPE OF PROCESSING OF DATA IN THE INTERNET -BASED SERVICE/ ON THE WEB SITE
  4. THE RECEIVERS OF DATA IN THE INTERNET-BASED SERVICE/ WEB SITE
  5. PROFILING IN THE INTERNET-BASED SERVICE/ WEB SITE
  6. RIGHTS OF DATA SUBJECTS
  7. COOKIES IN THE INTERNET BASED SERVICE/ WEB SITE, OPERATING DATA AND ANALYTICS
  8. FINAL PROVISIONS.

 

 

1) GENERAL PROVISIONS

  1. The present privacy policy of the Internet-based Service/ Web Site has an informational nature what means that it is not a source of obligations for the recipients of the services of the Internet-based service/ Web Site. The privacy policy contains first of all the principles related to the processing of personal data by the Administrator in the Internet Service/ on the Web Site, including the bases, purposes and the scope of personal data processing as well as the rights of the persons to whom they are related and also information related to the use of cookie files in the Internet Service/ on the Web Site and of analytical tools.
  2. The administrator of the personal data, which are collected via the Internet-based Service/ Web Site is the company BODY CHIEF SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with registered office in Wysogotowo, Poland, entered in the Register of Entrepreneurs of the Polish National Court Register (KRS) under number KRS 0000713725, the registration court, in which the documentation of the company is kept is Sąd Rejonowy Poznań - Nowe Miasto i Wilda w Poznaniu [the District Court for Poznań - New Town and Wilda in Poznań], VIII Wydział Gospodarczy Krajowego Rejestru Sądowego [Eight Commercial Division of the National Court Register], which has the following address of its seat and the following mailing address: ul. Grzybowa 10, 62-081 Wysogotowo, Poland, share capital in the amount of 100.000 PLN, Polish Tax Identification Number NIP: 7792479825, Polish Statistical Identification Number REGON:369298976, e-mail address: [email protected], the additional e-mail addresses and contact telephone numbers are indicated on the Web Site in the bookmark/ tab „Contact” and in the Application under the Settings -> Contact tab – hereinafter referred to as „the Administrator” and being at the same time the Service provider of the Web Site and the Seller.
  3. The contact data of the Inspector responsible for data protection who was appointed by the Administrator: Arnold Paszta, mailing address: ul. Grzybowa 10, 62-081 Wysogotowo, Poland, e-mail address: [email protected].
  4. The personal data in the Internet-based Service/ on the Web Site are processed by the Administrator in accordance with the provisions of law being in force, in particular in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as „GDPR” or „General Data Protection Regulation”. The official text of the General Data Protection Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
  5. The use of the Internet-based Service/ Web Site, including the conclusion of contracts is voluntary. Similarly the indication of personal data, which is connected with it, by the Recipient of Services who uses the Internet-based Service/ Web Site is voluntary subject to two exceptions: (1) conclusion of the contracts with the Administrator - the non-provision in the cases and within the scope indicated on the site of the Internet-based Service or in the Application and in the Regulations of the Internet-based Service/ Web Site and in the present privacy policy, of personal data being indispensable for the conclusion and for the execution of the contract for the provision of the Service or of the Electronic Service with the Administrator results in the lack of possibility of concluding the said contract. The indication of personal data is in such a case a contractual requirement and if the person to whom the data are related, wants to conclude the given contract with the Administrator, this person is obligated to indicate the required data. Each time the scope of data being required for the conclusion of the contract is indicated previously on the page of the Internet-based Service/ Web Site or in the Application and in the Regulations of the Internet-based Service/ Web Site; (2) the statutory obligations of the Administrator - the indication of personal data is a statutory requirement resulting from the provisions of law being generally in force, which impose the obligation on the Administrator to process the personal data (for example the processing of data in order to keep the accounting books) and their non-indication will make it impossible for the Administrator to fulfil the said obligations.
  6. The Administrator pays the utmost care in order to protect the interests of the persons to whom the personal data being processed by the Administrator are related and in particular the Administrator is responsible for and ensures that the data collected by the Administrator, are: (1) processed in accordance with law; (2) collected for designated purposes, which are compliant with law, are not subjected to further processing not being compliant with the said purposes; (3) are correct from the point of view of the substance and are adequate for the purposes for which they are being processed; (4) kept in a form allowing the identification of persons to whom they are related, not longer that it is indispensable for the achievement of the goal of the processing and (5) processed in a manner which assures the appropriate security of the personal data, including the protection against non-permitted processing or such a processing which is not compliant with law or against accidental loss, destruction or damage, with use of appropriate technical or organisational means.
  7. While taking into account the nature, the scope, the context and the purposes/ goals of processing as well as the risk of infringement of the rights or of freedoms of natural persons with different probability and importance of the threat, the Administrator implements appropriate technical and organisational means in order the processing takes place in accordance with the present regulation and in order to be able to demonstrate it. These means are subjected to review and to updates if the need arises. The Administrator uses technical means, which prevent the acquisition and modification of personal data, which are sent electronically, by unauthorised persons.
  8. Any words, expressions and acronyms, which appear in the present privacy policy and which begin with a capital letter (for example Service provider, Internet-based Service/ Web Site, Electronic Service, Bodychief, Application) have to be understood in accordance with their definition which is contained in the Regulations of the Internet-based Service/ Web Site, which are available on the pages of the Internet-based Service/ Web Side or in the Application.

 

2) BASES OF THE DATA PROCESSING

  1. The Administrator is authorised to process the personal data in the cases when - and within such a scope, in which at least one of the following conditions is met: (1) the person to whom the data are related, has expressed the consent to the processing of his/ her personal data for one purpose or for a bigger number of purposes; (2) the processing is indispensable for the execution of the contract to which such a person to whom the data are related is a party or for the taking of actions at the demand of the person to whom the data are related, before the conclusion of the contract; (3) the processing is indispensable for the fulfilment of the legal obligation being incumbent on the Administrator; Or (4) the processing is indispensable for the purposes resulting from legally justified interests being realised by the Administrator or by a third party, with exception of such a situation, in which the interests or the basic rights and freedoms of the person to whom the data are related have a superior nature in relation to these interests and they require the protection of personal data, in particular when the person to whom the data are related, is a child.
  2. The processing of personal data by the Administrator requires each time the existence of one of the bases indicated in point 2.1 of the privacy policy. The concrete bases of the processing of personal data of the recipients of the services of the Internet-based Service/ Web Site by the Administrator are indicated in the next successive point of the privacy policy - in relation to a given purpose of the processing of data by the Administrator.

 

3) PURPOSE, BASIS, PERIOD AND SCOPE OF PROCESSING OF DATA IN THE INTERNET -BASED SERVICE/ ON THE WEB SITE

  1. Each time the purpose, the basis, the period and the scope and the recipients of personal data being processed by the Administrator result from the actions being taken by a given Recipient of services or by the Client in the Internet-based Service/ Web Site. To give an example, if the Client decides to make purchases in the Internet-based Service/ on the Web Site and does not provide any data concerning their health (e.g. food allergies), then his/ her personal data will be processed in order to perform the concluded contract, but they will not be processed within the scope of health-related data due to the fact that they were not provided by the Client.
  2. The Administrator may process the personal data in the Internet-based Service/ on the Web Site for the following purposes, on the following bases, in the following periods and within the following scope:

 

 

Purpose of the data processing The legal basis of the processing and the period of the storage of data The scope of the processed data

The execution of the contract for the provision of the Service or of the Electronic Service or the taking of actions at the demand of the person to whom the data are related, before the conclusion of the above-mentioned contracts

Article 6 paragraph 1 letter b) of the General Data Protection Regulation (execution of the contract) and article 9 paragraph 2 letter a) of the General Data Protection Regulation (consent - it is related to the processing of the data related to health)

The data are stored during a period being indispensable for the execution, for the dissolution or for the expiry in another way of the concluded contract.

The maximal scope: first name and surname, e-mail address, contact telephone number, password and the data related to the provision of possible Services: address of the Service (street, number of the house/ flat, postal ZIP, locality: town/ village), address of the deliveries on the weekend/ on public holidays, code to the entrance phone and in case of Clients who have provided these data - the data related to health (i.e. health data provided in order to take account of it during the performance of the Service: information on health troubles, including alimentary allergies and other diseases which require the elimination or limitation of consumption of specific products, and, in the case of data provided when using selected functionalities of the Bodychief Application, in order to enable the use of additional functionalities of the Bodychief Application using the above-mentioned data: date of birth, height, weight and physical activity information).

In case of Recipients of services or of Clients who are not consumers, the Administrator may process in addition the business name of the company, the address of the conduct of the business/ of the registered office and the tax identification number (NIP) of the Recipient of the service or of the Client.

The indicated scope is the maximal scope.

Direct marketing

Article 6 paragraph 1 letter f) of the General Data Protection Regulation (legally justified interest of the administrator)

The data are kept during the period of the existence of the legally justified interest being realised by the Administrator, not longer, however, than during the prescription of claims in relation to the person to whom the data are related, on account of the business activity conducted by the Administrator. The prescription is defined by the provisions of law, in particular of the Civil Code (the basic term of prescription for claims connected with the conduct of business activity amounts to three years and for a contract of sale it amounts to two years).

The Administrator may not process the data for the purpose of direct marketing in case of the expression of an effective objection in this respect by the person to whom the data are related.

The maximal scope: first name and surname, address, e-mail address, contact telephone number and the history of the purchases made in the Internet-based Service/ on the Web Site so far.

If the Administrator uses scripts and/or advertising pixels of external websites (such as Facebook, Google or TikTok) for marketing purposes directly, the Administrator may process the following data related to the device or person using BodyChief:

  1. time information (e.g. event time),
  2. service information (e.g. country),
  3. website information (e.g. website type),
  4. product information (e.g. digital barcode),
  5. browser information (e.g. browser version),
  6. device information (e.g. advertising ID),
  7. purchase information (e.g. cart value),
  8. marketing information (e.g. ad click ID),
  9. personal data (e.g. IP address, e-mail address),
  10. behavioural data (e.g. browsing behaviour).

Marketing of the services and products of the Administrator

Article 6 paragraph 1 letter a) of the General Data Protection Regulation (consent)

The data are stored until the moment of the withdrawal of the consent by the person to whom the data are related, to the further processing of his/ her data for this purpose.

The maximal scope: first name and surname, address (street, number of the house/ flat, postal ZIP, locality: town/ village), e-mail address, contact telephone number and the history of the purchases made in the Internet-based Service/ on the Web Site so far.

If the Administrator uses scripts and/or advertising pixels of external websites (such as Facebook, Google or TikTok) for marketing purposes directly, the Administrator may process the following data related to the device or person using BodyChief:

  1. time information (e.g. event time),
  2. service information (e.g. country),
  3. website information (e.g. website type),
  4. product information (e.g. digital barcode),
  5. browser information (e.g. browser version),
  6. device information (e.g. advertising ID),
  7. purchase information (e.g. cart value),
  8. marketing information (e.g. ad click ID),
  9. personal data (e.g. IP address, e-mail address),
  10. behavioural data (e.g. browsing behaviour).

Marketing of the services and products of the partners of the Administrator

Article 6 paragraph 1 letter a) of the General Data Protection Regulation (consent)

The data are stored until the moment of the withdrawal of the consent by the person to whom the data are related, to the further processing of his/ her data for this purpose.

The maximal scope: first name and surname, address (street, number of the house/ flat, postal ZIP, locality: town/ village), e-mail address, contact telephone number and the history of the purchases made in the Internet-based Service/ on the Web Site so far.

Keeping of the accounting books

Article 6 paragraph 1 letter c) of the General Data Protection Regulation in connection with article 74 paragraph 2 of the Act of Parliament on accounting dated 30th January 2018 (Law gazette of 2018, item 395)

The data are stored during the period required by the provisions of law, which impose (the obligation) on the Administrator to keep the accounting books (five years starting from the beginning of the years, which follows the financial year to which the data are related).

The first name and the surname, the address of the residence/ of the conduct of business/ of the registered office (if it is different than the address of the delivery), business name of the company and the tax identification number (NIP) of the Recipient of the service or of the Client, number of the banking account (it is related to the situation when goods are returned).

The establishment, enforcement and defence of claims, which may be filed by the Administrator or against the Administrator

Article 6 paragraph 1 letter f) of the General Data Protection Regulation

The data are kept during the period of the existence of the legally justified interest being realised by the Administrator, not longer, however, than during the prescription of claims in relation to the person to whom the data are related, on account of the business activity conducted by the Administrator. The prescription is defined by the provisions of law, in particular of the Civil Code (the basic term of prescription for claims connected with the conduct of business activity amounts to three years and for a contract of sale it amounts to two years).

The maximal scope: first name and the surname, e-mail address, contact telephone number, password and the data related to the provision of possible Services: address of the Service (street, number of the house/ flat, postal ZIP, locality: town/ village), address of the deliveries on the weekend/ on public holidays, and in case of Clients who have provided these data - the data related to health (i.e. The information in health troubles, including alimentary allergies and other diseases which require the elimination or limitation of consumption of specific products), number of the banking account.

In case of Recipients of services or of Clients who are not consumers, the Administrator may process in addition the business name of the company, the address of the conduct of the business/ of the registered office and the tax identification number (NIP) of the Recipient of the service or of the Client.

The indicated scope is the maximal scope.

Using the BodyChief Website and ensuring its proper functioning

Article 6 paragraph 1 letter f) of the General Data Protection Regulation (legitimate interest of the administrator); processing is necessary for the purposes of the Administrator’s legitimate interests consisting in running and maintaining BodyChief.

The data are kept during the period of the existence of the legally justified interest being realised by the Administrator, not longer, however, than during the prescription of claims in relation to the person to whom the data are related, on account of the business activity conducted by the Administrator. The prescription is defined by the provisions of law, in particular of the Civil Code (the basic term of prescription for claims connected with the conduct of business activity amounts to three years and for a contract of sale it amounts to two years).

The maximal scope: IP number, location data, Website traffic source.

The indicated scope is the maximal scope.

Keeping statistics, doing research and analysing BodyChief Website traffic

Article 6 paragraph 1 letter f) of the General Data Protection Regulation (legitimate interest of the administrator); processing is necessary for the purposes of the Administrator's legitimate interests consisting in keeping statistics and analysing traffic on the BodyChief Website in order to improve its functioning and increase the sales of the Services.

The data are kept during the period of the existence of the legally justified interest being realised by the Administrator, not longer, however, than during the prescription of claims in relation to the person to whom the data are related, on account of the business activity conducted by the Administrator. The prescription is defined by the provisions of law, in particular of the Civil Code (the basic term of prescription for claims connected with the conduct of business activity amounts to three years and for a contract of sale it amounts to two years).

The maximal scope: sources and methods of acquiring BodyChief Website visitors and their behaviour on the Website or in the Application, information on devices and web browsers used to visit the BodyChief Website, geographic data and demographic data (age, gender) and interests, device IP address, device screen size, device type (unique device identifiers), web browser information and the preferred language used to display the BodyChief Website.

The indicated scope is the maximal scope.

CCTV

Article 6 paragraph 1 letter f) of the General Data Protection Regulation (legitimate interest of the administrator); processing is necessary to ensure the safety of people staying at the Administrator's premises, and property protection. Monitoring is carried out 24 hours a day and covers the area of the Administrator's seat and the adjacent area.

CCTV recordings are stored during 30 days from the date of recording. CCTV monitoring is carried out with respect for the dignity and personal rights of the people concerned. Recorded materials will be used only in the above-mentioned purposes, and will be accessed only by persons authorized to the personal data processing and legal entities.

Each of the authorized persons is obliged to maintain the secrecy resulting from these materials.

In the case of the image recordings being evidence in legal proceedings or the Company learning that they may constitute evidence in proceedings, the time limit shall be extended until the proceedings are legally concluded.

The scope: image, appearance and clothing special features.

Recording telephone conversations in order to enable the Administrator to improve the quality of the Service

Article 6 paragraph 1 letter a) of the General Data Protection Regulation.
The processing of data requires consent, which is understood as a voluntary, specific, conscious, unambiguous indication of will by which the data subject, in the form of a statement or a clear affirmative action, consents to the processing of data concerning his or her personal information.
If the phone call is continued after listening to the message, it means that a "consent" is expressed by the contacting person.
Personal data are stored for a period of up to 62 days. After that time, personal data in the form of voice recordings and data transmitted using it are permanently deleted, unless there are premises referred to in article 17 paragraph 3 letter e) of the General Data Protection Regulation, i.e. the data subject applies for securing the recording for a period of up to 3 months to establish, pursue or defend claims. Within the above-mentioned deadlines, law enforcement authorities may also apply for securing the recording as part of criminal proceedings if the recording constitutes evidence in a case. The recording constituting evidence in the case is then stored until the final conclusion of the proceedings.

Scope: voice timbre, telephone number and data of the person registered by the recording device.

 

 

 

4) THE RECEIVERS OF DATA IN THE INTERNET-BASED SERVICE/ WEB SITE

  1. For the correct operation of the Internet-based Service/ Web Site, including the realisation/ execution of the contracts for the provision of services being concluded, it is necessary that the Administrator uses the services of external entities (such as for example the provider of software, the IT company or the entity, which services the electronic payments and the payments made with a pay card). The Administrator uses exclusively the services of such processing entities, which provide sufficient guarantees of the implementation of appropriate technical and organisational means so as the processing meets the requirements of the General Data Protection Regulation and so as to protect the rights of the persons to whom the data are related. The personal data are not transferred neither to any third-party state nor to any international organisation.
  2. The transmission of data by the Administrator does not take place in each case and it is not made to all the recipients or categories of recipients who are designated in the privacy policy - the Administrator transmits the data exclusively when it is indispensable for the realisation of a given purpose of processing of personal data and only within the scope being indispensable for its realisation/ execution.
  3. Personal data may be transferred by the Administrator to a third country, but the Administrator ensures that in such a case it will be performed in relation to a country ensuring the adequate level of protection, in accordance with the GDPR Regulation. The data subject may obtain a copy of his or her data. The Administrator provides the collected personal data only in the case and within the scope necessary to achieve a given purpose of data processing, in accordance with this privacy policy.
  4. The personal data of the Recipients of services and of Clients of the Internet-based Service/ Web Site may be transmitted to the following recipients or categories of recipients:
    1. Carriers/ forwarders/ courier brokers - in the case of a Client who uses, in the Internet-based Service/ on the Web Site, the mode of shipment being the delivery of a parcel by a courier, the Administrator makes the collected personal data of the Client available to the selected carrier, forwarder or intermediary who executes the delivery services at the request of the Administrator within the scope being indispensable for the realisation of the delivery of the Service to the Client.
    2. Payment service providers handling electronic payments or card payments - in the case of a Client who uses the method of electronic payment or card payment in BodyChief, the Administrator provides the collected personal data of the Client to the selected payment service provider handling the above-mentioned payments in BodyChief within the necessary scope and for purposes related to the provision of payment services linked to the payment made by the Client.
    3. Providers of dietetic services - in the case of the Client who had indicated data related to health (i.e. Information on health troubles, including alimentary allergies and other diseases, which require the elimination or limitation of the consumption of specific products), the Administrator may use the dietetic services within the scope being indispensable for the realisation/ execution of the Service.
    4. The providers of marketing services - marketing agencies, which assure support for the Administrator in the field of marketing actions.
    5. Providers of services who provide the Administrator with technical solutions, with IT solutions and with organisational solutions, which make it possible for the Administrator to conduct business activities, including the Internet-based Service/ Web Site and the Electronic Services provided through them (in particular providers of computer software for the operation of the Internet-based Service/ Web Site , IT companies and providers of e-mail and of hosting, CCTV and helpline platform, as well as providers of software for the management of the company, of the marketing actions, of the sending of the Newsletter and for the provision of technical assistance to the Administrator) - the Administrator makes the collected personal data of the Client or of the Recipient of the services available to the provider who acts at his request only in case and within the scope being indispensable for the realisation of a given purpose of the processing of data being compliant with the present privacy policy.
    6. The provider of accounting services, of legal services, of advisory/ consulting services and of translation services who assures the accounting support, the legal support, the consulting support or the linguistic support for the Administrator (in particular the accounting firm, the law office, the inspector responsible for the protection of data, the debt collection company or the translation agency) - the Administrator makes the collected personal data of the Client available to the provider who acts at his request only in case and within the scope being indispensable for the realisation of the given purpose of the processing of data being compliant with the present privacy policy.
    7. Providers of plugins, scripts and other similar tools placed in BodyChief which enable the browser or the device of the BodyChief visitor to download content from the providers of the aforementioned plugins (e.g. logging with social network login details) and/or transfer data regarding the device or the visitor (including personal data) to these providers (e.g. for the purpose of displaying advertisements on these external websites) including:
      1. Meta Platforms Ireland Ltd. - the Administrator may use Facebook or Instagram social plugins in BodyChief (e.g. logging with Facebook login details) and/or Facebook and Instagram advertising pixels and therefore collect and share data of the device or the person using BodyChief to Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland) within the scope and in accordance with the privacy policy available at: https://www.facebook.com/about/privacy/ and https://privacycenter.instagram.com/policy (the data contain information about activities in BodyChief, including information about the device, visited websites, purchases, displayed advertisements and the methods of using the services, regardless of whether the BodyChief user has a Facebook/Instagram account and is logged into their Facebook/Instagram account),
      2. Google Ireland Ltd. - the Administrator may use Google plugins in BodyChief (e.g. logging with Google login details) and/or Google advertising pixels and therefore collect and share data of the device or the person using BodyChief to Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) within the scope and in accordance with the privacy policy available at: https://policies.google.com/privacy?hl=pl (the data contain information about activities in BodyChief, including information about the device, visited websites, purchases, displayed advertisements and the methods of using the services, regardless of whether the BodyChief user has a Google account and is logged into their Google account),
      3. TikTok Technology Limited - the Administrator may use TikTok scripts and/or advertising pixels in BodyChief and therefore collect and share data of the device or the person using BodyChief to TikTok Technology Limited (10 Earlsfort Terrace, Dublin, D02 T380, Ireland) within the scope and in accordance with the privacy policy available at: https://www.tiktok.com/legal/privacy-policy?lang=pl (the data contain information about activities in BodyChief, including information about the device, visited websites, purchases, displayed advertisements and the methods of using the services, regardless of whether the BodyChief user has a TikTok account and is logged into their TikTok account),
      4. Twitter International Company - the Administrator may use Twitter scripts and/or advertising pixels in BodyChief and therefore collect and share data of the device or the person using BodyChief to Twitter International Company (1 Cumberland Place, Fenian Street, Dublin 2, Ireland) within the scope and in accordance with the privacy policy available at: https://twitter.com/privacy , regardless of whether the BodyChief user has a Twitter account and is logged into their Twitter account),
      5. Pinterest Europe Limited - the Administrator may use Pinterest scripts and/or advertising pixels in BodyChief and therefore collect and share data of the device or the person using BodyChief to Pinterest Europe Limited (2nd Floor Palmerston House, Fenian Street, Dublin 2 Dublin, Ireland) within the scope and in accordance with the privacy policy available at: https://policy.pinterest.com/pl/privacy-policy , regardless of whether the BodyChief user has a Pinterest account and is logged into their Pinterest account).

 

5) PROFILING IN THE INTERNET-BASED SERVICE/ WEB SITE

  1. The General Data Protection Regulation imposes the obligation on the Administrator to inform about the automated decision making, including the profiling, which is mentioned in article 22 paragraphs 1 and 4 of the General Data Protection Regulation as well as - at least in these cases - (to provide) relevant/ important information about the principles of their making and also about the meaning/ importance and forecast consequences of such processing for the person to whom the data are related. While bearing it in mind, the Administrator indicates in this point of the privacy policy the pieces of information being related to possible profiling.
  2. The Administrator may use in the Internet-based Service/ on the Web Site profiling for the purposes of direct marketing and after the expression of the prior consents - for the purpose of the marketing of the services and products of the Administrator as well as for the purpose of the marketing of the service and of the products of the partners of the Administrator, but the decisions, which are made on the basis of profiling by the Administrator, are not related to the conclusion or to the refusal to conclude a contract for the provision of the Service, to the possibility of using Electronic Services in the Internet-based Service/ on the Web Site or to the conclusion or to the refusal to conclude any other contract. The effect of the use of profiling in the Internet-based Service/ Web Site may be for example the granting of a discount to a given person, the sending of a discount code to this person, the reminding of unfinished purchases, the sending of a proposal of a Service, which may correspond to the interests or to the preferences of a given person, the proposal of better conditions in comparison with the standard offer, the giving of a present in connection with the celebrated occasion (for example birthday or Public Holidays) or of a prize for loyal purchases. Despite the profiling the given person makes his/ her decisions freely on whether he/ she will want to benefit from the discount offered in this way, from the present, from the prize, or from better conditions and on whether to make the purchase in the Internet-based Service/ on the Web Site or use the services or products of the partner of the Administrator.
  3. The profiling in the Internet-based Service/ on the Web Site consists in an automatic analysis or forecast of the behaviour of the given person on the Web Site of the Internet-based Service or in the Application, for example by adding a specific Service into the basket, in viewing a concrete page of the Web Site or also by means of the analysis of the history of the purchases made so far on the Web Site. The purpose of profiling is the provision of the most satisfying service to the Client, which corresponds in a precise way to his/ her individual needs and expectations. The condition of such profiling is the possession of personal data of the given person by the Administrator in order to be able to send a discount code to this person subsequently.
  4. The person to whom the data are related, has the right to not to be subjected to a decision which is based exclusively on the automated processing, including the profiling, and which results in legal consequences towards such a person or which has an important impact in a similar way on such a person.

 

6) RIGHTS OF DATA SUBJECTS

  1. The right to access, to rectify, to limit, to remove or to transfer - the person to whom the data are related, has the right to demand the administrator to give access to his/ her personal data, to rectify them, to remove them (“the right to be forgotten”) or to limit the processing and he/ she has the right to submit an objection to the processing and also, he/ she has the right to transfer his/ her data. The detailed conditions of the exercising of the rights mentioned above, are indicated in articles from 15 to 21 of the General Data Protection Regulation.
  2. The right to withdraw the consent at any time – the person whose data are being processed by the Administrator on the basis of the expressed consent (on the basis of article 6 paragraph 1 letter a) or of article 9 paragraph 2 letter a) of the General Data Protection Regulation has the right to withdraw the consent at any time without impact on the compliance of the processing with law which was made on the basis of such a consent before its withdrawal.
  3. The right to submit a complaint to the supervisory body – the person whose data are being processed by the Administrator, has the right to submit a complaint to the supervisory body in the manner and according to the procedure defined in the provisions of the General Data Protection Regulation and of Polish law, in particular of the Act of Parliament on the protection of personal data. The Supervisory Body in Poland is the President of the Office for the Protection of Personal Data.
  4. The right to object - the person to whom the data are related, has the right at any time to make an objection - due to reasons connected with his/ her specific situation - against the processing of the personal data related to him / her based on article 6 paragraph 1 letter e) (public interest or tasks) or f) (legally justified interest of the administrator), including the profiling on the basis of these provisions. In such a case the Administrator has not to process these personal data unless the Administrator demonstrates the existence of important legally justified bases for processing, which are superior to the interests, rights and freedoms of the person to whom the data are related or of bases of the establishment, enforcement or defence of claims.
  5. Right to object against direct marketing - if the personal data are processed for the needs of direct marketing, the person to whom the data are related, has the right at any time to make an objection against the processing of the personal data related to him/ her for the needs of such marketing, including profiling, within the scope, in which such processing in connected with such direct marketing.
  6. In order to realise the rights, which are mentioned in the present point of the privacy policy, one may contact the Administrator by means of sending an appropriate message in writing or by e-mail to the address of the Administrator or of the inspector responsible for the protection of data of the Administrator, which is indicated at the beginning of the privacy policy or by using the contact form, which is available on the page of the Internet-based Service/ Web Site and in the Application under the Settings -> Contact tab. In case of the withdrawal of the voluntary consent the person who gave the consent, may withdraw this consent at any time also by means of the authorisation of the withdrawal of the consent by using the link intended for the removal, which has been sent to the e-mail address allocated to the Account of the Recipient of the Services or of the Order placed in the capacity of “Guest”. The withdrawal of a compulsory consent (connected with the processing of data related to health) is connected with the necessity to cease to use the services of the Service provider on the principles indicated in the Regulations.

 

7) COOKIES IN THE INTERNET BASED SERVICE/ WEB SITE, OPERATING DATA AND ANALYTICS

  1. The Cookie files (cookies) are small textual pieces of information in the form of text files, sent by the server and recorded at the side of the person who visits the page of the Internet-based Service/ Web Site or using the Application (for example on the hard disk of a computer, of a laptop or on the memory card of a smart phone - depending on what device is used by the person who visits our Internet-based Service/ Web Site). The detailed information related to Cookies and also the history of their creation may be found among others here: https://en.wikipedia.org/wiki/HTTP_cookie.
  2. In BodyChief the Administrator provides a tool for easy and active management of Cookies - Cookiebot. Active management allows, among other things, to check what kind of Cookies are or may be saved while using BodyChief, as well as to select and subsequently change the scope and purposes of using Cookies connected with the device and the person visiting BodyChief. When beginning to use BodyChief, the visitor is asked to select Cookie settings by Cookiebot. It is possible to change them later by changing the settings within the Cookiebot available on the website. You can read more about this tool at: https://www.cookiebot.com/en/what-is-cookiebot/.
  3. In the privacy policy, the Administrator provides a number of information on the use of Cookies in BodyChief, their types and purposes of use and their management by, for example, web browser settings and the Cookiebot tool. The Administrator encourages you to use the Cookiebot tool, which allows you to easily and actively manage Cookies when using BodyChief.
  4. Cookies which might be sent by BodyChief can be divided into different types, according to the following criteria:

     

    Their supplier:

     

    1. own (created by the Website or the Administrator's Application) and
    2. belonging to third parties/entities (other than the Administrator).
    Their storage period on the device of the person visiting the Online Store website:

     

    1. session cookies (stored until you log out of BodyChief or turn off your web browser) and
    2. permanent cookies (stored for a specific time defined by the parameters of each file or until being manually deleted).
    The purpose of their use:

     

    1. necessary (enabling the proper functioning of BodyChief),
    2. functional/preferential (enabling the adjustment of BodyChief to the preferences of the visitor),
    3. analytical and performance (collecting information on the way BodyChief is used),
    4. marketing, advertising and social (collecting information about the person visiting BodyChief in order to display advertisements to that person, personalise them, measure their effectiveness and conduct other marketing activities, including activities on websites and in web applications separate from BodyChief, such as social networks or other websites belonging to the same advertising networks as BodyChief).

     

  5. The specific purposes of the processing of data contained in Cookies while using the BodyChief Website are indicated on an ongoing basis as part of the Cookiebot tool available in BodyChief. This is why they can be checked at any time. The Administrator informs that the data contained in Cookies while using the BodyChief Website may be processed, among others, for the following purposes:

     

    Purposes of using Cookies in BodyChief identification of Service Recipients as logged into BodyChief and showing that they are logged in (strictly necessary cookies)
    remembering Services added to the cart in order to place an Order (strictly necessary cookies)
    remembering data from completed Order Forms, surveys or BodyChief login data (strictly necessary and/or functional/preferential cookies)
    adapting the content of BodyChief to the individual preferences of the Service Recipient (e.g. colours, font size, page layout) and optimising the use of BodyChief (functional/preferential cookies)
    keeping anonymous statistics showing how BodyChief is used (analytical and performance cookies)
    displaying and rendering advertisements, limiting the number of advertisement displays and ignoring advertisements that the visitor of BodyChief does not want to see, measuring the effectiveness of advertisements, as well as personalising them, i.e. studying the behaviour of BodyChief visitors through anonymous analysis of their activities (e.g. repeated visits to specific pages, keywords, etc.) in order to create their profile and provide them with advertisements tailored to their expected interests, also when they visit other websites in the advertising network of Google Ireland Ltd., Facebook and Instagram (Meta Platforms Ireland Ltd.), TikTok (TikTok Technology Limited), Twitter (Twitter International Company) and Pinterest (Pinterest Europe Limited) (marketing, advertising and social cookies)

     

  6. It is possible to check what kind of Cookies (including the period of Cookies functioning and their supplier) are currently sent by BodyChief using the Cookiebot tool available in BodyChief or using the options available in the most popular web browsers:

     

    In the Chrome browser:

     

    (1) in the address bar, click on the padlock icon on the left, (2) go to the "Cookies" tab.

    In the Firefox browser:

     

    (1) in the address bar, click on the shield icon on the left, (2) go to the "Allowed" or "Blocked" tab, (3) click on the "Cross-site tracking cookies", "Social network trackers" or "Content from trackers”

    In the Internet Explorer browser:

     

    (1) click on the "Tools" menu, (2) go to the "Internet Options" tab, (3) go to the "General" tab, (4) go to the "Settings" tab, (5) click on the "View Files" box.

    In the Opera browser:

     

    (1) in the address bar, click on the padlock icon on the left, (2) go to the "Cookies" tab.

    In the Safari browser:

     

    (1) click on the "Preferences" menu, (2) go to the "Privacy" tab, (3) click on the "Manage website data" field.

    Regardless of the browser, using the tools available, e.g. on the website:

     

    https://www.cookiemetrix.com/ lub: https://www.cookie-checker.com/

     

  7. Most web browsers available on the market accept Cookies by default. It is possible to specify the terms of using cookies via the settings of the web browser. This means that you can, for example, partially limit (e.g. temporarily) or completely disable the option of saving Cookies. In the latter case, however, it may affect some BodyChief functionalities (for example, it may not be possible to complete the Order path through the Order Form due to not remembering the Products in the cart in the next steps of placing the Order).
  8. Besides the possibility of managing Cookies via browser settings, the Administrator enables active management of Cookie files in BodyChief by the Cookiebot tool. Active management allows, among others, to check what kind of Cookies are or can be saved while using BodyChief, as well as to select and later change the scope and purposes of using Cookies connected with the device and the person visiting BodyChief. You can read more about this tool at: https://www.cookiebot.com/en/what-is-cookiebot/ .
  9. Web browser settings related to Cookies may be important from the perspective of consent to the use of Cookies by BodyChief. In accordance with the regulations, such consent may also be expressed through the settings of the web browser, however, we recommend using the more convenient Cookiebot tool available in BodyChief. Detailed information on changing the Cookies settings and their self-deletion in the most popular web browsers is available in the help section of the web browser and on the following websites (just click on the link):

    in the Chrome browser

  10. The Administrator may use Google Analytics services, provided by Google LLC. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). These services help the Administrator keep statistics and analyse the traffic on the BodyChief Website. The collected data are processed in the framework of the above-mentioned services to generate statistics necessary in administering and analysing traffic on the BodyChief Website. The Administrator, using the above-mentioned services in BodyChief, collects information about activities in BodyChief including information about the device, source and medium of acquiring BodyChief visitors, the way they behave on the Website or in the Application, visited websites, purchases, displayed advertisements, Website entries, adding the Service to the cart, purchasing the Service and the methods of using the services, as well as information on the devices and browsers by which they visit the website, IP and domain, geographical data and demographic data (age, gender), interests and information on any interaction outside BodyChief with BodyChief social media accounts or interaction with BodyChief advertisements displayed outside BodyChief.
  11. It is possible to easily block sharing information about the person’s activity on the Website to Google Analytics. For this purpose, you can install a browser add-on provided by Google Inc. available at: https://tools.google.com/dlpage/gaoptout?hl=pl .

    Active management of Cookies in BodyChief is also possible using the available Cookiebot tool.
  12. The Administrator may use the Facebook Pixel and/or Instagram service provided by Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) on the Website. This service helps the Administrator measure the effectiveness of advertisements and analyse the actions taken by BodyChief visitors, as well as display advertisements adjusted to these people. Creating remarketing lists based on Cookies collected by Pixel Facebook takes place in the Facebook or Instagram panel. The data collected or made available by Pixel Facebook may contain information about activities in BodyChief including information about the device, visited websites, purchases, displayed advertisements, Website entries, adding the Service to the cart, purchasing the Service and the methods of using the services, as well as information regarding any interaction outside BodyChief with BodyChief social media accounts or interaction with BodyChief advertisements displayed outside BodyChief. Detailed information on the operation of the Facebook Pixel and Instagram can be found at the following internet address: https://www.facebook.com/business/help/742478679120153?helpref=page_content and https://pl-pl.facebook.com/business/tools/meta-pixel .
    1. Managing the operation of the Facebook Pixel (advertising preferences) is possible by changing the advertising settings in your Facebook.com account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen .
    2. Active management of Cookies in BodyChief is also possible using the available Cookiebot tool.
  13. The Administrator may use TikTok scripts and/or advertising pixels in BodyChief and therefore collect and share data of the device or person using BodyChief to TikTok Technology Limited (10 Earlsfort Terrace, Dublin, D02 T380, Ireland) within the scope and in accordance with the privacy policy available at: https://www.tiktok.com/legal/privacy-policy?lang=pl (the data may contain information about activities in BodyChief including information about the device, visited websites, purchases, displayed advertisements, Website entries, adding the Service to the cart, purchasing the Service and the methods of using the services, as well as information on any interaction outside BodyChief with BodyChief social media accounts or interaction with BodyChief advertisements displayed outside BodyChief) regardless of whether the BodyChief user has a TikTok account and is logged into their TikTok account.
    1. Managing the operation of the Tik Tok script and/or advertising pixel (advertising preferences) is possible by changing the advertising settings in your TikTok account in accordance with the instructions available at: https://support.tiktok.com/en/account-and-privacy/personalized-ads-and-data/personalization-and-data
    2. Active management of Cookies in BodyChief is also possible using the available Cookiebot tool.
  14. The Administrator may use Twitter scripts and/or advertising pixels in BodyChief and therefore collect and share data of the device or person using BodyChief to Twitter International Company (1 Cumberland Place, Fenian Street, Dublin 2, Ireland) within the scope and in accordance with the privacy policy available at: https://twitter.com/privacy and https://help.twitter.com/pl/rules-and-policies/twitter-rules (the data may contain information about activities in BodyChief including information about the device, visited websites, purchases, displayed advertisements, Website entries, adding the Service to the cart, purchasing the Service and the methods of using the services, as well as information on any interaction outside BodyChief with BodyChief social media accounts or interaction with BodyChief advertisements displayed outside BodyChief) regardless of whether the BodyChief user has a Twitter account and is logged into their Twitter account.
    1. Managing the operation of the Twitter script and/or advertising pixel (advertising preferences) is possible by changing the advertising settings in your Twitter account in accordance with the instructions available at: https://help.twitter.com/en/safety-and-security/privacy-controls-for-tailored-ads
    2. Active management of Cookies in BodyChief is also possible using the available Cookiebot tool.
  15. The Administrator may use Pinterest scripts and/or advertising pixels in BodyChief and therefore collect and share data of the device or person using BodyChief to Pinterest Europe Limited (2nd Floor Palmerston House, Fenian Street, Dublin 2 Dublin, Ireland) within the scope and in accordance with the privacy policy available at: https://policy.pinterest.com/pl/privacy-policy (the data may contain information about activities in BodyChief including information about the device, visited websites, purchases, displayed advertisements, Website entries, adding the Service to the cart, purchasing the Service and the methods of using the services, as well as information on any interaction outside BodyChief with BodyChief social media accounts or interaction with BodyChief advertisements displayed outside BodyChief) regardless of whether the BodyChief user has a Pinterest account and is logged into their Pinterest account.
    1. Managing the operation of the Pinterest script and/or advertising pixel (advertising preferences) is possible by changing the advertising settings in your Pinterest account in accordance with the instructions available at: https://help.pinterest.com/en/article/personalization-and-data and https://help.pinterest.com/pl/article/edit-personalization-settings
    2. Active management of Cookies in BodyChief is also possible using the available Cookiebot tool.
  16. The Administrator may use on the BodyChief Website the services available as part of the Hotjar software provided by Hotjar Limited (Dragonara Business Center, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta). The software provider ensures its compliance with the General Data Protection Regulation. The service provider may use Hotjar to better understand the needs of BodyChief Website visitors and then optimise its operation and improve the convenience of using BodyChief. Hotjar is a technology service, which helps the Administrator better understand the experience of people visiting the BodyChief Website (e.g. how much time they spend in different sections, which links they choose to click, what they like or dislike about BodyChief, etc.), which enables the Administrator to build and maintain the BodyChief Website taking into account the opinions of people using it. Hotjar uses cookies and other technologies to collect data about the behaviour of people using the BodyChief Website and their devices. This includes the IP address of the device (processed during the session and stored de-identified), device screen size, device type (unique device identifiers), web browser information, geographic location (country only), and the preferred language used to display the BodyChief Website. The Hotjar provider stores above-mentioned information on behalf of the Administrator in a pseudonymised user profile. The Hotjar provider is contractually obliged not to sell any data collected on behalf of the Administrator. Neither the HotJar Provider nor the Administrator will ever use this information to identify individual persons or to match it with further data relating to an individual.
    1. More information about the Hotjar service can be found in the HotJar privacy policy at (link) and on the Hotjar service information website (link).
    2. It is possible to opt out of HotJar's data collection by visiting the opt-out page.
    3. Active management of Cookies in BodyChief is also possible using the available Cookiebot tool.

 

8) FINAL PROVISIONS

  1. The Internet-based Service/ Web Site may contain links to other Web Sites. The Administrator encourages that after the passage to other Web Sites, one should get acquainted with the privacy policy defined there. The present privacy policy is related only to the Internet-based Service/ Web Site of the Administrator.