Privacy policy - appendix no. 3

1. Data Controller and Definitions

  1. The data controller of the personal data of Customers / Users of the Online Store, also referred to as the Seller, is: ARS BEAUTY SP. Z O.O., telephone: +48 887 888 008, NIP: 1133140226, REGON: 529179417.
  2. The Data Controller can be contacted:
    by correspondence at Styrska 20, 04-188 Warszawa
    by email at info@pigmentapmu.eu
  3. User - a natural person visiting the Online Store's website(s) or using the services or functionalities described in this Privacy and Cookies Policy.
  4. Customer - a natural person with full legal capacity, a natural person who is a Consumer, a legal person, or an organizational unit without legal personality to which the law grants legal capacity, who enters into a Distance Sales Agreement with the Seller.
  5. Online Store - an online service run by the Seller, available at electronic addresses (websites): https://pigmentapmu.eu, through which the Customer/User can obtain information about Goods and their availability, and purchase Goods or order a service.
  6. Newsletter - information, including commercial information within the meaning of the Act of July 18, 2002, on the provision of electronic services (Journal of Laws of 2020, item 344), originating from the Seller, sent to the Customer/User electronically; its receipt is voluntary and requires the Customer's/User's consent.
  7. Account - a collection of data stored in the Online Store and in the Seller's ICT system concerning a given Customer/User and their orders and contracts, using which the Customer/User can place orders and enter into contracts.
  8. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2. Purposes, Legal Bases, and Period of Data Processing

  1. For the purpose of fulfilling the Distance Sales Agreement, the Seller processes:
    information about the User's device, to ensure the proper functioning of services: computer's IP address, information contained in cookies or other similar technologies, session data, web browser data, device data, activity data on the Website, including on individual subpages, and geolocation information, if the User has consented to the service provider's access to geolocation. Geolocation information is used to provide more tailored product and service offers;
    personal data of Users: first name, last name, registered office address, correspondence address, email address, phone number, NIP (tax identification number), bank account number, or other personal data whose provision is necessary to complete the purchase and whose provision in the purchase process is required by the Administrator.
  2. This information does not contain data identifying Users, but in combination with other information, it may constitute personal data, and therefore the Administrator provides full protection under the GDPR.
  3. This data is processed in accordance with Art. 6 sec. 1 lit. b of the GDPR, for the purpose of service provision, i.e., the agreement for the provision of electronic services in accordance with the Regulations, and in accordance with Art. 6 sec. 1 lit. a of the GDPR, in connection with consent to the use of specific cookies or other similar technologies, expressed by appropriate web browser settings in accordance with the Telecommunications Law or in connection with consent to geolocation. Data is processed until the Customer/User ceases using the Online Store.
  4. The Administrator undertakes to take all measures required by Art. 32 of the GDPR, i.e., taking into account the state of technical knowledge, the cost of implementation, and the nature, scope, and purposes of processing, as well as the risk of violation of rights or freedoms of natural persons with varying likelihood and severity, the Administrator implements appropriate technical and organizational measures to ensure a level of security corresponding to this risk.

3. Administrator's Marketing Activities

  1. On the Online Store's website, the Data Controller may post marketing information about its products or services. The display of this content is carried out by the Data Controller in accordance with Art. 6 sec. 1 lit. f of the GDPR, i.e., in accordance with the Data Controller's legitimate interest in publishing content related to the services provided and promotional content of campaigns in which the Data Controller is involved. At the same time, this action does not violate the rights and freedoms of Customers/Users; Customers/Users expect to receive content of a similar nature, and may even anticipate it, or receiving it is the direct purpose of their visit to the Online Store's website(s).

4. Recipients of User Data

  1. The Data Controller discloses users' personal data only to processors under concluded data processing agreements for the purpose of providing services to the Data Controller, e.g., hosting and website support, IT services, marketing, and PR support.

5. Transfer of Personal Data to Third Countries

  1. Personal data will not be processed in third countries.


6. Rights of Data Subjects

  1. Every data subject has the right:
    of access (Art. 15 GDPR) - to obtain confirmation from the Data Controller as to whether their personal data is being processed. If personal data is processed, they are entitled to access it and obtain the following information: about the purposes of processing, categories of personal data, recipients or categories of recipients to whom the data has been or will be disclosed, the period of data retention or the criteria for determining it, the right to request rectification, erasure or restriction of processing of personal data concerning the data subject, and to object to such processing;
    to receive a copy of the data (Art. 15 sec. 3 GDPR) - to obtain a copy of the processed data, with the first copy being free of charge and subsequent copies may be subject to a reasonable fee by the Data Controller resulting from administrative costs;
    to rectification (Art. 16 GDPR) - to request rectification of inaccurate personal data or completion of incomplete data;
    to erasure (Art. 17 GDPR) - to request erasure of their personal data if the Data Controller no longer has a legal basis for processing it or the data is no longer necessary for the purposes of processing;
    to restriction of processing (Art. 18 GDPR) - to request restriction of processing of personal data when the data subject contests the accuracy of the personal data – for a period enabling the Data Controller to verify the accuracy of the data, the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead, the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, the data subject has objected to processing – pending the verification whether the legitimate grounds of the controller override those of the data subject;
    to data portability (Art. 20 GDPR) - to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller if the data is processed on the basis of consent of the data subject or a contract with them and if the data is processed by automated means;
    to object (Art. 21 GDPR) - to object to the processing of their personal data for the Data Controller's legitimate purposes, on grounds relating to their particular situation, including profiling. In such case, the Data Controller assesses the existence of compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims. If, according to the assessment, the interests of the data subject outweigh the interests of the controller, the Data Controller will be obliged to cease processing the data for these purposes;
    to withdraw consent at any time and without giving any reason, but the processing of personal data carried out before the withdrawal of consent will still remain lawful. Withdrawal of consent will result in the Data Controller ceasing to process personal data for the purpose for which the consent was given.
  2. To exercise the above-mentioned rights, the data subject should contact the Data Controller, using the provided contact details, and inform them which right and to what extent they wish to exercise.

7. President of the Personal Data Protection Office

  1. The data subject has the right to lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office with its registered office in Warsaw, ul. Stawki 2, who can be contacted as follows:
    by mail: ul. Stawki 2, 00-193 Warszawa;
    via the electronic inbox available at: https://www.uodo.gov.pl/pl/p/kontakt;
    by helpline: 606-950-000.

8. Data Protection Officer

  1. In any case, the data subject may also contact the Administrator's data protection officer directly via email or in writing to the Data Controller's address, provided in section 1 point 2 of this Privacy and Cookies Policy.

9. Changes to the Privacy Policy

  1. The privacy and cookies policy may be supplemented or updated in accordance with the Administrator's current needs to provide current and reliable information to Customers/Users.

10. Cookies

  1. The Online Store obtains information about Customers, Users, and their behavior in the following ways:
    through information voluntarily entered in forms, for purposes resulting from the function of a specific form;
    by saving cookie files (so-called "cookies") on end devices;
    by collecting web server logs by the Online Store's hosting operator (necessary for the proper functioning of the service).
  2. Cookies are IT data, in particular text files, which are stored on the Customer's / User's end device and are intended for using the Online Store website. Cookies usually contain the name of the website from which they originate, their storage time on the end device, and a unique number.
  3. The Online Store uses cookies only after the Customer/User of the Store has given prior consent in this regard. Consent to the use of all cookies by the Online Store is given by clicking the "Close" button when the message about the use of cookies by the Online Store is displayed, or by closing this message.
  4. If the Customer/User of the Online Store does not consent to the use of cookies by the Online Store, they can use the "I do not consent" option, also available in the message about the use of cookies by the Online Store, or change the settings of the web browser they are currently using (this may, however, cause the Online Store website to function incorrectly).
  5. To manage cookie settings, select the web browser/system from the list and follow the instructions: Internet Explorer, Chrome, Safari, Firefox, Opera, Android, Safari (iOS), Windows Phone.
  6. The legal basis for processing personal data from cookies is the legitimate interests of the Data Controller, consisting in ensuring high-quality services and ensuring the security of services.
  7. Within the Online Store, two main types of cookies are used: "session" cookies and "persistent" cookies. "Session" cookies are temporary files that are stored on the User's end device until logging out, leaving the Online Store, or turning off the software (web browser). "Persistent" cookies are stored on the Customer's/User's end device for the time specified in the cookie parameters or until they are deleted by the Customer/User.

Functional cookies (required)

https://pigmentapmu.eu

monit_token: 365 days, cookie file
Identifies the store's customer.

shop_monit_token: 30 minutes, cookie file
Identifies the store's customer.

client: 1 day, cookie file
Identifies the logged-in customer / shopping cart of an unlogged customer.

affiliate: 90 days, cookie file
Stores information about the partner ID from which the store was accessed.

ordersDocuments: cookie file
Stores information about the document print status.

__idsui: 1095 days, cookie file
File necessary for the functioning of so-called light login on the website.

__idsual: 1095 days, cookie file
File necessary for the functioning of so-called light login on the website.

__IAI_SRC: 90 days, cookie file
Stores only the source from which the site was accessed.

login: cookie file
Stores information whether the user has logged in to the site.

CPA: 28 days, cookie file
Contains information about variables for CPA / CPS programs in which the site participates.

__IAIRSABTVARIANT__: 30 days, cookie file
Variant identifier for A/B testing and IdoSell RS engine configuration.

basket_id: 365 days, cookie file
Identifier of the user's shopping cart, assigned for the duration of the current session.

page_counter: 1 day, cookie file
Counter of visited pages.

LANGID: 180 days, cookie file
Stores information about the language selected by the website user.

REGID: 180 days, cookie file
Stores information about the website user's region.

CURRID: 180 days, cookie file
Stores information about the currency selected by the website user.

__IAIABT__: 30 days, cookie file
Stores the identifier of A/B tests, for testing and improving store functionality.

__IAIABTSHOP__: 30 days, cookie file
Stores the identifier of the store participating in the A/B test.

__IAIABTVARIANT__: 30 days, cookie file
Stores the identifier of the variant drawn in the ongoing A/B test.

toplayerwidgetcounter[]: cookie file
Stores the number of pop-up messages displayed.

samedayZipcode: 90 days, cookie file
Stores information about the website user's zip code, which is necessary to offer courier delivery in the SameDay service.

applePayAvailability: 30 days, cookie file
Stores information about whether the ApplePay payment method is available to the user.

paypalMerchant: 1 day, cookie file
PayPal account identifier.

toplayerNextShowTime_: cookie file
Stores information about the time when the next pop-up message should be displayed. 

rabateCode_clicked: 1 day, cookie file
Stores information about closing the bar informing about an active discount.

freeeshipping_clicked: 1 day, cookie file
Stores information about closing the bar informing about free shipping.

redirection: cookie file
Stores information about closing the pop-up message informing about the suggested language for the store.

filterHidden: 365 days, cookie file
After clicking the option to collapse the filter for goods, it saves information about which filter should be collapsed after refreshing the list of goods.

toplayerwidgetcounterclosedX_: cookie file
Stores information about closing the pop-up message.

cpa_currency: 60 minutes, cookie file
Contains information about the currency for CPA / CPS programs in which the site participates.

basket_products_count: cookie file
Stores information about the number of items in the shopping cart.

wishes_products_count: cookie file
Stores information about the number of items on the wish list.

remembered_mfa: 365 days, cookie file
Stores information about the remembered user for multi-factor authentication (MFA) purposes.

HOMELANDID: 180 days, cookie file
Stores information about the visitor's country.

IAI S.A.

iai_accounts_toplayer: 30 days, cookie file
Ensures the correct display of the pop-up message informing about the IdoAccounts login service (https://www.idosell.com/pl/tysiace-gotowych-do-uzycia-funkcji/logowanie-do-sklepu-z-konta-w-innym-serwisie/).

IdoSell

platform_id: cookie file
Stores information about whether the page is displayed in a mobile application.

paypalAvailability_: 1 day, cookie file
Stores information about whether the PayPal payment method is available to the user.

ck_cook: 3 days, cookie file
Stores information about whether the website user has consented to cookies.

IdoAccounts

accounts_terms: 365 days, cookie file
Stores information about whether the user has accepted the terms of the IdoAccounts service.

express_checkout_login: 365 days, cookie file
CookieNameExpressCheckoutLogin

Google

NID: 180 days, cookie file
These cookies (NID, ENID) are used to remember user preferences and other information, such as preferred language, the number of results displayed on a search results page (e.g., 10 or 20), and whether the user wants the Google SafeSearch filter enabled. This file is also necessary to offer the Google Pay payment service.

Google reCAPTCHA

_GRECAPTCHA: 1095 days, cookie file
This cookie is set by Google reCAPTCHA, which protects our site from spam queries in contact forms.

PayPal

ts: cookie
This cookie is typically provided by PayPal and supports payment services on the website.

ts_c: 1095 days, cookie
This cookie is typically provided by PayPal and is used for fraud prevention.

x-pp-s: cookie
This cookie is typically provided by PayPal and supports payment services on the website.

enforce_policy: 365 days, cookie
This cookie is typically provided by PayPal and supports payment services on the website.

tsrce: 3 days, cookie
This cookie is typically provided by PayPal and supports payment services on the website.

l7_az: 60 minutes, cookie
This cookie is essential for PayPal login functionality on the website.

LANG: 1 day, cookie
This cookie is typically provided by PayPal and supports payment services on the website.

nsid: cookie
Used in the context of transactions on the Website. The cookie is required for secure transactions.

Analytical cookies

IAI S.A.

__IAI_AC2: 45 days, cookie
Conversion Tracking Identifier (Activity Tracking) for collecting the history of sources preceding the order placement, as well as the source through which the order was placed according to the last-click attribution model.

Google Maps

SID: 3650 days, cookie
Contains digitally signed and encrypted records of a user's Google account ID and last login time. The combination of these cookies (SID, HSID) allows Google to block many types of attacks, such as attempts to steal content from forms submitted in Google services.

Advertising cookies

Meta (Facebook)

fbsr_: cookie
Contains a signed request for a Facebook App user.

fbss_: 365 days, cookie
Facebook shared session.

fbs_: 30 minutes, cookie
Facebook session.

Meta Pixel: 999 days, tracking pixel
Meta Pixel is a piece of code that allows measuring ad effectiveness by understanding the actions users take on the site and ensures that the store's ads are shown to the right people.

_fbp: 90 days, cookie
Cookie used for user profiling and for matching advertisements as accurately as possible to the user's profile.

fr: 90 days, cookie
Cookie used for user profiling and for matching advertisements as accurately as possible to the user's profile.

_fbc: 730 days, cookie
Last store visit.

tr: cookie
Cookie used for user profiling and for matching advertisements as accurately as possible to the user's profile.

sb: 402 days, cookie
This cookie helps identify and apply additional security measures if someone tries to access a Facebook account without authorization, for example, by entering randomly chosen passwords. It is also used to store information that allows Facebook to recover a user's account if they forget their password, or for additional authentication when they suspect someone has hacked into their account. This includes, for example, "sb" and "dbln" cookies, which enable secure identification of the user's browser.

usida: cookie
Collects a combination of the user's browser and a unique identifier, used to match ads to users.

wd: 9 days, cookie
This cookie helps direct traffic between servers and analyze the loading speed of Meta's Products for different users. Thanks to cookies, Meta can also record screen and window proportions and dimensions and knows if the user has high contrast mode enabled, so it can correctly display its websites and applications. For example, it may use "dpr" and "wd" cookies, among others, to provide the user with optimal screen parameters for their device.

locale: 9 days, cookie
This cookie contains the location of the last logged-in user in this browser.

datr: 7 days, cookie
The purpose of the datr cookie is to identify the web browser used to connect to Facebook regardless of the logged-in user. This cookie plays a key role in Facebook's security and integrity features.

https://pigmentapmu.eu

RSSID: 180 days, cookie
IdoSell RS user ID, used to display tailored product recommendations on the page.

__IAIRSUSER__: 60 minutes, cookie
IdoSell RS user ID, used to display tailored product recommendations on the page.

  1. Cookies are used for the following purposes:
    creating statistics that help understand how Customers/Users of the Online Store use websites, which enables improving their structure and content;
    maintaining the Customer's/User's session (after logging in), thanks to which the Customer/User does not have to re-enter their login and password on every subpage of the Online Store;
    determining the Customer's/User's profile in order to display product recommendations and tailored content in advertising networks, in particular the Google network.
  2. Web browsing software (web browser) usually allows the storage of cookies on the Customer's/User's end device by default. Customers/Users can change these settings. The web browser allows deleting cookies. It is also possible to automatically block cookies.
  3. Restrictions on the use of cookies may affect some functionalities available on the Online Store's websites.
  4. Cookies placed on the Customer's/User's end device may also be used by advertisers and partners cooperating with the Online Store.
  5. Cookies may be used by the Google network to display advertisements tailored to how the Customer/User uses the Online Store. For this purpose, they may store information about the user's navigation path or time spent on a given page: https://policies.google.com/technologies/partner-sites.
  6. We recommend that the Customer/User read the privacy policies of these companies to learn the rules for using cookies used in statistics: Google Analytics Privacy Policy.
  7. Regarding information about Customer/User preferences collected by the Google advertising network, the Customer/User can view and edit information resulting from cookies using the tool: https://www.google.com/ads/preferences/.
  8. The Online Store's website contains plugins that may transfer Customer/User data to Administrators such as: Google Maps, Meta (Facebook), PayPal, Google reCAPTCHA, IdoAccounts, IdoSell, IAI S.A., Google.
  9. In order to properly implement the Distance Sales Agreement, the Data Administrator may share Customer/User data with courier entities. The delivery methods currently available in the Online Store are listed at: https://www.ars-beauty.pl/pl/delivery.html.
  10. In order to properly implement the Distance Sales Agreement, the Administrator may share Customer/User data with online payment systems. The prepayment methods currently available in the Online Store are listed at: https://www.ars-beauty.pl/pl/payments.html.
  11. More information on terms and privacy can also be found on the Google Privacy & Terms page.

11. Newsletter

  1. The Customer may consent to receive commercial information electronically by checking the appropriate option in the registration form or at a later date in the appropriate tab. If such consent is given, the Customer/User will receive information (Newsletter) from the Online Store, as well as other commercial information sent by the Seller, to the email address provided by them.
  2. The Customer may unsubscribe from the Newsletter at any time on their own by unchecking the appropriate box on their Account page, by using the form at https://pigmentapmu.eu/newsletter, by clicking the appropriate link located in the content of each Newsletter, or through Customer Service.

12. Account

  1. The Customer/User may not post on the Online Store or provide to the Seller any unlawful content, including opinions and other data.
  2. The Customer/User gains access to the Account after registration.
  3. During registration, the Customer/User provides the account type or gender, first name, last name, company name, NIP (Tax Identification Number), data for issuing sales documents, shipping data, email address, and chooses a password. The Customer/User ensures that the data provided in the registration form is truthful. Registration requires thoroughly familiarizing oneself with the Regulations and checking the box on the registration form confirming that the Customer/User has read the Regulations and fully accepts all its provisions.
  4. At the moment the Customer/User is granted access to the Account, an indefinite electronic services agreement regarding the Account is concluded between the Seller and the Customer. The Consumer may withdraw from this agreement under the terms specified in the Regulations.
  5. Registering an Account on one of the Online Store's pages simultaneously means registering to access other pages where the Online Store is available.
  6. The Customer/User may terminate the electronic service agreement at any time with immediate effect, by informing the Seller via email or in writing to the Data Administrator's address, provided in Section 1, point 2 of this Privacy and Cookies Policy.
  7. The Seller has the right to terminate the service agreement regarding the Account in the event of discontinuing or transferring the Online Store service to a third party, the Customer's/User's violation of law or the provisions of the Regulations, as well as in the event of the Customer's/User's inactivity for a period of 6 months. The termination of the agreement occurs with a seven-day notice period. The Seller may stipulate that re-registration of the Account will require the Seller's permission.