Privacy policy
ONLINE STORE PRIVACY POLICY
WWW.BOX4SUSHI.COM
§ 1
GENERAL PROVISIONS
The controller of personal data collected via the www.box4sushi.com online store is MTA BIZNES SERWIS SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ entered into the Register of Entrepreneurs maintained by the District Court Lublin-Wschód in Lublin with its registered office in Świdnik, 6th Commercial Division of the National Court Register under KRS number: 0000880165, place of business and service address: ul. Piłsudskiego 1, 26-630 Jedlnia-Letnisko, Tax Identification Number (NIP): 7963000859, Polish National Business Registry Number [REGON]: 388023121, electronic mail (e-mail) address: contact@box4sushi.com, telephone number: +48 535 347 090, hereinafter referred to as the “Controller” and being at the same time the “Service Provider”.
Personal data collected by the Controller via the website are processed pursuant to the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the GDPR.
Any words or phrases capitalized in this Privacy Policy shall be understood in accordance with the definition contained in the Rules and Regulations of the www.box4sushi.com online store.
§ 2
THE TYPE OF PERSONAL DATA PROCESSED, THE PURPOSE AND SCOPE OF DATA COLLECTION
PURPOSE OF PROCESSING AND LEGAL BASIS. The Controller processes the personal data of the Service Recipients of the www.box4sushi.com store in case of:
registration of an Account in the Store, in order to create an individual account and manage that Account, pursuant to Article 6, section 1, letter b) of the GDPR (performance of an agreement for electronic provision of services in accordance with the Rules and Regulations of the Store),
placing an order in the Store, in order to implement the sales agreement, pursuant to Article 6, section 1, letter b) of the GDPR (implementation of the sales agreement),
use of the Rating System, in order to learn about the Service Recipient's opinion on the Sales Agreement concluded with the Controller, pursuant to Article 6, section 1, letter f) of the GDPR (entrepreneur’s legitimate interest),
use of the Contact Form, in order to send a message to the Controller, on the basis of Article 6, section 1, letter f) of the GDPR (entrepreneur’s legitimate interest).
TYPE OF PERSONAL DATA PROCESSED. The Service Recipient provides, in the case of:
an Account: name, login, address, e-mail address,
an Order: name and surname, address, Tax ID No. (NIP), e-mail address, telephone number,
a Rating System: name and surname, login,
a Contact Form: name, e-mail address.
PERIOD OF PERSONAL DATA ARCHIVING. The personal data of the Service Recipients shall be stored by the Controller:
in the case where the performance of an agreement is the basis for data processing, for as long as is necessary for performance of the agreement and thereafter for the period corresponding to the statute of limitation of claims. Unless otherwise provided by a specific regulation, the limitation period is six years, and for claims for periodic benefits and claims related to the conduct of business activity - three years.
in the case where the consent is the basis for data processing, for as long as the consent is not revoked, and after the revocation of consent, for a period of time corresponding to the statute of limitation of claims which the Controller can raise and which can be raised against the Controller. Unless otherwise provided by a specific regulation, the limitation period is six years, and for claims for periodic benefits and claims related to the conduct of business activity - three years.
When using the Store, additional information may be collected, in particular: the IP address assigned to the Service Recipient's computer or an external IP address of the Internet provider, domain name, browser type, access time, operating system type.
Upon separate consent, pursuant to Article 6, section 1, letter a) of the GDPR, data may also be processed in order to send commercial information by electronic means or to make telephone calls for the purpose of direct marketing – in connection with Article 10, section 2 of the Act of 18 July 2002 on electronic services or Article 172, section 1 of the Act of 16 July 2004 – Telecommunications Law, respectively, including those directed by profiling, provided that the Service Recipient has given the appropriate consent.
Navigational data may also be collected from Service Recipients, including information about the links and references they choose to click on or other actions they take in the Store. The legitimate interest of the Controller is the legal basis for such activities (Article 6, section 1, letter f) of the GDPR), which consists in facilitating the use of services provided electronically and in improving the functionality of those services.
Provision of personal data by the Service Recipient is voluntary.
The Controller shall take special care to protect the interests of data subjects, and in particular ensures that the data collected by it are:
processed lawfully,
collected for specified, legitimate purposes and not further processed in a way incompatible with those purposes,
substantively correct and adequate in relation to the purposes for which they are processed and kept in a form which permits identification of data subjects for no longer than is necessary to achieve the purpose of processing.
§ 3
PROVISION OF PERSONAL DATA
Service Recipients' personal data shall be transferred to service providers used by the Controller in the course of the Store operation, in particular to:
entities that deliver the Products,
payment system providers,
an accounting firm,
a hosting provider,
a provider of software that enables running the business,
entities that provide the mailing system,
provider of software needed to run an online store.
The service providers referred to in item 1 of this clause, to whom the personal data are transferred, depending on the contractual arrangements and circumstances, are either subject to instructions from the Controller as to the purposes and means of processing the data (processors) or they themselves determine the purposes and means of processing the data (controllers).
Service Recipients' personal data are stored only in the European Economic Area (EEA), subject to §5, item 5 and §6 of the Privacy Policy.
§ 4
THE RIGHT TO CONTROL, ACCESS AND RECTIFY ONE’S OWN DATA
The data subject shall have the right to access the content of their personal data and the right to rectify, erase, restrict processing thereof, the right to data portability, the right to object, the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent prior to its withdrawal.
Legal grounds for the Service Recipient's request:
Access to data – Article 15 of the GDPR.
Rectification of data – Article 16 of the GDPR.
Deletion of data (the so-called right to be forgotten) – Article 17 of the GDPR.
Limitation of processing – Article 18 of the GDPR.
Transfer of data – Article 20 of the GDPR.
Objection – Article 21 of the GDPR.
Withdrawal of consent – Article 7, section 3 of the GDPR.
In order to exercise the rights referred to in item 2, an appropriate e-mail may be sent to: contact@box4sushi.com.
If the Service Recipient submits a claim under the aforementioned rights, the Controller shall comply with the request or refuse to comply with it immediately, but no later than within one month after receiving it. However, if – due to the complexity of the request or the number of requests – it is not possible for the Controller to fulfil the request within one month, the Controller shall fulfil the request within a further two months, informing the Service Recipient about the intended extension of the deadline and the reasons for it within one month of receiving the request.
If it is determined that the processing of personal data violates the provisions of the GDPR, the data subject shall have the right to lodge a complaint with the President of the Office for Personal Data Protection.
§ 5
“COOKIES”
The Controller's website uses cookies.
The installation of cookies is necessary for correct rendering of services at the store’s website. Cookies contain information necessary for the proper functioning of the website, and they also provide the possibility to compile general statistics on website visits.
The website uses two types of cookies: “session” and “permanent”.
Session cookies are temporary files that are stored on the end device of the Service Recipient until logging out (leaving the site).
Permanent cookies are stored on the end device of the Service Recipient for the time specified in the “cookies” parameters or until they are deleted by the Service Recipient.
The Controller uses its own cookies to better understand how Users interact with the content of the site. The cookies collect information about the use of the website by the Service Recipient, the type of website from which the Service Recipient was redirected and the number of visits and the time of the Service Recipient's visit to the website. This information does not record specific personal information about the Service Recipient, but is used to compile statistics about the website use.
The Controller uses external cookies to collect general and anonymous statistical data via Google Analytics analytical tools (external cookie controller: Google Inc. with its registered office in the USA).
Cookies may also be used by advertising networks, in particular the Google network, to display advertisements tailored to the manner in which the Service Recipient uses the Store. For this purpose, they may store information about the Client's navigation path or the time spent on a particular page.
The Service Recipient shall have the right to decide on the access of cookies to their computer by selecting them beforehand in their browser window. Detailed information on the possibility and methods of using cookies is available in the software (web browser) settings.
§ 6
ADDITIONAL SERVICES CONNECTED WITH THE USER'S ACTIVITY IN THE STORE
The Store uses the so-called social media plugins. By displaying the www.box4sushi.com website which contains such a plugin, the Service Recipient's browser will establish a direct connection to the Facebook and Instagram servers.
The plugin content is transmitted by the respective service provider directly to the Service Recipient’s browser and it is integrated into the website. Thanks to this integration, service providers receive information that the Service Recipient's browser has displayed the www.box4sushi.com website, even if the Service Recipient does not have a profile with a given service provider or is not logged in at the moment. Such information (together with the Service Recipient's IP address) is sent by the browser directly to the service provider's server (some servers are located in the USA) and stored there.
If the Service Recipient logs into one of the aforementioned social media, the service provider will be able to directly associate the visit to www.box4sushi.com with the Service Recipient's profile in a given social media channel.
If the Service Recipient uses the plugin, e.g. by clicking on the “Like” or “Share” button, the corresponding information will also be transmitted directly to the server of the respective service provider and stored there.
The purpose and scope of data collection and their further processing and use by service providers, as well as the possibility of contact and the rights of the Service Recipient in this regard and the possibility to make adjustments to ensure the protection of the Service Recipient's privacy are described in the service providers' privacy policies:
https://www.facebook.com/policy.php
https://help.instagram.com/519522125107875?helpref=page_content
If the Service Recipient does not want the social media channels to attribute the data collected during visits to www.box4sushi.com directly to their profile on a given website, they must log out from that website before visiting www.box4sushi.com. The Service Recipient may also prevent plugins from being loaded on the website altogether by using appropriate browser extensions, for example by blocking scripts with the “NoScript” extension.
The Controller uses remarketing tools on its website, i.e. Google Ads, which involves the use of Google LLC cookies related to the Google Ads service. Within the mechanism for managing cookie settings, the Service Recipient shall have the possibility to decide whether the Service Provider will be able to use Google Ads (the controller of external cookies: Google Inc. with its registered office in the USA) with respect to the Service Recipient.
§ 7
FINAL PROVISIONS
The Controller shall apply technical and organisational measures to ensure the protection of the personal data processed, which are appropriate to the risks and categories of data protected, and in particular to protect the data against their disclosure to unauthorised persons, against their appropriation by an unauthorised person, against their processing in violation of the applicable regulations, and against their alteration, loss, damage or destruction.
The Controller shall make available appropriate technical measures to prevent unauthorised persons from acquiring and modifying personal data sent electronically.
To matters not settled by this Privacy Policy, the provisions of the General Data Protection Regulation and other applicable provisions of Polish law shall apply accordingly.