Privacy policy

PRIVACY POLICY AND COOKIES POLICY

The Privacy Policy and the Cookies Policy (hereinafter referred to also as the Policy) describe the principles for the processing of personal data and the use of Cookies in relation to the functioning of the website at www.osheedropin.eu (hereinafter: Website) in the manner required by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR).

Unless specified otherwise, the definitions used in the Policy have the meanings assigned to them in the Terms and Conditions.


§ 1 Preliminary Provisions

Website Operator, Personal Data Controller: The Operator of the Website and the Controller of the personal data of an individual who visits the Website and uses it (hereinafter: User) is OSHEE Future Sp. z o.o. with its registered office in Krakow at Al. 3 Maja 9, 30-062 Kraków, KRS (National Court Register) No.: 0001129029, REGON (statistical number): 529228297, NIP (tax identification number): 6772513613 (hereinafter referred to also as the Operator or the Controller). The Controller can be contacted by post in matters related to personal data protection and the use of Cookies at Aleja 3 Maja 9, 30-062 Kraków or via e-mail at iod@oshee.eu.


§ 2 Purposes, Legal Basis for Data Processing, Data Storage Periods

| Purpose of processing | Legal basis of processing | Period of storage |
|---|---|---|
| Conclusion and performance of a contract by and between the User and the Controller, including the registration of the Account on the Website | Article 6(1)(b) of GDPR | Until the end of the collaboration between the User and the Controller after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Fulfilment of the Controller's legal obligations, including those under tax and accounting provisions | Article 6(1)(c) of GDPR in conjunction with the relevant generally applicable provisions of law | Until the expiry of the term for archiving documentation (including accounting and bookkeeping documentation) stipulated in legal provisions after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Marketing of products or services provided by the Controller | Article 6(1)(a) of GDPR | Until the withdrawal of the User's consent to the processing of personal data or until the Controller has determined that the data is no longer useful for the purpose of the processing after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Personalisation of online advertising (including profiling) targeted at the User | Article 6(1)(a) of GDPR | Until the withdrawal of the User's consent to the processing of personal data or until the Controller has determined that the data is no longer useful for the purpose of the processing after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Distribution of the newsletter by the Controller | Article 6(1)(a) of GDPR | Until the withdrawal of the User's consent to the processing of personal data or until the Controller has determined that the data is no longer useful for the purpose of the processing after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Publication of User reviews of the Controller's products on the Website | Article 6(1)(a) of GDPR | Until the withdrawal of the User's consent to the processing of personal data or until the Controller has determined that the data is no longer useful for the purpose of the processing after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Providing the User with notifications regarding the availability of products on the Website | Article 6(1)(a) of GDPR | Until the withdrawal of the User's consent to the processing of personal data or until the Controller has determined that the data is no longer useful for the purpose of the processing after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Operation of the Website by the Controller | legitimate interest of the Controller; Article 6(1)(f) of GDPR | Until the User has raised a legitimate objection to the processing of personal data or until the Controller has established that the data is no longer useful for the purpose of processing, after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Establishing and maintaining contacts with the Controller via the contact form available on the Website | legitimate interest of the Controller; Article 6(1)(f) of GDPR | For the duration of the contacts between the User and the Controller after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Conducting analyses and keeping statistics on the use of the Website by Users | legitimate interest of the Controller; Article 6(1)(f) of GDPR | For the period necessary to conduct analyses and keep statistics on the use of the Website after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Processing of Cookies necessary to ensure the proper functioning of the Website, in accordance with the principles described in §8 of the Policy | legitimate interest of the Controller; Article 6(1)(f) of GDPR | For the period specified in the descriptions of the individual Cookie files, in accordance with §8 of the Policy, after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| The processing of Cookies other than those necessary to ensure the proper functioning of the Website, in accordance with the principles described in §8 of the Policy | Article 6(1)(a) of GDPR | For the period specified in the descriptions of the individual Cookie files, in accordance with §8 of the Policy or until the withdrawal of the consent to the processing of personal data by the User, after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Registration of User activity in server logs | legitimate interest of the Controller; Article 6(1)(f) of GDPR | For the period resulting from the Controller's principles of the protection of IT systems after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Maintaining the secrecy of legally protected information and the need to protect IT systems | legitimate interest of the Controller; Article 6(1)(f) of GDPR | For the period resulting from the Controller's principles of the protection of IT systems after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |
| Establishment, exercise or defence of claims | legitimate interest of the Controller; Article 6(1)(f) of GDPR, Article 9(2)(f) of GDPR | Until the expiry of the period of limitation of claims arising from the law or until such claims have become final after which the data will be deleted unless the Controller has first demonstrated the need to further process the data |


§ 3 Information on the Obligation to Provide Data

The provision of personal data is necessary for the conclusion and performance of a contract between the User and the Controller (it applies to the processing processes mentioned in §2 of the Policy where the legal basis for processing is Article 6(1)(b) of GDPR) and for the fulfilment of the Controller's legal obligations (it applies to the processing processes mentioned in §2 of the Policy where the legal basis for processing is Article 6(1)(c) of GDPR). In the event of failure to provide data it will be impossible to conclude and perform the contract.

The provision of personal data which is processed based on the User's consent (it applies to the processing processes mentioned in §2 of the Policy where the legal basis for processing is Article 6(1)(a) of GDPR) is voluntary. The consequence of failing to provide personal data will be that the Controller will not be able to carry out the processes for which the personal data is required.

The provision of personal data where the processing is based on the legitimate interest of the Controller (it applies to the processing processes mentioned in §2 of the Policy where the legal basis for processing is Article 6(1)(f) of GDPR) is voluntary. The consequence of failing to provide personal data will be that the Controller will not be able to carry out the processes for which the personal data is required.


§ 4 Data Recipients

The User's personal data may be disclosed to the Controller's employees, co-workers, advisors, service providers (e.g. providers of legal, marketing or IT services) and to public authorities acting on the basis of generally applicable legal provisions, with the exception of public authorities which may receive personal data in the context of a specific procedure under the law of the European Union or its Member State.

The following providers of services to the Controller are also recipients of the User's personal data upon the non-amendable principles defined by these providers:

A detailed description of the tools provided by the aforementioned entities can be found in §9 of the Policy.


§ 5 Transfer of Data to a Third Country or International Organisation

The Controller uses IT services provided by a US entity. In order to use these services, the Controller's subcontractor must have access to personal data administered by the Controller. In this way, personal data is transferred to another country, i.e. the USA. Even though the European data protection laws do not apply in the USA, the USA has been recognised as a country providing adequate protection for personal data if the transfer occurs under the Data Privacy Framework. As personal data is transferred under the Data Privacy Framework, the data will be protected as if it were processed in Poland. Further details can be obtained here: https://www.dataprivacyframework.gov/ or by contacting the Controller.

The providers of services to the Controller mentioned in §4 of the Policy may use servers located in third countries within the meaning of the GDPR to store personal data.


§ 6 Rights in Relation to Data Processing

In relation to the processing of personal data mentioned above, the User has the following rights:

  1. the right of access to data (Article 15 of GDPR);
  2. the right to rectification of data (Article 16 of GDPR);
  3. the right to erasure of data (Article 17 of GDPR), subject to Article 17(3) of GDPR;
  4. the right to restrict data processing (Article 18 of GDPR);
  5. the right to data portability (Article 20 of GDPR) - it applies to processing based on a consent pursuant to Article 6(1)(a) of GDPR or Article 9(2)(a) of GDPR or based on a contract pursuant to Article 6(1)(b) of GDPR and at the same time it is carried out by automated means;
  6. the right to object to the processing (Article 21 of GDPR) - it applies to processing in accordance with Article 6(1)(e) or (f) of GDPR;
  7. the right to withdraw the consent at any time, which does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal - it applies to processing based on the consent pursuant to Article 6(1)(a) of GDPR or Article 9(2)(a) of GDPR;
  8. the right to lodge a complaint to the supervisory authority, namely the President of the Personal Data Protection Office (address: ul. Stawki 2, 00-193 Warszawa).

The rights mentioned above are not absolute and will not apply to all processing operations on the User's personal data.

If the User would like to exercise the rights specified in items 1 to 7 above or if the User has any questions or comments regarding the processing of personal data, the User may contact the Controller using the contact details provided in §1 of the Policy.

The User may independently modify certain settings of the Website related to the processing of personal data in the following processes according to the instructions given below:

1. Newsletter distribution: Users subscribe to the newsletter by entering their e-mail addresses in the form at the bottom of the Website and then confirming their desire to receive the newsletter by clicking on the link contained in the message sent to the User's indicated e-mail address. The User may withdraw their consent to the receipt of the newsletter at any time by changing the settings in the customer panel (Your Account -> Settings -> Newsletter) or by clicking on the "Unsubscribe" link in the footer of each newsletter.

2. The use of Cookies other than necessary for the proper functioning of the Website: The User may change the scope of the consents given regarding Cookies at any time by using the mechanisms described in §8 of the Policy.

3. Notifications of product availability on the Website: In order to receive notifications on product availability, please enter your e-mail address in the form which appears next to products that are not available when you browse the Website. Users may withdraw their consent at any time by sending the relevant information to the e-mail address: sklep@osheedropin.eu.

4. Publication of Users' reviews of the Controller's products on the Website: The consent to the processing of data for the purposes of publishing reviews is given by ticking the appropriate check-box in the review form next to each product on the Website. The User may withdraw their consent at any time by sending information about their intention to delete reviews linked to their e-mail address to sklep@oshee.eu.

5. Marketing of the Controller's products or services: The consent to the receipt of marketing information is given by ticking the appropriate check-box when registering an Account on the Website. The User may withdraw their consent at any time by changing the settings in the Customer panel (Your Account -> Settings -> Privacy).

6. Personalisation of advertising addressed to the User on the Internet: The consent to the personalisation of advertising is given by ticking the appropriate check-box when registering an Account on the Website. The User may withdraw their consent at any time by changing the settings in the Customer panel (Your Account -> Settings -> Privacy).


§ 7 Automated Decision-Making

In relation to the functioning of the Website, Users may be subject to profiling, i.e. profiles can be created which contain information about the interests of Users. Some functions of the Website may allow personal data to be used to create statistics to adapt content and advertising to relevant Users. On the basis of the profiling, the Controller will not make decisions regarding the User which would produce legal effects for the User or significantly affect the User in a similar manner.


§ 8 Cookies

1. The Website uses Cookies, i.e. small text files which the Website stores in the memory of the device used by the User to browse the Website. Cookies may be stored by the Operator of the Website visited by the User (own Cookies) or by external entities (third-party Cookies).

2. The Website may use different types of Cookies. Some Cookies (session Cookies) are stored on the User's device only until the browser is closed or the User logs out of the Website, and some Cookies (persistent Cookies) are stored in the device memory for the time specified in the parameters of the Cookies or until they are deleted by the User.

3. The Operator may store Cookies on the User's device if they are necessary to ensure the proper functioning of the Website, i.e. to enable communication via the Website. The storage of Cookies for any other purpose (e.g. the provision of personalised advertising) is only possible if the User has given their consent to this.

4. Cookies can be managed by the User using the Cookiebot available on the Website. When visiting the Website for the first time, the User will receive automatic information on the Cookies stored and will be able to indicate the scope of the Cookies to which they agree. The User has the right to withdraw their consent at any time by changing their Cookie settings by clicking on the paperclip icon located in the bottom left-hand corner of the displayed page of the Website. With the use of this icon, the User can also obtain, at any time, detailed information on the purposes for which individual Cookies are used, the entities that use these Cookies and the period of the use of Cookies.

5. The User may also manage Cookies through the settings of the Internet browser they use. The User has the right to obtain information on the type of Cookies used, the entities that use the Cookies and the period of using the Cookies as well as to modify the scope of consents given and to delete stored Cookies at any time through the settings of their browser.

6. The instructions on how to manage Cookies in browser settings are available in various resources on the Internet, e.g. on this website.


§ 9 Analytical, Statistical and Marketing Tools on the Website

The Operator uses tools to carry out analytical, statistical and marketing activities on the Website.

The Controller uses analytical and marketing tools that collect the following information about the User and the User's activity on the Website:

  • information about the operating system and Web browser,
  • viewed sub-sites,
  • time spent on the Website,
  • transitions between individual sub-sites,
  • clicks on links,
  • sources from which the User navigates to the Website,
  • approximate location of the User,
  • User’s interests determined based on their online activities.

The following analytical, statistical and marketing tools function on the Website:

1. Google Analytics is a tool that enables the automatic collection of information about the User's use of the Website through a tracking code implemented in the code of the website, which uses Google LLC Cookies. The activities of the Operator within the framework of Google Analytics are based on its legitimate interest in conducting analyses and keeping statistics on the use of the Website by Users.

Google Analytics does not collect data which would allow for identification of the User, but only information concerning, for example, the operating system and Web browser used by the User, the sub-sites viewed by the User, the time spent on websites and sub-sites, the sources from which the User navigates to the Website, and the approximate location of the User (limited to the name of the city/town/village).

Detailed information on the use of data within Google Analytics is available here.

2. Google Ads Customer Match is a tool for marketing the products and services offered by the Operator of the Website. In order to use this mechanism, the Operator makes available to Google LLC a hashed database of e-mail addresses of Website Users thanks to which it is possible to target the User with personalised advertising in Google LLC's advertising network (e.g. via YouTube, Gmail, Google Finance). The Website Operator bases its activities within Google Ads Customer Match on the consent of the Service User.

Detailed information on how Google Ads Customer Match works is available here.

3. Facebook Custom Audience is a tool that allows the Website Operator to target advertising of the Website Operator's products to specific groups of Users using tools provided by Meta Platforms, Inc. The operation of Facebook Custom Audience is possible thanks to the Facebook Pixel implemented on the Website, which automatically collects information on User activity on the Website; it is information regarding, for example, viewing the content of a specific website, purchasing on the Website, subscribing to a newsletter.

The use of Facebook Custom Audience is only possible with the consent of the Website User.

Detailed information on the operation of Facebook Custom Audience is available here.

4. Hotjar Behaviour Analytics allows for analysing User behaviour on the Website (including identification of the User's most interesting content on the Website, problematic functions of the Website, content omitted by the User) through the use of Cookies stored by Hotjar Ltd. The Website Operator bases the use of the Hotjar Behaviour Analytics service on its legitimate interest in conducting analyses and keeping statistics on Users' use of the Website.

Detailed information on the operation of Hotjar Behaviour Analytics is available here.

5. Microsoft Clarity is an analytical tool that makes it possible to record User behaviour on the Website and reproduce it in the form of video recordings of the User's movements on the Website and generate so-called heat maps. Microsoft Clarity is used to improve the operation of the Website and to adapt the content displayed on the Website to the needs of Users.

Detailed information on how Microsoft Clarity works is available here.


§ 10 Server Logs

The use of the Website involves sending requests to the server on which the Website is stored. Every request sent to the server is recorded in the server logs. The logs include, among other things, the User's IP address, the date and time of the connection to the server, information about the Web browser and the operating system used by the User. The information saved in the server logs is used for the administration of the Website.


§ 11 Links to Other Websites

The Website contains links that redirect the User to the Operator's profiles on the social networks: Facebook, Instagram, LinkedIn, X, TikTok, YouTube.

Information on the processing of personal data within the individual social media is available in the dedicated information note.

The Operator is not responsible for the functioning of the social networks and for the use of the personal data of their users by the social networks.


§ 12 Amendments to the Policy. Archived Versions of the Policy

The Policy is verified on an ongoing basis and updated if necessary. The current version of the Policy has been adopted and is in effect as of 2 April 2025.

