PRIVACY POLICY AND COOKIE POLICY
botland.com.pl

Effective from 2024-09-16

§ 1 General Provisions

1. The controller of personal data of users of the online store located under the domain www.botland.store is BOTLAND B. DERKACZ SP. K., based in Gola, Gola 25A, 63-640 Bralin, Poland, registered in the National Court Register kept by the District Court in Poznań — Nowe Miasto and Wilda in Poznań, IX Commercial Division of the National Court Register under the National Court Register (KRS) number: 0000983968, TIN: 6192023594, National Official Business Register (REGON): 36218016, with a fully paid-up share capital of PLN 5,000.00 (hereinafter: "Administrator"). 

2. The Administrator has designated an electronic contact point for direct communication with the authorities of member states, the Commission, the Digital Services Council: [email protected]. This same contact point can be used by any Client for direct and quick communication with the Administrator. The Administrator can also be contacted in writing at its address: Gola 25A, 63-640 Bralin, Poland, via the contact form available on the website, or by phone at: +48 62 593 10 54 (Customer Service hours: 9-16 on working days, call charged as per standard phone rates according to the service provider’s tariff used by the Client). Communication can be conducted in Polish or English. 

3. The purpose of this Policy is to outline the actions taken regarding personal data collected through the Administrator’s website and the related services and tools used by its users, as well as within the scope of entering into and performing contracts through offline contact. 

4. If necessary, the provisions of this Policy may be subject to change. Any changes will be communicated to users by announcing the new content of the Policy, and in the case of the database of persons who have given consent to data processing via email or provided email data when entering into contracts, they will be notified of the changes also via email.

§ 2 Basis for Processing, Purposes, and Storage of Personal Data

1. Users' personal data are processed in accordance with the General Data Protection Regulation (GDPR), the polish Personal Data Protection Act, the polish Personal Data Protection Act of May 10, 2018, the polish Telecommunications Law Act of July 16, 2004, and the polish Act on the Provision of Electronic Services of July 18, 2002, as amended, and for the purpose of making notifications under Article 16(1) of the Regulation of the European Parliament and of the Council (EU) 2022/2065 of October 19, 2022, on a single market for digital services and amending Directive 2000/31/EC (Digital Services Act) (OJ L 277, 2022, p. 1, as amended; "DSA") also based on Article 3(h) of the DSA. 

2. The Administrator may collect the following data for the following purposes:

3. Users' personal data are stored no longer than necessary to achieve the purpose of processing, i.e., until consent is withdrawn if processing is based on such consent, until the expiration of claims by the Administrator and the other party concerning the performance of concluded contracts (in the case of sales/service contracts, 2 years from the end of the year), and until the resolution of inquiries sent via email or until the conclusion of complaint handling. After this period, the Client's personal data will be processed by the Administrator based on Article 6(1)(f) GDPR, i.e., for purposes arising from the legitimate interests pursued in the conduct of marketing campaigns. 

4. To the extent necessary for the proper functioning of the website, its functionalities, and the proper execution of payment operations (if such is carried out through the website), the site uses User metadata. Metadata means the process of reading and recognizing by the website's IT system the configuration and components of the user's computer to adjust the site to its capabilities and establish a secure connection between the user's computer and the site. Importantly, such metadata cannot lead to the identification of the User and are not harmful to the data stored on the computer. However, the User has the right to withdraw consent to the processing of metadata at any time by appropriately configuring their browser or downloading an appropriate plugin provided by the browser manufacturer. For this purpose, please consult the software manufacturer's recommendations. 

5. Users' personal data obtained due to the performance of the user account maintenance agreement are stored for 2 years from the last purchase made using the account and no longer than 3 years from that activity. 

6. The Administrator may use profiling for direct marketing purposes, but decisions made based on it by the Administrator do not concern the conclusion or refusal to conclude a contract or the ability to use electronic services. The result of using profiling may be, for example, granting a discount to a person, sending a discount code, reminding about unfinished purchases, sending a product offer that may match the interests or preferences of the person, or offering better conditions compared to the standard offer. Despite profiling, the person freely decides whether to use the received discount or better conditions and make a purchase. Profiling involves the automatic analysis or prediction of a person's behavior on the Administrator's site, e.g., by adding a specific product to the cart, viewing a specific product page, or analyzing the history of activities on the site. The condition for such profiling is that the Administrator has the personal data of the person to send, for example, a discount code. 

7. To the extent necessary for the proper functioning of the website, its functionalities may collect other information during use by the User, including: 

1. IP address; 

2. information about the device, hardware, and software, such as hardware identifiers, mobile device identifiers (e.g., Apple Identifier for Advertising [“IDFA”] or advertising identifier on an Android device [“AAID”]), 

3. platform type, 

4. settings and components, 

5. browser data, including browser type and preferred language.

8. Considering the nature, scope, context, and purposes of processing and the risk of violating the rights or freedoms of individuals with varying likelihood and severity, the Administrator implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the Regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Administrator employs technical measures to prevent unauthorized persons from acquiring and modifying personal data transmitted electronically.

§ 3 Data sharing

1. The Administrator ensures that all collected personal data is used to fulfill obligations towards users. This information will not be shared with third parties except in situations where:

   1. explicit consent is given by the individuals concerned, or

   2. if the obligation to provide this data arises or will arise from applicable law, e.g., to law enforcement authorities.

2. Additionally, the personal data of service recipients and customers may be transferred to the following recipients or categories of recipients:

• service providers supplying the Administrator with technical, IT, and organizational solutions, enabling the Administrator to conduct business activities, including the website and services provided through it (in particular, software providers, marketing agencies, email and hosting service providers, software providers for company management and technical support for the Administrator, and product delivery operators) - the Administrator shares the collected personal data of the Client with a selected provider acting on its behalf only if and to the extent necessary to achieve the given purpose of data processing consistent with this privacy policy.

• accounting, legal, and advisory service providers providing the Administrator with accounting, legal, or advisory support (in particular, an accounting office, law firm, or debt collection company) - the Administrator shares the collected personal data of the Client with a selected provider acting on its behalf only if and to the extent necessary to achieve the given purpose of data processing consistent with this privacy policy.

3. The Administrator may share anonymized data (i.e., data that does not identify specific Users) with external service providers to better recognize the attractiveness of advertisements and services for users. In this regard, due to the location of software providers, data may be transferred – in compliance with protection principles – to third countries that ensure the standards of contractual provisions approved by the European Commission for personal data processing or have the appropriate authorization to act under bilateral data processing agreements between the European Union and the third country, not being a member of the European Economic Area. These entities for the Administrator are:

• Google LLC. (headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for Google Analytics tools used for analyzing website statistics, Google Tag Manager for managing scripts by easily adding code snippets to the site or application and tracking user activities on the website, Google Ads for displaying sponsored links in Google search results and on sites participating in the Google AdSense program, Google Workspace for comprehensive site editing and coordination of work of those working on it (including Google Drive, Gmail, Google Sheets, Google Forms, Google Looker Studio);

• Meta Platforms, Inc. (headquarters: 1 Meta Way, Menlo Park, CA 94025, USA) for Facebook pixel used to track conversions from Facebook ads, optimize them based on collected data and statistics, and build a targeted audience list for future ads.

• Microsoft Corporation (headquarters: 1 Microsoft Way, Redmond, WA 98052, USA) for Microsoft Clarity analytical tools to analyze website statistics and track user activities on the website;

4. The Administrator always informs about the intention to transfer personal data outside the EEA at the stage of their collection. 

5. The Administrator continuously conducts risk analysis to ensure that personal data is processed securely – ensuring primarily that only authorized persons have access to the data and only to the extent necessary due to the tasks performed by them. The Administrator ensures that all operations on personal data are recorded and carried out only by authorized employees and collaborators. 

6. The Administrator takes all necessary actions to ensure that its subcontractors and other cooperating entities provide guarantees for the application of appropriate security measures whenever they process personal data on behalf of the Administrator. However, it is not responsible for any data leaks or manipulation by entities cooperating with it and will take all actions to restore data security in such a situation. 

7. Third-party analytical technologies integrated with the Administrator's services (including SDK [Software Development Kit] and API [Application Program Interfaces]) may combine data collected in connection with the User's use of the Administrator's site with information they have collected separately over time and/or across different platforms. Many of these companies collect and use information based on their data protection policies, which can be found on their websites. The Administrator encourages reviewing these policies. 

8. The Administrator's site may use the functionality of Google Analytics, a web analytics service provided by Google, LLC. ("Google"). Google Analytics uses cookies to help website operators analyze how visitors use the site. Information generated by the cookie about the use of the website by visitors is generally transmitted to and stored by Google on servers in the United States. According to current IT standards, the IP addresses of users visiting the Administrator's site are shortened. Only in exceptional cases is the full IP address transmitted to a Google server in the United States and shortened there. On behalf of the Administrator, Google will use this information to evaluate the website for its users, compile reports on website traffic, and provide other services related to website traffic and internet usage to website operators. Google will not combine the IP address provided by Google Analytics with any other data held by Google. More information on how Google Analytics collects and uses data can be found on the official Google page athttps://policies.google.com/technologies/partner-sites?hl=en-US. In addition, any User can prevent Google from collecting and processing data about their use of the website by downloading and installing the browser plugin available athttps://tools.google.com/dlpage/gaoptout?hl=en-US. 

9. The Administrator, when sharing data with third parties, ensures that this is done only to entities that meet the criteria and requirements specified under Articles 46 or 49 GDPR. Where applicable, the Administrator will rely on EU standard contractual clauses and other safeguards to enable transfers outside the EEA. In accordance with the Court of Justice of the European Union's decision of July 16, 2020, the Administrator continues to evaluate the legal system of the countries to which data is transferred and, if necessary, updates measures to ensure adequate levels of protection. 

10. For data transferred to the United States, the Administrator, when sharing data with third parties, ensures that this is done in accordance with the European Commission's decision of July 10, 2023, only to entities and organizations in the USA that ensure compliance with the new "EU-US Data Privacy Framework." The list of these organizations has been published by the US Department of Commerce. Transferring personal data from the EEA to organizations that have joined the "EU-US Data Privacy Framework" and are on this list is possible without additional authorizations or legal instruments such as standard contractual clauses or binding corporate rules. However, if a data importer in the USA has not joined the "EU-US Data Privacy Framework," transferring data to them is possible and will be done by fulfilling the conditions specified in Articles 46 or 49 GDPR. In such cases, the Administrator will rely on EU standard contractual clauses and other safeguards to enable transfers outside the EEA. 

11. The Administrator may, after obtaining the User's prior consent expressed by checking the appropriate icon during the ordering process, transfer the User's data (in particular, email address and order information) to the TrustMate portal (operated by TrustMate S.A., based in Poland, Wrocław, postal code 50-062, Bartoszowicka 3, KRS: 0000737597, TIN: 8971854393, REGON: 369980751, Share capital: 2.843.170 PLN fully paid) to obtain the User's opinion on the order. These data will be transferred only after obtaining the User's consent and may be published by the Administrator, including on the TrustMate.pl portal. 

12. The Administrator may, after obtaining the User's prior consent expressed by checking the appropriate icon during the ordering process, transfer the User's data (in particular, email address and order information) to the Opineo.pl portal (operated by Ringier Axel Springer sp. z o.o., based in Poland, Warsaw, ul. Domaniewska 49, 02-672 Warsaw, registered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw, XIII Commercial Division of the National Court Register under KRS number: 0000420780, with share capital of 106,000 PLN fully paid, TIN: 5272677009, REGON: 146127300; Correspondence address for Opineo.pl matters: ul. Marii Curie-Skłodowskiej 12, 50-381 Wrocław, or email address: [email protected], contact phone number: 12 26 00 200 (Mon-Fri from 9:00 to 17:00)). 

13. The store contains links to other websites. After navigating to other websites, please review the privacy policy established there. This privacy policy applies only to the online store located at botland.com.pl and does not cover data concerning products of other Entities that have been placed in the Store commercially, guest, on a reciprocal basis, or not for commercial purposes. The Administrator encourages all users to review these documents before using the Store.

§ 4 User Rights

1. A user whose personal data is being processed has the right to:

1. access, rectify, restrict, delete, or transfer – the data subject has the right to request access to their personal data, rectification, deletion ("right to be forgotten"), or restriction of processing, as well as the right to object to processing and data portability. The detailed conditions for exercising the aforementioned rights are specified in Articles 15-21 of the GDPR.

2. withdraw consent at any time – a person whose data is processed by the Administrator based on expressed consent (under Article 6(1)(a) or Article 9(2)(a) of the GDPR) has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

3. lodge a complaint with a supervisory authority – a person whose data is processed by the Administrator has the right to lodge a complaint with a supervisory authority in their country of origin in the manner and mode specified in the GDPR and Polish law, particularly the Polish Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office in Warsaw.

4. object – a person whose data is concerned has the right to object at any time, for reasons related to their particular situation, to the processing of their personal data based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the administrator), including profiling based on these provisions. The Administrator may no longer process such personal data unless he demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject or grounds for establishing, pursuing, or defending claims.

5. object to direct marketing – if personal data is processed for direct marketing purposes (based on the legitimate interest of the Administrator, not on the data subject's consent), the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling to the extent that it is related to such direct marketing.

2. The exercise of the above rights is based on a user request sent to the email address [email protected]. Such a request should include the user's first and last name. 

3. The user ensures that the data provided or published by them on the service is correct.

§ 5 Cookies

1. "Cookies" are understood as IT data, in particular, text files, stored on users' end devices (usually on the computer's hard drive or mobile device) used to save specific settings and data in the user's browser to use websites. These files allow recognizing the user's device and properly displaying the website, ensuring comfort during its use. Therefore, storing "cookies" enables appropriate preparation of the website and offers according to the user's preferences - the server recognizes and remembers, among others, preferences such as visits, clicks, and previous activities. 

2. The current list of cookies used on the Store's website by the Administrator is available at the following link: https://botland.store/content/299-cookies 

3. "Cookies" contain, in particular, the domain name of the website they come from, the time they are stored on the end device, and a unique number used to identify the browser connecting to the website. 

4. Cookies are used to::

1. adjust the content of websites to the user's preferences and optimize the use of websites,

2. create anonymous statistics that, by helping to determine how the user uses websites, allow improving their structure and content,

3. deliver advertising content tailored to the user's interests.

Cookies are not used to identify the user, and they do not establish the user's identity based on them.

5. The primary division of cookies distinguishes between:

1. Essential cookies – absolutely necessary for the proper functioning of the website or functionalities that the user wants to use, as without them, we could not provide many services we offer. Some of them also ensure the security of services provided by us electronically.

2. Functional cookies – important for the operation of the website because: 

• they enhance the functionality of websites; without them, the website will work correctly, but it will not be tailored to the user's preferences,

• they ensure a high level of website functionality; without them, the level of functionality may be reduced, but their absence should not prevent the complete use of the site,

• they support most of the website's functionalities; blocking them will cause some functions not to work correctly.

3. Business cookies – enable the implementation of the business model on which the website is made available; blocking them will not cause the entire functionality to be unavailable, but it may reduce the quality of the service due to the inability to generate revenue by the website owner to subsidize its operation. This category includes, for example, advertising cookies.

4. Cookies used for website configuration – enable setting functions and services on websites.

5. Cookies used for website security and reliability – enable authentication verification and optimization of website performance.

6. Authentication cookies – enable informing when the user is logged in, allowing the website to display appropriate information and functions.

7. Session status cookies – enable saving information on how users use the website. They may relate to the most frequently visited pages or error messages displayed on some pages. Cookies used to save the "session status" help improve services and increase the comfort of browsing websites.

8. Cookies for tracking processes on the site – enable the efficient operation of the website and its available functions.

9. Advertising cookies – allow displaying advertisements that are more interesting for users and more valuable for publishers and advertisers; cookies can also be used to personalize advertising and to display ads outside of websites.

10. Cookies accessing the location – enable adjusting the displayed information to the user's location.

11. Cookies for analysis, research, or audience audit – enable the website owner to better understand users' preferences and, through analysis, improve and develop products and services. Typically, the website owner or a research company collects information anonymously and processes data on trends without identifying personal data of individual users.

6. Using cookies to adjust the content of websites to the user's preferences does not generally mean collecting any information that allows identifying the user, although this information may sometimes be personal data, i.e., data that allows assigning certain behaviors to a specific user. Personal data collected using cookies may be collected only to perform specific functions for the user. Such data is encrypted in a way that prevents unauthorized access. 

7. Cookies used by this site are not harmful to the user or the end device they use, so it is recommended not to disable their handling in browsers for the proper functioning of the service. In many cases, the software used to browse websites (web browser) by default allows storing information in the form of cookies and other similar technologies on the user's end device. The user can change the way cookies are used by the browser at any time. To do this, change the browser settings. The method of changing the settings varies depending on the software (web browser) used. Appropriate guidelines can be found on the subpages, depending on the browser you are using. 

8. Cookies are also used to facilitate logging into the user account, including via social media, and to allow transitioning between subpages on websites without having to log in again on each subpage. At the same time, cookies are used to secure websites, e.g., to prevent unauthorized access. 

9. Within the cookie technology, the Administrator may use tracking pixels or clear GIF files to collect information about how the user uses their services and their response to marketing messages sent via email. A pixel is a software code that allows embedding an object on the site, usually a one-pixel image, which enables tracking user behavior on the websites where it is placed. Upon providing the appropriate consent, the browser automatically establishes a direct connection to the server hosting the pixel, so the data collected by the pixel is processed within the data protection policy of the partner who administers the server. 

10. The Administrator may use internet log files (which contain technical data, such as the user's IP address) to monitor traffic within their services, resolve technical problems, detect and counteract fraud, and enforce the User Agreement. 

11. The Administrator informs that the site does not respond to DNT (Do Not Track) signals, but the user can disable certain forms of tracking online, including some analytical data and personalized ads, by changing cookie settings in their browser or using our cookie consent tools (if applicable). 

12. Detailed information on changing cookie settings and deleting them independently in the most popular web browsers are available in the help section of the web browser and on the following pages (click the appropriate link): 

1. Google Chrome 

2. Mozilla Firefox

3. Microsoft Edge 

4. Opera

5. Safari macOS

6. Safari iOS/iPad OS

13. Detailed information on managing cookies on a mobile phone or other mobile device should be found in the user manual of the mobile device.

Previous versions:

Version 1.1 (Gola, until 2024-09-15)