-
Definitions and General Information
Controller – The controller of personal data is Hemp Plant Sp. z o.o. with its registered office in Pszczyna, ul. Zdrojowa 8, 43-200 Pszczyna, entered into the National Court Register under number 0000806740, registration files deposited with the Katowice East District Court in Katowice, VIII Economic Department of the National Court Register, Tax Identification Number (NIP): 6381839121, National Business Registry Number (REGON): 384504332, email: katarzyna.w@hempplant.pl.
Personal Data – information about an identified or identifiable natural person. An identifiable natural person is one who can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Cookies – means computer data, in particular small text files, stored and stored on devices through which the User uses the website of the Service.
Administrator’s Cookies – means Cookies placed by the Administrator, related to the provision of electronic services by the Administrator through the Service.
Third-party Cookies – means Cookies placed by the Administrator’s partners through the website of the Service.
Service – the website: https://cannova.pl/.
Profiling – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
User – any person visiting the Service, using a computer, tablet, phone, or mobile device and the Internet.
-
Legal Basis for Processing User Data and their Scope
-
Personal data collected by the Administrator are processed in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”), the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 1000) and the Act of 18 July 2002 on the provision of electronic services (Journal of Laws of 2017, item 1219, as amended).
-
The Administrator processes only personal data provided by the User in connection with the use of the Service. The processing of User data takes place within the scope of:
-
establishing contact – based on art. 6(1)(a) GDPR, i.e., based on the consent given by the person whose data it concerns,
-
order fulfillment (data scope: first name, last name, address, email address, telephone number, optionally company name if applicable) – based on art. 6(1)(b) GDPR, i.e., for the performance of a contract to which the User is a party,
-
debt collection – based on art. 6(1)(f) GDPR, i.e., because processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party,
-
fulfillment of legal obligations incumbent on the Administrator in connection with conducting business activities – based on art. 6(1)(c) GDPR, i.e., because processing is necessary to fulfill a legal obligation incumbent on the Administrator,
-
conducting marketing activities for products or services, including newsletter distribution – based on separately given consent (art. 6(1)(a) GDPR),
-
sending commercial information by electronic means based on separately given consent (art. 6(1)(a) GDPR),
-
using telecommunications end devices and automatic calling systems for direct marketing purposes in accordance with art. 172 of the Telecommunications Law Act of 16 July 2004 (Journal of Laws of 2017, item 1907, as amended) – based on separately given consent. Viewing the content of the Service does not require the provision of personal data other than automatically collected information about connection parameters.
-
Compliance of Processing with the Law and Application of Appropriate Security Measures
-
The Administrator processes data lawfully, collects them for specified, lawful purposes, and does not subject them to further processing incompatible with those purposes. Data is collected only to the extent necessary and necessary in relation to the purposes for which it is processed. Personal data of Users may be disclosed by the Administrator to third parties who may be interested in concluding an agreement with the User, the detailed content of which will be determined directly between the User and the third party.
-
The Administrator does not process special categories of personal data.
-
The Administrator makes every effort to protect the personal data of Users against unauthorized access by third parties and, for this purpose, applies organizational and technical security measures at a high level. The Administrator does not disclose personal data to any unauthorized recipients in accordance with the absolute laws in this regard. The Administrator may entrust another entity, by written agreement, with the processing of personal data on behalf of the Administrator. Data may be made available to entities authorized to receive it under the absolutely binding provisions of the law.
-
The Administrator applies security measures for servers, connections, and the Service. All connections related to the execution of electronic payments by Users, in the case of choosing such an option, will be made via a secure SSL encrypted connection. However, the actions taken by the Administrator may be insufficient if Users do not follow security rules.
-
Automated Processing of Personal Data (Profiling)
-
In order to ensure the most advantageous, tailored, personalized offer for its Users and for purposes necessary to conclude or perform a contract between the person whose data it concerns and the Administrator, as well as with the explicit consent of the person whose data it concerns, the data Administrator may use Profiling.
-
In the case of processing data for direct marketing purposes, including Profiling, processing based on the legitimate interest of the Administrator, for scientific, historical, or statistical research purposes, data subjects have the right to object, due to their particular situation. The Administrator does not make decisions based solely on automated processing, including Profiling, which significantly affects the person whose data it concerns. The Administrator implements appropriate safeguards for the rights, freedoms, and legitimate interests of the person whose data it concerns, at least the right to obtain human intervention on the part of the Administrator, to express their own position, and to challenge decisions resulting from automated data processing.
-
Duration of Personal Data Processing
-
Personal data will be processed for a period:
-
necessary to fulfill agreements concluded through the Service, including after their performance due to the possibility for the parties to exercise their rights arising from the contract, as well as to pursue claims – until the expiration of the limitation period for claims;
-
until the withdrawal of the given consent or objection to the processing of data – in cases of processing personal data of the User on the basis of separate consent.
-
The Administrator also stores the personal data of Users when it is necessary to fulfill its legal obligations, resolve disputes, enforce User obligations, maintain security, prevent fraud and abuse.
-
User Rights
-
The Administrator ensures the exercise of the rights referred to in point 2 below for Users. To exercise these rights, you should send the appropriate request (request) by email to: katarzyna.w@hempplant.pl
-
The User has the right to:
-
access the data content – in accordance with art. 15 GDPR,
-
rectification/updating of data – in accordance with art. 16 GDPR,
-
erasure of data – in accordance with art. 17 GDPR,
-
restriction of data processing – in accordance with art. 18 GDPR,
-
data portability – in accordance with art. 20 GDPR,
-
object to data processing – in accordance with art. 21 GDPR,
-
withdrawal of consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal – in accordance with art. 7(3) GDPR,
-
lodge a complaint with the supervisory authority – in accordance with art. 77 GDPR.
-
The Administrator considers the requests submitted immediately, but no later than one month from the date of receipt. However, if, due to the complex nature of the request or the number of requests, the Administrator is unable to consider the User’s request within the specified period, the User will be informed of the intended extension of the period and the deadline for considering the request, not exceeding 2 months.
-
The Administrator informs about the rectification or erasure of personal data or restriction of processing carried out in accordance with the User’s request to each recipient to whom the personal data have been disclosed, unless this proves impossible or requires a disproportionate effort.
-
Provision of Information
-
In order to perform the contract, the Administrator may disclose data collected from Users to entities including in particular: employees, co-workers, entities providing legal services to the Administrator, IT support, operators of online payment systems, accounting office conducting the Administrator’s accounting, third parties, which are understood as a Partner or Contractor, as defined in the Service Regulations.
-
In such cases, the amount of data transferred is limited to the required minimum. In addition, information provided by Users may be made available to competent public authorities if required by applicable law.
-
Personal data of Users not indicated above are not disclosed to third parties in a form that would allow for any identification of Users unless the User has given consent to this.
-
Personal data of Users will not be transferred to countries outside the European Economic Area.
-
Cookies Files and Their Use
-
When using the Service on the User’s end device, small files, in particular text files containing information allowing to remember login data, recently selected products, products in the User’s basket (hereinafter: “cookies files”) are saved. Cookies enable the collection of statistical data, as mentioned in point 2 below.
-
Cookies files do not contain User-identifying data, which means that it is not possible to determine their identity based on them. The files used by the Service are in no way harmful to the User or the device and do not interfere with its software or settings.
-
The cookie system does not interfere with the operation of the User’s computer and can be disabled.
-
Cookies enable:
-
maintaining the User’s session (after logging in) so that the User does not have to re-enter the Login and Password on each subpage of the Service;
-
creating statistics of subpages viewed on the Service.
-
We remind you that browsers by default have the option enabled to save cookies files.
-
If the User does not consent to the storage of these files on the end device, the User should change the settings of the Internet browser used.
-
Preventing the storage of cookies files may involve:
-
not saving cookies files on the end device;
-
informing the User each time a given cookie file is saved on the device; deleting files after using the Service.
-
To use the option suitable for the User, you should familiarize yourself with the information on managing cookies files, which are most often found in the “Settings” of the browser or in the “Help” tab.
-
The Administrator informs that if the files are necessary for the operation of the Service, limiting their use may make it difficult to use the Service.
-
The settings of the User’s device browser should allow for the saving of cookies files and should allow for consent to be given by clicking the “ok” option in the window that appears after entering the Service with the information: “This site uses cookies to provide services at the highest level. Continuing to use the site is tantamount to agreeing to their use – these files will be saved on the end device”.
-
Changes to the Privacy and Cookies Policy
-
The Administrator has the right to change this document, about which the User will be notified in a manner enabling them to familiarize themselves with the changes before they enter into force, e.g., by posting relevant information on the main pages of the Service, and in the case of significant changes, also by sending a notification to the User’s provided email address.
-
Continued use of the Service after the publication or sending of a notification of changes to this document is considered as consent to the collection, use, and sharing of the User’s personal data according to the updated content of the document.
-
This document does not limit any rights granted to the User in accordance with universally applicable law.