I. General information

This privacy policy (hereinafter referred to as the “Policy“) of the www.born2drift.com website (hereinafter referred to as the “Website“) is intended for users of the Website who are natural persons (hereinafter referred to as “Users“) and contains information on the processing of Users’ personal data in connection with the use of the Website to the extent required by Art. 13 of the Regulation 2016/679 of the European Parliament and of the Council of the European Union of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as “GDPR“), as well as on the cookies used by the Website to the extent required by Article 173 of the Polish Act of 16 July 2004 – Telecommunications Law.

II. Controller of personal data of www.born2drift.com website users

The controller of Users’ personal data, i.e. the entity deciding about purposes and ways of processing their personal data is born2drift.com Sp. z o.o. based in Wrocław, ul. Jeździecka 19/503, 53 – 032 Wrocław, e-mail address: info@born2drift.com (hereinafter referred to as the “Controller“).

III. Purposes and legal basis of personal data processing

The Controller processes Users’ personal data for the following purposes:

A. Creating a customer account

The User’s personal data may be processed by the Controller in order for the User to set up and maintain a customer account (hereinafter referred to as the “Account“) in the Service. In order to register an Account, only the User’s e-mail address is processed. After creating an Account, User may complete his/her data by providing his/her first and last name and user name. The basis for the processing of User data in this case is Article 6.1.a) of GDPR, i.e. the User’s consent to provide his/her personal data in order to set up and maintain an Account. The User may withdraw his/her consent to the processing of his/her personal data for this purpose at any time by deleting the Account.

B. Processing of orders placed by the User via the Website

In order to process orders placed by Users for goods offered through the Website, the Controller processes the User’s personal data necessary to identify the person placing the order, as well as to receive payment for the goods and to address the ordered products. This data includes: name and surname, telephone number, e-mail address and shipping address: street, house and flat number, city, postal code and country/region. The data of the means of payment used by the User to pay for the order in the form of payment card details or bank account number are also processed. The basis for the processing of the above personal data of the User is Article 6(1)(b) of the GDPR, i.e. the performance of the contract of sale of the goods being the subject of the order concluded with the User. If the User wishes to issue a VAT invoice, the Controller may additionally require the User to provide the tax identification number (NIP), and the basis for the processing of the User’s personal data for the purpose of issuing a VAT invoice is Article 6(1)(c) GDPR, i.e. the performance of a legal obligation incumbent on the Controller.

C. Sending a newsletter

In order to send the newsletter to Users who have given their consent, the Controller processes only the User’s e-mail address entered in the newsletter subscription form. The legal basis for the processing of User data for this purpose is Article 6(1)(a) of the GDPR, i.e. the User’s consent to receive the newsletter.

D. Contact with the User via contact form or e-mail

In order to reply to the User’s message addressed to the Controller via the contact form or by e-mail, the Controller may process the User’s personal data entered in the contact form, i.e. name and surname and e-mail address or to the e-mail message and other personal data indicated by the User in the content of the message. The legal basis for the processing of the User’s data for this purpose is Article 6(1)(a) of the GDPR, i.e. the User’s consent to the processing of his/her data in order to reply to the User’s message.

E. Keeping statistics on the use of the Website’s functionalities

The Controller may process the User’s personal data in order to keep statistics on the use of individual functionalities of the Website, to facilitate the use of the Website and to ensure the IT security of the Website. Personal data concerning the User’s activity on the Website and the amount of time spent on each subpage of the Website, the User’s search history, location, IP address, device ID, data concerning the Internet browser and the User’s operating system are then processed. The basis for the processing of User data in such a case is Article 6(1)(f) GDPR, i.e. the Controller’s legitimate legal interest in processing the User’s personal data.

F. Determination, investigation and defence of the Controller’s claims

The Controller may process the User’s personal data if it proves necessary in order to establish, assert and enforce possible claims of the Controller against the User and to defend against possible claims of the User in court or out-of-court proceedings. The personal data of the User given while purchasing goods in the Service and other data necessary to prove the existence of the claim or resulting from generally binding legal regulations may be processed then. The basis for the processing of User’s personal data in such a case is Article 6 (1) (f) GDPR, i.e. the Controller’s legitimate legal interest in processing User’s data.

IV. Recipients of Users’ personal data

User personal data may be transferred by the Controller to external recipients, if this is necessary for the proper functioning of the Service and the improvement of the activity carried out by the Controller. The entities to which the User’s personal data may be transferred with the highest probability are

– Internet payment operators in order to realize payments for orders made by Users;

– courier companies, in particular DPD Polska Sp. z o.o. with its seat in Warsaw and FedEx Express Poland Sp. z o.o. with its seat in Wrocław, for the purpose of addressing products ordered by Users via the Service;

– entities providing the Controller with IT services in connection with the functioning of the Service;

– entities providing accounting services to the Controller, e.g. in case of necessity of posting VAT invoices issued to the User;

– entities providing legal services for the Controller, e.g. in case of legal claims by the User against the Controller and the need to defend the Controller.

The Controller guarantees that the entities to which the Users’ personal data will be transferred are entities which guarantee a high level of protection of the data, and that appropriate agreements on entrusting the processing of the Users’ personal data will be concluded with all the above-mentioned entities.

The Controller guarantees that Users’ personal data shall not be transferred to countries outside the European Economic Area or to international organisations.

V. Period of storage of Users’ personal data

The User’s personal data processed for the purpose of realization of orders placed by the User shall be processed by the Controller until the realization of the order, i.e. collection of payment and delivery of the ordered product to the User, and after its realization no longer than for the period of limitation of claims resulting from the realized order, which is, as a rule, 6 years counting from the end of the year in which the order was realized, and in the case of orders placed by Users who are entrepreneurs – 3 years counting from the end of the year in which the order was realized.

The User’s personal data processed in order to set up and maintain the Account shall be stored by the Controller for the period of maintaining the Account, i.e. until its deletion by the User.

Data concerning orders which result in tax obligations on the Controller’s side, e.g. in terms of issuing a VAT invoice, shall be stored by the Controller for the obligatory period of storing tax documentation, which, as a rule, is 5 years counting from the end of the calendar year in which the deadline for tax payment expired.

User personal data processed for the purpose of sending marketing materials by the Controller, including a newsletter, will be stored by the Controller until the User withdraws his or her consent to receive them.

The User’s personal data processed for the purpose of replying to the User’s message sent via contact form or e-mail do not have a precise period of storage by the Controller, however, they will not be processed longer than it is necessary for the purposes for which they were collected, i.e. replying to the enquiry.

Personal data from cookies stored on the User’s terminal device will be stored for a period corresponding to the life cycle of cookies stored on the User’s terminal device or until they are deleted from the device by the User.

In the case when storing the User’s personal data proves necessary to assert or defend claims to which the Controller is entitled or against the Controller, the User’s personal data can be stored until the final conclusion of court proceedings pending in the matter of these claims and the enforcement of the decision made in these proceedings.

VI. Users’ rights related to the processing of their personal data

A. Right to withdraw consent

The User has the right to withdraw his or her consent to the processing of his or her personal data at any time, provided that the consent constitutes the legal basis for the processing of his or her personal data (Art. 6(1)(a) of GDPR). Consent for data processing may be withdrawn by sending the Controller a declaration indicating such a wish, e.g. in the form of an e-mail message. Withdrawal of the consent is effective from the moment of receipt of the above statement of withdrawal by the Controller and does not affect the lawfulness of processing of the User’s personal data performed by the Controller before its withdrawal.

Legal basis: Article 7(3) of GDPR

B. Right to demand access to data

The User has the right to obtain confirmation from the Controller as to whether his/her personal data are being processed and, if this is the case, has the right to:

(a) obtain access to his/her personal data;

(b) obtain information on: the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients of that data, the intended period of storage of the User’s data or the criteria for determining that period, the User’s rights under the GDPR and the right to lodge a complaint with the supervisory authority, the source of that data, automated decision-making, including profiling, and the safeguards applied in connection with the transfer of that data outside the European Economic Area;

c) obtain a copy of his/her personal data free of charge, however, for each subsequent copy of the User’s personal data, the Controller may request a fee reflecting the costs of its preparation.

Legal basis: Article 15 of GDPR

C. Right to rectification

The User has the right to rectify and complete the personal data provided by him. The User may do so by submitting a request to rectify such data (if incorrect) or to complete it (if incomplete).

Legal basis: Article 16 of GDPR

D. Right to erasure (“right to be forgotten”)

You have the right to request the erasure of all or some of the data concerning you.

The User may request the erasure of their personal data if:

(a) the User’s personal data are no longer necessary for the purposes for which they were collected or for which they were processed;

b) the User’s personal data are processed unlawfully;

c) to object to the processing, if its basis is the legitimate legal interest of the Controller;

d) the personal data must be erased in order to comply with a legal obligation under Union law or the law of a Member State to which the Controller is subject;

(e) the personal data were collected in connection with the offering of information society services.

Despite the request for erasure of personal data in connection with the lodging of an objection (point c) above), the Controller may continue to process the User’s personal data to the extent necessary for the establishment, assertion or defence of claims, and to the extent necessary to comply with a legal obligation requiring processing under Union law or the law of a Member State to which the Controller is subject.

Legal basis: Article 17 of GDPR

E. Right to restrict data processing

The User has the right to request the Controller to restrict the processing of his/her personal data, i.e. not to undertake any processing activities in relation to such data beyond the mere storage thereof, in the following cases:

(a) where he/she questions the correctness of his/her personal data – for a period allowing him/her to verify the correctness of the data;

b) when the processing of the data is unlawful, but the User opposes its erasure by requesting instead the restriction of the processing;

c) when the User’s personal data are no longer necessary for the purposes for which they were collected or used, but they are necessary for the establishment, assertion or defence of claims;

d) where the User has objected to the use of his/her data, in which case the restriction shall take place for the time necessary to consider whether the protection of the interests, rights and freedoms of the User outweighs the interests pursued by the Controller in processing his/her personal data.

Legal basis: Article 18 of GDPR

F. Right to data portability to another controller

Where the User’s personal data are processed by the Controller on the basis of the consent given by the User or for the purpose of entering into a contract with the User (Article 6(1)(a) and (b) of GDPR), the User has the right to receive in a structured, commonly used readable format the personal data that he or she has provided to the Controller, and has the right to transfer this personal data to another controller without hindrance from the Controller, provided that this is technically possible.

Legal basis: Article 20 of GDPR

G. Right to object to processing

The User has the right to object at any time to the processing of his/her personal data where the processing is based on the legitimate legal interest of the Controller (Article 6(1)(f) of GDPR). If the User’s objection proves to be justified, and the Controller has no other legitimate legal basis for processing the User’s personal data, as well as a basis for determining, asserting or defending his/her claims, the Controller shall delete the User’s personal data to the use of which the User has raised an objection.

Legal basis: Article 21 of GDPR

If, in the exercise of the above-mentioned rights described in items A-G), the User submits a request to the Controller, the request shall be met or refused immediately, but no later than within one month of its receipt. However, if, due to the complexity of the request or the number of requests, the User is unable to comply with the User’s request within one month, the request will be complied with within a maximum of a further two months after informing the User of the need to extend this period.

H. Right to lodge a complaint with a supervisory authority

If the User considers that the right to personal data protection or other rights granted to the User under GDPR have been violated, the User has the right to lodge a complaint to the supervisory authority, which in Poland is the President of the Office for Personal Data Protection.

Legal basis: art. 77 of GDPR

VII. Voluntariness of providing personal data

Providing personal data by the User is always voluntary, but necessary in order to:

– creating an Account;

– placing orders for products through the Website;

– receiving the newsletter;

– contact with the Controller via the contact form or e-mail.

Failure to provide the data required for the aforementioned purposes by the User shall result in the User’s inability to perform the aforementioned activities.

VIII. Possibility of profiling the Users’ personal data by the Controller

As a rule, Users’ personal data shall not be subject to profiling or the basis for automated decision-making in another manner.

IX. Data collected automatically upon entering the Service website (cookies)

The Controller informs that while using the Website short text information called “cookies” are stored in the User’s end device. Cookie files contain such IT data as: the IP address concerning the User, name of the website they come from, time of their storage on the User’s end device, recording of parameters and statistics and a unique number. Cookies” are directed to the Service server through a web browser installed in the User’s end device. Cookies are used on the Website in order to:

a) maintaining technical correctness and continuity of the session between the Service server and the User’s final device;

b) optimisation of use of the Website by User and adjustment of their display on User’s end device;

c) ensuring safety of use of the Service;

d) gathering statistics on visits to websites of the Service, supporting improvement of their structure and content;

e) display on the User’s terminal equipment of advertising content optimally adapted to his/her preferences. Within the Service there are two types of “cookies” used: “session” and “permanent”. “Session” “cookies” are files subject to automatic removal from the final device of the User of the Service after his/her logging out from the Service or after leaving by him/her the websites of the Service or after switching off the web browser. “Permanent” files “cookies” are stored in the terminal equipment of User for the time specified in the parameters of files “cookies” or until their removal by User. “Permanent” “cookies” are installed in the User’s terminal equipment only with his/her consent. The Controller informs that:

  • Internet browsers by default accept the installation of “cookies” in the final device of the User. Each User of the Website may at any time change the settings concerning “cookies” in the Internet browser used by him in such a way that the browser automatically blocks the use of “cookies” or informs the User of their placement in his or her terminal equipment each time. Detailed information on the possibility and methods of using cookies is available in the settings of the Internet browser used by the Service User.

  • Restricting the use of cookies by a User may adversely affect the correctness and continuity of the provision of Services on the Website. Cookies installed in Service User’s end device may be used by advertisers or business partners cooperating with the Controller. Cookies may be considered personal data only in connection with other data identifying identity, provided to the Controller by the User while using the Service.

Only the Controller has access to cookies processed by the Website’s server.

If the User does not agree to save and receive information in cookies, the User can change the rules regarding cookies by means of the settings of User’s Internet browser.

X. Changes to the Privacy Policy

If it is necessary to update the information contained in this Privacy Policy or if it is necessary to ensure its compliance with the applicable laws or technological conditions of the functioning of the Website, this Privacy Policy may be amended. Users will be informed of any changes to the Privacy Policy through a notice displayed on the Website.