Privacy policy

Privacy Policy of the Online Store www.hookahteka.com

§1 General Provisions

  1. The controller of personal data collected through the Online Store www.hookahteka.com is Eugeniusz Kudryzycki conducting business under the name HOOKAHTEKA Eugeniusz Kudryzycki, registered address: al. Prymasa Tysiąclecia 83A/U9a, 01-242 Warsaw, correspondence address: al. Prymasa Tysiąclecia 83A/U9a, 01-242 Warsaw, VAT number (NIP): 5252857010, REGON: 388552629, registered in the Central Register and Information on Business Activity (CEIDG), email address: info@hookahteka.com, hereinafter referred to as the “Controller”, who is also the Service Provider.
  2. Personal data collected by the Controller through the website is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR”.

§2 Types of Personal Data Processed, Purpose and Scope of Data Collection

  1. Purpose of processing and legal basis. The Controller processes personal data of Store Users (www.hookahteka.com) in the following cases:
    • placing an order in the Store, for the purpose of performing the sales contract. Personal data is processed on the basis of Art. 6(1)(b) GDPR (performance of a sales contract).
    • use of the contact form by the user. Personal data is processed on the basis of Art. 6(1)(f) GDPR as a legitimate interest of the Controller.
    • subscription to the Newsletter for the purpose of sending commercial information electronically. Personal data is processed upon separate consent, on the basis of Art. 6(1)(a) GDPR.
  2. Types of personal data processed. The Controller processes the following categories of personal data of Users:
    • First and last name,
    • Address,
    • Email address,
    • VAT number (NIP),
    • Company name,
    • Phone number.
  3. Retention period of personal data. Personal data of Users is retained by the Controller:

    a. where the legal basis for processing is the performance of a contract, for as long as necessary to perform the contract, and thereafter for a period corresponding to the limitation period for claims. Unless a specific provision states otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to business activity – three years.

    b. where the legal basis for processing is consent, until the consent is withdrawn, and after withdrawal of consent for a period corresponding to the limitation period for claims that the Controller may raise and that may be raised against the Controller. Unless a specific provision states otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to business activity – three years.

  4. When using the website, additional information may be collected, in particular: the IP address assigned to the User’s computer or the external IP address of the Internet provider, domain name, browser type, access time, operating system type.
  5. Upon separate consent, on the basis of Art. 6(1)(a) GDPR, data may also be processed for the purpose of sending commercial information electronically in connection with Art. 10(2) of the Act of 18 July 2002 on the provision of electronic services.
  6. Navigation data may also be collected from Users, including information about links and references they choose to click on or other actions taken in the Store. The legal basis for this type of activity is the legitimate interest of the Controller (Art. 6(1)(f) GDPR), consisting in facilitating the use of services provided electronically and improving the functionality of these services.
  7. Provision of personal data by the user is voluntary.
  8. Personal data will also be processed in an automated manner in the form of profiling, if the User gives consent on the basis of Art. 6(1)(a) GDPR. The consequence of profiling will be the assignment of a profile to a given person for the purpose of making decisions concerning them or analysing or predicting their preferences, behaviour and attitudes.
  9. The Controller takes special care to protect the interests of the persons whose data it processes, and in particular ensures that the data collected is:
    • processed in accordance with the law,
    • collected for specified, lawful purposes and not subject to further processing incompatible with those purposes,
    • factually correct and adequate in relation to the purposes for which it is processed, and stored in a form which permits identification of data subjects for no longer than is necessary to achieve the purpose of processing.

§3 Disclosure of Personal Data

  1. Personal data of Users is transferred to service providers used by the Controller in operating the Store. Service providers to whom personal data is transferred, depending on contractual arrangements and circumstances, either follow the Controller’s instructions as to the purposes and methods of processing such data (processors) or independently determine the purposes and methods of processing (controllers).
  2. Users’ personal data is stored exclusively within the European Economic Area (EEA), subject to §5 point 5 of this Privacy Policy.

§4 Right to Control, Access and Rectification of Personal Data

  1. The data subject has the right to access the content of their personal data, the right to rectification, erasure and restriction of processing, the right to data portability, the right to object, and the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  2. Legal bases for the User’s requests:
    • Access to data – Art. 15 GDPR.
    • Rectification of data – Art. 16 GDPR.
    • Erasure of data (right to be forgotten) – Art. 17 GDPR.
    • Restriction of processing – Art. 18 GDPR.
    • Data portability – Art. 20 GDPR.
    • Objection – Art. 21 GDPR.
    • Withdrawal of consent – Art. 7(3) GDPR.
  3. To exercise the rights referred to in point 2, you may send an appropriate email to: info@hookahteka.com.
  4. Where a User exercises a right arising from the above provisions, the Controller fulfils the request or refuses to fulfil it immediately, but no later than within one month of receipt. However, if – due to the complex nature of the request or the number of requests – the Controller is unable to fulfil the request within one month, it will fulfil it within the next two months, informing the user in advance within one month of receiving the request of the intended extension of the deadline and its reasons.
  5. If it is found that the processing of personal data violates the provisions of the GDPR, the data subject has the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw.

§5 Cookies

  1. The Controller’s website uses cookies.
  2. The installation of cookies is necessary for the proper provision of services on the Store’s website. Cookies contain information necessary for the proper functioning of the website, and also provide the ability to compile general statistics of website visits.
  3. The website uses the following types of cookies: persistent.

    a. “Persistent” cookies are stored on the User’s end device for the time specified in the cookie parameters or until they are deleted by the User.

  4. The Controller uses its own cookies to better understand how users interact with the website content. The files collect information about how Users use the website, the type of website from which the user was redirected, and the number of visits and time spent on the website by the user. This information does not record specific personal data of the user, but is used to compile statistics on the use of the website.
  5. The Controller uses external cookies to collect general and anonymous statistical data via Google Analytics analytical tools (administrator of external cookies: Google Inc. based in the USA). Data transfers to the USA are carried out on the basis of the EU-US Data Privacy Framework adopted by the European Commission on 10 July 2023.
  6. The user has the right to decide on the access of cookies to their computer by selecting them in advance in their browser window. Detailed information on the possibility and methods of handling cookies is available in the software settings (web browser).

§6 Final Provisions

  1. The Controller applies technical and organisational measures to ensure the protection of processed personal data appropriate to the threats and categories of data subject to protection, and in particular secures data against unauthorised disclosure, removal by an unauthorised person, processing in violation of applicable regulations, and change, loss, damage or destruction.
  2. The Controller provides appropriate technical means to prevent the acquisition and modification of personal data transmitted electronically by unauthorised persons.
  3. In matters not regulated by this Privacy Policy, the provisions of the GDPR and other applicable provisions of Polish law shall apply accordingly.
  4. This Privacy Policy may be updated. Any changes will be published on this page with an updated date.