Privacy and cookies policy

TABLE OF CONTENTS:
1. GENERAL PROVISIONS
2. BASIS FOR THE PROCESSING OF DATA
3. PURPOSE, BASIS AND PERIOD OF PROCESSING DATA IN THE ONLINE SHOP
4. DATA RECIPIENTS IN THE ONLINE SHOP
5. PROFILING IN THE ONLINE SHOP
6. THE RIGHTS OF THE DATA SUBJECT
7. COOKIES IN THE ONLINE SHOP AND ANALYTICS
8. FINAL PROVISIONS

1. GENERAL PROVISIONS
1.1. This Online Shop Privacy Policy is of an informative nature, which means that it is not a source of obligations for
Service Recipients or Customers of the Online Shop. The Privacy Policy contains, above all, the principles
concerning the processing of data by the Controller in the Online Shop, including the basis, purpose, scope and
period of personal data processing and the rights of data subjects as well as information regarding the use of
cookies and analytical tools in the Online Shop.
1.2. The Controller of the personal data collected via the Online Shop shall be PAWEŁ NAWROCKI, running a
business under the name JANINA KOWALSKA SKLEP INTERNETOWY entered into the Central Registration
and Information on Business of the Republic of Poland run by the Minister of Economy, having: the address of
the business place and the delivery address: Siercza 584, 32-020 Siercza, Poland, tax identification number:
6852105514, national economy register (REGON) number 386905880, e-mail address: (1)
kontakt@navdesign.pl, (2) contact@navdesign.eu, telephone number: +48 691959963 – hereinafter referred to
as “Controller” and being simultaneously the Service Provider of the Online Shop and the Seller.
1.3. Personal data in the Online Shop shall be processed by the Controller in accordance with the binding legal
regulations, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter
referred to as “GDPR” or “GDPR Regulation”. The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
1.4. Using the Online Shop, including shopping, is voluntary. Similarly, providing personal data by the Service
Recipient or the Customer using the Online Shop is voluntary, subject to two exceptions: (1) entering into
contracts with the Controller – failure to provide the personal data necessary for the conclusion and
performance of the Sales Contract or a contract for the provision of an Electronic Service with the Controller in
the cases and within the scope indicated on the website of the Online Shop and the Terms and Conditions of
the Online Shop and this Privacy Policy shall result in no possibility to enter into the contract. Providing personal
data is a contractual requirement in such a case and if the data subject is willing to enter into the contract with
the Controller, they shall be obligated to provide the required data. The scope of the data required to enter into
the contract is each time specified in advance on the website of the Online Shop and in the Terms and
Conditions of the Online Shop; (2) statutory obligations of the Controller – specifying the personal data is a
statutory requirement resulting from the commonly binding legal regulations obligating the Controller to process
the personal data (e.g. processing data to fiscal books and ledgers) and failure to specify the data will render it
impossible for the Controller to perform the obligations.
1.5. The Controller assures due diligence to protect the interest of persons being data subjects, in particular being
responsible and liable for and assuring that the data collected are: (1) processed in accordance with the Act; (2)
collected for specific, legal purposes and not subject to further processing inconsistent with the purposes; (3)
correct as regards the subject matter and adequate as regards the purpose of the processing; (4) stored in a
form making it possible to identify the people they apply to, no longer than it proves necessary to attain the
purpose of processing and (5) processed in a manner ensuring security of the personal data, including the
protection against illicit or illegal processing or accidental loss, damage or destruction, with the use of
appropriate technical and organisational measures.
1.6. Taking into account the nature, scope, context and purpose of processing as well as the risk of breaching the
rights or freedoms of natural persons with varied likelihood and degree of threat, the Controller is implementing
appropriate technical and organisational measures so that the processing takes place pursuant to the
Regulation and it is possible to show it. The measures are reviewed and updated, as necessary. The Controller
applies technical measures preventing the acquisition and modification of personal data sent electronically by
unauthorised persons.
1.7. Any words, phrases and acronyms used in this privacy policy starting with a capital letter (e.g. Seller, Online
Shop, Electronic Service) shall be understood in accordance with the definition contained in the Terms and
Conditions of the Online Shop available on the websites of the Online Shop.
2. BASIS FOR THE PROCESSING OF DATA

2.1. The Controller is authorised to process the personal data in cases, and to the extent, when at least one of the
following conditions is met: (1) the data subject consented to the processing of their data to one or more
specified ends; (2) processing is necessary for the performance of a contract to which the data subject is a party, or to take
actions at the request of the data subject prior to contract conclusion; (3) processing is necessary to meet the
legal obligation of the Controller; or (4) processing is necessary for the needs resulting from the legally justified
interests of the Controller or third party, except for situations when the interests or basic rights and freedoms of
the data subject override such interests and they require personal data protection, especially when the data
subject is a child.
2.2. The processing of personal data by the Controller each time requires having at least one basis indicated in item
2.1 of the privacy policy. Specific bases for processing personal data of the Service Recipients or the
Customers of the Online Shop by the Controller are specified in the following point of the privacy policy – as
regards the specific goal of processing personal data by the Controller.

3. PURPOSE, BASIS AND PERIOD OF PROCESSING DATA IN THE ONLINE SHOP

3.1. Each time, the purpose, basis, and period as well as the recipients of personal data being processed by the
Controller result from actions undertaken by a given Service Recipient or Customer in the Online Shop. For
instance, in the case the Customer decides to purchase a Product in the Online Shop and selects collecting the
purchased Product personally instead of shipment, their personal data will be processed with a view of
performing the Sales Contract entered into, but they will not be made available to the courier delivering the
shipment to the Controller’s order.
3.2. The Controller may process the personal data in the Online Shop for the purposes, on the bases and within the
periods as follows:

Purpose of data processing: The performance of the Sales Contract or a contract for the provision of an Electronic Service or taking actions to the request of the data subject, prior to entering into the above contracts.
Legal basis for processing data: Article 6, par. 1, point b) of the GDPR Regulation (contract performance) – the processing is required to perform the Sales Contract of which the data subject is party or to take action to the request of the data subject, prior to entering into the contract.
Period of data storage: The data shall be stored for the period necessary for the performance, termination or expiry of the concluded Sales Agreement or contract for the provision of Electronic Services.

Purpose of data processing: Direct marketing
Legal basis for processing data: Article 6, par. 1, point f) of the GDPR Regulation (legitimate interest of the Controller) – the processing is required for achieving the goals based on the legitimate interest of the Controller which includes upholding interests and strengthening reputation of the Controller and the Online Shop as well as his commitment for increasing sales of Products.
Period of data storage: The data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims as regards the data subject under the business activity of the Controller. The period of limitation shall be specified by legal provisions, in particular the Civil Code (the basic period of limitation in the case of claims related to business activity amounts to three years, and for a Sales Contract two years). The Controller may not process the data for the needs of direct marketing in the case of expressing clear objection in this field by the data subject.

Purpose of data processing: Marketing
Legal basis for processing data: Article 6, par. 1, point a) of the GDPR Regulation (consent) – the data subject expressed the consent to process its personal data for marketing purposes by the Controller.
Period of data storage: The data are stored until the data subject withdraws the consent to further process their data to that end.

Purpose of data processing: Expressing an opinion on the concluded Sales Contract by the Customer
Legal basis for processing data: Article 6, par. 1, point a) of the GDPR Regulation (consent) – the data subject expressed the consent to process its personal data for purpose of expressing an opinion.
Period of data storage: The data are stored until the data subject withdraws the consent to further process their data to that end.

Purpose of data processing: Keeping tax books
Legal basis for processing data: Article 6, par. 1, point c) of the GDPR Regulation in relation with Article 86 §1 of Tax Ordinance Act, consolidated text of 17 January 2017 (Journal of Laws of 2017 item 201).
Period of data storage: The data shall be stored for the legally required period, requesting the Controller to store tax books (till the lapse of the period of limitation of a tax obligation, unless acts on taxes stipulate otherwise).

Purpose of data processing: Determining, pursuing or defence of claims on the side of the Controller, or ones that may arise as regards the Controller
Legal basis for processing data: Article 6, par. 1, point f) of the GDPR Regulation (legitimate interest of the controller) – the processing is required for the purposes resulting from the legitimate interests of the Controller which includes determining, pursuing or defence of claims on the side of the Controller, or ones that may arise as regards the Controller.
Period of data storage: The data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims against the Controller. The period of limitation shall be specified by legal provisions, in particular the Civil Code (the basic period of limitation in the case of claims against the Controller amounts to six years).

Purpose of data processing: Use of the Online Shop website and ensuring its proper functioning
Legal basis for processing data: Article 6, par. 1, point f) of the GDPR Regulation (legitimate interest of the controller) – the processing is required for the purposes resulting from the legitimate interests of the Controller which includes operating and maintenance of the Online Shop.
Period of data storage: The data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims as regards the data subject under the business activity of the Controller. The period of limitation shall be specified by legal provisions, in particular the Civil Code (the basic period of limitation in the case of claims related to business activity amounts to three years, and for a Sales Contract two years).

Purpose of data processing: Preparing statistics and analysing the manner of the data subject conduct on the website of the Online Shop
Legal basis for processing data: Article 6, par. 1, point f) of the GDPR Regulation (legitimate interest of the controller) – the processing is required for the purposes resulting from the legitimate interests of the Controller which includes preparing statistics and analysing the manner of the data subject conduct on the website of the Online Shop in order to improve the functioning of the Online Shop and increase sales of Products.
Period of data storage: The data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims as regards the data subject under the business activity of the Controller. The period of limitation shall be specified by legal provisions, in particular the Civil Code (the basic period of limitation in the case of claims related to business activity amounts to three years, and for a Sales Contract two years).

4. DATA RECIPIENTS IN THE ONLINE SHOP

4.1. For the needs of proper Online Shop functioning, inclusive of the performance of the Contracts of Sale entered
into, it shall be necessary for the Controller to make use of external companies’ services (e.g. software provider,
courier, or payment system provider). The Controller uses solely the services of such processing entities which
ensure sufficient guarantee to implement appropriate technical and organisational measures so that the
processing meets the requirements set out in the GDPR Regulation and protects the rights of data subjects.
4.2. The Controller may provide personal data to a third country, while the Controller ensures that it shall only be a
third country which is considered to provide adequate level of protection – in accordance with the GDPR
Regulation, and in the case of other countries, the data transfer will occur on the basis of the standard
contractual clauses. The Controller ensures that the data subject has a right to get a copy of their data. The
Controller provides personal data to a third country only in case and scope necessary to execute a certain
purpose of data processing consistent with this privacy policy.
4.3. Providing data by the Controller does not take place in every case and not to all the recipients or categories of
recipients defined in the privacy policy – the Controller provides the data only in the case it proves necessary to
attain a given purpose of personal data processing and solely within the necessary scope.
4.4. Personal data of the Online Shop Service Recipients or Customers may be provided to the following recipients
or categories of recipients:
4.4.1. carriers/forwarders/couriers/entities operating warehouses and/or responsible for shipping process – in
the case of a Customer who selects the Online Shop to deliver the Product by post or courier, the Controller
makes the collected Customer’s personal data available to the selected carrier, forwarder or agent performing
shipment for the Controller, and if the delivery is to be made from the external warehouse – to the entity
operating warehouse and/or responsible for shipping process – to the extent necessary to deliver the Product to
the Customer.
4.4.2. e-payments or payment card service providers – in the case of a Customer who uses in the Online Shop the
option of e-payment or payment card, the Controller makes the collected Customer’s personal data available to
the selected payment service provider in the Online Shop for the Controller to the extent necessary to perform
the payment of the Customer.
4.4.3. service providers rendering for the Controller technical, IT or organisational solutions, making it
possible for the Controller to conduct a business, inclusive of the Online Shop and Electronic Services
provided via it (in particular computer software providers for the Online Shop, e-mail companies and hosting
providers as well as software providers for company management and technical aid for the Controller) – the
Controller makes the collected personal data of the Customer available to the selected provider operating to
their order only in the case and to the extent necessary for attaining a given purpose of data processing in
accordance herewith.
4.4.4. accounting, legal and consulting services providers rendering for the Controller accounting, legal or
consulting services (in particular an accounting agency, law firm or debt collection company) – the Controller
makes the collected personal data of the Customer available to the selected provider operating to their order
only in the case and to the extent necessary for attaining a given purpose of data processing in accordance
herewith.
4.4.5. providers of social plugins implemented in the Online Shop, of scripts and other similar tools enabling a
person using the Online Shop to download content from the providers of the said plugins (e.g. logging in
using social network login details) and for this purpose providing the providers with the personal data of the
visitor, including also:
4.4.5.1. Meta Platforms Ireland Ltd. - The Administrator uses Facebook social plugins on the Online Store website
(e.g. the Like button, Share or login using Facebook login details) and therefore collects and provides personal
data of the Service Recipient using the Store website to Meta Platforms Ireland Ltd. (4 Grand Canal Square,
Grand Canal Harbour, Dublin 2 Ireland) to the extent and in accordance with the privacy rules available - in
the case of Facebook - here: https://www.facebook.com/about/privacy/ (this data includes information about
activities on the Online Store website - including information about the device, visited websites, purchases,
displayed ads and how to use services - regardless of whether the Service Recipient has a Facebook account
and is logged in to Facebook).

5. PROFILING IN THE ONLINE SHOP

5.1. The GDPR Regulation obligates the Controller to inform about the automated decision-making process,
including profiling referred to in Article 22, par. 1 and 4 of the GDPR Regulation, and – at least in those cases –
the vital information concerning the decision-making process as well as the meaning and foreseeable
consequences of processing for the person being the data subject. Bearing in mind the above, the Controller
specifies in this point of the privacy policy the information concerning the possible profiling.
5.2. The Controller may use profiling in the Online Shop for direct marketing purposes, yet the decisions made on its
basis by the Controller do not concern the conclusion or rejection to conclude the Sales Contract, or the
possibility to make use of Electronic Services in the Online Shop. The result of profiling in the Online Shop may
be e.g. discount for a given person, sending a discount code, reminding about unfinished purchase process,
sending Product offers, which may be related to the interests or preferences of the person, or offering better
conditions as compared with the standard offer of the Online Shop. Regardless of profiling, the person makes
decisions freely, whether they want to use the discount given, or better conditions and buy a product in the
Online Shop.
5.3. Profiling in the Online Shop consists in automatic analysis or forecast of the conduct of a given person on the
website of the Online Shop, e.g. by adding a given Product to the cart, browsing the page of a given product in
the Online Shop, or the analysis of the history of purchase in the Online Shop. The condition for such profiling is
for the Controller to have the personal data of the person, so that they can later send them e.g. a discount code.
5.4. The data subject shall have the right not to be subject to a decision which is based solely on automated
processing, including profiling, and which has legal effects on the person or similarly affects them.

6. THE RIGHTS OF THE DATA SUBJECT

6.1. The right to access, rectify, restrict, erase or transmit – the data subject shall have the right to demand the
Controller to have access to their personal data, rectify, erase (“the right to be forgotten”) or restrict the
processing and shall have the right to object to the processing and transmit their data. Detailed conditions of the
above rights shall be indicated in Articles 15–22 of the GDPR Regulation.
6.2. The right to withdraw the consent at any time – the person whose data are being processed by the
Controller on the basis of the consent given (pursuant to Article 6, par. 1, point a) or Article 9, par. 2, point a) of
the GDPR Regulation) shall have the right to withdraw their consent at any time, without affecting the
lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.
6.3. The right to lodge a complaint with a supervisory body – the person whose data are being processed by the
Controller shall have the right to lodge a complaint with a supervisory body in a manner and mode specified in
the provisions of the GDPR Regulation and the Polish law, in particular the Personal Data Protection Act. The
supervisory body in Poland shall be the President of the Office for Personal Data Protection.
6.4. The right to object – the data subject shall have the right, at any time, to lodge a complaint – for reasons
related to their particular situation – as regards the processing of their personal data based on Article 6, par. 1,
point e) (public interest or official authority) or f) (legitimate interest of the controller) in the case of profiling
based on the provisions. The Controller in such a case must stop processing the personal data, unless they
show the existence of legally significant and justified bases for the processing, overriding the interests, rights
and freedoms of the data subject, or the bases for determining, pursuing or defending the claims.
6.5. The right to object as regards direct marketing – in the case the personal data are being processed for the
needs of direct marketing, the data subject shall have the right, at any time, to lodge a complaint as regards the
processing of their personal data for the needs of such marketing, including profiling, to the extent to which the
processing is related to direct marketing.
6.6. To perform the rights mentioned in this point of the privacy policy, one may contact the Controller by sending
them an appropriate message in writing or via e-mail to the address of the Controller indicated at the beginning
of the privacy policy or using the contact form available on the Online Shop’s website.

7. COOKIES IN THE ONLINE SHOP AND ANALYTICS

7.1. Cookies are small text files sent by the server and saved on the device of the Online Shop’s visitor (e.g. on the
hard disk of a computer, laptop, or smartphone’s memory card – depending on the type of device used by the
Online Shop’s visitor). Detailed information on Cookies as well as the history of their origin can be found e.g. at:
https://en.wikipedia.org/wiki/HTTP_cookie.
7.2. Cookies, which can be sent via the Online Shop website, can be divided into various types, according to the
following criteria:

With regard to the provider: 

1) own (created by the Controller’s Online Shop website) and 

2) belonging to other persons/third parties (other than the Controller)

With regard to the period of their retention on the appliance of the Online Shop’s visitor: 

1) session cookies (stored till the moment of closing of the Website or a browser) and 

2) persistent cookies (having some expiration period, defined by parameters of each file or until they are removed by hand)

With regard to the purpose of their usage: 

 1) strictly necessary cookies (enabling proper functioning of the Online Shop website), 

 2) functional/preferential cookies (enabling adjustment of the Online Shop website to the visitor’s preferences), 

 3) analytical and performance cookies (collecting information on the use of the Online Shop website), 

 4) targeting, advertising or social cookies (collecting information on a visitor of the Online Shop website in order to display personalised advertisements to such a person and for other marketing activities, including those performed on sites different from the Online Shop website, such as social networks or other websites belonging to the same advertising networks as the Online Store).

7.3. The Controller may process information contained in Cookies during visiting of the Online Shop website for the 
following specific purposes:

Purposes of using Cookies on the Controller’s Online Shop website:

Identification of the Service Recipients as logged in to the Online
Shop and showing them that they are actually logged in (strictly
necessary Cookies)

Saving Products added to the cart to place an Order (strictly
necessary Cookies)

Saving data from the filled-in forms, questionnaires, or login data for
the Online Shop (strictly necessary Cookies and/or
functional/preferential Cookies)

Adjustment of the Online Shop website contents to individual
preferences of the Service Recipient (e.g. colours, font size, layout)
and optimisation of the use of the website (functional/preferential
Cookies)

Keeping anonymous statistics presenting the visitor’s behaviours on
the Online Shop website (statistical Cookies)

Displaying and rendering advertisements, limiting the number of
displaying advertisements and ignoring advertisements that a Service
Recipient does not want to see, measuring the effectiveness of
advertisements, as well as personalizing advertisements, i.e.
evaluating the conduct of visitors of the Online Store through
anonymous analysis of their activities (e.g. repeated visits on
particular pages, key words etc.) to create their profile and provide
them with adverts matching their interests, also when they visit other
websites in the advertising network of Google Inc. and Facebook, i.e.
Meta Platforms Ireland Ltd. (marketing, advertising and social
Cookies)

7.4. It is possible to check which Cookie files are being sent in a given moment by the Online Shop website
(including the expiry period of Cookies and their provider). In the most popular web browsers, it can be done in
the following ways:

In Chrome browser: (1) in the address bar, click the ‘locked’ icon on the left, (2) go to the “Cookie files” tab.

In Firefox browser: (1) in the address bar, click the ‘shield’ icon on the left, (2) go to the “Allowed” or “Blocked” tab, (3) click the button “Tracking cookies between websites”, “Tracing elements of social networks” or “Content with tracing elements”.

In Internet Explorer browser: (1) click the “Tools” menu, (2) go to the “Internet options” tab, (3) go to the “General” tab, (4) then go to “Settings”, (5) click the button “Display files”.

In Opera browser: (1) in the address bar, click the ‘locked’ icon on the left, (2) go to the “Cookie files” tab.

In Safari browser: (1) click the “Preferences” menu, (2) go to the “Privacy” tab, (3) click the button “Manage website data”.

Independent of the browser used, you can apply tools available e.g. at: https://www.cookiemetrix.com/ or: https://www.cookie-checker.com/

7.5. As a standard, most internet browsers on the market accept saving Cookies by default. Every person has the 
possibility to specify the conditions of using Cookies in the browser settings. It means that one may, e.g.
partially restrict (e.g. temporarily) or fully disable saving Cookies – in the latter case it may have an impact on
some functionalities of the Online Shop (for instance it may prove impossible to go through the Order using the
Order Form owing to failure to save the Products in the cart in the course of subsequent stages of Order
placement).
7.6. The browser settings concerning Cookies are essential as regards the consent to use Cookies by our Online
Shop – in accordance with the law, such consent may also be expressed in the browser settings. In view of lack
of such consent, change the browser setting accordingly as regards Cookies. Detailed information concerning
the change in Cookies settings and their individual removal in the most common browsers is available in the
help section of the browser and the following websites (click the link):
• Chrome
• Firefox
• Internet Explorer
• Opera
• Safari
• Microsoft Edge
7.7. The Controller may use Google Analytics, Universal Analytics services in the Online Shop, which are provided
by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). The services help the Controller to
analyse the frequency of visits in the Online Shop. The data collected are processed under the above services
to generate statistics helpful while administering the Online Shop. The data are of collective nature. Using the
above services in the Online Shop, the Controller collects such data as the sources and medium of acquiring
visitors of the Online Shop and the manner of their conduct on the website of the Online Shop, information
concerning their devices and browsers used to visit the website, IP and domain, geographical data and
demographic data (age, sex) and interests.
7.8. It is possible to easily block sharing information with Google Analytics as regards the activity on the website of
the Online Shop – install to that end an opt-out add-on made available by Google Ireland Ltd. available at:
https://tools.google.com/dlpage/gaoptout?hl=pl.
7.9. Due to the possibility that the Administrator uses advertising and analytical services provided by Google Ireland
Ltd. in the Online Shop, the Administrator points out that full information on the principles of processing of data
of visitors to the Online Shop (including information saved in cookies) by Google Ireland Ltd. can be found in the
privacy policy of Google services available at: https://policies.google.com/technologies/partner-sites.
7.10. The Controller may use Meta Pixel service, which is provided by Meta Platforms Ireland Limited (4 Grand Canal
Square, Grand Canal Harbour, Dublin 2, Ireland). The service helps the Controller to measure an effectiveness
of adverts and to find out what actions the users of the Online Store undertake in order to show them matching
adverts. You can find detailed information on the Meta Pixel at the following internet address:
https://www.facebook.com/business/help/742478679120153?helpref=page_content.
7.11. Managing Meta Pixel is possible through ads settings on a Facebook user’s account:
https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.

8. FINAL PROVISIONS

8.1. The Online Shop may contain links to other websites. The Controller encourages visitors, when they are
transferred to other websites, to become familiar with the privacy policy. This privacy policy shall apply only to the
Online Shop of the Controller.