1. This Privacy Policy (hereinafter – the Privacy Policy) defines how BUYEU PL (hereinafter – the Company, we or the Data Controller) processes personal data on the website buyeu.pl, in the customer account, as well as when providing services for the purchase of goods, delivery, returns, customer service, and other related services.
2. In matters related to the processing of personal data, exercising the rights of data subjects, requests, complaints or other privacy-related information, you may contact us electronically at: buyeu.pl.
3. Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter – GDPR), the Electronic Communications Law, other applicable provisions of European Union law and the law of the Republic of Poland, as well as recommendations of competent supervisory authorities.
4. The Company processes personal data in accordance with the following principles:
4.1. personal data is collected for specified, explicit and lawful purposes;
4.2. personal data is processed lawfully, fairly and in a transparent manner;
4.3. only personal data that is adequate, relevant and necessary for achieving the specified purposes is processed;
4.4. personal data is processed only when there is at least one lawful basis for processing:
4.4.1. consent of the data subject;
4.4.2. conclusion or performance of a contract;
4.4.3. fulfillment of a legal obligation;
4.4.4. existence of a legitimate interest of the Company or a third party, provided that the interests, rights and freedoms of the data subject do not override it;
4.5. reasonable measures are taken to ensure that inaccurate or incomplete data is corrected, supplemented or updated;
4.6. personal data is stored no longer than necessary to achieve the purposes for which it is processed, except where a longer retention period results from legal provisions or where such storage is necessary for establishing, pursuing or defending legal claims;
4.7. access to personal data is granted only to persons for whom such access is necessary to perform their duties;
4.8. appropriate technical and organizational measures for the security of personal data are applied.
5. The Company’s services may be used by:
5.1. natural persons who are of legal age and have legal capacity, as well as legal persons and their duly authorized representatives. Minors may use the services only in cases permitted by law. If, in accordance with applicable law or due to the nature of a given service, the consent of parents or other legal representatives is required, such consent must be obtained before starting to use the service.
6. In cases where the Company’s services are considered information society services and the processing of personal data is based on the consent of a minor, such consent may be given independently by a minor who has reached the age of 14. In the case of a minor under 14 years of age, consent is given or confirmed by their legal representative.
7. The Company has the right to request information or documents confirming the legality of consent or authorization to represent.
8. If a given service, due to its nature, is not intended for minors, the Company has the right to refuse registration, acceptance of an order or provision of services until the required confirmation from a legal representative or another lawful basis for using the service is provided.
II. Collection, Processing and Storage of Personal Data
9. Depending on how you use our services, the Company may process the following personal data:
9.1. first and last name;
9.2. phone number;
9.3. email address;
9.4. delivery, pickup, return addresses and other addresses related to the provision of services;
9.5. account and registration data, such as login details, account identifiers, information about password changes and security logs;
9.6. information regarding orders, purchases, delivery, returns and customer service;
9.7. information on payments and settlements to the extent necessary for the provision of services, refunds, accounting and payment administration;
9.8. correspondence and communication data with customer service, including the content of inquiries, complaints and claims;
9.9. IP address, date and time of login, information about the device, browser, operating system and other technical information;
9.10. data from cookies and similar technologies;
9.11. information regarding marketing preferences and consents;
9.12. other data that you provide when using our services or that arises in connection with the provision of services.
10. Personal data is processed for the following purposes and on the following legal bases:
10.1. for registration, creation and administration of an account – on the basis of contract performance or taking steps prior to entering into a contract;
10.2. for ordering, purchasing, delivery, return of goods and provision of other services – on the basis of contract performance;
10.3. for issuing invoices and financial documents, maintaining accounting records and administering payments – on the basis of contract performance and legal obligation;
10.4. for resolving issues related to the purchase of goods, shipping, delivery, returns or performance of other contractual obligations – on the basis of contract performance, legal obligation or legitimate interest; the legitimate interest of the Company is to ensure proper service provision, avoid losses, manage disputes and defend its rights;
10.5. for handling inquiries, requests, complaints, claims and disputes of customers – on the basis of contract performance, legal obligation or legitimate interest; the legitimate interest of the Company is to ensure high-quality customer service, resolve disputes, collect and store evidence related to communication and defend its rights;
10.6. for ensuring the functioning of the website, security, fraud prevention, protection of systems and improvement of service quality – on the basis of legitimate interest; the legitimate interest of the Company is to ensure the security of the website, systems, services, customers and business operations, detect technical issues, prevent unlawful use and reduce the risk of fraud;
10.7. for conducting statistics, analyses and improving services – on the basis of legitimate interest, and where required by law – on the basis of consent; the legitimate interest of the Company is to analyze the use of services, improve the functioning of the website, user experience and service quality;
10.8. for sending newsletters, offers and other direct marketing information:
10.8.1. by electronic means or other electronic communication channels – generally on the basis of consent, and where permitted by law also on another lawful basis, for example when offers concerning similar goods or services are sent to existing customers, with a clear and free option to opt out at any time;
10.8.2. by telephone – on the basis of prior consent, where required by applicable law;
10.8.3. for presenting offers and information about the Company’s services within the customer account or on the website – on the basis of legitimate interest, when such information is related to the Company’s services and is addressed to existing customers, with a clear possibility to object at any time; in cases where consent is required under applicable law, data is processed on the basis of consent;
10.9. for establishing, pursuing or defending legal claims – on the basis of legitimate interest; the legitimate interest of the Company is to defend its rights, interests and assets in judicial, pre-trial or administrative proceedings.
11. When registering, placing an order or otherwise providing data, the customer is obliged to provide correct, accurate and complete data. If the data necessary for registration, order processing, delivery, return, settlement or responding to an inquiry is not provided, the Company may not be able to conclude or perform the contract, provide services or properly handle the request.
12. As a rule, personal data is obtained directly from the customer when they register, place an order, use the website, contact us or otherwise use our services.
13. In some cases, where it is necessary for the provision of services, fulfillment of legal obligations or ensuring legitimate interests, personal data may be obtained not directly from the customer, but from third parties, for example:
13.1. from payment service providers, banks or financial intermediaries – information about payment status, payment confirmation, refunds, failed payments or other information necessary for settlement administration;
13.2. from shipping, logistics, warehousing and delivery service providers – information about shipment acceptance, transport, delivery progress, delivery status, non-delivery, return or other data related to shipment handling;
13.3. from persons acting on behalf of the customer, such as representatives, proxies or employees of a legal entity – identification data, contact data, order or delivery data;
13.4. from public registers or institutions, where permitted by law and necessary to fulfill legal requirements, prevent fraud, handle disputes or protect rights;
13.5. from IT service providers, communication, customer service or other service providers acting on our behalf, who provide information generated in connection with the use of their solutions;
13.6. from other third parties, where the customer requests inclusion of their data in the service or where such data collection is permitted by law.
14. When processing and storing personal data, the Company implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or other unlawful processing.
15. Personal data is stored no longer than necessary to achieve the purposes for which it was collected and processed, except where a longer retention period results from legal provisions or where such storage is necessary for establishing, pursuing or defending legal claims. The following basic retention periods apply:
15.1. account and registration data is stored for as long as the account remains active and for 3 years after the last active login or account closure, unless longer retention is necessary due to pending orders, disputes, debt administration or defense of legal claims;
15.2. data related to orders, purchases, delivery, returns and related transactions is stored for 10 years from the date of execution, cancellation or return of the order to the extent necessary for accounting, tax obligations, dispute administration and protection of rights;
15.3. invoices, payment data, accounting documents and other financial documents are stored for 10 years, unless applicable law provides for a longer or shorter period;
15.4. data related to customer service inquiries, correspondence, complaints, claims and dispute resolution is stored for 3 years from the resolution of the case or last contact, and if a dispute or legal proceeding is initiated – until its final conclusion and for an additional 1 year thereafter if necessary to protect rights;
15.5. data related to direct marketing is stored for 3 years from the last active confirmation of consent or last meaningful interaction with a marketing message, unless consent is withdrawn earlier or an objection is raised;
15.6. the fact of opting out of direct marketing and related minimal data may be stored for 5 years from the date of withdrawal to ensure that no unwanted communications are sent and to demonstrate compliance;
15.7. data related to consents and proof of their obtaining is stored for 5 years from withdrawal or expiration to demonstrate that consent was obtained and its scope;
15.8. technical logs, security logs, IP addresses, login records and system logs are generally stored for 90 days, unless longer retention is necessary to investigate incidents, prevent fraud, ensure security or protect legal claims; in such cases they may be stored for up to 1 year;
15.9. where legal provisions establish mandatory retention periods, those periods apply.
16. Necessary, functional, analytical, statistical, marketing and other cookies and similar technologies may be used on the website.
16.1. necessary cookies are used to ensure the functioning of the website and provision of services;
16.2. analytical, functional, marketing or other non-essential cookies are used only after obtaining user consent, where required by law;
16.3. detailed information about cookies, their purposes and management options is provided in a separate Cookie Policy.
17. Direct marketing communications are sent only when a valid legal basis exists.
17.1. the customer has the right to opt out at any time by clicking the unsubscribe link in the newsletter or contacting us using the contact details provided in this Privacy Policy;
17.2. opting out of direct marketing does not affect the sending of non-marketing communications, such as those related to order processing, account administration, security, service changes or legal obligations.
18. The Company may use statistical, aggregated, anonymized or otherwise non-identifiable data for business analysis, planning, service improvement and other lawful business purposes.
III. Use and Disclosure of Personal Data to Third Parties
19. The Company may transfer personal data to third parties only to the extent necessary to achieve the purposes indicated in this Privacy Policy, perform a contract, fulfill legal obligations or ensure the legitimate interests of the Company.
20. Personal data may be transferred to the following categories of recipients:
20.1. payment service providers, banks and financial transaction intermediaries (for example Paysera) or other payment partners;
20.2. shipping, logistics, warehousing and delivery service providers, courier companies, parcel locker operators and warehouse partners;
20.3. IT service providers, hosting, cloud computing, system maintenance and data storage providers;
20.4. customer service, communication, marketing and analytics service providers;
20.5. accounting, auditing, legal, debt administration, fraud prevention and other related service providers;
20.6. other partners or service providers where necessary to provide the Company’s services or ensure its legitimate interests.
21. Personal data may also be transferred to public authorities, local authorities, courts, law enforcement agencies, supervisory authorities and other competent institutions where required by law or where such transfer is necessary to protect the rights and legitimate interests of the Company, to establish, pursue or defend legal claims.
22. Where third parties process personal data on behalf of the Company, they act as processors and process personal data only in accordance with the Company’s instructions and with appropriate technical and organizational security measures.
23. If personal data is transferred outside the European Economic Area, the Company ensures that such transfer is carried out in accordance with GDPR requirements and with appropriate safeguards, such as standard contractual clauses approved by the European Commission, an adequacy decision or other lawful data transfer mechanisms.
24. Information about the applied safeguards and, where applicable, a copy thereof or information on where they can be accessed, may be obtained by contacting us electronically at: info@buyeu.pl.
IV. Change, Update of Personal Data and Rights of Data Subjects
25. The customer has the right to change, update, correct or supplement the data provided in their account or otherwise. If necessary, the Company may request additional information required to verify identity in order to protect personal data and the rights and freedoms of others.
26. The customer has the right to:
26.1. obtain information about the processing of their personal data;
26.2. access their personal data;
26.3. request correction of inaccurate data or completion of incomplete data;
26.4. request deletion of data where there is a legal basis for doing so;
26.5. request restriction of data processing;
26.6. exercise the right to data portability where applicable;
26.7. object to data processing where it is based on legitimate interest;
26.8. withdraw consent at any time where data is processed on the basis of consent; withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal;
26.9. object at any time to the processing of personal data for direct marketing purposes;
26.10. lodge a complaint with the Data Protection Authority.
27. Where personal data is processed on the basis of legitimate interest, the customer has the right, for reasons related to their particular situation, to object to such processing.
28. Where the right to data portability applies, the customer has the right to receive their personal data in a structured, commonly used and machine-readable format or, where technically feasible, to request its transfer to another controller.
V. Submission of Requests or Claims
29. To exercise their rights, obtain information about personal data processing or submit a request, complaint or claim, the customer may contact us electronically at: info@buyeu.pl.
30. If necessary, the Company may request additional information required to verify identity in order to protect personal data and the rights and freedoms of others.
31. The Company provides information about processed personal data and responds to requests in accordance with the procedures and deadlines specified by law, generally no later than within one month from the date of receipt of the request, except where, due to the complexity or number of requests, this period may be extended in accordance with legal provisions.
32. The customer has the right to lodge a complaint with the Data Protection Authority.
VI. Changes to the Privacy Policy
33. The Company has the right to partially or fully amend this Privacy Policy by publishing it on the website buyeu.pl.
34. Changes to the Privacy Policy come into effect on the date of their publication on the website, unless another effective date is specified in the Privacy Policy or its amendment.
35. In the case of significant changes to the Privacy Policy, the Company may additionally inform customers electronically, via the customer account or by other customary communication methods.