TABLE OF CONTENTS:
- GENERAL PROVISIONS
- LEGAL GROUNDS FOR PROCESSING
- PURPOSE, LEGAL BASIS AND RETENTION PERIOD OF DATA PROCESSING IN THE ONLINE STORE
- DATA RECIPIENTS IN THE ONLINE STORE
- PROFILING IN THE ONLINE STORE
- RIGHTS OF THE DATA SUBJECT
- COOKIES IN THE ONLINE STORE AND ANALYTICS
- FINAL PROVISIONS
1. GENERAL PROVISIONS
1.1. This Privacy Policy of the Online Store is for informational purposes, which means it is not a source of obligations for Service Recipients or Customers of the Online Store. The Privacy Policy primarily contains the rules regarding the processing of personal data by the Controller in the Online Store, including the legal grounds, purposes and retention periods of personal data processing, as well as the rights of data subjects, and information regarding the use of Cookies and analytics tools in the Online Store.
1.2. The controller of personal data collected via the Online Store is sortedclothes.eu, VAT ID (NIP) 6272741133, REGON 361186746, email address: info@sortedclothes.eu – hereinafter referred to as the “Controller”, who is also the Service Provider of the Online Store and the Seller.
1.3. Personal data in the Online Store is processed by the Controller in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) – hereinafter referred to as “GDPR”. Official GDPR text: https://eur-lex.europa.eu/eli/reg/2016/679/oj
1.4. Using the Online Store, including making purchases, is voluntary. Likewise, providing personal data by the Service Recipient or Customer using the Online Store is voluntary, subject to two exceptions: (1) concluding contracts with the Controller – failure to provide, in the cases and scope indicated on the Online Store website, in the Online Store Terms and Conditions and in this Privacy Policy, the personal data necessary to conclude and perform the Sales Agreement or the agreement for the provision of an Electronic Service with the Controller will result in the inability to conclude such a contract. In such a case, providing personal data is a contractual requirement; if the data subject wishes to conclude the relevant contract with the Controller, they are required to provide the requested data. Each time, the scope of data required to conclude the contract is indicated in advance on the Online Store website and in the Online Store Terms and Conditions; (2) statutory obligations of the Controller – providing personal data is a legal requirement resulting from generally applicable laws obliging the Controller to process personal data (e.g., processing data for tax or accounting records) and failure to provide such data will prevent the Controller from fulfilling those obligations.
1.5. The Controller takes special care to protect the interests of data subjects whose personal data it processes and, in particular, is responsible for and ensures that the data it collects is: (1) processed lawfully; (2) collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes; (3) accurate and adequate in relation to the purposes for which it is processed; (4) kept in a form that permits identification of data subjects for no longer than is necessary to achieve the purpose of processing; and (5) processed in a manner ensuring appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
1.6. Taking into account the nature, scope, context and purposes of processing and the risk of infringement of the rights or freedoms of natural persons of varying likelihood and severity, the Controller implements appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with GDPR. These measures are reviewed and updated as necessary. The Controller applies technical measures to prevent unauthorized persons from obtaining and modifying personal data transmitted electronically.
1.7. All words, expressions and acronyms used in this Privacy Policy and beginning with a capital letter (e.g., Seller, Online Store, Electronic Service) shall be understood in accordance with their definitions contained in the Online Store Terms and Conditions available on the Online Store website.
2. LEGAL GROUNDS FOR PROCESSING
2.1. The Controller is entitled to process personal data where – and to the extent that – at least one of the following conditions is met: (1) the data subject has given consent to the processing of their personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2.2. Processing of personal data by the Controller always requires at least one of the legal bases indicated in section 2.1 of this Privacy Policy. The specific legal bases for processing of personal data of Service Recipients and Customers are indicated in the next section of this Privacy Policy – for each purpose of processing personal data by the Controller.
3. PURPOSE, LEGAL BASIS AND RETENTION PERIOD OF DATA PROCESSING IN THE ONLINE STORE
3.1. Each time, the purpose, legal basis, retention period and recipients of personal data processed by the Controller result from the actions taken by the Service Recipient or Customer in the Online Store or by the Controller.
3.2. The Controller may process personal data within the Online Store for the following purposes, on the legal bases and for the periods indicated below:
| Purpose of data processing | Legal basis | Retention period |
|---|---|---|
| Performance of the Sales Agreement or an agreement for the provision of an Electronic Service, or taking steps at the request of the data subject prior to entering into such agreements | Article 6(1)(b) GDPR (performance of a contract) | Data is stored for the period necessary to perform, terminate or otherwise expire the Sales Agreement or the agreement for the provision of an Electronic Service. |
| Direct marketing | Article 6(1)(f) GDPR (legitimate interest) – the Controller’s legitimate interest consists in maintaining the Controller’s reputation and the reputation of its Online Store and in pursuing sales of Products | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than until the limitation period for claims arising from the Controller’s business activity expires (as determined by applicable law). The Controller shall not process data for direct marketing if the data subject effectively objects to such processing. |
| Marketing based on consent | Article 6(1)(a) GDPR (consent) | Data is stored until the data subject withdraws consent for further processing for this purpose. |
| Customer reviews/opinions about the concluded Sales Agreement | Article 6(1)(a) GDPR (consent) | Data is stored until the data subject withdraws consent for further processing for this purpose. |
| Keeping tax or accounting records | Article 6(1)(c) GDPR (legal obligation) in conjunction with applicable tax/accounting laws | Data is stored for the period required by law for retaining tax/accounting documentation (e.g., generally 5 years counted in accordance with accounting rules and/or until the tax liability limitation period expires, unless laws provide otherwise). |
| Establishment, exercise or defence of claims | Article 6(1)(f) GDPR (legitimate interest) – the Controller’s legitimate interest consists in establishing, pursuing or defending claims | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than until the limitation period for potential claims expires (depending on the type of claim and applicable law). |
| Use of the Online Store and ensuring its proper functioning | Article 6(1)(f) GDPR (legitimate interest) – operating and maintaining the Online Store | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than until the limitation period for claims related to the Controller’s business activity expires (subject to applicable law). |
| Statistics and traffic analysis in the Online Store | As a rule, analytics/marketing technologies (cookies/identifiers) require consent under ePrivacy rules; therefore, where required: – Article 6(1)(a) GDPR (consent) – for analytics/marketing cookies and similar identifiers and, in limited cases: – Article 6(1)(f) GDPR (legitimate interest) – for strictly necessary, aggregated operational statistics (where permitted) | For consent-based processing: until consent is withdrawn (and in any case according to cookie lifetimes/configuration). For strictly necessary operational logs/statistics: no longer than necessary for the stated purpose. |
4. DATA RECIPIENTS IN THE ONLINE STORE
4.1. For the proper functioning of the Online Store, including performance of Sales Agreements, it is necessary for the Controller to use external service providers (such as, for example, a software provider, courier or payment service provider). The Controller uses only such processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that processing meets GDPR requirements and protects the rights of data subjects.
4.2. Personal data may be transferred by the Controller to a third country (outside the European Economic Area). In such a case, the Controller ensures that the transfer will take place: (a) to a country recognized by the European Commission as ensuring an adequate level of protection, or (b) on the basis of appropriate safeguards (e.g., Standard Contractual Clauses), and where required, with additional measures. The data subject has the right to obtain a copy of the safeguards. The Controller transfers personal data only where and to the extent necessary to achieve a specific processing purpose consistent with this Privacy Policy.
4.3. Data is not transferred in every case and not to all recipients/categories indicated in this Privacy Policy – data is transferred only when necessary for the relevant purpose of processing and only to the extent necessary.
4.4. Personal data of Service Recipients and Customers of the Online Store may be transferred to the following recipients or categories of recipients:
4.4.1. carriers / freight forwarders / courier brokers / entities handling warehousing and/or dispatch – where a Customer uses postal or courier delivery, the Controller provides the Customer’s personal data to the selected carrier/freight forwarder/intermediary responsible for deliveries on behalf of the Controller, and where shipping is performed from an external warehouse – to the entity handling warehousing and/or dispatch, to the extent necessary to deliver the Product to the Customer.
4.4.2. electronic payment or card payment service providers – where a Customer uses electronic or card payment methods, the Controller provides the Customer’s personal data to the selected payment service provider, to the extent necessary to process the payment.
4.4.3. credit providers / lessors – where a Customer uses instalment payments or leasing payments (if available), the Controller provides the Customer’s personal data to the selected credit provider/lessor, to the extent necessary to process the payment.
4.4.4. review/survey system providers – where a Customer has consented to provide a review/opinion about a Sales Agreement, the Controller provides the Customer’s personal data to the selected entity providing the review/survey system, to the extent necessary to enable the Customer to submit a review.
4.4.5. providers of technical, IT and organisational solutions enabling the Controller to conduct business activity, including the Online Store and Electronic Services (in particular: e-commerce software providers, email and hosting providers, business management tools, and technical support providers) – the Controller provides personal data only where and to the extent necessary for the relevant purpose. Within this category, Google Ireland Limited and Meta Platforms Ireland Limited (if marketing/analytics tools are used) may have access to data collected via Cookies and similar technologies for analytics and/or remarketing – subject to the user’s choices and consents collected via the cookie banner/consent management tool.
4.4.6. accounting, legal and advisory service providers supporting the Controller (in particular: accounting office, law firm, debt collection company) – the Controller provides personal data only where and to the extent necessary for the relevant purpose.
5. PROFILING IN THE ONLINE STORE
5.1. GDPR obliges the Controller to provide information on automated decision-making, including profiling referred to in Article 22(1) and (4) GDPR, and – at least in those cases – meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject. With this in mind, the Controller provides in this section information concerning possible profiling.
5.2. The Controller may use profiling in the Online Store for direct marketing purposes, but decisions made on its basis do not concern the conclusion or refusal to conclude a Sales Agreement nor the ability to use Electronic Services in the Online Store. The effect of profiling may be, for example, granting a discount, sending a discount code, reminding about an unfinished purchase, proposing a Product that may match a person’s interests or preferences, or offering better conditions compared to the standard offer. Despite profiling, the person remains free to decide whether to use the received discount/better conditions and make a purchase.
5.3. Profiling in the Online Store consists of automatic analysis or prediction of a person’s behaviour on the Online Store, e.g., by adding a Product to the cart, browsing a Product page, or analysing purchase history. A condition for such profiling is that the Controller has the person’s personal data so that it may, for example, send a discount code.
5.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
6. RIGHTS OF THE DATA SUBJECT
6.1. Right of access, rectification, restriction, erasure or data portability – the data subject has the right to request from the Controller access to their personal data, rectification, erasure (“right to be forgotten”) or restriction of processing, as well as the right to object to processing and the right to data portability. Detailed conditions for exercising these rights are set out in Articles 15–21 GDPR.
6.2. Right to withdraw consent at any time – where personal data is processed on the basis of consent (Article 6(1)(a) GDPR, and where relevant also Article 9(2)(a) GDPR), the data subject has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
6.3. Right to lodge a complaint with a supervisory authority – the data subject has the right to lodge a complaint with a supervisory authority in the manner and under the rules set out in GDPR and applicable national law. In Poland, the supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
6.4. Right to object – the data subject has the right to object at any time, on grounds relating to their particular situation, to processing of personal data based on Article 6(1)(e) (public interest/task) or (f) (legitimate interests), including profiling based on those provisions. In such a case, the Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for processing overriding the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims.
6.5. Right to object to direct marketing – where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing, including profiling to the extent it is related to such direct marketing.
6.6. In order to exercise the rights referred to in this section of the Privacy Policy, you may contact the Controller by sending an appropriate message in writing or by email to the Controller’s address indicated at the beginning of this Privacy Policy or by using the contact form available on the Online Store website.
7. COOKIES IN THE ONLINE STORE AND ANALYTICS
7.1. Cookies are small text information in the form of text files, sent by a server and stored on the device of a person visiting the Online Store website (e.g., on the hard drive of a computer, laptop or on a smartphone memory card – depending on the device used). More information about Cookies can be found, for example, here: https://en.wikipedia.org/wiki/HTTP_cookie.
7.2. Cookies (and similar technologies) that may be used by the Online Store can be divided into different types according to the following criteria:
| By provider | By storage period | By purpose |
|---|---|---|
| 1) first-party (set by the Controller’s Online Store) 2) third-party (set by entities other than the Controller) | 1) session (stored until logging out or closing the browser) 2) persistent (stored for a defined period or until manually deleted) | 1) strictly necessary (ensuring proper functioning of the Online Store) 2) functional/preference (enabling adaptation to user preferences) 3) analytics/performance (usage/traffic measurement) 4) marketing/advertising/social (personalised ads and marketing activities, also outside the Online Store) |
7.3. The Controller may process data contained in Cookies and similar identifiers for the following purposes:
| Cookie purpose in the Online Store | Examples / description |
|---|---|
| Strictly necessary | Identifying logged-in users; maintaining session state; remembering Products added to the cart to place an Order; remembering data entered in forms necessary to complete the Order. |
| Functional / preference | Remembering preferences (e.g., language, layout, font size) and optimising user experience. |
| Analytics / performance | Generating statistics and analysing traffic to improve the Online Store (subject to user consent where required). |
| Marketing / remarketing | Building audiences/profiles based on activity and displaying tailored ads, including within Google and Meta advertising networks (subject to user consent where required). |
7.4. It is possible to check in the most popular web browsers which Cookies (including their lifetime and provider) are currently set by the Online Store in the following ways:
| Browser | How to check Cookies |
|---|---|
| Chrome | (1) Click the padlock icon to the left of the address bar, (2) open Cookies / Site settings. |
| Firefox | (1) Click the shield icon to the left of the address bar, (2) review allowed/blocked trackers and cookie settings for the site. |
| Internet Explorer | (1) Tools, (2) Internet Options, (3) General, (4) Settings, (5) View files. |
| Opera | (1) Click the padlock icon to the left of the address bar, (2) open Cookies / Site settings. |
| Safari | (1) Preferences, (2) Privacy, (3) Manage Website Data. |
| Other tools | You may also use external tools such as: https://www.cookiemetrix.com/ or https://www.cookie-checker.com/ |
7.5. Most browsers accept Cookies by default. You can define the conditions for using Cookies via your browser settings. You can partially restrict or completely disable Cookies; however, disabling strictly necessary Cookies may affect certain functionalities of the Online Store (e.g., the checkout process due to not remembering Products in the cart).
7.6. Cookie consent: where required by applicable ePrivacy rules and GDPR, the Online Store uses analytics and marketing Cookies (and similar identifiers) only after obtaining the user’s consent via a cookie banner/consent management tool. Withdrawal of consent is possible at any time via the cookie settings available on the Online Store.
7.7. The Controller may use Google Analytics 4 (GA4) provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) and Meta Pixel provided by Meta Platforms Ireland Limited (Ireland). These services help the Controller generate statistics and analyse traffic in the Online Store and conduct marketing/remarketing activities, depending on the user’s consent choices and tool configuration. Depending on configuration and consents, the Controller may collect data such as traffic source/medium, user behaviour on the site, device/browser information, IP/approximate location and identifiers used for measurement and advertising.
7.8. You can limit analytics/marketing tracking by adjusting your cookie preferences in the cookie settings on the Online Store and by configuring your browser privacy settings. Depending on the implementation, vendor opt-out mechanisms may also be available.
7.9. More information about Google’s technologies and partner sites can be found here: https://policies.google.com/technologies/partner-sites
8. FINAL PROVISIONS
8.1. The Online Store may contain links to other websites. The Controller encourages users to read the privacy policy established on those other websites after leaving the Online Store. This Privacy Policy applies only to the Controller’s Online Store.<br<