PRIVACY POLICY AND COOKIE INFORMATION

for the online store www.orientfashion.pl



1. Preamble

This Privacy Policy describes the principles of processing personal data and the use of cookies in connection with the use of the online store available at www.orientfashion.pl (hereinafter: “Service” or “Store”).

The document is intended to provide Users with information required by law, in particular by Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

2. Data Controller and Contact

1) The controller of personal data is ORIENT FASHION sp. z o.o. with its registered office in Pabianice, ul. Rzgowska 17, 95-200 Pabianice, Poland, VAT ID: 7262654864, REGON: 101831987 (hereinafter: “Controller”).

2) Contact for privacy matters: e-mail: sklep@orientfashion.pl, tel.: +48 42 211 66 85.

3) The Controller may use processors (e.g. hosting, payments, shipping, IT tools) based on data processing agreements.

3. Definitions

For the purposes of this Policy:

1) “User” – any person using the Service.

2) “Customer” – a User placing an order in the Store.

3) “Personal data” – information about an identified or identifiable natural person.

4) “Cookies” – small text files stored on the User’s device.

5) “First-party cookies” – cookies set by the Service.

6) “Third-party cookies” – cookies set by third parties (e.g. analytics, social media), if used by the Service.

4. Scope of processed data

The Controller may process in particular:

a) identification data: first name and last name;

b) contact data: e-mail address, phone number;

c) address data: delivery and/or billing address (street, number, postal code, city, country);

d) company data (for business Customers): company name, VAT ID;

e) order-related data: order history, product details, payments, complaints;

f) technical and operational data: IP address, device identifiers, browser data, server logs;

g) data from cookies and similar technologies (to the extent described in this Policy).

Providing data is voluntary; however, it is necessary to the extent required to fulfill an order, i.e. for concluding and performing the contract.

5. Purposes and legal bases for processing (GDPR)

The Controller processes personal data for the following purposes and on the following bases:

1) Conclusion and performance of the sales contract and order processing (Art. 6(1)(b) GDPR).

2) Fulfillment of legal obligations, including accounting and tax obligations (Art. 6(1)(c) GDPR).

3) Handling complaints, returns (if applicable) and asserting/defending claims (Art. 6(1)(f) GDPR).

4) Conducting correspondence and handling inquiries (Art. 6(1)(f) GDPR – legitimate interest).

5) Direct marketing of own products/services (Art. 6(1)(f) GDPR) – to the extent permitted by law.

6) Newsletter and electronic marketing communication – based on consent (Art. 6(1)(a) GDPR), if the User has given consent. Consent can be withdrawn at any time.

7) Analytics and statistics (e.g. improving the Service) – based on consent to analytical cookies, if such cookies are used (Art. 6(1)(a) GDPR) or on legitimate interest for necessary cookies (Art. 6(1)(f) GDPR).

6. Recipients of data

Data may be transferred only to the extent necessary to achieve the purposes described in the Policy, in particular to:

1) entities providing hosting/IT infrastructure maintenance services;

2) electronic payment operators and banks – for the purpose of processing payments;

3) courier companies and logistics operators – for the purpose of delivering the order;

4) providers of accounting and advisory services – to the extent required by law;

5) providers of analytical/marketing tools – only if the User has given consent (e.g. to analytical/marketing cookies);

6) public authorities – when required by law.

The current list of providers may result from the store’s configuration and will be disclosed upon request, unless this conflicts with legal provisions.

7. Transfer of data outside the EEA

The Controller does not generally plan to transfer data outside the European Economic Area (EEA). However, if it uses providers who may process data outside the EEA (e.g. as part of analytical tools), the transfer is carried out only in accordance with the GDPR, based on appropriate safeguards (e.g. standard contractual clauses).

8. Data retention period

Data are retained for the period necessary to achieve the purposes, in particular:

1) data related to an order – for the duration of the contract performance, and then for the period resulting from legal obligations (e.g. tax and accounting) and until limitation periods for claims expire;

2) Customer account data – until the account is deleted (subject to legal obligations and claims);

3) data processed based on consent (e.g. newsletter) – until consent is withdrawn;

4) logs and technical data – for the period resulting from security and service administration needs.

9. User Rights

The User has the right to:

1) access to data,

2) rectification of data,

3) deletion of data (“the right to be forgotten”) – in cases provided by law,

4) restriction of processing,

5) data portability,

6) objection to processing based on legitimate interest,

7) withdrawal of consent at any time (without affecting the lawfulness of processing prior to withdrawal),

8) lodge a complaint with the supervisory authority: the President of the Personal Data Protection Office (UODO).

To exercise their rights, the User may contact the Controller at sklep@orientfashion.pl.

10. Automated decision-making and profiling

The Controller may use data to a limited extent for statistical and marketing purposes, including to tailor content or offers (profiling), provided this is based on consent to marketing cookies or is legally permitted. The Controller does not make decisions producing legal effects against the User solely through automated means, unless required by law or the User has given consent.

11. Data security

The Controller applies appropriate technical and organizational measures to ensure the protection of personal data, including e.g. encryption of transmission (SSL/TLS), access control, backups and IT infrastructure protections.

12. Cookies – general information

1) The Service uses cookies and similar technologies to ensure proper operation, improve functionality and – with consent – for analytical and marketing purposes.

2) Cookies do not change the configuration of the User’s device.

3) The User can manage cookies through browser settings and (if available) via the cookie consent banner in the Service.

13. Types of cookies and purposes

The Service may use the following categories of cookies:

1) Necessary (technical) – required for the Service to operate (e.g. cart, login, session).

2) Functional – remembering preferences (e.g. language, settings).

3) Analytical/statistical – helping to understand how Users use the Service (e.g. visit statistics).

4) Marketing – enabling tailored ads and remarketing activities.

Analytical and marketing cookies are used only if the User has given consent.

14. Third-party cookies

The Service may use third-party cookies from providers (e.g. analytics tools, advertising pixels, social plugins) only when the User has given consent to the appropriate cookie category in the consent banner.

The range of tools used depends on the current configuration of the Service.

15. Managing cookies

1) The User may change cookie settings in the browser at any time, including blocking or deleting cookies.

2) Restricting cookies may affect some Service functions (e.g. cart, login).

3) If the Service has a cookie consent panel, the User can change their preferences at any time through that panel.

16. Server logs

The Service may record connection parameter information (e.g. IP address, request time, browser type) in server logs. These data are used for administering the Service, ensuring security and diagnostics.

17. Changes to the Privacy Policy

The Controller may update this Policy, in particular in case of changes in legal regulations, technological or organizational changes. The current version of the Policy is published in the Service.

18. Effective date

The Privacy Policy is effective from the date of publication on www.orientfashion.pl.