PRIVACY AND COOKIES POLICY
www.ardenharness.com
§ 1 General Provisions
The administrator of personal data of users of the website located at the domain www.ardenharness.com is ARDEN S.C. DOROTA STILLER, BRONISŁAWA ADAMCZAK, JULIUSZ ADAMCZAK, with its registered office at Sycowska 15, 60-003 Poznań, entered into the Central Register and Information on Economic Activity of the Republic of Poland, maintained by the minister competent for economic affairs, under the tax identification number (NIP): 7792121526 and the statistical number (REGON): 639767451 (hereinafter referred to as the "Administrator").
The Administrator has designated an electronic contact point for direct communication with the authorities of the Member States, the Commission, and the Digital Services Board: shop@ardenharness.com. The same contact point can be used by any Customer for direct and quick communication with the Administrator. The Administrator can also be contacted in writing at the following address: ul. Sycowska 15, 60-003 Poznań, or by phone at: +48 607 55 55 47 and +48 61 830 74 62 (communication in Polish), +48 607 075 903 (communication in English), +48 607 663 877 (communication in German). The call is charged as a standard phone call, according to the tariff plan of the service provider used by the Customer.
The purpose of this Policy is to define the actions taken regarding personal data collected through the Administrator's website and related services and tools used by its users, as well as in the context of concluding and executing contracts outside the website.
If necessary, the provisions of this Policy may be amended. Any changes will be communicated to users by publishing the new version of the Policy, and in the case of a database of individuals who have consented to the processing of data, they will also be notified by email if they have provided their email address during the execution of contracts.
§ 2 Legal Basis, Purposes, and Storage of Personal Data
Users' personal data is processed in accordance with the General Data Protection Regulation (GDPR), the Personal Data Protection Act, the Act on the Protection of Personal Data of May 10, 2018, and the Act on Providing Services by Electronic Means of July 18, 2002, as amended, and for the purpose of making a notification under Article 16(1) of Regulation (EU) 2022/2065 of the European Parliament and of the Council of October 19, 2022, on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ EU L 2022.277.1, as amended; "DSA"), also based on Article 3(h) of the DSA.
The Administrator may collect the following data for the following purposes:
Purpose of Processing
Legal Basis
Storage Period
Scope of Processed Data
Execution of a contract with the Customer or taking action at the request of the data subject before concluding the contract
Article 6(1)(b) GDPR (performance of a contract)
For the duration of the contract until the expiration of legal obligations related to accounting
- First and last name; - Email address; - Phone number; - Address (street, house number, apartment number, postal code, city, country); - Company name; - Tax identification number (NIP)
Direct marketing
Article 6(1)(f) GDPR (legitimate interest of the Administrator)
Until the consent is withdrawn – remember, you can withdraw your consent at any time. Processing data until you withdraw your consent remains lawful.
- Email address; - Phone number
Marketing
Article 6(1)(a) GDPR (consent)
Until the consent is withdrawn – remember, you can withdraw your consent at any time. Processing data until you withdraw your consent remains lawful.
- First and last name; - Email address; - Phone number; - Address (street, house number, apartment number, postal code, city, country)
Maintaining accounting records
Article 6(1)(c) GDPR in connection with Article 86(1) of the Tax Ordinance (Journal of Laws 2023, item 2383) or Article 74(2) of the Accounting Act (Journal of Laws 2023, item 120)
Data is stored for the period required by law, including the statute of limitations for tax obligations (unless tax laws provide otherwise) or accounting records (5 years, counting from the beginning of the year following the financial year to which the data relates)
- First and last name; - Email address; - Phone number; - Address (street, house number, apartment number, postal code, city, country); - Tax identification number (NIP); - Company name
Refunding money
Performance of a contract or taking action at the request of the data subject before concluding the contract (Article 6(1)(b) GDPR)
5 years after the end of business relations with the Customer
- First and last name; - Email address; - Phone number; - PESEL (Polish personal identification number); - Address (street, house number, apartment number, postal code, city, country); - Business entity data
Establishing, pursuing, or defending claims that the Administrator may raise or that may be raised against the Administrator
Article 6(1)(f) GDPR
Data is stored for the duration of the legally justified interest, but no longer than the statute of limitations for claims against the data subject in connection with the business activity conducted
- First and last name; - Email address; - Phone number; - Address (street, house number, apartment number, postal code, city, country); - Tax identification number (NIP); - Company name
Conducting research and analysis to improve the available services
Article 6(1)(f) GDPR
Data is processed until the expiration of the period in which claims can be pursued
- Company name; - Email address; - Phone number; - Address (street, house number, apartment number, postal code, city, country); - Computer components; - Settings; - Installed software
Collecting telemetric data
Article 6(1)(f) GDPR
Until the expiration or deletion of cookies used for analytical purposes
- IP address; - Approximate location based on IP address; - User identifier; - Sharing and use of software
Customer account registration
Performance of a contract or taking action at the request of the data subject before concluding the contract (Article 6(1)(b) GDPR)
5 years after the end of business relations with the Customer
- First and last name; - Email address; - Phone number; - PESEL (Polish personal identification number); - Address (street, house number, apartment number, postal code, city, country); - Business entity data
Providing customer service
Performance of a contract or taking action at the request of the data subject before concluding the contract (Article 6(1)(b) GDPR)
5 years after the end of business relations with the Customer; 2 years after the last update of the Customer's inquiry
- First and last name; - Email address; - Phone number; - Address (street, house number, apartment number, postal code, city, country); - Business entity data
Ensuring proper functioning of the website and its improvement
Article 6(1)(f) GDPR
5 years after the end of business relations with the Customer
- As above; - Information about activities performed on the website (button clicks, visit duration, notifications read, other information depending on the specific business case)
Enabling the Customer to reset their password
Protection and security of the website, Customer interests, and Customer security (Article 6(1)(f) GDPR)
5 years after the end of business relations with the Customer
- First and last name; - Email address; - Business entity data; - Customer password; - User ID
Monitoring compliance with regulations, contracts, and privacy policy
Protection and security of the website, Customer interests, and Customer security (Article 6(1)(f) GDPR)
5 years after the end of business relations with the Customer
- Transaction data; - Business entity data
Handling requests regarding personal data
Article 6(1)(c) GDPR
For the duration of the legally justified interest of the Administrator, but no longer than the statute of limitations for claims against the data subject in connection with the business activity conducted
- First and last name; - Email address; - Phone number; - Address (street, house number, apartment number, postal code, city, country); - Tax identification number (NIP); - Company name
Providing information to authorities responsible for enforcing the law and other state institutions
Article 6(1)(c) GDPR
For the duration of the legally justified interest of the Administrator, but no longer than the statute of limitations for claims against the data subject in connection with the business activity conducted
- First and last name; - Email address; - Phone number; - Address (street, house number, apartment number, postal code, city, country); - Tax identification number (NIP); - Company name
Fulfilling legal obligations under Article 16(1), (4), (5), and (6) of the DSA
Article 6(1)(c) GDPR
Until the notification is made regarding: 1) the decision taken by the Administrator regarding the notification; 2) the possibility to appeal the decision referred to in point 2)
- First and last name; - Email address; - Phone number; - Address (street, house number, apartment number, postal code, city, country); - Tax identification number (NIP); - Company name
Processing personal data in the context of proceedings conducted by public administration authorities, including law enforcement agencies, regarding the purposes or legal basis for processing personal data
Article 6(1)(c) GDPR
For the duration of such obligation
- First and last name; - Email address; - Phone number; - Address (street, house number, apartment number, postal code, city, country); - Tax identification number (NIP); - Company name
Taking actions in the field of identification and reporting of potential threats related to products, ensuring product compliance with safety requirements, and informing the relevant authorities or users about the need to take safety measures
Article 6(1)(c) GDPR
For the duration of such obligation
- First and last name; - Email address; - Phone number; - Address (street, house number, apartment number, postal code, city, country); - Tax identification number (NIP); - Company name
Users' personal data is stored no longer than necessary to achieve the purpose of processing, i.e., until the consent is withdrawn if the processing is based on such consent, until the statute of limitations for claims of the Administrator and the other party in the context of executed contracts (in the case of sales/service contracts, 2 years, counting from the end of the year), and until the inquiry made via email is resolved or the complaint is processed. After this period, the Customer's personal data will be processed by the Administrator based on Article 6(1)(f) GDPR, i.e., for purposes arising from the legitimate interests pursued for the purposes of marketing campaigns.
The Administrator may use profiling for direct marketing purposes, but decisions made based on it by the Administrator do not concern the conclusion or refusal to conclude a contract or the possibility of using electronic services. The result of using profiling may be, for example, granting a discount to a person, sending them a discount code, reminding them of unfinished purchases, sending a product proposal that may match their interests or preferences, or offering better conditions compared to the standard offer. Despite profiling, the person freely decides whether they want to use the discount or better conditions received in this way and make a purchase. Profiling involves automatic analysis or prediction of a person's behavior on the Administrator's website, e.g., by adding a specific product to the cart, browsing a specific product page, or analyzing the history of activity on the website. The condition for such profiling is that the Administrator has the personal data of the person to be able to send them, for example, a discount code.
To the extent necessary for the proper functioning of the website and its functionalities, the website may, while the User is using it, collect other information, including but not limited to:
a) IP address;
b) Information about the device, hardware, and software, such as hardware identifiers, mobile device identifiers (e.g., Apple Identifier for Advertising ["IDFA"] or advertising identifier on Android devices ["AAID"]);
c) Type of platform;
d) Data about the web browser, including browser type and preferred language;
Considering the nature, scope, context, and purposes of processing, as well as the risk of violating the rights or freedoms of natural persons with varying likelihood and severity of the threat, the Administrator implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the Regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Administrator applies technical measures to prevent unauthorized persons from obtaining and modifying personal data transmitted electronically.
§ 3 Data Sharing
The Administrator ensures that all collected personal data is used to fulfill obligations to users. This information will not be shared with third parties except in cases where:
a) Prior explicit consent has been given by the individuals concerned for such action, or:
b) The obligation to transfer this data arises or will arise from applicable laws, e.g., to law enforcement authorities.
Additionally, personal data of service recipients and customers may be transferred to the following recipients or categories of recipients:
a) Service providers supplying the Administrator with technical, IT, and organizational solutions enabling the Administrator to conduct business activities, including the website and electronic services provided through it (in particular, computer software providers, marketing agencies, email and hosting providers, software providers for business management and technical support to the Administrator, and the product delivery operator) – the Administrator shares the collected personal data of the Customer with the selected provider acting on its behalf only in the case and to the extent necessary to achieve the given data processing purpose in accordance with this privacy policy.
b) Accounting, legal, and advisory service providers providing the Administrator with accounting, legal, or advisory support (in particular, accounting offices, law firms, or debt collection companies) – the Administrator shares the collected personal data of the Customer with the selected provider acting on its behalf only in the case and to the extent necessary to achieve the given data processing purpose in accordance with this privacy policy.
c) Payment gateway providers and solutions for executing payments on the website – the Administrator shares the collected personal data of the Customer with the selected provider acting on its behalf only in the case and to the extent necessary to achieve the given data processing purpose in accordance with this privacy policy.
d) Carriers / forwarders / courier brokers – in the case of a Customer who uses the method of delivery of the Product by postal or courier shipment in the Online Store, the Administrator shares the collected personal data of the Customer with the selected carrier, forwarder, or intermediary performing shipments on behalf of the Administrator to the extent necessary to deliver the Product to the Customer.
The Administrator may share anonymized data (i.e., data that does not identify specific Users) with external service providers to better understand the attractiveness of advertisements and services for users, and in this regard, due to the location of software providers, data may be transferred – in compliance with data protection principles – to third countries, ensuring, however, standard contractual clauses approved by the European Commission for the processing of personal data or having appropriate authorizations to do so based on bilateral data processing agreements between the European Union and the given third country, which is not a member of the European Economic Area. These entities in the case of the Administrator are:
Google LLC. (headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for Google Analytics tools used to analyze website statistics, Google Tag Manager: used to manage scripts by easily adding code snippets to the website or application and tracking user actions on the website, Google Ads used to display sponsored links in Google search results and on partner pages within the Google AdSense program, Google Workspace allowing comprehensive website editing and coordination of work of people working on it (including Google Drive, Gmail, Google Sheets, Google Forms, Google Looker Studio);
Microsoft Corporation (headquarters: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) for Microsoft Clarity analytical tools to analyze website statistics and track user actions on the website;
The Administrator always informs about the intention to transfer personal data outside the EEA at the stage of their collection.
The Administrator continuously conducts risk analysis to ensure that personal data is processed by it in a secure manner – ensuring primarily that only authorized persons have access to the data and only to the extent necessary due to the tasks they perform. The Administrator ensures that all operations on personal data are recorded and performed only by authorized employees and collaborators.
The Administrator takes all necessary steps to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures in each case when they process personal data on behalf of the Administrator.
In the case of each website access, the server automatically records only so-called server logs, e.g., the name of the requested file, IP address, date and time of access, the amount of data transferred, and the internet service provider making the request (so-called access logs) and documents the website access. This data is analyzed only to ensure the proper functioning of the website and to improve the offer. The above serves, in accordance with Article 6(1)(f) GDPR, to protect our legitimate interest, which is the optimal and correct presentation of our websites and offer. All access data is deleted within seven days from the end of the visit to the website.
The Administrator's website may use Google Analytics functionality, a website traffic analysis service provided by Google, LLC. ("Google"). Google Analytics uses cookies to help website operators analyze how visitors use the site. Information generated by the cookie about the use of the website by visitors is usually transmitted to and stored by Google on servers in the United States. According to current IT standards, the IP addresses of users visiting the Administrator's website are shortened. Only in exceptional cases is the full IP address transmitted to a Google server in the United States and shortened there. On behalf of the Administrator, Google will use this information to evaluate the website for its users, compile reports on website activity, and provide other services related to website activity and internet usage to website operators. Google will not associate the IP address transmitted within Google Analytics with any other data held by Google. More information on how Google Analytics collects and uses data can be found on Google's official website at: www.google.com/policies/privacy/partners. In addition, each User can prevent Google from collecting and processing data about their use of the website by downloading and installing the browser plugin available at: http://tools.google.com/dlpage/gaoptout.
The Administrator, when sharing data with third parties, makes every effort to ensure that this is done only to entities that meet the criteria and requirements set out in Articles 46 or 49 of the GDPR. In appropriate cases, the Administrator will rely on EU standard contractual clauses and other safeguards to enable transfers outside the EEA. In accordance with the judgment of the Court of Justice of the European Union of July 16, 2020, the Administrator continues to assess the legal systems of the countries to which data is transferred and, as necessary, updates measures to ensure appropriate levels of protection.
With regard to data transferred to the United States, the Administrator, when sharing data with third parties, makes every effort to ensure that this is done, in accordance with the decision of the European Commission of July 10, 2023, only to entities and organizations in the USA that ensure compliance with the new "EU-US Data Privacy Framework." The list of these organizations has been published by the US Department of Commerce. The transfer of personal data from the EEA to organizations that have joined the "EU-US Data Privacy Framework" program and are on this list is possible without the need to obtain additional permits or apply legal instruments such as standard contractual clauses or binding corporate rules. However, if a given data importer in the USA has not joined the "EU-US Data Privacy Framework" program, the transfer of personal data to it is possible and will take place after meeting the conditions set out in Articles 46 or 49 of the GDPR. In such cases, the Administrator will rely on EU standard contractual clauses and other safeguards to enable transfers outside the EEA.
§ 4 User Rights
The User, whose personal data is processed, has the right to:
a) Access, rectification, restriction, deletion, or portability – the data subject has the right to request from the Administrator access to their personal data, its rectification, deletion ("right to be forgotten"), or restriction of processing, and has the right to object to processing, as well as the right to data portability. The detailed conditions for exercising the above rights are set out in Articles 15-21 of the GDPR.
b) Withdraw consent at any time – if the data is processed by the Administrator based on consent (under Article 6(1)(a) or Article 9(2)(a) GDPR), the data subject has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
c) Lodge a complaint with a supervisory authority – the data subject has the right to lodge a complaint with a supervisory authority in the manner and procedure specified in the provisions of the GDPR and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office in Warsaw.
d) Object – the data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on Article 6(1)(e) (public interest or official authority) or (f) (legitimate interests of the Administrator), including profiling based on these provisions. In such a case, the Administrator may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
e) Object to direct marketing – if personal data is processed for direct marketing purposes (based on the legitimate interest of the Administrator, not on the basis of the data subject's consent), the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling, to the extent that the processing is related to such direct marketing.
The exercise of the above rights is based on the User's request sent to the email address shop@ardenharness.com. Such a request should include the User's first and last name.
The User ensures that the data provided or published by them on the website is correct.
§ 5 Cookies
"Cookies" should be understood as IT data, in particular text files, stored on users' end devices (usually on the computer's hard drive or mobile device) used to store certain settings and data by the user's browser to use websites. These files allow the user's device to be recognized and the website to be displayed appropriately, ensuring comfort during its use. Storing "cookies" thus allows the website and offer to be tailored to the user's preferences – the server recognizes the user and remembers, among other things, preferences such as visits, clicks, previous actions.
"Cookies" contain, in particular, the domain name of the website from which they originate, the time they are stored on the end device, and a unique number used to identify the browser from which the connection to the website is made.
"Cookies" are used for:
a) Adjusting the content of websites to the user's preferences and optimizing the use of websites,
b) Creating anonymous statistics that, by helping to determine how the user uses websites, enable improving their structure and content,
c) Providing users of the website with advertising content tailored to their interests.
"Cookies" do not serve to identify the user, and their identity is not determined based on them.
The basic division of "cookies" is their distinction into:
a) Essential "cookies" – are absolutely necessary for the proper functioning of the website or functionalities that the user wants to use, as without them we could not provide many services we offer. Some of them also ensure the security of services provided by us electronically.
b) Functional "cookies" – are important for the operation of the website because:
- They enrich the functionality of websites; without them, the website will function correctly, but it will not be tailored to the user's preferences,
- They ensure a high level of website functionality; without them, the level of website functionality may decrease, but their absence should not completely prevent the use of the website,
- They serve most website functionalities; blocking them will cause selected functions not to work properly.
c) Business "cookies" – enable the implementation of the business model on which the website is based; blocking them will not make the entire functionality unavailable, but may reduce the level of service provision due to the inability of the website owner to generate revenue subsidizing its operation. This category includes, for example, advertising "cookies."
d) Website configuration "cookies" – allow setting functions and services on websites.
e) Security and reliability "cookies" – allow verification of authenticity and optimization of website performance.
f) Authentication "cookies" – allow informing when the user is logged in, so the website can display appropriate information and functions.
g) Session state "cookies" – allow saving information about how users use the website. They may concern the most frequently visited pages or possible error messages displayed on some pages. "Cookies" used to save the so-called "session state" help improve services and increase the comfort of browsing websites.
h) Process monitoring "cookies" – allow the smooth operation of the website and its available functions.
i) Advertising "cookies" – allow displaying advertisements that are more interesting to users and more valuable to publishers and advertisers; "cookies" can also be used to personalize advertising and to display advertisements outside websites.
j) Analytics, research, or audience audit "cookies" – allow the website owner to better understand the preferences of their users and, through analysis, improve and develop products and services. Typically, the website owner or research company collects anonymous information and processes data on trends without identifying the personal data of individual users.
The use of "cookies" to adjust the content of websites to the user's preferences does not generally involve the collection of any information allowing the identification of the user, although this information may sometimes have the nature of personal data, i.e., data enabling the assignment of certain behaviors to a specific user. Personal data collected using "cookies" may be collected only to perform specific functions for the user. Such data is encrypted in a way that prevents access by unauthorized persons.
"Cookies" used by this website are not harmful to the user or the end device used by them, so for the proper functioning of the website, it is recommended not to disable their support in browsers. In many cases, the software used to browse websites (web browser) by default allows the storage of information in the form of "cookies" and other similar technologies on the user's end device. The user can at any time change the way "cookies" are used by the browser. To do this, change the browser settings. The method of changing settings varies depending on the software used (web browser). Appropriate instructions can be found on the subpages, depending on the browser you use.
"Cookies" are also used to facilitate logging into the user's account, including through social media, and to enable navigation between subpages on websites without the need to log in again on each subpage. At the same time, "cookies" are used to secure websites, e.g., to prevent access by unauthorized persons.
Within the "cookies" technology, the Administrator may use tracking pixels or clear GIFs to collect information about how the user uses its services and their response to marketing messages sent by email. A pixel is a software code that allows embedding an object on a page, usually an image the size of a pixel, which allows tracking user behavior on websites where it is placed. After giving appropriate consent, the browser automatically establishes a direct connection with the server storing the pixel, so the processing of data collected by the pixel takes place within the data protection policy of the partner who administers the server.
The Administrator may use internet log files (which contain technical data, such as the user's IP address) to monitor traffic within its services, resolve technical problems, detect and prevent fraud, and enforce the User Agreement.
The Administrator informs that the website does not respond to DNT (Do Not Track) signals, but the user can disable certain forms of tracking on the internet, including some analytical data and personalized advertising, by changing the "cookies" settings in their browser or using our tools for expressing consent to the use of "cookies" (if applicable).
Detailed information on changing "cookies" settings and deleting them yourself in the most popular web browsers is available in the browser's help section and on the following pages (just click on the link):
a) Google Chrome
b) Mozilla Firefox
c) Microsoft Edge
d) Opera
e) Safari macOS
f) Safari iOS/iPad OS
Detailed information on managing "cookies" on a mobile phone or other mobile device should be found in the user manual of the mobile device.