Privacy policy
Last updated: August 28, 2025
§1 Personal Data Administration
- The Controller of personal data is Mikołaj Pasiński, conducting business activity under the business name Mikołaj Pasiński, ul. Łukasza Górnickiego 19/4, 50-337 Wrocław, Poland. The business activity is entered into the Central Registration and Information on Business (CEIDG) under tax identification number (NIP): 7542681796 and statistical number (REGON): 383818778.
- Contact with the person supervising the processing of personal data in the organization is possible electronically at: shop@gosiaherba.com, in writing to the Administrator’s address, or by phone at: +48 601 385 337.
- This Policy sets out the rules concerning the processing of personal data by the Controller within the Online Service, including the legal grounds, purposes, and scope of personal data processing, as well as the rights of data subjects.
- Personal data is processed by the Controller in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR). Official text of the GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
- The User’s rights are not absolute and do not apply to all data processing activities.
§2 Definitions
- Administrator – Mikołaj Pasiński, conducting business activity under the business name Mikołaj Pasiński, ul. Łukasza Górnickiego 19/4, 50-337 Wrocław, Poland. The business activity is entered into the Central Registration and Information on Business (CEIDG) under tax identification number (NIP): 7542681796 and statistical number (REGON): 383818778.
- Personal Data – information relating to an identified or identifiable natural person, who can be identified directly or indirectly in particular by reference to one or more specific factors determining their physical, physiological, genetic, mental, economic, cultural or social identity, including the IP address of a device, an online identifier as well as information collected through cookies or other similar technologies.
- Policy – this Privacy Policy.
- Cookies Policy – the document setting out the rules for the use of cookies within the Service, available at: https://shop.gosiaherba.com/pl/policies/privacy-policy.
- Profiling – automated processing of personal data consisting of analysing and predicting a user’s behaviour.
- GDPR / Regulation (EU) 2016/679 – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- Service – the online service operated by the Administrator at: shop.gosiaherba.com.
- User – any natural person visiting the Service or using one or more of the services or functionalities described in the Policy.
§3 Security
- The Administrator has implemented appropriate technical and organizational measures that ensure the security of personal data processing, and in particular is responsible for and guarantees that the data collected by him are:
  - processed lawfully;
  - collected for specified, lawful purposes and not further processed in a manner incompatible with those purposes;
  - factually correct and adequate in relation to the purposes for which they are processed;
  - stored in a form permitting identification of the data subjects no longer than is necessary to achieve the purpose of processing; and
  - processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.
§4 Purposes and Legal Grounds for Data Processing
- Based on Article 6(1)(a) of the GDPR (consent), personal data may be processed for the following purposes:
  - Retargeting and behavioural advertising, including the display of personalised advertisements based on the User’s activity history in the Service and in other online services. Processing of data for these purposes takes place solely on the basis of the User’s consent expressed in the cookies banner. Data may be collected through cookies and similar technologies, in accordance with the Cookies Policy.
  - Publication of reviews.
  - Storing data in cookies in accordance with the Cookies Policy available at: https://shop.gosiaherba.com/pl/policies/privacy-policy.
  - Servicing and maintaining the User’s account within the Service.
  - Contact through remote communication tools, in particular by phone, e-mail, or applications.
  - Content moderation.
  - Content personalisation.
  - Marketing of the Administrator’s products and services and those of the Administrator’s partners.
  - Participation in webinars or online training.
  - Participation in contests and loyalty programmes.
  - Invitations to participate in surveys and market research.
- Based on Article 6(1)(b) of the GDPR (performance of a contract), personal data may be processed for the following purposes:
  - Managing the User’s account.
  - Performance of a sales contract or a contract for the provision of a Service, or taking action at the request of the data subject prior to or after the conclusion of such contract, in particular: exercising warranty rights, handling complaints.
  - Handling complaints or withdrawal from a distance contract.
- Based on Article 6(1)(c) of the GDPR (legal obligation of the Administrator), personal data may be processed for the following purposes:
  - Issuing and storing invoices, bills, or fulfilling other obligations arising from tax and accounting regulations (archival obligation regarding accounting documents).
  - Cooperation with law enforcement authorities and public institutions.
  - Creating registers and other documentation required by the provisions of the GDPR.
- Based on Article 6(1)(f) of the GDPR (legitimate interests of the Administrator), personal data may be processed for the following purposes:
  - Operation of the Service shop.gosiaherba.com.
  - Storing data necessary for the proper functioning of the Service in cookies in accordance with the Cookies Policy.
  - Managing accounts on Facebook, Instagram, TikTok, Threads and interacting with Users of those platforms.
  - Securing the Service, managing the Service and ensuring its proper functioning.
  - Compiling statistics and analysing traffic within the Online Service.
  - Direct marketing.
  - Establishing claims raised by or against the Administrator.
  - Contact with the User.
- Personal data may also be processed for other purposes if the Administrator has an appropriate legal basis for doing so, in particular as provided in Article 6 of the GDPR, provided that such purpose does not infringe the rights and freedoms of the User. In such a case, the User will be informed of the new purpose of processing before processing for that purpose begins.
§5 Profiling
- The Administrator applies profiling for marketing purposes, consisting of analysing the User’s activity in the Service by means of cookies and similar technologies.
- Profiling may include:
  - personalisation of advertisements based on browsing history,
  - analysis of the User’s interactions with content in the Service,
  - adjustment of displayed advertising content in external services (e.g. Google Ads, Facebook).
- Profiling is carried out solely on the basis of the User’s consent.
- The User may withdraw consent to profiling at any time by changing settings or by contacting the Administrator at: shop@gosiaherba.com.
§6 Period of Processing of Personal Data
- The period of data processing by the Administrator depends on the type of service provided and the purpose of the processing. As a rule, data are processed for the duration of the provision of the service, until withdrawal of consent or submission of a valid objection to data processing in cases where the legal basis for processing is the Administrator’s legitimate interest.
- The period of processing may be extended if processing is necessary to establish or pursue potential claims or to defend against claims, and thereafter only if and to the extent required by law. After the processing period has expired, the data are irreversibly deleted or anonymised.
- Specific storage periods depending on the purpose include, for example:
  - Data related to contract performance – stored for the duration of the contract, and thereafter until the expiry of the limitation period for claims (3 or 6 years).
  - Accounting and tax data – stored for the period required by tax law (currently 5 years).
  - Data obtained on the basis of consent – stored until the consent is withdrawn.
  - Data related to user inquiries – stored for up to 12 months after the end of correspondence.
§7 Rights of the User
- The User has the following rights with respect to their Personal Data:
  - the right to access their Personal Data,
  - the right to rectify Personal Data at any time,
  - the right to erase their Personal Data at any time,
  - the right to receive a copy of their data,
  - the right to restrict the processing of Personal Data,
  - the right to object to the processing of Personal Data,
  - the right to data portability,
  - the right to withdraw consent; withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal,
  - the right to object to the processing of Personal Data on the basis of the Administrator’s legitimate interest for marketing purposes, direct marketing, as well as for purposes other than marketing,
  - the right to lodge a complaint with a supervisory authority.
- In order to exercise the above rights, the User may contact the Administrator by sending a message to: shop@gosiaherba.com or by correspondence to the Administrator’s registered address. The Administrator undertakes to consider the request within 30 days from its receipt.
- In certain cases, the Administrator may refuse to fulfil the User’s request if legal provisions impose an obligation to continue processing the data.
§8 Recipients of Personal Data
- For the proper operation of the Service, the Administrator transfers the User’s Personal Data to other external entities, in particular: hosting providers, courier companies, postal operators, and payment operators.
- The Administrator reserves the right to disclose Personal Data when required by applicable law, including the obligation to provide information to competent administrative authorities or law enforcement agencies.
§9 Security of Personal Data
- The Administrator continuously conducts risk analyses to ensure that Personal Data are processed in a secure manner. In particular, the Administrator ensures that access to the data is granted only to authorised persons and only to the extent necessary for the tasks they perform.
- The Administrator is obliged to take all actions permitted by law to ensure that all operations on Personal Data are recorded and carried out only by an authorised entity.
- The Administrator is also obliged to ensure that other entities cooperating with the Administrator provide guarantees of applying appropriate security measures whenever they process Personal Data on behalf of the Administrator.
- The Administrator applies technical safeguards such as encrypted data transmission (SSL/TLS), restricted access to systems, and procedures to protect against unauthorised access to data.
§10 Amendments to the Privacy Policy
- The Policy is subject to ongoing verification and updates.
- The current version of the Policy was adopted and has been in force since 2025-08-05.
The compliance of this document with the law is guaranteed by the lawyers of Kancelaria KZ