- The owner of the Shop and the Personal Data Controller is HERSTMOTO Spółka z ograniczoną odpowiedzialnością (limited liability company) with registered office in Krakow (30-524), ul. Henryka Kamieńskiego 30, NIP: 6793206715, REGON: 387301428, entered in the register of entrepreneurs kept by the District Court for Krakowa-Śródmieście in Kraków, XI Commercial Division of the National Register Court under KRS number 0000863135, with share capital of 5,000 PLN; email: firstname.lastname@example.org.
- Personal data gathered by HERSTMOTO Sp. z o.o. through the Online Shop is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also referred to as GDPR.
- HERSTMOTO Sp. z o.o. takes the utmost care to respect the privacy of Customers who visit the Online Shop.
Section 1 The type of processed data, the purposes and legal basis for processing
- HERSTMOTO Sp. z o.o. gathers information concerning natural persons who make acts in the law that are not directly related to their business, natural persons who conduct business or professional activity in their own name and natural persons who represent legal persons or organizational units which are not legal persons but have the capacity to make acts in the law, granted to them by a statute, which conduct business or professional activity in their own name, hereinafter collectively referred to as the Customers.
- The Customers’ personal data are gathered when:
a) the Customer registers an account in the Online Shop; the data is processed to create and manage an individual account. Legal basis: processing is necessary for the performance of the agreement for the provision of the Account service, Article 6(1)(b) of GDPR;
b) the Customer places an order in the Online Shop; the data is processed to perform the sales agreement. Legal basis: processing is necessary for the performance of the sales agreement, Article 6(1)(b) of GDPR;
c) the Customer subscribes to the Newsletter; the data are processed to perform the agreement for rendering an electronic service. Legal basis: the data subject’s consent for the provision of the Newsletter service; Article 6(1)(a) of GDPR;
d) the Customer uses the contact form in the Online Shop; the data are processed in order to perform the agreement for rendering an electronic service. Legal basis: processing is necessary for the performance of the agreement for the provision of the contact form service, Article 6(1)(b) of GDPR;
e) the Customer uses the option to post an opinion; the data are processed in order to perform the agreement for rendering an electronic service. Legal basis: processing is necessary for the performance of the agreement for the provision of the opinion posting service, Article 6(1)(b) of GDPR.
- When the Customer registers an account in the Online Shop, the Customer needs to provide:
a) email address;
b) first and last name;
c) address details:
d) post code and place name;
f) street and house/apartment number.
g) phone number.
- During registration in the Online Shop, the Customer determines his or her individual password to the account on his or her own. The Customer may change the password later, in accordance with principles set forth in Section 5.
- When the Customer makes an order in the Online Shop, the Customer needs to provide the following data:
a) email address;
b) address details:
c) post code and place name;
e) street and house/apartment number.
f) first and last name;
g) phone number.
- When it comes to Entrepreneurs, they also need to provide the following data:
a) the Entrepreneur’s business name;
b) NIP / EU VAT number.
- When the Customer subscribes to the Newsletter, the Customer needs to provide the following data:
a) email address;
b) first and last name.
- When the Customer uses the contact form, the Customer needs to provide the following data:
a) email address;
b) first name;
- When the Customer posts an opinion, the Customer needs to provide the following data:
a) email address;
- When the Customer is using the Shop Website, additional information may be collected as well, in particular: the IP address assigned to the Customer’s computer or the external IP address of the Internet service provider, the domain name, the type of browser, the access time, or the type of the operating system.
- The Customers’ navigation data may also be collected, including information on links that the users click on or other activities in the Online Shop. Legal basis: legitimate interests pursued by the Controller (Art. 6(1)(f) of GDPR), which consists in facilitating the use of electronic services and improving the functionality of these services.
- It is possible that some personal data provided by the Customer when he or she was using the features of the Online Shop will be processed in order to establish, pursue and enforce claims. Such data include: first name, last name and data concerning the use of services, provided that the claims arise from the way in which the Customer uses services, and other data required to prove the existence of the claim, including the extent of the loss. Legal basis: legitimate interest (Article 6(a)(f) of GDPR), which consists in establishing, pursuing and enforcing claims and defending oneself against claims in proceedings before courts or other state authorities.
- Giving personal data to HERSTMOTO Sp. z o.o. in relation to concluded sales agreements or the provision of services through the Shop Website is voluntary, with the stipulation that failure to provide data specified in the registration form makes it impossible to register and create the Customer Account, whereas in the case of making an order without creating the Customer Account, it makes it impossible for the Customer’s order to be placed and executed.
Section 2 Sharing, entrusting and storing the data
- The Customer’s personal data are transferred to the providers of services used by HERSTMOTO sp. z o.o. to run the Online Shop. Depending on contractual arrangements and circumstances, the service providers who receive personal data are either subject to the instructions of HERSTMOTO sp. z o.o. as to the purposes and means of data processing (processors) or determine the purposes and means of data processing on their own (controllers).
a) Processors. HERSTMOTO sp. z o.o. relies on service providers who process personal data solely at the request of HERSTMOTO sp. z o.o. They include e.g. hosting providers, providers of accounting services, as well as providers of marketing systems, systems to analyse traffic in the Online Shop and systems to analyse the effectiveness of marketing campaigns.
b) Controllers. HERSTMOTO sp. z o.o. relies on service providers who do not act solely at its request and individually determine the purposes and means of using the Customer’s personal data. They provide banking services and electronic payment services.
- Location. Service providers have their registered offices mainly in Poland and other countries of the European Economic Area (EEA).
- The Customers’ personal data are stored as follows:
a) When the basis for personal data processing is consent, the Customer’s personal data are processed by HERSTMOTO sp. z o.o. until the consent is withdrawn. When the consent is withdrawn, the data are processed for a time period which corresponds to the limitation period of claims which may be brought by or against HERSTMOTO sp. z o.o. Unless a specific regulation provides otherwise, the limitation period is six years, whereas for claims concerning periodical performances and claims connected with conducting business activity, this period is three years.
b) When the basis for data processing is the performance of an agreement, the personal data of the Customer will be processed by HERSTMOTO sp. z o.o. for as long as it is necessary to perform the agreement, and afterwards for the limitation period of claims. Unless a specific regulation provides otherwise, the limitation period is six years, whereas for claims concerning periodical performances and claims connected with conducting business activity, this period is three years.
- When the Customer makes a purchase in the Online Shop, depending on the Customer’s choice, personal data may be transferred to the following entities to deliver ordered products:
a) a courier company;
- Navigation data may be used to ensure better customer service, analysis of statistical data and adjustment of the Online Shop to the Customers’ preferences, as well as to manage the Online Shop.
- If the Customer subscribes to the Newsletter, HERSTMOTO sp. z o.o. will send electronic messages with commercial information on special offers and new products available in the Online Shop to the Customer’s email address.
- When a request is submitted to HERSTMOTO sp. z o.o., it discloses personal data to authorized state authorities, in particular to organizational units of the Public Prosecutor’s Office, the Police, the President of the Personal Data Protection Office, the President of the Office of Competition and Consumer Protection or the President of the Office of Electronic Communications.
Section 3 Cookies mechanism and IP address
- The Online Shop uses small files called cookies. HERSTMOTO sp. z o.o. saves them on the device of the person who visits the Online Shop, if it is enabled by the web browser. Cookie files usually include the name of the domain that they come from, their expiry time and an individual, randomly chosen number which identifies the file. Information gathered by means of such files help HERSTMOTO sp. z o.o. adjust its products to individual preferences and actual needs of people who visit the Online Shop. They also make it possible to compile general visit statistics of products presented in the Online Shop.
- HERSTMOTO sp. z o.o. uses three types of cookie files:
a) Session cookies: when the session of a given browser ends or the computer is turned off, saved information is erased from the device memory. The session cookie mechanism does not make it possible to download any personal data nor any confidential information from the Customers’ computers.
b) Persistent cookies: they are stored in the Customer’s device memory and stay there until they are deleted or expire. The persistent cookie mechanism does not make it possible to download any personal data nor any confidential information from the Customers’ computers.
c) Third party cookies: information which comes e.g. from advertising servers or the servers of companies and service providers (e.g. searching or maps placed on the website) which cooperate with the owner of a given website. This type of cookies makes it possible to adjust advertisements (which make it possible to use websites free of charge) to the preferences and customs of their users. They also enable us to assess the effectiveness of advertising activities (e.g. thanks to counting how many people clicked on a given advertisement and were redirected to the advertiser’s website). On the basis of information obtained from these cookies, it is possible to create the so-called general users’ profiles, thanks to which they will see advertisements adjusted to their potential interests. As part of its business, the Controller uses the services of the following external entities which use third party cookies:
- Facebook (https://www.facebook.com/about/privacy)
More information about cookie files of the above mentioned entities can be found in their privacy policies.
- HERSTMOTO sp. z o.o. uses its own cookies for the following purposes:
a) to authenticate the Customer in the Online Shop and maintain the Customer’s session in the Online Shop (after logging in), so that the Customer does not have to re-enter his or her login and password on every webpage of the Online Shop;
b) to analyse, research and audit viewing figures, in particular to compile anonymous statistics that help us understand how Customers use the Shop Website, which makes it possible to improve its structure and content.
- HERSTMOTO sp. z o.o. uses external cookies for the following purposes:
a) to promote the Online Shop through facebook.com (the controller of external cookies is: Facebook Inc with its registered office in the USA or Facebook Ireland with its registered office in Ireland).
b) collecting general and anonymous static data via Google Analytics analytical tools (external cookie administrator: Google Inc., based in the USA);
c) popularizing the Store using social networking sites using the addthis.com tool (external cookie administrator: AddThis, Inc. based in the USA);
- The cookie mechanism is safe for the computers belonging to the Customers of the Online Shop. In particular, it is impossible for viruses, unwanted software or malware to get to the Customers’ computers. Nevertheless, in their browsers, Customers may limit or disable the access of cookies to their computers. If a Customer uses this option, using the Online Shop will still be possible, except for features which by nature require cookie files.
- Below, we present how you can change the settings of popular web browsers with regard to cookie files:
a) Internet Explorer browser;
b) Microsoft EDGE browser;
c) Mozilla Firefox browser;
d) Chrome browser;
e) Safari browser;
f) Opera browser.
- HERSTMOTO sp. z o.o. may collect the Customers’ IP addresses. An IP address is a number assigned to the computer of the person visiting the Online Shop by his or her Internet provider. The IP number enables Internet access. In most cases, it is assigned to a computer dynamically, i.e. it changes every time you connect to the Internet. This is why it is commonly treated as non-personal identifying information. The IP address is used by HERSTMOTO sp. z o.o. to diagnose technical problems with the server, to compile statistical analyses (e.g. checking from which regions come the most of our visitors), as information that is useful for managing and improving the Online Shop, for safety purposes and to potentially identify automatic programs which are used to browse the Online Shop and which overburden the server.
- The Online Shop contains links to other websites. HERSTMOTO sp. z o.o. shall not be liable for their privacy protection principles.
Section 4 Rights of data subjects
- The right to withdraw consent: the legal basis is Article 7(3) of GDPR.
a) The Customer has the right to withdraw any consent he or she gave to HERSTMOTO sp. z o.o.
b) Consent withdrawal shall be effective from the moment when the Customer withdraws his or her consent.
c) Consent withdrawal shall not affect the lawfulness of processing by HERSTMOTO sp. z o.o. prior to the withdrawal.
d) Consent withdrawal shall have no negative consequences for the Customer, but it may make it impossible to continue using such services or features which HERSTMOTO sp. z o.o. may provide solely pursuant to such a consent, as required by the law.
- The right to object to the processing of personal data: the legal basis is Article 21 of GDPR.
a) The Customer shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of his or her personal data, including profiling, if HERSTMOTO sp. z o.o. processes his or her data on the basis of legitimate interests, e.g. marketing the products and services offered by HERSTMOTO sp. z o.o., keeping statistics of using individual features of the Online Shop, facilitating the use of the Online Shop and checking satisfaction.
b) An email resignation from receiving marketing communications concerning products or services shall mean that the Customer objects to the processing of his or her personal data, including profiling, for such purposes.
c) If the Customer’s objection turns out to be valid and HERSTMOTO sp. z o.o. has no other legal basis for processing the personal data, then the personal data that the Customer did not want to be processed will be deleted.
- The right to data erasure (the right to be forgotten): the legal basis is Article 17 of GDPR.
a) The Customer shall have the right to demand that all or some of his or her personal data be erased.
b) The Customer shall have the right to demand the erasure of personal data if:
- the personal data no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the Customer withdrew a specific consent, in which case his or her data shall be erased to the extent to which they were processed on the basis of the Customer’s consent;
- the Customer objected to using his or her data for marketing purposes;
- the personal data are processed unlawfully;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which HERSTMOTO sp. z o.o. is subject;
- the personal data have been collected in relation to the offer of information society services.
c) Despite the demand to erase personal data in relation to making an objection or withdrawing a consent, HERSTMOTO sp. z o.o. may keep some personal data to the extent to which processing is necessary to establish, pursue or defend claims, as well as to comply with a legal obligation which involves data processing pursuant to EU law or the law of a Member State to which HERSTMOTO sp. z o.o. is the subject. It concerns in particular such personal data as: first name, last name and email address, which are kept for the purposes of processing complaints and claims related to using the services of HERSTMOTO sp. z o.o., as well as the address of residence or correspondence address and order number, which are kept for the purposes of processing complaints and claims related to the provision of services or to the concluded sales agreements.
- The right to restrict the processing of personal data: the legal basis is Article 18 of GDPR.
a) The Customer shall have the right to demand that the processing of his or her personal data be restricted. Reporting such a demand makes it impossible to use specific features or services which require the processing of personal data included in the demand, until the demand is processed. Moreover, HERSTMOTO sp. z o.o. shall not send any communications, including marketing communications.
b) The Customer has the right to demand the restriction of personal data use in the following cases:
- when the Customer questions the correctness of his or her personal data: in this case, HERSTMOTO sp. z o.o. shall restrict the use of such data for the time period necessary to verify the correctness of such data, but not for longer than 7 days;
- when personal data processing is unlawful and instead of requesting that the data be erased, the Customer chooses to request that their use be restricted;
- when personal data are no longer necessary in relation to the purposes for which they were collected or used, but the Customer needs them to establish, pursue or defend claims;
- when the Customer objected against using his or her data, in which case the use of such data is restricted for the time required to determine whether, due to the Customer’s particular situation, the protection of interests, rights and freedoms of the Customer overrides the interests which the Controller pursues by processing the Customer’s personal data.
- The right of access to data: the legal basis is Article 15 of GDPR.
a) The Customer shall have the right to obtain from the Controller confirmation as to whether or not his or her personal data are being processed, and, where that is the case, the Customer shall have the right to:
- access his or her personal data;
- obtain information on the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients of such data; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the Customer’s rights arising from GDPR and the right to lodge a complaint with a supervisory authority; the source of such data; the existence of automated decision-making, including profiling and safeguards related to the transfer of such data outside the European Union;
- obtain a copy of his or her personal data.
- The right to rectification: the legal basis is Article 16 of GDPR.
- The right to data portability: the legal basis is Article 20 of GDPR.
a) The Customer shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, and have the right to transmit those data to another controller chosen by the Customer. The Customer shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. In this case, the Controller shall send the Customer’s personal data as a csv file, that is the commonly used and machine-readable format which makes it possible to send received data to another personal data controller.
- If the Customer moves for an entitlement arising out of the abovementioned rights, HERSTMOTO sp. z o.o. shall either comply with the request or refuse to comply with it forthwith, but not later than a month after it received the request. However, if due to the complexity of the request or the number of requests HERSTMOTO sp. z o.o. cannot satisfy the request within a month, it shall satisfy the request within the next two months, having informed the Customer about its intent to prolong the time limit and the reasons behind this decision within a month after the request was received.
- The Customer may submit complaints, enquiries and applications concerning the processing or his or her data and the exercise of his or her rights to the Controller.
- The Customer shall have the right to complain to the President of the Office of Competition and Consumer Protection with regard to the violation of his or her right to the protection of personal data or other rights granted to him or her by GDPR.
Section 5 Security management: Password
- HERSTMOTO sp. z o.o. shall ensure that the Customers have a safe and encrypted connection when they send personal data and when they log in to the Customer Account on the Website. HERSTMOTO sp. z o.o. uses an SSL certificate issued by one of the leading world companies dealing with the security and encryption of data send via the Internet.
- In case the Customer who has an account in the Online Shop loses his or her password in any way, the Online Shop makes it possible to generate a new password. HERSTMOTO sp. z o.o. does not send any password reminders. The password is stored in an encrypted form, in a way which makes it impossible to read it. In order to generate a new password, the Customer needs to give his or her email address in the form available when you click on “You forgot your password” in the login form in the Online Shop. The Customer will then receive an email with a redirection to a dedicated form published on the Shop Website, where the Customer may set a new password. The email will be sent to the email addresses provided during registration or saved during the last change of the account profile.
- HERSTMOTO sp. z o.o. shall never send any correspondence, including electronic correspondence, asking the User to provide login data, in particular the password to the Customer Account.
- Date of last modification: 01 January 2022