Privacy & Cookies Policy

This document sets out the conditions for processing personal data (hereinafter also referred to as the “data”) and cookie files in the naturo.org.pl e-store, run via a website available at the address: naturo.org.pl, hereinafter referred to as “the Store”.

TABLE OF CONTENTS

§1. HOW TO CONTACT THE DATA CONTROLLER

§2. THE GROUNDS FOR THE PROCESSING OF YOUR DATA

§3. INFORMATION ON DATA PROCESSING TO ENTER INTO AND PERFORM AGREEMENTS, AND ON THE POTENTIAL EXERCISE AND DEFENCE OF LEGAL CLAIMS

§4. INFORMATION ON DATA PROCESSING FOR DIRECT MARKETING PURPOSES

§5. INFORMATION ON DATA PROCESSING FOR SECURITY ASSURANCE PURPOSES

§6. INFORMATION ON DATA PROCESSING TO SEND NOTIFICATIONS ABOUT PRODUCTS

§7. INFORMATION ON DATA RECIPIENTS

§8. INFORMATION ON DATA TRANSFER TO THIRD COUNTRIES

§9. UNCONDITIONAL RIGHTS VESTED IN DATA SUBJECTS

§10. CONDITIONAL RIGHTS VESTED IN DATA SUBJECTS

§11. COOKIE FILES – INTRODUCTION

§12. DATA CONTROLLER’S COOKIE FILES

§13. THIRD-PARTY COOKIE FILES

§14. CONSENT TO THE USE AND MANAGEMENT OF COOKIE FILES

§15. CACHE MEMORY

§16. LINKS TO OTHER WEBSITES OR SOFTWARE

§17. AMENDMENTS TO THE PRIVACY AND COOKIE FILE POLICY

§1. HOW TO CONTACT THE DATA CONTROLLER

The Controller of the personal data processed as part of the Store is Naturo Sp. z o.o. with its registered office in Elizówka (21-003), at ul. Szafranowa 6/Hala H1, entered in the Enterprise Register of the National Court Register (KRS) under No. 0000462546, NIP (Tax ID No.): 7123278825 and REGON (National Business Registry Number): 061556075.

You may contact the Data Controller:

  1. by post: Naturo Sp. z o.o., ul. Szafranowa 6/Hala H1, 21-003 Elizówka,

  2. by e-mail: sklepnaturo@naturo.org.pl,

  3. by phone: +48 517949977.

§2. THE GROUNDS FOR THE PROCESSING OF YOUR DATA

When collecting personal data, we always provide information about the legal basis for processing. This arises directly from the provisions of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)). If we inform you about:

  • Article 6 (1)(a) of the GDPR, this means that we process your personal data based on the received consent,

  • Article 6 (1)(b) of the GDPR, this means that we process your data because it is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract,

  • Article 6 (1)(c) of the GDPR, this means that we process your personal data because it is necessary for compliance with a legal obligation,

  • Article 6 (1)(f) of the GDPR, this means that we process your personal data to pursue our legitimate interest.

§3. INFORMATION ON DATA PROCESSING TO ENTER INTO AND PERFORM AGREEMENTS, AND ON THE POTENTIAL EXERCISE AND DEFENCE OF LEGAL CLAIMS

  1. We may process personal data that is necessary for the performance of the agreement we have made with you. However, prior to entering into such agreement, we may process personal data in order to take steps at your request. The data are processed under Article 6 (1)(b) of the GDPR.

  2. During the term of the agreement and afterwards, we process the personal data of its party to examine or defend potential legal claims. Our legitimate interest includes, for example, the possibility to provide a reply to a potential complaint, to which we are obliged under separate civil law provisions. In such event, we will process personal data based on our legitimate interest, i.e., the defence or exercise of potential legal claims. The data are processed under Article 6 (1)(f) of the GDPR.

  3. We will store the data for no longer than is necessary for the purposes for which the personal data are processed, no longer than until relevant claims are time-barred under separate legal regulations.

  4. You have the right to request access to your data, to have your data rectified or erased, to request restriction of processing, to data portability, and the right to lodge a complaint with a supervisory authority. Where the data is processed for purposes set forth in Point 2, you also have the right to object to such processing.

  5. The data is freely given, but the failure to provide the data will make the conclusion and/or performance of the agreement impossible.

  6. The recipients of the data include our hosting service provider, electronic-mail service provider, IT service provider, transport service provider, electronic payment service provider, providers of legal, advisory and debt-collection services and other entities whose services we use as part of the specified purpose for processing.

§4. INFORMATION ON DATA PROCESSING FOR DIRECT MARKETING PURPOSES

  1. We may process your data for direct marketing purposes. This happens for example when we reply to your message, presenting the details of our offer.

  2. The data are processed under Article 6 (1)(f) of the GDPR.

  3. We will store your data for as long as it is necessary to perform our agreement.

  4. You have the right to request access to your data, to have your data rectified or erased, to request restriction of processing, to data portability, to object to data processing, and the right to lodge a complaint with a supervisory authority.

  5. The data is freely given, but the failure to provide the data will make the fulfilment of direct marketing tasks impossible.

  6. The recipients of the data include our hosting service provider, IT service provider, and electronic mail service provider.

§5. INFORMATION ON DATA PROCESSING FOR SECURITY ASSURANCE PURPOSES

  1. Once you enter our website, to assure the security of our services, we process such data as:

    • the public IP address of the device from which a query has been sent,

    • browser type and language,

    • date and time of the query,

    • the number of bytes sent by the server,

    • the URL of a previously visited website, if our website has been accessed via a link,

    • information on any errors that have occurred in the course of query handling.

  2. As regards the said processing, our legitimate interest is to maintain a server event log and secure the Store against potential hacker attacks and other instances of abuse. This includes the possibility to identify the IP address of a person engaged in an illicit action in the Store area, such as attempts to break safeguards, publication of illegal content, or attempts to use our servers for illicit purposes.

  3. The data are processed under Article 6 (1)(f) of the GDPR.

  4. We will store the data for no longer than is necessary for the purposes for which the personal data are processed, no longer than until relevant claims are time-barred under separate legal regulations.

  5. You have the right to request access to your data, to have your data rectified or erased, to request restriction of processing, to object to the processing, and the right to lodge a complaint with a supervisory authority.

  6. The use of the Store is conditional upon the provision of the data. The failure to provide the data will make the use of the Store impossible.

  7. The recipients of the data include our hosting service provider and IT service provider.

§6. INFORMATION ON DATA PROCESSING TO SEND NOTIFICATIONS ABOUT PRODUCTS

  1. The Store has the functionality of sending notifications about selected products to the e-mail address provided by the user.

  2. Our legitimate interest in respect of such processing is to respond to the user’s request, and to secure the Store against potential abuse afterwards.

  3. The data are processed under Article 6 (1)(f) of the GDPR.

  4. We will store the data for no longer than is necessary for the purposes for which the personal data are processed, no longer than until relevant claims are time-barred under separate legal regulations.

  5. The data subject has the right to request access to their data, to have the data rectified or erased, to request restriction of processing, to object to the processing, and the right to lodge a complaint with a supervisory authority.

  6. The provision of the data is a condition for sending the notification. The failure to provide the data will make this action impossible.

  7. The recipients of the data include our hosting service provider and IT service provider.

§7. INFORMATION ON DATA RECIPIENTS

We use third-party services in the course of data processing. Therefore, third parties may be the recipients of your personal data. In collecting personal data, we always inform data subjects about such recipients, providing only a brief summary of the entities, taking into account the need to assure a reader-friendly message. Given the above, we would like to explain that when we inform you about specific categories of recipients, we mean the following entities:

  • Provider of transport services / couriers: UPS Polska Sp. z o.o., ul. Prądzyńskiego 1/3, 01-222 Warsaw; InPost S.A., ul. Wielicka 28, 30-552 Kraków; Poczta Polska Spółka Akcyjna, ul. Rodziny Hiszpańskich 8, 00-940 Warsaw; Żabka Polska sp. z o.o., ul. Stanisława Matyi 8, 61-586 Poznań.

  • IT service provider: SKY SHOP.

  • Hosting service provider: home.pl Spółka Akcyjna, ul. Zbożowa 4, 70-653 Szczecin.

  • Electronic mail service provider: home.pl Spółka Akcyjna, ul. Zbożowa 4, 70-653 Szczecin.

  • Provider of legal/ advisory/ debt-collection services - these service providers are selected on a case-by-case basis, depending on individual demand.

  • Electronic payment service provider: Alior Bank Spółka Akcyjna, ul. Łopuszańska 38D, 02-232 Warsaw; Autopay S.A., ul. Powstańców Warszawy 6, 81-718 Sopot.

§8. INFORMATION ON DATA TRANSFER TO THIRD COUNTRIES

Your personal data will not be transferred outside the European Economic Area.

§9. UNCONDITIONAL RIGHTS VESTED IN DATA SUBJECTS

Referring to the rights related to the processing of your data, we mean the following entitlements. The possibility to exercise the rights listed below is independent of the legal basis for the processing of the personal data.

The right to request access to data

You have the right to obtain a confirmation whether we process your personal data. If yes, you have the right to request access to the data, and receive additional information about:

  • the purposes for the processing,

  • the categories of relevant data,

  • the recipients or categories of recipients to whom the data have been or will be disclosed, in particular about recipients in third countries or international organisations,

  • where possible, on the planned period of data storage, and where it is not possible, about the criteria to specify the length of the period,

  • the right to request data rectification, erasure or restriction of processing, to object to such processing and the right to lodge a complaint with the supervisory authority,

  • the sources of your data, if your data have not been collected from you,

  • automated decision-making, including profiling, and about the rules for such actions, and on the significance and the expected consequences of such processing for you.

Having obtained such request, we are obliged to provide a copy of the personal data that is subject to processing. If such request is submitted by e-mail, and if no other reservation is made, we will also provide information by electronic means.

The right to have your data rectified

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The right to have your data erased (the right to be forgotten)

You have the right to obtain from us the erasure of personal data concerning you without undue delay. In such event, we have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • you have withdrawn your consent on which the processing is based and there is no other legal ground for the processing,

  • you have successfully objected to the processing of data concerning you,

  • your personal data have been unlawfully processed,

  • your personal data have to be erased for compliance with a legal obligation,

  • your personal data have been collected in relation to the offer of information society services.

The right to restriction of processing

You have the right to obtain from us restriction of processing where one of the following applies:

  • you contest the accuracy of your personal data, for a period enabling us to verify the accuracy of the personal data,

  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead,

  • we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims,

  • you have objected to the processing of your data, pending the verification whether the legitimate grounds on our part override those of the data subject.

Automated decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The right does not apply if such decision

  • is necessary for entering into, or performance of, an agreement between you and us,

  • is authorised by Union law or the law of the Republic of Poland and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or

  • is based on your explicit consent.

The right to lodge a complaint

You have the right to lodge a complaint in relation to the processing of your data with the supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (President of the Personal Data Protection Office), ul. Stawki 2, 00-193 Warsaw, tel. 22 531 03 00, fax. 22 531 03 01, e-mail: kancelaria@uodo.gov.pl.

§10. CONDITIONAL RIGHTS VESTED IN DATA SUBJECTS

Referring to the rights related to the processing of your data, we mean the following entitlements. The exercise of the rights listed below each time depends on the legal basis for the processing of the personal data.

The right to withdraw consent to the processing

If we process your personal data based on your consent, you have the right to withdraw consent to the processing at any time. Of course, the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

The right to data portability

You have the right to receive your personal data which you have provided, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from us, where the processing:

  • is based on consent or on a contract, and

  • is carried out by automated means.

In exercising your right to data portability, you have the right to have the personal data transmitted directly from us to another controller, where technically feasible. The right shall not adversely affect the rights and freedoms of others.

The right to object

If your personal data are processed pursuant to Article 6 (1)(f) of the GDPR, you have the right to object to the processing of such data on grounds relating to your particular situation.

In such event, we will no longer process your personal data, unless we demonstrate:

  • compelling legitimate grounds for the processing which override your interests, rights and freedoms, or

  • grounds for the establishment, exercise or defence of legal claims.

If you object to the processing of data for direct marketing purposes, we will no longer process your data for such purposes.

§11. COOKIE FILES – INTRODUCTION

The Store's website uses cookies. They are commonly used small files with a string of characters, that are sent to, and saved on, an end device (e.g., a computer, a laptop, a tablet, or smartphone) that you use while visiting our online Store. The information is also sent to the memory of the browser being used that sends it back on the next visit to the website. Cookie files may be categorised taking into account three classification methods.

In terms of the purposes for which cookie files are used, they may be divided into three categories:

  • Essential cookies – these files allow the correct operation of the website and its functionalities, e.g. cookies used for authentication or security purposes. If they are not saved on your device, the use of the website will not be possible.

  • Analytical cookies – these files allow the monitoring of the opened websites, web traffic sources, and the time spent on a given website. If they are not saved, the use of the website's functionalities will not be restricted.

  • Advertising cookies – these files allow the display of personalised advertisements in the website area, or outside the website. If they are not saved, the use of the website's functionalities will not be restricted.

In terms of their expiration, we can make a distinction between two categories of cookie files:

  • session cookies – existing until the end of a given session,

  • persistent cookies – existing after a session ends.

In terms of the entity that administers cookie files, there are:

  • our cookie files,

  • and third-party cookie files.

§12. THE CONTROLLER'S COOKIE FILES

The cookie files that we administer allow:

  • access authentication,

  • maintenance of an open session after sign in,

  • safeguards to protect the Store against hacker attacks,

  • the browser to “remember” the contents of completed form fields (optionally),

  • the browser to “remember” items added to the Basket.

Thanks to this, the Store's functionalities are easier and more convenient to use.

§13. THIRD-PARTY COOKIE FILES

The use of third-party cookie files is conditional upon the provisions of privacy and cookie file policies in place at these entities.

GOOGLE

We use cookie files administered by Google Inc. 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA, as part of the following services:

  • Google Ads – advertising cookies to conduct and assess the effectiveness of advertising campaigns held with the use of the Google Ads service,

  • Google Analytics – analytical files to explore user behaviour and traffic, and prepare traffic statistics.

The data being collected by Google Inc. are anonymous and collective. They do not include any features allowing the identification of the Store's users (understood as personal data). In using the above services, we collect such data as sources from which Store users have been acquired, and their behaviour in the Store, information on the devices and browsers they use, IP addresses, domain, demographics (age, gender), interests and geographic data.

For more information on the above services go to: https://policies.google.com/technologies/cookies?hl=pl

FACEBOOK

We use cookie files administered by Meta Inc. 1 Hacker Way, Menlo Park, CA 94025, USA:

  • Functional cookies used by Meta Inc. 1 Hacker Way, Menlo Park, CA 94025, USA: These files may be used to connect your Facebook account to your Store account. The files may also be used for processing the activities that you have performed with the use of “Share” or “Like” options on Facebook. The processing of such activities may be public.

  • Advertising pixel tags used by Meta Inc. 1 Hacker Way, Menlo Park, CA 94025, USA: They are elements published in digital contents, allowing the record of information about, e.g., the activity on a given website, and the assessment of advertisement effectiveness. The pixel tags from Facebook Inc. may be managed via the Facebook website, in the user panel.

For more information on the above issues, go to https://www.facebook.com/policies/cookies/

The use of third-party cookie files is conditional upon the provisions of privacy and cookie file policies in place at these entities. The current principles of third parties in this regard may be found on the above-mentioned websites and under the following link: https://www.e-regulaminy.pl/biuletyn/polityki-prywatnosci-i-plikow-cookies/.

§14. CONSENT TO THE USE AND MANAGEMENT OF COOKIE FILES

Except for essential cookies, cookies will be processed on the basis of the user’s consent.

The consent to use cookies is freely given and may be withdrawn at any time. Please note that the failure to provide consent to the use of certain cookie files may hinder the use of the Store and its functionalities, and even make it impossible.

Users may consent to the processing of cookie files:

  • with the use of settings in software installed in the user’s ICT terminal device,

  • with the use of a button containing a statement on their consent to the processing of cookie files or confirmation of having read the relevant terms & conditions,

  • with the use of settings available in the website area.

§15. CACHE MEMORY

While using the Store's website, we may automatically use the cache memory that is installed on your device. It is possible to store data between sessions in the cache memory, i.e., between subsequent visits of the Store's website. The purpose of using the cache memory is to accelerate the Store's operations, by eliminating the situation where the same data are downloaded from the Store multiple times, thus overloading the user’s internet connection. Cache memory may be used to store such data as sign in passwords.

§16. LINKS TO OTHER WEBSITES OR SOFTWARE

The Store may offer links to other websites and software. We assume no responsibility for the terms and conditions of privacy and cookie processing policy applicable on those websites or in that software. We recommend reading the privacy and cookie policies of the websites and software after using the links or before installing the software.

§17. AMENDMENTS TO THE PRIVACY AND COOKIE FILE POLICY

  1. The Privacy and Cookie File Policy is effective from the date of its publication on the Store's website.

  2. The Privacy and Cookie File Policy will be amended by publishing its new wording on the Store’s website.

  3. Information about amendments to the Privacy and Cookie File Policy will be published on the Store's website no later than 3 days before its new wording enters into force.