PRIVACY POLICY

Fabrica Cacti Łukasz Sędyka

Due to the application, as of 25 May 2018, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), Fabrica Cacti Łukasz Sędyka provides this document titled “Privacy Policy”.

1. DEFINITIONS

  1. Controller – Fabrica Cacti Łukasz Sędyka, Address: ul. Rynek 6, 24-173 Markuszów, Poland.
  2. Personal Data – any information relating to an identified or identifiable natural person, identified directly or indirectly by reference to one or more factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including the IP address, location data, online identifier, and information collected via cookies and similar technologies.
  3. Policy – this Privacy Policy.
  4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  5. Website/Service – the website operated by the Controller at: https://fabricacacti.com
  6. User – any natural person visiting the Website or using one or more services or functionalities described in this Policy.

2. DATA PROCESSING IN CONNECTION WITH USING THE WEBSITE

2.1. When the User uses the Website, the Controller collects data to the extent necessary to provide individual services and also collects information about the User’s activity on the Website. Detailed rules, purposes, and legal bases for processing personal data collected while using the Website are described below.

3. PURPOSES AND LEGAL BASES FOR DATA PROCESSING ON THE WEBSITE

USING THE WEBSITE

3.1. Personal data of all persons using the Website (including IP address or other identifiers and information collected via cookies or similar technologies) who are not registered Users are processed by the Controller:

3.1.1. to provide electronic services, including displaying content available on the Website and providing contact forms and handling enquiries – the legal basis is necessity for the performance of a contract (Article 6(1)(b) GDPR);

3.1.2. to process purchases made without registration on the Website – the legal basis is necessity for the performance of a contract (Article 6(1)(b) GDPR);

3.1.3. to handle complaints relating to orders – the legal basis is necessity for the performance of a contract (Article 6(1)(b) GDPR);

3.1.4. for analytics and statistics – the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR) consisting in analysing Users’ activity and preferences in order to improve the Website functionality and service quality;

3.1.5. to establish, pursue, or defend legal claims – the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR) consisting in protecting the Controller’s rights;

3.1.6. for the Controller’s marketing purposes and, where applicable, for presenting advertisements (including behavioural advertising), in accordance with the rules described in this Policy and subject to obtaining cookie consent where required.

3.2. The User’s activity on the Website, including personal data, may be recorded in system logs. Log data may be processed for technical and security purposes (e.g., backups, testing, detecting irregularities, preventing abuse and attacks) – the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR).

ACCOUNT REGISTRATION (if the Website provides an account feature)

3.3. Users who register an account may be asked to provide data necessary to create and maintain the account. Providing mandatory data is required; failure to provide it prevents registration. Providing additional data is voluntary.

3.4. Personal data is processed:

  • to provide and maintain the account – Article 6(1)(b) GDPR; optional data – consent, Article 6(1)(a) GDPR;
  • for analytics and statistics – Article 6(1)(f) GDPR;
  • to establish, pursue, or defend legal claims – Article 6(1)(f) GDPR;
  • for marketing purposes – in accordance with Section 4.

3.5. If the User provides personal data of third parties through the Website, the User may do so only if it does not violate applicable law or the rights of such persons.

PLACING ORDERS

3.6. Placing an order involves processing the User’s personal data. Providing mandatory data is required to accept and fulfil the order; failure to provide it makes fulfilment impossible.

3.7. Personal data is processed:

  • to fulfil the order – Article 6(1)(b) GDPR;
  • to comply with legal obligations (including tax and accounting obligations) – Article 6(1)(c) GDPR;
  • for analytics and statistics – Article 6(1)(f) GDPR;
  • to establish, pursue, or defend legal claims – Article 6(1)(f) GDPR.

CONTACT FORMS

3.8. The Controller provides contact via forms and/or email. Using a contact form requires providing data necessary to respond. Other data is voluntary.

3.9. Personal data is processed:

  • to identify the sender and handle the enquiry – Article 6(1)(b) GDPR;
  • for analytics and statistics – Article 6(1)(f) GDPR.

4. MARKETING

4.1. The Controller may process Users’ personal data for marketing activities, which may include:

  • displaying marketing content not tailored to User preferences (contextual advertising),
  • displaying marketing content tailored to User interests (behavioural advertising),
  • sending email notifications about offers or content (which may include commercial information),
  • other direct marketing activities, provided an appropriate legal basis exists (e.g., consent).

4.2. In some cases, the Controller may use profiling, i.e., automated processing of data to evaluate certain factors related to individuals, in particular to tailor marketing content.

4.3. The User has the right to object at any time to the processing of personal data for direct marketing purposes.

4A. NEWSLETTER

4A.1. If the User subscribes to the newsletter, the Controller processes personal data (in particular the email address, and optionally the first name) to send newsletter messages, including updates, offers, products, educational content, and information related to the Fabrica Cactii brand.

4A.2. The legal basis for processing personal data for the newsletter is:

  • the User’s consent (Article 6(1)(a) GDPR).

4A.3. Consent may be withdrawn at any time:

  • by clicking the “unsubscribe” link included in each newsletter message, or
  • by contacting the Controller at: mail@fabricacacti.com.

4A.4. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

4A.5. Newsletter data is stored for as long as the subscription is active, i.e., until consent is withdrawn or the User unsubscribes.

4A.6. The Controller may use external newsletter delivery providers (processors acting on the Controller’s behalf). Data is shared only to the extent necessary to provide the newsletter service, based on a data processing agreement.

5. SOCIAL MEDIA

5.1. The Controller processes personal data of persons visiting the Controller’s profiles on social media platforms (e.g., Facebook, Instagram, YouTube) solely in connection with operating the profiles, communicating with users, informing about activity, and promoting products and services. The legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR).

6. MOBILE VERSIONS

6.1. The Controller also processes personal data to enable use of the Website and its services via mobile versions – Article 6(1)(b) GDPR.

7. COOKIES AND SIMILAR TECHNOLOGIES

7.1. Cookies are small text files stored on the User’s device. They facilitate Website use (e.g., remembering a session, cart contents, and preferences).

7.2. The Controller uses “service cookies” mainly to:

  • provide electronic services,
  • ensure security,
  • improve the quality and functionality of the Website.

7.3. The Controller may use cookies for analytics and marketing purposes (e.g., statistics, behavioural advertising). Where consent is required by law for marketing/analytics cookies, such cookies are used only after obtaining the User’s consent, which can be withdrawn at any time via browser settings or the cookie consent mechanism available on the Website.

7.4. If third-party tools are used on the Website (e.g., analytics solutions), details are provided in the privacy policies of those third parties.

8. PERSONAL DATA RETENTION PERIOD

8.1. The retention period depends on the purpose. As a rule, data is processed:

  • for the duration of providing services or fulfilling an order,
  • until consent is withdrawn or an effective objection is raised (where applicable),
  • for the period required by law (e.g., accounting/tax),
  • as long as necessary to establish, pursue, or defend claims.

8.2. After the retention period, data is deleted or anonymized.

9. DATA SUBJECT RIGHTS

9.1. Data subjects have the right to:

  • access data and obtain information about processing,
  • receive a copy of data,
  • rectify data,
  • erase data (where applicable),
  • restrict processing,
  • data portability,
  • object to processing (including direct marketing),
  • withdraw consent (where processing is based on consent),
  • lodge a complaint with the President of the Personal Data Protection Office in Poland (UODO) or another competent supervisory authority.

9.2. Requests may be submitted:

  • in writing to: Fabrica Cacti Łukasz Sędyka, ul. Rynek 6, 24-173 Markuszów, Poland, or
  • by email to: mail@fabricacacti.com

9.3. The Controller may request additional information if needed to identify the requesting person.

9.4. The Controller will respond within one month of receiving the request (with a possible extension under GDPR, with reasons provided).

10. DATA RECIPIENTS

10.1. Personal data may be disclosed to external entities supporting the Controller in operating the Website and fulfilling orders, in particular:

  • IT and hosting providers,
  • payment operators and banks,
  • accounting and legal service providers,
  • courier and postal operators,
  • analytics and marketing tool providers (as determined by cookie consent settings).

10.2. Data may be disclosed to public authorities only where required by law.

11. TRANSFERS OUTSIDE THE EEA

11.1. If tools are used that may involve processing outside the EEA, the Controller ensures an adequate level of protection using GDPR mechanisms (e.g., Standard Contractual Clauses or other appropriate safeguards).

11.2. The Controller informs Users about transfers outside the EEA at the data collection stage or via information about the tools used.

12. PERSONAL DATA SECURITY

12.1. The Controller applies organisational and technical measures to protect personal data, including limiting access to authorised persons and maintaining IT security measures.

12.2. The Controller also ensures that processors and partners provide appropriate safeguards whenever they process personal data on behalf of the Controller.

13. CONTACT DETAILS

Contact with the Controller is possible via:

  • email: mail@fabricacacti.com
  • postal address: Fabrica Cacti Łukasz Sędyka, ul. Rynek 6, 24-173 Markuszów, Poland

14. CHANGES TO THIS PRIVACY POLICY

14.1. This Policy is reviewed on an ongoing basis and updated when necessary. The current version is published on the Website.