PERSONAL DATA PRIVACY POLICY (GDPR)
hegemonshop.com
Effective from 1 May 2025.
§1
Identity of the personal data controller.
1. The controller of personal data provided during the use of the Website and/or the online store operated under the name hegemonshop.com is ManaSource spółka z ograniczoną odpowiedzialnością (limited liability company) with its registered office in Szczecin, at Bolesława Śmiałego 11/8, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court Szczecin-Centre in Szczecin, XIII Commercial Division of the National Court Register, under KRS number: 0001125418, REGON: 52957185900000, NIP: 8513317798, e-mail address: contact@hegemonshop.com, phone number: +48 739 213 788.
2. The data are processed in accordance with currently applicable legal regulations, including: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR), the Act of 10 May 2018 on the Protection of Personal Data, as well as the Act of 12 July 2024 on Electronic Communications Law.
3. This Privacy Policy sets out the rules for the processing of data of Users of the Website and/or the Store, as well as of persons who enter into contracts with the Data Controller, including those related to the execution of Orders and/or contracts, and of data collected through contact with the Data Controller (via e-mail, by phone, or by traditional correspondence), as well as of persons who like and/or follow the Data Controller’s fanpage on social media, if maintained.
§2
Definitions.
1. In this Privacy Policy, the following definitions shall apply:
- Personal Data Controller – the entity that determines the purposes and means of personal data processing, which for the purposes of this policy shall mean: ManaSource spółka z ograniczoną odpowiedzialnością, with its registered office in Szczecin at Bolesława Śmiałego 11/8, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court Szczecin-Centre in Szczecin, XIII Commercial Division of the National Court Register, under KRS number: 0001125418, REGON: 52957185900000, NIP: 8513317798, e-mail address: contact@hegemonshop.com, phone number: +48 739 213 788.
- Personal Data – any information that, without excessive time or cost, may lead to the identification of a natural person, including their identification, address, and contact details.
- Third Country – a country outside the European Economic Area (EEA).
- Website – the website available at hegemonshop.com, through which the User may browse the content, subscribe to the newsletter, or contact the Personal Data Controller via the contact details or contact forms available on the Website.
- Store – the online store available at hegemonshop.com, through which the Buyer may purchase specified Goods and/or Digital Products.
- User/Data Subject – a natural person whose data is processed and who uses the services available on the Website/Store.
§3
Purposes of Personal Data Processing
1. The Personal Data Controller processes personal data only when permitted by currently applicable legal regulations, including for the following purposes:
- the preparation and execution of the concluded sales contract, including the conclusion of a distance contract via the online store (Order), where the data subject is a party, as well as the exercise of rights arising from it (non-conformity with the contract, withdrawal from the contract, etc.), based on Article 6(1)(b) of the GDPR;
- documenting the execution of concluded contracts, including issuing receipts or invoices, and maintaining accounting and tax records, based on Article 6(1)(c) of the GDPR, in order to fulfill the legal obligations incumbent on the Personal Data Controller under Article 70 of the Act of 29 August 1997, the Tax Ordinance;
- taking actions at the request of the data subject, including responding to inquiries via electronic communication means or traditional correspondence, based on Article 6(1)(b) of the GDPR;
- sending ordered marketing information via electronic means to the User's provided e-mail address, based on the User’s consent, in accordance with Article 6(1)(a) of the GDPR and Article 398 of the Act of 12 July 2024 on Electronic Communications Law;
- registration and creation of an Account in the Store, based on Article 6(1)(a) of the GDPR, i.e., the consent of the data subject;
- marketing of the Personal Data Controller's own products and services via traditional means, based on Article 6(1)(f) of the GDPR, i.e., for the purpose of pursuing legitimate interests of the Personal Data Controller or the data subject;
- sending an e-mail requesting a review of the Store and/or Goods/Product, based on Article 6(1)(f) of the GDPR, i.e., for the legitimate interest of the data controller (the Seller), which is the improvement of the offer and/or the Goods/Product and/or the Store through the collection of reliable feedback by the Store owner;
- asserting rights and claims by the Personal Data Controller or the data subject, based on Article 6(1)(f) of the GDPR, and carried out in the legitimate interest of the data controller.
2. The provision of personal data is necessary for the execution of a distance contract, including the shipment of Goods or provision of a Digital Product and/or the issuance of an accounting document, the pursuit of claims, as well as responding to User inquiries.
Providing personal data in other cases is voluntary.
3. Failure to provide the required data will prevent the execution of the distance contract (Order), the issuance of a receipt or invoice, or establishing contact at the request of the data subject.
§4
Sposoby pozyskiwania danych osobowych.
- Dane osobowe Użytkownika gromadzone są bezpośrednio od osób, których dane dotyczą, tj. poprzez:
-
- wypełnienie formularza zapisu na newsletter,
- wypełnienie formularza zamówienia w Sklepie,
- rejestracja konta w Serwisie i/lub Sklepie,
- podanie danych do przygotowania, zawarcia umowy i realizacji umowy (Zamówienia) dostępnymi drogami kontaktu,
- bezpośredni kontakt z administratorem danych za pomocą danych teleadresowych dostępnych na stronie lub w formie tradycyjnej w miejscu prowadzenia działalności.
§5
Scope of Personal Data Processing
1. The scope of processed personal data is limited to the minimum necessary for the provision of services, including:
- subscribing to the newsletter: e-mail address,
- placing an Order in the Store: first and last name, e-mail address, phone number, delivery address, or collection point address (if applicable),
- registering an account on the Website and/or in the Store: first and last name, e-mail address, password, login,
- issuing a receipt, invoice, or other accounting document: first and last name or entity name, registered office address, tax identification number (NIP),
- preparing, concluding, and executing the contract: first and last name, address, ID card number, etc.
§6
Personal Data Retention Period
1. The duration of personal data processing depends on the purpose for which the data was collected and is defined as follows:
- for the conclusion and performance of a sales contract, including distance sales (Orders) – for the period necessary to document the performance of the contract, including issuing a receipt or invoice – 5 years, counted from the end of the calendar year in which the tax payment deadline expired, pursuant to Article 112 of the Act of 11 March 2004 on the Goods and Services Tax, in conjunction with Article 70 of the Act of 29 August 1997 – the Tax Ordinance;
- for the purpose of sending commercial information by electronic means (newsletter) and/or creating an Account in the Store and/or sending review requests via external satisfaction survey platforms – until consent is withdrawn, without affecting the lawfulness of processing based on consent before its withdrawal;
- for the period necessary to respond to a question submitted via contact form or telephone, but no longer than 6 months, unless the data subject decides to enter into a contract with the Personal Data Controller;
- for the purpose of pursuing claims, pursuant to Article 118 of the Act of 23 April 1964 – Civil Code. Unless otherwise provided by specific legislation, the limitation period is six years, and for claims for periodic performance or those related to business activity – three years.
§7
Recipients of Personal Data
1. The User’s personal data may be entrusted to other entities for the purpose of providing services on behalf of the Data Controller, particularly entities supporting the activities of the Personal Data Controller in the areas of:
- website and/or Store hosting,
- e-mail hosting,
- servicing and maintenance of IT systems in which data is processed, including for newsletter automation, issuance of accounting documents, order handling, etc.,
- accounting services,
- marketing services,
- courier service brokerage,
- logistical support for Orders in the Store.
The User’s personal data may also be shared with entities providing courier or postal services, banks, or electronic payment operators featured on the Website, as indicated in the Store’s Terms and Conditions.
§8
Transfer of Data Outside the European Economic Area (EEA)
The User’s personal data is not transferred to third countries or international organizations.
§9
Fanpage of the Data Controller on Social Media Platforms
1. The Data Controller is also a joint controller of the personal data of individuals who follow or interact with the Data Controller’s social media pages—particularly those who use electronic means of communication via the fanpage on Facebook (@HegemonShop) and/or Instagram under the account name @hegemon.shop, both administered by the Data Controller within these platforms.
2. In all other respects, the controller of the personal data of Users of these social media services is Meta Platforms, Inc., Menlo Park, California / Meta Platforms Ireland Limited (formerly: Facebook Inc., headquartered at 1 Hacker Way, Menlo Park, CA 94025, USA). The processing of such data is carried out in accordance with the terms and privacy policies of those platforms, including those published at: https://www.facebook.com/privacy
3. The personal data of a User who likes and/or follows the Data Controller's fanpage on social media platforms will be processed outside the European Economic Area (EEA), namely in so-called third countries, particularly within the territory of the United States of America, in connection with the use of IT solutions whose servers are located outside the EEA.
4. The User’s personal data will be processed in the United States of America (USA). The transfer of data to the USA is based on the European Commission’s adequacy decision of 10 July 2023, which recognizes an adequate level of protection for personal data provided by the so-called EU-US Data Privacy Framework, in relation to providers listed in the U.S. Department of Commerce registry, including Meta Platforms, Inc., Menlo Park, California, USA.
§10
Rights of Data Subjects
1. Data subjects have the right to:
- access their personal data, including the right to receive the first copy of the personal data free of charge,
- rectify data that is inaccurate or has changed,
- request the erasure of data, unless other legal provisions require the Data Controller to retain the data for a specified period,
- data portability, provided that the processing is based on a contract or the data subject’s consent, and the processing is carried out by automated means,
- withdraw consent to the processing of personal data—if such processing was based on the data subject’s consent. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to its withdrawal,
- object to the processing of their data, on grounds relating to their particular situation, where the processing is based on Article 6(1)(e) or (f) of the GDPR, and also to request restriction of processing,
- not be subject to automated profiling, where the Data Controller makes decisions based solely on automated processing that produce legal effects concerning the data subject or similarly significantly affect them,
- exercise control over data processing and obtain information on the identity of the Data Controller, as well as on the purpose, scope, and method of data processing, the content and source of the data, and the manner in which the data is shared, including the recipients or categories of recipients of the data.
2. To exercise the right to information, access, rectification, or any other rights, the data subject may contact the Data Controller.
3. The data subject also has the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) if the processing of their data violates the provisions of the General Data Protection Regulation (GDPR). A complaint may be submitted either electronically or in writing to the following address:
Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, Poland
§11
Final Provisions
In the event of a change to this Privacy Policy, in particular where required by applied technical solutions or changes in applicable legislation concerning the privacy of data subjects, appropriate amendments will be introduced to this Privacy Policy (GDPR), which shall take effect 14 days after publication on the website of the Service and/or Store.