Ekogram store privacy policy
This Privacy Policy (hereinafter referred to as the " Policy ") contains information on the processing of your personal data in connection with the use of the "Ekogram" online store operating at the Internet address https://ekogram.pl/ (hereinafter referred to as the " Store ").
All capitalized terms not otherwise defined in the Policy have the meaning given to them in the Regulations, available at: https://ekogram.pl/en/pages/regulamin
Personal data administrator
The Controller of your personal data is Nutkraft spółka z ograniczoną odpowiedzialnością with its registered office in Kraków (address: ul. Bolesława Prusa 10/18, 30-109 Kraków), entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register under the KRS number: 0000915853, Tax Identification Number (NIP): PL6772467020, National Business Registry Number (REGON): 38965943000000, with the share capital of PLN 5,000 ( five thousand zlotys), fully paid up (hereinafter referred to as the " Controller ").
Contact with the Administrator
In all matters related to the processing of personal data, you can contact the Administrator via e-mail at the address: kontakt@ekogram.pl .
Personal data protection measures
The Administrator uses modern organizational and technical security measures to ensure the best possible protection of your personal data and guarantees that it processes them in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the " GDPR "), the Act of 10 May 2018 on the protection of personal data and other provisions on the protection of personal data.
Information about personal data being processed
Using the Store requires the processing of your personal data. Below you will find detailed information about the purposes and legal basis of processing, as well as the processing period and whether providing your data is mandatory or voluntary.
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Conclusion and performance of the Agreement for the provision of the Account Service |
1) name and surname 2) e-mail address
optional: 1) phone number 2) residential/business address (street, house number, apartment number, city, postal code, country) 3) delivery address (if different from the residential/business address) 4) billing address (if different from your residential/business address) 5) optional - company name and Tax Identification Number (if the Buyer is an Entrepreneur or an Entrepreneur with Consumer rights) |
Article 6(1)(b) of the GDPR
(processing is necessary to perform the Agreement for the provision of the Account Service concluded with the data subject or to take steps to conclude it) |
|
Providing the above-mentioned personal data is a condition for concluding and performing the contract for the provision of the Account Service (providing the data is voluntary, but the consequence of not providing the data will be the inability to conclude and perform the above-mentioned contract, including creating an Account).
The Administrator will process the above-mentioned personal data until the statute of limitations for claims arising from the Account Service Provision Agreement expires. |
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Conclusion and performance of the Sales Agreement |
1) name and surname 2) e-mail address 3) phone number 4) residential/business address (street, house number, apartment number, city, postal code, country) 5) delivery address (if different from the residential/business address) 6) billing address (if different from your residential/business address) 7) optional - company name and Tax Identification Number (if the Buyer is an Entrepreneur or an Entrepreneur with Consumer rights) |
Article 6(1)(b) of the GDPR
(processing is necessary to perform the Sales Agreement concluded with the data subject or to take steps to conclude it)
|
|
Providing the above-mentioned personal data is a condition for concluding and performing the Sales Agreement (providing the data is voluntary, but failure to provide the data will result in the inability to conclude and perform the Sales Agreement).
The Administrator will process the above-mentioned personal data until the statute of limitations for claims arising from the Sales Agreement expires. |
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Conclusion and performance of the Newsletter Delivery Agreement
|
e-mail address
|
Article 6(1)(b) of the GDPR
(processing is necessary to perform the Newsletter Agreement concluded with the data subject or to take steps to conclude it)
and
Article 6(1)(f) of the GDPR
(processing is necessary to pursue the legitimate interest of the Administrator, in this case informing about new products and promotions available in the Store)
|
|
Providing the above-mentioned personal data is voluntary, but necessary in order to receive the Newsletter (the consequence of not providing them will be the inability to receive the Newsletter).
The Administrator will process the above-mentioned personal data until an objection is effectively raised or the purpose of processing is achieved or until the claims arising from the Newsletter Delivery Agreement expire (depending on which of the aforementioned events occurs first).
|
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Conducting the complaint procedure |
1) name and surname 2) e-mail address |
Article 6(1)(c) of the GDPR
(processing is necessary to fulfil the legal obligation incumbent on the Controller, in this case the obligations: - responding to a complaint – Article 7a of the Consumer Rights Act; - exercising the Customer's rights arising from the provisions on the Controller's liability in the event of non-compliance of the Subject of the digital provision with the Agreement relating to it) |
|
Providing the above-mentioned personal data is a condition for receiving a response to a complaint or exercising the Customer's rights arising from the provisions on the Controller's liability in the event of non-compliance of the physical Goods with the Sales Agreement or the Digital Goods with the Agreement relating to them (providing such data is voluntary, but failure to provide them will result in the inability to receive a response to the complaint and exercise the above-mentioned rights).
The Administrator will process the above-mentioned personal data for the duration of the complaint procedure, and in the event of the execution of the above-mentioned Customer rights – until their limitation period expires.
|
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Conducting verification proceedings and considering appeals against decisions regarding the handling of inadmissible content
|
1) name and surname/name, 2) contact details, including e-mail address
|
Article 6(1)(c) of the GDPR
(processing is necessary to fulfil the legal obligation incumbent on the Controller, in this case the obligations: - providing a mechanism for reporting unacceptable content (Article 16 of Regulation 2022/2065 on the single market for digital services and amending Directive 2000/31/EC (Digital Services Act) (hereinafter referred to as the " DSA "), - handling complaints (Article 20 DSA). |
|
Providing the above-mentioned personal data is a condition for receiving a response to the notification or exercising the User's rights arising from the provisions of the DSA (providing the data is voluntary, but the consequence of not providing the data will be the inability to receive a response to the notification and to exercise the above-mentioned rights).
|
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Sending email notifications |
e-mail address |
Article 6(1)(f) of the GDPR
(processing is necessary to pursue the legitimate interest of the Administrator, in this case informing Customers about activities undertaken in connection with the performance of Agreements concluded with Customers) |
|
Providing the above-mentioned personal data is voluntary, but necessary in order to receive information about activities related to the performance of Agreements concluded with Clients (the consequence of failure to provide such data will be the inability to receive the above-mentioned information).
The Administrator will process the above-mentioned personal data until the objection is effectively raised or the purpose of processing is achieved (depending on which of the above-mentioned events occurs first). |
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Handling customer inquiries |
1) name 2) e-mail address 3) other data contained in the message to the Administrator |
Article 6(1)(f) of the GDPR
(processing is necessary to pursue the legitimate interest of the Administrator, in this case to respond to the received inquiry) |
|
Providing the above-mentioned personal data is voluntary, but necessary in order to receive a response to your inquiry (the consequence of not providing them will be the inability to receive a response).
The Administrator will process the above-mentioned personal data until the objection is effectively raised or the purpose of processing is achieved (depending on which of the above-mentioned events occurs first). |
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Sharing Product Reviews |
1) name and surname 2) optional – other data included in the Opinion |
Article 6(1)(f) of the GDPR
(processing is necessary to pursue the legitimate interest of the Controller, in this case providing the Opinion for information and promotional purposes) |
|
Providing the above-mentioned personal data is voluntary, but necessary in order to add an Opinion (the consequence of not providing them will be the inability to add an Opinion).
The Administrator will process the above-mentioned personal data until the objection is effectively raised or the purpose of processing is achieved (depending on which of the above-mentioned events occurs first). |
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Informing Customers about the availability of previously unavailable Goods |
e-mail address |
Article 6(1)(f) of the GDPR
(processing is necessary to pursue the legitimate interest of the Controller, in this case informing Customers about the availability of previously unavailable Goods) |
|
Providing the above-mentioned personal data is voluntary, but necessary in order to receive notification of the availability of previously unavailable Goods (the consequence of failure to provide them will be the inability to receive the above-mentioned notification).
The Administrator will process the above-mentioned personal data until the objection is effectively raised or the purpose of processing is achieved (depending on which of the above-mentioned events occurs first). |
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Fulfilling tax obligations (including issuing VAT invoices, storing accounting records) |
1) name and surname/company 2) residential/registered office address 3) Tax Identification Number |
Article 6(1)(c) of the GDPR
(processing is necessary to fulfill the legal obligation incumbent on the Administrator, in this case, obligations arising from tax law) |
|
Providing the above-mentioned personal data is voluntary, but necessary for the Administrator to fulfill its tax obligations (the consequence of failure to provide them will be the inability of the Administrator to fulfill the above-mentioned obligations).
The Administrator will process the above-mentioned personal data for a period of 5 years from the end of the year in which the tax payment deadline for the previous year expired. |
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Fulfillment of obligations related to the protection of personal data |
1) name and surname 2) the contact details you provided (e-mail address; correspondence address; telephone number) |
Article 6(1)(c) of the GDPR
(processing is necessary to fulfil the legal obligation incumbent on the Controller, in this case the obligations arising from the provisions on personal data protection) |
|
Providing the above-mentioned personal data is voluntary, but necessary for the Controller to properly perform its obligations under the provisions on personal data protection, including the exercise of the rights granted to you by the GDPR (the consequence of not providing the above-mentioned data will be the inability to properly exercise the above-mentioned rights).
The Administrator will process the above-mentioned personal data until the expiry of the limitation periods for claims for violation of personal data protection provisions. |
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
|
Establishing, pursuing or defending against claims |
1) name and surname/company 2) e-mail address 3) residential/registered office address 4) PESEL number 5) Tax Identification Number |
Article 6(1)(f) of the GDPR
(processing is necessary to pursue the legitimate interest of the Controller, in this case to establish, pursue or defend against claims that may arise in connection with the performance of Agreements concluded with the Controller) |
|
|
Providing the above-mentioned personal data is voluntary, but necessary for the purpose of establishing, pursuing or defending against claims that may arise in connection with the performance of the Agreements concluded with the Controller (the consequence of not providing the above-mentioned data will be the inability of the Controller to take the above-mentioned actions)
The Administrator will process the above-mentioned personal data until the expiry of the limitation periods for claims that may arise in connection with the performance of Agreements concluded with the Administrator. |
|||
|
|
|
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Analysis of your activity in the Store |
1) date and time of visit 2) device IP number 3) type of device operating system 4) approximate location 5) type of web browser 6) time spent in the Store 7) viewed products 8) visited subpages and other actions taken within the Store |
Article 6(1)(f) of the GDPR
(processing is necessary to pursue the legitimate interest of the Administrator, in this case obtaining information about your activity in the Store) |
|
Providing the above-mentioned personal data is voluntary, but necessary in order for the Administrator to obtain information about your activity in the Store (the consequence of not providing them will be the inability of the Administrator to obtain the above-mentioned information).
|
||
|
Purpose of processing |
Personal data processed |
Legal basis |
|
Store Administration |
1) IP address 2) server date and time 3) information about the web browser 4) information about the operating system
The above data is saved automatically in the so-called server logs each time the Store is used (administering it without the use of server logs and automatic saving would not be possible). |
Article 6(1)(f) of the GDPR
(processing is necessary to pursue the legitimate interest of the Administrator, in this case ensuring the proper functioning of the Store) |
|
Providing the above-mentioned personal data is voluntary, but necessary to ensure the proper functioning of the Store (the consequence of not providing them will be the inability to ensure the proper functioning of the Store).
The Administrator will process the above-mentioned personal data until an objection is effectively raised or the purpose of processing is achieved. |
||
Profiling
In order to create your profile for marketing purposes and to send you direct marketing tailored to your preferences, the Administrator will process your personal data in an automated manner, including profiling – however, this will not produce any legal effects on you or significantly affect your situation in a similar way.
The scope of profiled personal data corresponds to the scope indicated above in relation to the analysis of your activity in the Store and the data you save in your Account.
The legal basis for the processing of personal data for the above purpose is Article 6(1)(f) of the GDPR, pursuant to which the Controller may process personal data to pursue its legitimate interest, in this case, to conduct marketing activities tailored to recipients' preferences. Providing the aforementioned personal data is voluntary, but necessary to achieve the aforementioned purpose (the consequence of failure to provide such data will be the Controller's inability to conduct marketing activities tailored to recipients' preferences).
The Administrator will process personal data for the purpose of profiling until an objection is effectively raised or the purpose of processing is achieved.
Recipients of personal data
The recipients of personal data will be the following external entities cooperating with the Administrator:
and) hosting company;
b) logistics operator and courier companies;
c) online payment system providers;
d) newsletter service provider;
e) opinion management system provider;
f) companies providing tools for analysing activity in the Store and directing direct marketing to people using it (including Google Analytics);
g) a company providing accounting services;
h) a company providing legal services.
Furthermore, personal data may also be transferred to public or private entities if such an obligation results from generally applicable legal provisions, a final court judgment or a final administrative decision.
Transfer of personal data to a third country
In connection with the Controller's use of services provided by Google LLC and Meta Platforms, your personal data may be transferred to the following third countries: United Kingdom, Canada, USA, Chile, Brazil, Israel, Saudi Arabia, Qatar, India, China, South Korea, Japan, Singapore, Taiwan (Republic of China), Indonesia, and Australia. The basis for transferring data to the aforementioned third countries is:
- in the case of the United Kingdom, Canada, Israel, Japan and South Korea – decisions of the European Commission establishing the adequate level of protection of personal data in each of the above-mentioned third countries;
- for the USA – Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 based on Regulation (EU) 2016/679 of the European Parliament and of the Council, determining the adequate level of protection of personal data ensured by the EU-US data protection framework;
- in the case of Chile, Brazil, Saudi Arabia, Qatar, India, China, Singapore, Taiwan (Republic of China), Indonesia and Australia - contractual clauses ensuring an adequate level of protection, in line with the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council.
You can obtain a copy of the data transferred to a third country from the Controller.
Right
In connection with the processing of personal data, you have the following rights:
1) the right to be informed about the personal data processed by the Controller and to receive a copy of this data (the so-called right of access). The first copy of the data is free of charge; the Controller may charge a fee for subsequent copies;
2) if the processed data becomes outdated or incomplete (or otherwise incorrect), you have the right to request its rectification;
3) in certain situations you can ask the Administrator to delete your personal data, e.g. when:
and) the data will no longer be necessary for the Controller for the purposes he informed about;
b) you have effectively withdrawn your consent to data processing - unless the Administrator has the right to process data on a different legal basis;
c) the processing is unlawful;
d) the need to delete data results from a legal obligation incumbent on the Administrator;
4) in the event that personal data are processed by the Administrator on the basis of consent granted for processing or for the purpose of performing the Agreement concluded with him, you have the right to transfer your data to another controller;
5) if personal data are processed by the Controller on the basis of your consent to processing, you have the right to withdraw this consent at any time (withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal);
6) if you believe that the personal data being processed are incorrect, their processing is unlawful, or the Controller no longer needs certain data, you may request that the Controller not perform any operations on the data for a specified period of time (e.g. to verify the accuracy of the data or to pursue claims) but only store them;
7) You have the right to object to the processing of your personal data based on the Controller's legitimate interest. If your objection is successful, the Controller will cease processing your personal data for this purpose;
8) You have the right to lodge a complaint with the President of the Personal Data Protection Office if you believe that the processing of your personal data violates the provisions of the GDPR.
Cookies
1. The Administrator hereby informs you that the Store uses "cookies" (cookies) installed on your end device. These are small text files that can be read by the Administrator's system, as well as by systems belonging to other entities whose services the Administrator uses (e.g., Facebook, Google).
2. The Administrator uses cookies for the following purposes:
and) ensuring the proper operation of the Store – thanks to cookies, it is possible to ensure the efficient operation of the Store, use its functions and conveniently navigate between individual subpages;
b) increasing the comfort of browsing the Store – thanks to cookies, it is possible to detect errors on some subpages and constantly improve them;
c) Creating statistics – cookies are used to analyze how users use the Store. This allows us to continually improve the Store and tailor its operation to user preferences;
d) conducting marketing activities – thanks to cookies, the Administrator can target users with advertisements tailored to their preferences.
3. The Administrator may place both persistent and temporary (session) cookies on your device. Session cookies are typically deleted when you close your browser, but closing your browser does not delete persistent cookies.
4. Information about the cookies used by the Administrator is displayed in the panel located at the bottom of the Store's website. Depending on your decision, you can enable or disable cookies from specific categories (except essential cookies) and change these settings at any time.
5. Data collected using cookies does not allow the Administrator to identify you.
6. Detailed information about the types of cookies used by the Administrator can be found in the panel located at the bottom of the Store's website.
7. Using most commonly used browsers, you can check whether cookies have been installed on your device, delete installed cookies, and block the Store from installing them in the future. However, disabling or limiting the use of cookies may cause significant difficulties in using the Store, for example, requiring you to log in to each subpage, longer page loading times, or limitations in the use of certain functionalities.
Final provisions
In matters not regulated by the Policy, generally applicable provisions on personal data protection apply.
The policy is effective from 1 October 2025.
