PRIVACY POLICY AND COOKIE POLICY

The use of the website under the name www.homefragrance.com signifies acceptance of the following terms and conditions of the Privacy Policy and Cookie Policy. 

§1 GENERAL PROVISIONS

This Privacy Policy and Cookie Policy defines the principles of processing and protection of personal data provided by Users and Cookies, as well as other technologies appearing on the website under the name www.homefragrance.com.      

The administrator of the website and the controller of the personal data provided within its framework is Nowe Spółka Akcyjna with its registered office in Warsaw, at ul. Górczewska 224 lok 62, 01-460 Warsaw, entered into the Register of Entrepreneurs of the National Court Register by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under KRS number: 0000588228, REGON (BUSINESS ID): 140951103, NIP (TAX IDENTIFICATION NUMBER): 7010068256, with the share capital of PLN 122,016.00, paid up in full.

In case of any doubts regarding the provisions of this Privacy Policy and Cookie Policy, please contact the Controller via e-mail: office@nowegroup.com.pl.  

The Controller reserves the right to make changes to the privacy policy, and every User of this website is obliged to be familiar with the current privacy policy. The reason for changes may include development of Internet technology, changes in the generally applicable law or development of the Website, e.g. using new tools by the Controller. The publication date of the current Privacy Policy is located at the bottom of the page. 

§2 DEFINITIONS

Data Controller – Nowe Spółka Akcyjna with its registered office in Warsaw, ul. Górczewska 224 lok 62, 01-460 Warsaw, entered into the Register of Entrepreneurs of the National Court Register by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under KRS number: 0000588228, REGON (BUSINESS ID): 140951103, NIP (TAX IDENTIFICATION NUMBER): 7010068256, with a fully paid-up share capital of PLN 122,016.00.

User – any entity visiting and using the website.

Website – the website located at www.homfrangrance.com 

Form or Forms – places on the Website that allow the User to enter personal data for purposes specified therein, such as sending a newsletter, placing orders or establishing contact with the User.

Newsletter – denotes a free service provided electronically, a digital service, by the Controller to the User through the transmission of electronic letters, through which the Controller informs about events, services, products and other elements relevant from the Controller's perspective and/or in order to fulfil the legitimate purpose of the Controller, which is direct marketing, including sending marketing and commercial content with the User's consent.

GDPR – means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data Protection Act – the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 1000, as amended).

Act on the Provision of Electronic Services – the Act of 18 July 2002 on the provision of services by electronic means (Journal of Laws of 2020, item 344, as amended).

Telecommunications Act – the Act of 16 July 2004 Telecommunications Law (Journal of Laws of 2021, item 576, as amended).

§3 PERSONAL DATA AND PRINCIPLES OF THEIR PROCESSING

WHO IS THE CONTROLLER OF THE USER'S PERSONAL DATA?

The Controller of the User's personal data is Nowe Spółka Akcyjna with its registered office in Warsaw, ul. Górczewska 224 lok 62, 01-460 Warsaw, entered into the Register of Entrepreneurs of the National Court Register by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under KRS number: 0000588228, REGON (BUSINESS ID): 140951103, NIP (TAX IDENTIFICATION NUMBER): 7010068256, with a fully paid-up share capital of PLN 122,016.00.

The Controller administers the data jointly with social media platforms providers, such as Facebook, Instagram, etc., as indicated in this document, in relation to the data of individuals using social media and following the Controller's profile on a specific social media platform, as well as engaging in interactions with the Controller. The co-administration principles are specified below for each social media platform on which the Controller has a profile.

IS PROVIDING DATA VOLUNTARY? WHAT ARE THE CONSEQUENCES OF NOT PROVIDING DATA?

The provision of data is voluntary, however, the failure to provide certain information, generally marked on the Controller's websites as mandatory, will result in the inability to perform a specific service and achieve a certain goal or take specific actions.

The provision by the User of non-mandatory data or excessive data that the Controller does not need to process is based on the User's decision. In such cases, the processing takes place on the basis of the premise contained in Article 6(1)(a) of the GDPR (consent). The User grants consent to the processing of such data and the anonymisation of the data the Controller does not require or wish to process, yet the User has provided them to the Controller.

FOR WHAT PURPOSES AND ON WHAT LEGAL BASIS DO WE PROCESS THE USER'S PERSONAL DATA PROVIDED WHEN USING THE WEBSITE?

The User’s personal data on the Controller’s Website may be processed for the following purposes and on the following legal grounds:

The provision by the User of non-mandatory data or excessive data that the Controller does not need to process is based on the User's decision. In such cases, the processing takes place on the basis of the premise contained in Article 6(1)(a) of the GDPR (consent). The User grants consent to the processing of such data and the anonymisation of the data the Controller does not require or wish to process, yet the User has provided them to the Controller.

HOW IS THE DATA COLLECTED?

Only the data voluntarily provided by the user (except, in certain situations, data collected automatically through cookies and login data, as discussed below) is collected and processed.

During a visit to the website, data related to the visit itself is automatically collected, such as the user's IP address, domain name, browser type, operating system type, etc. (login data). Automatically collected data may be used to analyse user behaviour on the website, gather demographic data about users or personalise the content of the website for improvement purposes. However, these data are processed solely for site administration, ensuring efficient hosting service, directing marketing content, and are not associated with individual user data. More about cookies can be found in the later part of this privacy policy.

Data may also be collected to fill out forms on the Website, as mentioned in the later part of the privacy policy.

Information Society Services

The Controller does not collect data from children. Users should be at least 16 years old to independently give consent to the processing of personal data for the provision of information society services, including for marketing purposes, or obtain consent from a legal guardian (e.g., a parent) for this purpose.

In the case where the User is under 16 years old, they should not use the Website and the service at www.homefragrancerange.com.

The Controller is entitled to make reasonable efforts to verify whether the User meets the age requirement mentioned above or whether the person exercising parental authority or guardianship over the User under 16 years old has given consent or approved it.

WHAT ARE THE USER'S RIGHTS?

The User has the rights outlined in Articles 15-21 of the GDPR at any time:

• the right to access their data,
• the right to data portability,
• the right to correct data, 
• the right to rectify data,
• the right to delete data if there is no legal basis for processing,
• the right to restrict processing if it occurred improperly or without a legal basis,
• the right to object to the processing of data based on the legitimate interest of the controller,
• the right to lodge a complaint with the supervisory authority – the President of the Office for Personal Data Protection (according to the rules specified in the Personal Data Protection Act) if they believe that the processing of their data is not in compliance with the currently applicable legal regulations,
• the right to be forgotten if further processing is not provided for by currently applicable legal regulations.

The Controller emphasises that these rights are not absolute and do not apply to all activities related to the processing of the User's personal data. This applies, for example, to the right to obtain a copy of the data. This right cannot adversely affect the rights and freedoms of other individuals, such as copyright or professional secrecy. To learn about the limitations regarding User's rights, please refer to the content of the GDPR. 

However, the User always has the right to lodge a complaint with the supervisory authority.

In order to exercise their rights, the User may contact the Controller via email at office@nowegroup.com.pl or by mail to the address of the Controller's place of business, if provided in this privacy policy, specifying the scope of their requests. A response will be provided no later than 30 days from the date of receipt of the request and its justification, unless an extension of this period is justified in accordance with the GDPR.

CAN THE USER WITHDRAW THEIR CONSENT?

If the User has given consent for a specific action, such consent can be withdrawn at any time. This will result in the removal of the email address from the Controller's mailing list and the cessation of the specified actions (in the case of data registration based on consent). The withdrawal of consent does not affect the processing of data carried out based on consent before its withdrawal.

In some cases, data may not be completely deleted and will be retained for defence against possible claims for the period specified by the Civil Code or to fulfil legal obligations imposed on the Controller.

Each time, the Controller will address the User's request, appropriately justifying further actions resulting from legal obligations.

DO WE TRANSFER USER DATA TO THIRD COUNTRIES?

User data may be transferred outside the European Union – to third countries. 

Due to the fact that the Controller uses external providers of various services, such as Meta Platforms Ireland Limited (Facebook and its subsidiaries), further referred to as Meta or Facebook, Google, Microsoft, etc., User data may be transferred to the United States of America (US) in connection with their storage on American servers (in their entirety or in part). Google and Facebook employ compliance mechanisms provided for by the GDPR (e.g., certifications) or standard contractual clauses for their services. They will only be transferred to recipients who guarantee the highest level of data protection and security, including through:  

1. cooperation with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued,
2. use of standard contractual clauses issued by the European Commission (as is the case, for example, with Google),
3. use of binding corporate rules approved by the relevant supervisory authority,

or to those to whom the User has given consent to the transfer of their personal data.

Detailed information is available in the privacy policy of each of these service providers, accessible on their websites. For example:

Google Ireland Limited      : https://policies.google.com/privacy?hl=pl

Meta Platforms Ireland Limited     .: https://www.facebook.com/privacy/explanation

UAB MailerLite: https://www.mailerlite.com/legal/privacy-policy

Currently, services offered by Google Ireland Limited and Meta Platforms Ireland Limited are mainly provided by entities located in the European Union. However, it is advisable to read the privacy policy of these providers each time to obtain up-to-date information regarding the protection of personal data. MailerLite may store some data in the United States or use service providers from this country, but the data is mainly processed in the European Union.

HOW LONG DO WE STORE USER DATA?

The User’s data will be stored by the Controller for the duration of providing specific services/achieving goals specified in the table above, as well as:

1. during the period of service provision and cooperation, as well as for the duration of the statute of limitations according to legal regulations – with regard to data provided by contractors, clients or Users,
2. during the period of conducting talks and negotiations preceding the conclusion of a contract or the provision of a service – with regard to data provided in the inquiry or quotation request,
3. during the period required by legal regulations, including tax law – with regard to personal data related to fulfilling obligations arising from applicable laws,
4. until the effective objection is raised under Article 21 of the GDPR – with regard to personal data processed based on the legitimate interests of the Controller, including for direct marketing purposes,
5. until the withdrawal of consent or the achievement of the processing goal, the business goal – with regard to personal data processed based on consent. After withdrawing consent, data may still be processed to defend against potential claims in accordance with the limitation period for these claims or a (shorter) period indicated to the User,
6. until the data becomes outdated or loses its relevance – with regard to personal data processed mainly for analytical and statistical purposes, the use of cookies, and the administration of the Controller's Websites,
7. for a maximum period of 3 years for individuals who have unsubscribed from the newsletter to defend against potential claims (e.g., information about the subscription date and the date of unsubscribing from the newsletter, the number of newsletters received, actions and activities undertaken related to received messages), or after a period of 1 year of no activity by a particular subscriber, e.g., not opening any messages from the Controller.

The data retention periods indicated in years are counted at the end of each year in which the data processing began. This is done to streamline the data processing and management process.

Detailed data processing periods for individual processing activities are included in the Controller's register of processing activities.

LINKS REFERRING TO OTHER WEBSITES

The Website may contain links referring to other websites. They will either open in a new browser window or in the same window. The Controller is not responsible for the content provided by these websites. The User is obliged to read the privacy policy or terms of service of these websites.    

DATA SECURITY

The personal data of the User is stored and protected with due diligence, following the internal procedures implemented by the Controller. The Controller processes information about the User using appropriate technical and organisational measures that meet the requirements of universally applicable legal regulations, especially those concerning personal data protection. These measures are primarily aimed at securing the personal data of Users from unauthorised access.

In particular, only authorised individuals who are obliged to keep this data confidential or entities entrusted with the processing of personal data based on a separate data processing agreement have access to the personal data of Users.

At the same time, the User should take care to secure their personal data transmitted over the Internet, especially by not disclosing their login credentials to third parties, using antivirus protection and keeping their software up to date.

WHO CAN BE THE RECIPIENTS OF PERSONAL DATA?

The Controller informs that they use the services of external entities.  Entities entrusted with the processing of personal data (such as courier companies, electronic payment intermediaries, accounting service providers, companies facilitating newsletter delivery) guarantee the application of appropriate measures for the protection and security of personal data required by legal regulations, especially the GDPR.

The Controller informs the User that they entrust the processing of personal data to the following entities including:

1. MH-INFO Sp. z o.o. with its registered office in Rzeszów at al. Tadeusz Rejtana 53A/113 – for the purpose of storing personal data on the server,
2. MH-INFO Sp. z o.o. with its registered office in Rzeszów at al. Tadeusz Rejtana 53A/113 – for the purpose of managing the domain and mail server,
3. Afera Studio Michał Kwiatkowski with its registered office in Bydgoszcz, at ul. Przemysłowa 8, Bydgoskie Centrum Biznesu, 85-758 Bydgoszcz – for the purpose of IT support or IT management of the Website,

1. other contractors or subcontractors engaged in technical, administrative or legal support services for the Controller and its clients, e.g., accounting, IT, graphic design, copywriting, debt collection agencies, lawyers, etc.

Personal data may also be disclosed to other recipients, including authorities such as the tax office, for the purpose of fulfilling legal and tax obligations related to settlements and accounting.

Entities processing personal data, like the Controller, ensure compliance with European standards for the protection of personal data, including standards set by legal acts and decisions of the European Commission. They apply compliance mechanisms, including when transferring data outside the EEA, such as standard contractual clauses adopted by the European Commission in decision 2021/915 of 4 June 2021, concerning standard contractual clauses between controllers and processors based on Article 28(7) of the Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of the Regulation (EU) 2018/1725 of the European Parliament and of the Council https://eur-lex.europa.eu/legal-content/PL/TXT/PDF/?uri=CELEX:32021D0915&from=PL.

HAVE WE APPOINTED A DATA PROTECTION OFFICER? The Personal Data Controller hereby informs that they have not appointed a Data Protection Officer (DPO) and independently performs the duties related to the processing of personal data.

The User acknowledges that their personal data may be disclosed to authorised state authorities in connection with proceedings conducted by them, upon their request and after meeting the conditions confirming the necessity of obtaining this data from the Controller.

DO WE PROFILE USER DATA?

The personal data of the User will not be used for automated decision-making that affects the User's rights, obligations or freedoms within the meaning of the GDPR.

Within the website and tracking technologies, the User's data may be profiled, helping to better personalise the offers sent by the Controller to the User (mainly through so-called behavioural advertising). However, this should not have any impact on the User's legal situation, especially on the terms of agreements already concluded or agreements they intend to conclude. It can only help in better matching content and targeted ads to the User's interests. The information used is anonymous and is not associated with personal data provided by the User, for example, in the purchasing process. It results from statistical data such as gender, age, interests, approximate location and behaviour on the Website.

Every User has the right to object to profiling if it would have a negative impact on their rights and obligations.

If you want to learn more about behavioural advertising, click here: https://www.youronlinechoices.com/pl/o-reklamie-behawioralnej

§4 FORMS

The Controller employs the following types of forms on the Website:

Contact form – allows sending messages to the Controller and contacting them electronically.  Personal data such as name, surname, email address, phone number and data provided in the message content are processed by the Controller in accordance with this Privacy Policy for the purpose of contacting the User.

After the contact with you is concluded, the data may be archived, which is a legally justified interest of the Controller. The Controller cannot specify the exact archiving period, and therefore, the deletion of messages. However, the maximum period will not exceed the statutory limitation periods resulting from legal provisions.

The Controller may entrust the processing of personal data to third parties without separate consent from the User (based on a data processing agreement). Data obtained from forms cannot be transferred to third parties.

 If the User uses services from external providers such as Google, they should read their privacy policy, available from these service providers on their websites.

§5 DISCLAIMER AND COPYRIGHT

1. The content presented on the Website does not constitute specialised advice or instructions (e.g., educational) and does not refer to a specific factual situation. If the User needs assistance in a specific matter, they should contact a person authorised to provide such advice or the Controller at the contact details provided. The Controller is not responsible for the use of the content on the Website or actions or omissions taken on its basis.
2. All content placed on the Website is subject to copyright of specified individuals and/or the Controller (e.g., photos, texts, other materials, etc.). The Controller does not consent to copying these contents in whole or in part without their explicit, prior consent.
3. The Controller hereby informs the User that any dissemination of content made available by the Controller constitutes a violation of legal provisions and may incur civil or criminal liability. The Controller may also demand appropriate compensation for the incurred material or non-material losses in accordance with applicable regulations.
4. The Controller is not responsible for the use of materials available on the Website in a manner contrary to the law.
5. The content on the Website is current as of the date of posting, unless otherwise indicated.

§6 TECHNOLOGIES

In order to use the Controller's website, it is necessary to have:

1. Device with access to the Internet,
2. Active email inbox receiving email messages,
3. Internet browser allowing the display of websites,
4. Software enabling the reading of content in presented formats such as pdf, video, mp3, mp4.

§7 COOKIE POLICY 

1. Similar to most websites, the Controller's Website uses tracking technologies, i.e., cookies, to improve the Website for the needs of its visitors.
2. The Website does not automatically collect any information except for the information contained in cookies.
3. Cookies are computer data, small text files that are stored on an end device, e.g., computer, tablet, smartphone, when you use the Website.
4. These can be own cookies (directly from the Website) and third-party cookies (from other websites than the Website).
5. Cookies allow customising the content of my website to the individual needs of the User and the needs of other users visiting it. They also enable the creation of statistics that show how users of the Website use it and navigate through it. This helps to improve my website, its content, structure and appearance.
6. The Controller uses the following third-party cookies on the Website:
7. Embedded Google Analytics code – for the purpose of analysing Website statistics. Google Analytics uses its own cookies to analyse the actions and behaviours of Website Users. These files are used to store information, such as which page the User came from to the current website. They help to improve the Website.

This tool is used under an agreement with Google Ireland Limited, but it is provided by Google LLC. The actions taken while using the Google Analytics code are based on the Controller's legitimate interest in creating and using statistics, which then allows for improving the Controller's services and optimising the Website.

While using the Google Analytics tool, the Controller does not process any User data that allows for identification.

The Controller recommends reviewing the details related to the use of the Google Analytics tool, the possibility of disabling the tracking code, and, if necessary, asking questions to the provider of this tool at the following link: https://support.google.com/analytics#topic=3544906 or reading the privacy policies at the following link: https://policies.google.com/privacy?hl=pl&_ga=2.64139695.1899084027.1676390445-251481724.1675757116.

1. Web push notifications from the browser – for better communication with the User and faster delivery of valuable content or offers, the Controller allows consenting to receive web push notifications from the User's browser.

In order to consent to receiving web push notifications, the User should select the “show notifications” or similar option on the message sent by their web browser (each browser may name this option differently).

Consent to receive the aforementioned notifications can be withdrawn at any time by changing the settings of the User's web browser. The Controller does not process any personal data of Users using web push notifications. Users are identified solely based on information stored by their web browsers, to which the Controller does not have access.

1. Tools for assessing the effectiveness of Google Ads advertising campaigns – for conducting advertising and remarketing campaigns, which is the legitimate interest of the Controller.

The Controller does not collect any data that would allow the identification of the User's personal data. The Controller recommends reviewing Google's privacy policy to understand the details of how these features work and their potential deactivation from the User's browser.

1. Content from external portals and websites of third-party providers,

The Controller may embed content from external portals, services, blogs and other external websites. In particular, these may include videos from YouTube or Vimeo and audio recordings on the SoundCloud portal.

These third-party entities may store certain data about the content played by the User. 

If you do not want this to happen, log out of the respective portal (if you have an account and are logged in) before visiting my Website or do not play specific content on the Website. You can also change your browser settings to block the display of specific content from specific portals. 

By playing recordings available on the SoundCloud portal, you are using services provided by SoundCloud, which is an independent entity providing electronic services to the User. Details regarding the processing of personal data by SoundCloud are included in the privacy policy of this portal: https://soundcloud.com/pages/privacy and the cookie policy: https://soundcloud.com/pages/cookies, as well as the terms of use: https://soundcloud.com/terms-of-use.

YouTube

The YouTube service is operated by Google Ireland Limited and allows for playing recordings found on the Controller's Website. YouTube may store cookies on the User's device about the playback of recordings and assigns them to the User's YouTube account if logged in.

By using recordings posted on the YouTube portal, the User is using electronic services provided by Google Ireland Limited. Details regarding the processing of personal data by YouTube are included in the Privacy Policy and terms of use of this portal: https://policies.google.com/privacy and https://www.youtube.com/t/terms.

1. Affiliate links and partner programmes

Affiliate links to specific products or services of third-party entities may appear on the Controller's Website. This is a way to monetise the content on the Website, which is generally provided free of charge. Clicking on a link will not result in any charges to the User. If you go to an external entity's website by clicking on an affiliate link and make a purchase, I may receive a commission. By using the Website, you agree to the use of cookies for this purpose.

Popup windows with advertisements for products from third-party entities may also appear on the Website, as part of the so-called Google AdSense. The Controller informs that they have no influence on the content or appearance of these ads, which are decided by the provider's algorithm, in this case, Google Ireland Limited.    You can modify ad settings and personalisation directly from your browser by visiting: https://adssettings.google.com/authenticated.

The provider also ensures the handling system and newsletter delivery as well as the contact form.

7. The Controller again recommends reviewing the privacy policy of each of the above service providers to understand the options for making changes and settings that ensure the protection of User rights.
8. Two types of cookies are used on the Website: session cookies, which are deleted after closing the browser, logging out or leaving the website, and persistent cookies, which are stored on the user's end device, allowing the recognition of the browser upon the next entry to the website, for a period specified in the cookie parameters or until they are deleted by the User.
9. In many cases, software used for browsing websites (web browser) allows the storage of cookies on the User's end device by default. Website Users can change cookie settings at any time. These settings can be changed, in particular, to block the automatic handling of cookies in the web browser settings or to inform about their placement in the User's device each time the Website is accessed. Detailed information on the possibilities and methods of handling cookies is available in the software settings (web browser).
10. The Controller informs that limiting the use of cookies (disabling or restricting them) may affect some functionalities available on the Website and make its operation more difficult.
11. More information about cookies is available at http://wszystkoociasteczkach.pl/ or in the “Help” section of the web browser menu.

§8 CONSENT TO COOKIES

During the first visit to the Website, you must give your consent to cookies or take other possible actions indicated in the message to continue using the content of the Website. Using the Website means giving consent.  If you do not want to give such consent, leave the Website. Additionally, you can always change your browser settings, disable or delete cookies. Necessary information can be found in the “help” section of the User's browser.

§9 SERVER LOGS

1. Using the Website involves sending queries to the server where the Website is stored.
2. Each query directed to the server is recorded in server logs. The logs include the User's IP address, server date and time, information about the internet browser and operating system used by the User.
3. The server logs are recorded and stored on the server.
4. The server logs are used to administer the Website, and their content is not disclosed to anyone other than individuals and entities authorised to administer the server.
5. The Controller does not use server logs in any way to identify the User.

Date of Privacy Policy publication: ___________________

Date of last update: ________________________