1. Data controller
The data controller of personal data is a company registered in Estonia under the name Pybe OÜ, registered office address: Sepapaja 6 – Tallinn 15551 – Estonia, Registry code: 16150380
Our contact details:
- Correspondence address: Sepapaja 6 – Tallinn 15551 – Estonia
- E-mail address: firstname.lastname@example.org
- You can also contact us by using contact forms or support systems available on the Website.
2. What personal data we process
The Administrator processes the following personal data of the Users on the Website:
- First name and last name;
- User’s name (nick) on the Website;
- E-mail address;
- Bank account number / other payment details and purchase history;
- Image (if, for example, you post your photo on the Website);
- User’s data from social media (if the User connects his Account with a social media account or uses “plugins” on the Website);
- IP address.
It may happen that the Administrator will also process other personal data that the User provides to us on his/her own.
3. How do we collect your personal data
We obtain information about Users through the Website, for example in the following way:
- Through your use of the Website, when the User provides information about himself/herself on the Website, e.g. when the User registers an Account or makes a purchase;
- When the User contacts the Administrator using the forms available on the Website;
- When we contact you, e.g. when we ask you to give us your opinion about your purchase;
- In an automated manner when you use the Website, e.g. by saving cookies.
We use a number of IT and organizational security measures to minimize the risk of seizure, destruction or disintegration of data, such as: firewall system, anti-virus and anti-spam security systems, internal access procedures, data processing and emergency recovery, as well as a backup system operating at many levels. Your personal data is stored on external servers. Whenever possible, we use a high level of HTTPS / SSL connection encryption in accordance with accepted best practices.
However, please remember that using the Internet always carries the risk of specific security incidents. We assure you that, thanks to the implemented procedures, we aim to reduce this risk as much as possible through regular reviews of IT systems and their updates, as well as active monitoring of critical system points.
4. Personal data of minors.
Pursuant to the provisions of T&C, in order to use the Services, you should have full legal capacity, which basically means that you must be at least 18 years old. We do NOT intentionally process any personal data of persons under 18 years of age.
5. Personal data of minors.
The Administrator is authorized to process personal data in cases where at least one of the following conditions is met: (1) the data owner has agreed to the processing of his/her personal data in one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data owner is party or to take action at the request of the data subject prior to the conclusion of the contract; (3) processing is necessary to fulfill the legal obligation of the Administrator; or (4) processing is necessary for purposes arising from legitimate interests pursued by the Administrator or by a third party, except when the interests or fundamental rights and freedoms of the data owner, requiring the protection of personal data, prevail over those interests.
Your personal data will be processed for the following purposes and for the following periods:
| The purpose of data processing | Legal basis for personal data processing | Data retention period | Requirement for providing data – contractual* / statutory** |
|---|---|---|---|
| Registration and maintenance of the User’s Account or Affiliate Account on the Website. | Article 6 sec. (1) letter (b) of the GDPR (performance of the contract) | From the date of registration of the Account until the Account is deleted. | Contractual |
| Processing of purchases and transactions. | Article 6 sec. (1) letter (b) of the GDPR (performance of the contract) | Period necessary to process a specific purchase or transaction and to process claims arising from these purchases and transactions (no longer than 10 years from the given purchase or transaction) | Contractual |
| Newsletter | Article 6 sec. (1) letter (a) of the GDPR (consent) | Until the consent is revoked. | Contractual |
| Reply to inquiries submitted through Website contact forms | Article 6 sec. (1) letter (a) of the GDPR (consent) | The period necessary to answer the inquiry addressed to the Administrator. | Contractual |
| Direct marketing | Article 6 sec. (1) letter (f) of the GDPR (legitimate interest) | No longer than 3 years from the last User’s purchase, unless the User previously objects to the processing of his / her data for direct marketing purposes. | N/A |
| Expressing an opinion about the purchase by the User | Article 6 sec. (1) letter (f) of the GDPR (legitimate interest) | No longer than for the period of availability of a given product, unless the User previously objects to the processing of his / her data for this purpose. | N/A |
| Statistical purposes. Improving the Services we offer. | Article 6 sec. (1) letter (f) of the GDPR (legitimate interest) | No longer than 5 years from collecting personal data of a given person. | N/A |
| Analysis of the frequency of Users’ refund requests. Preventing abuse. | Article 6 sec. (1) letter (f) of the GDPR (legitimate interest) | The data is stored for the duration of the legitimate interest pursued by the Administrator, but no longer than 5 years from the date of the last refund request submitted by the User. | N/A |
| Fraud detection, investigation and prevention | Article 6 sec. (1) letter (f) of the GDPR (legitimate interest) | The data is stored for the duration of the legitimate interest pursued by the Administrator, but no longer than during the period of limitation of given claims related to the business activity conducted by the Administrator. | N/A |
| Establishment, investigation, defense of other claims that may be raised by the Administrator or which may be raised against the Administrator. | Article 6 sec. (1) letter (f) of the GDPR (legitimate interest) | The data is stored for the duration of the legitimate interest pursued by the Administrator, but no longer than during the period of limitation of given claims related to the business activity conducted by the Administrator. | N/A |
| Settlement of transactions. Keeping tax books | Article 6 sec. (1) letter (c) of the GDPR (legal obligation) | The data is stored for the period provided by applicable laws (describing the time period during which accounting or tax documents have to be kept) | Statutory |
| Dealing with complaints | Article 6 sec. (1) letter (c) of the GDPR (legal obligation) | The period necessary to deal with a given complaint, no longer than expiration period of the claims arising from the complaint. | Statutory |
| Handling abuse reports or reports about infringement of third party rights | Article 6 sec. (1) letter (c) of the GDPR (legal obligation) | The period necessary to deal with a given report. | Statutory |
| Compliance with other laws applicable to the business activity conducted by the Administrator (e.g. anti-money laundering laws) | Article 6 sec. (1) letter (c) of the GDPR (legal obligation) | The data is stored for the period required by applicable laws (describing the time period during which data has to be processed in order to comply with legal obligation). | Statutory |
* if the requirement to provide data is contractual, it means that providing data is a condition for concluding a contract or providing a service by the Administrator. Providing personal data is voluntary, but the consequence of not providing data will be the inability to conclude a contract with the Administrator or the inability to provide the service by the Administrator.
** if the requirement to provide data is statutory, it means that providing data is necessary for the Administrator to fulfill his obligations under generally applicable law. Failure to provide data will prevent the Administrator from performing these obligations and may result in refusal to provide specific Service to the User.
6. Your rights
Each data subject has the following rights:
- 1) The right of access to personal data;
- 2) The right to rectify personal data;
- 3) The right to erase personal data;
- 4) The right to request the transfer of personal data (right to data portability);
- 5) The right to object for reasons related to the special situation of the data subject to the processing of their personal data based on the legitimate interest of the Administrator, including profiling on this basis;
- 6) The right to object to the processing of personal data for direct marketing purposes, including profiling, to the extent that the processing is related to such direct marketing;
- 7) If personal data is processed by the Administrator on the basis of consent – the right to withdraw consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
- 8) The right to file a complaint with the supervisory authority.
7. Personal data recipients
Your personal data may be shared by us with third parties (so-called recipients). The sharing of personal data is necessary for the provision of Services on the Website and for the fulfillment of our contracts, or in order to comply with a legal obligation, or it is related to our legitimate interest.
The categories of recipients with whom we may share your personal data are as follows:
- 1) Payment operators handling payments on the Website – in order to process payment for your purchase or transactions between you and us;
- 2) Service providers who provide us with technical, IT and organizational solutions (e.g. software suppliers, e-mail providers, hosting providers, cookies providers etc.);
- 3) Entities providing the Administrator with accounting, legal or advisory support;
- 4) Entities who provide us with online advertising targeting and measurement services (e.g. Google Adwords);
- 6) Social media – if you use plugins of such social media available on the Website;
- 7) Public authorities – if we are obliged to do so pursuant to a decision of an appropriate public authority.
8. Transfer of data outside of the EU
We are based in the European Union (EU), but the Website has a global reach. It is therefore possible that your personal data may be transferred outside of the EU.
Your personal data may, for example, be transferred to the USA in the following ways:
- to Facebook (Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA) – if you use a “plugin” of the given social media available on the Website. The plugin contains the logo of a given social media site. The plugin allows you to connect the User directly to his/her profile on a given social media. Facebook may then obtain information that the User has used the Website.
- to Quality Unit LLC (3 Germay Dr unit 4-1130, Wilmington, DE 19804, USA) – if you sign up to our Affiliate Program.
Privacy laws in countries outside of the EU may not offer the same level of protection as in an EU country. However, if we share your data outside of the EU, we will ensure an appropriate level of protection for your data. Such transfer will be based on:
- an adequacy decision by the European Commission (Article 45 of the GDPR);
- recognized appropriate safeguards, such as standard data protection clauses (Articles 46-47 GDPR);
- in the absence of a decision of the European Commission or solutions provided for in articles 46-47 of GDPR, the transfer of data outside the EU will take place on the basis of art. 49 sec. 1 point a) or point b) of the GDPR, i.e. the transfer of data will be based on your consent or transfer will be necessary for the performance of a contract to which the User is a party or to take pre-contractual measures to which the User is a party.
Personal data may be processed in an automated manner, including in the form of profiling.
Profiling will be aimed at adjusting the offers of purchase of the Products to expected preferences of the User, based on previous purchases or previously viewed offers.
We assure you that automated data processing and profiling will not cause any negative effects for the User.
We use several types of cookies on the Website:
- Necessary cookies. Necessary cookies enable basic functions of the website. The website will not work properly without these cookies.
- Analytical cookies and cookies that improve performance. These cookies collect information on how Users use the Website and Services and allow us to improve the functioning of the Website. An example of analytical cookies are cookies used within Google Analytics.
- Functional cookies. These cookies make it possible to remember the choices made by the User while using the Website and Services. As a result, we will try to provide Users with personalized functionalities.
- Advertising cookies. The Website uses advertising networks to manage advertising content displayed on the Website. Other entities may use tracking technologies to collect information about your activity on websites in order to deliver advertisements that are assessed as matched for you (e.g. the Google Adwords network).
It is also possible to distinguish the following types of cookies:
- Session cookies: they are stored on the User’s device and remain there until the end of the browser session.
- Persistent cookies: they are stored on the User’s device and remain there until they are deleted. Ending a browser session or turning off the device does not delete them from the User’s device.
Cookies placed on the User’s end device may also be used by advertisers and partners cooperating with the Website operator. It is recommended to read the privacy protection policies of these entities to learn about the rules of using cookies in the statistics. Cookies may be used by advertising networks, in particular the Google network, to display advertisements matched to the manner in which the user uses the website. For this purpose, they may keep information about the user’s navigation path or the time spent on a given page.