Privacy and Cookies Policy
Publication date: 01/12/2023.
I take your personal data and its protection very seriously. This Privacy Policy applies to personal data that I process in connection with my activity.
The document you are reading is based on legal provisions in the field of personal data, including the provisions of the GDPR (General Data Protection Regulation of 27 April 2016) and the Act of 10 May 2018 on the protection of personal data.
The content of the Privacy Policy may change at any time. I will inform you about the changes and provide the current version of the document. I cooperate with entities that provide a high degree of protection of the processed personal data.
Contact me
For any matter related to the protection of your personal data, you can contact me at email address info@looklashes.nl and phone number +31626303552.
Data Controller
The Data Controller of your personal data processed in connection with my activity is Katarzyna Borowiec, Look Lashes, Distelweide 129, 2272VS Voorburg, VAT EU:NL002509233B31
What does this Privacy Policy contain?
Here you will find information, among other things, about the principles of processing your personal data, the purposes for which I process your data, and the legal bases that allow me to do so, the tools I use as part of the website, as well as about the recipients of your data and your rights.
What data do I process, for what purpose and on what basis?
The personal data that I receive from you are processed for the following purposes and on the following legal bases:
PROCESSING PURPOSE | DATA RANGE | LEGAL BASIS
Contact with you | email address (first and last name), data contained in the message, phone number, other data provided by you in the correspondence | The legal basis for such processing is Art. 6 (1) a of the GDPR, which allows me to process data based on consent to respond to your message, and Art. 6 (1) f of the GDPR, which allows me to implement my legitimate interest, which is to ensure efficient and effective communication between the site administrator and the user.
Placing and executing an order for products/services | name and surname, address, email address, residential address, phone number, additionally: VAT number, data about the conducted business activity | Providing data is voluntary but necessary to execute the order. The legal basis for such processing is Art. 6 (1) b of the GDPR, which allows processing data for the purpose of taking actions aimed at concluding a contract and for the execution of a contract concluded through placing an order.
Issuing an invoice and fulfilling legal and tax obligations | data related to business activity, name and surname, address, VAT number | The legal basis for such data processing is primarily Art. 6 (1) c of the GDPR, which allows the processing of personal data if such processing is necessary for the administrator to comply with legal obligations.
Consideration of complaints and consideration of withdrawal from the contract | email address, name and surname, data contained in the content of the complaint, bank account number, residential address, phone number | The legal basis for such data processing is firstly Art. 6 (1) b of the GDPR, which allows processing personal data if they are necessary for the performance of a contract or to take actions aimed at concluding a contract, secondly Art. 6 (1) c of the GDPR, which allows processing personal data if such processing is necessary for the administrator to comply with legal obligations.
Marketing purpose (newsletter) | email address, first name, phone number | The legal basis for such data processing is primarily Art. 6 (1) a of the GDPR, i.e., your consent to receive commercial information from me, marketing content, and Art. 6 (1) f of the GDPR, which allows the processing of personal data if the administrator implements their legally justified interest (in this case, the interest is the marketing purpose of their own services and products).
Contact with you via ManyChat | identification data (name and surname, email address), publicly available information in social media profiles, associated pages and accounts, teleinformatic data (IP addresses, geographical location, usage data, cookie files data, browser data), data from chat history and content, information about the use of chatbot, other electronic and personal data, the scope of which is determined and controlled by the Administrator according to the available functions within the ManyChat service. | In order to provide you with informational or educational content without passing on commercial information, the Administrator processes your data for the purpose of direct marketing, directed to you based on Art. 6 (1) f of the GDPR, i.e., legally justified interest of the administrator. To present you with commercial information about products or services, the Administrator processes your data based on Art. 6 (1) a of the GDPR, i.e., your consent given before sending this information via ManyChat. To subscribe to the Administrator, i.e., to receive informational and educational content, as well as commercial information about services and products of the Administrator, the Administrator processes your data based on Art. 6 (1) a of the GDPR, i.e., your consent to the subscription given before sending this information via ManyChat. In order to fulfill the obligation in the case of certain content, the administrator processes your data based on Art. 6 (1) b of the GDPR in relation to the informational content sent depending on the content of the message sent as part of using the ManyChat tool.
Archival and evidential purpose, for the needs of securing information that can serve to prove facts | all data listed in the table concerning data processing by me | The legal basis for such data processing is Art. 6 (1) f of the GDPR, which allows processing personal data if the administrator implements their legally justified interest (in this case, the interest of the administrator is to have personal data that will allow proving facts related to the use of the site, performance of the contract, data processing on a legally justified basis).
Establishing, pursuing, or defending against claims | all the above-mentioned data | The legal basis for such data processing is Art. 6 (1) f of the GDPR, which allows processing personal data if the administrator implements their legally justified interest (in this case, the interest of the administrator is to have personal data that will allow establishing claims, pursuing claims, or defending against claims of users of the site or third parties or clients).
Managing the site, using tools to improve the site and analyze data related to the use of the site | IP, behavior on the site | The legal basis for such data processing is Art. 6 (1) f of the GDPR, which allows processing personal data if the administrator implements their legally justified interest (in this case, the interest of the administrator is to act to optimize the site, including the content presented on the site, to the needs of users, perfecting the administrator’s offer).
Using cookies on the site | IP, user behavior on the site | The legal basis for such data processing is Art. 6 (1) a of the GDPR, which allows processing personal data with your consent. You give your consent during the first visit to the site.
Managing the administrator’s profiles in social media | data that are related to the use of a given social media platform | The basis for processing is the administrator’s entitlement implemented based on Art. 6 (1) f of the GDPR, i.e., the legally justified interest of the administrator in managing the profile on a given platform and your consent (Art. 6 (1) a of the GDPR), which you express, e.g., by joining a group created by the administrator on a given platform.
Fulfilling obligations in the field of personal data protection (e.g., the obligation to create registers and records) | the scope of data is determined by legal provisions and varies depending on the content of the specific legal obligation resting on the administrator | The basis for processing is Art. 6 (1) c of the GDPR, i.e., it takes place based on legal provisions that require the processing of personal data.
Posting comments/opinions on the site | name, email address | The basis for processing is Art. 6 (1) a of the GDPR, i.e., your consent, which you express to add a comment on our site.
Your rights related to the processing of personal data
I inform you that you have the following rights related to the processing of your personal data:
If you want to exercise your right, write to the address indicated in this document.
Right of access to information — means that every person whose data is processed has the right to know what is happening with their personal data. Among other things, for this purpose, the Privacy Policy was created, which you are reading.
Right of access to personal data — means that if I, as the administrator of your data, receive a request from you for access to your data, then I am obliged to provide you with such information. I have to fulfill my duties in this respect, as a data administrator, immediately, no later than within a month. If this is impossible within this period, then I have the obligation to at least inform you whether I process your data and then I can extend the deadline for a complete response to your request by two months.
Right to rectification of personal data — means that you can demand the administrator of your data to correct incorrect data or complete incomplete data.
Right to Erasure of Personal Data, Right to be Forgotten — means that you can demand me, as the administrator of your personal data, to delete them, inform the person to whom your data was transferred about their deletion. You also have the right to demand that your data, which I have made public, also be deleted by other administrators. As the administrator of your data, I am also obliged, at your request, to inform you which recipients have been given your data subject to deletion.
Right to Restrict Processing of Personal Data — means that you can demand a restriction on the processing of your personal data. This happens, for example, when you disagree with the correctness of the processed data or when you believe you no longer need the data for processing purposes.
Right to Object to Processing of Personal Data — means that you can object to your data being processed by the administrator.
Right to Data Portability — means that under certain conditions you can request the transfer of your data directly to another specified administrator.
Right to Lodge a Complaint — means that if you believe that the processing of your data by me violates the law, you can file a complaint with the President of the Personal Data Protection Office.
Right to Withdraw Consent — means that if data is processed based on your consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing your personal data until the consent is withdrawn.
Recipients of Data
Your personal data may be transferred to third parties, whose services I use in connection with the operation of the websites www.looklashes.nl, www.looklashes-shop.com, and my social media profiles http://www.instagram.com/look.lashes/ and www.facebook.com/LookLashesKB. I ensure that I carefully select entities with whom I cooperate or whose services I use, always aiming to ensure adequate data protection.
Below you will find a list of all entities whose services I use. They are divided into two groups: the first group is entities that process data within the European Economic Area, and the second — entities that process data outside the European Economic Area (e.g., in the USA).
In the case of transferring personal data outside the European Economic Area, entities that perform such processing maintain an appropriate level of data protection in line with EU standards, among other things, by applying standard contractual clauses adopted by the European Commission.
Entities processing data in the European Economic Area
- Service providing IT system maintenance and hosting (maintaining data on a server).
- Provider of fast online payments
- Technical and Business Support
- Marketing Support
Entities processing data outside the European Economic Area:
- MANYCHAT INC., 535 Mission St, San Francisco, CA 94105, USA
- GoDaddy is headquartered in Tempe, 2155 E. GoDaddy Way, United States
- A tool for efficient communication with the community and for achieving marketing goals, enabling the sending of automated messages on the META platform within the Instagram social service.
- Shopify (USA) Inc’s headquarters is located at 33 New Montgomery St Ste 750 San Francisco California 94105.
- E-commerce platform.
Requirement to Provide Personal Data
Usually, providing personal data is voluntary and depends on your decision. However, there are times when providing certain personal data is necessary to meet your expectations in terms of concluding a contract or using my services. If you order a product — providing your data is necessary to fulfill your requests related to the concluded contract.
If you contact me in any matter related to the site, products, or services I provide, providing your contact data may be necessary to give you an answer to your question.
If the requirement to provide your data results from legal provisions — providing data is your obligation.
Automated Decision-Making and Profiling
Your data is not used by me for automated decision-making that could affect your legal situation or cause other similarly significant effects.
Tools implemented on the site may profile user behavior to improve the site and adapt displayed content to user preferences, where in this case, data is mainly analyzed anonymously (location, age, interests).
I use cookies and analytical tools like any website. Later in the Privacy Policy, I indicate how cookies work and how these actions affect you.
How Long Do I Process Your Data?
In accordance with applicable laws, I process your data only for as long as is needed to achieve the set goal. After this period, your personal data will be irreversibly deleted or destroyed. An additional year related to the processing of personal data collected for the purpose of executing a contract results from the fact that a report may be made by you just before the expiration of the limitation period.
I process your data for the period:
- 3 or 6 years + 1 year: regarding personal data processed for the purpose of establishing, pursuing, or defending claims; the choice of 3 or 6 years depends on whether both parties are entrepreneurs or not.
- Until effective objection or achievement of the processing goal: regarding personal data processed based on the legally justified interest of the administrator.
- Until becoming outdated or losing usefulness: regarding personal data processed mainly for the purposes of administering the website.
- Until withdrawal of consent or loss of usefulness: regarding personal data processed based on your consent, unless otherwise indicated at the time of giving consent.
Social Media
I run profiles on social media platforms, and this site contains plugins redirecting to them.
I am the administrator of the profile on a given platform, and I process your data (first name, last name, nickname, other data indicated by you on your profile) mainly for managing my profile, building a community, and interacting with followers.
The provider of the given social media platform sets the rules on the platform and the rules for processing data for its own purposes, so I encourage you to familiarize yourself with the terms and privacy policy of each platform. I do not process data collected by social media platforms for my own purposes.
Plugins leading to my profiles allow you to directly connect to my profile by clicking on the platform icon. The social media platform may obtain information about your use of my site, especially when you are logged in as its user.
If you do not want social media portals to obtain information about your activity, I recommend logging out of your profiles and using your browser in incognito mode.
On my site, you will find plugins redirecting you to my profiles on the platforms below, and I also indicate the privacy policies of the platforms so that you can familiarize yourself with them according to my recommendations:
- Facebook: https://www.facebook.com/LookLashesKB
- Platform Privacy Policy: https://www.facebook.com/privacy/explanation
- Instagram: https://www.instagram.com/look.lashes
- Platform Privacy Policy: https://help.instagram.com/519522125107875?helpref=page_content
- TikTok: https://www.tiktok.com/@looklashesacademy
- Platform Privacy Policy: https://www.tiktok.com/legal/privacy-policy?lang=pl
- YouTube: Look Lashes – Katarzyna Borowiec – YouTube
- Platform Privacy Policy: https://support.google.com/youtube/answer/7671399
- LinkedIn: __________________________________
- Platform Privacy Policy: https://www.linkedin.com/legal/privacy-policy
- Pinterest: __________________________________
- Platform Privacy Policy: https://policy.pinterest.com/pl/privacy-policy
Sending a Newsletter
The information below is just a summary regarding the sending of the newsletter by me. More information can be found here: Newsletter Terms and Conditions.
Your data provided in the newsletter sign-up form (first name, last name) are processed for the purpose of sending the newsletter and based on your consent. Remember to confirm your subscription to the newsletter after receiving the first message. If you don’t, you won’t receive further messages from me.
I use the services of a newsletter provider that ensures the protection of your data, i.e. _______________ based in / ___________________ (provider’s privacy policy is available at the link ___________________).
Your data will not be transferred to a third country outside the European Union for the purpose of sending the newsletter.
Providing your data in the newsletter sign-up form is voluntary but necessary to send you the newsletter based on your consent, as well as to send you information about marketing of own products or services based on my, as an administrator, legitimate interest (i.e., Article 6(1)(f) of the GDPR) and to pursue any claims related to sending the newsletter.
You will receive my newsletter until you end the subscription or until I stop sending the newsletter.
If there is no subscriber activity for 1 year, I may stop sending the newsletter, and in that case, I will remove you from my list of subscribers.
The mechanism for unsubscribing from the newsletter service (canceling the newsletter subscription) is not complicated and consists of clicking an active link with the information “Unsubscribe from the newsletter” or another of the same meaning.
After you exercise this right and unsubscribe from the newsletter, your data related to the newsletter subscription will be stored for the period necessary to defend against potential claims. This is my legitimate interest as the data administrator.
The personal data provided during the newsletter subscription may be transferred to the following entities: the service providing IT system maintenance and hosting, the email service provider, the newsletter service provider, and third parties supporting me in sending the newsletter, with whom I have entered into appropriate agreements.
Like in every case where I process your data, you have the right to access your data, receive a copy of it, the right to rectification, deletion, restriction of processing, the right to data portability, the right to object, and the right to withdraw consent at any time.
However, remember that withdrawing consent for data processing will not affect the legality of the data processing that has been carried out based on your consent before its withdrawal.
You also have the right to lodge a complaint with the President of the Office for Personal Data Protection if you believe that the processing of your data violates legal provisions. Your data will not be processed in an automated manner.
Withdrawal of consent for data processing
If the processing of personal data is based on consent, you can withdraw this consent at any time, at your discretion.
If you would like to withdraw consent for the processing of personal data, simply send an email directly to the Administrator’s address indicated at the beginning of this document.
If the processing of your personal data was based on consent, its withdrawal does not mean that the processing of personal data until that point was illegal. In other words, until the withdrawal of consent, I have the right to process your personal data, and its revocation does not affect the legality of the processing to date.
Comments and opinions on the website
I allow users to leave comments and opinions on the site. Adding a comment or opinion is entirely voluntary.
To leave a comment or opinion, fill out the form by providing your name and email address. By posting a comment or opinion on the site, you consent to the processing of data related to it.
The provider of the comment system on our site is ___________ (I recommend reviewing the provider’s privacy policy: _______________________). The provider of the opinion system on our site is ___________ (I recommend reviewing the provider’s privacy policy: _______________________).
Please adhere to the rules of mutual respect.
I reserve the right to moderate comments and opinions, particularly to remove those that are offensive, vulgar, promotional, or infringe on the rights and personal goods of other entities.
Cookies and tools implemented on the site
This website, like many others, uses cookies. Cookies are short text information stored on the device you use when browsing websites. They can be read by us (‘own cookies’, which we use to ensure the proper functioning of this site, improve our offer), as well as by systems belonging to other entities whose services we use (‘external cookies’). Remember, you have the right to change your browser’s cookie settings or delete them.
During the first visit to the site, information about the use of cookies is displayed.
My site uses the following tracking technologies:
- social media plugins redirecting to my social profiles, as mentioned above,
- analytical and marketing tools, such as: META Pixel, ManyChat.
META Pixel
META Pixel is an analytical tool, a piece of code implemented on the site, allowing for targeting marketing actions to people who have visited my site or are interested in my activities.
The data collected as part of the tool are anonymous (location, gender, age, online activity), although the provider may combine them with data that it has collected about you as part of your use of its platform.
META Pixel helps me determine the effectiveness of my ads, reach a specific audience, and shows their reactions to my activities.
Read more about the tool on the provider’s website: https://pl-pl.facebook.com/business/help/742478679120153?id=1205376682832142.
ManyChat
I use ManyChat, a tool that facilitates communication with you on social media (e.g., Instagram) in my marketing activities. ManyChat allows you to send messages to you with content specified by me.
I can use the ManyChat tool in several ways:
- Send you content without commercial information or direct marketing
- Send you commercial information and direct marketing
- Send you content containing commercial information, direct marketing, and allow you to subscribe within the ManyChat tool
To send you an educational or informational message, it is enough that you use the ‘keyword’ in the comment to my content published as part of my channel on social media, including on the Instagram platform.
Then, I can send you messages of this nature for 24 hours. After this time, the conversation window will no longer be current, and I will not write automated messages to you.
If you do not want to receive messages from me, it is enough not to use the ‘keyword’. After receiving a message from me, you can object or withdraw the given consent, depending on the basis of data processing.
To send you messages containing commercial information or direct marketing via ManyChat, I need your consent.
You can give this consent upon the first message sent to you after you use the ‘keyword’, which is sent by me to you using the ManyChat tool.
Using the keyword triggers the ManyChat tool. If you do not want to receive messages of this nature, do not give me consent and do not enter the ‘keyword’, which is indicated under each of my content in which I use automation.
The message containing commercial information can only be sent to you for 24 hours from the moment you enter the ‘keyword’ and give consent. You can withdraw the given consent at any time.
To send you commercial information, messages containing direct marketing related to my products or services, I need your consent. The same applies to using the subscription option within the ManyChat tool.
By subscribing, I can send messages to you for longer than 24 hours.
If you do not want to receive messages from me, it is enough not to use the ‘keyword’ and not to express consent to send messages.
In each of the above situations, you can withdraw the given consent at any time.
I carry out marketing activities and contact you through the ManyChat tool, as it is an official Business Partner of Meta Inc, a trusted and verified entity by Meta Inc.
According to ManyChat’s declarations, it complies with Meta’s security guidelines, including Meta’s data security requirements and Meta’s Privacy Policy. As part of the Meta Business Partner requirements, ManyChat is subject to periodic audits for compliance with Meta guidelines.
ManyChat, as a marketing tool or for communication with my community, plays two roles in data processing:
- it can act as a data controller, usually in relation to my data, and
- it is a data processor, usually in relation to your data.
The data that ManyChat can process as a processor include your identification data (name and surname, email address), publicly available information in your social media profiles, your linked pages and accounts, teleinformatics data (IP addresses, geographical location, usage data, cookie data, browser data), and others.
In addition, if I communicate with you via ManyChat or enter data into this service, your identification data, publicly available information about the social media profile (photo, name, date of birth, gender, geographic location), chat history and content, chatbot usage information, and other electronic data sent, stored, sent or received by you and other personal data, the scope of which is determined and controlled by me and in accordance with the available functions within the ManyChat service, will also be processed, about which I will inform you before processing these data, if it occurs.
The source of obtaining the above-mentioned data is the registration process in the ManyChat service and the use of this service both by me and by you, in particular communication with you and integration of applications (e.g., Facebook, Instagram, Telegram, Zapier) and other applications specified on the page http://www.apps.manychat.com/.
An integral part of my agreement with ManyChat (Terms of Use: https://manychat.com/legal/tos) is an annex regarding data processing, which defines the rules for data processing by ManyChat. You can read more here: https://manychat.com/legal/dpa.
ManyChat as a processor processes data until the termination of the contract with me, and as an administrator also until the resignation from receiving marketing communications and the expiry of the legally required period of their storage, including until the limitation period for claims.
In connection with the use of ManyChat, personal data may be transferred outside the European Economic Area based on Standard Contractual Clauses.
According to ManyChat’s declaration, it also applies appropriate security measures for data processing. Detailed information about the security measures applied by ManyChat can be found at the link: https://manychat.com/legal/dpa.
ManyChat also uses subprocessors, which means that your data may be transferred to these entities as part of the use of the ManyChat service.
ManyChat cooperates with the following entities:
Subcontractors processing for the purpose of providing the ManyChat Service:
Name | Purpose of processing | Location
Amazon Web Services, Inc. | Cloud service provider in hosting and data storage | USA
Freshworks, Inc. | Cloud-based software supporting customer interactions, e.g., through chat or email | USA
Hotjar Limited | Affiliate partner marketing | USA
InMoment, Inc. (Wootric) | Marketing (NPS) | USA
Intercom, Inc. | Cloud-based CRM platform | USA
PartnerStack, Inc. | Affiliate partner marketing | USA
Stripe, Inc. | Payment and billing gateway | USA
The Rocket Science Group LLC d/b/a Mailchimp | Ad hoc email communication with the Client | USA
Zoom Video Communications, Inc. | Video conferencing system | USA
Usercentrics GmbH | Consent management service | Germany
ManyChat partners:
Name | Purpose of Processing | Location
Manychat, Inc. | Services and support | USA
OctoHub LLC | Services and support | Armenia
ManyChat, SL | Services and support | Spain
These entities may change, so you can regularly check here and at https://manychat.com/legal/service-providers.
I have also subscribed to ManyChat notifications, available at www.manychat.com/legal/subscribe-subprocessor-updates, so ManyChat will send me a notification about engaging a new Sub-Processor at least ten calendar days before the new entity gets access to the data.
Learn more about data processing by ManyChat and the security measures applied by clicking the links below:
https://manychat.com/legal/dpa
https://manychat.com/legal/privacy
https://manychat.com/legal/service-providers
I may use the help of third parties who technically support me in operating ManyChat. I use entities for whom the protection of your data is important and enter into appropriate data processing agreements with them.
Final Provisions
The materials posted on this website constitute the administrator’s own intellectual creation and are legally protected.
Using the provided content beyond the permitted personal use may result in the risk of criminal and civil liability.
If you have doubts about the legal nature of the provided content (or how you can legally use it), write me a message (email address indicated at the beginning of this document), and I will provide you with a comprehensive answer.
Remember also that the provided contents are educational in nature and do not constitute and do not replace individual expert advice.
Finally, I remind you that the content of this Privacy Policy may change, for example, when I change the service provider or the functionality scope on the site. For your convenience, the date of the Privacy Policy update is indicated at the beginning of the document.
Thank you for your time!
Look Lashes
Distelweide 129
2272VS Voorburg
The Netherlands
Email: info@looklashes.nl