Privacy policy

This Privacy Policy describes how we process information about you, including personal data and cookies, in compliance with the General Data Protection Regulation (GDPR).

  1. General Information

    This policy applies to websites operating under the URL: holivica.com.

    The operator of the service and controller of personal data (hereinafter "Controller" or "We") is: Holivica sp. z o. o., Henryka Wolińskiego Street 24A/50, 20-491 Lublin, Poland, VAT EU PL9462738041.

    Controller's contact email address: shop@holivica.com.

    The Controller is responsible for your personal data, whether voluntarily provided on the Website or collected automatically.

    The Website uses your personal data for the following purposes, based on the legal grounds detailed in Section 4:

    • Operating the newsletter (Consent)
    • Conducting online chat conversations (Consent for initiation, Contract/Legitimate Interest for follow-up)
    • Order processing, including preparation, packaging, and shipping of goods (Contract)
    • Customer relationship management and order management (Contract, Legitimate Interest)
    • Providing requested services (Contract)
    • Presenting offers or information (Legitimate Interest or Consent, depending on context)
    • Online advertising, remarketing, and campaign measurement (Consent)
    • Improving website functionality and user experience (Legitimate Interest, Consent for non-essential cookies)
    • Complying with legal obligations (Legal Obligation)

    The Service performs functions of acquiring information about users and their behavior in the following ways:

    • Through data voluntarily entered in forms, which are entered into the Controller's systems.
    • By storing cookie files and similar tracking technologies (e.g., pixels, tags) on end devices, subject to your consent where required.
    • Through data processed by our e-commerce platform provider (Shopify) as a data processor.
    • Through data processed by our order management system (BaseLinker) as a data processor.

  2. Selected methods of data protection used by the Operator

    Login and personal data entry points are protected in the transmission layer (SSL certificate). This ensures that personal and login data entered on the website are encrypted on the user's computer and can only be read on the target server.

    We regularly review our security measures and update them as necessary.

  3. Hosting and E-commerce Platform

    The website is hosted and our e-commerce services are provided by Shopify International Ltd. (or the relevant Shopify entity as per our agreement with them), which acts as a data processor on our behalf. Shopify processes data in accordance with our instructions and their Data Processing Addendum. For more information on how Shopify processes data, please refer to Shopify's Privacy Policy.

  4. Your rights and further information on how your data is used

    In certain situations, the Controller has the right to transfer your personal data to other recipients if this is necessary for the performance of a contract concluded with you, for the fulfillment of obligations incumbent on the Controller, or based on your consent. This concerns the following categories of recipients:

    • Shopify (our e-commerce platform provider and hosting company)
    • Order management and CRM systems (e.g., BaseLinker Sp. z o.o.)
    • Couriers (e.g., Fastway for deliveries to Ireland, Packeta for other cross-border EU deliveries)
    • Postal operators
    • Insurance companies (if applicable for shipping)
    • Banks and Payment operators (for processing payments)
    • Comment system operators (if used, subject to your interaction)
    • Online chat solution providers (if used, subject to your interaction)
    • Authorized employees and associates who require access to the data to achieve the purpose of the website and fulfill your orders.
    • Advertising and analytics partners (e.g., Meta Platforms Ireland Ltd. and its global affiliates including Meta Platforms Inc., Google Ireland Ltd. and its global affiliates including Google LLC, TikTok Technology Ltd. and its global affiliates including TikTok Inc.), for the purpose of online advertising, remarketing, audience building, and campaign measurement. The use of their tracking technologies is subject to your explicit consent.
    • Companies providing other marketing services to the Controller (e.g., email marketing platforms, subject to your consent where required).

    Legal Basis for Processing:

    We process your personal data based on the following legal bases under GDPR:

    • Consent (Article 6(1)(a) GDPR): Where you have given clear consent for us to process your personal data for a specific purpose (e.g., subscribing to our newsletter, consenting to non-essential cookies and tracking technologies for advertising and analytics). You can withdraw your consent at any time.
    • Contract (Article 6(1)(b) GDPR): When processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract (e.g., processing your order, delivering goods, providing customer support related to your purchase, order management).
    • Legal Obligation (Article 6(1)(c) GDPR): When processing is necessary for compliance with a legal obligation to which we are subject (e.g., tax and accounting requirements, responding to legal requests).
    • Legitimate Interests (Article 6(1)(f) GDPR): When processing is necessary for our legitimate interests or the legitimate interests of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (e.g., internal order management, improving our core services, fraud prevention, direct marketing to existing customers about similar products (subject to ePrivacy rules), ensuring the security of our website). You have the right to object to processing based on legitimate interests.

    Data Retention:

    Your personal data processed by the Controller will be kept no longer than necessary for the purposes for which the personal data are processed. Specific retention periods include:

    • Data necessary for the performance of a contract (e.g., order details): for the duration of the contract and thereafter for the period required by law (e.g., accounting or tax regulations, typically 5-7 years).
    • Data processed based on consent (e.g., newsletter subscription, consent for marketing cookies): until you withdraw your consent or the data is no longer needed for the consented purpose.
    • Marketing data (where processed based on legitimate interest or consent): for no more than 3 years from your last interaction or until consent is withdrawn/objection is raised.
    • Data for analytical purposes: typically anonymized or pseudonymized and retained as long as necessary for the analytical purpose.

    Your Rights:

    You have the following rights regarding your personal data:

    • Right of access: You can request access to the personal data we hold about you.
    • Right to rectification: You can request correction of inaccurate or incomplete personal data.
    • Right to erasure ('right to be forgotten'): You can request the deletion of your personal data under certain conditions.
    • Right to restriction of processing: You can request that we limit the processing of your personal data under certain circumstances.
    • Right to data portability: You can request to receive your personal data in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller where processing is based on consent or a contract and is carried out by automated means.
    • Right to object: You have the right to object to the processing of your personal data where it is based on our legitimate interests, including profiling. You also have the absolute right to object to processing for direct marketing purposes.
    • Right to withdraw consent: If processing is based on your consent, you have the right to withdraw that consent at any time.

    To exercise any of these rights, please contact us at shop@holivica.com.

    Right to Lodge a Complaint:

    You have the right to lodge a complaint against the Controller's actions with a supervisory authority. The lead supervisory authority for Holivica sp. z o. o. is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), Stawki 2, 00-193 Warsaw, Poland. Website: https://uodo.gov.pl/.

    If you are a resident of Ireland, you also have the right to lodge a complaint with the Irish Data Protection Commission (DPC), 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland. Website: https://www.dataprotection.ie.

    Provision of Data:

    Providing personal data is voluntary. However, providing certain personal data is necessary for the operation of the Service and to enter into a contract with us. Failure to provide this data may result in the inability to use certain services or complete transactions.

    Automated Decision-Making and Profiling:

    Automated decision-making, including profiling, may occur in relation to you for the purpose of providing services under the concluded contract (e.g., fraud detection) and, subject to your explicit consent, for the purpose of direct marketing and online advertising (e.g., personalizing offers and ads based on your browsing history or purchase history). You have rights related to automated decision-making as described above.

    International Data Transfers:

    Personal data may be transferred to, and processed in, countries outside the European Economic Area (EEA), known as "third countries". This primarily occurs when using services from providers such as:

    • Shopify (for e-commerce platform hosting and processing, potentially with data centers in North America or other regions outside the EEA).
    • Meta Platforms Inc. (USA), Google LLC (USA), TikTok Inc. (USA) for advertising and analytics services, where data collected through pixels/tags on our website is transferred to their servers in the USA or other third countries.

    For such transfers, we and our partners rely on appropriate safeguards as required by GDPR to protect your personal data to a standard equivalent to that within the EEA. These safeguards typically include Standard Contractual Clauses (SCCs) approved by the European Commission, or an adequacy decision where applicable. Our order management system (BaseLinker Sp. z o.o.) and primary EU courier (Packeta) are based within the EEA and are expected to process data within the EEA, though you should consult their privacy policies for details on their sub-processors. For more details on the specific safeguards used by our key processors like Shopify, Meta, Google, and TikTok, please refer to their respective privacy policies and data processing addenda/agreements.

  5. Information in forms

    The service collects information voluntarily provided by the user, including personal data, if provided.

    The service may record information about connection parameters (timestamp, IP address).

    The data provided in the form are processed for a purpose resulting from the function of a specific form, e.g., to process a service request or business contact, service registration, etc. The context and description of the form always clearly inform about the purpose of data collection and the legal basis for processing.

  6. Administrator logs

    Information about user behavior on the websites may be logged. This data is used for the administration of the service, to ensure its security, and for statistical analysis to improve the service, based on our legitimate interest.

  7. Relevant marketing techniques, Advertising, and Analytics

    The Operator uses various marketing and analytics tools, subject to your consent where required:

    • Google Analytics: We use Google Analytics (Google Ireland Ltd. and its global affiliates including Google LLC) for statistical analysis of website traffic. We transmit anonymized or pseudonymized information to Google Analytics. This service is based on the use of cookies on the user's end device. We will only use Google Analytics cookies if you provide your explicit consent through our cookie consent management tool. You can find out more about how Google uses data at www.google.com/policies/privacy/partners/.
    • Meta Pixels (Facebook & Instagram Ads): We use Meta Pixels provided by Meta Platforms Ireland Ltd. (and its global affiliates including Meta Platforms Inc.). These pixels are small pieces of code on our website that allow us to measure, optimize, and build audiences for our advertising campaigns on Meta platforms. They enable us to track conversions, show ads to people who have visited our website (remarketing), and create lookalike audiences. Data collected may include your IP address, browser type, pages visited, and actions taken. Use of Meta Pixels is subject to your explicit consent. For more information, see Meta's Privacy Policy.
    • Google Ads Tags: We use Google Ads conversion tracking tags and remarketing tags provided by Google Ireland Ltd. (and its global affiliates including Google LLC). These tags help us measure the effectiveness of our advertising campaigns on Google's advertising network and to show targeted ads to users who have previously visited our site. Data collected may include your IP address, cookie ID, and browsing behavior. Use of these tags is subject to your explicit consent. For more information, see Google's Privacy Policy.
    • TikTok Pixel: We use the TikTok Pixel provided by TikTok Technology Ltd. (and its global affiliates including TikTok Inc.). This pixel helps us track user actions on our website after viewing or clicking on our TikTok ads, measure ad performance, and build audiences for advertising on TikTok. Data collected may include your IP address, device information, and browsing activity. Use of the TikTok Pixel is subject to your explicit consent. For more information, see TikTok's Privacy Policy.

    The use of all such tracking technologies for advertising and personalized analytics is based on your explicit consent, which you can manage through our cookie consent tool.

  8. Information about cookies and similar technologies

    Websites use cookies and similar technologies (e.g., pixels, tags). Cookies are small text files stored on the User's end device. Pixels and tags are small pieces of code embedded in web pages or emails that can transmit information.

    The website uses different types of cookies/technologies:

    • Strictly Necessary Cookies: Essential for website functionality, security, and transaction processing. They do not require consent.
    • Performance/Analytical Cookies: Help us understand how visitors interact with the website (e.g., Google Analytics). These require your consent.
    • Functional Cookies: Remember choices you make to improve your experience (e.g., language preferences). These may require your consent.
    • Marketing/Targeting Cookies & Pixels: Used to deliver relevant advertisements, track ad effectiveness, and build audiences (e.g., Meta Pixel, Google Ads Tags, TikTok Pixel). These require your explicit consent.

    Cookies can be "session" or "persistent". "Session" cookies are deleted when you close your browser. "Persistent" cookies remain on your device for a set period or until you delete them.

    We use a cookie consent tool to manage your preferences for non-essential cookies and tracking technologies. You can change your consent choices at any time through this tool.

  9. Cookie management - How to grant and withdraw consent in practice?

    You can manage your preferences for non-essential cookies and tracking technologies through our cookie consent management tool, which will appear when you first visit our website and is usually accessible via a link in the website footer.

    Additionally, you can change your browser settings to refuse or delete cookies. Disabling cookies essential for authentication, security, or user preferences may impact website functionality. Consult your browser's help documentation for instructions.

    This Privacy Policy may be updated from time to time. We will notify you of any significant changes by posting the new policy on our website and updating the "Last Updated" date. We encourage you to review this policy periodically.

    Last Updated: 03.06.2025