Privacy Policy
ONLINE SHOP PRIVACY POLICY – IvyDuston.com
TABLE OF CONTENTS
- General Provisions
- Basis for the Processing of Data
- Purpose, Basis and Period of Processing Data in the Online Shop
- Data Recipients in the Online Shop
- Profiling in the Online Shop
- The Rights of the Data Subject
- Cookies in the Online Shop and Analytics
- Final Provisions
1. GENERAL PROVISIONS
1.1. This Privacy Policy of the Online Shop is of informative nature, which means it is not a source of obligations for Service Recipients or Customers. It contains the principles concerning the processing of data by the Controller, including the basis, purpose, period of processing, and rights of data subjects, as well as information regarding the use of cookies and analytical tools.
1.2. The Controller of personal data collected via the Online Shop is WinCulum Spółka z o.o., based in Rzeszów, Poland (address: al. Józefa Piłsudskiego 17/4, 35-074 Rzeszów, Poland), registered in the register of entrepreneurs of National Court Registry under the number (KRS): PL0001079984; register court which holds the company’s documentation: District Court based in Rzeszów, XII Commercial Department of National Court Registry; tax ID no. NIP (VAT UE): PL5170443265, National Economy Register No. REGON 527405460; email: kontakt@iwonaduszynska.pl, phone: +48 517 163 512. Hereinafter referred to as the “Controller” and being simultaneously the Service Provider of the Online Shop and the Seller.
1.2. The Controller of the personal data collected via the Online Shop shall be the company WinCulum Iwona Duszyńska based in Rzeszów, Poland (the office address and correspondence address: al. Józefa Piłsudskiego 17/4, 35-074 Rzeszów, Poland), e-mail address: kontakt@iwonaduszynska.pl and telephone number: +48 517 163 512 – hereinafter referred to as “Controller” and being simultaneously the Service Provider of the Online Shop and the Seller.
1.3. The Controller processes personal data in accordance with GDPR (EU Regulation 2016/679) and Philippine Data Privacy Act of 2012 (Republic Act No. 10173), ensuring compliance with the rights of natural persons located in the Philippines.
1.4. Using the Online Shop, including shopping, is voluntary. Providing personal data is voluntary, except where necessary for:
- (a) entering into contracts with the Controller;
- (b) fulfilling statutory obligations.
1.5. The Controller ensures that personal data are: processed legally and correctly, collected for specific purposes, accurate, stored no longer than necessary, and secured against unauthorized access, loss, or damage.
1.6. The Controller applies appropriate technical and organizational measures to protect personal data, reviewed and updated regularly.
1.7. Any words starting with a capital letter (e.g., Seller, Online Shop) are defined in the Online Shop Regulations.
2. BASIS FOR THE PROCESSING OF DATA
2.1. The Controller processes personal data only when at least one of the following is met:
- Consent of the data subject;
- Necessity for contract performance;
- Legal obligation;
- Legitimate interest of the Controller, provided it does not override the rights of the data subject.
2.2. The legal basis for each type of processing is specified in Section 3 below.
3. PURPOSE, BASIS AND PERIOD OF PROCESSING DATA
3.1. Each time, the purpose, basis, period as well as the recipients of personal data being processed by the Controller result from actions undertaken by a given Service Recipient or Customer in the Online Shop.
3.2. Purpose, Basis, and Period of Processing Data
The Controller processes personal data of Customers in the Online Shop for the following purposes:
- Delivery of purchased digital products and bonuses: The Customer’s email address is used to send the purchased Product and any related bonuses. This processing is necessary to perform the Sales Contract and is based on Article 6(1)(b) of the GDPR. The emails used for delivery will be stored until the delivery is completed, typically 30 days after purchase.
- Direct marketing and personalized offers: The Customer’s email address may also be used by the Controller to send information about related products, promotions, and personalized offers, as well as for advertising targeting on social media platforms, such as Facebook Pixel. This processing is based on the legitimate interest of the Controller under Article 6(1)(f) of the GDPR. The Customer has the right to opt out of marketing communications at any time, which will immediately stop further marketing emails and social media targeting.
- Accounting and statutory obligations: Personal data may be processed to maintain ledgers and fulfill statutory accounting obligations in accordance with Article 6(1)(c) of the GDPR and Article 74(2) of the Accounting Act. These records are stored for the legally required period, typically 5 years from the beginning of the year following the financial year to which the data relate.
- Operation of the Online Shop: The Controller processes data to ensure the proper functioning of the Online Shop and its electronic services. This is based on the legitimate interest of the Controller under Article 6(1)(f) of the GDPR. Data are stored for the duration of the legitimate interest, but no longer than the limitation period for claims under the business activity of the Controller, typically 3 years.
- Website analytics and statistics: The Controller may use Customer data to analyze the behavior on the Online Shop, improve its functioning, and increase sales. This processing is also based on the legitimate interest of the Controller under Article 6(1)(f) of the GDPR. Data are stored for the period of the legitimate interest, up to 3 years.
4. DATA RECIPIENTS IN THE ONLINE SHOP
4.1. For the needs of proper Online Shop functioning, inclusive of the performance of the Sales Contract entered into, it shall be necessary for the Controller to make use of external companies’ services (e.g., software providers or payment system providers). The Controller uses solely the services of such processing entities which ensure sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements set out in the GDPR Regulation, the Philippine Data Privacy Act of 2012, and protects the rights of data subjects.
4.2. The Controller may provide personal data to a third country, while the Controller ensures that it shall only be a third country which is considered to provide an adequate level of protection – in accordance with the GDPR Regulation and the Philippine Data Privacy Act, and in the case of other countries, the data transfer will occur on the basis of standard contractual clauses or other legal safeguards. The Controller ensures that the data subject has a right to get a copy of their data. The Controller provides personal data to a third country only in the case and scope necessary to execute a certain purpose of data processing consistent with this Privacy Policy.
4.3. Providing data by the Controller does not take place in every case and not to all the recipients or categories of recipients defined in the Privacy Policy – the Controller provides the data only in cases where it proves necessary to attain a given purpose of personal data processing and solely within the necessary scope.
4.4. Personal data of the Online Shop Service Recipients or Customers may be provided to the following recipients or categories of recipients:
- E-payment or payment card service providers – in the case of a Customer who uses the Online Shop’s e-payment or payment card option, the Controller makes the collected Customer’s personal data available to the selected payment service provider, including Xendit, solely to the extent necessary to perform the payment. Xendit processes payment-related personal data (such as card information) in compliance with applicable legal regulations and only to the degree necessary to complete the transaction.
- Service providers rendering technical, IT, or organisational solutions – making it possible for the Controller to conduct business, including the Online Shop and Electronic Services provided via it (in particular computer software providers for the Online Shop, email companies, and hosting providers, as well as software providers for company management and technical support). The Controller makes the collected personal data of the Customer available to the selected provider only to the extent necessary for attaining a given purpose of data processing in accordance herewith.
- Accounting, legal, and counselling services providers – rendering accounting, legal, or counselling services (in particular an accounting agency, law firm, or debt collection company). The Controller makes the collected personal data of the Customer available to the selected provider only in the case and to the extent necessary for attaining a given purpose of data processing in accordance herewith.
5. PROFILING IN THE ONLINE SHOP
5.1. The GDPR Regulation obligates the Controller to inform about the automated decision-making process, including profiling referred to in Article 22, par. 1 and 4 of the GDPR Regulation, and – at least in those cases – the vital information concerning the decision-making process as well as the meaning and foreseeable consequences of processing for the person being the data subject. Bearing in mind the above, the Controller specifies in this point of the privacy policy the information concerning the possible profiling.
5.2. The Controller may use profiling in the Online Shop for direct marketing purposes. The decisions made on its basis by the Controller do not concern the conclusion of, or refusal to conclude, the Sales Contract, or the possibility to make use of Electronic Services in the Online Shop. The result of profiling in the Online Shop may be, for example:
- sending a discount code;
- reminding about an unfinished purchase process;
- sending product offers or bonuses, which may be related to the interests or preferences of the person;
- offering better conditions compared to the standard offer of the Online Shop.
5.3. Profiling in the Online Shop consists in the automatic analysis or forecast of the conduct of a given person on the website of the Online Shop, e.g.:
- adding a given Product to the cart;
- browsing the page of a given Product in the Online Shop;
- analysing the history of purchases in the Online Shop;
- using the Customer’s email address for sending purchased digital products, bonuses, and targeted offers;
- using Customer email and browsing data for targeted advertising on social media platforms, including the use of hashed emails for Facebook Pixel.
The condition for such profiling is for the Controller to have the personal data of the person, so that they can later send them e.g., a discount code, digital products, or marketing messages tailored to their preferences.
5.4. The Controller uses the Customer’s email address and browsing data for profiling and direct marketing purposes, such as sending personalized offers, discount codes, product recommendations, and promotional campaigns via social media. Customers have the right to withdraw consent at any time, which will stop further marketing communications.
5.5. The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which has legal effects on the person or similarly affects them. The data subject retains full control over purchasing decisions, including whether to use any discounts, promotions, or product offers received as a result of profiling.
6. THE RIGHTS OF THE DATA SUBJECT
6.1. The right to access, rectify, restrict, erase or transmit – the data subject shall have the right to demand the Controller to have access to their personal data, rectify, erase (“the right to be forgotten”) or restrict the processing and shall have the right to object to the processing and transmit their data. Detailed conditions of the above rights shall be indicated in Articles 15–22 of the GDPR Regulation, as well as in accordance with the Philippine Data Privacy Act of 2012.
6.2. The right to withdraw the consent at any time – the person whose data are being processed by the Controller on the basis of the consent given (pursuant to Article 6, par. 1, point a) or Article 9, par. 2, point a) of the GDPR Regulation, or under the DPA 2012), shall have the right to withdraw their consent at any time without any impact on the lawfulness of processing made based on the consent prior to the withdrawal. Withdrawal of consent for marketing purposes and profiling shall immediately stop further marketing communications, including personalized offers, discount codes, product recommendations, and targeting through social media platforms such as Facebook Pixel.
6.3. The right to lodge a complaint with a supervisory body – the person whose data are being processed by the Controller shall have the right to lodge a complaint with a supervisory body in a manner and mode specified in the provisions of the GDPR Regulation, Polish law, and Philippine law. The supervisory body in Poland shall be the President of the Office for Personal Data Protection. In the Philippines, the National Privacy Commission (NPC) is the competent authority to handle complaints regarding personal data processing.
6.4. The right to object – the data subject shall have the right, at any time, to object – for reasons related to their particular situation – to the processing of their personal data based on Article 6, par. 1, point e) (public interest or official authority) or f) (legitimate interest of the Controller), including in cases of profiling. The Controller must stop processing the personal data unless they demonstrate legally significant and justified grounds for the processing, overriding the interests, rights and freedoms of the data subject, or the bases for establishing, pursuing or defending claims.
6.5. The right to object as regards direct marketing – in the case the personal data are being processed for direct marketing purposes, the data subject shall have the right, at any time, to lodge a complaint regarding the processing of their personal data for such marketing, including profiling, to the extent to which the processing is related to direct marketing. This includes emails used to send purchased digital products, marketing campaigns, or advertising via social media platforms such as Facebook Pixel.
6.6. Exercise of rights – to perform the rights mentioned in this point of the Privacy Policy, one may contact the Controller by sending an appropriate message in writing or via e-mail to the address of the Controller indicated at the beginning of the Privacy Policy. The Controller shall respond to the request without undue delay and in accordance with the applicable laws, including GDPR, the Polish Personal Data Protection Act, and the Philippine Data Privacy Act of 2012.
7. COOKIES IN THE ONLINE SHOP AND ANALYTICS
7.1. Cookies are small text files sent by the server and saved on the device of the Online Shop’s visitor (e.g. on the hard disk of a computer, laptop, or smartphone’s memory card – depending on the type of device used by the Online Shop’s visitor). Detailed information on Cookies as well as the history of their origin can be found e.g. at: https://en.wikipedia.org/wiki/HTTP_cookie.
7.2. The Controller may provide a tool on the Online Shop’s website for easy and active management of Cookies – available after the first entry to the website, and then, after closing it, available in the bottom corner of the page. Active management allows, among other things, to check what cookies are or can be saved when using the website, as well as to select and later change the scope and purposes of using cookies in relation to the device and the person visiting the website. When starting to use the website, the visitor will be asked to select cookie settings. They can be changed later by changing the settings in this tool available on the website.
7.3. Below in this section, the Controller provides information regarding the use of Cookies on the Online Shop’s website, their types and purposes, and their management using e.g. web browser settings and/or the Cookie management tool available on the website. The Controller encourages visitors to use the Cookie management tool available on the website, which allows easy, active management of Cookies while using the website, and, if it is not available, to read the information below, including the information on managing cookies from the browser level.
7.4. Cookie files, which can be sent via the Online Shop website, can be divided into various types, according to the following criteria:
- With regard to the provider: own (created by the Controller’s Online Shop website) and belonging to other persons/third parties (other than the Controller)
- With regard to the period of their retention on the appliance of the Online Shop’s visitor: session cookies (stored till the moment of logging out from the Online Shop or closing a browser) and persistent cookies (having some expiration period, defined by parameters of each file or until they are removed by hand)
- With regard to the purpose of their usage: strictly necessary cookies (enabling proper functioning of the Online Shop website), functional/preferential cookies (enabling adjustment of the Online Shop website to the visitor’s preferences), analytical and performance cookies (collecting information on the use of the Online Shop website), targeting, advertising or social cookies (collecting information on the visitor of the Online Shop website in order to display advertisements, personalization and measuring the effectiveness of advertisements and for other marketing activities, including those performed on sites different from the Online Shop website, such as social media and other websites belonging to the same advertising networks as the Online Shop).
7.5. The Controller may process information contained in Cookies during visiting of the Online Shop website for the following particular reasons:
| Purposes of using Cookies on the Controller’s Online Shop website |
| --- |
| Identifying a Service Recipient as logged in to the Online Shop and showing that they are logged in (strictly necessary Cookies) |
| Saving Products added to the cart to place an Order (strictly necessary Cookies) |
| Saving data from the filled-in Order Forms, questionnaires or the login data on the Online Shop website (strictly necessary Cookies and/or functional/preferential Cookies) |
| Adjustment of the Online Shop website contents to individual preferences of the Service Recipient (e.g. colours, font size, layout) and optimisation of the use of the website (functional/preferential Cookies) |
| Keeping anonymous statistics presenting the visitor’s behaviours on the Online Shop website (analytical and performance Cookies) |
| Displaying and rendering the advertisements, limiting the number of ads displayed, ignoring ads which the Service Recipient wishes not to see, measuring ad effectiveness and ad personalization, namely evaluating the conduct of visitors of the Online Shop through anonymous analysis of their activities (e.g., repeated visits on particular pages, key words etc.) to create their profile and provide them with adverts matching their interests, also when they visit other websites in the advertising network of Facebook, i.e., Meta Platforms Ireland Ltd. (marketing, advertising and social Cookies). The Controller may also use hashed Customer emails to target advertisements on Facebook Pixel. |
7.6. Checking which Cookie files are being sent in a given moment by the Online Shop website can be done, independent of the browser used, e.g., at the following sites: https://www.cookiemetrix.com and https://www.cookie-checker.com.
7.7. As a standard, most internet browsers on the market accept saving Cookies by default. Every person has the possibility to specify the conditions of using Cookies in the browser settings. It means that one may, e.g., partially restrict (e.g., temporarily) or fully disable saving Cookies – in the latter case it may have an impact on some functionalities of the Online Shop (for instance, it may prove impossible to go through the Order using the Order Form owing to failure to save the Products in the cart in the course of subsequent stages of Order placement).
7.8. The browser settings concerning Cookies are essential as regards the consent to use Cookies by our Online Shop – in accordance with the law, such consent may also be expressed in the browser settings. If such consent is not given, change the browser settings concerning Cookies accordingly. Detailed information concerning the change in Cookies settings and their individual removal in the most common browsers is available in the help section of the browser and the following websites:
- Chrome
- Firefox
- Internet Explorer
- Opera
- Safari
- Microsoft Edge
8. FINAL PROVISIONS
8.1. Links to other websites may be present; this policy applies only to IvyDuston.com.
8.2. The Controller reserves the right to update or modify this Privacy Policy at any time. Updated versions will be published on the Online Shop website. Continued use of the Online Shop constitutes acceptance of the updated Privacy Policy.