Privacy Policy and Cookies

1. Data Controller and definitions

1. The controller of the personal data of Customers / Users of the Online Store, also referred to as the Seller, is: BIOSHI S.A., phone: Ten tekst zmienisz w ADMINISTRACJA / Dane Twojej firmy / Dane kontaktowe, Polish Tax ID (NIP): PL6762649713, REGON (National Business Registry Number): 526170605.
2. You can contact the Data Controller:
   1. at the correspondence address: Jasnogórska 1, 31-358 Kraków;
   2. at the e-mail address: contact@ebio24.fr.
3. User - a natural person visiting the Online Store website(s) or using the services or functionalities described in this Privacy and Cookie Policy.
4. Customer - a natural person with full legal capacity, a natural person who is a Consumer, a legal person, or an organisational unit without legal personality to which the law grants legal capacity, who concludes a Distance Selling Contract with the Seller.
5. Online Store - the website operated by the Seller, available at the electronic addresses (sites): https://ebio24.fr, through which the Customer/User can obtain information about Goods and their availability and purchase Goods or order the provision of a service.
6. Newsletter - information, including commercial information within the meaning of the Polish Act of 18 July 2002 on providing services by electronic means (Journal of Laws of 2020, item 344), originating from the Seller and sent to the Customer/User electronically; receiving it is voluntary and requires the Customer's/User's consent.
7. Account - a collection of data stored in the Online Store and in the Seller's IT system concerning a given Customer/User and the orders placed and contracts concluded by them, using which the Customer/User can place orders and conclude contracts.
8. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).



Data Protection Officer

1. The Company has appointed a Data Protection Officer.
2. In matters related to the processing of personal data, you can contact us by e-mail at: iod@bioshi.pl

2. Scope of processed data

1. In order to perform the Distance Selling Contract, the Seller processes:
   1. information regarding the User's device to ensure the proper functioning of the services: computer IP address, information contained in cookies or other similar technologies, session data, web browser data, device data, activity data on the Website, including on individual subpages;
   2. geolocation information, if the User has consented to the service provider's access to geolocation. Geolocation information is used to provide more tailored product and service offers;
   3. Users' personal data: first name, surname, registered office address, correspondence address, e-mail address, phone number, Polish Tax ID (NIP), bank account number, or other personal data whose provision is necessary to complete a purchase, and the provision of which is required by the Controller during the purchasing process.
2. This information does not contain data concerning the identity of Users, but when combined with other information, it may constitute personal data, and therefore the Controller covers it with the full protection granted under the GDPR.

3. Purposes, legal bases, and data processing duration

1. Personal data provided to the Controller during the registration of a shopping account in the online store will be processed for the purpose of communication, maintaining the customer account (in the case of account registration), and fulfilling orders placed in the online store owned by the Controller, pursuant to Article 6(1)(b) of the GDPR, as well as for the purpose of fulfilling legal and tax obligations in connection with executed orders, pursuant to Article 6(1)(c) of the GDPR. The obtained personal data may also be used for the Controller's legitimate interest, which is considered to be the marketing of its own products and services, based on the premise indicated in Article 6(1)(f) of the GDPR. The data is processed until the Customer/User ceases to use the Online Store.
2. This data is processed in accordance with Article 6(1)(b) of the GDPR, for the purpose of service provision, i.e., the contract for the provision of services by electronic means in accordance with the Terms and Conditions, and in accordance with Article 6(1)(a) of the GDPR, in connection with consent for the use of specific cookies or other similar technologies, expressed through appropriate browser settings in accordance with the Polish Act of 12 July 2024 — Electronic Communications Law (PKE), or in connection with consent for geolocation. The data is processed until the Customer/User ceases to use the Online Store.
3. Personal data obtained via the contact form will be used to process the submitted inquiry and for possible further contact, in accordance with the consent granted, based on the premise indicated in Article 6(1)(a) of the GDPR. The personal data in question may also be used for the Controller's legitimate interest, which is considered to be the marketing of its own products and services, based on the premise indicated in Article 6(1)(f) of the GDPR. The granted consent may be withdrawn at any time, which does not affect the lawfulness of the processing that was carried out on the basis of consent before its withdrawal. Providing data is voluntary, but necessary to process/respond to the submitted request/question.
4. Data provided to the Controller during account registration may be processed to improve the quality of services provided by using them exclusively for training purposes, pursuant to Article 6(1)(f) of the GDPR. The data subject has the right to object to the processing of their personal data for this purpose.

4. Controller's marketing activities

1. On the Online Store website, the Data Controller may post marketing information about its products or services. The display of this content is performed by the Data Controller in accordance with Article 6(1)(f) of the GDPR, i.e., in accordance with the Data Controller's legitimate interest consisting of publishing content related to the services provided and content about promotional campaigns in which the Data Controller is involved. At the same time, this action does not violate the rights and freedoms of Customers/Users; Customers/Users expect to receive content of similar substance, and may even expect it, or it is their direct purpose of visiting the Online Store website(s).

5. Recipients of user data

1. The Data Controller discloses users' personal data exclusively to processors acting under personal data processing agreements concluded pursuant to Article 28 of the GDPR, for the purpose of performing services for the Data Controller, e.g., hosting and servicing the Website, IT services, marketing and PR services.

6. Transfer of personal data to third countries

1. As a general principle, the Users' personal data is processed within the territory of the European Economic Area (EEA). In certain cases, data may be transferred to third countries — in particular to the United States of America — in connection with the use of services provided by suppliers established in such countries (for example, Google LLC, Meta Platforms). In such cases, the transfer takes place only on the basis of appropriate safeguards provided for in the GDPR, in particular on the basis of the Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 concerning the EU-US Data Privacy Framework, or on the basis of Standard Contractual Clauses approved by the European Commission (Article 46 of the GDPR).

7. Rights of data subjects

Every data subject has the right to:

1. access (Art. 15 GDPR) - obtain confirmation from the Data Controller as to whether their personal data is being processed. If data about the person is being processed, they are entitled to access it and obtain the following information: about the purposes of the processing, categories of personal data, recipients or categories of recipients to whom the data has been or will be disclosed, the period of data storage or the criteria for determining it, the right to request the rectification, erasure, or restriction of the processing of personal data to which the data subject is entitled, and to object to such processing;
2. receive a copy of the data (Art. 15(3) GDPR) - obtain a copy of the data undergoing processing, provided that the first copy is free of charge, and for subsequent copies, the Data Controller may impose a fee of a reasonable amount resulting from administrative costs;
3. rectification (Art. 16 GDPR) - request the rectification of their personal data that is incorrect, or the completion of incomplete data;
4. erasure (Art. 17 GDPR) - request the erasure of their personal data if the Data Controller no longer has a legal basis for processing it or the data is no longer necessary for the purposes of processing;
5. restriction of processing (Art. 18 GDPR) - request the restriction of personal data processing when:
   5.1. the data subject contests the accuracy of the personal data – for a period allowing the Data Controller to verify the accuracy of this data,
   5.2. the processing is unlawful and the data subject opposes the erasure of the data, requesting the restriction of its use,
   5.3. the Data Controller no longer needs this data, but it is needed by the data subject to establish, exercise, or defend legal claims,
   5.4. the data subject has objected to the processing – pending the verification of whether the legitimate grounds on the part of the controller override the grounds for the data subject's objection;
6. data portability (Art. 20 GDPR) - receive, in a structured, commonly used, machine-readable format, the personal data concerning them that they have provided to the Data Controller, and to request the transmission of this data to another Controller, if the data is processed on the basis of the data subject's consent or a contract concluded with them, and if the data is processed in an automated manner;
7. object (Art. 21 GDPR) - object to the processing of their personal data for the controller's legitimate purposes, for reasons related to their particular situation, including profiling. In such a case, the Data Controller assesses the existence of valid legitimate grounds for the processing that override the interests, rights, and freedoms of the data subjects, or grounds for the establishment, exercise, or defence of legal claims. If, according to the assessment, the interests of the data subject outweigh the interests of the controller, the Data Controller will be obliged to cease processing data for these purposes;
8. withdraw consent at any time and without giving any reason, but the processing of personal data carried out before the withdrawal of consent will remain lawful. The withdrawal of consent will result in the Controller ceasing to process personal data for the purpose for which this consent was expressed.

To exercise the aforementioned rights, the data subject should contact the Data Controller using the provided contact details and inform them which right and to what extent they wish to exercise.

8. Supervisory authority for personal data protection

The data subject has the right to lodge a complaint with a supervisory authority. In Poland, this authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych — UODO), with its registered office in Warsaw, ul. Stawki 2, who can be contacted in the following ways:

1. by post: ul. Stawki 2, 00-193 Warsaw, Poland;
2. via the electronic inbox available on the website: https://www.uodo.gov.pl/pl/p/kontakt;
3. Helpline: +48 606-950-000.

Pursuant to Article 77 of the GDPR, the data subject also has the right to lodge a complaint with the supervisory authority of the EU/EEA Member State of their habitual residence, place of work, or the place of the alleged infringement. A complete list of national supervisory authorities is available on the website of the European Data Protection Board (EDPB): https://edpb.europa.eu/about-edpb/about-edpb/members_en.

9. Changes to the Privacy Policy

1. The Privacy and Cookie Policy may be supplemented or updated in accordance with the current needs of the Controller to ensure up-to-date and reliable information for Customers/Users.

10. Cookies

1. The Online Store performs functions of obtaining information about Customers, Users, and their behaviour in the following way:
   1.1. through information voluntarily entered in forms for purposes resulting from the function of a specific form;
   1.2. by saving cookies on terminal devices;
   1.3. by collecting web server logs by the Online Store's hosting operator (necessary for the proper functioning of the service).
2. Cookies constitute IT data, in particular text files, that are stored on the Customer/User's terminal device and are intended for use of the Online Store's website. Cookies typically contain the name of the website they originate from, the time of storing them on the terminal device, and a unique number.
3. The Online Store uses cookies only after the Customer/User of the Store has given prior and explicit consent in this regard. Consent for the Online Store to use cookies is given by clicking the button: "Close" while the message about the use of cookies by the Online Store is displayed. Closing the message, ignoring it, or continuing to use the website without an affirmative action does not constitute consent, in accordance with the judgment of the Court of Justice of the European Union of 1 October 2019 in case C-673/17 — Planet49.
4. If the Customer/User of the Online Store does not agree to the Online Store's use of cookies, they may use the option: "I do not agree", also available in the message about the use of cookies by the Online Store, or make changes to the settings of the web browser they are currently using (however, this may cause the Online Store's website to function incorrectly).
5. In order to manage cookie settings, you should select a web browser/system from the list and follow the instructions: Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, Android, Safari (iOS).
6. The legal basis for processing personal data derived from cookies is the legitimate interests of the Data Controller, consisting of ensuring high-quality services and ensuring service security (with regard to strictly necessary cookies), as well as the Customer/User's consent (Article 6(1)(a) of the GDPR in conjunction with Article 397 of the Polish Electronic Communications Law of 12 July 2024) — with regard to the remaining cookies (analytical, marketing, functional).
7. Within the Online Store, two main types of cookies are used: "session" cookies and "persistent" cookies. "Session" cookies are temporary files that are stored on the User's terminal device until logging out, leaving the Online Store, or turning off the software (web browser). "Persistent" cookies are stored on the Customer/User's terminal device for the time specified in the cookie parameters or until they are deleted by the Customer/User.

8. Cookies are used for the following purposes:
   8.1. creating statistics that help understand how Customers/Users of the Online Store use the websites, which allows for improving their structure and content;
   8.2. maintaining the Customer/User session (after logging in), thanks to which the Customer/User does not have to re-enter their username and password on every subpage of the Online Store;
   8.3. determining the Customer/User profile in order to display product recommendations and tailored materials in advertising networks, in particular the Google network.
9. Web browsing software (web browser) usually defaults to allowing cookies to be stored on the Customer/User's terminal device. Customers/Users can change settings in this regard. The web browser allows for the deletion of cookies. It is also possible to automatically block cookies.
10. Limitations on the use of cookies may affect some functionalities available on the Online Store's websites.
11. Cookies placed on the Customer/User's terminal device may also be used by advertisers and partners cooperating with the Online Store.
12. Cookies may be used by the Google network to display advertisements tailored to the way the Customer/User uses the Online Store. For this purpose, they may keep information about the user's navigation path or the time spent on a given page: https://policies.google.com/technologies/partner-sites.
13. We recommend that the Customer/User read the privacy policies of these companies to learn about the rules for the use of cookies used in statistics: Google Analytics Privacy Policy.
14. Regarding information about Customer/User preferences collected by the Google advertising network, the Customer/User can view and edit information derived from cookies using the tool: https://www.google.com/ads/preferences/.
15. Plugins are placed on the Online Store's website that may transfer Customer/User data to Controllers such as, e.g.: . In connection with the use of these providers' services, data may be transferred to third countries (in particular to the United States of America) on the basis of appropriate safeguards provided for in the GDPR, in particular the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795).
16. In order to properly execute the Distance Selling Contract, the Data Controller may share Customer/User data with courier entities. The currently available delivery methods in the Online Store are available at: https://ebio24.fr/en/delivery.
17. In order to properly execute the Distance Selling Contract, the Controller may share Customer/User data with online payment systems. The currently available prepayment methods in the Online Store are available at: https://ebio24.fr/en/payments.
18. More information on terms and privacy can also be found on the page Privacy & Terms — Google.

11. Newsletter

1. The Customer may agree to receive commercial information electronically by selecting the appropriate option in the registration form or at a later date in the appropriate tab. In the case of such consent, the Customer/User will receive information (Newsletter) from the Online Store to the e-mail address provided by them, as well as other commercial information sent by the Seller.
2. The Customer may at any time unsubscribe from the Newsletter on their own by unchecking the appropriate box on their Account page or by going to the form https://ebio24.fr/fr/newsletter.html, clicking the appropriate link located in the content of each Newsletter, or via Customer Service.

12. Account

1. The Customer/User may not post or provide to the Seller any content, including reviews and other data, that is unlawful.
2. The Customer/User gains access to the Account after registration.
3. As part of registration, the Customer/User provides the account type or gender, first name, surname, company name, Polish Tax ID (NIP), data for the sales document, shipping data, e-mail address, and selects a password. The Customer/User ensures that the data provided by them in the registration form is truthful. Registration requires careful reading of the Terms and Conditions and ticking the box on the registration form confirming that the Customer/User has read the Terms and Conditions and fully accepts all its provisions.
4. At the moment the Customer/User is granted access to the Account, a contract for the provision of services by electronic means regarding the Account is concluded between the Seller and the Customer for an indefinite period. The Consumer may withdraw from this contract on the terms specified in the Terms and Conditions.
5. Registration of an Account on one of the Online Store's pages simultaneously means registration enabling access to other pages under which the Online Store is available.
6. The Customer/User may terminate the contract for the provision of services by electronic means at any time with immediate effect by informing the Seller via e-mail or in writing to the Data Controller's address provided in section 1, point 2 of this Privacy and Cookie Policy.
7. The Seller has the right to terminate the service agreement regarding the Account in the event of ceasing to provide or transferring the Online Store service to a third party, violation of the law or provisions of the Terms and Conditions by the Customer/User, as well as in the event of the Customer/User's inactivity for a period of 6 months. Termination of the contract takes place with a seven-day notice period. The Seller may reserve that re-registration of the Account will require the Seller's permission.