
Privacy Policy

§ 1 General

The controller of personal data of users of the website available at www.nunalu.care is Nunalu Spółka z o.o., with its registered office in Droszków, 66-003, ul. Ptasia 31, entered into the National Court Register maintained by the District Court for the city of Zielona Góra, 8th Commercial Division of the National Court Register under KRS number 0000990065, with Tax Identification Number (NIP): 9292072642 and Statistical Number (REGON): 522974560, with a fully paid-up share capital of PLN 5,000.00 (hereinafter referred to as the “Controller”).

The Controller may be contacted:
(1) via email: hello@nunalu.care
(2) in writing at the Controller’s address: Droszków, 66-003, ul. Ptasia 31.

The purpose of this Privacy Policy is to define the actions taken regarding personal data collected via the Controller’s website and the related services and tools used by its users, as well as in connection with concluding and executing agreements outside of the website.

If necessary, the provisions of this Policy may be amended. Changes will be communicated to users by publishing the updated Policy, and in the case of individuals who have given consent for data processing via email or provided their email address when concluding agreements, such individuals will also be notified via email.

§ 2 Legal Basis, Purpose, and Storage of Personal Data

Users’ personal data is processed in accordance with the General Data Protection Regulation (GDPR), the Personal Data Protection Act, the Act of May 10, 2018 on personal data protection, and the Act of July 18, 2002 on electronic service provision.

If personal data is processed as a result of an email or complaint submitted by the user, such processing is based on Article 6(1)(b) of the GDPR, which allows processing necessary to take steps at the request of the data subject.

If the user has given separate consent, their personal data may also be processed by the Controller for marketing purposes, including sending commercial information via email to the address provided by the user (Article 6(1)(a) of the GDPR).

When the Controller concludes and performs a sales agreement or service agreement, the other party is required to provide data necessary for the conclusion of the agreement (which is a contractual requirement, and in the case of tax numbers, also a legal requirement). For this purpose, the Controller processes personal data (Article 6(1)(b) of the GDPR).

In cases involving research and analysis to improve available services (e.g. tracking tools), the data processing is based on Article 6(1)(f) of the GDPR.

Users’ personal data is stored no longer than necessary to achieve the purpose of processing, i.e. until the consent is withdrawn (if the processing is based on consent), until the expiry of claims between the Controller and the other party regarding the concluded agreements (in the case of sales/service agreements — 2 years, counted until the end of the calendar year), or until the request sent via email is fulfilled or the complaint is resolved.

The Controller may use profiling for direct marketing purposes, but decisions based on such profiling do not relate to the conclusion or denial of contracts or the possibility of using electronic services. The result of profiling may be, for example, a discount granted to a person, sending a discount code, reminding about unfinished purchases, suggesting a product that may suit the person’s interests or preferences, or offering better terms compared to the standard offer. Despite profiling, the individual freely decides whether to use the discount or better terms offered in this way. Profiling involves automated analysis or forecasting of a person’s behavior on the Controller’s website, e.g. adding a specific product to the cart, browsing a specific product page, or analyzing previous activity on the website. The condition for such profiling is that the Controller holds the person’s personal data in order to send them, for example, a discount code.

To ensure proper functioning of the website and its features, the website may, while being used by the User, collect additional information, including but not limited to:

  • IP address;
  • information about the device, hardware, and software such as hardware identifiers, mobile device identifiers (e.g., Apple Identifier for Advertising [“IDFA”] or Android Advertising ID [“AAID”]);
  • platform type;
  • settings and components;
  • presence of required plugins;
  • browser data, including browser type and preferred language.

Taking into account the nature, scope, context, and purposes of processing, as well as the risk of violation of the rights or freedoms of natural persons with varying likelihood and severity, the Controller implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the GDPR and to demonstrate such compliance. These measures are reviewed and updated when necessary. The Controller applies technical measures to prevent unauthorized persons from acquiring or modifying personal data transmitted electronically.

Additionally, the Controller may collect the following data for the following purposes:

Execution of a Contract with the Client or Taking Action at the Request of the Data Subject Before Concluding a Contract

  • Legal Basis: Article 6(1)(b) of the GDPR (contract performance)
  • Retention Period: Data is stored for the period necessary to perform, terminate, or otherwise expire the concluded contract.
  • Scope of Data Processed:
    Full name, email address, phone number, address (street, building number, apartment number, postal code, city, country), company name, Tax Identification Number (NIP)

Marketing

  • Legal Basis: Article 6(1)(f) of the GDPR (legitimate interest of the controller)
  • Retention Period: Data is stored for the period in which the legitimate interest of the Controller is pursued, no longer than until the expiration of claims against the data subject related to the activities conducted by the Controller.
  • Additional Notes: The Controller may process the data for direct marketing purposes only after obtaining consent and in the absence of objection from the data subject.
  • Scope of Data Processed:
    Email address, phone number

Customer Feedback

  • Legal Basis: Article 6(1)(a) of the GDPR (consent)
  • Retention Period: Data is stored until the consent is withdrawn by the person whose data is processed for this purpose.
  • Scope of Data Processed:
    Full name, email address, phone number

Maintaining Accounting Records

  • Legal Basis: Article 6(1)(c) of the GDPR in connection with Article 86 § 1 of the Tax Ordinance of January 17, 2017, and Article 74 sec. 2 of the Accounting Act of January 30, 2018
  • Retention Period: Data is stored for the period required by tax law or accounting regulations (5 years from the beginning of the year following the financial year the data relates to), unless the law specifies otherwise.
  • Scope of Data Processed:
    Full name, email address, phone number, address (street, building number, apartment number, postal code, city, country), Tax Identification Number (NIP), company name

Establishment, Pursuit, or Defense of Claims Raised by or Against the Controller

  • Legal Basis: Article 6(1)(f) of the GDPR (legitimate interest of the controller)
  • Retention Period: Data is stored for the duration of the legally justified interest pursued by the Controller, but no longer than the limitation period for claims regarding the person to whom the data pertains.
  • Scope of Data Processed:
    Full name, email address, phone number, address (street, building number, apartment number, postal code, city, country), company name

§ 3 Data Sharing

The Administrator ensures that all collected personal data is used to fulfill obligations to users. This information will not be shared with third parties except in situations where:

  • The explicit consent of the individuals concerned has been given for such actions, or
  • The obligation to disclose this data arises or will arise from applicable legal regulations, e.g., to law enforcement authorities.

Additionally, personal data of service recipients and customers may be transferred to the following recipients or categories of recipients:

  • Service providers who supply the Administrator with technical, IT, and organizational solutions that enable the Administrator to conduct business activities, including the website and electronic services provided through it (in particular, software providers, marketing agencies, email and hosting service providers, software providers for business management, and technical support providers for the Administrator and product delivery operator) – the Administrator shares the collected personal data of the Customer with a selected provider acting on its behalf only to the extent necessary to fulfill the specific data processing purpose in accordance with this privacy policy.
  • Providers of accounting, legal, and advisory services who provide the Administrator with accounting, legal, or advisory support (in particular, accounting offices, law firms, or debt collection companies) – the Administrator shares the collected personal data of the Customer with a selected provider acting on its behalf only to the extent necessary to fulfill the specific data processing purpose in accordance with this privacy policy.

The Administrator may share anonymized data (i.e., data that does not identify specific users) with external service providers for the purpose of better understanding the attractiveness of advertisements and services for users. In this regard, due to the location of the software providers, data may be transferred – while ensuring protection principles – to third countries, provided they offer a standard contractual arrangement approved by the European Commission for personal data processing or have the appropriate authorization to do so under bilateral data processing agreements between the European Union and the third country, which is not a member of the European Economic Area. For the Administrator, these entities are:

  • Google LLC. (headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for tools such as Google Analytics for analyzing website statistics, Google Tag Manager for managing scripts through easy addition of code snippets to a website or app and tracking user actions on the website, and Google Ads for displaying sponsored links in Google search results and on cooperating websites under the Google AdSense program.
  • Meta Platforms, Inc. (headquarters: 1601 Willow Road, Menlo Park, CA 94025, USA) for Facebook Pixel to track conversions from Facebook ads, optimize them based on collected data and statistics, and build a targeted audience for future ads.

The Administrator’s website may use Google Analytics, a web analytics service provided by Google LLC (“Google”). Google Analytics uses cookies to help website operators analyze how visitors use the site. The information generated by the cookie about the use of the website by visitors is usually transferred to Google and stored on its servers in the United States. According to current IT standards, the IP addresses of users visiting the Administrator’s website are anonymized. In exceptional cases, the full IP address is sent to a Google server in the United States and anonymized there. On behalf of the Administrator, Google will use this information to evaluate the website for its users, prepare reports on website traffic, and provide other services related to website traffic and internet usage for website operators. Google will not associate the IP address provided in Google Analytics with any other data it holds. For more information on how Google Analytics collects and uses data, visit Google’s official website at www.google.com/policies/privacy/partners. Additionally, any user can prevent Google from collecting and processing data related to their use of the website by downloading and installing a browser plugin at the following link: http://tools.google.com/dlpage/gaoptout.

When sharing data with third parties, the Administrator ensures that it is only done with entities holding certificates under the (former) EU–US and Switzerland–US Privacy Shield programs, which can be found at www.privacyshield.gov. Such entities, when using information from the European Economic Area (EEA), will do so in compliance with the “Accountability for Onward Transfer” principle of the Privacy Shield program. In relevant cases, the Administrator will rely on the EU standard contractual clauses and other safeguards to enable transfers outside the EEA. According to the decision of the Court of Justice of the European Union from July 16, 2020, regarding the EU–US Privacy Shield and guidelines from the European Data Protection Board, the Administrator continues to assess the legal system of the countries to which data is transferred and, if necessary, updates measures to ensure appropriate levels of protection.

§ 4 User Rights

A user whose personal data is being processed has the right to:

  • Access, rectification, restriction, erasure, or data portability – the individual whose data is processed has the right to request access to their personal data, rectification, erasure (“right to be forgotten”), or restriction of processing, and has the right to object to processing, as well as the right to data portability. The detailed conditions for exercising the above rights are specified in Articles 15-21 of the GDPR.
  • Withdrawal of consent at any time – an individual whose data is processed by the Administrator based on their consent (under Article 6(1)(a) or Article 9(2)(a) of the GDPR) has the right to withdraw their consent at any time, without affecting the lawfulness of processing carried out based on the consent before its withdrawal.
  • Filing a complaint with the supervisory authority – an individual whose data is processed by the Administrator has the right to file a complaint with the supervisory authority in the manner and procedure specified by the provisions of the GDPR and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office in Warsaw.
  • Objection – an individual whose data is processed has the right to object at any time, on grounds related to their particular situation, to the processing of their personal data based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the administrator), including profiling based on those provisions. In such a case, the Administrator must no longer process those personal data unless they demonstrate the existence of compelling legitimate grounds for processing that override the interests, rights, and freedoms of the individual concerned, or the grounds for the establishment, exercise, or defense of legal claims.
  • Objection to direct marketing – if personal data is processed for direct marketing purposes (based on the legitimate interest of the Administrator, not on the consent of the data subject), the individual whose data is being processed has the right to object at any time to the processing of their personal data for such marketing purposes, including profiling, to the extent that the processing is related to direct marketing.

The exercise of the above rights is carried out upon the user’s request sent to the email address hello@nunalu.care. Such a request should include the user’s full name.
The user ensures that the data they provide or publish on the website is accurate.

§ 5 Cookies

“Cookies” refers to data, particularly text files, stored on the end devices of users (usually on the computer’s hard drive or mobile device) used to save certain settings and data by the user’s browser to enable browsing of websites. These files allow the device to be recognized and the website to be displayed accordingly, providing comfort during its use. Storing cookies thus allows for proper customization of the website and offerings according to the user’s preferences – the server recognizes and remembers, among other things, preferences such as: visits, clicks, and previous actions.
Cookies contain, in particular, the domain name of the website from which they originate, the time they are stored on the end device, and a unique number used to identify the browser from which the connection to the website is made.

Cookies are used for:

  • Adjusting the content of websites to user preferences and optimizing website use.
  • Creating anonymous statistics to help determine how users use websites, which allows for the improvement of their structure and content.
  • Delivering advertising content tailored to users’ interests.

Cookies do not serve to identify the user and do not establish their identity.

The main division of cookies is based on:

  • Necessary cookies – these are absolutely necessary for the proper functioning of the website or the functionalities that the user wishes to use, as without them, many services we offer could not be provided. Some also ensure the security of electronic services.
  • Functional cookies – these are important for the functioning of the website because they:
    • Enrich the website’s functionality. Without them, the website will function properly, but will not be tailored to the user’s preferences.
    • Ensure a high level of functionality. Without them, the level of website functionality may decrease, but their absence should not prevent full use of the site.
    • Ensure most of the website’s functionalities. Blocking them will cause selected functions not to work properly.
  • Business cookies – these enable the realization of the business model based on which the website is made available. Blocking them will not make the website entirely unavailable, but may reduce the service quality due to the inability to generate revenue subsidizing its operation. This category includes, for example, advertising cookies.
  • Configuration cookies – these allow settings for functions and services on the website.
  • Security and reliability cookies – these enable the verification of authenticity and the optimization of website performance.
  • Authentication cookies – these allow informing when the user is logged in, so that the website can display appropriate information and functions.
  • Session state cookies – these allow saving information about how users use the website. They may concern the most visited pages or possible error messages displayed on certain pages. Session cookies help improve services and increase the comfort of browsing.
  • Process cookies – these allow the website and available functions to operate smoothly.
  • Advertising cookies – these enable displaying ads that are more interesting to users and more valuable for publishers and advertisers. Cookies can also be used to personalize ads, as well as to display ads outside of websites.
  • Location access cookies – these enable adjusting displayed information to the user’s location.
  • Analysis, research, or audience auditing cookies – these enable the website owner to better understand user preferences and improve and develop products and services through analysis. Usually, the website owner or a research company collects anonymous information and processes data about trends without identifying personal data of individual users.

The use of cookies to adjust website content to user preferences does not generally involve collecting any information that would allow the identification of the user, although sometimes such data may be considered personal data, as they enable the attribution of certain behaviors to a specific user. Personal data collected through cookies can only be collected to perform specific functions for the user. Such data is encrypted to prevent unauthorized access.

Cookies used by this website are not harmful to either the user or the end device they are using. Therefore, it is recommended not to disable cookie handling in browsers for the proper functioning of the service. In many cases, software used to browse websites (the web browser) by default allows storing information in the form of cookies and other similar technologies on the user’s end device. The user can change how cookies are used by their browser at any time. To do so, the browser settings should be changed. The method for changing settings differs depending on the software (web browser) being used. Appropriate instructions can be found on the help pages, depending on the browser used.

In the context of cookie technology, the Administrator may use tracking pixels or clear GIF files to gather information about how the user interacts with the services and responds to marketing messages sent by email. A pixel is a software code that enables embedding an object, typically an image of pixel size, on the website, allowing the tracking of user behavior on websites where it has been placed. After giving the appropriate consent, the browser automatically establishes a direct connection with the server hosting the pixel, so the processing of data collected through the pixel is done under the data protection policy of the partner who manages the aforementioned server.

The Administrator may also use web log files (which contain technical data, such as the user’s IP address) to monitor traffic on its services, resolve technical issues, detect fraud, and prevent it, as well as enforce the provisions of the user agreement.

The Administrator informs that the website does not respond to Do Not Track (DNT) signals, but the user can disable certain forms of tracking online, including some analytical data and personalized ads, by changing cookie settings in their browser or using our cookie consent tools (if applicable).

Detailed information on changing cookie settings and deleting them in the most popular web browsers can be found in the browser’s help section and on the following pages (just click on the respective link):

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Opera
  • Safari macOS
  • Safari iOS/iPad OS

Detailed information on managing cookies on mobile phones or other mobile devices should be available in the mobile device’s user manual.