Privacy policy
of the GL Hair Group Online Store
1. General provisions
1.1. The Privacy Policy contains information regarding the processing of personal data of users of the GL Hair Group Online Store and the use of cookies on the GL Hair Group Online Store website.
1.2. The Administrator of personal data processed in connection with the use of the GL Hair Group Online Store is GL Hair Group sp. z o.o.
1.3. Contact with the GL Hair Group Online Store is possible for the BUYER in the following ways:
a) via traditional mail: 44-109 Gliwice, ul. A. Gaudiego 6;
b) via e-mail: contact@glhairgroup.com.
1.4. Each User is required to read this privacy policy before using the website.
1.5. The User's consent for specific processing activities, such as marketing communications or non-essential cookies, is collected separately through active opt-in mechanisms on the Website (e.g., checkboxes or consent banners).
1.6. The Privacy Policy is available at www.glhairgroup.com and in a written version at the address of the company's registered office.
2. Definitions
2.1. Website – the GL Hair Group Online Store website.
2.2. Administrator – GL Hair Group sp. z o.o., with its registered office in Gliwice (44-109) at ul. A. Gaudiego 6, KRS: 0000757816, Registry Court: District Court in Gliwice, Commercial Division of the National Court Register, share capital: 10.000,00 PLN, NIP: 6312512210, REGON: 240553641.
2.3. User – a natural person whose Personal data are processed in connection with using the Website.
2.4. Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.5. Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.6. Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
2.7. Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Administrator.
2.8. Cookies – files and technologies used to collect and store information about Users, their preferences and online activities.
2.9. Supervisory authority – President of the Personal Data Protection Office in Poland.
2.10. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
3. Principles relating to processing of personal data
Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
4. Legal Basis and Purposes of Processing
4.1. Personal data is processed based on the following legal grounds:
a) Contract Performance: Processing is necessary for the performance of the sales contract and providing electronic services such as order fulfillment and communication (Art. 6(1)(b) GDPR).
b) Legal Obligations: Processing is required for compliance with legal, tax, and accounting obligations, such as issuing invoices and keeping books (Art. 6(1)(c) GDPR).
c) Legitimate Interests: Processing is conducted for the Administrator's legitimate interests, including defense against claims, debt collection, and fraud prevention (Art. 6(1)(f) GDPR).
d) Consent: With separate consent, data may be processed for marketing purposes, such as sending the newsletter (Art. 6(1)(a) GDPR).
e) Representatives: The Administrator also processes the contact data (name, position, business e-mail) of the BUYER'S employees or representatives for the purpose of executing the contract (Art. 6(1)(f) GDPR).
4.2. Processing of Personal data includes:
a) contact details, account details, and profile data of the User, such as: first name, last name, telephone number, postal address, email address;
b) information about the User's device: computer IP address, information contained in cookies or other similar technologies, session data, web browser data, device data, data regarding activity on the Website, including on individual subpages;
c) information about the use of the Website, including searches for offers, orders placed, dates and times of access, and any other actions taken on the Website;
d) data necessary for payment transactions, including information about the payment account, bank account, payment instrument used, date, time, and amount of the payment, expiry date of the payment instrument, billing postal code, email address assigned to the account, IBAN, address, and other details related to the transaction;
e) communication information, including email addresses, phone calls, messages, and text notifications;
f) other data provided in forms available on the Website, in particular as part of complaints submitted to the Administrator by Users.
5. Personal Data Processing Methods
5.1. The sources of personal data processed by the Administrator are the Users (data provided in connection with the use of the Website and during the order process).
5.2. The Administrator uses automated decision-making processes, including profiling. Profiling involves the analysis of User preferences and behaviors on the Website to provide tailored search results, personalized marketing content, and to manage loyalty programs. The User has the right to object to such profiling at any time, which may be exercised by changing browser settings or contacting the Administrator.
5.3. The Administrator entrusts the processing of personal data to entities providing hosting, accounting, legal, IT services, payment system providers, and marketing services, based on data processing agreements compliant with the GDPR.
5.4. The Administrator reserves the right to disclose selected information regarding the User to competent authorities or third parties who request such information based on an appropriate legal basis and in accordance with the provisions of applicable law.
5.5. The Administrator transfers Personal data to recipients in third countries outside the European Economic Area (EEA), particularly to the United States, in connection with the use of services provided by entities such as Shopify, PayPal and Google LLC. These transfers are conducted in accordance with GDPR requirements, specifically based on Standard Contractual Clauses approved by the European Commission or within the framework of the EU-U.S. Data Privacy Framework.
5.6. The User's personal data may be used by the Administrator for marketing purposes if the User has consented to it.
5.7. The period of data processing by the Administrator depends on the type and purpose of processing. As a rule, data is processed for the duration of the User's use of the Website, or until the withdrawal of consent or the submission of an effective objection to data processing in cases where the legal basis for processing is the Administrator's legitimate interest. Billing and payment data are stored for a period of 5 years, in accordance with applicable tax regulations. Data concerning the User's account on the Website are stored until its closure. Data related to claims resulting from the use of the Website are stored for the period of limitation of claims resulting from applicable regulations.
5.8. The data processing period may be extended if and to the extent required by law.
5.9. After the processing period, the data is irreversibly deleted or anonymized.
6. Cookies
6.1. The Administrator uses cookies placed by the website in the data that the User's web browser automatically stores on the User's device.
6.2. The cookies used by the Administrator store information about the content that the User views and interacts with.
6.3. The Administrator uses cookies for the purpose of:
a) ensuring the proper functioning of the Website (functional cookies);
b) obtaining information about how the Website is used and improving its performance (analytical cookies);
c) collecting information about User preferences and behaviors for the purpose of personalizing marketing content and advertising (marketing cookies).
6.4. Detailed information about Cookies is presented in the table below:
| File name | Provider | Function | Retention period | Data collected |
| --- | --- | --- | --- | --- |
| PHPSESSID | glhairgroup.com | Maintains user session and ensures proper website operation | Session | Session ID |
| cookie_consent | glhairgroup.com | Stores the user's cookie consent preferences | 12 months | Consent status |
6.5. During a visit to the Website, a message is displayed to the User informing them that the Administrator uses cookies. The User consents to the use of cookies, to the use of specific categories of cookies defined in section 6.3, or refuses consent to the use of cookies by the Administrator.
6.6. Non-essential cookies (analytical and marketing) are only stored on your device with your prior, active, and explicit consent.
6.7. At any time, the User may grant, change, or withdraw consent for the use of cookies in the browser settings, i.e., enable, change, or disable settings relating to each of the categories of cookies defined in section 6.3.
6.8. Cookies are stored on the User's device for a period of up to 12 months or until they are deleted by the User.
7. Rights Resulting from Personal Data Protection
7.1. The User has the right to obtain confirmation from the Administrator as to whether their personal data is being processed. If data about the person is being processed, they are entitled to access it and obtain the following information: about the purposes of processing, categories of personal data, recipients or categories of recipients to whom the data has been or will be disclosed, about the data storage period or the criteria for determining it, about the right to request rectification, erasure, or restriction of processing of personal data to which the data subject is entitled, and to object to such processing (Article 15 GDPR).
7.2. The User has the right to obtain a copy of the data undergoing processing, whereby the first copy is free of charge, and for subsequent copies, the Administrator may impose a fee in a reasonable amount resulting from administrative costs (Article 15(3) GDPR).
7.3. The User has the right to request the rectification of personal data concerning them that is incorrect, or the completion of incomplete data (Article 16 GDPR).
7.4. The User has the right to request the deletion of their personal data if the Administrator no longer has a basis for processing it or the data is no longer necessary for the purposes of processing (Article 17 GDPR).
7.5. The User has the right to request the restriction of processing of personal data (Article 18 GDPR) when:
a) the data subject contests the accuracy of the personal data – for a period allowing the Administrator to verify the accuracy of the data,
b) the processing is unlawful and the data subject opposes its erasure, requesting the restriction of its use instead,
c) the Administrator no longer needs the data, but it is required by the data subject to establish, exercise, or defend claims,
d) the data subject has objected to processing – until it is determined whether the legitimate grounds on the part of the Administrator override the grounds for the objection of the data subject.
7.6. The User has the right to receive the personal data concerning them, which they have provided to the Administrator, in a structured, commonly used, and machine-readable format, and the right to request that this data be sent to another Administrator, if the data is processed based on the consent of the data subject or a contract concluded with them and if the data is processed in an automated manner (Article 20 GDPR).
7.7. The User has the right to object to the processing of their personal data for the Administrator's legitimate interests, for reasons related to their particular situation, including profiling. In such a case, the Administrator evaluates the existence of valid legitimate grounds for processing that override the interests, rights, and freedoms of the data subjects, or grounds for establishing, exercising, or defending claims. If, according to the assessment, the interests of the data subject are more important than the interests of the Administrator, the Administrator will be obliged to stop processing the data for these purposes (Article 21 GDPR).
7.8. The User has the right to withdraw consent for the processing of personal data at any time and without giving a reason, but the processing of personal data carried out before the withdrawal of consent will remain lawful. The withdrawal of consent will result in the Administrator ceasing to process personal data for the purpose for which the consent was expressed.
7.9. To exercise the above-mentioned rights, the User should contact the Administrator and inform them which right and to what extent they want to exercise. For this purpose, the User may contact the Administrator electronically at contact@glhairgroup.com.
8. Personal Data Security
8.1. The Administrator continuously conducts risk analysis to ensure that personal data is processed by them in a secure manner – ensuring primarily that only authorized persons have access to the data and only to the extent necessary for the tasks they perform. The Administrator ensures that all operations on Personal Data are recorded and performed only by authorized employees and associates.
8.2. The Administrator takes all necessary actions to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process Personal Data on behalf of the Administrator.
9. Supervision of Personal Data Protection
9.1. The User has the right to lodge a complaint with the supervisory authority, i.e. the President of the Personal Data Protection Office (PUODO) with its registered office in Warsaw at ul. Stawki 2. The supervisory authority can be contacted:
a) by post: ul. Stawki 2, 00-193 Warsaw;
b) via the electronic delivery box: https://www.uodo.gov.pl/pl/p/kontakt;
c) by phone: (22) 531 03 00.
9.2. In all matters regarding the processing of personal data and the exercise of rights related to data processing, the User may contact the Administrator directly:
a) by mail: 44-109 Gliwice, ul. A. Gaudiego 6;
b) via e-mail: contact@glhairgroup.com.
10. Final provisions
10.1. The Operator reserves the right to change the privacy policy at any time. Users will be informed of any changes to the privacy policy by posting relevant information on the Website and through an individual notification on the User's account.
10.2. Changes to the privacy policy enter into force on the date of their publication on the Website. Use of the Website after the changes to the privacy policy have entered into force is equivalent to their acceptance.
10.3. In matters not regulated in this privacy policy, the provisions of the GDPR shall apply.