This Privacy Policy is for informational purposes and outlines the rules for collecting, processing, and using personal data of users of the website https://www.profarm.com.pl/. It also includes information about the use of cookies and analytics tools on the site.

DEFINITIONS

Controller – Przedsiębiorstwo Produkcji Farmaceutyczno – Kosmetycznej PROFARM  limited liability company with its registered office in Lębork,  Słupska 18, 84-300 Lębork, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for Gdańsk-Północ in Gdańsk, 8th Commercial Division of the National Court Register under KRS number: 0000086544, NIP: 8410003568, REGON: 770504939, with share capital of PLN 864,000.

personal data - any information relating to an identified or identifiable natural person by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person, including location data, device IP address, internet identifier and information collected through cookies and other similar technologies.

PKE - The Polish Electronic Communications Law of July 12, 2024 (Journal of Laws, item 1221, as amended).

Policy - this Privacy Policy.

GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individual persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Store – the Controller's online store operating within the Website, at the following address: https://sklep.profarm.com.pl/

Website – the Controller's website: https://www.profarm.com.pl/.

User - any person visiting the Website or using one or more services or functionalities available on the Website.

 

GENERAL PROVISIONS
 

1. The controller of personal data is Przedsiębiorstwo Produkcji Farmaceutyczno – Kosmetycznej PROFARM  limited liability company with its registered office in Lębork,  Słupska 18, 84-300 Lębork, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for Gdańsk-Północ in Gdańsk, 8th Commercial Division of the National Court Register under KRS number: 0000086544, NIP: 8410003568, REGON: 770504939, with share capital of PLN 864,000.Personal data on the Website is processed by the Administrator in accordance with applicable law, in particular in accordance with the GDPR.
2. Personal data on the Website/Store is processed by the Controller in accordance with applicable legal provisions, in particular with the provisions of the GDPR.
3. The Store forms part of the Website; therefore, the following provisions regarding the processing and protection of personal data, as well as the Cookie Policy, apply equally to the Store.
4. The use of the Website/Store, the conclusion of any agreements and the related provision of personal data by the User using the Website is voluntary, subject to the following:
   1. failure to provide personal data necessary for the conclusion and performance of the contracts with the Administrator results in the inability to conclude such a contract;
   2. the Controller’s statutory obligations – the provision of personal data is a statutory requirement resulting from generally applicable laws imposing on the Controller the obligation to process personal data and failure to provide such data will prevent the Administrator from performing these obligations;
   3. the provision of data is necessary to achieve the purposes referred to below. If the User does not provide personal data, it will not be possible to achieve the purposes of personal data processing.
5. The Controller takes special care to protect the interests of persons whose personal data it processes and in particular is responsible for and ensures the data it collects is processed lawfully; collected for specified, lawful purposes and not further processed in a manner incompatible with those purposes; factually accurate and adequate in relation to the purposes for which they are processed; stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

 

THE RIGHTS OF DATA SUBJECTS

In connection with the processing of personal data, the User has the following rights:

1. The right to access User’s data and obtain information about the processing of its personal data.

Users have the right to obtain confirmation from the Controller as to whether it processes User’s personal data, the right to request access to this data and the right to obtain information from the Controller regarding the purposes of processing and the categories of personal data processed, information about the recipients or categories of recipients to whom the personal data are disclosed, the planned period of storage of personal data, source of the data if they were not collected from the data subject, and information on whether the Controller makes automated decisions regarding the data subject, including on the basis of profiling. Users also have the right to obtain a copy of the data.

2. The right to rectify data when it is incorrect.
3. The right to request the deletion of data.

The right to deletion of data applies when the User’s data is no longer necessary for which it was collected by the Controller; Users withdraw their consent to the processing of data; Users object to the processing of their data; the User’s data is processed unlawfully; the data must be deleted in order to comply with a legal obligation or the data has been collected in connection with the provision of information society services.

4. The right to request restriction of data processing for a specified period of time and within a specified scope.

A request to restrict data processing will not affect any processing that has already been carried out. When User data is incorrect – Users may request that its processing be restricted for a period enabling the Controller to verify the accuracy of the data; the processing of User data is unlawful, but Users do not want the data to be deleted; the Uset data is no longer necessary for the Controller, but is necessary for Users to establish, exercise or defend their legal claims; or Users have objected to the processing of their data – until it is determined whether the legitimate grounds of the Controller override the grounds for the objection.

5. The right to transfer data by the data subject to another controller.

The right to transfer data is available when the processing of Users data is based on consent or a contract when the processing is carried out by automated means.

6. Right to object to data processing.

Submitting an objection will not affect any actions already taken. The right to object to data processing is available when the processing of Users’ personal data is based on a legitimate interest and the objection is justified due to the User’s particular situation, as well as when the User’s personal data is processed for direct marketing purposes, including profiling.

7. The right to lodge a complaint with the President of the Personal Data Protection Office if the User believe that the processing of its personal data violates the provisions of the GDPR.

The User can make use of these rights by sending a request to the Controller’s email address:  profarm@profarm.com.pl.  

To ensure that the User are eligible to apply, the Controller may ask the User to provide authentication details.

 

LEGAL BASIS FOR DATA PROCESSING

The Controller makes every effort to ensure proper protection of personal data, in particular by applying the organizational and legal measures required under the GDPR.

The Controller is authorised the process personal data in cases where at least one of the following conditions is met:

1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into contract;
3. processing is necessary for compliance with a legal obligation to which the Controller is subject;
4. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

PURPOSES OF PERSONAL DATA PROCESSING

Personal data of all persons using the Website (including IP addresses or other identifiers and information collected through cookies or other similar technologies) are processed by the Controller:

1. in order to provide electronic services in the scope of making the content collected on the Website available to Users, including handling User inquiries or using the contact form – the legal basis for processing is:

- the User’s consent to marketing activities (Article 6(1)(a) of the GDPR)
- the Controller’s legitimate interest (Article 6(1)(f) GDPR) in ensuring efficient and effective communication between the Controller and the User.

2. for marketing purposes to send commercial information, marketing content or to provide digital content or services via a newsletter – the legal basis for processing is:

- the User’s consent to marketing activities (Article 6 (1)(a) of the GDPR),
- necessity of processing for the performance of a contract for mailing services or for the supply of digital content/services (Article 6(1)(b) GDPR);
– the Controller’s legitimate interest (Article 6(1)(f) GDPR) in promoting its own products and services.

3. to fulfil orders placed by the User in the Store – the basis for processing in the necessity of processing for the performance of the sales contract (Article 6(1)(b) of the GDPR),
4. in order to perform the contract for provision of account maintenance services in the Store – the basis for processing is the necessity of processing for the performance of the contract  (Article  6(1)(b) of the GDPR),
5. for analytical and statistical purposes, including the analysis of how the User uses and navigates the Website or the Store, management of the Website or Store, use of tools that improve the functionality of the Website or Store, and analysis of data related to the use of the Website or Store in order to tailor it to the needs and behavior of Users. – the legal basis for processing is the the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in analysing the activity of Users and their preferences in order to improve the functionalities used and the services provided;

User activity on the Website and in the Store, including personal data, is recorded in system logs (a special computer program used to store chronological records containing information about events and actions related to the IT system used to provide services by the Administrator). The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller also processes this data for technical and administrative purposes, for the purposes of ensuring the security of the IT system and its management, as well as for analytical and statistical purposes – in this respect, the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).

 

6. for the purpose of researching preferences regarding services and products and analysing bysiness processes by conducting surveys – the legal basis for processing is :

- the User’s consent to answer survey questions (Article 6(1)(a) of the GDPR),
- the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) for archiving purposes and possible defence against claims,

7. to operate and manage social media profiles – the legal basis for processing is the the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) to manage a profile on a given platform,
8. for the use of cookies on the Website and Store – the legal basis for processing is:

- the User’s consent (Article 6(1)(a) of the GDPR) to the use of all Cookies,
- the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) in the use of the necessary Cookies to ensure the proper functioning of the Website/Store and to ensure the security of the Website/Store,

9. to fulfil legal obligations related to the protection of personal data – the legal basis for processing is the applicable legal provisions that require the processing of such data (Article 6(1)(c) of the GDPR),
10. for the purpose of possible establishment, investigation or defence against claims – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in the protection of its rights.

 

CONTACT FORM

The Controller provide Users with a contact form on the Website, enabling them to contact the Controller.

In order to contact the Controller via the contact form, the following personal data must be provided:

1. first name;
2. email address.

Therefore, personal data is processed:

1. to identify the sender and handle their request to contact the Controller sent via the contact form – the legal basis for processing is:

- the User’s consent to marketing activities (Article 6(1)(a) of the GDPR),
- the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) in ensuring efficient and effective communication between the Controller and the User,

2. for analytical and statistical purposes – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in keeping statistics on the number of requests submitted by Users via the Website in order to improve its functionality.

 

NEWSLETTER

If the User has provided the Controller with their email address for the purpose of receiving the newsletter, the Controller provides the newsletter service to that User. Failure to provide the data necessary for this purpose will result in the newsletter not being sent.

In this case, the User's Personal Data is processed:

1. in order to provide the newsletter service, including the sending of commercial information, marketing content or the provision of content or digital services via the newsletter – the legal basis for processing is:

- the User’s consent to marketing activities (Article 6 (1)(a) of the GDPR),
- necessity of processing for the performance of a contract for the provision of shipping services/ a contract for the supply of digital content or digital services (Article 6(1)(b) of the GDPR),
- the Controller’s legitimate interest (Article 6(1) (f)  of the GDPR) in relation to its own services and products,

2. for analytical and statistical purposes – the legal basis for processing is the the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in conducting analyses of User activity on the Website or in the Store in order to improve the functionalities used;
3. for the purpose of possible establishment, investigation or defence against claims – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f)  of the GDPR).

SOCIAL MEDIA

The Controller processes the personal data of Users visiting the Controller’s profiles on social media  (Facebook). This data is processed solely in connection with the maintenance of the profile, including for the purpose of informing Users about the Controller’s activities, promoting various events and products, conducting courses  and webinars, as well as for the purpose of communicating with Users via the functionalities available on social media (comments, messages, chat, invitations, reactions). The legal basis for the processing of personal data by the Controller for this purpose is its legitimate interest (Article 6(1)(f) of the GDPR), consisting in the promotion of its own brand.

INFORMATION ON CATEGORIES OF RECIPIENTS OF PERSONAL DATA

User’s personal data may be disclosed or transferred only to:

• employees and associates of the Controller authorised to process personal data in connection with the performance of their duties,
• technical and organisational service providers for the Controller to the extent necessary for the performance of their tasks, but only within the scope of authorisations or entrustments, in particular: suppliers and entities specialising in providing technical support for ICT systems, including hosting providers, mailing system providers, invoicing system providers, accounting firms providing accounting services, law firms providing legal advice and representation services,
• with regard to statistical and advertising data, the joint controller of personal data is the entity responsible for operating the website, i.e. Meta Platforms Ireland Limited – with regard to Facebook. Detailed information on data processing by Meta can be found at this link: https://pl-pl.facebook.com/privacy/policy?section_id=0-WhatIsThePrivacy
• entities authorised by law.

The Controller shall only use the services of processors who provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects.

The Controller transfers data only when it is necessary to achieve the purpose of personal data processing and only to extent necessary to achieve it.

The Controller reserves the right to disclose information about the User to competent authorities or third parties who request such information on the basis of a relevant legal basis and in accordance with applicable law.

TRANSFER OF PERSONAL DATA TO A THIRS COUNTRY OR AN INTERNATIONAL ORGANISATION

The level of personal data protection outside the European Economic Area (EEA) differs from that provided by European law. The controller therefore transfers personal data outside the EEA only when necessary and with an adequate level of protection, primarily through:

1. cooperating with personal data processors in countries for which an appropriate decision has been issued by the European Commission;
2. using standard contractual clauses issued by the European Commission;
3. applying binding corporate rules approved by the competent supervisory authority;

The Controller shall inform the User of its intention to transfer personal data outside the EEA at the time of collection.

PERIOD OF STORAGE OF PERSONAL DATA

The period for which data is processed by the Controller depends on the type of service provided and the purpose of the processing. As a rule, data is processed for the time necessary to respond to an inquiry or to provide the service, until the consent is withdrawn or an effective objection to the processing is submitted in cases where the legal basis for processing is the Controller’s legitimate interest.

 

The processing period may be extended if the data is necessary for the establishment, exercise, or defence of potential legal claims, and after that period – only if and to the extent required by applicable law. Once the processing period has expired, the data is irreversibly deleted or anonymized.

INFORMATION ON AUTOMATED DECISION-MAKING

The Administrator does not make automated decisions regarding the User, including profiling as referred to in Article 22(1) and (4) of the GDPR.

 

COOKIES POLICY

The Controller uses information stored in cookies to ensure maximum convenience when using the Website and the Store. These cookies may also be used by research and advertising partners cooperating with the Controller. If the User does not consent to the use of cookies, cookie settings can be adjusted in the web browser and on the Website.

This Cookie Policy applies to cookies used on the Website and in the Store.

GENERAL PROVISIONS

1. This policy on cookies and similar technologies used on the Website is for informational purposes only and is intended to clearly present the rules governing the use of cookies and similar technologies on the Website.
2. In the remainder of this document, the term “Controller” shall refer to Przedsiębiorstwo Produkcji Farmaceutyczno–Kosmetycznej PROFARM sp. z o.o., with its registered office in Lębork, ul. Słupska 18, 84-300 Lębork, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court for Gdańsk-Północ in Gdańsk, 8th Commercial Division of the National Court Register under KRS number: 0000086544, NIP: 8410003568, REGON: 770504939 with share capital of PLN 864,000 ("Controller").
3. The provisions of the GDPR and PKE will apply accordingly.
4. The User can contact the Administrator at the above address, by email at profarm@profarm.com.pl or in writing to Przedsiębiorstwo Produkcji Farmaceutyczno – Kosmetycznej PROFARM sp. z o.o., ul. Słupska 18, 84-300 Lębork.
5. To the extent that cookies contain the User’s personal data, the Controller shall also act as the controller of such personal data. The rules governing the processing of this data are outlined in the Privacy Policy.

 

1. COOKIES

 

1. The Controller informs that the Website uses cookies, which are installed on the User’s end device. Cookies are IT data, particularly text files, stored on the User’s device when browsing the Website. Cookies typically contain the domain name of the website from which they originate, the time they are stored on the end device, and a unique identifier. The Controller may process data stored in cookies when Users visit the Website for the following purposes:
   1. adapting the Website’s content to the User’s preferences and optimizing the use of the Website – in particular, cookies enable recognition of the User’s device and the appropriate display of the website according to the User’s individual needs;
   2. ensuring the proper functioning of the Website - Cookies allow for the efficient operation of the Website, use of available features and conveniently navigate between individual subpages;
   3. ensuring security – Cookies are used to authenticate Users and prevent unauthorised use of the User's account;
   4. creating statistics that help understand how Website Users use the websites, which allows improving their structure and content;
   5. maintaining session status after logging into an account – thanks to Cookies, it is not necessary to enter authentication data on each subpage viewed, which contributes to the comfort of using the Website;
   6. analysing the use of the Website and generating statistics and reports on its performance, which help improve the Website’s structure and content.
2. The Cookies used by the Website are secure and do not cause any configuration changes to User’s computer, laptop or smartphone, or to the software installed on the device.
3. Obtaining and storing information through cookies—except when necessary to ensure the proper functioning, security, and basic operations of the Website, including service stability through basic statistical measures—is only permitted with the User’s consent. During the User’s first visit to the Website, they are informed about the use of Cookies. The User may, however, modify their Cookie preferences at any time in the settings available on the Website.
4. By selecting the ‘Accept all’ button, the User agrees to the use of all Cookies operating on the Website. The User may select the ‘Customise’ option. The ‘Customise’ function allows the User to decide which types of Cookies will be used on the Website. However, disabling some Cookies may affect the quality of User’s browsing experience.
5. The basis for processing data to the extent that Cookies contain Users' personal data is the legitimate interest of the Controller or a third party (Article 6(1)(f) of the GDPR), i.e. the need to ensure the highest quality of content presented by the Controller and to ensure the proper functioning of the Website. In the case of the use of all Cookies, the basis for data processing is the User's consent (Article 6(1)(a) of the GDPR).
6. Information about Cookies used by the Controller is displayed in a panel on the Website. Depending on the User's decision, it is possible to enable or disable cookies of individual categories (except for necessary Cookies) and change these settings at any time. If it is not possible to specify the scope of use of Cookies from the Website, the settings of the browser used by the User remain valid.
7. Data collected through Cookies does not generally allow the Controller to identify the User. However, some information, depending on its content and how it is used, may be linked to a specific person, e.g. through an IP address, and thus be considered personal data. With regard to information collected by cookies that may be linked to a specific person, the provisions of the Privacy Policy apply.
8. The Controller uses the following cookies or tools that use them:

1. necessary cookies of the Website – these files enable the proper and safe functioning of the Website, therefore their deactivation is not possible (the operation of these files is a condition for using the Website).
2. Google Analytics –enables the collection of statistical data on how Users use the website, including the analysis of online services and activities. Google Analytics uses cookies that are stored on user’s computer and enable the analysis of user’s use of the website. Details about Google Analytics are available by clicking on the link: https://analytics.google.com/analytics/web/provision/?hl=pl#/provision.

 

9. The Cookies used by the Controller are primarily used to optimise the User's experience when using the Website. In this regard, the Controller also cooperates with other companies that provide tools to support the Controller primarily in ensuring the proper functioning of the Website. For the purposes of the Controller's activities, the browser or other software installed on the User's device also stores Cookies from third parties (for example - Google Ireland Limited in relation to Google Analytics), which may become controllers of the User's personal data or act as joint controllers of personal data together with the Administrator. Cookies sent by these entities are intended to ensure the security of the Website.
10. Using most commonly used browsers, the User can check whether Cookies have been installed on the end device, as well as delete installed cookies and block their installation in the future by the Website. However, disabling or limiting the use of cookies may cause difficulties in using the Website, e.g. in the form of the need to log in on each subpage, longer loading times of the Website, or restrictions on the use of certain functionalities.

 

PERSONAL DATA SECURITY

The Controller takes appropriate measures to ensure adequate protection of personal data, in particular by implementing the organisational and legal safeguards required under the GDPR.

CONTACT DETAILS

Users may contact the Administrator via email at: profarm@profarm.com.pl or in writing at the following address: Przedsiębiorstwo Produkcji Farmaceutyczno – Kosmetycznej PROFARM Sp z o.o., ul. Słupska 18, 84-300 Lębork.

This Privacy Policy and Cookie Policy is reviewed regularly and updated as necessary. The current version of the Policy was adopted and is effective as of June 26, 2025.