GENERAL PROVISIONS
1.1. This Privacy Policy contains information regarding the principles of personal data processing by the Administrator of OkiTalki in the Service, including the legal bases, purposes and scope of personal data processing and the rights of the data subjects.
1.2. The scope of the information provided corresponds to the requirements of the GDPR.
1.3. In the Policy, the user of the Service will also find information concerning the use of cookies or similar technologies (in the case of using web pages) and mobile device identifiers (in the case of using the mobile application), including information about the possibility of combining data held by the Administrator and the Administrator’s use of analytics tools. This information may constitute the user’s personal data.
1.4. Before starting to use the Service, including before registering an account, the user should read the content of the Privacy Policy.

DEFINITIONS
Capitalized terms have the meanings assigned to them below, in the Regulations.
2.1. Administrator – Termokvrc Siarhei Ramanko, with its registered office in Poland, ul. Al. 1000-lecia Państwa Polskiego 10A-107, 15-111 Białystok, telephone number +48 517 672 444, entered in the register of entrepreneurs of the National Court Register kept by the Court, [Division], under no., TAX ID (NIP): 5423453622, REGON: 522765684.
2.2. Client – a natural person with full legal capacity who has reached the age of 18, or a legal person or an organizational unit without legal personality to which the law grants legal capacity, who, under the terms set out in the Regulations, places an Order and concludes a Sales Agreement with the Seller.
2.3. Regulations – the terms and conditions specifying the rules for concluding and performing sales contracts concluded within the Service and the rules for the Administrator’s provision of electronic services within the Service, available at […].
2.4. RODO – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 2016 No 119, p. 1, as amended).
2.5. Service – the online shop owned and administered by the Administrator, accessible via the mobile application […] and the website www.Okitalki.com
.

PROCESSING OF DATA BY THE SERVICE ADMINISTRATOR
3.1. Administrator – Termokvrc Siarhei Ramanko, with its registered office in Poland, ul. Al. 1000-lecia Państwa Polskiego 10A-107, 15-111 Białystok, telephone number +48 517 672 444, entered in the register of entrepreneurs of the National Court Register kept by the Court, [Division], under no., TAX ID (NIP): 5423453622, REGON: 522765684 – simultaneously providing services within the Service in accordance with the provisions of the Regulations.
3.2. The Administrator may be contacted:

by post at the address: Poland, ul. Al. 1000-lecia Państwa Polskiego 10A-107, 15-111 Białystok;

by telephone at: +48 517 672 444;

electronically at the e-mail address: info@okitalki.com
.
3.3. Use of the Service is voluntary. Providing personal data by a Service user is voluntary, subject to the following reservations:

in cases and to the extent indicated in the Regulations, the Florist Regulations or the Privacy Policy with regard to the personal data necessary to conclude a contract with the Administrator or to provide services related to the account – failure to provide the data may result in the impossibility of performing the contract or service;

where the Administrator is required to fulfil statutory obligations in connection with the performance of an Order – the processing of personal data is related to the fulfilment by the Administrator of obligations imposed on it by generally applicable laws (e.g., for the purpose of maintaining accounting or tax records); failure to provide the data will make it impossible to fulfil these obligations and, consequently, to properly perform the service.
3.4. The Administrator exercises particular care to protect the interests of the data subjects whose personal data it processes, and in particular ensures that the data collected are lawful and processed only for specific, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes.
3.5. The Administrator implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the GDPR. These measures are reviewed and updated as necessary. The Administrator applies technical measures to prevent unauthorized acquisition and modification of personal data transmitted electronically.

FOR WHAT PURPOSE AND FOR HOW LONG WILL THE DATA BE PROCESSED?
The Administrator may process personal data within the Service for the following purposes, on the legal bases and for the periods indicated below:

I. For Clients or Service users, for the purpose of:

performance of a contract to which the data subject is a party, or taking steps at the data subject’s request prior to entering into a contract, i.e., for the performance of the Order. This may include processing geolocation information, among others.
i. Legal basis: Art. 6(1)(b) GDPR.
ii. Processing period: until the Order is fulfilled, and in the case of account creation – for the duration of the account services.

fulfilment of a legal obligation incumbent on the Administrator in connection with the performance of the Order. Such obligations arise, for example, from accounting or tax law.
i. Legal basis: Art. 6(1)(c) GDPR.
ii. Processing period: for accounting documentation purposes – for a period of 5 years counting from the end of the calendar year in which the operations, transactions and proceedings were finally completed, paid, settled or became time-barred. For tax documentation purposes – for a period of 5 years counting from the end of the calendar year in which the tax payment deadline expired.

purposes pursued on the basis of the so-called legitimate interest of the Administrator pursuant to Art. 6(1)(f) GDPR, i.e.:
i. marketing, implemented by displaying or delivering commercial information, including, subject to obtaining the appropriate consent, via electronic communication devices or by phone (direct marketing). Marketing may be carried out on the basis of profiling; in such a case data processed for marketing purposes include information reflecting the user’s characteristics, behaviors or preferences. By using profiling, the Administrator may tailor offers to the user’s, including the Client’s, interests and needs.
ii. adapting the content of the Service according to users’ behavior.
iii. communication, including via tools within the Service, also for the purpose of responding to inquiries and handling complaints.
iv. organizing and conducting contests and other marketing campaigns.
v. preventing fraud.
vi. where applicable – for the purpose of pursuing or securing claims and defending against claims.
vii. for statistical purposes and analysis of the quality of services provided, i.e.:
• compiling statistics and analysing traffic in the Service – for the purpose of improving the functioning of the Service and increasing sales;
• improving services – by analysing Customers’ or users’ feedback.
viii. for the Administrator’s internal administrative purposes.
Processing period for purposes pursued on the basis of the Administrator’s legitimate interest: for the duration of the legitimate interest pursued by the Administrator, but not longer than the limitation period for claims; the Administrator may not process data for direct marketing purposes if the data subject has validly objected to such processing.

purposes based on given consents, i.e., pursuant to Art. 6(1)(a) GDPR:
i. newsletter;
ii. marketing of cooperating entities’ services and products;
iii. leaving a review by the Client, e.g., regarding the fulfillment of the Order.
Processing period: until the consent is withdrawn by the data subject.

II. For Florists, for the purpose of:

performance of a contract to which the Florist is a party, or taking steps at the Florist’s request prior to entering into a contract with the Administrator.
i. Legal basis: Art. 6(1)(b) GDPR.
ii. Processing period: for the duration of the cooperation agreement or for the period of provision of account services.

fulfilment of a legal obligation incumbent on the Administrator in connection with the performance of the cooperation agreement with the Florist. Such obligations arise, for example, from accounting or tax law.
i. Legal basis: Art. 6(1)(c) GDPR.
ii. Processing period: for accounting documentation purposes – for a period of 5 years counting from the end of the calendar year in which the operations, transactions and proceedings were finally completed, paid, settled or became time-barred. For tax documentation purposes – for a period of 5 years counting from the end of the calendar year in which the tax payment deadline expired.

purposes pursued on the basis of the so-called legitimate interest of the Administrator pursuant to Art. 6(1)(f) GDPR, i.e.:
i. adapting the content of the Service according to users’ behavior.
ii. where applicable – for the purpose of pursuing or securing claims and defending against claims.
iii. preventing fraud.
iv. for the Administrator’s internal administrative, analytical and statistical purposes.
Processing period for purposes pursued on the basis of the Administrator’s legitimate interest: for the duration of the legitimate interest pursued by the Administrator, but not longer than the limitation period for claims; the Administrator may not process data for direct marketing purposes if the data subject has validly objected to such processing.

WHERE DO YOUR PERSONAL DATA COME FROM?
The Administrator processes your personal data obtained directly from you (e.g., data provided in a registration form or in a submitted review), as well as data obtained from other sources (e.g., data provided in a form by a person who ordered a Bouquet for you). Such other sources may include, among others, partners or limited-access sources, e.g., social networking services (i.e., Facebook); Google, Apple (in case of registration or logging into an account in the Service via those portals). In each case the Administrator verifies whether it has a legal basis for processing personal data.

Social media platforms
The Administrator runs accounts on social media platforms (e.g., Facebook, Instagram, TikTok), where users have the ability to comment, send messages and post reviews about the Administrator or its offer. The Administrator may process information, including personal data concerning users, or combine them with other information it holds for the purposes of promoting its services or for analytical and statistical purposes related to improving service quality.
The Administrator will not publish users’ reviews that may constitute personal data without their consent.

TO WHOM MAY DATA BE DISCLOSED?
6.1. A recipient of data within the meaning of the GDPR is both an entity that processes personal data on behalf of the Administrator and an entity to which data are disclosed for its own purposes (e.g., public administration bodies).
6.2. For the correct functioning of the Service and for contract performance, the Administrator may use the services of external entities (such as software providers, couriers, payment service providers). The Administrator uses only such data-processing service providers that provide adequate guarantees of implementation of appropriate technical and organizational measures.
6.3. Recipients of your data may include:

public authorities, institutions or third parties entitled to request access to or receive personal data on the basis of legal provisions;

entities to whom the Administrator has entrusted the processing of personal data on the basis of concluded agreements in connection with its business activity, e.g., suppliers and carriers of shipments (e.g., couriers), IT and other service providers processing data on behalf of the Administrator; providers of accounting, legal and advisory services; entities providing advisory-control services, e.g., audit firms, law firms;

entities handling electronic or card payments – in the case of a Client using electronic or card payment methods in the Service the Administrator discloses the Client’s collected personal data to the selected entity handling such payments in the Service on behalf of the Administrator to the extent necessary to process the payment;

providers of review survey systems – in the case of a Client who agreed to leave a review of the Order;

entities to whom the user (Client) has given consent to disclose and process their personal data;

the Administrator’s partners.
6.4. Personal data may be transferred by the Administrator to a third country; the Administrator ensures that in such case such transfer will be made to a country ensuring an adequate level of protection – in accordance with the GDPR, and in the case of other countries, on the basis of appropriate safeguards, including standard contractual clauses. The Administrator transfers personal data in accordance with the principle of data minimization and only where and to the extent necessary to achieve the given purpose of processing in accordance with this Privacy Policy.

PROFILING IN THE SERVICE
7.1. The Administrator may use profiling for marketing purposes. Profiling is used by the Administrator to analyse a user’s (including a Client’s) preferences or interests, viewership or the development of provided services based on automated processing by the Administrator of data from devices used by the user while using the website (e.g., computer, mobile devices) and the user’s behavior.
7.2. The result of profiling in the Service may be, for example, granting a given person a discount, displaying a product suggestion that may correspond to that person’s interests or preferences, or offering a personalized offer. The person subject to profiling decides whether they want to use the discount or the proposed terms.
7.3. Profiling in the Service consists of automatic analysis of the Client’s purchasing behavior or prediction of such behavior, e.g., taking into account browsing of specific products or analysis of purchase history.
7.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

YOUR RIGHTS AS A DATA SUBJECT
8.1. You have the right to access your personal data, including obtaining a copy of the data.
8.2. If you consider that your personal data processed by the Administrator are inaccurate, you have the right to have them rectified or completed.
8.3. You have the right to request deletion of your personal data in cases provided for by law.
8.4. You have the right to request restriction of processing of your personal data.
8.5. You have the right to object to the processing of your personal data where they are processed for the purposes of the Administrator’s legitimate interest.
8.6. If personal data are processed for the purposes of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes, including profiling, to the extent that the processing is related to such direct marketing.
8.7. You have the right to receive from the Administrator your personal data in a structured format and to transfer personal data to another controller.
8.8. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or otherwise significantly affects you, unless the decision is necessary for the performance of a contract, is permitted by law or you have given your explicit prior consent.
8.9. In cases where processing is based on consent, you have the right to withdraw consent for individual processing purposes at any time. You may withdraw consent by contacting the Administrator at the contact details indicated in the Privacy Policy. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.
8.10. You have the right to lodge a complaint with a supervisory authority in the manner and under the procedure set out in the GDPR and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office for Personal Data Protection.
8.11. To exercise the rights referred to in this section of the Privacy Policy, you may contact the Administrator by sending a written request or an electronic message to the Administrator’s address indicated in the introduction to the Privacy Policy or by using the contact form available in the Service.

USE OF COOKIES AND SIMILAR TECHNOLOGIES AND ANALYTICS IN THE SERVICE
9.1. Cookies are small text files that are stored on a user’s end device (e.g., laptop, tablet, smartphone) when visiting a website. Cookies do not cause harmful changes to the end device and do not contain malicious software. A cookie stores information that is created in cooperation with a specific end device. This is not equivalent to the Administrator obtaining information about the user’s identity.
9.2. In the case of the mobile application, mobile device identifiers are used instead of cookies. A device identifier is a series of digits and letters that allows identification of a mobile device (tablet, smartphone) and is stored on that device. Mobile device identifiers are used in the mobile application for the functioning of many processes, e.g., activation of the mobile application, adding and displaying loyalty cards in the mobile app, or configuring and displaying add-ons before logging in.
9.3. Cookies that may be sent by the Service’s website can be divided into different types according to the following criteria.

By provider:
a. first-party (provided by the Service’s website Administrator)
b. belonging to third parties (other than the Administrator),

By storage period on the user’s device:
a. session (stored until logging out of the Service or closing the web browser)
b. persistent (stored for a specified time defined by each cookie’s parameters or until manually deleted)

By purpose:
a. necessary (enabling the proper functioning of the Service’s website),
b. functional/preference (allowing adjustment of the website to the visitor’s preferences),
c. analytical (collecting information about how the website is used)
d. marketing or advertising (collecting information about the visitor to display ads to that person, personalise them, measure effectiveness and run marketing campaigns, including on external websites unrelated to the Service, such as sites belonging to the same advertising networks or social media platforms).
9.4. List of cookies used by the Administrator
9.4.1. Absolutely necessary (technical) cookies: such a cookie is necessary for the Website User to navigate and use its functions. Without such cookies it is not possible to use basic Website functions. These cookies help remember the state of the website, choose the language (using the i18nextLng cookie), save the selected darkstore (using the darkstoreId cookie). Opting out of some of the indicated types of cookies may result in certain subpages or Service functions being unusable.
9.4.2. Analytical cookies: necessary for the correct operation and to ensure the full functionality of the Website as well as for performing various service functions and facilitating interaction with the Website. ● recognising users, counting their number and collecting information, for example about performed actions, visited pages and views in the Service; ● identifying your hardware or software, such as the type of browser or device; ● collecting information on how you interact with the Service, for example whether a service or product has been purchased. Such cookies do not collect information enabling the identification of the Website User and are aggregated data (data collected and presented in aggregated form for statistical analysis purposes in accordance with applicable law and are not personal data). Analytical cookies are used to improve the convenience of using the Website and to increase user satisfaction with the Website.
9.5. List of mobile device identifiers used by the Administrator […]
9.6. In addition, in connection with the user’s use of the Service, the Administrator may obtain the following information:

In the case of users visiting the Service’s website […]

In the case of users using the Service’s mobile application […]
Geolocation information of users may be processed for the performance of the Order.
9.7. It is possible to set cookie preferences via your own web browser settings. You may partially (temporarily) restrict or completely disable the saving of cookies – however, the latter may affect some Service functionalities.
9.8. Most web browsers available on the market accept cookies by default. Everyone can set cookie preferences via their own web browser settings. In accordance with the applicable law, consent to cookies may also be expressed through the web browser settings.
9.9. Detailed information on changing cookie settings and deleting them yourself is available in the browser help section:

in Chrome: https://support.google.com/chrome/answer/95647?hl=en

in Firefox: https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-websites-stored

in Internet Explorer: https://support.microsoft.com/en-us/help/278835/how-to-delete-cookie-files-in-internet-explorer

in Opera: https://www.opera.com/pl/use-cases/clean-browser-and-remove-trackers

in Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac

in Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09

9.10. Where cookies or other information stored on or obtained from the user’s device (similar technologies) may constitute personal data, the Administrator may process such data, depending on the relationship with the user, for the purposes indicated in section 4 of the Privacy Policy.
9.11. The Administrator may use Google Analytics services provided by Google Ireland Limited in the Service. These services are used to compile statistics and analyse traffic in the Service and to study the effectiveness of promotional activities. By using the aforementioned services in the Service the Administrator collects data such as: traffic sources, users’ behaviour on the website, information about devices and browsers, IP and domain, geographic data and demographic data (age, gender) and interests.
9.12. It is possible to block the sharing of information with Google Analytics on the Service, for example by installing the browser add-on provided by Google Ireland Ltd.: https://tools.google.com/dlpage/gaoptout?hl=pl
. Information about data processing by Google Ireland Ltd. is available in Google’s services privacy policy: https://policies.google.com/technologies/partner-sites
.
9.13. The Administrator may use the Facebook Pixel in the Service – a service provided by Meta Platforms Ireland Limited. The service helps the Administrator measure ad effectiveness and display tailored ads to users visiting its Service. Management of the Facebook Pixel can be done via ad settings in your Facebook account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
.

LINKS TO OTHER SITES
The Service may contain links to other websites. The Administrator is not responsible for the use of cookies on those sites or for compliance with privacy policies on those sites. It is recommended that after navigating to other websites the user reads the Privacy Policy and Cookie Policy applicable on those sites.

Version dated www.okitalki.com