For the purpose of this document:
‘Personal Data Controller’ means András Munkácsi sole proprietor doing business as András Munkácsi, Marszałkowska 111, 00-102 Warszawa, NIP: 5252735407, REGON: 369197726;
‘personal data’ means information about an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by an identifier such as his or her name and surname, identification number, location data, internet identifier or one or more factors specifying his or her physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘newsletter’ means the electronic form of a newsletter used to inform users about new products available on the website, new entries on the blog, updates relating to applications;
‘personal data breach’ means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, regardless of whether it is a third party. Public authorities which may receive personal data in connection with a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by such public authorities must be in compliance with the data protection rules applicable to the purposes of the processing;
‘restriction of processing’ means the indication of stored personal data with the aim of limiting their processing in the future;
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 of this Regulation; this authority is the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the personal data controller;
‘data confidentiality’ means a property ensuring that data is not made available to unauthorised entities;
‘processing’ means any operation or a set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Regulation’ means Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: the ‘GDPR’);
‘website’ means a website to be found at feelinmyskin.com;
‘act’ means Act of 10 May 2018 on personal data protection;
‘data erasure’ means erasure of personal data or its alteration which makes identification of the data subject impossible (‘anonymisation’);
‘authentication’ means an activity aiming at verification of the identity of the entity;
‘user’ means a natural person who has full or limited capacity to perform legal acts, a legal person or an organisational unit with a legal personality, using the feelinmyskin.com website, “a person authorised to process data” by the Personal Data Controller (hereinafter the “Controller”) or another person whom the Controller has granted authorisation to process personal data in the IT system and the person who downloaded the Application and registered the User Account in the Application, i.e. the person to whom the Controller provides services electronically via the Application;
‘consent of the data subject’ means a voluntary, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies his/her consent to the processing of personal data relating to him or her by way of a statement or a clear affirmative action;
‘application’ means the Feelin My Skin mobile application created by the Controller;
‘User Account’ means the set of resources and rights to which the User is entitled in connection with downloading the Application and registering in the Application;
‘data collected automatically’ means demographic data and data concerning the use of the Application which do not allow for unambiguous identification of the User.
Personal Data Controller. Purposes, scope and grounds for processing
The Personal Data Controller is András Munkácsi sole proprietor doing business as András Munkácsi, Marszałkowska 111, 00-102 Warszawa, NIP: 5252735407, REGON: 369197726.
Contact with the Personal Data Controller regarding any matter relating to the user’s personal data protection is possible by sending an email to: firstname.lastname@example.org, with a ‘Personal data’ note.
The personal data of the user are processed exclusively for the following purposes:
sending commercial and marketing information by means of a newsletter;
maintaining contact by means of a contact form available on the website;
acceptance and publication of the user’s comments regarding the content presented on the website provided by means of the form;
establishment, exercise or defence of legal claims of the Personal Data Controller, including for the purposes of recovery and conducting court proceedings;
The basis for processing of personal data of the users using the contact form and commenting on the content presented on the website is the user’s consent collected in compliance with Article 6(1)(a) of the GDPR.
The basis for processing of personal data of the users using the newsletter for marketing and promotional purposes is the user’s voluntary consent, collected in accordance with Article 6(1)(a) of GDPR, the Act of 18 July 2002 on the provision of services by electronic means and the Act of 16 July 2004 – telecommunications law.
The Personal Data Controller has the right to establish, exercise or defend his or her legal claims, pursuant to Article 6(1)(f) of GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller.
The Personal Data Controller processes the following personal data of a user:
Contact form: Name and surname, email address, IP address;
comments: Name, email address, URL, IP address;
newsletter: email address.
Making the users’ personal data available
The Personal Data Controller has the right to make the personal data of a user available, without his or her consent, only to authorised entities pursuant to specific provisions (i.e. courts, law-enforcement authorities).
We neither make the personal data of our users available to other entities nor sell or lend them.
Receiving the newsletter by a user is possible only upon provision of an email address in the newsletter form and provision of a consent to personal data processing, to personal data processing for marketing purposes in line with the Act from 16 April 2004 – telecommunications law – as well as provision of consent for receiving commercial information by electronic means in accordance with the Act of 18 July 2002 – on the provision of electronic services.
Resignation from receiving marketing and promotional information as well as commercial information by means of a newsletter is possible upon sending a request for removal of the address from the website’s database to the following email address email@example.com from the email address provided in the course of registration to the newsletter; the note ‘Resignation from the newsletter subscription’ should be added.
Comments and opinions left by the user on the website – blog – are made available and distributed only based on the consent given by the user expressed by ticking a consent clause located below the form.
The personal data of the user collected by means of a contact form are processed only for the purposes of making and maintaining contact between the user and the Controller, to which the user consents by ticking a clause located under the contact form.
The Controller collects personal data through the Feelin My Skin mobile application.
The terms of using the Application, including technical data and requirements, are described in the Terms and Conditions of the Feelin My Skin mobile application.
User Account in the Application
After downloading the Application to a mobile device (smartphone, tablet), the User creates a User Account.
When creating a User Account, the User enters his or her e-mail address and defines a password.
The password for the User Account in the Application should consist of at least 8 characters, upper- and lower-case letters, numbers and special characters.
The e-mail address provided by the User during the registration of the User Account must be confirmed by the User.
The Controller will send an e-mail with a registration confirmation link to the User’s e-mail address provided upon creating a User account. The User must click on the activation link or copy it to the address bar of its web browser and then confirm it by pressing “Enter”. After that, a confirmation of the registration process completion will be displayed in the web browser and the User will be able to use all functionalities of the Application.
Registration confirmation via the activation link is necessary for creating a User Account and further use of the Application to be possible.
The Application’s access to resources available on the User’s mobile device
To function properly, the Application may require access to the resources available on the User’s mobile device.
The User may, but does not have to, consent to the Application accessing the resources of his or her mobile device; however, refusing access to some of those resources may limit or prevent the use of certain functionalities of the Application.
The User may withdraw the consent authorising the Application to access the resources on his or her mobile device at any time by changing the access settings on the device.
The Application may require access to: the gallery, camera, calendar and notifications.
Deletion of the User Account
The User may delete the User Account by selecting a specific option in the Application settings.
The Controller will notify the User about the deletion of the User Account by e-mail sent to the User’s e-mail address provided during the User Account registration.
Collection of personal data by the Application
The Controller collects the following personal data of the User:
User’s name and surname
User’s image (the so-called avatar) – optional
contact details: e-mail address, website address, links to the User’s accounts on social media sites – optional
User’s birth date – optional (publication of this information is at the User’s discretion)
location information (town/city, country) – optional (publication of this information is at the User’s discretion)
information about the User’s skin type – optional (publication of this information is at the User’s discretion)
Users’ data will be processed through the Application for the following purposes:
to provide services by electronic means and to enable the use of the services available within the Application, including registration and use of the Application, making the functionalities of the Application available to Users, maintaining contact, maintaining and operating the account in the Application (Article 6(1)(b) of the GDPR) and, in the case of data belonging to special categories of data, on the basis of the User’s consent (Article 9(2)(a) of the GDPR);
to handle the electronic contact form made available within the Application on the basis of the Controller’s legitimate interest consisting in the handling of inquiries and requests, including responding to them (Article 6(1)(f) of the GDPR);
to potentially establish, exercise or defend legal claims on the basis of Controller’s legitimate interest consisting in protecting its rights (Article 6(1)(f) of the GDPR);
to allow the Controller to offer products or services directly on the basis of the Controller’s legitimate interest, consisting in particular in the sending of e-mail notifications about offers or content, which in some cases contain commercial information, and conducting other activities related to direct marketing of products or services, including contextual (i.e. not adjusted to the User’s preferences) and behavioural (i.e. adjusted to the User’s preferences) advertising (Article 6(1)(f) of the GDPR); whereby you will be invited to give your consent to receive commercial information by e-mail or other electronic means of communication;
for analytical and statistical purposes on the basis of the Controller’s legitimate interest consisting in conducting analyses of User’s activity and their preferences in order to optimise services and products and improve the functionalities of the Application (Article 6(1)(f) of the GDPR);
for archival purposes on the basis of the Controller’s legitimate interest consisting in securing information in the event of a legal need to prove facts which constitute the fulfilment of the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).
The Controller does not collect personal data without the User’s consent, only data without such qualities, in particular demographic data and data concerning the use of the Application.
Data collected automatically do not allow for unambiguous identification of the User.
Data collected automatically may be used by the Controller to improve the quality of the services provided, in particular in the event of an error in the Application. In the situation described above, data collected automatically will concern the error in the Application, including the condition of the User’s mobile device at the time of the error occurrence, identification of the User’s mobile device, physical location of the User’s mobile device at the time of the occurrence of error.
The User is not able to change or delete data collected automatically.
Application data on the User’s mobile device
The following data are stored on the User’s mobile device: an encrypted unique Application identifier – it is stored on the device until the Application is removed. The identifier of the Application and information about the brand, model and hardware identifier of the mobile device are sent to the Controller in the process of device registration in the Application and are used to unambiguously identify the Application and the mobile device.
Communication between the Mobile Application and the Controller is conducted using encryption mechanisms.
Consent given by a user for the processing of his or her personal data is voluntary and can be withdrawn at any time. Withdrawal of the consent does not affect the lawfulness of the processing already conducted based on the consent given by the user before its withdrawal. Withdrawal of the consent results in erasure of the user’s email address from the address database maintained by the Personal Data Controller, used for sending out marketing and commercial information.
The user has the right to obtain access to his or her personal data and upon the user’s request, the Personal Data Controller will provide a copy of the personal data which are subject to processing.
The user has the right to demand that the Personal Data Controller rectify inaccurate personal data concerning him or her without undue delay and complete personal data which are incomplete.
The user has the right to have his or her data erased (‘right to be forgotten’), whereas the Personal Data Controller is obliged to erase them without undue delay in a situation when: a) the personal data are no longer necessary in relation to the purposes for which they have been collected, b) the data subject has withdrawn consent which constitutes the basis for processing, c) the data subject objects to the processing regarding his or her personal data, d) the personal data have been unlawfully processed, e) the personal data have to be erased for compliance with a legal obligation specified in the provisions of law.
The user has the right to obtain restriction of the processing of his or her personal data provided that the user contests the accuracy of the processed data, the processing is unlawful and the user opposes data erasure, the Personal Data Controller no longer needs the user’s data, but they are required by the user for the establishment, exercise or defence of legal claims as well as when the user objects to the processing.
The user has the right to object at any time to the processing of personal data concerning him or her and the personal data controller must discontinue processing the personal data unless the controller demonstrates compelling legitimate grounds for continued processing.
The user also has the right to transfer data and the Personal Data Controller is obliged to make those data available to the user in a structured, commonly used and machine-readable format. The user has the right to transmit the received data to another entity without hindrance from the Personal Data Controller in accordance with the provisions of this Regulation.
The user’s personal data will be processed by the Personal Data Controller for the following periods: for the period determined by the consent given by the user for the processing of his or her personal data and within 30 days from the day of consent withdrawal or sending a request to the Personal Data Controller’s address to erase the data, unless the requirement to process data arises from specific rules about which the Controller will inform the user within 30 days from the receipt of the request.
The user has the right to lodge a complaint with a supervisory authority: The President of the Personal Data Protection Office – ul. Stawki 2, 00-193, Warsaw, in case of establishment of a personal data breach by the Personal Data Controller or of processing of the personal data of the user which does not comply with the personal data protection rules.
The Personal Data Controller ensures that he or she makes their best endeavours to process the personal data with the utmost respect for the privacy of data subjects as well as with the utmost care for the security of the processed personal data and in particular, the Controller ensures that all measures of physical, technological, organisational protection specified by law and aiming at securing personal data filing systems have been taken.
The User is responsible for the accuracy and factual correctness of the personal data he or she provides.
In order to ensure the protection of the User’s personal data, the User is obliged to protect the login and password which are used to operate his or her User Account. The Users using the Application bear responsibility for making their login and password available to third parties.
Information on payment
The personal data of Users making payments via the mobile application, to the extent necessary for the payment execution, are entrusted to App Store for iOS devices or Google Play for Android devices.
The feelinmyskin.com website uses the Google Analytics plugin (a tool created by Google Inc.). Google Analytics is a service that analyzes Internet services using the so-called “Cookies”, text files that are saved on the website User’s computer and enable feelinmyskin.com to analyze the use of the website by Users.
The feelinmyskin.com website uses Google Analytics to analyze how Users use the website and to constantly improve the service.
The information obtained from the cookie files about the way the User uses the feelinmyskin.com website is transferred and saved on the Google Inc. servers located in the United States.
The feelinmyskin.com website uses Google Analytics with the following settings:
IP anonymisation – this means that the Users’ IP addresses of the feelinmyskin.com website are processed after being shortened to exclude the possibility of referring them to a specific User. The IP address is not collated with other Google data;
Disabled Advertising and Remarketing options – which means that the feelinmyskin.com website will not send personalized ads to the Users and will not display advertisements of the website when the User uses the Google search engine;
Disabled Demographics and Interest Reports options – which means that the feelinmyskin.com website does not collect information about sex and age of the User and does not combine this information with information about their interests;
Disabled User-ID – which means that the feelinmyskin.com internet service does not allow data from interactions with multiple devices and different sessions to be combined with unique User identifiers; the website does not use the User-ID function and does not allow assigning one or more sessions (along with all activity in these sessions) to a unique and permanent identifier;
Disabled option to share data with Google Inc. – feelinmyskin.com website does not provide Users’ data collected from cookies:
to other Google services used to analyze online behaviors and trends that are intended to improve Google’s tools;
for the purposes of comparative analysis involving the use of data to create tools and materials helpful in the marketing activities of a given industry;
for Google technical support – Google support does not receive access to collected data;
to Google’s marketing and sales specialists to improve the effectiveness of using Google tools through feelinmyskin.com.
The maximum period of User’s data storage by the feelinmyskin.com website is 26 months.
The user can prevent the saving of cookies by setting the appropriate settings in the browser software. Changing those settings may cause the User to lose the access to some of the functions of the feelinmyskin.com website. In order to disable Google Analytics tracking, the User can install a browser extension available at the following address: tools.google.com/dlpage/gaoptout.