Privacy Policy

1. General information

The controller of personal data processed through the FLŌR online store, available at flor.wroclaw.pl, is Maria Komarnytska FLOR more than flowers (registered address: ul. Legnicka 62a, 54-204 Wrocław), NIP: 8943214368, REGON: 525666474; contact details: phone +48 731 552 400, +48 794 552 400, email flor.flowerstore@gmail.com. The Controller is also the personal data controller within the meaning of the GDPR.

2. Scope and sources of data

The Controller processes personal data voluntarily provided by the User in connection with using the Store and placing orders. The scope of data collected includes, in particular: – first and last name, – correspondence / delivery address, – email address, – phone number, – invoicing data (tax ID, company name, address) — if the User requests an invoice, – payment data (transferred directly to the payment operator), – order information (products, transaction history), – technical data (IP address, device data, server logs), – data exchanged in correspondence (email, phone). Sources of data: – directly from the User (order form, contact), – automatically (server logs, cookies, analytics tools), – from partners / processors (payment operator, courier companies).

3. Purposes of processing and legal bases

1. Order and contract fulfilment — processing necessary to conclude and perform the sales contract (Art. 6(1)(b) GDPR): address, contact, transaction and billing data. 2. Payment handling — processing for billing and payment execution (Art. 6(1)(b) GDPR). 3. Fulfilment of legal obligations — keeping accounting and billing records (Art. 6(1)(c) GDPR). 4. Direct marketing and ad profiling — based on consent (Art. 6(1)(a)) for newsletters, remarketing and personalised ads; consent is voluntary and given separately. 5. The Controller's legitimate interest (Art. 6(1)(f)) — pursuing or defending claims, ensuring site security, detecting and preventing fraud — always balanced against the User's interests. 6. Handling requests and complaints — based on Art. 6(1)(b)/(c)/(f) depending on the situation. 7. Cookie consents are managed through the relevant tool on the site.

4. Data retention period

– Order and accounting data (invoices, receipts) — for the period required by tax and accounting law (typically 5 years from the end of the year the document relates to). – Data needed to fulfil an order (contact, delivery address) — for the duration of order fulfilment plus the claims limitation period (typically 2–3 years). – Marketing data (marketing consents) — until consent is withdrawn. – User account data — for the life of the account plus 12 months after closure for evidentiary purposes, unless the law requires longer retention. – Server logs and technical data — typically up to 12 months. – Data processed to prevent abuse — for the period necessary for risk analysis, or until claims are time-barred. All periods are minimised and depend on applicable law and legitimate needs.

5. Recipients of data

Data may be disclosed only to entities that support the provision of services, including: – the payment operator (Przelewy24), – courier and logistics companies, – the accounting office, – IT service providers (hosting, backup), – analytics and advertising providers: Google Analytics (Google Ireland Limited), Meta Pixel / Facebook (Meta Platforms Ireland Limited), TikTok Pixel (TikTok Technology Limited). The Controller has data processing agreements in place with these entities in accordance with the GDPR.

6. International data transfer

Where platforms or services are used that may process data outside the European Economic Area (EEA), the Controller ensures appropriate legal safeguards (e.g. Standard Contractual Clauses – SCC) or other legally recognised mechanisms. Information about the safeguards applied is available on request.

7. Cookies and tracking technologies

The Store uses cookies and similar technologies. Types of cookies: – essential (technical) — necessary for the Store to function correctly; no consent required, – analytical (Google Analytics) — help analyse traffic; require consent, – marketing / profiling (Meta Pixel, TikTok Pixel) — used for remarketing and personalised ads; require consent. The User consents to the use of cookies via the consent interface (banner / window) on the site and may change cookie settings in the browser or on the site at any time.

8. Profiling and behavioural advertising

The Store uses profiling and behavioural advertising tools (Meta Pixel, TikTok Pixel) for remarketing and building audience lists. This is based on the User's consent and uses cookies. The User may withdraw consent at any time.

9. User rights and how to exercise them

In connection with the processing of personal data, the User has the right to: – access their data and receive a copy, – rectify (correct) their data, – erase their data ("the right to be forgotten") — to the extent provided by law, – restrict processing, – data portability, – object to processing based on legitimate interest, – withdraw consent (where processing is based on consent) — withdrawal does not affect the lawfulness of processing before it, – lodge a complaint with the supervisory authority (the President of the Personal Data Protection Office — PUODO). How to submit a request: send it to flor.flowerstore@gmail.com or by post to the Controller's address. The Controller responds promptly, no later than 1 month from receiving the request; this period may be extended by a further 2 months if necessary due to the complexity or number of requests. The Controller may ask for proof of identity to verify the requester.

10. Children

The services are not intended for persons under 16 years of age (in accordance with applicable Polish/EU law). The Controller does not knowingly collect personal data from children under this age. If the Controller learns that a child's data was submitted without a guardian's consent, it will be deleted at the guardian's request.

11. Data security

The Controller applies appropriate technical and organisational measures to protect data (transmission encryption, access controls, regular backups, data processing agreements with processors). Despite these safeguards, risk cannot be entirely excluded; the Controller works to keep it to a minimum.

12. Circumstances of data disclosure

Data may be disclosed to public authorities on the basis of applicable law (e.g. court orders, law enforcement requests). The Controller discloses data only within the limits of, and on the basis of, applicable law.

13. Changes to the Privacy Policy

This Policy may be updated. The Controller will inform Users of any material changes via the Store's website and will update the "Last updated" date.

14. Contact and further information

For data protection matters, please contact flor.flowerstore@gmail.com or by post at ul. Legnicka 62a, 54-204 Wrocław. For customer service matters: flor.flowerstore@gmail.com, phone +48 731 552 400, +48 794 552 400. The User has the right to lodge a complaint with the supervisory authority if they believe the processing of their data violates the law. A complaint may be lodged in the member state of their habitual residence, place of work, or place of the alleged infringement. In Poland, the supervisory authority within the meaning of the GDPR is the President of the Personal Data Protection Office (PUODO).