Privacy Policy

1. This Privacy Policy sets out the rules for the processing of personal data obtained via the online store www.makeup.pl (hereinafter referred to as the "Online Store").

2. The owner of the Online Store and at the same time the data administrator is EXIMIA COMPANY Sp. z o.o. with its registered office in Warsaw (00-503), ul. Żurawia 6/12 lok. 766, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register under KRS number 0000758664, NIP: 7010892966, REGON: 381847818, hereinafter referred to as EXIMIA COMPANY Sp. z o.o.

3. Personal data collected by EXIMIA COMPANY Sp. z o.o. via the Online Store are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also known as GDPR.

4. EXIMIA COMPANY Sp. z o.o. pays particular attention to respecting the privacy of Customers visiting the Online Store.

§ 1 Types of processed data, purposes and legal basis

1. EXIMIA COMPANY Sp. z o.o. collects information about natural persons performing legal actions not directly related to their business activity, natural persons conducting business or professional activity on their own behalf, and natural persons representing legal persons or organizational units that are not legal persons, to whom the law grants legal capacity, hereinafter collectively referred to as Customers.

2. Customers' personal data are collected in the following cases:

a) registration of an account in the Online Store, for the purpose of creating an individual account and managing it. Legal basis: necessity to perform the contract for the provision of the Account service (Art. 6(1)(b) GDPR);

b) placing an order in the Online Store, for the purpose of performing the sales contract. Legal basis: necessity to perform the sales contract (Art. 6(1)(b) GDPR);

c) subscription to the newsletter, for the purpose of performing the contract for the provision of the Newsletter service by electronic means. Legal basis: consent of the data subject to perform the Newsletter service contract (Art. 6(1)(a) GDPR).

3. When registering an account in the Online Store, the Customer provides:

a) email address;

b) address details:

a. postal code and city;

b. country;

c. street with house/apartment number.

c) first and last name;

d) phone number.

4. During account registration in the Online Store, the Customer independently sets an individual password for their account. The Customer may change the password later, as described in §6.

5. When placing an order in the Online Store, the Customer provides the following data:

a) email address;

b) address details:

a. postal code and city;

b. country;

c. street with house/apartment number.

c) first and last name;

d) phone number.

6. For Entrepreneurs, the above scope of data is additionally extended by:

a) company name;

b) NIP number.

7. When using the Newsletter service, the Customer only provides their email address.

8. When using the Online Store website, additional information may be collected, in particular: IP address assigned to the Customer's computer or external IP address of the Internet provider, domain name, browser type, access time, operating system type.

9. Navigation data may also be collected from Customers, including information about links and references they choose to click or other activities undertaken in the Online Store. Legal basis: legitimate interest (Art. 6(1)(f) GDPR), consisting in facilitating the use of services provided electronically and improving the functionality of these services.

10. For the purpose of establishing, pursuing, and enforcing claims, some personal data provided by the Customer when using the Online Store's functionalities may be processed, such as: first name, last name, data regarding the use of services, if the claims result from the manner in which the Customer uses the services, other data necessary to prove the existence of the claim, including the extent of the damage suffered. Legal basis: legitimate interest (Art. 6(1)(f) GDPR), consisting in establishing, pursuing, and enforcing claims and defending against claims in proceedings before courts and other state authorities.

11. Providing personal data to EXIMIA COMPANY Sp. z o.o. is voluntary, in connection with concluded sales contracts or provision of services via the Online Store website, with the reservation that failure to provide certain data specified in the registration forms will prevent registration and creation of a Customer Account, and in the case of placing an order without registering a Customer Account, will prevent the submission and fulfillment of the Customer's order.

§ 2 To whom are data disclosed or entrusted and how long are they stored?

1. The Customer's personal data are transferred to service providers used by EXIMIA COMPANY Sp. z o.o. in running the Online Store. Service providers to whom personal data are transferred, depending on contractual arrangements and circumstances, either follow the instructions of EXIMIA COMPANY Sp. z o.o. regarding the purposes and methods of processing these data (processors) or independently determine the purposes and methods of their processing (controllers).

a) Processors. EXIMIA COMPANY Sp. z o.o. uses providers who process personal data solely on the instructions of EXIMIA COMPANY Sp. z o.o. These include, among others, providers of hosting services, marketing systems, traffic analysis systems in the Online Store, campaign effectiveness analysis systems;

b) Controllers. EXIMIA COMPANY Sp. z o.o. uses providers who do not act solely on instructions and independently determine the purposes and methods of using Customers' personal data. They provide electronic payment and banking services.

2. Location. Service providers are based in Poland and other countries of the European Economic Area (EEA).

3. Customers' personal data are stored:

a) If the legal basis for processing personal data is consent, the Customer's personal data are processed by EXIMIA COMPANY Sp. z o.o. until the consent is withdrawn, and after withdrawal of consent for a period corresponding to the limitation period for claims that may be raised by EXIMIA COMPANY Sp. z o.o. and that may be raised against it. Unless a specific provision states otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to business activity - three years.

b) If the legal basis for processing data is the performance of a contract, the Customer's personal data are processed by EXIMIA COMPANY Sp. z o.o. as long as it is necessary to perform the contract, and after that for a period corresponding to the limitation period for claims. Unless a specific provision states otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to business activity - three years.

4. In the case of a purchase in the Online Store, personal data may be transferred, depending on the Customer's choice, to the following entities for the purpose of delivering the ordered goods:

a) courier company;

b) InPost Paczkomaty Sp. z o.o. based in Kraków, providing delivery and locker system services (Paczkomaty);

c) Poczta Polska S.A. based in Warsaw.

5. If the Customer chooses payment via the przelewy24.pl system, their personal data are transferred to the extent necessary for payment processing to PayPro S.A. based in Poznań (60-327 Poznań, ul. Kanclerska 15), entered into the Register of Entrepreneurs kept by the District Court Poznań - Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register under KRS number 0000347935, NIP 7792369887, Regon 301345068.

6. Navigation data may be used to provide Customers with better service, statistical data analysis, and to adapt the Online Store to Customers' preferences, as well as to administer the Online Store.

7. If the Customer subscribes to the newsletter, EXIMIA COMPANY Sp. z o.o. will send electronic messages containing commercial information about promotions and new products available in the Online Store to their email address.

8. In the case of a request, EXIMIA COMPANY Sp. z o.o. discloses personal data to authorized state authorities, in particular to organizational units of the Prosecutor's Office, Police, President of the Personal Data Protection Office, President of the Office of Competition and Consumer Protection, or President of the Office of Electronic Communications.

§ 3 Cookies mechanism, IP address

1. The Online Store uses small files called cookies. They are saved by EXIMIA COMPANY Sp. z o.o. on the device of the person visiting the Online Store, if the web browser allows it. A cookie file usually contains the domain name it comes from, its "expiration time," and an individual, randomly selected number identifying the file. Information collected using such files helps tailor the products offered by EXIMIA COMPANY Sp. z o.o. to the individual preferences and actual needs of visitors to the Online Store. They also allow the development of general statistics of visits to products presented in the Online Store.

2. EXIMIA COMPANY Sp. z o.o. uses two types of cookies:

a) Session cookies: after ending the session of a given browser or turning off the computer, the saved information is deleted from the device's memory. The session cookies mechanism does not allow the collection of any personal data or any confidential information from Customers' computers.

b) Persistent cookies: are stored in the memory of the Customer's device and remain there until they are deleted or expire. The persistent cookies mechanism does not allow the collection of any personal data or any confidential information from Customers' computers.

3. EXIMIA COMPANY Sp. z o.o. uses its own cookies for:

a) authenticating the Customer in the Online Store and ensuring the Customer's session in the Online Store (after logging in), thanks to which the Customer does not have to enter their login and password on every subpage of the Online Store;

b) analysis and research as well as audit of viewership, in particular to create anonymous statistics that help understand how Customers use the Online Store website, which allows improving its structure and content.

4. EXIMIA COMPANY Sp. z o.o. uses external cookies for:

a) collecting general and anonymous statistical data via Google Analytics analytical tools (external cookies administrator: Google Inc based in the USA);

b) presenting the Rzetelny Regulamin Certificate via the rzetelnyregulamin.pl website (external cookies administrator: Rzetelna Grupa sp. z o.o. based in Warsaw).

5. The cookies mechanism is safe for Customers' computers of the Online Store. In particular, it is not possible for viruses or other unwanted software or malware to get to Customers' computers via this route. Nevertheless, Customers can limit or disable cookies access to their computers in their browsers. If this option is used, using the Online Store will be possible, except for functions that by their nature require cookies.

6. Below we present how to change the settings of popular web browsers regarding the use of cookies:

a) Internet Explorer browser;

b) Microsoft EDGE browser;

c) Mozilla Firefox browser;

d) Chrome and Chrome Mobile browser;

e) Safari and Safari Mobile browser;

f) Opera browser.

7. EXIMIA COMPANY Sp. z o.o. may collect Customers' IP addresses. An IP address is a number assigned to the computer of a person visiting the Online Store by the Internet service provider. The IP number enables access to the Internet. In most cases, it is assigned to the computer dynamically, i.e., it changes with each connection to the Internet. The IP address is used by EXIMIA COMPANY Sp. z o.o. for diagnosing technical problems with the server, creating statistical analyses (e.g., determining from which regions we record the most visits), as information useful for administering and improving the Online Store, as well as for security purposes and possible identification of unwanted automatic programs browsing the Online Store's content that burden the server.

8. The Online Store contains links and references to other websites. EXIMIA COMPANY Sp. z o.o. is not responsible for the privacy policies applicable on those websites.

§ 4 Rights of data subjects

1. Right to withdraw consent - legal basis: Art. 7(3) GDPR.

a) The Customer has the right to withdraw any consent given to EXIMIA COMPANY Sp. z o.o.

b) Withdrawal of consent is effective from the moment of withdrawal.

c) Withdrawal of consent does not affect processing carried out by EXIMIA COMPANY Sp. z o.o. lawfully before its withdrawal.

d) Withdrawal of consent does not entail any negative consequences for the Customer, but may prevent further use of services or functionalities that, according to the law, EXIMIA COMPANY Sp. z o.o. may provide only with consent.

2. Right to object to data processing - legal basis: Art. 21 GDPR.

a) The Customer has the right at any time to object - for reasons related to their particular situation - to the processing of their personal data, including profiling, if EXIMIA COMPANY Sp. z o.o. processes their data based on legitimate interest, e.g., marketing products and services of EXIMIA COMPANY Sp. z o.o., compiling statistics on the use of individual functionalities of the Online Store, facilitating the use of the Online Store, and conducting satisfaction surveys.

b) Opting out by email from receiving marketing communications regarding products or services will mean the Customer's objection to the processing of their personal data, including profiling for these purposes.

c) If the Customer's objection is justified and EXIMIA COMPANY Sp. z o.o. has no other legal basis for processing personal data, the Customer's personal data will be deleted with respect to the processing to which the Customer objected.

3. Right to erasure ("right to be forgotten") - legal basis: Art. 17 GDPR.

a) The Customer has the right to request the deletion of all or some personal data.

b) The Customer has the right to request the deletion of personal data if:

a. personal data are no longer necessary for the purposes for which they were collected or processed;

b. the Customer has withdrawn a specific consent, to the extent that personal data were processed based on their consent;

c. the Customer has objected to the use of their data for marketing purposes;

d. personal data are processed unlawfully;

e. personal data must be deleted to comply with a legal obligation under Union law or the law of a Member State to which EXIMIA COMPANY Sp. z o.o. is subject;

f. personal data were collected in connection with the offering of information society services.

c) Despite a request for deletion of personal data, in connection with an objection or withdrawal of consent, EXIMIA COMPANY Sp. z o.o. may retain certain personal data to the extent that processing is necessary to establish, pursue, or defend claims, as well as to comply with a legal obligation requiring processing under Union law or the law of a Member State to which EXIMIA COMPANY Sp. z o.o. is subject. This applies in particular to personal data including: first name, last name, email address, which are retained for the purpose of handling complaints and claims related to the use of EXIMIA COMPANY Sp. z o.o. services, or additionally the address of residence/correspondence address, order number, which are retained for the purpose of handling complaints and claims related to concluded sales contracts or provision of services.

4. Right to restrict data processing - legal basis: Art. 18 GDPR.

a) The Customer has the right to request restriction of the processing of their personal data. Submitting a request, until it is considered, prevents the use of certain functionalities or services, the use of which involves the processing of data covered by the request. EXIMIA COMPANY Sp. z o.o. will also not send any communications, including marketing communications.

b) The Customer has the right to request restriction of the use of personal data in the following cases:

a. when they question the accuracy of their personal data – then EXIMIA COMPANY Sp. z o.o. restricts their use for the time needed to verify the accuracy of the data, but no longer than 7 days;

b. when data processing is unlawful and instead of deleting the data, the Customer requests restriction of their use;

c. when personal data are no longer necessary for the purposes for which they were collected or used but are needed by the Customer to establish, pursue, or defend claims;

d. when the Customer has objected to the use of their data – then restriction occurs for the time needed to consider whether, due to the particular situation, the protection of the Customer's interests, rights, and freedoms outweighs the interests pursued by the Administrator by processing the Customer's personal data.

5. Right of access to data - legal basis: Art. 15 GDPR.

a) The Customer has the right to obtain confirmation from the Administrator whether personal data are being processed, and if so, the Customer has the right to:

a. access their personal data;

b. obtain information about the purposes of processing, categories of processed personal data, recipients or categories of recipients of these data, planned period of data storage or criteria for determining this period (if it is not possible to specify the planned period of data processing), rights available to the Customer under GDPR and the right to lodge a complaint with the supervisory authority, the source of these data, automated decision-making, including profiling, and safeguards applied in connection with the transfer of these data outside the European Union;

c. obtain a copy of their personal data.

6. Right to rectification of data - legal basis: Art. 16 GDPR.

a) The Customer has the right to request the Administrator to promptly rectify their personal data that are incorrect. Taking into account the purposes of processing, the Customer has the right to request the completion of incomplete personal data, including by submitting an additional statement, by sending a request to the email address in accordance with §7 of the Privacy Policy.

7. Right to data portability - legal basis: Art. 20 GDPR.

a) The Customer has the right to receive their personal data provided to the Administrator and then send them to another data controller chosen by themselves. The Customer also has the right to request that personal data be sent by the Administrator directly to such a controller, if technically feasible. In such a case, the Administrator will send the Customer's personal data in the form of a csv file, which is a commonly used, machine-readable format and allows the received data to be transferred to another data controller.

8. In the event that the Customer exercises the rights resulting from the above, EXIMIA COMPANY Sp. z o.o. fulfills the request or refuses to fulfill it immediately, but no later than within one month of receiving it. If, due to the complicated nature of the request or the number of requests, EXIMIA COMPANY Sp. z o.o. cannot fulfill the request within one month, it will fulfill it within the next two months, informing the Customer in advance within one month of receiving the request about the intended extension of the deadline and its reasons.

9. The Customer may submit complaints, inquiries, and requests to the Administrator regarding the processing of their personal data and the exercise of their rights.

10. The Customer has the right to request EXIMIA COMPANY Sp. z o.o. to provide a copy of standard contractual clauses by sending an inquiry as indicated in §7 of the Privacy Policy.

11. The Customer has the right to lodge a complaint with the President of the Personal Data Protection Office regarding the violation of their rights to personal data protection or other rights granted under GDPR.

§ 5 Services tailored to preferences and interests (profiling)

1. Profiling means any form of automated processing of Personal Data that involves the use of Personal Data to evaluate certain personal factors of a Natural Person, in particular to analyze or predict aspects concerning the work performance of that Natural Person, their economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

2. Customers' personal data may be processed in an automated manner (profiling), but this will not have any legal effects or similarly significantly affect the Customers' situation.

3. Profiling of personal data by EXIMIA COMPANY Sp. z o.o. consists of processing Customers' data in an automated and manual manner, by using them to assess certain information about the Customer, in particular to analyze or predict their personal preferences and interests.

4. In order to reach the Customer with marketing communications via the Online Store website, EXIMIA COMPANY Sp. z o.o. uses its own cookies mechanisms to collect information about the Customer's activity on the Online Store website. Details regarding the use of cookies are set out in §3. Legal basis: legitimate interest (Art. 6(1)(f) GDPR), consisting in tailoring marketing communications to preferences and interests.

§ 6 Security management - password

1. EXIMIA COMPANY Sp. z o.o. provides Customers with a secure and encrypted connection when transmitting personal data and when logging into the Customer Account in the Service. EXIMIA COMPANY Sp. z o.o. uses an SSL certificate issued by one of the world's leading companies in the field of security and encryption of data transmitted over the Internet.

2. If a Customer with an account in the Store has lost their access password in any way, the Online Store allows the generation of a new password. EXIMIA COMPANY Sp. z o.o. does not send password reminders. The password is stored in the database in encrypted form, making it impossible to read. To generate a new password, you must provide your email address in the form available under the "Remind password" link provided at the login form to the account in the Online Store. The new password will be automatically sent to the email address provided during registration or saved in the last profile change.

3. EXIMIA COMPANY Sp. z o.o. never sends any correspondence, including electronic correspondence, requesting login data, especially the access password to the Customer's account.

§ 7 Changes to the Privacy Policy

1. The Privacy Policy may change, about which EXIMIA COMPANY Sp. z o.o. will inform Customers 7 days in advance.

2. Questions regarding the Privacy Policy should be sent to: [email protected]

3. Date of last modification: 01.08.2025.