Privacy Policy

Data Protection and Privacy Policy

Data protection is a matter of trust and we would like to reassure you that your data are in good hands with us. The protection and legally compliant collection, processing and use of your data is an important matter to us, so that your privacy is respected.

To make you feel safe when visiting the BusyNosesShop.com online shop, this Data Protection and Privacy Policy will inform you about:

  • what data we collect when you use the BusyNosesShop.com online shop;
  • the purpose for which we collect your data;
  • your rights and settings options, in particular how you can object to your data being processed and how you can withdraw any consents you may have given.

1. Which company is responsible for the BusyNosesShop.com online shop?

The controller responsible for processing your data in terms of the European General Data Protection Regulation (GDPR) when you use the BusyNosesShop.com online shop is

Busy Noses Barbara Mińska
Aluzyjna 21E/107
03-149 Warsaw
Poland

Therefore, “we,” “us,” “Busy Noses” as used hereinafter shall mean Busy Noses Barbara Mińska as the operator of the BusyNosesShop.com online shop. For further details about our company and contact details, please refer to our legal details.

2. What data we collect

2.1 When you visit our website

You can visit the BusyNosesShop.com online shop without providing information about yourself. In that case, we will collect the technical access data that your browser will transmit automatically to our server when you browse our websites. Access data include the following information, in particular:

  • Time and date of access
  • Address of the accessed website and of the accessing website
  • Content of the Request (addresses and names of the requested files)
  • Information on the browser and operating system used (versions, language settings)
  • Online identification data (e.g. IP address, device identification, session IDs)
  • Error messages, where applicable (if the requested content cannot be displayed)
  • Last visited page from where you were redirected to a page of the BusyNosesShop.com online shop via a link

When visiting our website, your access data will be automatically stored in our server’s log files and subsequently anonymized by abbreviating or deleting your IP address. It will then no longer be possible to draw conclusions as to your person based on the server log files.

Moreover, when you visit the BusyNosesShop.com online shop we will also collect such data that you provide directly by using the functions provided. We will, for example, learn about the products that you are interested in when you use the search function.

2.2 Cookies

We use cookies in the BusyNosesShop.com online shop. Such cookies may be BusyNosesShop.com cookies or third-party cookies. A cookie is a standardized text file that is kept on your computer by your web browser for a period of time as predefined by the respective provider. Cookies enable us to locally store information such as language settings, shopping cart contents and temporary identification features that may be called up during subsequent website visits in order to reload the respective settings. You can review and delete the cookies used in the security settings of your browser. You can configure your browser settings according to your preferences and, for example, refuse to accept third-party cookies or any cookies. Please note that in this case you may not be able to use all features of our website.

Our own BusyNosesShop.com cookies are meant to make your website visit more user-friendly and safer.

We use third-party cookies for web analyses and advertising purposes. For more detailed information please refer to sections 6 and 7 in this Data Protection and Privacy Policy.

2.3 When you register for a BusyNosesShop.com account

Of course, you do not have to create a personal BusyNosesShop.com account but can shop as a guest in our BusyNosesShop.com online shop. However, registration with our online shop can make future shopping with us easier and provide a more customized, simpler shopping experience. For example, your address data, payment methods, and delivery service provider are pre-selected for your next order. For example, we can store the data related to your account (e.g. order data and the products you have viewed) in our customer database and use such connected data to show you personalized product recommendations and more relevant search results that are geared towards your former shopping interests.

If you register for a BusyNosesShop.com account, we will provide you with direct password protected access to your master data (e.g. BusyNosesShop.com customer number, name, address, date of birth, telephone number, e-mail address, payment data), order data (ordered products, item numbers, size information), and other information stored by us. Normally, any mandatory information required for registration is marked separately, e.g. with an asterisk (“*”). If we are asking for optional information, we will inform you about why we are collecting such information. For security reasons, we will also briefly store your IP address used during registration.

You can delete your BusyNosesShop.com account and any data stored therein at any time. To do so, please send us an informal notice (e.g. via e-mail) to office@busynosesshop.com or use our contact form. Please note: Deletion of your account does not automatically extend to the order processes and the personal data stored for this purpose (cf. section 6: For how long will my data be stored?).

2.4 When you place an order with the BusyNosesShop.com online shop

We will collect data about the products you order. We will also store data that accrue directly in connection with the execution of your orders. Order data include the following, in particular:

  • Information on the products ordered, such as item numbers and size
  • Email address
  • Invoice and delivery address
  • Payment data
  • Information on payment behavior and creditworthiness data that we may receive from credit agencies about you
  • Details on returns and complaints (e.g. reasons for return, notice of defects)
  • Order numbers
  • Shippers’ tracking numbers (e.g. Polish Mail)

Even if you place several orders as a guest and use identical master data, our systems will keep your data in a uniform customer data record to facilitate maintenance of our customer database. If you use such master data at a later point in time to register for a BusyNosesShop.com account we can link your customer data record to your account to enable you to access your former orders.

If you have purchased goods and services from us, we are also entitled to send you information about our own similar goods and services via the e-mail address sent when you made the purchase (§ 7 III UWG, the German Fair Trade Practices Act). You can object to this use of your e-mail address at any time, either to cover all merchandising of our goods and services in general or for individual merchandising measures, e.g. by e-mail, without incurring any costs other than the transmission costs according to the basic rates.

2.5 When you contact us

We will collect the communication data that accrues when you contact us via a contact form on our website, via email, by telephone, or other means. Depending on the channel you use, this may comprise for example your contact details (e.g. your email address or phone number) and the contents of your message.

3. For which purposes will my data be used by BusyNosesShop.com?

3.1 Provision of the BusyNosesShop.com online shop

When visiting the BusyNosesShop.com online shop websites, we will process the access data, server log files, and cookies that accrue in this context to provide you with our website and the contents and functions called up by you and to ensure stability and safety for our IT systems and databases.

Legal basis:

The legal basis when using the BusyNosesShop.com online shop with your BusyNosesShop.com account is Article 6 para. 1 lit. b GDPR (performance of a contract and taking of steps prior to entering into a contract).

The legal basis when using the BusyNosesShop.com online shop without registering is Article 6 para. 1 lit. f GDPR (weighing of interests based on our above-mentioned legitimate interests).

The overriding legal basis if you have consented to data processing is your consent (Article 6 para. 1 lit. a GDPR).

3.2 Contract performance, in particular purchasing process

We process your data in order to perform the contracts that we have concluded with you and to render the services you have requested. The purposes are based primarily on the specific contract contents or purpose of the services you have requested. You may find further details on the purposes of processing in the respective contract documents and terms and conditions, for example in our General Terms and Conditions. Examples include:

  • Set-up and provision of your account
  • Performance of purchase contracts
  • Non-promotional communication with you (e.g. safety information and changes related to contracts)

Legal basis:

The legal basis for this type of data processing is Article 6 para. 1 lit. b GDPR (performance of a contract and taking of steps prior to entering into a contract).

3.3 Personalization of the BusyNosesShop.com online shop

Information that we receive from you helps us to consistently improve your shopping experience and our service and to design it to be more customer-friendly and individual for you. The information transferred by you and automatically generated information (e.g. access, master, and order data, as well as search entries) are therefore used to personalize the contents in the BusyNosesShop.com online shop based on your interests and needs derived therefrom. We can thus make it easier for you, for example, to find products that are relevant for you more quickly (we can, for example, show products in the search results first that match the products saved in your wish list or that match categories that you select particularly often).

We also use this information for individual product recommendations, to the extent that they are part of our personalized service offers (e.g. customer account, consultation services).

Legal basis:

The legal basis when using the BusyNosesShop.com online shop or another personalized service with your BusyNosesShop.com customer account is Article 6 para. 1 lit. b GDPR (performance of a contract and taking of steps prior to entering into a contract).

When you use the BusyNosesShop.com online shop or another personalized service without logging in, the personalization is based on Article 6 para. 1 lit. f GDPR (weighing of interests based on our above-mentioned legitimate interest to provide you with personalized contents and product recommendations).

To the extent that the personalization is based on your consent, your consent constitutes the prevailing legal basis (Article 6 para. 1 lit. a GDPR).

You do not want personalization?

If you do not want us to use your master and order data for the personalization during your visit in the BusyNosesShop.com online shop, you can log out of your personal customer account at any time and use the BusyNosesShop.com online shop as a guest. Then, we will no longer consider the data from your BusyNosesShop.com customer account for the personalization. The personalization is then exclusively based on your access data, which we collect as part of the web analysis (section 4) during your visit.

If you do not want us to do this either, you can deactivate the personalization based on your access data at any time by deactivating the web analysis services mentioned in section 4.

You can also find detailed notes regarding your data protection rights and selection options in section 7 (Your data protection rights) and section 8 (Rights of withdrawal and objection).

3.4 Customer service and communication under existing customer relationships

We will process your data as part of our customer service. This will include the following, for example:

  • Processing of your concerns and requests by our BusyNosesShop.com customer service
  • Non-promotional communication with you (e.g. safety information and technical support)

Legal basis:

The legal basis for this type of data processing is Article 6 para. 1 lit. b GDPR (performance of a contract and taking of steps prior to entering into a contract).

3.5 Payment processing

Depending on the payment method agreed, the data necessary for payment processing (e.g. direct debit or credit card data) will be passed on to the respective payment service provider. Some of the payment service providers will collect such data on their own authority, in which case their respective privacy notices will apply.

The transmission of your data to external payment service providers is based on Article 6 para. 1 lit. b GDPR (contract performance).

If you choose to pay by credit card in the check-out process, your credit card company will carry out a two-factor risk/authentication check.

In the first step, the following data will be sent to the credit card company:

  • Your name (title, first name, surname)
  • Your address
  • Delivery address if this is different
  • Your email address.

If the transmitted data indicates discrepancies that could indicate an increased risk, a second check level follows, in which case additional interaction with the cardholder is required (request of a second factor, such as a password or PIN entry).

1. Data recipient

Recipients are Stripe, PayPal, Przelewy24 and the banks involved (the issuing bank – the issuer – and our bank as a bank that accepts credit cards – the acquirer).

2. Purpose and legal basis of data processing

Data transmission takes place for the following purposes and is based on the following legal bases:

a) Contract execution

You have signed a contract with us and, on check-out, have selected a specific payment method, which requires the transmission of certain data to complete the payment.

Legal basis: Article 6(1)(1)(b) GDPR.

b) Customer authentication obligations

For credit card payments, we are obliged to transfer the above-mentioned data.

Legal basis: Article 6(1)(1)(c) GDPR in conjunction with the corresponding provisions of EU Directive 2015/2366 (PSD 2) or the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG).

c) Preventing card misuse

With contracts that contain a credit risk or where the counterparty may fear a potential payment default, there is a legitimate interest in minimising this risk through additional authentication.

Legal basis: Article 6(1)(1)(f) GDPR

3. Intention of the controller to transmit the personal data to a third country or to an international organisation

Data transfer to third countries can potentially occur in cases where the banks involved (firstly, the card-issuing bank – the issuer – and secondly the merchant’s bank that accepts credit cards – the acquirer) are located in third countries.

This transmission is permitted under Art. 49 GDPR.

4. Information about whether the personal data must be provided by law or under contract or to conclude a contract, whether the data subject must provide the personal data, and what the potential consequences of not providing that data are

In the context of the chosen payment method we are obligated to provide the personal information needed for the legally required customer authentication. The consequence of not providing that information would be denial of the selected payment type.

5. The existence of automated decision-making, including profiling according to Article 22 Paragraphs 1 and 4 and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.

An automated authentication or risk assessment takes place. An analysis software calculates a score for each transaction, based on the transmitted data. If a transaction is classified as low risk, it is approved without the cardholder being asked to enter an additional code. One result may be failure of the authentication and denial of the chosen payment method.

You want to object to your credit card data being stored?

If you do not want your credit card data to be stored, you can object at any time by sending us an informal notice to the address or email address provided under section 1 above. In this case, you will have to re-enter your credit card details for each purchase.

Our payment service provider for payments via PayPal is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (“PayPal”).

Our payment service provider for payments via Przelewy24 is PayPro SA, ul. Pastelowa 8, 60-198 Poznań.

Our payment service provider for payments via Stripe is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland.

3.6 Internal market research, optimization, and enhancement of our offer

We will use your access data and the data you provide (e.g. master data, order data, returns data) for internal statistical purposes and market research purposes. Prior to that we will pseudonymize or anonymize your data, for example by replacing your name and other data suitable for identification with random data.

That way we can learn, for example, which of our shop pages and products are particularly popular, which devices our customers use in general, and which regions our website is accessed from. This information helps us to continuously optimize our existing offer and to develop new functions and services.

Legal basis:

The legal basis for this type of data processing is Article 6 para. 1 lit. f GDPR (weighing of interests based on our above-mentioned legitimate interests).

3.7 Processing for consented purposes

The overriding legal basis if you have consented to the processing of your data for specific purposes is your consent (Article 6 para. 1 lit. a GDPR).

Withdrawal of consents

Article 7 para. 3 GDPR gives you the right to withdraw any consent once given at any time. This means that in future we will no longer continue data processing that was based on your consent. The withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal.

4. Web analysis

4.1 Google Analytics

Our website uses the web analysis function “Google Analytics” provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses cookies valid for a period of 14 months to collect your access data when visiting our website. Google combines the access data on our behalf into pseudonymous user profiles and transmits them to a Google server located in the U.S. after first anonymizing your IP address. Therefore, we cannot determine which user profiles are associated with a specific user. This means that we can neither identify nor determine how you use our website based on the data collected by Google. Google has moreover submitted to the EU-US Privacy Shield in case that personal data is to be transmitted to the U.S. in exceptional cases. Google has thus undertaken to guarantee the European data privacy principles and the present data privacy level also during data processing in the U.S.

Google will use the information collected through cookies on our behalf to analyze use of our website, to compile reports on the website activities, and to provide other services relating to website use and Internet use for us. You may also find further information in the Google Analytics Privacy Policy.

You can object to such web analysis by Google at any time by using one of the following options:

  • You can set your browser to block Google Analytics cookies.
  • You can adjust your Google ads settings in Google.
  • You can use an opt-out cookie by clicking here: Google Analytics Opt-out
  • You can install the opt-out plugin provided by Google under http://www.google.com/settings/ads/plugin in your Firefox, Internet Explorer, or Chrome browser (does not work for mobile devices).

The legal basis for this type of data processing is Article 6 para. 1 lit. a GDPR (your consent).

5. With whom will my data be shared?

Basically, we will share your data only if:

  • you have expressly consented to this under Article 6 para. 1 lit. a GDPR,
  • sharing is necessary under Article 6 para. 1 lit. f GDPR in order to assert, exercise, or defend legal claims, and there is no reason to assume that you have an overriding legitimate interest in your data not being shared,
  • sharing is necessary for compliance with a legal obligation in terms of Article 6 para. 1 lit. c or e GDPR, in particular if we are required to provide information to a public authority, or
  • sharing is permitted by law and necessary under Article 6 para. 1 lit. b GDPR in order to perform a contract with you or take steps at your request prior to entering into a contract.

Some of the data processing described herein may be performed by external service providers acting on our behalf. The service providers mentioned herein may include, in particular, computer centers storing and maintaining our website and databases, IT service providers servicing our systems as well as consulting companies.

If and insofar as we share data with our service providers, such data may be used only to perform their tasks and duties. Processing of your data by commissioned service providers will take place within the scope of order processing in terms of Article 28 GDPR. Service providers were carefully selected and commissioned by us. They are contractually bound by our instructions, have implemented adequate technical and organizational measures to protect the rights of the data subjects, and are subject to regular controls performed by us.

If and insofar as your data is shared with a service provider located outside the European Economic Area (EEA), we will inform you separately thereof and of the specific guarantees on which the data transfer is based, if necessary. Please contact our data protection officer if you wish to receive copies of guarantees as proof of reasonable data protection (cf. section 1).

6. For how long will my data be stored?

Unless otherwise provided herein, your data will be stored only for as long as necessary to fulfill our contractual or statutory obligations or the purposes for which the data was originally collected or for as long as we have a legitimate interest in storing such data.

In all other cases your personal data will be deleted, except for such data that we must keep to comply with statutory retention periods. However, in such cases we will restrict data processing, i.e. your data will only be used to comply with statutory obligations.

If you decide to cancel or delete your BusyNosesShop.com account, all personal data stored therein will be deleted. If and insofar as your data cannot or does not have to be deleted completely for legal reasons, the data concerned will be restricted for further processing. Normally, your order and payment data and other data, if applicable, will be subject to statutory retention obligations, for example under the German Commercial Code and German Tax Code. We are hence obligated to retain such data for up to 10 years.

Even if your data is not subject to statutory retention obligations, we may refrain from deleting your data in cases permitted by law and restrict its processing instead. This may apply, in particular, in those cases where the data concerned may be required for further contract processing or to assert rights or for legal defense purposes. The duration of restriction of processing will depend on the statutory limitation periods.

7. Your data protection rights

You may contact our data protection officer at any time to exercise your statutory data protection rights described hereinafter (cf. section 1):

You always have the right to obtain information about our processing of your personal data. When providing such information, we will explain our data processing process and provide you with an overview of your personal data we store.

If any of the data we store is incorrect or no longer current, you have the right to have such data rectified.

You can also demand that your data be erased. If erasure is not possible in exceptional cases due to other legal provisions, the data will be blocked such as to be available only for said statutory purpose.

You can also restrict the processing of your data, e.g. if you think that the data stored by us is not correct.

You have a right to data portability, i.e. we will provide you with a digital copy of the personal data you have provided, at your request.

You also have the right to lodge a complaint with a data protection supervisory authority. Our competent supervisory authority is UODO, Stawki 2, 00-193 Warsaw, Poland.

8. Right of withdrawal and objection

If you wish to exercise your right of withdrawal or objection below, please send us an informal notice to the contact addresses mentioned in section 1 above.

Withdrawal of consents

Article 7 para. 3 GDPR gives you the right to withdraw any consent once given at any time. This means that in future we will no longer continue data processing that was based on your consent. The withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal.

Objection to the processing of your data

If and insofar as we process your data based on legitimate interests pursuant to Article 6 para. 1 lit. f GDPR, you have the right under Article 21 GDPR to object to our processing of your data if there are reasons for this that follow from your particular situation or if the objection is directed against direct advertising. In the latter case, you have a general right of objection that will be complied with even if you fail to provide reasons.

9. Data security

We have adequate technical measures in place to ensure data security, in particular to protect your data against risks during data transmission as well as against unauthorized access by third parties. These measures will be adjusted from time to time in line with the state of the art. To secure the personal data you provide on our website we use transport layer security (TLS) which encrypts the data you provide.

10. Changes to this Data Protection and Privacy Policy

We will update this Data Protection and Privacy Policy occasionally, for example when we adjust our website or when the statutory or official provisions change. Material changes will be documented in this Data Protection and Privacy Policy, and we will procure our customers’ consent, if necessary.