Privacy policy
Last update date: 18 December 2023
1. GENERAL PROVISIONS
1.1. We are concerned about your privacy and the security of your personal data and have therefore
prepared this privacy policy (hereinafter – the Privacy Policy), which explains how we process and
protect your personal data, what your rights are, and provides other information about the processing of your personal data.
1.2. For the purposes of this Privacy Policy, the term “personal data“ (hereinafter – the Personal Data)
means any information or a set of information from which we can directly or indirectly identify you,
such as your name, surname, email address, telephone number, order information, etc.
1.3. In processing your Personal Data, we comply with the requirements of the General Data Protection Regulation 2016/679 (EU) (hereinafter – the GDPR) and other data protection legislation, as well as with the instructions of the supervisory authorities.
1.4. This Privacy Policy applies when you visit our online shop at http://www.gafaro.com (hereinafter = the Website), our social media accounts founder Instagram @justinagafaro; TikTok bygafaro, Instagram @bygafaro and Facebook GAFARO COSMETICS (hereinafter – the Social Media Accounts), view the information we provide to you, order the goods or services we offer you, contact us by phone or through email, enquire about our offers, or ask any other questions.
1.5. The Website may contain links to external websites, such as those of our business partners or websites advertising our services. If you follow any of the third party links on the Website, please note that these websites have their own separate privacy policies and that this Privacy Policy does not apply to them. Please review their privacy policies before submitting your Personal Information to these websites. Before you use third party services, they may ask for your permission to process your Personal Data.
1.6. If you order goods or services from us, use the Website, visit our Social Media Accounts, contact us, subscribe to our newsletters, we will assume that you have read and agreed to the terms of the Privacy Policy and the purposes, uses and procedures for using your Personal Data as set out in it. If you do not agree to the Privacy Policy, you may not use the Website, Social Media Accounts, or contact us about our service offers.
1.7. This Privacy Policy is subject to change, so please visit the Website from time to time to read the
latest version of the published Privacy Policy.
2. WHO ARE WE?
2.1. The controller of your personal data is GAFARO COSMETICS, address: 32-34 Avenue Kléber, 75016 Paris, France (hereinafter – the Seller or we).
2.2. We operate the Website and the Social Media Accounts.
3. WHAT PERSONAL DATA DO WE PROCESS ABOUT YOU?
3.1. We process your Personal Data obtained in the following ways:
3.1.1. When you provide your Personal Data to us, for example, by registering on the Website,
ordering our goods or services, contacting us by email or telephone, etc.;
3.1.2. When we collect your Personal Data when you use the Website, Social Media Accounts, for
example, your IP address, the history of visiting the Website, preferences, URL links opened,
etc.;
3.1.3. Where we receive the Personal Data from other persons, for example, where we receive
information from public registers, state or local government authorities or bodies, our
partners, other third parties such as payment institutions, about the payments made, etc;
3.1.4. where your Personal Data is provided to us by other persons with your consent, including
where your data is provided by companies (your employers), for example, by providing your
contact details for the receipt of goods or services, by naming you as the recipient of the
goods or services or as an authorised person, etc.
3.2. We process your Personal Data in order to offer and sell goods to you, to offer and provide services to you, to fulfil our contractual obligations to you, to pursue our legitimate interests or the legitimate interests of third parties, or to comply with any legal requirements or obligations.
3.3. By providing your Personal Data to us, you are responsible for the accuracy, completeness and
timeliness of that Personal Data. Where you provide the Personal Data about other persons (for
example), you are responsible for the accuracy, completeness and timeliness of such Personal Data, as well as for the consent of such person to the provision of their Personal Data to us. When you provide such data, we may ask you to confirm that you have the right to provide it (for example, by completing forms for ordering services or registering on the Website). Where necessary (for example, where such person enquires about our receipt of his or her Personal Data), we will identify you as the provider of such data.
3.4. We process your Personal Data for the following purposes and under the following conditions:
3.4.1. The Purpose: registration on the Website, use of the registered user account and user identification.
3.4.1.1. The Personal Data processed: the first name, surname, username,
Facebook/Google account name and profile picture, gender in the profile,
email, password, telephone number, address, account No., list of favourite
products, history of visits to the account, history of use of the account, and
content associated with the account;
3.4.1.2. The time limits of the processing of Personal Data: during the period of use of
the account and for 5 years from the last access to the account, and in case of
withdrawal of consent, until the expiry of the consent (where the data is
processed on the basis of consent);
3.4.1.3. The legal basis for the processing of Personal data: 1) the data subject’s
consent to such processing (Article 6(1)(a) of the GDPR); 2) the processing is
necessary for the conclusion and performance of a contract (Article 6(1)(b) of
the GDPR); 3) the legitimate interests of the data controller or a third party
(Article 6(1)(f) of the GDPR).
3.4.2. The Purpose: sale of goods, including the delivery of goods, provision of services.
3.4.2.1. The Personal Data processed: the first name, surname, username,
Facebook/Google account name and profile picture, gender in the profile,
email, password, telephone number, address, account No., credit institution,
relationship with the legal entity represented, order history, shopping cart
history, payment history, other information necessary for the provision of
services;
3.4.2.2. The time limits of the processing of Personal Data: during the validity period of
the contract and not longer than 5 years after the performance of the
contract, and in case of withdrawal of consent, until the expiry of the consent
(where the data is processed on the basis of consent);
3.4.2.3. The legal basis for the processing of Personal data: 1) the data subject’s
consent to such processing (Article 6(1)(a) of the GDPR); 2) the processing is
necessary for the conclusion and performance of a contract (Article 6(1)(b) of
the GDPR); 3) the legitimate interests of the data controller or a third party
(Article 6(1)(f) of the GDPR).
3.4.2.1. The Personal Data processed: the first name, surname, username,
Facebook/Google account name and profile picture, gender in the profile,
email, password, telephone number, address, account No., credit institution,
relationship with the legal entity represented, order history, shopping cart
history, payment history, other information necessary for the provision of
services;
3.4.2.2. The time limits of the processing of Personal Data: during the validity period of
the contract and not longer than 5 years after the performance of the
contract, and in case of withdrawal of consent, until the expiry of the consent
(where the data is processed on the basis of consent);
3.4.2.3. The legal basis for the processing of Personal data: 1) the data subject’s
consent to such processing (Article 6(1)(a) of the GDPR); 2) the processing is
necessary for the conclusion and performance of a contract (Article 6(1)(b) of
the GDPR); 3) the legitimate interests of the data controller or a third party
(Article 6(1)(f) of the GDPR).
3.4.3. The Purpose: fulfilling warranty obligations, managing product quality issues.
3.4.3.1. The Personal Data processed: the first name, surname, username,
Facebook/Google account name and profile picture, gender in the profile,
email, password, telephone number, address, account No., credit institution,
relationship with the legal entity represented, order history, payment history,
other information necessary for the warranty service or the resolution of
product quality issues;
3.4.3.2. The time limits of the processing of Personal Data: during the issue
administration period and for 5 years after the completion of the issue
administration or the last contact;
3.4.3.3. The legal basis for the processing of Personal data: 1) the processing is
necessary for the conclusion and performance of a contract (Article 6(1)(b) of
the GDPR); 2) the legitimate interests of the data controller or a third party
(Article 6(1)(f) of the GDPR).
3.4.3.1. The Personal Data processed: the first name, surname, username,
Facebook/Google account name and profile picture, gender in the profile,
email, password, telephone number, address, account No., credit institution,
relationship with the legal entity represented, order history, payment history,
other information necessary for the warranty service or the resolution of
product quality issues;
3.4.3.2. The time limits of the processing of Personal Data: during the issue
administration period and for 5 years after the completion of the issue
administration or the last contact;
3.4.3.3. The legal basis for the processing of Personal data: 1) the processing is
necessary for the conclusion and performance of a contract (Article 6(1)(b) of
the GDPR); 2) the legitimate interests of the data controller or a third party
(Article 6(1)(f) of the GDPR).
3.4.4. The Purpose: consultations on our services, administration of your enquiries.
3.4.4.1. The Personal Data processed: the first name, surname, username,
Facebook/Google account name and profile picture, gender in the profile,
email, password, telephone number, relationship with the legal entity
represented, history of acquisition of goods or use of services, and content of
enquiry and reply to enquiry;
3.4.4.2. The time limits of the processing of Personal Data: during the issue
administration period and for 5 years after the completion of the issue
administration or the last contact, and in case of withdrawal of consent, until
the expiry of the consent (where the data is processed on the basis of
consent);
3.4.4.3. The legal basis for the processing of Personal data: 1) the data subject’s
consent to such processing (Article 6(1)(a) of the GDPR); 2) the legitimate
interests of the data controller or a third party (Article 6(1)(f) of the GDPR).
3.4.4.1. The Personal Data processed: the first name, surname, username,
Facebook/Google account name and profile picture, gender in the profile,
email, password, telephone number, relationship with the legal entity
represented, history of acquisition of goods or use of services, and content of
enquiry and reply to enquiry;
3.4.4.2. The time limits of the processing of Personal Data: during the issue
administration period and for 5 years after the completion of the issue
administration or the last contact, and in case of withdrawal of consent, until
the expiry of the consent (where the data is processed on the basis of
consent);
3.4.4.3. The legal basis for the processing of Personal data: 1) the data subject’s
consent to such processing (Article 6(1)(a) of the GDPR); 2) the legitimate
interests of the data controller or a third party (Article 6(1)(f) of the GDPR).
3.4.5. The Purpose: drafting and implementing agreements necessary for our operations, and other
internal administration.
3.4.5.1. The Personal Data processed: the first name, surname, telephone number,
email, address, relationship with the legal entity where a legal entity is
represented, position, workplace, and other data necessary for cooperation;
3.4.5.2. The time limits of the processing of Personal Data: during the period of
provision of services / cooperation and for 5 years after the completion of the
provision of services / cooperation, unless a longer period is mandatory under
the applicable legal acts;
3.4.5.3. The legal basis for the processing of Personal data: 1) the processing is
necessary for the conclusion and performance of a contract (Article 6(1)(b) of
the GDPR); 2) the legitimate interests of the data controller or a third party
(Article 6(1)(f) of the GDPR).
3.4.6. The Purpose: financial transactions, financial accounting, debt management.
3.4.6.1. The Personal Data processed: the first name, surname, email, telephone
number, relationship with the legal entity where a legal entity is represented,
address, settlement account No, credit institution, payment information, debt
information, data transferred by a company / application administering the
collection of payments, and payment approvals;
3.4.6.2. The time limits of the processing of Personal Data: in accordance with the
governing legislation and where no storage period is specified in the
legislation, for the duration of the contract/cooperation between the parties
and for 10 years after the end of the contract/relationship (last contact).
Where the data do not fall within the above storage period, the duration of the
contract/cooperation between the parties and 10 years after the end of the
contract/relationship (last contact);
3.4.6.3. The legal basis for the processing of Personal data: 1) the processing is
necessary for the conclusion and performance of a contract (Article 6(1)(b) of
the GDPR); 2) the processing is necessary for compliance with a legal
obligation to which the data controller is subject (Article 6(1)(c) of the GDPR); 3) the legitimate interests of the data controller or a third party (Article
6(1)(f) of the GDPR).
3.4.7. The Purpose: Managing, operating, securing and improving the quality of electronic
information delivery channels (the Website, Social Media Accounts).
3.4.7.1. The Personal Data processed: 1) IP address, data collected via cookies and
settings, browser used, date and time of login, mobile device model and
manufacturer, mobile device operating system (iOS, Android), password usage
information; 2) data collected via the integration of Social Media Accounts;
3.4.7.2. The time limits of the processing of Personal Data: 1) Website data are stored
as set out in the Section Cookies and other tracking technologies of this
Privacy Policy; 2) Website data not covered by cookies are stored for a
maximum period of 1 year from the date of collection, unless the person
withdraws his/her consent (in the case of processing on the basis of consent);
and 3) the Social Media Accounts store the information under the conditions
established by the owner of this network;
3.4.7.3. The legal basis for the processing of Personal data: 1) the data subject’s
consent to such processing (Article 6(1)(a) of the GDPR); 2) the legitimate
interests of the data controller or a third party (Article 6(1)(f) of the GDPR).
3.4.8. The Purpose: sending news, conducting surveys, direct marketing.
3.4.8.1. The Personal Data processed: the first name, surname, email, telephone
number, the user preferences about the goods and services of interest, the
data requested in the survey advertisement / questionnaire;
3.4.8.2. The time limits of the processing of Personal Data: Personal Data are processed
for five years after the consent has been obtained;
3.4.8.3. The legal basis for the processing of Personal data: 1) the data subject’s
consent to such processing (Article 6(1)(a) of the GDPR); 2) the legitimate
interests of the data controller or a third party (Article 6(1)(f) of the GDPR).
internal administration.
3.4.5.1. The Personal Data processed: the first name, surname, telephone number,
email, address, relationship with the legal entity where a legal entity is
represented, position, workplace, and other data necessary for cooperation;
3.4.5.2. The time limits of the processing of Personal Data: during the period of
provision of services / cooperation and for 5 years after the completion of the
provision of services / cooperation, unless a longer period is mandatory under
the applicable legal acts;
3.4.5.3. The legal basis for the processing of Personal data: 1) the processing is
necessary for the conclusion and performance of a contract (Article 6(1)(b) of
the GDPR); 2) the legitimate interests of the data controller or a third party
(Article 6(1)(f) of the GDPR).
3.4.6. The Purpose: financial transactions, financial accounting, debt management.
3.4.6.1. The Personal Data processed: the first name, surname, email, telephone
number, relationship with the legal entity where a legal entity is represented,
address, settlement account No, credit institution, payment information, debt
information, data transferred by a company / application administering the
collection of payments, and payment approvals;
3.4.6.2. The time limits of the processing of Personal Data: in accordance with the
governing legislation and where no storage period is specified in the
legislation, for the duration of the contract/cooperation between the parties
and for 10 years after the end of the contract/relationship (last contact).
Where the data do not fall within the above storage period, the duration of the
contract/cooperation between the parties and 10 years after the end of the
contract/relationship (last contact);
3.4.6.3. The legal basis for the processing of Personal data: 1) the processing is
necessary for the conclusion and performance of a contract (Article 6(1)(b) of
the GDPR); 2) the processing is necessary for compliance with a legal
obligation to which the data controller is subject (Article 6(1)(c) of the GDPR); 3) the legitimate interests of the data controller or a third party (Article
6(1)(f) of the GDPR).
3.4.7. The Purpose: Managing, operating, securing and improving the quality of electronic
information delivery channels (the Website, Social Media Accounts).
3.4.7.1. The Personal Data processed: 1) IP address, data collected via cookies and
settings, browser used, date and time of login, mobile device model and
manufacturer, mobile device operating system (iOS, Android), password usage
information; 2) data collected via the integration of Social Media Accounts;
3.4.7.2. The time limits of the processing of Personal Data: 1) Website data are stored
as set out in the Section Cookies and other tracking technologies of this
Privacy Policy; 2) Website data not covered by cookies are stored for a
maximum period of 1 year from the date of collection, unless the person
withdraws his/her consent (in the case of processing on the basis of consent);
and 3) the Social Media Accounts store the information under the conditions
established by the owner of this network;
3.4.7.3. The legal basis for the processing of Personal data: 1) the data subject’s
consent to such processing (Article 6(1)(a) of the GDPR); 2) the legitimate
interests of the data controller or a third party (Article 6(1)(f) of the GDPR).
3.4.8. The Purpose: sending news, conducting surveys, direct marketing.
3.4.8.1. The Personal Data processed: the first name, surname, email, telephone
number, the user preferences about the goods and services of interest, the
data requested in the survey advertisement / questionnaire;
3.4.8.2. The time limits of the processing of Personal Data: Personal Data are processed
for five years after the consent has been obtained;
3.4.8.3. The legal basis for the processing of Personal data: 1) the data subject’s
consent to such processing (Article 6(1)(a) of the GDPR); 2) the legitimate
interests of the data controller or a third party (Article 6(1)(f) of the GDPR).
3.4.9. The Purpose: organising promotional competitions, games and promotions, conducting
surveys.
surveys.
3.4.9.1. The Personal Data processed: the first name, surname, Facebook / Google
account name and profile image, gender in the profile, personal identification
code (where necessary), telephone number, email, the data requested in the
advertisement / questionnaire of a competition, promotion or game, and other
content provided by the person;
3.4.9.2. The time limits of the processing of Personal Data: Personal data is stored for
the duration of the game, promotion, competition and for 1 year after the end
of the game, promotion, competition or survey;
3.4.9.3. The legal basis for the processing of Personal data: 1) the data subject’s
consent to such processing (Article 6(1)(a) of the GDPR); 2) the legitimate
interests of the data controller or a third party (Article 6(1)(f) of the GDPR).
3.4.10. The Purpose: resolution of disputes and claims.
3.4.11. The Personal Data processed: the first name, surname, Facebook / Google
account name and profile image, gender in the profile, personal identification
code (where necessary), telephone number, email, content of claim or any
other similar document, and information / documents related to the dispute /
claim;
3.4.12. The time limits of the processing of Personal Data: for the entire duration of
the dispute/claim and for 3 years after the end of the out-of-court hearing of a
dispute/claim and for 10 years after the end of the court proceedings;
3.4.13. The legal basis for the processing of Personal data: 1) the processing is
necessary for compliance with a legal obligation to which the data controller is subject (Article 6(1)(c) of the GDPR); 2) the legitimate interests of the data
controller or a third party (Article 6(1)(f) of the GDPR). You have the right to object to or withdraw your consent to the processing of your data at any time where the
processing is based on your consent.
account name and profile image, gender in the profile, personal identification
code (where necessary), telephone number, email, the data requested in the
advertisement / questionnaire of a competition, promotion or game, and other
content provided by the person;
3.4.9.2. The time limits of the processing of Personal Data: Personal data is stored for
the duration of the game, promotion, competition and for 1 year after the end
of the game, promotion, competition or survey;
3.4.9.3. The legal basis for the processing of Personal data: 1) the data subject’s
consent to such processing (Article 6(1)(a) of the GDPR); 2) the legitimate
interests of the data controller or a third party (Article 6(1)(f) of the GDPR).
3.4.10. The Purpose: resolution of disputes and claims.
3.4.11. The Personal Data processed: the first name, surname, Facebook / Google
account name and profile image, gender in the profile, personal identification
code (where necessary), telephone number, email, content of claim or any
other similar document, and information / documents related to the dispute /
claim;
3.4.12. The time limits of the processing of Personal Data: for the entire duration of
the dispute/claim and for 3 years after the end of the out-of-court hearing of a
dispute/claim and for 10 years after the end of the court proceedings;
3.4.13. The legal basis for the processing of Personal data: 1) the processing is
necessary for compliance with a legal obligation to which the data controller is subject (Article 6(1)(c) of the GDPR); 2) the legitimate interests of the data
controller or a third party (Article 6(1)(f) of the GDPR). You have the right to object to or withdraw your consent to the processing of your data at any time where the
processing is based on your consent.
3.5. We post information about ourselves and our activities on our Social Media Accounts, and we may organise games, competitions, promotions or surveys on these Social Media Accounts as well. In addition to this Privacy Policy, users of Social Media Accounts are also subject to the privacy policies and rules of the operators of the social networks where the Social Media Accounts are located. When you interact with us on Social Media Accounts, we may see certain of your account information depending on the privacy settings you have chosen for the social network, such as your profile name, surname, image, gender, email address and location, if you have made this information publicly available. If you post information when interacting with us on our Social Media Accounts, depending on the privacy settings you have chosen, the information you post may be made public (for example, displayed on our specific Social Media Account).
3.6. In some cases, we may send you messages relating to the ordering or provision of goods or services, for
example, we may inform you of the confirmation of an order for goods or services, the expiry date of
services ordered, reminders of changes in the provision of goods or services ordered. Such messages
are necessary for the proper execution of your orders. They are not considered to be promotional
communications.
3.7. You have the right to change and update the information you provide to us. In some cases (e.g. when fulfilling your orders, placing your adverts) it is necessary for us to have accurate up-to-date
information about you, and we may ask you to confirm periodically that the information we hold about you is correct.
4. HOW DO WE USE YOUR PERSONAL DATA AND WHAT PRINCIPLES DO WE FOLLOW?
4.1. We only collect and process the Personal Data that is necessary to achieve our stated purposes for the processing of Personal Data.
4.2. In processing your Personal Data, we:
4.2.1. comply with the requirements of the applicable and valid legislation, including the GDPR;
4.2.2. process your Personal Data in a lawful, fair and transparent manner;
4.2.3. We collect your Personal Data for specified, clearly defined and legitimate purposes and do
not process it in a way that is incompatible with those purposes, except to the extent
permitted by law;
4.2.4. We take all reasonable steps to ensure that the Personal Data that is not accurate or
complete in relation to the purposes for which it is processed is promptly rectified,
supplemented, suspended or erased;
4.2.5. We keep your Personal Data in a form which permits your identification for no longer than is
necessary for the purposes for which such data is processed;
4.2.6. We do not disclose Personal Data to third parties and will not make it publicly available,
other than as set out in the Privacy Policy or applicable law;
4.2.7. We ensure that your Personal Data is processed securely.
5. TO WHOM AND WHEN DO WE TRANSFER YOUR PERSONAL DATA?
5.1. We will only transfer your Personal Data as set out in this Privacy Policy.
5.2. We may transfer your Personal Data:
5.2.1. to our partners or consultants, such as auditors, lawyers, tax advisors, etc., as well as to the
processors of Personal Data who we employ, such as ancillary service providers, IT companies, companies providing advertising and marketing services, companies providing
financial accounting services, etc. We require data processors to store, process and handle
Personal Data as responsibly as we do and only according to our instructions. We have
engaged the following partners and data processors:
5.2.1.1. Financial accounting, financial and legal services: https://www.etl-global.com/
5.2.1.2. Collection of payments:
5.2.1.2.1. Stripe Inc. (USA and Ireland) (data are securely transferred in
accordance with the adequacy decision adopted by the
European Commission);
5.2.1.2.2. PayPal (Europe) S.à.r.l. et Cie, S.C.A. (Luxembourg), PayPal
Holdings Inc. (USA) (data are securely transferred to the
service provider by signing the EU Standard Contractual
Clauses for Data Transfers Outside the European Economic
Area as approved by the European Commission);
5.2.1.2.3. UAB Decentralized (https://coingate.com/);
5.2.1.2.4. BITCOINFORME, S.L. (https://bit2me.com/) ;
5.2.1.3. Logistics, parcel delivery – ShipAway.
5.2.1.4. In order to publish your content on our Social Media accounts, we provide data to the following social media platform operators:
5.2.1.4.1. LinkedIn Ireland Unlimited Company (Ireland);
5.2.1.4.2. LinkedIn Corporation (USA) (data are securely transferred in
accordance with the adequacy decision adopted by the
European Commission);
5.2.1.4.3. Meta Platforms Ireland Limited (Facebook) (Ireland);
5.2.1.4.4. Meta Platforms, Inc. (Facebook) (JAV) (data are securely
transferred to the service provider in accordance with the
adequacy decision adopted by the European Commission).
5.2.1.4.5. TikTok Technology Limited (Ireland).
5.2.1.4.6. TikTok Information Tecnologies UK Limited (United Kingdom)
(data are securely transferred to the service provider in
accordance with the adequacy decision adopted by the
European Commission).
5.2.2. We are continuously operating and improving the Website and the services we provide to
protect the security and confidentiality of the Personal Data we process and to enable us to
perform certain business-related functions to make our services accessible and functional.
For this reason, we send your profile data to the following service providers that provide
cloud and hosting services, IT security, maintenance and technical services and
communication services:
5.2.2.1. Amazon Web Services, Inc. (USA) (data are securely transferred to the service
provider in accordance with the adequacy decision adopted by the European
Commission);
5.2.2.2. Google Ireland Ltd. (Ireland), Google LLC (USA) (data are securely transferred
to the service provider in accordance with the adequacy decision adopted by
the European Commission);
5.2.2.3. Apple Distribution International (Ireland), Apple Inc. (USA) (data are securely
transferred to the service provider by signing the EU standard contractual
clauses for data transfers outside the European Economic Area, approved by
the European Commission);
5.2.2.4. Microsoft Ireland Operations Limited (Ireland), Microsoft Corporation (USA)
(data are securely transferred in accordance with the adequacy decision
adopted by the European Commission);
5.2.2.5. The hosting and server service provider – Shopify International Limited
(Ireland) Shopify Inc. (Canada) (data are securely transferred in accordance
with the adequacy decision adopted by the European Commission).
5.2.3. To state or local self-government bodies and institutions, law enforcement and pre-trial
investigation bodies, courts and other dispute resolution bodies, other persons exercising
functions assigned by law, in accordance with the procedure provided for by law. We
provide these entities with the information required by law or specified by the entities
themselves;
5.2.4. To other third parties, such as payment institutions, parcel delivery companies, etc;
5.2.5. Where appropriate, to companies that are considering buying or acquiring our business or
entering into joint ventures or other forms of cooperation with us, and to companies
established by us.
5.3. We usually process the Personal Data within the European Economic Area, but in some cases your Personal Data may be transferred outside the European Economic Area (hereinafter – the EEA). Your Personal Data is transferred outside the EEA only under the following conditions:
5.3.1. the data is transferred only to our trusted partners who ensure the provision of our services
to you;
5.3.2. we have signed data processing or provision agreements with such partners under which they
ensure the security of your Personal Data;
5.3.3. the European Commission has adopted an adequacy decision in favour of the country in
which our partner is established, i.e. an adequate level of protection is provided; arba
5.3.4. you have given your consent to the transfer of your Personal Data outside the European
Economic Area.
3.6. In some cases, we may send you messages relating to the ordering or provision of goods or services, for
example, we may inform you of the confirmation of an order for goods or services, the expiry date of
services ordered, reminders of changes in the provision of goods or services ordered. Such messages
are necessary for the proper execution of your orders. They are not considered to be promotional
communications.
3.7. You have the right to change and update the information you provide to us. In some cases (e.g. when fulfilling your orders, placing your adverts) it is necessary for us to have accurate up-to-date
information about you, and we may ask you to confirm periodically that the information we hold about you is correct.
4. HOW DO WE USE YOUR PERSONAL DATA AND WHAT PRINCIPLES DO WE FOLLOW?
4.1. We only collect and process the Personal Data that is necessary to achieve our stated purposes for the processing of Personal Data.
4.2. In processing your Personal Data, we:
4.2.1. comply with the requirements of the applicable and valid legislation, including the GDPR;
4.2.2. process your Personal Data in a lawful, fair and transparent manner;
4.2.3. We collect your Personal Data for specified, clearly defined and legitimate purposes and do
not process it in a way that is incompatible with those purposes, except to the extent
permitted by law;
4.2.4. We take all reasonable steps to ensure that the Personal Data that is not accurate or
complete in relation to the purposes for which it is processed is promptly rectified,
supplemented, suspended or erased;
4.2.5. We keep your Personal Data in a form which permits your identification for no longer than is
necessary for the purposes for which such data is processed;
4.2.6. We do not disclose Personal Data to third parties and will not make it publicly available,
other than as set out in the Privacy Policy or applicable law;
4.2.7. We ensure that your Personal Data is processed securely.
5. TO WHOM AND WHEN DO WE TRANSFER YOUR PERSONAL DATA?
5.1. We will only transfer your Personal Data as set out in this Privacy Policy.
5.2. We may transfer your Personal Data:
5.2.1. to our partners or consultants, such as auditors, lawyers, tax advisors, etc., as well as to the
processors of Personal Data who we employ, such as ancillary service providers, IT companies, companies providing advertising and marketing services, companies providing
financial accounting services, etc. We require data processors to store, process and handle
Personal Data as responsibly as we do and only according to our instructions. We have
engaged the following partners and data processors:
5.2.1.1. Financial accounting, financial and legal services: https://www.etl-global.com/
5.2.1.2. Collection of payments:
5.2.1.2.1. Stripe Inc. (USA and Ireland) (data are securely transferred in
accordance with the adequacy decision adopted by the
European Commission);
5.2.1.2.2. PayPal (Europe) S.à.r.l. et Cie, S.C.A. (Luxembourg), PayPal
Holdings Inc. (USA) (data are securely transferred to the
service provider by signing the EU Standard Contractual
Clauses for Data Transfers Outside the European Economic
Area as approved by the European Commission);
5.2.1.2.3. UAB Decentralized (https://coingate.com/);
5.2.1.2.4. BITCOINFORME, S.L. (https://bit2me.com/) ;
5.2.1.3. Logistics, parcel delivery – ShipAway.
5.2.1.4. In order to publish your content on our Social Media accounts, we provide data to the following social media platform operators:
5.2.1.4.1. LinkedIn Ireland Unlimited Company (Ireland);
5.2.1.4.2. LinkedIn Corporation (USA) (data are securely transferred in
accordance with the adequacy decision adopted by the
European Commission);
5.2.1.4.3. Meta Platforms Ireland Limited (Facebook) (Ireland);
5.2.1.4.4. Meta Platforms, Inc. (Facebook) (JAV) (data are securely
transferred to the service provider in accordance with the
adequacy decision adopted by the European Commission).
5.2.1.4.5. TikTok Technology Limited (Ireland).
5.2.1.4.6. TikTok Information Tecnologies UK Limited (United Kingdom)
(data are securely transferred to the service provider in
accordance with the adequacy decision adopted by the
European Commission).
5.2.2. We are continuously operating and improving the Website and the services we provide to
protect the security and confidentiality of the Personal Data we process and to enable us to
perform certain business-related functions to make our services accessible and functional.
For this reason, we send your profile data to the following service providers that provide
cloud and hosting services, IT security, maintenance and technical services and
communication services:
5.2.2.1. Amazon Web Services, Inc. (USA) (data are securely transferred to the service
provider in accordance with the adequacy decision adopted by the European
Commission);
5.2.2.2. Google Ireland Ltd. (Ireland), Google LLC (USA) (data are securely transferred
to the service provider in accordance with the adequacy decision adopted by
the European Commission);
5.2.2.3. Apple Distribution International (Ireland), Apple Inc. (USA) (data are securely
transferred to the service provider by signing the EU standard contractual
clauses for data transfers outside the European Economic Area, approved by
the European Commission);
5.2.2.4. Microsoft Ireland Operations Limited (Ireland), Microsoft Corporation (USA)
(data are securely transferred in accordance with the adequacy decision
adopted by the European Commission);
5.2.2.5. The hosting and server service provider – Shopify International Limited
(Ireland) Shopify Inc. (Canada) (data are securely transferred in accordance
with the adequacy decision adopted by the European Commission).
5.2.3. To state or local self-government bodies and institutions, law enforcement and pre-trial
investigation bodies, courts and other dispute resolution bodies, other persons exercising
functions assigned by law, in accordance with the procedure provided for by law. We
provide these entities with the information required by law or specified by the entities
themselves;
5.2.4. To other third parties, such as payment institutions, parcel delivery companies, etc;
5.2.5. Where appropriate, to companies that are considering buying or acquiring our business or
entering into joint ventures or other forms of cooperation with us, and to companies
established by us.
5.3. We usually process the Personal Data within the European Economic Area, but in some cases your Personal Data may be transferred outside the European Economic Area (hereinafter – the EEA). Your Personal Data is transferred outside the EEA only under the following conditions:
5.3.1. the data is transferred only to our trusted partners who ensure the provision of our services
to you;
5.3.2. we have signed data processing or provision agreements with such partners under which they
ensure the security of your Personal Data;
5.3.3. the European Commission has adopted an adequacy decision in favour of the country in
which our partner is established, i.e. an adequate level of protection is provided; arba
5.3.4. you have given your consent to the transfer of your Personal Data outside the European
Economic Area.
6. WHAT RIGHTS DO YOU HAVE?
6.1. As a data subject, you have the following rights in relation to your Personal Data:
6.1.1. To know (be informed) about the processing of your Personal Data (the right to know);
6.1.2. To know about your Personal Data and how it is processed (the right of access);
6.1.3. To request the rectification or, taking into account the purposes of the processing of your
Personal Data, the completion of incomplete Personal Data (the right to rectification);
6.1.4. To request the erasure of your Personal Data or the suspension of the processing of your
Personal Data (other than storage) (the right to erasure and the right to be forgotten);
6.1.5. To request us to restrict the processing of your Personal Data on one of the legitimate
grounds (the right to restrict);
6.1.6. The right to data portability (the right to portability). This right will only be exercised if
there are grounds for its exercise and appropriate technical measures in place to ensure that
the transfer of the requested Personal Data does not expose the data of others to the risk of
a security breach;
6.1.7. To object to the processing of your Personal Data where we process Personal Data on the
basis of our legitimate interest or that of a third party, including profiling. If you object, we
will only continue to process your Personal Data for compelling legitimate grounds which
override your interests, rights and freedoms or for the establishment, exercise or defence of
legal claims;
6.1.8. To withdraw your consent to the processing of your Personal Data where such data is
processed or intended to be processed for direct marketing purposes, including profiling in
relation to such direct marketing (based on the Personal Data you have provided, profiling
may be carried out for the purpose of direct marketing in order to provide you with
individually tailored solutions and offers. You may withdraw or object to the processing of
your Personal Data by automated processing, including profiling, at any time).
6.2. If you do not want your personal data to be processed for the purpose of direct marketing, games, promotions, competitions, surveys, including profiling, you may refuse such processing without giving reasons for your refusal (objection) by sending an email to: support@gafaro.com or by any other means indicated in the message provided to you (for example, by clicking on the relevant link in the newsletter).
6.3. We may refuse to exercise your rights listed above, except to object to the processing of your Personal Data for the purpose of direct marketing or in other cases where the processing of Personal Data is carried out with your consent, where we are not permitted to comply with the provisions of the GDPR at your request, or where, in the cases provided for by law, it is necessary to ensure the prevention, investigation and detection of criminal offences, breaches of professional or occupational ethics, and to protect the rights and freedoms enjoyed by the data subject, us and other persons.
6.4. You can exercise some of your rights as a data subject by directly changing the settings of your
account and the information you provide in it. You may submit any request or instruction relating to
the processing of your Personal Data to us in writing at: support@gafaro.com. When making such a
request, we may ask you to fill in the necessary forms in order to better understand the content of
your request, as well as to provide us with an identity document or other information that will help us verify your identity. If you submit your request by email, we may ask you to come to us or to submit your request in writing, depending on the content of your request.
6.5. Upon receipt of your request or instruction regarding the processing of your Personal Data, we will provide you with a response within no later than 1 month from the date of the request and will carry out the actions set out in the request, or inform you why we refuse to do so. If necessary, the time limit may be extended by a further 2 months, depending on the complexity and number of requests. In this case, we will inform you of the extension within 1 month of receipt of the request.
6.6. If Personal Data is erased at your request, we will only retain copies of the information that is
necessary to protect our legitimate interests and those of others, to comply with obligations of public authorities, to resolve disputes, to identify interference or to comply with any agreements you have entered into with us.
7. WILL WE SEND YOU NEWSLETTERS?
7.1. You can give us your consent if you would like to receive our offers and information about our services, activities and offers.
7.2. If you give your consent, we will send you news of your choice by email or by text message to the telephone number you have provided.
7.3. With your consent, we may, by email or by contacting the telephone number you have provided,
enquire about the quality of our services and support and invite you to complete quality assessment
questionnaires.
7.4. We will try not to abuse the right you have given us to share news. When we send out newsletters with your prior consent, we may collect information about the individuals who receive them, such as which message they opened, which links they clicked on, etc. This information is collected in order to provide you with more relevant and tailored news.
7.5. Your contact details may be passed on to our partners/data processors who provide us with
newsletters or quality assessment services.
7.6. Once you have consented to receive newsletters or to share your views on the quality of our services, you may withdraw your consent at any time as set out in Clause 6.2 of this Privacy Policy or in the manner specified in the message sent with the newsletter. We will then immediately stop sending newsletters according to your contact details.
7.7. Withdrawal of consent does not automatically oblige us to erase your Personal Data or to provide you with information about the Personal Data we process, and if you wish us to do the same, you must make such a request separately.
7.8. Our advertising partners use a variety of mobile and web cookies in order to show you more relevant personalised advertising. You will only be shown personalised advertising with your consent, which will be valid on all devices (Android, iOS, web, etc.). Personalised advertising cookies are used to measure the group, activate contextual advertising and/or targeted promotions. If you authorise the use of cookies, a user profile with a pseudonym will be generated, but it will not be possible to identify the person. We have no control over these third-party tracking technologies and their use. These service providers are subject to confidentiality agreements with us and other legal restrictions. Third-party cookies are governed by the privacy policy of those third parties. You can opt out of personalised cookies by changing your browser settings or in other ways that are set out in Section 10 of this Privacy Policy.
8. HOW WILL WE ORGANISE GAMES, PROMOTIONS AND COMPETITIONS?
8.1. Participation in any games, promotions or competitions we publish is optional. In order to participate
in a competition, game or promotion that we announce, you must provide the information that we
specify, including your Personal Data. Otherwise, you will not be able to participate in the game,
contest or promotion.
8.2. You have the right to refuse to participate in our games, competitions and promotions at any time and to withdraw your consent to the processing and use of your Personal Data for this purpose. You can do so by emailing us at: support@gafaro.com or by any other means (for example, by clicking on the relevant link in the email). If you withdraw your consent, you will be removed from the list of participants in the game, promotion or competition and will no longer participate in the game, promotion or competition.
8.3. If you participate in our games, competitions and promotions, we have the right to contact you using the contact details you have provided to us and/or to publish information about you as a winner on the Website, Social Media Accounts or any other information publishing channels we specify in the rules of the game, competition or promotion.
8.4. We may use a software application based on automated decision making to process game, promotion or competition registrations and/or determine winners. This will be notified in the rules of the game, promotion or competition or will be apparent from the links we provide. In this case, if you do not wish to be subject to automated decision-making, you will not be able to participate in the game, promotion or competition.
9. HOW DO WE PROTECT YOUR PERSONAL DATA?
9.1. Your Personal Data is processed responsibly and securely and is protected against loss, unauthorised use and alteration. We have put in place physical and technical measures to protect the information we collect from accidental or unlawful destruction, damage, alteration, loss, disclosure, as well as any other unauthorized processing. The security measures for Personal Data are determined taking into account the risks involved in the processing of Personal Data.
9.2. Our employees are under a written obligation not to disclose or distribute your Personal Data to third parties.
10. HOW DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
10.1. Cookies are small files that are stored on the browser of the device of the Website visitors when you browse websites. Other technologies, including data we store in your browser or device, identifiers associated with your device and other software may be used for similar purposes. Cookies are used extensively to make websites work or work better and more efficiently. For the purposes of this Policy, all such technologies are referred to as “cookies”.
10.2. We use cookies to analyse information flows and user behaviour, to promote trust and ensure security, to ensure the proper functioning of the Website, to improve the Website, to remember your
preferences, to personalise the content shown to you, and to link the Website to Social Media
Accounts.
10.3. You can choose whether to accept cookies. If you do not agree to cookies being placed on your
computer or the browser of any other device, you can tick the cookie consent bar, change the settings of the browser you are using, and disable cookies (either all at once, or one at a time, or in groups). If you wish to refuse cookies on your mobile device, you must follow the official instructions for that device. Please note that in some cases, refusing cookies may slow down your browsing speed, restrict the functionality of certain websites or block access to a website. Further information is available at: http://www.AllAboutCookies.org arba https://www.google.com/privacy_ads.html.
10.4. You can deactivate the use of third party cookies for advertising purposes by visiting the Network Advertising deactivation page at: http://www.networkadvertising.org/managing/opt_out.asp.
10.5. We may use required cookies which are necessary for the operation of the Website, analytical cookies, functional cookies which are designed to analyse the use of the Website, to remember users’ preferences and to tailor them to the Website so that we can provide enhanced functionality,
performance cookies, third party cookies used by third parties and advertising cookies which are
designed to show you personalised and generic advertising.
10.6. We use Google Analytics, a web analytics service provided by Google Inc, to analyse your use of the Website, to compile reports based on that analysis, and to plan and forecast the performance of the Website and the services. The data collected by Google Analytics is generally transmitted to and
stored by Google Inc. server in the USA. We have implemented IP anonymisation on the Website, so
that Google Inc. will hide your IP address in the EU Member States and other countries that are
signatories to the Agreement on the European Economic Area. You can prevent Google Analytics from analysing the information by changing your browser settings. In this case, an opt-out cookie will be stored for you. However, if you delete all cookies, the opt-out cookie may also be deleted. You can also prevent Google Inc. capture data generated by a cookie based on your use of the Website and process such data by downloading and installing an opt-out browser add-in available at: https://tools.google.com/dlpage/gaoptout?hl=en.
10.7. We use Google Adsense, an online advertising service provided by Google Inc. This information is used to evaluate your use of the Website in relation to the advertisements displayed on the Website and to provide reports based on the information. The data collected by Google Adsense is generally transmitted to and stored by Google Inc. server in the USA. If you do not wish to receive tailored advertising and/or wish to refuse Google’s cookies, you can deactivate the Google Inc. advertising settings at: https://www.google.com/settings/ads by changing your settings as required. In this case, an opt-out cookie may be set for you. However, if you delete all cookies, the opt-out cookie may also be deleted.
10.8. We use Google Remarketing, a remarketing technology provided by Google Inc. This technology allows users to receive repeated advertisements from the partner network websites of Google Inc. If you do not wish to receive tailored advertising and/or wish to opt-out of Google Inc. cookies, you can disable the Google Inc. advertising settings at: https://www.google.com/settings/ads by changing your settings as required. In this case, an opt-out cookie may be set for you. However, if you delete all cookies, the opt-out cookie may also be deleted.
10.9. The cookies used in our Websites are as follows:
10.9.1. _ga. This is an analytical cookie that tracks the user’s actions on the Website: counts the
number of visitors, sessions, etc. It is created when the Website is visited, is valid for 2
years and uses a unique ID;
10.9.2. _gat. This is a cookie designed to filter real requests from computer-generated ones. It is
created when you visit the Website, is valid for 10 minutes and uses data (value 0 or 1);
10.9.3. _gid. This is a cookie designed to distinguish between users. It is generated when the
Website is visited, valid for 24 hours, uses a unique ID.
10.9.4. AcceptCookie. This is a cookie designed to distinguish between users who have accepted or
rejected cookies. It is created when you visit the Website, is valid for 1 year and uses
True/False values.
10.9.5. XSRF_TOKEN. This is a cookie used to maintain security. It is created when the Website is
visited, valid for 2 hours, uses a unique ID.
10.9.6. _fbp. This is a cookie used for Facebook advertising purposes. Created when you visit the
Website, valid for 3 months, uses a unique ID.
10.9.7. Fr. This is a cookie used for Facebook advertising purposes. It is created when you visit the
Website, valid for 3 months, uses a unique ID.
10.9.8. tr. This is a cookie used for Facebook advertising purposes. Created when you visit the
Website, valid until the end of the session, uses a unique ID.
11. CONTACT US
11.1. If you have any questions about the information contained in this Privacy Policy, please contact us by:
E-mail: support@gafaro.com
Address: 32-34 Avenue Kléber, 75016 Paris, France
Tel: +33 6 77 33 74 55
11.2. If you wish to make a complaint about our processing of Personal Data, please submit it to us in writing, providing as much information as possible. We will co-operate with you and endeavour to
resolve any issues promptly.
11.3. If you believe that your rights under the GDPR have been infringed, you may lodge a complaint with a supervisory authority. For more information and contact details, please visit:
https://edpb.europa.eu/about-edpb/about-edpb/members_en. We aim to resolve all disputes
promptly and amicably, so you are welcome to contact us first.
12. FINAL PROVISIONS
12.1. We may change this Privacy Policy. We will notify you of any changes by posting the updated Privacy Policy on the Website or by other customary means of communication. Any additions or changes to this Privacy Policy will be effective as of the date of update specified in the Privacy Policy, unless a different effective date is specified.
12.2. If you continue to use the Website, order goods from us, use our Social Media Accounts, contact us after the terms and conditions of the Privacy Policy have been amended, you will be deemed to have accepted the terms and conditions of the Privacy Policy as amended.
