Privacy Policy
Information on personal data processing (GDPR) - why, how long and on what basis we process your data and what rights you have.
Last updated: 2026-01-01
1. Data controller
The controller of your personal data is Best Immune International sp. z o.o., ul. Krakowska 14, 33-100 Tarnów, Polska, Tax ID (NIP) 8733294533. GDPR contact: shop@bestimmuneint.com.
2. What data we process and why
| Purpose | Data | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Order fulfilment (sales contract) | Name, email, phone, shipping address | Art. 6(1)(b) - performance of contract | Until contract completion + accounting law periods (5 years) |
| Issuing and storing accounting documents | Invoice data, amounts, payment history | Art. 6(1)(c) - legal obligation (Polish Accounting Act) | 5 years from end of fiscal year |
| Handling complaints and withdrawals | Contact data, order number, correspondence | Art. 6(1)(b) and (c) | Until warranty expiry + claims limitation period |
| Newsletter (if subscribed) | Email, signup IP (≤ 12 months), consent text, locale | Art. 6(1)(a) - consent | Until consent withdrawn. After unsubscribe we keep only the email in "unsubscribed" status as a suppression list, so that the address is not mailed again (Art. 6(1)(f) - legitimate interest). |
| Product reviews | Name, email (for purchase verification), review content, IP | Art. 6(1)(a) (consent) + (f) (legitimate interest - moderation, security) | IP: 12 months, review content: until order data deletion |
| Security and fraud prevention (anti-spam, rate-limiting) | IP address, user-agent, request timestamps | Art. 6(1)(f) - legitimate interest | 90 days |
| Website analytics (only after consent in banner) | Anonymised cookie IDs, technical browser data | Art. 6(1)(a) - consent (ePrivacy) | Until consent withdrawn / 12 months |
| Cookie-consent log (proof of consent) | Consent ID (localStorage), hashed IP, user-agent, choice (analytics/marketing), version, timestamp | Art. 6(1)(c) read with Art. 7(1) GDPR (accountability for consent) | Hashed IP: 12 months. The decision record is retained as proof of consent/withdrawal. |
3. Data recipients
Your data may be shared with processors under data processing agreements (Art. 28 GDPR):
- payment operator - PayU S.A. (Poznań)
- delivery operators - InPost, DPD, Poczta Polska
- transactional email (SMTP) provider
- server hosting provider
- accounting / legal service
4. Transfers outside the EEA
We process data in the EU/EEA. If for technical reasons data must be transferred outside the EEA (e.g. CDN provider), we ensure an adequate level of protection through Standard Contractual Clauses (SCCs) per EC Decision 2021/914.
5. Your rights
Under the GDPR you have the following rights:
- right of access (Art. 15)
- right to rectification (Art. 16)
- right to erasure ("right to be forgotten") (Art. 17) - subject to accounting obligations
- right to restriction of processing (Art. 18)
- right to data portability (Art. 20)
- right to object to processing based on legitimate interest (Art. 21)
- right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal)
- right to lodge a complaint with the supervisory authority (in Poland: UODO, uodo.gov.pl) if you believe the processing infringes the GDPR
To exercise these rights, contact shop@bestimmuneint.com. We respond within 1 month.
6. Cookies
We use three categories of cookies: necessary (always on - session, cart, language), analytics, and marketing. Analytics and marketing cookies are activated only after consent in the banner. You can change your settings at any time via the "Cookie settings" link in the footer.
7. Profiling and automated decisions
We do not make fully automated decisions, including profiling, that produce legal effects (Art. 22 GDPR).
8. Security
We apply technical and organisational measures appropriate to the risk: HTTPS/TLS, hashed passwords (bcrypt 12+ rounds), 2FA for admins, regular backups, role-based access control.
9. Contact
For privacy and GDPR matters contact us at shop@bestimmuneint.com or by post at ul. Krakowska 14, 33-100 Tarnów, Polska. Full documentation: see Terms of Service.