Privacy policy



About us

The Controller of your personal data is Arkana Cosmetics spółka z ograniczoną odpowiedzialnością spółka komandytowa, with its registered office in Wrocław (51-649) at ul. Bacciarellego 54, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for Wrocław-Fabryczna in Wrocław, 6th Commercial Division of the National Court Register, under KRS number: 370832, NIP [Tax ID No.]: 8971768179, hereinafter referred to as: “the Company” or “the Controller”. The Company did not appoint a Data Protection Officer. Personal data are collected and processed in a manner and on the rules specified in the Policy in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “the GDPR”. The Privacy Policy specifies the manner of processing your personal data with regard to the main activity of the Company (electronic commerce, the so-called e-commerce) as well as within the additional activities (marketing, organization of the Company’s work etc.). We also specified the manner of using cookies.


General provisions

We pay particular attention to the privacy protection of our customers, contractors and employees. One of the key aspects is the protection of rights and freedoms of natural persons in connection with the processing of personal data. We strive to ensure that your data are processed in accordance with the GDPR, the Personal Data Protection Act, as well as with detailed regulations (included, among others, in the Labour Law or the Accounting Act). The Company is the Controller of personal data within the meaning of Article 4(7) of the GDPR. We also use the services of processing entities, referred to in Article 4(8) of the GDPR who process personal data on behalf of the Controller (e.g. accounting and IT companies, security firms, law firms, hosting providers and ICT services, carriers, entities handling electronic payments). We, as the Company, implement appropriate technical and organizational measures to ensure a level of security appropriate to the potential risk of violation of the rights or freedoms of natural persons with varying likelihood of occurrence and severity of the threat. We also apply policies and procedures, as well as we organize regular trainings that increase the knowledge and competences of our lawyers in this area.


Why do we use your personal data?

We, as the Employer, process the personal data of our employees and persons who cooperate with us on a basis other than employment relationship (Article 6(1)(B)(C) of the GDPR). Contact details obtained from customers who do the shopping via the e-store are used to conclude and efficiently perform agreements or to take actions at the request of the Customer before concluding the agreement (Article 6(1)(B) of the GDPR). We also conduct marketing activities and within its framework we strive to reach the widest possible range of interested persons to provide them with up-to-date information on our products and services (Article 6(1)(A) of the GDPR). In addition, we process data to accept and process complaints and conduct correspondence with our Customers (Article 6(1)(C) of the GDPR). We process data to assess and analyse activities and information about the Customer, including as part of the automated processing of personal data (profiling) to present general advertisements, offers or promotions (rebates) on the Company’s products or services, in a manner adapted to the interests of a given Customer (without significantly affecting his or her decisions), in particular to perform the Newsletter Agreement, market and statistical analyses. We provide third parties with your data upon your consent or when we are obliged to do so under the provisions of law.

On which rules and basis do we process your personal data?

We strive to protect the interests of the data subjects with due diligence and, in particular, we ensure that the data are:

  • processed in accordance with law, in a fair and transparent manner for the data subject;
  • collected for specific, explicit and legitimate purposes and not processed further in a manner inconsistent with these purposes;
  • adequate, relevant and limited to what is necessary for the purposes for which they are processed;
  • correct and updated as necessary; we take actions for personal data that are improper in the light of purposes of processing to be immediately deleted or corrected;
  • stored in a form allowing for identification of the data subject for a period of not more than it is necessary for the purposes;
  • processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss or destruction.


Your data are processed on the basis of the consents which can be withdrawn at any time. Another case is the situation in which the processing of your data is necessary for the performance of the agreement to which you are a party or to take action at your request, before the conclusion of the agreement. In some situations, processing is necessary to fulfill the legal obligation imposed on us as the Controller. Such obligations arise, for example, from the provisions of the Labour Law or the Accounting Act. Processing may also be necessary for the purposes arising from our legitimate interests, an example of which is the pursuit of claims from our business activities. Usually, we will process personal data such as: name and surname, address, e-mail address, telephone number, bank account number, business address, tax identification number.

Remember that providing your personal data when placing an order in the E-store or when registering for participation in the contest organized by us is voluntary, but it is the condition for the placement of an order or the correct participation in the contest.


What rights are you entitled to?

We strive to provide you with all relevant information in a concise, clear, understandable and easily accessible form, and to communicate with you with regard to the processing of your personal data in connection with the fulfilment of your right to:

  • information provided when acquiring personal data,
  • information provided upon request on whether the data are processed and other matters specified in Article 15 of the GDPR, including the right to copy data,
  • correct data;
  • be forgotten;
  • restriction of processing;
  • transfer data;
  • file an objection;
  • not being subject to decisions based solely on automated processing (including profiling),
  • information on personal data breach,
  • withdrawal of the previously granted consent to the processing of personal data (however, the withdrawal does not affect the lawfulness of data processing on the basis of consent before its withdrawal),
  • make a complaint against the illegal processing of personal data (the President of the Office for the Protection of Personal Data, address: ul. Stawki 2, 00-193 Warszawa).


Before making a complaint remember that you have the right to file an objection against the processing of your personal data in order to perform legally justified interests of the Company or a third party, including, in particular, processing for marketing and profiling purposes (if there are no other important legitimate grounds for processing superior to the interests of the Customer).

In order to contact us regarding the execution of a given right, send a message to the following address:


In what manner will we contact you?

We provide information in writing or in other manners, including electronic means, where appropriate. If you request this, we can provide verbal information if we can confirm your identity by other means. If you submit your request electronically, if possible, the information will also be transmitted electronically, unless you specify another preferred form of communication.


When do we fulfil your request?

We try to provide information without unnecessary delay, in principle, within one month from the date of receiving a request. If necessary, we will extend this deadline by another two months due to the complexity of the request or the number of requests. However, in each case, we will inform you of actions taken and (if applicable) of the extended deadline stating the reason for the delay within one month from the date of receiving the request.


Subcontractors/processing entities

If we cooperate with entities that process personal data on our behalf, we exclusively use the services of such processing entities that provide sufficient guarantees to implement the appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of the data subjects.  We verify in detail the entities to which we entrust the processing of your data. We conclude detailed agreements with them, and we periodically audit the compliance of the processing operations with the content of such agreements and provisions of law.


How do we take care of your data?

In order to comply with legal requirements, we have developed detailed procedures covering the following issues:

  • data protection in the design phase and default data protection,
  • impact assessment for data protection,
  • notification of breaches,
  • preparing a register of data processing activities,
  • data retention,
  • execution of rights of data subjects.


We regularly check and update our records in order to be able to demonstrate compliance with legal requirements in accordance with the principle of accountability formulated in the GDPR, but we also strive to incorporate the best market practices  in the interests of the data subjects.


Data retention

Personal data are stored in a form allowing for identification of the data subject for a period of not more than it is necessary for the purposes for which the data are processed. After such a period, the data are anonymized (depersonalized) or deleted. Deleting personal data is complete and permanent. We ensure:

  • limiting the period of storage of personal data to the strict minimum,
  • setting a date for the deletion of personal data and criteria for determining this date or a periodic review.


We determine the period of data processing in the first place on the basis of the provisions of law (e.g. time of storing of employee documentation, accounting documents), as well as the legitimate interest of the Controller (e.g. marketing activity). Retention policy includes data processed both in paper and in electronic form.



We ensure that every person acting with our authorization and having access to your personal data will process it only at our request, unless other requirements arise from EU law or the law of a Member State



We may also collect your personal data via Facebook. We would like you to know that we also protect your data collected using communication channels such as:

- website and any other websites marked or co-branded with the Facebook brand (including subdomains, international versions, widgets and versions for mobile phones), whose operating principles are based on regulations made available in particular at, provided by Facebook Inc. or Facebook Ireland Limited, including via the Facebook Lead Ads function aimed at direct marketing of the Controller’s own products or services.  The rules for the protection and use of the Personal Data by the Facebook Service are available, for example, at:  The Controller has no influence on the content of the legal regulations of the Facebook Website, including personal data.

- applications enabling the Controller to run advertising campaigns on the Facebook Website, including contests.






Cookie files are small text files saved on your computer, where settings and other important information used on websites you visit are stored. Cookies can contain website settings or be used to follow interactions of users with a website. We use “cookies” in order to, among others, adapt the contents of our site to your preferences and optimize the use of websites, maintain your session (after logging in), so that the user does not have to re-enter the login and password on every subpage, as well as support and enforce actions to maintain security.

Due to the fact that cookie technology (or a functionality similar to cookies) used by the Controller collects information about every person visiting the E-Store, the following provisions of the Policy apply to those who use the E-Store, regardless of whether they remain its Customers (they place Orders, book Products or have an Account, hereinafter referred to as “the Visitor”). The E-Store uses technology that stores and gains access to information on a computer or another device connected to the network (in particular with the use of cookies or related solutions), in order to ensure maximum comfort when using the E-Store, including for statistical purposes and for adapting the Controller’s presented advertising contents to the Visitor’s interests. During the visit in the E-Store, data on the Visitor’s Internet activity may be automatically collected. Due to the fact that the Controller may use solutions with a functionality similar to cookies – the following provisions of the Policy should also apply to these technologies accordingly. A cookie file is small text information sent by the server and stored on the Visitor’s device (usually on the hard disk of a computer or on a mobile device). It stores information that the E-Store may need to adapt to the ways the Visitor uses it and to collect statistics data about the E-Store and data regarding the domain name of the Internet service provider or the Visitor’s country of origin. When the Visitor uses the E-Store, cookies are used to identify his or her browser or device – cookies collect various types of information which, as a rule, do not constitute personal data (they do not allow for the identification of the Visitor). Some information, depending on its contents and use, may, however, be associated with a specific person – assigning certain behaviours to a specific Visitor, e.g. by linking them to the data provided during the registration of the Account in the E-Store – and thereby be considered as personal data. In relation to information collected by cookies that may be associated with a specific person, the provisions of the Policy relating to the Personal Data apply, in particular those regarding the rights of the data subject. Information on data collected by cookies is also made available, among others, in the content of the information clause placed in a visible and easily accessible place during the first visit in the E-Store. Obtaining and storing information with the use of cookies is possible based on the Visitor’s consent. Normally, web browsers or other software installed on a computer or another device connected to the network allow cookies to be placed on such devices by default, and thus to collect information about the Visitors. In the web browser settings or as part of the privacy policy management on our site, the consent expressed to use cookie technology may be modified or revoked at any time (but some parts of the Store may not work properly as a result). Revoking the consent does not affect the lawfulness of the processing, which was made on the basis of the consent before it is revoked (detailed information on how to revoke the consent is presented in the next sections of this Policy).  The basis for processing data obtained in such a way is the legitimate interest of the Controller, which is the need to provide the top quality content presented by the Controller by adapting it to the preferences of the Visitors and the marketing – including direct marketing – of the Controller’s products and services.

The cookies are primarily used to make it easier for the Visitor to use the E-Store, for example, by “remembering” information provided once so that it would not have to be provided every time, as well as they adjust its content, including presented advertisements, to his or her preferences. Cookies are also used to increase the usability and personalization of the content of the E-Store, including presentation, creation, granting and implementation of advertisements, offers or promotions (rebates) dedicated to a given Visitor in accordance with his or her interests (it applies only if he is an adult and has given consent to such action). With the help of the cookie technology used in the E-Store, it is possible for the Controller to familiarize themselves with the Visitor’s preferences – for example, by analysing how often he visits the Store. The analysis of online behaviours helps to understand the habits and expectations of the Visitors better and to adapt to their needs and interests. Thanks to this technology, it is possible to present advertisements tailored to the Visitors’ needs and interests (for example, an advertisement resulting from browsing only cosmetics in the “Make-up removal” category) and to prepare better promotions and surprises for those adult Visitors who have given their consent. Based on cookie files, the Controller also uses technology that allows for reaching the Visitors who have visited the E-Store or Application before with advertising messages when using other websites by them. The Visitor may object to the Controller’s actions undertaken for the purpose described above. In the event of the Visitor’s consent, including to the presentation, creation, granting and implementation of dedicated advertisements, offers or promotions (rebates) adapted to his or her preferences, it may be revoked at any time – but this will not affect the lawfulness of processing, which was made on the basis of the consent before it is revoked. Cookies used in the E-Store are harmful neither to the Visitor nor to the computer/ terminal device used by him; therefore we recommend not switching them off in the browsers. The E-Store uses two types of cookies: session cookies that remain stored on the Visitor’s computer or mobile device until he logs out of the website or switches off the software (web browser), and permanent cookies, which remain on the Visitor’s device for the time specified in the parameters of cookies or until they are manually removed from the web browser. Depending mainly on the purposes and legal basis for the processing of Personal Data collected by cookies, they may be stored for the time indicated in para.13 of the Policy. The Personal Data collected by cookies regarding the Visitor who is not a Customer will be kept until he files an objection. The Controller may remove the Personal Data if they are not used for marketing purposes for 3 years, unless the provisions of law oblige the Controller to process the Personal Data for a longer period. Some Personal Data may be stored longer in case the Visitor has any claims against the Controller or in case the Controller seeks redress or defence against claims (including third parties) during the prescription period defined by the provisions of law, in particular the provisions of the Civil Code. In any case, a longer period of storage of Personal Data is decisive. The Visitor may change the way cookies are used by managing the expressed consents as part of the privacy settings on our site, including blocking or removing those that come from the E-Store (and other websites). In order to do this, you should change your browser settings. The method of removal varies depending on the web browser used. Information on how to delete cookies should be located in the "Help" section of the selected web browser. Removal of cookies is not tantamount to removal of the Personal Data by the Controller obtained through cookies. For example, in Internet Explorer, cookies can be modified from:  Tools -> Internet Options -> Privacy; in the Mozilla Firefox browser: Tools -> Options -> Privacy; while in Google Chrome:  Settings -> Show advanced settings -> Privacy -> Content settings -> Cookies. Access paths may vary depending on the browser version used. Detailed information on managing cookies on a mobile phone or another mobile device can be found in the user’s manual/ user guide for a given telephone or mobile device. It is also possible to block cookies of third parties with the simultaneous acceptance of cookies used directly by the Controller (option “block third party websites’ cookies”). Restricting the use of cookies on a given device makes it impossible or significantly hinders the proper use of the E-Store, for example it may be connected with the inability to maintain the login session.

At any time, you can contact the Controller by sending a message by postal service or e-mail to The Controller stores correspondence for statistical purposes and for the best and quickest response to appearing inquiries, as well as in the scope of complaint settlements and decisions made on the basis of notifications about administrative interventions in the indicated Account. The addresses and data collected in this way will not be used for communication for purposes other than handling your inquiry. In the case of contact with the Controller in order to perform specific actions (e.g. submitting a complaint on a form), the Controller may ask the person to provide data again, including personal data, e.g. such as name, surname, e-mail address, etc. to confirm his or her identity and allow for responding in a given matter and to perform the requested action. Providing these data is not mandatory, but it may be necessary to perform activities or obtain information that is of interest to a given person. Taking into account the condition of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of natural persons with varying likelihood of occurrence and threat type, the Controller implements appropriate technical and organizational measures to ensure the protection of the Personal Data processed adequate to threats and categories of data covered by the protection, in particular, he protects the data against being made available to unauthorized persons, being taken away by an unauthorized person, being processed with violation of applicable provisions and change, loss, damage or destruction. Providing information on technical and organizational measures that provide protection of processing outside may impair their effectiveness and thus it jeopardizes the proper protection of the personal data. The Controller provides, for example, the following technical measures to prevent the collection and modification of the Personal Data sent electronically by unauthorized persons:

- securing the data set against unauthorized access.

- SSL certificate in the E-Store pages where the Personal Data are provided.

- encryption of data used to authorize a person using the functionality of the E-Store.

- access to the Account only after providing an individual login and password.