Administrator: Sonrisa Clinic Sp. z o.o., registered in Łódź, ul. Złotno 24a, 94-221 Łódź, KRS: 000001201869, NIP: 7272894044
Service: The website and online store available at www.prenatalni.pl.
User: Any natural person, legal entity, or organizational unit using the Service.
Customer: A natural person, legal entity, or organizational unit without legal personality that has concluded or intends to conclude a Sales Agreement with the Administrator.
Consumer: A natural person making a purchase for purposes not directly related to their business or professional activity.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Personal Data: Any information about an identified or identifiable natural person.
Processing: Operations performed on personal data, such as collecting, recording, storing, compiling, modifying, disclosing, and erasing.
Cookies: Small text files saved on the User’s device by the web browser when visiting the Service.
Order: A declaration of intent by the Customer constituting an offer to conclude a Sales Agreement.
Sales Agreement: A product sales agreement concluded between the Customer and the Administrator via the Service.
SONRISA CLINIC SP. Z O.O.
ul. Złotno 24A, 94-221 Łódź
KRS: 000001201869, NIP: 7272894044
Email: kontakt@prenatalni.pl
3.1. Data processed in connection with the conclusion and performance of a Sales Agreement:
- Full name / company name
- Home address
- Email address
- Phone number
- Invoice address (if different from delivery address)
- VAT number (in the case of a business invoice).
We process this data for the purpose of:
- Concluding and performing the sales agreement (legal basis: Art. 6(1)(b) GDPR)
- Issuing an invoice or receipt and fulfilling tax obligations (legal basis: Art. 6(1)(c) GDPR – tax law provisions)
- Handling complaints and returns (legal basis: Art. 6(1)(b) and Art. 6(1)(c) GDPR)
- Archiving financial documents for the period required by law (legal basis: Art. 6(1)(c) GDPR)
- Establishing, defending, or pursuing claims – for the duration of the limitation period (legal basis: Art. 6(1)(f) GDPR)
3.2. Data processed for marketing purposes
With the User’s separate consent (Art. 6(1)(a) GDPR), we may process:
- Email address – for the purpose of sending newsletters and commercial information
Consent to marketing is voluntary and may be withdrawn at any time without negative consequences for the performance of the sales agreement. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.
3.3. Data processed for analytical and security purposes
Based on the legitimate interest of the Administrator (Art. 6(1)(f) GDPR), we process:
- IP addresses and technical device data – to ensure the security of the Service
- Service access logs – for technical diagnostics
- Data on behavior within the Service (pages viewed, clicks, time spent) – to improve Service functionality and analyze effectiveness
| Purpose of Processing | Retention Period |
| --- | --- |
| Order fulfillment | Until the limitation period expires (generally 3 years; for consumer claims – 6 years from the due date) |
| Financial documents (invoices) | Until the limitation period expires (generally 3 years; for consumer claims – 6 years from the due date) |
| Newsletter / Marketing | Until consent is withdrawn or an objection is raised |
| Analytical data (anonymized) | Indefinitely after anonymization; prior to anonymization – a maximum of 26 months |
| Security data (logs) | Up to 12 months from collection |
| Complaint proceedings | Until the conclusion of proceedings + limitation period for claims |
Under the GDPR, you have the following rights with regard to your personal data:
Right of access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether your personal data is being processed, and if so, to access it and receive information about the purposes of processing, categories of data, recipients, and planned retention periods.
Right to rectification (Art. 16 GDPR)
You have the right to request the immediate rectification of inaccurate personal data or the completion of incomplete personal data.
Right to erasure (Art. 17 GDPR)
You have the right to request the erasure of your personal data if: the data is no longer necessary for the purposes for which it was collected; consent has been withdrawn and there is no other legal basis for processing; an objection to processing has been raised; the data was processed unlawfully. This right does not apply where processing is necessary to comply with a legal obligation or for the establishment, exercise, or defense of legal claims.
Right to restriction of processing (Art. 18 GDPR)
You have the right to request the restriction of processing in the circumstances specified in Art. 18 GDPR (e.g., when you contest the accuracy of the data or have raised an objection).
Right to data portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and the right to transmit that data to another controller – where processing is based on consent or a contract and is carried out by automated means.
Right to object (Art. 21 GDPR)
You have the right to object at any time to processing of data based on the legitimate interest of the Administrator (Art. 6(1)(f) GDPR), including profiling. The Administrator shall cease processing unless it demonstrates compelling legitimate grounds for the processing which override your interests, or processing is necessary for the establishment, exercise, or defense of legal claims.
Right to withdraw consent
You may withdraw your consent to the processing of data for marketing purposes at any time (e.g., by unsubscribing from the newsletter or contacting the Administrator). Withdrawal of consent does not affect the lawfulness of processing prior to its withdrawal.
Right to lodge a complaint with a supervisory authority
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Moniuszki 1A, 00-014 Warsaw.
How to exercise your rights?
To exercise your rights, please contact us by email at: kontakt@prenatalni.pl or in writing to the Administrator’s registered address. We will respond to your request without undue delay, and in any event within 30 days of receipt. If necessary, this period may be extended by a further 60 days, of which you will be informed.
In the course of conducting business, your personal data may be shared with the following categories of recipients:
6.1. Processors acting on behalf of the Administrator
- Hosting and server service providers – for data storage and Service operation
- E-commerce and CMS platform providers – operating the online store software
- Electronic payment operators (e.g., Przelewy24, PayU, Stripe, PayPal) – solely to the extent necessary to process transactions
- Courier and logistics companies (e.g., InPost, DPD, DHL, Polish Post) – to the extent necessary to fulfill deliveries
- Accounting and invoicing service providers – to the extent necessary to issue sales documents
- Analytical and marketing tool providers (e.g., Google Analytics, Meta Pixel) – based on separate consent or legitimate interest
- Email marketing service providers (e.g., Mailchimp, GetResponse, FreshMail) – based on consent
- CRM system providers – supporting customer service
6.2. Public authorities and authorized entities
Data may be shared with state authorities (e.g., courts, law enforcement agencies, tax authorities) solely on the basis of applicable law and only to the extent required by them.
6.3. Transfers outside the European Economic Area (EEA)
Some tool providers (e.g., Google, Meta/Facebook) may process data outside the EEA. In such cases, the transfer takes place on the basis of standard contractual clauses approved by the European Commission (Art. 46(2)(c) GDPR) or other mechanisms ensuring an adequate level of data protection. Details are available in the privacy policies of the respective providers.
The Administrator applies appropriate technical and organizational measures to protect processed personal data, in particular:
- SSL/TLS connection encryption (HTTPS protocol) for all pages of the Service
- Password encryption using strong cryptographic algorithms (e.g., bcrypt)
- Regular data backups
- Restriction of access to data exclusively to authorized employees and associates
- Application of the principle of least privilege
- Regular software updates and security patching
- Security monitoring of the Service and infrastructure
- Employee training in personal data protection
- Conclusion of data processing agreements with external entities
Despite the security measures in place, the Administrator cannot guarantee 100% security of data transmission over the Internet. In the event of a personal data breach that may pose a high risk to the rights or freedoms of natural persons, the Administrator will notify the affected Users without undue delay.
8.1. What are cookies?
Cookies are small text files sent by the Service to the User’s web browser and stored on their device (computer, phone, tablet). Cookies allow, among other things, for the retention of User settings, maintenance of login sessions, operation of the shopping cart, and analysis of user behavior.
8.2. Types of cookies used
A) By storage duration:
| Type | Description |
| --- | --- |
| Session cookies | Temporary files that are deleted when the browser session ends (when the browser window is closed). Essential for the proper functioning of the Service during a single visit. |
| Persistent cookies | Files stored on the User’s device for a specified period (from a few days to several years), even after the browser is closed. Used to remember preferences and facilitate subsequent visits. |

| Category | Examples and Purpose |
| --- | --- |
| Essential (always active) | Login session, shopping cart, CSRF security tokens, language/currency selection. Essential for store operation – do not require consent. |
| Functional | Remembering User preferences (e.g., font size, recently viewed products). Require consent. |
| Analytical | Google Analytics, Hotjar – traffic measurement, behavior analysis. Require consent. |
| Marketing | Meta Pixel (Facebook/Instagram), Google Ads, TikTok Pixel – remarketing and ad targeting. Require consent. |
| Partner (third-party) | Third-party tools (e.g., chat, payment widget, social media buttons). The relevant third-party provider is responsible for these cookies. |
8.3. Detailed list of cookies used
| Cookie Name | Purpose / Provider / Duration |
| --- | --- |
| _ga, _ga_XXXX | Google Analytics – user identification; duration: 2 years |
| _gid | Google Analytics – user differentiation; duration: 24 hours |
| _gat | Google Analytics – request rate limiting; duration: 1 minute |
| _fbp | Meta (Facebook/Instagram) Pixel – remarketing; duration: 3 months |
| fr | Facebook – advertising; duration: 3 months |
| PHPSESSID / session_id | Store session, shopping cart; duration: session or up to 30 days |
| csrf_token | Form security; duration: session |
| cart_id | Shopping cart identification; duration: up to 7 days |
| user_preferences | Saved User settings; duration: up to 12 months |
| cookie_consent | Remembering cookie consent choice; duration: 12 months |
| _gcl_au | Google Ads – conversions; duration: 3 months |
| _ttp | TikTok Pixel – conversion tracking; duration: 13 months |
The above list is subject to change as the Service develops. The current list is always available in the cookie management panel within the Service.
8.4. Managing cookies – Consent Management Platform (CMP)
Upon the first visit to the Service, a cookie banner is displayed allowing the management of consent for individual cookie categories. Preferences can be changed at any time by clicking the “Manage cookies” icon/link available in the footer of the Service.
Browser settings:
Users may manage cookies at any time through their web browser settings:
- Google Chrome: Menu → Settings → Privacy and security → Cookies and other site data
- Mozilla Firefox: Menu → Settings → Privacy & Security → Cookies and Site Data
- Microsoft Edge: Menu → Settings → Cookies and site permissions
- Safari: Preferences → Privacy → Manage Website Data
- Opera: Menu → Settings → Advanced → Privacy and security
Note: Disabling all cookies, including essential ones, may prevent the use of certain features of the Service, including placing orders, logging into an account, and using the shopping cart.
9.1. Google Analytics
The Service uses Google Analytics – a web analytics service provided by Google LLC (or Google Ireland Limited in the case of the EEA). Google Analytics uses cookies to analyze how the Service is used. Information generated by cookies (including IP address) is transmitted to Google’s servers. The Administrator uses the IP anonymization feature (IP masking). Details: https://policies.google.com/privacy
9.2. Meta Pixel (Facebook / Instagram)
The Service uses the tracking pixel of Meta Platforms Ireland Limited. Meta Pixel enables the measurement of the effectiveness of ads displayed on Facebook and Instagram and the creation of advertising audiences. Processing is carried out based on the User’s consent. Details: https://www.facebook.com/policy.php
9.3. Google Ads and Remarketing
The Service may use Google Ads Remarketing, which allows the Service’s ads to be displayed to Users who have previously visited the Service. Processing is based on consent.
9.4. Payment Operators
The Service integrates with external payment operators. Transaction data is transmitted to the selected operator (Przelewy24, PayU, Stripe, or another) and is subject to their privacy policy. The Administrator does not store full payment card details.
9.5. Embedded External Content
The Service may contain social media plugins (e.g., Facebook “Like” buttons, share buttons), chat widgets, and other external elements. Interaction with these elements may result in data being transmitted to third parties, even without actively clicking a button. The Administrator recommends reviewing the privacy policies of these parties.
The Administrator may profile Users based on their behavior within the Service (e.g., product categories viewed, purchase history) for the purpose of personalizing displayed content and product recommendations. Profiling is carried out on the basis of the Administrator’s legitimate interest or the User’s consent.
The profiling conducted by the Administrator does not lead to automated decision-making that produces legal effects concerning the User or similarly significantly affects them within the meaning of Art. 22 GDPR. The User has the right to object to profiling.
The Administrator reserves the right to amend this Policy in the event of:
- Changes to applicable law, in particular regarding personal data protection
- Changes to the methods, purposes, or legal bases for processing personal data
- Implementation of new services, functionalities, or tools within the Service
The Administrator will inform Users of material changes to the Policy by:
- Displaying an appropriate notice on the Service for at least 14 days before the changes take effect
- Sending information to the email address provided by the User (for account holders and newsletter subscribers)
Continued use of the Service after the changes take effect constitutes acceptance of the new Policy. Previous versions of the Policy are available in the archive on the Service’s website.
- This Policy is effective from 1 April 2026.
- This Policy constitutes an integral part of the Terms and Conditions of the prenatalni.pl service.
- Matters not regulated by this Policy shall be governed by generally applicable law.
- Any disputes arising from this Policy that cannot be resolved amicably shall be settled by the court having jurisdiction over the Administrator’s registered seat.