byMAYA - Privacy policy

Privacy policy

The purpose of the byMAYA privacy policy (hereinafter: the policy) is to inform customers, potential customers or visitors of the byMAYA website about the purposes and legal basis of the processing of personal data. Aurora Borealis doo, a company based in Andraž nad Polzelo 100, 3313 Polzela, Slovenia, e-mail info@bymayashop.com (hereinafter: Aurora Borealis or the seller or the person responsible for the processing of personal data), takes care of your personal data in order to guarantee their protection at all times of commercial activity. At AuroraBorealis we care about your privacy, which is why we always carefully protect your information.

This privacy policy is subject to change or amendment at any time without notice or notice.By using the seller's website, after the modification or amendments have been implemented, the individual confirms that he agrees with the changes and additions made.

All our activities relating to the processing of personal data comply with European legislation (in particular the Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and the free circulation of such data) (General Regulation on data protection or GDPR), with the Conventions of the European Council (ETS No. 108, ETS No. 181, ETS No. 185,ETS No. 189), with the national legislation of the Republic of Slovenia (Law on data protection personal data (ZVOP-1, Official Gazette of the Republic ofSlovenia n. 94/07) and with the law on electronic commerce (ZEPT, Ur. I. RS, n.96/09 and 19/15), etc.).

The privacy policy concerns the processing of personal information Aurora Borealis receives from you when you visit and use the Aurora Borealis group websites or when this data is otherwise provided to the company (by purchasing over the phone or inAurora Borealis physical stores etc. ).

Data controller and responsible for the protection of personal dataThe owner of the processing of personal data is the company Aurora Borealis d.o.o., with registered office in Andraž nad Polzelo 100, 3313 Polzela, Slovenia.Aurora Borealis has appointed an authorized data protection officer, reachable at the e-mail address info@bymayashop.com.

If you have any questions about the application of this policy, or in relation to the exercise of your rights deriving from this policy, please contact the data protection officer, via the contact provided in the next point of the policy. Data of the authorized person
Email address
maja@bymayashop.com (only for GDPR related issues).

Basic concepts
By personal data, we mean any information on the basis of which a natural person can be identified (this includes, for example, name, surname, e-mail address, telephone number, etc ...). The data controller indicates a legal person who determines the purposes and means ofthe processing of personal data. Processor means a natural or legal person who processes personal data on behalf of the controller. By processing we mean the collection, storage, access and all other forms of use of personal data. EEA means the European Economic Area, which designates all member states of the EuropeanUnion, Iceland, Norway and Liechtenstein.

Personal data
The information or personal data identifies you as an identified or identifiable natural person. A person is considered identifiable who can be identified, directly or indirectly, in particular by specifying an identifier such as a name, an identification number, a position data, a web identifier or by reference to one or more specific elements characteristic of his identity. physical, physiological, psychic, economic, cultural or social.In accordance with the purposes set out in this Privacy Policy, the seller collects the following personal data:basic information about the user (name and surname, residential address, date of birth, location);contact details and information on your communication with the operator (e-mail address, telephone number, date, time and content of postal or e-mail communication, date, time and duration of telephone calls, recording of the call);channel and campaign - the way to acquire a member or source through which the user came into contact with the manager (website and advertising campaign or action, callcenter, physical store); information regarding a user purchases and invoices issued (date and place of purchase, the items purchased, the prices of the products purchased, the total purchase quantity, payment methods, shipping address, telephone number and date of issue, the person who issued the invoice, etc.) and data on how to resolve product complaints; information about the user's use of the site in the possession of the seller (dates and times of visits to the website, the pages visited or URL, dwell time per page, the number of pages visited, the total time on the site, the setting on the website) and information about the use of messages received (e-mail, SMS) fromthe seller ;personal data deriving from forms voluntarily filled in by the user, which the user voluntarily provides by entering data in a form, for example in the context of prize competitions or with the use of configurators to identify the optimal products to meet the needs of the user; other data that the user voluntarily provides to the seller upon request for certain services that require such information to the extent that this information is necessary for the provision of the service. The seller doe snot collect or process the user's personal data except when the user authorizes or agrees, i.e. through the use of the website, when ordering products or services, when subscribing to the newsletter, when participating in a prize game etc…

The seller processes the user's data even when there is a legal basis, a contractual basis or when it has a legitimate interest. The seller only collects personal data that is relevant and necessary to fulf ill the purposes for which this data is processed.The period in which the seller retains the collected data is described in more detail in the retention of personal data chapter of this policy. Purpose of the processing and legal basis for the processing of personal data.

The seller collects and processes the user's personal data on the following legal basis:
Treatment according to the lawContract based processing
Treatment based on the consent of the interested party
Processing on the basis of legitimate interest
Contract processing
The seller needs the user's information when necessary for the conclusion, implementation and fulfillment of contractual obligations.
The provision of personal data in this case is voluntary.In the event that the user does not provide personal data, it will not be possible for him to enter into a contract with the seller, nor can the seller provide for the provision of services or products under the contract, as he cannot have the information necessary for the execution of the same. Treatment based on consentThe seller processes the user's data when the user gives his explicit consent. When the processing is based on consent, we will make sure that you have all the information necessary to make your decision. You can withdraw your consent at any time. If you withdraw your consent, the seller will no longer be able to provide you with certain services.Treatment based on legitimate interestThe seller may also process user data on the basis of the legitimate interest pursued by the seller, unless such interests prevail over the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data. In case of legitimate interest, the seller must always carry out an assessment in accordance with the General Data Protection Regulation.In case of processing on the basis of a legitimate interest, the user has the right to object. The user can read more information on your rights at the end of this policy.

Treatment according to the law
The seller processes the user's personal data when such processing is required of us by the legislation that binds us (for example, tax legislation that requires the storage of issued invoices). This personal data is processed in accordance with legal requirements. Purpose of the user's personal data processing The seller collects and processes the user's personal data for the following purposes: Communication with the user regarding the provision of site services and responses to their requests. This includes, in particular, notifications and answering questions, resolving complaints, completing satisfaction surveys, etc. This processing is carried out on the basis of a legitimate interest in ensuring efficient communication and the proper functioning of the company towards users. Conclusion and fulfillment of the obligations deriving from the conclusion of the contract. Conclusion and execution of the conclusion of the contract with the seller, including the fulfillment of the user's orders by the seller (supply of products and services), communication with the user, verification of payments and fulfillment of other obligations of the seller and / or the user. The seller processes personal data on the basis of a contract and a pre-contractual relationship. In the event that the seller is not provided with all the information necessary for the conclusion of the contract, the seller reserves the right to postpone or cancel the order. Direct notification to customers of special offers, discounts and other content by email or SMS The company Aurora Borealis, in accordance with the law ZEKom-1 (Law on electronic communications of the Republic of Slovenia, which is implemented on the basis of Directive 2002/58 / CE of the European Parliament and of the European Council of 12 July 2002), informs customers about their products, services or contents. The user can revoke the consent given at any time by requesting the termination of this communication and the related processing of personal data (right to object). Direct notification of special offers and other content by email. The Aurora Borealis company will inform customers about its products, services, discounts and content by e-mail based on the consent provided. The customer may, at any time, request the termination of such communications and the processing of personal data by recalling the consent. The user can revoke the consent given at any time through the contacts listed on the site: https://www.carniumbotanicals.it/contact-us/ General statistical processing of data on customers and their orders, and potential buyers (contacts ) for the purposes of internal analysis of sales, buybacks, aggregation of customer behavior, optimization of advertising and business optimization. The Aurora Borealis company performs general statistical processing of data about customers and their orders and potential customers (contacts), based on which it conducts an internal analysis of sales, repeat purchases and aggregate customer behavior and monitors and optimizes its business performance and optimizes advertising, for example: Sales are monitored through the company's sales channels (internet, shops, call centers); monitoring includes the number of customers who have made purchases, the speed and value of purchases; general statistical data on sales, such as the average value of the cart, the number of products in the order and the like; replies to e-mails, SMS, phone calls and various advertisements (TV ads, radio ads, web advertisements) and, based on this, optimize advertising (decide what, where, to whom and how to advertise). Such statistical monitoring allows the seller to optimally optimize business and advertising, and on the basis of this offer users convenient products and services. The declared processing of personal data is carried out on the basis of the legitimate interest in the proper functioning of the seller and the provision of quality services to users. Expiry date: 5 years from the start of processing. Consultants access to past orders and other data to offer better service and offers. The sales and support consultants will have access to the registered user's personal data and the history of their purchases and based on this they will be able to offer you a better service and more personalized offers. The user can stop this type of data processing at any time by writing a request to the email address info@ bymayashop.com

‍Personalized basic communication (via email, SMS, phone calls, mail, notifications via browser, information on the site, social networks) with discounts, offers and contents. information on the site, social networks), AuroraBorealis tries to present offers, discounts and other content that may be of interest to users based on their past interactions with the site. For this it uses the following data: demographic data (sex, age); purchase history (items purchased, number of purchases); simple management of behavior on the byMAYA site (by viewing individual products or contents which canactivate the sending of personalized messages) without using this data to create user profiles).

In doing this, Aurora Borealis does not use any semi-automatic or automatic profiling, but only selects the appropriate recipient series for individual messages. In this, they never dedicate themselves to the data of an individual, but perform the aggregate processing of larger groups. Based on this information, it can therefore depend on which messages the customer will receive from the company. The customer can interrupt this type of communication at any time via the unsubscribe link in the messages received or by writing a request to the e-mail address info@bymayashop.com.Use of FacebookCustom Audiences Use of Facebook Custom Audiences advertising tools (»AdaptedFacebook recipients«)The AuroraBorealis company, for online advertising, also uses the Facebook CustomAudiences application ("Adapted Facebook recipients"), as part of the consent granted for the communication of personalized offers based on the user's profile. This service works as follows: The user's e-mail address is uploaded to Facebook and obtained during the purchase or voluntary subscription to the newsletter. Facebook makes a comparison between the user's email address and its user base and determines whether the user of the site is also aFacebook user. If it isn't, Facebook doesn't do any business. If, on the other hand, he is a Facebook user, the same Facebook will add him to the list of anew personalized audience, to which only and exclusively the Aurora Borealis d.o.o. company. can send personalized advertising. Thanks to this, more targeted and personalized ads can be shown to the user on Facebook, and above all additional discounts. The user can interrupt this process at any time by writing a request to the email address info@bymayashop.com.Using an online account and accessing information under the GDPR.

The AuroraBorealis company processes the user's personal data to ensure access and use o fhis user account with the provider, which allows him to access the user's personal data that process them and modify the consents provided. The user can also use this profile to access the history of orders he has placed on the site. Personal data is processed on the basis of the legitimate interest of the company. Communication with offers and customized content based on the user's profile.Based on the user's consent, the provider also carries out personalized communications, which are carried out through various communication channels (via email, phone calls, post, notifications via browser, information on the website, socialnetworks). Since the Aurora Borealis company wants to offer you the best possible offers and content tailored exactly to the user's needs, they design the profile with the user's consent, which is the basis for personalized communication. For this they can use the following information: demographic data (sex, date of birth or age, address); customer purchase history (products purchased, time of purchase, number of purchases); responses to various AuroraBorealis questionnaires; behavior on Aurora Borealis websites (viewing individual products or content, adding products to the cart, Internet transactions); user responses (opening a message, clicking on a link, purchasing) to the various messages sent by the seller. Based on the user profile, the content of the offers that the user receives from the seller may vary as follows: which products and contents are presented to them; what offers you will receive (customers with a higher number or frequency of purchases at Aurora Borealis get better offers); how often the messages will be sent and through which communication channels. The user can revoke the consent given at any time via the unsubscribe link in the messages received or by writing are quest to the e-mail address info@bymayashop.com.Enforcement of legal claims, protection of our rights and dispute resolution. Personal data is collected for a defined purpose in accordance with the law.Legalobligations.The data is collected for the purpose of fulfilling legal obligations, eg. archiving of invoices for tax law purposes. Data is only processed to the extent necessary to meet legal requirements.Retention ofpersonal dataThe seller will keep personal data only for the time necessary to achieve the purpose for which the personal data were collected. The seller retains such personal data by processing them in accordance with the law andfor the period prescribed by law.

The personal data, processed by the part of the seller for the performance of a contractual relationship, are kept for the necessary period of the execution of the contract and 5 years after its termination, except in cases where it comes between the user and the seller. a dispute relating to the contract; in this case the seller keeps the data for another 5 years after the final judicial or arbitration decision or judicial settlement, but if there is no dispute, it keeps them for 5 years from the date of the amicable settlement. Personal data, processed by the seller on the basis of the individual's personal consent, are stored permanently until the individual's consent is revoked. The seller deletes this data even before the revocation only when the purpose of the processing of personal data has been achieved. At the end of the retention period, the data controller deletes or anonymizes the personal data effectively and permanently so that they can no longer be linked to a specific individual. The operator defines the deadlines in more detail in the table below:
Purpose of the treatment: Expiration date
Communication with the user regarding the provision of site services and responses to their requests: 6 months from the end of the communication
Conclusion and fulfillment of the obligations deriving from the conclusion of the contract: 5 years from the execution of the contract
Direct notification to customers of special offers, discounts and other content via email/SMS: Until cancellation
Direct notification of special offers and other content by email: Untilcancellation
Access to orders and other data by consultants in order to provide a better service: Until cancellation
Processing of data on unacceptable orders, in order to prevent fraud: 5 years from thes tart of processing
Automatic communication via e-mail with the user based on the start of the online purchase process: Untilcancellation
Personalized basic communication (via email, SMS, phone calls, emails, browser notifications, website information, social networks) with discounts, offers and personalized content: Until cancellation
Use of theFacebook advertising tool "Facebook Custom Audience": Until cancellation
Use of the online account: Until cancellation
Access to specific information on the website: Until cancellation

Expiration date
Communication with the user regarding the provision of site services and responses to their requests: 6 months from the end of the communication
Conclusion and fulfillment of the obligations deriving from the conclusion of the contract: 5 years from the execution of the contract
Direct notification to customers of special offers, discounts and other content via emailor SMS: until cancellation
Direct notification of special offers and other content by email.: Until cancellation
Access to orders and other data by consultants in order to provide a better service: Until cancellation
Processing of data on unacceptable orders, in order to prevent fraud: 5 years from the start of processing
Automatic communication via e-mail with the user based on the start of the online purchase process: Until cancellation
Personalized basic communication (via email, SMS, phone calls, emails, browser notifications, website information, social networks) with discounts, offers and personalized content: Until cancellation
Use of the Facebook advertising tool "Facebook Custom Audience: Until cancellation
Use of the online account: Until cancellationAccess to specific information on the website: Until cancellation
Personalized newsletters. Until cancellation
Marketing communication through user profiling: Until cancellation
Data processing for the purpose of a contractual relationship: The seller may entrust certain tasks regarding the processing of user data to other people (on a contractual basis).

The contractors may process the data exclusively on behalf of the seller, within the limits of the seller's authorization (in a written contract or other legal act) and in accordance with the purposes defined in this privacy policy. The contractors with which the seller is involved are: accounting services, law firms and other legal consultancy providers, data processing and analysis providers,IT maintenance system suppliers, e-mail service providers (Sendinblue and others), payment system providers such as Adyen, PayPal, PayU, Klarna, Sofort, Multibanco, dot Pay and others,
customer relationship management systems (CRM),providers of online advertising solutions (eg Google, Facebook).The seller will never pass on your personal data to unauthorized third parties.The seller or its contractors will not expose this information to third countries except theUnited States, for which the user has been informed and for which he has given his consent. The seller and its contractors will transmit the personal data to the United States with the appropriate security measures for the transfer.Freedom of choiceThe information transmitted is controlled by the user. If you choose not to provide your data to the seller, the seller will not be able to provide you with certain products or services.Those who wish to unsubscribe from the byMAYA newsletter must send an e-mail to the address info@bymayashop.com.If the user's personal data (postal code, e-mail address, residential address, telephone number) undergo changes, the user is requested to communicate it to the address info@bymayashop.com

Automatic registration of information (non-personal data)
Every time you access a website, some general information, non-personal information (number of visits, average time spent on the website, pages visited) are automatically recorded (not as part of the registration). This information is used to measure the attractiveness of the Aurora Borealis site and to improve the content and usability. User information is not subject to further processing and is not forwarded to third parties.

Cookies
Cookies are non-visible documents temporarily stored on the user's hard drive and allow the seller to identify the user's computer during future visits. The seller uses cookies only to collect information on the use of the website and to optimize their online advertising activities.Advertising cookies anonymously monitor the use (by the user) of the seller's website, unless the user consents to the use of cookies. SafetyThe seller is strongly committed to ensuring the security of personal data. User data is protected from loss, destruction, falsification, manipulation and unauthorized access or unauthorized discovery at any time. For the protection of personal data, Aurora Borealis implements organizational and technical measures: employee training; employee supervision and periodic inspections of the operations performed by individual employees; careful selectionand control of the persons in charge of contractual processing; backup of electronically stored data; regular maintenance and updating of IT equipment; adoption of adequate internal rules and instructions regarding the protection of personal data. Conditions applicable to the consent of minors in relation to information society servicesMinors under the age of 18 must not provide any personal data on the website or otherwise without the permission (consent or approval) of the holder of parental responsibility (one of the parents or guardians). The seller will never knowingly collect personal data from people who are aware that they are minors(under 18 years of age), nor will they use them in any way or disclose them to unauthorized third parties without the authorization of the holder of parental responsibility.This is without prejudice to the general contract law of the Member States, such as the rules on the validity, formulation or effect of a contract relating to a child.Taking into account the available technology, in such cases, the seller will make every reasonable effort to verify whether the holder of parental responsibility for the care of the child has given or granted consent. Individual rights for data processingIf you have any questions about the privacy policy or the processing of personal data, you can contact the seller at any time at the email address info@bymayashop.com.Based on th erequest, the seller will provide the user with the requested information or (in accordance with the law) will take care of the realization of the user's rights.The user has the following rights regarding the processing: Right of withdrawal from the contract: if as an individual the user is allowed to process his personal data (for one or more specific purposes), he has the right to withdraw his consent at any time without prejudice to the legality of the data processing that with the consent was expressed until its cancellation;The consent can be canceled by a written declaration sent to the operator to one of the contacts listed on www.carniumbotanicals.it/contact-us/The withdrawal of consent to the processing of personal data has no negative consequences or penalties for the individual. However, it is possible that after the cancellation of the authorization to process personal data, the controller will no longer be able to offer one or more of its services, in the case of services that cannot be provided without personal data ( e.g. benefits club or personalized information). Right of access to personal data: Each individual has the right to obtain from the seller(personal data operator) confirmation of the processing of his personal data and, if this is the case, access to personal data and other information(purpose of the processing, types of personal data, users, retention periods or criteria for determining the periods, existence of the right to rectify ordelete data, existence of the right to restrictions or objections to processing, existence of the right to appeal to the supervisory authority ,source of the data if the data has not been collected with the user, existence of automated decision-making processes, including profiling and the reasons forwhich it was carried out, and the meaning and consequences of such processing for the user, and other information in accordance with article 15 of the GDPR);

Right to Correction of Personal Data
Everyone has the right to ask the seller to rectify inaccurate personal data without undue delay. Everyone has the right to integrate incomplete information, including the submission of a complementary declaration, taking into account the purposes of the data processing; Right to delete personal data ("right to be forgotten"): everyone has the right to obtain from the seller the deletion of personal data without undue delay. The seller must delete the data without undue delay when one of the following reasons exists:(a) the data are no longer necessary for the purposes for which they were collected or otherwise processed,(b) if there has been a withdrawal of consent and there is no other legal basis for the processing,(c) if you object to the processing and if there is no legitimate overriding reason to proceed with the processing,(d) the data has been processed illegally,(e) the data must be deleted for the fulfillment of legal obligations under EU law or the law of the Member State applicable to the seller,(f) the data was collected regarding the offers of information society services.As an individual, you have no right to delete data in some cases described in paragraph 3. of article 17 of the GDPR; Right to restrict data processing: Everyone has the right to restrict the seller's data processing when one of the following exists:(a) if the accuracy of the data is contested for a period that allows the seller to verify the accuracy of the data,(b) the processing is illegal and the user opposes the deletion of the data, asking instead for a restriction on their use,(c) the seller no longer needs the data for processing purposes, but they are necessary for you to exercise, carry out and defend legal claims,(d) has submitted an objection regarding the processing until it is verified that the seller's legitimate reasons prevail over his reasons; Right to data portability: everyone has the right to receive personal data (provided to the seller by the user) in a structured format, widely used and readable by a device, and also has the right to forward this data to another operator without the vendor to whom they were supplied being able to hinder it, this applies if:(a) the processing is based on consent or contract e(b) the processing is carried out by automated means. Right to object to the processing of personal data: each individual has, for reasons relating to his or her particular situation, the right to contest, at any time, the processing of personal data necessary for the performance of tasks in the public interest or for the execution of the public authority granted to the seller (point (e) article 6 (1) of the GDPR) or for the legitimate interests pursued by the seller or a third party (point (f) article 6 (1) of the GDPR), including profiling ; the seller ceases to process the personal data, unless he prove sthe legitimate reasons necessary for the processing that override his interests, rights and freedoms, or if it is a question of exercising, carrying out and defending legal claims.

Where personal data is processed for marketing purposes, an individual has the right to object to the processing of the data at any time. This applies to the data concerning him including profiling, if this refers to such direct marketing; when an individual objects to processing for direct marketing purposes, the data is no longer processed.When the data is processed for scientific or historical research purposes or for statistical purposes, an individual has the right to object to the processing of data relating to it, on grounds relating to his or her particular situation, unless the processing is necessary for the '' execution of the task that is carried out for reasons of public interest; Right to lodge a complaint with the supervisory authority: Without prejudice to any other legal resource (administrative or otherwise), everyone has the right to lodge a complaint with the supervisory authority, in particular in the country in which they reside, in which there is your place of work and where an infringement allegedly has occurred (in Slovenia, the supervisory authority is theInformation Commissioner), or if you believe that the processing of your personal data violates data protection rules personal. Without prejudice to any other resource (administrative or extrajudicial), everyone has the right to an effective remedy, that is, against a legal decision bound to the supervisory authority in relation to it, and the same also applies in cases where the supervisory authority control does not process your complaint or inform you of the status of the case or the decision on the complaint within three months. The courts of the Member State in which the supervisory authority is established are competent for proceedings against the supervisory authority. Each individual can direct all requests concerning the enforcement of personal data rights to the operator in writing, to one of the contacts listed on the contact-us website /For the purposes of reliable identification, in the event of the enforcement of the rights on personal data, the data controller may request additional information from the individual and may refuse to act only if it proves that the subject cannot be reliably identified.At the request of the individual, with whom it exercises its rights in relation to personal data, the operator must respond without undue delay and no later than one month after receipt of the request. Notification of a personal data breach to the supervisory authorityIn the event of a violation of the protection of personal data, the seller is required to inform the competent supervisory body, except in cases where it is likely that the rights and freedoms of individuals have not been compromised by the infringement. Where there is a suspicion that a crime has been committed, the seller is obliged to inform the police and / or the competent prosecutor's office. In the event that there is an infringement that can cause a high risk to the rights and freedoms of individuals, the seller is obliged to immediately or without undue delay inform all individuals to whom the personal data refer. The notice must be carried out in understandable and clear language.

Access to social networks
Through the byMAYA website it is possible to access the web plugins defined below, which the provider uses in its operation:FacebookInstagramYouTube In providing their services, each of these social networks operates in accordance with its terms of use and its privacy policies. Aurora Borealis assumes no responsibility for the use of social networks for which it provides access through its website.Questions and requests relating to the method of use must be addressed to individual social networks.The privacy policies of the aforementioned social networks are available at the linksbelow:Instagramhttps://help.instagram.com/519522125107875Facebook:https://www.facebook.com/about/privacy/Youtube: https://policies.google.com/privacy?hl=itPublicationofchanges

Any changes to the privacy policy will be posted on this site.

Last change: 16. 3. 2022

Privacy policy

Subscribe to ourmailing list!

Subscribe to our
mailing list!