Privacy policy
Privacy Policy of the Online Store dreamroots.eu
The policy is effective from: 01.01.2026
1. General provisions
This Online Store privacy policy is for informational purposes only, i.e., it does not create obligations for Online Store Customers. The privacy policy defines the rules for processing personal data by the Administrator in the Online Store, including the basis, purposes, and scope of personal data processing, the rights of the data subjects, as well as information on the use of cookies and analytical tools in the Online Store.
The Administrator of personal data collected through the Online Store is the company operating under the name: DREAMROOTS GROUP Sp. z o.o. based at (38-220) Dębowiec 748, registered in the business register by the District Court in Rzeszów, 12th Commercial Division of the National Court Register under number KRS 0000826092, NIP 6852339577, operating the online store at dreamroots.eu, hereinafter referred to as the "Administrator".
The Administrator can be contacted regarding personal data protection matters via the email address: hello@dreamroots.com.
The Online Store operates on the e-commerce platform Shopify, whose operator for customers from the European Economic Area is Shopify International Ltd. based in Dublin (Ireland), a company from the Shopify Inc. group based in Ottawa (Canada). Shopify acts as a data processor on behalf of the Administrator, to the extent necessary to provide and operate the store platform (including hosting, cart management, order processing, and payments). Detailed information about data processing by Shopify can be found in Shopify's Privacy Policy available at: https://www.shopify.com/legal/privacy.
Personal data in the Online Store is processed by the Administrator in accordance with applicable laws, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as "GDPR" or "GDPR Regulation" – and the Personal Data Protection Act of 10 May 2018.
Using the Online Store, including making purchases, is voluntary. Similarly, providing personal data by the Customer using the Online Store is voluntary, subject to:
a) entering into contracts with the Administrator – in cases and to the extent indicated on the Online Store website and in the Online Store Regulations and this privacy policy, failure to provide personal data necessary to conclude and perform the Sales Agreement or the Electronic Service Agreement with the Administrator results in the inability to conclude such an agreement.
b) statutory obligations of the Administrator – i.e., providing personal data is a legal requirement arising from generally applicable laws imposing on the Administrator the obligation to process personal data (e.g., processing data for the purpose of maintaining tax or accounting records), and failure to provide such data will prevent the Administrator from fulfilling these obligations.
The Administrator is responsible for and ensures that the data collected is:
a) processed lawfully;
b) factually correct and adequate in relation to the purposes for which it is processed;
c) stored in a form that allows identification of the data subjects for no longer than necessary to achieve the purpose of processing; and
d) processed in a manner ensuring appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, by means of appropriate technical or organizational measures.
The Administrator implements appropriate technical and organizational measures to prevent unauthorized persons from acquiring and modifying personal data transmitted electronically.
2. Grounds for data processing
The Administrator is authorized to process personal data in cases where at least one of the following conditions is met:
a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary to fulfill a legal obligation incumbent on the Administrator;
d) processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party, except in cases where the interests or fundamental rights and freedoms of the data subject requiring protection of personal data prevail, especially when the data subject is a child.
3. Purpose, basis, period, and scope of data processing in the Online Store
Each time, the purpose, basis, period, scope, and recipients of personal data processed by the Administrator result from the actions taken by the given Customer in the Online Store. The Administrator may process personal data in the Online Store for the following purposes:
a) Performance of the Sales Agreement or the electronic services agreement, or taking actions at the request of the data subject before concluding these agreements – the data (i.e., name and surname, email address, contact phone number, delivery address – including: street, house number, apartment number, postal code, city, country; residence/business/headquarters address if different from the delivery address) is stored for the period necessary for the performance, termination, or other expiry of the concluded agreement.
b) Establishing, pursuing, or defending claims that the Administrator may raise or that are raised against the Administrator – data to the maximum extent as above and, in the case of Customers who are not consumers, also company name, VAT number – are stored for the duration of the legally justified interest pursued by the Administrator, but no longer than the limitation period for claims against the person to whom the data relates, arising from the business activity conducted by the Administrator.
c) Marketing – the name and email address are stored until the consent is withdrawn by the person to whom the data relates.
d) Direct marketing – the email address is stored for the duration of the legally justified interest pursued by the Administrator, but no longer than the limitation period for claims against the person to whom the data relates, arising from the business activity conducted by the Administrator.
4. Data recipients in the Online Store
For the execution of Sales Agreements and for the proper functioning of the Online Store, it is necessary for the Administrator to use the services of external entities. Personal data of Online Store Customers may be transferred to the following recipients or categories of recipients:
a) carriers/shippers/courier brokers – concerning the Customer who uses product delivery by postal or courier shipment in the Online Store;
b) entities handling electronic payments or payment cards – concerning the Customer who uses electronic payment methods or payment cards in the Online Store;
c) to providers supplying the Administrator with technical, IT, and organizational solutions enabling the Administrator to conduct business activities, including the Online Store and Electronic Services provided through it — in particular Shopify International Ltd. (Ireland) as the store platform operator and other entities from the Shopify group;
d) to providers of marketing and electronic services, social media platforms providing marketing and promotional services;
e) to providers of accounting, legal, and advisory services supporting the Administrator with accounting, legal, or advisory assistance.
Data transfer outside the European Economic Area
In connection with the use of the Shopify platform and other tools (including analytical and marketing), clients' personal data may be transferred to countries outside the European Economic Area (EEA), in particular to Canada (headquarters of Shopify Inc.) and the United States. Data transfer takes place only with the use of appropriate safeguards provided for in Chapter V of the GDPR, including:
- decisions of the European Commission recognizing an adequate level of data protection (including the decision regarding Canada and the Data Privacy Framework for certified entities in the USA),
- standard contractual clauses (SCC) approved by the European Commission,
- other legally required safeguards.
The client has the right to obtain a copy of the applied safeguards by contacting the Administrator at the address hello@dreamroots.com.
5. Rights of the data subject
Right of access, rectification, restriction, deletion, or transfer – the data subject has the right to request from the Administrator access to their personal data, its rectification, deletion ("right to be forgotten") or restriction of processing, and has the right to object to its processing, as well as the right to data portability.
Right to withdraw consent at any time – a person whose data is processed by the Administrator based on given consent has the right to withdraw consent at any time without affecting the lawfulness of processing carried out based on consent before its withdrawal.
Right to file a complaint with the supervisory authority – a person whose data is processed by the Administrator has the right to file a complaint with the President of the Personal Data Protection Office in the manner and procedure specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act.
Right to object – the data subject has the right to object at any time – for reasons related to their particular situation – to the processing of their personal data, including profiling.
Right to object regarding direct marketing – if personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling.
To exercise the above rights, please contact us at: hello@dreamroots.com.
6. Cookies in the Online Store
The Administrator may process data contained in Cookies during visitors' use of the Online Store website for the following purposes:
a) identifying Service Users as logged into the Online Store and showing that they are logged in;
b) remembering Products added to the cart for placing an Order;
c) remembering data from completed Order Forms, surveys, or login data to the Online Store;
d) customizing the content of the Online Store website to the individual preferences of the Service User and optimizing the use of the Online Store pages;
e) conducting anonymous statistics showing how the Online Store website is used;
f) profiling.
Internet browser settings regarding Cookies are important in terms of consent to the use of Cookies by our Online Store.
The Administrator may use Google Analytics and Universal Analytics services provided by Google in the Online Store. These services help the Administrator analyze traffic in the Online Store. The collected data is processed within these services in an anonymized manner (preventing identification of individuals) to generate statistics helpful in managing the Online Store. This data is aggregate and anonymous.
7. Security
The Online Store website is equipped with security measures aimed at protecting data under our control from loss, misuse, or modification. We commit to protecting all information disclosed to us by Customers in accordance with security and confidentiality standards.
8. Final Provisions
This privacy policy applies only to the Administrator's Online Store operated at dreamroots.eu. The Online Store may contain links to other websites that have their own privacy policies.

