Privacy policy www.allnutrition.co.uk

Table of Contents

I. General information

  1. This document specifies the privacy principles applicable in the Online Shop www.allnutrition.co.uk (hereinafter referred to as the “Online Shop”).
  2. For the purposes of data protection legislation, we are the data controller of your personal data. SFD SPÓŁKA AKCYJNA with registered office in Opole, Poland (45-315), Głogowska 41, entered into the register of entrepreneurs of the National Court Register kept by the District Court in Opole, VIII Economic Department of the National Court Register under number KRS 0000373427, share capital of PLN 4.404.491, NIP (tax identification number): 7543022222, REGON (Polish business registry number): 160360680, E-Mail: [email protected].
  3. SFD SPÓŁKA AKCYJNA has appointed a Personal Data Protection Officer, who can be contacted at E-Mail: [email protected].
  4. We are committed to complying with the GDPR and the Data Protection Act 2018 (DPA).

II. Personal information

  1. The data controller collects information provided voluntarily by the Online Shop Customers. However, the provision of marked personal data is a condition for placing an order.
  2. Moreover, the data controller may record the information about connection parameters, like IP addresses, for technical purposes, for server administration and for collection of general, statistical demographic information (e.g. about the region from which the connection comes), and also for security purposes.
  3. The data controller shall make an extra effort in order to protect privacy and information about the Online Shop Customers provided to him. The data controller shall exercise due diligence when selecting and applying appropriate technical measures, including those of programming and organizational nature, in order to protect the processed data, and in particular he shall protect the data from unauthorized access, disclosure, loss and destruction, unauthorized modification, and also from their processing with the breach of the applicable provisions of law.
  4. Personal data will be:

    1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
    2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’).
    3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
    4. accurate and, where necessary, kept up to date (‘accuracy’).
    5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (‘storage limitation’).
    6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

III. The lawful bases we use to process data

  1. We will only ever process your data if we have a lawful basis to do so. The lawful bases we rely on are:

    1. Contract – This is where we process your data to fulfil a contractual arrangement, we have made with you or because you have asked us to carry out a service before entering into a contract.
    2. Consent – This is where we have asked you to provide permission to process your data for a particular purpose.
    3. Legitimate Interests – This is where we rely on our interests as a basis for processing.
    4. Legal Obligation –This is where we have a statutory or other legal obligation to process the data, such as to comply with regulatory requirements and/or requests.
    5. Vital interests –This is where the processing of personal data is necessary to protect someone’s life.
  2. Customer personal data are collected for:

    1. registration of an account in the Online Store for the purpose of establishment and management of an individual account. Legal grounds: processing is necessary for the performance of a contract on establishment and management of an Account service (article 6 sec. 1 letter b of GDPR).
    2. placement of an order in the Online Store for the purpose of the performance of a sales contract. Legal grounds: processing is necessary for the performance of a sales contract (article 6 sec. 1 letter b of GDPR).
    3. subscription of the Newsletter. Legal grounds: consent of a data subject for the performance of a contract concerning Newsletter service (article 6 sec. 1 letter a of GDPR);
    4. use of the contact form service. Legal grounds: legitimate interests (article 6 sec. 1 letter f of GDPR).
    5. use of the service to publish opinions. Legal basis – consent (Article 6(1) letter a of the GDPR).
    6. customer satisfaction surveys using external solutions, based on their consent for marketing activities (article 6 sec. 1 letter a of GDPR).
    7. using the selection of supplementation service. Legal basis - the Customer's consent to the provision of the supplementation service (article 6 sec. 1 letter a of GDPR), and in relation to specific categories of personal data - the consent of the data subject (article 9 sec. 2 letter a of GDPR).
    8. conducting analytics, marketing or internet remarketing activities. Legal basis - consent of the data subject by means of an action confirming consent in the form of ticking a checkbox or consent to the installation of cookies of the marketing or analytical solutions used (article 6 sec. 1 letter a of GDPR).
    9. for the purpose of receiving marketing information via the WhatsApp application. Legal basis – consent of the data subject for marketing purposes (Article 6(1)(a) of the GDPR). Providing your telephone number is voluntary. The use of WhatsApp for marketing purposes involves the transfer of your telephone number to WhatsApp Ireland Limited. Consent may be withdrawn at any time.
    10. for the purpose of receiving marketing information via SMS. Legal basis – consent of the data subject for marketing purposes (Article 6(1)(a) of the GDPR). Providing your telephone number is voluntary. You may withdraw your consent at any time.
  3. When registering in the online shop, the Customer provides:

    1. e-mail address.
    2. date of birth. The data provided in point b) is processed in order to verify the Customer's age, which is a legal requirement for the sale of products intended exclusively for adults. The legal basis for the processing of this data is the fulfilment of a legal obligation by the Controller (Article 6(1)(c) of the GDPR).
  4. During registration of an account in the Online Store, the Customer defines an individual access password to their account. The Customer may change an account later.
  5. In the case of ordering in the Online Shop, Customer provides the following information:

    1. e-mail.
    2. address data:
    1. postal code and place of residence.
    2. country.
    3. street and house/flat number.
    1. name and surname.
    2. phone number.
  6. In case of subscription of the newsletter, User specifies only e-mail address.
  7. When using the contact form service, the Customer shall provide the following data:

    1. e-mail.
    2. name and surname.
  8. When using the publish opinion service, the Customer shall provide the following data:

    1. e-mail.
    2. pseudonym/nick.
  9. In the case of using the service, the selection of supplementation, the Customer provides:

    1. e-mail.
    2. weight.
    3. height.
    4. age.
    5. information on previously used dietary supplements.
  10. During the Website browsing additional information may be collected such as IP address assigned to User's computer or external IP address of your ISP's, domain name, browser type, time of access, the type of operating system.
  11. Navigation data may be collected from the Customers, including information on links and references they click, or other activities undertaken by them in our Online Store. Legal grounds- legitimate interests (article 6 sec. 1 letter f of GDPR) in form of facilitation of use of services rendered by electronic means and improvement of functionality of such services.
  12. To determine, exercise and enforce claims, come personal data provided by the Customer when using functionalities of the Online Store may be provided, such as: name, surname, information about use of services, if claims result from the manner of user of services by the Customer, other data necessary to prove existence of claim, including the volume of suffered losses. Legal grounds- legitimate interests (article 6 sec. 1 letter f of GDPR) in form of determination, exercising and enforcement of claims and defence against claims in litigation and proceeding in front of other public authorities.
  13. Personal data are provided to SFD SPÓŁKA AKCYJNA on voluntary basis in relation to concluded sales contracts or services rendered via the Online Store Website, provided that, however, without data specified in the data forms in the Registration process, Registration and establishment of a Customer Account is not possible, and if orders are placed without Registration of Customer Account, placement and fulfilment of Customer order will be impossible.
  14. In compliance with the applicable legal provisions, we process your personal data for a term of time that is necessary to meet the designated purpose. After such term, the personal data of Customers will be irrevocably deleted or destroyed.
  15. Personal data processed covered by the consent statement will be processed until the consent is revoked.
  16. We process personal data during the term of the agreement, as well as during a period of expiry of claims resulting from the provisions of the law.

IV. Your rights

  1. The right to withdraw consent – legal ground: article 7 sec. 3 of GDPR.

    1. The Customer has a right to withdraw consent granted to SFD SPÓŁKA AKCYJNA.
    2. Withdrawal of consent shall be effective as the time of withdrawal.
    3. Withdrawal of consent shall not affect the lawfulness of processing before its withdrawal.
    4. Withdrawal of consent shall not entail any negative consequences for the Customer but may prevent them from further use of services of functionalities, which may be lawfully provided by SFD SPÓŁKA AKCYJNA only upon consent of the Customer.
  2. Right to object to personal data processing - legal ground: article 21 of GDPR.

    1. The Customer shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them, including profiling, if SFD SPÓŁKA AKCYJNA processes their data on the basis of a legitimate interest, such e.g. marketing of SFD SPÓŁKA AKCYJNA’s products and services, statistic concerning use of individual functionalities of the Online Store and facilitation of use of the Online Store, and Customer satisfaction surveys;
    2. An e-mail resignation from marketing communications on products or services will mean the Customer’s objection to processing of their personal data, including profiling for those purposes;
    3. If the Customer’s objection is reasonable and SFD SPÓŁKA AKCYJNA has no other legal grounds to process personal data, the Customer’s personal data, whose processing has been objected by the Customer, will be deleted.
  3. Right to erasure (“right to be forgotten”) - legal ground: article 17 of GDPR.

    1. The Customer has the right to demand erasure of all or some personal data;
    2. The Customer has the right to demand the erasure of some personal data, if:
    1. the personal data are no longer necessary in relation to the purposes for which they were collected or processed;
    2. the Customer has withdrawn consent in the scope in which personal data have been processed on the basis of their consent;
    3. the Customer has objected to use of their data for marketing purposes;
    4. the personal data are unlawfully processed;
    5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which SFD SPÓŁKA AKCYJNA is subject;
    6. the personal data have been collected in relation to the offer of information society services.
    1. Despite of demand of erasure of personal data in relation to an objection or withdrawal of consent, SFD SPÓŁKA AKCYJNA may retain some full personal data in the scope, in which processing is necessary for determination, claiming or defence against claims, and for fulfilment of the legal obligation requiring data processing under the legislation of the European Union or a Member State to which SFD SPÓŁKA AKCYJNA is subject. It refers in particular to: name, surname, e-mail address, which are retained for the purpose of examination of complaints and claims related to use of SFD SPÓŁKA AKCYJNA services, or additionally an address of residence/ correspondences, order number, which are retained for the purpose of examination of complaints and claims related to concluded sales agreements or service agreements.
  4. Right to restriction of processing- legal ground: article 18 of GDPR.

    1. The Customer shall have the right to obtain from the controller restriction of their personal data processing. Submission of such demand, until its examination, prevents the use of specified functionalities or services, the use of which would be related with processing of personal data subject to such demand. Moreover, SFD SPÓŁKA AKCYJNA will not send any message, including marketing communications.
    2. The Customer shall have the right to demand restriction of their personal data processing in the following cases:
    1. when he questions the correctness of his personal data - then the SFD SPÓŁKA AKCYJNA limits their use for the time needed to verify the correctness of the data;
    2. When data processing is unlawful and the Customer demands restriction of their use instead of their erasure;
    3. When personal data are no longer necessary for the purposes of their collection or use, but they are needed by the Customer in order to determine, exercise or defend claims;
    4. When the Customer objected to proceeding of their data- then the restriction is introduced for a period necessary to consider whether, due to exceptional circumstances – protection of the Customer’s interests, rights and freedoms prevails over the interests, which are exercise by the Controller when proceeding Customer’s personal data.
  5. Right of access to data - legal ground: article 15 of GDPR.

    1. The Customer shall have the right to obtain a confirmation from the Controller, whether or not it processes personal data, and if yes, the Customer shall have the right to:
    1. obtain access to their personal data;
    2. obtain information on the purposes of the processing, the categories of processes personal data, the recipients or categories of recipients of such data, the envisaged period for which the personal data will be stored or the criteria used to determine that period (if determination of the planned period of data processing is not possible), on Customer’s rights under the GDPR and the right to lodge a complaint with a supervisory authority, on the source of such data, automated decision-making, including profiling and security devices applied due to the transfer of such data outside the European Union;
    3. obtain copies of their personal data.
  6. Right to rectification - legal ground: article 16 of GDPR

    1. The Customer shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning the Customer. Taking into account the purposes of the processing, the Customer shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement, sending the respective request to the e-mail address in compliance with of the Privacy Policy.
  7. Right to data portability- legal ground: article 20 of GDPR.

    1. The Customer shall have the right to obtain their personal data, which were provided to the Controller, and then to send them to another data controller selected by the Customer. The Customer shall have the right to demand that such personal data are sent directly by us to another data controller, if this is technically feasible. In such case the Controller shall sent the Customer’s personal data in a csv file, which is a commonly used machine-readable format, allowing transfer of processed data to another data controller.
  8. If the Customer wishes to exercise any of the foregoing rights, SFD SPÓŁKA AKCYJNA fulfils a request or refuses to fulfil it promptly, but no later than within a month of its receipt. If, however, due to a complex nature of a demand or a number of demands SFD SPÓŁKA AKCYJNA is not able to fulfil demand within one month, it shall fulfil it during the following two months, notifying the Customer earlier within a month from receipt of the demand on the intended prolongation of the period and about own activities.
  9. The Customer may file complaints, questions or requests concerning processing of their personal data and execution of this right.
  10. The Customer has the right to demand that SFD SPÓŁKA AKCYJNA provides copies of standard contractual clauses, sending a request in the was define in of the Privacy Policy.
  11. You can read more about these rights on the UK Information Commissioner's Office website at https://ico.org.uk/for-the-public/.
  12. We encourage you to get in touch if you have any concerns with how we collect or use your personal data. You have the right to lodge a complaint directly with a Data Protection Authority. The Data Protection Authority in the UK is the Information Commissioner's Office (ICO), you can contact the ICO here: ico.org.uk/make-a-complaint.

V. Recipients of personal data

  1. Recipients of the Customer's personal data may by entities performing the order at the Seller's request and handling it, such as shipment companies, accounting companies, suppliers of the goods, assembly services, providers of IT solutions, payment processing companies, banks, companies providing marketing services, telecommunication providers, law offices, authorised state authorities.
  2. If the Customer selects payment via the PayU system, his/her personal data are transferred in the scope necessary for execution of the payment to PayU S.A. with its registered office in Poznań (60-324 Poznań, ul. Grunwaldzka 182) entered into the Register of Entrepreneurs kept by the District Court of Poznań - Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register under the KRS no.: 0000274399.
  3. Transaction data, including personal data, may be transferred to PayU to the extent necessary to handle payment for the order. The Customer has the right to access their data and correct it. The provision of data is voluntary and at the same time necessary for the use of the website.
  4. SFD SPÓŁKA AKCYJNA provides personal data to authorized national authorities, in particular to organizational units of the prosecutor's office, police, Personal Data Protection Authority, in case of requests addressed to our company.
  5. We do not allow third-party suppliers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
  6. In order to process your personal data for the purposes set out in this Privacy Policy, we may transfer your personal data to third parties that are based outside of the EEA or the UK. For any personal data transfers to the EEA, we will continue to follow all regulatory and legal requirements set out EU-UK Trade and Cooperation Agreement, and any subsequent arrangements that are agreed.
  7. Whenever we transfer your personal data out of the EEA, we attach a similar degree of protection to it (as it would receive in the EEA) by ensuring at least one of the following safeguards is implemented:

    1. We will only transfer your personal data to countries, territories or sectors within a country that have been deemed to provide an adequate level of protection for personal data by the European Commission.
    2. The transfer is subject to a legally binding and enforceable commitment on the recipient to protection the personal data (e.g. through the use of European Commission approved standard contractual clauses).
    3. The transfer is made subject to binding corporate rules.
    4. The transfer is based on a derogation from restrictions on transferring personal data outside of the EEA (such as where you give your consent, the transfer is necessary for the performance of contract with you, or the transfer is necessary for the establishment, exercise or defence of legal claims).

VI. Cookies

  1. We use cookies on our website.
  2. When viewing the Online Service websites “cookie” files are used, which are small text files recorded in the Customer’s target device in connection with using the Online Service. They are used in order to improve the experience with the Online Service websites.
  3. The “cookie” files used by the Controller are safe for the Customer’s devices. In particular, it is not possible for viruses or other unwanted or malicious software to enter the Customer’s devices in that way. Those files allow to identify the software used by the Customer and to adjust the Online Service to each Customer individually. “Cookie” files sometimes contain information about the domain name of their origin, how long they are kept in the device and the ascribed value.
  4. Due to the purpose of collecting cookies, we distinguish the following Cookies:

    1. necessary Cookies: necessary for the proper functioning of the service - files processed on the basis of the legitimate interest of the controller.
    2. statistics Cookies: they allow us to study website traffic, learn about our users' preferences, analyse their behaviour on the site and enable interactions with external networks and platforms - files processed based on the user's voluntary consent.
    3. marketing Cookies: they allow us to tailor the advertising and content displayed to our users' preferences and to conduct personalized marketing campaigns - files processed based on the user's voluntary consent.
  5. “Cookie” files may be used by advertisement networks, by the Google network, in order to display advertisements adjusted to the way the Customer uses the Online Service. To that end, the information may be retained about the Customer’s navigation path or the time spent on the given website.
  6. As regards the information about the Customer’s preferences collected by the advertising network Google, the Customer may view and edit the information related to cookie files by means of the following tool: https://www.google.com/ads/preferences/.
  7. The Customer may, by himself and at any time, change the “cookie” files settings, specifying the conditions of their storing and of their access to the Customer’s device. The settings referred to in the previous sentence may be changed by the Customer through the web browser settings or through configuration of the service. Those settings may be changed in particular so as to block automatic support for “cookie” files in the web browser settings or to inform each time they are introduced to the Customer’s device. Detailed information about the possibilities and ways of supporting cookie files is available in the software (web browser) settings.
  8. To learn how to manage cookies, including how to disable them in your browser, you can use the help section of your browser. You can learn more about this by pressing the F1 key while in your browser. In addition, you will find appropriate tips on the following pages, depending on the browser you are using: Firefox Chrome Safari Internet Explorer / Microsoft Edge
  9. The Customer may remove “cookie” files at any time, using the functions available in the web browser he uses.
  10. Limitation of the “cookie” files application may affect some functionalities available on the Online Service website.
  11. SFD SPÓŁKA AKCYJNA uses external cookies to:

    1. popularise the Online Store using the social networking service of facebook.com (controller of third-party Cookies: Meta Platforms Ireland Limited, with its registered office in Ireland);
    2. present advertising tailored to the Customer's preferences by means of the online advertising tool of facebook.com (controller of third-party Cookies: Meta Platforms Ireland Limited, with its registered office in Ireland);
    3. present advertising tailored to the Customer's preferences by means of the Google Ads online advertising tool (controller of third-party Cookies: Google Ireland Limited, with its registered office in Ireland);
    4. The presentation of multimedia content on the Shop's websites, which is downloaded from the external website www.youtube.com (external cookie controller: Google Ireland Limited, based in Ireland);
    5. collect general and anonymous statistical data through Google Analytics (administrator of external cookies: Google Inc seated in the USA);
    6. the collection and analysis of data regarding individuals’ preferences and purchasing decisions for the purpose of compiling statistics and optimizing marketing activities, as well as informing customers about changes to the terms and conditions (external cookie provider: BloomReach, Inc., based in Mountain View, United States);
    7. to present ads tailored to Customer preference using the web tool Criteo (administrator of external cookies: Criteo SA seated in the France).
    8. displaying advertisements tailored to the Customer's preferences using the online advertising tool Microsoft Advertising (external cookie manager: Microsoft Ireland Operations Limited with registered office in Ireland) - detailed information- https://privacy.microsoft.com/de-de/privacystatement.
    9. researching online store visitor behaviour using the Microsoft Activity Mapping tool (external cookie administrator: Microsoft Ireland Operations Limited with registered office in Ireland) - detailed information - https://privacy.microsoft.com/de-de/privacystatement.
    10. displaying advertisements as part of the implementation of a targeted marketing campaign to a specific target group via the remarketing tool within the Microsoft advertising system (external cookie manager: Microsoft Ireland Operations Limited with registered office in Ireland) - detailed information-https://privacy.microsoft.com/de-de/privacystatement.
    11. Freshworks (https://www.freshworks.com/pl/), a tool for supporting customer service in handling email inquiries – Freshworks Inc., 16192 Coastal Highway, Lewes, Delaware 19958, USA.
    12. provision of an external search engine for the online store (https://www.luigisbox.com) – Luigi’s Box, s.r.o., a limited liability company registered under the laws of Slovakia, with its registered office at Tallerova 4, Bratislava – Staré Mesto district 811 02, Slovakia.

VII. Amendments to the Privacy Policy

  1. This Privacy Policy come into force on 12.06.2026.
  2. The data controller will always post information about changes to the Privacy Policy in the Online Shop. With each change, a new version of the Policy will appear with a new date.
  3. Please send all additional questions related to the Privacy Policy to: [email protected].