PRIVACY POLICY

GENERAL PROVISIONS

1. This Privacy Policy (hereinafter referred to as the “Privacy Policy”) defines the principles for processing personal data obtained through the website https://vaduse.com (hereinafter referred to as the “Online Store”) and is directed towards the users of the Online Store. The owner of the Online Store and the data controller is VADUSE DERMATOLOGIE SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, located at Tomasza Zana 43 / 2.1, 20-601 Lublin, registered in the commercial register under KRS number 0000870278. The share capital amounts to 90 000 PLN. NIP: 7123410242, REGON: 387546390, email address: vaduse@vaduse.pl, contact phone number: +48 693966218 (charged at the standard connection rate — according to the pricing of the respective operator), (hereinafter referred to as the “Administrator”). Contact with the Administrator can be made by mail, telephone, or via email.

2. The personal data collected by the Administrator through the Online Store are processed in accordance with the Regulation of the European Parliament and Council (EU) 2016/679 of April 27, 2016, on the protection of individuals concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”).

3. The Administrator places significant importance on protecting the privacy of users of the Online Store and the security of processing their personal data.

PURPOSES, LEGAL BASES FOR PROCESSING, CATEGORIES OF PERSONAL DATA

CONSENT

1. The Administrator processes your data based on consent.

2. The Administrator also processes your data based on consent when you agree to the use of cookies other than those necessary for providing the service delivered electronically, including the installation of cookies by third parties and the transfer of data collected through those cookies to the aforementioned entities. You can withdraw your consent for the installation of cookies other than those necessary for delivering the service electronically at any time, either in the browser settings on the device you use or from the Online Store at the page footer by clicking the link “Change privacy settings.” The withdrawal of consent does not affect the legality of the processing of data collected through cookies before consent is withdrawn.

3. We use tools that allow the display of personalized advertisements, such as search, remarketing, ads displayed on YouTube, and on social media. Dedicated ads will be displayed if the phrase you entered in the search engine matches the list of phrases set in our campaign; as well as if Google’s algorithm targets you based on the sites you visit, videos you watch on YouTube, etc. You can withdraw your consent for us to use the aforementioned tools, including Google Marketing Platform cookies. You can do this on the Google Marketing Platform opt-out page or the Network Advertising Initiative opt-out page.

CONCLUSION AND PERFORMANCE OF THE CONTRACT

1. The Administrator processes your personal data to take actions at your request aimed at concluding a contract with the Administrator or when it is necessary for the performance of an already concluded contract (Article 6, paragraph 1, letter b of GDPR), including but not limited to:

a. concluding contracts with the Administrator for the provision of electronic services as mentioned in the Regulations of the Online Store, related to setting up an Account in the Online Store and its execution,

b. concluding a Sales Agreement for goods with the Administrator and its execution,

c. sending inquiries to the Administrator via email or contact forms available on the Website.

LEGAL OBLIGATION

1. The Administrator processes your personal data to fulfill a legal obligation imposed on the Administrator (Article 6, paragraph 1, letter c of GDPR).

2. In practice, this means a necessity to process your personal data in connection with fulfilling obligations arising from legal provisions, particularly obligations under tax laws, the Accounting Act, the Electronic Services Act, the Civil Code, and the Consumer Rights Act.

LEGITIMATE INTEREST OF THE ADMINISTRATOR OR A THIRD PARTY

1. The Administrator may process your personal data if it is necessary for the purposes of legitimate interests pursued by the Administrator or a third party (Article 6, paragraph 1, letter f of GDPR), including but not limited to the following cases:

MANAGING CUSTOMER RELATIONSHIPS

1. The Administrator internally analyzes past cooperation with you to create summaries, analyses, and statistics related to sales. Based on this information, the Administrator gains insights helpful for preparing offers, determining prices, better tailoring the offer to your interests, conducting better-targeted marketing actions, and improving the quality of services provided.

2. Pursuing claims by the Administrator and defending against claims directed at the Administrator.

3. In the event of your non-fulfillment or improper fulfillment of the agreement concluded with the Administrator, the Administrator may, under applicable law, pursue claims from you, e.g., seeking payment for sold goods.

4. In case of claims directed by you against the Administrator, the Administrator processes your personal data to defend against such claims.

5. Enabling Customers to make payments through payment services.

6. If you choose the online payment method, the Administrator transfers your personal data to the payment service provider to enable you to make payment using your chosen method (credit card or bank transfer).

CONTACTING THE ADMINISTRATOR

1. You can contact the Administrator via email or the online contact forms available on the Website. In such cases, the Administrator may process your personal data to communicate with you and address your inquiry.

2. Data retention for accountability, i.e., proving compliance with regulations on the processing of personal data.

WEBSITE OPERATION

1. The Administrator uses necessary cookies for the proper functioning of the Website. The use of necessary cookies may involve processing your personal data, based on the legitimate interest of the Administrator in managing the website.

CREATING AUDIENCE DATABASES

1. If you are a registered Customer, your email address stored in the Administrator’s mailing database may be sent to Facebook and Instagram to create an audience group for advertising purposes using that email address. When using this function, the email address is hashed before being sent to Facebook and Instagram to create the audience group. The email address will be used in the matching process conducted by Facebook and Instagram. Facebook and Instagram do not disclose the email address to third parties or other advertisers and delete the email address immediately after the matching process is completed. Facebook and Instagram have implemented processes and procedures to ensure confidentiality and security of the email address transmitted to them and the collection of Facebook user IDs creating the audience group formed using the email address, including through the use of technical and physical safeguards.

PROFILING

1. Based on the information about you collected during previous cooperation (i.e., information on purchase history in the Online Store, your activity history in the Online Store), the Administrator displays personalized advertisements to you on the Online Store website https://vaduse.com.

2. Marketing of products and services offered by the Administrator.

3. The Administrator sends you marketing information about the goods and services offered by the Administrator, provided that you previously consented to receive telephone contact (SMS messages) or email contact for direct marketing purposes.

4. The Administrator does not send spam, i.e., unsolicited commercial information.

5. The Administrator does not share any personal data, particularly email addresses or phone numbers, with third parties for the purpose of enabling them to engage in direct marketing activities regarding goods and services.

RECIPIENTS OF PERSONAL DATA

1. In connection with processing your personal data for the purposes mentioned in the Privacy Policy, the Administrator may disclose your data to the following recipients or categories of recipients: entities providing services: transportation, postal, logistics, accounting, legal advice, IT, payment services, banks where the Administrator has a bank account regarding the transfer of amounts to your account in the event of returns, complaints, overpayments, legal representatives representing the Administrator, entities responsible for delivering cookies.

PLANNED DATA RETENTION PERIOD

1. Personal data are retained for the period necessary to achieve the purposes indicated in Section I of this Privacy Policy.

2. In the case of data processed based on consent (concerning cookies), until such consent is withdrawn, or until the retention periods of individual cookies specified in the Cookie Policy expire, if such expiration occurs before consent is withdrawn.

3. In the case of data processed for the purpose of concluding and performing the contract (Section I.2 of the Privacy Policy), the Administrator processes personal data until the expiry of the limitation period for civil claims arising from them.

4. In the case of data processed to fulfill a legal obligation, the processing period is determined by legal regulations.

5. In the case of data processed to achieve the legitimate interest of the Administrator or a third party, the period of retention of personal data varies depending on the specific purpose of processing:

6. For data processed for the purpose of managing customer relationships, data is processed until you lodge an objection based on Article 21, paragraph 1 of GDPR regarding your specific situation, but no longer than you use the Administrator’s services or remain in commercial relations with the Administrator;

7. For data processed for the purposes of pursuing claims by the Administrator or defending against claims directed at the Administrator, the Administrator processes personal data for this purpose until the pursued claim is enforced or the claims are barred, depending on which event occurs earlier.

8. For data processed to secure claims related to the sale of goods, the Administrator processes personal data indefinitely, as long as you remain in commercial relations with the Administrator or there are unfulfilled claims against you by the Administrator.

9. For data processed for accountability purposes, the Administrator processes personal data for as long as necessary to document compliance with legal requirements and enable verification of compliance by authorized public authorities.

10. For data processed for profiling purposes, data is processed until you raise an objection based on Article 21, paragraph 2 of GDPR, but no longer than you use the Administrator’s services or remain in commercial relations with the Administrator.

11. For data processed for marketing of products and services offered by the Administrator, the Administrator processes personal data for this purpose until you withdraw your consent to receive commercial information via email, SMS, or file an objection to the processing of personal data.

RIGHTS OF THE DATA SUBJECT

RIGHT TO ACCESS DATA

1. You have the right to access your data, including the right to obtain a copy of the data, including electronically.

RIGHT TO RECTIFICATION OF DATA

1. You have the right to request the rectification of incorrect personal data. You have the right to request the completion of incomplete personal data.

RIGHT TO ERASURE OF DATA

1. You have the right to request the Administrator to delete your personal data if:

a. the data is no longer necessary for the purposes for which it was collected or otherwise processed;

b. you object due to your particular situation to the processing of your personal data based on the legitimate interest of the Administrator or a third party, and there are no overriding legitimate grounds for processing;

c. you object to the processing of your data for direct marketing purposes;

d. your personal data has been processed unlawfully;

2. Personal data must be erased to comply with a legal obligation under the law of the European Union or under Polish law applicable to the Administrator. However, the Administrator notes that this right is subject to significant restrictions. The Administrator will not be able to fulfill your request if further processing is necessary for:

a. fulfilling a legal obligation requiring processing under EU or national law (e.g., if the limitation period for tax obligations arising from the agreement concluded between the Administrator and you has not yet expired, if the retention period for accounting documents issued in connection with the agreement concluded between the Administrator and you has not yet expired);

b. establishing, pursuing, or defending claims.

RIGHT TO RESTRICT PROCESSING

1. You have the right to request the restriction of the processing of personal data if:

a. you contest the accuracy of the personal data for a period enabling the Administrator to verify the accuracy of such data;

b. the processing is unlawful, and you oppose the erasure of personal data, instead requesting the restriction of their use;

c. the Administrator no longer needs the personal data for the purposes of processing, but you require them to establish, pursue, or defend claims;

d. you have lodged an objection due to your particular situation to the processing of your personal data based on the legitimate interest of the Administrator or a third party—to the extent until it is established whether the legitimate grounds on the part of the Administrator override the grounds for objection raised by you.

RIGHT TO DATA PORTABILITY

1. You have the right to receive your data provided by you in a commonly used format readable by computer programs, which the Administrator processes automatically based on the concluded agreement with you or based on your consent. You also have the right to request the transmission of the aforementioned file to another data controller if technically feasible.

RIGHT TO OBJECT

1. You have the right to object at any time for reasons related to your particular situation to the processing of your personal data based on the legitimate interests of the Administrator or a third party (Section I.4 of this Privacy Policy).

2. The Administrator has the right to refuse to cease processing your data if it demonstrates:

a. the existence of important legally justified grounds for processing that override your interests or rights and freedoms, or

b. the existence of grounds for establishing, pursuing, or defending claims.

3. You have the right to object at any time if the Administrator processes your data for direct marketing purposes, including profiling.

COMPLAINT TO THE SUPERVISORY AUTHORITY

1. You have the right to lodge a complaint with the supervisory authority, i.e., the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).

VOLUNTARY PROVISION OF DATA

1. If you create an account in the Online Store as a consumer, it is necessary to provide the following data: email address, login password for the account, first and last name, phone number, street, house number, postal code, city. Providing the aforementioned data is voluntary; however, refusal to provide it will prevent the creation of the account in the Online Store.

2. If you create an account in the Online Store as an entrepreneur (COMPANY), it is necessary to provide the following data: email address, login password for the account, first and last name, phone number, NIP number, the name under which you conduct your business (Field: company name), street, house number, postal code, city. Providing the aforementioned data is voluntary; however, refusal to provide it will prevent the creation of the account in the Online Store.

3. When concluding a sales contract for goods, you may also provide a different delivery address than during registration. Providing the aforementioned data is voluntary.

4. If you agree to receive VAT invoices electronically, the Administrator will send them to the address provided during account registration in the Online Store; however, you may provide a different email address at the stage of placing the order in the Online Store. Providing the aforementioned data is voluntary; however, refusal to provide it will result in invoices being sent by default to the email address indicated when the account was created in the Online Store.

5. If you place an order through the Online Store for the collection of returned goods, the Administrator processes your data to the extent necessary to fulfill this contract, i.e., first name, last name, phone number, email address, invoice or receipt number related to the returned goods, identification of the returned goods, the address from which the returned goods should be collected. You also have the option to provide a bank account number for the refund for the returned goods. Providing the aforementioned data is voluntary; however, refusal to provide it will prevent placing an order for the collection of returned goods via the returns form on the Online Store site.

6. If you wish to file a complaint regarding the goods through the complaints form available in the Online Store, you must provide the following personal data: first name, last name, company name (if applicable), correspondence address, contact phone number, email address, invoice or receipt number concerning the complained goods, identification of the complained goods. You also have the option to provide a bank account number for the refund. Providing the aforementioned data is voluntary; however, refusal to provide it will prevent filing a complaint via the complaints form on the Online Store site.

7. If you wish to receive information via email about promotions, new products, and discounts regarding the Administrator’s offer, you must consent to telephone contact and to receiving commercial information in accordance with Article 2, point 2 of the Act of July 18, 2002, on the provision of electronic services, for direct marketing purposes. Providing the aforementioned data is voluntary; however, refusal to provide it will prevent the Administrator from contacting you via email.

SOURCES OF DATA COLLECTION

1. The Administrator obtains your personal data directly from you.

DATA TRANSFER TO THIRD COUNTRIES

1. If you accept cookies installed on the Website by third parties, data collected through these cookies may be transferred to third countries.

SECURITY OF PERSONAL DATA

1. The Administrator employs technical and organizational measures to secure personal data against unauthorized access, loss, or damage, appropriate to the identified risks associated with data processing.

2. To prevent unauthorized access to and modification of personal data transmitted by you during registration and login to the Online Store account, the Administrator ensures encryption of the connection to the Administrator’s server using an SSL certificate.

3. Actions taken by the Administrator may be insufficient if you do not adhere to security principles. In particular, you should keep your login and password for the Online Store account confidential and not share them with third parties. The Administrator will not request them from you except during login.

4. To prevent unauthorized persons from using the Account, you should always log out after finishing your use of the Online Store.

5. This Privacy Policy is effective as of October 25, 2025.