Privacy policy
The definitions used in the Terms and Conditions of One TRIBE EU apply accordingly to this Privacy Policy.
WHO WE ARE AND HOW TO CONTACT US – DATA CONTROLLER
The controller of your personal data is One Tribe EU Sp. z o.o., with its registered office in Barlinek, ul. Górna 28/34, 74-320 Barlinek, entered in the register of entrepreneurs kept by the District Court Szczecin-Centrum in Szczecin, 13th Commercial Division of the National Court Register under KRS No. 0001167971, REGON: 541473685, NIP (VAT ID): 5971762821. For any matters relating to personal data processing, please contact us at: info@onetribecosmetics.com.
WHAT DATA WE PROCESS
When you use our Store and the Service, we process data necessary to fulfil orders and operate your account: identification and contact details, delivery and billing addresses, payment information provided by payment operators, purchase and complaint history, account settings and communication preferences (contact details (email address or phone number), delivery details (country/region, first name, last name, address, apartment number if applicable, postal code, city), choice of delivery method presented along with the cost, choice of payment method (card details: number, expiration date, security code, first and last name of the cardholder)). We also collect technical data related to the use of the Service, such as IP address, device identifiers, system logs, and information derived from cookies and similar technologies. The data come from you (forms, checkout, registration, contact), from our payment partners and carriers (payment and delivery status), and from analytics/marketing tool providers, strictly to the extent that you have consented to or that is necessary for the Service to function.
PURPOSES AND LEGAL BASES OF PROCESSING
We process data in order to conclude and perform the sales contract, operate the Client account and handle any queries (Article 6(1)(b) GDPR), and to comply with tax, accounting and consumer-protection obligations (Article 6(1)(c) GDPR). We safeguard payment and Service security, prevent fraud, and conduct basic analytics and statistics (Article 6(1)(f) GDPR – our legitimate interests). We send marketing communications only in accordance with the law—either on the basis of our legitimate interest in relation to existing clients or on the basis of your consent. You may withdraw consent at any time. We verify product reviews transparently (in line with the Omnibus Directive) and clearly indicate whether a review originates from a genuine purchaser. If we publish a review together with identifying details, we do so only with consent.
HOW LONG WE KEEP YOUR DATA
We retain accounting documents for periods required by law (as a rule, five years counted from the end of the relevant tax year). Data concerning complaints and lack of conformity are kept until the matter is resolved and limitation periods expire. Client account data are stored until the account is deleted, while retaining documentation we are legally obliged to keep. Marketing data are processed until consent is withdrawn or an objection is raised. Records of consent (proof of grant) are retained for accountability for up to six years. Security logs and technical data are generally kept for up to twelve months, and longer only if required for incident analysis or the defence of claims.
WHO WE DISCLOSE DATA TO
We disclose data only where necessary. In particular, data may be shared with payment operators (e.g., Adyen/Stripe/PayU, PayPal, Google Pay), carriers and logistics partners, as well as trusted IT providers (hosting, shop system, CRM, e-mail/SMS, analytics, anti-fraud), law firms and auditors upon their lawful request. Public authorities may obtain data where required by law. With processors we enter into data processing agreements pursuant to Article 28 GDPR. Where we use service providers outside the EEA, we rely on the European Commission’s Standard Contractual Clauses together with any necessary supplementary measures; details are available on request.
COOKIES
To ensure the Service operates smoothly and securely, we use cookies and similar technologies. Some cookies are strictly necessary—they maintain a logged-in session, remember basket contents, support checkout, or display the website in the correct language. These cookies operate on the basis of our legitimate interests and do not require consent. Other cookies—analytics and marketing—are activated only after you give explicit consent via the cookies banner. They help us understand which content is most useful, measure campaign effectiveness, limit repeated ad displays, and tailor content to your preferences (e.g., abandoned-basket reminders or cosmetic recommendations). Consent is voluntary and may be withdrawn at any time without affecting your ability to shop—use the “Cookies settings” link available in the footer or in the banner.
On your first visit we display a clear banner with “Accept”, “Reject” and “Manage preferences” options. Under “Manage” you can enable only those categories you want. You can change settings at any time.
We use the following categories:
A) Necessary (technical) – enable core Service functionality and security (session, basket, checkout, language preferences). Without them, the shop cannot function properly.
B) Analytics/statistical – help us understand how users navigate the site (e.g., total visits, navigation paths) and improve the shop and its accessibility. These operate only with your consent.
C) Marketing/advertising – used to measure and personalise marketing communications, including frequency capping and cross-device linkage for the same user. We use these only with consent.
Who can set cookies. In addition to our own cookies (first-party), cookies from our partners (third-party) may operate within the Service. You can change your consents and detailed settings at any time via the sticky cookie icon displayed at the bottom-left of the screen (the “Cookie Settings” panel), and also from the panel available in the footer of the Service.
Retention. “Session” cookies are deleted when the browser is closed; “persistent” cookies remain on the device until their expiry or manual deletion. Specific periods (e.g., 1 day, 30 days, 6 months) are shown in the cookies panel.
The scope and list of vendors may change as the Service and marketing campaigns evolve. We always present the up-to-date list—together with exact retention periods and purposes—in the Service, where you can also check whether a given vendor processes data outside the EEA and on what legal basis.
Opt-out and alternatives. You may delete cookies in your browser at any time or block their storage (browser publishers provide instructions). Please note that restricting necessary cookies may prevent logging in, purchasing or saving a basket. We honour “Do Not Track” to the extent permitted by the technologies and vendors we use.
Profiling and cookies. Tailoring content and ads may involve marketing profiling, but it does not produce legal effects concerning you or similarly significantly affect you. You may object to profiling via the e-mail address provided in this Policy and within the Service. If we apply personalised prices within the meaning of the Omnibus Directive, we will always inform you directly at the point of price display.
EXERCISING YOUR RIGHTS
Under the GDPR you have the following rights across the EU/EEA in relation to your personal data: to request access (including confirmation whether we process data and access to their content), rectification of inaccurate or completion of incomplete data, erasure (“right to be forgotten”) in cases provided by law, restriction of processing, and data portability to another controller or to you—where processing is based on consent or on a contract and carried out by automated means. You also have the right to object to processing based on our legitimate interests—in particular to direct marketing and related profiling; once such an objection is made, we will no longer conduct that marketing.
Where processing is based on consent, you may withdraw it at any time—without affecting the lawfulness of processing carried out before withdrawal. Marketing consents and preferences for non-essential cookies can be changed in your account settings, via the unsubscribe link in a message, in the Cookies settings panel on the website, or by contacting us.
To exercise your rights, please contact us by e-mail at the address indicated in this Policy or by post at the Controller’s address set out above. To protect privacy and security, we may ask you to verify your identity or clarify your request (e.g., scope, system or period). We respond without undue delay and no later than one month from receipt of the request; where necessary, this period may be extended by up to two further months due to complexity or number of requests—in which case we will inform you of the reasons and the expected response time.
Independently of the above, you have the right to lodge a complaint with the supervisory authority competent for data protection in your habitual residence, place of work or place of the alleged infringement. In Poland, the supervisory authority is the President of the Personal Data Protection Office (UODO). If you live in another EU/EEA country, you may lodge a complaint with your local authority. A directory of authorities with contact details is publicly available on the European Data Protection Board’s website. Exercising the right to complain does not preclude seeking judicial remedies.
If we were to take automated decisions producing legal effects concerning you or similarly significantly affecting you (as a rule, we do not take such decisions), you would have the right to obtain human intervention, to express your point of view and to contest the decision. Moreover, where we apply personalised pricing within the meaning of the Omnibus Directive, we will clearly inform you at the point of price display and honour your right to object to such marketing profiling. When exercising your rights, please indicate which right you wish to exercise, which data your request concerns, and your preferred method of communication.
INFORMATION SECURITY
We use TLS encryption, access controls and data minimisation, and we work with providers that meet recognised security standards (including SCA/3-D Secure requirements on the side of payment operators). We maintain backups and apply incident-response procedures.
UPDATING THIS PRIVACY POLICY
If technologies, laws or the scope of our services change, we will update this Policy and, where required by law, provide prior notice of material changes. The most current version is always available on the Service and as a downloadable PDF.
This Privacy Policy is effective as of 31 October 2025.