Skip to content

🚧 TEST STOREwe're building this shop in the open! For real orders visit www.alohafungi.pl

Privacy Policy

§ 1. General provisions

The administrator of the website https://alohafungi.com is Aloha Wealth and Wellness Spółka z ograniczoną odpowiedzialnością, with its registered office in Warsaw, ul. Solec 81B/73A, 00-382 Warszawa, KRS 0000677233, NIP 7010688450, REGON 367259274.

This policy contains information about the processing of personal data while using the store and about the use of cookies. It is informational in nature and does not constitute a contract or terms of service.

Terms beginning with a capital letter should be understood in accordance with the definitions set out in the store terms of service. Detailed information about the processing of specific data is provided when it is collected, in the relevant privacy notices.

The data controller takes measures ensuring appropriate security safeguards through the entities it cooperates with and conducts a risk analysis so that data is processed securely, with access granted only to authorized persons.

§ 2. Data controller and contact details

The controller of the data collected by the online store, including from cookies and online activity, as well as through communication channels, is Aloha Wealth and Wellness Spółka z ograniczoną odpowiedzialnością, ul. Solec 81B/73A, 00-382 Warszawa, KRS 0000677233, NIP 7010688450, REGON 367259274.

Contact for data protection matters: aloha@alohafungi.com.

§ 3. What personal data is processed by the data controller

Personal data is information that allows the direct or indirect identification of a natural person, including: IP address, first and last name, address, email, phone number.

The data controller processes the data of:

  • store users and account holders;
  • customers;
  • business partners;
  • newsletter subscribers;
  • persons who consent to marketing communication;
  • persons who contact us through various channels, including Instagram and Facebook.

Data from social media channels (Facebook, Instagram) is processed in accordance with their regulations, available on the pages of those services. The data controller has no influence over the content of those regulations.

§ 4. Scope, purpose, legal basis, and retention period of the data collected

Purposes and legal bases of processing:

  • Delivering and displaying content. Data: IP address, cookies.
    • Legal basis: Article 6(1)(f) GDPR (the legitimate interest of the data controller).
  • Providing the account service. Data: email, password, IP address, cookies, first name, last name.
    • Legal basis: Article 6(1)(b) GDPR.
    • Period: for the duration of providing the service.
  • Concluding a contract. Data: IP address, cookies, email, first and last name, address (street, house number, postal code, country), invoice details, payment details, phone number.
    • Legal basis: Article 6(1)(b) GDPR.
    • Period: 6 years.
  • Transactional order notifications in the channel selected by the customer, including WhatsApp. Data: customer identifier, WhatsApp channel identifier, order number, order status, and shipment status.
    • Legal basis: Article 6(1)(b) GDPR (performance of a contract).
    • The channel can be turned off in the account panel.
  • Fulfilling obligations as a seller. Data: first name, last name, order and payment data, email, phone, address, bank account number, NIP, PESEL.
    • Legal basis: Article 6(1)(c) GDPR (tax obligations).
    • Period: 5 years from the end of the calendar year in which the payment deadline fell.
  • Sending the newsletter and commercial information. Data: email, phone, order data, first name, last name, address, IP, cookies.
    • Legal basis: Article 6(1)(a) GDPR (consent).
    • Period: 5 years.
  • Statistical and analytical purposes, adapting the site to preferences.
    • Legal basis: Article 6(1)(a) GDPR (consent).
    • Period: up to 12 months.
  • Pursuing the legitimate interest of the controller (Article 6(1)(f) GDPR):
    • handling complaints;
    • running and securing the store, analysis of abuse;
    • preparing personalized advertisements and offers;
    • establishing, defending, and pursuing claims;
    • archiving data;
    • period: 6 years.

User activity recorded in system logs (a chronological record of events) is processed on the basis of legitimate interest for a period of up to 12 months for service, technical, analytical, statistical, and system security purposes.

After the retention period expires, the data will be deleted or anonymized.

Health data · Your Ritual (Article 9 GDPR)

Category and legal basis

Your Ritual may store health data within the meaning of Article 9 GDPR if you give separate consent in your account panel. This consists of sleep/energy/calm ratings (1 to 5), the entry date, and the date and version of the consent. Purpose: a personal wellbeing journal visible only to you. The data is not used for aggregate analytics, inference, or medical claims. The legal basis is Article 9(2)(a) GDPR, that is, explicit consent. Minimization: we store a maximum of 30 entries, and older entries are deleted.

Withdrawal of consent

You can withdraw consent in your account panel by setting the Ritual toggle to OFF. Withdrawal of consent deletes all Ritual entries from the database without contacting the data controller. When the account is deleted, all Ritual data is removed automatically.

Security and access

Ritual data is stored in customer.metadata in a PostgreSQL database encrypted at rest. Only the logged-in account owner has access, through a private account path. The data is linked to a customer identifier, so this is pseudonymization in the system, not anonymization.

§ 5. Data recipients

Data is transferred only when it is necessary to achieve a given purpose, and only to the extent necessary.

Your data may be transferred to the following categories of recipients:

  • IT providers: Vercel Inc. (USA, hosting), Neon Inc. (USA, database, with SCC);
  • Analytics and monitoring tools: PostHog, Inc. (analytics, instance in the EU), Functional Software, Inc. / Sentry (error monitoring), Vercel, Inc. (cookieless analytics);
  • Payment operators: Montonio UAB (Lithuania), Stripe Payments Europe (Ireland), PayPro SA (Poland);
  • Shipping operator: InPost sp. z o.o.;
  • Invoicing operator: Fakturownia.pl;
  • Transactional email operator: Resend, Inc. (USA, with SCC);
  • WhatsApp notification operator: Meta Platforms Ireland Limited as processor for transactional order messages;
  • Marketing agencies (if activated): Meta Platforms Ireland Limited, Google Ireland Limited;
  • Providers of accounting, legal, and advisory services;
  • Public authorities to the extent required by law.

§ 6. Transfer of data outside the EEA

The transfer of data outside the European Economic Area takes place only on the terms set out in Articles 46, 47, or 49 GDPR, ensuring an adequate level of protection through:

  • cooperation with entities in countries covered by a European Commission adequacy decision;
  • the European Commission's standard contractual clauses (SCC);
  • binding corporate rules approved by a supervisory authority.

The data controller provides information about its intention to transfer data outside the EEA at the stage of collecting it.

§ 7. Profiling of personal data

Data is processed in an automated manner for the purposes of ordinary profiling (adapting messages and banners to interests) in order to better tailor marketing communications about the products and services of the data controller and related entities.

For this purpose, the following are used: visit frequency, order data, activity in sales channels, IP address, cookies, purchasing methods, interest in the offer or newsletter, and sociodemographic data (gender, age, location).

Information from profiling is intended to form the basis for analyzing customer expectations and the direction of activities, without significantly affecting the customer's decisions.

§ 8. Voluntary provision of personal data

Providing data is voluntary but necessary to achieve the processing purposes set out in § 4. The data controller will not be able to achieve these purposes without the provision of personal data.

§ 9. Data subject rights related to the protection of personal data

Correspondence regarding the exercise of rights should be directed to the address indicated in § 2.

Every data subject has the right to:

  • access to the content of the data and a copy of it;
  • rectification;
  • erasure (the right to be forgotten);
  • restriction of processing;
  • data portability to another controller (where processing is based on a contract, Article 6(1)(b), or on consent, Article 6(1)(a));
  • object to processing, in particular direct marketing based on Article 6(1)(f);
  • withdraw consent at any time (without affecting processing carried out before the withdrawal);
  • lodge a complaint with the President of the Personal Data Protection Office.

If you suspect a violation of your rights, you can file a complaint with: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa, kancelaria@uodo.gov.pl.

§ 10. Cookies and similar technology

The store uses cookies and similar technologies. A detailed description of the cookie categories, the legal bases for their use, the retention periods, and how to manage consents can be found in our Cookie Policy.

Obtaining and storing information from cookies other than those that are necessary is possible only on the basis of consent given by the user in the cookie banner. The setting selected during the first visit is saved and can be changed at any time.

§ 11. Analytics and marketing tools

PostHog (product analytics)

The PostHog analytics tool (PostHog, Inc.; data processed in an instance in the European Union). It helps us understand how Users use the store (statistics, funnels, events) in order to improve it. It works after consent to analytics cookies has been given. Privacy policy: https://posthog.com/privacy.

Vercel Analytics

Performance and traffic measurement provided by Vercel, Inc. It works in cookieless mode, meaning it does not store cookies that identify the User.

Sentry (error monitoring)

A tool for detecting and diagnosing technical errors (Functional Software, Inc. / Sentry). It serves solely to improve the stability and security of the store; personal data is minimized and redacted. Privacy policy: https://sentry.io/privacy/.

§ 12. Changes to the privacy policy

The policy is periodically reviewed and updated. In the event of an update, the user is notified by a notice displayed on the site or by email.

A user who does not accept the terms after a newer version comes into effect may stop using the store.

Last updated: 26-06-2026