Aloha Fungi B2B

Version 1.0 · in force from 25 May 2026

1. Introduction

This privacy policy (hereinafter: the "Policy") describes the rules of personal data processing in connection with the activities conducted by ALOHA WEALTH AND WELLNESS Sp. z o.o. in the B2B segment - i.e. the sale of raw materials (extracts and powders from functional mushrooms and plants), made-to-order products (private label), cooperation with distributors, trade partners and suppliers.

The Policy fulfils the information obligation arising from Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter: "GDPR" or "RODO").

⚠️ The scope of this Policy is limited to B2B activities. The processing of consumer data (buyers in the online store alohafungi.pl) and the data of TCM consultation clients, including health data within the meaning of Article 9(1) GDPR, is governed by separate privacy policies published by the Data Controller separately.

2. Data Controller

The controller of your personal data within the meaning of Article 4(7) GDPR is:

ALOHA WEALTH AND WELLNESS Sp. z o.o.
ul. Solec 81B/73A, 00-382 Warsaw, Poland
KRS: 0000677233, NIP: 7010688450, REGON: 367259274
EORI Number: PL701068845000000
District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register

(hereinafter: the "Data Controller", "Aloha" or "we")

In all matters related to the processing of personal data, including for the purpose of exercising the rights provided under GDPR (Chapter 8 of the Policy), you may contact the Data Controller:

e-mail: rodo@alohafungi.pl (recommended - the fastest path to a response)
by post: to the registered office address indicated above, with the annotation "Personal Data"

Data Protection Officer (DPO): The Data Controller is not obliged to appoint a Data Protection Officer under Article 37(1) GDPR. For matters related to personal data protection, please contact us at rodo@alohafungi.pl.

3. Definitions

For the purposes of the Policy, the following terms have the meanings indicated below:

Term	Meaning
Personal data	any information relating to an identified or identifiable natural person (Article 4(1) GDPR)
Counterparty	an entrepreneur being a party to an agreement or commercial negotiations with the Data Controller in the B2B segment
Counterparty's Representative	a natural person acting on behalf of the Counterparty - a board member, attorney, employee, contact person
PKE	Act of 12 July 2024 - Electronic Communications Law (Journal of Laws 2024 item 1221) (Ustawa Prawo komunikacji elektronicznej)

4. Categories of data subjects whose data we process

As part of its B2B activities, the Data Controller processes personal data of the following categories of persons:

Counterparties' Representatives - persons designated for contact, board members, attorneys, employees of Counterparties;
Counterparties who are natural persons conducting business activity (sole proprietors) - to the extent that their company data simultaneously constitutes their personal data;
Subscribers to B2B marketing communications (newsletter, product materials);
Persons contacting us via the contact form, e-mail or telephone on commercial matters;
Website users - to the extent of data collected automatically (cookies, server logs).

5. Purposes and legal bases of processing

The table below sets out in detail the purposes, legal bases and retention periods of personal data. It constitutes the fulfilment of the information obligation under Article 13(1)(c) and (d) and (2)(a) GDPR.

5.1. Conclusion and performance of a B2B agreement

Element	Description
Purpose	Conclusion and performance of an agreement with a Counterparty (sale of raw materials, private label production, distribution) - including the receipt of orders, issuance of confirmations, organisation of delivery, handling of complaints
Categories of data	first name, surname, business e-mail address, business phone number, job title, company, registered office/delivery address, NIP, KRS, bank account numbers (to the extent necessary for settlements)
Legal basis	Article 6(1)(b) GDPR - processing necessary for the performance of an agreement or for taking steps prior to its conclusion - where the Counterparty is a natural person (e.g. sole proprietor); Article 6(1)(f) GDPR - legitimate interest of the Data Controller consisting in performing the agreement with a legal person and contacting its Representatives - where the Counterparty is a company or organisational unit
Retention period	for the duration of the agreement and for 6 years after its termination - the period corresponding to the limitation period for claims arising from commercial agreements (Article 118 of the Civil Code - 6 years for claims related to the conduct of business activity, counted to the end of the calendar year)

5.2. Issuance and storage of invoices and bookkeeping

Element	Description
Purpose	Issuance and storage of VAT invoices, keeping accounting books, tax records
Categories of data	identification data of the Counterparty (company, address, NIP), data of the Representative indicated on the invoice, bank account numbers
Legal basis	Article 6(1)(c) GDPR - legal obligation incumbent on the Data Controller, arising in particular from: the Act of 29 September 1994 on Accounting (Ustawa o rachunkowości), the Act of 11 March 2004 on the Tax on Goods and Services (Ustawa o podatku od towarów i usług), the Act of 29 August 1997 - Tax Ordinance (Ordynacja podatkowa), the Act of 15 February 1992 on Corporate Income Tax (Ustawa o podatku dochodowym od osób prawnych)
Retention period	5 years counted from the end of the calendar year in which the tax payment deadline expired (Article 86 § 1 of the Tax Ordinance and Article 74(2) of the Accounting Act); in the case of invoices relating to real estate - 10 years

5.3. Commercial communication and handling of enquiries

Element	Description
Purpose	Responses to enquiries submitted via the contact form, e-mail or telephone; conducting commercial correspondence, including the preparation of offers
Categories of data	first name, surname, e-mail, phone, job title, company, content of correspondence
Legal basis	Article 6(1)(f) GDPR - legitimate interest of the Data Controller consisting in handling the enquiry and conducting commercial communication
Retention period	for the period necessary to handle the enquiry, and in the case of correspondence leading to the conclusion of an agreement - for the period relevant to point 5.1; in other cases for a maximum of 24 months from the last contact

5.4. Marketing of own products and services (B2B)

Element	Description
Purpose	Sending the B2B newsletter, product materials, invitations to trade fairs/webinars, partner satisfaction surveys
Categories of data	first name, business e-mail, company, job title, interaction history (opens, clicks)
Legal basis	Article 6(1)(f) GDPR - legitimate interest of the Data Controller consisting in direct marketing of own products (recital 47 of the GDPR preamble), carried out in compliance with the obligations arising from Article 398 PKE (consent to use telecommunications terminal equipment - e-mail, telephone - for direct marketing purposes); this consent is collected together with newsletter subscription or earlier
Objection	the data subject has the right at any time to lodge an unconditional objection to direct marketing (Article 21(2)-(3) GDPR) - the unsubscribe link is included in the footer of every marketing message
Retention period	until withdrawal of consent to electronic communications (Article 398 PKE) or filing of an objection to marketing (Article 21(2) GDPR) - whichever comes first

5.5. Pursuit and defence against claims

Element	Description
Purpose	Establishment, pursuit or defence of claims arising from commercial agreements, consumer disputes, inspection proceedings
Categories of data	all categories of data previously processed for other purposes - to the extent necessary to conduct the case
Legal basis	Article 6(1)(f) GDPR - legitimate interest of the Data Controller consisting in pursuing and defending against claims
Retention period	for the limitation period for claims (generally 6 years pursuant to Article 118 of the Civil Code, counted to the end of the calendar year) and for the duration of proceedings - judicial, administrative, mediation - until their final conclusion

5.6. Ensuring the security and proper operation of the website

Element	Description
Purpose	Ensuring cybersecurity of the B2B section of the website, detecting abuse, maintaining access logs
Categories of data	IP address, browser identifier, timestamps, device type, operating system
Legal basis	Article 6(1)(f) GDPR - legitimate interest of the Data Controller consisting in ensuring network and information security (recital 49 of the GDPR preamble)
Retention period	server logs - maximum 12 months from the date of event registration

5.7. Analytics and improvement of website quality

Element	Description
Purpose	Analysis of website traffic, optimisation of content, measurement of marketing campaign effectiveness
Categories of data	analytical data (most often in pseudonymised form): cookie identifier, traffic source, navigation path, country/city (at regional level), device
Legal basis	consent - Article 6(1)(a) GDPR and Article 398 PKE for the storage and reading of information on the terminal device (analytical and marketing cookies)
Retention period	in accordance with the lifespan of individual cookies - see Chapter 11 of the Policy

6. Sources of data

We obtain personal data:

Directly from the data subject - in the contact form, in e-mail correspondence, during a phone call, during a business meeting, at trade fairs or industry conferences;
From the Counterparty - in relation to data of its Representatives - in such a case the Data Controller fulfils the information obligation in accordance with Article 14 GDPR, in particular by making this Policy available for inspection to the data subjects.

7. Data recipients

Personal data may be disclosed to the following categories of recipients - solely to the extent and for the purpose to which it is necessary:

7.1. Processors (data processors) - Article 28 GDPR

The Data Controller's B2B website is informational in nature - it is not a transactional platform, it does not allow online ordering or payment processing. As a result, the catalogue of processors is limited to entities providing the website's technical infrastructure and statistical measurement:

Category of processor	Purpose of entrustment	Provider	Country
Tag management service provider	technical embedding and management of measurement and marketing scripts on the website	Google Ireland Limited (Google Tag Manager)	Ireland / EEA, possible access from the USA
Web analytics service provider	measurement of website traffic, analysis of user behaviour, optimisation of content	Google Ireland Limited (Google Analytics 4)	Ireland / EEA, possible access from the USA
Website hosting provider	maintenance of the server infrastructure on which the website operates	home.pl S.A. (with registered office in Szczecin, Poland)	Poland / EEA

Note: Google Ireland Limited acts in relation to data collected by GTM and GA4 as a processor on the basis of Google's standard data processing terms. To the extent that Google transfers data to its parent company Google LLC in the United States, the transfer is carried out on the basis of Google LLC's certification under the EU-U.S. Data Privacy Framework and, in addition, the Standard Contractual Clauses (see Chapter 8 of the Policy).

Notwithstanding the above - beyond the website layer - the Data Controller uses in its business activity the services of an accounting office (bookkeeping and tax records) and an e-mail service operator (handling of commercial correspondence and correspondence directed to rodo@alohafungi.pl). These entities process data exclusively on the basis of concluded data processing entrustment agreements (Article 28 GDPR). The Data Controller makes the current list of these processors available upon request sent to rodo@alohafungi.pl.

7.2. Independent controllers

Independent data controllers include, in particular:

public authorities - entitled to receive data under provisions of law (e.g. tax offices, ZUS (Polish Social Insurance Institution), GIS (Polish Chief Sanitary Inspectorate), UOKiK (Polish Office of Competition and Consumer Protection), courts, law enforcement authorities) - to the extent arising from regulations;
postal operators - to the extent that they act as separate controllers of the address data of the sender and recipient of correspondence.

7.3. Minimisation principle

Each disclosure of data is carried out to the minimum extent necessary to achieve the purpose (Article 5(1)(c) GDPR - data minimisation principle).

8. Data transfer outside the European Economic Area (EEA)

Providers of analytical tools (Google) may process data outside the European Economic Area, in particular in the United States. The transfer takes place on the basis of mechanisms provided for in Chapter V GDPR:

EU-U.S. Data Privacy Framework (DPF) - European Commission Decision (EU) 2023/1795, in relation to entities certified in the USA;
Standard Contractual Clauses (SCC) - European Commission Decision (EU) 2021/914 - in addition.

Upon request sent to rodo@alohafungi.pl, we provide information on the mechanism applied to a specific processor.

9. Rights of data subjects

Under GDPR you have the following rights:

Right of access to data (Article 15 GDPR) - to obtain information whether and how we process your data and to obtain a copy of such data;
Right to rectification (Article 16 GDPR) - to request correction of inaccurate data or completion of incomplete data;
Right to erasure - the "right to be forgotten" (Article 17 GDPR) - in cases provided for by the regulation;
Right to restrict processing (Article 18 GDPR);
Right to data portability (Article 20 GDPR) - in relation to data processed on the basis of consent or agreement and by automated means;
Right to object (Article 21 GDPR):
- unconditionally - against processing for direct marketing purposes (Article 21(2)-(3) GDPR),
- with justification based on a particular situation - against processing based on Article 6(1)(f) GDPR (legitimate interest of the Data Controller);
Right to withdraw consent (Article 7(3) GDPR) - at any time, without affecting the lawfulness of processing carried out before its withdrawal;
Right not to be subject to a decision based solely on automated processing (Article 22 GDPR) - see Chapter 10 of the Policy;
Right to lodge a complaint with a supervisory authority:

President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych)
ul. Stawki 2, 00-193 Warsaw, Poland
https://uodo.gov.pl

The right to lodge a complaint is available without prejudice to other administrative or judicial remedies.

Exercise of rights - deadline and form

To exercise any of the above rights, please contact rodo@alohafungi.pl. We will respond without undue delay, no later than 1 month after receipt of the request. In the event of a complex nature of the request or the number of requests, the deadline may be extended by a further 2 months, of which we will inform you within one month of receipt of the request (Article 12(3) GDPR).

In the event of reasonable doubts as to the identity of the person submitting the request, we may ask for additional information necessary to confirm identity (Article 12(6) GDPR).

10. Automated decision-making and profiling

The Data Controller does not make decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you (Article 22 GDPR).

11. Cookies and similar technologies

11.1. Legal basis

Cookies and similar technologies (e.g. local storage, tags, pixels) are used by the Data Controller on the basis of:

Article 6(1)(f) GDPR (legitimate interest - for technically necessary cookies);
Article 6(1)(a) GDPR and Article 398(1) PKE (consent - for analytical, marketing, functional cookies other than technically necessary).

Consent is collected before cookies are stored on the terminal device, in the form of an active action by the user ("active consent") - clicking the appropriate button on the cookie banner. Inaction, continued browsing, closing the banner or "pre-ticked" boxes do not constitute consent within the meaning of GDPR and EDPB Guidelines 5/2020.

The user has the option at any time to manage consents in the cookie panel available on the website (the "Cookie Settings" link in the website footer) and to change browser settings.

11.2. Categories of cookies

Category	Purpose	Basis	Requires consent?
Necessary	Ensuring basic website functionality (session, language preferences, cookie banner mechanism)	Article 6(1)(f) GDPR, Article 398(4)(1) and (2) PKE	no
Functional	Remembering user preferences (e.g. delivery region, recently viewed products)	consent - Article 6(1)(a) GDPR, Article 398 PKE	yes
Analytical / statistical	Measuring website traffic, analysing behaviour to improve content (e.g. Google Analytics 4)	consent - Article 6(1)(a) GDPR, Article 398 PKE	yes
Marketing / advertising	Personalising advertising content, remarketing, measuring campaign effectiveness (e.g. Meta Pixel, LinkedIn Insight Tag, Google Ads)	consent - Article 6(1)(a) GDPR, Article 398 PKE	yes

11.3. Detailed cookie list

The full list of cookies used on the website - together with the name, provider, purpose and lifespan - is available in the cookie panel accessible from the website (the "Cookie Settings" link in the footer). Each user can also independently manage cookies in their browser settings. Disabling necessary cookies may cause some website functions to stop working correctly.

12. Data security

The Data Controller applies technical and organisational measures appropriate to the risk, in accordance with Article 32 GDPR, in particular:

encryption of transmission (TLS/HTTPS) in communication with the website;
access control - only authorised persons have access to the data;
data processing entrustment agreements (Article 28 GDPR) with each processor;
breach notification procedure - in the event of a breach that may result in a risk to natural persons, notification to the President of UODO within 72 hours (Article 33 GDPR).

13. Policy updates

This Policy may be periodically updated - in particular in the event of changes in the law, the introduction of new data processing tools or to improve the transparency of communication.

Each material change will be announced on the Data Controller's website together with the assignment of a new version number and effective date. Previous versions of the Policy are available upon request sent to rodo@alohafungi.pl.

Change history

Version	Effective date	Scope of changes
1.0	25.05.2026	Initial version - replaces previous rules of processing in the B2B segment

14. Contact

For all matters concerning the Policy and the processing of personal data, please contact us:

ALOHA WEALTH AND WELLNESS Sp. z o.o.
ul. Solec 81B/73A, 00-382 Warsaw, Poland
e-mail: rodo@alohafungi.pl

www: https://alohafungi.pl

This Privacy Policy was drawn up in the Polish language version. If a translation is provided, the Polish version shall prevail in case of any discrepancy.