TABLE OF CONTENTS

GENERAL PROVISIONS
BASIS FOR DATA PROCESSING
PURPOSE, LEGAL BASIS AND PERIOD OF DATA PROCESSING IN THE ONLINE STORE
RECIPIENTS OF DATA IN THE ONLINE STORE
PROFILING IN THE ONLINE STORE
RIGHTS OF THE DATA SUBJECT
COOKIES IN THE ONLINE STORE AND ANALYTICS
FINAL PROVISIONS


1. GENERAL PROVISIONS

1.1. This Privacy Policy of the Online Store is for informational purposes only, which means it is not a source of obligations for Users or Clients of the Online Store. The Privacy Policy primarily contains rules regarding the processing of personal data by the Controller in the Online Store, including the basis, purposes and period of personal data processing as well as the rights of the data subjects, and information about the use of Cookies and analytical tools in the Online Store.

1.2. The controller of personal data collected via the Online Store is DI_SHOP Limited Liability Company, with its registered office in Wrocław (registered office and correspondence address: ul. Św. Jerzego 1A, 50-518 Wrocław); entered in the Register of Entrepreneurs of the National Court Register under KRS number: 0000949182; registry court storing the company’s documentation: District Court for Wrocław-Fabryczna in Wrocław, 6th Commercial Division of the National Court Register; share capital: PLN 5,000; NIP: 8992916455; REGON: 521096577; e-mail address: [email protected], contact phone number: +48 504 537 566 – hereinafter referred to as the “Controller,” also acting as the Service Provider of the Online Store and the Seller.

1.3. Personal data in the Online Store are processed by the Controller in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR” or the “GDPR Regulation.” Official text of the GDPR: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679

1.4. Use of the Online Store, including making purchases, is voluntary. Likewise, the provision of personal data by a User or Client of the Online Store is voluntary, with two exceptions:
(1) entering into agreements with the Controller – failure to provide personal data required as indicated on the Online Store website, in the Store Terms and Conditions and in this Privacy Policy, necessary for concluding and performing a Sales Agreement or an Electronic Services Agreement with the Controller, will result in the inability to conclude such an agreement. Providing personal data in such a case is a contractual requirement, and if the data subject wishes to conclude a given agreement with the Controller, they are obliged to provide the required data. The scope of data required to conclude the agreement is always specified in advance on the Online Store website and in the Store Terms and Conditions;
(2) statutory obligations of the Controller – providing personal data is a statutory requirement resulting from generally applicable law obliging the Controller to process personal data (e.g., for bookkeeping or accounting purposes), and failure to provide them will prevent the Controller from fulfilling these obligations.

1.5. The Controller exercises particular care to protect the interests of the data subjects, and in particular is responsible for ensuring that the data collected are: (1) processed lawfully; (2) collected for specified, lawful purposes and not further processed in a way incompatible with those purposes; (3) factually correct and adequate in relation to the purposes for which they are processed; (4) stored in a form allowing the identification of data subjects no longer than necessary to achieve the purpose of processing; and (5) processed in a manner ensuring adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.

1.6. Considering the nature, scope, context and purposes of processing and the risks of varying likelihood and severity for the rights or freedoms of natural persons, the Controller implements appropriate technical and organizational measures to ensure that processing complies with this Regulation and to be able to demonstrate such compliance. These measures are reviewed and updated where necessary. The Controller applies technical safeguards preventing unauthorized access to and modification of personal data transmitted electronically.

1.7. Any terms, expressions, and acronyms appearing in this Privacy Policy and beginning with a capital letter (e.g., Seller, Online Store, Electronic Service) shall be understood in accordance with their definition contained in the Terms and Conditions of the Online Store available on the Online Store website.


2. BASIS FOR DATA PROCESSING

2.1. The Controller is entitled to process personal data when – and to the extent that – at least one of the following conditions is met: (1) the data subject has given consent to the processing of their personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Controller is subject; or (4) processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular when the data subject is a child.

2.2. Processing of personal data by the Controller always requires at least one of the legal bases indicated in point 2.1 of this Privacy Policy. The specific basis for processing the personal data of Users and Clients of the Online Store by the Controller is indicated in the next section of this Privacy Policy – with regard to the specific purpose of personal data processing by the Controller.

3. PURPOSE, LEGAL BASIS AND PERIOD OF DATA PROCESSING IN THE ONLINE STORE

3.1. The purpose, legal basis, period, and recipients of personal data processed by the Controller always depend on the actions undertaken by the given Service Recipient or Client in the Online Store or by the Controller. For example, if a Client decides to make a purchase in the Online Store and chooses personal pickup of the purchased Product instead of courier delivery, their personal data will be processed for the purpose of performing the concluded Sales Agreement, but will not be provided to the carrier executing shipments on behalf of the Controller.

3.2. The Controller may process personal data in the Online Store for the following purposes, on the following legal bases, and for the following periods:

Purpose of Data Processing: Performance of a Sales Agreement or Electronic Services Agreement, or taking steps at the request of the data subject prior to entering into such agreements
Legal Basis: Article 6(1)(b) GDPR (performance of a contract) – processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract
Storage Period: Data are stored for the period necessary to perform, terminate, or otherwise expire the Sales Agreement or Electronic Services Agreement.

Purpose of Data Processing: Direct marketing
Legal Basis: Article 6(1)(f) GDPR (legitimate interests of the controller) – the processing is necessary for purposes arising from the legitimate interests of the Controller, consisting of taking care of the interests and good image of the Controller, the Online Store, and striving to sell Products
Storage Period: Data are stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims of the Controller against the data subject in connection with the Controller’s business activity. The limitation period is defined by law, in particular the Civil Code (basic limitation period for claims related to business activity is three years, and for a Sales Agreement – two years). The Controller may not process data for direct marketing purposes if an effective objection is raised by the data subject.

Purpose of Data Processing: Marketing
Legal Basis: Article 6(1)(a) GDPR (consent) – the data subject has given consent to the processing of their personal data for marketing purposes by the Controller
Storage Period: Data are stored until consent is withdrawn by the data subject.

Purpose of Data Processing: Providing feedback on the concluded Sales Agreement
Legal Basis: Article 6(1)(a) GDPR (consent) – the data subject has given consent to the processing of their personal data for the purpose of giving feedback
Storage Period: Data are stored until consent is withdrawn by the data subject.

Purpose of Data Processing: Keeping accounting records
Legal Basis: Article 6(1)(c) GDPR in connection with Article 74(2) of the Accounting Act of 30 January 2018 (Journal of Laws 2018, item 395, as amended) – processing is necessary for compliance with a legal obligation to which the Controller is subject
Storage Period: Data are stored for the period required by law, obliging the Controller to retain accounting books (5 years, counting from the beginning of the year following the financial year to which the data relate).

Purpose of Data Processing: Establishing, pursuing or defending claims by or against the Controller
Legal Basis: Article 6(1)(f) GDPR (legitimate interests of the controller) – the processing is necessary for purposes arising from the legitimate interests of the Controller, consisting of establishing, pursuing or defending claims
Storage Period: Data are stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims against the Controller (basic limitation period is six years).

Purpose of Data Processing: Use of the Online Store website and ensuring its proper functioning
Legal Basis: Article 6(1)(f) GDPR (legitimate interests of the controller) – the processing is necessary for purposes arising from the legitimate interests of the Controller, consisting of running and maintaining the Online Store website
Storage Period: Data are stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims of the Controller against the data subject.

Purpose of Data Processing: Statistics and analysis of traffic in the Online Store
Legal Basis: Article 6(1)(f) GDPR (legitimate interests of the controller) – the processing is necessary for purposes arising from the legitimate interests of the Controller, consisting of statistics and analysis of Online Store traffic to improve its functioning and increase sales
Storage Period: Data are stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims of the Controller against the data subject.

4. RECIPIENTS OF DATA IN THE ONLINE STORE

4.1. For the proper functioning of the Online Store, including execution of concluded Sales Agreements, the Controller must use the services of external entities (e.g. software providers, couriers, or payment operators). The Controller only uses processors that provide sufficient guarantees of implementing appropriate technical and organizational measures so that processing meets the requirements of GDPR and protects the rights of data subjects.

4.2. Personal data may be transferred by the Controller to a third country, but only if the country ensures an adequate level of protection – consistent with GDPR – or, in the case of other countries, if the transfer is based on standard data protection clauses. The Controller ensures that the data subject can obtain a copy of their data. Personal data are transferred only if and to the extent necessary to achieve the processing purpose consistent with this Privacy Policy.

4.3. Data transfers by the Controller do not occur in every case and not to all recipients or categories of recipients indicated in this Privacy Policy – the Controller transfers data only when it is necessary for achieving the given purpose of processing and only to the extent required. For example, if a Client chooses personal pickup, their data will not be transferred to a carrier cooperating with the Controller.

4.4. Personal data of Service Recipients and Clients of the Online Store may be transferred to the following recipients or categories of recipients:

  • Carriers / freight forwarders / courier brokers / warehouse and/or shipping service providers – for Clients using shipping, data are shared with the chosen carrier, forwarder, or intermediary, and if shipping is from an external warehouse – with the warehouse/shipping operator.

  • Payment operators – for Clients using electronic or card payments, data are shared with the chosen operator.

  • Survey system providers – for Clients who consent to provide feedback, data are shared with the provider of the opinion survey system.

  • Technical, IT, and organizational solution providers – e.g. Online Store software providers, email/hosting providers, company management software, technical support.

  • Accounting, legal, and consulting service providers – e.g. accounting office, law firm, debt collection company.

  • Social plugin providers – e.g. Meta Platforms Ireland Ltd. (Facebook “Like”, “Share”, login plugins). When using such plugins, data about activities on the Online Store site (device info, visited sites, purchases, ads viewed, usage data) may be collected and shared with Meta, regardless of whether the user has a Facebook account or is logged in. Privacy rules: https://www.facebook.com/about/privacy/


5. PROFILING IN THE ONLINE STORE

5.1. GDPR requires the Controller to inform about automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR, and – at least in such cases – relevant information about the rules for such processing, as well as the significance and envisaged consequences for the data subject.

5.2. The Controller may use profiling in the Online Store for direct marketing purposes, but decisions based on it do not concern entering into or refusing a Sales Agreement, nor access to Electronic Services. Profiling may result, for example, in granting a discount, sending a discount code, reminding about abandoned purchases, sending product suggestions, or offering better conditions. The data subject remains free to decide whether to use the offer.

5.3. Profiling in the Online Store consists of automated analysis or prediction of a person’s behavior on the website (e.g. adding products to the cart, browsing product pages, analyzing purchase history). Profiling requires that the Controller has personal data of the person, in order to later send, for example, a discount code.

5.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.


6. RIGHTS OF THE DATA SUBJECT

6.1. Right of access, rectification, restriction, erasure, or portability – the data subject has the right to request access to their data, rectification, erasure (“right to be forgotten”), restriction of processing, objection to processing, and portability of their data. Details are set out in Articles 15–21 GDPR.

6.2. Right to withdraw consent at any time – if processing is based on consent (Art. 6(1)(a) or Art. 9(2)(a) GDPR), the data subject may withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

6.3. Right to lodge a complaint with a supervisory authority – the data subject may lodge a complaint in the manner specified by GDPR and Polish law, in particular the Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.

6.4. Right to object – the data subject may object at any time, on grounds relating to their particular situation, to processing based on Art. 6(1)(e) or (f) GDPR (public interest or legitimate interest of the controller), including profiling. The Controller may then no longer process such data unless they demonstrate compelling legitimate grounds overriding the interests, rights, and freedoms of the data subject, or for the establishment, exercise or defense of claims.

6.5. Right to object to direct marketing – if data are processed for direct marketing, the data subject has the right to object at any time, including profiling related to direct marketing.

6.6. To exercise the above rights, contact the Controller by sending a written or email message to the address indicated at the beginning of this Privacy Policy, or via the contact form on the Online Store website.


7. COOKIES IN THE ONLINE STORE AND ANALYTICS

7.1. Cookies are small pieces of text information in the form of text files, sent by a server and stored on the device of a visitor (e.g. computer, laptop, smartphone memory card). More information: https://en.wikipedia.org/wiki/HTTP_cookie

7.2. The Controller may provide a tool on the Online Store site to manage Cookies (first displayed upon entry, later available at the bottom of the page). It allows reviewing, selecting, and changing the scope of Cookie use.

7.3. Below the Controller provides information on Cookies used in the Online Store, their types, purposes, and management options (browser settings or the site’s Cookie management tool).

7.4. Cookies can be divided by:

  • Provider: (1) own (set by the Controller’s website) or (2) third-party

  • Storage period: (1) session (until logout/closing browser) or (2) persistent (for a defined time or until manual deletion)

  • Purpose: (1) necessary, (2) functional/preferential, (3) analytical/performance, (4) marketing/advertising/social

7.5. The Controller may process Cookie data for purposes such as:

  • identifying logged-in users (necessary)

  • remembering products in cart (necessary)

  • saving order form data, surveys, login details (necessary/functional)

  • personalizing site display (functional)

  • statistics on site usage (analytical)

  • displaying and measuring ads, personalizing ads, creating user profiles (marketing, including Google Ireland Ltd. and Meta Platforms Ireland Ltd.).

7.6. Cookie activity can be checked using tools like https://www.cookiemetrix.com or https://www.cookie-checker.com.

7.7. By default, most browsers allow Cookies. Users can change settings (restrict/disable), but disabling may limit site functionality (e.g. cart not working).

7.8. Browser settings are important for consent to Cookies – consent may be expressed via browser settings. Instructions for popular browsers: Chrome, Firefox, Internet Explorer, Opera, Safari, Microsoft Edge.

7.9. The Controller may use Google Analytics / Universal Analytics (Google Ireland Ltd.) for statistics and traffic analysis. Collected data are aggregated (e.g. source, behavior, devices, IP, geography, demographics, interests).

7.10. Users can block Google Analytics tracking by installing a browser add-on: https://tools.google.com/dlpage/gaoptout?hl=en

7.11. As the Controller may use Google Ireland Ltd. advertising and analytics services, full details of data processing are in Google’s Privacy Policy: https://policies.google.com/technologies/partner-sites


8. FINAL PROVISIONS

8.1. The Online Store may contain links to other websites. The Controller recommends reviewing their privacy policies upon visiting. This Privacy Policy applies only to the Controller’s Online Store.