Privacy Policy, Cookies & GDPR
This document sets out the rules for processing personal data and the use of cookies and similar technologies in connection with the use of the online store available at [https://papstomahawks.com/] (the “Store” or “Service”), operated on WooCommerce. The document complies with the EU General Data Protection Regulation (GDPR) and applicable Polish laws complementing GDPR.
Using the Store means you accept this Policy. Consents for analytics/marketing cookies are collected and managed via the CookieYes consent banner — you can change or withdraw your choices at any time in the banner settings.
1) Data Controller
The controller of your personal data is: PAPS CUSTOM TOOLS PAWEŁ SURDEL, ul. Gajowa 19, 44-145 Leboszowice, NIP (Tax ID): 9691547472, REGON: [REGON], operating as a sole proprietorship (the “Controller”).
Contact: e-mail [papstomahawks@gmail.com], phone: [Phone], website: [https://papstomahawks.com/].
The Controller has not appointed a Data Protection Officer (DPO). For all privacy matters please use the above e‑mail address.
2) Scope, sources and categories of data
We process data necessary to conclude and perform a contract, communicate with you, settle accounts, ensure the Service’s security and conduct marketing — in particular:
• identification data (first and last name, company name, VAT ID/NIP),
• contact data (e‑mail, phone, delivery/correspondence address),
• order data (products, amounts, status, transaction references),
• payment data (payment status, transaction identifiers — no full card data is stored),
• logistics data (carrier selection, tracking/waybill number),
• account data (login, order history),
• communications (correspondence, complaints, withdrawals),
• technical/telemetry data (IP, device/browser identifiers, events in the Store),
• marketing preferences (consents, objections),
• cookies and similar technologies, including for analytics and ads (upon consent).
Sources: we obtain data directly from you (registration, orders, contact) and from tools integrated with the Store (e.g., payment providers, shipping systems, analytics tools — after you consent where required).
3) Purposes and legal bases (Art. 6 GDPR)
• Contract performance (account registration, orders, payments, delivery) — Art. 6(1)(b) GDPR.
• Complaints, withdrawals, statutory warranty — Art. 6(1)(b) and/or 6(1)(c) GDPR.
• Accounting, tax and bookkeeping — Art. 6(1)(c) GDPR.
• Communication and correspondence handling — Art. 6(1)(f) GDPR (legitimate interest: customer support).
• Archiving and defence against claims — Art. 6(1)(f) GDPR.
• Own direct marketing to existing customers — Art. 6(1)(f) GDPR (right to object).
• Newsletter/e‑mail marketing — Art. 6(1)(a) GDPR (consent) and Art. 10 Polish UŚUDE.
• Phone/SMS marketing — Art. 6(1)(a) GDPR + Art. 172 Polish Telecommunications Law/[PKE] (separate consent).
• Analytics (GA4) and behavioural advertising/remarketing — Art. 6(1)(a) GDPR (consent via the cookie banner; Consent Mode v2).
• Security and fraud prevention — Art. 6(1)(f) GDPR.
4) Is providing data voluntary?
Providing data is voluntary, yet necessary to achieve the above purposes. Without certain data we may be unable to fulfil your order.
5) Data recipients and processors
We disclose data to entities processing it on our behalf (processors under data processing agreements) and to independent recipients, where necessary. In particular:
• Hosting & infrastructure: HOSTIDO.PL GAŁĄZKA SPÓŁKA JAWNA, ul. Kartuska 5, 80‑103 Gdańsk, NIP: 5833413237, KRS: 0000872620 — server hosting.
• Cloud/backup: [provider name, e.g., Dropbox Inc./other], [address], [IDs] — backups.
• Payments: [operator name, e.g., Przelewy24/PayU/Stripe], [address], [IDs] — payment processing.
• Carriers/logistics: [e.g., InPost/DPD/GLS], [address], [IDs] — delivery of orders.
• Marketing/analytics tools: Google Ireland/Google LLC (GA4, Tag), Meta Platforms Ireland/Meta Platforms Inc. (Pixel), and other tools used upon consent.
• Legal/accounting advisors: [name of the law firm/accounting office].
• Public authorities (e.g., Tax Office, PUODO, Police, courts) — where required by law.
6) Transfers outside the EEA
Due to the use of cloud and analytics solutions, data may be transferred outside the EEA (in particular to the USA). For providers such as Google LLC and [Dropbox Inc./other] we rely on mechanisms provided by GDPR, including the European Commission’s EU‑U.S. Data Privacy Framework (DPF) decision and/or Standard Contractual Clauses (SCC) with supplementary safeguards. Please see each provider’s privacy documentation for details.
7) Data retention periods
• Orders & settlements: for the time necessary to perform the contract and for 5 years for tax and bookkeeping (counted from the end of the tax year).
• Complaints/withdrawals/statutory warranty: for the duration of the procedure and until claims become time‑barred.
• Customer account: until the account is deleted; selected data may be stored longer to defend against claims (until limitation).
• Newsletter/marketing consents: until consent is withdrawn.
• Analytics/marketing cookies: according to the retention set in the tool (e.g., GA4 14/26 months) or until consent is withdrawn.
• Correspondence: generally up to 3 years unless longer storage is justified by defence or pursuit of claims.
8) Your rights
You have the right to: access your data, rectify it, erase it, restrict processing, data portability, object to processing based on Art. 6(1)(f) GDPR, and withdraw consent at any time (without affecting the lawfulness of processing before withdrawal).
You also have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO) (ul. St. Moniuszki 1A, 00‑014 Warsaw, e‑mail: kancelaria@uodo.gov.pl, tel. +48 22 531 03 00).
9) Cookies and similar technologies
We use essential cookies (necessary for the Service to function) and — only upon consent — analytics and advertising cookies. Consents are collected and managed via the CookieYes banner (Google‑compatible — Consent Mode v2).
Cookie categories:
• Essential — core functions (login, cart, payments, security).
• Functional — remembering preferences (language, region, UI) [if applicable].
• Analytics — measuring traffic and events (GA4/Tag) — launched only after consent.
• Advertising — ad personalisation/remarketing (e.g., Meta Pixel/Google Ads) — only after consent.
You can change/withdraw your choices at any time in the CookieYes banner. Limiting cookies may affect some Store features.
10) Google Consent Mode v2
Within the EEA, Switzerland and the UK we use Google Consent Mode v2. This means Google tags adapt to the user’s choices made in the consent banner (separately for analytics and ads). Until consent is given, tools operate in a limited mode or are not launched.
11) Social plugins and joint controllership
Regarding the collection and transmission of data via social plugins/buttons (e.g., Facebook/Instagram), we may act as a joint controller with Meta Platforms Ireland Limited at the stage of event collection and transmission. For details on Meta’s processing, please see Meta’s privacy policy. You can withdraw marketing consents in the banner and exercise your right to object to processing based on legitimate interests.
12) Profiling and automated decisions
We do not make decisions producing legal effects based solely on automated processing. We may conduct basic marketing profiling (e.g., segmentation by purchase history or Store events) — only after you consent to marketing cookies or subscribe to the newsletter. You can withdraw consent or object at any time.
13) Security measures
We apply TLS/HTTPS encryption, access and permission controls, regular software updates and backups. We select vendors meeting security standards and execute data processing agreements with them.
14) Changes to this Policy
We reserve the right to amend this Policy, in particular if laws or Store functionality change. We will inform about material changes via the Service. The current version is always available at [https://papstomahawks.com/privacy-policy/].
Appendix: Template register of tools and cookies (to be completed)
Below is an example table — complete it with the tools you actually use and the correct retention periods.
| Tool / Provider | Purpose / Category | Legal basis | Retention | Transfer outside EEA |
|---|---|---|---|---|
| CookieYes CMP | Consent management (essential) | Art. 6(1)(c)/(f) GDPR | Up to [__] months | No / N/A |
| Google Analytics 4 (Google) | Analytics — analytics cookies | Art. 6(1)(a) GDPR (consent) | [14/26 months] | DPF/SCC |
| Google Ads / Tag | Advertising — ad cookies | Art. 6(1)(a) GDPR (consent) | [per tool] | DPF/SCC |
| Meta Pixel (Meta) | Advertising/remarketing | Art. 6(1)(a) GDPR (consent) | [per tool] | SCC/appropriate mechanisms |
| [Payment operator] | Online payments (not cookies) | Art. 6(1)(b)/(c) | [per law] | per provider policy |
| [Carrier] | Delivery (not cookies) | Art. 6(1)(b) | [per law] | — |
If you have questions, please contact: [papstomahawks@gmail.com]
