Privacy Policy
§1. General provisions
- This Privacy Policy sets out the rules for processing the personal data of users of the service available at gk-handmade.com.
- The controller of personal data is Katarzyna Kowalczyk – GK Handmade, with its registered office at: Antenowa 18, 93-304 Łódź (Poland), NIP: 7292408035, REGON: 100270297 (hereinafter: the “Controller”).
- To contact the Controller on matters related to personal data protection, you may use:
  - E-mail: hello@gk-handmade.com
  - Contact form available on the website
- The Controller ensures the security of personal data in accordance with applicable laws, including Regulation (EU) 2016/679 (GDPR).
§2. Scope and purpose of processing personal data
- The Controller processes users’ personal data for the following purposes:
  - Order fulfilment – we process the data necessary to conclude and perform the sales contract, including first name, last name, address, e-mail address, telephone number.
  - Customer support – responding to questions and requests via e-mail or the contact form.
  - Payment processing – data is provided to payment operators to complete transactions.
  - Marketing and newsletter – if the user gives consent, we process their data to send promotional offers.
  - Statistics and traffic analysis – to improve the functionality of the service and the user experience.
  - Creation and management of a user account – if the user creates an account in the shop (WooCommerce), we process the data necessary to operate the account (e.g. e-mail address, identification data).
  - Product availability notifications – if the user signs up for a back-in-stock notification (Notifima), we process their e-mail address to send availability information.
  - Sending system messages and handling correspondence – messages regarding orders, the account, forms and customer communication may be sent using SMTP configuration (WP Mail SMTP), and copies of messages may be saved in technical logs for diagnostic purposes and to ensure proper operation (WP Mail Logging).
  - Google tools – depending on the service configuration, we use Google tools for statistics and promoting the offer (Google Site Kit, Google for WooCommerce / Google Listings & Ads), which may involve the use of cookies and processing of technical data (e.g. cookie identifiers, device and browser data).
- Personal data is processed only to the extent necessary to achieve the above purposes and is stored for a period consistent with applicable laws.
§2a. Requirement to provide data
Providing personal data is voluntary; however, in some cases it is necessary to use the services of the website. Providing the data marked as required during the order process (including first name, last name, address, e-mail address, telephone number) is necessary to conclude and perform the sales contract. Providing invoicing data is required by tax law. Failure to provide the necessary data may make it impossible to fulfil the order or issue a sales document.
§3. Legal bases for processing data
- The Controller processes personal data on the basis of:
  - Sales contract (Article 6(1)(b) GDPR) – processing necessary to fulfil an order.
  - Legal obligations (Article 6(1)(c) GDPR) – e.g. the obligation to store accounting data.
  - Legitimate interests (Article 6(1)(f) GDPR) – in particular: ensuring the security of the website and services (including keeping logs), pursuing and defending against claims, keeping statistics and analysing how the website operates in order to improve it, and marketing of the Controller’s own products and services (where it is not based on consent).
  - Providing a service at the user’s request (Article 6(1)(b) GDPR) – e.g. account support, product availability notifications.
  - User consent (Article 6(1)(a) GDPR) – in particular for analytical/marketing cookies and advertising and measurement activities carried out using external tools (e.g. Google).
§4. Recipients of personal data
- Personal data may be shared with external entities only to the extent necessary to provide services, in particular:
  - Courier and postal service providers – to deliver orders (e.g. InPost – parcel lockers and courier delivery).
  - Payment operators – to process payment for an order (e.g. PayU).
  - Google tool providers – depending on configuration: analytics and traffic measurement, as well as promotion of the offer and synchronisation of product data (Google Site Kit, Google for WooCommerce / Google Listings & Ads, Google Merchant Center, Google Ads).
  - Providers of services related to WooCommerce/Automattic – depending on configuration: security, performance, statistics and other modules (Jetpack), as well as tax services (WooCommerce Tax).
  - IT service providers – including hosting, website maintenance, backups, administration and technical support.
  - E-mail/SMTP providers – to send system messages and correspondence (e.g. SMTP configuration).
  - Public authorities – if the obligation to share data arises from provisions of law.
- Due to the use of external providers’ services (e.g. Google and Automattic/Jetpack/WooCommerce), data may be transferred to countries outside the EEA (in particular to the USA) if this is related to the operation of those services. In such cases, the Controller applies legally required transfer safeguards (e.g. standard contractual clauses) or relies on another legal basis provided for by law.
§5. User rights
- Each user whose data is processed has the right to:
  - Access their data – you can check what information we hold about you.
  - Rectification – if the data is incorrect or out of date.
  - Erasure (“right to be forgotten”) – if there are no grounds for further processing.
  - Restriction of processing – in specific situations.
  - Data portability – to another data controller.
  - Objection to processing – e.g. for marketing purposes.
  - Withdrawal of consent – if processing is based on consent.
- To exercise any of these rights, simply send a message to hello@gk-handmade.com or use the contact form.
- If you believe that your data is being processed unlawfully, you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO). You may also lodge a complaint with the competent supervisory authority in the country of your habitual residence, place of work, or the place of the alleged infringement.
§5a. Automated decision-making and profiling
The Controller does not make decisions concerning users based solely on automated processing that would produce legal effects concerning them or similarly significantly affect them. However, depending on the consents given and the configuration of tools (e.g. Google), the Controller may use analytics and marketing activities involving measuring advertising effectiveness and matching advertising content to the user’s interests (marketing profiling). The user can withdraw consent at any time in the cookie settings.
§6. Cookies and tracking technologies
The website uses cookies and similar technologies. Necessary cookies are used for the proper operation of the website. Analytical and marketing cookies (and external scripts, e.g. Google tools) are used only after the user has given consent via the cookie banner/panel (Complianz). Consent is voluntary and can be withdrawn or changed at any time in the cookie settings panel available on the website. The use of cookies can also be controlled through browser settings; however, changing these settings may affect the operation of certain website functions.
§7. Data retention period
- We store personal data for the period:
  - necessary to fulfil an order,
  - resulting from provisions of law (e.g. storing accounting documentation for 5 years),
  - until consent is withdrawn in the case of marketing activities.
- Data from correspondence and contact forms is stored for the time necessary to handle the request and, where applicable, to pursue or defend against claims. Technical logs related to sending e-mails (WP Mail Logging) and website security may be stored for the time necessary for diagnostics and to ensure security, no longer than 12 months, unless a longer period is required to pursue or defend claims. Data processed for the newsletter is stored until consent is withdrawn, and data for availability notifications is stored until the notification is sent or the user opts out.
- After this period, the data is deleted or anonymised.
§8. Changes to the Privacy Policy
- The Controller reserves the right to amend the Privacy Policy if required by law or due to technological changes.
- The new version of the policy will be published on the shop’s website.
Any questions?
Contact us by e-mail: hello@gk-handmade.com or use the contact form.
