Privacy Policy

TABLE OF CONTENT

§1 Personal Data Administration

§2 Definitions

§3 Security

§4 Purposes and Legal Bases for Data Processing

§5 Profiling

§6 Period of Personal Data Processing

§7 User Rights

§8 Recipients of Personal Data

§9 Personal Data Security

§10 Changes to the Privacy Policy

§1 Personal Data Administration

1. The Administrator of personal data is Tomasz Piotrowski, conducting business activity under the name Tomasz Piotrowski, ul. Reymonta 12, 45-065 Opole. The business activity is registered in the Central Registration and Information on Business Activity under NIP: 7551834727, REGON 525305799.

2. Contact with the person supervising personal data processing in the organization is possible electronically at the e-mail address: , in writing to the Administrator’s address or by phone at 728 206 045.

3. This Policy contains the rules regarding the processing of personal data by the Administrator in the Online Service, including the grounds, purposes, and scope of personal data processing, as well as the rights of data subjects.

4. Personal data is processed by the Administrator in accordance with applicable legal provisions, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official text of the GDPR Regulation: http://eur-lex.europa.eu/legal- content/EN/TXT/?uri=CELEX%3A32016R0679.

5. The User’s rights are not absolute and do not apply to all personal data processing activities.

§2 Definitions

1. Administrator – Tomasz Piotrowski, conducting business activity under the name Tomasz Piotrowski, ul. Reymonta 12, 45-065 Opole. The business activity is registered in the Central Registration and Information on Business Activity under NIP: 7551834727, REGON 525305799.

2. Personal Data – information about an identified or identifiable natural person by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity, including the device’s IP address, internet identifier and information collected via cookies and other similar technologies.

3. Policy – this Privacy Policy.

4. Cookie Policy – a document defining the rules for the use of cookies in the Service, available at: piekarniawolna.pl/polityka-cookies/.

5. Profiling – any form of automated processing of personal data consisting of the analysis and prediction of user behavior.

6. GDPR / GDPR Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

7. Service – the online service operated by the Administrator at piekarniawolna.pl. 8. User – any natural person visiting the Service or using one or more services or functionalities described in the Policy.

§3 Security

1. The Administrator has implemented appropriate technical and organizational measures to ensure the security of personal data processing. In particular, the Administrator is responsible for and ensures that the data collected by them are:

  • processed lawfully;

  • collected for specified, legitimate purposes and not subjected to further processing incompatible with those purposes;

  • factually correct and adequate in relation to the purposes for which they are processed;

  • stored in a form that allows identification of the data subjects for no longer than is necessary to achieve the purpose of processing; and

  • processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

§4 Purposes and Legal Bases for Data Processing

1. On the basis of Article 6(1)(a) of the GDPR Regulation (consent), personal data maynbe processed for the following purposes:

  • Retargeting and behavioral advertising, including the display of personalized ads based on the user’s activity history in the Service and other websites. Processing of data for these purposes takes place solely on the basis of the User’s consent expressed in the cookie banner. Data may be collected via cookies and similar technologies, in accordance with the Cookie Policy.

  • Publication of opinions.

  • Saving data in cookies in accordance with the Cookie Policy available at: piekarniawolna.pl/polityka-cookies/.

  • Handling and maintaining a user account in the Service.

  • Contact via remote communication tools, in particular: telephone, e-mail or applications.

  • Content moderation.

  • Content personalization.

  • Marketing of the Administrator’s and the Administrator’s partners’ products and services.

  • Participation in a webinar or online training.

  • Participation in competitions and loyalty programs.

  • Inviting to participate in surveys and market research.

2. On the basis of Article 6(1)(b) of the GDPR Regulation (performance of a contract), personal data may be processed for the following purposes:

  • Managing a user account.

  • Performance of a sales contract or a contract for the provision of a Service or taking actions at the request of the data subject prior to concluding the said

    contract or after its conclusion, in particular: warranty rights, complaint handling.

  • Complaints or withdrawal from a distance contract.

3. On the basis of Article 6(1)(c) of the GDPR Regulation (legal obligation of the Administrator), personal data may be processed for the following purposes:

  • Issuing and storing invoices, receipts or fulfilling other obligations arising from tax and accounting regulations (archival obligation regarding accounting documents).

  • Cooperation with law enforcement agencies and public institutions.

  • Creating registers and other documentation required by GDPR regulations.

4. On the basis of Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Administrator), personal data may be processed for the following purposes:

  • Operation of the piekarniawolna.pl Service.

  • Saving data necessary for the proper functioning of the Service in cookies in accordance with the Cookie Policy.

  • Managing accounts on Facebook, Instagram and interacting with Users of these portals.

  • Ensuring the security of the Service, managing the Service and its proper functioning.

  • Conducting statistics and analyses of traffic in the Online Service.

  • Direct marketing.

  • Establishing claims raised by or against the Administrator.

  • Contact with the User.

5. Personal data may also be processed for other purposes if the Administrator has an appropriate legal basis for doing so, in particular resulting from Art.

6 of the GDPR, provided that such purpose does not violate the rights and freedoms of the User. In such a case, the User will be informed about the new purpose of processing before processing begins for that purpose.

§5 Profiling

1. The Administrator uses profiling for marketing purposes, which involves analyzing the User’s activity in the Service using cookies and similar technologies.

2. Profiling may include:

  • personalization of advertisements based on browsing history,

  • analysis of the User’s interactions with content in the Service, adjustment of displayed advertising content on external services (e.g. Google Ads, Facebook).

3. Profiling takes place solely on the basis of the User’s consent.

4. The User may withdraw consent to profiling at any time by changing settings or contacting the Administrator at the e-mail address: .

§6 Period of Personal Data Processing

1. The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service, until the consent is withdrawn or an effective objection to data processing is raised in cases where the legal basis for data processing is the legitimate interest of the Administrator.

2. The period of data processing may be extended if the processing is necessary to establish and pursue possible claims or defend against claims, and after that time only in cases and to the extent required by law. After the processing period expires, the data is irreversibly deleted or anonymized.

3. Detailed data retention periods depending on the purpose, e.g.:

  • Data related to contract performance – stored for the duration of the contract and then until the expiry of the limitation period for claims (3 or 6 years).

  • Accounting and tax data – stored for the period required by tax law (currently 5 years).

  • Data obtained on the basis of consent – stored until consent is withdrawn.

  • Data related to user inquiries – stored for up to 12 months after the end of correspondence.

§7 User Rights

1. The User has the following rights in relation to their personal data:

  • access to their personal data,

  • rectification of personal data at any time,

  • erasure of their personal data at any time,

  • receipt of a copy of their data,

  • restriction of personal data processing,

  • objection to the processing of personal data,

  • data portability,

  • withdrawal of consent; withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal,

  • objection to the processing of personal data on the basis of the Administrator’s legitimate interest for marketing purposes, direct marketing and for purposes other than marketing,

  • lodging a complaint with the supervisory authority.

2. In order to exercise the above rights, the User may contact the Administrator by sending a message to the e-mail address or correspondence to the Administrator’s registered office address. The Administrator undertakes to consider the request within 30 days of its receipt.

3. In some cases, the Administrator may refuse to fulfill the User’s request if legal provisions impose an obligation for further data processing.

§8 Recipients of Personal Data

1. In order to properly operate the Service, the Administrator transfers the User’s personal data to other external entities, in particular: hosting company, courier companies, payment operators, postal operator, law and debt collection firms, accounting offices, insurers, banks, marketing companies, business partners and suppliers, price comparison websites, dropshipping suppliers, mailing system, cloud service providers, CRM and ERP systems.

2. The Administrator reserves the right to disclose personal data in situations where it results from applicable legal provisions, including the obligation to provide information to the relevant administrative authorities or law enforcement agencies.

§9 Personal Data Security

1. The Administrator continuously conducts risk analysis to ensure that Personal Data is processed by them in a secure manner. Through its actions, the Administrator primarily ensures that only authorized persons have access to the data and only to the extent necessary for the tasks they perform.

2. The Administrator is obliged to take all actions permitted by law to ensure that all operations on Personal Data are recorded and carried out only by authorized entities.

3. The Administrator is also obliged to ensure that other entities cooperating with the Administrator provide guarantees of the application of appropriate security measures in every case when they process Personal Data on behalf of the Administrator.

4. The Administrator applies technical safeguards such as data transmission encryption (SSL/TLS), access restrictions to systems, and procedures to protect against unauthorized access to data.

§10 Changes to the Privacy Policy

1. The Policy is regularly reviewed and updated. 2. The current version of the Policy was adopted and is effective as of 2026-06-20.

Legal compliance of this document is guaranteed by lawyers from KZ Law Firm.