Privacy policy

Last updated: June 29, 2025

This Privacy Policy sets out the rules for the processing and protection of personal data provided by Users in connection with their use of the online store available at www.kozin.store (hereinafter: "the Store" or "the Website"), in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – "GDPR").

§ 1 Personal Data Controller

The controller of your personal data processed within the scope of the Store's activity is (hereinafter: "the Controller"):

  • Company: SCULPTOM Tomasz Kozioł
  • Address: Wola Mędrzechowska 57, 33-221 Mędrzechów, Poland
  • NIP (Tax Identification Number): 8711782892
  • REGON (National Business Registry Number): 527631764
  • Contact:
    • e-mail: info@kozin.store
    • tel.: +48 724 556 452

§ 2 Purposes, Legal Bases, and Scope of Personal Data Processing

The Controller processes your personal data for the following purposes and on the following legal bases:

1. Conclusion and performance of a Sales Agreement or taking action before its conclusion

  • Legal basis: Art. 6(1)(b) of the GDPR.
  • Scope of data: First and last name, delivery address, e-mail address, phone number, and optionally company data (NIP, name – if an invoice is required), order history. This data is necessary for order fulfillment, delivery, and contact.

2. Maintaining a Customer Account in the Store (if the Customer decides to create one)

  • Legal basis: Art. 6(1)(b) of the GDPR (performance of an agreement for the provision of electronic services).
  • Scope of data: E-mail address, password (encrypted), data voluntarily provided in the profile (e.g., first name, last name, delivery addresses).

3. Processing payments

  • Legal basis: Art. 6(1)(b) of the GDPR (performance of an agreement) and Art. 6(1)(c) of the GDPR (legal obligation related to accounting).
  • Scope of data: Data necessary to process the payment by the operator (e.g., amount, transaction identifier). The Controller does not process full payment card details.

4. Handling complaints, contract withdrawals (returns), or warranty claims

  • Legal basis: Art. 6(1)(b), (c), and (f) of the GDPR (performance of an agreement, legal obligations, and the Controller's legitimate interest – pursuing or defending against claims).
  • Scope of data: First and last name, contact details, order number, description of the request, bank account number for the refund.

5. Contact and responding to inquiries (e.g., via contact form, e-mail)

  • Legal basis: Art. 6(1)(f) of the GDPR (Controller's legitimate interest – communication with users).
  • Scope of data: Data provided in the form or message (e.g., name, e-mail address, content of the inquiry).

6. Marketing – sending newsletters or commercial information

  • Legal basis: Art. 6(1)(a) of the GDPR (User's voluntary consent).
  • Scope of data: E-mail address, possibly first name. The Controller does not currently conduct marketing activities that require consent. If such activities are undertaken, processing will only occur after you have given separate consent.

7. Analytical and statistical purposes – to improve the quality of services and the functioning of the Store

  • Legal basis: Art. 6(1)(f) of the GDPR (Controller's legitimate interest in analyzing website traffic and optimizing its performance).
  • Scope of data: IP address, location data, browser and operating system data, pages visited, data collected via cookies (details in § 5). This data is often processed in an anonymized or aggregated form.

8. Fulfillment of legal obligations incumbent on the Controller (e.g., tax and accounting obligations)

  • Legal basis: Art. 6(1)(c) of the GDPR.
  • Scope of data: Data necessary to issue an invoice, transaction data.

Providing data marked as mandatory is voluntary but necessary for the conclusion and performance of the Sales Agreement or the provision of other services by the Controller.

§ 3 Recipients of Personal Data

Your personal data may be shared with the following categories of entities:

  • Technical and IT service providers that support the operation of the Store, in particular:
    • Shopify Inc.
  • Electronic payment operators:
    • PayPro S.A. (Przelewy24).
    • PayPal (Europe) S.à r.l. et Cie, S.C.A.
    • Operators processing card payments (Visa, Mastercard), Apple Pay, Google Pay.
  • Courier and logistics companies:
    • InPost S.A.
    • DPD Polska sp. z o.o.
    • DHL eCommerce Polska sp. z o. o.
  • Analytics service providers (internal tools of the Shopify platform).
  • Accounting offices and law firms (if necessary).
  • Public authorities authorized to receive data by law.

The Controller requires data processors to whom data is entrusted to ensure an appropriate level of security and to process data in accordance with the GDPR.

§ 4 Data Transfer Outside the European Economic Area (EEA)

In connection with the use of services provided by Shopify Inc., your personal data may be transferred to third countries (outside the EEA), mainly to Canada and the United States. The Controller ensures that such transfer is carried out based on appropriate legal mechanisms, such as an adequacy decision by the European Commission (for Canada) and standard contractual clauses approved by the European Commission (for transfers to the US and other countries). You have the right to obtain a copy of these safeguards by contacting the Controller.

§ 5 Cookies and Tracking Technologies

1. Purpose of using cookies:

  • Necessary (technical): Ensure the proper functioning of the Website, support the shopping cart, orders, and security. Their use does not require your consent.
  • Functional (preference): Remember choices and preferences (e.g., language, payment settings). Their use may require your voluntary consent.
  • Analytical (statistical): Collect anonymous information about how the Website is used to create statistics and analyze traffic. Their use requires your voluntary consent.

2. Managing cookie consents:

  • During your first visit to the Website, an information banner is displayed, allowing you to consent to the use of cookies.
  • You can change your preferences or withdraw your consent at any time by clicking the "cookie" icon in the bottom left corner of the page.
  • You can also manage cookies through your web browser settings.

3. Cookies used (as of June 29, 2025):

  • Necessary Cookies: _shopify_essential, _tracking_consent, _pandectes_gdpr, cart_currency, secure_customer_sig, storefront_digest, keep_alive, checkout_..., auth_state_...
  • Functional Cookies: localization, shop_pay_accelerated, skip_shop_pay
  • Analytical Cookies (Shopify): _landing_page, _orig_referrer, _s, _shopify_s, _shopify_sa_p, _shopify_sa_t, _y, _shopify_y

§ 6 Personal Data Retention Period

Your personal data will be stored for the period necessary to achieve the purposes:

  • Data related to a Sales Agreement: for the duration of the agreement and, after its termination, for the period required by law (e.g., for tax purposes - 5 years) or until the statute of limitations for claims expires.
  • Customer Account data: until the Account is deleted.
  • Data processed based on consent: until the consent is withdrawn.
  • Data processed based on a legitimate interest: until an objection is raised or the purpose ceases.

After the processing period has expired, the data is deleted or anonymized.

§ 7 Rights of Data Subjects

You have the following rights related to the processing of your personal data:

  • The right to access your data.
  • The right to rectify your data.
  • The right to erasure of your data ("the right to be forgotten").
  • The right to restrict processing.
  • The right to data portability.
  • The right to object to processing.
  • The right to withdraw consent at any time.
  • The right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland).

To exercise your rights, please contact the Controller (details in § 1). A response will be provided within one month.

§ 8 Contact Regarding Personal Data Protection

For matters concerning the processing of your personal data, please contact us:

  • by e-mail: info@kozin.store
  • in writing: SCULPTOM Tomasz Kozioł, Wola Mędrzechowska 57, 33-221 Mędrzechów, Poland.

§ 9 Changes to the Privacy Policy

The Controller may make changes to the Privacy Policy. The new version will be published on the Store's website with the effective date indicated.