GENERAL PROVISIONS 1.1. This Privacy Policy sets out the rules for the processing of personal data and the use of cookies and similar technologies in connection with the use of the online store (“Store”). 1.2. The Data Controller is: Tomasz Cyrbus conducting business activity under the name PAPS Tomasz Cyrbus, with its registered office in Gdynia (81-198), ul. Ketlinga 12H/1, registered in CEIDG, NIP: 586-194-51-18, REGON: 221080433 (“Controller”, “Seller”). 1.3. Contact regarding data protection: zamowienia@mypaps.eu. The Controller has not appointed a Data Protection Officer. 1.4. The main legal acts governing this processing are: Regulation (EU) 2016/679 (GDPR), the Polish Act on the Protection of Personal Data, the Act on the Provision of Electronic Services, laws on electronic communications (including cookies regulations), tax and accounting laws, and consumer protection regulations.
SCOPE AND PURPOSES OF DATA PROCESSING 2.1. Data scope. Depending on the activity, the Controller may process the following categories of data: a) identification data: name, surname, company name (for B2B), VAT number, business registration numbers, position; b) contact data: e-mail, phone, delivery/correspondence address, registered office address; c) transaction data: order number, subject and value of the order, chosen payment and delivery method, payment status, shipment number; d) registration data: login, password (encrypted), purchase history, account settings; e) communication data: content of correspondence, complaints and returns, call recordings (only if expressly informed about recording); f) technical and marketing data: IP address, cookie/device identifiers, server logs, browsing activity, marketing preferences, consents; g) payment data (excluding full card details): payment tokens, masked card numbers, transaction identifiers – full card details are not processed by the Controller. 2.2. Purposes and legal bases: a) conclusion and performance of a sales contract/provision of electronic services (account management, order handling, payments, delivery, complaints) – Art. 6(1)(b) GDPR; b) compliance with legal obligations (accounting, taxation, warranty, responses to authorities) – Art. 6(1)(c) GDPR; c) establishment or defense of claims, ensuring service security, fraud prevention (including payment verification), analytics, internal administration – Art. 6(1)(f) GDPR (legitimate interest); d) direct marketing of own products/services (including limited profiling) – Art. 6(1)(f) GDPR; sending by e-mail/SMS/phone requires additional consents under relevant regulations; e) sending newsletters and other communications based on consent – Art. 6(1)(a) GDPR; f) publishing reviews/testimonials with consent – Art. 6(1)(a) GDPR. 2.3. Data sources. Data are collected directly from the User/Customer, and – when necessary – from payment operators, couriers, IT/marketing partners, or public registers (e.g. CEIDG, KRS in B2B relations).
ELECTRONIC PAYMENTS AND ANTI-FRAUD VERIFICATION 3.1. The Store may provide online payment methods, including Paynow (operator: mBank S.A.) and other payment gateways chosen by the Customer (e.g. fast transfers, BLIK, cards). 3.2. For payment processing, necessary transaction and identification data are transferred to the relevant payment operator selected at checkout. The operator acts as a separate controller of personal data and processes data in line with its own privacy policy and legal obligations (e.g. anti-money laundering, card scheme regulations). 3.3. Payment operators may use automated fraud detection mechanisms that can affect the availability of certain payment methods. The Controller does not make decisions producing legal effects on the Customer based solely on automated processing, except for processes performed by payment operators under their legal obligations. 3.4. Data transferred may include: identification and contact data, order details and amount, IP/device data, transaction identifiers, and where required – additional verification data requested by the operator.
DATA RECIPIENTS 4.1. Data may be disclosed to: a) payment operators (including mBank S.A. – Paynow and other selected operators); b) courier and logistics companies; c) IT, hosting, cloud, e-mail/SMS, CRM, accounting and billing service providers; d) legal, tax, debt collection and audit service providers; e) analytics and advertising providers (e.g. statistics, remarketing tools) – only to the extent permitted by law and, where required, on the basis of the User's consent; f) public authorities and institutions as required by law. 4.2. In B2B relations, representatives’/contact persons’ data may be shared with contracting partners to the extent necessary to perform the contract.
TRANSFER OF DATA OUTSIDE THE EEA 5.1. As a rule, data are processed within the European Economic Area. If tools (e.g. analytics or advertising) involve transfer outside the EEA, it takes place only where adequate safeguards exist, in particular adequacy decisions or Standard Contractual Clauses approved by the European Commission, possibly with additional safeguards.
DATA RETENTION 6.1. Contract/order-related data – until the contract has been performed and thereafter until claim limitation periods expire and for the periods required under tax/accounting law (generally 5 years counted from the end of the calendar year in which the tax payment deadline expired, which in practice means up to 6 years). 6.2. Customer account – until deleted/deactivated. 6.3. Complaints and after-sales support – for the period necessary for handling and liability. 6.4. Marketing (legitimate interest) – until an objection is raised; marketing based on consent – until consent is withdrawn. 6.5. Technical data (logs, cookies) – according to their lifecycle or security/evidence requirements.
DATA SUBJECT RIGHTS 7.1. You have the right of access, rectification, erasure, restriction of processing and data portability, the right to object to processing based on legitimate interest (including objection to direct marketing), and the right to withdraw consent at any time (without affecting the lawfulness of processing carried out before withdrawal). 7.2. Exercise of rights: by contacting zamowienia@mypaps.eu. 7.3. You may lodge a complaint with the President of the Personal Data Protection Office (UODO, Warsaw).
VOLUNTARY DATA PROVISION 8.1. Providing data is voluntary but necessary for contract execution, account setup, payments, delivery, complaints handling, or receiving newsletters. Without data, certain Store functionalities may be unavailable.
SECURITY MEASURES 9.1. The Controller applies technical and organizational measures adequate to risks, including TLS/SSL encryption, password encryption, system updates, access controls, and data minimization. 9.2. Card data are not stored by the Controller – they are processed by payment operators in compliance with industry standards (e.g. PCI DSS).
PROFILING AND AUTOMATED DECISION-MAKING 10.1. The Store may use basic marketing profiling (e.g. purchase history, viewed products) to tailor communications. Legal basis: legitimate interest or consent (depending on communication channel). 10.2. No decisions with legal effects are made solely based on automated processing by the Controller. Payment operators may carry out automated fraud/risk assessments on their own legal basis.
STORE ACCOUNT, ORDERS, COMPLAINTS AND RETURNS 11.1. Creating an account is voluntary; data are processed to provide electronic services. 11.2. Order-related data are processed for contract conclusion, execution, settlement, delivery, and handling of complaints/returns. 11.3. For refunds/withdrawals, data are processed for settlements and legal compliance.
NEWSLETTER AND MARKETING COMMUNICATIONS 12.1. Newsletters are sent only with consent. Consent may be withdrawn anytime via the unsubscribe link or by contacting the Controller. 12.2. Marketing by phone/SMS or e-mail requires separate statutory consents – without them, such communication cannot be provided.
SOCIAL MEDIA 13.1. The Controller maintains profiles in social media. Data are processed in connection with following, interactions, messages – under the terms of each platform. The platform providers act as separate controllers.
COOKIES AND SIMILAR TECHNOLOGIES 14.1. The Store uses cookies and similar technologies (local storage, pixels, tags) for: a) necessary purposes – Store operation, login, security, shopping cart, orders; b) preferences/functionality – saving user settings; c) analytics/statistics – measuring traffic, usage analysis, service improvements; d) marketing – personalization, remarketing. 14.2. Legal basis: necessary cookies – legitimate interest; others – User consent (via browser settings, banners, or consent panel). 14.3. Users can withdraw consent or manage cookies anytime in browser settings or consent panel. Limiting cookies may affect Store functionalities. 14.4. External tools. The Store may use third-party analytics/advertising tools, which may involve cookie sharing and, exceptionally, data transfers outside the EEA as described in Section 5.
B2B RELATIONS AND REPRESENTATIVE DATA 15.1. For B2B contracts, the Controller processes representatives’/agents’ data for communication and contract execution under Art. 6(1)(f) GDPR (legitimate interest). 15.2. Data may come from business cards, correspondence, public registers, or directly from the contracting party.
MINORS 16.1. The Store is addressed to adults. If data of a minor are collected without proper authorization, the Controller will delete them.
POLICY CHANGES 17.1. This Policy may be updated, especially due to changes in law, Store functionalities, or tools. Significant changes will be communicated via the Store or e-mail (for registered/newsletter users). 17.2. The current version is always available in the Store.
CONTROLLER DETAILS AND CONTACT 18.1. Controller: PAPS Tomasz Cyrbus, ul. Ketlinga 12H/1, 81-198 Gdynia, Poland, NIP 586-194-51-18, REGON 221080433. 18.2. Contact: zamowienia@mypaps.eu.
INFORMATION REQUIRED BY PAYMENT OPERATORS (INCLUDING PAYNOW BY MBANK) 19.1. The Controller informs that: a) personal data are processed in connection with online payment services; data transfer to the operator is necessary for initiating and settling the transaction; b) the payment operator (e.g. Paynow – mBank S.A.) acts as a separate controller for payment processing and AML/CFT compliance, including risk assessments; c) the operator may require identity verification or source of funds checks – failure to complete such verification may result in rejection of the transaction; d) the Controller receives only transaction status and identifiers, not full card details; e) in deferred payment or installment cases, the operator may assess creditworthiness under its own legal basis – details in the operator’s privacy policy.
EVIDENCE AND LOGS 20.1. To demonstrate compliance, the Controller may store system logs, consent records, history of requests, and relevant correspondence for evidence and claims defense purposes.
CONTACT AND RIGHTS HANDLING 21.1. Requests related to data subject rights may be sent to: zamowienia@mypaps.eu. For security, identity verification may be required before a request is fulfilled. Responses are usually provided within one month (extendable by up to a further two months in complex cases, as provided in Art. 12(3) GDPR).
ENTRY INTO FORCE 22.1. This Policy is effective as of 1 September 2025 and replaces all previous versions.