PRIVACY POLICY OF THE ONLINE STORE STAYCLAYSTUDIO.COM
1.1. This privacy policy of the Online Store is for informational purposes only, which means that it does not create obligations for the Service Recipients or Customers of the Online Store. The Privacy Policy primarily contains rules regarding the processing of personal data by the Administrator in the Online Store, including the legal basis, purposes, and scope of personal data processing, as well as the rights of data subjects, and information regarding the use of cookies and analytical tools in the Online Store.
1.2. The administrator of personal data collected via the Online Store is Svitlana Tolkachova, conducting business under the name Svitlana Tolkachova, entered into the Central Register and Information on Economic Activity of the Republic of Poland maintained by the minister competent for economic affairs, with the following address for business operations and correspondence: ul. Jarocińska 32/L.U.1, 04-156 Warsaw, NIP 1133092585, REGON 524968925, email address: sklepstayclay@gmail.com, contact phone number: +48 515 282 463 – hereinafter referred to as the “Administrator”, who is also the Service Provider of the Online Store and the Seller.
1.3. Personal data in the Online Store is processed by the Administrator in accordance with applicable law, particularly in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as the “GDPR” or “GDPR Regulation”. Official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
1.4. The use of the Online Store, including making purchases, is voluntary. Similarly, the provision of personal data by the Service Recipient or Customer using the Online Store is voluntary, with two exceptions: (1) concluding contracts with the Administrator – failure to provide personal data in cases and to the extent indicated on the Online Store website and in the Online Store Regulations and this privacy policy, which is necessary for concluding and performing the Sales Agreement or the Electronic Services agreement with the Administrator, will result in the inability to conclude such a contract. In such cases, the provision of personal data is a contractual requirement and if the data subject wishes to conclude the contract, they are required to provide the necessary data. The scope of data required for contract conclusion is always indicated beforehand on the Online Store website and in the Online Store Regulations; (2) legal obligations of the Administrator – the provision of personal data is a statutory requirement resulting from generally applicable laws that impose an obligation on the Administrator to process personal data (e.g., for tax or accounting records), and failure to provide them will prevent the Administrator from fulfilling these obligations.
1.5. The Administrator takes special care to protect the interests of data subjects whose personal data is processed, and in particular is responsible for ensuring that the data collected: (1) is processed lawfully; (2) is collected for specified, lawful purposes and not further processed in a manner incompatible with those purposes; (3) is substantively correct and adequate in relation to the purposes for which it is processed; (4) is stored in a form that allows identification of the data subjects for no longer than is necessary for the purposes of the processing; and (5) is processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
1.6. Taking into account the nature, scope, context, and purposes of processing and the risk of violating the rights or freedoms of natural persons with varying probability and severity, the Administrator implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the GDPR and that this can be demonstrated. These measures are reviewed and updated when necessary. The Administrator uses technical measures to prevent unauthorized persons from acquiring and modifying personal data transmitted electronically.
1.7. All terms, expressions, and acronyms used in this privacy policy and starting with a capital letter (e.g., Seller, Online Store, Electronic Service) should be understood in accordance with their definitions in the Terms and Conditions of the Online Store available on the Online Store website.
2. LEGAL BASIS FOR DATA PROCESSING
2.1. The Administrator is authorized to process personal data if – and to the extent that – at least one of the following conditions is met:
(1) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(2) the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
(3) the processing is necessary for compliance with a legal obligation to which the Administrator is subject; or
(4) the processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly if the data subject is a child.
2.2. The processing of personal data by the Administrator requires the existence of at least one of the legal bases listed in section 2.1. The specific legal bases for the processing of personal data of the Service Recipients and Customers of the Online Store by the Administrator are indicated in the next section of the privacy policy – in relation to the specific purpose of the data processing.
3. PURPOSE, BASIS AND DURATION OF DATA PROCESSING IN THE ONLINE STORE
3.1. The purpose, basis, duration, and recipients of the personal data processed by the Administrator each time depend on the actions taken by the given Service Recipient or Customer in the Online Store or by the Administrator. For example, if a Customer decides to make a purchase in the Online Store and chooses personal pickup instead of courier delivery, their personal data will be processed to perform the concluded Sales Agreement, but will not be shared with the courier company.
3.2. The Administrator may process personal data in the Online Store for the following purposes, on the following bases, and for the periods indicated in the table below:
| Purpose of Data Processing | Legal Basis for Data Processing | Data Retention Period |
|---|---|---|
| Performance of a Sales Agreement or Electronic Service Agreement, or taking actions at the request of the data subject prior to entering into such agreements | Article 6(1)(b) of the GDPR (contract performance) – processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract | Data is stored for the period necessary to perform, terminate, or otherwise expire the concluded Sales Agreement or Electronic Service Agreement. |
| Direct marketing | Article 6(1)(f) of the GDPR (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller, namely to maintain the interests and good image of the Controller, the Online Store, and for the purpose of selling Products |
Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period of the Controller’s claims against the data subject arising from the Controller’s business activity. The limitation period is defined by applicable law, in particular the Civil Code (standard limitation period is three years for business-related claims and two years for sales agreements). The Controller may not process data for marketing purposes after this time. |
| Marketing | Article 6(1)(a) of the GDPR (consent) – the data subject has given consent to the processing of their personal data for marketing purposes by the Controller | Data is stored until the data subject withdraws their consent for further processing of their data for this purpose. |
| Customer feedback on the concluded Sales Agreement | Article 6(1)(a) of the GDPR – the data subject has given consent to the processing of their personal data for the purpose of giving a review | Data is stored until the data subject withdraws their consent for further processing of their data for this purpose. |
| Keeping tax records | Article 6(1)(c) of the GDPR in connection with Article 86 §1 of the Tax Ordinance Act of January 17, 2017 (Journal of Laws 2017, item 201) – processing is necessary to comply with a legal obligation to which the Controller is subject | Data is stored for the period required by law that obliges the Controller to retain tax records (until the expiration of the tax liability limitation period, unless tax law states otherwise) |
| Establishing, exercising or defending claims that may be raised against the Controller | Article 6(1)(f) of the GDPR (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller, namely to establish, exercise or defend legal claims | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims that may be raised against the Controller (the standard limitation period is six years). |
| Use of the Online Store website and ensuring its proper operation | Article 6(1)(f) of the GDPR (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller, namely operating and maintaining the Online Store website | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims against the Controller (the standard limitation period is six years). |
| Conducting statistics and analyzing traffic in the Online Store | Article 6(1)(f) of the GDPR (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller, namely maintaining statistics and analyzing traffic in the Online Store to optimize its functioning | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims against the Controller (the standard limitation period is six years). |
4.1. For the proper functioning of the Online Store, including the execution of Sales Agreements, the Controller must use the services of external entities (e.g., software providers, couriers, payment processors). The Controller uses only those processors who provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing complies with GDPR and protects the rights of data subjects.
4.2. Data is not transferred in every case and not to all recipients listed in this Privacy Policy. The Controller shares data only when it is necessary for the specific purpose of personal data processing and only to the extent necessary. For example, if the Client chooses personal pickup, their data will not be shared with the courier.
4.3. Personal data of Users and Clients of the Online Store may be disclosed to the following recipients or categories of recipients:
4.3.1. Carriers / forwarders / courier brokers / warehouse and shipping service providers – if the Client uses postal or courier delivery, the Controller shares the Client’s data with the relevant shipping entity and, if the shipment is made from an external warehouse, with the warehouse operator – to the extent necessary to deliver the Product.
4.3.2. Payment processors – if the Client uses electronic or card payment, the Controller shares the Client’s data with the payment provider to the extent necessary for payment processing.
4.3.3. Credit providers / leasing companies – if the Client uses installment or leasing payments, data is shared with the relevant provider to the extent necessary.
4.3.4. Opinion survey providers – if the Client consents to review a Sales Agreement, data is shared with a survey provider to allow the Client to leave feedback.
4.3.5. IT and business service providers – such as software, email, hosting, and customer support providers, only to the extent needed for the processing purpose.
4.3.6. Accounting, legal, and advisory service providers – including law firms, accounting firms, and debt collection agencies, only as necessary.
4.3.7. Providers of social media plugins, scripts, and similar tools – enabling the visitor’s browser to retrieve content from these providers and send them personal data, including:
4.3.7.1. Meta Platforms Ireland Ltd. – The Controller uses Facebook plugins (e.g., Like, Share, or Facebook Login) and may share personal data with Meta, as per their privacy policy: https://www.facebook.com/about/privacy/
5. PROFILING IN THE ONLINE STORE
5.1. Under the GDPR, the Controller must inform about automated decision-making, including profiling, per Article 22(1) and (4). This section explains such activities.
5.2. The Controller may use profiling for direct marketing. However, decisions made based on profiling do not concern the conclusion or refusal of a Sales Agreement or use of Electronic Services. Profiling may result in personalized offers like discounts, product recommendations, or reminders about abandoned carts. The user remains free to decide whether to take advantage of such offers.
5.3. Profiling is based on automated analysis or prediction of behavior, e.g., adding a Product to the cart, browsing a Product page, or analyzing purchase history. Profiling requires the Controller to have the person’s data, e.g., to send them a discount code.
5.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, if it significantly affects them legally or similarly.
6. DATA SUBJECT RIGHTS
6.1. Right of access, rectification, restriction, deletion, and portability – The data subject has the right to request access, rectification, deletion (“right to be forgotten”), restriction, objection, and data portability under Articles 15–21 GDPR.
6.2. Right to withdraw consent at any time – If data is processed based on consent (Article 6(1)(a) or Article 9(2)(a)), the subject may withdraw it at any time without affecting the lawfulness of processing done before withdrawal.
6.3. Right to lodge a complaint – The data subject has the right to lodge a complaint with a supervisory authority, especially the President of the Personal Data Protection Office in Poland.
6.4. Right to object – The data subject may object at any time to data processing based on Article 6(1)(e) or (f), including profiling. The Controller may no longer process such data unless it demonstrates compelling legitimate grounds or for the establishment, exercise, or defense of legal claims.
6.5. Right to object to direct marketing – If data is processed for direct marketing purposes, including profiling, the data subject can object at any time.
To exercise any of these rights, contact the Controller via written message, email (as listed in the Privacy Policy), or the contact form on the Online Store website.
7. COOKIES AND ANALYTICS
7.1. Cookies are small text files sent by the server and stored on the user’s device (e.g., hard drive, smartphone memory) depending on the device used. More info: https://en.wikipedia.org/wiki/HTTP_cookie
7.2. Cookies used by the Online Store can be categorized based on:
| By provider | By storage duration on the user's device | By purpose |
|---|---|---|
|
|
|
| Purpose of Using Cookies | Description |
|---|---|
| User Identification | Identification of users as logged into the Online Store and showing that they are logged in (necessary cookies) |
| Products in Cart | Remembering products added to the cart for order placement (necessary cookies) |
| Form Data | Remembering data from filled Order Forms, surveys, or login data (necessary and/or functional/preference cookies) |
| Website Customization | Customizing the content of the Online Store website to the individual preferences of the user (e.g., colors, fonts, page layout) and optimizing usage (functional/preference cookies) |
| Anonymous Statistics | Conducting anonymous statistics presenting how the website is used (statistical cookies) |
| Remarketing and Analytics | Studying visitor behavior through anonymous analysis (e.g., visits, keywords) to create profiles and match advertisements on other websites (marketing cookies) |
Necessary Cookies:
These cookies are essential for the proper functioning of our website, e.g., for managing the shopping cart and login.Analytical Cookies:
Used to monitor website traffic and analyze user behavior:
_ga – used by Google Analytics to distinguish users (validity: 2 years).
_gid – used by Google Analytics to distinguish users (validity: 24 hours).
_gat – used by Google Analytics to limit the number of requests (validity: 1 minute).
Advertising Cookies:
Used to personalize ads and measure their effectiveness:
_gcl_au – used by Google Ads for ad performance experiments (validity: 90 days).
7.4. Checking in the most popular web browsers which cookies (including their lifespan and provider) are currently sent by the Online Store website is possible in the following way:
| In Chrome browser: (1) Click the padlock icon on the left side of the address bar, (2) go to the "Cookies" tab. | In Firefox browser: (1) Click the shield icon on the left side of the address bar, (2) go to the "Allowed" or "Blocked" tab, (3) click the "Cross-site tracking cookies," "Social media trackers," or "Content with trackers" section. | In Internet Explorer browser: (1) Click the "Tools" menu, (2) go to the "Internet Options" tab, (3) go to the "General" tab, (4) click the "Settings" button, (5) click "View files". |
| In Opera browser: (1) Click the padlock icon on the left side of the address bar, (2) go to the "Cookies" tab. | In Safari browser: (1) Click the "Preferences" menu, (2) go to the "Privacy" tab, (3) click "Manage Website Data". |
Regardless of the browser, you can use tools available at, for example: https://www.cookiemetrix.com/ or https://www.cookie-checker.com/ |
7.5. By default, most internet browsers available on the market accept Cookies storage. Everyone has the option to set their own conditions for using Cookies through their browser settings. This means it is possible, for example, to partially restrict (e.g., temporarily) or completely disable the ability to save Cookies — however, in the latter case, this may affect some functionalities of the Online Store (for example, it may become impossible to complete the Order process via the Order Form due to the failure to remember Products in the cart during subsequent steps of placing the Order).
7.6. Browser settings regarding Cookies are important in terms of consent to the use of Cookies by our Online Store — according to regulations, such consent may also be expressed through browser settings. Detailed information about changing Cookie settings and deleting Cookies independently in the most popular internet browsers can be found in the browser’s help section and at the following pages (just click the link):
in Chrome browser
in Firefox browser
in Internet Explorer browser
in Opera browser
in Safari browser
in Microsoft Edge browser
7.7. The Administrator may use Google Analytics and Universal Analytics services provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) in the Online Store. These services help the Administrator generate statistics and analyze traffic in the Online Store. The collected data are processed within these services to generate aggregated statistics useful for managing the Online Store and analyzing its traffic. This data is aggregated. Using these services, the Administrator collects data such as the source and medium of visitors coming to the Online Store, their behavior on the Online Store’s website, information about devices and browsers used to visit the site, IP addresses and domains, geographic data, demographic data (age, gender), and interests.
7.8. It is possible for individuals to easily block the sharing of their activity data on the Online Store website with Google Analytics — for example, by installing a browser add-on provided by Google Ireland Ltd. available here: https://tools.google.com/dlpage/gaoptout?hl=en.
7.9. Due to the possibility of the Administrator using advertising and analytics services provided by Google Ireland Ltd. in the Online Store, the Administrator indicates that full information about the data processing principles of visitors to the Online Store (including information stored in Cookies) by Google Ireland Ltd. can be found in Google’s privacy policy at the following website: https://policies.google.com/technologies/partner-sites.
7.10. The Administrator may use the Facebook Pixel service provided by Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) in the Online Store. This service helps the Administrator measure the effectiveness of advertisements and learn what actions visitors take on the Online Store, as well as display personalized ads to those visitors. Detailed information about how the Facebook Pixel works can be found at: https://www.facebook.com/business/help/742478679120153?helpref=page_content.
7.11. Managing Facebook Pixel activity is possible through ad settings in your Facebook.com account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
8. FINAL PROVISIONS
8.1. The Online Store may contain links to other websites. The Administrator encourages you to review the privacy policies of those other sites after visiting them. This privacy policy applies only to the Administrator’s Online Store.