Privacy Policy
1. BASIC CONCEPTS AND DEFINITIONS
1.1 The FleeCozy Store is operated by GEX STORE sp. z o.o., with its registered office at pl. gen. Walerego Wróblewskiego 3A/7, 50-413 Wrocław, Poland, entered in the register of entrepreneurs of the National Court Register maintained by the District Court for Wrocław-Fabryczna in Wrocław, 6th Commercial Division of the National Court Register, under KRS number 0001018317, NIP: 7011128517, REGON: 524426242, hereinafter referred to as the “Controller”.
1.2 Personal Data means information about an identified or identifiable natural person based on one or more specific factors defining their physical, physiological, genetic, mental, economic, cultural or social identity, including the device IP address, location data, online identifier and information collected through cookies and other similar technologies.
1.3 Policy - this Privacy Policy, which sets out the rules for processing Personal Data and using cookies and similar tracking technologies within the Website.
1.4 GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5 Website - the website launched by the Controller under the domain https://fleecozy.pl/, accessible via web browsers.
1.6 Store - the FleeCozy online store, available through the Website, through which Gex Store conducts distance sales of goods.
1.7 User - any person visiting the Website or using one or more services or functions described in the Policy.
1.8 Device - an electronic device through which the User gains access to the Website.
2. GENERAL INFORMATION
2.1 In connection with your use of the Website, we collect data necessary to provide the services offered, as well as information about your activity on the Website. We are the Controller of your Personal Data and attach great importance to its proper protection. We ensure that our data processing processes comply with applicable law, in particular the GDPR. Our aim is to provide full information on how we process your Personal Data and to make available tools that allow you to exercise your rights. Below we present information on how we process your Personal Data.
2.2 We process your Personal Data lawfully, taking care to keep it up to date and accurate. Therefore, we may remind you to update it if this is necessary for the provision of services or required by law, by sending a message to the email address you provided or by publishing a notification on the Website after you log in to your account.
3. HOW TO CONTACT THE DATA CONTROLLER?
3.1 If you have questions concerning the processing of your Personal Data or wish to exercise your rights, you may contact the Controller:
a) by email: info@fleecozy.com;
b) in writing at: GEX STORE sp. z o.o., pl. gen. Walerego Wróblewskiego 3A/7, 50-413 Wrocław, Poland;
c) via the contact form available on the Website.
3.2 The Controller has not appointed a Data Protection Officer because it is not obliged to do so under Article 37 of the GDPR.
4. HOW DO WE COLLECT YOUR PERSONAL DATA?
4.1 We collect your Personal Data directly from you, as well as automatically through the technologies used on the Website, in order to properly provide our services and ensure the efficient functioning of our Website. You provide us with your data primarily through dedicated forms when making purchases in our Store, which operates under the Store Terms of Use. You may subscribe to our newsletter or contact us, for example via the contact form. We also receive your data when you use other services available on the Website, for example when browsing products in the Store.
5. IS PROVIDING PERSONAL DATA MANDATORY?
5.1 You decide whether you wish to provide us with Personal Data whose provision is optional. However, please note that in some cases providing Personal Data is necessary for the proper performance of the services we offer or for the conclusion and performance of a contract, as described below.
6. HOW DO WE PROCESS YOUR PERSONAL DATA?
USE OF THE WEBSITE
6.1. If you use the Website but are not a registered user, meaning that you do not have an account on the Website, we process your Personal Data, including your IP address or other identifiers and information collected through cookies or other similar technologies:
6.1.1 for the purpose of providing electronic services consisting in displaying to you the content made available on the Website - the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR);
6.1.2 for basic analytical and statistical purposes related to the functioning of the Website, within the scope of technical and aggregated data, if this does not require the use of cookies or similar technologies requiring consent - the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in analysing Users’ activity and improving the operation of the Website;
6.1.2a within the scope of analytics conducted using cookies or similar technologies that require the User’s consent - the legal basis for processing is the User’s consent (Article 6(1)(a) GDPR).
6.1.3 for the purpose of possible establishment and pursuit of claims or defence against claims - the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the protection of its rights and property interests;
6.1.4 for marketing purposes of the Controller and other entities, in particular related to displaying behavioural advertising - the rules for processing Personal Data for marketing purposes are described in the MARKETING section.
6.2 Your activity on the Website, including your Personal Data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and activities related to the IT system used to provide our services). Information collected in logs is processed primarily for purposes related to the provision of services. We also process it for technical and administrative purposes, to ensure the security and management of the IT system, as well as for analytical and statistical purposes. In this case, the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).
REGISTRATION AND MAINTENANCE OF THE ACCOUNT
6.3 When registering on the Website, we ask you to provide the data necessary to create and maintain an account. If you decide to provide additional data to improve service, it will be processed on the basis of your consent. You may delete this data at any time. Providing data marked as mandatory is necessary to create and maintain the account; failure to provide it prevents the creation of an account. Providing other data is voluntary.
6.4 Your Personal Data is processed:
6.4.1 for the purpose of providing services related to operating and maintaining the account on the Website - the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR), and within the scope of data provided optionally, the legal basis for processing is consent (Article 6(1)(a) GDPR);
6.4.2 for analytical and statistical purposes - the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in conducting analyses of Users’ activity on the Website and the way they use their account, as well as analysing Users’ preferences in order to improve the functionalities used;
6.4.3 for the purpose of possible establishment and pursuit of claims or defence against claims - the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the protection of its rights and property interests;
6.4.4 for marketing purposes of the Controller and other entities - the rules for processing Personal Data for marketing purposes are described in the MARKETING section.
6.5 If the User places Personal Data of other persons on the Website, including their name and surname, address, telephone number or email address, the User may do so only on the condition that it does not violate the law or the personal rights of those persons.
PLACING ORDERS
6.6 If you place an order for goods or services offered by us, your Personal Data will be processed. Providing data marked as mandatory is necessary to accept and fulfil the order, and failure to provide it will prevent the order from being fulfilled. Providing other data is optional.
6.7 Your Personal Data is processed:
6.7.1 for the purpose of fulfilling the order placed - the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR), and within the scope of data provided optionally, the legal basis for processing is your consent (Article 6(1)(a) GDPR);
6.7.2 for the purpose of fulfilling legal obligations incumbent on the Controller, resulting in particular from tax regulations and the Accounting Act - the legal basis for processing is a legal obligation (Article 6(1)(c) GDPR);
6.7.3 for analytical and statistical purposes - the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in conducting analyses of Users’ activity on the Website, as well as the way the account is used, where applicable, and Users’ shopping preferences in order to improve the functionalities used;
6.7.4 for the purpose of possible establishment and pursuit of claims or defence against claims - the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the protection of its rights and property interests.
You may withdraw your consent at any time.
COMPLAINTS AND RETURNS
6.8 If you submit a complaint, report a return or withdraw from the contract, we process your Personal Data to the extent necessary to handle the request, identify the order, contact you, examine the matter and process any refund.
Providing data in the return form, contact form or email message is voluntary, but failure to provide data necessary to identify the order or handle the request may make it impossible or significantly more difficult to properly examine the return, complaint or withdrawal from the contract.
6.9 Your Personal Data is processed:
6.9.1 for the purpose of examining a complaint concerning the Goods, including a complaint related to the lack of conformity of the Goods with the contract - the legal basis for processing is the legal obligation incumbent on the Controller (Article 6(1)(c) GDPR) and, to the necessary extent, the performance of the sales contract (Article 6(1)(b) GDPR);
6.9.2 for the purpose of handling withdrawal from the contract, return of the Goods and refund of payment - the legal basis for processing is the legal obligation incumbent on the Controller arising from consumer rights regulations (Article 6(1)(c) GDPR), as well as the performance of the sales contract to the extent necessary to settle the return (Article 6(1)(b) GDPR);
6.9.3 for the purpose of fulfilling other legal obligations incumbent on the Controller, resulting in particular from tax regulations and the Accounting Act - the legal basis for processing is a legal obligation (Article 6(1)(c) GDPR);
6.9.4 for analytical and statistical purposes - the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in conducting analyses of Users’ activity on the Website, as well as the way the account is used and Users’ shopping preferences in order to improve the functionalities used;
6.9.5 for the purpose of possible establishment and pursuit of claims or defence against claims - the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the protection of its rights and property interests.
CONTACT FORM
6.10 We enable you to contact us through a contact form. Using this form requires you to provide Personal Data necessary to contact you and respond to your inquiry. Providing data marked as mandatory is necessary to accept and process your inquiry; failure to provide this data will make it impossible to process your inquiry. Providing other data, for example in the content of the inquiry, is voluntary. Please do not submit special categories of data referred to in Article 9 GDPR in the content of your message.
6.11 Your Personal Data is processed:
6.11.1 for the purpose of identifying and handling your inquiry sent via the available form - the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the need to resolve the matter reported by you and conduct correspondence addressed to the Controller in connection with its business activity;
6.11.2 for analytical and statistical purposes - the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in keeping statistics on requests submitted by Users through the Website in order to improve its functionality.
COUNTERACTING ABUSE
6.12 To ensure the proper functioning of our Store and prevent abuse, we monitor whether Users undertake actions that could hinder other customers from using the Store. This applies in particular to placing orders of unusual or excessive value, indicating a lack of intention to keep the goods, as well as placing orders in quantities suggesting purchase for further resale while declaring consumer status.
The analysis is based on order, payment and return history and serves solely to detect potential abuse.
The indicated analysis may involve automated data processing, but a decision to block or delete an account is not made solely by automated means. Any decision is preceded by an assessment carried out by an authorised employee of the Controller, who verifies the results of the analysis and takes additional circumstances into account.
Before making a final decision, we send a warning message to the email address assigned to the account, enabling the User to explain the situation.
You have the right to present your position, challenge the result of the analysis, request re-verification of the data by the Controller’s staff and appeal against the decision. To do so, please contact us in the manner described in section 3.
The described activities do not lead to decisions producing legal effects concerning the User or similarly significantly affecting the User within the meaning of Article 22 GDPR.
GEOLOCATION
6.13 Your Personal Data, including location information, is processed in order to enable you to find the nearest physical pickup points. Use of this function is optional and is not required for the proper use of the Website.
The legal basis for processing this data is your consent (Article 6(1)(a) GDPR), expressed in the form of consent to use location services on your mobile device by allowing the browser or application to access location services.
We process your location data only with your consent. Consent may be withdrawn at any time by revoking access permissions to location information on your mobile device. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
Location data may include: approximate location based on IP address or precise GPS data, depending on the permissions granted to the device.
We do not store location data.
7. MARKETING
7.1 After you give the relevant consent (Article 6(1)(a) GDPR), which you may withdraw at any time, we process your Personal Data for marketing purposes, which may include:
7.1.1 displaying marketing content matching your interests (behavioural advertising);
7.1.2 carrying out activities related to direct marketing of goods and services, including sending commercial information electronically and telemarketing activities. Sending commercial information and conducting telemarketing activities requires separate consents in accordance with national regulations.
7.2 For marketing purposes, we sometimes use profiling. This means that through automated data processing we assess certain factors concerning you in order to analyse your behaviour or make predictions for the future. This allows us to better match the displayed content to your individual tastes and interests.
REMARKETING (BEHAVIOURAL ADVERTISING)
7.3 Together with our trusted partners, we process your Personal Data, including Personal Data collected through cookies and other similar technologies (data about activity on the Website, viewed products, clicks, device information and approximate location), for marketing purposes related to directing behavioural advertising to you, meaning advertising matched to your preferences. In this case, the processing of Personal Data also includes profiling, the result of which is only the display of personalised advertisements based on your Personal Data obtained by us and our partners.
Processing takes place solely on the basis of your consent (Article 6(1)(a)).
You may withdraw your consent at any time, without affecting the lawfulness of earlier processing.
7.4 You can find the list of the Controller’s trusted partners below in the “Information on the use of cookies” section, under “Our partners”.
DIRECT MARKETING
7.5 If you give your consent, we may use your Personal Data to send you marketing content concerning the goods and services we offer via means of electronic communication, in particular:
-
email (newsletter),
-
MMS/SMS messages,
-
telephone calls.
The legal basis for processing your Personal Data for this purpose is your consent (Article 6(1)(a) GDPR) in connection with specific regulations governing the sending of commercial information and conducting direct marketing.
You may withdraw your consent at any time, without affecting the lawfulness of processing carried out before its withdrawal, by clicking the unsubscribe link included in each email, contacting us at info@fleecozy.com or via the contact form.
7.6 We may also conduct direct marketing by traditional mail, sending marketing materials to the correspondence address provided during account registration or when placing an order.
The legal basis for processing Personal Data for this purpose is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the marketing of its own goods and services.
You have the right to object at any time to the processing of your Personal Data for this purpose. Lodging an objection results in the cessation of data processing for direct marketing purposes. You may submit an objection by contacting us at info@fleecozy.com or via the contact form.
GOOGLE ADS CUSTOMER MATCH
7.7 Marketing of the products and services we offer may be conducted using the Google Ads Customer Match tool. Data processing within Google Ads Customer Match takes place solely on the basis of your consent (Article 6(1)(a) GDPR). The recipients of the data are Google Ireland Limited and Google LLC.
Google Ads Customer Match allows the Controller to upload a hashed database of email addresses (customer list) to Google tools in order to check whether user accounts with the same email addresses have been created in Google services, for example YouTube, Gmail and similar services. If the email addresses are confirmed, users of Google services may be shown the Controller’s advertisements after logging in. Information on displaying advertisements based on a created customer list is available at the following link:https://support.google.com/google-ads/answer/7474263.
In connection with the use of Google Ads Customer Match, data may be transferred to third countries, in particular the USA, in accordance with applicable safeguards such as the EU-US Data Privacy Framework or standard contractual clauses.
You may withdraw your consent at any time, without affecting the lawfulness of processing before its withdrawal.
7.8 To improve the accuracy of measuring the effectiveness of our marketing activities through the Google Ads Customer Match function described above, we will also use a Google tool called “enhanced conversion tracking”. This tool allows the Controller to improve the accuracy of conversion measurement, meaning the purchase of a product on the store website as a result of redirection from another website. To use this tool, we collect conversion data from the store website in encrypted form, including email address data, in a privacy-protecting manner, meaning using a one-way encryption algorithm. Information on enhanced conversions is available at the following link: https://support.google.com/google-ads/answer/9888656.
FACEBOOK CUSTOM AUDIENCE
7.9 Marketing of the products and services we offer may be conducted using the Facebook Custom Audience tool. Data processing within Facebook Custom Audience takes place solely on the basis of your consent (Article 6(1)(a) GDPR).
Facebook Custom Audience is a tool that enables the Controller to upload a hashed database of email addresses to Facebook in order to verify whether user accounts have been created on Facebook using the same email addresses. If the email addresses match, the Controller’s advertisements may be shown to Facebook users after they log in.
Within the scope of using Facebook Custom Audience, we are a joint controller of data with Meta Platforms Ireland Limited. The rules of joint controllership are set out by Meta in the Joint Controller Addendum, available on Meta’s website.
In connection with the use of Facebook Custom Audience, data may be transferred to third countries, in particular the USA, in accordance with mechanisms such as the EU-US Data Privacy Framework or standard contractual clauses.
You may withdraw your consent at any time, without affecting the lawfulness of processing before its withdrawal.
More information on custom audiences can be found here:https://pl-pl.facebook.com/business/help/341425252616329?id=2469097953376494
8. PROCESSING OF DATA OF PERSONS VISITING THE CONTROLLER’S SOCIAL MEDIA PROFILES
8.1 The Controller maintains public profiles on the social media services Facebook, Instagram and Pinterest. Therefore, the Controller processes data left by persons visiting these profiles, including comments, preferences and online identifiers.
Data is processed in parallel by Meta Platforms Ireland (Facebook, Instagram) and Pinterest Europe in accordance with their own privacy policies.
Within the scope of data processed in connection with the Page Insights function, we are a joint controller with Meta Platforms Ireland Ltd. The rules of joint controllership are set out in the Page Insights Controller Addendum.
8.2 Personal Data of such persons is processed:
8.2.1 to enable interaction, including commenting, liking and sending messages;
8.2.2 to effectively manage profiles by providing users of social networks with information about the Controller’s initiatives and other activities, as well as in connection with promoting various events, services and products;
8.2.3 for statistical and analytical purposes;
8.2.4 Data may be processed for the purpose of pursuing or defending against possible legal claims.
8.3 The legal basis for processing Personal Data is the legitimate interest of the Controller (Article 6(1)(f) GDPR), which consists in:
8.3.1 promoting its own brand and improving the quality of the services provided,
8.3.2 conducting activity and preference analysis,
8.3.3 where necessary, in the event of claims being brought or defence against claims.
NOTE: The above information does not concern the processing of Personal Data by the administrators of social media services.
9. INFORMATION ON THE USE OF COOKIES
WHAT ARE COOKIES?
9.1 Cookies, also called “ciasteczka” in Polish, are small text files saved on the device you use when visiting the Website. Cookies enable the Website to function properly, make it easier to use its functions, for example remembering visits or User settings, and help adjust the Website to your needs. By themselves, they cannot transmit viruses or malware because they are ordinary text files. Some cookies may provide us with information about the type of browser used or device settings, which allows us to correctly display content and functionalities. In the following parts of the Policy, we explain what types of cookies we use on the Website and when their use requires your consent.
TYPES OF COOKIES USED BY THE CONTROLLER
9.2 We use the following types of cookies:
9.2.1 Necessary cookies are required for the proper functioning of the Website. These cookies allow the Controller to ensure the secure performance of activities such as fulfilling the User’s order, remembering the logged-in User on the Website after moving to another page, or automatically filling in address data during purchases. Blocking these cookies in the User’s browser may cause the Website to function incorrectly. These cookies are necessary for the operation of the Website and can only be disabled by changing browser settings, which may cause the Website to function incorrectly.
Specific purposes of using technical cookies:
a) ensuring the security and reliability of the Website;
b) carrying out processes necessary to ensure the full functionality of the Website, including in particular:
- adapting the Website content in order to enable the User to fully use the available functionalities and optimise the use of the Website. In particular, these files allow the basic parameters of the User’s Device to be recognised and the Website to be displayed accordingly;
- supporting basic Store functions such as the cart, order placement process, remembering the User session, login security and the proper operation of forms available on the Website.
- enabling the use of the Wishlist and Cart functions on the Website.
9.2.2 Analytical cookies are used by the Controller both to analyse Users’ behaviour on the Website for business purposes and to understand how Users use the Website. This allows the Controller to determine which functions require improvement or updating. Information collected through analytical cookies is collected in a manner that allows statistics to be created, but the Controller does not use it to identify Users; on its basis, the Controller is not able to identify the User from whom it originates.
Analytical cookies are used only after you have given your consent.
9.2.3 Personalisation cookies allow us to analyse Users’ behaviour on the Website and their shopping preferences, which enables us to provide Users with personalised product offers, modify Website functionality and publish sponsored content. We use this data to match the Website content and functionalities to your preferences. It may also be used to test and improve our services and is not used to directly identify the user.
9.2.4 Advertising cookies allow the Controller to match displayed advertisements to Users’ preferences and interests, meaning to direct so-called behavioural advertising to Users. They allow entities cooperating with the Controller, such as advertising network operators including Google, Facebook or Instagram, to match displayed advertising content to the User’s preferences. Advertising cookies are used only after consent has been given.
COOKIE STORAGE PERIOD
9.3 The cookies described above can be divided into two types according to their storage period:
9.3.1 Session cookies - stored on the Device only until the browser session ends. When the browser is closed, these files are automatically deleted.
9.3.2 Persistent cookies - remain on the Device after the browser session ends. They may be stored for the period indicated in their parameters, which varies depending on the type of file and the provider, unless the User deletes them manually earlier.
Some persistent cookies are set by our partners, for example Google or Meta, who define their own storage periods in accordance with their privacy policies.
If the User withdraws consent, the use of cookies that required such consent is stopped.
MANAGING COOKIES ON THE WEBSITE
9.4 Only necessary cookies are required for the proper functioning of the Website. Other types of cookies, analytical, personalisation and advertising cookies, are used only after you give your consent. You may grant, restrict or withdraw consent to the use of these cookies at any time using the control panel available on our Website under the “Your cookies” tab, located at the bottom of the Website.
Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
Independently of this, you may also manage cookies directly through your browser settings, where you can block, restrict or delete them.
PARTNERS
9.5 Some cookies used on our Website are placed by external partners with whom we cooperate in the areas of analytics, personalisation and marketing.
These partners use their own cookies and process data in accordance with their privacy policies.
Depending on the tool, data may also be transferred to third countries, for example the USA, on the basis of appropriate legal mechanisms, such as the EU-US Data Privacy Framework or standard contractual clauses.
Current list of partners:
|
Partner |
Legal name |
Privacy Policy |
Category |
Storage period |
|
Google Ads / Google Marketing Platform |
Google Ireland Ltd |
marketing |
Depends on the cookie type (usually 30-400 days) |
|
|
Meta (Facebook, Instagram) |
Meta Platforms Ireland Ltd |
marketing |
Depends on the cookie type (usually up to 90 days) |
|
|
Google Analytics (GA4) |
Google Ireland Ltd |
analytics |
Set by Google (e.g. 2-14 months) |
|
|
|
Pinterest Europe Ltd |
marketing |
Depends on the cookie type (e.g. 30-180 days) |
10. WHO WILL WE SHARE YOUR PERSONAL DATA WITH?
10.1 We may transfer your Personal Data to entities cooperating with us in the provision of services, to the extent necessary to perform specific activities. Depending on the type of service, these entities may act as separate data controllers or as processors processing data on our behalf under a data processing agreement (Article 28 GDPR).
10.2 Depending on the selected delivery method, your data, including name, surname, delivery address and telephone number, may be transferred to the carrier or logistics operator, which acts as an independent data controller and processes the data for the purpose of delivery.
If you use geolocation services, location data may be transferred to providers of map services or pickup point operators - only to the extent necessary to indicate the nearest pickup point.
10.3 If you choose a specific payment method, your data may be transferred to the payment operator, for example a bank or payment system, which acts as an independent data controller and processes the data for the purpose of handling the transaction.
10.4 Your data may also be transferred to entities providing accounting, legal, advisory, IT, server, marketing, analytical or logistics services to us. These entities process data only on our instructions and on the basis of a data processing agreement.
10.4a In operating the Store, we use the Shopify platform and related technical services used to operate the online store, orders, payments, security, customer communication and administrative functions. Therefore, Personal Data may be transferred to the provider of the Shopify platform and entities affiliated with that provider to the extent necessary for the proper functioning of the Store and provision of services.
10.5 We may disclose your data to competent public authorities or third parties if there is an appropriate legal basis for doing so, in particular arising from mandatory provisions of law or legally binding requests from such authorities.
10.6 In the case of transferring Personal Data to third countries or international organisations, the Controller applies appropriate safeguards required by the GDPR, in particular European Commission adequacy decisions, standard contractual clauses or other mechanisms provided for by applicable law.
11. HOW LONG WILL WE PROCESS YOUR PERSONAL DATA?
11.1 The period of processing your data depends on the type of service provided and the purpose for which the data is processed. As a rule, we store data for the period of service provision, order fulfilment or until consent is withdrawn, if consent is the basis for processing. Where processing is based on the Controller’s legitimate interest, data is processed until an objection is lodged. Withdrawal of consent or lodging an objection does not affect the lawfulness of processing that took place before that moment.
In addition, some data must be stored for the period required by law, in particular tax and accounting regulations.
11.2 The data processing period may be extended for the time necessary to establish, pursue or defend against claims, but no longer than their limitation period under applicable law. After the periods necessary for processing have elapsed, the data will be permanently deleted or anonymised.
12. HOW DO WE PROTECT YOUR DATA?
12.1 We apply appropriate technical and organisational measures aimed at ensuring the security of your data and limiting the risk of its loss, unauthorised access, unauthorised alteration or disclosure.
These measures may include in particular: access control to systems, HTTPS/SSL connection encryption, administrative account security, limiting access to data only to authorised persons, using security tools provided by technical service providers, and procedures concerning backup creation and incident response.
12.2 Use of the Internet involves a certain unavoidable risk of security incidents. We regularly monitor our infrastructure, update systems and carry out internal checks in order to limit this risk as much as possible.
If a personal data breach occurs that would result in a high risk to your rights or freedoms, we will inform you in accordance with applicable law.
13. WHAT ARE YOUR RIGHTS IN CONNECTION WITH THE PROCESSING OF YOUR PERSONAL DATA?
13.1 In connection with the processing of your Personal Data, you have the following rights:
13.1.1 Right of access to data - you have the right to obtain information as to whether we process your data and, if so, to access it and receive information about the purposes, legal bases, processing period, data recipients and your rights.
13.1.2 Right to receive a copy of data - you have the right to receive a copy of the data processed by the Controller.
13.1.3 Right to rectification of data - you may request correction of incorrect data and completion of incomplete data.
13.1.4 Right to erasure of data (“right to be forgotten”) - you may request deletion of data if it is no longer necessary for the purposes for which it was collected, was processed unlawfully or you have withdrawn consent.
13.1.5 Right to restriction of processing - in the cases provided for in Article 18 GDPR, you may request restriction of processing. In such a case, the data will only be stored, unless further processing is necessary for legal reasons.
13.1.6 Right to data portability - to the extent that data is processed on the basis of consent or a contract and in an automated manner, you have the right to receive the data in a machine-readable format or request that it be sent to another controller.
13.1.7 Right to object to the processing of data for marketing purposes - you may object at any time, and we must take it into account.
13.1.8 Right to object to processing based on legitimate interest - you may lodge an objection for reasons related to your situation. The objection will be honoured unless we demonstrate the existence of important, overriding legally justified grounds for processing.
13.1.9 Right to withdraw consent - if processing is based on consent, you may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing before its withdrawal.
13.1.10 Right to lodge a complaint - if you believe that the processing violates data protection regulations, you may lodge a complaint with the supervisory authority competent for your place of residence.
In Poland, the supervisory authority is the President of the Personal Data Protection Office.
13.1.11 Right to human intervention in the case of a decision based solely on automated processing - you have the right to challenge the decision and obtain its reassessment by a human.
SUBMITTING A REQUEST RELATED TO THE EXERCISE OF RIGHTS
13.2 You may exercise some rights yourself, in particular by editing data in the user panel if you have an account in the Store. For other rights, it is necessary to submit a request.
13.3 You may submit a statement or request concerning the exercise of rights arising from the GDPR by contacting the Data Controller at the email address: info@fleecozy.com, in writing to our registered office address (PL. GEN. WALEREGO WRÓBLEWSKIEGO 3A/7, 50-413 Wrocław) or via the contact form available on the Website.
13.4 We will respond to your request without undue delay, no later than within 30 days of receiving it. If, due to the complexity of the request or the large number of requests received, we are unable to meet this deadline, we will inform you about the extension of the response period, by a maximum of another 60 days, together with the reason.
13.5 To ensure data security, we may ask for additional information necessary to confirm your identity. If we are unable to identify you, we may not be able to fulfil your request in accordance with Article 12(6) GDPR.
13.6 You may submit the request personally or through a representative. If acting through a representative, we may ask you to present a power of attorney. Written form will make it easier to verify the representative’s authorisation.
13.7 If the request was sent electronically, we will also respond in that form, unless you request another form. In other cases, the response will be provided in writing or electronically, provided that this is safe and technically possible.
13.8 We store information concerning submitted requests and their handling to the extent necessary to demonstrate compliance with GDPR provisions and for the purpose of establishing, pursuing or defending against claims. This data is stored for the period resulting from legal provisions and limitation periods for claims. The register is kept with due confidentiality and data integrity.
14. CHANGES TO THE PRIVACY POLICY
14.1 The Policy is reviewed and updated on an ongoing basis where necessary.
Language version: This document is a translation from the main language version of the Store, Polish. In the event of discrepancies between language versions, the Polish version shall prevail, to the extent permitted by applicable law.
Last updated: 24 May 2026
