Privacy Policy
Date of publication: 14.08.2025
This Privacy Policy outlines the most important information regarding the processing of your personal data. We explain the purposes for which we process your data, the legal basis for doing so, and how long we retain it. We also inform you of your rights related to the processing of your personal data.
PART I. GENERAL PRINCIPLES OF DATA PROCESSING
1. Data controller and data security
The controller of your personal data is Zofia Chylak-Widmańska, doing business under the name Zofia Chylak-Widmańska, ul. Mokotowska 46a m. 23, 00-543 Warsaw, Poland, EU VAT number PL 118 159 70 53, Polish Statistical Identification Number REGON 146974571 (referred to in this document as “we” or “the Data Controller”).
If you have any questions or concerns regarding the protection of your data, please contact us at the address above or by email at: help@chylak.com.
All personal data we collect about you is processed by us as the data controller in accordance with the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
We implement appropriate technical and organisational measures required by data protection law to prevent unauthorised access to or modification of your personal data.
2. Voluntary provision of data
Providing your personal data is voluntary. However, without the necessary data, we may be unable to carry out certain actions you request. Providing your data is necessary to conclude a sale contract with us or receive our newsletter.
3. Data recipients
In certain situations, we may share your personal data with third parties, such as:
- External service providers: We engage other companies and individuals to perform tasks on our behalf. These may include entities and individuals providing administrative support, fulfilling orders, offering advisory, accounting, marketing, or legal services, as well as partners supporting us in handling shipments and returns. These external service providers have access to your data only to the extent necessary to perform their duties. They are not allowed to use the data for any other purposes and must process it in accordance with our data processing agreements and applicable data protection regulations.
- Public authorities: If required, we may share your data with public institutions in connection with legal proceedings or regulatory obligations.
4. Transfers of data outside the European Union / European Economic Area
We use various IT tools that may involve servers located in countries outside the European Economic Area (EEA). In particular, when sending newsletters, handling purchases and managing orders, we use tools provided by foreign entities that are covered by decisions of the European Commission on ensuring an adequate level of personal data protection.
This means that the level of protection for your data when transferred abroad is considered equivalent to the protection provided within the European Union (Article 45(3) GDPR).
5. Your rights
In connection with our processing of your personal data, you have a number of rights, including:
- The right to request access to your data, as well as the right to rectify or delete it (“right to be forgotten”);
- The right to withdraw your consent at any time, where the processing is based on your consent. However, withdrawal of consent does not affect the lawfulness of our processing of your data that has been carried out by us prior to the withdrawal;
- The right to object, where your data is processed based on our legitimate interests;
- The right to data portability or restricting the processing of your data when it is processed in connection with the performance of a contract or based on your consent.

If you believe that we are processing your data unlawfully, you have the right to lodge a complaint with the President of the Personal Data Protection Office. More information about submitting a complaint can be found on the Personal Data Protection Office’s website: https://uodo.gov.pl/pl/83/155.
6. Automated decision-making and profiling
Your data is not subject to profiling or automated decision-making.
7. Current version of the Privacy Policy
The current principles on how we process your data are described in this Privacy Policy. This Policy may be updated if we change the way we process your personal data.
PART II. DETAILED INFORMATION ON DATA PROCESSING
1. Sales, returns, and complaints
We obtain the data provided by you that is necessary to conclude a sale contract with you and to fulfill your purchase-related requests.
Purpose of Data Processing | Legal Basis for Processing | Data Retention Period |
---|---|---|
Performance of a sale contract or post-sale services | Article 6(1)(b) GDPR – processing is necessary for the performance of a contract; Article 6(1)(c) GDPR – compliance with a legal obligation (e.g. storing accounting records) | Your data will be retained for 5 years, calculated from the end of the calendar year in which the sale or post-sale service took place. |
Responding to warranty-related requests (statutory warranty for non-conforming goods) | Article 6(1)(b) GDPR – performance of a contract in the context of warranty claims; Article 6(1)(c) GDPR – compliance with a legal obligation (handling claims under a statutory warranty) | Until the end of the statutory warranty period. |
Notification of product availability | Article 6(1)(a) GDPR – consent of the data subject | Until the consent is withdrawn or the product is permanently removed from the collection. |
2. Newsletter
If you have subscribed to our newsletter, we process your personal data to the extent you have provided it to us.
Purpose of Data Processing | Legal Basis for Processing | Data Retention Period |
---|---|---|
Sending the Data Controller’s marketing newsletter | Article 6(1)(a) GDPR – consent of the data subject | Until the consent is withdrawn. |
3. Social media and other forms of contact
When you interact with one of our social media profiles (e.g. by commenting on or liking a post), we may access data you have made publicly available on that platform. This may include, for example, your name and surname, username, profile picture or avatar, the content of your message or comment, and your reaction to a specific post.
If you contact us, depending on the communication channel used, we may process the following data:
- phone number;
- email address;
- name and/or surname;
- other data included in your message;
- information available from your social media profile;
- any other information you may provide.
Purpose of Data Processing | Legal Basis for Processing | Data Retention Period |
---|---|---|
Enabling communication through various channels and promoting our business online | Article 6(1)(f) GDPR – the data controller’s legitimate interest in communicating with you and promoting our business | Your data is processed until you object to such processing, and in any case for no longer than 3 years. |
4. Protection of rights and pursuit of claims
We may also process your personal data for the purpose of protecting our rights and pursuing claims. Such data may originate from various sources, particularly from documents created or obtained in the course of concluding a contract.
Purpose of Data Processing | Legal Basis for Processing | Data Retention Period |
---|---|---|
Protection of the Data Controller’s rights and facilitation of the enforcement of its claims | Article 6(1)(f) GDPR – the data controller’s legitimate interest in the protection and enforcement of its rights and claims. | Until the expiration of the applicable limitation period. |
5. Contact with B2B partners
As part of our cooperation with business partners, we may receive personal data from an entity we work with (e.g. based on an agreement) or from an entity with which we are negotiating an agreement (“Contractor”). If you act on behalf of a Contractor, they may provide us with your personal data to facilitate our cooperation or to sign an agreement. We may also obtain additional information from publicly available sources, such as the National Court Register (KRS) and the Central Register and Information on Economic Activity (CEIDG), to the extent limited to the data disclosed therein.
Purpose of Data Processing | Legal Basis for Processing | Data Retention Period |
---|---|---|
Enabling communication, cooperation, and signing an agreement with Contractors | Where necessary to perform an agreement with you or to take steps at your request prior to entering into it, Article 6(1)(b) GDPR – if you are our Contractor; on the basis of a legitimate interest, which is: verification of the identity of persons representing Contractors, performance of the agreement, including maintaining ongoing contact, Article 6(1)(f) GDPR – if you are a representative or contact person of a Contractor. | Until the expiration of the limitation period for claims. |
6. Legal compliance
The law requires us to retain data from invoices or other documents related to the performance of contracts for a specified period.
We may receive such data directly from you, but we may also obtain additional information from publicly available sources, such as the National Court Register (KRS) and the Central Register and Information on Economic Activity (CEIDG), limited to the data disclosed therein.
Purpose of Data Processing | Legal Basis for Processing | Data Retention Period |
---|---|---|
Compliance with the Data Controller’s legal obligations | Article 6(1)(c) GDPR – compliance with the data controller’s legal obligation, in particular under the Tax Ordinance Act of 29 August 1997 (consolidated text: Journal of Laws of 2025, item 111), and the Accounting Act of 29 September 1994 (consolidated text: Journal of Laws of 2023, item 120, as amended). | Until the legal obligation to retain the data expires. |
PART III. COOKIES POLICY
1. Data collected automatically – cookies
Our website collects certain data automatically. We may obtain information through automated means, such as browser cookies, pixels, web server logs, web beacons, and other technologies. These technologies may be used, for example, to ensure the proper functioning of the website by remembering information about the visitor so it does not need to be re-entered, or to tailor the site to the visitor’s preferences. We also use cookies for analytical or advertising purposes, such as to manage and measure the website’s usability or otherwise improve its performance.
The types of information we collect automatically include:
- Information about your device, including your MAC address, IP address, log information, device model, hardware model, IMEI number, serial number, subscription information, device settings, connections with other devices, mobile network operator, browser characteristics, app usage data, sales code, access code, current software version, MNC, subscription details, and random, non-persistent, and resettable device identifiers such as Personalised Service Identifier (PSID) or advertising identifiers (including the Google advertising ID);
- Information about your use of the website, such as clickstream data, your interactions with our web pages (such as the websites you visit, search terms, and applications and features you use), referring and exit pages, as well as the date and time of website usage, and your interactions with third-party websites, apps, and features associated with our services;
- Information on your use of third-party websites, applications, and features linked to us.
2. Source
As part of our use of cookies, we may obtain data automatically from the following entities:
- Google Ads, Google Analytics (Google Ireland, Gordon House, Barrow Street, Dublin 4, Ireland),
- Facebook Ads (Meta Platforms Ireland Ltd., 6 Serpentine Ave, Dublin, D04 H0C9, Ireland).
3. Purposes and legal basis for data processing
When we use cookies, we may process your data for the purposes, on the legal basis, and for the retention periods indicated in the table below:
Purpose of Data Processing | Legal Basis for Processing | Data Retention Period |
---|---|---|
Website analysis and personalisation, as well as online marketing. We use the data to personalise content and to analyse website traffic and user activity. | Article 6(1)(f) GDPR – the data controller’s legitimate interest. This consists in analysing visitor activity on the website in order to optimise the services provided and to market our own goods or services. | Data collected via cookies is automatically deleted after the period indicated in the cookie banner, unless you object to such processing earlier. |
4. Cookies used
Cookies (except for those necessary for the operation of the website) are installed with your consent. You can withdraw your consent at any time by changing the cookie settings in the cookie banner or by adjusting your browser settings.
We use cookies such as:
Essential cookies
They must be present on the website to ensure its basic functions and to allow access to site functionalities such as logging in and electronic payments.
Cookies created by:
- PayPal
- Braintree Payments
- Cardinal Commerce
- Shopify
Analytics cookies
They are used primarily to collect data on how users use the website and whether error messages appear on web pages. These cookies only monitor site performance during user interaction and do not collect information that could identify visitors.
Cookies created by:
- Google Analytics
Advertising cookies
They allow for sending advertisements or analysing user behaviour on this and other websites for marketing purposes. These cookies allow access to personalised ads based on the user’s interests.
Cookies created by:
- Meta