Privacy Policy
Personal Data Controller
The controller of your personal data is Studio Konstrukcji Waldemar Szypelt with its registered office at ul. Przemysłowa 9, 84-241 Gościcino, NIP: PL5881074075, REGON: 191662483. You can contact the Controller at the e-mail address biuro.studiokonstrukcji@gmail.com or by phone at +48 509-982-551.
The Controller has not appointed a Data Protection Officer (DPO), as it is not required under the provisions of the GDPR. All data protection responsibilities are handled directly by the Controller.
This Privacy Policy applies to the website operated by the Controller. The offer of Studio Konstrukcji Waldemar Szypelt is addressed to customers in Poland and in the European Union, therefore the processing of personal data is carried out in accordance with the legislation in force in the territory of Poland and the EU, including Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR).
Scope of Collected Personal Data
The Controller collects only the personal data necessary to achieve the purposes listed below. Through the contact form on the website, the following data may be collected:
- Full name – to address you properly and identify the sender of the inquiry;
- Email address – to respond to your inquiry or send a reply;
- Phone number – if you prefer to be contacted by phone or if it is required for order fulfillment (e.g., by a courier company);
- Shipping address – necessary when fulfilling an order that requires product delivery to the customer;
- Tax Identification Number (NIP) – required for issuing an invoice (mainly for business clients).
Providing the above data is voluntary but necessary if you wish to use specific features of the website (e.g., sending an inquiry via the form or placing an order). Without the required information, we will not be able to respond to your message or fulfill an order.
Additionally, when using the website, certain technical information may be automatically collected (such as your device's IP address, browser type, session data, and on-site activity) via cookies and other technologies – details on this can be found in the Cookies section below.
Purposes of Personal Data Processing
The Controller processes your personal data solely for specific purposes and only to the extent necessary to achieve those purposes. The purposes of data processing include:
- Contact and handling inquiries – to respond to questions sent via the contact form, email, or phone. The processing includes the data provided in the inquiry (e.g., name, email address, phone number) and serves to handle your matter. The legal basis for such processing is Article 6(1)(f) of the GDPR, i.e. the legitimate interest of the Controller in responding to inquiries and maintaining contact with potential customers.
- Order and service fulfillment – to enter into and perform a contract with the customer, process an order, deliver ordered goods or services to the specified address, and handle billing (issuing invoices, confirming payments). This includes processing the necessary data for contract performance (e.g., name, delivery address, phone number, tax identification number for invoicing). The legal basis is Article 6(1)(b) of the GDPR (performance of a contract to which the data subject is a party). Additionally, for fulfilling accounting and tax obligations (e.g., storing sales documentation, booking invoices containing personal data), the legal basis is Article 6(1)(c) of the GDPR, i.e. compliance with a legal obligation imposed on the Controller.
- Marketing of own products and services – to inform you (as our client or someone interested in our offer) about our products, services, promotions, or company news. This may involve contacting you via email or phone with marketing or commercial information. The legal basis is Article 6(1)(f) of the GDPR – the Controller’s legitimate interest in direct marketing of its own products and services. However, if applicable laws require your prior consent for such contact (e.g., for receiving commercial emails when you are not yet our customer), the legal basis will be Article 6(1)(a) of the GDPR (voluntary consent of the data subject).
- Newsletter – if we launch a newsletter service in the future, your contact details (e.g., email address, name) may be used to send periodic messages containing information about our offer, updates, or other marketing content related to our business. Such a newsletter will be sent only after receiving your explicit consent (legal basis: Article 6(1)(a) of the GDPR). You will be able to withdraw this consent at any time, which will stop the newsletter delivery.
- Statistical analysis and website improvement – to conduct website traffic statistics and analyze how users interact with our website. This helps us improve the website’s structure and content, our offer, and the overall quality of our services. We use analytical tools such as Google Analytics, which collect data about user activity (e.g., number of visits, time spent on the site, traffic sources). The legal basis is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) in optimizing the website and business operations. To the extent that the use of cookies for analytical purposes requires consent (under the so-called Cookie Directive and Polish Telecommunications Law), we rely on your consent expressed through the cookie settings on the website (Article 6(1)(a) of the GDPR).
- Remembering user preferences – to tailor the website’s operation to your individual needs and convenience. This may include remembering your choices and settings on the website (e.g., preferred language, accepted consents, cart content), so future visits are easier and more personalized. The legal basis is Article 6(1)(f) of the GDPR – the Controller’s legitimate interest in ensuring the website’s functionality and user-friendliness.
- Website security – for technical and administrative purposes, to secure our website and IT infrastructure against unauthorized activities (e.g., hacking, fraud attempts, spam), and to ensure data security. As part of these activities, certain technical data may be automatically processed, such as visitors’ IP addresses, device and browser information, access times, and server logs. The legal basis is Article 6(1)(f) of the GDPR – the Controller’s legitimate interest in protecting the integrity of the website, preventing abuse, and ensuring information security.
Cookies
The Administrator's website uses cookies and similar technologies. Cookies are small text files sent by the website and stored on the user’s end device (such as a computer or smartphone) during website browsing. We use cookies for the following purposes:
- Essential and functional cookies – these ensure the proper functioning of the website and its basic features. Such cookies allow, for example, the use of a contact form, a shopping cart (if applicable), or other site mechanisms, as well as maintaining the user session after login (if the site offers login functionality). They also remember your settings (e.g., preferred language, consent preferences) to facilitate your experience on future visits;
- Analytical cookies – these allow the collection of anonymous statistical information about how users interact with our website. They help us understand which pages are most visited, how long users stay on the site, what actions they take, etc. For this purpose, we use tools such as Google Analytics, which also sets its own cookies. Information collected via analytical cookies is aggregated and used solely for statistical analysis and website performance improvement. These data are anonymized (e.g., user IP addresses may be truncated to prevent direct identification) and do not allow us to determine your identity;
- Marketing cookies – these are used for marketing and advertising purposes, allowing us to show you personalized advertising content and measure the effectiveness of our marketing efforts. Our website may integrate marketing tools and social media plugins provided by external partners such as Google (e.g., Google Ads), Facebook (Meta Pixel, also used for Instagram), LinkedIn (LinkedIn Insight Tag), Pinterest or TikTok (TikTok Pixel). These tools may use their own cookies or similar tracking technologies. As a result, information about your activity on our website—such as visiting a specific page or performing a certain action—may be shared with these third parties. This information may then be used to target you with our ads on those platforms or to analyze the performance of our campaigns. The use of marketing cookies is generally based on your voluntary consent.
Cookies used on our website are not intended to identify your personal identity. We do not combine cookie data with information provided via the contact form or during the ordering process.
Please note that you can manage cookie settings through your web browser. Most browsers accept cookies by default, but you can change these settings yourself – for example, you can block cookies entirely or partially (e.g., only for third-party sites) or receive a notification each time a cookie is being sent to your device. However, restricting or disabling cookies may affect some functionalities of our website – such as proper operation of the contact form, the ordering process, or remembering language preferences.
Information on how to manage cookie settings in the most popular web browsers can be found in their respective help sections. If you do not change your browser settings and continue to use our website, we will assume that you consent to the use of cookies in accordance with this Privacy Policy.
Data Recipients
In connection with the purposes of data processing outlined above, the following categories of recipients — i.e., entities to whom the Controller discloses or entrusts personal data to the extent necessary — may have access to your personal data:
- Hosting and IT service providers – entities responsible for hosting the website and maintaining IT infrastructure (such as servers, email services, etc.). Entrusting data to these entities (e.g., a hosting company) is necessary for the proper functioning of the website and storing data (including content submitted via the contact form). These entities process data solely on behalf of the Controller and on the basis of appropriate agreements ensuring confidentiality and data security (data processing agreements).
- Accounting office – an entity responsible for the Controller’s accounting services. To the extent necessary to fulfill accounting and tax obligations, the accounting office may access personal data contained in financial documents (e.g., invoices with name, address, VAT number). The accounting office processes data on behalf of the Controller strictly for settlement purposes, based on a contract and in accordance with data protection regulations.
- Courier and shipping companies – in cases where we send goods or materials to you, the data necessary for delivery (such as recipient name, delivery address, and contact phone number) will be provided to the courier or transportation company handling the shipment. Such entities become independent data controllers for the purpose of delivery, using the data only to complete the delivery and contact you if necessary (e.g., by phone).
- Providers of analytical and marketing tools – companies whose tools we use for analyzing traffic on the website and conducting marketing activities (as mentioned above, including Google, Meta/Facebook/Instagram, LinkedIn, Pinterest, TikTok). In practice, this means that, for example, Google (via Google Analytics) may receive certain user information (such as cookie data, approximate location, or device details) in order to generate statistics, while Meta Platforms Ireland Ltd. may receive data from the Facebook/Instagram pixel to help us target advertisements on those platforms. These entities usually act as independent data controllers for the information they receive (using it in accordance with their own policies and terms), but we use their services only through legally compliant mechanisms (e.g., by concluding relevant contracts or accepting terms that ensure GDPR-compliant data protection).
- Other subcontractors and business partners – to whom the Controller outsources specific services or cooperates with in the course of business operations. These may include IT service providers, marketing agencies, legal advisors, or consultants. If access to personal data is necessary in such cooperation (e.g., forwarding a legal case that contains your personal data or using an external CRM system), the Controller ensures that a proper agreement is in place with such entities (data processing agreement or confidentiality clause) and that data is used strictly for the intended purpose.
The Controller guarantees that your personal data is not disclosed or sold to unauthorized entities. Each of the above-mentioned recipients receives only the information necessary to perform a specific task (for example, a courier does not receive information about purchased products, only the data required to deliver the package). All entities processing data on behalf of the Controller operate based on agreements that ensure data protection and comply with the requirements of the GDPR.
It should also be noted that, in exceptional cases, the Controller may be legally obliged to disclose your personal data to public authorities authorized under the law (e.g., the police, public prosecutor’s office, courts, or administrative bodies). Such disclosure may occur only if there is an appropriate legal basis (e.g., a court order) and within the limits of applicable regulations.
Data Transfers Outside the EU
As a rule, the Controller seeks to store and process your personal data within the territory of the European Economic Area (EEA). However, the use of certain tools and services provided by external vendors may involve transferring data to countries outside the EEA (so-called third countries), particularly the United States of America (USA). For example, providers such as Google, Meta (Facebook/Instagram), LinkedIn, Pinterest, or TikTok may process collected data on servers located outside the EU.
In each case of transferring personal data outside the EEA, the Controller ensures the application of appropriate safeguards required by law to protect the privacy and rights of the data subjects. Such safeguards may include, among others: standard contractual clauses approved by the European Commission in agreements with data recipients, certification mechanisms confirming compliance with data protection standards (where applicable), or requiring recipients to apply binding corporate rules in line with the GDPR.
You have the right to obtain a copy of the safeguards related to the transfer of your data to a third country—please contact us for this purpose (contact details can be found in the Contact section below). The service providers we currently use (Google, Meta, etc.) declare compliance with data protection standards consistent with European requirements, which enables us to use their solutions while maintaining a high level of protection for your privacy.
User Rights
Individuals whose personal data is processed—i.e., you, as users of our website or customers—are entitled to specific rights regarding the processing of their personal data. In accordance with the GDPR, you have the right to:
- Access your data – to obtain confirmation of whether we process your personal data, and if so, to receive information such as the purposes and methods of processing and a copy of the data being processed;
- Rectify your data – to request immediate correction of inaccurate personal data concerning you, or to complete incomplete data;
- Erase your data – to request the erasure of personal data concerning you in the cases provided for by law (the so-called "right to be forgotten"). You may request erasure, for example, when the data is no longer necessary for the purposes for which it was collected, or if you have withdrawn your consent and there is no other legal basis for processing;
- Restrict processing – to request a restriction of the processing of your personal data (typically temporarily or within a specific scope), e.g., if you contest the accuracy of the data (for a period allowing us to verify it) or if you have objected to processing—then, until the objection is resolved, we may limit processing operations to storage only;
- Data portability – to receive the personal data you provided to us in a structured, commonly used, machine-readable format and, where technically feasible, to transmit this data to another data controller. This right applies to data processed based on your consent or contract and by automated means;
- Object to processing – to object at any time, for reasons related to your particular situation, to the processing of your personal data where it is based on our legitimate interest (Art. 6(1)(f) GDPR). Once an objection is submitted, we will no longer process your data for that purpose unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims. Regardless of the above, you always have the right to object to processing for direct marketing purposes—if you do, we will immediately stop processing your data for such marketing;
- Withdraw your consent – if the processing is based on your consent, you have the right to withdraw it at any time. The withdrawal will apply going forward (it does not affect the legality of processing carried out before the withdrawal). This means that from the moment consent is withdrawn, we will no longer process your data for the purposes previously consented to;
- Lodge a complaint with a supervisory authority – if you believe that our processing of your personal data violates applicable data protection laws, you have the right to lodge a complaint with the relevant supervisory authority. In Poland, the competent authority is the President of the Personal Data Protection Office (PUODO), address: ul. Stawki 2, 00-193 Warsaw.
You may contact the Data Controller in any convenient way (e.g., by email or in writing – contact details are provided below). We will respond to your request to exercise your rights without undue delay – no later than within one month of receiving your request. In the case of particularly complex requests or a large number of requests, this period may be extended to two months, of which you will be informed. The exercise of most rights is free of charge; only in the case of excessive or repetitive requests may we charge an administrative fee in accordance with the GDPR.
Data Security
The Data Controller takes special care to ensure the security of processed personal data. To this end, appropriate organizational and technical measures are implemented in accordance with applicable data protection regulations. Our website uses encrypted connections via HTTPS/SSL protocol, which means that any data transmitted by users (e.g., when completing and submitting a contact form) is encrypted and protected against unauthorized access or modification.
Personal data stored electronically is secured on the hosting provider’s servers, which implement physical protection measures (such as access control to data centers) and software solutions that prevent attacks and data loss (firewalls, intrusion detection systems, regular backups, etc.). Access to systems where data is processed is password-protected and granted only to authorized personnel.
The Data Controller and any authorized collaborators have received training in data protection and are obligated to maintain confidentiality. Access to your data is granted only to authorized individuals for whom such access is necessary to perform their duties (principle of data access minimization). Ongoing monitoring of operations on personal data is conducted to minimize the risk of unauthorized use.
If a personal data breach occurs (e.g., data leak or loss) that could pose a high risk to your rights or freedoms, you will be informed in accordance with GDPR requirements, and the Data Controller will take all necessary actions to minimize any potential negative consequences of such an incident.
Data Retention Period
Your personal data will be retained only for as long as necessary to achieve the purposes for which it was collected and will then be deleted or anonymized unless further retention is required by law. In practice, this means that we retain data:
- For the duration of the business relationship/service provision – data obtained in connection with the conclusion of a contract or submission of an inquiry is stored for the duration of that agreement/order, and also after its completion – for the period necessary for after-sales service (e.g., handling complaints, returns) and ensuring the possibility of further cooperation;
- For the duration of the Data Controller's business activity – with regard to customer data and correspondence stored in our databases (e.g., communication history, business contact database). This means we will generally store your data in our customer database as long as we conduct business and the data remains up to date and necessary to achieve the purposes set out in this policy, unless you exercise your rights earlier (e.g., request data deletion, object to further processing for marketing purposes, etc.);
- For the period required by law – data that we must retain in accordance with applicable legal provisions will be stored for the period specified by those laws. For example, accounting documents (invoices, sales records) containing your personal data must be stored for 5 years from the end of the fiscal year they pertain to, in accordance with accounting and tax regulations. Similarly, data related to warranty or guarantee claims may be retained for the duration of the liability period;
- Until the expiration of potential claims – for the purposes of establishing, pursuing, or defending against any claims that may arise from our relationship (e.g., non-performance or improper performance of a contract). Data necessary for these purposes may be stored until the limitation period for potential claims has expired (which, in most cases, is up to 6 years for financial claims, according to the Civil Code).
Data processed for the purpose of direct marketing of our products/services, based on our legitimate interest (Article 6(1)(f) of the GDPR), will be stored until you submit an effective objection to such processing. If the processing is based on your consent (e.g., newsletter subscriber data), we will process this data until you withdraw your consent.
After the above periods expire, your data will be permanently deleted or anonymized (irreversibly anonymized, making identification impossible), unless another legal basis for further processing exists. For example, if you have provided separate consent for longer storage of specific data, or there is a statutory obligation to retain it longer, we may keep the data beyond the aforementioned periods – but only to the extent and for the time permitted by applicable law.
Contact
If you have any questions, concerns, or wish to exercise your rights regarding personal data, we encourage you to contact the Data Controller. Please direct correspondence via your preferred method:
- Email address: Please write to biuro.studiokonstrukcji@gmail.com – this is the fastest contact method;
- Phone: You can call +48 509-982-551 – we will answer your questions directly or arrange a convenient time to talk;
- Postal Address: Studio Konstrukcji Waldemar Szypelt, ul. Przemysłowa 9, 84-241 Gościcino, POLAND.
The Data Controller makes every effort to respond to all inquiries promptly – no later than 30 days from receipt. In response, we will provide information or confirm the execution of the requested personal data action.
Thank you for reading our Privacy Policy. We are committed to protecting the security and confidentiality of your data and regularly update this information. Any changes to the Privacy Policy will be published on this page. We recommend checking this document periodically for updates. If you have any further questions regarding the Privacy Policy, feel free to contact us using the details provided above.
