PRIVACY POLICY

Last Updated: January 13, 2026


1. INTRODUCTION AND GENERAL INFORMATION

This Privacy Policy describes how Chinczyk.com (hereinafter: "Shop", "We", "Us", "Our") collects, uses, stores, discloses, and protects personal data of users ("User", "Customer") of our e-commerce platform.

This Policy has been prepared in compliance with applicable legal regulations, in particular:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
  • Law on Protection of Personal Data of May 10, 2018
  • Law on Protection of Competition and Consumers
  • Directive 2000/31/EC on Electronic Commerce
  • Law on Electronic Commerce

We care about your privacy and want you to feel secure when using our services. Below, we present you with the most important information about how we process your personal data and use cookies.


2. CONTROLLER OF PERSONAL DATA

The controller of personal data is:

  • Name: "FIRMA HANDLOWA - MEBLE" SYLWIA NIEMCZYK
  • Legal Form: Business Operator (Sole Proprietor)
  • Business Address: ul. Leśna 10A, 74-105 Pniewo
  • Tax ID (NIP): 8581079288
  • REGON: 810547668
  • Email: shop@chinczyk.com


3. YOUR RIGHTS - QUICK OVERVIEW

As a data subject, you have the following rights:

  • Right of Access – you can request a copy of your data from us (Art. 15 GDPR)
  • Right to Rectification – you can correct inaccuracies in your data (Art. 16 GDPR)
  • Right to Erasure ("Right to be Forgotten") – you can request the deletion of your data (Art. 17 GDPR)
  • Right to Restrict Processing – you can limit how we use your data (Art. 18 GDPR)
  • Right to Data Portability – you can receive your data in electronic format (Art. 20 GDPR)
  • Right to Object – you can object to the processing of your data (Art. 21 GDPR)
  • Right to Withdraw Consent – you can withdraw your consent at any time (Art. 7(3) GDPR)

To exercise your rights, contact us by email or send a letter to our business address. We will respond within 30 days of receiving your request.

If you believe your data is being processed unlawfully, you have the right to lodge a complaint with the President of the Personal Data Protection Authority (UODO):

Personal Data Protection Authority
ul. Stawki 2, 00-193 Warsaw
www.uodo.gov.pl
skargi@uodo.gov.pl
Tel. +48 22 531 03 00


4. PURPOSES AND LEGAL BASES FOR DATA PROCESSING

The following table shows for what purposes we process your data, on what legal basis, and how long we retain it:

4.1 Processing Related to Order Placement

  • Purpose: Fulfilling the sales contract, preparing goods, shipping, handling complaints
  • Legal Basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(c) GDPR (legal obligation – tax and accounting regulations)
  • Data Categories: First and last name, email address, phone number, delivery and billing address, invoice data
  • Recipients: Courier companies (DHL, InPost, Pocztex, FedEx), payment providers (Autopay, STRIPE), accounting office
  • Retention Period: Duration of contract + 6 years
  • Required to Provide: Yes – without this data, placing an order is not possible

4.2 Processing Related to User Account Creation

  • Purpose: Account management, order tracking, purchase history storage
  • Legal Basis: Art. 6(1)(b) GDPR (service provision contract)
  • Data Categories: Username, password (encrypted), first and last name, email address
  • Recipients: None – data stored internally
  • Retention Period: Until account deletion by user + 2 years (statute of limitations)
  • Required to Provide: No – account is optional

4.3 Processing Related to Communication with You

  • Purpose: Answering questions, handling complaints, managing business inquiries
  • Legal Basis: Art. 6(1)(b) GDPR (pre-contractual measures); Art. 6(1)(f) GDPR (legitimate interest – communication)
  • Data Categories: First and last name, email address, phone number, message content
  • Recipients: Customer service staff; if required, third parties specializing in dispute resolution
  • Retention Period: Duration of processing + 3 years (claims limitation period)
  • Required to Provide: Yes – without this data we cannot respond

4.4 Processing for Direct Marketing

  • Purpose: Sending marketing information, special offers, promotional materials via email
  • Legal Basis: Art. 6(1)(a) GDPR (your explicit consent)
  • Data Categories: Email address
  • Recipients: Email platforms, marketing service providers
  • Retention Period: Until you withdraw your consent
  • Required to Provide: No – consent is voluntary
  • Right to Object: You can unsubscribe at any time by clicking the link in the email

4.5 Processing for Analytical Purposes

  • Purpose: Analysis of website usage, interface improvement, user research
  • Legal Basis: Art. 6(1)(f) GDPR (legitimate interest – business operations)
  • Data Categories: Anonymous behavioral data (pages visited, time spent, clicks), IP address, device information
  • Recipients: Google Analytics, Hotjar, other analytical tools
  • Retention Period: Until cookies are deleted or consent is withdrawn
  • Required to Provide: No – analytics is optional

4.6 Processing for Profiling and Personalization

  • Purpose: Automatic assessment of preferences, display of personalized recommendations, content adaptation
  • Legal Basis: Art. 6(1)(f) GDPR (legitimate interest); Art. 6(1)(a) GDPR (if consent is given)
  • Data Categories: Product browsing history, purchase history, preferences
  • Recipients: Internally, marketing platforms
  • Retention Period: Until cookies are deleted or consent is withdrawn
  • Required to Provide: No
  • Limitation: We do not make decisions with significant legal consequences based solely on profiling

4.7 Processing for Establishing, Pursuing, or Defending Claims

  • Purpose: Protection of our rights, fraud prevention, claims enforcement
  • Legal Basis: Art. 6(1)(f) GDPR (legitimate interest – legal protection)
  • Data Categories: Order data, correspondence, payment data, incident information
  • Recipients: Law firms, courts, law enforcement (if required)
  • Retention Period: Until expiration of statute of limitations – 3-6 years (depending on claim type)
  • Required to Provide: No


5. CATEGORIES OF DATA COLLECTED

We collect the following categories of personal data:

5.1 Directly Collected Data (Voluntarily)

  • Identification Data: first and last name
  • Contact Data: email address, phone number, delivery and billing address
  • Financial Data: financing source information (e.g., credit card – processed by external payment providers in accordance with PCI DSS)
  • Purchase History: list of ordered products, dates, amounts
  • Profile Data: product preferences, language preferences, notification settings
  • Communication Data: message content, attachments, inquiries

5.2 Automatically Collected Data

  • Device Data: browser type, operating system, browser version, device identifier
  • Technical Data: IP address, connection information (WiFi/mobile network)
  • Behavioral Data: pages visited, time spent on site, clicked elements, search history
  • Geolocation: approximate location based on IP address (without precise accuracy)
  • Cookies and Tracking Pixels: session identifiers, marketing parameters (details below)

6. COOKIES AND TRACKING TECHNOLOGIES

6.1 What are Cookies?

Cookies are small text files stored on your device (computer, phone, tablet). They do not cause changes to your device settings. We use them to:

  • Remember your settings
  • Ensure security
  • Analyze how you use our website
  • Display personalized ads

6.2 Types of Cookies

A) Essential (Technical) Cookies

  • PHPSESSID – Description: Maintaining user session; Duration: Session duration (until browser closes); Legal Basis: Art. 6(1)(b) GDPR
  • language_preference – Description: Remembering selected language; Duration: 1 year; Legal Basis: Art. 6(1)(b) GDPR
  • cart_items – Description: Shopping cart contents; Duration: Session duration; Legal Basis: Art. 6(1)(b) GDPR
  • auth_token – Description: Login and authentication; Duration: Until logout; Legal Basis: Art. 6(1)(b) GDPR
  • security_token – Description: Security (CSRF protection); Duration: Session duration; Legal Basis: Art. 6(1)(b) GDPR

These cookies are necessary for website operation and can be used without your consent.

B) Analytical Cookies

  • Google Analytics (Google Ireland Limited) – Description: Website traffic analysis, visitor count, conversions; Data Categories: Client ID, Session ID, Page Views, Event data; Duration: Up to 24 months; Legal Basis: Art. 6(1)(a) GDPR (consent)
  • Hotjar – Description: Session recordings, heatmaps, surveys; Data Categories: Session recordings, scroll behavior, form interactions; Duration: Up to 365 days; Legal Basis: Art. 6(1)(a) GDPR (consent)

Consent is required for these cookies, which you can provide or withdraw at any time.

C) Marketing and Advertising Cookies

  • Meta Pixel (Facebook) – Description: Conversion tracking, retargeting, audience building; Provider: Meta Platforms Ireland Ltd.; Duration: Up to 90 days; Legal Basis: Art. 6(1)(a) GDPR (consent)
  • Google Ads Conversion Tracking – Description: Google Ads campaign conversion tracking, remarketing; Provider: Google Ireland Limited; Duration: Up to 540 days; Legal Basis: Art. 6(1)(a) GDPR (consent)
  • LinkedIn Insight Tag – Description: Conversion tracking, audience building; Provider: LinkedIn Ireland Unlimited Company; Duration: Up to 90 days; Legal Basis: Art. 6(1)(a) GDPR (consent)
  • Remarketing Google Display Network – Description: Product ads display on other websites; Provider: Google Ireland Limited; Duration: Up to 540 days; Legal Basis: Art. 6(1)(a) GDPR (consent)

Your explicit consent is required for these cookies.

D) Third-Party Cookies

Cookies may also be placed by:

  • Payment Providers (Autopay, Stripe, PayPal, GPay, ApplePay) – for secure payment processing
  • Logistics Providers (DHL, InPost, Pocztex, FedEx) – for shipment tracking
  • Email Marketing Providers – for campaign effectiveness measurement

6.3 Web Beacons (1x1 Pixels) and Tracking Pixels

In addition to cookies, our Shop may contain invisible pixels (1x1 pixels) placed by:

  • Facebook Conversion Pixel – for measuring purchase conversions
  • Google Analytics Event Tracking – for registering page events
  • LinkedIn Insight Tag – for tracking user interactions
  • Microsoft Advertising Universal Event Tracking – for tracking Bing/Microsoft campaigns

These pixels work similarly to cookies – they store information about your behavior on our website to display more relevant ads to you.

6.4 How to Manage Cookies?

You can at any time:

  1. Change cookie settings in your browser:
     • Google Chrome – Menu → Settings → Privacy and security → Cookies and other site data → Block third-party cookies
     • Firefox – Menu → Settings → Privacy & Security → Cookies and Site Data
     • Safari – Preferences → Privacy → Manage Website Data
     • Microsoft Edge – Settings → Privacy, search, and services → Cookies and other site data

  2. Delete cookies:
     • Press F1 in your browser to open help
     • In most browsers: CTRL+SHIFT+Delete (Windows) or Command+Shift+Delete (Mac)

  3. Use opt-out tools:

Note: Disabling technical cookies may prevent proper website functionality (e.g., login, adding products to cart, order completion).


7. PROFILING

Within our Shop, we may perform profiling – automatic assessment of your preferences based on:

  • Product browsing history
  • Purchase history
  • Analytics data
  • Behavioral data from cookies

Purpose: Display personalized product recommendations and tailored ads.

Important: The profiling we conduct does not result in decisions with significant legal consequences for you (e.g., credit denial, service denial). In such cases, you have the right to human intervention and the ability to obtain an explanation of the decision.


8. SECURITY AND DATA PROTECTION

When processing your personal data, we apply technical and organizational measures in accordance with applicable GDPR regulations:

8.1 Encryption

  • Transmission: HTTPS/TLS 1.3 – encrypts all data transmitted between your browser and our servers
  • At Rest: AES-256 – encryption of data stored on servers
  • Passwords: Hashing using bcrypt or Argon2 – passwords are never stored in plain text
  • Payment Data: PCI DSS 3.2.1 – compliance with industry standards

8.2 Infrastructure Security Measures

  • Firewall – control of all incoming and outgoing connections
  • Intrusion Detection/Prevention Systems (IDS/IPS) – monitoring of anomalies in network traffic
  • Load Balancing and Redundancy – distribution of load across multiple servers
  • Regular Backups – data is archived daily at secure locations
  • 24/7 Monitoring – continuous monitoring of servers and systems
  • Network Segmentation (VLAN) – isolation of data traffic to reduce risk

8.3 Audits and Testing

  • Penetration Testing – minimum every 5 years
  • Vulnerability Scanning – use of tools such as Nessus, OpenVAS

8.4 Access Control

  • Multi-Factor Authentication (MFA) – for administrators and staff with data access
  • Role-Based Access Control (RBAC) – each employee has access only to data necessary for their duties
  • Access Auditing – logging of all operations on personal data
  • Password Rotation – regular change of access keys
  • Immediate Access Removal – for former employees without delay

8.5 Incident Response Procedures

In case of a data security breach:

  1. We will notify you within 72 hours (without undue delay)
  2. We will report to UODO (if required by regulations)
  3. We will conduct a root cause analysis (RCA) – to prevent similar incidents in the future
  4. We will develop a corrective action plan – indicating actions to increase security

9. DATA TRANSFER OUTSIDE THE EUROPEAN UNION

9.1 Data Storage Location

Personal data is stored on servers located within the European Union, ensuring an adequate level of protection in accordance with Art. 44-49 GDPR.

9.2 Transfer to Other Countries

Transfer outside the EU to countries for which no adequacy decision exists is possible only on the basis of your explicit consent and using standard contractual clauses.

9.3 Purpose of Data Transfer

Data may be transferred outside the European Union if the customer uses the section of the Shop labeled "dropshipping". Data necessary for order placement is necessarily transmitted directly to the product manufacturer. Placing orders in this business section is equivalent to consenting to the sharing of your customer data with the product manufacturer.


10. DATA RECIPIENTS AND DATA PROCESSORS

We process your data in consultation with the following data recipients:

10.1 Technical Service Providers (Hosting, Infrastructure)

  • Hostinger – Location: Lithuania; Scope: Data storage, backup, monitoring
  • Hostinger – Location: Lithuania; Scope: Content caching, distribution

10.2 Payment Service Providers

  • Stripe – Location: Ireland; Scope: Card payment processing, fraud detection
  • PayPal – Location: Ireland; Scope: PayPal and Apple Pay payment handling
  • Autopay – Location: Poland; Scope: Bank transfer, BLIK, and other methods

10.3 Analytics Service Providers

  • Google Analytics (Google Ireland Limited) – Location: Ireland; Scope: Traffic analysis, conversions, artificial intelligence
  • Hotjar – Location: Malta; Scope: Session recordings, heatmaps, surveys

10.4 Logistics and Shipping Providers

  • DHL – Location: Germany/Poland; Scope: Domestic and international shipments
  • FedEx – Location: Poland; Scope: Domestic and international shipments
  • InPost – Location: Poland; Scope: Shipments to parcel lockers and courier services
  • Poczta Polska – Location: Poland; Scope: Domestic and international shipments

Note: Logistics providers receive the delivery address and contact data necessary for shipment fulfillment. They are responsible for processing this data in accordance with GDPR guidelines.

10.5 Communication and Marketing Service Providers

  • Hostinger – Location: Lithuania; Scope: Email sending, open tracking
  • Meta (Facebook) – Location: Ireland; Scope: Pixels, retargeting, audience building
  • Google Ads – Location: Ireland; Scope: SERP campaigns, conversion tracking, remarketing
  • LinkedIn – Location: Ireland; Scope: Conversion tracking, audience segmentation

10.6 CRM and Customer Service Providers

  • [CRM Tool] – Location: [Location]; Scope: Customer relationship management
  • [Ticketing System] – Location: [Location]; Scope: Question and complaint handling

10.7 Accounting and Legal Service Providers

  • Accounting Office – Location: Poland; Scope: Business records, taxes

10.8 Additional Data Recipients

Data may be disclosed to the following entities in specific situations:

  • Public Authorities (e.g., tax authority, police) – based on legal regulations or court order
  • Security Service Providers – for fraud prevention or cybercrime prevention
  • Courts and Third Parties – based on court judgment in disputes

11. DATA RETENTION PERIODS

The following table specifies how long we retain your data in various scenarios:

  • Order data – Purpose: Contract fulfillment, invoices, returns; Retention Period: 6 years from end of year of order; Legal Basis: Art. 6(1)(c) GDPR (tax obligation)
  • User account data – Purpose: Account management; Retention Period: Until account deletion + 2 years; Legal Basis: Statute of limitations
  • Contact/inquiry data – Purpose: Inquiry handling; Retention Period: 1 year from last contact; Legal Basis: Statute of limitations
  • Email address (marketing consent) – Purpose: Marketing campaigns; Retention Period: Until consent withdrawal; Legal Basis: Art. 6(1)(a) GDPR
  • Analytical cookies – Purpose: Data analysis; Retention Period: Up to 24 months (Google Analytics); Legal Basis: Tool settings
  • Advertising cookies – Purpose: Direct marketing; Retention Period: Up to 540 days (Google Ads); Legal Basis: Tool settings
  • Access logs (IP, User-Agent) – Purpose: Security, audit; Retention Period: 90 days; Legal Basis: Security regulations
  • Contact form data – Purpose: Matter handling; Retention Period: 3 years (statute of limitations); Legal Basis: Art. 6(1)(f) GDPR
  • Session recordings (Hotjar) – Purpose: UX analysis; Retention Period: 12 months or until consent withdrawal; Legal Basis: Provider agreement
  • Payment data – Purpose: Financial audit, detection; Retention Period: 5-6 years (banking and tax requirements); Legal Basis: Art. 6(1)(c) GDPR

11.1 Data Deletion Procedure

After the retention period expires, your data will be:

  • Permanently deleted – using secure encryption methods (to prevent recovery)
  • Anonymized – converted to a form from which a person cannot be identified
  • Archived – in certain cases (tax archives) stored in a safe, isolated location

12. YOUR RIGHTS - DETAILED DESCRIPTION

12.1 Right of Access to Data (Art. 15 GDPR)

You have the right to request confirmation from us whether we are processing your data and to receive a copy of your personal data.

How to Exercise Your Right:

  • Send an email to: shop@chinczyk.com with the subject "Request for Access to Personal Data"
  • Include a copy of your identity document (for verification purposes)
  • You can request data in CSV, JSON, or other electronic format

Response Timeframe: 30 days from receipt of your request (may be extended by 2 months in case of complexity)

No Fee: Providing access is free (a fee may be charged for additional copies)

12.2 Right to Rectification (Art. 16 GDPR)

If your data is inaccurate or incomplete, you can request that we correct it.

How to Exercise Your Right:

  • Log in to your account and edit your data
  • Or send an email describing the errors

Timeframe: Immediately, no later than 30 days

12.3 Right to Erasure – "Right to be Forgotten" (Art. 17 GDPR)

In certain cases, you can request deletion of your data.

We can delete your data if:

  • They are no longer needed for the purposes for which we collected them
  • You have withdrawn the consent on which processing was based
  • You object to processing without a justified reason
  • The data were processed unlawfully

We cannot delete your data if:

  • They are needed to perform a contract (e.g., invoice must be retained)
  • They are required by law (taxes, commercial law)
  • They are needed to establish, pursue, or defend claims or protect third parties' rights

How to Exercise Your Right:

  • Send an email to: shop@chinczyk.com with the subject "Request for Data Deletion"
  • Clearly specify which data you wish to delete

12.4 Right to Restrict Processing (Art. 18 GDPR)

You can request a restriction on how we process your data.

Possible Reasons:

  • Contesting the accuracy of data (we will have time to verify)
  • Processing is unlawful (but you do not want the data to be deleted)
  • We no longer need the data, but you wish to retain them for establishing, pursuing, or defending claims
  • You object to processing based on Art. 21 GDPR

Effect:

  • Data will be stored but not processed until the matter is resolved
  • You will be notified before the restriction is lifted

12.5 Right to Data Portability (Art. 20 GDPR)

You can request to receive your data in a structured, commonly used, machine-readable format (e.g., CSV, JSON, XML).

How to Exercise Your Right:

  • Send a request to: shop@chinczyk.com
  • You will receive data in the format you specify

Timeframe: 30 days

Effect: You can transfer your data to another controller (e.g., another shop)

12.6 Right to Object (Art. 21 GDPR)

A) Objection to Processing Based on Art. 6(1)(f) GDPR

You can object to the processing of data based on our legitimate interests.

Examples:

  • Behavioral analysis for security purposes
  • Sending information about changes to our services
  • Profiling for fraud prevention

Effect: After considering your objection, we must demonstrate that we have overriding reasons to continue processing (e.g., claims enforcement).

B) Objection to Direct Marketing

You have the right to object to receiving marketing information.

How to Exercise Your Right:

  • Click the "Unsubscribe" link in each marketing email
  • Send a request to: shop@chinczyk.com

Effect: We will immediately stop sending you marketing emails

Important: Your objection is immediately effective – we cannot send you ads after you unsubscribe.

12.7 Right to Withdraw Consent (Art. 7(3) GDPR)

If you have given consent for data processing, you can withdraw it at any time.

How to Exercise Your Right:

  • Click "Unsubscribe" in your marketing email
  • Log in to your account and change notification settings
  • Send a message to: shop@chinczyk.com

Effect: Processing will be stopped immediately. Processing that occurred before withdrawal remains lawful.

12.8 Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing that have legal consequences for you or similarly significantly affect you.

Examples of Decisions That Would Violate This:

  • Automatic credit denial
  • Automatic service suspension without human involvement
  • Automatic exposure to risk

What We Do:

  • Our profiling systems (e.g., product recommendations) do not result in decisions with legal consequences
  • If we must make an automated decision, we always provide the possibility of human intervention and explanation

13. DISPUTE RESOLUTION AND COMPLAINTS

13.1 Internal Procedure

If you have requests regarding the processing of your personal data:

  1. Contact Us:

  2. Describe in Detail:
     • What your request concerns (access, rectification, erasure, etc.)
     • What data it affects
     • Include a copy of your identity document

  3. Response:
     • We will respond within 30 days
     • If the matter is complex, we may request an extension up to 2 months
     • If we deny your request, we will provide a reason and information about complaint procedures

14. CHANGES TO THIS PRIVACY POLICY

We reserve the right to update this Privacy Policy to reflect changes in legislation, technology, or business practices.

14.1 How Will We Notify You of Changes?

  • Minor Changes (technical, clarifying) – will be published without notice
  • Significant Changes (increasing our control, reducing your rights) – we will inform you at least 30 days before they take effect

14.2 Form of Notification

  • Email to the address in our records
  • Notice on the website
  • Notification in the mobile app (if applicable)

14.3 Your Acceptance

If you continue to use our services after changes are published, it means you accept the new terms.

If you disagree with the changes, you can:

  • Withdraw from the services
  • Request account deletion
  • Withdraw consent to data processing

15. INFORMATION ABOUT CHILDREN

15.1 Minimum Age

Our Shop is not directed to persons under 13 years of age (or the age specified by law in your country).

15.2 Knowing Collection of Data from Children

We do not knowingly collect personal data from children under 13 years of age without parental/guardian consent.

If we discover that we have collected data from a child without appropriate consent, we will delete it immediately.

15.3 Consent for Teenagers (13-18 Years)

For persons aged 13-18 years:

  • We offer the possibility for them to provide consent independently (if the law allows)
  • We recommend discussing the use of our services with parents

16. CONTACT INFORMATION - SUMMARY

General Contact

Contact for Data Processing and Privacy Matters

Regulatory Authorities


17. OTHER IMPORTANT INFORMATION

17.1 Legal Compliance

This Privacy Policy complies with:

  • GDPR (Regulation (EU) 2016/679)
  • Law on Protection of Personal Data (UODO) of May 10, 2018
  • eCommerce Directive (2000/31/EC)
  • PECR (Privacy and Electronic Communications Regulations) – for cookies
  • Law on Protection of Competition and Consumers
  • Law on Electronic Commerce
  • Other applicable legal regulations

17.2 Inspectors and Independent Organizations

You can contact the following independent organizations regarding data protection matters:

17.3 Archiving and Storage

Archived data is retained in secure, encrypted storage independently from production systems in accordance with archival law requirements.


18. APPROVAL

This Privacy Policy was developed with consideration of the highest legal standards for personal data protection and privacy in electronic commerce.

The document protects both user interests and those of the company, ensuring complete transparency, honesty, and compliance with applicable regulations.

Effective Date: January 13, 2026

Last Updated: January 13, 2026


APPENDIX A: GLOSSARY OF TERMS

  • Controller – The business owner or organization that determines the processing of personal data
  • Data Processing – Any action with data (collection, storage, analysis, deletion)
  • Personal Data – Information relating to an identified or identifiable natural person
  • Cookies – Small files stored on the user's device
  • Profiling – Automated analysis of data to assess preferences
  • GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council
  • DPA – Data Processing Agreement
  • UODO – Personal Data Protection Authority
  • Consent – Explicit, voluntary, conscious expression of will
  • Objection – Right to object to processing
  • Data Transfer – Transmission of data to another country


End of Document