Privacy Policy

1. Who is my data processed by?

The controller of your personal data (hereinafter referred to also as the Controller), within the meaning of the Personal Data Protection Act, provided voluntarily, in particular in the scope of:

  1. placing orders,
  2. giving consent to the marketing or promotional campaign,
  3. registration,
  4. opening an account on the website,
  5. corresponding with the Controller,
  6. subscribing to mailing services (newsletter),

or as part of the performance of other electronic services by the Controller, is:

Rafał Zyskowski, operating a business under Chaperone Royale Rafał Zyskowski, with its registered office at Emaus 55Y/103, 30-213 Kraków, phone number: 536522600, email address:,

The representatives of the Controller are:

Rafał Zyskowski, contact details:, 536522600.

The Controller has not appointed a data protection officer.

2. For what purpose is personal data processed?

Data is processed by the Controller for the purpose of:

  1. performance of the agreement by and between the Parties,
  2. performance of electronic services by the Controller,
  3. correspondence with Users who have subscribed to the newsletter or have used the function of sending messages to the Controller,
  4. administration of surveys,
  5. verification of User’s identity,
  6. correspondence with the User in other legitimate matters, in particular, notifying the User of amendments to rules and regulations, privacy policy and cookies policy, informing the User about payments made,
  7. handling of transactions between the Controller and the User,
  8. post-sales service,
  9. improvement of services rendered and their personalisation for User’s needs,
  10. management and protection of Controller’s own IT systems,
  11. making it possible for the User to log on to websites administered by the Controller if they are equipped with this functionality,
  12. examination and lodging of claims arising out of a potential agreement by and between the parties,
  13. compliance with legitimate interests of the Controller, provided that processing poses no risk to the rights and freedoms of the data subject,
  14. collection, analysis and transfer of information in the scope of the functioning of Controller’s products and websites,
  15. sending Controller’s own and foreign marketing, advertising, or commercial information using means of electronic communication, including via e-mail, text messages or via telephone communication (if the User has given his/her express, separate consent to this), including supply of marketing content adapted individually to a given User,
  16. statistics,
  17. analysis of User movements on the Controller’s websites,
  18. analysis of User behaviour on social media platforms,
  19. potential supplies of products, services, correspondence sent to User’s postal address, e-mail or telephone number.

3. What is the legal basis of the processing of my personal data?

The Controller processes personal data only based on and within the limits of applicable law. The legal basis of personal data processing is:

  1. consent to personal data processing or
  2. request of the data subject to take certain steps prior to entering into a contract (e.g. a request for proposal authorises the Controller to use personal data to send the proposal),
  3. performance of a contract if it requires data processing,
  4. compliance with a legal obligation to which the Controller is subject.

Furthermore, personal data may be processed when:

  1. it is necessary in order to protect the vital interests of the data subject or
  2. it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
  3. it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Legitimate interest should be understood, for example, as:

  1. protection of Controller’s IT systems,
  2. protection of personal data processed by the Controller and information carriers with this data,
  3. protection of Controller’s property,
  4. recording of the data of users who transfer information (posts on a blog/comments) for the purpose of identifying the author of the given content in case a third party pursues claims on these grounds,
  5. direct marketing.

4. Who is the recipient of my personal data?

As at the date of providing information, the recipients of the furnished personal data are or may be the entities which render Web analytics services (Google Analytics), entities handling payments (PayPal,, PayU, DotPay, etc.), hosting entities (,, operators of social media (Facebook Inc, Google LLC, etc.).

If the method of payment for goods or services provided by the Controller chosen by the data subject providing personal data entails the use of services of an entity providing direct money transfers (, PayU, PayPal, etc), personal data will be transferred in the scope necessary for the processing of payments to entities which provide services of this type:

  1. PayU service – PayU, ul. Grunwaldzka 182, 60-166 Poznań, KRS (National Court Register No.): 274399,
  2. service – PayPro S.A. Agent Rozliczeniowy (Billing Agent), ul. Kancelarska 15, 60-327 Poznań, KRS (National Court Register No.): 347935,
  3. DotPay service – Dotpay S.A., ul. Wielicka 72, 30-552 Kraków, KRS (National Court Register No.): 296790,
  4. PayPal – PayPal (Europe) S.a r.l. et Cie, S.C.A. 22-24 Boulevard Royal L-2449, Luxembourg.

The data may also be transferred in the scope necessary and justified by the nature of the contract or Web service to entities providing services to the Controller: accounting, IT, auditing, archiving, HR, and legal services, and to employees, attorneys and authorised signatories. Access to data may also be obtained by the Controller’s potential legal successor, in particular, in the case of merger or acquisition. The data may be used only for purposes for which it has been handed to the Controller. Personal data may also be transferred to entitled authorities, entities or institutions in cases when this results from applicable provisions of law.

5. Will the data be transferred to a third country?

The Controller informs that it may be necessary to transfer personal data to a third country in a way and upon the terms specified in the relevant provisions. The above may happen, for example, when a given service is provided via electronic means, using servers in a third country, e.g. when it is necessary for the performance of a contract by and between the Parties, and when the data subject has given his/her consent to this in writing. The transfer will occur only when the target country ensures the appropriate level of personal data protection in its territory. In the course of ongoing operations of the Controller, the provided data may also be transferred to the United States of America (USA) as part of file transfer using Dropbox software provided by Dropbox International Unlimited Company or Dropbox Inc., 333 Brannan Street, San Francisco CA 94107. The data may be stored on servers of the aforementioned companies. Dropbox uses the appropriate protection of the collected data, in accordance with the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks as part of which the following is stipulated: e.g. procedure of pursuing claims (JAMS). Dropbox also has a certificate of compliance with ISO 27018 standard, a globally recognised standard of privacy practices in the computing cloud and data protection. The User may request a data copy from the Controller.

6. How long will my data be processed?

Your personal data will be processed as long as:

  1. the user uses services offered by the Controller, i.e. in particular, as long as the user has an account on the Controller’s website,
  2. the Parties are bound by a contract for the performance of which personal data processing is necessary,
  3. it is necessary for proving the proper performance of a contract by the Controller,
  4. it is necessary for securing Controller’s legitimate interests such as protection of Controller’s IT system or exercise of claims.

7. Does the Controller apply profiling to my data and what are the consequences of profiling?

The Controller uses user profiling by the address of residence or address of principal office, geolocation and status as a business/consumer, but only for the purpose of applying the relevant rate of VAT in case of offered services or establishing whether the supply of given goods/services to a given country is permitted. This applies especially in case of an extra-community supply of goods or services, or supply of digital products. The consequence of the aforementioned profiling is the offering by the Controller of products at a price different by a VAT rate, which depends, for example, on the place of performance of a service/supply (and whether goods or services are exported) and buyer’s status (if it is a consumer or a business). The above data (geolocation) may also be used for automatic change of the language in which website content is displayed.

8. Am I obliged to provide my personal data?

Personal data is given voluntarily. Failure to provide the Controller with personal data which is marked by the Controller as necessary for the conclusion of a contract or use of a given functionality of the Controller’s website (e.g. sending messages, posting comments) will make it impossible to enter into a contract or use a given functionality, respectively.

9. What are my rights?

Data subjects have a range of rights, including:

  1. the right to be informed who the data controller is,
  2. the right to request access to their data,
  3. the right to complete, update and rectify the data,
  4. the right to restrict processing,
  5. the right to temporarily or permanently hold back processing or to have data deleted if it is incomplete, outdated, false or has been collected with the breach of legal acts or is redundant for the purpose for which it has been collected,
  6. the right to object to processing,
  7. the right not to be subject to automated decision-making,
  8. the right to transfer data.

In order to exercise any of these rights, contact the Controller: or use the appropriate function available in account settings on the website.

10. Is it possible to obtain or transfer my personal data?

The data subject who has furnished his or her personal data to the Controller has a right to obtain the data in a structured, commonly used, machine-readable and interoperable format. The data subject also has a right to request that the data be sent to another controller. If processing is based on consent, these rights inure to the benefit of the user or contract.

11. Is it possible to object to personal data processing?

Yes. The data subject whose data is processed has a right to object to further processing of personal data. To do so, please send us an e-mail to or call us at 536522600.

12. Can I withdraw my consent to personal data processing?

Yes. The person whose data is processed has a right to withdraw his/her consent to personal data processing at any time. The withdrawal of consent will not affect the lawfulness of processing performed based on the consent prior to its withdrawal.

13. Is it possible to object to personal data processing for the purposes of marketing or profiling?

You have a right to object, for free and at any time, to the processing of personal data for the purposes of direct marketing, original or further, including profiling, if it is related to direct marketing.

14. Can I complain to a supervisory authority?

In accordance with applicable provisions, the supervisory authority for personal data is the Personal Data Protection Office (Urząd Ochrony Danych Osobowych). Details concerning the methods of filing complaints are available at: