Privacy Policy
ONLINE SHOP PRIVACY POLICY
TABLE OF CONTENTS
- GENERAL PROVISIONS
- BASIS FOR THE PROCESSING OF DATA
- PURPOSE, BASIS AND PERIOD OF PROCESSING DATA IN THE ONLINE SHOP
- DATA RECIPIENTS IN THE ONLINE SHOP
- PROFILING IN THE ONLINE SHOP
- THE RIGHTS OF THE DATA SUBJECT
- COOKIES IN THE ONLINE SHOP AND ANALYTICS
- FINAL PROVISIONS
1. GENERAL PROVISIONS
This Online Shop Privacy Policy is for information purposes only and is not a source of obligations for the Service Recipients or Customers of the Online Shop. It explains how the Controller processes personal data in the Online Shop, including the legal basis, purpose, scope, and retention period of data, as well as data subjects’ rights and details about cookies and analytical tools.
The Controller of personal data collected via the Online Shop is Paweł Cebulak, doing business as GMOTO. PAWEŁ CEBULAK, registered in the Central Registration and Information on Business of the Republic of Poland. The business and delivery address is Tadeusza Kościuszki 78, 37-100 Łańcut, Poland. Tax Identification Number (NIP): 8151750134, National Economy Register Number (REGON): 180440676. Email: [email protected], phone: +48 17-247-22-20. This entity is hereinafter referred to as the “Controller” and is also the Service Provider of the Online Shop and the Seller.
The Controller processes personal data in compliance with all relevant legal regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR). The official text of the GDPR is available at:
http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
Using the Online Shop (including making purchases) is voluntary, as is providing personal data—subject to two exceptions:
- Contract requirements: Failure to provide personal data necessary to conclude and perform a Sales Contract or an Electronic Service contract may make it impossible to finalize that contract. The scope of required data is always indicated beforehand (e.g., on the Online Shop website, in the Terms and Conditions, or in this Privacy Policy).
- Statutory obligations: In certain cases, the Controller is legally obliged to collect personal data (e.g., for tax records). Failure to provide such data prevents the Controller from meeting legal obligations.
The Controller exercises due diligence to protect data subjects’ interests. In particular, the Controller ensures that data are:
- Processed lawfully, fairly, and transparently.
- Collected for specified, legitimate purposes and not processed further in a manner incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes.
- Processed in a way that ensures appropriate security of personal data against unauthorized or unlawful processing or accidental loss, destruction, or damage, using suitable technical and organizational measures.
Taking into account the nature, scope, context, and purposes of processing—as well as risks to the rights and freedoms of natural persons—the Controller implements relevant technical and organizational measures to ensure processing complies with GDPR. These measures are regularly reviewed and updated as necessary. Technical measures prevent unauthorized persons from accessing or modifying personal data transmitted electronically.
Words, expressions, and abbreviations used in this Privacy Policy (such as “Seller,” “Online Shop,” “Electronic Service”) follow the definitions used in the Terms and Conditions of the Online Shop, which are available on the Online Shop website.
2. BASIS FOR THE PROCESSING OF DATA
The Controller is authorized to process personal data if at least one of the following conditions is met:
- The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at their request prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the Controller is subject.
- Processing is necessary for the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (especially if the data subject is a child).
The Controller processes personal data only if at least one legal basis from above applies. Specific grounds for processing personal data of Service Recipients or Customers are presented in Section 3 of this Privacy Policy, according to the specific purpose of processing.
3. PURPOSE, BASIS AND PERIOD OF PROCESSING DATA IN THE ONLINE SHOP
The precise purpose, legal basis, retention period, and recipients of personal data depend on actions taken by each Service Recipient or Customer in the Online Shop. For example, if a Customer decides to purchase a Product and chooses personal pickup instead of delivery, their data will be processed to fulfill the Sales Contract but not shared with a courier.
The Controller may process personal data in the Online Shop for the following purposes, under the following legal bases, and for the corresponding retention periods (summarized textually below, instead of a table):
A. Performing a Sales Contract or Electronic Service Contract (or taking steps prior to contract conclusion)
- Legal basis: Article 6(1)(b) GDPR (contract performance).
- Retention period: Data are stored for the period necessary to perform, terminate, or expire the concluded Sales Contract or Electronic Services contract.
B. Direct Marketing
- Legal basis: Article 6(1)(f) GDPR (legitimate interests of the Controller). The legitimate interest is to grow the Controller’s business, strengthen reputation, and increase Product sales.
- Retention period: Data are stored for as long as the Controller has a legitimate interest, but no longer than the limitation period for claims arising from the Controller’s business (typically 3 years; for Sales Contracts, 2 years). The Controller ceases direct marketing processing if the data subject objects.
C. Marketing (Based on Consent)
- Legal basis: Article 6(1)(a) GDPR (consent).
- Retention period: Until the data subject withdraws consent for this purpose.
D. Expressing an Opinion on a Concluded Sales Contract
- Legal basis: Article 6(1)(a) GDPR (consent).
- Retention period: Until the data subject withdraws consent.
E. Keeping Ledgers (Accounting)
- Legal basis: Article 6(1)(c) GDPR in connection with Article 74(2) of the Polish Accounting Act.
- Retention period: For the legally required duration, typically 5 years from the beginning of the year following the financial year in question.
F. Determining, Pursuing, or Defending Claims
- Legal basis: Article 6(1)(f) GDPR (legitimate interests of the Controller).
- Retention period: For as long as there is a legitimate interest, but no longer than the limitation period for potential claims (generally 6 years for claims against the Controller).
G. Use of the Online Shop Website and Ensuring Its Proper Functioning
- Legal basis: Article 6(1)(f) GDPR (legitimate interests of the Controller related to operating and maintaining the Online Shop).
- Retention period: For as long as there is a legitimate interest, but no longer than the limitation period for business-related claims (usually 3 years; for Sales Contracts, 2 years).
H. Preparing Statistics and Analyzing Visitor Behavior on the Online Shop Website
- Legal basis: Article 6(1)(f) GDPR (legitimate interests of the Controller in improving the Online Shop’s functionality and increasing Product sales).
- Retention period: For as long as there is a legitimate interest, but no longer than the limitation period for claims (generally 3 years; 2 years for Sales Contracts).
4. DATA RECIPIENTS IN THE ONLINE SHOP
For the Online Shop to function effectively—including fulfilling Sales Contracts—the Controller may rely on services of external providers (e.g., software vendors, couriers, payment operators). Only entities guaranteeing compliance with GDPR requirements are used.
Data are not shared in every situation or with all entities. Data are shared only if required to fulfill a specific purpose and only to the extent necessary.
Personal data of Online Shop users may be shared with:
- Carriers / Forwarders / Couriers / Warehouse Operators: If a Customer chooses delivery, data are shared to the extent necessary to deliver the Product.
- Electronic / Card Payment Providers: If a Customer chooses electronic payment, data are shared to the extent necessary for transaction processing.
- Loan Providers / Lessors: In case of installment or leasing options, data are shared to the financing entity as needed for payment servicing.
- Technical / IT / Organizational Service Providers: Entities providing solutions enabling the Controller to run the Online Shop (e.g., hosting, e-mail, software). Data are shared only if and when necessary to achieve a given processing purpose.
- Accounting, Legal, and Consulting Services: E.g., law firms or debt collection agencies, but only to the extent needed.
- Social Media Plugin Providers: If the Online Shop uses social media login methods or integrates social plugins from Alphabet Inc. (YouTube), Meta Platforms Ireland Ltd. (Facebook, Instagram), TikTok Technology Limited, etc., user data may be transferred to these providers according to their respective privacy policies.
5. PROFILING IN THE ONLINE SHOP
GDPR requires the Controller to inform about automated decision-making, including profiling (Article 22(1) and 22(4) GDPR). The Controller may use profiling for direct marketing, but it does not determine whether a Sales Contract can be concluded. Profiling might result in special offers or discounts, but the Customer is free to decide whether to use them.
Profiling involves automated analysis or prediction of a person’s behavior on the Online Shop website (e.g., which Product pages they view, whether they add something to their cart, or their purchase history).
The data subject has the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects for them.
6. THE RIGHTS OF THE DATA SUBJECT
Right of Access, Rectification, Restriction, Erasure, and Portability: Data subjects can request access to their data, correct inaccuracies, restrict processing, erase data, or transfer data (Articles 15–22 GDPR).
Right to Withdraw Consent: If processing is based on consent (Article 6(1)(a) or Article 9(2)(a) GDPR), a data subject can withdraw that consent at any time, without affecting processing done before the withdrawal.
Right to Lodge a Complaint: Data subjects can lodge a complaint with a supervisory authority (in Poland, the President of the Personal Data Protection Office).
Right to Object: A data subject can object, at any time and for reasons related to their particular situation, to the processing of their data based on Article 6(1)(e) or Article 6(1)(f) GDPR (including profiling). The Controller will stop processing unless they demonstrate compelling legitimate grounds overriding the data subject’s interests or rights, or for establishing or defending legal claims.
Right to Object for Direct Marketing Purposes: Data subjects can object to personal data processing for direct marketing (including profiling).
To exercise these rights, contact the Controller by mail or email at the addresses provided in this Privacy Policy or use the contact form in the Online Shop.
7. COOKIES IN THE ONLINE SHOP AND ANALYTICS
Cookies are small text files sent by a server and stored on a visitor’s device (e.g., computer, smartphone). They can be used for various purposes, such as remembering login status or analyzing website traffic. More details on cookies: https://en.wikipedia.org/wiki/HTTP_cookie
Cookies on the Online Shop can be categorized by their provider (first-party or third-party), lifespan (session or persistent), and purpose (necessary, functional/preferential, analytical, targeting/advertising/social).
The Controller may process information stored in cookies for:
- Identifying logged-in users and showing they are logged in (necessary cookies).
- Saving Products in the cart (necessary cookies).
- Saving data from filled-out forms (necessary and/or functional cookies).
- Customizing the Online Shop website (functional/preferential cookies).
- Collecting anonymous statistics (analytical cookies).
- Remarketing and evaluating user behavior to create a profile for targeted ads (marketing cookies).
You can view and manage which cookies are currently set in various browsers (Chrome, Firefox, Internet Explorer, Opera, Safari, etc.). By default, most browsers accept cookies, but users can modify their settings to limit or block them. Blocking cookies entirely may impede certain Online Shop functions (e.g., retaining cart contents).
Consent to use cookies may be managed through browser settings. Detailed instructions for changing cookie settings in popular browsers are found in each browser’s help section or on dedicated websites.
The Controller may use Google Analytics or Universal Analytics, provided by Google Ireland Limited, to analyze Online Shop usage. This helps produce aggregated statistics for administrative purposes. The data are generally of a collective, anonymized nature.
You can block Google Analytics by installing an opt-out add-on (https://tools.google.com/dlpage/gaoptout?hl=pl).
For more information on how Google processes data from the Online Shop (including cookies), see: https://policies.google.com/technologies/partner-sites
8. FINAL PROVISIONS
- The Online Shop may contain links to other websites. The Controller encourages users to read those websites’ privacy policies, as this Privacy Policy applies only to the Controller’s Online Shop.