Privacy policy

Lacyer Studio Privacy Policy

 

§ 1 PERSONAL DATA CONTROLLER

1. The controller of your personal data is Lacyer Studio Laura Lewandowska i Ignacy Koper spółka cywilna, with its registered office at ul. Melanii 24, 05-500 Chyliczki, NIP 1231573127, REGON 540689265. Contact: lacyerstudio@gmail.com.

2. The Controller processes the personal data of customers of the www.lacyerstudio.com store in the following situations:

  1. Account creation – for the purpose of creating and maintaining an individual customer account on the website.
    Legal basis: Article 6(1)(b) GDPR – necessity for the performance of a contract for the provision of services by electronic means.
  2. Order placement – for the purpose of performing the sales contract for Products.
    Legal basis: Article 6(1)(b) GDPR – performance of a contract.
  3. Newsletter subscription – for the purpose of sending marketing messages to the email address.
    Legal basis: Article 6(1)(a) GDPR – the data subject’s consent.
  4. Personal data may also be processed for the purpose of handling complaints, order cancellations, processing returns – including partial returns – and in the case of email or phone contact concerning the agreed method of handling a submission. The legal basis is Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR (the Controller’s legitimate interest – sales support and contact with the Customer).

3. Our priority is to ensure that the privacy of the Store’s Users is protected in a manner at least equivalent to the standards arising from applicable law – in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR), the Act of 18 July 2002 on the Provision of Services by Electronic Means (Journal of Laws 2002 No. 144, item 1204, as amended), as well as the Act of 12 July 2024 – Electronic Communications Law.

4. Providing personal data by the User of the Service is voluntary. These data are processed primarily for purposes related to the creation and servicing of an account in the online Store, and also – upon obtaining appropriate consent – for marketing activities carried out by the Controller, including via the newsletter. Processing may also take place on the basis of the Controller’s legitimate interest, which is the promotion of its products and services.

5. In the case of concluding a sales contract, personal data are necessary for its proper performance – including, in particular, for processing and handling the order and dispatching the shipment with the purchased goods. Failure to provide the data required to fulfill the order makes it impossible to conclude the sales contract.

6. Additionally, personal data may be used to conduct analyses regarding user behavior and their activity in the Store. This may also include making decisions in a partially automated manner, i.e., profiling.

7. The legal basis for the processing of personal data for marketing purposes, including within the framework of newsletter subscription and activities based on profiling, is the Customer’s or User’s consent (Article 6(1)(a) GDPR) and the Controller’s legitimate interest (Article 6(1)(f) GDPR) consisting in carrying out direct marketing of its own products and services.

8. In the case of registering an account or placing an order – the processing of personal data is necessary to conclude and perform the contract, which follows from Article 6(1)(b) GDPR.

§ 2 YOUR RIGHTS

1. You have the right to:

  • access the data (Article 15 GDPR),
  • rectification (Article 16 GDPR),
  • erasure (Article 17 GDPR),
  • restriction of processing (Article 18 GDPR),
  • data portability (Article 20 GDPR),
  • object (Article 21 GDPR),
  • withdraw consent.

You also have the right to lodge a complaint with the President of the UODO.

§ 3 SCOPE AND PURPOSES OF PROCESSING

  1. Orders – Article 6(1)(b) and (c) GDPR: performance and legal obligations (accounting, security).
  2. Account – Article 6(1)(b) GDPR: performance of the account maintenance contract.
  3. Contact – Article 6(1)(b)/(f) GDPR: providing responses, communication.
  4. Analytical activities – Article 6(1)(f) GDPR: improving the Store.
  5. Newsletter – Article 6(1)(a)/(f) GDPR: sending and effectiveness analysis.
  6. Pursuing claims – Article 6(1)(f) GDPR.
  7. Returns, order cancellations and complaints – Article 6(1)(b), (c) and (f) GDPR: performance of the sales contract, legal obligation arising from warranty or withdrawal, and the Controller’s legitimate interest consisting in ensuring efficient after‑sales service.
  8. Personal data will be stored: until the User withdraws the consent given or objects to further processing, and in the case of data related to order fulfillment – for a maximum period of 5 years counted from the date of its performance (e.g., for tax obligations or defense against claims).

§ 4 DATA RETENTION PERIOD

Data are processed for the duration of contracts and until the expiry of the limitation period for claims. In the case of data processed on the basis of consent – until it is withdrawn.

For data concerning the handling of returns or complaints, the retention period may be extended until the expiry of the limitation period for any claims related to the sales contract.

§ 5 DATA SECURITY

We apply organizational and technical measures in accordance with the GDPR, including SSL/TLS encryption, backup systems, access control, and other security procedures.

Personal data may be processed with consent for the purpose of sending marketing content by email or phone.

Legal bases: Article 6(1)(a) GDPR, Article 10(2) of the Act on the Provision of Services by Electronic Means (UŚUDE), Article 172(1) of the Telecommunications Law.

§ 6 COOKIES AND TRACKING TECHNOLOGIES

The Store’s website uses “cookies”, i.e., small text files saved on the User’s end device (computer, tablet, smartphone). The installation of cookies is necessary for the proper functioning of the website and enables the improvement of service quality, including the adjustment of content and offers to the User’s preferences.

Cookies are used for the following purposes:

  • ensuring the proper operation and security of the website (technical cookies),
  • remembering the User’s preferences (e.g., cart settings, language),
  • keeping visit statistics and analyzing traffic (analytical cookies),
  • carrying out advertising and remarketing campaigns in advertising networks (Google Ads, Meta/Facebook/Instagram, Pinterest, TikTok),
  • personalizing marketing content, including within automation in the Omnisend system (email, SMS, social media campaigns).

Two basic types of cookies are used on the website:

  • “session cookies” – temporary files stored on the User’s device until leaving the website or closing the browser,
  • “persistent cookies” – stored on the User’s device for the time specified in the file parameters (e.g., 30 days, 6 months or up to 24 months) or until they are manually deleted.

The Controller also uses third‑party cookies from:

  • Google LLC (USA) – for analytical (Google Analytics) and advertising purposes (Google Ads),
  • Meta Platforms Ireland Ltd. (Ireland) and Meta Platforms, Inc. (USA) – for advertising and remarketing (Facebook Pixel, Instagram),
  • Pinterest Europe Ltd. (Ireland) – for advertising purposes,
  • TikTok Technology Ltd. (Ireland) and TikTok Inc. (USA) – for advertising and analytical purposes,
  • UAB Omnisend (Lithuania) – for marketing automation (email, SMS, social media).

Third‑party cookies may be used to:

  • display advertisements tailored to the User’s preferences,
  • measure the effectiveness of advertising campaigns,
  • create so‑called “lookalike audiences” on social networks.

Data from cookies do not personally identify the User, but may be combined with other data if the User has consented to marketing communications (e.g., via the newsletter).

The User may decide on the scope of consent to the use of cookies:

  • by choosing the appropriate settings in the cookie banner that appears upon the first visit to the website,
  • by changing browser settings at any time – detailed information is available in the browser’s help resources.

The Controller may record information about users’ activity (clicks, pages visited, selected links).

Cookies may be deleted automatically after a specified period – e.g., after 15 minutes of inactivity or after closing the browser – or may be stored longer, depending on their type and purpose, for up to 24 months.

Legal basis: Article 6(1)(f) GDPR – legitimate interest consisting in improving the functionality of the Store.

§ 7 ANALYTICAL ACTIVITIES

We may analyze how our Store is used, e.g., clicks, time spent on the site, newsletter effectiveness. We undertake these activities when you give consent through browser settings or the cookie banner.

Data may be transferred to entities cooperating with the Controller in the scope of: IT and technical support of the Service, legal and accounting services, provision of marketing services, order delivery and logistics support.

§ 8 DATA RECIPIENTS

As part of promotional activities, the Controller uses the support of external advertising platforms such as Facebook or Google. Thanks to this cooperation, it is possible to display the Store’s advertisements on social networks or in internet search engines. The Controller may also transfer data to providers handling return forms, complaint submission systems, and partners enabling the technical processing of contact data for after‑sales support purposes.

For this purpose, the Controller may share collected personal data – e.g., email addresses of users who have consented to receive commercial communications – with selected advertising partners. These data are then compared with the database of the given service (e.g., Facebook). If there is a match (e.g., the same email address), the user may see our ads on social media or in search engines.

Additionally, the provided data may be used to create so‑called lookalike audiences. The legal basis for such operations is the Controller’s legitimate interest in carrying out direct marketing of its own products and services (Article 6(1)(f) GDPR).

We transfer data, among others, to:

  • hosting providers,
  • e‑commerce system providers (Shopify),
  • payment operators,
  • courier companies,
  • accounting firms,
  • mailing tools (Omnisend),
  • analytical tools (Google Analytics, Microsoft Clarity).

Some data are transferred to countries outside the EEA – Canada and the USA – in accordance with the principles of the Data Privacy Framework.

§ 9 TRANSFERS OF DATA OUTSIDE THE EEA

1. Data may be transferred to:

  • Canada – European Commission Decision 2002/2/WE,
  • USA – if the entity participates in the Data Privacy Framework program.

§ 10 EXTERNAL SERVICES AND PLUGINS

  1. On the website we use or may use:
    • online chat,
    • social plugins (Facebook, Instagram, TikTok, Pinterest),
    • contact forms.
  2. These tools may transfer personal data to external services.
  3. The Store uses so‑called social plugins (“plugins”) of social networks. When viewing the website www.lacyerstudio.com containing such a plugin, the Service Recipient’s browser establishes a direct connection to the servers of Instagram, Pinterest and Google.
  4. The content of the plugin is transmitted by the given provider directly to the Service Recipient’s browser and integrated with the website. Thanks to this integration, providers receive information that the Service Recipient’s browser has displayed the www.lacyerstudio.com website, even if the Service Recipient does not have a profile with the given provider or is not currently logged in. Such information (together with the Service Recipient’s IP address) is sent by the browser directly to the provider’s server (some servers are located in the USA) and stored there.
  5. If the Service Recipient logs into one of the above social networks, the provider will be able to directly assign the visit to www.lacyerstudio.com to the Service Recipient’s profile in the given social network.
  6. The purpose and scope of data collection and their further processing and use by the providers, as well as the possibility of contact and the Service Recipient’s rights in this respect and the possibility of making settings ensuring the protection of the Service Recipient’s privacy are described in the providers’ privacy policies:

https://help.instagram.com/519522125107875?helpref=page_content
https://policy.pinterest.com/pl/privacy-policy
https://policies.google.com/privacy?hl=pl&gl=ZZ
https://www.tiktok.com/legal/page/eea/privacy-policy/pl
https://www.facebook.com/policy.php

  1. If the Service Recipient does not want social networks to assign data collected during visits to the www.lacyerstudio.com website directly to their profile in the given service, they must log out of that service before visiting www.lacyerstudio.com. The Service Recipient may also completely prevent the loading of plugins on the website by using appropriate browser extensions, e.g., blocking scripts with “NoScript”.
  2. The Controller uses remarketing tools on its website, i.e., Google Ads. Their use involves the use of cookies by Google LLC relating to the Google Ads service. Within the cookie settings management mechanism, the Service Recipient may decide whether the Service Provider will be able to use Google Ads (external cookie controller: Google LLC, USA) in relation to them.
  3. The return form available on the Store’s website (the “Returns” tab) allows Customers to send data regarding withdrawal from the contract for the purpose of exercising the right of withdrawal, in accordance with Article 6(1)(c) GDPR.

§ 11 FINAL PROVISIONS

For matters not regulated, the GDPR and Polish law apply.

The Policy may be amended – we will inform you in advance on the Store’s website.