Privacy policy

Privacy Policy of the Online Store

www.evamats.store

§ 1 General Provisions

  1. The controller of personal data collected via the online store available at www.evamats.store is:
    EVAMATS Spółka z ograniczoną odpowiedzialnością (limited liability company)
    registered in the Register of Entrepreneurs of the Polish National Court Register (KRS) under number 0000960954
    registered office and correspondence address: ul. Strzelca 42, 80-299 Gdańsk, Poland
    NIP (Polish Tax ID): 5862378667, REGON: 521519084
    e-mail: info@evamats.store
    telephone: +48 732 082 512
    hereinafter referred to as the "Controller", who is also the Service Provider.
  2. Personal data collected by the Controller via the website are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR).
  3. Any capitalized terms used in this Privacy Policy shall have the meaning assigned to them in the Terms and Conditions of the Online Store www.evamats.store, unless otherwise stated herein.
  4. Customers outside the European Economic Area: Where the User is located outside the EU/EEA, the Controller still applies GDPR-level protection as a baseline standard. However, additional or alternative privacy laws may apply to such Users:
    • United States – California: Users in California have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete, the right to correct, and the right to opt-out of the "sale" or "sharing" of personal information.
    • United Kingdom: Users in the UK have rights under the UK Data Protection Act 2018 and UK GDPR, which mirror EU GDPR rights.
    • Switzerland: Users in Switzerland have rights under the Federal Act on Data Protection (FADP/nFADP).
    • Other jurisdictions: Users may have rights under their local data protection laws and can contact the Controller via info@evamats.store to exercise such rights.

§ 2 Type of Personal Data Processed, Purpose and Scope of Data Collection

1. Purposes of processing and legal basis

The Controller processes Users' personal data in the following cases:

  • Placing an order in the Online Store – for the purpose of performance of a sales contract, pursuant to Article 6(1)(b) GDPR (performance of a contract),
  • Using the Price Quotation Form – for the purpose of responding to an inquiry, pursuant to Article 6(1)(f) GDPR (legitimate interest of the Controller),
  • Subscribing to the Newsletter – for the purpose of sending commercial information by electronic means, based on the User's consent, pursuant to Article 6(1)(a) GDPR,
  • Using the Review System – for the purpose of enabling the Customer to express an opinion about the purchased Product and the concluded sales contract, pursuant to Article 6(1)(f) GDPR (legitimate interest of the Controller),
  • Using the Contact Form – for the purpose of handling inquiries submitted by Users, pursuant to Article 6(1)(f) GDPR (legitimate interest of the Controller).

2. Types of personal data processed

Depending on the service used, the User may be requested to provide the following data:

  • Order: full name, address, VAT number (if applicable), e-mail address, telephone number,
  • Price Quotation Form: full name, e-mail address, telephone number,
  • Newsletter: full name, e-mail address,
  • Review System: full name, e-mail address,
  • Contact Form: full name, e-mail address, telephone number.

3. Data retention period

Personal data are stored by the Controller:

  • where the legal basis is performance of a contract – for the duration necessary to perform the contract, and thereafter for the period required by applicable limitation periods for claims,
  • where the legal basis is consent – until such consent is withdrawn, and thereafter for the period required by applicable limitation periods for claims.

4. Additional data

When using the Online Store, additional information may be collected automatically, in particular:

  • IP address,
  • domain name,
  • browser type,
  • access time,
  • operating system type.

Such data are processed for security, statistical and functional purposes based on the legitimate interest of the Controller (Article 6(1)(f) GDPR).

Providing personal data is voluntary, but may be necessary to conclude a contract or use specific services offered by the Online Store.

5. Due diligence

The Controller exercises due diligence to protect the interests of data subjects and ensures that personal data are:

  • processed lawfully, fairly and transparently,
  • collected for specified, explicit and legitimate purposes,
  • adequate, relevant and limited to what is necessary,
  • accurate and kept up to date,
  • stored in a form permitting identification of data subjects for no longer than necessary.

§ 3 Disclosure of Personal Data

  1. The personal data of Users may be disclosed to external service providers used by the Controller in connection with the operation of the Online Store, in particular to:
    • entities responsible for the delivery of Products (couriers),
    • payment service providers (Stripe, PayPal, Przelewy24, BLIK, Shopify Payments),
    • providers of review and opinion systems,
    • accounting and bookkeeping service providers,
    • hosting and infrastructure service providers (Shopify Inc.),
    • software providers enabling the operation of the business,
    • mailing system providers (e.g. Klaviyo, Mailchimp),
    • CRM system providers,
    • providers of software necessary for operating the online store, IP telephony service providers.
  2. Depending on contractual arrangements and circumstances, the above-mentioned service providers process personal data either:
    • on behalf of the Controller and in accordance with its instructions (data processors), or
    • as independent data controllers who determine the purposes and means of processing.
  3. As a rule, Users' personal data are stored within the European Economic Area (EEA). Where personal data are transferred outside the EEA (e.g., to the United States or Canada for services such as Shopify, Google Analytics, Meta/Facebook, or other US-based vendors), this shall take place only in compliance with GDPR, in particular on the basis of:
    • Standard Contractual Clauses (SCCs) approved by the European Commission,
    • Adequacy decisions (e.g., EU-US Data Privacy Framework),
    • Or other appropriate safeguards.
  4. Users have the right to request information about the specific safeguards in place for international data transfers by contacting info@evamats.store.

§ 4 Rights of Data Subjects

  1. Any person whose personal data are processed by the Controller has the right to:
    • access their personal data,
    • rectification of inaccurate or incomplete data,
    • erasure of data ("right to be forgotten"),
    • restriction of processing,
    • data portability,
    • object to the processing of personal data,
    • withdraw consent at any time, without affecting the lawfulness of processing carried out before its withdrawal,
    • not to be subject to automated decision-making, including profiling, in accordance with Article 22 GDPR.
  2. The legal basis for exercising the above rights arises from the following provisions of GDPR:
    • right of access – Article 15 GDPR,
    • right to rectification – Article 16 GDPR,
    • right to erasure – Article 17 GDPR,
    • right to restriction of processing – Article 18 GDPR,
    • right to data portability – Article 20 GDPR,
    • right to object – Article 21 GDPR,
    • right to withdraw consent – Article 7(3) GDPR,
    • right not to be subject to automated decision-making – Article 22 GDPR.
  3. In order to exercise the above rights, the data subject may submit a request by e-mail to: info@evamats.store.
  4. The Controller shall respond to the request without undue delay and in any event within one month of receipt of the request. Where necessary, due to the complexity or number of requests, this period may be extended by a further two months, of which the data subject shall be informed within one month of receipt of the request, together with the reasons for the delay.
  5. If a data subject considers that the processing of personal data violates the provisions of GDPR, they have the right to lodge a complaint with a competent supervisory authority in a Member State of the European Union, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement. The lead supervisory authority for the Controller is the Polish UODO (Urząd Ochrony Danych Osobowych, www.uodo.gov.pl).

For California Residents (CCPA)

California residents may exercise the following rights under the California Consumer Privacy Act:

  • The right to know what personal information is collected, used, shared, or sold;
  • The right to delete personal information;
  • The right to correct inaccurate personal information;
  • The right to opt-out of the "sale" or "sharing" of personal information for cross-context behavioral advertising;
  • The right to non-discrimination for exercising your CCPA rights.

To exercise these rights, please contact info@evamats.store with "CCPA Request" in the subject line.

§ 5 Cookies

  1. The Controller's website available at www.evamats.store uses cookies.
  2. Cookies are IT data, in particular text files, which are stored on the User's end device and are intended for use of the Online Store website. Cookies usually contain the name of the website from which they originate, the time of storage on the end device and a unique number.
  3. Cookies are used in order to:
    • ensure the proper functioning of the Online Store,
    • adapt the content of the website to the User's preferences,
    • optimize the use of the website,
    • generate anonymous statistics helping to understand how Users interact with the website.
  4. The Online Store uses the following types of cookies:
    • Session cookies – temporary files stored on the User's device until logging out, leaving the website or closing the browser,
    • Persistent cookies – files stored on the User's device for a period specified in the cookie parameters or until deleted by the User.
  5. The Controller uses its own cookies to analyze Users' interactions with the website. These cookies collect information such as: the way the website is used, the type of page from which the User was redirected, the number of visits and duration of visits. These data do not allow for direct identification of the User and are used solely for statistical purposes.
  6. The Controller may also use third-party cookies, in particular for analytical and marketing purposes, including: Google Analytics (cookie administrator: Google LLC, USA), advertising and remarketing tools (e.g. Google Ads, Meta Platforms, TikTok, Pinterest).
  7. Third-party cookies may be used to display advertisements tailored to the User's interests based on their activity on the Online Store, including information about navigation paths or time spent on specific pages.
  8. The use of non-essential cookies (analytical and marketing cookies) takes place only after obtaining the User's consent, expressed via the cookie consent banner displayed upon entering the website, in accordance with GDPR and the ePrivacy Directive.
  9. The User has the right to manage cookies by:
    • selecting the categories of cookies they consent to via the cookie consent mechanism displayed on the website,
    • changing cookie settings in their web browser at any time,
    • using the "Cookie Settings" link in the footer of our website to update preferences at any time.
  10. Detailed information on managing cookies is available in the settings of the web browser used by the User.

§ 6 Additional Services Related to User Activity in the Online Store

  1. The Online Store uses so-called social media plugins ("plugins") provided by social networking services. By visiting the website www.evamats.store containing such a plugin, the User's browser establishes a direct connection with the servers of the following service providers: Facebook / Meta, TikTok, Pinterest, YouTube, Instagram.
  2. The content of the plugin is transmitted directly by the respective service provider to the User's browser and integrated into the website. As a result, the service providers receive information that the User's browser has accessed the website www.evamats.store, even if the User does not have an account with the respective provider or is not logged in at that time.
  3. Such information, together with the User's IP address, is transmitted directly to the servers of the respective service provider (some of which may be located outside the European Union, including the United States) and stored there.
  4. If the User is logged in to one of the above social networking platforms, the service provider may directly associate the visit to www.evamats.store with the User's profile on that platform.
  5. If the User uses the Online Store www.evamats.store, relevant information may also be transmitted directly to the servers of the service providers whose plugins are embedded on the website and stored there.
  6. The purpose, scope and methods of data collection, further processing and use of data by the service providers, as well as the User's rights and options for protecting privacy, are described in the privacy policies of the respective providers:
  7. The User may prevent the loading of social media plugins by using appropriate browser extensions, such as script-blocking tools (e.g. NoScript).
  8. The Controller uses remarketing and advertising tools, including: Google Ads, Meta (Facebook, Instagram), Pinterest, TikTok.
  9. The use of remarketing tools involves the use of cookies administered by third-party providers. Such tools are used only with the User's consent, granted via the cookie consent mechanism available on the website, in accordance with GDPR and the ePrivacy Directive.
  10. The User may manage or withdraw consent for marketing and remarketing cookies at any time via the cookie settings available on the website.

§ 7 Final Provisions

  1. The Controller applies appropriate technical and organizational measures to ensure the protection of processed personal data, appropriate to the risks and categories of data concerned, and in particular protects the data against:
    • unauthorized access,
    • unlawful acquisition,
    • processing in violation of applicable laws,
    • alteration, loss, damage or destruction.
  2. The Controller uses appropriate technical safeguards to prevent unauthorized access to and modification of personal data transmitted electronically.
  3. In matters not regulated by this Privacy Policy, the provisions of Regulation (EU) 2016/679 (GDPR) and other applicable provisions of European Union law and the laws of the Republic of Poland shall apply.