Privacy Policy

Last updated: November 3, 2025

§1. Data Controller

The data controller is KOCHI Spółka z ograniczoną odpowiedzialnością, ul. Kukułcza 16, 65-472 Zielona Góra, Poland,
Company Registration Number (KRS): 0001060312, VAT ID (NIP): 9292079584, REGON: 526472878,
Share capital: PLN 5,000,
Email: pomoc@latwadziara.pl.
The Controller operates the online store under the brand Łatwa Dziara / SafeTatt (hereinafter referred to as the “Store”, “we”).
No Data Protection Officer (DPO) has been appointed. For data protection matters, please contact us directly at the above email.

§2. Scope and Sources of Data

We process the following types of personal data:

  • Identification and contact details (name, surname, email address, phone number, billing and shipping address);
  • Business data (if applicable);
  • Transaction data (amount, payment method, payment status);
  • Technical data (IP address, device ID, browser and operating system type);
  • Activity data (cookies, pixels, clicks, visits, shopping cart history).

Data sources: information provided directly by you (forms, orders, newsletters), cookies and pixels (after your consent), and limited aggregated data from advertising partners (e.g., after clicking our ads).

Advertising partners: Meta, Google, and TikTok may also collect information about your activity outside our Store (such as viewed ads or interests) to personalize ads. See their privacy policies for more details.

§3. Purposes and Legal Bases for Processing

Purpose | Legal Basis | Description
Order fulfillment and contracts | Art. 6(1)(b) GDPR | Processing necessary to complete payments, delivery, and order communication.
Accounting and taxation | Art. 6(1)(c) GDPR | Fulfilling legal obligations (e.g., invoicing, accounting).
Customer service and complaints | Art. 6(1)(f) GDPR | Legitimate interest – responding to inquiries.
Customer account | Art. 6(1)(b) GDPR | Maintaining your profile and order history.
Analytics (Google Analytics 4) | Art. 6(1)(a) GDPR | Only with your consent; no statistics are collected before consent.
Marketing/remarketing (Meta, Google Ads, TikTok, newsletter) | Art. 6(1)(a) GDPR | Only with your granular consent.
Security and fraud prevention | Art. 6(1)(f) GDPR | Ensuring website integrity and preventing misuse.

§4. Data Recipients

  • Shopify International Ltd. (EU) / Shopify Inc. (CA/US) – e-commerce platform and hosting provider,
  • Payment providers (Przelewy24, PayPal, Stripe, Klarna),
  • Courier and logistics companies,
  • Accounting office,
  • Meta Platforms Ireland Ltd. / Meta Platforms Inc.,
  • Google Ireland Ltd. / Google LLC,
  • TikTok Technology Ltd. / TikTok Inc.,
  • Klaviyo Inc. (USA) – email marketing and automations,
  • IT and hosting service providers.

All entities process data under Data Processing Agreements (DPAs) and apply GDPR-compliant safeguards.

§5. Data Transfers Outside the EEA

Shopify: Data is primarily processed by Shopify International Ltd. (EU). It may be transferred to Shopify Inc. (Canada)—a country recognized as adequate by the European Commission—and to subprocessors in the USA under SCC (Standard Contractual Clauses) with additional safeguards (encryption, pseudonymization, limited access).

Meta / Google: EU-based entities may transfer data to their US counterparts. By consenting to analytical or marketing cookies, you agree to this transfer. Data is processed under the EU–US Data Privacy Framework (DPF) or, where not covered, under SCC + technical measures.

Klaviyo Inc. (USA): As of this date, Klaviyo is not certified under DPF. Processing relies on SCC with additional safeguards (encryption and pseudonymization).

You may refuse consent for analytical or marketing cookies; in that case, no such data transfer occurs.

§6. Cookies and Similar Technologies

Categories of cookies:

  1. Essential – site operation (session, cart, login, checkout); no consent required.
  2. Analytical (GA4) – measure traffic and campaign performance; consent required.
  3. Marketing – ad personalization (Meta Pixel, TikTok Pixel, Google Ads); consent required.
  4. Preference – save language or UI settings; consent required.

Examples of essential cookies: session ID, cart contents, login token.

Cart history: stored in session cookies and deleted when the browser closes, unless linked to a customer account (then stored until account deletion).

Consent Management (CMP): When visiting our site for the first time, you can accept, reject, or customize cookie categories. Consent can be withdrawn at any time using the “Cookie Settings” link.

Retention:

  • Session cookies – until the session ends;
  • Analytical cookies – up to 26 months;
  • Marketing cookies – 3–24 months;
  • Preference cookies – up to 12 months.

§7. Analytical and Marketing Tools

Google Analytics 4 (GA4)

Activated only after analytical consent. No data is collected before consent. IP anonymization is enabled.

Meta Pixel / Google Ads / TikTok Pixel

Activated only after marketing consent. Example: after viewing a semi-permanent tattoo in our store, you may see related ads on Facebook, Instagram, or TikTok.

Meta, Google, and TikTok may share data within their advertising networks (Audience Network, Google Marketing Partners) as described in their privacy policies:

§8. Newsletter and Marketing Communication

Newsletter subscriptions follow a Double Opt-In process. Each email contains an “Unsubscribe” link, which immediately removes you from the list. Legal basis: Art. 6(1)(a) GDPR (consent).

§9. Profiling and Automated Decisions

We use marketing profiling to tailor ads based on your activity (e.g., products viewed, interactions). No decisions with legal effects are made without human involvement.

You have the right to:

  • object to profiling (Art. 21 GDPR);
  • request an explanation of the profiling logic;
  • withdraw your marketing consent at any time.

§10. Data Retention

  • Orders and invoices – 6 years;
  • Customer account – until account deletion;
  • Marketing data – until consent withdrawal;
  • Analytics (GA4) – up to 26 months;
  • Technical logs and IP – up to 90 days (longer if needed for security).

§11. Your Rights

You have the right to access, rectify, erase, restrict, port your data, object, and withdraw consent at any time. You may also lodge a complaint with your national data protection authority (in Poland: the President of UODO).

Right to object: you can object to processing for marketing or legitimate interests by emailing pomoc@latwadziara.pl.

Right to erasure: does not apply to data required for legal obligations (e.g., tax invoices) or defense of claims.

§12. Data Security

We apply technical and organizational safeguards: SSL/TLS encryption, pseudonymization, access controls, backups, security testing, and incident response procedures.

§13. Shopify – Data Transfers

Main processing occurs at Shopify International Ltd. (EU). Data may be transferred to Shopify Inc. (Canada) or subprocessors in the USA under SCC + additional safeguards.

References:
Shopify Privacy Policy
Shopify Data Processing Addendum (DPA)

§14. Data Sharing by Advertising Partners

Meta, Google, and TikTok may share data with other companies in their advertising ecosystems (e.g., Audience Network, Google Marketing Partners) for ad delivery and performance measurement. You can prevent this by rejecting marketing cookies in our CMP banner.

§15. Data Protection Impact Assessment (DPIA)

We conduct DPIAs for high-risk processing (profiling, cross-border data transfers, ad integrations) and apply mitigating measures: encryption, pseudonymization, access limitation (RBAC), opt-in processing, and regular audits of providers.

§16. Withdrawal of Consent

You can withdraw consent at any time via:

  • the “Cookie Settings” link (CMP),
  • the “Unsubscribe” link in any email,
  • or by emailing pomoc@latwadziara.pl.

§17. Policy Updates

This Policy may change due to legal or technological updates. Last updated: November 3, 2025. The new version takes effect upon publication.

§18. Contact

KOCHI Sp. z o.o.
ul. Kukułcza 16, 65-472 Zielona Góra, Poland
📧 pomoc@latwadziara.pl