
Privacy Policy for Personal Data (GDPR) on marekmatysiak.com
Effective from: 01.03.2026
Intro
This space is dedicated to providing comprehensive information on legal matters related to your interaction with our website and services. Its purpose is to ensure transparency, compliance with applicable laws, and the protection of your rights and understanding as a user.
Table of Contents:
- Identity of the Data Controller
- Definitions
- Purposes of Personal Data Processing
- Methods of Collecting Personal Data
- Scope of Personal Data Processed
- Personal Data Processing Period
- Recipients of Personal Data
- Transfer of Data Outside the European Economic Area (EEA)
- Data Controller’s Social Media Fan Pages
- Rights of Data Subjects
- Final Provisions
§1
Identity of the Data Controller
- The controller of personal data provided during the use of the Website and/or Online Store operated under the name Marek Matysiak Design is MMXX S.C., ul. Chmielna 2/31, 00-020 Warsaw, Poland, Tax Identification Number (NIP): 5252820923.
The Data Controller may be contacted:
– by e-mail: contact@marekmatysiak.com
– via the contact form available at contact@marekmatysiak.com/contact
– by post: MMXX S.C., ul. Chmielna 2/31, 00-020 Warsaw, Poland
- Data is processed in accordance with the currently applicable legal provisions, i.e., Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR), the Act of 10 May 2018 on the Protection of Personal Data, and the Act of 12 July 2024 — Electronic Communications Law.
- This Privacy Policy covers the rules governing the processing of data of Website and/or Store Users, as well as individuals entering into agreements with the Data Controller, including those related to the performance of an Order and/or contract, data collected through contact with the Data Controller (e-mail address, telephone, traditional correspondence), and individuals who like and/or follow the Data Controller’s fan pages on social media, if applicable.
§2
Definitions
- The following definitions apply in this Privacy Policy:
- Data Controller — the entity that determines the purposes and means of processing personal data; in this policy, this refers to: MMXX S.C., ul. Chmielna 2/31, 00-020 Warsaw.
- Personal Data — any information that, without disproportionate time and cost, may lead to the identification of a natural person, including their identification, address, and contact data.
- Third Country — a country outside the European Economic Area (EEA).
- Website — the website available at marekmatysiak.com, through which the User may browse the website content, subscribe to the newsletter, or contact the Data Controller via the contact details or contact forms available on the website.
- Store — the online store available at marekmatysiak.com/store, through which the Buyer may purchase specified Goods and/or Digital Products.
- User/Data Subject — a natural person whose data is processed and who uses the services available on the Website/Store.
§3
Purposes of Personal Data Processing
- The Data Controller processes personal data only when permitted by the currently applicable legal provisions, including for the following purposes:
- Preparation and performance of a concluded sales contract, including the conclusion of a distance contract through the online store (Order), to which the individual is a party, as well as the exercise of rights arising therefrom (non-conformity with contract, withdrawal from contract, etc.) — processing is carried out on the basis of Article 6(1)(b) GDPR;
- Documentation of the performance of concluded contracts, including the issuance of a receipt or invoice, maintaining accounting and tax records — on the basis of Article 6(1)(c) GDPR, i.e., for the purpose of fulfilling legal obligations incumbent upon the Data Controller, pursuant to Article 70 of the Act of 29 August 1997 — Tax Ordinance;
- Taking action at the request of the data subject, including providing answers to questions submitted via electronic means of communication or processing traditional correspondence — on the basis of Article 6(1)(b) GDPR;
- Sending requested marketing information by electronic means (newsletter) to the e-mail address provided by the User for that purpose — on the basis of the User’s consent, in accordance with Article 6(1)(a) GDPR and Article 398 of the Act of 12 July 2024 — Electronic Communications Law;
- Registration and creation of an Account in the Store — on the basis of Article 6(1)(a) GDPR, i.e., the consent of the data subject;
- Marketing of the Data Controller’s own products and services by traditional means — on the basis of Article 6(1)(f) GDPR, i.e., for the purposes of the legitimate interests of the Data Controller or the data subject;
- Sending an e-mail requesting a review of the Store and/or Goods/Product — on the basis of Article 6(1)(f) GDPR; this processing is carried out in pursuit of the legitimate interest of the Data Controller (Seller), which is the improvement of the offer and/or Goods/Product and/or Store through the collection of reliable reviews by the Store owner;
- Sending a request for a review of the Data Controller’s services and Goods/Products through external satisfaction survey services — with the consent of the data subject, i.e., on the basis of Article 6(1)(a) GDPR;
- Pursuing rights and claims by the Data Controller or the data subject — on the basis of Article 6(1)(f) GDPR, carried out in pursuit of a legitimate interest.
- Providing personal data is necessary for the performance of a distance contract, including the shipment of Goods or the provision of access to a Digital Product, and/or the issuance of an accounting document, the pursuit of claims, and the provision of answers to the User’s questions. Providing personal data for other purposes is voluntary.
- Failure to provide the required data renders it impossible to perform the distance contract (Order), issue a receipt or invoice, or establish contact at the request of the data subject.
§4
Methods of Collecting Personal Data
- The User’s personal data is collected directly from the data subjects, i.e., through:
- completing the contact form with contact details when submitting an inquiry via the website form,
- completing the newsletter subscription form,
- completing the order form in the Store,
- registering an account on the Website and/or Store,
- providing data for the preparation, conclusion, and performance of a contract (Order) via available contact channels,
- direct contact with the Data Controller using the contact details available on the website or in person at the place of business.
§5
Scope of Personal Data Processed
- The scope of personal data processed has been limited to the minimum necessary for the provision of services with respect to:
- submitting an inquiry via the contact form or using the contact details available on the Website: e-mail address, telephone number, first name, and any other data voluntarily provided by the data subject;
- subscribing to the newsletter: first name, e-mail address;
- placing an Order in the Store: first and last name, e-mail address, telephone number, delivery address, and optionally the address of a pick-up point;
- registering an account on the Website and/or Store: first and last name, e-mail address, password, login;
- issuing a receipt, invoice, or other accounting document: first and last name or entity name, registered address, Tax Identification Number (NIP);
- preparation, conclusion, and performance of a contract: first and last name, address, etc.
§6
Personal Data Processing Period
- The processing period depends on the purpose for which the data was collected and is as follows:
- Conclusion and performance of a sales contract, including distance sales (Order) — for the period necessary to document the performance of the contract, including the issuance of a receipt or invoice — 5 years from the end of the calendar year in which the tax payment deadline expired, pursuant to Article 112 of the Act of 11 March 2004 on the Tax on Goods and Services, in conjunction with Article 70 of the Act of 29 August 1997 — Tax Ordinance;
- Sending commercial information by electronic means (newsletter) and/or creation of a Store Account / sending review requests through external satisfaction survey services — until the consent is withdrawn, without affecting the lawfulness of processing carried out prior to the withdrawal;
- Responding to questions submitted via the contact form or by telephone — for the period necessary to provide a response, but no longer than 6 months, unless the individual decides to enter into a contract with the Data Controller;
- Pursuing claims — pursuant to Article 118 of the Act of 23 April 1964 — Civil Code. Unless a specific provision provides otherwise, the limitation period is six years, and for periodic performance claims and claims related to the conduct of business activity — three years.
§7
Recipients of Personal Data
- The User’s personal data may be entrusted to other entities for the purpose of performing services on behalf of the Data Controller, in particular entities supporting the business operations of the Data Controller with respect to:
- hosting of the website and/or Store,
- e-mail hosting,
- maintenance and support of IT systems in which data is processed, including for the purposes of newsletter automation, issuance of accounting documents, order processing, etc.,
- accounting services (accounting office),
- courier service brokerage (websites and platforms enabling the shipment of Goods through selected couriers, typically without the need to enter into a permanent agreement with the courier).
- The User’s personal data may also be disclosed to entities providing courier and/or postal services, banks and/or electronic payment operators on the Website and/or Store, as referred to in the Store Terms and Conditions.
§8
Transfer of Data Outside the European Economic Area (EEA)
- The User’s personal data will be processed by providers whose registered offices and/or servers are located in the United States of America. The transfer of data to the USA is carried out on the basis of the European Commission’s adequacy decision of 10 July 2023, establishing an adequate level of protection of personal data ensured by the EU-US Data Privacy Framework with respect to providers listed by the U.S. Department of Commerce, such as: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Meta Platforms, Inc., Menlo Park, California, USA.
§9
Data Controller’s Social Media Fan Pages
- The Data Controller also acts as a joint controller of the data of its followers on social media — particularly individuals who use electronic means of communication on the fan pages — Facebook “@marekmatysiak” and/or Instagram under the account name “@marekmatysiak_,” operated by the Data Controller on these social media platforms.
- In all other respects, the controller of the data of users of these social media platforms is Meta Platforms, Inc., Menlo Park, California / Meta Platforms Ireland Limited (formerly: Facebook Inc., with its registered office at 1 Hacker Way, Menlo Park, CA 94025, USA), and the processing of such data is governed by the terms and privacy policies of these platforms, including: https://www.facebook.com/privacy
- The User’s personal data will be processed in the United States of America (USA). The transfer of data to the USA is carried out on the basis of the European Commission’s adequacy decision of 10 July 2023, establishing an adequate level of protection of personal data ensured by the EU-US Data Privacy Framework with respect to providers listed by the U.S. Department of Commerce, such as: Meta Platforms, Inc., Menlo Park, California, USA.
§10
Rights of Data Subjects
- Data subjects have the right to:
- access their personal data, including the right to receive the first copy of their personal data free of charge;
- rectification of data that is inaccurate or has been changed;
- erasure of data, unless other legal provisions require the Data Controller to archive the data for a specified period;
- data portability, provided that the basis for processing is a contract or the consent of the data subject, and the processing is carried out by automated means;
- withdraw consent to the processing of personal data — if the basis for processing was the consent of the data subject. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal;
- object to the processing of data — on grounds relating to the data subject’s particular situation, with respect to the processing of personal data based on Article 6(1)(e) or (f) GDPR, as well as the right to restriction of processing;
- not be subject to automated profiling, if the Data Controller were to make decisions based solely on automated profiling that produce legal effects concerning the data subject or similarly significantly affect them;
- control of data processing and information about the identity of the Data Controller, as well as information about the purpose, scope, and manner of data processing, the content of such data, the source of the data, and the manner of disclosure, including the recipients or categories of recipients of the data.
- In order to exercise the right to information, access to data content, rectification, and other rights, the data subject may contact the Data Controller.
- The data subject also has the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) if the processing of data violates the provisions of the General Data Protection Regulation (GDPR). A complaint may be filed electronically or by traditional post to the following address: Personal Data Protection Office (Urząd Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland.
§11
Final Provisions
In the event of a change to the applicable privacy policy, in particular when required by the technical solutions implemented or changes in legislation concerning the privacy of data subjects, appropriate amendments shall be introduced to this Privacy Policy (GDPR), which shall take effect within 14 days of their publication on the Website and/or Store.