Effective Date: May 1, 2025
This Privacy Policy explains how ArtH & Co. ("we", "us", or "our"), based in Poland, collects, uses, and protects your personal data when you visit our website or purchase from our shop. We comply with the EU General Data Protection Regulation (GDPR), the Polish Act on Personal Data Protection, and other applicable data protection laws.
1. Data Controller
Controller: ArtH & Co.
2. What Data We Collect
- Account & Purchase Data: Name, billing and shipping address, email, phone number, payment details (handled securely by third-party processors), and order history.
- Marketing Preferences: Your communication preferences and newsletter sign-ups.
- Customer Support: Email records, support chats, or submitted inquiries.
3. How We Use Your Data
- To process and deliver your orders
- To manage your account and preferences
- To respond to support queries
- To send updates, promotions, and newsletters (with your consent)
- To comply with legal obligations (e.g. tax records, fraud prevention)
4. Legal Bases for Processing
We process your personal data under the following lawful bases:
- Contractual necessity – for fulfilling orders and providing services.
- Consent – for sending marketing emails or newsletters (can be withdrawn at any time).
- Legal obligations – for accounting and regulatory compliance.
- Legitimate interests – such as website analytics and service improvement, provided these interests do not override your rights.
5. Data Sharing and Third Parties
We only share your personal data with trusted service providers who are GDPR-compliant. These include:
- Payment processors (e.g. Stripe, PayPal)
- Email platforms (e.g. Mailchimp)
- Website hosting and analytics (e.g. Cloudflare, Google Analytics)
- Delivery and logistics companies
These third parties only process data as instructed and do not use it for their own purposes.
6. Data Transfers Outside the EEA
If we transfer your data outside the European Economic Area (EEA), we ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions approved by the European Commission.
7. Data Retention
We retain your data only as long as necessary:
- Order and purchase data: up to 6 years (for tax and accounting)
- Marketing preferences: until you unsubscribe
- User account: until deleted or inactive for 36 months
- Analytics data: up to 26 months (anonymized where possible)
8. Your Rights
Under the GDPR, you have the right to:
- Access your personal data
- Correct or update inaccurate information
- Request deletion of your data ("right to be forgotten")
- Restrict or object to data processing
- Withdraw consent at any time
To exercise these rights, email us at: [email protected]
9. Data Security
We take data protection seriously and use appropriate measures such as:
- SSL/TLS encryption for all data in transit
- Firewall and anti-malware protection
- Role-based access controls
- Secure payment processing (no card data stored on our servers)
10. Children's Privacy
Our site is not intended for children under 16. We do not knowingly collect personal data from minors. If we discover such data has been collected, we will delete it immediately.
11. Changes to This Policy
We may update this policy from time to time. Updates will be posted on this page with the "Effective Date" revised accordingly. We encourage you to review this policy regularly.