Privacy Policy

1. General information

This Privacy Policy outlines the principles for processing and protecting personal data provided by Users in connection with their use of Crazyshapes.pl services through the Website.

2. Data controller

The controller of personal data contained in the website is Onee Sp. z o.o. based in Kraków, Tax ID (NIP) 678 315 75 53, REGON 363209440, KRS 0000591488.

3. Glossary

• Cookie– a small piece of information saved by the server on the User's computer, which the server can read upon reconnecting from that computer.
• IP address– an individual number that is generally assigned to every computer connected to the Internet. The IP number can be permanently associated with a given computer (static) or assigned for a specific connection (dynamic).
• SSL protocol– a special standard for transmitting data on the Internet in which the transmission is encrypted, as opposed to regular transmission where data is sent in plain text.

4. Data security

To protect the entrusted data, internal procedures and recommendations have been developed to prevent the disclosure of data to unauthorized persons. Constant monitoring of their execution prevents errors. Their compliance with relevant legal acts – the Personal Data Protection Act, the Act on Providing Services by Electronic Means, as well as all types of implementing regulations and Community law acts – is continuously verified.

5. Legal basis for processing

Personal Data is processed on the basis of consent given by the User (Art. 6(1)(a) GDPR), for the performance of a contract concluded between the parties (Art. 6(1)(b) GDPR), in cases where the law authorizes the Controller to process personal data (Art. 6(1)(c) GDPR), and on the basis of the legitimate interest of the Controller (Art. 6(1)(f) GDPR), in particular for the purpose of operating post-purchase review and opinion programmes.

6. Information collection

The Website collects information about users and their behaviour in the following ways:

• through information voluntarily entered in forms,
• through the collection of "cookies".

7. Cookies

The Website, in accordance with Art. 173 of the Telecommunications Act of 16 July 2004, uses Cookies which constitute IT data, in particular text files, stored on the User's end device. Cookies typically contain the name of the website from which they originate, the duration of their storage on the end device, and a unique number.

Cookies are used for the purpose of:

• facilitating the User's use of the Website while browsing,
• subsequent recognition of the User when the Website reconnects with the device on which they were stored,
• creating statistics that help understand how Website users use web pages, which enables improving their structure and content,
• adapting the content of the Website pages to the User's specific preferences and optimizing the use of web pages tailored to the User's individual needs.

8. Managing cookies

Web browsing software, i.e. the web browser, usually allows by default the storage of Cookies on the User's end device. Website Users can change the settings in this regard. The web browser allows for the deletion of Cookies. It is also possible to automatically block Cookies. Detailed information on this subject can be found in the help or documentation of the User's web browser.

If the User does not wish to receive Cookies, they can change their browser settings. However, disabling Cookies necessary for authentication, security, or maintaining User preferences may hinder, and in extreme cases also prevent the use of the Website.

9. Voluntary data provision

The Website collects information voluntarily provided by the user.

10. Purpose of form data processing

Data provided in the form is processed for the purpose resulting from the function of the specific form, e.g. for the purpose of handling an informational contact request.

11. Data sharing

Personal data left on the website will not be sold. In order to properly provide our services, data may be shared with the following entities:

• mElements S.A. (PayNow)– online payment processing. Data transferred: data necessary for the execution of a payment transaction (name, surname, email address, transaction amount).
• Ceneo Sp. z o.o.– Trusted Reviews programme: transfer of email address, order ID and product identifiers for the purpose of verifying the authenticity of reviews and collecting post-purchase feedback. Legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR).
• Resend Inc.– sending transactional emails (order confirmation, notifications). Data processed in accordance with Resend DPA.
• Upstash Inc.– order data storage in the database. Data processed in accordance with Upstash DPA.
• Google Ireland Limited– web analytics (Google Analytics 4) and online advertising (Google Ads). Data collected: anonymous data about visits, on-site behaviour, purchase conversions, and ad performance. Data may be transferred to Google LLC in the USA based on Standard Contractual Clauses (SCC).
• Microsoft Corporation (Clarity)– user behaviour analysis on the website (session recordings, heatmaps). Collected data is anonymised and does not contain personal data. Data processed in accordance with Microsoft DPA.
• Tawk.to Inc.– live chat / customer support. As part of operating the widget, Tawk may process IP address, device and browser technical data, chat content, and data stored in cookies, localStorage, and sessionStorage. According to Tawk documentation, data is hosted in the USA, and information about transfers and processing is described in Tawk documentation: personal data and cookies.

12. Data retention period

Personal data of Users is stored for the period necessary to fulfill the purposes for which it was collected, in particular: data related to order processing – for a period of 5 years from the end of the calendar year in which the transaction was made (in accordance with tax regulations); data processed on the basis of consent – until its withdrawal; data processed on the basis of the legitimate interest of the Administrator – until an effective objection is raised. After the retention period expires, data is deleted or anonymized.

13. User rights

The natural person who entered data in the form has the right to access that data. This person also has the right to modify and cease the processing of their data at any time.

14. Changes to the privacy policy

We reserve the right to change the privacy policy of the website, which may be influenced by the development of Internet technology, possible changes in the law regarding the protection of personal data, and the development of our website. We will inform about any changes in a visible and understandable manner.

If you have any doubts about any provision of this privacy policy, we are at your disposal – our contact details can be found in the CONTACT section.

Last updated: March 2026