# Privacy Policy

## 1. General information

This Privacy Policy outlines the principles for processing and protecting personal data
provided by Users in connection with their use of Crazyshapes.pl services through the
Website.

## 2. Data controller

The controller of personal data contained in the website is Onee Sp. z o.o. based in
Krakow, Tax ID (NIP) 678 315 75 53, REGON 363209440, KRS 0000591488.

## 3. Glossary

- **Cookie** - a small piece of information saved by the server on the User's computer, which the server can read upon reconnecting from that computer.
- **IP address** - an individual number that is generally assigned to every computer connected to the Internet. The IP number can be permanently associated with a given computer (static) or assigned for a specific connection (dynamic).
- **SSL protocol** - a special standard for transmitting data on the Internet in which the transmission is encrypted, as opposed to regular transmission where data is sent in plain text.

## 4. Data security

To protect the entrusted data, internal procedures and recommendations have been
developed to prevent the disclosure of data to unauthorized persons. Constant monitoring
of their execution prevents errors. Their compliance with relevant legal acts - the
Personal Data Protection Act, the Act on Providing Services by Electronic Means, as well
as all types of implementing regulations and Community law acts - is continuously
verified.

## 5. Legal basis for processing

Personal Data is processed on the basis of consent given by the User (Art. 6(1)(a)
GDPR), for the performance of a contract concluded between the parties (Art. 6(1)(b)
GDPR), in cases where the law authorizes the Controller to process personal data (Art.
6(1)(c) GDPR), and on the basis of the legitimate interest of the Controller (Art.
6(1)(f) GDPR), in particular for the purpose of operating post-purchase review and
opinion programmes.

## 6. Information collection

The Website collects information about users and their behaviour in the following ways:

- through information voluntarily entered in forms,
- through the collection of "cookies".

## 7. Cookies

The Website, in accordance with Art. 173 of the Telecommunications Act of 16 July 2004,
uses Cookies which constitute IT data, in particular text files, stored on the User's
end device. Cookies typically contain the name of the website from which they originate,
the duration of their storage on the end device, and a unique number.

Cookies are used for the purpose of:

- facilitating the User's use of the Website while browsing,
- subsequent recognition of the User when the Website reconnects with the device on which they were stored,
- creating statistics that help understand how Website users use web pages, which enables improving their structure and content,
- adapting the content of the Website pages to the User's specific preferences and optimizing the use of web pages tailored to the User's individual needs.

## 8. Managing cookies

Web browsing software, i.e. the web browser, usually allows by default the storage of
Cookies on the User's end device. Website Users can change the settings in this
regard. The web browser allows for the deletion of Cookies. It is also possible to
automatically block Cookies. Detailed information on this subject can be found in the
help or documentation of the User's web browser.

If the User does not wish to receive Cookies, they can change their browser settings.
However, disabling Cookies necessary for authentication, security, or maintaining User
preferences may hinder, and in extreme cases also prevent the use of the Website.

## 9. Voluntary data provision

The Website collects information voluntarily provided by the user.

## 10. Purpose of form data processing

Data provided in the form is processed for the purpose resulting from the function of
the specific form, e.g. for the purpose of handling an informational contact request.

## 11. Data sharing

Personal data left on the website will not be sold. In order to properly provide our
services, data may be shared with the following entities:

- **mElements S.A. (PayNow)** - online payment processing. Data transferred: data necessary for the execution of a payment transaction (name, surname, email address, transaction amount).
- **Ceneo Sp. z o.o.** - Trusted Reviews programme: transfer of email address, order ID and product identifiers for the purpose of verifying the authenticity of reviews and collecting post-purchase feedback. Legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR).
- **Resend Inc.** - sending transactional emails (order confirmation, notifications). Data processed in accordance with Resend DPA.
- **Upstash Inc.** - order data storage in the database. Data processed in accordance with Upstash DPA.
- **Google Ireland Limited** - web analytics (Google Analytics 4) and online advertising (Google Ads). Data collected: anonymous data about visits, on-site behaviour, purchase conversions, and ad performance. Data may be transferred to Google LLC in the USA based on Standard Contractual Clauses (SCC).
- **Microsoft Corporation (Clarity)** - user behaviour analysis on the website (session recordings, heatmaps). Collected data is anonymised and does not contain personal data. Data processed in accordance with Microsoft DPA.
- **Tawk.to Inc.** - live chat / customer support. As part of operating the widget, Tawk may process IP address, device and browser technical data, chat content, and data stored in cookies, localStorage, and sessionStorage. According to Tawk documentation, data is hosted in the USA, and information about transfers and processing is described in Tawk documentation:{' '} [personal data](https://help.tawk.to/article/why-do-you-need-my-personal-data) {' '}and{' '} [cookies](https://help.tawk.to/article/what-are-tawkto-cookies-and-what-do-they-do).

## 12. Data retention period

Personal data of Users is stored for the period necessary to fulfill the purposes for which
it was collected, in particular: data related to order processing - for a period of
5 years from the end of the calendar year in which the transaction was made (in accordance
with tax regulations); data processed on the basis of consent - until its withdrawal;
data processed on the basis of the legitimate interest of the Administrator - until
an effective objection is raised. After the retention period expires, data is deleted or
anonymized.

## 13. User rights

The natural person who entered data in the form has the right to access that data. This
person also has the right to modify and cease the processing of their data at any time.

## 14. Changes to the privacy policy

We reserve the right to change the privacy policy of the website, which may be
influenced by the development of Internet technology, possible changes in the law
regarding the protection of personal data, and the development of our website. We will
inform about any changes in a visible and understandable manner.

If you have any doubts about any provision of this privacy policy, we are at your
disposal - our contact details can be found in the CONTACT section.

Last updated: March 2026

---
Zrodlo: https://crazyshapes.pl/en/privacy-policy
Sklep: https://crazyshapes.pl