Privacy Policy

Effective from April 24, 2026

§ 1. Data controller

The controller of your personal data within the meaning of art. 4(7) GDPR is Jakub Ambrożkiewicz, 25 Czerwca 60, 26-610 Radom, Poland (the "Controller").
Contact regarding personal data matters: email kontakt@punktologia.com, phone +48 505 651 480.
The Controller has not appointed a Data Protection Officer — there is no such obligation under art. 37 GDPR given the scale of processing.

In connection with the use of the online store punktologia.com, we process the following categories of personal data:

identification data: first and last name,
contact data: email address, phone number,
delivery data: parcel locker address or delivery address (street, postal code, city),
company data (optional, for business purchases): company name, VAT ID, registered address,
transactional data: payment session identifier, amount, order date, purchased products, receipt number,
technical data: IP address, approximate location (country, region), browser information — to the extent required for security and anonymous analytics (see § 8).

We do not process special categories of data (art. 9 GDPR). We do not store payment card data — it is handled exclusively by the payment operator.

Conclusion and performance of the sales contract (order fulfilment, delivery, order-related communication) — art. 6(1)(b) GDPR.
Issuing proof of purchase and keeping accounting records — art. 6(1)(c) GDPR in conjunction with tax law.
Handling complaints and withdrawals — art. 6(1)(c) GDPR in conjunction with the Consumer Rights Act.
Establishing, exercising, or defending legal claims — art. 6(1)(f) GDPR (legitimate interest of the Controller).
Ensuring the security of the service (protection against abuse, spam, attacks) — art. 6(1)(f) GDPR.
Anonymous traffic analytics — art. 6(1)(f) GDPR (see § 8).

order data and receipts — 5 years from the end of the year in which the tax payment deadline expired (obligation under the Polish Tax Ordinance),
data necessary to defend or pursue claims — up to 6 years from the end of the contract (statutory limitation period),
correspondence data (emails, complaints) — for the period necessary to handle the case, no longer than 6 years from the end of the correspondence,
analytics data — aggregated, without the possibility of identifying an individual; raw logs are deleted in accordance with the analytics provider's policy.

Your data may be transferred to the following categories of recipients, only to the extent necessary to achieve the stated purposes:

Stripe Payments Europe, Ltd. (Ireland) — payment operator,
InPost S.A. (Poland) — courier and parcel locker services provider,
Resend, Inc. (USA) — transactional email service provider,
Vercel Inc. (USA) — serverless hosting provider for the website,
Cloudflare, Inc. (USA) — DNS, CDN, attack mitigation, and anonymous analytics provider,
accounting and legal advisory service providers — to the extent necessary to fulfil legal obligations,
state authorities — where required by law.

Some of our providers (including Resend, Vercel, Cloudflare) are based in or have infrastructure in the United States, which means your data may be transferred outside the European Economic Area.
Transfers take place on the basis of appropriate legal safeguards, in particular: the European Commission's Data Privacy Framework decision (EU–US) or Standard Contractual Clauses approved by the European Commission (SCC, art. 46 GDPR).
Detailed information on the safeguards can be found in the privacy policies of the respective providers.

In connection with the processing of your personal data, you have the following rights:

right of access (art. 15 GDPR),
right to rectification (art. 16 GDPR),
right to erasure (art. 17 GDPR) — unless the data is still necessary for the Controller to fulfil legal obligations,
right to restriction of processing (art. 18 GDPR),
right to data portability (art. 20 GDPR) — for data processed on the basis of a contract,
right to object to processing based on legitimate interest (art. 21 GDPR),
right to lodge a complaint with the supervisory authority: President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, Poland.

To exercise any of the above rights, please contact us at kontakt@punktologia.com. We respond within one month of receiving the request.

The service does not use cookies that require user consent — we do not use marketing, advertising, or profiling cookies.
To remember the cart contents, we use only the browser's localStorage mechanism. This is technical data necessary for the store to function, stored locally on your device and not transferred to our servers.
For traffic analytics, we use Cloudflare Web Analytics — a tool that does not use cookies, does not create user profiles, and does not use fingerprinting. Data is collected in an aggregated and anonymous way (number of visits, country, device type), without the possibility of identifying a specific person.
The payment operator (Stripe) may use its own cookies on its payment page. Their privacy policy is available at https://stripe.com/privacy.

All communication with the store is encrypted with HTTPS (TLS).
Payment data is handled directly by Stripe (PCI DSS Level 1 certified) — we do not store or see full payment card details.
Access to personal data is granted only to authorised persons, to the extent necessary to perform their tasks.
We regularly update our software and apply technical safeguards appropriate to the risk (firewall, DDoS protection via Cloudflare, secure storage of passwords and API keys).

This Policy may be updated in the event of changes in legislation, introduction of new services, or changes at data processors.
The current version is always available at punktologia.com/en/privacy. We signal significant changes by posting information on the website or by email (if we have your address).
This version is effective from April 24, 2026.