We process your personal data under the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Polish Personal Data Protection Act of 10 May 2018. You have full control — at any time you can request access, rectification, erasure, restriction or portability, object to processing, or lodge a complaint.
1. Data controller
The controller of your personal data is:
Digital Soft Distribution Sp. z o.o.
ul. Hoża 86/410, 00-682 Warszawa, Poland
VAT ID PL7011079724, REGON 521497508, KRS 0000960920
Privacy contact: [email protected] (or the general support address shown in the footer of this site).
We have not appointed a Data Protection Officer; the scale and nature of processing do not require one under Article 37 GDPR.
2. Purposes and legal bases
We process your data for these purposes:
a) Performing your order and the contract — Art. 6(1)(b) GDPR. Data: name, email, billing address, VAT ID (B2B), order ID, payment metadata.
b) Issuing VAT invoices and tax compliance — Art. 6(1)(c) GDPR (statutory retention).
c) Handling complaints, refunds and right-of-withdrawal requests — Art. 6(1)(b) and (c) GDPR.
d) Direct marketing (newsletter, product updates) — Art. 6(1)(a) GDPR (explicit consent) or Art. 6(1)(f) (legitimate interest in customer relationship).
e) Anonymous analytics and product improvement — Art. 6(1)(f) GDPR. Loaded only after you accept the analytics cookie banner.
f) Fraud prevention and platform security — Art. 6(1)(f) GDPR. Includes IP, browser fingerprint, account activity logs.
g) Establishing, exercising or defending legal claims — Art. 6(1)(f) GDPR, for the duration of statutory limitation periods.
3. Recipients of your data
Your data may be shared with these categories of recipients, only to the extent necessary:
- Payment processors: PayPro S.A. (Przelewy24), Stripe Inc., PayPal (Europe) S.à r.l., Klarna Bank AB.
- Hosting and CDN: Hetzner Online GmbH (Germany), Cloudflare Inc. (USA — DPF + SCCs).
- Transactional email: Resend, Inc.
- Invoice provider: Fakturownia Sp. z o.o.
- Software publishers (Microsoft, Adobe, Norton, etc.) — only the licence key is exchanged during activation, not your personal data.
- Accounting and legal counsel — for bookkeeping and defending legal claims.
- Public authorities (courts, prosecutors, tax authority, social security) — only on lawful request.
All recipients are bound by confidentiality and process data solely for the purpose for which it was disclosed.
4. International data transfers
Some service providers are based outside the European Economic Area (Stripe, Cloudflare, Resend — USA). Each transfer is performed under one of:
- a European Commission adequacy decision (EU-US Data Privacy Framework, decision of 10 July 2023);
- Standard Contractual Clauses approved by the European Commission;
- additional technical safeguards (TLS 1.3 in transit, AES-256 at rest).
A full list of providers and transfer bases is available on request at [email protected].
5. Retention periods
We retain data for these periods:
- Customer account data: until the account is deleted, or 3 years after the last activity, whichever comes first.
- VAT invoices and accounting records: 5 years after the end of the relevant tax year (Polish Tax Ordinance art. 86 § 1).
- Complaint and litigation files: until the limitation period expires (3 years B2C, 6 years B2B from the end of the contract).
- Activity logs and analytics cookies: 13 months.
- Marketing data (newsletter): until consent is withdrawn.
6. Your rights
Under the GDPR you have the right to:
- access your data (Art. 15) — downloadable from your account;
- have inaccurate data rectified (Art. 16);
- have your data erased — “the right to be forgotten” (Art. 17), subject to our statutory obligations (e.g. invoice archiving);
- request restriction of processing (Art. 18);
- request data portability in a structured format (Art. 20);
- object to processing based on legitimate interests (Art. 21);
- withdraw consent at any time, without affecting the lawfulness of processing performed before withdrawal (Art. 7(3));
- lodge a complaint with a supervisory authority — in Poland, the President of the Personal Data Protection Office (uodo.gov.pl), Stawki 2, 00-193 Warszawa.
Email [email protected] to exercise any right. We respond within 30 days (Art. 12(3) GDPR).
7. Cookies and similar technologies
We use cookies in four categories:
- necessary (session, cart, language and currency preferences) — required for the site to function, basis Art. 6(1)(f);
- functional (saved filters, recently viewed) — basis: consent;
- analytical (anonymous statistics — GA4 with IP anonymisation, PostHog) — basis: consent;
- marketing (remarketing, conversion tracking — Meta/Google Ads) — basis: consent.
Manage your consent through the cookie banner shown on first visit, or via the cookies page linked in the footer.
8. Profiling and automated decisions
We do not subject you to automated decisions producing legal or similarly significant effects within the meaning of Art. 22 GDPR.
We do apply limited profiling solely for payment-fraud detection (analysis of purchase patterns, IP, device). The final block decision is always made by a human (a customer-service agent). You can challenge any such decision by emailing [email protected].
9. Security
We apply technical and organisational measures to protect your data, including:
- TLS 1.3 in transit;
- bcrypt password hashing;
- AES-256 encryption at rest;
- 2FA on staff access;
- abuse monitoring and audit logs;
- regular backups;
- ISO 27001-certified infrastructure providers (Cloudflare, Hetzner).
10. Children
The store is not directed to people under 16 years of age. We do not knowingly collect data from children. If we learn we have collected data from a person under 16 without parental consent, we will delete it promptly. Parents and guardians can contact [email protected].
11. Changes to this policy
We may update this policy when laws, technology or our business model change. We will give 14 days' notice of material changes by email and via a banner on the home page. The current version is always available at the privacy URL of this site.
12. Governing law
This policy is governed by Polish law and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR). Supervisory authority: President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warszawa, [email protected], +48 22 531 03 00.
Digital Soft Distribution Sp. z o.o. · VAT PL7011079724 · KRS 0000960920 · Effective from 29 April 2026.