Privacy Policy for the BALAGAN Online Store pursuant to Article 13 GDPR
1. General Information
1.1.
This Privacy Policy of the Online Store (hereinafter: the “Policy”) is for informational purposes only, which means it does not create any obligations for Customers of the Online Store and does not constitute a contract or terms and conditions.
1.2.
Any terms, expressions, and abbreviations used in this document and capitalized (e.g. Seller, Online Store, Electronic Service) shall be understood in accordance with their definitions contained in the Online Store Terms & Conditions available at https://balaganpol.sbs/en/
1.3.
In case of doubts or inconsistencies between this Policy and any consents granted by a data subject, regardless of the provisions of this Policy, the basis for the Controller’s actions shall always be the voluntarily granted consents or applicable legal provisions.
2. Data Controller
2.1.
In accordance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (“GDPR”), we inform you that the controller of your personal data is BALAGAN sp. z o.o. with its registered office in Warsaw, address: ul. Stępińska 22/30, building 1A, unit 222, 00-739 Warsaw, registered in the National Court Register maintained by the District Court for the Capital City of Warsaw, 13th Commercial Division of the National Court Register, KRS: 0000782251, NIP: 5213863874, hereinafter referred to as the “Controller”.
2.2.
You may contact the Controller regarding personal data protection and the exercise of your rights via email at: contact@balaganpol.sbs or in writing at the registered office address or correspondence address: ul. Stępińska 22/30, building 1A, unit 222, 00-739 Warsaw.
2.3.
If you consent to analytical or marketing cookies or use third-party tools embedded in the Store, data regarding your activity may also be processed by providers of these tools acting as separate controllers or joint controllers. Information about these entities, their roles, and technologies used is provided in section 3.6 and in the cookies settings/table.
3. Purposes and Legal Basis for Data Processing
3.1.
The Controller processes the following personal data:
a) data provided in the registration or order forms, in particular: first and last name, email address, phone number, address (street, house number, apartment number, postal code, city, country), billing/shipping address (if different), bank account number, and for non-consumers also company name and tax ID (NIP), as well as other data collected while using the Store;
b) data provided via contact forms or during complaint submissions;
c) other data, including data obtained based on user activity online or in mobile applications, including via cookies and similar technologies.
3.2.
Your personal data is processed for the following purposes and on the following legal bases:
a) account creation and management – Art. 6(1)(b) GDPR;
b) order placement, fulfillment, and settlement – Art. 6(1)(b) GDPR;
c) handling complaints, returns, and withdrawal from contracts – Art. 6(1)(c) and Art. 6(1)(b) GDPR;
d) accounting and tax obligations – Art. 6(1)(c) GDPR;
e) communication and responding to inquiries – Art. 6(1)(f) GDPR (legitimate interest: communication and fraud prevention), or Art. 6(1)(b) if related to a contract;
f) establishing, pursuing, or defending legal claims – Art. 6(1)(f) GDPR;
g) newsletter and marketing communications – Art. 6(1)(a) GDPR;
h) statistical and analytical processing and marketing personalization via cookies – Art. 6(1)(a) GDPR;
i) automated decision-making, including profiling – Art. 6(1)(a) and Art. 22(2)(c) GDPR.
3.3. Data Recipients
Personal data may be shared with:
a) hosting and IT providers;
b) payment operators, banks, and settlement providers;
c) courier, postal, and logistics companies;
d) email, CRM, and communication providers;
e) accounting, legal, tax, and advisory services;
f) analytics and marketing tools providers (only with consent);
g) public authorities where required by law.
3.4.
The Controller uses processors acting on its behalf under appropriate agreements. Data may also be shared with independent controllers depending on payment methods, delivery, consent, or legal obligations.
3.5. Data Retention
a) Customer account data – for the duration of the account and limitation periods;
b) order and contract data – for contract performance and limitation periods;
c) accounting data – typically 5 years from the end of the calendar year;
d) consent-based data (newsletter/marketing) – until consent is withdrawn;
e) legitimate interest data – until objection or purpose ceases;
f) cookies data – according to cookie lifetime or until consent withdrawal.
3.6. External Providers
Key third-party providers include:
a) CookieFirst – cookie consent management (necessary tool);
b) Cloudflare – security and bot protection (necessary tool);
c) Global-e – international order processing (necessary);
d) Klarna – payment services (necessary);
e) Google Tag Manager – script management and consent handling (necessary);
f) Google Analytics – analytics (full functionality enabled after consent);
g) Meta Pixel – marketing and analytics (after consent);
h) Luigi’s Box – search and recommendations (full functionality after consent);
i) Trusted Shops – reviews and buyer protection.
The list may change and is always updated in cookie settings.
4. Data Subject Rights
You have the right to:
- access your data
- rectify your data
- erase your data
- restrict processing
- data portability
- object to processing
- withdraw consent at any time
- lodge a complaint with a supervisory authority (President of the Personal Data Protection Office – UODO)
- request human intervention in automated decision-making cases
5. Transfers Outside the EEA
5.1.
As a rule, data is processed within the European Economic Area. However, some providers may process data outside the EEA.
5.2.
Transfers occur only under GDPR Chapter V safeguards, such as adequacy decisions or Standard Contractual Clauses. For US-based providers, transfers may rely on the EU–U.S. Data Privacy Framework if applicable.
5.3.
Information about transfer mechanisms can be obtained by contacting the Controller.
6. Voluntary Provision of Data
Providing data is voluntary but may be necessary to conclude or perform contracts, comply with legal obligations, or respond to inquiries. Failure to provide required data may prevent account creation, order processing, or other services. Marketing data is optional.
7. Profiling
The Controller may analyze user behavior to personalize offers and content. This may include automated systems that tailor promotions based on user activity and purchase history. In some cases, this may significantly influence the offers shown to the user.
8. Cookies Policy
8.1. Who does it apply to?
This Policy applies to all visitors of the Store (“Visitors”), regardless of whether they are customers.
8.2. Technology used
The Store uses cookies and similar technologies to store and access information on user devices for statistical, functional, and marketing purposes.
8.3. What are cookies?
Cookies are small text files stored on the user’s device that help the Store function properly and collect statistical data.
8.4. Do cookies collect personal data?
Cookies usually do not identify users directly, but may become personal data if linked to other information.
8.5. Legal basis
- Necessary cookies – legitimate interest (Art. 6(1)(f) GDPR)
- Other cookies – consent (Art. 6(1)(a) GDPR)
8.6. Purpose of cookies
Cookies are used to:
- improve functionality and user experience
- personalize content and ads
- analyze user behavior
- support marketing activities
8.7. Objection
Users may withdraw consent at any time or object to processing.
8.8. Types of cookies
The Store uses session and persistent cookies. They are not harmful but disabling them may affect functionality.
8.9. Retention period
Cookies are stored for their defined lifetime or until consent is withdrawn.
8.10. Third-party cookies
Third-party providers may place cookies for analytics, marketing, and social features.
8.11. Managing cookies
Users can manage cookies via browser settings or the Store’s cookie panel.
8.12. Consequences of disabling cookies
Disabling cookies may limit Store functionality, including login sessions.
9. Additional Information
9.1. Contact
You may contact the Controller via email or post. Communication may be stored for administrative and legal purposes.
9.2. Data security
The Controller uses appropriate technical and organizational measures, including SSL encryption, access controls, and secure authentication.
9.3. Changes to the Policy
The Policy may be updated due to legal changes, technological developments, or service improvements. Updates will be published in the Store.
10. Effective Date
This version of the Policy is effective as of 02.07.2026.