PRIVACY STATEMENT

1. GENERAL PROVISIONS

The Data Controller for the processing of data collected through the icedstuff.com online Shop is Karol Słuszniak trading as KAROL SŁUSZNIAK ICED STUFF, entered into the Central Registration and Information on Business (CEIDG) kept by the minister in charge of economy, place of business and address for service: Smolna 13/62, 00-375 Warszawa, Poland, tax identification number NIP: 7773357334, statistical number REGON: 385261334, email address: support@icedstuff.com, telephone number: +48 518 350 078, hereinafter referred to as the “Data Controller” or “Service Provider”.

Personal data collected by the Data Controller via the website are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR).

Capitalised terms used in this Privacy Policy shall have the meaning set forth in the “Definitions” section of the icedstuff.com Terms and Conditions.

2. TYPE OF PERSONAL DATA PROCESSED, PURPOSE AND SCOPE OF DATA COLLECTION

PURPOSE AND LEGAL BASIS OF PROCESSING

The Data Controller processes personal data in the following cases:

• Account registration in the Shop – for the purpose of creating and managing a user account (Article 6(1)(b) GDPR – performance of a contract),

• Placing an order via icedstuff.com – for the purpose of performing the Sales Agreement (Article 6(1)(b) GDPR),

• Newsletter subscription – for sending marketing communications, based on prior consent (Article 6(1)(a) GDPR),

• Contact via contact form – for handling inquiries (Article 6(1)(f) GDPR – legitimate interest consisting in responding to inquiries and communication with users).

TYPE OF PERSONAL DATA PROCESSED

The User provides the following data:

• Account: e-mail address

• Orders: name and surname, address, tax identification number (if applicable), e-mail address, telephone number

• Newsletter: name and surname, e-mail address

• Contact form: name and surname, e-mail address, telephone number

Additionally, the Data Controller may collect technical data such as IP address, browser type, operating system, domain name, and duration of visit.

PERSONAL DATA STORAGE PERIOD

Personal data are stored:

• for the duration of contract performance and thereafter for the period required by law (generally up to 6 years, or 3 years for business-related claims),

• in the case of consent – until consent is withdrawn and thereafter for the limitation period of potential claims.

Providing personal data is voluntary, however it may be necessary to conclude or perform a contract.

The Data Controller ensures that data are:

• processed lawfully,

• collected for specified and legitimate purposes,

• adequate and relevant,

• stored no longer than necessary.

MARKETING AND PROFILING

If the User has given separate consent, personal data may be used for marketing purposes, including sending newsletters or personalised (profiled) advertisements.

Profiling may involve analysing user behaviour (e.g. browsing activity) in order to tailor marketing content. This does not produce legal effects or similarly significant impact on the User.

3. THIRD PARTY ACCESS TO PERSONAL DATA

Personal data may be shared with service providers necessary for operating the Shop, including:

• delivery and logistics providers,

• payment service providers,

• accounting services,

• hosting providers,

• IT and software providers,

• email and marketing system providers.

These entities process data either:

• on behalf of the Data Controller (as processors), or

• as independent controllers, depending on their role.

Personal data are stored within the European Economic Area (EEA). In cases where data are transferred outside the EEA (e.g. to providers such as Google), appropriate safeguards are applied, including Standard Contractual Clauses (SCC) or participation in the EU-US Data Privacy Framework.

4. RIGHTS OF THE DATA SUBJECT

The User has the right to:

• access personal data (Art. 15 GDPR),

• rectify data (Art. 16 GDPR),

• erase data (Art. 17 GDPR),

• restrict processing (Art. 18 GDPR),

• data portability (Art. 20 GDPR),

• object to processing (Art. 21 GDPR),

• withdraw consent at any time (Art. 7(3) GDPR).

To exercise these rights, contact: support@icedstuff.com

The Data Controller will respond within one month, with a possible extension of two months for complex requests.

The User has the right to lodge a complaint with the President of the Personal Data Protection Office (UODO).

5. COOKIE POLICY

The website uses cookies.

Cookies are used to ensure proper functioning of the website, analyse traffic, and support marketing activities.

Types of cookies used:

• Essential cookies – necessary for website operation (legal basis: legitimate interest – Art. 6(1)(f) GDPR),

• Analytical cookies – used to analyse traffic (legal basis: consent – Art. 6(1)(a) GDPR),

• Marketing cookies – used for advertising and remarketing (legal basis: consent – Art. 6(1)(a) GDPR).

Cookies may be stored for different periods depending on their type (session or persistent).

The website uses third-party tools such as Google Analytics and Google Ads, provided by Google LLC (USA). These tools may involve data transfers outside the EEA, safeguarded by appropriate legal mechanisms.

The User can manage cookie preferences:

• via the cookie banner when entering the website,

• via browser settings.

The User may withdraw consent at any time.

6. SOCIAL MEDIA PLUGINS AND ADDITIONAL SERVICES

The website uses social media plugins (e.g. Facebook, Instagram, Google, YouTube). When visiting the website, the User’s browser may connect directly to the servers of these providers.

If the User is logged into a social network, this information may be linked to their profile.

Use of such plugins may result in data transfer outside the EEA (e.g. to the USA).

Details on data processing are available in the privacy policies of respective providers:

• https://www.facebook.com/policy.php

• https://help.instagram.com/519522125107875

• https://policies.google.com/privacy

The legal basis for such processing is the User’s consent.

The website also uses remarketing tools (Google Ads).

7. FINAL PROVISIONS

The Data Controller implements appropriate technical and organisational measures to ensure the security of personal data, including protection against unauthorised access, loss, destruction or alteration.

In matters not regulated by this Privacy Policy, the provisions of the GDPR and applicable Polish law shall apply.