Privacy Policy

Effective from August 1, 2024

§ 1. Personal Data Administrator

1. The administrator of personal data within the meaning of Article 4(7) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) is: VF SHOP LIMITED LIABILITY COMPANY, NIP: 8961639227, REGON: 52856370500000, KRS: 0001103952, UL. JAGODOWA 3, 55-002 DOBRZYKOWICE, Wrocław County, Czernica Municipality, Lower Silesian Voivodeship.
The email address of the data administrator: info@vintagefreak.eu.
2. The administrator, in accordance with Article 32(1) of the GDPR, adheres to the principles of personal data protection and uses appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data processed in connection with its operations.
3. Providing personal data by the customer is voluntary but necessary to conclude a contract with the data administrator.
4. The data administrator processes personal data to the extent necessary for the performance of a contract or the provision of services to the data subject.

§ 2. Purpose and Basis for Processing Personal Data

1. The administrator processes personal data for the following purposes:
1. Preparation of a commercial offer in response to customer interest, which is the legitimate interest of the data administrator (Article 6(1)(f) of the GDPR);
2. Conclusion and performance of sales contracts with customers, based on the concluded contract (Article 6(1)(b) of the GDPR);
3. Provision of electronic services via the Online Store, based on the concluded contract (Article 6(1)(b) of the GDPR);
4. Handling the complaint process, based on the data administrator’s obligation under applicable law (Article 6(1)(c) of the GDPR);
5. Accounting related to issuing and receiving accounting documents, based on tax law (Article 6(1)(c) of the GDPR);
6. Archiving data for possible determination, pursuit, or defense of claims or to prove facts, which is the legitimate interest of the data administrator (Article 6(1)(f) of the GDPR);
7. Telephone or email contact, particularly in response to inquiries directed to the data administrator, which is the legitimate interest of the data administrator (Article 6(1)(f) of the GDPR);
8. Sending technical information regarding the operation of the Online Store and services used by the customer, which is the legitimate interest of the data administrator (Article 6(1)(f) of the GDPR);
9. Marketing, which is its legitimate interest (Article 6(1)(f) of the GDPR) or is based on previously given consent (Article 6(1)(a) of the GDPR).

§ 3. Data Recipients. Transfer of Data to Third Countries

1. The recipients of personal data processed by the data administrator may be entities cooperating with the data administrator when it is necessary to perform the contract concluded with the data subject.
2. The recipients of personal data processed by the data administrator may also be subcontractors – entities whose services the data administrator uses in data processing, e.g., accounting offices, law firms, IT service providers (including hosting services).
3. The data administrator may be required to disclose personal data based on applicable law, in particular to disclose personal data to authorized authorities or state institutions.
4. Personal data will not be transferred to an entity located outside the European Economic Area.

§ 4. Period of Personal Data Storage

1. The data administrator stores personal data for the duration of the contract concluded with the data subject and after its termination for purposes related to the pursuit of claims related to the contract, performance of obligations under applicable law, but for no longer than the limitation period specified by the Civil Code.
2. The data administrator stores personal data on accounting documents for the period specified by the Value Added Tax Act and the Accounting Act.
3. The data administrator stores personal data processed for marketing purposes for a period of 10 years, but no longer than until consent to data processing is withdrawn or an objection to data processing is lodged.
4. The data administrator stores personal data for purposes other than those specified in §§4.1-3 for a period of one year unless consent to data processing is withdrawn earlier and data processing cannot be continued on another basis than the data subject’s consent.

§ 5. Rights of the Data Subject

1. Each data subject has the right to:
1. Access – obtain confirmation from the administrator whether their personal data is being processed. If personal data is processed, the data subject is entitled to access it and obtain the following information: the purposes of processing, categories of personal data, information about recipients or categories of recipients to whom the data has been or will be disclosed, the period of data storage or criteria for determining it, the right to request rectification, erasure, or restriction of personal data processing to the data subject, and to object to such processing (Article 15 of the GDPR);
2. Obtain a copy of the data – obtain a copy of the data being processed, with the first copy being free, and for subsequent copies, the administrator may charge a reasonable fee based on administrative costs (Article 15(3) of the GDPR);
3. Rectification – request the rectification of inaccurate personal data concerning them or the completion of incomplete data (Article 16 of the GDPR);
4. Erasure of data – request the erasure of their personal data if the administrator no longer has a legal basis to process it or the data is no longer necessary for the purposes of processing (Article 17 of the GDPR);
5. Restriction of processing – request the restriction of personal data processing (Article 18 of the GDPR), when:
■ The data subject contests the accuracy of personal data – for a period allowing the administrator to verify the accuracy of the data;
■ The processing is unlawful, and the data subject opposes the erasure of the data, requesting the restriction of its use instead;
■ The administrator no longer needs the data, but it is required by the data subject for the establishment, exercise, or defense of legal claims;
■ The data subject has objected to processing – pending the verification whether the legitimate grounds of the administrator override those of the data subject;
6. Data portability – receive in a structured, commonly used, and machine-readable format the personal data concerning them, which they have provided to the administrator, and request the transmission of this data to another administrator if the data is processed based on the data subject’s consent or a contract with them and if the data is processed by automated means (Article 20 of the GDPR);
7. Objection – object to the processing of their personal data for legitimate purposes of the administrator, on grounds relating to their particular situation, including profiling. The administrator will then assess whether there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. If, according to the assessment, the interests of the data subject prevail over the interests of the administrator, the administrator will be obliged to cease processing data for these purposes (Article 21 of the GDPR).
2. To exercise the above rights, the data subject should contact the administrator using the provided contact details and inform them which right and to what extent they wish to exercise.
3. The data subject has the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office in Warsaw.

§ 6. Profiling

1. Personal data obtained by the data administrator may be processed automatically, including in the form of profiling. Profiling of personal data conducted by the data administrator involves assessing selected information about the data subject for the purpose of analyzing and forecasting personal preferences and interests, particularly to provide the data subject with personalized offers.
2. Automatic data processing conducted by the data administrator does not produce any legal effects for the data subject. The data subject may at any time object to the automated processing of their data.