Home Sell Account

PRIVACY AND COOKIES POLICY

for the website luxurylove.pl

I. Definitions

For the purposes of this document, the following definitions apply:

Personal Data Controller / Administrator– – Kamila Cierniak, conducting business under the name Luxury Love Kamila Cierniak, registered in the Central Registration and Information on Business (CEIDG) maintained by the Minister of Economic Development, at the following address: ul. Wojska Polskiego 16 A, 42 – 240 Rudniki, NIP: 9492086519, REGON: 368674549;

Personal Data – information relating to an individual that identifies or makes it possible to identify that person, meaning that based on such information, the identity of the individual to whom the data relates can be determined, directly or indirectly;

Processing – any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, retrieval, consultation, or erasure;

Privacy and Cookies Policy / Privacy Policy – this document outlining the principles of processing personal data via the Store, in accordance with and based on the GDPR;

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation);

Online Store / Store – the website operated by the Administrator under the domain luxurylove.pl;

User – a User or Customer as defined in the Store’s Terms and Conditions, whose Personal Data is processed through the Store and in connection with agreements concluded via the Store.

II. General Information

  1. This Privacy Policy has been prepared in accordance with all requirements of the GDPR. In particular, it contains all the necessary information that the Administrator is obliged to provide to the individual whose Personal Data is being processed and from whom the Data was collected – pursuant to Article 13 of the GDPR, i.e., information necessary to ensure fair and transparent processing of Personal Data by the Administrator.
  2. Terms capitalized but not defined in this Privacy Policy shall have the meanings assigned to them in the Store’s Terms and Conditions, available on the Store’s website.
  3. This Privacy Policy addresses matters related to the Processing of Personal Data solely through the Store, including contracts concluded remotely based on the information provided on the Store’s website.
  4. The Store's website uses encrypted data transmission, meaning it is secured with an SSL certificate (Secure Sockets Layer) – a network protocol used for secure network connections.
  5. This version of the Privacy Policy is effective as of July 15, 2025.

III. Personal Data Controller

  1. The Personal Data Controller of the User is Kamila Cierniak, conducting business under the name Luxury Love Kamila Cierniak, registered in the Central Registration and Information on Business (CEIDG) maintained by the Minister of Economic Development, at the following address: ul. Wojska Polskiego 16 A, 42 – 240 Rudniki, NIP: 9492086519, REGON: 368674549.
  2. The User may contact the Controller regarding their Personal Data using the following contact methods:
    1. by post, at the address: ul. Wojska Polskiego 16 A, 42 – 240 Rudniki;
    2. by email, at: sklep@luxurylove.pl;
    3. by phone, at: +48 798 777 653.
  3. The Controller has not appointed a Data Protection Officer, as the limited scope and scale of the Personal Data Processing does not, in the Controller’s assessment, require such an appointment, nor is it legally mandatory.

IV. Scope of Processed Personal Data

  1. Through the Store, the Controller may process Personal Data via:
    1. the contact form;
    2. the newsletter;
    3. the User Account;
    4. placing Orders and concluding distance contracts;
    5. ensuring continuity of communication and enabling contact with the Controller regarding business operations;
    6. the analytical tool Google Analytics;
    7. the marketing tools Google Ads and Klaviyo;
    8. fulfilling legal obligations arising from applicable laws, in particular accounting, tax regulations, and the General Product Safety Regulation (GPSR).
  2. The Controller may also process Personal Data in the event of establishing, pursuing, or defending claims, including during legal proceedings or proceedings before other authorities.
  3. All Personal Data that may be processed by the Controller via the Store is provided voluntarily by the User.
  4. The User is not obliged to provide their Personal Data to the Controller, whether directly (e.g., by registering an account) or indirectly (data collected via third-party cookies such as Google Analytics). However, failure to provide certain Personal Data may result in the inability to provide a given service or achieve a specific purpose.
  5. If the User does provide their Personal Data, the Controller will process it lawfully, within the limits of applicable regulations, and in a manner that is adequate under the meaning of the GDPR—i.e., relevant and limited to what is necessary for the purposes for which it is processed, in line with the principle of data minimization.
  6. The specific legal bases for the processing of Personal Data are outlined in the following sections of this Privacy Policy.

V. Personal Data Processed via the Contact Form

  1. Through the contact form available on the Store’s website, the Controller processes the Personal Data you provide by filling out the form—primarily the Personal Data required to send a message through the form, such as your email address.
  2. The legal basis for processing this Personal Data is Article 6(1)(a) of the GDPR, i.e., processing based on the data subject’s consent, for the purpose of receiving a message from the User and providing a response.
  3. The Personal Data provided by the User through the contact form is processed until the User withdraws their consent to the processing of their Data.
  4. The User may withdraw their consent to the processing of their Personal Data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out by the Controller based on consent prior to its withdrawal.
  5. If the User wishes to withdraw their consent for the processing of Personal Data for the purposes of using the contact form service, they may send an email to the Seller stating their intention to withdraw consent.

VI. Personal Data Processed via the Newsletter

  1. Through the newsletter, which the User may subscribe to via the newsletter subscription form, the Controller processes the Personal Data provided by the User when filling out and submitting the subscription form—specifically, the email address.
  2. The legal basis for processing this Personal Data is Article 6(1)(a) of the GDPR, i.e., processing based on the data subject’s consent, for the purpose of sending newsletters by the Seller.
  3. The Personal Data provided by the User in connection with the newsletter is processed until the User withdraws their consent to the processing of their Data.
  4. The User may withdraw their consent to the processing of their Personal Data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out by the Controller based on the consent given before its withdrawal.
  5. If the User wishes to withdraw their consent to the processing of Personal Data for the purpose of receiving the newsletter service, they may unsubscribe by clicking the unsubscribe link included in each email sent as part of the newsletter.

VII. Personal Data Processed via the User Account

  1. Through the account registration form and the operation of the Account on the Store’s website, the Controller processes the Personal Data provided by the User when filling out the form or updating their Account information—particularly the data required to register an account, such as: email address, first name, last name, gender, and mailing address.
  2. The legal basis for processing Personal Data in connection with the account registration form is Article 6(1)(b) of the GDPR, i.e., processing necessary to take steps at the request of the User prior to entering into a contract, and processing necessary for the performance of a contract to which the User is a party.
  3. Personal Data processed in connection with the Account is processed until the expiration of the limitation period for claims related to the performance of the contract.

VIII. Personal Data Processed to Ensure Continuity of Communication and Contact with the Controller Regarding Business Operations

  1. To enable contact with the Controller regarding matters related to their business operations, the Controller processes Personal Data provided by the User or Client, such as: first and last name, company name, email address, phone number, and any other Data voluntarily included by the User or Client in the message content.
  2. The legal basis for processing Personal Data in this context is Article 6(1)(f) of the GDPR, i.e., processing for the purposes of the legitimate interests pursued by the Controller, which in this case means ensuring continuity of communication and enabling Users or Clients of the Store to contact the Controller regarding business-related matters.
  3. Personal Data processed to enable contact with the Controller will be stored for the period necessary to conduct the correspondence and fulfill the purpose for which the data was provided. After achieving that purpose, the data may continue to be processed for a period justified by the Controller’s legitimate interests.
  4. The User has the right to object at any time to the processing of their Personal Data for this purpose, which may result in the termination of further correspondence and deletion of the Data, unless another legal basis exists for its continued processing.

IX. Personal Data Processed Within the Framework of a Sales Agreement

  1. In connection with concluding a distance Sales Agreement via the Store’s website, the Controller processes Personal Data necessary to place an Order and conclude the Agreement, i.e.: first name, last name, email address, contact phone number, mailing address, bank or business account number, tax identification number (NIP), and company name.
  2. The legal basis for Processing Personal Data in relation to placing an Order and concluding a Sales Agreement is Article 6(1)(b) of the GDPR, i.e., processing is necessary to take steps at the request of the User prior to entering into a contract and for the performance of the contract to which the User is a party.
  3. The User’s Personal Data processed as part of the Order and concluded Agreement is stored until the expiry of the limitation period for claims related to the Agreement, as defined by the applicable laws.

X. Personal Data Processed via Google Analytics

  1. The Controller uses Google Analytics on the Store’s website, which processes the following types of Data: IP address, approximate location limited to the city level, gender, and age.
  2. The purpose of Processing Personal Data via Google Analytics is to perform statistical analysis of User traffic on the Store’s website and User interaction with the Store’s site. This enables the Controller to optimize the Store’s operations and thus conduct business more effectively.
  3. The legal basis for the Processing of Personal Data as described in this section is Article 6(1)(a) of the GDPR, i.e., Processing based on the consent of the data subject for the purpose served by Google Analytics.
  4. Consent to the Processing of Personal Data via Google Analytics can be given by the User through the cookie notification (so-called cookie banner) that appears when the User visits the Store’s website for the first time.
  5. The User also has the right to withdraw their previously given consent to the Processing of their Personal Data at any time. The withdrawal of consent does not affect the lawfulness of Processing based on consent before its withdrawal.
  6. To withdraw consent, the User can disable the cookies described in this section at any time in the cookie settings.
  7. Under Google Analytics, your Data is processed for up to 2 years, i.e., until the cookie expires or until the User withdraws their consent, as described in the points above.

XI. Personal Data Processed via Marketing Tools

  1. The Controller uses marketing tools on the Store’s website, including Google Ads and Klaviyo.
  2. Within the scope of each marketing tool, the Controller may process various categories of the User’s Personal Data, such as:
    1. for Google Ads: IP address, approximate location limited to the city, gender;
    2. for Klaviyo: email address, IP address, location, on-site interactions, transaction details of purchased Products.
  3. The purposes of Processing Personal Data via:
    1. Google Ads – primarily to conduct advertising campaigns aimed at promoting the Controller’s business on the Internet and, consequently, promoting their commercial activity;
    2. Klaviyo – primarily for marketing analysis, user segmentation, content personalization, and conducting email campaigns.
  4. The legal basis for Processing Personal Data referred to in this section is Article 6(1)(a) of the GDPR, i.e., Processing based on the data subject’s consent for the purposes served by the marketing tools mentioned herein.
  5. Consent to the Processing of Personal Data via the aforementioned tools may be given by the User through the cookie notification (so-called cookie banner) displayed when the User first visits the Store’s website.
  6. The User also has the right to withdraw the granted consent for Processing their Personal Data at any time, without affecting the lawfulness of Processing carried out on the basis of that consent prior to its withdrawal.
  7. To withdraw consent, you may disable the cookies described in this section at any time using the cookie settings.
  8. Your Personal Data is processed for varying durations depending on the specific tool, namely:
    1. Google Ads – Data is processed for the time specified by the Controller in the relevant cookie settings or until you withdraw your consent to the Processing of such Data, as described above;
    2. Klaviyo – Data is processed for the duration of the newsletter subscription or until you withdraw your consent to the Processing of such Data, as described above.

XII. Processing of Personal Data for the Fulfillment of Legal Obligations

  1. In the event of a need to establish, pursue, or enforce claims arising from the Agreement or to defend against such claims in court proceedings or before other authorities, the Controller will process the Personal Data necessary for this purpose in accordance with applicable law.
  2. The Personal Data referred to in point 1 above may include: name, mailing address, email address, phone number, bank account number, and possibly also tax identification number (NIP) or business registration number (REGON), and company name.
  3. The legal basis for the Processing of Personal Data in the situation described in this section is Article 6(1)(f) of the GDPR, i.e., processing necessary for the purposes of the legitimate interests pursued by the Controller, which may involve the establishment, pursuit, or enforcement of claims or defense against potential claims in court or before other authorities.
  4. The User’s Personal Data that may be processed for the purposes of potential claims or disputes will be processed until the expiration of the limitation period for claims related to the concluded Agreement.

XIII. Processing of Personal Data in the event of possible determination, investigation and enforcement of claims arising from the Agreement

  1. In the event of a need to establish, pursue, or enforce claims arising from the Agreement or to defend against such claims in court proceedings or before other authorities, the Controller will process the Personal Data necessary for this purpose in accordance with applicable law.
  2. The Personal Data referred to in point 1 above may include: name, mailing address, email address, phone number, bank account number, and possibly also tax identification number (NIP) or business registration number (REGON), and company name.
  3. The legal basis for the Processing of Personal Data in the situation described in this section is Article 6(1)(f) of the GDPR, i.e., processing necessary for the purposes of the legitimate interests pursued by the Controller, which may involve the establishment, pursuit, or enforcement of claims or defense against potential claims in court or before other authorities.
  4. The User’s Personal Data that may be processed for the purposes of potential claims or disputes will be processed until the expiration of the limitation period for claims related to the concluded Agreement.

XIV. Processing of Personal Data by Other Entities

In order to use tools that allow the Controller to operate the Shop website, conduct analytical and marketing activities that support the Controller's business, as well as for the purpose of concluding and performing the Agreement, the User’s Personal Data may also be processed by the following entities:

a. The hosting provider of the Shop’s website, which stores Personal Data on the server and therefore processes it as a data processor;

b. Entities providing IT and software development services related to the Shop’s website, as data processors;

c. Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA – for the purpose of using the Google Analytics and Ads tools by the Controller, where Google acts as an independent controller of this Personal Data;

d. The entity providing accounting services, as a data processor;

e. The entity operating the invoicing software, as a data processor;

f. Klaviyo Inc., based in Boston, Massachusetts, USA. Entity identification number: #001290605 – for the use of a marketing tool;

g. Entities providing electronic payment services, as independent and separate controllers of Personal Data;

h. Entities providing delivery services for Products, either as independent and separate controllers of Personal Data or as data processors.

XV. Transfer of Personal Data to Third Countries or International Organizations

  1. The Controller does not directly transfer the User's Personal Data to third countries or international organizations.
  2. However, the User’s Personal Data may be transferred to third countries by Google LLC, whose tools the Controller uses (Google Analytics and Google Ads), and which, in the course of such activities, acts as a separate controller of the User’s Personal Data.
  3. Google LLC is listed among the entities participating in the Data Privacy Framework and, pursuant to the European Commission’s Implementing Decision (EU) C(2023) 4745 of July 10, 2023, on the adequacy of the protection provided by the EU-U.S. Data Privacy Framework, the protection of Personal Data meets the standards of regulations applicable in the European Union.
  4. Klaviyo Inc. may transfer Data outside the EEA, in particular to the United States. Klaviyo uses several safeguards when transferring personal data outside the European Economic Area (EEA). One of the key safeguards is the implementation of Standard Contractual Clauses (SCCs) in accordance with GDPR requirements, which set out provisions governing data protection in the case of transfers outside the EEA. These clauses specify the conditions that must be met to ensure that personal data is adequately secured and protected, even in countries where privacy laws may differ from EU standards.

XVI. Information on Automated Decision-Making, Including Profiling

The User's Personal Data is not used by the Controller for the purpose of making decisions concerning the User based on automated processing of Personal Data, including profiling.

XVII. Rights of the User in Connection with the Processing of Their Personal Data

  1. Pursuant to Articles 16–21 of the GDPR, the User is granted the following rights related to their Personal Data processed by the Controller.
  2. Under the above-mentioned legal provisions, the User has the right to exercise the following rights regarding their Personal Data processed by the Controller, namely, the User has the right to:
    a. access their Personal Data, pursuant to Article 15 of the GDPR;
    b. rectify their Personal Data, pursuant to Article 16 of the GDPR;
    c. erase their Personal Data, pursuant to Article 17 of the GDPR;
    d. restrict the processing of their Personal Data, pursuant to Article 18 of the GDPR;
    e. data portability, pursuant to Article 20 of the GDPR;
    f. object to the processing of their Personal Data, pursuant to Article 21 of the GDPR.
  3. More detailed information about the User’s rights can be found in Articles 16–21 of the GDPR.
  4. If the processing of the User’s Personal Data is based on consent given by the User, the User also has the right to withdraw their consent at any time, without affecting the lawfulness of processing carried out on the basis of that consent before its withdrawal.
  5. The User also has the right to lodge a complaint with the competent supervisory authority if they believe that their Personal Data is not being processed correctly or in accordance with legal provisions.
  6. The competent supervisory authority may be the authority appropriate for the User’s place of permanent residence in a Member State, their workplace, or the place of the alleged violation of data protection laws.
  7. In Poland, the competent supervisory authority for Personal Data is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
  8. Before filing a complaint, however, the Controller encourages the User to first contact them at one of the email addresses indicated in this Privacy Policy, in order to clarify the matter or resolve any concerns the User may have regarding the processing of Personal Data via the Store or the concluded Agreement.

XVIII. Cookies – General Information

  1. The Store’s website uses cookies.
  2. Cookies are small text files stored on the User’s end device used to access the Store’s website, such as a computer or mobile phone.
  3. Cookies may be read by the Controller’s IT system (so-called first-party cookies) or by third-party IT systems (so-called third-party cookies).

XIX. Cookies and the Processing of Personal Data

  1. By reading the User's cookies through the Controller’s IT system, the Controller may access information that constitutes Personal Data. Therefore, such actions involve the Processing of Personal Data by the Controller.
  2. Some information, including Personal Data contained in cookies from Google Analytics and Ads, may also be read by third-party IT systems.
  3. Some of the cookies used by the Controller are necessary for the proper provision of electronic services to the User, as defined by the Act of 18 July 2002 on Providing Services by Electronic Means. However, the use of some cookies by the Controller is not essential, as it serves purposes that are not required for the User to properly use the Store.
  4. Cookies that are not necessary for the proper provision of electronic services to the User are blocked until the User consents to their use, thereby also consenting to the Processing of Personal Data.
  5. The consent referred to above may be given by the User via the cookie banner displayed on the Store’s website during the User’s first visit.
  6. The legal basis for the Processing of Personal Data through the cookies referred to above is Article 6(1)(a) of the GDPR – the User’s consent, as explained further in the sections above on the rules for processing data via analytical and marketing tools.
  7. Additionally, within their web browser, the User may manage cookie settings at any time, including blocking or re-enabling their use.

XX. Cookies Used via the Store's Website

  1. Through the Store's website, the Controller uses both first-party cookies and third-party cookies.
  2. First-party cookies are used to ensure the proper functioning of specific mechanisms on the website.
  3. Third-party cookies are used for the purposes described in the previous sections concerning the rules for processing Data, including the use of analytical and marketing tools. These include cookies from:
    a. Google Analytics and Google Ads, owned by Google LLC;
    b. Klaviyo, owned by Klaviyo Inc.;
    c. Facebook and Instagram, administered by Meta Inc.

XXI. Final Provisions

  1. In matters not regulated in the Privacy Policy, the applicable provisions of Polish law and the GDPR shall apply.
  2. The Administrator reserves the right to amend the Privacy Policy, especially when required by changes related to the processing of personal data on the Store’s website, technological changes, or changes in the applicable law concerning the issues described in this document.