Who processes your data and how to contact us

What data we process and where we get it from

Depending on which service you use, we may process:

• A. Identification and contact details
  • full name,
  • email address,
  • phone number,
  • address (delivery / correspondence / invoicing),
  • company invoicing details (e.g., company name, VAT ID) – where applicable.
• B. Account / profile data (if you create an account)
  • login/email, password (stored in encrypted form),
  • order history and service/repair history, fulfilment statuses.
• C. Order and service handling data
  • order/service request number,
  • scope of services/purchased products, prices, statuses,
  • communications about an order/service (e.g., complaints, returns, arrangements).
• D. Payment data (limited scope)
  • selected payment method,
  • payment status, transaction/settlement identifier, confirmation from the payment operator.

  We do not store full payment card details – these are handled by payment operators.

• E. Technical data and cookies
  • IP address, cookie identifiers,
  • device and browser information,
  • server logs, technical events (e.g., errors).

In most cases, you are the source of the data (forms, purchase, contact). Some technical data is generated automatically while you use the website (e.g., logs/cookies).

Is providing data mandatory

Providing data is voluntary, however:

• without certain data we cannot fulfil an order/delivery or provide a service/repair (e.g., without an address we cannot ship a parcel),
• without an email/phone number we may not be able to inform you about fulfilment,
• without invoicing data we cannot issue a VAT invoice to a company.

Purposes and legal bases for processing

We process personal data for the following purposes:

• Order fulfilment and service/repair services, customer account management
  Legal basis: Art. 6(1)(b) GDPR (contract / steps prior to entering into a contract).
• Contact and handling enquiries (online, email, phone, in person)
  Legal basis: Art. 6(1)(f) GDPR (legitimate interests – communication and customer support).
• Settlements, accounting, tax obligations
  Legal basis: Art. 6(1)(c) GDPR (legal obligation).
• Complaints, returns, statutory warranty, pursuing and defending claims
  Legal basis: Art. 6(1)(c) GDPR (legal obligation – where applicable) and/or Art. 6(1)(f) GDPR (legitimate interests – defence/pursuit of claims). Limitation periods are determined by applicable law.
• Our own marketing (e.g., information on new products/promotions)
  • newsletter / email marketing – only with consent
    Legal basis: Art. 6(1)(a) GDPR (consent).
  • marketing within a reasonable scope (e.g., information about our services/products)
    Legal basis: Art. 6(1)(f) GDPR (legitimate interests). You can object to marketing at any time.
• Analytics and statistics (“we look at website traffic”), improving the website, security
  • essential logs/security – Art. 6(1)(f) GDPR,
  • cookie-based analytics/marketing – as described in the cookies section (usually after cookie consent).

Automated decisions: Xzone does not make decisions producing legal effects concerning you solely by automated means (within the meaning of Art. 22 GDPR). We may use simple content/offer matching (marketing profiling) if you provide relevant cookie/marketing consents.

Social media and messengers

Xzone uses communication channels and profiles on social media: Facebook, Instagram, TikTok and communicates via WhatsApp.

If you contact us through these channels:

• we process the data you provide to us (e.g., name/nickname, message content),
• platform operators process data under their own rules (separate controllers) – we recommend reviewing their privacy policies,
• we may use statistics available to profile administrators (e.g., reach, interactions) for communication and marketing purposes.

Cookies and similar technologies (“tracking”, pixels)

The website may use cookies and similar technologies for:

• essential purposes (website operation, login, cart, security) – these cookies may be used without consent because they are necessary to provide the service you request,
• analytics/statistics (traffic measurement, website improvement),
• marketing (e.g., remarketing, personalised ads).

Analytics and marketing cookies should generally be activated only after your consent provided via the cookie banner / privacy settings. Consent must not be default or pre-ticked.

You can:

• change cookie settings in your browser,
• withdraw cookie consent (if the website provides a consent panel),
• delete cookies in your browser.

Restricting cookies may affect the functioning of certain features (e.g., login/cart).

Newsletter

If you subscribe to the newsletter:

• we send it only after you give your consent,
• you can unsubscribe at any time (unsubscribe link or a message to [email protected]),
• we may use subscription confirmation mechanisms (e.g., double opt-in), if implemented.

Who we share data with

We share data only when necessary and lawful – most often with parties that help us provide the service:

• Delivery / logistics: DPD, InPost (scope: address/contact details required for delivery).
• Accounting: Kancelaria Podatkowo-Rachunkowa Parkitny Jabłońska Sp. z o.o. (scope: settlement data, sales documents).
• Technical support / IT: Draftstudio, hosting: cyber_Folks.
• Payments: PayPal (Europe) S.à r.l. et Cie, S.C.A., PayPro S.A. (Przelewy24) (scope: data necessary to process the payment and confirm the transaction).
• Marketing/content production (if applicable): Mobilne usługi wideo filmowania.
• Drop-off/pick-up points (if you choose to use them): to the extent necessary to handle drop-off/pick-up.
• Public authorities: where required by law (e.g., upon request of an authorised authority).

As a rule, these entities act as processors on our behalf (Art. 28 GDPR) or as independent controllers (e.g., payment operators).

How long we keep data

We keep data only as long as necessary:

• customer account – until the account is deleted or the service is discontinued,
• orders/service requests – for the duration of fulfilment and settlements and until limitation periods for claims expire,
• accounting/tax documents – for the period required by law (usually counted from the end of the tax year),
• newsletter – until consent is withdrawn,
• technical data/logs – for a period justified by security and system administration purposes.

Your rights (Arts. 15–22 GDPR)

You have the right to:

• access, rectification, erasure, restriction,
• data portability (where provided by law),
• object to processing based on legitimate interests (including marketing),
• withdraw consent at any time (without affecting the lawfulness of processing before withdrawal),
• lodge a complaint with the President of the Polish Personal Data Protection Office (UODO).

We handle requests after verifying identity (to avoid disclosure to an unauthorised person). Contact: [email protected].

Security

We apply technical and organisational measures appropriate to the risk, including encrypted connections (SSL/TLS), access control and system security. Please note, however, that no method of data transmission can guarantee 100% security.

Changes to this statement

This statement may be updated due to legal, technological or organisational changes. We recommend checking it periodically.