Privacy Policy
Last updated: April 17, 2026
Data Controller
This Privacy Policy sets out the rules for processing personal data of users of the Trichovita online store (hereinafter: "Store") and the use of cookies and other similar technologies. We care about the security of personal data and process it in accordance with applicable law -- in particular with the GDPR (EU Regulation 2016/679), the Act on the Provision of Electronic Services, the Electronic Communications Law, and the Telecommunications Law, as well as other relevant regulations. This Policy is addressed to all Store customers, both consumers (B2C) and businesses (B2B), using the Store's services within Poland.
The data controller (hereinafter: "Controller" or "we") is TRICHOVITA Spolka z ograniczona odpowiedzialnoscia with its registered office in Poznan (address: Os. Stefana Batorego 79/U4, 60-687 Poznan). The company is registered in the National Court Register (KRS) under number 0000223026 (NIP: 7792234940, REGON: 634598564). The Controller operates the online Store at www.trichovita.pl.
For matters relating to the protection of personal data, you may contact the Controller in writing at the above address or via the contact form available on the Store's website (the "Contact" section).
Purposes, scope, and legal bases of data processing
We process users' personal data for specific purposes, to the minimum extent necessary to achieve those purposes. Below we describe what data we collect, in what circumstances, for what purpose we process it, and on what legal basis:
- Placing orders (purchasing goods) -- when placing an order, we ask you to provide the data necessary to perform the sales contract: first and last name, delivery address (street, postal code, city), email address, and contact phone number. For business customers, we may additionally collect the company name and NIP (tax identification number) for invoicing purposes. This data is processed for the purpose of fulfilling the order, i.e. concluding and performing the distance sales contract (accepting the order, payment, delivery of goods, handling any complaints). The legal basis is the necessity to perform the contract (Article 6(1)(b) GDPR) -- without this data, we would not be able to complete the sale. Furthermore, certain data (e.g. invoicing data) is processed in order to fulfill our legal obligations as a seller, such as tax and accounting obligations (issuing and storing invoices and receipts) -- the legal basis is Article 6(1)(c) GDPR. We may also process this data on the basis of our legitimate interest (Article 6(1)(f) GDPR) to the extent necessary for the establishment, exercise, or defense of legal claims (e.g. storing order information until the expiry of the limitation period for claims under the contract).
- User account registration -- when creating an account in our Store, the user provides data such as: first name, last name, email address, and password (and optionally, e.g. a phone number). This data is processed for the purpose of creating and maintaining a user account and enabling the use of account functionalities (viewing order history, quick ordering, editing data, etc.). The legal basis for processing is the necessity to perform a contract for the provision of electronic services -- creating and maintaining an account (Article 6(1)(b) GDPR). Account data is stored until the account is deleted by the user or by the Controller (e.g. at the user's request). Deleting an account does not result in the deletion of data relating to completed orders, which we may continue to store, e.g. for tax or legal purposes (in accordance with the principles described in this Policy).
- Newsletter (commercial information via email) -- when subscribing to the newsletter, the user provides their email address (and possibly their first name, if they wish to receive personalized greetings). We use this data for the purpose of sending the newsletter, i.e. information about new products, promotions, offers, and articles related to the Store. The newsletter is sent only after obtaining the user's explicit consent to receive commercial information from us electronically (in accordance with the requirements of electronic communications law). The legal basis for processing the data (email address) is the data subject's consent (Article 6(1)(a) GDPR). The user may withdraw their consent at any time -- e.g. by clicking the "unsubscribe" link in the footer of each newsletter or by contacting us in any manner. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. After the withdrawal of consent, we will no longer send the newsletter to the relevant email address.
- Contact form -- when using the contact form or sending us a message (e.g. via email), the user provides data such as: first name, last name, email address, phone number (optional), and the content of the inquiry. This data is processed for the purpose of handling the inquiry -- providing a response, resolving the matter at hand, and making return contact. The legal basis for processing may be our legitimate interest (Article 6(1)(f) GDPR) consisting in communicating with persons inquiring about our services and maintaining customer relationships. If the inquiry relates, for example, to an offer prior to entering into a contract, the legal basis may also be taking steps at the data subject's request prior to entering into a contract (Article 6(1)(b) GDPR). Correspondence data will be processed for the time needed to handle the inquiry and, where appropriate, for a longer period -- in the event of pursuing or defending against claims (which constitutes our legitimate interest). For example, we may archive correspondence for a period of up to 3 years from the conclusion of the matter, where this is necessary for evidentiary purposes (e.g. the history of arrangements with a customer).
- Reviews and ratings -- our Store allows users to leave reviews about products or the Store's activities (e.g. in the form of reviews or ratings). If the user chooses to publish a review, we process the data provided in the review form: the content of the review, the product rating, and the author's data (such as their name/username, and possibly basic account data if the review is published by a logged-in user). Processing takes place for the purpose of publishing the user's review on the Store's website and, where applicable, moderating such content. The legal basis is the user's consent expressed through voluntarily posting the review (Article 6(1)(a) GDPR) -- the user decides to make their data public as part of the review. We reserve the right to moderate or remove reviews that violate the law or good practices (in accordance with the Store's terms and conditions). The user may at any time request the removal of their published review -- in which case we will cease processing the data associated with it (unless further storage is required for other purposes, e.g. defense against claims). An alternative legal basis for processing data in the context of reviews may be our legitimate interest (Article 6(1)(f) GDPR), consisting in providing reliable product information and information about the quality of our service to other customers -- however, we always respect the user's wishes regarding the posting or removal of their review.
- Loyalty program -- if we implement a loyalty program (loyalty club) for regular customers, participation will be voluntary, based on separate terms and conditions. As part of the program, we may process data such as: customer account data (first name, last name, email), purchase information (transaction history, purchase value, awarded points, discounts, etc.), and possibly additional data provided by the program participant. We process this data for the purpose of managing the loyalty program, i.e. accruing points, awarding discounts, informing participants of the benefits available to them, and of special offers within the program. The legal basis for processing is the necessity to perform the loyalty program participation agreement (Article 6(1)(b) GDPR) -- by joining the program, the user enters into an agreement with us setting out the program rules. Additionally, to the extent that we carry out marketing activities within the program (e.g. sending information about promotions to club members), we rely either on the participant's consent (e.g. consent to email/SMS communication within the program) or on our legitimate interest in providing participants with information about program benefits (the participant may opt out of such communications at any time). We will process a loyalty program participant's data for as long as they remain a member of the program, and after the end of participation -- for the period necessary to settle any awarded benefits and for the duration of the limitation period for any claims.
Geolocation data (parcel locker / pickup-point map)
During checkout (on the cart page, in the step where you choose a parcel locker or pickup point) we show an interactive map that helps you find the nearest carrier points. If you knowingly click the “Use my location” button, your browser will ask for your consent to share approximate geographic coordinates (latitude and longitude) with us. We use those coordinates only once -- solely to ask the mapping provider (BLPaczka / InPost / DPD / DHL / Orlen) for a list of pickup points closest to that location, and to let an external geocoding provider (OpenStreetMap / Nominatim) translate the coordinates into a readable street address. We do not store the coordinates in any database, we do not link them to a customer account, and we do not use them for any other purpose (analytics, marketing, or profiling). If you do not grant consent, the map still works -- you can search for a parcel locker manually by city name or postal code. The legal basis for processing is the user’s consent (Article 6(1)(a) GDPR), expressed by deliberately clicking the location icon and confirming the browser pop-up; consent can be withdrawn at any time in browser settings (Safari / Chrome / Firefox → Site Settings → Location).
Cookies and similar technologies
Our Store's website uses cookies and similar technologies to ensure its proper functioning, improve its features, and conduct analytics and marketing. Cookies are small text files that the website saves on the user's device (computer, smartphone, etc.) while browsing the site.
Types of cookies used:
- Technically necessary cookies -- these are cookies essential for the proper functioning of the Store and the provision of basic services. We use them, among other things, to maintain the session after login, remember the contents of the shopping cart, and store preference settings (e.g. language). These cookies do not collect data for marketing or analytical purposes; they only ensure the functionality of the Store. Due to their essential nature, we do not require separate consent for their use -- their use is based on Article 173 of the Telecommunications Law (ensuring the transmission of a communication in a network) and our legitimate interest in providing services requested by the user.
- Analytical cookies -- these are files used to collect information about how users use our Store (e.g. which pages they visit, how long they spend on them, which features they click). We use analytical tools such as Google Analytics (provided by Google Ireland Ltd.), which use cookies to collect anonymous statistical data (e.g. anonymized IP addresses, device identifiers) for the purpose of analyzing website traffic and improving our Store. The use of analytical cookies takes place only with the user's consent -- we request consent for this type of cookie upon the first visit. Not providing consent does not affect the ability to use the Store, but will prevent us from obtaining data about your visit for statistical purposes. The legal basis for processing data from analytical cookies is the user's consent (Article 6(1)(a) GDPR) in conjunction with the requirements of the Telecommunications Law and the GDPR. Information collected by Google Analytics may be transferred to Google servers outside Europe (e.g. in the USA) -- however, we use these tools in accordance with the compliance mechanisms provided for by law (e.g. standard contractual clauses approved by the European Commission). Details regarding Google's privacy policy can be found on Google's website.
- Marketing (advertising) cookies -- these are files used for marketing and advertising purposes, including remarketing and the personalization of advertising content. Our Store does not currently use marketing cookies, but we reserve the right to enable them in the future (e.g. advertising pixels of platforms such as Meta/Facebook). If we do, the user will be informed separately and their explicit consent will be required. Such cookies are also installed only with the user's consent. As with analytical cookies, refusing consent means that we will not be able to display personalized advertisements to the user, but it will not block access to the Store's functionality. Data collected by marketing tools (e.g. cookie identifiers) may be transferred to the providers of these tools, including to countries outside the EEA (e.g. the USA, in the case of Facebook/Meta) -- however, this is done on the basis of appropriate legal safeguards (e.g. standard contractual clauses).
First-party page-view statistics (cookie-free)
Independently of the analytical cookies described above, we keep our own anonymous page-view statistics for the Store's pages, which do not use cookies or any other form of storing data on the user's device. When a page is opened, we record only aggregated data: the address of the visited subpage and its type (e.g. a blog article, a product page), the language, the source of the visit (the referring website's domain), the country, and the device type (phone, tablet, computer). We do not store the user's IP address -- we use it only momentarily, without retaining it, to compute an irreversible, daily-rotating hash used to approximate the number of unique visits; this hash does not allow us to identify a specific person or to track them across days. We do not link this data to a customer account, orders, or any other information; visits from bots and search engines, as well as the checkout, return, and shipment-tracking pages, are excluded from these statistics. We use the statistics solely to understand which content is read and to improve the Store (including the blog). Given the anonymous and cookie-free nature of this measurement, it does not require your consent -- the legal basis is our legitimate interest (Article 6(1)(f) GDPR) in keeping visit statistics and developing the Store. We process this data on our own infrastructure within the European Economic Area and do not transfer it outside the EEA.
Managing cookies: Upon the first visit to the Store, we display a message (cookie banner) with information about the use of cookies and a request for consent to non-essential cookies (analytical, marketing). The user has the option to accept all cookies, reject non-essential cookies, or select specific categories to which they consent. This decision can be changed at any time -- e.g. by changing the cookie settings in your browser (you can delete stored files or block future cookies) or by re-accessing the privacy settings on our website (if such a feature is provided). Instructions for managing cookies in the most popular browsers can usually be found in the "Help" section of the relevant browser. Please note that blocking essential cookies may make it difficult to use the Store -- e.g. the shopping cart and checkout process may not function properly without session cookies.
Sharing data with third parties
In connection with operating the Store, we may share collected personal data with selected third parties where this is necessary for the provision of services or required by applicable regulations. We ensure that each such entity guarantees an appropriate level of data protection. Data may be shared with the following categories of recipients:
- Courier companies and postal operators -- in order to deliver ordered products, we share the customer's address and contact data with companies handling shipments (e.g. courier companies such as DHL, DPD, InPost, UPS, or Poczta Polska). Only the data necessary for parcel delivery is shared (e.g. first and last name, delivery address, phone number for courier contact).
- Electronic payment operators -- our Store uses external payment systems to enable secure online order payments. Data necessary to process the payment (e.g. the amount, order number, email, and the payer's first and last name) is transmitted to the payment operator. An example of such an entity is PayPro S.A. (ul. Pastelowa 8, 60-198 Poznan) -- the operator of the Przelewy24 system. The payment operator becomes a separate controller of the data received to the extent of processing the transaction -- it processes the data in accordance with its own privacy policy and legal requirements (e.g. anti-money laundering legislation, KNF requirements, etc.).
- IT and technical service providers -- we work with entities that provide us with hosting services, website maintenance and development, email services, and software providers (e.g. the e-commerce system, CRM system, or newsletter mailing system). Personal data may be entrusted to these entities to the extent necessary for the provision of a given service (e.g. the hosting provider stores data on servers; an IT company may occasionally have access to the database for troubleshooting, etc.). We enter into a data processing agreement with each such company, which obliges it to protect users' data.
- Accounting firm / tax advisors -- we use external accounting services to maintain our financial records. Our customers' data (e.g. information on sales invoices: first name, last name/company name, address, NIP for businesses, and the transaction value) may be shared with the accounting firm servicing our company to the extent necessary for bookkeeping and fulfilling tax obligations. Such an entity processes data on the basis of a data processing agreement and in accordance with applicable regulations (e.g. the Accounting Act).
- Law firms, debt collectors -- if necessary, we may share personal data with our legal advisors or debt collection companies where this is needed to pursue claims arising from a contract concluded with the customer (e.g. an unpaid order, a breach of the terms and conditions) or to defend against potential claims. The basis for such sharing is our legitimate interest in protecting our rights (Article 6(1)(f) GDPR).
- Public authorities -- at the request of authorized state bodies (e.g. the police, public prosecutor's office, courts, or the President of the Personal Data Protection Office), we are obliged to share personal data where required by law. We will share data with public authorities only where there is an appropriate legal basis and to the extent required by those authorities.
In every case of data sharing, we ensure that only the minimum necessary scope of data is transferred. Entities that process data on our behalf (e.g. IT service providers, courier companies) are required to secure the data and use it only for the purposes for which it was shared.
Transfer of data outside the EEA: As a rule, we do not transfer users' personal data to third countries (outside the European Economic Area). An exception may occur when we use the services of providers with offices or servers outside the EEA, e.g. Google or Meta (Facebook) in the USA, in the context of analytical and marketing cookies. In such cases, we ensure compliance with Chapter V of the GDPR -- we apply the standard contractual clauses approved by the EU or use other mechanisms to legitimize data transfers. By consenting to analytical/marketing cookies, the user is informed about the possible transfer of data to third countries. If you have questions about data transfers outside the EEA, please contact us -- we will provide additional information.
Data retention period
We retain personal data only for as long as is necessary to achieve the purposes for which it was collected, or for as long as required by applicable law. Retention periods have been adjusted to the nature of the data and applicable regulations. Below we set out the main data retention principles:
- Data related to order fulfillment (sales) -- we will retain data relating to orders placed for as long as is necessary to perform the contract and provide after-sales service (e.g. settlements, handling returns and complaints). After an order has been fulfilled, basic transaction data (invoices, receipts, proof of sale) is retained for the period required by tax and accounting regulations, i.e. 5 years from the end of the calendar year in which the tax payment deadline for a given transaction fell. In practice, this means that, for example, sales invoices for a given year may be stored for up to 6 years from the time of purchase (in accordance with the Tax Ordinance). Additionally, for the purposes of legal defense, we may retain order-related data until the expiry of the limitation period for claims under the contract -- which in most cases is a maximum of 6 years (under the Civil Code, for periodic claims or claims related to business activity, this may be 3 years, but for consumer transactions we adopt the longer, safer period).
- User account data -- we retain data provided during account registration for as long as the user has an active account in our Store. After an account is deleted (at the user's request or at the Controller's initiative, e.g. due to a prolonged period of inactivity), the data will be deleted or anonymized, with the exception of information that we must continue to retain for other reasons (e.g. order history -- retained in accordance with the order-related principles above, and accounting records -- for the required 5-year period). In other words, deleting an account does not always mean the immediate deletion of all data if the law requires its longer retention (however, we will limit the processing of such data exclusively to those purposes).
- Newsletter data -- the email address (and possibly the first name) provided for the newsletter subscription will be processed until the subscriber withdraws their consent. After unsubscribing from the newsletter, we will stop sending messages to that address. However, we may retain the email address for a certain period on our internal "suppression list" in order to document the withdrawal of consent and to protect against accidentally resending the newsletter (which constitutes our legitimate interest -- Article 6(1)(f) GDPR). Such a list is maintained solely for evidentiary and anti-spam purposes and contains a minimum scope of data (email address, unsubscription date).
- Correspondence data (contact form, emails) -- we retain this data for the period necessary to handle the matter from which it arose, and subsequently (where appropriate) for a period of up to 2-3 years for archival (evidentiary) purposes arising from our legitimate interest. If the correspondence relates to the performance of a contract or a complaint, longer periods may apply (e.g. 1 year for retaining responses to consumer complaints, in accordance with consumer rights legislation). In any event, we regularly review stored correspondence and delete any for which continued retention is not justified.
- Reviews/ratings -- user reviews published on the website will remain publicly available until we decide to remove them (e.g. at the author's request or because the relevant product is no longer listed) or until the website/Store is discontinued. If reviews are linked to a user account, deleting the account does not necessarily mean the automatic removal of previously posted reviews -- if you also wish to have your reviews removed, please contact us separately. We reserve the right to anonymize the author of a review after an account is closed (e.g. displaying the review as "Anonymous User").
- Loyalty program data -- if the loyalty program is active, we will retain participants' data (transactions, points, etc.) for the duration of their participation in the program. After resignation or the end of the program, the data will be deleted or anonymized, with the exception of information that we must retain, e.g. for tax purposes (e.g. if rewards of a value requiring tax settlement were awarded under the program) or for legal purposes. Any transaction data associated with the program may be subject to the same retention rules as order data (described above).
After the expiry of the stated periods, data is deleted or permanently anonymized so that it is no longer possible to identify a specific individual on its basis. Please note that in certain situations (e.g. ongoing proceedings, litigation), we may retain some data for longer -- until the final resolution of the matter -- where there is a legal basis for doing so.
Rights of data subjects
Every individual whose personal data we process has the following rights under the GDPR:
- Right of access to data -- you have the right to obtain confirmation from us as to whether we process your personal data, and if so, the right to access that data. Upon request, we will provide you with information including the purposes of processing, categories of data, recipients of data, and the planned retention period. You also have the right to receive a copy of your data undergoing processing.
- Right to rectification -- you have the right to request that we promptly rectify any of your personal data that is inaccurate, and to have incomplete data completed (including by providing a supplementary statement). We strive to keep your data up-to-date and accurate, and we encourage you to exercise this right whenever the need arises.
- Right to erasure ("right to be forgotten") -- you have the right to request the erasure of your personal data, and we are obliged to erase it where one of the grounds set out in Article 17 of the GDPR applies. You may request erasure of your data where, among other things: the data is no longer necessary for the purposes for which it was collected, you have withdrawn your consent and there is no other legal basis for processing, you have objected to processing and there are no overriding legitimate grounds for processing, the data has been processed unlawfully, or the data must be erased for compliance with a legal obligation. Please note, however, that in certain situations we cannot erase your data upon request -- this applies in particular where processing is still necessary due to a legal obligation (e.g. we cannot delete transaction data before the expiry of the required period for retaining accounting records) or for the establishment, exercise, or defense of legal claims. In our response to your request, we will inform you of any reasons why we are unable to fully comply with the request (if applicable).
- Right to restriction of processing -- you have the right to request that we temporarily restrict the processing of your personal data in the following cases: where you contest the accuracy of the data (for a period allowing us to verify its correctness), where processing is unlawful but you oppose erasure and instead request restriction of use, where we no longer need the data for processing purposes but you need it for the establishment, exercise, or defense of legal claims, or where you have objected to processing -- pending determination as to whether our legitimate grounds override yours. Restriction of processing means that, apart from storage, we may process the data only with your consent or for the establishment, exercise, or defense of legal claims, the protection of the rights of another natural or legal person, or for reasons of important public interest.
- Right to data portability -- to the extent that we process your data on the basis of your consent (Article 6(1)(a)) or on the basis of a contract (Article 6(1)(b)) -- and the processing is carried out by automated means -- you have the right to receive your personal data from us in a structured, commonly used, machine-readable format (e.g. CSV, JSON). You also have the right to transmit that data to another controller without hindrance from us. At your request, where technically feasible, we may transmit the data directly to another controller designated by you (this applies primarily to data that we hold in electronic form). This right applies to data that you have provided to us yourself (e.g. account data, information provided when placing an order, or in a form).
- Right to object -- you have the right at any time to object to the processing of your personal data where such processing is based on our legitimate interest (Article 6(1)(f) GDPR). The objection should be justified by your particular situation which, in your view, means that we should cease the processing in question. Upon receipt of the objection, we will cease processing the data for those purposes, unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or grounds for the establishment, exercise, or defense of legal claims. However, if we process data for direct marketing purposes, you have an absolute right to object -- this means that in the event of an objection to the processing of data for direct marketing purposes (e.g. marketing profiling, sending newsletters on the basis of legitimate interest), we will immediately cease such processing. No justification is required for an objection related to marketing.
- Right to withdraw consent -- where we process your data on the basis of consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. You may withdraw consent as easily as you gave it -- e.g. if you subscribed to the newsletter by ticking a checkbox on the website, you may unsubscribe by clicking the appropriate link in the email or by contacting us. After the withdrawal of consent, we will cease processing the data for the purpose to which the consent related.
- Right not to be subject to automated decision-making (including profiling) -- we currently do not make decisions about users based solely on automated processing that would produce legal effects concerning them or similarly significantly affect them. This means that we do not apply profiling within the meaning of Article 22 of the GDPR in a manner that could negatively impact the user's rights (e.g. we do not refuse to provide services based on an automated analysis of the customer profile). Should we plan to introduce such practices in the future, you will be informed in advance, and you will have the right to obtain human intervention in the decision-making process. At present, any profiling (e.g. for marketing purposes) is carried out on the basis of your consent or within the framework of legitimate interest and does not produce effects that significantly affect your situation.
- Right to lodge a complaint with the supervisory authority -- if you believe that we process your data unlawfully or in a manner that infringes your rights, you have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO). This authority performs a supervisory function in respect of compliance with personal data protection regulations in Poland. A complaint may be submitted in writing to the address of the Personal Data Protection Office: ul. Stawki 2, 00-193 Warszawa or electronically (detailed information is available on the UODO website). However, we encourage you to contact us directly before lodging a complaint -- we will endeavor to clarify the situation and resolve the issue amicably. Exercising the right to lodge a complaint does not suspend or limit your other rights described above.
To exercise your rights, you may contact us in any manner -- e.g. by sending a request to our mailing address or via email/contact form (if provided). We respond to rights-related requests without undue delay -- generally within one month of receipt. If necessary, this period may be extended by a further two months (we will inform you of the reasons for the delay). The exercise of rights is free of charge as a rule; however, if your requests are manifestly unfounded or excessive (e.g. repeatedly submitted), we may charge a reasonable fee for their fulfillment or refuse to act (in accordance with Article 12(5) of the GDPR).
Protection of children's data
The Store's services are not intended for persons under 16 years of age. We do not knowingly collect or process the personal data of children who have not reached 16 years of age. In particular, it is not possible for persons under 16 to register an account or place orders -- when creating an account, we require confirmation that the user meets this condition. This is based on the provisions of the GDPR, which provide for the special protection of children's data -- the processing of data of a child under 16 is lawful only where consent is given by the child's legal guardian. Therefore, we ask persons under 16 not to provide us with their personal data. If it transpires that we are processing the data of a child under 16 without appropriate consent, we will delete it without delay. We ask parents or guardians to monitor whether their children are registering on the Store without permission.
Voluntary nature of providing data and consequences of not providing it
Providing your personal data is, as a rule, voluntary, but in some cases necessary in order for you to use certain Store services or functionalities. In each case, we inform you which data is required (e.g. by marking it with an * symbol or a message in the form). Refusing to provide the required data or providing it incompletely may have the following consequences:
- If you do not provide the data necessary to place an order (such as address, contact, or payment information), we will not be able to accept and fulfill your order. Placing an order is equivalent to entering into a contract -- certain data (such as first name, last name, delivery address) is a contractual requirement; its absence prevents us from performing the sales contract.
- If you do not provide the data required for account registration, you will not be able to create a user account in the Store. Registration is voluntary -- you may browse the range of products and (sometimes) place orders as a guest, but having an account requires providing a minimum set of data (e.g. an email address for login). Not having an account means no access to functionalities reserved for registered users (e.g. viewing purchase history, participating in the loyalty program, etc.).
- If you do not provide data in the contact form or do not provide contact details, this may make it impossible or difficult for us to respond to your inquiry. For example, if you do not enter your email address, we will not know where to send the response. Providing data in the inquiry is voluntary, but without at least basic contact information, we will not be able to communicate with you effectively.
- Consent to receive the newsletter is entirely voluntary. If you do not provide it, you will not receive our newsletter or marketing information via email. This will not, however, affect your ability to use the Store or place orders in any way -- it simply means that you will not be subscribed to the mailing list. Similarly, refusing consent to analytical or marketing cookies will limit our ability to analyze and personalize our offering, but will not block access to the Store itself.
In summary: providing data is voluntary, but sometimes necessary for entering into a contract or providing a service. In such cases, the absence of data means the inability to provide the relevant service. We always strive to minimize the scope of required data -- we only ask for information that is genuinely needed for a given purpose.
Personal data security
We assure you that we make every effort to ensure that your personal data is adequately protected. We have implemented appropriate technical and organizational measures designed to protect data against unauthorized access, loss, alteration, or destruction. Our website uses the HTTPS (SSL) protocol, meaning that communication between your device and our server is encrypted. We store data on secure servers, and access is limited to authorized individuals who have been trained in data protection and have committed to maintaining confidentiality. We regularly monitor our IT systems for vulnerabilities and apply security updates. Furthermore, in the case of third-party entities processing data on our behalf, we require them to apply at least equivalent security measures.
In the unlikely event of a personal data breach (e.g. a database intrusion), we have procedures in place to respond immediately -- to identify the incident, mitigate its effects, and notify affected individuals and the relevant authorities where necessary (in accordance with Articles 33-34 of the GDPR).
Changes to the Privacy Policy
We reserve the right to make changes to this Privacy Policy in the future -- primarily in order to adapt it to changes in the law (e.g. when new regulations on personal data protection, electronic services, or cookies come into force) or to changes in our data processing practices (e.g. the introduction of new Store functionalities, tools, or services). In the event of material changes that affect the scope of your rights or obligations, we will notify you of such changes in a visible manner (e.g. via a notice on the Store's website or an email, in the case of newsletter subscribers).
The current version of the Policy is always available on our website (the "Privacy Policy" link in the footer). We encourage you to review its content periodically. Date of last update: June 4, 2026.
If you have any questions or concerns regarding this Policy or the processing of your personal data by TRICHOVITA Sp. z o.o. in general, we are at your disposal -- please contact us, and we will provide you with all the information you need.
This document was last updated on April 17, 2026.