Privacy Policy

Updated: May 19, 2026

1) GENERAL PROVISIONS

  • 1. This Privacy Policy of the Online Service is for informational purposes only, which means that it does not constitute a source of obligations for Service Users of the Online Service. This Privacy Policy sets out, in particular, the principles governing the processing of personal data by the Controller within the Online Service, including the legal bases, purposes, and scope of personal data processing, as well as the rights of data subjects and information regarding the use of Cookies and analytical tools within the Online Service.
  • 2. The controller of personal data collected through the Online Service is PATRYK RUMIŃSKI conducting business activity under the business name WEB ROOM STUDIO PATRYK RUMIŃSKI, with its place of business in Gdańsk, entered into the Central Registration and Information on Business of the Republic of Poland (CEIDG) maintained by the minister responsible for economy matters, having a business address and address for service at: ul. Śląska 15A/9, 80-384 Gdańsk, Poland, VAT ID (NIP): PL7431817809, REGON: 220981298, e-mail address: [email protected] — hereinafter referred to as the “Controller”, who is also the Service Provider of the Online Service.
  • 3. Personal data processed within the Online Service are processed by the Controller in accordance with applicable law, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) — hereinafter referred to as the “GDPR” or the “GDPR Regulation”.
    Official text of the GDPR Regulation:
    https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
  • 4. Use of the Online Service is voluntary. Likewise, the provision of personal data by the Service User using the Online Service is voluntary, subject to two exceptions:

    (1) entering into agreements with the Controller — failure to provide, in the cases and to the extent indicated on the Online Service website, in the Terms and Conditions of the Online Service, and in this Privacy Policy, the personal data necessary to conclude and perform an agreement for the provision of Electronic Services with the Controller results in the inability to conclude such agreement. In such a case, providing personal data constitutes a contractual requirement and if the data subject wishes to conclude a given agreement with the Controller, they are obliged to provide the required data. Each time, the scope of data required to conclude the agreement is indicated in advance on the website of the Online Service and in the Terms and Conditions of the Online Service;

    (2) statutory obligations of the Controller — providing personal data constitutes a statutory requirement arising from generally applicable provisions of law imposing on the Controller the obligation to process personal data (e.g. processing data for tax or accounting purposes), and failure to provide such data will prevent the Controller from fulfilling those obligations.
  • 5. The Controller exercises particular care in order to protect the interests of persons whose personal data is processed by the Controller and, in particular, is responsible for and ensures that the data collected by the Controller is:

    (1) processed lawfully;
    (2) collected for specified, lawful purposes and not further processed in a manner incompatible with those purposes;
    (3) factually accurate and adequate in relation to the purposes for which it is processed;
    (4) stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed; and
    (5) processed in a manner ensuring appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
  • 6. Taking into account the nature, scope, context, and purposes of processing as well as the risk of infringement of the rights or freedoms of natural persons of varying likelihood and severity, the Controller implements appropriate technical and organizational measures to ensure that processing is performed in accordance with the GDPR Regulation and to be able to demonstrate such compliance. These measures are reviewed and updated where necessary. The Controller applies technical measures preventing unauthorized persons from obtaining or modifying personal data transmitted electronically.
  • 7. Any words, expressions, and acronyms appearing in this Privacy Policy and beginning with a capital letter (e.g. Service Provider, Online Service, Electronic Service) shall be understood in accordance with their definitions contained in the Terms and Conditions of the Online Service available on the website of the Online Service.

2) LEGAL BASIS FOR DATA PROCESSING

  • 1. The Controller is entitled to process personal data where — and to the extent that — at least one of the following conditions is met:

    (1) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    (3) processing is necessary for compliance with a legal obligation to which the Controller is subject; or
    (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data, in particular where the data subject is a child.
  • 2. Processing of personal data by the Controller requires, in each case, the existence of at least one of the legal bases indicated in clause 2.1 of this Privacy Policy. The specific legal bases for processing personal data of Service Users of the Online Service by the Controller are indicated in the following section of this Privacy Policy — in relation to the specific purpose of processing personal data by the Controller.

3) PURPOSE, LEGAL BASIS, AND PERIOD OF DATA PROCESSING IN THE ONLINE SERVICE

  • 1. The Controller may process personal data within the Online Service for the purposes, on the legal bases, and for the periods indicated in the table below.
  • 2. The Controller does not collect or process sensitive data (special categories of personal data referred to in Article 9 of the GDPR Regulation).
  • 3. In each case, the purpose, legal basis, period, and recipients of personal data processed by the Controller result from the actions undertaken by a given Service User within the Online Service or by the Controller.
  • Purpose of Data Processing Legal Basis for Data Processing Data Retention Period
    Performance of the agreement for the provision of Electronic Services or taking action at the request of the data subject prior to entering into the above-mentioned agreements Article 6(1)(b) of the GDPR Regulation (performance of a contract) — processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Data is retained for the period necessary to perform, terminate, or otherwise expire the concluded Sales Agreement or agreement for the provision of Electronic Services.
    Keeping tax records Article 6(1)(c) of the GDPR Regulation in conjunction with Article 86 § 1 of the Polish Tax Ordinance Act of 17 January 2017 (Journal of Laws of 2017, item 201) — processing is necessary for compliance with a legal obligation to which the Controller is subject. Data is retained for the period required by law obliging the Controller to retain tax records (until the expiry of the limitation period for tax liabilities, unless tax laws provide otherwise).
    Expressing opinions by the Client regarding the Controller’s services Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller) — processing is necessary for the purposes arising from the legitimate interests pursued by the Controller consisting in protecting the interests and good reputation of the Controller, its Online Service, and seeking to increase the sale of Products. Data is retained for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims that may be raised against the Controller (the basic limitation period for claims against the Controller is six years).
    Establishing, pursuing, or defending claims which may be raised by the Controller or against the Controller Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller) — processing is necessary for the purposes arising from the legitimate interests pursued by the Controller consisting in establishing, pursuing, or defending claims which may be raised by or against the Controller. Data is retained for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims that may be raised against the Controller (the basic limitation period for claims against the Controller is six years).
    Use of the Online Service website and ensuring its proper operation Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller) — processing is necessary for the purposes arising from the legitimate interests pursued by the Controller consisting in operating and maintaining the website of the Online Service. Data is retained for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims of the Controller against the data subject arising from the Controller’s business activity. The limitation period is specified by applicable law, in particular the Polish Civil Code (the basic limitation period for claims related to business activity is three years).
    Statistics and traffic analysis within the Online Service Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller) — processing is necessary for the purposes arising from the legitimate interests pursued by the Controller consisting in maintaining statistics and analyzing traffic within the Online Service in order to improve the functioning of the Online Service and increase the sale of Products. Data is retained for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims of the Controller against the data subject arising from the Controller’s business activity. The limitation period is specified by applicable law, in particular the Polish Civil Code (the basic limitation period for claims related to business activity is three years).

4) RECIPIENTS OF DATA IN THE ONLINE SERVICE

  • 1. For the proper functioning of the Online Service, including the performance of concluded agreements, it is necessary for the Controller to use the services of external entities (such as software providers). The Controller uses only the services of such processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that processing meets the requirements of the GDPR Regulation and protects the rights of data subjects.
  • 2. Personal data may be transferred by the Controller to a third country, provided that the Controller ensures that in such a case the transfer takes place to a country ensuring an adequate level of protection in accordance with the GDPR Regulation, and in the case of other countries, that the transfer takes place on the basis of standard contractual clauses for data protection. The Controller ensures that the data subject has the possibility to obtain a copy of their data. The Controller transfers collected personal data only where and to the extent necessary to achieve a given purpose of processing in accordance with this Privacy Policy.
  • 3. Transfer of data by the Controller does not take place in every case and not to all recipients or categories of recipients indicated in this Privacy Policy — the Controller transfers data only where it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve that purpose.
  • 4. Personal data of Service Users of the Online Service may be transferred to the following recipients or categories of recipients:
  • a. providers supplying the Controller with technical, IT, and organizational solutions enabling the Controller to conduct business activity, including the Online Service and Electronic Services provided through it (in particular providers of software for operating the Online Service, e-mail providers, and hosting providers) — the Controller discloses collected personal data of the Service User to a selected provider acting on its behalf only where and to the extent necessary to achieve a given purpose of processing in accordance with this Privacy Policy.
  • b. providers of electronic payment or payment card services — in the case of a Service User using electronic payment methods or payment cards within the Online Service, the Controller discloses collected personal data of the Service User to the selected payment service provider acting on behalf of the Controller to the extent necessary to process the payment made by the Service User.
  • c. providers of social plugins, scripts, and other similar tools placed on the website of the Online Service enabling the browser of the person visiting the website of the Online Service to retrieve content from the providers of such plugins (e.g. publishing links within social media services directly from the website) and for this purpose transmitting personal data of the visitor to such providers, including:
  • i. Meta Platforms Ltd. — the Controller uses social plugins of the Facebook service (e.g. the Share button) on the website of the Online Service and therefore collects and transfers personal data of Service Users using the website of the Online Service to Meta Platforms Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) to the extent and in accordance with the privacy policy available at: https://www.facebook.com/about/privacy/ (data includes information regarding activities on the website of the Online Service — including information about the device, visited websites, purchases, displayed advertisements, and the manner of using services — regardless of whether the Service User has a Facebook account or is logged into Facebook).
  • ii. Twitter International Company — the Controller uses social plugins of the X service (formerly Twitter), such as the Share button, on the website of the Online Service and therefore collects and transfers personal data of Service Users using the website of the Online Service to Twitter International Company (One Cumberland Place, Fenian Street Dublin 2, D02 AX07 Ireland) to the extent and in accordance with the privacy policy available at: https://twitter.com/en/privacy (data includes information regarding activities on the website of the Online Service — including information about the device, visited websites, purchases, displayed advertisements, and the manner of using services — regardless of whether the Service User has an account within X and whether they are logged into X).

5) PROFILING IN THE ONLINE SERVICE

  • 1. The GDPR Regulation imposes an obligation on the Controller to inform about automated decision-making, including profiling referred to in Article 22(1) and (4) of the GDPR Regulation, and — at least in such cases — to provide meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject. Taking this into account, the Controller provides information in this section of the Privacy Policy regarding possible profiling.
  • 2. The Controller may use profiling within the Online Service for direct marketing purposes; however, decisions made on this basis by the Controller do not concern the conclusion or refusal to conclude agreements for the provision of Electronic Services within the Online Service.
  • 3. Profiling within the Online Service consists in the automatic analysis or prediction of a person’s behavior on the website of the Online Service, for example by analyzing previous activities undertaken within the Online Service. The condition for such profiling is that the Controller possesses personal data of a given person in order to subsequently send them, for example, marketing information.
  • 4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

6) RIGHTS OF THE DATA SUBJECT

  • 1. Right of access, rectification, restriction, erasure, or portability — the data subject has the right to request access to their personal data from the Controller, rectification, erasure (“right to be forgotten”), restriction of processing, and has the right to object to processing, as well as the right to data portability. Detailed conditions for exercising the above rights are indicated in Articles 15–21 of the GDPR Regulation.
  • 2. Right to withdraw consent at any time — a person whose data is processed by the Controller on the basis of consent (under Article 6(1)(a) or Article 9(2)(a) of the GDPR Regulation) has the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
  • 3. Right to lodge a complaint with a supervisory authority — a person whose data is processed by the Controller has the right to lodge a complaint with a supervisory authority in the manner and mode specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.
  • 4. Right to object — the data subject has the right to object at any time — on grounds relating to their particular situation — to processing of personal data concerning them based on Article 6(1)(e) (public interest or exercise of official authority) or Article 6(1)(f) (legitimate interest of the Controller), including profiling based on those provisions. In such a case, the Controller may no longer process such personal data unless the Controller demonstrates compelling legitimate grounds for processing overriding the interests, rights, and freedoms of the data subject, or grounds for the establishment, exercise, or defense of legal claims.
  • 5. Right to object to direct marketing — where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing purposes, including profiling, to the extent that the processing is related to such direct marketing.
  • 6. In order to exercise the rights referred to in this section of the Privacy Policy, the Controller may be contacted in writing or electronically using the contact details of the Controller indicated at the beginning of this Privacy Policy or by using the contact form available within the Online Service.
  • 7. Additional rights for residents of the State of California (CCPA/CPRA).

    Residents of the State of California have the following additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

    (1) Right to know — the data subject may request information regarding the categories of personal data collected, used, disclosed, and retained by the Controller.

    (2) Right to delete — the data subject may request deletion of their personal data. The data subject may also delete their Account together with all associated data directly through the Account settings.

    (3) Right to access and data portability — the data subject may download a copy of their personal data directly through the Account settings available at: https://cutt.ly/edit.

    (4) Right to opt out of the sale or sharing of personal data — the Controller does not sell personal data to third parties or share personal data for cross-context behavioral advertising purposes within the meaning of the CCPA/CPRA.

    In order to exercise the rights described above, the data subject may use the Account settings and the “Edit Account” section available after logging into the Account or contact the Controller using the contact details indicated in this Privacy Policy.

7) COOKIES IN THE ONLINE SERVICE AND ANALYTICAL, SECURITY, AND PERFORMANCE TOOLS

  • 1. Cookies are small text files sent by a server and stored on the device of a person visiting the website of the Online Service (e.g. on the hard drive of a computer, laptop, or on the memory card of a smartphone — depending on the device used by the visitor of the Online Service). Detailed information regarding Cookies, as well as the history of their creation, is available, among others, here: https://en.wikipedia.org/wiki/HTTP_cookie.
  • 2. Cookies used within the Online Service may be divided into the following categories:
    By provider: By storage duration: By purpose:
    1) first-party Cookies (created by the Controller), and

    2) third-party Cookies (created by entities other than the Controller)     		1) session Cookies (stored until logging out or closing the browser), and

    2) persistent Cookies (stored for a specified period defined in the parameters of the Cookie file or until manually deleted)     		1) necessary Cookies (enabling proper functioning of the Online Service),

    2) functional/preference Cookies (enabling customization of the Online Service to user preferences),

    3) analytical and performance Cookies (collecting information regarding the use of the Online Service),

    4) marketing, advertising, and social media Cookies (collecting information about the visitor to the Online Service in order to display personalized advertisements and conduct marketing activities, including on third-party websites such as social media platforms)
  • 3. The Controller may process data contained in Cookies when visitors use the website of the Online Service for the following purposes:
    Purposes of using Cookies within the Online Service
    Identifying Service Users as logged into the Online Service and showing that they are logged in (necessary Cookies) Customizing the content of the Online Service to the individual preferences of the Service User (e.g. concerning colors, font size, page layout) and optimizing the use of the Online Service (functional/preference Cookies) Creating anonymous statistics showing how the website of the Online Service is used (analytical Cookies) Displaying and rendering advertisements, limiting the number of times advertisements are displayed, measuring the effectiveness of advertising campaigns, and personalizing advertisements. This may include analyzing behavioral characteristics of persons visiting the Online Service through anonymous analysis of their activities (e.g. repeated visits to specific pages or keywords) in order to provide advertisements tailored to their anticipated interests, including when visiting third-party websites and social media platforms (marketing, advertising, and social media Cookies).
  • 4. Checking which Cookies are currently sent by the website of the Online Service is possible, regardless of the web browser used, by using tools available, for example, at: https://www.cookiemetrix.com/ or https://www.cookie-checker.com/.
  • 5. By default, most web browsers available on the market accept the storage of Cookies. Everyone may independently define the conditions for using Cookies through browser settings. This means it is possible, for example, to partially limit (e.g. temporarily) or completely disable the storage of Cookies — however, in the latter case this may affect certain functionalities of the Online Service.
  • 6. Browser settings regarding Cookies are relevant from the perspective of consent to the use of Cookies within the Online Service — in accordance with applicable law such consent may also be expressed through browser settings. Detailed information on changing Cookie settings and deleting Cookies in the most popular web browsers is available in the help section of the respective browser and on the following websites:

  • 7. The Controller may use Google Analytics, Google Analytics 4 (GA4), and Google Tag Manager services provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) within the Online Service. These services help the Controller maintain statistics and analyze traffic within the Online Service. The collected data is processed as part of the above services for the purpose of generating statistics helpful in administering the Online Service and analyzing traffic within the Online Service. Such data is aggregated in nature. By using the above-mentioned services within the Online Service, the Controller collects data such as the sources and medium of acquiring visitors to the Online Service and the manner of their behavior on the website of the Online Service, information regarding devices and browsers used to visit the website, domains, geographic data, demographic data (age, gender), and interests.

    In the case of Google Analytics 4 (GA4), IP addresses are anonymized automatically by Google and are not logged or stored in full.

    More information regarding Google Tag Manager is available at: https://support.google.com/tagmanager/answer/6102821
  • 8. It is possible to easily block the sharing of information regarding activity on the website of the Online Service with Google Analytics — for this purpose, for example, a browser add-on provided by Google Ireland Ltd. may be installed and available at: https://tools.google.com/dlpage/gaoptout.
  • 9. In connection with the possibility of the Controller using advertising and analytical services provided by Google Ireland Ltd. within the Online Service, the Controller indicates that complete information regarding the principles of processing data of persons visiting the Online Service (including information stored in Cookies) by Google Ireland Ltd. is available in the privacy policy of Google services at: https://policies.google.com/technologies/partner-sites.
  • 10. The Controller may use the Meta Pixel service provided by Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), TikTok Pixel provided by TikTok Technology Limited (10 Earlsfort Terrace, Dublin, D02 T380, Ireland), LinkedIn Insight Tag provided by LinkedIn Ireland Unlimited Company (Gardner House, 2 Wilton Pl, Saint Peter's, Dublin 2, Ireland), Pinterest Pixel provided by Pinterest Europe Limited (Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland), Quora Pixel provided by Quora Inc. (605 Castro Street, Mountain View, CA 94041, USA), Segment Pixel provided by Twilio Ireland Limited (3 Dublin Landings, North Wall Quay, Dublin 1, Ireland), Twitter/X Pixel provided by Twitter International Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland), and Google Ads and Google Ads Conversion Tracking services provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) within the Online Service.

    These services help the Controller measure the effectiveness of advertising campaigns, analyze actions undertaken by visitors within the Online Service, and display advertisements tailored to those visitors.

    Detailed information regarding these services is available at:

    Meta Pixel: https://www.facebook.com/business/help/742478679120153?helpref=page_content

    TikTok Pixel: https://ads.tiktok.com/help/article/tiktok-pixel

    LinkedIn Insight Tag: https://www.linkedin.com/help/lms/answer/a418880/add-the-linkedin-insight-tag-to-your-website?lang=en

    Pinterest Pixel: https://help.pinterest.com/en/business/article/install-the-pinterest-tag

    Quora Pixel: https://business.quora.com/advertising/quora-pixel/

    Segment Pixel: https://segment.com/docs/connections/sources/catalog/libraries/server/pixel-tracking-api/

    Twitter/X Pixel: https://business.x.com/en/help/campaign-measurement-and-analytics/conversion-tracking-for-websites.html

    Google Ads: https://support.google.com/google-ads/answer/1722022
  • 11. Management of the operation of the tools referred to in clause 7.10 above is possible through advertisement settings available within user accounts on the respective platforms, including Facebook, Google, TikTok, LinkedIn, Pinterest, Quora, X (formerly Twitter), and other relevant services.
  • 12. The Controller uses services provided by Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) within the Online Service for the purpose of protecting and optimizing the operation of the Online Service. The principal Cloudflare services used by the Controller include Web Application Firewall (WAF) protection against network attacks, DDoS Protection against distributed denial-of-service attacks, Cloudflare Turnstile anti-bot and anti-spam verification mechanisms, and caching services improving the speed of loading content within the Online Service. Cloudflare may also provide additional services related to the security and performance of the Online Service, which may also be used by the Controller as necessary.

    These services are used in order to ensure the stability, security, and speed of operation of the Online Service.

    Cloudflare, Inc. processes data in accordance with the privacy policy available at: https://www.cloudflare.com/privacypolicy/.

    Cloudflare may also use Cookies in order to ensure security and optimize the performance of the Online Service. More information regarding Cookies used by Cloudflare and their functions is available at: https://www.cloudflare.com/cookie-policy/.
  • 13. The Controller may enable Service Users to create tracking pixels (including Meta/Facebook Pixel, Twitter/X Pixel, Pinterest Pixel, Segment Pixel, Quora Pixel, LinkedIn Insight Tag, and Google Pixel), which may be triggered when Internet users display or click shortened links created by the Service User. Tracking pixels are loaded only after a shortened link is clicked and before the user is redirected to the target landing page. These services help the Service User measure the effectiveness of advertising campaigns, analyze visitor activity, and display advertisements tailored to those visitors.

8) NEVADA PRIVACY RIGHTS

  • 1. Information for Residents of Nevada
    • a. Nevada law permits residents of Nevada to opt out of the sale of certain categories of personal information. Subject to various exceptions, Nevada law defines “sale” as the exchange of certain categories of personal information for monetary consideration with another person.

      The Controller does not currently sell personal information within the meaning of Nevada law. However, if you are a resident of Nevada, you may submit a verified opt-out request regarding the future sale of personal information, and the Controller will record and honor such instructions in the future if its practices change.

      Requests regarding Nevada privacy rights may be submitted using the contact details indicated in this Privacy Policy.

9) FINAL PROVISIONS

  • 1. The Online Service may contain links to other websites. The Controller encourages users, after leaving the website of the Online Service, to review the privacy policies applicable to such websites. This Privacy Policy applies exclusively to the Online Service of the Controller.