• Free shipping on orders over 80€

Privacy Policy

Last updated: 18 September 2025

1. Controller and contact

1.1. The controller is Weronika Stachulska XYZ Studio (sole proprietorship, Poland), operating the Cruxed store.
1.2. Address: ul. Olszewskiego 3/82, 24-100 Puławy, Poland.
1.3. NIP (tax no.): 8993011590, REGON: 540408935.
1.4. Contact: support@cruxed.shop.
1.5. No Data Protection Officer (DPO) appointed.
1.6. You may lodge a complaint with the Polish DPA (UODO) or your local EU authority.

The store targets adults; minors may purchase only with guardian consent (as per the Store Terms).

2. Data scope, sources and categories

2.1. Data you provide: name, e-mail, shipping/billing address, phone (optional), messages, account data (if you create one).
2.2. Transactional data: order number, items, amounts, payment status (we do not store full card details).
2.3. Technical/usage data: IP address, cookie IDs, event logs, device/browser type, language/region.
2.4. Marketing data: consent records, newsletter preferences, campaign interactions (with consent).
2.5. Additional sources: address corrections from carriers; anti-fraud signals from payment providers; your social messages if you contact us there.

3. Purposes and legal bases (Art. 6 GDPR)

3.1. Contract performance (orders, payments, delivery, after-sales support) – Article 6(1)(b) GDPR.
3.2. Customer support/communications – Article 6(1)(f) GDPR (legitimate interests).
3.3. User account – Article 6(1)(b) GDPR.
3.4. Legal obligations (tax/accounting, consumer claims handling) – Article 6(1)(c) GDPR.
3.5. Claims handling, fraud prevention and security – Article 6(1)(f) GDPR (legitimate interests).
3.6. Direct marketing (newsletter), analytics/remarketing – Article 6(1)(a) GDPR (consent).
3.7. Newsletter personalisation (e.g., based on purchase history) – Article 6(1)(a) GDPR (consent; subscribers only).

Required data is necessary to conclude and perform the contract; optional data is voluntary.

4. Recipients (categories)

4.1. Payment providers/processors (e.g., PayPal, Przelewy24/BLIK, cards, Google Pay, Apple Pay).
4.2. Carriers/logistics (e.g., InPost, DPD, FedEx, GLS).
4.3. IT providers (hosting, e-mail, store platform, security/anti-bot).
4.4. Analytics/marketing and newsletter platform – enabled only with consent.
4.5. Legal/accounting advisors where necessary.

5. Transfers outside the EEA

Where transfers occur (e.g., analytics/e-mail tools hosted in the US), we rely on Standard Contractual Clauses (SCCs) and, where necessary, supplementary measures (encryption, minimisation). You can request information about the safeguards.

6. Cookies and similar technologies

6.1. We use strictly necessary cookies for core site operation. Analytics and marketing cookies are used only with your consent via the cookie banner.
6.2. The banner offers “Accept / Decline / Preferences”; analytics/marketing are off by default. You can adjust settings anytime via the persistent “Privacy settings” icon.
6.3. Details (categories, lifetimes, vendors) are available in our Cookie Policy.

7. Retention

7.1. Transactional/accounting – 5 years from the end of the fiscal year.
7.2. Accounts – until deletion or up to 5 years from last activity (unless law requires longer).
7.3. Claims/defence – until the statute of limitations (generally up to 6 years).
7.4. Marketing (newsletter) – until consent withdrawal or up to 3 years from last interaction.
7.5. Logs/analytics – typically up to 26 months (if used).
After expiry, data is deleted or anonymised.

8. Your rights

You have the rights to access, rectification, erasure, restriction, portability, object (to processing based on legitimate interests or direct marketing), and to withdraw consent at any time (without affecting prior processing).
Contact support@cruxed.shop to exercise rights. We respond within one month (extendable for complex cases). Identity verification may be required. You also have the right to complain to a supervisory authority (see 1.6).

9. Marketing profiling and segmentation (newsletter)

9.1. If you subscribe, we may segment communications (e.g., delivery country, product categories, purchase history) and personalise content/offers. We do not make decisions producing legal effects – this is marketing tailoring only.
9.2. Legal basis: your consent to the newsletter. Every e-mail contains an unsubscribe link.
9.3. Data sources: your e-mail and preferences, your Cruxed purchase history, currency/country; if you consent to analytics/marketing cookies – your on-site activity.
9.4. E-mail tracking: our provider may use an open-tracking pixel and link tracking for statistics/personalisation. You can opt out by unsubscribing or changing preferences (link in the footer).
9.5. Retention: segmentation data is stored until consent withdrawal or up to 3 years from your last interaction with our e-mails.

10. Automated decision-making

We do not conduct automated decision-making producing legal effects. Payment providers may run anti-fraud as independent controllers (see their policies).

11. Data security

We apply appropriate organisational and technical measures: TLS/HTTPS, access controls, minimisation, retention limits, encryption with cloud providers, and audit logging.

12. Changes and language

We publish updates in a form enabling download and retention (PDF); for material changes we notify you by e-mail (durable medium). In case of discrepancies, the Polish version prevails (without prejudice to mandatory consumer protection).