1. Personal data administrator

The administrator of your personal data is:
HOTBOX SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
ul. Kielecka 9 / 21, 31-526 Kraków, Poland
NIP: 6751782437

2. What data do we process?

In connection with placing an order or contacting us, we may process the following personal data:

first and last name
email address
delivery address
phone number (optional)

Providing data is voluntary, but necessary to complete the order.

3. Purposes and legal basis for data processing

We process your personal data for the following purposes:

Order fulfillment and service – Article 6(1)(b) of the GDPR
Issuing invoices and tax obligations – Article 6(1)(c) of the GDPR
Contact regarding the order – Article 6(1)(f) of the GDPR
Website traffic analysis (e.g. Google Analytics) – Article 6(1)(f) of the GDPR

4. Data recipients

Your personal data may be transferred to the following entities:
courier companies and suppliers (for the purpose of delivering your order),
accounting office (for accounting services),
hosting companies and IT service providers,
analytics tool operators (e.g. Google).

5. Data retention period

Your data will be processed for the period necessary to complete the order and for the time required by tax and accounting regulations (usually up to 5 years from the end of the year in which the transaction was made).

6. Rights of the data subject

You have the right to:

access your personal data,
rectify it,
delete it (“right to be forgotten”),
restrict processing,
transfer data,
object to processing,
lodge a complaint with the President of the Personal Data Protection Office (UODO).

7. Cookies and analytical tools

The website uses cookies to ensure proper functioning, as well as analytical tools such as Google Analytics, which enable the analysis of statistics and user behavior on the website.

During your first visit to the website, a banner informing you about the use of cookies is displayed – you can give your consent or manage it.

8. Transfer of data outside the European Economic Area (EEA)

We do not transfer your personal data outside the European Economic Area unless it is necessary in connection with the operation of external tools (e.g. Google) that may store data on servers outside the EEA. In such cases, appropriate safeguards are in place, such as standard contractual clauses approved by the European Commission.

9. Changes to the privacy policy

The privacy policy may be updated. The new version will be published on the website along with the date of entry into force.

Last updated: August 5, 2025.