Política de privacidad

PRIVACY POLICY

Privacy Policy — 21.01.2026

§ 1. Controller

The controller of personal data within the meaning of Article 4(7) of the GDPR is UNIVERSITY OF ECOM SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Gryfice, at ul. Marszałka Józefa Piłsudskiego 31A/15, 72-300 Gryfice, entered in the register of entrepreneurs of the National Court Register under KRS number 0001151152, with a share capital of PLN 5,000.00, holding Tax Identification Number (NIP) 8571941295 and Statistical Number (REGON) 540707684, being the owner of the Website and the provider of services offered through it.

The Controller may be contacted by email at: contact@woobbrands.com

The address provided IS NOT a return address. Sending a parcel to this address may result in it being lost or undelivered. Details: https://vorman.pl/policies/refund-policy

Personal data is collected and processed by the Controller in the manner and on the terms set out in this document.

§ 2. General Provisions

The Controller places particular importance on protecting the privacy of customers, contractors, employees, and collaborators, and ensures that personal data is processed in accordance with the provisions of the General Data Protection Regulation 2016/679/EU (hereinafter: "GDPR"), the Personal Data Protection Act, and specific regulations governing the obligations of data controllers based on principles arising from the particular nature of certain personal data (including those set out in the Accounting Act).

This document is informational in nature and its purpose is to inform users of the website www.vorman.pl about what personal data concerning them is collected and processed by the Controller in connection with the use of the Website, how such data is used and protected, and what rights users have in relation to the processing of their personal data.

Wherever in this document the Controller uses the term Personal Data, it refers to:

  • personal data provided by the Website user, i.e. data entered when completing contact forms or order forms, such as first name, last name, email address, residential address or delivery address, phone number, payment card details, Tax Identification Number (NIP), business name, as well as any other data not requested by the Controller but voluntarily provided by the user;
  • the user's IP address, associated with the device they are using.

The provision of Personal Data by the user through the completion of a contact form or order form is voluntary but necessary to use the services available on the Website, namely sending a contact form or purchasing products offered through the Website. Failure to provide such data will prevent the user from using these services. The provision of any other Personal Data by the user is voluntary and is not necessary to use the Website.

The Controller may also obtain users' Personal Data through information provided directly by users in messages sent to the Controller, including in connection with complaints. The scope of Personal Data shared with the Controller is determined in each case by the user to whom it relates, and its provision is voluntary and does not affect the ability to use the Website.

§ 3. Principles, Purpose, and Legal Basis for Processing Personal Data

The Controller exercises due diligence to protect the interests of the individuals whose Personal Data is processed, and in particular ensures that such data is:

  • processed lawfully, fairly, and in a transparent manner in relation to the data subject;
  • collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  • accurate and, where necessary, kept up to date. The Controller takes steps to ensure that Personal Data that is inaccurate in light of the purposes of its processing is erased or rectified without delay;
  • stored in a form which permits identification of the data subject for no longer than is necessary for the purposes of processing;
  • processed in a manner that ensures appropriate security of Personal Data, including protection against unauthorised or unlawful processing and against accidental loss or destruction.

The Controller also takes all necessary steps to ensure that employees and all entities with which it cooperates provide guarantees of implementing appropriate security measures whenever Personal Data is processed on the Controller's behalf. The Controller also ensures that every person acting under its authority and having access to Personal Data processes it solely on the Controller's instructions, unless otherwise required by applicable law.

In order to meet legal requirements, the Controller has developed detailed procedures covering matters such as:

  • data protection by design and by default;
  • data protection impact assessments;
  • breach notification;
  • maintenance of records of processing activities;
  • data retention;
  • fulfilment of data subjects' rights.

The Controller regularly reviews and updates the documentation required by law in order to demonstrate compliance, in accordance with the accountability principle set out in the GDPR.

Data may be processed by the Controller for the following purposes:

  • the conclusion, performance, or termination of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract — pursuant to Article 6(1)(b) of the GDPR;
  • processing necessary to fulfil legal obligations incumbent on the Controller, in particular those arising from the Anti-Money Laundering and Counter-Terrorism Financing Act, the Accounting Act, and other legal acts — pursuant to Article 6(1)(c) of the GDPR;
  • purposes arising from the legitimate interests pursued by the Controller or a third party, including in particular but not limited to: pursuing or defending against claims, handling complaints, as well as for archiving, security, handling potential complaints or requests, ensuring the IT security of the Website, detecting cases of unauthorised use of services, financial analysis, and compliance with the accountability principle referred to in Article 5(2) of the GDPR — pursuant to Article 6(1)(c) and (f) of the GDPR;
  • one or more specified purposes for which the data subject has given consent to the processing of their personal data — pursuant to Article 6(1)(a) of the GDPR. Such consent may be withdrawn at any time;
  • direct marketing purposes, where the user has given appropriate consent — pursuant to Article 6(1)(a) of the GDPR.

§ 4. Duration of Personal Data Processing

Personal data will be processed for the period necessary to achieve the given purpose for which it is processed, or until the consent of the data subject is withdrawn, if processed on the basis of such consent. Personal data will be processed only for the duration, scope, and purposes permitted by law. The Controller determines the data retention period primarily on the basis of legal provisions (e.g. the retention period for accounting documents) as well as the Controller's legitimate interests (e.g. protection of claims). The retention policy covers both data processed in paper and electronic form.

After such a period, the Controller anonymises Personal Data (strips it of features that allow identification of the individual) or deletes it. In its retention policy, the Controller ensures that the storage period for Personal Data is limited to a strict minimum. Taking into account applicable regulations, the maximum period for which the Controller may process certain categories of Personal Data is 10 years, calculated from the end of the calendar year in which the electronic services agreement ceases to apply.

§ 5. Entities Processing Personal Data on Behalf of the Controller

While maintaining the necessary security standards, the Controller may transfer some users' data to third parties authorised to process Personal Data on its behalf. Such transfer may take place with the consent of the data subject, when the Controller is required to do so by law, or when it is necessary for the proper provision of services.

Where the Controller works with entities that process personal data on its behalf, it uses only the services of processors that provide sufficient guarantees of implementing appropriate technical and organisational measures to ensure that processing meets the requirements of the GDPR and protects the rights of data subjects.

The Controller carefully vets the entities to which it entrusts the processing of users' data, concludes detailed agreements with them, and conducts periodic reviews of processing operations for compliance with those agreements and applicable law.

Recipients of Personal Data may include external entities processing data on behalf of the Controller and participating in the activities it carries out, namely:

  • entities and authorities authorised to process personal data under applicable law;
  • product suppliers;
  • banks, where payment processing is required;
  • couriers and postal operators;
  • providers of IT and hosting services, as well as those maintaining the Controller's IT systems or providing IT tools;
  • providers of legal, tax, and accounting services;
  • online payment providers.

Entities falling within the above categories are predominantly based within the European Union. Where possible, the Controller endeavours not to transfer users' data outside the EU; however, where the quality of services provided by subcontractors justifies it, transfer of Personal Data outside the EU may occur. Currently, such transfers take place in relation to:

  • Google LLC and Meta Platforms Inc., headquartered in the United States of America, for which an adequacy decision has been issued by the European Commission — Commission Implementing Decision (EU) 2023/1795 of 10 July 2023, adopted pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, finding an adequate level of protection of personal data under the EU–US Data Privacy Framework;
  • Product suppliers who fulfil the shipment of products ordered by users. These suppliers are based in China. The transfer of data to entities based in China is carried out on the basis of Article 46(1) of the GDPR. The agreements concluded by the Controller with service providers, under which transfers of users' Personal Data may take place, are based on standard contractual clauses referred to in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

The Controller does not transfer users' Personal Data to any international organisation.

§ 6. Automated Processing of Personal Data and Profiling

The Controller does not subject Personal Data to automated processing, including profiling.

§ 7. Users' Rights

Every individual whose Personal Data is processed by the Controller has the following rights:

  • the right to information provided by the Controller when collecting Personal Data (fulfilled by the Controller through this document);
  • the right to information provided upon request — regarding whether data is being processed and other matters specified in Article 15 of the GDPR;
  • the right to restriction of processing of Personal Data by the Controller;
  • the right to obtain a copy of Personal Data;
  • the right to rectification and completion of Personal Data;
  • the right to erasure of Personal Data;
  • the right to data portability;
  • the right to object to the processing of Personal Data for marketing or other purposes;
  • the right not to be subject to a decision based solely on automated processing (including profiling), the right to obtain human intervention by the Controller in the case of such processing, as well as the right to express one's own view and to contest a decision made on the basis of automated processing;
  • the right to be informed of a Personal Data breach;
  • the right to withdraw consent to the processing of Personal Data at any time (withdrawal of consent to processing shall not affect the lawfulness of processing carried out prior to its withdrawal);
  • the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office (address: ul. Stanisława Moniuszki 1A, 00-014 Warsaw).

To exercise any of the above rights, users may contact the Controller using the following contact details:

Email address: contact@woobbrands.com

Correspondence address: UL. MARSZAŁKA JÓZEFA PIŁSUDSKIEGO 31A/15, 72-300 GRYFICE

The address provided IS NOT a return address. Sending a parcel to this address may result in it being lost or undelivered. Details: https://vorman.pl/policies/refund-policy

Where a user contacts the Controller in connection with the above rights, the Controller will respond in the same form in which the individual exercising their rights made contact — in particular in writing or by electronic means. If the entitled individual so requests, the Controller may provide information orally, provided that the identity of the individual is confirmed by other means.

The Controller endeavours to provide information without undue delay — and in any case no later than one month from receipt of the request. Where necessary, this period may be extended by a further two months due to the complexity of the request. In all cases, however, within one month of receiving the request, the user will be informed of the actions taken and, where applicable, of the extension of the deadline, with an explanation of the reason for the delay.

§ 8. Changes to the Privacy Policy

In order to ensure that the Privacy Policy continues to meet the current requirements imposed on the Controller by applicable law, the Controller reserves the right to make changes to it at any time. This also applies where the Privacy Policy requires amendments to cover new or modified products or services, or where other important reasons arise, such as a change of Controller or its details.

COOKIE POLICY

Cookies are data files, in particular text files, which are stored on the mobile device of a Website user and are intended for use with the Website's functionalities. Cookies typically contain the name of the website they originate from, the length of time they are stored on the mobile device, and a unique identifier.

The entity placing cookies on the mobile device of a Website user and accessing them is UNIVERSITY OF ECOM SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office at ul. Marszałka Józefa Piłsudskiego 31A/15, 72-300 Gryfice, entered in the register of entrepreneurs of the National Court Register under KRS number 0001151152, NIP 8571941295, REGON 540707684, being the owner of the Website and the provider of services offered through it. The Controller may be contacted by email at: contact@woobbrands.com (or any other contact address provided by you).

The address provided IS NOT a return address. Sending a parcel to this address may result in it being lost or undelivered. Details: https://vorman.pl/policies/refund-policy

The cookie mechanism is not used to collect any information about Website users or to track their browsing behaviour. Cookies used on the Website are primarily used for statistical purposes.

By default, the software used to browse the Website (the web browser) allows cookies to be handled on the user's mobile device on which the Website is running. In most cases, this software can be configured independently, including by enforcing automatic blocking of cookies. Cookie handling settings can be found in the software settings (web browsers). Please note that restricting cookie settings may affect the functioning of certain Website features, in particular the correct display of content.

Cookies are used to tailor the content of the Website to user preferences and to optimise the use of the Website. In particular, these files allow the Website to:

  • recognise the user's device and display the Website in a manner tailored to their individual needs;
  • generate statistics that help understand how Website users interact with the site, enabling improvements to its structure and content;
  • maintain the Website user's session, allowing the user to browse the Website's content without losing information such as products saved in the shopping cart.

The Website uses two main types of cookies: "session" cookies and "persistent" cookies:

  • "session" cookies are temporary files stored on the user's mobile device until they log out, leave the website, or close the software (web browser);
  • "persistent" cookies are stored on the user's mobile device for the period specified in the cookie parameters or until they are deleted by the user.

In addition to the above distinction, the following types of cookies are used on the Website:

  • "required" cookies, enabling the use of services available on the Website, such as authentication cookies used for services requiring authentication on the Website;
  • "personalisation" cookies, enabling the retention of settings selected by the user and personalisation of the user interface, e.g. with respect to the selected language, font size, Website appearance, etc.;
  • "marketing" cookies, enabling the display of advertisements aligned with users' purchasing interests;
  • "analytical" cookies, containing information about user activity on the Website, collected for statistical purposes.

Beyond "required" cookies, which are necessary for the proper functioning of the Website, the user may — according to their own preferences — choose which cookies they consent to. The user may change their cookie preferences at any time through the Website.

"Session" cookies are deleted no later than when the browser used by the user to access the Website is closed. In the case of "persistent" cookies, the length of time they are stored on the device depends on the specific type of cookie and is no longer than 2 years.