Table of Contents

  1. Definitions

  2. General Provisions

  3. Data Processing in the Course of Purchases (Online Store Orders)

  4. Newsletter (Marketing Emails)

  5. Contact and Correspondence

  6. Blog and Affiliate Content

  7. Data Recipients – Who May Receive Your Data

  8. Transfer of Data Outside the EEA

  9. Data Retention Periods

  10. Your Rights as a Data Subject

  11. Cookies and Similar Technologies

  12. Final Provisions

  13. Additional Notice for California Residents (CCPA/CPRA)

1. Definitions

Administrator / Data Controller: The owner of the MircoItaliano online store and website is Mirosław Kaźmierczyk, conducting business under the name GSP Mirosław Kaźmierczyk. Business address: ul. Lisia 14/2, 65-093 Zielona Góra, Poland. NIP (Tax ID): 9291742017, REGON: 383906399. The Administrator is the seller of digital products on the Site and is responsible for processing Users’ personal data. You can contact the Administrator regarding privacy matters at shop@mircoitaliano.com or by mail at the above address.

Website (Site): The website operated by the Administrator at www.mircoitaliano.com. It includes the online store (for purchasing digital products like e-books) and an informational blog with articles. This Privacy Policy applies to all areas of the Site.

Digital Product: An electronic file or piece of digital content (such as an e-book in PDF, ePub, MOBI format, etc.) offered for sale in the Store. It is considered “digital content” as defined by applicable law (e.g., EU law) because it is provided in digital form, not on a physical medium.

User (You): Any natural person who uses the Site, whether by browsing pages, reading the blog, contacting the Administrator, signing up for the newsletter, or purchasing a product (becoming a Customer). This Privacy Policy concerns the personal data of all Users.

Customer: A User who places an order in the online store and purchases a Digital Product. Customers provide certain personal data during the purchase process (see Section 3). A Customer can be a consumer or a business client.

Newsletter: An email newsletter service provided by the Administrator to Users who subscribe (opt-in). The Newsletter contains marketing and commercial information related to the Site, such as updates on new e-books, promotions, or new blog posts. Subscription is voluntary and requires consent (see Section 4).

GDPR: The European Union’s General Data Protection Regulation (EU) 2016/679 of April 27, 2016. This law governs personal data protection and the rights of individuals within the EU. It imposes obligations on us as a controller when we process personal data of Users in the EU/EEA. We reference GDPR often in this Policy because many of our Users may be in the EU, and we strive to comply with its requirements globally. If you are outside the EU, know that we aim to respect your privacy similarly, even if local laws differ.

Personal Data: Any information relating to an identified or identifiable natural person. For example, your name, email address, IP address (if it can identify you), etc., are personal data. In this Policy, when we refer to “data,” we usually mean personal data.

Policy: This Privacy Policy document, which details the rules and purposes of processing personal data of Users by the Administrator, as well as Users’ rights and how we use cookies and similar technologies.

2. General Provisions

2.1. Purpose of the Policy: This Privacy Policy explains how we collect, use, and protect the personal data of Users of MircoItaliano.com. We want you to have full knowledge of what happens with your personal information when you use our Site – whether you are just browsing, buying an e-book, subscribing to our newsletter, or contacting us. We also include here the information that we are required to provide under laws like the GDPR and relevant national laws on electronic services and telecommunications (for example, regarding cookies).

2.2. Legal Compliance: The Administrator is committed to processing personal data in accordance with applicable laws:

  • For Users in the EU/EEA (and similarly in the UK via UK-GDPR), we adhere to the GDPR and national data protection laws (such as Poland’s Data Protection Act of 10 May 2018 implementing GDPR, and the Electronic Services Act of 18 July 2002, and Telecommunication Law regarding cookies).

  • For Users in other jurisdictions, we aim to comply with relevant privacy regulations (for example, the California Consumer Privacy Act for California residents, to the extent it may apply – see Section 13).

  • In any case, we process data lawfully, fairly, and in a transparent manner. We collect data for specified, explicit, and legitimate purposes as outlined in this Policy, and we do not further process it in a manner incompatible with those purposes (purpose limitation). We ensure data is adequate, relevant, and limited to what is necessary (data minimization), accurate and kept up to date, kept only for as long as needed (storage limitation), and secured (integrity and confidentiality principle).

2.3. Voluntary Provision of Data: Providing personal data on our Site is generally voluntary. You can browse most of our blog content without directly giving us personal info (aside from cookies, which we discuss later). However, certain features require personal data:

  • If you wish to purchase a Digital Product, we will need some data to process the transaction (it’s not possible to fulfill an order without, for example, an email address to send you the product).

  • If you subscribe to the Newsletter, we obviously need an email address to send you emails, and we require your consent.

  • If you contact us via email or a form, you provide data like your email address by the very nature of that communication.

In each case, if required data is not provided, we may not be able to provide the corresponding service. We clarify these situations in the relevant sections of this Policy (e.g., Section 3 for purchases, Section 4 for newsletter).

2.4. No Selling or Unauthorized Sharing: We do not sell your personal data to third parties. We also do not share it with third parties for their own independent marketing purposes without your consent. Any sharing of data with third parties is only as described in this Policy (Section 7) or required by law. Your data might be shared with service providers who work on our behalf (processors) or with authorities if lawfully demanded, but always with respect to your privacy and within legal bounds.

2.5. Data Security: The Administrator takes appropriate technical and organizational measures to secure your personal data and protect it from unauthorized access, alteration, disclosure, or destruction. For example:

  • Our Site uses SSL/TLS encryption. This means that data you send via forms (like checkout or contact forms) is encrypted in transit, which protects it from eavesdropping.

  • We maintain up-to-date security on our servers and restrict access to personal data to only those who need it to operate our services (for example, the Administrator and any authorized personnel or contractors, all of whom are bound by confidentiality).

  • We regularly update our software and employ security measures such as firewalls, secure authentication, and backups.

However, remember that no method of transmission over the Internet or method of electronic storage is 100% secure. We strive to protect your data, but we cannot guarantee absolute security. In the unlikely event of a data breach that poses a risk to your rights (as defined by GDPR or similar laws), we will notify you and the appropriate authorities as required.

2.6. Data Controller Details: For the purposes of data protection law, the Administrator (Mirosław Kaźmierczyk, GSP Mirosław Kaźmierczyk) is the “data controller” of your personal data collected via the Site. This means we determine the purposes and means of processing that data. Our contact details are given in Section 1. You can contact us with any questions or requests regarding your personal data.

2.7. Applicable Data Protection Authority: As the Administrator is established in Poland, our lead supervisory authority for data protection is the Polish President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych – PUODO). If you believe your data has been handled improperly, you have the right to file a complaint with PUODO or potentially with your local data protection authority if you reside in another country (see Section 10.8).

3. Data Processing in the Course of Purchases (Online Store Orders)

When you place an order for a Digital Product on our Site, we collect certain personal data from you to process the order, fulfill the contract (deliver your e-book), and comply with legal obligations (like bookkeeping and taxes). Below we outline the data involved and how it’s handled.

3.1. Data Collected at Checkout: During the purchase process, you will be asked to provide the following information (required unless marked as optional):

  • First Name and Last Name: We need your name to issue a receipt or invoice for the purchase. If you are buying as a business or sole proprietor and need an invoice in your company’s name, you may provide your company name and tax identification number (e.g., VAT number) as well. We also treat those details as personal data if they can identify a person (for example, a one-person company).

  • Billing Address: This includes street, building number (and unit number if applicable), postal code, city, and country. We require the billing address for invoicing and accounting records, especially for tax purposes (the country is used to determine VAT and to include required information on the invoice). In some cases, the billing country may also be used to apply the correct tax rate (for EU VAT OSS compliance). Even for digital products, in many jurisdictions sellers must collect location information for tax.

  • Email Address: We use your email to send order confirmations, receipts/invoices, and the download link for your digital product. We also use it to communicate with you about your order (e.g., if there is an issue or update regarding your purchase).

  • Phone Number (Optional): We may provide a field for a contact phone number. This is not mandatory. If you do give a phone number, we might use it to quickly resolve any issues with your order (for instance, if emails aren’t reaching you or if there’s an urgent issue with payment). Otherwise, you will not receive calls or texts from us beyond order-related matters. If you don’t provide a number, it’s fine – we will stick to email communications.

  • Payment Information: We do not directly collect or store your sensitive payment details (like full credit card numbers). Those are handled by our third-party payment processors (such as Stripe, PayPal, or others as integrated on the Site). We might receive limited payment information back from the processor (for instance, confirmation of payment, last four digits of your card, payment ID) which we keep for record and reconciliation, but we never see your full card number or payment credentials.

All these data fields are necessary to conclude and perform the sales contract. Without them, we cannot process your order. For example, without an email, we have no way to deliver the product to you; without a name, we cannot issue a valid invoice; without a country, we might not know how to handle VAT.

3.2. Purpose and Legal Basis of Processing (Orders):

  • Order Fulfillment: We use the provided data to process and fulfill your order. This includes verifying and accepting payment, delivering the digital product, and providing you with customer support related to the purchase. The legal basis under GDPR for this is Article 6(1)(b) – processing is necessary for the performance of a contract (the sales agreement to which you are party) or to take steps at your request prior to entering into a contract. In other words, we need to use your data to give you what you purchased.

  • Communication: We may send you service emails related to your order (confirmation, notifications of any issues, etc.). This is also part of performing the contract (ensuring you are informed about your purchase).

  • Invoicing & Legal Obligations: We process and store your data to comply with our legal obligations, particularly:

    • Tax and Accounting: Under Polish and EU law, we must issue accounting documents (invoices or receipts) and keep records of sales for a certain period (e.g., for VAT settlement and income tax). These documents contain personal data (your name, address, purchase details). The legal basis is Article 6(1)(c) GDPR – compliance with a legal obligation to which we are subject. For instance, tax laws require retention of records; we cannot delete invoice data earlier even if you request erasure, due to this obligation.

    • Consumer Protection Laws: In some cases, laws require that we maintain data related to transactions (e.g., to handle any withdrawal requests or warranty claims – see Terms & Conditions). This overlaps with both legal obligation and contract performance basis.

  • Claims and Dispute Resolution: We keep order data also to handle any potential claims, refunds, disputes or legal actions related to the purchase. For example, if you were to claim a chargeback or dispute a transaction, we have to provide evidence. Or if you claim the product was faulty, we need to have your purchase info to address it. The basis for this (after the contract is fulfilled) is our legitimate interest (Article 6(1)(f) GDPR) in establishing, exercising, or defending legal claims. We consider it a legitimate interest to protect our business and respond to any customer service issues or legal disputes. We will not use order data for this purpose longer than necessary (see retention in Section 9).

3.3. Order Processing by Third Parties: When you make a payment, the payment is processed by an external payment gateway (like Stripe or PayPal). That means some of your data is transmitted to them (e.g., name, address, email, payment amount) and of course the payment info you input on their form. They process it under their own privacy policy as a data controller or sometimes as a processor for us. We have agreements in place as needed (for instance, a Data Processing Addendum with Stripe for EU data). See Section 7 for categories of recipients. We only work with trusted providers that ensure data security.

3.4. Emails and Transactional Messages: As part of your order, you will receive certain transactional emails from us (or from our store system). These may include:

  • Order confirmation email (with details of your purchase and download link).

  • Payment receipt or invoice.

  • Possibly a follow-up email if there’s an issue (e.g., “Your payment is under review” or “Download problem? Here’s help”).

These emails are not promotional in nature; they are necessary for providing you the service. They are sent based on the contract performance and our legitimate interest to ensure you have everything needed for your purchase. You cannot opt-out of transactional emails as long as you have an active order, because they are integral to the service (except by not providing an email, which would mean you cannot order).

3.5. Order History: We maintain a history of your purchases (what you bought and when). This helps with customer support (for example, if you lose a file and request a new download link, we need to verify you purchased it). It also helps you: if you ask “What did I buy last year?”, we can tell you. The order history is kept as part of our business records (and thus falls under similar legal bases as above: contract performance, legal obligation for records, and legitimate interest for customer service).

4. Newsletter (Marketing Emails)

We offer a newsletter to Users who want to receive updates, promotions, and news about MircoItaliano (new e-books, special offers, blog highlights, language learning tips, etc.). Subscribing is entirely voluntary and requires your consent.

4.1. Subscription and Consent: You can subscribe to our Newsletter by providing your email address in the newsletter sign-up form available on our Site (for example, in the footer, sidebar, or a pop-up). During sign-up:

  • We will ask for your email address (the only mandatory detail to send emails).

  • We might also ask for your name (optional), so we can personalize emails (e.g., “Hello John!”). If you provide your name, we will use it solely to personalize communications.

  • Importantly, you will be required to consent to receiving marketing emails from us. Typically, this is done by ticking a checkbox that clearly states you agree to receive our newsletter or marketing communications.

  • After submitting your email (and name if provided) and ticking the consent box, we use a double opt-in system: This means you will receive an email asking you to confirm your subscription. You need to click the confirmation link in that email to verify that the email address is yours and that you indeed want to subscribe. Only after this confirmation will your email be added to our mailing list. Double opt-in is a best practice to prevent others from signing you up without permission and to keep a record of your consent.

  • We log the time and date of consent and perhaps the IP address used for subscribing, as proof of consent as required by law (GDPR’s accountability principle).

4.2. What We Send: If you subscribe, we will send you emails periodically (for example, it could be weekly, bi-weekly, or monthly – depending on our schedule, but we aim not to overwhelm your inbox). Newsletter content may include:

  • Announcements of new e-books or products available in our store.

  • Promotions or discount codes (e.g., holiday sale, subscriber-exclusive coupon).

  • News and updates about our site or services (like new features on the website).

  • Content highlights: such as “new blog articles you might enjoy” or useful tips related to Italian language learning or culture.

  • Occasionally, market research or feedback requests (like a survey) – but participation in those would be optional.

These emails may sometimes include information about products or services from our partners or affiliates, but if so, they will be relevant to our theme (e.g., a language learning app we think is good) and the email will still come from us. We do not share your email with third parties for their independent mailings.

4.3. Legal Basis: The legal basis for sending newsletters is your consent (GDPR Article 6(1)(a)). By signing up and confirming, you explicitly agree to receive such content. Additionally, sending our own marketing to you as our customer can sometimes be based on a concept of “legitimate interest” (in some jurisdictions, there is the idea that if you bought something there’s a soft opt-in to related marketing). However, we choose to rely on explicit consent for clarity and compliance, especially for email marketing across jurisdictions (for example, to meet the requirements of the EU e-Privacy Directive).

4.4. Unsubscribing (Withdrawing Consent): You have the right to withdraw your consent at any time. Every newsletter email we send will contain an unsubscribe link at the bottom. By clicking that link, you can remove yourself from the list (usually it either instantly unsubscribes you or takes you to a confirmation page). You can also unsubscribe by contacting us directly (for example, email us at shop@mircoitaliano.com and say you want to unsubscribe, and we can do it for you). Once you unsubscribe, we will stop sending you the newsletter. Note: Unsubscribing from the newsletter does not affect transactional emails for purchases or responses to inquiries – those are separate.

4.5. Managing Preferences: If we have an account system for the newsletter (or if you provided a name), you might be able to update your info or preferences via a profile link. But given we don’t have user accounts, typically unsubscribing and resubscribing is the way to change your email or such.

4.6. Third-Party Newsletter Service: We may use an email marketing service (like Mailchimp, Sendinblue, ConvertKit, etc.) to manage our mailing list and send emails. This means your email address (and any name provided) is stored on their platform. They act as a data processor on our behalf, sending out emails to our subscriber list. We ensure that any such provider is reputable and compliant with privacy laws (for instance, many providers store data in the U.S. but have EU-compliant terms, or even EU data centers; we would have a Data Processing Agreement in place as needed). See Section 7 (e.g., “providers of email distribution service”).

4.7. Analytics in Newsletters: We may track overall engagement with our newsletters to help improve our content. For instance, we might see aggregate statistics like how many subscribers opened a particular email, or which links in the email were clicked and how often. This is typically done via the newsletter service (they embed small tracking pixels or unique links). These analytics are generally generic – we use them to gauge interest levels (e.g., “Wow, 60% of recipients opened our last email about pronunciation tips, that’s good” or “Only a few people clicked the culture article link, maybe it was less interesting”). This helps us adjust what we send. We do not use this information to profile individual users in any way that would result in some automated decision affecting you. We don’t, for example, single out that you personally never open emails and then do something negative to you; at most, if someone hasn’t opened any emails for a long time, we might remove them from the list to reduce sending to uninterested parties – but that’s generally a good practice and it’s not a “decision producing legal effects.” It’s also something you can opt out of by simply staying on or resubscribing if you were interested.

4.8. No Third-Party Ads in Emails: Our newsletter content pertains to our own offerings or content. We do not send third-party advertisements by email unrelated to MircoItaliano. If we ever include a sponsored message, it will be clearly indicated, but normally any promotion in our emails benefits our subscribers (discounts on our products, etc.) or partners with similar audience interests (and even then, we’d likely mention it in context of our content, not just spammy ads).

Remember, you are in control: If you love our newsletter, great! If at any time you don’t, use the unsubscribe option and we will respect that immediately.

5. Contact and Correspondence

If you contact us for any reason (for example, through email, a contact form on the Site, or by traditional mail), we will receive and process the personal data you provide in that communication.

5.1. Data Collected via Contact: When you send us a message or inquiry, you might provide:

  • Email Communication: Your email address (since you’re emailing us, we see the sender address), and whatever is in your email signature or the content of the message (which could include your name, phone number if you included it, and any other personal info you choose to share in the message).

  • Contact Form: If our Site has a contact form, it will typically ask for your name, email, and the message content. It might optionally ask for other info like a subject or phone number, but we generally keep it minimal.

  • Postal Mail: If you send us a physical letter, it would include whatever return address or contact you provide, and of course the content of your letter.

  • Social Media or Messaging: If you contact us via a social media page or direct message, we will see your profile name and any info tied to your account that is visible or you provide.

In summary, the data involved is basically the contact details (like name, email) and the content of your communication, which may contain other personal data if you included any (e.g., an order number, etc.).

5.2. Purpose of Processing Contact Data: We will use the information you provide solely to respond to and manage your inquiry or request. This means:

  • We process your contact details to be able to reply to you (e.g., use your email to send a response).

  • We process whatever information is in your message to address your inquiry. For example, if you ask a question about an order, we may look up your order in our system (thereby processing that order’s data as well in context).

  • If your message is a request (like exercising a data subject right under GDPR, or asking for technical support with a product), we will use the data to fulfill that request (e.g., change your data or give you support).

5.3. Legal Basis: The legal basis for processing personal data in correspondence depends on context:

  • If you’re contacting us with regard to a contract or purchase (e.g., “I lost my download link, can you resend it?”), the basis could be contractual (Article 6(1)(b) GDPR) because it’s related to fulfilling our contract or providing customer service for it.

  • In most other cases, it’s our legitimate interest (Article 6(1)(f) GDPR) to communicate with Users who reach out to us. We have a legitimate interest in answering questions, providing information, building good relations, and resolving any issues presented by Users. We consider this interest not to override your rights because you are the one initiating contact (so presumably you want a response).

  • If you contact us to, say, inquire about our products before deciding to buy, it can be seen as pre-contractual (similar to asking a question at a store) – also arguably under 6(1)(b) if it directly precedes a contract.

  • If you are contacting to exercise a legal right (like a privacy right), then the basis is fulfilling that legal obligation as well.

5.4. Voluntary: Reaching out to us is voluntary on your part. However, if you do, certain info is inherently needed to reply (e.g., we need a return address or email). If you don’t provide contact details, we might not be able to respond.

5.5. Retention of Correspondence: We may keep the correspondence for a certain period:

  • If it’s a general inquiry, we might retain the email or record of it for future reference so we have context if you contact us again, or to improve our service (e.g., if multiple people ask the same question, we might create an FAQ).

  • If it’s a complaint or any legal-related query, we will retain it as long as needed to demonstrate how we handled it (this could be important for legal defense or compliance).

  • Our typical approach is to archive email correspondence. That means we might not delete every inbound email, and it could remain in our mail archives or helpdesk system (if we use one) for several years. We do this in line with our legitimate interest in having a record of communications. However, we won’t use your contact emails for marketing or unrelated purposes.

  • If you want an email thread deleted and there’s no legal need for us to keep it, you can request deletion (and we will comply if possible – see your rights in Section 10). Sometimes, we might have to refuse immediate deletion of correspondence if it pertains to a transaction we need to keep a record of, or if it’s needed for a legal reason.

5.6. Confidentiality: Communications you send us will be kept confidential within our organization. We won’t publish your messages or share them externally, except as needed to respond (for instance, if we needed to ask a service provider about an issue you have, we might share relevant info with them, but we would minimize personal data). Also, if you leave a public comment (e.g., on a blog post), that’s public by design, not a private correspondence – different scenario.

5.7. Platform Communications: If you contact us through a specific platform (say, Facebook Messenger or Instagram DM), note that those communications are also governed by that platform’s privacy policy. We will still treat the content confidentially on our end, but the platform processes some data (like your user ID, etc.). Keep that in mind. For truly sensitive matters, email or direct contact might be more private.

In summary: We use your contact data only to talk with you and help you with whatever you reached out about, and we keep those communications stored safely for the necessary time.

6. Blog and Affiliate Content

Our Site features a blog where we post articles, guides, and reviews, which might include affiliate links or sponsored content. Generally, browsing the blog does not require you to provide personal data, but certain information may be collected through cookies or automatically. Also, we want to be transparent about commercial content on the blog.

6.1. Browsing the Blog – Data Collection:

  • No Registration: You do not need to create an account or provide personal details to read blog posts. The blog is open to all visitors.

  • No Commenting (if applicable): Currently, we do not have a public commenting system enabled on the blog (assuming that’s the case; if we do, and if it requires data like name/email, we would have a separate note about that). If in the future we enable comments, we will update this Policy accordingly.

  • Passive Data: When you load pages (including blog pages), certain data is collected automatically by our website (as with any website). This might include your IP address, browser type and version, device information, operating system, referring site, date/time of visit, etc. These are typically captured in server logs and via cookies (see Section 11 on Cookies for more detail). We use such data for technical purposes (to ensure the site displays correctly and securely) and statistical purposes (to see things like what posts are popular, from which countries our readers come, etc.). This data isn’t used to identify you as a named individual, and if we only store it in aggregate or anonymized form, it might not be considered personal data. However, IP addresses can be personal data under GDPR, so we treat them with care (log data is mostly used for security and diagnostics).

  • Analytics: We likely use analytics tools (like Google Analytics) on the blog to get insights on page views and user behavior (how long readers spend, etc.). These tools might collect data such as your IP (anonymized if possible), device identifiers, etc. Again, see Cookies (Section 11) for more on that. We configure analytics in a privacy-friendly way (for example, Google Analytics IP anonymization feature) to avoid collecting more data than necessary.

6.2. No Personal Data Profile: We do not create personal profiles of blog readers by name or email or such, because typically we don’t have that info if you’re just reading. We simply see user patterns in aggregate (e.g., “1000 people read this article this week”). We do not know that “Person X” read it unless you tell us or log in (and there’s no login for reading).

6.3. Affiliate Links: The blog may contain affiliate links to third-party websites (for example, Amazon, other book sellers, courses, or products related to language learning). If you click on an affiliate link:

  • Tracking: That external site may drop a cookie or use other tracking to note that you came from our referral. They use that to credit our account if you make a purchase. The data collected by affiliate programs is generally not personally identifying to us – we might see that “someone bought Product Y and we got a commission” but not your name. However, be aware those third-party sites have their own privacy practices. When you click, you effectively leave our site and are subject to the external site’s terms.

  • No Extra Cost: As stated in our Terms, affiliate programs do not increase the price you pay. It’s a commission paid by the seller out of their pocket.

  • Disclosure: We clearly mark or disclose the presence of affiliate links in our content, in accordance with legal requirements and ethical guidelines. You might see text like “(affiliate link)” or a general disclosure at the start or end of a post saying it contains affiliate links. We do this so you’re informed of the potential commercial aspect.

  • Examples: If we review a book and provide a link to purchase it, that link might be affiliate. If we mention a product and provide a link with a referral code, that’s affiliate. We value transparency in these cases.

6.4. Sponsored Content: If any blog post or content is sponsored (meaning we were paid or received a benefit to post it or include a product mention), we will explicitly label that content – e.g., “Sponsored:” in the title or a note in the article that it’s an advertisement or includes paid promotion. We comply with advertising regulations that require such transparency. Sponsored content will still reflect our honest opinions and experiences, but readers should know we had a collaboration.

6.5. Affiliate Earnings and Independence: The presence of affiliate links or sponsored content does not affect our editorial independence. We choose our content topics based on what we think will benefit our Users. If we recommend something via an affiliate link, it’s because we genuinely think it could be useful or relevant. We do receive a commission, but we will not promote things we don’t believe in just for commission. That said, it’s still your responsibility as a consumer to evaluate any third-party product or service – we do not guarantee those external products’ quality or suitability.

6.6. External Sites and Transactions: When you follow external links (affiliate or not):

  • Any personal data you provide to the external site (like if you buy something there or sign up for their service) is governed by that site’s privacy policy and terms. We do not get details of that, except possibly aggregated reports if it’s an affiliate sale.

  • The Administrator is not responsible for how external sites handle your data or any transaction you undertake there. For example, if you click an affiliate link to a bookstore and buy an item, any issue you have with that purchase (delivery, returns, etc.) must be resolved with that bookstore. We aren’t part of that contract.

  • We advise you to read the privacy and cookie policies of any site you visit by clicking our links, especially if it’s your first time visiting them.

6.7. Content Accuracy and Liability: We strive to make our blog content accurate and up-to-date. However, the blog content is provided “as is” for general information. We do not guarantee that every detail is correct or that it remains accurate over time (language learning methods may evolve, links might become outdated, etc.). As mentioned in the Terms, we are not liable for any action you take based solely on blog information without further verifying or seeking professional advice where appropriate. Use your own judgment. If you spot an error in our content, feel free to let us know – we appreciate corrections and feedback.

6.8. Copyright of Blog Content: All original content on the blog (text, graphics, etc.) is protected by copyright. The Administrator (or any co-authors we identify) holds the rights. As described in the Terms:

  • You may use the content for personal use (e.g., save a page for later, print an article for personal reference).

  • For any reuse (like quoting it in your own blog, sharing beyond brief excerpts, etc.), please get permission unless an exception under law applies. Sometimes we might license specific content under Creative Commons or similar (if so, we’ll state it clearly). Otherwise, default copyright applies – “all rights reserved.”

  • If you’re unsure about using our content, contact us. Often, we’re happy to allow certain uses with credit, but we want to manage it to protect our rights and ensure quality.

6.9. No Personal Data in Blog Content: We don’t publish personal data of Users on our blog. If we ever mention someone (like a success story of a student), we would do so only with consent or by anonymizing them. If you find your personal data somehow appears on our blog and you don’t want it there, contact us for removal. Typically, it shouldn’t happen.

6.10. Automated Decision-Making: There is no automated decision-making or profiling done solely through blog browsing data that has legal or significant effects on you. We might use cookies to show you relevant content (like “related posts” suggestions) but that’s about enhancing your experience, not making any decision about you.

In short, enjoy our blog knowing that we respect your privacy while you do so. We monetize some links but we aim to do it responsibly and transparently.

7. Data Recipients – Who May Receive Your Data

We treat your personal data with care and do not share it indiscriminately. However, to run a functional online business, we rely on certain third-party services and have legal obligations that might involve disclosing data to others. Below we list the categories of recipients who may receive some of your personal data, and why.

7.1. Payment Processors: When you complete a purchase, the payment information and related personal data (name, billing info, purchase amount, etc.) are handled by payment service providers. Examples include:

  • Stripe, PayPal, or other Payment Gateways: They process the financial transaction. They will receive billing details and payment details. We only share what is necessary, and the transaction is typically encrypted and secure. These providers may be based outside your country (e.g., PayPal is a global company). They are responsible for their compliance (and in many cases are GDPR-compliant as they operate in the EU too). We have agreements in place as needed and trust their security measures.

  • Bank(s): If you pay via a direct bank transfer or card, your and our banks will of course process certain data. This is normal banking operation and they have their own legal basis (performing the transaction as per your request).

7.2. Hosting and IT Infrastructure: Our website is hosted on servers or cloud services. This means that our hosting provider technically stores and transmits the data on our behalf (all the data in our databases, files, etc., including personal data, is on their servers). We choose reputable hosting companies that implement strong security. They act as a data processor for us, meaning they shouldn’t access your data except for maintaining the server (e.g., for backup, troubleshooting). Examples could be companies like OVH, AWS, DigitalOcean, etc. (We’ll specify if asked, but basically, they are our web host).

  • Additionally, we might use IT support or developers who have access to the server or code. If so, they are bound by confidentiality and data protection obligations.

7.3. Email Service Providers: We use email to communicate (for orders, support, newsletters). Our email accounts might be provided through services such as Gmail (Google Workspace) or other email hosting.

  • If we send you email, it passes through email servers and those providers see metadata (like your email address, time sent, etc.) and content in transit. We ensure our email provider is secure and trustworthy (Google, for instance, is certified under Privacy Shield (now the Data Privacy Framework) and has EU Model Clauses for data transfer).

  • If we use a specific newsletter mailing service (like Mailchimp, as mentioned in Section 4), they get the subscriber list (your email, and your name if given).

  • Transactional email services: We might also use services that specialize in sending order emails (like SendGrid or Mailgun). They would similarly handle your email for sending confirmations or download links.

7.4. Digital Product Delivery/Storage Providers: If our e-books are delivered via a third-party platform or stored in a cloud storage (for example, if we use Amazon S3 or Google Cloud to host the downloadable files), then when you download, that service processes the request. They might log your IP and serve the file. They generally don’t get more info than necessary (just that an authorized user downloaded file X). We ensure such services are compliant (often these are major companies with robust security).

  • If we ever integrated with a third-party library or DRM (digital rights management) provider (currently we do not use DRM), they might receive identifiers or other information needed to allow access.

7.5. Accounting and Bookkeeping Services: The Administrator may use an external accounting firm or bookkeeping software to manage invoices, taxes, and financial records. In doing so:

  • The accounting firm may see documents that contain personal data (e.g., your name on an invoice).

  • This is done under a contractual relationship, and such firms are usually either controllers by law (accountants have their own legal obligations) or bound as processors to confidentiality.

  • We share only necessary information (for example, a list of sales invoices).

  • These records are needed by law for tax and compliance.

7.6. Professional Advisors: If necessary, we may share information with legal advisors (lawyers) or consultants in the context of obtaining advice or defending/exercising legal claims. For instance, if there’s a dispute with a customer, we might show an attorney the communications or transaction details. They are obliged to keep it confidential.

  • Similarly, if our business is audited or we consult privacy experts, they might see some data under NDA.

7.7. Authorities and Public Bodies: We may disclose personal data to government or public authorities if required by law or a lawful request, such as:

  • Tax Offices: For example, Polish tax authorities might require us to report our sales and provide invoices (with your name if on the invoice) during a tax inspection.

  • Law Enforcement: If we receive a valid court order or subpoena, or a lawful request (e.g., for investigation of fraud), we might need to provide data we have. We will verify the legitimacy of any such request carefully.

  • Data Protection Authorities: If you lodge a complaint and a data protection authority asks us for details, we might share relevant info with them.

7.8. Partners for Marketing (with consent): At the moment, we do not share data with third parties for their marketing. We would only do so if you explicitly consented. For example, if in future we ran a joint webinar with a partner and asked if you want to share your email with them, only then would we share. That scenario would be clearly communicated and opt-in.

  • Without such consent, your data stays with us and our service providers only.

7.9. Data Processors: Many of the above categories (hosting, email service, etc.) are technically processors under GDPR, meaning they process data on our instructions. We ensure we have proper data processing agreements with them (or they have suitable terms). They are not allowed to use your data for their own purposes.

  • We carefully select vendors who provide sufficient guarantees to implement appropriate data protection measures (as GDPR requires).

7.10. No Unauthorized Access: Aside from these intended recipients, we do not allow others to access your data. Our team (including any assistants or employees if we have them) will have access on a “need-to-know” basis (for example, our customer support person can see order details to help you, but not everyone in the team would necessarily have access to all data).

  • We train and inform anyone handling personal data about confidentiality and security.

7.11. International Aspects: Some recipients may be outside your country:

  • If you’re in the EU, note that some processors might be outside the EEA (like a U.S. newsletter service). We address that in Section 8 (Transfers outside EEA).

  • If you’re outside the EU, your data might go to the EU (since our base is Poland) and possibly to other countries for services. We always ensure compliance standards for such transfers.

In summary, we share data only with those who need it to provide our services or as required by law, and we always aim to minimize what is shared (only what’s necessary) and protect it through agreements and security measures.

8. Transfer of Data Outside the EEA

We are based in Poland (which is in the European Economic Area, EEA), and we primarily process data on servers located in the EEA. However, in today’s interconnected world, some of the services we use or some data recipients might be located outside the EEA or your personal data might be transferred outside the EEA. This section addresses how we handle such international data transfers.

8.1. No Routine Transfers Outside EEA: By default, we do not intentionally send your personal data to countries outside the EEA unless it’s necessary for the services we use. We don’t maintain offices or servers outside the EEA ourselves. However, some of our third-party providers are international companies (e.g., an email service or payment gateway might be based in the US or another country). Also, if you are a user outside the EEA, obviously data flows across borders (for example, from your device to our European server, which is a transfer in the other direction).

8.2. Common Situations Involving Transfers:

  • Payment Processors Outside EEA: If you choose a payment method provided by an entity outside the EEA (say a U.S.-based company like PayPal or Stripe), your data required for payment will be transferred to the US (or another country where they process it). These companies usually participate in frameworks or have standard safeguards (Stripe, for instance, uses Standard Contractual Clauses and, as of 2023, might be certified under the new EU-US Data Privacy Framework).

  • Newsletter or Email Services: Many popular email marketing or cloud email services are based in the US (Mailchimp, Google, etc.). If we use those, your email and content may be stored or processed on US servers.

  • Analytics and Tracking Tools: Google Analytics, if used, involves data being sent to Google’s servers (which might be globally distributed, often in the US). We have IP anonymization on, but cookies and data could still go out of the EEA. Similarly, if we implement Facebook Pixel or similar advertising cookies, some data goes to those companies (often US-based) for processing (like your unique cookie ID, IP, etc., so they can provide analytics or advertising services).

  • Cloud Hosting or Storage: If any of our site or backups are stored in a cloud that spans regions (like AWS or Cloudflare), data might transit through or be stored in non-EEA data centers depending on configurations, though we try to select EU region storage when possible.

8.3. Safeguards for International Transfers: Whenever personal data is transferred outside the EEA to a country that the European Commission has not deemed to provide an adequate level of data protection, we ensure that one of the GDPR-approved transfer mechanisms is in place. These include:

  • Standard Contractual Clauses (SCCs): We sign or adhere to contracts based on the standard clauses adopted by the European Commission. Many service providers incorporate SCCs in their terms or Data Processing Addendums (DPAs) for EU data. These clauses contractually oblige the recipient to protect your data to EU standards.

  • EU-US Data Privacy Framework Certification: If data goes to the US, we check if the recipient is certified under the new Data Privacy Framework (as of 2025, this is a mechanism to comply after the invalidation of Privacy Shield). If a recipient is certified, it means they have committed to GDPR-like principles for data received from the EU.

  • Binding Corporate Rules (BCRs): This could apply if we were part of a corporate group with internal data transfers. Not relevant for our small business.

  • Explicit Consent or Necessity Exceptions: In very rare cases, we might rely on your explicit consent for a specific transfer (e.g., if you request we forward something to a party abroad), or if the transfer is necessary for our contract with you (like connecting you to a foreign service you asked for). These are last-resort exceptions.

8.4. Examples of Safeguards in Practice:

  • Our mailing list provider includes the SCCs in their data processing terms, ensuring lawful transfer.

  • Google (for Analytics, if used) has SCCs and other measures (and now is likely under the Data Privacy Framework).

  • Payment providers like PayPal operate under their binding rules or SCCs and are highly regulated financial entities which provide some level of protection.

  • We monitor the legal landscape. If, for instance, the SCCs are updated or additional measures are required by authorities (such as additional encryption measures), we adjust accordingly.

8.5. Right to Information on Transfers: You have the right to ask us about transfers of your data outside the EEA and what safeguards we apply. We will provide you information as needed. We can provide copies of relevant contractual clauses (though some parts may be redacted for confidentiality) or at least an overview of the measures.

8.6. Risks: Despite safeguards, when data is in another jurisdiction, it could theoretically be subject to local laws (like government surveillance). We evaluate our providers in light of such concerns. We mainly use widely used providers who have challenged or managed government data requests in privacy-friendly ways. For extremely sensitive data, we avoid sending it abroad. Most of what we handle (names, emails for a newsletter, order details for e-books) is relatively low-risk. Still, we mention this for transparency: no measure is 100% foolproof, but we take what steps we can.

In conclusion, if your data leaves Europe, we promise to protect it with appropriate legal and technical shields so it remains as safe as if it stayed with us. If you have specific questions about an outside-EU service we use, contact us.

9. Data Retention Periods

We do not keep personal data forever; we retain it only as long as necessary for the purposes for which it was collected, or as required by law. This section explains how long we typically hold different categories of data.

9.1. Order and Transaction Data:

  • We keep data related to your purchases (personal details provided during order, invoice records, payment history) for as long as needed to fulfill the contract and then as long as required or justified thereafter.

    • During Contract: We need to retain this data at least until your order is fully delivered and any withdrawal period or initial support period has passed.

    • Accounting Records: Laws (like tax laws) mandate that we keep invoice and sales records for a certain duration. In Poland, financial documents (invoices) must be kept for 5 years counting from the end of the tax year in which the sale took place. In practice, that can be almost 6 years for early-year sales. For example, if you bought an e-book in July 2025, we must keep that invoice until end of 2030 (5 years after end of 2025).

    • Legal Claims: We may keep order data until the expiration of the statute of limitations for any potential claims arising from the contract. In Poland, for consumer contracts, this is generally 6 years (previously 10 years for some claims; after recent changes it is currently 6, and consumer claims do not expire earlier than 1 year from when the consumer became aware of the claim). We won’t dive into legal nuance here – but essentially, if you had a right to sue or we had a right to sue related to the transaction, we’ll keep data until that right expires, in case it’s needed as evidence.

    • So effectively, order data is kept at least 5-6 years. We may archive it afterward rather than delete, if not compelled, but we periodically review old data.

9.2. Newsletter Data:

  • Your email (and any name) on the newsletter list is kept until you unsubscribe (withdraw consent). Once you unsubscribe, we generally remove you from the active mailing list promptly.

  • However, we might keep a record of the fact that you were subscribed and that you unsubscribed, for a short period or in a suppression list, to make sure we honor your opt-out (so we don’t accidentally re-add you, and to show proof of consent if questioned).

  • If you never open our emails for a very long time, we might prune inactive subscribers and delete them from the list (this might happen, say, after 1-2 years of no engagement, to maintain list health). We would treat those as unsubscribed and stop emailing them.

  • In short: we actively hold and use your email for the newsletter until you opt out or become truly inactive; beyond that, we may keep a secure archive record of consent for a couple of years (since GDPR requires us to prove past consent in case of audit).

9.3. Contact Emails:

  • Emails or messages you send us are typically archived indefinitely in our email system, but we try not to keep unnecessary personal data longer than needed:

    • If an email is purely support-related, we might keep it for a couple of years for reference, then delete if space or relevance dictates. We don’t have an automated purge, but we may do manual clean-ups.

    • If it’s a complaint or important correspondence, we keep as long as needed (at least until the issue is fully resolved, then likely a few years more in case of follow-up).

    • Under Polish civil law, general claims expire after 6 years – we might align retention with that to be safe for any communication that could be relevant to a claim.

    • If you request deletion of a specific correspondence and there’s no overriding need to keep it, we can delete it earlier (see rights section).

9.4. Log Files and Technical Data:

  • Server logs (IP addresses, etc.) are usually kept for a short period for security and analysis – often overwritten or deleted within 30 days to 1 year depending on the sensitivity. Many hosts auto-delete logs after 3 months or so.

  • Analytics data in tools like Google Analytics: we have control over retention of user-level data. We might set it to a standard period (e.g., 14 months) after which Google deletes it. Aggregate data might be kept by us in reports without personal identifiers.

  • If logs are needed for security (e.g., to investigate hacking attempts), we might keep relevant logs longer until resolved.

9.5. Data Processed on Basis of Consent:

  • For any processing based on consent (e.g., newsletter), we stop processing once consent is withdrawn. We might keep a minimal record as proof of past consent (as mentioned).

  • If we had any other consents (like for cookies preferences), we follow those durations (cookie lifetimes are explained in Section 11).

9.6. Data Processed on Legitimate Interest:

  • If you object to processing that we do on legitimate interest (and we have no overriding grounds to continue), we will cease that processing and likely delete the data (or anonymize) related to it. For example, if you object to being in some internal analysis database, we’d remove you, unless we need it for legal reasons.

9.7. Anonymization vs Deletion:

  • Instead of outright deletion, sometimes we may anonymize data after the retention period. For instance, we might remove personal identifiers from a dataset but keep aggregate info (“We sold X e-books in 2025” without individual details). Anonymized data is no longer personal data and may be kept indefinitely for statistics.

  • For example, after 5 years, we might anonymize older orders: remove name/email but keep product and price for internal statistics.

9.8. No Infinite Retention:

  • We explicitly do not keep data perpetually without cause. If data is no longer needed and no law requires keeping it, we will delete or anonymize it.

  • We have internal schedules or triggers: e.g., we know to purge particular data sets yearly if they exceed retention time.

9.9. Example Timeline:
To illustrate, suppose you made a purchase on July 1, 2025:

  • We will keep your order details at least until end of 2030 (for tax) and possibly until mid 2031 (for claims).

  • If you also subscribed to the newsletter, and stay subscribed, we keep that data until you unsubscribe. If you unsubscribed in Dec 2025, we would stop sending at that point and likely remove you by Dec 2025, keeping perhaps a note of it until around 2027.

  • If you emailed us in Aug 2025 asking about the e-book, that email might sit in our support mailbox until say 2027-2031 depending on content, unless removed earlier.

  • Cookies from your browsing might expire within months, unless you revisit (renewing them) – see cookie details later.

9.10. Legal Holds:
If a legal dispute or investigation is underway, we may retain relevant data beyond the normal retention period until that issue is resolved (because deletion during a dispute could be prohibited or imprudent). This would be an exception to ensure compliance or defense in litigation.

In summary, our approach is to keep data only as long as necessary for the purpose it was given or collected, plus any additional period mandated by law or justified by our legitimate interest (like legal defense). After that, we remove or anonymize it.

If you have specific questions about how long a certain piece of your data is kept, feel free to contact us.

10. Your Rights as a Data Subject

If we hold your personal data, you have certain rights regarding that data. We are committed to respecting these rights and facilitating you in exercising them. Below we outline your rights under the GDPR (General Data Protection Regulation), which are quite comprehensive. Even if you are outside the EU, we will endeavor to honor these rights where feasible (and note some may not apply exactly the same outside the GDPR context, but we believe in transparency and fairness).

10.1. Right of Access (Article 15 GDPR): You have the right to obtain confirmation from us as to whether or not we are processing personal data concerning you. If we are, you have the right to access that data and to receive additional information about it, such as:

  • The purposes of processing,

  • The categories of personal data processed,

  • The recipients or categories of recipients to whom the data have been or will be disclosed (especially if they are abroad or international organizations),

  • The envisioned period for which the data will be stored (or the criteria to determine that period),

  • Your rights regarding this data,

  • The source of the data (if we didn’t get it directly from you),

  • Whether we use automated decision-making (we don’t for anything significant, as noted).

We will provide you with a copy of your personal data undergoing processing (the first copy is free; for additional copies, we may charge a reasonable fee based on administrative costs). If you request access electronically, and unless you request otherwise, we’ll provide the information in a commonly used electronic form (likely via email in a PDF or similar).

10.2. Right to Rectification (Article 16 GDPR): You have the right to ask us to correct any personal data we hold about you that is inaccurate. You also have the right to have incomplete personal data completed (taking into account the purposes of processing). For example, if you notice we have misspelled your name or have an outdated email, you can request an update. We strive to keep data accurate, but we appreciate your help in keeping your info up to date.

10.3. Right to Erasure (“Right to be Forgotten”) (Article 17 GDPR): You have the right to request that we delete your personal data in certain circumstances, such as:

  • The data is no longer necessary for the purposes for which it was collected or processed.

  • You initially consented to processing, but have now withdrawn consent, and we have no other legal basis to continue processing.

  • You have objected to processing based on legitimate interests (or processing for direct marketing) and we have no overriding legitimate grounds to continue.

  • We processed your data unlawfully (in breach of GDPR).

  • The data must be erased to comply with a legal obligation.

  • The data was collected in relation to offering online services to children (under some specific provisions).

If one of these grounds applies and no exception in law holds (there are exceptions – see below), we will erase your data.

However, the right to erasure is not absolute. Notably, we may refuse or postpone deletion if processing is necessary:

  • To exercise the right of freedom of expression and information (for example, if deletion would hamper journalistic or academic freedom – likely not relevant here).

  • To comply with a legal obligation or to perform a task carried out in the public interest or exercise of official authority (for instance, we cannot delete data we are legally required to keep, like those tax records, until the period lapses).

  • For reasons of public interest in the area of public health.

  • For archiving in the public interest, scientific or historical research, or statistical purposes, if erasure would seriously impair that processing (unlikely relevant for us).

  • For the establishment, exercise, or defense of legal claims. For example, if you asked to delete data and we know it’s needed because of a dispute or legal requirement, we may have to keep it (we would inform you of that).

In practice, that means: If you request deletion, we will remove what we can, but might retain certain info (like invoice records until they expire as discussed) under legal obligation. We will inform you what we have erased and what we cannot (and why).

10.4. Right to Restriction of Processing (Article 18 GDPR): This means you can ask us to “freeze” the use of your data in certain cases. When processing is restricted, we can still store the data, but not use or share it except for limited reasons (like with your consent or for legal claims). You can request restriction if:

  • You contest the accuracy of the data – for a period enabling us to verify its accuracy.

  • The processing is unlawful, but you oppose erasure and prefer restriction instead (for instance, you want us to keep the data but not use it, perhaps to have it for a legal claim).

  • We no longer need the data, but you need it for establishment, exercise, or defense of legal claims (for example, we might be ready to delete something but you need it preserved for a court case).

  • You have objected to processing (see 10.6 below) and we are considering whether our legitimate grounds override yours. During that deliberation, you can request the data be restricted (so we don’t use it in the meantime).

If processing is restricted, we will inform you before lifting that restriction.

10.5. Right to Data Portability (Article 20 GDPR): This allows you to receive from us the personal data that you provided to us, in a structured, commonly used, and machine-readable format (like CSV, JSON, etc.), and you have the right to transmit that data to another controller (for example, another service provider) without hindrance, where:

  • The processing is based on your consent or on a contract (so typically the data you gave us for the purchase, which is contract, or newsletter which is consent), and

  • The processing is carried out by automated means (so in our computers, not on paper only).

Additionally, you can ask, if technically feasible, that we transfer the data directly to another controller (this is called “data portability” as well). We will do so if possible (it implies both systems have some compatibility).

Note: This right is mainly to help you re-use your data across services. Not all data qualifies (only what you provided and which is processed by consent/contract; derived data or our notes may not be included). But typically, your account data, order details, etc., can be ported.

10.6. Right to Object (Article 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data that is based on our legitimate interests (Article 6(1)(f)). If you object:

  • We will stop processing that personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if we need to continue processing for the establishment, exercise, or defense of legal claims. Essentially, if you object, we have to either give up processing or prove that we have a very strong reason to continue that outweighs your reasons.

  • You also have an absolute right to object to any processing of your data for direct marketing purposes. If you object to marketing, we will cease processing your data for that purpose immediately. (This would apply, for example, if we sent you a newsletter or ads on the basis of legitimate interest; in our case we rely on consent for newsletters, but if you object to any incidental marketing, we will honor it.)

To object, you just need to contact us and explain which processing you object to. It’s helpful if you give reasons (especially for non-marketing objections, to clarify your situation).

10.7. Right to Withdraw Consent: If we are processing any of your data based on consent, you have the right to withdraw that consent at any time. This withdrawal will not affect the lawfulness of processing that occurred before you withdrew consent, but it means we’ll stop the consent-based processing going forward. For example:

  • You can unsubscribe from the newsletter (withdraw consent to marketing emails) – see Section 4.4. We then stop sending it.

  • If we ever asked consent for cookies (marketing cookies, for instance) and you gave it, you can revoke via our cookie settings or browser (see Section 11 for cookies).

  • If there is any other consent (for example, consent to publish a testimonial), you can let us know that you have changed your mind.

Withdrawing consent is as easy as giving it – if it was given via an online form, there is an online method to withdraw it (such as an unsubscribe link); otherwise, email us.

10.8. Right to Lodge a Complaint with a Supervisory Authority: Regardless of any of the above rights you exercise with us, if you believe we have infringed data protection laws in processing your personal data, you have the right to file a complaint with a supervisory authority (a data protection regulator).

  • In Poland, that is the President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych – UODO/PUODO). Address: ul. Stawki 2, 00-193 Warsaw, Poland. Telephone: +48 22 531 03 00. Website: uodo.gov.pl (which has info in English too).

  • If you are in another EU country, you can complain to your country’s Data Protection Authority (DPA). You can find a list of DPAs on the European Data Protection Board website. For example, in Germany there are state DPAs; in France, CNIL; etc. You can choose to lodge a complaint with the Polish authority or your local one. Under GDPR, you can go to either.

  • If you’re in the UK, the authority is the Information Commissioner’s Office (ICO).

  • If you’re in a country outside the EU, you may have a similar right with your local authority (for example, the OPC in Canada or the OAIC in Australia), though this depends on local law.

We would appreciate it if you tried to resolve any concerns with us first by contacting us, but you absolutely have the right to go to the authorities at any time.

10.9. How to Exercise Your Rights:

  • You can contact us via email at shop@mircoitaliano.com or by mail (see our address in Section 1) to make any request regarding your rights. Please state clearly what you ask for (e.g., “I’d like a copy of my data” or “Please delete my account data” or “I object to processing of X, here’s why…”).

  • We may need to verify your identity before acting on a request, to ensure we don’t give your data to the wrong person or delete the wrong account. Typically, if you email from the same address we have on file, that helps verify. We might ask for additional confirmation if needed.

  • We will respond as soon as possible, and at the latest within one month of receiving your request. If the request is complex or we have a high volume of requests, we can extend this by another two months, but if so we’ll inform you of the extension within the first month and explain why it’s needed.

  • If we decide not to act on your request (which could happen if it’s unfounded or excessive, etc.), we will inform you of the reasons and of your right to complain to the authority.

10.10. Limitations: As mentioned, some rights are not absolute:

  • For example, you cannot demand deletion of data we absolutely must keep by law, but we’ll delete what we can.

  • Portability doesn’t apply to data we have on legal basis other than consent/contract (like things we have by legal obligation).

  • Also, GDPR rights mainly apply to personal data. If data is truly anonymized (not linked to you), these rights don’t apply to that anonymized data.

10.11. No Fee in General: We will not charge you for exercising your rights. The only exception is if a request is manifestly unfounded or excessive (especially if repetitive), in which case we might charge a reasonable fee or refuse. But we aim to be helpful, so that would be rare.

We are committed to enabling you to exercise these rights and will assist in every reasonable way. Privacy is important, and we want you to have control over your data.

(For California/US residents: see Section 13 below for additional rights that may apply.)

11. Cookies and Similar Technologies

MircoItaliano.com uses cookies and similar tracking technologies to ensure the website functions correctly, to improve User experience, and for analytics and advertising purposes. This section explains what cookies are, which types we use, and how you can manage them.

11.1. What Are Cookies: Cookies are small text files that are stored on your device (computer, smartphone, etc.) when you visit a website. They allow the website to recognize your device and remember certain information about your session or your preferences. Cookies are widely used for things like keeping you logged in, remembering what’s in your cart, gathering analytics, and personalizing content. In this Policy, when we refer to “cookies,” it also encompasses similar technologies that achieve similar purposes (like local storage, web beacons, pixels, etc.), although cookies specifically are the main technology we use.

11.2. Why We Use Cookies: We use cookies on MircoItaliano.com for several reasons:

  • To ensure the website functions properly and securely (without cookies, some parts of the site may not work).

  • To remember your preferences (such as a language choice, if the site offers one, or the items in your cart).

  • To collect analytics data about how users navigate the site, so we can improve content and layout.

  • Potentially to facilitate marketing or advertising (like retargeting ads on platforms such as Facebook, if we choose to do so).

  • To integrate with external services (for example, if we embed a YouTube video, YouTube might set cookies).

11.3. Types of Cookies We Use:
We can categorize the cookies into a few types:

  • Essential (Necessary) Cookies: These are cookies without which the site simply cannot operate properly. They are usually set in response to your actions on the site, like logging in or adding items to a cart. They might maintain session state as you navigate pages, or remember privacy preferences. For example, if our site has a shopping cart, an essential cookie remembers the products you put in it. These cookies do not store personal data beyond what’s needed for functionality and are typically first-party (set by our domain).

    • Can you opt out? Because these are essential, the site may not allow you to opt out of them via the cookie consent, aside from blocking them in your browser (which might break functionality).

  • Functional (Preferences) Cookies: These cookies enable enhanced functionality and personalization, like remembering your chosen language, region, or other customizations. They are not strictly necessary, but they improve your experience. For example, if we offered a language switch and you chose “English” rather than “Italian,” a cookie might store that preference so it is remembered on your next visit.

    • Opt-out: These can often be turned off if you don’t want the site to remember your settings, but you may then have to re-enter your preferences on each visit.

  • Analytics (Statistics) Cookies: These cookies collect information about how visitors use our site – which pages are visited most often, how users move around, errors encountered, etc. We use this data to improve the site’s performance and content. We may use third-party analytics services (like Google Analytics) which set their own cookies to track user interactions in an aggregated way.

    • Data collected typically includes IP address (we anonymize it if possible), device type, browser, pages visited, time spent, and so on, but not your name or email. The data is aggregated and used for statistical analysis. For example, cookies might tell us that 100 users visited the blog page today.

    • Opt-out: We will ask for your consent for analytics cookies (depending on legal requirement). If you decline, we won’t set them. You can also block via browser or opt out using tools (like Google’s opt-out plugin). We try to respect “Do Not Track” signals for analytics (if configured) where feasible.

  • Marketing (Advertising) Cookies: Currently, our site does not serve third-party banner ads or heavily use marketing cookies. We do not have our own ad network. However, we do use Facebook Pixel (Meta Pixel) and possibly Google Ads tags for remarketing. These are considered marketing cookies because they track your visit to help us show you targeted advertisements on those platforms later. For example, if we launch a Facebook ad campaign, the Pixel cookie helps us show the ad to people who visited our site.

    • Marketing cookies might track things like which pages you visited and actions (like “user visited e-book page but didn’t purchase”), and then we could later show an ad about that e-book on Facebook.

    • They may also measure the effectiveness of our ads (conversions, etc.).

    • If we implement such cookies, we will definitely obtain your consent before dropping them, because under most laws (EU ePrivacy) non-essential cookies like these require opt-in.

    • Opt-out: If you do not consent, we will not set these. If you do consent but change your mind, you can adjust preferences or clear cookies. Also, on platforms like Facebook or Google, you can adjust ad preferences to limit targeted ads from specific sources.

  • Third-Party Cookies and Embedded Content: Sometimes, we might incorporate content from other sites (e.g., a YouTube video, a Twitter feed, etc.). These external services might set cookies. For instance, YouTube might set cookies to track video views or remember your preferences (if you’re logged into Google on your browser, it might link to your account). Similarly, our social media sharing buttons might set cookies.

    • We do not have full control over these cookies since they are set by third-parties when their content is loaded. However, we try to minimize this. We will disclose in our cookie notice which third-party cookies might be present.

    • Opt-out: You can usually block third-party cookies in your browser settings if you wish; not interacting with embedded content also avoids loading those external resources. Many browsers offer a “block third-party cookies” option, which helps.

11.4. Consent to Cookies (Cookie Banner):

  • When you first visit our site (from certain regions like the EU), you will see a cookie notice or banner. This banner will inform you that we use cookies and will give you options: e.g., “Accept All Cookies,” “Reject non-essential cookies,” or “Customize settings.”

  • Essential cookies might be set regardless, but analytics/marketing will be set only if you accept. If you choose to customize, you can typically toggle categories on or off.

  • By clicking “Accept,” you consent to our use of cookies as described. If you click “Reject” or similar, we will not set any cookies except those strictly necessary.

  • Your choice will be remembered (stored, as it happens, in a cookie or in local storage) so we don’t ask you on every visit. After some time (e.g., a year), or if our policies change, we may ask again.
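The consent flow described in 11.4 can be made concrete. The following is an added example written for this page, not MircoItaliano’s own code: it stores the banner choice in a cookie named cookieConsent (a name Section 11.6 mentions), re-asks when the stored choice is missing, unparsable, older than a year or made under a different policy version, and lets only essential cookies through until a valid opt-in exists. The policy version string, the one-year lifetime, the banner action names and the cookie values are assumptions; the cookie names PHPSESSID, cart_id, _ga and _fbp are the ones the policy itself lists.

```javascript
// Added example (not MircoItaliano's code): a consent-gated cookie policy in the shape
// described in Section 11.4. Everything except the cookie names taken from Section 11.6
// (cookieConsent, PHPSESSID, cart_id, _ga, _fbp) is an assumption made for illustration.

const POLICY_VERSION = "2025-05-09";        // assumed: change it when the policy changes so the banner re-asks
const CONSENT_MAX_AGE = 365 * 24 * 60 * 60; // assumed: the stored choice expires after a year

// The four categories from Section 11.3; "essential" is never gated by consent.
const CATEGORIES = ["essential", "functional", "analytics", "marketing"];

// Parse a request Cookie header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch { out[name] = raw; }
  }
  return out;
}

// Read the stored choice. Returns null when there is none, when it cannot be parsed, or when
// it was given for an older policy version: in every such case the banner is shown again.
function readConsent(cookieHeader) {
  const raw = parseCookieHeader(cookieHeader).cookieConsent;
  if (!raw) return null;
  let stored;
  try { stored = JSON.parse(raw); } catch { return null; }
  if (!stored || stored.version !== POLICY_VERSION || typeof stored.choices !== "object") return null;
  return stored;
}

// Turn a banner action into a consent record. "customize" takes per-category toggles;
// "reject-non-essential" keeps only essential cookies.
function buildConsent(action, toggles = {}) {
  const choices = { essential: true, functional: false, analytics: false, marketing: false };
  if (action === "accept-all") {
    for (const cat of CATEGORIES) choices[cat] = true;
  } else if (action === "customize") {
    for (const cat of CATEGORIES) if (cat !== "essential") choices[cat] = toggles[cat] === true;
  } else if (action !== "reject-non-essential") {
    throw new Error(`unknown banner action: ${action}`);
  }
  return { version: POLICY_VERSION, choices };
}

// Serialize the record as a Set-Cookie header value. The consent cookie is itself strictly
// necessary, so it may be set regardless of the choice made.
function consentSetCookie(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `cookieConsent=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// The gate: essential cookies are always allowed; anything else needs a valid, current opt-in.
function mayUse(category, consent) {
  if (category === "essential") return true;
  return consent !== null && consent.choices[category] === true;
}

// Filter a response's candidate Set-Cookie headers down to the ones consent permits.
function allowedSetCookies(candidates, consent) {
  return candidates.filter(c => mayUse(c.category, consent)).map(c => c.header);
}

// Constructed candidates using the cookie names Section 11.6 lists (values are placeholders).
const CANDIDATE_COOKIES = [
  { category: "essential", header: "PHPSESSID=sess-placeholder; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { category: "essential", header: "cart_id=cart-placeholder; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { category: "analytics", header: "_ga=GA1.1.placeholder; Max-Age=63072000; Path=/; Secure" },
  { category: "marketing", header: "_fbp=fb.1.placeholder; Max-Age=7776000; Path=/; Secure" },
];

// Walk through a first visit (no consent), a "customize" choice, and the return visit.
function demo() {
  const firstVisit = readConsent("");                            // null -> show the banner
  const chosen = buildConsent("customize", { analytics: true }); // analytics on, marketing off
  const setCookie = consentSetCookie(chosen);
  const returnVisit = readConsent(setCookie.split(";")[0]);      // the browser sends name=value back
  return {
    firstVisitCookies: allowedSetCookies(CANDIDATE_COOKIES, firstVisit),
    returnVisitCookies: allowedSetCookies(CANDIDATE_COOKIES, returnVisit),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

On the first visit only PHPSESSID and cart_id pass the gate; after the “customize” choice with analytics toggled on, _ga is added but _fbp is still withheld. Because the stored record carries the policy version, changing POLICY_VERSION invalidates every earlier choice and the banner appears again, which is the “if policies change, we might ask again” behaviour the section describes.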

11.5. Managing Cookies via Browser:
In addition to our site controls, you can control cookies through your web browser settings. Most browsers allow you to:

  • See what cookies are stored on your device and delete them on a one-by-one or batch basis.

  • Block third-party cookies or all cookies from certain sites.

  • Set the browser to clear cookies when it’s closed.

  • Use “private” or “incognito” mode which limits cookie persistence.

Bear in mind: if you block all cookies from our site, the site might not function fully (for example, the cart may break). If you block third-party cookies, the site will generally still work, but external integrations might not (YouTube videos may not remember where you left off, or social share counts may not show). We suggest you at least allow essential cookies for a smooth experience.

For guidance on how to adjust settings, you can check documentation for each browser (Chrome, Firefox, Safari, Edge, etc.). There are also general resources online – e.g., the UK Information Commissioner’s Office or other data protection sites often provide how-to guides.

11.6. Cookies we specifically use (for transparency): (Note: these are examples; actual cookies may vary)

  • Essential: e.g., PHPSESSID (session cookie to remember your session ID until you close browser), cookieConsent (to save your consent preferences), cart_id (to remember what’s in your cart).

  • Analytics: e.g., _ga, _gid (Google Analytics cookies, which identify your device with a random ID to track visits, with IP anonymization).

  • Marketing: e.g., _fbp (Facebook Pixel cookie), which identifies browsers for providing advertising and site analytics services.

  • If we use Google Analytics, we might have configured it to not use third-party tracking beyond itself (GA uses first-party cookies).

  • We ensure Google Analytics is configured in compliance mode (data retention limited, no unnecessary tracking).

  • At the time of writing, we do not have custom advertising cookies beyond possibly Pixel for our use.

11.7. Third-Party Analytics/Ads:

  • Google Analytics: Data collected might be shared with Google. We have turned on IP anonymization, meaning Google truncates your IP address within the EU before storing it (this helps privacy). Google Analytics cookies last from the session up to 2 years (e.g., _ga lasts 2 years). We use it to get reports on site usage.

  • Facebook Pixel: If used, it connects to Facebook servers when you visit our site and we have consent, allowing us to later create “Custom Audiences” for ads on Facebook. Facebook may use the data per their privacy policy to improve their ad system. We don’t get personal info from FB Pixel, just aggregated ad stats.

  • If we embed a YouTube video: YouTube (Google) might set cookies like VISITOR_INFO1_LIVE (to estimate bandwidth) or YSC (to keep stats of views). If we use privacy-enhanced mode, that reduces cookies.

11.8. Log Files: Related to cookies, we also want to mention server logs (though not cookies, but relevant to web tracking):

  • Our web server automatically logs each page request. This log typically includes your IP address, the date and time, the page requested (URL), the HTTP status, the bytes served, and user-agent string (which tells browser type and OS).

  • These logs are used primarily for technical and security purposes — e.g., to detect malicious activity (like DDoS attacks or hacking attempts) and to generate aggregate usage reports.

  • Log data is generally not combined with other data to identify individuals, and we do not use it to profile you. We also typically rotate or delete logs regularly (as mentioned in Section 9).

  • However, IP addresses in logs can be personal data. We treat logs confidentially; only server administrators or our IT provider can see them. We do not share raw logs with outsiders except where required to investigate an incident with law enforcement or cybersecurity experts.

  • Example: If there’s an error on the site, we might check the log to see what happened at that time for your IP. Or if someone tries to spam our site, we might block that IP based on logs.
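To make 11.8 concrete, here is an added example written for this page, not MircoItaliano’s own code, handling the log fields the section names (IP address, date and time, requested URL, HTTP status, bytes served, user-agent). It assumes the server writes the common “combined” log format; it parses each line, flags a source whose request count in a batch exceeds a threshold (the kind of check that supports the “block that IP based on logs” step), and then truncates the client address before the line is kept for aggregate reporting, in the spirit of the IP anonymization described in 11.7. The sample lines are constructed and use documentation address ranges.

```javascript
// Added example (not MircoItaliano's code): handling the server-log fields named in Section 11.8.
// Assumptions: the server writes the Apache/Nginx "combined" log format; the sample lines below
// are constructed, with addresses from documentation ranges (203.0.113.0/24, 198.51.100.0/24,
// 2001:db8::/32).

// client - user [time] "METHOD URL PROTO" status bytes "referer" "user-agent"
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null; // unparsable line: skip it rather than guess
  return {
    ip: m[1], time: m[2], method: m[3], url: m[4], protocol: m[5],
    status: Number(m[6]), bytes: m[7] === "-" ? 0 : Number(m[7]),
    referer: m[8], userAgent: m[9],
  };
}

// Truncate an address so it no longer points at a single device:
// IPv4 keeps the first three octets (203.0.113.77 -> 203.0.113.0);
// IPv6 keeps the first three 16-bit groups, a /48 (2001:db8:85a3::8a2e:370:7348 -> 2001:db8:85a3::).
function anonymizeIp(ip) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
    const o = ip.split(".");
    return `${o[0]}.${o[1]}.${o[2]}.0`;
  }
  if (ip.includes(":")) {
    const left = ip.split("::")[0];
    const groups = left ? left.split(":") : [];
    while (groups.length < 3) groups.push("0");
    return groups.slice(0, 3).join(":") + "::";
  }
  return "0.0.0.0"; // unrecognized form: blank it rather than retain it
}

// The retained copy of a record: same fields, client address truncated.
function anonymizeForRetention(record) {
  return { ...record, ip: anonymizeIp(record.ip) };
}

// Aggregate report over anonymized records: requests per URL and per status code.
function aggregate(records) {
  const byUrl = {}, byStatus = {};
  for (const r of records) {
    byUrl[r.url] = (byUrl[r.url] || 0) + 1;
    byStatus[r.status] = (byStatus[r.status] || 0) + 1;
  }
  return { byUrl, byStatus };
}

// Abuse check on the raw (not yet anonymized) records: sources with more than `threshold`
// requests in this batch. Acting on a source needs the full address, which is why this runs
// before truncation and why raw logs stay short-lived and access-restricted.
function flagHighVolume(records, threshold) {
  const counts = new Map();
  for (const r of records) counts.set(r.ip, (counts.get(r.ip) || 0) + 1);
  return [...counts].filter(([, n]) => n > threshold).map(([ip]) => ip).sort();
}

// Constructed sample batch; the last line is deliberately malformed.
const SAMPLE_LOG = [
  '203.0.113.77 - - [09/May/2025:10:15:01 +0200] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"',
  '203.0.113.77 - - [09/May/2025:10:15:04 +0200] "GET /shop/ HTTP/1.1" 200 8042 "https://www.mircoitaliano.com/blog/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"',
  '198.51.100.9 - - [09/May/2025:10:15:05 +0200] "POST /contact HTTP/1.1" 403 0 "-" "curl/8.5.0"',
  '198.51.100.9 - - [09/May/2025:10:15:05 +0200] "POST /contact HTTP/1.1" 403 0 "-" "curl/8.5.0"',
  '198.51.100.9 - - [09/May/2025:10:15:06 +0200] "POST /contact HTTP/1.1" 403 0 "-" "curl/8.5.0"',
  '198.51.100.9 - - [09/May/2025:10:15:06 +0200] "POST /contact HTTP/1.1" 403 0 "-" "curl/8.5.0"',
  '2001:db8:85a3::8a2e:370:7348 - - [09/May/2025:10:15:09 +0200] "GET /shop/ebook HTTP/1.1" 200 7310 "-" "Mozilla/5.0 (Macintosh) Safari/17.4"',
  'garbage line that does not match the format',
];

// One batch: parse, check for high-volume sources, then keep only the anonymized copy.
function processBatch(lines, threshold = 3) {
  const records = lines.map(parseLogLine).filter(Boolean);
  const retained = records.map(anonymizeForRetention);
  return { flagged: flagHighVolume(records, threshold), retained, report: aggregate(retained) };
}
console.log(JSON.stringify(processBatch(SAMPLE_LOG), null, 2));
```

The ordering is the point: the abuse check runs on raw records, everything that is kept afterwards has a truncated address, and a malformed line is dropped instead of being guessed at. In the sample batch only 198.51.100.9 exceeds the threshold, and the retained copies carry 203.0.113.0 and 2001:db8:85a3:: rather than the original addresses.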

11.9. Consent Exemption for Essential Cookies: Under EU laws, strictly necessary cookies do not require prior consent. That’s why we might set those immediately. Others (functional, analytics, marketing) ideally require consent (especially marketing). We follow that regime.

11.10. Where to find more info on cookies:

  • You can learn more about cookies and how to manage or disable them on informational websites like AllAboutCookies.org.

  • Many modern browsers also include a “Privacy” or “Do Not Track” setting. Note that Do Not Track is only a signal; our site currently gives it no special interpretation beyond not tracking you if you have already opted out via our banner.

By using our Site and (depending on jurisdiction) by acknowledging via the cookie banner, you agree to our use of cookies as explained here. If you have any questions or concerns about our use of cookies, you can contact us for clarification.

12. Final Provisions

12.1. Applicability and Acceptance: This Privacy Policy is effective as of May 9, 2025 (09.05.2025) and applies to all personal data processing activities conducted by the Administrator on or after that date on the MircoItaliano.com Site. By using the Site, you acknowledge that you have reviewed this Policy. We encourage all users (especially customers) to familiarize themselves with this document to understand how their data is handled.

12.2. Relationship to Terms of Service: This Privacy Policy is an informational document fulfilling our obligations to inform data subjects under GDPR (Articles 13 and 14) and other relevant laws. It is not a contract between us and Users, and it does not directly govern the terms of your purchases or use of the Site – those are set out in our Terms and Conditions (Terms of Service) separately. However, if you are using our site or services, we will assume you have read and agree to the practices described in this Policy to the extent they require your cooperation (for example, how we handle cookies, or that we will email you for transactional purposes).

12.3. Policy Changes: We reserve the right to update or modify this Privacy Policy as needed, particularly in response to changing legal requirements, the introduction of new services or features, or changes in our data processing practices. If we make significant changes to the Policy, we will notify users in a manner that is appropriate:

  • We may post a prominent notice on the Site (such as a banner or pop-up) indicating the Policy has been updated, especially if the changes are material.

  • For substantial changes, we might also notify registered users or newsletter subscribers via email, where feasible.

  • The “effective date” at the top will always indicate when the last changes were made. We may also keep an archive of previous versions of the Policy for reference.

  • Continued use of the Site after the effective date of a revised Policy signifies acceptance of the updated terms, to the extent permitted by law.

12.4. Contact and Queries: If you have any questions, concerns, or feedback regarding this Privacy Policy or the handling of your personal data, please do not hesitate to contact the Administrator:

  • Email: shop@mircoitaliano.com

  • Mail: Mirosław Kaźmierczyk (GSP), ul. Lisia 14/2, 65-093 Zielona Góra, Poland

We will do our best to respond promptly and address your inquiry. If you need to exercise any of your rights (as outlined in Section 10), contacting us through the above channels is the way to do so.

12.5. Governing Law: Issues not regulated by this Privacy Policy shall be governed by the applicable laws of Poland, as well as applicable EU regulations like the GDPR, and other relevant international laws. This Policy is intended to comply with those laws. If any provision of this Policy is found to be inconsistent with mandatory legal requirements, that provision will be interpreted in a way to closely reflect the intention while complying with the law, and other provisions will remain in effect.

12.6. Severability: If any section or clause in this Privacy Policy is deemed invalid or unenforceable by a competent authority or court, that part shall be severed to the extent of the invalidity, and the remainder of the Policy shall remain in full force and effect.

12.7. Language: This Privacy Policy is provided in English for the English version of the Site. If we provide translations in other languages and there is any ambiguity or conflict between versions, we intend the English version to prevail for interpreting our practices for the .com site (for the Polish site, the Polish Privacy Policy governs there).

12.8. Final Note: We value your privacy and strive to process personal data in a way that is transparent, fair, and lawful. We appreciate you taking the time to read this Policy. By being informed, you help us foster trust and accountability. Thank you for being a user of MircoItaliano.com, and we hope you enjoy our content and products with confidence in how we handle your data.


13. Additional Notice for California Residents (CCPA/CPRA)

(This section provides additional information to comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), effective 2023, and is only applicable to California residents. If you are not a California resident, this section may not apply to you.)

California law provides California residents with specific rights regarding their personal information. If you are a California resident, you have the following rights with respect to your personal information (as defined under California law):

13.1. Categories of Personal Information Collected: In the preceding sections of this Privacy Policy, we have described the categories of personal information we collect (for example: identifiers like name, email, IP address; commercial information like purchase records; internet activity like browsing on our site; etc.). All of these fall under categories defined in the CCPA such as:

  • Identifiers (real name, email address, IP address, etc.).

  • Customer records information (billing address, for example).

  • Commercial information (products purchased, transaction amounts).

  • Internet or other electronic network activity information (cookies, interactions with our site).

  • Inferences drawn from the above (e.g., preferences or interests inferred from site usage, though we do minimal profiling).

We do not collect sensitive personal information as defined under CPRA (such as social security numbers, driver’s license numbers, financial account passwords, or precise geolocation), except possibly email credentials, if those are considered sensitive (and even those we hold only in hashed form, or not at all in the case of payments).

13.2. Purposes for Collecting: As described, we use personal info for operating our business (fulfilling orders, providing services), marketing (with consent), analytics, and compliance with law. We do not use it for purposes outside what is outlined.

13.3. Sources of Personal Information: We collect personal info directly from you (when you provide it in forms), and indirectly from your interaction with our site (through cookies, etc.), and from payment processors regarding transactions. We do not collect from third-party data brokers or public databases.

13.4. Sharing/Selling of Personal Information: Under CCPA:

  • “Selling” personal information is defined broadly as disclosing it to another company for monetary or other valuable consideration.

  • “Sharing” (in CPRA terms) refers to disclosing for cross-context behavioral advertising.

We want to clarify:

  • We do NOT sell your personal information for money. We don’t provide your data to data brokers or other companies to market to you.

  • We do “share” certain personal identifiers (like cookie IDs or IP) with third parties for the purpose of targeted advertising, specifically through the use of analytics and advertising cookies (like Facebook Pixel, Google Analytics/Ads). This could be considered “sharing” under CPRA’s definition (disclosure for behavioral advertising).

    • For example, if the Facebook Pixel on our site collects your cookie identifier and browsing behavior to help us show you ads on Facebook, that is a form of sharing your info with Facebook for advertising.

  • All such sharing is only done with your consent (via our cookie management). If you have opted out of marketing cookies, we do not share for that purpose.

  • We also disclose personal info to our service providers (as listed in Section 7) for business purposes (like to process a payment or send an email). These service providers are bound by contracts and are not allowed to use your data for their own purposes. Such disclosures for business purposes are not considered “sales” under CCPA.

13.5. California Consumer Rights:
California residents have the following rights:

  • Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell/share about you. This includes the specific pieces of personal information, the categories of information, the categories of sources, the purposes, and the categories of third parties to whom information was disclosed or sold. Essentially, you can ask for a report of your data and our data practices regarding your info (very similar to the Access right described in Section 10.1, but CCPA frames it slightly differently).

  • Right to Delete: You can request that we delete personal information we have collected from you (with some exceptions as per law, e.g., if we need to keep it for a transaction, legal obligation, security, etc. – similar to the GDPR deletion scenario).

  • Right to Correct: Under CPRA, you have the right to request correction of inaccurate personal information that we maintain about you, taking into account the nature of the information and purposes of processing (which overlaps with GDPR rectification).

  • Right to Opt-Out of Sale/Sharing: You have the right to opt out of the sale of your personal information or the sharing of it for cross-context behavioral advertising. Since we don’t sell data for money, this mainly means you can opt out of any tracking that shares info with third parties for advertising. On our site, you can do this by rejecting marketing cookies (via the cookie banner or settings). Additionally, we provide a “Do Not Sell or Share My Personal Information” link in the footer (or a clear mechanism) for California residents, which allows you to opt out. If you use an online tool or send us a request to opt-out, we will honor it. If we ever had broader “sales,” we’d have that mechanism too.

  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we won’t deny you goods or services, charge you different prices, or provide a different level of quality just because you exercised your rights. (However, note that if you opt out of certain data uses, some functionalities might be limited – e.g., if you opted out of cookies, the site might not remember preferences; but that’s a consequence of less data, not an intentional penalty).

  • Right to Limit Use of Sensitive Personal Information: CPRA introduced this right if a business uses or discloses sensitive personal info beyond certain purposes. We do not use sensitive info in ways that would trigger this right (since we hardly collect any sensitive info). Therefore, this probably isn’t applicable; but if it were, you could ask us to limit those uses.

13.6. Submitting CCPA Requests:

  • To Know/Delete/Correct: You (or an authorized agent) can submit a verifiable request to us. It’s best to email us at shop@mircoitaliano.com with “CCPA Request” in the subject, specifying what you want (access, deletion, etc.). You can also mail us at our business address (see Section 1) or use any designated form we might offer on the site.

  • Verification: For your security, we will need to verify your identity when you make a request. If you have an account (though on our .com site you likely do not, since no registration), we could verify via that login. Otherwise, we might ask for some information that we have on file (like confirming your email, last purchase, etc.). We’ll try to minimize data collection in this verification.

  • Authorized Agent: You can designate an authorized agent (e.g., an attorney or someone with written permission) to make requests on your behalf. If you do that, we will need proof that the agent is authorized (like a signed permission from you or power of attorney) and we may still verify directly with you if it’s an access or deletion request (unless the agent has a power of attorney).

  • Response Timing: We will respond within 45 days of receiving your verifiable request. If necessary, we may take an additional 45 days (totalling 90 days), but if so, we’ll inform you of the extension and the reason within the first 45-day period.

  • Contents of Response: For access requests, we will provide the requested information covering the 12 months preceding our receipt of your request (in general, CCPA requires disclosure for up to 12 months back, unless you ask for beyond and regulations allow it). For deletion, we’ll confirm and either delete or explain the reason we cannot (such as an exception). For opt-outs, we will comply and confirm.

  • We do not charge a fee for these requests unless they are excessive or unfounded (similar to GDPR scenario).

13.7. Categories Disclosed for Business Purposes: In the last 12 months, we may have disclosed (to service providers) categories of personal info such as:

  • Identifiers (to payment processors, email providers),

  • Commercial info (to our accountant or payment processor),

  • Internet activity (to analytics providers).

This was done for the business purposes described (processing transactions, site functionality, etc.). These disclosures are not a sale; they are service-related.

13.8. No Sale of Minors’ Data: We do not knowingly collect or sell/share the information of minors under 16. Our site is not intended for children under 13 in any case (and if you are under 18, see the Terms – a guardian’s consent is needed to purchase). If we ever found that data had been collected from a user under 16, we would handle it under COPPA (for children under 13, verifiable parental consent is needed, etc.) and under CCPA for minors aged 13–16 (opt-in is required for a sale, but since we don’t sell, this is not applicable).

13.9. Shine the Light (CA Civil Code § 1798.83): California’s “Shine the Light” law allows customers to ask for certain info about what personal information is shared with third parties for those third parties’ direct marketing purposes. We do not share personal info with third parties for their own direct marketing (without consent). Thus, we believe we have no obligations under Shine the Light beyond saying we don’t do that kind of sharing. If you want to inquire about this, you can contact us.

13.10. Do Not Track: Some browsers have “Do Not Track” signals. CCPA requires us to state how we respond to those. Currently, there is no uniform standard for DNT signals. Our site’s systems may not recognize or respond to DNT headers. Instead, we rely on cookie consent management for opting out of tracking (which is essentially an explicit do not track on our site). We will update this if standards emerge.

13.11. Data Retention (California): We’ve already detailed retention in Section 9. Just to be clear for California context: We retain personal info as long as reasonably necessary for each purpose (e.g., order info as explained for tax/records ~5-6 years, newsletter until opt-out, etc.). If you request deletion, we’ll consider those retention needs against the request.

By including this section, we aim to ensure compliance with CCPA/CPRA and to provide California consumers with the information they are entitled to. If you are a California resident and have any questions or want to exercise your rights, please use the contact info provided. We are here to assist you.


Thank you for reading our Privacy Policy. We are dedicated to protecting your personal data and privacy rights. If anything is unclear, feel free to reach out to us for clarification.