PRIVACY POLICY

Last updated: January 2026

1. Data Controller

Greta Front, sole proprietorship registered in CEIDG (Poland)
NIP: 6772534704
REGON: 543518222
Address: ul. Królowej Jadwigi 7a/5, 30-202 Kraków, Poland
Email: [email protected]

We are responsible for determining the purposes, scope, and legal basis of processing your personal data.

2. Personal Data We Collect

2.1. Information You Provide

  • Full name
  • Email address
  • Phone number (optional)
  • Shipping address
  • VAT/NIP number (optional)
  • Message content
  • Language preference

2.2. Information Collected Automatically

  • IP address
  • Browser type and operating system
  • Device type and screen resolution
  • Pages visited and navigation patterns
  • localStorage data (not traditional cookies)

3. How We Use Your Data

We process your personal data for the following purposes:

  • Responding to inquiries - To answer questions about artworks and services
  • Processing orders - To fulfill purchases and manage shipping
  • Communication - To send order updates and respond to your requests
  • Legal compliance - To maintain records for tax and accounting purposes
  • Website functionality - To remember your language preference and maintain your shopping cart

3.1. Email Verification

During the checkout process, we require email verification to:

  • Confirm your identity and prevent fraud
  • Ensure order communications reach the correct recipient
  • Maintain security for high-value transactions
How it works:
  • When you provide your email during checkout, we send a verification code to that address
  • You enter the code to confirm ownership of the email address
  • Once verified, your email is stored securely for future transactions (auto-verification)
  • Previously verified emails are automatically confirmed for convenience
Data processed:
  • Email address
  • Verification codes (temporary, deleted after verification)
  • Verification timestamps
  • Session identifiers

This verification is necessary for contract performance and fraud prevention (GDPR Art. 6(1)(b) and (f)).

4. Payments and Billing

  • Payments are processed securely by Stripe
  • We do not store your card or banking information
  • Stripe may process data outside the EEA. Standard Contractual Clauses (SCC) are used to ensure GDPR compliance
  • For more information, see Stripe's Privacy Policy

5. Legal Basis for Processing (GDPR)

We process your data based on:

  • Art. 6(1)(b) — Performance of a contract or pre-contract steps (processing orders, responding to inquiries)
  • Art. 6(1)(c) — Legal obligation (tax and accounting records)
  • Art. 6(1)(f) — Legitimate interests (website optimization, security, fraud prevention, language preference)
  • Art. 6(1)(a) — Consent (optional cookies, marketing if used)

6. Data Sharing

We may share your data with:

  • Stripe - Payment processing
  • Shipping providers - Order fulfillment
  • Hosting and IT services - Website operation
  • Accounting services - Legal compliance

All third parties operate under data processing agreements and follow GDPR requirements.

Third-Party Websites: We are not responsible for the privacy practices or content of third-party websites linked on our site.

7. Cookies and Local Storage

7.1. localStorage vs. Traditional Cookies

Important: This website primarily uses localStorage (a browser storage mechanism), not traditional HTTP cookies. The key differences:
  • localStorage: Data stored locally in your browser, not sent with every HTTP request
  • Traditional cookies: Small files sent to the server with each request
  • Our approach: We use localStorage for better privacy and performance

Both technologies serve similar purposes (storing preferences and session data), but localStorage offers:

  • Better privacy (data stays in your browser)
  • No automatic transmission to servers
  • More control for users

7.2. What We Use

This website uses localStorage (not traditional cookies) for:

Essential (Always Active - No Consent Required)

  • Cookie consent preferences
  • Shopping cart session
  • Security features

Functional (Requires Consent)

  • Language preference
  • User interface preferences

Analytics & Marketing (Not Currently Used)

  • Reserved for future use
  • Will require consent if implemented

7.3. Managing Storage Preferences

  • You can manage your preferences via the cookie banner on first visit
  • You can change settings anytime via the "Cookie Settings" link in the footer
  • Disabling functional storage may limit some features
  • You can clear localStorage data at any time through your browser settings

For complete technical details, storage items list, and third-party services, see our Cookie Policy (accessible via the footer link).

8. Data Retention

We retain your data for the following periods:

  • Contact inquiries: 12 months
  • Orders and invoices: 5 years from the end of the fiscal year in which the transaction occurred (Polish Accounting Act requirement)
  • Email verification records: 24 months
  • localStorage/cookies: Up to 24 months
  • Legal claims: Until expiration of limitation periods

After the retention period, data is securely deleted or anonymized.

9. Your Rights (GDPR)

You have the right to:

  • Access - Request a copy of your personal data
  • Correction - Correct inaccurate or incomplete data
  • Deletion - Request deletion of your data ("right to be forgotten")
  • Restriction - Limit how we process your data
  • Objection - Object to processing based on legitimate interests
  • Data portability - Receive your data in a structured format
  • Withdrawal of consent - Withdraw consent at any time
To exercise your rights, contact us at: [email protected]

You also have the right to lodge a complaint with the Polish data protection authority (UODO).

10. Security Measures

We implement comprehensive security measures to protect your personal data:

10.1. Data Transmission Security

  • HTTPS/SSL encryption - All data transmitted between your browser and our servers is encrypted using industry-standard TLS/SSL protocols
  • Secure communication channels for all sensitive operations
  • Encrypted payment processing through Stripe

10.2. Access Controls

  • Access to personal data is restricted to authorized personnel only
  • Role-based access controls ensure employees only access data necessary for their duties
  • Regular access reviews and monitoring
  • Secure authentication requirements for all systems handling personal data

10.3. Technical Safeguards

  • Industry-standard security measures and best practices
  • Regular security audits and vulnerability assessments
  • System updates and security patches applied promptly
  • Secure data storage with encryption at rest where applicable
  • Firewall protection and intrusion detection systems

10.4. Operational Security

  • Employee training on data protection and security
  • Incident response procedures
  • Regular backups with secure storage
  • Secure disposal of data when retention periods expire
Note: While we implement robust security measures, no system can guarantee absolute protection. We continuously work to improve our security posture and respond to emerging threats.

11. International Data Transfers

11.1. Data Location

Your personal data is primarily stored and processed within the European Economic Area (EEA), ensuring strong data protection under GDPR.

11.2. Third-Party Transfers

Some third-party services may process your data outside the EEA:

Stripe (Payment Processing):
  • Stripe may process payment data in the United States and other countries outside the EEA
  • We use Standard Contractual Clauses (SCC) approved by the European Commission to ensure GDPR-compliant transfers
  • SCCs are legally binding agreements that guarantee your data receives equivalent protection to EU standards
  • Stripe is certified under various data protection frameworks and maintains high security standards

11.3. Transfer Safeguards

All international data transfers comply with GDPR requirements through:

  • Standard Contractual Clauses (SCC) - EU-approved contractual safeguards
  • Adequacy decisions where applicable
  • Appropriate technical and organizational measures
  • Regular assessments of third-party data protection practices

For more information about Stripe's data processing, see Stripe's Privacy Policy and Stripe's Data Processing Agreement.

12. Children's Privacy

12.1. Age Restriction

This website and our services are not intended for children under 18 years of age. We do not knowingly collect, use, or disclose personal information from individuals under 18.

Under GDPR Article 8(1), member states may set a lower age of consent for information society services (Poland has set 16). We apply a stricter threshold of 18 years for added protection, especially for high-value art transactions.

12.2. Parental Consent

If you are under 18:

  • You must obtain parental or guardian consent before using this website
  • You must have parental or guardian consent to make purchases
  • A parent or guardian must review and accept our Privacy Policy and Terms of Service on your behalf

12.3. If We Discover Minor Data

If we become aware that we have collected personal information from a child under 18 without proper consent, we will:

  • Immediately delete the information from our systems
  • Refuse to process any orders or transactions
  • Take steps to prevent future collection

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected].

13. Updates to This Policy

This Privacy Policy may be updated periodically. Continued use of the website after updates means acceptance of the revised policy. We will notify users of significant changes via email or website notice.

14. Contact Us

For questions about this Privacy Policy or to exercise your rights:

Email: [email protected]
Address: ul. Królowej Jadwigi 7a/5, 30-202 Kraków, Poland
Version: 1.0
Effective Date: January 1, 2026