Privacy policy
Last updated: 18 June 2026
1. Data controller
The controller of your personal data is [FULL LEGAL NAME — e.g. Krzysztof Burchat, sole trader operating under the business name Frolo, or Frolo Sp. z o.o.], registered office at ul. Obozowa 20D/100, [01-161] Warsaw, Poland, Polish tax number (NIP): [NIP — 10 digits], statistical number (REGON): [REGON — 9 or 14 digits] (hereinafter: the "Controller" or "Frolo").
Contact for data protection matters: e-mail prywatnosc@frolo.pl, phone [+48 phone number — add or remove this line].
Data Protection Officer (DPO): The Controller has not appointed a Data Protection Officer. For all matters relating to the processing of personal data, please contact us at the address above.
2. Legal bases and purposes of processing
We process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR") and Polish law. We assign an appropriate legal basis to each purpose of processing:
- Order fulfilment and performance of the sales contract — Art. 6(1)(b) GDPR (performance of a contract);
- Issuing and storing invoices, accounting and tax obligations — Art. 6(1)(c) GDPR (legal obligation, including the Polish Accounting Act and VAT Act);
- E-mail / SMS marketing (newsletter, information about new collections) — Art. 6(1)(a) GDPR (consent), which you may withdraw at any time;
- Handling complaints and returns — Art. 6(1)(b) GDPR and Art. 6(1)(c) GDPR;
- Security of the Services, prevention of abuse, analytics and statistics — Art. 6(1)(f) GDPR (legitimate interests of the Controller);
- Establishment, exercise or defence of legal claims — Art. 6(1)(f) GDPR (legitimate interests of the Controller).
3. Categories of data processed
Depending on the purpose and legal basis, we may process the following data:
- identification data (first name, last name),
- contact data (e-mail address, phone number, delivery and billing address),
- order data (order number, products, amounts, delivery and payment methods),
- billing data (where an invoice is issued — company data, tax number),
- technical data (IP address, browser type, device identifiers, cookie data — see the "Cookies" section),
- content of correspondence (from contact forms, e-mails, complaint requests).
4. Retention periods
- Order, invoice and accounting data — for the period required by tax and accounting regulations (generally 5 years counted from the end of the calendar year in which the tax obligation arose).
- Data processed for marketing purposes — until consent is withdrawn.
- Customer account data — until the account is deleted.
- Data needed for the establishment or defence of claims — for the limitation period of those claims (generally up to 6 years).
- Correspondence data — for the period necessary to respond and to defend against possible claims.
5. Recipients of data
Your data may be disclosed to entities we work with in order to provide the Services, in particular:
- payment service providers,
- courier companies and postal operators,
- the store platform provider (Shopify Inc. and its affiliates),
- our accounting / bookkeeping office,
- IT, hosting, e-mail and analytics service providers,
- entities authorised on the basis of applicable law (e.g. public authorities).
6. Transfers outside the European Economic Area (EEA)
Some of our providers (including Shopify) may process data outside the EEA. In such cases the transfer is carried out with the required safeguards — in particular on the basis of Standard Contractual Clauses approved by the European Commission or other mechanisms compliant with Art. 46 GDPR.
7. Your rights
In connection with the processing of your personal data, you have the following rights:
- the right of access to your data and to receive a copy of it (Art. 15 GDPR),
- the right to rectification of data (Art. 16 GDPR),
- the right to erasure — the "right to be forgotten" (Art. 17 GDPR),
- the right to restriction of processing (Art. 18 GDPR),
- the right to data portability (Art. 20 GDPR),
- the right to object to processing based on legitimate interests (Art. 21 GDPR),
- the right to withdraw consent at any time — withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal (Art. 7(3) GDPR),
- the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR).
To exercise your rights please contact us at prywatnosc@frolo.pl.
8. Right to lodge a complaint with the supervisory authority
If you believe that your data is being processed unlawfully, you have the right to lodge a complaint with the supervisory authority:
President of the Personal Data Protection Office (PUODO)
ul. Stawki 2
00-193 Warsaw, Poland
www.uodo.gov.pl
9. Cookies and similar technologies
We use cookies and similar technologies, for the following purposes:
- to ensure the store works correctly (strictly necessary cookies — no consent required),
- to analyse traffic and measure the performance of content (analytics cookies — consent-based),
- for personalisation and marketing, including remarketing (marketing cookies — consent-based).
You can withdraw your consent to analytics and marketing cookies at any time by clicking the consent management icon in the site footer or by changing your browser settings. [Optional: add a link to a separate Cookies Policy once published.]
10. Profiling and automated marketing
Your data may be subject to profiling for marketing purposes (e.g. tailoring marketing communications to your interests). Profiling is carried out on the basis of consent and does not produce legal effects concerning you and does not similarly significantly affect you. You can object to such processing or withdraw your consent at any time.
11. Data security
We apply technical and organisational measures to ensure the security of your data, in particular encryption of the connection (HTTPS/TLS), restricting access to data to authorised persons only and regular updates of our systems. Should a personal data breach occur that is likely to result in a high risk to the rights or freedoms of natural persons — we will notify you without undue delay.
12. Voluntariness of providing data
Providing data is voluntary, but in certain cases it is necessary to provide the Services (e.g. to fulfil an order, to issue an invoice). Failure to provide the required data means that you will not be able to use the relevant Service.
13. Changes to this Privacy Policy
We may update this Privacy Policy. Any material change will be announced on this page together with the date of the last update. We encourage you to check the Privacy Policy regularly.
14. Contact
For questions about the processing of personal data please contact us:
- e-mail: prywatnosc@frolo.pl
- address: ul. Obozowa 20D/100, [01-161] Warsaw, Poland
- phone: [+48 phone number — add or remove this line]
This Privacy Policy is effective as of 18 June 2026.