Privacy Policy – Information on the Processing of Personal Data (EU/EEA)

Effective date: 16 September 2025

1) Who we are (Controller)

Controller: P.P.U.H. SOWOSZ sp. z o.o.
Registered office: ul. Wadowicka 86, 32‑551 Jankowice, Poland
E‑mail (privacy): biuro@sowosz.pl
Customer e‑mail: stairs@sowosz.com
Website: www.sowosz.com
Phone: +48 33 841 25 59
Data Protection Officer (DPO): Kamil Sowa, biuro@sowosz.pl

We are a Polish manufacturer. We have no branches outside Poland. We sell across the EU/EEA via our website and e‑mail. This Policy applies to our online sales and related services throughout the EU/EEA.

2) Scope and key principles

We process personal data in line with Regulation (EU) 2016/679 (GDPR) and applicable EU/national laws. We:

  • collect only what is necessary for stated purposes;
  • keep data accurate and up to date, correcting without undue delay;
  • ensure transparency and enable you to exercise your rights;
  • retain data no longer than needed or as required by law;
  • apply appropriate technical and organisational measures (access controls, encryption of selected transmissions, backups, logging, confidentiality and processor contracts).

Territorial scope (Art. 3(2) GDPR): we process data in Poland while offering goods across the EU/EEA. Lead supervisory authority is typically the Polish DPA (UODO). You may, however, lodge a complaint with any supervisory authority in the EU (Art. 77 GDPR).

3) What data we process and from where

Categories of data:

  • Identification & contact: name, e‑mail, phone, billing/delivery address, company details (if applicable).
  • Order & payment: items ordered, configuration/specifications, prices, payment status, transaction identifiers (processed via providers – see Section 7).
  • Technical/usage: IP address (in shortened/hashed form where feasible), device/browser information, cookie IDs, events, server logs.
  • Communications: content of e‑mails/forms/calls, support history.
  • Preferences/consents: newsletter and cookie choices.

Sources:

  • directly from you (web forms, e‑mails, order portal system.sowosz.pl),
  • generated by our systems (logs/analytics),
  • from service providers (payment/anti‑fraud, analytics, marketing), where lawful.

4) Purposes and legal bases (Art. 6 GDPR)

  1. Pre‑contract communication & offers (contact forms/e‑mail) – Art. 6(1)(b) or Art. 6(1)(f) (legitimate interest in responding).
  2. Contract conclusion & performance; deliveryArt. 6(1)(b).
  3. Customer service, complaints, warranty/guaranteeArt. 6(1)(b) and (c) (legal obligations).
  4. Invoicing & accountingArt. 6(1)(c) (legal obligation).
  5. Direct marketing of our own products (e‑mail/newsletter, promotions) – Art. 6(1)(a) (consent) or Art. 6(1)(f) (legitimate interest) in line with e‑privacy rules.
  6. Statistics & analytics; site improvement (e.g., GA4) – consent via the cookie banner.
  7. Security & fraud prevention (logs, abuse detection) – Art. 6(1)(f) legitimate interest.
  8. Legal claims & defenceArt. 6(1)(f) legitimate interest.

Note on profiling/automated decisions: we do not conduct automated decisions producing legal effects. We use profiling only for marketing/remarketing based on your cookie consent.

5) Cookies and similar technologies

  • Necessary (technical): required for the site, security, login, cart – always active.
  • Functional/personalisation: remember preferences (language/region) – active with consent where not strictly necessary.
  • Analytics: traffic/usage measurement (e.g., Google Analytics 4) – consent required.
  • Marketing/behavioural: ads personalisation/remarketing (e.g., Google Ads/YouTube, Meta Pixel, Pinterest Tag, Calltracker for call attribution) – consent required.

You can manage or withdraw cookie consent at any time via our cookie banner or your browser. Blocking necessary cookies may impair the site.

6) Who receives your data (recipients)

  • IT/hosting & maintenance (e.g., OVH),
  • Payment services (e.g., Montonio) – payment processing,
  • Logistics & couriers – delivery of goods,
  • Accounting/tax & legal advisers,
  • Marketing/analytics partners: Google (Analytics/Ads/Tag Manager/YouTube), Meta (Facebook Pixel), Pinterest (Pinterest Tag), Calltracker (call‑tracking),
  • Public authorities when required by law.

All processors operate under written contracts and only on our instructions.

7) International transfers (outside the EEA)

Some services may transfer data to the USA or other non‑EEA countries (e.g., Google, Meta, Pinterest). We rely on one or more of the following:

  • recipients certified under the EU–U.S. Data Privacy Framework (DPF);
  • Standard Contractual Clauses (SCCs) with supplementary measures;
  • applicable GDPR derogations.

Details are available in our cookie consent tool and in processor agreements.

8) Retention periods

  • Contracts & orders: for the contract term and related limitation periods,
  • Accounting/tax records: as required by law (commonly 5–10 years),
  • Complaints/warranty: for handling and limitation periods,
  • Marketing: until consent is withdrawn or an objection is upheld, or after a reasonable period of inactivity,
  • Server logs: typically a few months unless security needs longer.

9) Your rights (Arts. 15–22 GDPR)

You may request access, rectification, erasure, restriction, data portability, and you may object to processing based on legitimate interests (including direct marketing). Where processing is based on consent, you may withdraw it at any time (withdrawal does not affect earlier processing).

You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Polish DPA (UODO), but you may complain to any EU supervisory authority in your country of residence or work.

We respond without undue delay, within 1 month (extendable by up to 2 months for complex requests). We may reasonably verify your identity.

10) Security

We apply appropriate technical and organisational measures to protect personal data against loss, unauthorised access, disclosure, alteration or destruction – including access management, regular software updates, backups, encryption of selected transmissions, logging, and confidentiality/security commitments by processors.

11) Children’s data

Our website and products are not directed to children. We do not knowingly collect children’s data. If you believe a child provided data to us, contact us and we will take appropriate steps.

12) Changes to this Policy

We may update this Policy (e.g., due to legal changes or our processes). The current version is always available on www.sowosz.com; for material changes we will provide an appropriate notice (e.g., website banner or e‑mail where appropriate).

13) How to contact us

For privacy requests or questions, write to biuro@sowosz.pl (or by post to the address in Section 1). When exercising your rights, we may ask you to verify your identity.