§ 1


  1. The Data Controller for the processing of data collected through the online site is HEXJA COMPOSITES SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ SPÓŁKA KOMANDYTOWA entered in the Register of Entrepreneurs kept by the District Court for Kraków Śródmieście in Kraków, XII Commercial Division of the National Court Register under the number KRS: 0000616771, tax identification number NIP: 5492444299, statistical number REGON: 364421892, business addresses and address for service: ul. Gospodarcza 24, 32-600 Oświęcim, Poland, email address:, telephone number: + 48 530 000 636, hereinafter referred to as “Data Controller” or Service Provider.

  2. Personal data collected by the Data Controller via the website are processed in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/WE (General Data Protection Regulation), hereinafter referred to as the GDPR.

  3. Capitalised terms used in this Privacy Policy shall have the meaning set forth in the “Definitions” section of the Terms and Conditions.

§ 2


  1. PURPOSE AND LEGAL BASIS OF PROCESSING. The Data Controller processes the personal data of the Customers of in the event of using the Contact Form in order to send a message to the Data Controller, pursuant to art. 6 sec. 1 lit. f) GDPR (legitimate interest of the entrepreneur).

  2. TYPE OF THE PERSONALL DATA PROCESSED. User submits in the case of the Contact Form: name, e-mail address, telephone number.

  3. PERSONAL DATA STORAGE PERIOD. Personal data submitted by Users are retained by the Data Controller for the following retention periods:

    1. If the lawful basis is agreement performance: personal data are stored for as long as necessary for the performance of an agreement, and thereafter until the expiry of any statutory period of prescription or limitation. Unless a specific regulation provides otherwise the limitation period is six years, whereas for claims concerning periodical performances and claims connected with conducting business activity – three years.

    2. If the lawful basis is consent: personal data are stored until withdrawal of consent, and thereafter until the expiry of any statutory period of prescription or limitation for claims that may be raised by the Data Controller or that may be brought against the Data Controller. Unless a specific regulation provides otherwise the limitation period is six years, whereas for claims concerning periodical performances and claims connected with conducting business activity – three years.

  4. The Data Controller may collect additional User information, including, in particular: a User’s computer IP address, the IP address of the internet provider, domain name, browser type, duration of a visit, operating system.

  5. If the Data Subject has given a separate consent to such processing (Article 6 (1) (a) GDPR) their personal data may be processed for the purpose of sending electronic marketing messages or for direct marketing via telephone – in accordance with Article 10 section 2 of the Act on the Provision of Electronic Services of 18 July 2002 or Article 172, section 1 of the Telecommunications Law Act of 16 July 2004, including profiled marketing communications if the Data Subject has consented to receive such communications.

  6. Navigation Users may also collect navigation data, including information about links and links in which they decide to click or other activities undertaken in the Store. The legal basis for this type of activity is the Administrator's legitimate interest (Article 6 (1) (f) of the GDPR), consisting in facilitating the use of electronic services and improving the functionality of these services.

  7. Submitting personal data to is voluntary.

  8. The Data Controller shall take all reasonable steps to protect the interests of data subjects and ensure that all data is:

    1. lawfully processed,

    2. obtained only for specified, lawful purposes, and not further processed in any manner incompatible with those purposes,

    3. factually correct, adequate and relevant in relation to the purposes for which it is processed; stored in a form that permits identification of the data subject, for no longer than is necessary for those purposes.

§ 3


  1. The personal data of the Service Users are provided to service providers used by the Administrator when running the website, and in particular to:

    1. hosting providers,

    2. entities providing the mailing system.

  2. The service providers referred to in point 1 of this paragraph to which personal data are transferred, depending on contractual arrangements and circumstances, or are subject to the Administrator's instructions as to the purposes and methods of processing this data (processors) or independently define the purposes and methods their processing (administrators).

  3. The personal data of the Customers are stored only in the European Economic Area (EEA), subject to §5 point 5 of the Privacy Policy.

§ 4


  1. Every User has a right to access and/or rectify his personal data as well as the right to erasure, the right to restrict processing, the right to data portability, the right to object to processing and the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

  2. Legal basis for data subjects’ rights:

  1. Access to personal data – Article 15 of the GDPR

  2. Rectification of personal data – Article 16 of the GDPR,

  3. Erasure of personal data (right to be forgotten) - Article 17 of the GDPR,

  4. Restriction of data processing – Article 18 of the GDPR,

  5. Data portability – Article 20 of the GDPR,

  6. Objection to processing – Article 21 of the GDPR,

  7. Withdrawal of consent to processing – Article 7 (3) of the GDPR.

  1. The User may exercise his rights under point 2 by sending an email message to:

  2. If any request is received in relation to a data subject’s rights, the Data Controller must comply with or refuse to act on a User’s request without delay but not later than within a month of receiving the request. However, if a request is complex or if the Data Controller receives more requests, the Data Controller may extend the time to respond by a further two months. If this is the case the Data Controller shall inform the User within one month of receiving their request and explain why the extension is necessary.

  3. If the data subject considers that, in connection with personal data relating to him or her, there is an infringement of the GDPR, the data subject may make a complaint to the President of the Personal Data Protection Office.

§ 5


  1. uses cookies.

  2. Cookies are essential for the provision of electronic services via the website Cookies, contain information that is necessary for the proper functioning of the website and for the statistical analysis of website traffic.

  3. The website uses two types of cookies: “session” cookies and “persistent” cookies.

    1. Session” cookies are temporary files which are stored on the User’s end-device until they log out (leave the website).

    2. Persistent” cookies remain stored on the User’s device until deleted manually or automatically after a set period of time.

  1. The Data Controller uses their own cookies to provide information on how individual Users interact with the Website. These files collect information about how Users use the website, what type of website referred the User to, the frequency of visits and the time of each visit. This information does not register the Users’ personal data and is used solely for statistical analysis of website traffic.

  2. The Data Controller uses third party cookies for the purpose of collecting general and anonymous static data by means of Google Analytics, a web analysis tool (Data controller for third party cookies: Google Inc. based in USA).

  3. The User can adjust cookie permissions via options in their browser settings. More detailed information about cookie management with specific web browsers can be found in the browsers’ respective settings.

§ 6


  1. The Data Controller shall implement all necessary technical and organisational security measures to safeguard the data during processing ensuring a level of security appropriate to the nature of the data to be protected and, in particular, protect the data against unauthorised access, takeover, processing in violation of law, alteration, loss, damage or destruction.

  2. The Service Provider shall take appropriate technical measures to safeguard the electronic personal data against unauthorised interception or modification.

  3. In cases not provided for in this Privacy Policy the relevant provisions of the GDPR shall apply as well as applicable provisions of Polish law.