This Privacy Policy specifies the rules for processing personal data of Customers and Users of the AS VINTAGE online store available at asvintage.com and asvintage.pl. Definitions of terms used in the Privacy Policy correspond to the definitions contained in the Store's Terms and Conditions.

1. PERSONAL DATA CONTROLLER

The controller of personal data processed in connection with the use of the Store is Adam Krenski conducting business activity under the business name Cheap Store Adam Krenski with its registered office in Rytel, operating at the address: ul. Nowa Wieś 17a, 89-632 Rytel, delivery address: ul. Truskawkowa 22, 89-600 Chojnice, NIP: 5552127497 (hereinafter: the "Controller").

Contact with the Controller in matters regarding personal data protection is possible:

• via e-mail to: asvnthelp@gmail.com,
• by mail to the address: ul. Truskawkowa 22, 89-600 Chojnice.

2. PURPOSES AND BASES FOR PROCESSING PERSONAL DATA

The Controller processes personal data for the following purposes:

• Conclusion and execution of the Sales Contract – Customers' data provided in the Order form (first and last name, delivery address, e-mail address, invoice data) are processed in order to execute the Order, deliver the Item, handle payments via Stripe, and issue accounting documents. Legal basis: necessity for the performance of a contract (Art. 6 sec. 1 lit. b of the GDPR); and in the scope of accounting and tax obligations – a legal obligation (Art. 6 sec. 1 lit. c of the GDPR).
• Handling complaints – Customers' data provided in the complaint submission are processed in order to consider the complaint. Legal basis: a legal obligation (Art. 6 sec. 1 lit. c of the GDPR).
• Handling returns – Customers' data provided in the withdrawal from the contract are processed in order to consider the return. Legal basis: necessity for the performance of a contract (Art. 6 sec. 1 lit. b of the GDPR).
• Maintaining a User Account – data provided during registration (first name, last name, e-mail address, password) are processed in order to execute the agreement for the provision of the Account service. Legal basis: necessity for the performance of a contract (Art. 6 sec. 1 lit. b of the GDPR).
• Sending commercial information (newsletter) – User's e-mail address is processed in order to send commercial information with the prior consent of the User. Legal basis: consent (Art. 6 sec. 1 lit. a of the GDPR) in connection with the regulations on the provision of electronic services.
• Analytics and optimization of the Store – data of website users (including IP address, browser type, visit time, viewed subpages) are processed for analytical and statistical purposes, in order to improve the functioning of the Store. Legal basis: legitimate interest of the Controller (Art. 6 sec. 1 lit. f of the GDPR), consisting in the analysis and optimization of the Store's operation.
• Running profiles in social media – data of active Users on the Store's profiles in social media (https://www.instagram.com/asvntg) are processed in order to communicate with Users and deliver informational content. Legal basis: legitimate interest of the Controller (Art. 6 sec. 1 lit. f of the GDPR).
• Investigation and defense against claims – data of Customers and Users may be processed in order to establish, investigate, or defend against legal claims. Legal basis: legitimate interest of the Controller (Art. 6 sec. 1 lit. f of the GDPR).
• Presentation of reviews and promotional materials (User Generated Content) – data in the form of an image, profile name, and other content published by Users on Instagram, in which the Store's profile was tagged, are processed in order to promote products and market the Store on the website and in social channels. Legal basis: legitimate interest of the Controller (Art. 6 sec. 1 lit. f of the GDPR) consisting in marketing products using content generated by customers, within the limits of the granted license.

3. VOLUNTARY NATURE OF DATA PROVISION

Providing personal data is voluntary, however, providing data marked as required is necessary to:

• place and execute an Order,
• register and use an Account,
• consider a complaint or return,
• provide an answer to an inquiry.
• Failure to provide the required data makes it impossible to carry out the above actions.

4. PERIOD OF PERSONAL DATA PROCESSING

The Controller processes personal data for the following time:

• data of Customers provided in connection with the concluded Sales Contract – for the period necessary for the proper performance of the contract, not shorter than 5 years counted from the end of the calendar year in which the tax payment deadline related to the order expired (in accordance with tax and accounting law regulations),
• data processed on the basis of consent – until the consent is withdrawn,
• data processed on the basis of the legitimate interest of the Controller – for the duration of this interest, but no longer than until a successful objection is lodged by the data subject,
• data processed in connection with social media – for the time of running the profile or until an objection is lodged,
• the processing period may be extended until the prescription of potential claims related to data processing or the relationship with the Controller.

5. RECIPIENTS OF PERSONAL DATA

The Controller may entrust the processing of personal data to trusted third parties (processors) exclusively to the extent necessary for the performance of services. Data recipients may be:

• Stripe (payment operator) – in the scope of data necessary to process transactions,
• courier companies and delivery providers – in the scope of address details necessary to carry out delivery,
• hosting and technical infrastructure providers of the Store,
• software providers for managing the Store and orders,
• analytical tools providers,
• software providers for handling e-mail and communication with the Customer,
• accounting office / law firm – to the extent necessary for legal and accounting services,
• Trustpilot – in the scope of data transferred in connection with the publication of reviews on this platform; data processing by Trustpilot takes place in accordance with the privacy policy of Trustpilot available at trustpilot.com.
• Personal data may be shared with state authorities at their request, on the basis of mandatory provisions of law.

6. TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

Due to the Controller's use of services of entities with a global reach, personal data may be transferred to third countries outside the EEA. Every such transfer takes place with the application of appropriate safeguards required by the GDPR. Data transfer may take place, among others, to:

Stripe Inc. based in San Francisco, USA – in connection with payment processing. The transfer is based on the European Commission's adequacy decision (Data Privacy Framework), and Standard Contractual Clauses (SCCs) constitute a supplementary safeguard. Information about Stripe's privacy standards is available at: stripe.com/privacy.

Google LLC, based in the United States – the transfer is based on the European Commission's adequacy decision (Data Privacy Framework), and Standard Contractual Clauses (SCCs) constitute a supplementary safeguard; information about Google's privacy standards is available at: policies.google.com/privacy.

Trustpilot A/S based in Copenhagen, Denmark (EEA) – transferring data within the EEA does not require additional safeguards.

Detailed information about the applied safeguards is available upon request, at the Controller's e-mail address.

7. RIGHTS OF DATA SUBJECTS

Every person whose data is processed by the Controller has the right to:

• access their personal data and receive a copy thereof,
• rectify incorrect data or complete incomplete data,
• erase personal data ("the right to be forgotten") when the data are no longer necessary for the purposes for which they were collected, or when consent has been withdrawn,
• restrict processing of data in cases provided for by the GDPR,
• data portability – to receive data in a structured, commonly used, and machine-readable format,
• object at any time to the processing of data for direct marketing purposes, including profiling, if the processing takes place on the basis of the legitimate interest of the Controller,
• object to the processing of data for reasons related to the specific situation of the person, in the case of processing based on the legitimate interest of the Controller,
• withdraw consent to data processing at any time, without affecting the lawfulness of processing that took place before its withdrawal,
• lodge a complaint with a supervisory authority – in Poland it is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl; Customers from other EU countries may lodge a complaint with the supervisory authority competent for their country of residence.

To exercise the above rights, please contact the Controller via e-mail at: asvnthelp@gmail.com or by mail to the address: ul. Truskawkowa 22, 89-600 Chojnice.

8. SOCIAL MEDIA

The Controller runs the Store's profile on the social network Instagram, at the address https://www.instagram.com/asvntg.

In connection with running profiles, the Controller may be a joint controller of the data of Users of these networks together with the operator of a given network. Details result from the privacy policies of individual platforms: Instagram platform – https://privacycenter.instagram.com/policy.

The Controller processes Users' data publicly available on social networks (such as name, image, content of comments or messages) in order to communicate and answer messages as well as for statistical purposes.

9. COOKIES AND TRACKING TECHNOLOGIES

The Store uses cookies technology – packets of information saved on the Customer's or User's device, enabling the proper functioning of the Store and improving the quality of services.

Two types of cookies are used:

• session cookies – permanently deleted after the end of a browser session,
• persistent cookies – remain on the User's device after the end of a session, until they are deleted or their validity period expires.

The Controller uses the following categories of cookies:

• necessary – required for the proper functioning of the Store, Customer authentication, and session maintenance,
• functional – remembering the Customer's settings and preferences,
• analytical – used to analyze website traffic and improve its functioning,
• marketing – used to personalize advertisements and marketing messages.

The Customer and User can independently manage cookies settings through their web browser settings or via the consent management panel (cookies banner) available on the Store's website. Restricting the use of cookies may affect the availability of certain functions of the Store.

The Store may store server logs containing the IP address of the device, the date and time of the visit, the browser type, and other technical information. These data serve administrative and statistical purposes only and are not combined with Customers' personal data.

10. PROFILING

The Controller may process Customers' and Users' data in an automated manner, including through profiling, in order to adjust the presented offers, promotions, and advertising content to the User's preferences. Profiling does not produce legal effects concerning Customers nor does it significantly affect them in a similar manner. The User has the right to object to such processing by sending an appropriate request to the Controller's e-mail address.

11. FINAL PROVISIONS

The Controller reserves the right to introduce changes to the Privacy Policy in connection with changes in legal regulations or the method of processing personal data. The Controller will inform Users about significant changes via e-mail or through an appropriate message on the Store's website.

The Privacy Policy is effective from June 16, 2026.