PRIVACY POLICY OF THE ONLINE STORE LABORATORY ANDRE ZAGOZDA

effective as of: 09.03.2026

Table of Contents

• 1. General provisions
• 2. Personal data
• 3. Legal basis for data processing
• 4. Data recipients
• 5. Data retention period
• 6. Rights of data subjects
• 7. Cookies and similar technologies
• 8. Analytical and marketing tools
• 9. Data security
• 10. User account
• 11. Changes to the Privacy Policy
• 12. Contact with the data controller

1. General provisions

This Privacy Policy defines the rules for processing personal data and the use of cookies in the online store LABORATORY ANDRE ZAGOZDA, available at:

https://store.andrezagozda.com

The controller of personal data is:

LABORATORY ANDRE ZAGOZDA PL SP. Z O.O.
Migdałowa 6
05-410 Józefów
Poland
VAT ID (NIP): 9522118219
REGON: 145993477
KRS: 0000410177

registered in the Register of Entrepreneurs maintained by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of the National Court Register.

The controller makes every effort to ensure an adequate level of protection for the privacy of users of the store, in accordance with applicable legal regulations, in particular:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
• the Polish Personal Data Protection Act of 10 May 2018

The store sells physical products, including cosmetics.

2. Personal data

The controller processes customers' personal data for the purpose of:

• concluding and performing the sales agreement
• processing orders, payments and delivery
• customer service communication
• handling complaints and returns
• fulfilling tax and accounting obligations
• maintaining a user account (if the customer creates an account)
• sales analysis and internal statistics
• ensuring the security of the store and preventing abuse
• establishing, pursuing or defending legal claims

Providing personal data is voluntary, however it is necessary in order to conclude and perform the sales agreement.

If the required data are not provided, it may not be possible to process the order.

3. Legal basis for data processing

Personal data are processed on the basis of:

Article 6(1)(b) GDPR – processing necessary for the performance of a contract or for taking steps prior to entering into a contract.

Article 6(1)(c) GDPR – processing necessary for compliance with a legal obligation (e.g. accounting obligations).

Article 6(1)(f) GDPR – processing necessary for the purposes of the legitimate interests pursued by the controller, in particular:

• handling customer inquiries
• website traffic analysis
• ensuring the security of the store
• establishing or defending legal claims

Article 6(1)(a) GDPR – the user's consent in the case of marketing activities or newsletter subscription.

4. Data recipients

Personal data may be transferred only to the extent necessary to perform services, in particular to:

• electronic payment operators (e.g. Przelewy24, PayU)
• courier and transport companies
• IT service providers supporting the store
• hosting service providers
• accounting offices
• law firms (in justified cases)

These entities process data on the basis of data processing agreements.

Personal data are not transferred outside the European Economic Area unless this results from the use of global technology providers that ensure appropriate safeguards in accordance with GDPR.

5. Data retention period

Personal data are stored for the period:

• necessary for the performance of the sales agreement and order fulfillment
• required by law (e.g. accounting documentation – up to 5 years)
• until the expiration of claims arising from the contract
• in the case of data processed on the basis of consent – until the consent is withdrawn

After these periods, the data are deleted or anonymized.

6. Rights of data subjects

Each person has the right to:

• access their personal data
• rectify personal data
• erase personal data
• restrict processing
• data portability
• object to data processing
• withdraw consent to data processing
• lodge a complaint with the President of the Personal Data Protection Office

7. Cookies and similar technologies

The store uses cookies and similar technologies in order to:

• ensure the proper functioning of the website
• operate the shopping cart and ordering process
• remember user preferences
• perform statistical analysis

The following types of cookies may be used:

• essential cookies
• analytical cookies
• marketing cookies

The user may change cookie settings in their web browser at any time.

Limiting the use of cookies may affect the proper functioning of the store.

The store may also use the following technologies:

• local storage
• session storage

8. Analytical and marketing tools

The store uses analytical and marketing tools such as:

• Google Analytics
• Google Tag Manager
• Google Ads

These tools may collect anonymous information regarding user activity on the website.

The store uses Google Consent Mode v2, which means that the operation of analytical and marketing tools depends on the user's consent provided through the cookie banner.

The user may change or withdraw consent at any time through the cookie settings available on the store website.

9. Data security

The controller applies appropriate technical and organizational measures ensuring the security of personal data, including:

• protection of IT systems against unauthorized access
• encrypted connections using SSL certificates
• regular backups
• access control to personal data

Personal data are not subject to automated decision-making producing legal effects concerning the customer.

10. User account

The customer may create a user account in the store in which the following information may be stored:

• address details
• order history
• shopping preferences

The customer may delete their account at any time by contacting the controller.

Deleting the account does not affect the legality of data processing carried out before its deletion.

11. Changes to the Privacy Policy

The controller may introduce changes to the Privacy Policy in the event of:

• changes in legal regulations
• introduction of new services or technologies
• introduction of new analytical or marketing tools
• the need to adapt the document to security requirements

The current version of the Privacy Policy is always available in the online store.

Changes take effect on the date of their publication.

12. Contact with the data controller

For matters related to personal data protection, the controller can be contacted at:

LABORATORY ANDRE ZAGOZDA PL SP. Z O.O.
Migdałowa 6
05-410 Józefów
Poland

or via e-mail:

office@andrezagozda.com

Józefów, 09.03.2026

LABORATORY ANDRE ZAGOZDA PL SP. Z O.O.
Controller of the LABORATORY ANDRE ZAGOZDA online store