1. Data controller

The controller of your personal data is:

The Controller has not appointed a Data Protection Officer. For matters relating to personal data protection, please contact the Controller directly.

2. What personal data do we process?

The scope of data depends on how you use the store. In particular, we may process:

• identification and contact data — first name, last name, email address, phone number, delivery address and billing address,
• order data — order number, purchased products, size, variant, price, payment method, order status and order history,
• payment data — payment status, transaction identifiers and information needed to process and settle payments; we do not store full payment card details,
• delivery data — data needed to ship the order, selected delivery method, tracking number and information provided by the carrier,
• returns and exchanges data — order number, request number, selected product, reason for return or exchange, preferred settlement method, data needed to issue a refund, bank account number for bank transfer refunds and return shipment tracking number,
• complaint data — order number, description of the reported issue, date when the issue was noticed, product photos submitted as part of the report, complaint correspondence and information needed to assess the case,
• customer account data — login data, order history, saved addresses and account preferences, if the customer has an account in the store,
• communication data — content of email messages, contact forms, chat messages, social media messages or other communications with the store,
• technical and analytical data — IP address, cookie identifiers, device information, browser, operating system, store activity, traffic source and information about how the store is used,
• marketing data — email address, marketing consents, newsletter subscription information, email activity and data used for analytics or remarketing, where appropriate consent has been given or where permitted by law.

3. Where do we obtain data from?

• directly from you — when you place an order, create an account, contact us, subscribe to the newsletter, request a return, exchange or complaint,
• automatically — when you use the store and the website stores cookies or similar technologies,
• from entities supporting the store — from payment operators, carriers, return tools, store technology providers and technical service providers, only to the extent necessary to handle orders, payments, delivery, returns, exchanges, complaints or store operations.

4. Purposes and legal bases for processing

We process your personal data for the following purposes and on the following legal bases:

Order

placing and fulfilling an order — Article 6(1)(b) GDPR, meaning performance of the sales contract.

Payments

payment processing — Article 6(1)(b) GDPR and Article 6(1)(c) GDPR where processing is required by accounting or tax obligations.

Delivery

order delivery — Article 6(1)(b) GDPR.

Returns and exchanges

handling returns and exchanges — Article 6(1)(b) GDPR and Article 6(1)(f) GDPR, meaning our legitimate interest in properly handling requests and preventing abuse.

Complaints

handling complaints — Article 6(1)(c) GDPR where processing results from the seller’s legal obligations, and Article 6(1)(f) GDPR for establishing, pursuing or defending claims.

Contact

customer contact and handling inquiries — Article 6(1)(b) GDPR or Article 6(1)(f) GDPR, depending on the nature of the matter.

Customer account

maintaining a customer account — Article 6(1)(b) GDPR.

Accounting

issuing invoices, keeping accounting records and fulfilling tax obligations — Article 6(1)(c) GDPR.

Security

ensuring store security, preventing abuse and protecting claims — Article 6(1)(f) GDPR.

Marketing

sending newsletters and marketing communications — Article 6(1)(a) GDPR, where you have given consent.

Analytics and remarketing

analytics, statistics, improving store performance and remarketing — Article 6(1)(f) GDPR or Article 6(1)(a) GDPR, where a specific technology requires consent via the cookie banner.

5. Orders and payments

The karolshoes.com store operates on the Shopify e-commerce platform. In order to process an order, we process personal data necessary to conclude and perform the sales contract, including customer identification data, contact details, billing details, delivery details, ordered products, product size, payment method, order status and order history.

The store may offer different payment methods depending on the customer’s country, currency and checkout availability. These may include, in particular: payment card, American Express, Visa, Mastercard, Maestro, Union Pay, Apple Pay, Google Pay, Shop Pay, PayPal, Klarna, Bancontact, BLIK, iDEAL/Wero and other payment methods displayed at checkout.

Payment data is processed by Shopify and by the relevant payment service providers only to the extent necessary to complete, secure, confirm and settle the transaction. We do not store full payment card details on our own systems.

Some payment providers may act as independent controllers of personal data for their own legal, regulatory, anti-fraud, accounting or payment processing purposes. In such cases, the processing of personal data may also be governed by the privacy policies of those providers.

6. Order delivery

To deliver your order, we provide the data necessary for shipment to the selected carrier, courier company or logistics operator.

Delivery data may include your first and last name, address, phone number, email address, order number, shipment details and tracking number.

For international orders, data may also be processed by customs authorities, postal operators or logistics partners where this is necessary for delivery, customs clearance or compliance with legal requirements.

7. Returns and exchanges

Returns and exchanges in the KarolShoes store may be handled through the returns and exchanges portal available at:

https://karolshoes.com/apps/returns-exchanges

As part of handling a return or exchange, we may process the order number, email address, phone number, selected product, reason for the request, preferred settlement method, return shipment tracking number, bank account number for bank transfer refunds and additional information provided by the customer.

The customer arranges and pays for return shipping unless otherwise agreed or required by applicable law. We recommend using a tracked shipping method and keeping the tracking number until the return or exchange is completed.

8. Complaints

Complaints are handled by email at:

info@karolshoes.com

As part of a complaint, we may process the order number, contact details, description of the issue, date when the issue was noticed, product photos, correspondence with the customer and information needed to assess the case and potentially repair, replace, reduce the price or refund the product.

Complaint data is processed to fulfil the seller’s obligations, handle the request and protect possible claims.

9. Contact with the store

If you contact us by email, phone, contact form, chat or social media, we process the data needed to handle your message and provide a response.

This data may include your first and last name, email address, phone number, message content, order data and other information that you voluntarily provide in correspondence.

10. Newsletter, marketing communication and advertising tools

If you subscribe to our newsletter, consent to marketing communication, interact with our advertisements or use our store, we may process data for marketing, analytics and advertising purposes, where permitted by law or where you have given the required consent.

For these purposes, we may use tools such as Shopify marketing and customer communication tools, Google Tag Manager, Google Analytics 4, Google Ads conversion tracking, Google Ads remarketing and Meta advertising technologies, including Meta Pixel. These tools may help us measure store traffic, understand customer behaviour, analyse sales performance, measure advertising effectiveness, prevent duplicated tracking and display more relevant advertising content.

The data processed for marketing and analytics purposes may include cookie identifiers, device and browser information, IP address, approximate location, source of visit, viewed products, cart activity, checkout activity, purchase events, transaction value, currency, product identifiers, email interaction data and consent status.

We do not use this data to make decisions based solely on automated processing that would produce legal effects concerning you or similarly significantly affect you. Marketing and analytics data may, however, be used to create audience groups, measure conversions, optimise campaigns and display remarketing ads.

You can withdraw your consent to newsletter or marketing communication at any time by clicking the unsubscribe link in an email message or by contacting us at info@karolshoes.com. You can also manage cookie and tracking preferences through the cookie preferences tool available in the store, where applicable.

Withdrawal of consent does not affect the lawfulness of processing carried out before the consent was withdrawn.

11. Who may receive your personal data?

We share personal data only where it is necessary to operate the store, fulfil orders, process payments, deliver products, handle returns, exchanges and complaints, provide customer support, perform accounting and tax obligations, maintain store security, measure performance, conduct marketing activities or comply with legal obligations.

We do not sell customers’ personal data. We only share personal data with service providers, partners or authorities where this is necessary for the purposes described in this Privacy Policy or required by applicable law.

12. Transfers outside the European Economic Area

Because the karolshoes.com store uses international technology, payment, analytics, advertising, logistics and customer support providers, personal data may be transferred outside the European Economic Area, including in particular to Canada, the United States or other countries where our service providers or their subprocessors operate.

Such transfers may occur in connection with the use of Shopify, payment providers, analytics tools, advertising platforms, email services, customer support tools, logistics providers, security systems or other technical providers necessary to operate the store.

Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards required by applicable data protection laws, including adequacy decisions, standard contractual clauses, data processing agreements or other legal transfer mechanisms provided under the GDPR.

Some third-party providers may also process personal data as independent controllers for their own purposes, for example payment processing, fraud prevention, advertising measurement, platform security or legal compliance. In such cases, their own privacy policies may also apply.

13. How long do we store data?

We store data only for the period necessary to fulfil the purpose for which it was collected, and then for the period required by law or needed to protect claims.

• order, payment, invoice and accounting data — for the period required by tax and accounting laws and until the limitation period for claims expires, generally up to 6 years,
• returns, exchanges and complaint data — for the period necessary to handle the request and until the limitation period for possible claims expires,
• customer account data — for the period during which the account is maintained, and after deletion only to the extent necessary for settlements, legal obligations or claim protection,
• correspondence data — for the period needed to handle the case, and then for the period required to protect possible claims,
• marketing data — until consent is withdrawn, the user unsubscribes from the newsletter or objects to processing,
• cookie and analytics data — according to the lifespan of the specific cookie, tool settings or until consent is withdrawn, where consent is required.

14. Cookies and similar technologies

The store uses cookies and similar technologies, including pixels, tags, local storage and event tracking technologies. These technologies may be used by us and by selected third-party providers.

Cookies and similar technologies may be used in particular to:

• ensure the proper operation of the store, cart, checkout, customer account and language or currency settings,
• remember user preferences such as country, language, currency and cookie choices,
• measure traffic, store performance, product views, cart activity, checkout activity and completed purchases,
• analyse customer behaviour and improve the structure, content and performance of the store,
• measure the effectiveness of Google Ads, Meta Ads and other advertising campaigns,
• support conversion tracking, remarketing and advertising audience creation,
• detect errors, prevent abuse, improve security and protect the store from fraud.

Some cookies are strictly necessary for the technical operation of the store and cannot be disabled through our systems. These include cookies required for the shopping cart, checkout, payment process, security, customer account login, language, region and cookie preference management.

Analytical and marketing cookies, including technologies related to Google Analytics 4, Google Ads, Google Tag Manager and Meta advertising tools, are used according to your cookie consent settings, where such consent is required by applicable law.

You can manage your cookie preferences through the cookie preferences tool available in the store or through your browser settings. Blocking certain cookies may affect the functionality of the store, including checkout, language, currency or personalization features.

15. Profiling and automated decisions

We do not make decisions about customers based solely on automated data processing that would produce legal effects or similarly significantly affect the customer.

However, we may use profiling to a limited extent, for example to analyse interest in products, remind users about abandoned carts, tailor marketing communication or run remarketing. Such activities are carried out based on the Controller’s legitimate interest or consent, where consent is required.

16. Is providing data mandatory?

Providing data necessary to place and fulfil an order is voluntary, but necessary to conclude and perform the sales contract.

Providing data for returns, exchanges or complaints is voluntary, but may be necessary to properly handle the request.

Providing data for the newsletter or marketing activities is voluntary.

17. Your rights

In connection with the processing of personal data, you have the following rights:

• the right to access your data,
• the right to rectify your data,
• the right to erase your data,
• the right to restrict processing,
• the right to data portability,
• the right to object to data processing,
• the right to object to direct marketing,
• the right to withdraw consent where processing is based on consent,
• the right to lodge a complaint with the President of the Personal Data Protection Office.

You can send requests concerning your rights to: info@karolshoes.com.

For security reasons, we may ask for additional information to confirm the identity of the person making the request.

18. Complaint to the supervisory authority

If you believe that we process your personal data unlawfully, you have the right to lodge a complaint with the President of the Personal Data Protection Office in Poland.

19. Data security

We use technical and organisational measures appropriate to the risks associated with personal data processing, including system access safeguards, transmission encryption, permission control and verified technology providers.

However, please remember that no IT system or data transmission over the Internet can guarantee complete security.

20. Children’s data, external links and policy changes

Children’s data

The karolshoes.com store is not directed at children. We do not knowingly collect personal data of minors without the consent of a legal guardian.

If we learn that we have received a child’s data without the required consent, we will take steps to delete it unless further storage is required by law.

Links to external websites

The store may contain links to external websites, for example payment operators, carriers, social media platforms or Google Maps.

After visiting an external website, data processing may take place according to the privacy policy of that entity. We recommend reviewing the privacy rules of those services.

Changes to this Privacy Policy

We may update this Privacy Policy, in particular in the event of changes in law, technology, tools used in the store or the way we handle orders, returns, exchanges and complaints.

The current version of the Privacy Policy is always published on the store website.

21. Contact regarding privacy matters

For matters concerning personal data, contact us: