Privacy policy

Effective date: March 11, 2026.

§ 1. General provisions

This Privacy Policy sets out the rules for processing and protecting the personal data of Customers using the online store available at www.santamadre.pl (hereinafter the "Online Store").
The Privacy Policy fulfils the information obligation of the data controller in accordance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

§ 2. Data controller

The data controller of the Online Store Customers' personal data is:

Sottio Sp. z o.o.
ul. Jana i Jędrzeja Śniadeckich 20D/7, 35-006 Rzeszów
E-mail: hello@santamadre.pl
Phone: +48 22 398 43 32

Sottio Sp. z o.o. is the exclusive and official distributor of Santa Madre products in Poland.

§ 3. Contact details

You can contact the Data Controller via:

  • e-mail: hello@santamadre.pl

  • in writing: ul. Jana i Jędrzeja Śniadeckich 20D/7, 35-006 Rzeszów

For returns and complaints, the Customer may also send products to the address:

SANTAMADRE – Returns
Łętownia 454, 37-312 Łętownia

§ 4. Principles of personal data processing

  1. The Controller processes personal data in accordance with legal provisions, including the GDPR.

  2. The Controller implements technical and organizational measures to ensure the protection of data against unauthorized access, loss, alteration or destruction.

  3. Providing data marked in the Store as required is voluntary but necessary to use the Store's functionalities, including creating an account and placing orders.

  4. The Customer may consent to receive commercial information from the Controller; this is voluntary and not a condition for order fulfillment.

§ 5. Purposes and legal bases for processing personal data

Customers' personal data are processed for the following purposes:

  1. Managing the Customer account in the Online Store (Art. 6(1)(b) GDPR)

  2. Order fulfillment and payment processing (Art. 6(1)(b) GDPR)

  3. Marketing of own products and services, as the Controller's legitimate interest (Art. 6(1)(f) GDPR)

  4. Responding to Customer inquiries submitted via the contact form (Art. 6(1)(a) GDPR)

  5. Processing returns and complaints (Art. 6(1)(c) GDPR)

  6. Running a newsletter, based on the Customer's consent (Art. 6(1)(a) GDPR)

  7. Traffic analysis and statistical research of the store, as the Controller's legitimate interest (Art. 6(1)(f) GDPR)

  8. Archival and evidential purposes, including for asserting or defending claims (Art. 6(1)(f) GDPR)

§ 6. Retention period of personal data

  1. Customer account data – for the period the account is maintained in the store and no longer than until deletion is requested.

  2. Data related to order fulfillment – for 5 years from the end of the year in which the sale was made, in accordance with tax regulations and the limitation period for claims.

  3. Marketing data – until consent is withdrawn.

  4. Data related to responses to inquiries – until consent is withdrawn or the processing purpose is achieved.

  5. Data relating to returns and complaints – for 5 years from the end of the year in which the matter was resolved.

  6. Statistical and analytical data – until an objection is raised, no longer than 26 months from the last activity.

§ 7. Categories of personal data

The Controller collects and processes, among others:

  • Personal data related to account and order: first name, last name, email address, phone number, delivery address; in the case of companies, also company name and tax identification number (NIP).

  • Newsletter data: email address.

  • Contact form data: name and email.

  • Automatically collected data: IP address, browser type, language, device, screen resolution, time spent on the site, request URL and other telemetry data.

§ 8. Cookies

  1. The Store uses cookies to:

    • maintain the Customer's session,

    • personalize content,

    • carry out statistics and traffic analysis,

    • remarketing via Google Ads and Facebook Pixel.

  2. The Customer can change browser cookie settings or delete them entirely.

  3. Detailed information about cookies and how to block them is available in the browser documentation.

§ 9. Data sharing

Customers' personal data may be disclosed to:

  • entities providing logistics, courier and postal services,

  • electronic payment operators (including Shopify Payments),

  • providers of accounting, hosting, analytics, marketing and design services,

  • other entities authorized under legal provisions.

§ 10. Customers' rights

The Customer has the right to:

  1. Access their data, rectification, erasure or restriction of processing.

  2. Object to the processing of data based on the Controller's legitimate interest.

  3. Withdraw consent to data processing at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

  4. Data portability, including receiving data in a machine-readable format.

  5. Lodge a complaint with the supervisory authority for personal data protection.