Privacy Policy
IN THE VERSION EFFECTIVE FROM JANUARY 13, 2026
1. GENERAL PROVISIONS
- This Privacy Policy defines the rules for privacy protection (i.e., the rules for collecting, using, processing, and protecting) personal data of users ("Users") of the online store available at www.riskmadeinwarsaw.com (hereinafter referred to as: "Service"), owned by "RISK" S.A. with its registered office in Warsaw.
- The administrator of personal data of the Service users, within the meaning of Article 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR"), is "RISK" S.A. with its registered office in Warsaw, address: ul. Szpitalna 6A/11, 00-031 Warsaw, entered into the register of entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw in Warsaw, XII Commercial Division of the National Court Register under KRS number: 0000953550, NIP: 1132855615, REGON: 146129025, share capital: PLN 100,000.00, e-mail address: customercare@riskmadeinwarsaw.com, phone number: +48 22 490 20 51, owner of the Service, hereinafter referred to as the "Administrator".
- The Service Users are its clients, i.e., individuals using services provided by the Administrator through the Service, as defined in the Service Regulations ("Regulations"). This Privacy Policy is an integral part of the Regulations.
- All terms written with capital letters shall have the meanings assigned to them in the content of the privacy policy or relevant legal provisions, in particular the GDPR.
2. SCOPE OF COLLECTED DATA
- The Administrator collects and processes Users' personal data to the extent necessary to handle the order process, fulfill orders placed through the Service, register on the Service, or provide other electronic services specified in the Regulations, as well as to fulfill the Administrator's obligations arising from legal provisions.
- The scope of collected data includes: first name and last name, e-mail address, phone number, bank account number, delivery address comprising: street, postal code, city, country, IP address, date of birth. The scope of processed data depends on the type of service selected by the User and the scope of consents expressed by the User.
- If you are not older than 16 years of age, or if issues related to the technology used, in particular cookies, are unclear to you, you should not consent to their use.
3. PURPOSE AND LEGAL BASIS FOR DATA PROCESSING
-
The Administrator collects, uses, and processes Users' personal data for the following purposes and on the basis of the following legal grounds:
- for the purpose of registering and maintaining (including technical support for) the User's account on the Service based on Article 6(1)(b) of the GDPR – processing is necessary for the performance of a contract for the provision of electronic services in the form of maintaining a Customer Account in the Store, and personal data in the form of an email address will be processed for an indefinite period, but no longer than until the User's Account is deleted;
- for the purpose of fulfilling orders placed on the Service and handling any complaint procedures based on Article 6(1)(b) of the GDPR – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, and personal data in the form of first name and last name, delivery address, e-mail address, phone number will be processed for the time necessary to fulfill the order and conduct any complaint procedures;
- for the purpose of asserting claims and defending against claims based on Article 6(1)(f) of the GDPR, i.e., processing is necessary for the purposes of the legitimate interests pursued by the Administrator, which is the defense of the Administrator's interests against claims from Users and third parties, and personal data in the form of first name and last name, delivery address will be processed until the claims become time-barred according to the limitation period provided by law;
- in order to comply with legal obligations incumbent on the Administrator, based on Article 6(1)(c) of the GDPR in conjunction with Article 74 of the Accounting Act and other tax-related provisions, whereby personal data in the form of first name, last name, and delivery address will be processed for a period of five calendar years from the end of the calendar year in which the order was placed;
- with respect to Users' IP addresses, in order to comply with legal obligations incumbent on the Administrator, based on Article 6(1)(c) of the GDPR in conjunction with Article 24(2) of Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a single market for digital services and amending Directive 2000/31/EC (Digital Services Act), whereby personal data will be processed only for a period of 6 full calendar months from their collection;
- for the purpose of sending information about offers regarding the Administrator's products and services via email or to a phone number via SMS messages, solely based on Article 6(1)(a) of the GDPR, i.e., solely based on explicit consent, in connection with Article 398(1) of the Act of 12 July 2024, Electronic Communications Law, whereby personal data in the form of an email address or phone number will be processed until consent is withdrawn;
- for the purpose of providing the Newsletter service via email, solely based on Article 6(1)(a) of the GDPR, i.e., solely based on explicit consent, in connection with Article 398(1) of the Act of 12 July 2024, Electronic Communications Law, whereby personal data in the form of an email address will be processed until consent is withdrawn;
- for the purpose of sending birthday wishes along with personalized offers via email or to a phone number via SMS messages, solely based on Article 6(1)(a) of the GDPR, i.e., solely based on explicit consent, in connection with Article 398(1) of the Act of 12 July 2024, Electronic Communications Law, whereby personal data in the form of an email address or phone number and date of birth will be processed until consent is withdrawn;
- for the purpose of sending location-based personalized invitations to Administrator's events, solely based on Article 6(1)(a) of the GDPR, i.e., solely based on explicit consent, in connection with Article 398(1) of the Act of 12 July 2024, Electronic Communications Law, whereby personal data in the form of an email address or phone number and delivery address will be processed until consent is withdrawn;
- for the purpose of documenting expressed consent to data processing for the purposes described in points f - g above, based on Article 6(1)(c) - legal provision, and Article 6(1)(f) of the GDPR - legitimate interest pursued by the Data Administrator.
- The Administrator processes Users' personal data only for the purposes indicated above. In the case of processing data for purposes other than those described above, the Administrator will independently fulfill the information obligation based on Article 13 of the GDPR.
- Users' personal data will not be transferred to countries outside the European Economic Area (to countries other than European Union countries and Iceland, Norway, and Liechtenstein).
- The Administrator does not use automated decision-making mechanisms, including profiling.
- Providing data is voluntary, but necessary for the Administrator to provide services through the Service.
- We inform that personal data may be disclosed to third parties to the following extent:
- disclosed to data recipients providing services to the Data Administrator based on Article 28 of the GDPR – entrustment of personal data processing. Depending on the purpose of personal data processing, the categories of data recipients may include: IT infrastructure providers at the software and hardware level, website hosting providers;
- disclosed to data recipients cooperating with the Data Administrator. Depending on the purpose of personal data processing, the categories of recipients to whom personal data may be disclosed include entities operating in the areas of audits, postal services, courier services, law firms. We inform that after the disclosure of personal data, the recipient of the data to whom the data was disclosed becomes its Administrator;
- disclosed to data recipients who are public/state authorities. Depending on the purpose of personal data processing, the categories of data recipients may include such authorities as the Tax Office, Police, courts, the Personal Data Protection Office or other entities to whom the Data Administrator discloses personal data under applicable law. We inform that after the disclosure of personal data, the recipient of the data to whom the data was disclosed becomes its Administrator.
A list of entities to whom the Data Administrator discloses personal data is available upon request of the data subject.
- In the case of processing based on granted consent, the data subject has the right to withdraw the granted consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. Withdrawal of granted consent should be notified to the e-mail address: customercare@riskmadeinwarsaw.com.
- We inform that, in order to protect privacy and personal data, the Data Administrator has implemented appropriate technical and organizational measures to ensure the security of personal data processing.
4. USER RIGHTS
- Users' personal data is collected at the Administrator's registered office, i.e., at: "RISK" S.A., ul. Szpitalna 6A/11, 00-031 Warsaw.
- The User has the right to:
- access their personal data stored by the Administrator;
- request the rectification of personal data if they believe that the personal data stored by the Administrator is outdated, incomplete or untrue;
- request restriction of personal data processing;
- request erasure of personal data;
- object to the processing of personal data in cases specified in Article 21 of the GDPR;
- request the transfer of personal data to another personal data administrator, if technically possible;
- withdraw consent at any time if personal data is processed based on consent (without affecting the lawfulness of processing carried out based on consent before its withdrawal).
- The User may exercise the rights referred to in point 4 section 2 above by submitting an appropriate declaration of intent to the Administrator:
- personally at the Administrator's registered office ("RISK" S.A., ul. Szpitalna 6A/11, 00-031 Warsaw);
- by post to the above-mentioned address of the Administrator's registered office;
- by e-mail to the address: customercare@riskmadeinwarsaw.com;
- via the account panel held on the Service.
- The User also has the right to lodge a complaint with the supervisory authority for personal data protection, i.e., the President of the Personal Data Protection Office (PUODO).
- The Administrator has not appointed a Data Protection Officer.
5. TRANSFER OF DATA OUTSIDE THE EEA
- We inform that personal data may be transferred to a third country, i.e., outside the EEA. In the event of personal data transfer outside the European Economic Area, such transfer may only take place under the conditions set out in Chapter V of the GDPR:
- on the basis of Article 45 of the GDPR - transfers on the basis of an adequacy decision;
- on the basis of Article 46 of the GDPR - transfers subject to appropriate safeguards, including the use of standard data protection clauses adopted by the European Commission.
- We inform that the transfer of personal data outside the EEA may entail a risk of not ensuring sufficient security of personal data. In the event of a risk associated with the transfer of personal data outside the EEA, the data administrator provides such information in this Privacy Policy.
- We inform that the list of entities outside the EEA to whom the Data Administrator discloses personal data is available upon request of the data subject.
6. COOKIE MECHANISM
- The Service website uses text files called Cookies.
- Cookies are stored by the server on the User's computer.
- To use the Service, it is necessary to allow Cookies to be stored on the User's computer. Failure to permit may mean inability or difficulty in using the Service.
- Cookies are not used to collect User's personal data.
- Cookies do not change the configuration of the User's computer, are not used to install or uninstall any computer program, and do not interfere with the integrity of the User's system or data.
- The Administrator reserves the right to use the services of third parties to compile statistics on the use of the Service website. The Administrator declares that in such a case, no data identifying Users will be made available to such entities.
- External administrators ("Third-Party Partners") may also process your personal data if you grant appropriate consent to transfer your personal data to them via the cookie banner - therefore, before granting consent, please read their personal data processing rules under "fourth category – Marketing Cookies".
- The Service uses four types of cookies: (1) strictly necessary "session" (session cookies); (2) "analytical" (performance cookies); (3) "functional" (functional cookies); (4) marketing cookies (marketing cookies). Strictly necessary "session" cookies are temporary files stored on the User's end device until logging out (leaving the page). "Analytical" cookies allow for a better understanding of how the User interacts with the content of the Service website. They collect information about how the website is used, the type of page from which the User was redirected, and the number of visits and the duration of the User's visit to the Service. This information does not record specific personal data of the User but is used to compile statistics on the use of the Service website. "Functional" cookies are stored on the User's end device for a period specified in the cookie parameters or until they are deleted by the User.
- Marketing cookies are processed based on consent, which can be withdrawn at any time.
- Detailed rules for processing individual 4 (four) categories of cookies are presented below:
| Category | Name | Basis for Processing | Management | Purpose of processing |
|
Category One Objection to their processing will result in the inability to ensure the functioning of the Administrator's Service. |
Strictly Necessary – Session Cookies |
Necessity of processing for the performance of a contract or to take action at the Client's request – Article 6(1)(b) GDPR | Administrator | They are necessary for the Administrator's Service to function correctly. They are used to maintain the User's session while visiting the Service. They ensure proper display of the Service. They are used to identify the User's http session. They are common in all web applications to identify User requests during a session. They allow identification of the User's navigation status on the Service. |
|
Category Two The Service will function correctly, but the Administrator will lose the ability to optimize its services provided on the Service. |
Analytical Cookies | Legitimate interest of the Administrator – Article 6(1)(f) GDPR. |
Google Analytics – Third Party Administrator – in other respects |
The Administrator uses them to measure website traffic, evaluate the effectiveness of activities, and improve the functioning of the Service, as well as to prevent undesirable actions (e.g., bot traffic, threats to users with unwanted content). Regarding Google Analytics - they enable monitoring of the Service using Google Analytics, a service provided by Google Ireland Limited, with its registered office in Dublin, Ireland. They are used to obtain information about the User's access to the Service, e.g., to determine the number of visits to the website by the User, the date of the first and last visit, the duration of visits, the search engine the User used to access the Service, or the link that was used to redirect to the website. The Administrator has no control over the content and technical aspects of these files; they are determined and stored by Google Ireland Limited. Therefore, the Administrator recommends reviewing the Google Analytics privacy terms: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage. |
|
Category three The Service will function correctly, but the Administrator will lose the ability to optimize its services provided within the Service. |
Functional cookies | Legitimate interest of the Administrator – Art. 6(1)(f) GDPR. | Administrator. | These files remember your choices, providing more tailored services. Information collected by these types of cookies does not provide data about your activity on third-party partner websites. |
|
Category four Lack of consent to their processing will not prevent the Administrator and third-party partners from delivering personalized advertisements to the User. |
Marketing Cookies | Consent given by the User – Art. 6(1) and Art. 6(1)(a) GDPR. |
Google Ads – Third Party. Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland – Third Party. Criteo SA, Rue Blanche, 75009 Paris, France - Third Party. Administrator. Third party from the list of Third-Party Partners. |
The Administrator uses them to personalize advertisements displayed in the Service and on external websites, taking into account the User's actions and preferences within the Service, and to adapt the content of advertising messages to the Users' preferences. Regarding Google Ads - they enable monitoring of User activity in the Service using the Google Ads tool, which is a service provided by Google Ireland Limited, with its registered office in Dublin, Ireland. Regarding Meta Ads - they enable monitoring of User activity on the website and further analysis and measurements regarding offered products and provided services, as well as more effective outreach to people who may be interested in them. In the case of technologies based on tracking files, we are jointly responsible for the data collection and transfer process with Meta Platforms Ireland Limited (joint controllership). More information about how Meta Platforms Ireland Limited processes personal data, the legal basis, and ways to enforce the rights of data subjects against Meta can be found at: https://www.facebook.com/about/privacy. Regarding Criteo-Services - they enable monitoring of activity on the website and analyzing products the User is interested in. Criteo allows for matching advertisements to user preferences based on user activity within the service or third-party services, as well as the user's approximate location. The display of suggested advertisements is based on the Criteo algorithm. Based on your consent, the Administrator discloses data from this fourth category to a third party. The third party uses them to personalize advertisements displayed on the Service and external websites, taking into account the User's actions and preferences within the Service, and to adapt the content of advertising messages to Users' preferences. |
- 11. The User has the right to decide on the access of Cookies to their device by selecting them beforehand in the Cookies selection window on the Administrator's website. Editing Cookies consents is possible by: (1) using the "Cookie settings" function available on the Website, which allows editing expressed consents directly on the Administrator's Website; (2) by deleting Cookies or cache from the web browser, which results in the re-display of the Cookie banner and allows the User to re-select and change granted consents.
- 12. Additionally, Cookie management and settings can be adjusted in the web browser - check how to manage Cookies - instructions from web browser manufacturers:
7. IP ADDRESS
- The Administrator reserves the right to collect IP addresses of visitors to the Service website, which may be helpful in diagnosing technical problems with the server, creating statistical analyses (e.g., determining from which regions the most visits are recorded). Furthermore, they may be useful in administering and improving the Service's website.
- Users' IP addresses are also processed for the purpose referred to in point 3 section 1 lit. e above.
8. ACCESS TO THIRD-PARTY DATABASES
- Users' personal data will not be disclosed by the Administrator to other entities or third parties, except in cases where:
- The User consents to it (Art. 6(1)(a) GDPR);
- it is necessary for the provision of services by the Administrator through the Service, i.e., Users' personal data may be provided to entities such as Poczta Polska S.A. with its registered office in Warsaw, courier companies (DHL, DPD, In Post, Let’s Deliver), payment operators (PayU, PayPal). In this case, the Administrator only provides the personal data necessary for the provision of the aforementioned services. More information on how these entities use Users' personal data can be found in their privacy and cookie policies (Art. 6(1)(f) GDPR);
- it is necessary for fraud detection and prevention, as well as resolving other issues related to fraud, security, and technical matters (Art. 6(1)(f) GDPR);
- it is required by applicable law or a legitimate request from state institutions and judicial authorities (Art. 6(1)(c) GDPR).
- Additionally, the Administrator may share Users' personal data with entities it has authorized or entrusted with the processing of personal data, i.e.:
- providers of legal and advisory services in the event of the Administrator pursuing claims related to its business activities;
- providers of technical and organizational services enabling the Administrator to provide services through the Service;
- employees and collaborators.
9. SECURITY AND PROTECTION OF PERSONAL DATA
The Administrator declares that it processes Users' personal data in accordance with the requirements of the GDPR, the Act of 10 May 2018 on personal data protection (i.e., Journal of Laws of 2019, item 1781) and other applicable personal data protection regulations that supplement and/or implement the GDPR, including primarily that it applies technical and organizational measures ensuring the protection of processed data appropriate to the risks and categories of data covered by protection, and in particular protects Users' personal data against unauthorized disclosure, loss, or damage.
10. DISCLAIMER
This Privacy Policy does not cover any information regarding services or goods of entities other than the Administrator that have been placed on the Service's pages commercially, as guests, on a reciprocal basis, or not serving to achieve a commercial effect.
11. CONTACT US
Any additional questions related to the Privacy Policy should be directed to the Administrator's registered office (ul. Szpitalna 6A/11, 00-031 Warszawa) or to the email address: customercare@riskmadeinwarsaw.com.
12. CHANGES TO THE PRIVACY POLICY
- The Administrator reserves the right to make changes to the Privacy Policy if required by law or changes introduced in the Service. The Administrator will inform the User about the planned change and its effective date via the Service's website, Newsletter service, and for registered Users, information will also be placed through the Account.
- The User using the Service is bound by the current Privacy Policy.
- The date specified below is the effective date of the Privacy Policy in its latest version.
Date: 13.01.2026