Privacy Policy

Effective date: February 1, 2026

1. Introduction

This Privacy Policy explains how Maciej Włodarczak Komba (ul. Bławatkowa 11, 62-080 Tarnowo Podgórne, Poland) – hereinafter the "Controller" – collects, uses, and protects the personal data of users of the website https://komba.pl. We are committed to safeguarding your privacy and ensuring the security of your personal data in compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. This document provides the information required by Articles 13 and 14 of the GDPR, including the purposes and legal bases of processing, data recipients, data subject rights, data retention periods, as well as other relevant privacy information. Please read this Policy carefully. We may update its contents from time to time; any significant changes will be communicated through appropriate channels (e.g. a notice on our website or via email).

2. Data Controller

The Data Controller of your personal data is Maciej Włodarczak, conducting business under the name Maciej Włodarczak Komba (VAT ID (NIP): PL7772882191, Business Registration No. (REGON): 300831750), with the registered address at ul. Bławatkowa 11, 62-080 Tarnowo Podgórne, Poland. For any questions or requests regarding your personal data, you can contact the Controller via email at kontakt@komba.pl. (At this time, no Data Protection Officer has been appointed, so please direct any data protection inquiries to the Controller's contact information above.)

3. Purposes and Legal Bases for Processing

We process personal data only for specific purposes and in accordance with the legal grounds provided by the GDPR. Below we outline the contexts in which we collect personal data:

Contact Form

Data: name, email address, phone number (optional), and the content of your message.

Purpose: to allow you to contact us and for us to respond to your inquiry or request for information.

Legal Basis: the Controller's legitimate interest in responding to inquiries and maintaining business communication (Article 6(1)(f) GDPR).

Providing this data is voluntary, but necessary to initiate contact – without it we would not be able to respond to your message.

Newsletter (Mailing List)

Data: email address (and your name if you choose to provide it, for personalization).

Purpose: to send our email newsletter containing updates, news, offers or promotions related to our services (direct marketing of our own services).

Legal Basis: your consent (Article 6(1)(a) GDPR), given when you subscribe to the newsletter.

Providing an email for the newsletter is voluntary. You can withdraw your consent at any time (for example, via the "unsubscribe" link in each newsletter email), and we will stop sending you the newsletter.

Orders and Online Service Sales (B2C/B2B)

Data: first and last name; email address; billing address and/or delivery address; phone number; company details for invoices (company name, VAT number if applicable); and payment-related information (such as the chosen payment method and transaction ID – note: we do not collect or store full payment card numbers or bank account numbers; payments are processed securely by an external payment provider).

Purpose: to conclude and perform a contract for sale or provision of services, process payments, deliver the purchased service/product, provide customer service related to the order, and fulfill legal obligations such as issuing invoices and keeping accounting records.

Legal Bases: processing is necessary for the performance of a contract (Article 6(1)(b) GDPR); additionally, compliance with legal obligations (Article 6(1)(c) GDPR) – for example, our obligation to issue and store invoices, comply with tax and accounting laws.

Providing the personal data required to place an order is a contractual requirement – without this information, we cannot process your purchase or provide the service.

Data Collected Automatically (Cookies and Analytics)

Data: IP address, cookie identifiers, device and browser information (type, operating system), and usage data about your activity on our site (such as pages viewed, clicks, time spent on the site, etc.).

Purposes: to ensure the proper functioning and security of the website (essential technical cookies), to analyze site traffic and user behavior for statistical purposes (e.g. via Google Analytics), and to support our marketing efforts, including remarketing – showing you targeted ads for our services on other platforms (such as Google Ads or Facebook). We also use Google Tag Manager (GTM), a technical tool for managing analytics and marketing scripts. GTM itself does not collect personal data, but it enables the loading of other tools (e.g., Google Analytics, Google Ads) that may do so – in accordance with the consent given by the user.

Legal Bases: the Controller's legitimate interests (Article 6(1)(f) GDPR) for processing data that is essential for the operation and security of the site (e.g. necessary cookies, server logs, GTM as a technical container), and consent (Article 6(1)(a) GDPR) for using analytics and marketing cookies or similar technologies.

Online Chat (Live Chat) – Planned Feature

Data: the content of the chat conversation, any contact details you provide via chat (such as your name, email address or phone number), your IP address, and any technical identifiers needed to provide the chat service.

Purpose: to provide real-time communication with users for customer support, sales inquiries, or general questions.

Legal Basis: your consent (Article 6(1)(a) GDPR), inferred from initiating the chat and providing data in the chat window, or our legitimate interest (Article 6(1)(f) GDPR) in offering efficient customer service.

Chat conversations may be stored for a limited period (e.g. up to 3–6 months) for quality assurance and training purposes.

4. Data Recipients

In the course of operating our service and fulfilling orders, we may share your personal data with the following categories of recipients:

Payment Processor: PayU S.A. (ul. Grunwaldzka 186, 60-166 Poznań, Poland) – necessary data for processing the payment.
Hosting Provider: SEOHOST Sp. z o.o. (ul. Obornicka 330, 60-689 Poznań, Poland) – hosts our website and email servers.
Analytics and Advertising Partners: e.g. Google Ireland Ltd. (for Google Analytics and Google Ads), Meta Platforms Ireland Ltd. (for Facebook/Meta Pixel).
Marketing/IT Service Providers: trusted partners who assist us in our business operations, marketing, or technology support, e.g. Pineberry IT.
Professional Advisors: accountants, auditors, legal advisors if data is necessary for them to provide their services.
Public Authorities: if required by law, we may share data with government or regulatory bodies.

Each third-party that processes personal data on our behalf does so under a contract and is obligated to implement appropriate security measures. We do not sell personal data to third parties.

5. Data Transfers Outside the EEA

We primarily process data within the European Economic Area (EEA). However, some of our service providers may be located outside the EEA or may store data on servers outside the EEA (for example, the United States). This notably concerns providers like Google or Meta (Facebook).

When personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place as required by GDPR to protect the data. Such safeguards may include:

Relying on countries that have been deemed adequate by the European Commission;
Using Standard Contractual Clauses (SCCs) adopted by the European Commission;
Implementing additional technical and organizational measures as needed.

You may contact us if you would like more information about data transfers outside the EEA or to obtain a copy of the relevant safeguards in place.

6. Data Retention Periods

We retain personal data only for as long as it is necessary to fulfill the purposes for which it was collected, or to comply with legal or contractual obligations:

Contact and Inquiry Data: up to 1 year after resolving the inquiry for record-keeping purposes.
Newsletter Subscription Data: until you unsubscribe or withdraw your consent.
Order and Customer Data:
- Transaction records and invoicing data: 5 years after the end of the financial year;
- Data for legal claims purposes: until the statute of limitations expires (generally 6 years).
Chat Transcripts: up to 6 months after the chat for quality assurance.
Analytics Data (Cookies): typically 26 months or until cookies are deleted by the user.
Server Logs: typically 30 days.

After the applicable retention period expires, personal data is either securely deleted or irreversibly anonymized.

7. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies:

Essential Cookies: necessary for the website to function correctly. They are used based on our legitimate interest and do not require consent.
Analytics Cookies: collect information about how visitors use our site (e.g. Google Analytics). Set only with your consent.
Marketing and Remarketing Cookies: used to track activity and deliver relevant ads (e.g. Facebook Pixel, Google Ads). Set only with your consent.

Upon your first visit to our site, you will see a cookie consent banner where you can choose which non-essential cookies to accept. You can always change or withdraw your consent later through your browser settings.

8. Automated Decision-Making and Profiling

We do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you, as defined in Article 22 GDPR.

However, we may perform profiling in the context of our marketing activities to tailor marketing messages or offers you receive. Any profiling we do is solely for direct marketing purposes and does not result in any discriminatory outcomes.

You have the right to object at any time to the processing of your personal data for direct marketing, including any related profiling.

9. Your Rights as a Data Subject

Under the GDPR, you have various rights regarding your personal data:

Right of Access – obtain confirmation whether we are processing your personal data and receive a copy of the data (Article 15 GDPR).
Right to Rectification – have inaccurate personal data corrected (Article 16 GDPR).
Right to Erasure ("Right to be Forgotten") – request deletion of your personal data in certain circumstances (Article 17 GDPR).
Right to Restriction of Processing – request the restriction of your data processing in certain cases (Article 18 GDPR).
Right to Data Portability – receive your data in a structured, machine-readable format (Article 20 GDPR).
Right to Object – object to processing based on our legitimate interests or for direct marketing (Article 21 GDPR).
Right to Withdraw Consent – if processing is based on consent, you can withdraw it at any time (Article 7(3) GDPR).

To exercise any of your rights, you may contact us via email at kontakt@komba.pl or in writing to our postal address. We will respond to your request without undue delay, and in any event within one month of receipt.

10. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office (PUODO).

Contact: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland; website: https://uodo.gov.pl

11. Final Provisions

This Privacy Policy is effective as of February 2026 and will remain in effect until superseded by a new version. We may modify this Policy from time to time, for example if there are changes in the law or in our practices. We will notify users of any material changes by appropriate means.

This Policy is drawn up in both Polish and English languages. In case of any discrepancies or inconsistencies between the two versions, the Polish version shall prevail.

If you have any questions or concerns about this Privacy Policy or how we handle your data, feel free to contact us at kontakt@komba.pl.