Effective from: 21.11.2025
Last updated: 22.11.2025
INTRODUCTION
This Privacy Policy defines the rules for processing personal data of persons using the Online Shop available at cozypixel.shop (hereinafter: Shop), including persons purchasing E-books.
The Policy has been developed in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR), as well as other relevant laws of the Republic of Poland, in particular the Act on Competition and Consumer Protection and the Act on Providing Services by Electronic Means.
§ 1. PERSONAL DATA CONTROLLER
1.1. Controller's data
The controller of personal data, i.e., the entity responsible for processing your personal data, is:
Correspondence address: contact@cozypixel.shop
Email address: contact@cozypixel.shop
Status: Natural person conducting unregistered activity
1.2. Data Protection Officer
At present, the Controller has not appointed a Data Protection Officer (DPO). The duties usually performed by the DPO are performed directly by the Controller.
In case of questions regarding personal data processing or exercising your rights, please contact the Controller directly at the email address: contact@cozypixel.shop
§ 2. TYPES OF PROCESSED PERSONAL DATA
The Controller processes the following categories of personal data:
2.1. Identification and contact data
- Name and surname
- Email address
- Phone number (optional)
- Delivery address (in case of promotions or communication)
- Country of origin
2.2. Purchase data
- Transaction history
- Purchases made
- Date and time of purchase
- Payer data (indirectly, through payment operators)
- Expressed preferences regarding E-books
2.3. Technical data
- IP address
- Information about web browser and its version
- Device operating system
- Device information (brand, model)
- Cookies
- Data on clicks and navigation on the site
- Time spent on individual subpages
2.4. Behavioral data
- Product browsing history
- Products stored in the cart
- Preferences regarding E-book types
- Interests and product categories
2.5. Marketing data
- Consents to receive marketing messages
- Marketing correspondence history
- Information about opened emails
- Clicks in messages (if tracking is enabled)
2.6. Communication data
- Content of emails sent to the Controller
- Content of conversations via contact form
- Date and time of communication
- Reason for contact
2.7. Complaint and return data
- History of reported problems
- Content of complaints
- Attached evidence (screenshots, files)
- Complaint handling history
Important: The Controller does not process sensitive data (Art. 9 GDPR) such as data revealing racial origin, political opinions, religious beliefs, trade union membership, or health data, unless the user voluntarily discloses them in communication with the Controller.
§ 3. LEGAL BASES FOR DATA PROCESSING
Personal data processing by the Controller is based on the following legal grounds:
3.1. Performance of contract (Art. 6(1)(b) GDPR)
Processed data is necessary for:
- Concluding and performing the E-book Sales Contract
- Order fulfillment and E-book delivery
- Sending purchase confirmation
- Payment processing
- Handling complaints and returns
Entities receiving data on this basis: Payment operators (e.g., Przelewy24, PayU, Stripe, PayPal), email service providers
3.2. Legal obligation (Art. 6(1)(c) GDPR)
Processed data is necessary for:
- Fulfilling tax obligations
- Keeping sales records (if applicable)
- Fulfilling consumer protection obligations
- Storing documentation in accordance with legal requirements
Retention periods: Data is stored for the period required by law
3.3. Consent (Art. 6(1)(a) GDPR)
Data processing based on consent occurs in case of:
- Subscribing to the newsletter
- Consenting to receive promotions and marketing messages
- Consenting to offer personalization
- Other purposes for which the user has given explicit, voluntary, and informed consent
Features of valid consent:
- Voluntary – no obligation to consent
- Informed – the person knows what they are consenting to
- Unambiguous – no pre-ticked boxes (checkboxes)
- Documentable – the Controller can prove consent was given
- Revocable – the person can withdraw consent at any time
3.4. Legitimate interest (Art. 6(1)(f) GDPR)
Data processing based on the Controller's legitimate interest occurs for the purpose of:
- Preventing fraud and unfair actions
- Monitoring Shop security
- Analyzing and improving services
- Keeping statistics and analyses
- Personalizing user experience based on browsing history
Balancing Controller's interest with rights of data subjects:
- The Controller always takes into account users' reasonable expectations
- The Controller ensures transparency through this Privacy Policy
- The user has the right to object to such processing
§ 4. DATA PROCESSING PURPOSES
4.1. Primary purpose: Sales contract execution
Data is processed mainly to:
- Conclude the E-book Sales Contract
- Perform Controller's obligations resulting from the concluded contract
- Deliver the E-book to the indicated email address
- Send purchase confirmation and invoice
- Process payments
4.2. Customer service and communication
Data is processed to:
- Respond to customer inquiries
- Provide technical support
- Handle complaints and claims
- Send important information regarding the order
- Inform about changes to the Privacy Policy or Regulations
4.3. Marketing and promotional communication
Data is processed to:
- Send promotional materials (with consent)
- Inform about new E-books
- Offer special discounts for existing customers
- Personalize offers based on purchase history
- Conduct marketing campaigns
4.4. Security and fraud protection
Data is processed to:
- Prevent fraud and unfair activities
- Detect and prevent actions inconsistent with Regulations
- Protect Controller's property rights
- Monitor Shop security
- Analyze transaction anomalies
4.5. Service improvement and analytics
Data is processed to:
- Analyze user behavior
- Improve Shop functionality
- Conduct research and statistical analysis
- Optimize user experience
- Improve E-book quality and offer
4.6. Fulfilling legal obligations
Data is processed to:
- Fulfill tax obligations
- Keep sales records
- Fulfill consumer protection requirements
- Respond to public authority requests (if required by law)
§ 5. DATA RETENTION PERIOD
5.1. Transaction data
Data necessary for sales contract execution is stored for the contract performance period and for a period of:
6 years – due to tax obligations (if applicable)
After this period, data is deleted unless law requires longer retention
5.2. Complaint data
Complaint data is stored for a period of:
1 year from the complaint resolution date
After this period, data is deleted
5.3. Marketing data
Data for marketing purposes based on consent is stored until consent withdrawal.
After consent withdrawal, data is immediately removed from mailing lists.
Historical transaction data (necessary for contract execution) is stored in accordance with § 5.1
5.4. Technical data and cookies
Technical data (IP, browser information) is stored for a period of 12 months.
Cookies are stored for the period specified in cookie settings.
After this period, data is automatically deleted.
5.5. Data in case of dispute
If court or administrative proceedings concerning the relationship between the Controller and the user are initiated, data is stored for the entire duration of the proceedings and for a period of:
3 years from the conclusion of the proceedings
5.6. Data deletion on request
If the basis for data processing was user consent, data may be deleted on request within 30 days from receiving the request (unless law requires further retention).
§ 6. DATA RECIPIENTS
Personal data may be shared with the following categories of recipients:
6.1. Technical service providers
- E-commerce platforms (e.g., Ecomfly, Shopify, WooCommerce) – to provide hosting and shop management services
- Payment operators (e.g., Przelewy24, PayU, Stripe, PayPal, iDEAL) – to process payments
- Email service providers (e.g., Zoho Mail, Google Workspace, O2) – to send emails
- Analytics service providers (e.g., Google Analytics) – to analyze site traffic
6.2. Public authorities
Data may be disclosed to public authorities (e.g., tax offices, competition protection authorities) if required by law.
6.3. Security entities
Providers of services protecting against fraud and cyber threats.
6.4. Subcontractors and partners
Entities providing services to the Controller (e.g., accounting firms, legal advisors) – based on data processing agreements.
6.5. International transfers
Some of the recipients listed above may be located outside the European Union. In such a case, the Controller guarantees that the data transfer takes place in accordance with GDPR requirements:
- European Commission Decisions (Standard Contractual Clauses – SCCs)
- Certified Privacy Shield (if available)
- User consent
- Other mechanisms approved by GDPR regulations
§ 7. DATA SECURITY
The Controller has implemented appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, loss, or destruction:
7.1. Technical measures
- SSL/TLS encryption – all connections between user browser and server are encrypted
- Firewall – server protection against unauthorized access
- Antivirus and antimalware – regular system scanning
- Backups – regular data backups performed
- Security monitoring – 24-hour system monitoring
- Software updates – regular updates of server software and applications
- Payment data tokenization – if card data is processed, it is not stored on Controller's server
7.2. Organizational measures
- Access control – only authorized persons have access to personal data
- Confidentiality agreements – persons with data access are obliged to keep it confidential
- Security training – personnel regularly trained in data security
- Security policy – data security policy is implemented
- Incident response procedures – Controller has procedures for responding to data security breaches
7.3. Security limitations
Despite implementing high security standards, no security is 100% foolproof. The Controller does not guarantee the security of data transmitted via the Internet, nor that unauthorized persons will not be able to access data through unknown or uncontrollable means.
§ 8. RIGHTS OF DATA SUBJECTS
Every person whose personal data is processed by the Controller has the right to:
8.1. Right of access (Art. 15 GDPR)
You have the right to request access to your personal data. The Controller, upon request, will provide you with a copy of processed data in an understandable form.
How to exercise:
Send an email to: contact@cozypixel.shop
Subject: "Request for access to personal data"
Provide your identification data
Response time: Up to 30 days from receiving request
Cost: Free, unless requests are evidently unfounded or excessive
8.2. Right to rectification (Art. 16 GDPR)
You have the right to rectify inaccurate, incomplete, or incorrect personal data.
How to exercise:
Log in to your Account and change data
Or send an email requesting rectification
Response time: Immediately, no later than within 30 days
8.3. Right to erasure (Art. 17 GDPR – "Right to be forgotten")
You have the right to request erasure of your personal data if:
- Data is no longer necessary for purposes for which it was processed
- You withdrew consent on which processing was based
- You object to data processing
- Data was processed unlawfully
- There is a legal obligation to erase data
Limitations:
Right to erasure does not apply if data is necessary for:
- Fulfilling legal obligations
- Establishing, exercising, or defending legal claims
- Sales contract execution
How to exercise:
Send an email: contact@cozypixel.shop
Subject: "Request for personal data erasure"
Response time: Up to 30 days from receiving request
8.4. Right to restriction of processing (Art. 18 GDPR)
You have the right to request restriction of data processing if:
- You question data accuracy (data will be stored but not processed)
- Processing is unlawful but you do not want data erased
- The Controller no longer needs the data, but you need it to establish, exercise, or defend claims
- You filed an objection to processing
How to exercise:
Send an email: contact@cozypixel.shop
8.5. Right to data portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used format (e.g., CSV, JSON) and the right to transfer this data to another controller.
How to exercise:
Send an email request: contact@cozypixel.shop
Format: Controller will provide data in human and machine-readable format
8.6. Right to object (Art. 21 GDPR)
You have the right to object to personal data processing if:
- Processing is based on Controller's legitimate interest
- Data is processed for marketing purposes
Objection to marketing:
After expressing objection, data will not be processed for marketing purposes.
You can unsubscribe from the mailing list by clicking the "Unsubscribe" link in every email.
Or send an email: contact@cozypixel.shop
How to exercise:
Send an email request: contact@cozypixel.shop
8.7. Right to withdraw consent (Art. 7 GDPR)
If data processing was based on your consent, you have the right to withdraw this consent at any time.
Consent withdrawal:
- Does not affect lawfulness of processing before withdrawal
- Withdrawn consent cannot be basis for further processing
- After consent withdrawal, Controller immediately ceases processing
How to exercise:
Send an email: contact@cozypixel.shop
Subject: "Withdrawal of consent for data processing"
8.8. Right to lodge a complaint
If you believe the Controller violates your rights under GDPR, you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO):
Personal Data Protection Office
Address: ul. Stawki 2, 00-193 Warsaw
Phone: (22) 531-03-00
Email: uodo@uodo.gov.pl
Website: www.uodo.gov.pl
§ 9. COOKIES
9.1. What are cookies
Cookies are small text files saved on the user's device (computer, tablet, smartphone). Cookies contain information that can be read by the website's server.
9.2. Types of cookies
The Controller uses the following types of cookies:
Essential Cookies
- Without user consent
- Necessary for Shop functioning
- Contain: session identifier, user preference information
- Retention period: up to 12 months
Analytical Cookies
- Based on user consent
- Used to analyze site traffic and user behavior
- Provider: Google Analytics
- Contain: visit count information, time spent on site, clicks
- Retention period: up to 2 years
Marketing/Tracking Cookies
- Based on user consent
- Used to personalize offer and send ads
- Providers: Facebook Pixel, Google Ads (if used)
- Contain: user interest information
- Retention period: up to 12 months
Social Media Cookies
- Based on user consent
- Allow sharing content on social media
- Providers: Facebook, Instagram, Twitter (if integrated)
- Retention period: according to provider policy
9.3. Cookie management
In browser:
Every web browser allows cookie management:
- Chrome: Menu → Settings → Privacy and security → Cookies and site data
- Firefox: Menu → Settings → Privacy and security → Cookies and site data
- Safari: Preferences → Privacy → Cookies and site data
- Edge: Settings → Privacy, search, and services → Cookies and site data
On Shop website:
The user can accept or reject cookies through the cookie banner displayed on the first visit.
Cookie settings can be changed at any time.
9.4. No cookies without consent
The Controller does not install marketing or analytical cookies without prior user consent. Essential cookies are installed automatically due to their importance for Shop functioning.
§ 10. LINKS TO THIRD PARTY SITES
The Shop may contain links to third-party websites (e.g., social media, partner sites). The Controller is not responsible for:
- Data processing practices on third-party sites
- Content of third-party sites
- Data security on third-party sites
We recommend reading the Privacy Policy of every third-party site before sharing your personal data there.
§ 11. CONTACT AND EXERCISING RIGHTS
11.1. Contact details
All requests regarding rights under GDPR and questions regarding personal data processing should be directed to:
Email: contact@cozypixel.shop
Postal address: Jaworowa, 12K, 82-300, Elbląg
Availability hours: Monday–Friday, 9:00–17:00 (Warsaw time)
11.2. Response time
The Controller will make efforts to respond to requests in the shortest possible time:
Average time: 7–14 business days
Maximum time: 30 days from receiving request (according to GDPR)
For complex requests, the Controller may extend the deadline to 90 days and will inform the user of the extension.
11.3. Request form
A request can also be submitted via the form on the Shop website (if available).
§ 12. PRIVACY POLICY CHANGE
12.1. Right to change
The Controller reserves the right to change this Privacy Policy to:
- Adapt to legal changes
- Improve data security
- Change data processing practices
- Add new services or functionalities
12.2. Notification of changes
Users will be informed about Privacy Policy changes by:
- Publication of new version on Shop website
- Sending email notification (if change is significant)
Change effective date: at least 7 days from publication
12.3. Acceptance of changes
Continued use of the Shop after the Privacy Policy changes means acceptance of the changes. If the user does not accept the changes, they should stop using the Shop.
§ 13. FINAL PROVISIONS
13.1. Governing law
This Privacy Policy is governed by the law of the Republic of Poland. Interpretation and application of the Policy are subject exclusively to the Polish legal system.
13.2. Compliance with other documents
This Privacy Policy constitutes an integral part of the Shop Regulations. In case of conflict between the Privacy Policy and the Regulations, the data processing rules specified in the Privacy Policy prevail.
13.3. Doubts and interpretation
Any doubts regarding interpretation of this Privacy Policy will be resolved in favor of the user.
13.4. Effective date
This Privacy Policy is effective from: 21.11.2025
The previous version of the Privacy Policy is available on request from the Controller.
ANNEX – DATA PROCESSING INFORMATION (ART. 13 GDPR)
Processing purpose: Sales contract execution, customer service, marketing (with consent)
Legal basis:
- Art. 6(1)(b) GDPR (contract)
- Art. 6(1)(c) GDPR (legal obligation)
- Art. 6(1)(a) GDPR (consent)
Data recipients: Payment operators, email service providers, public authorities (if required)
Retention period: 6 years from transaction date (or according to legal obligations)
Right to access: Yes – Art. 15 GDPR
Right to rectification: Yes – Art. 16 GDPR
Right to erasure: Yes, with limitations – Art. 17 GDPR
Right to restriction: Yes – Art. 18 GDPR
Right to lodge complaint: Yes, to UODO – www.uodo.gov.pl
Obligation to provide data: Data necessary for contract execution is mandatory; others – voluntary
Automated decision making: Controller does not make decisions based on automated processing
END OF PRIVACY POLICY
