Version: 17.03.2026
Applicable to the website: suknieestera.host923120.xce.pl (test environment) and, after deployment, suknieestera.pl
1. General Provisions
This Privacy and Cookie Policy sets out the rules for the processing of personal data and the use of cookies on the Suknie Ślubne Estera website, hereinafter referred to as the “Website”.
The controller of personal data is Estera. Pracownia sukien ślubnych i wizytowych. Pustelak-Wiech K., NIP 8131882223, REGON 690560434, operating under the brand name “Suknie Ślubne Estera”, hereinafter referred to as the “Controller”.
The Controller may be contacted regarding privacy matters via:
- e-mail: estera_styl@poczta.onet.pl
- phone: 603 928 465 / 577 102 007
If the Controller appoints a Data Protection Officer, their contact details will be published on the Website.
The Website is informational, promotional, and contact-oriented. In particular, it enables browsing collections, reviewing the offer, contacting the Controller, and sending a message in order to obtain information or arrange an appointment.
2. Scope of Data Covered by the Policy
The Controller may process, in particular:
- data provided by the User in the contact form or in correspondence, such as:
  - first and last name,
  - e-mail address,
  - message subject,
  - message content,
  - other data voluntarily provided by the User in the message content, such as a phone number, preferred appointment date, or information necessary to handle the enquiry;
- data related to telephone or e-mail contact;
- technical data concerning the use of the Website, including IP address, device identifiers, browser type, operating system, session data, server logs, and information stored in cookies or similar technologies.
3. Purposes and Legal Bases for Data Processing
Personal data may be processed for the following purposes:
- handling the contact form, providing a reply, conducting correspondence, and arranging an appointment or fitting,
on the basis of Article 6(1)(b) GDPR — where processing is necessary in order to take steps at the request of the data subject prior to entering into a contract,
or on the basis of Article 6(1)(f) GDPR — where processing is necessary for the purposes of the Controller’s legitimate interests consisting of handling enquiries, organizing the Controller’s operations, and communicating with clients;
- taking steps aimed at entering into or performing a contract concluded outside the Website (e.g. an order, tailoring service, appointment reservation, or in-store customer service),
on the basis of Article 6(1)(b) GDPR;
- fulfilling the Controller’s legal obligations, in particular tax, accounting, or complaint-handling obligations,
on the basis of Article 6(1)(c) GDPR;
- establishing, pursuing, or defending claims and ensuring the security of the Website,
on the basis of Article 6(1)(f) GDPR;
- carrying out direct marketing of the Controller’s own services by electronic means or by telephone,
only where the User has given separate consent, where such consent is required by law, including electronic communications regulations and the GDPR.
4. Is Providing Data Mandatory?
Providing data is voluntary, but to the extent necessary to handle an enquiry or arrange an appointment, it may be required in order to provide a reply or follow-up contact.
Failure to provide the data required to handle the form may make it impossible to receive a reply or arrange an appointment.
The Controller does not expect the transfer of special categories of data (e.g. health data). Please do not send such information unless it is clearly necessary and lawful to do so.
5. Data Recipients
Data may be disclosed to entities cooperating with the Controller only to the extent necessary to achieve the purposes indicated above, in particular:
- hosting and IT infrastructure providers;
- entities providing website support, e-mail services, technical support, maintenance, or development of the Website;
- entities providing accounting, legal, debt collection, or advisory services — where necessary;
- providers of analytical, functional, or marketing tools — only where such tools are actually active and may lawfully operate to the relevant extent;
- authorized public authorities — where the obligation to disclose data arises from provisions of law.
6. Transfers of Data Outside the EEA
As a rule, the Controller seeks to use solutions provided by suppliers processing data within the European Economic Area.
If the Website implements tools of providers established outside the EEA or using infrastructure outside the EEA (e.g. selected analytics, advertising, cloud, or social media tools), data may be transferred outside the EEA on the basis of mechanisms permitted by law, in particular standard contractual clauses or an adequacy decision.
Clicking a link leading to an external service, including Facebook, Instagram, or a business partner’s website, causes the User to leave the Website. Any further processing of data is then carried out under the rules applicable to the relevant external entity.
7. Data Retention Period
Data are retained for no longer than is necessary to achieve the purpose of processing, and then for the period required by law or needed to protect the Controller’s rights, in particular:
- data from the contact form and correspondence — for the time needed to handle the matter, and then for the period necessary to demonstrate the course of the contact and until the expiry of the limitation period for any claims;
- data related to the conclusion and performance of a contract — for the duration of the contract, and then for the period resulting from tax, accounting, and civil law provisions;
- data processed on the basis of consent — until the consent is withdrawn or an objection is effectively raised, unless the purpose of processing ceases earlier;
- technical data and cookies — until the relevant cookie expires, is deleted by the User, or ceases to be useful for the purpose for which it was stored.
8. Rights of Data Subjects
Each data subject has — in cases provided for by law — the right to:
- access their data;
- rectify their data;
- erase their data;
- restrict processing;
- data portability;
- object to processing based on the Controller’s legitimate interest;
- withdraw consent at any time, where processing is based on consent; withdrawal of consent shall not affect the lawfulness of processing carried out before its withdrawal;
- lodge a complaint with the President of the Personal Data Protection Office.
In order to exercise these rights, you may contact the Controller using the contact details indicated above.
9. Automated Decision-Making and Profiling
Personal data are not used to make decisions concerning the User based solely on automated processing that would produce legal effects concerning the User or similarly significantly affect them.
The Controller does not carry out profiling within the meaning of the GDPR, unless the User is separately informed of this before such a process is launched.
10. Cookies and Similar Technologies
The Website may use cookies and similar technologies that store information on or gain access to information on the User’s end device.
The following categories of cookies may be used on the Website:
- necessary — required for the proper operation of the Website and for the provision of the service requested by the User;
- functional — allowing selected settings to be remembered or improving the use of the Website;
- analytical — used to measure traffic and analyze the way the Website is used;
- marketing — used for advertising or remarketing activities.
Cookies other than necessary cookies should be activated only after obtaining the User’s prior consent through a properly configured consent management mechanism.
The User may manage cookies:
- through the cookie banner settings, if such a banner has been implemented on the Website;
- through their web browser settings;
- by deleting stored cookies from their device.
Restricting the use of cookies may affect certain functionalities of the Website.
If specific analytical, advertising, map, media player, anti-spam, or reCAPTCHA-type tools are implemented on the Website, this Policy should be supplemented with the names of those providers and the purposes of processing.
11. Server Logs and Security
Using the Website involves sending requests to the server on which the Website is hosted.
Server logs may include, among other things, the IP address, the date and time of the request, information about the browser and operating system, and information about technical errors.
These data are used primarily to ensure the security of the Website, diagnose errors, and protect against abuse, which constitutes the Controller’s legitimate interest.
12. Changes to the Policy
The Controller may update this Policy where necessary due to changes in the law, the scope of services, the way the Website operates, or the tools used.
The current version of the Policy is published on the Website together with the effective date.
13. Effective Date
This Policy is effective as of 17.03.2026.