Privacy Policy

Last updated: October 21, 2025

1. Introduction

This Privacy Policy explains how Daria Sikora ("we", "us", or "our") collects, uses, discloses, and protects your personal information when you use our website dariasikora.pl (the "Website") and purchase our handmade primitive dolls and related products.

We are committed to protecting your privacy and complying with applicable data protection laws, including:

  • EU GDPR (General Data Protection Regulation 2016/679)
  • UK GDPR (Data Protection Act 2018)
  • US CCPA/CPRA (California Consumer Privacy Act and California Privacy Rights Act)
  • Canadian PIPEDA (Personal Information Protection and Electronic Documents Act)

By using our Website, you consent to the collection and use of your information as described in this Privacy Policy.

2. Data Controller

The data controller responsible for your personal information is:

Daria Sikora

Stefana Starzyńskiego 2/83

35-508 Rzeszów, Podkarpackie, Poland

NIP (Tax ID): 8131627011

Email: dariasikora@yahoo.pl

Phone: +48 501 083 574

3. Information We Collect

We collect different types of information depending on how you interact with our Website:

3.1 Account Information

When you create an account on our Website, we collect:

  • Name
  • Email address
  • Password (encrypted and stored securely)
  • Account creation date

3.2 Order and Billing Information

When you place an order, we collect:

  • Full name
  • Billing address
  • Shipping address
  • Email address
  • Phone number
  • Order details (products, quantities, prices)
  • Payment information (processed securely by Stripe - we do not store full card details)

3.3 Technical and Usage Information

We automatically collect certain technical information when you visit our Website:

  • IP address (anonymized for analytics purposes)
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on pages
  • Referral source (how you arrived at our Website)
  • Cookies and similar tracking technologies (see our Cookie Policy)

3.4 Communications

If you contact us via email or through our contact forms, we collect:

  • Name and email address
  • Message content
  • Any other information you choose to provide

4. How We Use Your Information

We use your personal information for the following purposes:

4.1 Order Processing and Fulfillment

To process your orders, arrange shipping, send order confirmations, and provide customer support.
Legal basis: Contract performance (GDPR Article 6(1)(b))

4.2 Payment Processing

To securely process payments through our payment processor, Stripe. Payment card information is handled directly by Stripe and never stored on our servers.
Legal basis: Contract performance (GDPR Article 6(1)(b))

4.3 Account Management

To create and manage your account, authenticate your identity, and allow you to access order history.
Legal basis: Contract performance (GDPR Article 6(1)(b))

4.4 Communications

To send you transactional emails (order confirmations, shipping notifications, account updates) and respond to your inquiries.
Legal basis: Contract performance and legitimate interest (GDPR Article 6(1)(b) and (f))

4.5 Website Analytics and Improvement

To analyze how visitors use our Website, identify technical issues, and improve our services. We use Cloudflare Analytics, Google Analytics (with IP anonymization), and Sentry for error tracking.
Legal basis: Consent (GDPR Article 6(1)(a)) - only with your explicit consent via cookie banner

4.6 Fraud Prevention and Security

To protect against fraudulent transactions, unauthorized access, and other security threats.
Legal basis: Legitimate interest (GDPR Article 6(1)(f))

4.7 Legal Compliance

To comply with applicable laws, regulations, tax requirements, and legal processes.
Legal basis: Legal obligation (GDPR Article 6(1)(c))

5. How We Share Your Information

We do not sell, rent, or trade your personal information. We only share your data with trusted third-party service providers necessary to operate our business:

Service Provider    Purpose                             Data Location                  Privacy Policy
Stripe              Payment processing                  USA (EU-US DPF certified)      Link
Vercel              Website hosting                     EU region                      Link
NeonDB              Database hosting                    EU region                      Link
Cyberfolks.pl       WordPress backend hosting           Poland                         Link
BaseLinker          Order management & fulfillment      Poland/EU                      Link
SendGrid            Transactional emails                USA (with EU data centers)     Link
Sentry              Error tracking & monitoring         USA                            Link
Google Analytics    Website analytics (planned)         USA (EU-US DPF certified)      Link
Cloudflare          CDN, security, analytics            Global network                 Link
Google reCAPTCHA    Spam and bot protection             USA                            Link
Vimeo               Video hosting                       USA (GDPR compliant)           Link
YouTube             Video hosting (planned)             USA                            Link

We may also disclose your information if required by law, court order, or to protect our legal rights and interests.

6. International Data Transfers

Our primary infrastructure is located in the European Union (Vercel EU, NeonDB EU, WordPress hosting in Poland). However, some of our service providers are based in the United States or operate globally.

When we transfer your personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • EU-US Data Privacy Framework (DPF): Stripe and Google are certified under the EU-US DPF, which provides adequate protection for data transfers to the USA.
  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with service providers not covered by the DPF.
  • GDPR Compliance Commitments: All our service providers have committed to GDPR compliance and appropriate technical and organizational measures.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

Account Information:

Retained until you request account deletion. You can delete your account at any time from your account settings.

Order Information:

Retained indefinitely for accounting, tax compliance, and customer service purposes. This is required by Polish tax law, which mandates retention of business records for a minimum of 5 years.

Analytics Data:

Google Analytics data is automatically deleted after 26 months. Cloudflare Analytics data is anonymized and does not identify individuals.

Email Communications:

Retained for up to 3 years for customer service and legal compliance purposes.

Error Logs (Sentry):

Retained for 90 days for debugging and system improvement purposes.

8. Your Privacy Rights

Depending on your location, you have various rights regarding your personal information:

8.1 Rights Under EU GDPR and UK GDPR

If you are located in the European Union or United Kingdom, you have the following rights:

  • Right to Access: Request a copy of your personal data we hold.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (subject to legal obligations).
  • Right to Restriction of Processing: Request that we limit how we use your data.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent: Withdraw consent for data processing at any time (where consent is the legal basis).
  • Right to Lodge a Complaint: File a complaint with your local data protection authority.

8.2 Rights Under California CCPA/CPRA

If you are a California resident, you have the following rights:

  • Right to Know: Request disclosure of personal information collected, used, or shared.
  • Right to Delete: Request deletion of your personal information (subject to exceptions).
  • Right to Opt-Out of Sale: We do not sell your personal information.
  • Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary for our services.

Do Not Sell My Personal Information: We do not sell, share, or rent your personal information to third parties for monetary or other valuable consideration.

8.3 Rights Under Canadian PIPEDA

If you are a Canadian resident, you have the following rights:

  • Right to Access: Request access to your personal information.
  • Right to Correction: Request correction of inaccurate information.
  • Right to Withdraw Consent: Withdraw consent for data collection and use.
  • Right to File a Complaint: File a complaint with the Office of the Privacy Commissioner of Canada.

How to Exercise Your Rights

To exercise any of your privacy rights, please contact us at:

We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: All data transmitted between your browser and our Website is encrypted using TLS/SSL.
  • Secure Authentication: Passwords are hashed and encrypted using industry-standard algorithms (Better-auth).
  • Payment Security: Payment card information is processed securely by Stripe (PCI DSS Level 1 certified) and never stored on our servers.
  • Access Controls: Access to personal data is restricted to authorized personnel only.
  • Regular Security Audits: We regularly review and update our security practices.
  • DDoS Protection: Cloudflare provides protection against distributed denial-of-service attacks.
  • Error Monitoring: Sentry helps us identify and fix security vulnerabilities.

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.

10. Children's Privacy

Our Website is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at dariasikora@yahoo.pl, and we will delete such information from our systems.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our Website. For detailed information about the cookies we use and how to manage them, please read our Cookie Policy.

We operate on a strict opt-in consent model for non-essential cookies. Analytics and functional cookies are only activated after you provide explicit consent through our cookie banner.

12. Third-Party Links

Our Website may contain links to third-party websites (such as social media platforms or video hosting services). We are not responsible for the privacy practices of these external sites. We encourage you to read the privacy policies of any third-party websites you visit.

13. Marketing Communications

We currently do not send marketing emails. We only send transactional emails related to your orders and account (order confirmations, shipping notifications, password resets, etc.).

If we introduce marketing communications in the future, we will only send them with your explicit opt-in consent, and you will be able to unsubscribe at any time.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated Privacy Policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Daria Sikora

Stefana Starzyńskiego 2/83

35-508 Rzeszów, Podkarpackie, Poland

NIP (Tax ID): 8131627011

Email: dariasikora@yahoo.pl

Phone: +48 501 083 574

EU Data Protection Authority: If you are in the EU and have concerns about our data practices, you can contact the Polish data protection authority (UODO - Urząd Ochrony Danych Osobowych) or your local supervisory authority.

16. Supervisory Authorities

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with the relevant supervisory authority:

EU/Poland (GDPR):

Urząd Ochrony Danych Osobowych (UODO)
https://uodo.gov.pl

UK (UK GDPR):

Information Commissioner's Office (ICO)
https://ico.org.uk

Canada (PIPEDA):

Office of the Privacy Commissioner of Canada
https://www.priv.gc.ca

California (CCPA):

California Attorney General - Privacy Enforcement
https://oag.ca.gov/privacy