Privacy Policy
Last updated: 8 March 2026
1. Data Controller
The controller of your personal data is Lenanto Spółka z Ograniczoną Odpowiedzialnością (Lenanto Ltd.) with its registered office in Mogilany, os. Parkowe Wzgórze 126, 32-031 Mogilany (Lesser Poland Voivodeship), Poland, KRS: 0001122004, NIP: 9442290063, REGON: 529412300 (hereinafter: the “Controller”). Contact for personal data matters: [email protected].
2. Scope and Purposes of Processing
We process your personal data for the following purposes:
- Order fulfilment (first name, last name, address, e-mail, telephone number, invoice data) — legal basis: Art. 6(1)(b) GDPR (performance of a contract).
- Handling complaints and returns — legal basis: Art. 6(1)(b) and (c) GDPR (performance of a contract, legal obligation).
- Maintaining a customer account — legal basis: Art. 6(1)(b) GDPR.
- Accounting and tax obligations — legal basis: Art. 6(1)(c) GDPR (legal obligation). Retention period: 5 years from the end of the tax year.
- Direct marketing (newsletter) — legal basis: Art. 6(1)(a) GDPR (consent). Consent may be withdrawn at any time.
- Analytics and service improvement (anonymised traffic data) — legal basis: Art. 6(1)(f) GDPR (legitimate interest).
3. Data Recipients
Your data may be disclosed to the following categories of recipients:
- Payment processor — Paynow (mBank S.A.) — solely to the extent necessary to process payments.
- Courier companies (InPost, DPD) — to the extent necessary to fulfil delivery.
- E-mail service provider (Resend) — to the extent necessary for sending transactional messages.
- Hosting provider (Railway) — to the extent necessary for data storage on servers.
Payment data (card numbers, BLIK details) are processed exclusively by the payment operator and are not stored by the Controller.
4. Data Retention Periods
- Order-related data: 5 years from the end of the tax year (accounting obligation).
- Customer account data: until the account is deleted by the user.
- Marketing data (newsletter): until consent is withdrawn.
- Analytics data (cookies): in accordance with the cookie’s validity period (max. 13 months for analytics cookies).
5. Cookies
The Store uses the following types of cookies:
- Essential — required for the Store to function: user session (auth-token), shopping cart, cookie consent preferences. No consent required.
- Analytics (Google Analytics) — collect anonymised traffic data about the website. Activated only after the user grants consent via the cookie banner.
You can manage cookies in your browser settings. Disabling essential cookies may prevent you from using the Store.
6. Your Rights (GDPR)
Under Regulation (EU) 2016/679 (GDPR), you have the following rights:
- Right of access — to obtain information about the data processed (Art. 15).
- Right to rectification — to correct inaccurate data (Art. 16).
- Right to erasure (“right to be forgotten”, Art. 17).
- Right to restriction of processing (Art. 18).
- Right to data portability — to receive your data in a machine-readable format (Art. 20).
- Right to object — to processing based on legitimate interest (Art. 21).
- Right to withdraw consent — at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint with the President of the Personal Data Protection Office (UODO, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl). If you reside in another EU Member State, you may also lodge a complaint with your local supervisory authority.
To exercise the above rights, please contact us at: [email protected].
7. Data Security
The Controller applies appropriate technical and organisational measures to ensure the security of personal data, including: encrypted connections (TLS/SSL), authentication via secure cookies (HttpOnly), access controls, regular backups and security monitoring.
