§1. Data Controller
The Data Controller of personal data is
LÜMP-X, with its registered office at Aleja Armii Ludowej 7, Warsaw, Poland,
NIP (Tax ID): 1231590284,
REGON: 543017514,
e-mail: info@lump-x.com.
The Controller processes personal data in accordance with:
● Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR),
● The Polish Act of 18 July 2002 on Providing Services by Electronic Means,
● The Polish Consumer Rights Act.
§2. Legal Basis for Data Processing
Personal data is processed in accordance with Article 6 of the GDPR on the following legal grounds:
1. Order fulfillment and sales contract execution
● Art. 6(1)(b) GDPR – processing is necessary to perform a contract,
● Art. 6(1)(a) GDPR – voluntary consent (e.g., creating a customer account).
Processed data: first name, last name, delivery address, e-mail address, phone number, invoicing details.
2. Legal obligations of the Controller
● Art. 6(1)(c) GDPR – compliance with legal obligations, including tax and accounting laws (Accounting Act, VAT Act).
3. Legitimate interests of the Controller
● Art. 6(1)(f) GDPR, including:
○ statistical analysis,
○ securing and defending legal claims,
○ direct marketing of own products,
○ ensuring proper functioning of the website,
○ preventing abuse and fraud.
4. Marketing and newsletter
● Art. 6(1)(a) GDPR – voluntary consent,
● Art. 7 GDPR – conditions for obtaining valid consent,
● Art. 21 GDPR – right to object to direct marketing.
5. Contact forms
● Art. 6(1)(f) GDPR – legitimate interest consisting in responding to inquiries,
● Art. 6(1)(a) GDPR – optional consent where applicable.
§3. Scope of Processed Data
The Controller may process the following categories of personal data:
● identification data,
● contact data,
● delivery details,
● transaction data,
● IP address,
● cookies data,
● analytical data (if the user has consented).
§4. Data Recipients
In accordance with Art. 28 GDPR, personal data may be transferred to the following categories of recipients:
● Payment operators: PayU S.A.; PayPro S.A. (Przelewy24); Stripe Payments Europe Limited; PayPal (Europe) S.à r.l. et Cie, S.C.A.
● Courier companies: InPost Sp. z o.o.; DPD Polska Sp. z o.o.; DHL Express (Poland) Sp. z o.o.; Poczta Polska S.A.
● Accounting offices: Biuro Rachunkowe Mk3-Finanse Sp. z o.o.
● Hosting and IT infrastructure providers: OVH Sp. z o.o.
● Marketing and analytics providers: Google LLC, Meta Platforms Inc. — in accordance with Art. 46 GDPR (Standard Contractual Clauses).
All recipients process data solely on the basis of appropriate agreements and in compliance with GDPR requirements.
§5. Data Retention Period
The Controller retains personal data in accordance with:
● Art. 5(1)(e) GDPR – data minimization and storage limitation principle.
Retention periods:
● transaction data – for the period required by accounting laws (minimum 5 years),
● marketing data – until consent is withdrawn (Art. 7(3) GDPR),
● data processed on the basis of legitimate interests – until an objection is raised (Art. 21 GDPR),
● contact form data – until the correspondence is concluded.
§6. User Rights
In accordance with GDPR, the user has the following rights:
- Right of access to data – (Art. 15 GDPR)
- Right to rectification – (Art. 16 GDPR)
- Right to erasure (“right to be forgotten”) – (Art. 17 GDPR)
- Right to restriction of processing – (Art. 18 GDPR)
- Right to data portability – (Art. 20 GDPR)
- Right to object to processing – (Art. 21 GDPR)
- Right to withdraw consent at any time – (Art. 7(3) GDPR)
- Right to lodge a complaint with a supervisory authority – (Art. 77 GDPR)
The supervisory authority in Poland is the President of the Personal Data Protection Office (UODO).
§7. Cookies
The website uses cookies in accordance with:
● Art. 6 GDPR,
● Art. 173–174 of the Polish Telecommunications Law.
Types of cookies:
● Necessary cookies – basis: Art. 6(1)(f) GDPR,
● Analytical cookies – basis: Art. 6(1)(a) GDPR (consent),
● Marketing cookies – basis: Art. 6(1)(a) GDPR.
Consent for analytical and marketing cookies is collected in accordance with Art. 7 GDPR.
Users may manage cookies through browser settings or the cookie banner.
§8. Data Transfers Outside the EEA
If data is transferred outside the European Economic Area, it is done in accordance with:
● Art. 45 GDPR – adequacy decisions,
● Art. 46 GDPR – Standard Contractual Clauses (SCCs),
● Art. 49 GDPR – specific exceptions.
This typically applies to providers such as Google LLC and Meta Platforms Inc., if their marketing tools are used.
§9. Security Measures
The Controller implements technical and organizational measures in accordance with:
● Art. 24 GDPR – responsibility of the Controller,
● Art. 25 GDPR – privacy by design and by default,
● Art. 32 GDPR – security of processing (SSL encryption, access control, regular backups).
§10. Contact Regarding GDPR
All inquiries regarding personal data should be sent to: info@lump-x.com