PRIVACY POLICY OF THE UNDRESS CODE ONLINE STORE

GENERAL PROVISIONS

1.1. This Privacy Policy is for informational purposes and sets out the rules for processing personal data and the use of cookies and similar technologies in connection with the use of the UNDRESS CODE online store.

1.2. This Privacy Policy does not impose obligations on store customers and does not constitute a contract or terms and conditions.

1.3. Capitalized terms not defined in this Privacy Policy have the meanings assigned to them in the Terms and Conditions of the UNDRESS CODE online store.

DATA CONTROLLER

2.1. The controller of personal data is UNDRESS CODE spółka z ograniczoną odpowiedzialnością, with its registered office in Łódź, ul. Daniłowskiego 7/87, 94-208 Łódź, Poland, entered into the Register of Entrepreneurs of the National Court Register under number 0000583525, VAT ID (NIP): 5223043090, REGON: 362895605 (hereinafter: the “Controller”).

2.2. In matters concerning personal data, you may contact the Controller:
a) by email at: whatsupbabe@undress-code.com,
b) in writing to the correspondence address indicated in the Terms and Conditions or to the Controller’s registered office.

2.3. If the Controller appoints a Data Protection Officer, their contact details will be provided separately on the store’s website or in direct communication with data subjects.

SCOPE OF PROCESSED DATA

3.1. The Controller may process in particular the following personal data:
a) first and last name,
b) email address,
c) phone number,
d) delivery and billing address,
e) company data, including company name and VAT number (if provided for invoicing),
f) data related to Orders, payments, returns, and complaints,
g) data provided in correspondence with the Controller,
h) data related to activity in the online store, including technical data, device information, IP address, approximate location, traffic source, browsing history, purchase history, and data stored via cookies and similar technologies.

3.2. Providing personal data is generally voluntary but may be necessary for:
a) placing and fulfilling an Order,
b) creating and maintaining an Account,
c) receiving a response to an inquiry,
d) receiving the Newsletter,
e) handling complaints or returns,
f) issuing accounting documents.

PURPOSES AND LEGAL BASIS FOR DATA PROCESSING

4.1. The Controller processes personal data for the following purposes:

a) concluding and performing a sales Agreement, including Order handling, payment processing, delivery, returns, and related communication – pursuant to Article 6(1)(b) GDPR;

b) maintaining a customer Account and providing electronic services – pursuant to Article 6(1)(b) GDPR;

c) handling complaints, exercising rights related to non-conformity of Goods, withdrawal from the Agreement, and fulfilling obligations under consumer law – pursuant to Article 6(1)(c) GDPR;

d) fulfilling legal obligations, in particular tax, accounting, and data protection obligations – pursuant to Article 6(1)(c) GDPR;

e) handling correspondence, responding to inquiries, processing requests, and communication not directly related to Order execution – pursuant to Article 6(1)(f) GDPR (legitimate interest in communication and defense against claims); where applicable, also Article 6(1)(b) GDPR;

f) pursuing claims, defending against claims, preventing fraud, and ensuring store security – pursuant to Article 6(1)(f) GDPR;

g) conducting statistical analyses, analytics, and improving store functionality – pursuant to Article 6(1)(f) GDPR or, where required, based on consent;

h) conducting the Controller’s own marketing activities, including sending newsletters and commercial information electronically – pursuant to Article 6(1)(a) GDPR and applicable communication laws;

i) personalized marketing, remarketing, and profiling for tailoring content and offers – pursuant to Article 6(1)(a) GDPR (where consent is required) or Article 6(1)(f) GDPR where permitted.

4.2. Profiling may include analyzing user activity, purchase history, responses to marketing content, website usage, and cookie data to better tailor content, advertisements, or offers. Profiling does not generally produce legal effects or similarly significant impacts unless explicitly stated and consent is obtained.

DATA RECIPIENTS

5.1. Personal data may be shared with entities cooperating with the Controller where necessary, including:

a) payment service providers (Shopify Payments, Stripe, Tpay, Klarna),
b) carriers and logistics operators,
c) IT, hosting, e-commerce, mailing, analytics, and marketing service providers,
d) accounting, legal, advisory, and audit service providers,
e) customer support and communication service providers,
f) authorized public authorities where required by law.

5.2. Recipients process data either as processors under agreement or as independent controllers, depending on their role.

DATA RETENTION PERIOD

6.1. Personal data is retained for as long as necessary to fulfill the purpose for which it was collected.

6.2. In particular:
a) Order and accounting data – for periods required by tax and accounting law,
b) Account data – until Account deletion or purpose ceases,
c) complaint/claim data – for the duration of handling and limitation periods,
d) consent-based data – until consent is withdrawn,
e) marketing data based on legitimate interest – until objection is raised.

RIGHTS OF DATA SUBJECTS

7.1. Data subjects have the right to:
a) access data,
b) rectify data,
c) erase data,
d) restrict processing,
e) data portability,
f) object to processing based on legitimate interest,
g) withdraw consent at any time,
h) lodge a complaint with the President of the Personal Data Protection Office (UODO).

7.2. To exercise rights, contact the Controller using the details in section 2.

TRANSFERS OUTSIDE THE EEA

8.1. Data may be transferred outside the EEA due to use of external providers.

8.2. The Controller ensures adequate protection through:
a) adequacy decisions,
b) standard contractual clauses,
c) recognized frameworks such as the EU–US Data Privacy Framework.

8.3. More information can be obtained by contacting the Controller.

COOKIES AND SIMILAR TECHNOLOGIES

9.1. The store uses cookies to ensure proper operation, maintain sessions, remember preferences, perform analytics, and conduct marketing.

9.2. Types of cookies:
a) essential,
b) functional,
c) analytical,
d) marketing.

9.3. Non-essential cookies are used based on user consent.

9.4. Consent can be withdrawn or modified at any time.

9.5. Limiting cookies may affect functionality.

9.6. Third-party providers may also use cookies.

VOLUNTARY PROVISION OF DATA

10.1. Providing data is voluntary but often necessary to use store features.

10.2. Failure to provide data may prevent:
a) placing Orders,
b) creating Accounts,
c) receiving newsletters,
d) receiving responses,
e) handling complaints/returns.

DATA SECURITY

11.1. The Controller implements appropriate technical and organizational measures to protect data.

11.2. Measures are selected based on risk and processing context.

LINKS TO OTHER WEBSITES

12.1. The store may contain links to external websites. This Policy applies only to UNDRESS CODE.

12.2. Users should review external privacy policies.

CHANGES TO THE PRIVACY POLICY

13.1. The Controller may update this Policy due to:
a) legal changes,
b) functionality changes,
c) technological updates,
d) changes in data processing.

13.2. The current version is published in the store.

13.3. Users may be additionally notified of significant changes.

EFFECTIVE DATE

This Privacy Policy is effective as of April 13, 2026.