CRAFTWORKS PLATFORM PRIVACY POLICY
Last updated: 01.06.2026
Dear User,
we care about your privacy and want your use of the CraftWorks Platform to be as transparent, comfortable, and safe as possible. Personal data protection is very important to us, so we process personal data in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), national personal data protection laws, laws on the provision of electronic services and, to the extent applicable, laws on digital services.
This Privacy Policy explains what personal data may be processed in connection with the operation of the CraftWorks internet platform, available at https://mycraft.works/ and https://portal.mycraft.works/, and within related applications, interfaces, tools, modules, API environments, and digital functionalities (“Platform”). In particular, this document describes data processing in connection with Account registration, use of the marketplace, creation of product designs and visualizations, uploading photos, graphics, and other materials, using design tools and AI Tools, placing Orders, communication between Users, cooperation between Sellers and Manufacturers/Contractors, handling payments, orders, shipping data, complaints, infringement reports, and maintaining Platform security. Detailed rules for the provision of electronic services and use of the Platform are set out in the Terms and Conditions for the provision of electronic services and use of the Platform (“Terms”), available on the Platform.
The CraftWorks Platform may operate in B2C, B2B, and B2B2C models. This means that, depending on which functionality you use and in which role you act, various entities may participate in processing your data, including the Platform Operator, Sellers, Manufacturers, payment providers, AI tool providers, and other technology partners. If shipping data is needed to handle an Order, it may be processed through the Platform and shared with the entity responsible for fulfilling the Order or the relevant cooperation, in particular the Seller, Manufacturer/Contractor, or another professional User.
1. What the Privacy Policy Covers
This Privacy Policy applies to the processing of personal data by CRAFTWORKS spółka z ograniczoną odpowiedzialnością in connection with operating, maintaining, developing, and securing the CraftWorks Platform and providing electronic services through it.
The Policy applies in particular when:
- you visit the Platform website or use its publicly available parts;
- you create an Account or log in to an Account;
- you use an Account as a Consumer, Seller, Manufacturer/Contractor, Designer, Content Author, Entrepreneur, or other Platform User;
- you provide registration, identification, contact, billing, tax, or verification data;
- you upload photos, graphics, marks, logos, designs, files, descriptions, product materials, or other User Content to the Platform;
- you use the product configurator, design tools, graphic editors, quality improvement, cropping, scaling, combining, personalization, or production-preparation tools;
- you use AI Tools for generating, modifying, processing, improving, or supporting the creation of content, designs, graphics, visualizations, or descriptions;
- you publish Product Presentations, offers, catalogs, product materials, visualizations, or other content available to other Users;
- you place an Order, Request for Quotation, product inquiry, or cooperation inquiry;
- you participate in the conclusion or performance of a sales agreement, production agreement, performance agreement, personalization, printing, or other cooperation between Users conducted through the Platform;
- you use Platform communication tools or contact the Operator, Seller, Manufacturer/Contractor, or another User;
- you make or receive a payment, participate in settlements, use a subscription, paid plan, promotion, invoice, or another billing functionality;
- you use functionalities related to handling Orders, projects, personalization, production, or communication between Users;
- you submit a complaint, technical report, report concerning a violation of law, report concerning an intellectual property infringement, report concerning Prohibited Content, or another request;
- you contact us through a contact form, email, telephone, social media, or other communication channels;
- you use analytical, reporting, administrative, API, or integration functionalities;
- you use the Platform in a manner that requires security, abuse prevention, fraud detection, infrastructure protection, content moderation, or enforcement of the Terms.
The Policy concerns personal data, meaning information relating to an identified or identifiable natural person. The Policy does not concern anonymous data, aggregated data, or information relating to legal persons, unless that data contains data of a natural person, for example data of a person representing a company, employee, coworker, contact person, person authorized for a business Account, or person indicated in billing documents.
The Platform is not intended for persons who do not have full legal capacity, including children. As a rule, we do not knowingly collect data of minors. If we learn that an Account has been created by an unauthorized person or that data of a minor has been provided to us without a proper legal basis, we may take steps to restrict access, delete the Account, or delete such data, unless further storage is required by law or necessary to establish, pursue, or defend claims.
2. Personal Data Controller and Contact Details
The Controller of personal data processed in connection with operating and maintaining the Platform, within the scope described in this Privacy Policy, is:
CRAFTWORKS spółka z ograniczoną odpowiedzialnością with its registered office in Krakow, at ul. Długa 22/6, 31-146 Krakow, Poland, entered in the register of entrepreneurs of the National Court Register under KRS number 0001162316, with NIP 6762689670 and REGON 541196429, share capital PLN 10,000.00, fully paid up, referred to in this Policy interchangeably as (“Operator”, “Controller”, “We”, “Us”, “Our”).
You can contact the Controller:
- by post: ul. Długa 22/6, 31-146 Krakow, Poland;
- by email: [email protected]
- through the contact form available on the Platform;
- through other communication channels indicated on the Platform.
In matters concerning personal data, you can contact us at: [email protected]
The Controller has appointed a data protection officer (“DPO”). The DPO can be contacted in matters concerning personal data protection and the exercise of data subject rights:
- by email: [email protected].
3. Important Information About the Roles of Data Processing Entities
Due to the Platform operating model, different legal roles may occur in data processing. The same entity does not always decide on all purposes and means of data processing.
3.1. Operator as data controller
The Operator is the controller of personal data in particular when it decides on the purposes and means of processing data related to:
- operating and maintaining the Platform;
- registering and supporting User Accounts;
- ensuring Platform security;
- handling reports, complaints, and contact addressed to the Operator;
- verifying professional Users, if verification is carried out by the Operator for access to Platform functionalities;
- maintaining logs, technical data, and data concerning activity on the Platform;
- moderating content, handling infringement reports, preventing abuse, and enforcing the Terms;
- settling services provided by the Operator, for example subscriptions, fees for access to specific functionalities, or other Platform services;
- conducting the Operator's own marketing or informational communication;
- fulfilling legal obligations imposed on the Operator;
- establishing, pursuing, or defending the Operator's claims.
3.2. Professional Users as Platform Users
Sellers, Manufacturers/Contractors, and other professional Users also use the Platform as its Users. In this respect, the Operator is the controller of personal data of such Users and persons acting on their behalf, in particular data related to creating and maintaining an Account, the professional User profile, presenting its business, products, or services on the Platform, visibility in the search engine, catalog, or marketplace, communication with other Users, activity history, security, settlements, reports, and use of Platform functionalities. The Platform may enable Users to search for Sellers, Manufacturers/Contractors, or other professional Users, view their profile, offer, service scope, products, cooperation parameters, or other information made available through the Platform. Data of professional Users may, in this respect, be presented to other Platform Users in accordance with Platform functionalities, visibility settings, and information made available by the relevant professional User.
3.3. Seller as a separate data controller
A Seller, meaning a professional User making products or services available through the Platform, may act as a separate controller of personal data to the extent that it independently decides on the purposes and means of processing data related to its own business, offer, sales, customer service, performance of a sales agreement, complaints, settlements, tax obligations, or own marketing.
In particular, the Seller may be a separate controller of personal data of a User placing an Order if the data is made available to the Seller for the purpose of concluding or performing a sales agreement, contacting the customer, handling complaints, fulfilling legal obligations, or maintaining its own sales documentation.
If a User places an Order or Request for Quotation, sends a design, communicates, or gives another instruction to a Seller through the Platform, the data provided by the User is transmitted to the Seller through the Platform to the extent necessary to handle the given action. The Seller processes that data as a separate controller of personal data, within the scope and for purposes related to its own business, in particular handling the Order, performing the sales agreement, communication, settlements, complaints, tax obligations, and protection of its own claims.
3.4. Manufacturer/Contractor as a separate data controller or processor
A Manufacturer/Contractor, meaning a professional User participating in production, performance, printing, personalization, packing, completing, confectioning, preparation, or fulfillment of products, may, depending on the process, act:
- as a separate data controller - if it independently decides on the purposes and means of processing data in connection with its own production, performance, settlement, complaint, or documentation activities;
- as a processor processing data on behalf of a Seller or another data controller - if it processes data only in accordance with that controller's instructions and to the extent necessary to perform the commissioned activity, in particular producing, personalizing, or preparing a product;
- as an independent participant in a B2B relationship - if it concludes a direct agreement with a Seller or another User and, within that agreement, determines its own purposes and means of processing.
In particular, the Manufacturer/Contractor may receive data necessary to fulfill a product or personalization, such as design data, graphics, production files, order parameters, contact details of the responsible person on the Seller's side, data needed to produce or prepare a product, complaint data, or technical information necessary for the production process.
In its relationship with the Operator, the Manufacturer/Contractor may receive data to the extent necessary to use the Platform, handle the Account, communicate, settle fees, commissions, transaction statuses, reports, or other activities carried out through the Platform. This does not mean, however, that the Operator commissions the Manufacturer/Contractor to produce, perform, ship, or deliver products, unless separate arrangements expressly provide otherwise.
3.5. Use of the AI Assistant and external artificial intelligence tools
Within the Platform, the User may use functionalities based on artificial intelligence tools, in particular the AI Assistant. The AI Assistant may be used, among other things, to generate graphics, support order configuration, provide product information, and process, modify, or analyze content, photos, graphics, designs, product data, or other materials provided by the User.
Use of the AI Assistant and other artificial intelligence tools available through the Platform is voluntary. The User decides whether to use a given functionality and what content, data, files, graphics, photos, designs, prompts, instructions, product data, or other materials to provide when using that tool.
In connection with use of the AI Assistant, data may be processed by the Operator to the extent necessary to provide this functionality within the Platform, save the history of the conversation or actions performed using the AI Assistant, save generated results, link them to the User Account, project, product, or order, and ensure the proper operation, security, and accountability of services provided through the Platform.
Data provided in connection with use of the AI Assistant may include in particular the content of the User's prompts and instructions, photos, graphics, designs, files, product data, information concerning order configuration, technical data, and results generated by the artificial intelligence tool. If the User enters personal data into the AI Assistant, that data may be processed as part of the operation of this functionality.
At the same time, data provided in connection with use of the AI Assistant or other artificial intelligence tools may be processed by external providers of such tools. These providers act as separate controllers of personal data within the scope of the services they provide, and the rules for processing data by those providers are set out in their own privacy policies, terms, or service conditions.
The current list of external providers of artificial intelligence tools available through the Platform is Appendix 1 to the Policy, “List of artificial intelligence tool providers.” This list includes in particular the provider's name, description of the functionality, types of data that may be transferred to the provider in connection with use of the tool, and a reference to the privacy documents and service terms of the relevant provider.
Before using the AI Assistant or another artificial intelligence tool, the User should read the information in the List of AI providers and the relevant provider's documentation. The User should not provide, through artificial intelligence tools, data that is not necessary to use the given functionality, in particular special category data, confidential data, payment data, identity documents, or third-party data if the User does not have an appropriate legal basis for using it.
3.6. External service providers and other data recipients
In connection with operating and maintaining the Platform, the Operator may use services of external entities that support the provision of services through the Platform, ensure its proper operation, handle Accounts, communicate with Users, provide security, analytics, technical support, settlements, payments, report handling, and fulfillment of obligations arising from law.
Personal data may be transferred in particular to the following categories of recipients:
- hosting, cloud, and technical infrastructure providers - to maintain the Platform, store data, and ensure its availability, performance, and security;
- email, communication tool, ticketing system, and administrative tool providers - to handle communication with Users, send system messages, handle inquiries, complaints, technical reports, and other matters addressed to the Operator;
- analytics service and statistical tool providers - to analyze how the Platform is used, improve its operation, diagnose errors, develop functionalities, and compile statistics;
- security, anti-fraud, or verification service providers - to secure the Platform, detect abuse, prevent unauthorized access, counter fraud, verify professional Users, or protect the rights of the Operator, Users, and third parties;
- banks, payment operators, payment card operators, or other payment service providers - to handle payments, refunds, payouts, settlements, transaction identification, commissions or fees due to the Operator, and prevent payment abuse;
- accounting, tax, legal, audit, or advisory service providers - to keep settlements, issue or handle accounting documents, fulfill tax obligations, provide legal service, pursue claims, or defend against claims;
- public authorities, courts, prosecutors, supervisory authorities, or other entities authorized by law - if the obligation to transfer data results from law, a decision of a competent authority, or is necessary to protect the Operator's rights.
If a User places an Order or Request for Quotation, sends a design, personalization data, shipping data, communicates, or gives another instruction to a specific Seller, Manufacturer/Contractor, or other professional User through the Platform, the data provided by the User is made available to that entity through the Platform to the extent necessary to handle the given action, in particular to handle the Order, Request for Quotation, communication, product fulfillment, design preparation, personalization, production, settlements, complaints, or other activities related to the relationship. The Seller, Manufacturer/Contractor, or other professional User to whom the User directs an Order, Request for Quotation, design, message, or other instruction may process the received data as a separate controller of personal data within the scope and for purposes related to its own business, in particular handling the Order, performing a sales agreement or other agreement, fulfilling the product, conducting communication, settlements, tax obligations, handling complaints, and pursuing or defending its own claims. The Operator processes data related to such activities to the extent necessary to provide and handle the Platform, maintain the history of activities, ensure security, enable communication between Users, provide technical support, accountability, report handling, and pursue or defend claims. The Operator does not physically deliver products and does not decide on the delivery method or the entity performing delivery. The Seller, Manufacturer/Contractor, or another entity responsible for fulfilling the relevant Order or cooperation is responsible for organizing and performing delivery, unless separate arrangements expressly provide otherwise.
Entities to which the Operator transfers data or to which data is made available through the Platform may act as processors processing personal data on behalf of the Operator or as separate controllers of personal data. If an entity processes data only on the Operator's instructions and to provide services to the Operator, it acts as a processor. If, however, it independently determines the purposes and means of data processing, it acts as a separate controller of personal data.
In particular, banks, payment operators, payment card operators, some verification service providers, public authorities, Sellers, Manufacturers/Contractors, logistics operators, courier companies, fulfillment entities, and other professional Users may act as separate controllers of personal data to the extent that they process data for their own purposes arising from law, their own services, transactions performed, settlements, complaints, tax obligations, delivery organization, or protection of their own claims.
Current information about key external service providers used by the Operator is available in the List of key external service providers, which is Appendix 2 to the Privacy Policy.
4. Categories of Users Whose Data May Be Processed
Within the Platform, we may process data of the following categories of persons:
- persons visiting public parts of the Platform;
- persons creating an Account or using an Account;
- Consumers placing Orders or Requests for Quotation or using personalized products;
- Entrepreneurs using the Platform in connection with business activity;
- Sellers/Brands and persons acting on their behalf;
- Manufacturers/Contractors and persons acting on their behalf;
- Designers, Content Authors, and persons uploading or creating designs;
- employees, coworkers, representatives, proxies, and contact persons of professional Users;
- persons whose data may be included in content, files, or materials provided by Users through the Platform, in particular in photos, graphics, designs, visualizations, dedications, inscriptions, personalized materials, marks, descriptions, prompts, messages, or correspondence, where the Operator processes such data within the scope resulting from the technical provision and handling of the Platform, and the User providing the relevant content, file, or material decides to include that data;
- persons contacting the Operator;
- persons submitting complaints, technical reports, reports of violations of law, reports of intellectual property infringements, or personal data requests;
- persons whose data may be provided by Users as part of communication conducted through the Platform, in particular in messages, attachments, arrangements concerning Orders, Requests for Quotation, designs, personalization, production, complaints, or cooperation between Users, where the Operator processes such data within the scope resulting from the technical provision and handling of Platform communication tools;
- persons using the Operator's social media profiles;
- persons receiving marketing or informational communication;
- persons whose data is processed in connection with security, abuse prevention, moderation, or investigations.
5. General Categories of Personal Data Processed on the Platform
Depending on the User's role, scope of Platform use, and available functionalities, we may process in particular the following categories of data:
- Identification data: first name, last name, username, login, Account identifier, customer identifier, Seller identifier, Manufacturer/Contractor identifier, pseudonym, profile name, representative data, contact person data;
- Contact data: email address, telephone number, correspondence address, delivery address, registered office address, business location address, contact data for order or complaint handling;
- Registration and authentication data: password in secured form, session identifiers enabling logged-in status and proper use of the Platform, login information, data used to activate the Account, data related to multi-factor authentication, history of changes to security settings;
- Legal and business status data: company, business name, legal form, KRS, NIP, REGON, VAT ID, registration number, country of registration, tax status, information on authorization to act on behalf of an entity, documents confirming business activity;
- Billing and payment data: invoice data, billing address, order number, amount, currency, payment status, payment method, transaction identifier, payment operator payment identifier, refund data, settlement history;
- Data concerning Orders and Requests for Quotation: product, product parameters, quantity, variant, size, color, material, printing technology, delivery deadline, order status, change history, order messages, complaint data;
- Data concerning personalized products: design, graphic file, photo, logo, inscription, dedication, mark, image, graphic, production file, technical parameters, visualization, mockup, product preview, design version history;
- User Content: texts, comments, descriptions, messages, files, photos, graphics, designs, signs, marks, logos, product materials, marketing content, data in file metadata;
- AI data: prompts, instructions, input data, files provided to AI Tools, photos, graphics, designs, generation parameters, generation results, AI-generated content, information about the model used, technical logs related to generation, result assessments, operation history;
- Communication data: message content, conversation threads, attachments, date and time of contact, contact channel, sender and recipient data, message read information, report history;
- Technical data: IP address, device identifiers, cookie identifiers, session identifiers, browser data, operating system, device type, screen resolution, language, time zone, error data, server logs, connection information;
- Activity data: login history, viewed subpages, clicks, time using the Platform, functionalities used, project editing history, search history, in-app events, activity in communication tools;
- Analytical and reporting data: sales statistics, view statistics, conversions, order reports, aggregated and pseudonymized data concerning Platform use, quality data concerning functionality operation;
- Security data: information about unusual activity, login attempts, violations of the Terms, abuse reports, blocks, moderation decisions, fraud risk, data used to prevent abuse;
- Complaint and dispute data: problem description, complaint documentation, product photos, contact history, decisions, refunds, correspondence, data concerning claims;
- Data concerning data subject rights: request content, identification data of the person submitting the request, correspondence, method of fulfilling the request, accountability documentation;
- Social media data: profile name, publicly available profile data, image, comments, reactions, private messages, information voluntarily provided as part of interaction with the Operator's profile.
Content, files, and materials entered by Users into the Platform may in some cases contain personal data of third parties, including special category data or other sensitive data. Detailed information concerning such data is included in the section “Special Category Data and Sensitive Data.”
6. Detailed Data Processing Processes
Below we describe the most important data processing processes on the Platform. Due to the developing nature of the Platform, this list may be updated as new functionalities are implemented.
6.1. Visiting the Platform and using public parts of the website
Description of processing activity: When you visit the Platform without creating an Account, we process technical and statistical data necessary to display the website, ensure its proper operation, security, error diagnostics, and basic analytics.
Scope of data: IP address, visit date and time, browser information, operating system, device type, screen resolution, language, URLs, visited subpages, entry source, server logs, cookie identifiers, or similar technologies.
Purposes: displaying the Platform, ensuring stability and security, error diagnostics, protection against abuse, compiling statistics, improving service quality.
Legal basis: The legal basis for processing personal data in connection with use of public parts of the Platform is Article 6(1)(f) GDPR, i.e. the Controller's legitimate interest consisting in ensuring the proper operation of the Platform, its security, error diagnostics, counteracting abuse, and compiling basic statistics concerning Platform use. To the extent that cookies or similar technologies not required for the proper operation of the Platform are used in connection with Platform use, the rules for their use are described in the cookies section. Such technologies are used in accordance with applicable law, in particular after obtaining the User's consent if consent is required.
Storage period: Data processed in connection with use of public parts of the Platform is stored for the period necessary to achieve the purposes for which it was collected, in particular ensuring the proper operation of the Platform, security, error diagnostics, and counteracting abuse, but no longer than 1 month from collection, unless longer storage is necessary due to detection of a security incident, pursuit or defense of claims, fulfillment of legal obligations, or protection of the rights of the Operator, Users, or third parties. The storage period for information saved in cookies or similar technologies depends on the type of file or technology and is specified in the cookies section or in the settings of the consent management tool, if such a tool is used.
6.2. Account registration and maintenance of a User Account
Description of processing activity: To use certain Platform functionalities, the User may be required to create an Account. As part of this process, we process data needed for registration, activation, authentication, Account maintenance, and enabling use of the Platform.
Scope of data: first name, last name, email address, login, password in secured form, Account identifier, registration date, Account status, login history, IP address, session data, Account settings, consents and declarations, acceptance of the Terms, information about Account type and User role.
For business or professional Accounts, the scope of data may also include company name, NIP, VAT ID, KRS, REGON, registered office address, representative data, contact person data, position, telephone number, billing data, and information about internal user permissions.
Purposes: creating and maintaining an Account, providing electronic services, identifying the User, ensuring access to functionalities, managing permissions, handling security, communication concerning the Account.
Legal basis: Article 6(1)(b) GDPR - conclusion and performance of an agreement for the provision of electronic services; Article 6(1)(f) GDPR - security, pursuit of claims, and protection of the Controller's rights; Article 6(1)(c) GDPR - legal obligations, where applicable.
Storage period: for the period the Account is maintained, and after its deletion for the period necessary to settle services, handle complaints, pursue or defend claims, and fulfill legal obligations. Technical data and logs may be stored for shorter periods in accordance with the retention policy.
6.3. Verification of professional Users
Description of processing activity: Access to some functionalities, especially those intended for Sellers, Manufacturers/Contractors, or other professional Users, may require verification of identification, registration, tax, billing data, or authorization to act on behalf of the relevant entity.
Scope of data: company name, legal form, registered office address, NIP, VAT ID, KRS, REGON, other registration identifiers, representative data, authorized person data, registration documents, documents confirming authority to represent, contact data, bank account data, tax status, information from public registers.
Purposes: verifying identity and status of the professional User, ensuring Platform security, counteracting abuse, fulfilling legal obligations, enabling use of sales, production, settlement, administrative, or other functionalities intended for professional Users.
Legal basis: Article 6(1)(b) GDPR - actions related to concluding or performing an agreement; Article 6(1)(f) GDPR - the Controller's legitimate interest consisting in verifying professional users and securing the Platform; Article 6(1)(c) GDPR - legal obligations, if verification is required by law.
Storage period: for the period of using professional functionalities, and then for the period required by law or necessary to defend against claims, counteract abuse, or demonstrate compliance of the Operator's actions.
6.4. Managing a business Account and internal user access
Description of processing activity: If an Entrepreneur, Seller, Manufacturer/Contractor, or other professional User uses a business Account, it may designate persons authorized to use that Account on its behalf, for example employees, coworkers, representatives, or team members. In such a case, data of those persons is provided to the Operator through the Platform to create, handle, or revoke access to the business Account and enable use of the Platform on behalf of the relevant professional User.
Scope of data: In this respect, the Operator may process in particular first name, last name, email address, position or function, role in the organization, permission level within the Account, information about the Account invitation, access status, login history, access logs, activity history, and information about actions performed within the Account.
Purposes: The purpose of processing data is to create and handle access to the business Account, enable authorized persons to use the Platform on behalf of the professional User, manage permissions, ensure Account security, protect against unauthorized access, ensure accountability for actions performed within the Account, and handle reports, abuse, or claims.
Legal basis: The legal basis for processing data is Article 6(1)(b) GDPR - to the extent processing is necessary to provide electronic services to the professional User and handle the business Account, and Article 6(1)(f) GDPR - the Operator's legitimate interest consisting in ensuring Platform security, managing access, counteracting abuse, ensuring accountability for actions, and pursuing or defending claims.
Storage period: Data is stored for the period of access to the business Account, and after access is revoked or the Account is deleted - for the period necessary to ensure security, accountability for actions, report handling, investigation of possible abuse, and pursuit or defense of claims, unless a longer storage period results from law.
Additional information: The professional User is responsible for ensuring that persons whose data it provides to grant access to a business Account are authorized to act on its behalf and have been informed that their data is provided to the Operator in connection with use of the Platform.
6.5. Uploading, storing, and hosting User Content
Description of processing activity: The Platform enables Users to upload, store, edit, publish, share, and use User Content, including graphics, photos, logos, marks, designs, texts, descriptions, visualizations, production files, personalized materials, and other files or materials provided through the Platform. The Operator processes User Content within the scope resulting from the operation of the Platform and actions taken by the User, in particular to enable content storage, creation of designs, product personalization, publication of Product Presentations, placement or handling of Orders, communication between Users, use of design or AI tools, security, and enforcement of the Terms.
Scope of data: In this respect, the Operator may process in particular User Content, file metadata, data of the author or person uploading the file, date and time of addition, change history, file versions, technical parameters, content visibility information, and links between content and an Account, product, design, Order, Request for Quotation, or communication conducted through the Platform. User Content may contain personal data of the User or third parties, in particular image, first name, last name, pseudonym, signature, dedication, inscription, company data, contact data, logo or mark identifying the business of a natural person, data included in a design, photo, graphic, description, message, prompt, visualization, production file, or other material provided by the User. The Operator does not decide what personal data will be placed by the User in User Content. Personal data included in such content is provided to the Operator by the User through the Platform solely as a result of the User's independent and voluntary decision concerning the scope of content, files, or materials entered into the Platform. The User who places or provides such data is solely responsible for having an appropriate legal basis to transfer such data through the Platform, including third-party data.
User Content may in some cases contain special category data within the meaning of Article 9 GDPR or other sensitive data if the User independently includes such data in a photo, graphic, design, visualization, description, dedication, inscription, personalized material, prompt, message, attachment, or other file. The Platform is not intended for processing special category data or other sensitive data. The Operator does not require providing such data, does not encourage its provision, and does not request that it be entered into the Platform. The User should not enter special category data or other sensitive data into the Platform unless it is lawful, necessary to use the given functionality, and the User has an appropriate legal basis for providing and using it. If, despite the above, the User enters such data into the Platform, the User does so at the User's own responsibility and risk.
Purposes: The purpose of processing data is to enable use of Platform functionalities, store and host User Content, create and edit designs, personalize products, publish Product Presentations, place and handle Orders or Requests for Quotation, cooperate and communicate between Users, use design or AI tools, ensure Platform security, enforce the Terms, handle reports, complaints, and claims, and protect the rights of the Operator, Users, and third parties.
Legal basis: The legal basis for processing data is Article 6(1)(b) GDPR - to the extent processing is necessary to provide electronic services, make Platform functionalities available, and perform the agreement with the User, and Article 6(1)(f) GDPR - the Operator's legitimate interest consisting in maintaining and securing the Platform, ensuring accountability for actions, enforcing the Terms, handling reports, and pursuing or defending claims.
If User Content contains personal data of third parties, including special category data or other sensitive data, the User who places or provides such data is responsible for having the proper legal basis to provide and use it through the Platform.
Storage period: Data is stored for the period of maintaining the Account, design, content, product, Order, Request for Quotation, or other process to which it is linked, or until the content is deleted by the User, unless further storage is necessary for security, report handling, complaints, settlements, pursuit or defense of claims, fulfillment of legal obligations, preservation of evidence of a Terms violation, or protection of the rights of the Operator, Users, or third parties.
6.6. Design tools, product configurator, and preparing files for production
Description of processing activity: Users may use tools for creating, editing, personalizing, and preparing product designs, including personalized products. The tools may enable quality improvement, scaling, cropping, combining, modifying, visualization, and checking file parameters.
Scope of data: designs, photos, graphics, logos, inscriptions, dedications, production files, product parameters, technical file data, editing history, design versions, visualizations, mockups, previews, data linked to the Account and Order.
Purposes: creating a product design, personalization, preparing a file for production, generating a visualization, checking technical parameters, enabling Order placement or publication of a Product Presentation.
Legal basis: Article 6(1)(b) GDPR - performance of the Platform service; Article 6(1)(f) GDPR - quality improvement, security, accountability, and protection of rights.
Storage period: for the period of work on the design, order fulfillment, Account maintenance, or the period required to handle complaints, claims, settlements, or legal obligations.
6.7. Use of the AI Assistant and artificial intelligence tools
Description of processing activity: The Platform may provide the AI Assistant and other functionalities based on artificial intelligence tools. The AI Assistant may be used in particular to generate graphics, support order configuration, provide product information, analyze or process photos, graphics, designs, files, prompts, instructions, product data, and other materials provided by the User. Use of the AI Assistant is voluntary. The User decides whether to use this functionality and what data, content, files, or materials to provide when using the AI Assistant.
Scope of data: In connection with use of the AI Assistant, the Operator may process in particular: the content of the User's prompts and instructions, the content of the conversation with the AI Assistant, photos, graphics, designs, files, logos, descriptions, product data, information concerning order configuration, product parameters, results generated by the artificial intelligence tool, history of use of AI functionalities, date and time of tool use, technical data, and links between this data and the User Account, design, product, or order. If the User enters personal data into the AI Assistant, for example a person's image, first name, last name, identification data, contact data, data visible in a graphic or photo, or other information enabling identification of a natural person, such data may be processed as part of the operation of this functionality.
Purposes: providing the AI Assistant and artificial intelligence tools within the Platform, generating answers, graphics, designs, descriptions, recommendations, or configurations, saving the history of the conversation or actions taken using the AI Assistant, saving results generated by the tool, linking results to an Account, design, product, or order, further use of generated materials on the Platform, ensuring security, error diagnostics, handling reports, complaints, and claims, and ensuring accountability of Platform operation.
Legal basis:
Article 6(1)(b) GDPR - performance of an agreement for the provision of electronic services within the scope of making the AI Assistant functionality available and enabling the User to use it; Article 6(1)(f) GDPR - the Controller's legitimate interest consisting in ensuring security, proper operation of the Platform, accountability, report handling, and pursuit or defense of claims.
Data recipients: Data provided when using the AI Assistant may be transferred to external providers of artificial intelligence tools. These providers act as separate controllers of personal data within the scope of the services they provide. The current list of such providers, together with references to their privacy documents and service terms, is included in Appendix 1 to this Privacy Policy - “List of artificial intelligence tool providers.” Data may also be processed by hosting, cloud infrastructure, security, communication tool, helpdesk, or other technical service providers supporting the operation of the Platform, in accordance with the rules described in this Privacy Policy.
Storage period: The history of conversations with the AI Assistant, input data, product data, and results generated by the artificial intelligence tool may be stored for the period of maintaining the Account, design, product, or order to which they are linked, and then for the period necessary to handle reports, complaints, settlements, security, pursuit or defense of claims, or fulfillment of legal obligations. Detailed retention periods on the side of external AI providers are specified in those providers' documents. The current list of such providers, together with references to their privacy documents and service terms, is included in Appendix 1 to this Privacy Policy - “List of artificial intelligence tool providers.”
Warning for the User: The User should not provide to the AI Assistant data that is not necessary to use the given functionality, in particular special category data, confidential data, payment data, identity documents, or third-party data if the User does not have an appropriate legal basis for using it.
6.8. Publishing Product Presentations, offers, catalogs, and product materials
Description of processing activity: Sellers may publish Product Presentations, catalogs, descriptions, prices, visualizations, designs, parameters, and other information related to products or services on the Platform. Some materials may contain personal data, for example data of the design author, contact person, image of a person in a visualization, business name of a natural person, or data in graphic content.
Scope of data: Seller data, data of the person publishing, offer content, photos, graphics, visualizations, logos, descriptions, prices, parameters, publication and change history, visibility status, data concerning moderation and reports.
Purposes: enabling presentation of products and services, operating the marketplace, enabling Orders and Requests for Quotation, communication with potential customers, moderation, and security.
Legal basis: Article 6(1)(b) GDPR - performance of the Platform service; Article 6(1)(f) GDPR - legitimate interest in operating the marketplace and protecting rights.
Storage period: for the period of publication of the Product Presentation, maintenance of the Seller Account, or the period necessary to handle orders, complaints, settlements, reports, claims, and legal obligations.
6.9. Placing Orders and Requests for Quotation
Description of processing activity: The Platform may enable placing Orders for products, including personalized products, and sending Requests for Quotation to Sellers, Manufacturers/Contractors, or other professional Users.
Scope of data: first name, last name, contact data, Account data, Seller data, Manufacturer/Contractor data, product data, order parameters, design, files, graphics, photos, personalization data, delivery address, billing data, order status, change history, correspondence, payment data, complaint data.
Purposes: handling an Order or Request for Quotation, enabling conclusion and performance of an agreement between Users, communication, payment, production, personalization, handling shipping data, complaints, settlements, transaction documentation.
Legal basis: Article 6(1)(b) GDPR - conclusion or performance of an agreement or taking steps at the request of a person before entering into an agreement; Article 6(1)(f) GDPR - legitimate interest in handling transactions, security, and protection of claims; Article 6(1)(c) GDPR - legal obligations, for example tax or accounting obligations.
Data transfer through the Platform: If a User places an Order or Request for Quotation, provides a design, personalization data, shipping data, or another instruction to a Seller, Manufacturer/Contractor, or other professional User, that data is made available to that entity through the Platform to the extent necessary to handle the given action. The Operator processes this data to the extent necessary to provide and handle the Platform, maintain the history of actions, ensure security, communication, accountability, and handling of reports or claims. The Operator does not physically deliver products and does not decide on the delivery method or the entity performing delivery. Shipping data is processed by the Operator to the extent necessary to handle the Platform and is made available through the Platform to the Seller, Manufacturer/Contractor, or other professional User responsible for fulfilling the Order or relevant cooperation. The Seller, Manufacturer/Contractor, or other entity responsible for fulfilling the given Order or cooperation is responsible for organizing and carrying out delivery, including choosing the delivery method, courier company, logistics operator, warehouse entity, fulfillment entity, or other service provider. That entity may use service providers available through the Platform or providers selected outside the Platform. If shipping data is transferred to a courier, logistics operator, warehouse entity, fulfillment entity, or another entity participating in delivery, the transfer is made by the entity responsible for organizing delivery, not by the Operator, unless separate arrangements expressly provide otherwise.
Storage period: for the period of fulfilling the Order or Request, and then for the period required by law, the limitation period for claims, complaint handling period, settlements, or tax obligations.
6.10. Seller - Manufacturer/Contractor relationships and production processes
Description of processing activity: The Platform may enable Sellers, Manufacturers/Contractors, and other professional Users to establish and conduct cooperation through the Platform. This cooperation may concern in particular performance, production, printing, personalization, packing, completing, confectioning, product preparation, logistics services, delivery services, warehouse services, fulfillment, return handling, complaint handling, settlements, or other services offered by professional Users through the Platform.
The Operator provides tools enabling presentation of offers, searching for professional Users, sending inquiries, communication, transferring data, designs, order parameters, production files, or other information needed for cooperation. The Operator does not thereby become a party to agreements concluded between professional Users or an entity performing production, logistics, warehouse, delivery, or fulfillment services, unless separate arrangements expressly provide otherwise.
Scope of data: in this respect, the Operator may process in particular data of the Seller, Manufacturer/Contractor, or other professional User, data of persons acting on their behalf, contact data, profile data, offer data, service scope, cooperation terms, data concerning inquiries, orders, designs, production files, product parameters, fulfillment deadlines, process statuses, shipping data if necessary in the given cooperation model, complaint data, communication, and settlement documents.
Purposes: the purpose of processing data is to enable professional Users to present their services, search for business partners, send inquiries, communicate, agree cooperation terms, transfer information and materials needed to perform a given service, document arrangements, handle settlements conducted through the Platform, ensure security, accountability, and pursue or defend claims.
Legal basis: Article 6(1)(b) GDPR - performance of an agreement for the provision of electronic services within the scope of making Platform functionalities available and taking steps at the User's request before using a given functionality; Article 6(1)(f) GDPR - the Operator's legitimate interest consisting in providing B2B cooperation functionalities, Platform security, accountability for actions, report handling, and pursuit or defense of claims; Article 6(1)(c) GDPR - legal obligations, where applicable.
Roles: Professional Users, including Sellers, Manufacturers/Contractors, logistics operators, courier companies, fulfillment entities, warehouses, or other service providers offering their services through the Platform, may act as separate controllers of personal data to the extent that they independently decide on the purposes and means of processing data within their own business and services provided to other Users. In some processes, the Manufacturer/Contractor may act as a processor processing data on behalf of a Seller or another data controller if it processes data only in accordance with that controller's instructions and to the extent necessary to perform the commissioned service.
The Operator processes data related to such cooperation to the extent necessary to provide and handle the Platform, maintain the history of actions, ensure communication, security, accountability, report handling, and pursue or defend claims.
Storage period: data is stored for the period of using B2B cooperation functionalities, conducting an inquiry, performing a process, or maintaining an Account, and then for the period required by law or necessary to handle reports, complaints, settlements, and pursue or defend claims.
6.11. Payments, settlements, invoices, and subscriptions
Description of processing activity: The Platform may enable payments for products, services, subscriptions, paid functionalities, commissions, settlements between Users, or other amounts due.
Scope of data: identification data, contact data, billing data, invoice data, NIP, VAT ID, address, amount, currency, payment method, payment status, transaction identifier, payment history, refund data, payment complaint data. In the case of card payments, full card data is generally processed by an external payment provider, and the Operator may receive only limited information, for example payment status, transaction identifier, and partially masked payment instrument data.
Purposes: handling settlements conducted through the Platform, handling payments, refunds, payouts, commissions, or fees, and fulfilling the Operator's accounting and tax obligations, where applicable.
Legal basis: Article 6(1)(b) GDPR - performance of an agreement; Article 6(1)(c) GDPR - accounting and tax obligations; Article 6(1)(f) GDPR - pursuit of claims, security, and counteracting abuse.
Recipients: payment providers, banks, card operators, invoicing providers, accounting, tax advisors, public authorities, Sellers, or other professional Users to the extent necessary for settlements.
Storage period: for the period required by accounting and tax laws, and for the limitation period for claims.
6.12. Communication between Users
Description of processing activity: The Platform may provide communication tools enabling contact between Consumers, Sellers, Manufacturers/Contractors, Designers, and other Users, in particular regarding products, designs, orders, quotations, production, order fulfillment, shipping data, and complaints.
Scope of data: sender and recipient data, message content, attachments, date and time, message status, related order, design or product, correspondence history, technical data.
Purposes: enabling communication, fulfillment of orders and cooperation, documenting arrangements, security, dispute handling, moderation, and enforcement of the Terms.
Legal basis: Article 6(1)(b) GDPR - performance of the Platform service; Article 6(1)(f) GDPR - legitimate interest in ensuring communication, security, and protection of claims.
Storage period: for the period of maintaining the Account or carrying out the process to which the communication relates, and then for the period necessary to handle complaints, disputes, claims, or legal obligations.
6.13. Contact with the Operator and report handling
Description of processing activity: When you contact the Operator through a form, email, telephone, social media, or other channels, we process data needed to respond and handle the matter.
Scope of data: first name, last name, email address, telephone number, company name, message content, attachments, Account data, order data, contact history, contact date and channel.
Purposes: responding, handling a report, technical assistance, problem solving, documenting contact, protecting claims.
Legal basis: Article 6(1)(f) GDPR - the Controller's legitimate interest in communication and report handling; Article 6(1)(b) GDPR - if the contact concerns an agreement or pre-contractual steps; Article 6(1)(c) GDPR - if the contact concerns a legal obligation.
Storage period: for the period of handling the matter, and then generally up to 3 years or for the limitation period for claims if the nature of the matter requires it.
6.14. Complaints, returns, disputes, and claims handling
Description of processing activity: In connection with complaints, returns, disputes, claims, or other investigations, we may process data needed to establish the facts, make contact, examine the matter, and secure the interests of the parties.
Scope of data: identification and contact data, Account data, Order data, product data, design, files, complaint photos, problem description, correspondence, decisions, settlements, payment data, documents, history of actions.
Purposes: examining complaints, handling returns, explaining disputes, pursuing or defending claims, fulfilling legal obligations, protecting the rights of the Operator, Users, and third parties.
Legal basis: Article 6(1)(b) GDPR - performance of an agreement; Article 6(1)(c) GDPR - legal obligations; Article 6(1)(f) GDPR - legitimate interest in pursuing and defending claims.
Storage period: for the period of handling the complaint or dispute, and then for the limitation period for claims or the period required by law.
6.15. Reports of violations of law, intellectual property rights, and Prohibited Content
Description of processing activity: The Platform may enable reporting illegal content, Prohibited Content, infringements of intellectual property rights, violations of personal rights, impersonation, deepfakes, fraud, abuse, or other violations of the Terms.
Scope of data: reporter data, data of the person or entity to whom the report relates, report content, justification, attachments, links, content identifiers, Account data, correspondence, moderation decisions, history of actions, technical data.
Purposes: receiving and examining the report, verifying the infringement, content moderation, protecting third-party rights, fulfilling obligations under digital services laws, Platform security, documenting decisions.
Legal basis: Article 6(1)(c) GDPR - legal obligations, where applicable; Article 6(1)(f) GDPR - legitimate interest in protecting the Platform and the rights of the Operator, Users, and third parties.
Storage period: for the period of handling the report, and then for the period necessary to demonstrate the correctness of actions, defend against claims, or fulfill legal obligations.
6.16. Moderation, security, abuse prevention, and Platform protection
Description of processing activity: We process data to detect violations of the Terms, counter fraud, cyberattacks, abuse, spam, scraping, unauthorized access, manipulation, publication of prohibited content, and other actions that may violate Platform security.
Scope of data: Account data, technical data, IP address, logs, activity history, published or transmitted content, reports, moderation decisions, information about blocks, suspensions, Account deletion, unusual activity, attempts to bypass safeguards.
Purposes: security, Platform integrity, enforcement of the Terms, counteracting abuse, protecting Users, protecting third-party rights, detecting and preventing fraud.
Legal basis: Article 6(1)(f) GDPR - the Controller's legitimate interest; Article 6(1)(c) GDPR - legal obligations, where applicable.
Storage period: for the period necessary to ensure security, investigate an incident, take moderation actions, document decisions, and protect claims. Data concerning serious violations may be stored longer, including to prevent bypassing a block or re-registration after a serious violation.
6.17. Analytics, reporting, and Platform development
Description of processing activity: We may analyze how the Platform is used to improve its operation, measure functionality effectiveness, create reports, fix errors, and develop services.
Scope of data: technical data, activity data, usage statistics, in-app events, data concerning views, clicks, conversions, orders, errors, performance, sales and operational reports. Where possible, data is aggregated or pseudonymized.
Purposes: analyzing Platform operation, optimization, product development, quality improvement, reporting for professional Users, error diagnostics, planning functionalities.
Legal basis: Article 6(1)(f) GDPR - the Controller's legitimate interest; consent - in the case of analytics based on cookies or similar technologies, if required.
Storage period: for the period necessary for analytical purposes, no longer than 30 days, unless the data is anonymized.
6.18. Operator's own marketing and informational communication
Description of processing activity: The Operator may conduct informational communication concerning the Platform, changes to the Terms, security, new functionalities, plans, services, promotions, events, or educational content. Electronic marketing communication is conducted in accordance with legal requirements, including based on consent where needed.
Scope of data: first name, email address, telephone number, Account data, User role, consent history, communication preferences, marketing activity, unsubscribe information.
Purposes: providing information about the Platform, promoting the Operator's services, maintaining relationships with Users, informing about new functionalities.
Legal basis: Article 6(1)(f) GDPR - legitimate interest in own marketing; consent - if required for sending electronic or telecommunications communication.
Storage period: until objection, withdrawal of consent, unsubscribe from communication, or the end of the legitimate interest. Data concerning consents and objections may be stored for evidentiary purposes.
6.19. Social media
Description of processing activity: The Operator may maintain social media profiles. We process data of persons who follow profiles, comment, react, share content, send messages, or otherwise interact with the Operator's profile.
Scope of data: profile name, publicly available profile data, image, comments, reactions, messages, content provided voluntarily, statistics provided by the social media platform.
Purposes: communication, Platform promotion, inquiry handling, community building, analysis of communication effectiveness.
Legal basis: Article 6(1)(f) GDPR - legitimate interest in communication and promotion; consent - if it results from the functionality of the given service or laws.
Roles: Social media service operators act as separate data controllers in accordance with their own privacy policies.
Storage period: for the period the data is available in the given service, until the interaction is deleted by the user, an effective objection is raised, or handling of the matter ends.
6.20. Archiving, backups, and business continuity
Description of processing activity: To ensure security, continuity of operation, and the ability to restore data after a failure, we create backups and archive data to the necessary extent.
Scope of data: data covered by other processing processes, saved in production systems, backups, logs, archives, and security systems.
Purposes: security, business continuity, restoration of data after a failure, system resilience, implementation of the accountability principle.
Legal basis: Article 6(1)(f) GDPR - legitimate interest in securing data and systems; Article 6(1)(c) GDPR - legal obligations in the field of security and accountability, where applicable.
Storage period: in accordance with the backup retention cycle, no longer than necessary for security and business continuity purposes. Data deleted from the production system may remain for a limited time in backups until overwritten.
6.21. Exercising data subject rights
Description of processing activity: We process data to handle requests concerning rights under the GDPR, such as access to data, rectification, erasure, restriction, portability, objection, or withdrawal of consent.
Scope of data: identification data, contact data, request content, data covered by the request, correspondence, method of fulfilling the request, action documentation, information needed to verify identity.
Purposes: handling requests, fulfilling legal obligations, demonstrating GDPR compliance, protection against claims.
Legal basis: Article 6(1)(c) GDPR - legal obligation; Article 6(1)(f) GDPR - legitimate interest in documenting actions and protecting claims.
Storage period: for the period of handling the request and up to 3 years from completion of its fulfillment, unless a longer period results from law or is necessary to defend claims.
7. Voluntary Provision of Data
Providing personal data is generally voluntary, but in many cases it is necessary to use the Platform or specific functionalities.
Failure to provide data may make it impossible to:
- create an Account;
- log in to an Account;
- use design tools or AI;
- upload User Content;
- publish a Product Presentation;
- place an Order or Request for Quotation;
- handle payment, complaint, return, or other activities related to an Order;
- complete verification of a professional User;
- use B2B, production, administrative, or settlement functionalities;
- receive a response to a report or inquiry.
If processing is based on consent, providing data is voluntary, and consent may be withdrawn at any time without affecting the lawfulness of processing carried out before its withdrawal.
8. Automated Decision-Making, Profiling, Recommendation Systems, and AI
The Platform may use automated, algorithmic, recommendation, classification, ranking, matching, filtering, anti-fraud, security, moderation, or generative elements. Such mechanisms may be used in particular to:
- generate or modify content using AI Tools;
- propose design settings, product parameters, or file improvements;
- filter, sort, or present offers;
- detect abuse, spam, unauthorized access attempts, or unusual activity;
- support content moderation;
- protect against fraud;
- analyze Platform quality and performance;
- recommend functionalities or products.
As a rule, we do not make decisions about Users based solely on automated processing that would produce legal effects concerning them or similarly significantly affect them within the meaning of Article 22 GDPR, unless this is expressly indicated for a specific functionality and an appropriate legal basis exists. Some technical, security, or moderation decisions may be supported automatically, but in material cases the User may be able to contact the Operator, provide explanations, or appeal, if this results from the Terms, law, or rules of the given functionality.
The Platform may use mechanisms for ordering, filtering, sorting, recommending, or presenting content, products, offers, designs, or functionalities. These mechanisms may take into account in particular product category, search parameters, User settings, functionality availability, product popularity, activity history on the Platform, technical data, data concerning interaction with the Platform, or other criteria related to Platform operation. The purpose of using such mechanisms is to facilitate use of the Platform, present the User with content or offers corresponding to the User's query or context of Platform use, improve service quality, and develop Platform functionalities. The use of ranking or recommendation mechanisms does not mean making decisions about the User based solely on automated processing that would produce legal effects concerning the User or similarly significantly affect the User within the meaning of Article 22 GDPR, unless expressly indicated otherwise for a specific functionality.
9. Cookies, Similar Technologies, and Server Logs
The Platform may use cookies, browser local storage, pixels, device identifiers, and similar technologies. Cookies may be used in particular to:
- ensure proper operation of the Platform;
- maintain session and login;
- remember User settings;
- ensure security;
- detect abuse;
- conduct analytics;
- improve performance;
- personalize functionalities;
- conduct marketing activities, if implemented.
Cookies may be the Operator's own cookies or third-party cookies, for example from analytics, security, marketing, communication, or integration providers.
Essential cookies may be used without consent if they are necessary to provide a service requested by the User or for the proper operation of the Platform. Analytical, marketing, or other technically unnecessary cookies may be used after consent is obtained, if such consent is required.
The User may manage cookies through browser settings and, if the mechanism is implemented, through the cookie consent panel available on the Platform.
Independently of cookies, the Platform may process server logs, including IP address, request date and time, error information, technical connection and activity data, only to the extent necessary to ensure security, stability, and diagnostics.
10. Recipients of Personal Data
Personal data may be transferred or made available through the Platform to the following categories of recipients, only to the extent necessary to achieve the purposes described in this Privacy Policy:
- persons authorized by the Operator, including employees and coworkers, to the extent necessary to perform their duties related to operating and supporting the Platform;
- hosting, cloud infrastructure, database, backup, technical maintenance, and security providers - to maintain the Platform, store data, and ensure its availability, performance, and security;
- IT tool, administrative system, CRM, helpdesk, email, and communication tool providers - to handle Accounts, communicate with Users, send system messages, and handle reports, inquiries, complaints, and other matters addressed to the Operator;
- providers of artificial intelligence tools available through the Platform - within the scope of data provided in connection with the User's use of the AI Assistant or other AI Tools; these providers act as separate controllers of personal data, and the current list of such providers is included in Appendix 1 to this Privacy Policy;
- banks, payment operators, payment card operators, and other payment or settlement service providers - to handle payments, refunds, payouts, settlements, transaction identification, commissions or fees, and counter payment abuse;
- invoicing, accounting, tax, financial, legal, audit, or advisory service providers - to keep settlements, fulfill accounting and tax obligations, provide legal service, audit, pursue claims, or defend against claims;
- Sellers - if the User places an Order or Request for Quotation, provides a design, communicates, or gives another instruction to a given Seller through the Platform, to the extent necessary to handle that activity, in particular sales, communication, settlements, complaints, or fulfillment of the Seller's obligations;
- Manufacturers/Contractors, logistics operators, courier companies, entities providing warehousing, packing, completing, fulfillment services, or other professional Users or providers participating in handling an Order or B2B cooperation - to the extent necessary to handle the given activity, in particular fulfillment of an Order, inquiry, design, personalization, product preparation, shipment, delivery, return, complaint, settlements, or performance of a service offered or handled through the Platform;
- verification, anti-fraud, and security service providers - to verify professional Users, secure the Platform, detect abuse, counter fraud, protect against unauthorized access, and protect the rights of the Operator, Users, and third parties;
- analytics and reporting providers - to analyze how the Platform is used, improve its operation, diagnose errors, develop functionalities, and create statistics and reports;
- social media operators - within the scope resulting from Users' use of the Operator's social media profiles or interaction with the Operator's content in those services;
- public authorities, courts, prosecutors, supervisory authorities, or other entities authorized by law - if the obligation to transfer data results from law, a decision of a competent authority, or is necessary to protect the Operator's rights;
- buyers or potential buyers of the Operator's enterprise, shares, organized part of the enterprise, or assets, if related to a reorganization, investment, sale, or similar process and lawful.
Entities to which data is made available through the Platform or transferred in connection with use of the Platform may act as processors processing personal data on behalf of the Operator or as separate controllers of personal data. This applies in particular to banks, payment operators, AI Tool providers, social media operators, public authorities, Sellers, Manufacturers/Contractors, logistics operators, courier companies, warehouse entities, entities providing packing, completing, or fulfillment services, and other professional Users or providers participating in handling an Order or B2B cooperation, who process data for their own purposes and according to rules specified in their own documents or arising from law.
The Platform may enable handling of shipping data and cooperation with entities participating in fulfilling an Order, such as Sellers, Manufacturers/Contractors, logistics operators, courier companies, warehouse entities, or entities providing packing, completing, or fulfillment services. Shipping data is processed by the Operator to the extent necessary to handle the Platform, Order, communication, accountability, and cooperation between Users.
The Seller, Manufacturer/Contractor, or other entity responsible for fulfilling the given Order or cooperation is responsible for choosing the delivery method, choosing the entity performing delivery, and organizing delivery. That entity may use service providers available through the Platform or providers selected outside the Platform.
If shipping data is transferred to a courier company, logistics operator, warehouse entity, fulfillment entity, or another entity participating in delivery, the transfer is made by the entity responsible for organizing delivery, not by the Operator, unless separate arrangements expressly provide otherwise.
Personal data is not sold to third parties. Data may be transferred or made available through the Platform only to the extent necessary to achieve the described purposes, in accordance with law and with appropriate safeguards.
11. Transfers of Data Outside the European Economic Area
As a rule, we strive for personal data to be processed within the European Economic Area. However, due to the use of technology, cloud, AI, analytics, payment, communication, or security providers, data may be transferred outside the EEA. If data is transferred outside the EEA, this takes place only in accordance with the GDPR, in particular based on:
- an adequacy decision of the European Commission;
- standard contractual clauses;
- additional safeguards, if required;
- other mechanisms provided for by the GDPR.
In connection with use of services of some providers, including AI Tool providers, personal data may be transferred outside the European Economic Area. If such transfer occurs, it takes place in accordance with Chapter V GDPR, in particular based on an adequacy decision of the European Commission or using standard contractual clauses and, if needed, additional safeguards. General information concerning transfers of data outside the EEA is set out in Appendix 3, “Information about Transfers of Data Outside the European Economic Area.”
12. Data Security
We use technical and organizational measures intended to ensure a level of security appropriate to the risk, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to data. These measures may include in particular:
- access control to systems;
- user authentication;
- encryption of data transmission;
- password protection;
- logging security events;
- backups;
- infrastructure monitoring;
- mechanisms for detecting unusual activity;
- limiting permissions of employees and coworkers;
- data processing agreements with providers;
- incident response procedures;
- security tests, audits, or reviews, if implemented.
The User is also responsible for the security of the User's Account, in particular for keeping the password confidential, not sharing login data, using secure devices, and promptly reporting suspected unauthorized access.
13. Data Subject Rights
Under the rules set out in the GDPR, you have the following rights:
- the right of access to data;
- the right to receive a copy of data;
- the right to rectify data;
- the right to erase data;
- the right to restrict processing;
- the right to data portability;
- the right to object to data processing;
- the right to withdraw consent at any time if processing is based on consent;
- the right to lodge a complaint with a supervisory authority.
The scope of exercising rights depends on the legal basis for processing, the nature of the data, and the role of the entity processing the data. If data is processed by a Seller, Manufacturer/Contractor, AI provider, payment provider, or another separate controller, exercising some rights may require contacting that entity directly. Where possible, we will help determine the proper entity if the request concerns a process carried out through the Platform.
13.1. Right of access to data
You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data and obtain information concerning purposes, data categories, recipients, storage period, rights, and source of data.
13.2. Right to rectify data
You have the right to request rectification of inaccurate data and completion of incomplete data.
13.3. Right to erase data
You have the right to request erasure of data in cases provided for by the GDPR. This right is not absolute. We may refuse to erase data if further processing is necessary, for example to fulfill a legal obligation, pursue claims, defend against claims, ensure Platform security, or perform an agreement.
13.4. Right to restrict processing
You have the right to request restriction of data processing in cases specified in the GDPR, for example when you contest the accuracy of the data, object to its erasure, or need the data for claims.
13.5. Right to data portability
You have the right to receive data you provided to us in a structured, commonly used, machine-readable format if processing is based on consent or an agreement and is carried out by automated means.
13.6. Right to object
You have the right to object to data processing based on the Controller's legitimate interest for reasons related to your particular situation. You also have the right to object at any time to data processing for direct marketing purposes.
13.7. Right to withdraw consent
If processing is based on consent, you may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
13.8. Right to complain
You have the right to lodge a complaint with the competent supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
14. How to Exercise Rights
Personal data requests may be submitted:
- by email to: [email protected];
- through Account functionality, if made available;
- through a contact form, if made available.
We respond without undue delay, generally within one month of receiving the request. In the case of a complex request or a large number of requests, the deadline may be extended in accordance with the GDPR. We may ask for additional information necessary to confirm the identity of the person submitting the request if necessary for data security. Exercising rights is generally free of charge. We may charge a reasonable fee or refuse to act if a request is manifestly unfounded or excessive.
15. Data of Third Parties Entered by Users
As part of using the Platform, the User may provide content, files, designs, graphics, photos, prompts, messages, order data, contact data, shipping data, or other materials that contain personal data of other persons. This may concern in particular the image of a person visible in a photo or graphic, the first and last name included in a dedication, data of a person indicated to receive a shipment, data of an employee, coworker, representative, contact person, customer, designer, content author, or another person whose data has been placed or provided through the Platform.
Personal data of third parties included in such content, files, data, or materials is provided to the Operator by the User through the Platform solely as a result of that User's decision concerning the scope of content, files, data, or materials entered into the Platform.
The Operator processes such data only within the scope resulting from the operation of the Platform and actions taken by the User who provided such data. The Operator does not decide to include or provide data of third parties in content, files, data, or materials provided through the Platform.
The User who places or provides such data is responsible for having an appropriate legal basis to provide third-party data, use it within the Platform, and, where applicable, fulfill information obligations toward those persons.
16. Special Category Data and Sensitive Data
The Platform is not intended for intentional processing of special category data within the meaning of Article 9 GDPR or other sensitive data. The Operator does not require providing such data, does not encourage its provision, and does not request that it be entered into the Platform.
Special category data includes in particular data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, sexuality, or sexual orientation.
The User should not enter such data into the Platform, including into prompts, the AI Assistant, designs, photos, graphics, visualizations, messages, product descriptions, dedications, personalized materials, attachments, reports, or other content provided through the Platform, unless it is lawful, necessary to use the given functionality, and the User has an appropriate legal basis for providing and using it.
If, despite the above, the User enters special category data or other sensitive data into the Platform, the User does so at the User's own responsibility and risk. The User who places or provides such data is responsible for the decision to enter such data into the Platform, for the lawfulness of its provision, and for having the proper legal basis.
The Operator processes such data only to the extent it has been provided by the User through the Platform and is necessary for the technical provision and handling of the Platform, including storing content or files, operation of design tools or the AI Assistant, handling Orders, communication, security, reports, complaints, accountability, pursuit or defense of claims, or fulfillment of legal obligations.
17. Account Deletion and Consequences for Data
The User may request deletion of the Account in accordance with the Terms or Platform functionalities. Account deletion does not always mean immediate deletion of all data. Some data may continue to be stored if necessary to:
- perform concluded agreements;
- fulfill Orders, payments, complaints, settlements, or other processes started before Account deletion;
- fulfill accounting, tax, or legal obligations;
- protect against claims;
- ensure Platform security;
- document violations of the Terms;
- handle legal or moderation reports;
- protect the rights of other Users or third parties.
Public content, Product Presentations, designs, comments, messages, or materials linked to transactions may be deleted, anonymized, restricted, or retained to the necessary extent, depending on their nature, the User's role, and applicable laws.
18. Changes to the Privacy Policy
We may amend this Privacy Policy in the event of changes in law, changes to Platform functionalities, implementation of new tools, including AI Tools, changes of providers, changes to the business model, changes in the scope of data processing, or the need to clarify information provided to Users.
The current version of the Privacy Policy is published on the Platform together with the last update date. In the event of material changes, we may additionally inform Users, for example through a notice on the Platform, an email message, or an Account notification.
19. Final Clause
This Privacy Policy is intended to provide transparent information about personal data processing on the CraftWorks Platform. If a specific functionality requires a more detailed description, we may provide additional information directly with that functionality, in special terms, a notice, appendix, consent panel, or separate policy.
20. Appendices to the Privacy Policy
Appendix 1 - List of Artificial Intelligence Tool Providers
The Platform enables the User to voluntarily use functionalities based on artificial intelligence tools provided by external providers. Information is provided to a given provider only when the User independently launches a functionality using that provider's service. If the User does not use a given functionality, information related to its operation is not provided to the provider. The Operator does not attach the User's registration, contact, or billing data, such as first name, last name, email address, telephone number, address, IP address, invoice data, or Account identifier, to information provided to AI providers. Information provided to perform the selected function may contain personal data only if the User independently includes it in the provided content or materials; detailed processing rules are set out in the relevant provider's documents indicated in the table and in the provisions of the Privacy Policy concerning transfers of data outside the EEA.
PROVIDER | FUNCTION IN THE PLATFORM | INFORMATION PROVIDED TO THE PROVIDER | PROVIDER DOCUMENTS |
OpenAI | AI Assistant and image generation, editing, and analysis | prompts, messages, images, files, and results of AI functions | |
Google Gemini API | image generation and editing, design classification, and prompt creation | instructions, images, design parameters, and generated results | |
Recraft | image generation and processing, including upscaling, vectorization, and background removal | prompts, images, processing parameters, and generated results | |
Replicate | image segmentation and creation of masks and cutout areas | images, segmentation parameters, and generated masks and cutout areas | |
Leonardo.Ai | image upscaling | after the function is launched, images, upscaling parameters, and generated results may be provided |
Appendix 2 - List of Key External Service Providers
In connection with operating and maintaining the Platform, the Operator uses services of external providers. Personal data is transferred to providers only to the extent necessary to provide the given service, ensure Platform operation and security, process payments, communicate with Users, and handle technical processes.
PROVIDER NAME | PROVIDER FUNCTION | DATA CATEGORIES | TRANSFER OF DATA OUTSIDE THE EEA |
Vercel Inc. | hosting, traffic handling, deployments, diagnostics, and technical analytics | IP address, device and browser data, URLs, technical logs, and data concerning Platform operation | possible |
Supabase Inc. | database, authentication, session handling, and file storage | Account data, contact data, User and session identifiers, Order data, designs, files, and technical logs | possible |
Redis Ltd. | Platform protection and abuse limitation | technical or hashed request, session, or IP address identifiers, usage counters, and timestamps | possible |
Stripe Payments Europe, Ltd./Stripe, Inc. | handling payments for AI credits, settlements, and transaction statuses | identification and billing data, address, amount, currency, and transaction identifiers and metadata | possible |
PayPro S.A./Przelewy24 | payment handling and transaction status verification | Order and payment identifier, amount, currency, transaction description and status, and data necessary to process payment | no |
Twilio Inc. | sending email messages and transactional notifications | email address, message content, basic Order data, and data concerning message sending and delivery | possible |
MapTiler AG | displaying maps and pickup point locations | IP address, browser technical data, map retrieval requests, and coordinates of the displayed location | possible |
Freepik Company, S.L. | importing graphic assets into designs | search queries, identifiers and previews of selected assets, and technical import data | possible |
Lunaweb GmbH | file conversion | files or file URLs intended for conversion, output files, and technical task information | possible |
Appendix 3 - Information about Transfers of Data Outside the European Economic Area
In connection with the Operator's use of services of some providers, personal data may be transferred outside the European Economic Area if this results from the location of the relevant recipient, the method of providing the service, or the infrastructure used.
If such transfer occurs, it takes place in accordance with Chapter V GDPR, in particular based on an adequacy decision of the European Commission or using standard contractual clauses and, if necessary, additional safeguards.
Information about safeguards used for a specific transfer and how to obtain a copy of them can be obtained by contacting the Controller at the details indicated in the Privacy Policy.