I. Data Controller The controller of Your personal data is Patrycja Foltyniak running an unregistered business activity in Gliwice, at Wrocławska 23/3, 44-100, consisting in the sale of goods via the website www.bajahmade.com (hereinafter referred to as "Controller”).

II. Contact details of the Controller You can contact the Controller using the e-mail address shop@bajahmade.com.

III. Purposes of data processing, legal basis The Controller processes Your data in order to:

1. to pursue the legitimate interest of the Controller (on the basis of Article 6(1)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as"GDPR")), which is::
   1. 1.1. contact with the Controller in connection with his/her activity, including communication and solving matters to which the contact relates (in particular, handling enquiries, complaints, etc.), as well as contact with the Controller in other matters;
   2. 1.2. the establishment, exercise or defence of claims;
   3. 1.3. promoting its goods with the help of social media portals (Facebook, Instagram) in order to inform visitors to the Controller's profiles about the Controller's products;
2. contact with regard to the conclusion or performance of a concluded sales agreement (in particular, the conclusion of a sales agreement for the goods offered on the website www.bajahmade.com) (Article 6(1)(b) of the GDPR);
3. to comply with legal obligations incumbent on the Controller (on the basis of Article 6(1)(c)), in particular tax obligations.

IV. Categories of recipients of the data Your personal data, may be shared with the following categories of entities:

1. to entities authorised by law (courts, state bodies, etc.);
2. entities providing services to the Controller, including in particular entities providing payment processing services;

in any case, the processing of Your personal data by the aforementioned recipients will be carried out on the basis of an appropriate authorisation, an agreement on the entrustment of the processing of personal data or on the basis of applicable legislation.

V. Transfers of data outside the European Economic Area The Controller will not transfer your personal data outside the European Economic Area or to an international organisation.

VI. Data retention period Your personal data will be processed by the Controller for:

1. to establish, assert or defend against claims related to the contact carried out - until these claims become time-barred;
2. contact with the Controller until the matter in relation to which the contact relates is concluded;
3. contractual contact - until the expiry of the contract or the statute of limitations for claims related thereto;
4. for tax purposes, for a period of 5 years from the beginning of the year following the year in which the tax liability arose.

VII. Your rights In accordance with the GDPR, you have the right to:

1. request access to Your data and receive a copy of Your data;
2. rectification (amendment) of your data;
3. erasure of data - where there is no legal basis for the data to be processed;
4. restriction of data processing - if the personal data processed by the Controller are incorrect or processed unfoundedly, or if their erasure is not possible due to the existence of a valid legal basis for the processing;
5. data portability - the right to receive, in a structured, commonly used and machine-readable format, personal data provided on the basis of consent or on the basis of a contract; you can also have this data sent directly to another entity;
6. lodge a complaint to the supervisory authority - if Your data are processed unlawfully, you may lodge a complaint with the President of the Personal Data Protection Office.

VIII. Right to object MYou may, at any time, object to the processing of your personal data processed by the Controller in order to pursue a legitimate interest (Article 6(1)(f) GDPR), through the means of communication indicated in point II.

IX. Information about the requirement or the voluntariness of the data and the consequences of failure to provide it The provision of personal data by You is voluntary, but necessary for the Controller to carry out the aforementioned purposes for which processing is carried out on the appropriate legal basis in each case.