1. GENERAL PROVISIONS

1.1. This privacy policy of the Online Store is informational, meaning that it does not impose any obligations on the Service Recipients or Customers of the Online Store. The privacy policy primarily outlines the principles of personal data processing by the Administrator in the Online Store, including the legal basis, purposes, and duration of data processing, as well as the rights of data subjects, and information regarding the use of Cookies and analytical tools in the Online Store.
1.2. The administrator of the personal data collected via the Online Store is PAWEŁ CEBULAK, conducting business under the name GMOTO. PAWEŁ CEBULAK is registered in the Central Register and Information on Business Activity of the Republic of Poland, maintained by the minister responsible for economic affairs, with the following details: business address and correspondence address: ul. Tadeusza Kościuszki 78, 37-100 Łańcut, NIP 8151750134, REGON 180440676, email address: contact@yakkexp.com – hereinafter referred to as the "Administrator," who is also the Service Provider of the Online Store and the Seller.
1.3. Personal data in the Online Store are processed by the Administrator in accordance with applicable laws, particularly in accordance with Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as the "GDPR" or "GDPR Regulation." The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.4. Using the Online Store, including making purchases, is voluntary. Similarly, providing personal data by the Service Recipient or Customer is voluntary, with two exceptions: (1) entering into agreements with the Administrator – failure to provide the necessary personal data in the cases and to the extent indicated on the Online Store's website and in the Online Store's Terms and Conditions and this privacy policy will prevent the conclusion of such an agreement. Providing personal data is a contractual requirement, and if the data subject wishes to enter into the agreement, they are required to provide the necessary data. The scope of data required to conclude an agreement is always indicated in advance on the Online Store's website and in the Online Store's Terms and Conditions; (2) statutory obligations of the Administrator – providing personal data is a legal requirement arising from applicable laws imposing obligations on the Administrator (e.g., processing data for the purposes of keeping tax or accounting records), and failure to provide such data will prevent the Administrator from fulfilling these obligations.
1.5. The Administrator takes particular care to protect the interests of data subjects whose personal data are processed, ensuring that the collected data are: (1) processed lawfully; (2) collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes; (3) accurate and adequate for the purposes for which they are processed; (4) stored in a form that allows identification of data subjects, no longer than necessary to achieve the processing purpose; and (5) processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing, as well as accidental loss, destruction, or damage, using appropriate technical or organizational measures.
1.6. Considering the nature, scope, context, and purposes of processing, as well as the risk of infringing the rights or freedoms of individuals, the Administrator implements appropriate technical and organizational measures to ensure that processing is in accordance with the GDPR and can demonstrate this. These measures are periodically reviewed and updated as necessary. The Administrator uses technical measures to prevent unauthorized persons from obtaining and modifying personal data transmitted electronically.
1.7. All words, expressions, and acronyms used in this privacy policy and starting with a capital letter (e.g., Seller, Online Store, Electronic Service) should be understood according to their definitions in the Online Store's Terms and Conditions available on the Online Store's website.

2. LEGAL BASIS FOR DATA PROCESSING

2.1. The Administrator is authorized to process personal data in cases where – and to the extent that – at least one of the following conditions is met: (1) the data subject has given consent to the processing of their personal data for one or more specific purposes; (2) the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract; (3) the processing is necessary for compliance with a legal obligation to which the Administrator is subject; or (4) the processing is necessary for the purposes of the legitimate interests pursued by the Administrator or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child.
2.2. The processing of personal data by the Administrator requires at least one of the bases specified in section 2.1 of this privacy policy. The specific bases for the processing of personal data of Service Recipients and Customers of the Online Store by the Administrator are provided in the next section of this privacy policy – with respect to the specific purpose of processing the personal data by the Administrator.
3. PURPOSE, LEGAL BASIS, AND PERIOD OF DATA PROCESSING IN THE ONLINE STORE

3.1. The purpose, legal basis, period, and recipients of personal data processed by the Administrator result from the actions taken by a given Service Recipient or Customer in the Online Store or by the Administrator. For example, if a Customer chooses to make a purchase in the Online Store and opts for in-store pickup of the purchased product instead of courier delivery, their personal data will be processed for the performance of the Sales Agreement but will not be shared with the courier delivering the shipment on behalf of the Administrator.
3.2. The Administrator may process personal data in the Online Store for the following purposes, on the legal bases, and for the periods indicated in the table below:
Purpose of data processing Legal basis for data processing Data retention period Performance of the Sales Agreement or the provision of Electronic Services, or taking actions at the request of the data subject prior to entering into such agreements Article 6(1)(b) of the GDPR (performance of the contract) – processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into the contract Data are retained for the period necessary to perform, resolve, or otherwise conclude the Sales Agreement or the Electronic Service agreement. Direct marketing Article 6(1)(f) of the GDPR (legitimate interest of the Administrator) – processing is necessary for the legitimate interests of the Administrator, which involve maintaining the interests and image of the Administrator, the Online Store, and promoting the sale of products Data are retained for the duration of the legitimate interest of the Administrator, but not longer than the statute of limitations for the Administrator's claims against the data subject in connection with the Administrator's business activities. The limitation period is determined by law, particularly the Civil Code (the basic limitation period for claims related to business activities is three years, and for the Sales Agreement, two years). Marketing Article 6(1)(a) of the GDPR (consent) – the data subject has given consent for the processing of their personal data for marketing purposes Data are retained until the data subject withdraws their consent to further processing of their data for this purpose. Providing feedback on the concluded Sales Agreement Article 6(1)(a) of the GDPR – the data subject has given consent for the processing of their personal data for providing feedback Data are retained until the data subject withdraws their consent to further processing of their data for this purpose. Maintaining accounting books Article 6(1)(c) of the GDPR in conjunction with Article 74(2) of the Accounting Act of 30 January 2018 (Journal of Laws of 2018, item 395, as amended) – processing is necessary to comply with a legal obligation to which the Administrator is subject Data are retained for the period required by law, which obliges the Administrator to keep accounting books (5 years, starting from the beginning of the year following the financial year to which the data pertains). Determining, pursuing, or defending claims that the Administrator may raise or that may be raised against the Administrator Article 6(1)(f) of the GDPR (legitimate interest of the Administrator) – processing is necessary for the legitimate interests of the Administrator, which involve determining, pursuing, or defending claims Data are retained for the duration of the legitimate interest pursued by the Administrator, but not longer than the limitation period for claims that may be raised against the Administrator (the basic limitation period for claims against the Administrator is six years). Using the Online Store and ensuring its proper operation Article 6(1)(f) of the GDPR (legitimate interest of the Administrator) – processing is necessary for the legitimate interests of the Administrator, which involve managing and maintaining the Online Store Data are retained for the duration of the legitimate interest pursued by the Administrator, but not longer than the limitation period for claims the Administrator may raise against the data subject in connection with the Administrator's business activities. The limitation period is determined by law, particularly the Civil Code (the basic limitation period for claims related to business activities is three years, and for the Sales Agreement, two years). Maintaining statistics and analyzing traffic in the Online Store Article 6(1)(f) of the GDPR (legitimate interest of the Administrator) – processing is necessary for the legitimate interests of the Administrator, which involve maintaining statistics and analyzing traffic to improve the functioning of the Online Store and increase product sales Data are retained for the duration of the legitimate interest pursued by the Administrator, but not longer than the limitation period for claims the Administrator may raise against the data subject in connection with the Administrator's business activities. The limitation period is determined by law, particularly the Civil Code (the basic limitation period for claims related to business activities is three years, and for the Sales Agreement, two years).

4. RECIPIENTS OF DATA IN THE ONLINE STORE

4.1. In order for the Online Store to function properly, including the execution of Sales Agreements, the Administrator must use services from external entities (such as software providers, couriers, or payment processors). The Administrator only cooperates with processing entities that provide sufficient guarantees of implementing appropriate technical and organizational measures to ensure that processing meets the requirements of the GDPR and protects the rights of data subjects.
4.2. Personal data may be transferred by the Administrator to a third country. However, the Administrator ensures that such transfer will only occur to a country that provides an adequate level of protection in accordance with the GDPR, and in the case of other countries, the transfer will be based on standard data protection clauses. The Administrator ensures that the data subject has the possibility to obtain a copy of their data. The Administrator only transfers personal data when necessary to fulfill a specific processing purpose in accordance with this privacy policy.
4.3. The transfer of data by the Administrator does not occur in every case, nor to all the recipients or categories of recipients specified in the privacy policy – the Administrator only transfers data when necessary for the processing purpose and only to the extent required to fulfill it. For example, if the Customer chooses in-store pickup, their data will not be shared with the courier cooperating with the Administrator.
4.4. The personal data of Service Recipients and Customers of the Online Store may be transferred to the following recipients or categories of recipients:
4.4.1. Couriers / carriers / shipping brokers / warehouse and/or shipping service providers – in the case of a Customer choosing postal or courier delivery, the Administrator will provide the collected personal data to the selected carrier, shipping broker, or intermediary executing shipments on behalf of the Administrator, and if shipping occurs from an external warehouse – to the entity handling the warehouse and/or shipping process – to the extent necessary for the product delivery.
4.4.2. Payment processors – if a Customer chooses electronic payment methods or credit card payment in the Online Store, the Administrator will provide the collected personal data to the selected payment processor to handle the payment on behalf of the Administrator, to the extent necessary for processing the payment.
4.4.3. Credit and leasing entities – if a Customer opts for installment or leasing payments in the Online Store, the Administrator will provide the collected personal data to the selected credit or leasing provider for processing the payment on behalf of the Administrator, to the extent necessary.
4.4.4. Service providers who supply the Administrator with technical, IT, and organizational solutions that enable the Administrator to conduct business, including the Online Store and the provision of Electronic Services through it (e.g., software providers for managing the Online Store, email, and hosting service providers, and software for business management and technical support) – the Administrator will share the collected personal data with the selected service provider acting on their behalf only when necessary to fulfill a specific processing purpose in accordance with this privacy policy.
4.4.5. Providers of accounting, legal, and consulting services who support the Administrator in accounting, legal, or consulting matters (e.g., accounting offices, law firms, or debt collection companies) – the Administrator will share the collected personal data with the selected provider acting on their behalf only when necessary to fulfill a specific processing purpose in accordance with this privacy policy.
4.4.6. Providers of social media plugins, scripts, and similar tools embedded on the Online Store’s website that enable users visiting the Online Store to retrieve content from these providers (e.g., logging in using social media credentials) and sharing personal data with these providers, including:
4.4.6.1. Alphabet Inc. – The Administrator uses YouTube plugins on the Online Store’s website, and in this regard, collects and shares personal data of the Service Recipient visiting the Online Store with Alphabet Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, United States) to the extent and according to the privacy rules available here: https://www.youtube.com/intl/ALL_pl/howyoutubeworks/user-settings/privacy/ (This data includes information about actions on the Online Store’s website, including device information, visited websites, purchases, viewed ads, and usage of services – regardless of whether the Service Recipient has a YouTube account or is logged into YouTube).
4.4.6.2. Meta Platforms Ireland Ltd. – The Administrator uses Facebook plugins (e.g., Like button, Share button, or login with Facebook credentials) and Instagram on the Online Store’s website, and in this regard, collects and shares personal data of the Service Recipient visiting the Online Store with Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) to the extent and according to the privacy rules available for Facebook here and for Instagram here (This data includes information about actions on the Online Store’s website, including device information, visited websites, purchases, viewed ads, and usage of services – regardless of whether the Service Recipient has a Facebook or Instagram account and is logged into Facebook or Instagram).
4.4.6.3. TikTok Technology Limited – The Administrator uses TikTok plugins on the Online Store’s website, and in this regard, collects and shares personal data of the Service Recipient visiting the Online Store with TikTok Technology Limited (10 Earlsfort Terrace, Dublin, D02 T380, Ireland) to the extent and according to the privacy rules available here: https://www.tiktok.com/legal/privacy-policy?lang=pl (This data includes information about actions on the Online Store’s website, including device information, visited websites, purchases, viewed ads, and usage of services – regardless of whether the Service Recipient has a TikTok account and is logged into TikTok).

5. PROFILING IN THE ONLINE STORE

5.1. The GDPR requires the Administrator to inform about automated decision-making, including profiling as per Articles 22(1) and 22(4) of the GDPR, and to provide essential information about the principles of such decision-making, as well as the significance and anticipated consequences for the data subject. In this regard, the Administrator provides information about potential profiling.
5.2. The Administrator may use profiling for direct marketing purposes, but decisions made based on this profiling will not concern the conclusion or refusal of a Sales Agreement or the use of Electronic Services in the Online Store. Profiling may result in offering a discount, sending a discount code, reminding about unfinished purchases, suggesting a product that may match a customer’s interests, or offering better conditions than the standard offer of the Online Store. Despite profiling, the data subject freely decides whether to use the offered discount or better conditions.
5.3. Profiling in the Online Store involves automatically analyzing or predicting a person’s behavior on the Online Store’s website, for example, by adding a specific product to the cart, viewing a specific product page, or analyzing their past purchasing history. The condition for such profiling is that the Administrator has the person’s personal data in order to send them a discount code.
5.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

6. RIGHTS OF THE DATA SUBJECT

6.1. Right of access, rectification, restriction, erasure, or portability – the data subject has the right to request from the Administrator access to their personal data, rectification, erasure ("right to be forgotten"), restriction of processing, and the right to object to processing, as well as the right to data portability. The detailed conditions for exercising these rights are provided in Articles 15-21 of the GDPR.
6.2. Right to withdraw consent at any time – the data subject has the right to withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
6.3. Right to lodge a complaint with a supervisory authority – the data subject has the right to lodge a complaint with a supervisory authority in the manner and procedure specified in the provisions of the GDPR and Polish law, particularly the Personal Data Protection Act. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
6.4. Right to object – the data subject has the right to object at any time on grounds relating to their particular situation to the processing of their personal data based on Article 6(1)(e) (public interest or official authority) or (f) (legitimate interest of the Administrator), including profiling based on these provisions. The Administrator may not continue processing these personal data unless they demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or the grounds for the establishment, exercise, or defense of legal claims.
6.5. Right to object to direct marketing – if personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling, to the extent related to such direct marketing.
6.6. To exercise the rights mentioned in this section of the privacy policy, you can contact the Administrator by sending a relevant message in writing or by email to the Administrator’s address specified at the beginning of this privacy policy or using the contact form available on the Online Store’s website.

7. COOKIES IN THE ONLINE STORE AND ANALYTICS

7.1. Cookies are small text information sent by the server and saved on the device of the person visiting the Online Store (e.g., on the hard drive of a computer, laptop, or memory card of a smartphone – depending on the device used by the visitor). Detailed information about cookies and their history can be found, among other places, here: https://pl.wikipedia.org/wiki/HTTP_cookie.
7.2. Cookies that may be sent by the Online Store’s website can be divided into various types based on the following criteria:
By the provider: Own cookies (created by the Administrator's Online Store), Third-party cookies (other than the Administrator). By their duration on the visitor's device: Session cookies (stored until logging out or closing the browser), Persistent cookies (stored for a defined time or until manually deleted). By the purpose of their use: Essential (necessary for the proper functioning of the Online Store), Functional/preference (customize the website to the visitor's preferences), Analytical and performance (gather information on how the website is used), Marketing, advertising, and social (gather data to display ads, personalize them, measure effectiveness, and conduct other marketing activities, including on external websites).
7.3. The Administrator processes data contained in cookies while visitors use the Online Store’s website for the following specific purposes: Identifying logged-in users, Remembering order form data, Customizing the content of the website, Conducting anonymous statistics, Displaying and personalizing ads.
7.4. Checking the cookies sent by the Online Store’s website in the most popular browsers can be done in the following way: Chrome: Click the lock icon next to the URL. Firefox: Click the shield icon next to the URL. Internet Explorer: Click Tools > Internet Options > Settings > View Files. Opera: Click the lock icon next to the URL. Safari: Click Preferences > Privacy > Manage Website Data.
7.5. Most browsers accept cookies by default, but you can change the cookie settings in your browser. Disabling cookies may affect the functionality of the Online Store, such as preventing the order process.

8. FINAL PROVISIONS
8.1. The Online Store may contain links to other websites. The Administrator encourages reviewing the privacy policy of those websites once you leave the Online Store. This privacy policy applies only to the Administrator’s Online Store.