Skip to Content

Privacy Policy

1.  Data Controller and Definitions

  1. The controller of the personal data of Customers/Users of the Online Store, also referred to as the Seller, is: RYBA WOODEN Sp. z o.o., phone: +48 609 983 714, Tax ID (NIP): PL9930711964, National Business Registry Number (REGON): 543086320.   
  2. You can contact the Data Controller:
    1. by correspondence address: OŁPINY 66, 38-247 OŁPINY;
    2. by email: info@rybawooden.pl
  3. User – a natural person accessing the website(s) of the Online Store or using the services or functionalities described in this Privacy and Cookies Policy.
  4. Customer – a natural person with full legal capacity, a natural person acting as a Consumer, a legal person, or an organizational unit without legal personality to which the law grants legal capacity, who concludes a distance sales agreement with the Seller.
  5. Online Store – a website operated by the Seller, available at the following electronic address(es): https://rybawooden.pl, through which the Customer/User may obtain information about the Goods and their availability, as well as purchase Goods or order the provision of services.
  6. Newsletter – information, including commercial information within the meaning of the Act of 18 July 2002 on the provision of electronic services (Journal of Laws of 2020, item 344), sent by the Seller to the Customer/User by electronic means; its receipt is voluntary and requires the consent of the Customer/User.
  7. Account – a set of data stored in the Online Store and in the Seller’s ICT system concerning a given Customer/User, including their orders and concluded agreements, through which the Customer/User may place orders and conclude agreements.
  8. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2.  Purposes, Legal Bases and Data Retention Period

  1. For the purpose of performing a distance sales agreement, the Seller processes:
    1. information regarding the User’s device in order to ensure the proper functioning of services: the computer’s IP address, information contained in cookies or other similar technologies, session data, web browser data, device data, and data regarding activity on the Website, including on individual subpages;
    2. geolocation data, if the User has consented to the service provider’s access to geolocation. Geolocation data is used to provide more tailored offers of products and services;
    3. Users’ personal data: first name, last name, registered address, correspondence address, email address, telephone number, tax identification number (NIP), bank account number, or other personal data required to complete a purchase, the provision of which is required by the Controller during the purchasing process.
  2. This information does not include data directly identifying the User; however, when combined with other information, it may constitute personal data, and therefore the Controller affords it full protection under the GDPR.
  3. Such data is processed in accordance with Article 6(1)(b) of the GDPR for the purpose of performing the service, i.e., an agreement for the provision of electronic services in accordance with the Terms and Conditions, and in accordance with Article 6(1)(a) of the GDPR, in connection with the User’s consent to the use of specific cookies or similar technologies, expressed through the appropriate settings of the web browser in accordance with telecommunications law, or in connection with consent to geolocation. The data is processed until the Customer/User ceases to use the Online Store.
  4. The Controller undertakes to implement all measures required under Article 32 of the GDPR, i.e., taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.

3.  Controller’s Marketing Activities

  1. On the Online Store website, the Data Controller may publish marketing information about its products or services. The display of such content is carried out by the Data Controller pursuant to Article 6(1)(f) of the GDPR, i.e., based on the legitimate interest of the Data Controller consisting in publishing content related to the services provided and promotional content concerning campaigns in which the Data Controller is involved. At the same time, such activities do not infringe the rights and freedoms of Customers/Users, as Customers/Users expect to receive content of a similar nature and may even expect it, or it may be the direct purpose of their visit to the Online Store website(s).

4.  Recipients of Users’ Data

  1. The Data Controller discloses Users’ personal data solely to entities processing such data under concluded data processing agreements, for the purpose of providing services to the Data Controller, e.g., hosting and website maintenance, IT services, and marketing and PR services.

5.  Transfer of Personal Data to Third Countries

  1. Personal data will not be processed in third countries.

6.  Rights of Data Subjects

  1. Each data subject has the right to:
    1. access (Article 15 GDPR) – to obtain from the Data Controller confirmation as to whether their personal data are being processed. If personal data concerning a person are being processed, they are entitled to access such data and obtain the following information: the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom the data have been or will be disclosed, the envisaged storage period of the data or the criteria used to determine that period, the right to request rectification, erasure, or restriction of processing of personal data concerning the data subject, as well as the right to object to such processing; 
    2. to obtain a copy of data (Article 15(3) GDPR) – to obtain a copy of the personal data undergoing processing, whereby the first copy is provided free of charge, and for any subsequent copies the Data Controller may charge a reasonable fee based on administrative costs;
    3. rectification (Article 16 GDPR) – to request the rectification of personal data concerning them that are inaccurate, or the completion of incomplete personal data;
    4. erasure (Article 17 GDPR) – to request the erasure of their personal data if the Data Controller no longer has a legal basis for processing them or if the data are no longer necessary for the purposes of processing.
    5. restriction of processing (Article 18 GDPR) – to request the restriction of the processing of personal data where:
      1. the data subject contests the accuracy of the personal data — for a period enabling the Data Controller to verify the accuracy of the data,
      2. the processing is unlawful and the data subject opposes the erasure of the data, requesting instead the restriction of their use,
      3. the Data Controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise, or defence of legal claims,
      4. the data subject has objected to processing — pending verification whether the legitimate grounds on the part of the Controller override those of the data subject;
    6. data portability (Article 20 GDPR) – to receive their personal data, which they have provided to the Data Controller, in a structured, commonly used, machine-readable format, and to request that those data be transmitted to another Data Controller, where the processing is based on the data subject’s consent or on a contract with them, and where the processing is carried out by automated means;
    7. objection (Article 21 GDPR) – to object to the processing of their personal data on grounds relating to their particular situation, including profiling, where the processing is based on the legitimate interests of the Controller. In such a case, the Data Controller assesses whether there are compelling legitimate grounds for processing which override the interests, rights, and freedoms of the data subject, or grounds for establishing, exercising, or defending legal claims. If, according to the assessment, the interests of the data subject override those of the Controller, the Data Controller shall be obliged to cease processing the data for those purposes;
    8. to withdraw consent at any time and without providing any reason, while the processing of personal data carried out prior to the withdrawal of consent shall remain lawful. Withdrawal of consent will result in the Data Controller ceasing to process personal data for the purpose for which that consent was given.
  2. To exercise the above-mentioned rights, the data subject should contact the Data Controller using the provided contact details and inform the Controller which right they wish to exercise and to what extent.

7.  President of the Urząd Ochrony Danych Osobowych (Personal Data Protection Office)

  1. The data subject has the right to lodge a complaint with the supervisory authority, which in Poland is the President of the Urząd Ochrony Danych Osobowych, based in Warsaw at ul. Stawki 2. The authority can be contacted as follows:
  2. by post: ul. Stawki 2, 00-193 Warsaw;
  3. via the electronic submission inbox available at: https://www.uodo.gov.pl/pl/p/kontakt;
  4. helpline: 606-950-000.

8.  Data Protection Officer (DPO)

  1. In any case, the data subject may also contact the Data Controller’s Data Protection Officer directly by email or in writing at the Data Controller’s address provided in Section 1, point 2 of this Privacy and Cookies Policy.

9.  Changes to the Privacy Policy

  1. The Privacy and Cookies Policy may be supplemented or updated in accordance with the current needs of the Data Controller, in order to ensure that Customers/Users are provided with up-to-date and reliable information.

10. Cookies

  1. The Online Store performs functions of obtaining information about Customers, Users, and their behaviour in the following ways:
    1. through information voluntarily entered in forms for purposes arising from the function of a given form;
    2. through storing cookies (so-called “cookies”) on end-user devices;
    3. through the collection of web server logs by the Online Store’s hosting provider (necessary for the proper functioning of the website).
  2. Cookies are IT data, in particular text files, which are stored on the Customer’s/User’s end device and are intended for use of the Online Store website. Cookies typically contain the name of the website from which they originate, the duration of their storage on the end device, and a unique identifier.
  3. The Online Store uses cookies only after the Customer/User of the Store has given prior consent in this regard. Consent to the use of all cookies by the Online Store is given by clicking the “Close” button when the cookie information notice is displayed, or by closing that notice.
  4. If the Customer/User of the Online Store does not consent to the use of cookies by the Online Store, they may select the “I do not consent” option, also available in the cookie notice displayed by the Online Store, or modify the settings of the web browser they are currently using (however, this may result in the improper functioning of the Online Store website).
  5. To manage cookie settings, select your web browser/system from the list and follow the instructions: Internet Explorer, Chrome, Safari, Firefox, Opera, Android, Safari (iOS), Windows Phone.
  6. The legal basis for the processing of personal data derived from cookies is the legitimate interests of the Data Controller, consisting in ensuring high-quality services and maintaining the security of the services.
  7. Within the Online Store, two main types of cookies are used: “session” cookies and “persistent” cookies. “Session” cookies are temporary files stored on the User’s end device until they log out, leave the Online Store, or close the web browser. “Persistent” cookies are stored on the Customer’s/User’s end device for the period specified in the cookie parameters or until they are deleted by the Customer/User.

11.  Analytical cookies

Microsoft Clarity


Our website uses the Microsoft Clarity tool to record how you use and interact with our website through behavioural metrics, heatmaps, and session recordings, in order to improve the quality of the shopping experience. Website usage data is collected using first- and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity.


Conversion tracking identifier (Activity Tracking) – used to collect the history of sources preceding the placement of an order, as well as the source through which the order was placed, in accordance with the last-click attribution model.

Google Maps

SID: 3650 days, cookie

They contain digitally signed and encrypted records of the Google account identifier and the last login time. The combination of these cookies (SID, HSID) allows Google LLC to block various types of attacks, such as attempts to steal the contents of forms submitted through Google services.






  1. Cookies are used for the following purposes:
    1. to create statistics that help understand how Customers/Users of the Online Store use the website, enabling the improvement of its structure and content;
    2. to maintain the Customer/User session (after logging in), thanks to which the Customer/User does not have to re-enter their login and password on each subpage of the Online Store;
    3. to determine the profile of the Customer/User in order to display product recommendations and tailored content in advertising networks, in particular the Google LLC advertising network.
  2. Web browsing software (web browsers) typically allows the storage of cookies on the Customer’s/User’s end device by default. Customers/Users may change these settings. A web browser enables the deletion of cookies, and it is also possible to automatically block cookies.
  3. Restrictions on the use of cookies may affect some of the functionalities available on the Online Store’s website(s).
  4. Cookies placed on the Customer’s/User’s end device may also be used by advertisers and partners cooperating with the Online Store.
  5. Cookies may be used by the Google LLC network to display advertisements tailored to the way the Customer/User uses the Online Store. For this purpose, they may store information about the user’s navigation path or the time spent on a given page:  https://policies.google.com/technologies/partner-sites.
  6. We recommend that the Customer/User read the privacy policy of these companies in order to learn about the rules for the use of cookies used in analytics: the privacy policy of Google Analytics.
  7. With regard to information about the Customer’s/User’s preferences collected by the Google LLC advertising network, the Customer/User may view and edit the information resulting from cookies using the following tool:  https://www.google.com/ads/preferences/.
  8. The Online Store website contains plugins that may transmit Customers’/Users’ data to controllers such as, for example: Google Maps, PayPal, Google reCAPTCHA, IdoAccounts, IdoSell, IAI S.A., and Google LLC.
  9. In order to properly perform the distance sales agreement, the Data Controller may disclose Customers’/Users’ data to courier service providers. The currently available delivery methods in the Online Store are available at the following address: https://rybawooden.pl/pl/delivery.html.
  10. In order to properly perform the distance sales agreement, the Data Controller may disclose Customers’/Users’ data to online payment systems. The currently available prepayment methods in the Online Store are available at the following address:  https://rybawooden.pl/pl/payments.html.
  11. More information regarding the terms and privacy can also be found on the website:  Prywatność i warunki Google.


12.  Account

  1. The Customer/User may not post on the Online Store or provide to the Seller any unlawful content, including opinions and other data of an unlawful nature.
  2. The Customer/User gains access to the Account after completing the registration process.
  3. During registration, the Customer/User provides the type of account or gender, first name, last name, company name, tax identification number (NIP), invoicing details, shipping details, email address, and selects a password. The Customer/User warrants that the data provided in the registration form is true and accurate. Registration requires careful reading of the Terms and Conditions and confirming in the registration form that the Customer/User has read the Terms and Conditions and fully accepts all of its provisions.
  4. At the moment the Customer/User is granted access to the Account, an agreement for the provision of electronic services relating to the Account is concluded between the Seller and the Customer for an indefinite period. A Consumer may withdraw from this agreement in accordance with the terms specified in the Terms and Conditions.
  5. Registration of an Account on one of the Online Store’s websites simultaneously constitutes registration enabling access to the other websites under which the Online Store is available.
  6. The Customer/User may terminate the agreement for the provision of electronic services at any time with immediate effect by informing the Seller via email or in writing to the Data Controller’s address provided in Section 1, point 2 of this Privacy and Cookies Policy.
  7. The Seller has the right to terminate the agreement for the provision of services relating to the Account in the event of cessation of service provision or transfer of the Online Store service to a third party, a breach by the Customer/User of applicable law or the provisions of the Terms and Conditions, as well as in the event of inactivity of the Customer/User for a period of 6 months. Termination of the agreement shall take place with a seven-day notice period. The Seller may stipulate that re-registration of the Account will require the Seller’s consent.