Privacy Policy

Version 1.0  ·  Last updated: 10 April 2026

This Privacy Policy describes how Hotbox sp. z o.o. collects, uses, and protects your personal data when you use our website and hosting services. It complies with Regulation (EU) 2016/679 (GDPR) and the Polish Act on Personal Data Protection (UODO).

1. Data Controller

The controller of your personal data is:

HOTBOX SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
ul. Marii i Bolesława Wysłouchów 13/LU1
30-611 Kraków, Poland
KRS: 0001036090
NIP (VAT ID): 6751782437
REGON: 525316633

For all privacy-related inquiries, please contact our Data Protection contact point:

Email: [email protected]

2. Personal Data We Collect

Depending on your interaction with our website and services, we may collect the following categories of personal data:

2.1 Account and Order Data

  • Full name
  • Email address
  • Country of residence
  • Company name and VAT ID (for business customers invoiced under the reverse-charge mechanism)
  • Billing address

2.2 Payment Data

We accept payments via Stripe and PayPal. All payment card details are processed directly by these payment service providers using industry-standard encryption. We never store or have access to your full card number, CVV, or equivalent payment credentials. We retain only transaction identifiers, amounts, dates, and statuses necessary for accounting and dispute resolution.

2.3 Technical and Usage Data

  • IP addresses (connection logs)
  • Browser type and operating system
  • Pages visited and time spent
  • Referring URLs
  • Error logs and system event logs related to your services

2.4 Communication Data

  • Content of support tickets and emails
  • Records of communications required for contractual or legal purposes

2.5 Cookie and Preference Data

See Section 9 (Cookie Policy) below.

3. Legal Basis for Processing

Purpose | Legal Basis (GDPR Art. 6)
Order processing, service delivery, invoicing, contract management | Art. 6(1)(b) — performance of a contract
Compliance with Polish accounting law (5-year retention of accounting records) | Art. 6(1)(c) — legal obligation
Security monitoring, abuse prevention, fraud detection, server log analysis | Art. 6(1)(f) — legitimate interests pursued by the controller
Sending service-related notifications and announcements | Art. 6(1)(f) — legitimate interests pursued by the controller
Analytics and performance cookies (where applicable) | Art. 6(1)(a) — consent
Language preference and session cookies | Art. 6(1)(f) — legitimate interests (essential website functionality)

Where processing is based on your consent (Art. 6(1)(a)), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Recipients of Personal Data

We share your personal data only where necessary and under appropriate safeguards:

4.1 Payment Processors

  • Stripe, Inc. (United States) — card payments. Stripe is certified to PCI DSS Level 1 and operates under Standard Contractual Clauses (SCC) approved by the European Commission for transfers outside the EEA. See Stripe's Privacy Policy at stripe.com/privacy.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) — PayPal payments. PayPal Europe is an EEA-registered entity; transfers are subject to EEA data protection rules. See PayPal's Privacy Policy at paypal.com/privacy.

4.2 Email Infrastructure

  • Mailcow — open-source email server software we self-host. Email processing occurs on our own infrastructure located within the EEA. No personal data related to email is shared with third-party cloud providers.

4.3 Legal and Regulatory Authorities

We may disclose personal data to Polish courts, law enforcement agencies, the UODO (Urząd Ochrony Danych Osobowych), or other public authorities when required by applicable law or a legally binding court order.

4.4 No Sale of Data

We do not sell, rent, or trade your personal data to third parties for marketing or any other purpose.

5. International Transfers Outside the EEA

Our primary infrastructure is located within the European Economic Area. The only transfer of personal data outside the EEA occurs in connection with Stripe, Inc. (United States), which acts as our payment processor. This transfer is governed by Standard Contractual Clauses (Commission Decision 2021/914) and Stripe's Binding Corporate Rules, providing an adequate level of protection pursuant to Art. 46 GDPR.

No other personal data is routinely transferred outside the EEA. Should this change, we will update this policy and implement appropriate safeguards before any such transfer.

6. Data Retention

Category | Retention Period | Basis
Customer account and order data | Duration of contractual relationship + 5 years | Polish Accounting Act (Ustawa o rachunkowości) — Art. 74
Invoice and billing records | 5 years from the end of the fiscal year | Polish Accounting Act — Art. 74(2)
Connection and access logs (IP, timestamps) | 12 months from the date of collection | Legitimate interest (security, abuse prevention)
Support ticket communications | 3 years from ticket closure | Legitimate interest (dispute resolution, service quality)
Consent records (cookies) | 2 years from consent date or until withdrawn | Legal obligation (GDPR Art. 7(1) — demonstrable consent)

After the applicable retention period, personal data is securely deleted or anonymised.

7. Your Rights Under GDPR

As a data subject, you have the following rights under Chapter III of the GDPR:

  • Right of access (Art. 15) — obtain confirmation of whether we process your data and receive a copy.
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten") where no overriding legal ground exists.
  • Right to restriction of processing (Art. 18) — request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format and transmit it to another controller.
  • Right to object (Art. 21) — object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent (Art. 7(3)) — withdraw any consent previously given, without affecting prior processing.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 calendar days. We may ask you to verify your identity before processing your request.

8. Right to Lodge a Complaint

You have the right to lodge a complaint with the Polish supervisory authority for personal data protection:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: uodo.gov.pl
Email: [email protected]
Phone: +48 22 531 03 00

You may also lodge a complaint with the supervisory authority of your country of habitual residence or place of work within the EU/EEA.

9. Cookie Policy

Cookies are small text files stored on your device that help us deliver and improve our services. We use the following categories of cookies:

9.1 Strictly Necessary Cookies

These cookies are essential for the website to function. They enable session management, authentication, and shopping cart functionality. They cannot be disabled without significantly impairing the website. Legal basis: Art. 6(1)(f) GDPR (legitimate interests — essential functionality).

Cookie Name | Purpose | Duration
session_id | User session management | Session
cart | Shopping cart persistence | 7 days
lang | Preferred interface language | 1 year

9.2 Preference Cookies

These cookies remember your preferences (language, display settings) to enhance your experience. Legal basis: Art. 6(1)(f) GDPR (legitimate interests — improved user experience).

9.3 Analytics Cookies

Where we use analytics tools to understand how visitors interact with our website, such cookies are only set with your prior consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time by clearing your browser cookies or using our cookie preference centre.

We do not currently use third-party behavioural advertising cookies.

9.4 Managing Cookies

You can manage or delete cookies at any time through your browser settings. Please note that disabling necessary cookies may affect website functionality. For guidance on managing cookies in common browsers, visit aboutcookies.org.

10. Data Security

We implement technical and organisational measures appropriate to the risk, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Access controls and authentication requirements for administrative systems
  • Regular security monitoring and intrusion detection
  • Staff training on data protection obligations
  • Contractual data processing agreements with all sub-processors

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the UODO within 72 hours and inform affected data subjects without undue delay, in accordance with GDPR Arts. 33–34.

11. Minors

Our services are intended for individuals aged 18 and over. We do not knowingly collect personal data from persons under 18 years of age. If you believe we have inadvertently collected data from a minor, please contact us at [email protected] and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by posting a notice on our website or by email at least 14 days before the changes take effect. The date of the most recent revision is shown at the top of this page.

Contact: For any privacy-related questions, requests, or concerns, please write to [email protected].


© 2024–2026 Hotbox sp. z o.o. All rights reserved.