Free delivery from 250 PLN
language.en

Privacy Policy

Effective from: 2026-05-04

1. General information

This policy applies to the Service: https://velmodo.com.
The operator of the Service and the controller of personal data is: Just Buy S.C. ul. Kalwaryjska 69/9 30-504 Kraków, Polska.
Contact: info@velmodo.com, phone + 48 666-671-631.
Data Protection Officer (if appointed): not appointed.

Controller identification data:

  • full company name and legal form: Just Buy S.C. (civil law partnership),
  • registered office and correspondence address: Just Buy S.C. ul. Kalwaryjska 69/9 30-504 Kraków, Polska,
  • NIP (tax ID): 6793285301,
  • REGON: 527146187,
  • KRS or CEIDG: not applicable to a civil law partnership.

The controller processes personal data in accordance with GDPR (Regulation (EU) 2016/679), Polish data protection law, the Act on provision of electronic services, and the Electronic Communications Law.

2. Scope and data sources

We obtain personal data:

  1. directly from you (e.g., forms, customer account, order, complaint, newsletter subscription);
  2. automatically while you use the Service (e.g., cookies, local storage, device identifiers, technical logs);
  3. to a limited extent from third parties involved in service delivery (e.g., payment status, delivery status);
  4. as a rule, we do not obtain personal data from marketplaces, sales platforms, price comparison websites, or affiliate partners.

If such channels are introduced, this Privacy Policy will be updated accordingly and the data sources will be expressly indicated.

As a rule, we do not collect special categories of personal data (Art. 9 GDPR). Please do not provide such data unless it is necessary and legally permissible.

3. Categories of processed data

Depending on the purpose, we may process:

  • identification data: first name, last name,
  • contact data: e-mail, phone number,
  • address data: delivery address, billing address,
  • purchase data: order history, returns, complaints,
  • billing/invoicing data: invoice data, NIP (for companies),
  • payment and transaction data (without full card details - handled by the payment operator),
  • customer account data,
  • contact form data,
  • newsletter and marketing data,
  • technical data: IP, user-agent, cookie identifiers, device identifiers,
  • analytics and advertising data,
  • product review data,
  • data submitted in complaints and returns, including defect descriptions and, if provided by the user, product photos,
  • currently, the Store does not process data for product personalization (e.g., embroidery/print content); if personalization is introduced, the policy will be updated with data scope, purposes, legal bases, and retention periods,
  • currently, the Store does not run a size quiz or body-fit recommendation tool; if such a feature is implemented, the policy will be updated with data categories, processing logic, and legal bases.

We process personal data only to the extent necessary for specific purposes:

  1. Creation and maintenance of a customer account: Art. 6(1)(b) GDPR (performance of an electronic services contract).
  2. Placing and fulfilling orders, delivery, payment handling: Art. 6(1)(b) GDPR.
  3. Issuing invoices and fulfilling accounting/tax obligations: Art. 6(1)(c) GDPR.
  4. Handling complaints, returns, and withdrawal from contract: Art. 6(1)(b) and (c) GDPR (depending on the legal obligation involved).
  5. Contact with customers regarding orders, complaints, returns, or inquiries: Art. 6(1)(b) or (f) GDPR.
  6. Pursuing claims, defending against claims, preventing abuse: Art. 6(1)(f) GDPR.
  7. Direct marketing of our own products/services, including basic segmentation: Art. 6(1)(f) GDPR; electronic marketing communication requires compliance with the Electronic Communications Law.
  8. Newsletter and marketing communication by e-mail/SMS/push (if provided): Art. 6(1)(a) GDPR (consent) and Electronic Communications Law provisions.
  9. Analytics and statistical measurement: Art. 6(1)(f) GDPR and, for technologies requiring consent, Art. 6(1)(a) GDPR and Electronic Communications Law provisions.
  10. Remarketing and tailored ads: Art. 6(1)(a) GDPR (for technologies requiring consent) and relevant Electronic Communications Law provisions.
  11. Publication and handling of product reviews: Art. 6(1)(f) GDPR; where publication includes image or additional personal data, Art. 6(1)(a) GDPR (consent), if required.
  12. Running social media profiles and communicating with users: Art. 6(1)(f) GDPR.
  13. Loyalty program: we process data to handle participation, calculate and deliver benefits, and communicate regarding the program; legal basis: Art. 6(1)(b) GDPR (performance of program terms), and for analytics/abuse prevention also Art. 6(1)(f) GDPR.
  14. Abandoned carts and marketing automation: we process data to remind users of incomplete orders, recover carts, and run marketing activities; legal basis: Art. 6(1)(f) GDPR (legitimate interest), while electronic communication is carried out in accordance with the Electronic Communications Law and, where required, on the basis of consent (Art. 6(1)(a) GDPR).
  15. Customer account security, including two-factor authentication (2FA), one-time codes, and recovery codes: Art. 6(1)(f) GDPR (legitimate interest of the controller in protecting accounts and preventing abuse).

5. Mandatory vs voluntary data provision

Providing data is generally voluntary, but may be necessary for:

  • concluding and performing a contract,
  • fulfilling the controller's legal obligations,
  • responding to a request.

Failure to provide data required for order fulfillment, payment, delivery, complaint, or return handling may make those activities impossible.

6. Data recipients / categories of recipients

Data may be shared with entities that process data on our behalf (processors) or act as separate controllers, to the extent necessary to achieve the purposes:

  • hosting and IT infrastructure: Azure,
  • IT support, e-mail, SMS, and technical tools: Azure,
  • payment operators: mElements S.A. (Paynow),
  • carriers and pickup points: DHL, DPD, FedEx, InPost, Poczta Polska, GLS,
  • analytics tools: Google Analytics 4,
  • marketing/advertising tools: Meta Ads, Google Ads,
  • public authorities - where required by law,
  • e-commerce platform: the controller's proprietary in-house solution (no external SaaS store platform provider),
  • accounting office / accounting system: external accounting office IDORA TAX Spolka z o.o. and accounting-invoicing system provider PodatkiPodatki.pl.

If an entity processes data on our behalf, processing is based on a data processing agreement compliant with Art. 28 GDPR.

7. Data retention periods

We store data for no longer than necessary for the purpose and legal obligations:

  • customer account: until account deletion or an effective erasure request (taking into account periods necessary for settlements and claim defense),
  • order fulfillment: for the duration of fulfillment and then for periods resulting from legal provisions and limitation periods,
  • accounting and tax records: for the period required by tax and accounting laws,
  • complaints and returns: for the period required by law and claim limitation periods,
  • claim pursuit/defense: until applicable limitation periods expire,
  • marketing data based on consent: until consent is withdrawn,
  • marketing data based on legitimate interest: until an effective objection is raised,
  • cookie and analytics data: according to the lifetime of a given cookie/identifier and tool settings,
  • customer correspondence: for the period necessary to handle the case and possible claim defense.

8. Your rights (Art. 15-22 GDPR)

You have the right to:

  • access data,
  • rectify data,
  • erase data,
  • restrict processing,
  • data portability,
  • object to processing based on Art. 6(1)(f) GDPR,
  • withdraw consent at any time (without affecting the lawfulness of processing before withdrawal),
  • not be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you (if applicable),
  • lodge a complaint with the President of UODO.

Requests regarding your rights may be sent to: info@velmodo.com.

9. Procedure for exercising data subject rights

  1. A request may be submitted by e-mail or in writing.
  2. To protect data, we may request identity verification.
  3. We respond without undue delay, generally within 1 month of receiving the request.
  4. In justified cases, the deadline may be extended by another 2 months, about which we will inform you.
  5. Exercising rights is generally free of charge, subject to cases provided for in Art. 12 GDPR.

10. Complaint to supervisory authority

Supervisory authority: President of the Polish Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw.
Information: uodo.gov.pl/526.

11. Cookies, local storage, pixels, and similar technologies

The Service uses technologies such as cookies, local storage, device identifiers, pixels, and similar mechanisms.

Technology categories:

  • necessary - ensure Service operation,
  • functional - remember preferences,
  • analytics - measure statistics and performance,
  • marketing - tailor ads and campaign measurement.

Legal basis:

  • necessary technologies: legitimate interest of the controller (Art. 6(1)(f) GDPR),
  • analytics and marketing technologies requiring consent: Art. 6(1)(a) GDPR and relevant Electronic Communications Law provisions.

The Store uses local storage/session storage also beyond strictly necessary functions, in particular to remember user preferences, analytics, and marketing activities; where required by law, these technologies are used after obtaining user consent.
The Store uses server-side tracking for analytics, conversion measurement, and campaign effectiveness improvement; data are processed in accordance with data minimization, and where required by law, after obtaining appropriate consent.

Users can manage cookie consents and similar technologies:

  • in the consent panel (CMP) available in the Service,
  • in browser settings.

Consent management panel (CMP): /.

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

13. Analytics and advertising tools

The Store may use analytics and advertising tools of external providers. Current list resulting from configuration: Google Analytics 4, Meta Ads, Google Ads.

Required factual confirmation:

  • the Store uses Google Analytics 4; privacy configuration includes, among others, data scope limitation mechanisms and retention settings according to the tool configuration,
  • the Store uses Google Ads, including remarketing and conversion measurement,
  • the Store uses Meta Pixel and Conversions API,
  • the Store uses TikTok Pixel,
  • the Store runs dynamic campaigns and abandoned-cart remarketing.

If these tools use cookies or similar technologies that are not required for Service operation, they are activated after obtaining the required user consent.

14. Newsletter and marketing communication

Newsletter and electronic marketing communication are carried out in accordance with GDPR and Electronic Communications Law provisions.

  • marketing consent is voluntary,
  • consent may be withdrawn at any time,
  • consent withdrawal is possible via unsubscribe link or contact at info@velmodo.com.

Mailing system and marketing automation: the controller's proprietary in-house solution (no external SaaS mailing platform provider).

15. Reviews, customer photos, social media

If a user publishes a review, photo, or other content, data are processed for review handling and publication, and for content moderation.

  • legal basis: Art. 6(1)(f) GDPR (legitimate interest of the controller),
  • if publication requires separate consent (e.g., additional promotional materials, use of image outside standard review publication) - legal basis: Art. 6(1)(a) GDPR.

The Store does not publish customer photos or styling content sourced from social media.

16. Complaints, returns, and size exchange

Within complaint, return, and potential size exchange handling, we may process identification, contact, and order data, and data concerning reported non-conformity/defect (including photos submitted by the customer).

Legal basis: Art. 6(1)(b) and (c) GDPR (contract performance and legal obligations), and Art. 6(1)(f) GDPR (claim defense).

17. Product personalization and size recommendations

If the Store offers product personalization (e.g., print/embroidery) or size/body-fit recommendation tools, data provided by the user are processed solely for providing that service.

18. Profiling and automated decision-making

We may apply marketing profiling (e.g., audience segmentation, ad-content matching) to the extent that it does not produce legal effects for the user and does not similarly significantly affect the user.

We do not make decisions concerning customers based solely on automated processing that produce legal effects or similarly significantly affect the user, unless explicitly indicated otherwise.

19. Transfers outside the EEA

Due to use of services of certain providers (e.g., analytics, advertising, cloud tools), data may be transferred outside the EEA.

Where transfers occur, we apply legally required mechanisms, in particular:

  • Standard Contractual Clauses of the European Commission (SCC),
  • additional safeguards adequate to the risk,
  • transfer impact assessment (TIA), where required.

Information on transfers and safeguards can be obtained by contacting: info@velmodo.com.

20. Data security (Art. 32 GDPR)

The controller implements appropriate technical and organizational measures, including:

  • encrypted transmission (TLS/SSL),
  • access control and data minimization principle,
  • account-authentication mechanisms, including 2FA (if enabled by the user), together with recovery-code handling,
  • backup and monitoring mechanisms,
  • incident-management procedures,
  • cooperation with processors under data processing agreements.

21. Personal data breaches (Art. 33 and 34 GDPR)

In the event of a personal data breach, the controller applies risk assessment procedures and, where required by law:

  • notifies the President of UODO without undue delay, no later than within 72 hours of becoming aware of the breach,
  • notifies affected data subjects if the breach is likely to result in a high risk to their rights or freedoms.

22. Children's data

The Service is not directed to persons under 16 years of age. If we become aware of processing a child's data without required legal grounds, we will take appropriate actions in accordance with the law.

23. Consistency of documents and consents

This Privacy Policy should be applied together with:

  • the Store Terms and Conditions,
  • complaint and return rules,
  • cookie banner communications and settings,
  • marketing consent forms.

24. Policy changes and versioning

The current version of this policy is published on this page. Changes are introduced in particular in the event of:

  • legal changes,
  • processing workflow changes,
  • tool and provider changes.

Archived versions are made available upon request or as part of the Service's legal document archive.

PDF document versionDownload PDF
Brands
Popular categories
Newsletter
newsletter
Join our community to receive updates on the latest promotions and products.
Contact
Shipping within 24h
Secure payments
Return
Legal information: Terms and Conditions, Privacy Policy, Complaints and Returns.
You can manage cookie settings in the consent banner/panel.
Contact: contact@example.com.
Copyright @ 2026
1780494769