PRIVACY POLICY

In connection with the entry into force and the need to apply Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter“the Regulation”), the Seller presents the following information on the rules for processing your personal data.

The protection of private information concerning Users of the website https://surf.inc/en/ (hereinafter“the Website”) is extremely important to us, therefore we make every effort to ensure that you are safe while visiting our Website.

Please read this document (hereinafter“Privacy Policy”) intended to explain the rules for handling your personal data when you visit the Website. Each time you use the Website you are subject to this Privacy Policy, therefore we kindly ask you to read its content at each entry.

This privacy policy presents, among others: rules of contact with Surf Inc Sp. z o.o., with its registered office in Kraków, address: ul. Ks. Stanisława Truszkowskiego 32a, 31-352 Kraków, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division of the National Court Register under number KRS: 0000728287, NIP: 9592006709, REGON: 38001723300000 (hereinafter“the Seller”), rules for collecting, storing and processing personal data by the Seller, sources of obtaining personal data, scope and purpose of processing, the period for which personal data are processed, and the rights of the data subject.

Glossary

The following terms shall mean:

  • “Privacy Policy” – this document titled “Privacy Policy”;

  • “Seller” - Surf Inc Sp. z o.o., with its registered office in Kraków, address: ul. Ks. Stanisława Truszkowskiego 32a, 31-352 Kraków, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division of the National Court Register, under number KRS: 0000728287, NIP: 9592006709, REGON: 38001723300000

  • “Online store” – the website available at https://surf.inc/en/

  • “Customer” – a natural person acting on their own behalf or on behalf of a legal person or an organizational unit without legal personality but with legal capacity under the law, who used the Website by browsing the website available at https://surf.inc/en/ or by submitting personal data to register an individual account in the Online Store or to place an order in the Online Store, or to subscribe to the Newsletter;

  • “Individual account” - a panel assigned individually to the Customer after registering data in the Online Store system, marked with an individual name (login) and password provided by the Customer in the Seller's ICT system, allowing the Customer to use additional functionalities of the Online Store;

  • “Order form” – a form by which the Customer orders goods offered by the Seller in the Online Store and specifies the delivery method, in which the Customer provides the following data: name, surname, country, delivery address, email address, phone number; 

  • “Registration of an Individual Account” – means a form used to register a Customer in the Online Store in order to create an Individual Account via the Online Store, through which the User provides the following personal data: name, surname, email address, password;

  • “Logging in to the Individual Account” – means a form used to log the Customer into the Individual Account in the Online Store – after prior Registration – through which the Customer provides the following personal data: email address, password;

  • “Services” – means the following actions by the Seller undertaken as a result of providing personal data by the Customer: sending the Newsletter by email if the Customer has consented to subscribe; or concluding a sales contract between the Seller and the Customer; or maintaining the Individual Account; or sending a return message containing detailed information about products, an order placed by the Customer, or technical problems on the Website;

  • “Newsletter” – an information bulletin about new products and promotions in the Online Store, to which the Customer has consented by providing their email address in the “Newsletter” field on the Online Store website together with selecting the “Sign up” option.


§ 1. Preliminary provisions

  1. This Online Store is operated by the Seller.

  2. This Privacy Policy is effective from01.02.2023 and defines, among others, the rules for contacting the Seller, the rules for collecting, storing and processing personal data by the Seller, including data that may be entered by you through the Online Store website by filling in the Order Form, during Account Registration or by subscribing to the Newsletter; sources of obtaining personal data, scope and purpose of processing, the period for which personal data are processed and the rights of data subjects.

  3. This Privacy Policy is not directed to persons under 16 years of age and we do not knowingly collect personal data of such persons.

  4. The Online Store may contain external links (hyperlinks) to websites, plugins or applications owned by other entities. Clicking such links or granting permission to connect will result in the transfer of your data (IP address and browser identifier) to the administrator of that website, who becomes a co‑controller of your personal data in that scope (pursuant to the CJEU judgment in case C-40/17). After leaving our Online Store website, we encourage you to read the privacy policy of each website visited in this way.

  5. By accepting this Privacy Policy, the Customer declares that they have read its content, accept its terms and undertake to comply with them.


§ 2. Cookies

  1. The Website uses “Cookies”. When the User enters the Website, a message appears informing about the use of Cookies by the Website. The message is visible to the User until they accept the message about the use of Cookies. Acceptance is made by pressing the appropriate button. 

  2. Detailed information about Cookies, indicating what Cookies are and how they are used by the Website, is available after the User clicks the field labeled: “Cookies policy” appearing simultaneously with the message about the use of Cookies by the Website and in the “Cookies Policy” tab located on the Website.


§ 3. Personal data

  1. Personal data are information about an identified or identifiable natural person. Anonymized data in such a way that the persons to whom the data relate cannot be identified at all or can no longer be identified are not personal data.

  2. The controller of personal data is Surf Inc Sp. z o.o., with its registered office in Kraków, address: ul. Ks. Stanisława Truszkowskiego 32a, 31-352 Kraków, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division of the National Court Register, under number KRS: 0000728287, NIP: 9592006709, REGON: 38001723300000. Contact with the controller: info@surf.inc

  3. Personal data are processed lawfully and with the principles of fairness, transparency and adequacy.

  4. No personal data are collected or processed on the Online Store website for the purpose of transferring or selling them to external entities for marketing purposes. The Seller also does not send messages on behalf of third parties. 

  5. We may collect, process, store and transfer different kinds of your personal data, which we have grouped as follows:

Identity Data, including first name, last name, gender, username or similar identifier.

Contact Data, including billing address, delivery address, email address, phone number.

Transaction Data, including transactions and payments.

Technical Data, including IP address, login data, browser type and version, time zone setting and location, types and versions of browser plug‑ins, operating system and other technology on the devices you use to access the Website.

Account Data, including username and password and order history. 

Usage Data, information on how you use the Online Store website and which Services you use.

Marketing and Communications Data, including your preferences in receiving marketing information and communications from us.

  1. When you use our Online Store website, it may automatically collect your Technical Data regarding your devices or activities and behavior patterns online. We collect these personal data through Cookies and other technologies, in accordance with the “Cookies Policy” available on our Online Store website.


§ 4. Purpose and legal basis for processing your personal data

  1. If the User provides personal data, they will be used according to the purpose of providing them. Below we present a list of purposes/processing activities of your personal data by data category, assigned to legal bases for processing.

Purpose/processing activity 

Type of personal data

Legal basis for processing 

Creation of an individual customer account 

Identity Data

Contact Data

Necessity of processing for the performance of a contract

(Art. 6(1)(b) GDPR)

Order fulfillment

Identity Data

Contact Data

Account Data

Necessity of processing for the performance of a contract

(Art. 6(1)(b) GDPR)

Notification of product availability

Contact Data

Taking steps prior to entering into a contract

(Art. 6(1)(b) GDPR)

Enabling Newsletter subscription

Sending a request to rate the store 

Identity Data

Conclusion and performance of a contract

(Art. 6(1)(b) GDPR)  

Consent to receive commercial information by electronic means and consent to direct marketing performed using telecommunications terminal equipment.

(Art. 6(1)(a) GDPR)

Notifying about changes to regulations and policies

Identity Data

Contact Data

Account Data

Necessity of processing for the performance of a contract

(Art. 6(1)(b) GDPR) 

Legal obligation

(Art. 6(1)(c) GDPR)


Management and ensuring the security of the Seller and its Online Store (diagnostics and maintenance of the system, data analysis, testing, server management and hosting)

Identity Data

Contact Data

Technical Data

Legitimate interest of the controller (conducting business, managing IT processes, ensuring network security, preventing fraud)

(Art. 6(1)(f) GDPR)

Legal obligation

(Art. 6(1)(c) GDPR)

Providing appropriate content of the Online Store website and advertisements, as well as analyzing the effectiveness of advertising campaigns

Account Data

Usage Data

Marketing and Communications Data

Technical Data

Consent through acceptance of the Cookies message referred to in § 2(2) of this Policy

(Art. 6(1)(a) GDPR)

Providing the Customer with a response message containing detailed information about products, orders placed by the Customer or technical problems on the Website

Contact Data

Identity Data

Taking steps prior to entering into a contract

Necessity of processing for the performance of a contract

(Art. 6(1)(b) GDPR) 

Transfer of data to other entities operating websites, plugins or applications, to which external links are placed on our Website

Technical Data

Consent through acceptance of the Cookies message referred to in § 2(2) of this Policy

(Art. 6(1)(a) GDPR)


  1. Providing personal data is voluntary; however, failure to consent to processing of personal data prevents registration of an Individual Account and order fulfillment.

  2. One of the ways we process personal data is profiling. We may use your Identity, Contact, Technical, Usage and Account Data to create profiles of our Customers' preferences and thus, based on them, tailor our services and content to you. This way we can decide which of our Services may be appropriate for you.

§ 5. Sharing your personal data and international transfers

  1. For the purposes indicated in the preceding paragraph, we may disclose your personal data to external third parties such as courier, accounting and IT companies, providing services such as hosting, cloud computing, social media sites, as well as to the Tax Office and other public authorities in the Republic of Poland.

  2. If the Customer chooses payment through an external payment system, their data are transferred to the payment operator to the extent necessary to process the payment. 

  3. We require all third parties to maintain security measures regarding your personal data and to process them lawfully. We do not allow our suppliers to use Users' personal data for their own purposes and we only allow them to process them for specified purposes and in accordance with our instructions.

  4. Due to the fact that we use services of other providers, e.g. in the area of IT support, your personal data may be transferred outside the EEA. In addition, your personal data are transferred outside the EEA if you place an order with delivery to a country that is not a member of the European Economic Area. In such cases we ensure a similar degree of protection by ensuring at least one of the following safeguards:

  • transfer of personal data to countries recognized by the European Commission as providing adequate protection of personal data,

  • use of data protection clauses adopted by the European Commission, guaranteeing the same protection as in the European Union.


§ 6. Data security

  1. The Seller processes the Customer's personal data in accordance with all data security principles required by law. We have introduced necessary security measures to protect your data against accidental loss, unauthorized access, use, alteration or disclosure. We limit access to your data to employees, agents, service providers and other third parties for whom such access is necessary for our business. They will process your personal data only in accordance with the Seller's instructions and are obliged to keep them confidential.

  2. The Seller has adopted appropriate procedures to handle any suspected data breach. We will notify you and the relevant supervisory authority of a breach where we are legally required to do so.


§ 7. Data retention period

  1. Your personal data will be stored for no longer than necessary to fulfill the purpose for which they were collected (i.e. the time necessary to execute an order, maintain a Customer account), unless a longer period results from the need to comply with our legal, accounting or reporting obligations and for the period necessary to pursue claims resulting from the Civil Code. 

  2. Personal data processed for accounting and tax purposes are processed for 5 years counted from the end of the calendar year in which the tax obligation arose. 

  3. In certain circumstances you may request the deletion of your personal data in accordance with § 8.

  4. In certain circumstances we may anonymize your personal data (ensuring irreversible inability to identify the individual) for research and statistical purposes, in which case we may use this information indefinitely without further notice to you.


§ 8. Customers' rights related to personal data protection. Complaint to the supervisory authority

  1. In certain situations the Customer has the right to request the Seller to access, rectify, change, restrict or erase their personal data administered by the Seller and the right to object to the processing of their personal data by the Seller. To do so, please send an email to: karol@surfinc.co

  2. Please note that we will not always be able to comply with your request to delete personal data, in particular due to specific legal obligations or the pursuit of claims. In such cases, you will be informed after submitting such a request. If you wish to obtain more information about the specific rights set out in this section, please contact us using the Seller's contact details.

  3. The Customer has the right, at any time, to withdraw consent to the processing of personal data by sending an email to karol@surfinc.co or by clicking the deactivation link sent each time in a Newsletter or other marketing message. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. This means that withdrawal affects the future, not the processing of data that took place in the past between granting and withdrawing consent.

  4. The Customer has the right to request the Seller to transfer their personal data administered by the Seller to another controller, provided that technical and organizational requirements allow such transfer. 

  5. The Seller shall, without undue delay – in any event within one month of receipt of the request – inform the Customer who has made one of the requests listed in this section about actions taken, or about any extension of the deadline due to the nature of the request or the number of requests, or about the reasons for not taking action and about the possibility of lodging a complaint with a supervisory authority and seeking judicial remedy. 

  6. Exercising the rights presented above is free of charge; however, the Seller may charge the Customer a reasonable fee if the request or requests are manifestly unfounded, repetitive or excessive. In such cases we may also refuse to comply with the request.

  7. To fulfill individual requests, the Seller may request specific information from the Customer in order to verify their identity and ensure the exercise of their rights. This is a security measure to ensure that personal data are not disclosed to unauthorized persons.

  8. A Customer whose personal data are administered by the Seller has the right to lodge a complaint with a supervisory authority, in particular in the Member State:

a. of their habitual residence,

b. of their place of work, or

c. of the place of the alleged infringement,

if they consider that the processing of personal data concerning them infringes the GDPR. The complaint may be sent by post to the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw or by email to kancelaria@uodo.gov.pl.

§ 9. Seller's liability and complaints

  1. The Seller, acting with due diligence, ensures the correct functioning of the Website, however it does not bear responsibility for technical limitations in using the Website resulting from the technical condition of the User's Equipment and resulting from data transmission failures (Internet connection) used by the User.

  2. The Seller asks to report any irregularities related to the operation of the Website to the following email address: karol@surfinc.co

  3. The Seller considers complaints referred to in the preceding paragraph within 7 days from the date of submission, informing the User about acceptance or rejection of the complaint and always providing the reasons for the decision.

  4. The User is also entitled to use out-of-court methods of handling complaints. In the event of a dispute involving a Consumer, its out-of-court resolution may also be provided by the ODR online platform available at: http://ec.europa.eu/consumers/odr/


§ 10. Final provisions, changes to the Privacy Policy, notification of changes 

  1. The Seller reserves the right to change this Privacy Policy, which change takes effect upon publication of the new Privacy Policy on the Online Store website. Any material changes to this Policy will be communicated by an appropriate notice on the Online Store website.

  2. The Seller's contact details are indicated in point 2 of the Glossary of this Privacy Policy.

  3. For any matters related to processing of your personal data by the Seller, please contact us at karol@surfinc.co or at the phone number indicated on the Website in the “Contact us” tab.