Privacy policy
Last updated: June 25, 2025
1. Data Controller Information
The controller of your personal data is:
NMM Sp. z o.o.
ul. Bocheńska 3/17
31-061 Kraków, Poland
KRS: 0000982292
NIP: 6762621979
REGON: 522588905
Operating the store and website under the name "Medpak" (hereinafter "we", "us", "our").
Contact for data protection matters: info@medpak.shop
2. Personal Information We Collect
When we use the term "personal information," we are referring to information that identifies or can reasonably be linked to you. Depending on how you interact with our Services, we may collect the following categories of personal information:
Categories of Personal Data:
- Contact details: name, address, billing address, shipping address, phone number, email address
- Financial information: credit card, debit card, and financial account numbers, payment card information, transaction details
- Account information: username, password, security questions, preferences and settings
- Transaction information: items you view, put in your cart, add to your wishlist, purchase, return, exchange or cancel
- Communications: information you include when contacting us
- Device information: device type, browser, network connection, IP address, unique identifiers
- Usage information: how and when you interact with our Services
- Information required for invoices: company name, tax identification number (NIP), company address
3. Legal Basis and Purposes of Processing
We process your personal data based on the following legal grounds:
| Purpose | Legal Basis | Details |
|---|---|---|
| Provide Services & Process Orders | Art. 6(1)(b) GDPR - Contract performance | Processing payments, fulfilling orders, maintaining accounts, arranging shipping, facilitating returns |
| Marketing & Advertising | Art. 6(1)(f) GDPR - Legitimate interests | Sending promotional communications, showing targeted advertisements |
| Newsletter | Art. 6(1)(a) GDPR - Consent | Sending marketing emails upon subscription |
| Security & Fraud Prevention | Art. 6(1)(f) GDPR - Legitimate interests | Detecting fraudulent activity, securing services |
| Legal Obligations | Art. 6(1)(c) GDPR - Legal obligation | Tax reporting, accounting requirements, responding to legal requests |
| Customer Support | Art. 6(1)(b) GDPR - Contract performance | Responding to inquiries, providing assistance |
| Analytics | Art. 6(1)(f) GDPR - Legitimate interests | Improving services through anonymous data analysis |
4. Data Retention Periods
We retain your personal data for the following periods:
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| Order data | Duration of contract performance + warranty/complaint period |
| Incomplete orders | 6 months from cart abandonment |
| Tax/accounting documents | 5 years from the end of the fiscal year |
| Newsletter data | Until consent withdrawal |
| Marketing data | Until consent withdrawal or successful objection |
| Customer service | Until matter resolution |
| Claims/disputes | Until statute of limitations expires |
| Security logs | As long as necessary for security purposes |
5. Required vs Optional Data
Required data for order processing:
- Name and surname
- Delivery address
- Email address
- Phone number (for delivery purposes)
Optional data:
- Account creation
- Company details (for invoices)
- Marketing preferences
Failure to provide required data will prevent us from processing your order.
6. Recipients of Personal Data
We may share your personal data with:
-
Shopify International Limited (Ireland) - our e-commerce platform provider for EMEA region
- Acts as the primary GDPR entity
- May share data with Shopify Inc. (Canada) and selected sub-processors
-
Service providers:
- Payment processors
- Delivery companies (for physical products)
- IT service providers
- Cloud storage providers
- Customer support tools
- Accounting services
-
Analytics and marketing partners:
- Google (Analytics, Ads, Tag Manager)
- Meta/Facebook (Pixel, Custom Audiences)
- Microsoft (Clarity)
- Omnisend (email marketing)
- Trustpilot (reviews)
- Legal authorities when required by law
- Business partners for joint marketing (with your consent)
7. Data Storage Location and International Transfers
Primary Data Storage
Your personal data is stored within the European Union. Shopify, our e-commerce platform provider, stores data in the following locations:
- Primary storage: European Union (EEA, United Kingdom, and/or Switzerland)
- Infrastructure: Google Cloud Platform with dynamic load balancing across multiple regions for reliability and scalability
As a European merchant, our store data, order data, and customer personal data are stored by default in Europe. Shopify may dynamically balance storage across European regions to ensure reliable and scalable infrastructure that can handle varying traffic volumes.
International Data Transfers
While your data is primarily stored in Europe, certain processing activities may involve transfers outside the EEA to:
- Canada - Shopify Inc. (parent company) - covered by EU adequacy decision
-
United States - for services like:
- Google Analytics, Google Ads, Google Tag Manager
- Facebook/Meta services (Pixel, Custom Audiences)
- Microsoft Clarity
- Omnisend (email marketing)
Safeguards for International Transfers
We ensure appropriate protection through:
- EU Adequacy Decisions (for Canada)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Shopify's comprehensive Data Processing Agreements (DPAs)
- Technical and organizational measures by all service providers
Shopify International Limited (Ireland) acts as the primary GDPR entity and has applied for Binding Corporate Rules with the Irish Data Protection Commission for additional safeguards.
8. Your Rights
Under GDPR, you have the following rights:
- Right to access - obtain confirmation and copies of your personal data
- Right to rectification - correct inaccurate personal data
- Right to erasure ("right to be forgotten") - request deletion of your data
- Right to restriction - limit processing in certain circumstances
- Right to data portability - receive your data in a structured format
- Right to object - object to processing based on legitimate interests
- Right to withdraw consent - where processing is based on consent
-
Right to lodge a complaint - with the Polish Data Protection Authority (PUODO): Prezes Urzędu Ochrony Danych Osobowych
ul. Stawki 2
00-193 Warsaw, Poland
How to Exercise Your Rights
Contact us at: info@medpak.shop
We will respond within one month of receipt. We may request identity verification before processing your request.
For Shopify-processed data, you may also exercise rights at: https://privacy.shopify.com/en
9. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. While we may use analytics to improve our services and target advertising, these activities do not involve automated decisions about individuals.
10. Cookies and Tracking Technologies
Tools We Use:
| Tool | Purpose | Provider |
|---|---|---|
| Google Analytics | Website statistics and behavior analysis | Google LLC (USA) |
| Google Tag Manager | Managing website tags and scripts | Google LLC (USA) |
| Facebook Pixel | Advertising and remarketing | Meta Platforms Inc. (USA) |
| Microsoft Clarity | User experience analysis | Microsoft Corp. (USA) |
| Omnisend | Email marketing and analytics | Omnisend (USA) |
| Trustpilot | Customer reviews and ratings | Trustpilot (Denmark) |
Cookie Management
You can manage cookies through:
- Browser settings
- Our cookie consent banner (on first visit)
- Global Privacy Control signals (where supported)
Note: Disabling cookies may affect website functionality.
11. Children's Data
Our Services are not intended for children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
12. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of sensitive data
- Regular security assessments
- Access controls and authentication
- Staff training on data protection
However, no security measure is perfect. We cannot guarantee absolute security.
13. Links to Third-Party Sites
Our Services may contain links to third-party websites. We are not responsible for their privacy practices. Please review their privacy policies before providing personal data.
14. Updates to This Policy
We may update this Privacy Policy periodically. We will notify registered users and newsletter subscribers of material changes. The "Last updated" date shows when changes were last made.
15. Contact Information
For privacy-related questions or to exercise your rights:
Email: info@medpak.shop
Address: NMM Sp. z o.o., ul. Bocheńska 3/17, 31-061 Kraków, Poland
Appendix: Detailed Processing Activities
For transparency, here are additional details about specific processing activities:
Abandoned Cart Recovery: If you start but don't complete an order, we may send reminder emails (legal basis: Art. 6(1)(b) GDPR - steps prior to contract).
Product Reviews: When you submit a review, we process your name and email (legal basis: Art. 6(1)(b) GDPR - service provision).
Contest Participation: For contests, we process data according to specific contest rules (legal basis: Art. 6(1)(b) GDPR - contest terms).
B2B Partners: For business partners, we process company data and contact persons' information (legal basis: Art. 6(1)(b) GDPR - business relationship).