1. Information About the Data Controller

This Privacy Policy explains how PolandExportFlow Konrad Lesiak (“PolandExportFlow”, “we”, “us”) collects, uses, and protects personal data when you use our website, create an account, contact us, or use our logistics and forwarding services. We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Polish data protection laws.

Company: PolandExportFlow Konrad Lesiak
Registered Address: ul. Przyjaciół 3, 42-400 in Poland
VAT ID: PL6492338422
REGON: 543021906
EORI: PL649233842200000

Email: [email protected]
Phone: +48 784 317 005

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Polish data protection laws.

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us using the details provided above.

2. Who This Policy Applies To

This Privacy Policy sets out the principles for the processing of personal data of all individuals interacting with PolandExportFlow, including:

• Website Users: Anyone visiting polandexportflow.com or using our platform’s features without an account.
• Account Holders: Individuals and entities who have registered an account to manage their shipments and orders.
• B2C & B2B Clients: Individuals and business entities using our logistics, assisted purchase, and relocation services.
• Third-Party Recipients: Individuals whose delivery data (name, address, phone) is provided to us by the Client to execute international shipping.
• Sellers & Manufacturers: Private individuals or business representatives whom we contact on behalf of the Client to coordinate pickups or verify goods.

By using our services, you acknowledge that you have read and understood how we process data for these specific groups.

3. What Personal Data We Collect

We collect only the personal data strictly necessary to provide our services, ensure the security of our infrastructure, and comply with international trade laws.

3.1 Account & Contact Data

• Email Address: The sole identifier used for account creation, system notifications, and service-related communication.
• Authentication Data: Securely encrypted (hashed) passwords used to protect your account.

3.2 Google Authentication Data

If you choose "Login with Google", we receive specific identifiers from Google to facilitate account access:

• Unique Google user identifier (UID).
• Email address associated with the Google account.
• Public profile name and avatar.

3.3 Shipping & Recipient Data (Third-Party Data)

As a forwarding service, we process data of third-party recipients provided by the Client:

• Full name of the recipient.
• Complete delivery address (street, postal code, city, country).
• Recipient contact details (phone and/or email).
• Customs Details: Product descriptions, declared values, and purchase links for customs clearance.

CRITICAL: By providing third-party recipient data, the Client confirms they have the legal right to share such data with PolandExportFlow for service execution.',

3.4 Service & Operational Data

• Documentation: Photo and video records of items received at our warehouse (Real-Item Verification).
• Logistics Info: Shipping labels, tracking numbers, and consolidation details.
• History: Service quotations, invoices, and communication history.

3.5 Secure Financial Data

• No Storage of Cards: We DO NOT store payment card numbers. All payments are processed via Stripe, PayPal, or Revolut.
• Received Info: We only receive payment confirmations, transaction IDs, and billing details required by law.

3.6 Technical & Security Logs

• IP addresses and device fingerprints (processed via Cloudflare for DDoS and fraud protection).
• Timestamps, system logs, and approximate location data.
• Usage behavior collected via Google Analytics, Facebook Pixel, and Microsoft Clarity.

4. Purposes and Legal Bases for Processing

4.1 Performance of a Contract - Article 6(1)(b) GDPR

Personal data is processed to provide our core services, including:

• parcel forwarding and international shipping,
• receiving, consolidation, and secure repackaging of goods in our warehouse,
• assisted purchases performed as an agent on behalf of the Client,
• pickup services from sellers, manufacturers, or private individuals,
• business logistics support, including office relocations and bulk shipments,
• coordination of courier shipments via our logistics partners,
• customer support and order-related communication.

4.2 Legal Obligations - Article 6(1)(c) GDPR

• compliance with accounting and tax laws, including VAT invoicing and financial reporting,
• meeting regulatory obligations under Polish and EU trade and customs law.

4.3 Legitimate Interests - Article 6(1)(f) GDPR

We may process data based on our legitimate interests to:

• prevent fraud, abuse, and ensure transaction security,
• secure our physical warehouse and IT systems,
• handle complaints, disputes, and insurance claims with carriers,
• pursue or defend against legal claims,
• improve service quality and operational efficiency.

4.4 Consent - Article 6(1)(a) GDPR

Consent is used where required by law, primarily for the use of non-essential analytics and marketing cookies.

5. Sharing Personal Data

To fulfill our logistics and intermediary obligations, we share necessary personal data with specialized third-party providers. We adhere to the principle of data minimization-sharing only what is essential for the specific service.

• Logistics & Courier Partners: We share recipient details (name, address, phone) with carriers to execute delivery. This includes DHL, FedEx, UPS, DPD, GLS, InPost (Paczkomaty), Orlen Paczka, and Poczta Polska.
• Payment Processors: To handle secure transactions, data is processed by Stripe (Visa/Mastercard/Apple Pay), PayPal, and Revolut. We do not store full payment card details on our servers.
• Infrastructure & Security: Our platform operates using Hostinger (VPS hosting), Supabase (database management), and Cloudflare (DDoS protection and traffic optimization).
• Analytics & Optimization: We use tools to monitor site performance and marketing effectiveness, including Google Analytics, Google Ads, Meta (Facebook Pixel), and Microsoft Clarity.
• Legal & Regulatory Authorities: Data may be disclosed to legal advisors, insurers (for claims handling), or law enforcement if required by Polish or EU law.

6. International Data Transfers

Where data is transferred outside the European Economic Area (e.g., to the USA via Google or Stripe), appropriate safeguards such as Standard Contractual Clauses (SCC) or the Data Privacy Framework (DPF) are applied in accordance with GDPR.

7. Automated Decision Making & Fraud Prevention

To maintain the highest level of security and protect our platform from financial crime, we utilize automated processing for risk assessment.

• Risk Profiling: Our payment processors (Stripe, PayPal) analyze transactions in real-time based on IP location, card issuing country, proxy usage, and transaction history.
• Automatic Rejection: Transactions flagged as "High Risk" or suspicious may be automatically declined to prevent credit card fraud and unauthorized use.
• Consequences: An automated rejection means the service will not be initiated and funds will be returned or blocked according to the processor’s policy.
• Right to Human Intervention: If your transaction was rejected and you believe it was an error, you have the right to request a manual review by contacting us at [email protected].

8. Warehouse Processing & Visual Verification

To ensure the security of your goods and transparency of the process, we perform "Real-Item Verification" for incoming parcels. Our processing standards are as follows:

• Visual Inspection: Inspections are strictly visual and external. We check for obvious transport damage and verify that the items match the general description provided by the Client.
• No Technical Testing: We perform no technical, functional, or internal testing of electronics or machinery (e.g., turning on devices) unless a separate specialized service is explicitly agreed upon in writing.
• Authenticity Disclaimer: PolandExportFlow does not verify the authenticity of branded products or luxury goods. Verification of originality remains the sole responsibility of the Client.
• Documentation Value: All photo and video documentation is informational only and does not constitute a warranty or guarantee regarding the item’s hidden condition or longevity.
• Privacy on Labels: Documentation may capture personal data visible on shipping labels (names, addresses). This data is used strictly for service execution, insurance claims, and dispute resolution with sellers or carriers.
• Reporting Discrepancies: If we detect significant damage or a mismatch during verification, we will notify the Client before proceeding with the export.

9. Data Retention

We do not store your data longer than necessary. Retention periods are strictly defined:

• Tax & Financial Records: Stored for 5 years from the end of the fiscal year (strictly required by Polish tax law for invoices and transaction history).
• Operational Evidence (Photos/Logs): Photos of parcels, detailed scanning logs, and warehouse records are retained for 6 months (180 days). This covers the maximum window for payment chargebacks (e.g., PayPal disputes).
• Active Account Data: Retained for the duration of the service agreement. If an account remains inactive for 3 years, personal data will be permanently deleted or anonymized.
• Marketing Data: Processed only until you withdraw your consent or object to the processing.

10. Data Security

We apply appropriate technical measures including SSL/TLS encryption, database security (RLS), and access controls. Absolute security cannot be guaranteed, but industry-standard safeguards are used.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies strictly based on your consent. By default, only essential cookies (Security, Authentication) are active. Analytics and Marketing cookies remain blocked until you explicitly click "Accept" in our Consent Banner.

11.1 Types of Cookies We Use

• Strictly Necessary (Essential): These are required for the website to function securely and cannot be switched off. They include:
  • Security: Cloudflare (DDoS protection, bot detection).
  • Authentication: Supabase Auth (keeping you logged in securely).
  • Payments: Stripe/PayPal (fraud detection and secure checkout).
  • Consent Preferences: A cookie (zaraz-consent) to remember your privacy choices so the banner doesn't reappear.
• Analytical & Performance (Optional): Activated only after your consent. We use:
  • Google Analytics 4: To analyze user behavior and site performance (IP anonymization enabled).
  • Microsoft Clarity: To visualize how users navigate the site (heatmaps).
• Marketing & Targeting (Optional): Set by our advertising partners (e.g., Meta/Facebook Pixel, Google Ads). Used to build a profile of your interests and show relevant ads. Activated only after consent.

11.2 Managing Your Preferences

12. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

• Right to Access: You can request a copy of the personal data we hold about you to verify how we process it.
• Right to Rectification: You can ask us to correct inaccurate or incomplete data (e.g., change of address).
• Right to Erasure ("Right to be Forgotten"): You can request the deletion of your data when it is no longer necessary for the purposes for which it was collected (subject to legal retention obligations like tax laws).
• Right to Restriction & Objection: You can object to the processing of your data for specific purposes (e.g., direct marketing) or ask us to restrict processing in contested legal scenarios.
• Data Portability: You have the right to receive your data in a structured, commonly used, and machine-readable format (JSON/CSV) to transfer it to another provider.
• Withdraw Consent: Where processing is based on consent (e.g., marketing cookies), you may withdraw it at any time without affecting the lawfulness of processing before its withdrawal.

How to exercise these rights:

Requests should be sent to: [email protected]. We aim to respond to all legitimate requests within 30 days.

You also have the right to lodge a complaint with the supervisory authority: President of the Personal Data Protection Office (UODO) in Poland (ul. Stawki 2, 00-193 Warsaw).

13. Marketing Communications

Service-related emails (order status, invoices) are mandatory for execution. Marketing communications, if any, are optional and may be opted out of at any time.

14. Third-Party Links

We are not responsible for the privacy practices of third-party websites linked from our platform.

15. Age Requirement

Our services are intended for users aged 18 years or older.

16. Changes to This Policy

This Privacy Policy may be updated periodically. The latest version will always be published on our website.

Last updated: January 1, 2026