Privacy Policy
Fluffo sp. z o.o.
Poprzeczna 15A, Wierzbin, 05-083 Stare Babice, Poland
KRS: 0001038195 | NIP: 1182262656 | REGON: 525395236
Last updated: February 2026
PRIVACY POLICY
and information on personal data processing (GDPR)
1. Data controller
The controller of your personal data is:
Fluffo spółka z ograniczoną odpowiedzialnością (Fluffo Ltd.)
ul. Poprzeczna 15A, Wierzbin, 05-083 Stare Babice, Poland
KRS: 0001038195 | NIP (VAT): 1182262656 | REGON: 525395236
Email: fluffo@fluffo.pl
Tel.: +48 502 552 392
Website: www.fluffo.pl
2. Contact for data protection matters
Fluffo sp. z o.o. has not appointed a Data Protection Officer. The obligation to do so does not arise from the GDPR in relation to the processing activities carried out by the Controller.
For all matters relating to the processing of personal data and the exercise of your rights, please contact the Controller directly:
Email: fluffo@fluffo.pl
Tel.: +48 502 552 392 (Mon–Fri, 8:00 AM – 4:00 PM CET)
Postal address: Fluffo sp. z o.o., ul. Poprzeczna 15A, Wierzbin, 05-083 Stare Babice, Poland
3. Purposes and legal bases for processing
3.1. Contact form, email and telephone enquiries
Personal data submitted through the contact form at www.fluffo.pl, by email or by telephone is processed for the purposes of:
- responding to your questions and messages,
- preparing a price quotation or panel composition project.
Legal basis: Art. 6(1)(f) GDPR – legitimate interests of the controller in communicating with persons interested in Fluffo’s offer. Where the telephone conversation relates to steps taken prior to entering into a contract, the legal basis may also be Art. 6(1)(b) GDPR. You have the right to object to this processing (see section 8).
Retention period: data is retained for the period necessary to handle the enquiry and until the expiry of any potential claims (generally 3 years from the date of enquiry).
3.2. Sales contract conclusion and performance
Personal data collected during the conclusion and performance of a sales contract (order for panel production) is processed for the purposes of:
- concluding and performing the contract, including order fulfilment and post-contract settlement – legal basis: Art. 6(1)(b) GDPR,
- fulfilling legal obligations, including issuing and retaining invoices and accounting documents, handling complaints – legal basis: Art. 6(1)(c) GDPR,
- establishing, defending and asserting claims – legal basis: Art. 6(1)(f) GDPR.
Retention periods:
- contract performance data – for the duration of the contract and after its termination for the limitation period (up to 6 years),
- tax and accounting data – for 5 years from the end of the tax year to which they relate,
- claims data – for the period during which claims may be brought or defended.
3.3. Direct marketing
Where you have given separate, voluntary consent, your personal data (email address and/or phone number) will be processed for the purposes of:
- sending commercial and marketing communications by electronic means (email), including information about Fluffo’s new products, promotions and projects – legal basis: Art. 6(1)(a) GDPR,
- conducting remarketing campaigns via Google and Meta (Facebook/Instagram) platforms – legal basis: Art. 6(1)(a) GDPR.
Retention period: data is processed until consent is withdrawn. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
Fluffo sp. z o.o. reserves the right to introduce in the future a newsletter service or automated email notifications (e.g. information about new products, promotions or events). Any such service will be launched only after obtaining a separate, voluntary consent from interested individuals, in accordance with the requirements of the Polish Act on the Provision of Electronic Services and Art. 6(1)(a) GDPR. This Privacy Policy will be updated accordingly prior to the launch of any such service.
3.4. Bank transfer data
Upon payment by bank transfer, we receive information about the payer’s bank account number and financial institution. This data is processed solely to verify the correctness of payment and, where applicable, to process a refund – legal basis: Art. 6(1)(b) and (f) GDPR.
4. Cookies and analytics/marketing tools
4.1. What are cookies
Cookies are small text files stored on your device by your web browser when you visit www.fluffo.pl. While they do not contain personal data in the traditional sense, they may be linked to a specific user via device identifiers or social media accounts, making them personal data within the meaning of the GDPR.
4.2. Categories of cookies used
The website www.fluffo.pl uses four categories of cookies, corresponding to the options available in the consent management banner:
a) Essential (always active)
Cookies required for the safe and proper functioning of the website. These do not require user consent and cannot be disabled. They include anonymous data (browser name and version) and pseudonymised data (session authorisation key).
b) Personalisation
Upon consent, we save browsing preferences and create a user profile in order to deliver personalised content. This includes anonymous data (device type, model and operating system), pseudonymised data (browsing preferences on the website) and personal data (IP address and location).
Activated only upon consent.
c) Optimisation – Google Analytics
Upon consent, we monitor user behaviour in order to analyse and improve the website. We use Google Analytics (Google LLC) for this purpose. This includes anonymous data (URL of previously visited website – HTTP referrer), pseudonymised data (activity identifiers on the website) and personal data (browsing, search or order history on the website).
Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Transfer to the USA: on the basis of the EU-US Data Privacy Framework (DPF). Google LLC is a certified DPF participant.
Google Privacy Policy: https://policies.google.com/privacy
Activated only upon consent.
d) Advertising – Google Ads and Meta Ads
Upon consent, we enable our advertising partners (Google LLC and Meta Platforms Ireland Ltd) to access data in order to build user profiles across multiple websites for the purpose of displaying personalised Fluffo advertisements (remarketing). This includes anonymous data (referral link addresses from partners), pseudonymised data (tracking and profiling identifiers) and personal data (age, gender, demographic information).
Google Ads:
Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Transfer to the USA: on the basis of the EU-US Data Privacy Framework (DPF).
Google Privacy Policy: https://policies.google.com/privacy
Meta Ads (Facebook/Instagram):
Provider: Meta Platforms Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland (for EEA users).
Transfer to the USA: Meta Inc. is a certified participant in the EU-US Data Privacy Framework.
Meta Privacy Policy: https://www.facebook.com/privacy/policy
Activated only upon consent.
4.3. Managing cookie consent
Upon your first visit to www.fluffo.pl, a cookie consent management banner is displayed. You may:
- accept all cookie categories,
- select individual categories (analytical, advertising, social media),
- reject all non-essential cookies by selecting the “Private” mode.
Consent can be withdrawn or changed at any time by clicking the “Privacy Settings” link in the website footer. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
4.4. Google Search Console
We use Google Search Console solely to monitor the visibility of our website in Google search results. This tool operates server-side and does not install cookies on users’ devices.
5. Recipients of personal data
Your personal data may be shared with the following categories of recipients:
- IT service providers, hosting and website maintenance providers,
- accounting and tax firms engaged by Fluffo,
- law firms (to the extent necessary for legal services),
- courier and postal companies (for delivery purposes),
- financial institutions (banks) for payment processing or refunds,
- Google LLC – in connection with Google Analytics and Google Ads services (see section 4),
- Meta Platforms Ireland Ltd – in connection with Meta Ads services (see section 4),
- public authorities or courts – where disclosure is required by applicable law.
Your personal data is not transferred outside the European Economic Area (EEA), with the exception of transfers to Google LLC and Meta Inc. in the USA – carried out exclusively on the basis of the EU-US Data Privacy Framework, which ensures an adequate level of protection.
6. Data required to enter into a contract
To conclude and perform a sales contract for Fluffo panels, we require the following data:
Private individual:
first and last name, residential address, email address, phone number, delivery address.
Company / business entity:
company name, registered address, VAT number (NIP), contact person’s name, email address, phone number, delivery address.
Providing the above data is voluntary but necessary to conclude and perform the contract. Failure to provide this data will make it impossible to process your order.
7. Automated processing and profiling
Fluffo sp. z o.o. does not engage in automated decision-making within the meaning of Art. 22 GDPR that would produce legal effects or similarly significantly affect your situation.
Profiling for marketing (remarketing) purposes takes place exclusively through the Google and Meta platforms – only after you have given consent to remarketing cookies (see section 4). Fluffo does not build its own behavioural profiles of users.
8. Your rights in relation to personal data processing
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR) – the right to obtain information about the personal data we process about you and to receive a copy thereof.
- Right to rectification (Art. 16 GDPR) – the right to request the correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR) – the right to request deletion of your data when it is no longer necessary for the purposes for which it was collected, or when consent has been withdrawn.
- Right to restriction of processing (Art. 18 GDPR) – the right to request restriction of processing in certain circumstances.
- Right to data portability (Art. 20 GDPR) – where processing is based on consent or contract and is carried out by automated means, you have the right to receive your data in a structured, commonly used format and to transmit it to another controller.
- Right to object (Art. 21 GDPR) – you have the right to object at any time to the processing of your data based on the legitimate interests of the controller (Art. 6(1)(f) GDPR), including direct marketing. Where you object to direct marketing, we will cease processing your data for that purpose without delay.
- Right to withdraw consent (Art. 7(3) GDPR) – where processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Right to lodge a complaint (Art. 77 GDPR) – you have the right to lodge a complaint with the President of the Polish Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, email: kancelaria@uodo.gov.pl, or with the supervisory authority in the EU Member State of your habitual residence, place of work or place of the alleged infringement.
8.1. How to exercise your rights
To exercise any of the above rights, please contact us:
- by email: fluffo@fluffo.pl (or via the DPO contact, if applicable),
- in writing: ul. Poprzeczna 15A, Wierzbin, 05-083 Stare Babice, Poland,
- by phone: +48 502 552 392 (Mon–Fri, 8:00 AM – 4:00 PM CET).
We will respond to your request without undue delay and no later than one month from receipt. In exceptional cases this period may be extended by a further two months, of which we will inform you with reasons. To verify your identity, we may request additional information.
9. Hosting – data processor
The website www.fluffo.pl is hosted (technically maintained) on servers provided by:
ADMIN.NET.PL Tomasz Rzepka Arkadiusz Nowara S.C.
ul. Bitwy pod Monte Cassino 5/198, 33-100 Tarnow, Poland
NIP (Tax ID): 8733250257 | REGON: 122662465
Website: www.mydevil.net | Email: admin@mydevil.net
The servers are physically located in Poland (ATMAN data centre, Warsaw), meaning that data stored in connection with the website does not leave the territory of the Republic of Poland or the European Economic Area.
The hosting company applies the following data protection measures, among others: daily backups retained for 14 days (local and remote copies in an independent location), the ZFS file system ensuring data integrity, SSL/TLS encrypted connections, user account isolation, and physical security of the data centre.
Fluffo sp. z o.o. has entered into a data processing agreement with the hosting provider as referred to in Art. 28 GDPR.
Further information about the data protection practices of the hosting provider is available at: https://www.mydevil.net/regulaminy-i-dokumenty
10. Data security
We implement appropriate technical and organisational measures to ensure the security of your personal data, including:
- storage of data on secured servers with access controls,
- SSL/TLS encryption for all connections on www.fluffo.pl,
- pseudonymisation and data minimisation procedures where applicable,
- regular security reviews and IT system updates,
- access to personal data restricted to authorised Fluffo employees and collaborators only.
11. Changes to this Privacy Policy
This Privacy Policy may be updated in response to changes in applicable law, guidance from supervisory authorities, or changes in our business activities. We will notify you of material changes by publishing the updated version at www.fluffo.pl with the date of update. We recommend reviewing this document periodically.
Last updated: February 2026