Privacy Policy
Last updated: 20 May 2026
This Privacy Policy explains how we collect, use and protect your personal data when you visit merchrepublic.eu or place an order with us. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and Polish data protection law.
1. Who We Are
Data controller: Kostiuk Sp. z o.o. ("Merch Republic")
Address: Rybnicka 14, Gdynia 81-550, Poland
Email: hello@merchrepublic.eu
2. What Data We Collect
- Contact details: name, company name, email, phone number
- Order details: billing and shipping address, products ordered, order history
- Payment details: we do not store full card numbers — payments are processed by Stripe, PayU/Przelewy24 or via bank transfer
- Communications: messages you send through forms, email or chat
- Technical data: IP address, browser type, pages visited (via cookies — see Cookie Policy)
3. Why We Process Your Data and Legal Basis
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Process and deliver your orders | Performance of a contract (Art. 6(1)(b)) |
| Send transactional emails (order confirmation, shipping updates) | Performance of a contract (Art. 6(1)(b)) |
| Respond to your enquiries and quote requests | Legitimate interest / pre-contract steps (Art. 6(1)(b), (f)) |
| Accounting, invoicing and tax compliance | Legal obligation (Art. 6(1)(c)) |
| Website analytics (Google Analytics) | Your consent (Art. 6(1)(a)) |
| Fraud prevention and site security | Legitimate interest (Art. 6(1)(f)) |
We do not send marketing newsletters. Emails you receive from us are transactional (related to your orders or enquiries).
4. How Long We Keep Your Data
- Order and accounting records: 5 years from the end of the fiscal year (required by Polish accounting and tax law)
- Contract-related correspondence: for the duration of the contract plus 3 years
- Quote enquiries that did not result in an order: up to 12 months
- Analytics data: as configured in Google Analytics (up to 14 months)
5. Who We Share Your Data With
We share personal data only with processors strictly necessary to deliver our service:
- Payment providers: Stripe, PayU / Przelewy24 (for payments and payment links), banks (for bank transfers)
- Shipping carriers: DPD, UPS, DHL, GLS, InPost and national postal services — they receive name, shipping address and phone for delivery
- Email infrastructure: our SMTP provider, for sending transactional emails
- Analytics: Google (Google Analytics)
- Hosting: our cloud hosting provider
- Public authorities: only when required by law (tax authority, court order)
We do not sell or rent your personal data to third parties.
6. International Data Transfers
Some of our processors (notably Stripe and Google) may transfer data outside the European Economic Area (EEA), primarily to the United States. Such transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) and additional safeguards.
7. Your Rights Under GDPR
You have the right to:
- Access your data and receive a copy
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten"), subject to legal retention obligations
- Restrict processing of your data
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on our legitimate interest
- Withdraw consent at any time, where processing is based on consent
To exercise any of these rights, email us at hello@merchrepublic.eu. We will respond within 30 days.
8. Right to Lodge a Complaint
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Polish supervisory authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Website: uodo.gov.pl
9. Cookies
We use cookies and similar technologies. See our Cookie Policy for full details.
10. Security
We apply appropriate technical and organisational measures to protect your data, including encryption in transit (HTTPS), access controls and regular security reviews. No system is 100% secure, but we take reasonable steps to safeguard your data.
11. Changes to This Policy
We may update this policy. Material changes will be communicated via our website. The "Last updated" date above reflects the latest revision.
12. Contact
For privacy questions or to exercise your rights:
Email: hello@merchrepublic.eu
Address: Kostiuk Sp. z o.o., Rybnicka 14, Gdynia 81-550, Poland