Personal data & GDPR

Privacy policy.

How we handle your personal data when you shop on back2theroots.pl, write to us, or browse the site. Written to be readable, with the legal references kept where they belong.

Last updated: 2026-05-12
Last reviewed: 2026-05-12

1. Controller

The controller of your personal data is Kuba Lizakowski, sole proprietor trading as "shaggzclothing" (Back 2 The Roots), with registered address at Św. Ducha 63/65 mieszkanie 11, 80-834 Gdańsk, Polska, NIP 5833513631, REGON 529121228. You can reach us at b2trshots@gmail.com or +48 662 977 217.

We have not appointed a Data Protection Officer; our scale of processing does not require one under Art. 37 GDPR. The contact above is the data-subject point of contact.

2. What data we collect, why, and on what basis

| Purpose | Data | Legal basis (GDPR) | Retention |
| --- | --- | --- | --- |
| Conclude and perform the sales contract (orders, delivery, payments, after-sales service) | Name, surname, delivery address, email, phone number, order details, payment confirmation | Art. 6(1)(b) — contract | Until contract performance + statute of limitations on claims (default 6 years, Art. 118 Civil Code) |
| Issue invoices and meet tax/accounting obligations | Invoice data (name, address, NIP if requested), transaction data | Art. 6(1)(c) — legal obligation (Ordynacja podatkowa, Ustawa o rachunkowości) | 5 years from the end of the calendar year in which the tax obligation arose |
| Handle complaints, conformity claims, and withdrawals | Order details, correspondence, return/refund data | Art. 6(1)(b) and Art. 6(1)(c) | Until claim is settled + statute of limitations |
| Customer-account services (if you create an account) | Email, hashed password, order history, addresses | Art. 6(1)(b) — contract for account services | Until you delete the account or request deletion |
| Newsletter and marketing emails | Email, optional first name, engagement metrics | Art. 6(1)(a) — consent (and Art. 10 ŚwiadczUsługDrogąElektroniczną; Art. 172 PKE) | Until you withdraw consent / unsubscribe |
| Analytics and advertising (if you accept those cookies) | IP, device, browser, pageviews, referrer, marketing identifiers | Art. 6(1)(a) — consent (cookies) | See lifetimes in the Cookie Policy |
| Defending and pursuing claims, fraud prevention, security | Order, log, and correspondence data | Art. 6(1)(f) — legitimate interest | Until the relevant claim is time-barred |

3. Source of data

We collect personal data directly from you when you place an order, contact us, or use the site. Cookies and analytics tools (after consent) collect technical and behavioural data automatically.

4. Recipients and processors

We share personal data only with processors who help us run the Store, and only to the extent needed:

  • Ecommerce platform / hosting: Shopify; Shopify Oxygen
  • Payment processors: Shopify Payments
  • Shipping carriers: InPost, DPD
  • Analytics / advertising (only after consent): Google Ads
  • Legal counsel and other professional advisers, when needed.

Each processor operates under a written data-processing agreement compliant with Art. 28 GDPR.

5. International transfers

Some processors are established in the United States (notably Google and Meta). Transfers rely on the EU-US Data Privacy Framework (adequacy decision of 10 July 2023) and, where applicable, EU Standard Contractual Clauses (Decision 2021/914). You may request a copy of the safeguards by emailing us.

6. Your rights

Under Arts. 15–22 GDPR you have the right to:

  • access your personal data and obtain a copy,
  • have inaccurate data rectified and incomplete data completed,
  • have data erased ("right to be forgotten"), within the limits of Art. 17 GDPR,
  • restrict processing,
  • data portability (for data processed by automated means under contract or consent),
  • object to processing based on legitimate interests, including direct marketing,
  • withdraw consent at any time, without affecting the lawfulness of prior processing,
  • lodge a complaint with the supervisory authority — Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl.

To exercise any right, write to b2trshots@gmail.com. We respond within one month, with the option to extend by two further months for complex requests, in line with Art. 12(3) GDPR.

7. Automated decision-making

We do not subject you to decisions based solely on automated processing — including profiling — that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR).

8. Data security

We apply technical and organisational measures appropriate to the risk: TLS encryption in transit, access controls, principle of least privilege, encrypted backups, and processor due diligence. In the event of a personal-data breach affecting your rights and freedoms, we will notify the supervisory authority within 72 hours and inform you without undue delay where required by Art. 34 GDPR.

9. Cookies

For information on cookies and similar technologies, including how to manage your consent, see our Cookie Policy.

10. Changes to this policy

We may update this policy when our processing changes or the law evolves. The current version, with the effective date, is always available on this page.