Privacy Policy

arya.cards

Last updated: 24 March 2026

§1 DATA CONTROLLER

1. The controller of your personal data is Marcin Lis, operating under the business name Marcin Lis Sklep Internetowy Arya Cards, ul. Bema 6/1, 31-517 Kraków, Poland, NIP (Tax ID): 6762419841, REGON: 368705570 (hereinafter: the “Controller”).

2. For matters related to personal data, contact the Controller at: contact@arya.cards.

§2 DATA WE COLLECT

1. In connection with placing orders in the Shop, we collect the following data:

a) Full name — for order fulfilment and delivery,

b) Email address — for communication regarding the order,

c) Phone number — for delivery contact purposes,

d) Delivery address or pickup point details — for shipment,

e) IP address — automatically recorded by the server for security purposes.

2. Optionally, at the Customer’s request, we also collect:

a) NIP (Tax ID) — for issuing a VAT invoice,

b) Company name and address — for issuing a VAT invoice.

3. We do not collect sensitive data (e.g., data concerning health, religious beliefs, or sexual orientation).

§3 PURPOSE AND LEGAL BASIS FOR PROCESSING

We process your personal data for the following purposes:

a) Order fulfilment — processing is necessary for the performance of a contract to which you are a party (Art. 6(1)(b) GDPR).

b) Legal obligations — maintaining accounting records, issuing invoices (Art. 6(1)(c) GDPR).

c) Legitimate interests of the Controller — establishing and defending legal claims, ensuring IT system security (Art. 6(1)(f) GDPR).

§4 DATA RETENTION PERIOD

1. Data related to order fulfilment is retained for the period necessary to perform the contract, and subsequently for the period required by tax law (5 years from the end of the tax year in which the transaction took place).

2. Data processed on the basis of legitimate interest is retained until a successful objection is raised or the purpose of processing ceases, but no longer than 3 years from the Customer’s last activity.

§5 DATA RECIPIENTS

Your data may be shared with the following entities, solely to the extent necessary for service delivery:

a) Supabase Inc. (USA) — database hosting where order data is stored. Data transfers to the USA are based on Standard Contractual Clauses (SCCs) compliant with the GDPR.

b) Resend Inc. (USA) — transactional email service (order confirmations, shipping notifications). Data transfers based on SCCs.

c) Vercel Inc. (USA) — website hosting. Servers may process user IP addresses. Data transfers based on SCCs.

d) Cloudflare Inc. (USA) — DNS and website security services. Processes IP addresses for security purposes. Data transfers based on SCCs.

e) DPD Polska Sp. z o.o. (Poland) — courier company fulfilling deliveries. Data shared: full name, delivery address, phone number, email address.

f) mBank S.A. (Poland) — bank payment processing. The bank processes data to the extent required for payment transactions.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

§6 YOUR RIGHTS

In connection with the processing of your personal data, you have the following rights:

a) Right of access — you have the right to obtain confirmation as to whether your data is being processed, and if so, to access it (Art. 15 GDPR).

b) Right to rectification — you have the right to request correction of inaccurate or completion of incomplete data (Art. 16 GDPR).

c) Right to erasure — you have the right to request deletion of your data, unless there is a legal basis for continued processing (Art. 17 GDPR).

d) Right to restriction of processing — you have the right to request restriction of data processing in certain circumstances (Art. 18 GDPR).

e) Right to data portability — you have the right to receive your data in a structured, commonly used, machine-readable format (Art. 20 GDPR).

f) Right to object — you have the right to object to processing based on legitimate interest (Art. 21 GDPR).

g) Right to lodge a complaint — you have the right to file a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl).

To exercise your rights, contact us at: contact@arya.cards.

§7 COOKIES

1. The Shop uses cookies essential for the proper functioning of the website.

2. Types of cookies used:

a) Essential cookies — provide basic website functions such as remembering cookie consent and shopping cart contents. The website cannot function properly without these cookies.

3. The Shop does not use marketing, analytics, or tracking cookies.

4. You can manage cookies through your web browser settings. Disabling essential cookies may cause the website to malfunction.

5. Detailed information on cookie management is available in your browser’s documentation.

§8 DATA SECURITY

1. We apply appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or disclosure.

2. The connection to the Shop is encrypted using SSL/TLS (HTTPS).

3. Access to personal data is restricted to authorised persons who are bound by confidentiality obligations.

§9 CHANGES TO THIS PRIVACY POLICY

1. The Controller reserves the right to amend this Privacy Policy.

2. Customers will be informed of significant changes through a notice on the Shop’s website.

3. The current version of this Privacy Policy is always available at: arya.cards/en/privacy.