This document describes how personal data is processed within CraftLoop.
This policy is structured to align with GDPR (EU), electronic services regulations, and core international privacy expectations for cross-border users.
Data controller
The data controller is Przemysław Kula, conducting business under the trade name IZON - Kula Przemysław, tax ID (NIP) 113-217-95-22, REGON 015539240, address: Zwycięzców 33/12A, 03-936 Warsaw, PL. Contact e-mail: pkula@izon.pl.
1. Scope and purposes of processing
We process data required for account registration and operation, listing products, communication between users, platform security, and legal claims handling.
Data may also be used for service analytics and product improvement where legally justified and proportionate.
- Account data: e-mail, password credentials handled by auth provider, user identifier.
- Profile data: display name, avatar, bio, city, and optional contact details.
- Content data: product listings, media files, publication metadata.
- Technical data: security logs, session identifiers, IP address, browser/device information.
2. Legal bases (GDPR, Art. 6(1))
We rely on contract performance (b), legal obligation (c), legitimate interests (f), and consent (a) where required.
- Contract: account registration, authentication, and platform features.
- Legal obligation: compliance records and lawful authority requests.
- Legitimate interest: abuse prevention, claims defense, service reliability.
- Consent: optional cookies and any other consent-based processing.
3. Data recipients
Data may be processed by service providers acting on our behalf, including hosting/cloud infrastructure, authentication, and file storage providers.
We disclose data to authorized public authorities only when legally required.
4. Transfers outside the EEA
If data is transferred outside the EEA, we apply appropriate safeguards such as Standard Contractual Clauses (SCCs) or another valid GDPR transfer mechanism.
5. Retention periods
Account and profile data is retained for the duration of service use, then for as long as needed to handle legal obligations or claims.
Technical and security logs are retained only as long as necessary for security and system integrity.
6. Cookies and similar technologies
The service uses essential cookies for operation (session, security, language preferences). Optional cookies are enabled only after consent.
Consent preferences can be changed at any time via "Manage cookies" in the footer.
7. Profiling and automated decisions
We do not make solely automated decisions producing legal or similarly significant effects on users.
8. Data security
We apply risk-appropriate technical and organizational safeguards, including access controls, session protection, input validation, and abuse monitoring.
9. Policy updates
This policy may be updated as the service or legal framework evolves. Material changes will be communicated in the service.
Users may exercise GDPR rights including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
If you believe your data rights are violated, you may lodge a complaint with the competent supervisory authority (including the President of UODO) or your local EEA supervisory authority.