Privacy policy

Effective date / Last updated: 28 December 2025

Table of Contents

§1 General Information
§2 Personal data controller
§3 Data acquisition and purpose of data processing
§4 Categories of personal data
§5 Recipients of personal data
§6 Archiving of personal data
§7 Rights, accessing and updating personal data, complaints
§8 Processing of data by automated means, cookie policy
§9 Changes to the Privacy Policy


§1 GENERAL INFORMATION

  1. The Internet Shop’s Privacy Policy does not constitute a source of obligation for the Visitor and the Customer of the Internet Shop. It is for information purposes only and is not a contract or a regulation.

  2. All phrases and words written with a capital letter (e.g. Online Store, Customer, etc.) should be understood in accordance with the content of the Rules of the Online Store.

  3. In the event of any discrepancy, the legal basis for processing will be determined in accordance with applicable law (including GDPR), the concluded agreement (if any), and any valid consents given by the data subject.

  4. The Store is operated on the Shopify platform, which provides the infrastructure for hosting, checkout, payments and certain store functionalities. Some Shopify services may involve processing of personal data as described further in this Privacy Policy.


§2 PERSONAL DATA CONTROLLER

  1. The Administrator of your personal data is LAST Sp. z o.o. with its registered office in Warsaw (00-351) at ul. Zajęcza 7/1, entered in the National Court Register by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Department of the National Court Register under KRS number 0001010629, NIP 5252937588, REGON 524028033 (hereinafter: the Administrator).

  2. For all data protection issues, we encourage you to contact us at the above address or via email address: office(at)last-skincare.com.

  3. You can also send a request to this address for information on what personal data we hold about you and for what purposes we process it.

  4. The Administrator informs that it stores correspondence for the purposes of improving customer support, ensuring accountability, resolving complaints and handling requests. Addresses and data collected in this way will not be used for communication for any purpose other than the fulfilment of the request, in particular will not be used for marketing purposes and will not be passed on to third parties, unless this is necessary to handle the request (e.g. shipping provider, payment provider) or required by law.

  5. If the Administrator is contacted in order to perform a specific action (e.g. lodge a complaint, make a refund), the Administrator may ask the person concerned to provide data, including personal data, e.g. name, surname, address, e-mail address, in order to confirm his or her identity and enable the possibility of contacting the person concerned and performing the requested action. Providing such data is not obligatory, but it may be necessary to perform an action or to obtain information that is of interest to a given person.

  6. Where you consent to analytics and/or marketing cookies, certain partners (e.g. analytics, advertising and social media providers) may process personal data as separate controllers for their own purposes, as described in their respective privacy notices.

  7. Please note that Shopify is the platform provider for the Store. In most cases Shopify processes personal data on our behalf as a processor. However, in certain cases described in this Privacy Policy (e.g. Shopify enhanced features related to security, fraud prevention and personalization), Shopify may process personal data as an independent controller and may handle related requests directly via its privacy portal available through Shopify’s privacy pages.


§3 DATA ACQUISITION AND PURPOSE OF DATA PROCESSING

  1. We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: GDPR/RODO) and other data protection laws currently in force at the time of processing certain data.

  2. According to GDPR, personal data is information about an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.

  3. We ensure that the data we obtain from you is confidential, secure and processed only when necessary. We process data lawfully, fairly and transparently. We process only such data that is necessary for the purposes described in this Privacy Policy. We use appropriate and adequate security measures and state of the art technology to protect personal data against accidental loss and unauthorized access, use, alteration, or disclosure. We store personal data in a manner that enables the identification of the data subject for no longer than is necessary for the purposes for which the data are processed.

  4. The Administrator obtains information about personal data, including through Shopify checkout and account functionalities and, where applicable, through Shopify apps installed in the Store (e.g. reviews, loyalty, email marketing tools), in the following ways:
    a) by making a purchase in the Store (online store) by the Customer;
    b) by registering a Customer Account;
    c) by voluntarily subscribing to a newsletter service;
    d) by posting an opinion in the Online Shop;
    e) by voluntarily entering information in an email message or contact form;
    f) by sending a complaint, request, inquiry or letter of any other nature;
    g) by voluntarily entering information in an email sent in connection with your desire to do business with us;
    h) by directing a message in a chat/messenger channel (if available);
    i) through cookies, pixels or similar Internet technologies.

  5. Please be informed that the purpose and scope of data processed by the Administrator results from the performance of a contract (e.g. order fulfillment or account services), compliance with legal obligations, the Administrator’s legitimate interests, and - where required - your consent.

  6. Providing personal data by the Visitor or the Customer is voluntary, but it may be necessary in order to use certain functionalities of the Store (e.g. placing an Order and its settlement, Customer Account registration, contact forms).

  7. Each time the scope of data required to conclude the relevant agreement is indicated in advance in the Online Shop (we mark the data whose submission is necessary to conclude the agreement/use a specific functionality), within other communication channels with the Visitor or the Customer or in the Regulations. The consequence of failing to provide personal data may be inability to effectively use the functionality of the Website, e.g. inability to place an order.

  8. Your personal information is obtained by the Administrator for the following purposes:

    Purpose of processing | Legal basis | Legitimate purpose, if any
    Keeping statistics / analytics necessary to improve the Store and business operations (in a privacy-respecting manner) | Article 6(1)(f) GDPR | To have information about the performance of our operations, which allows us to improve our business
    Conducting marketing of our own products and services without the use of electronic communications | Article 6(1)(f) GDPR | To promote the business
    Conducting marketing of our own products and services using electronic communications (e.g. email, SMS), including measurement and personalization where applicable | Article 6(1)(a) GDPR (consent), and where applicable additional requirements under telecommunications and electronic services laws | To send marketing communications and offers
    Handling requests made using the contact form, email, complaints, returns, exchanges and other requests | Article 6(1)(b) GDPR and/or Article 6(1)(c) GDPR and/or Article 6(1)(f) GDPR | Responding to requests and inquiries; handling complaints and consumer rights; pursuing or defending claims; record-keeping
    Posting an opinion in the Online Store | Article 6(1)(a) GDPR | Product feedback / review publication
    Customer Account maintenance | Article 6(1)(b) GDPR | Providing the Customer Account service
    Conclusion and execution of the Sales Agreement | Article 6(1)(b) GDPR | Order processing, fulfillment, returns, exchanges
    Archiving of sales documents | Article 6(1)(c) GDPR | Fulfillment of legal obligations (tax and accounting)

  1. In the case of an adult Client or an adult Website Visitor, with his or her additional consent (where required), Personal Data may be processed to present and personalize advertisements, offers or promotions (discounts) related to the products or services of the Administrator and its partners (profiling), for example by showing product recommendations or reminding you about products you viewed. This profiling is used for marketing personalization and does not produce legal effects and does not similarly significantly affect you.

  2. Newsletter. If you wish to subscribe to our newsletter, it is mandatory to provide us with your e-mail address (and optionally your name) via the newsletter subscription form. Providing this data is voluntary, but necessary to use the newsletter service. Subscribing to the newsletter is also possible at the stage of creating a Customer Account and placing an order.

    The data provided to us when signing up for the newsletter is used to send you the newsletter, in which we inform you about company activities, products, promotions and discounts. The legal basis for processing in this situation is your voluntary consent given when signing up for the newsletter.

    Newsletter communications may be delivered using an external email service provider integrated with Shopify.

    Your data are processed in this case for the purpose of sending the newsletter periodically, and the basis for the processing is Article 6(1)(a) GDPR, i.e. your consent.

    The data will be processed for the duration of the newsletter, unless you unsubscribe earlier, which will result in removal of your data from the newsletter list. Furthermore, you can correct your data stored in the newsletter database at any time, as well as request their deletion by unsubscribing from the newsletter. You also have the right to data portability (Article 20 GDPR).

    The newsletter database is properly secured. In emails sent using the newsletter system there may be links to hidden images (the so-called tracking pixel) used to measure newsletter performance (e.g. open rate). Where required by law, tracking pixels and similar technologies used to measure newsletter performance are applied only where you have provided the relevant consent.

  3. Email contact. When you contact us by e-mail, you provide us with your e-mail address as the sender address of the message. In addition, you may also include other personal data in the body of the message. The provision of data is voluntary, but may be necessary in order to get in touch with us.

    Your data is processed for the purpose of responding to your inquiry and communicating with you. The legal basis is Article 6(1)(f) GDPR (legitimate interest – handling correspondence and customer support) or Article 6(1)(b) GDPR (where the inquiry relates to a contract or steps prior to entering into a contract). We may also retain correspondence for record-keeping and to establish, exercise or defend legal claims (Article 6(1)(f) GDPR).

    The contents of correspondence may be archived for a period not exceeding 5 years, unless a longer retention period is required to comply with legal obligations or to establish, exercise or defend legal claims. You have the right to request a history of your correspondence with us (if it is archived) as well as to request its deletion unless archiving it is justified by overriding legal obligations or legitimate interests (e.g. claims-related record keeping).

  4. Feedback / opinions. If you want to add your opinion about a product or our entry, you need to fill in the form.

    Your data is processed in this case for the purpose of enabling you to post opinions, and the basis for processing is Article 6(1)(a) GDPR, i.e. your consent resulting from your desire to post on our website.

    Data will be processed for the duration of the opinion on the website, unless you request earlier deletion of the opinion, which will delete your data related to the opinion from the database.

    You can correct your data in the feedback at any time, as well as request their deletion. You also have the right to data portability (Article 20 GDPR).

  5. Customer Account. When you create a Customer Account on our Website you provide us with your email address. This is voluntary but necessary for successful registration of the customer account. Then you can also enter your name and address data in the My Account section.

    Your data is processed in this case for the purpose of maintaining a Customer Account, and the basis for processing is Article 6(1)(b) GDPR (performance of a contract – providing the Customer Account service).

    Data will be processed for the duration of the Customer’s Account, unless you have previously requested its deletion, which will delete your data from the database, subject to retention obligations described in §6.

    You can correct your data assigned to your Customer Account at any time, as well as request their deletion. You also have the right to data portability (Article 20 GDPR).

    As part of creating a Customer Account you may, but are not required to, agree to subscribe to a newsletter service.


§4 CATEGORIES OF PERSONAL DATA

The controller may process the following categories of personal data:

  1. personal data provided in the form when registering Customer Account, placing Orders in the Online Store, in particular: e-mail address, telephone number, name and surname, address of residence;

  2. personal data completed by the user during the use of the Customer Account, in particular: name and surname; e-mail address; contact telephone number; address of residence [street, house number, apartment number, postal code, city, country], and in case of Customers who are not consumers, additionally company name and tax identification number [NIP];

  3. personal data necessary to place the order, in particular: name and surname; e-mail address; contact telephone number; address of residence [street, number of the house, number of the premise, postal code, town, country], and in case of Customers who are not consumers, additionally company name and tax identification number [NIP];

  4. personal data provided for the use of the newsletter, provided during the use of the contact form, sent by e-mail; or provided during the lodging of complaints, claims or requests, in particular: name and surname; e-mail address; contact telephone number; address [street, house number, apartment number, zip code, city, country], bank account number (where required for refunds);

  5. personal data provided in order to take part in competitions/promotional actions (if organized): name and surname; e-mail address; contact telephone number; address of residence [street, number of house, number of premises, postal code, town, country];

  6. personal data contained in the opinion, in particular name (or nickname) and the content of the opinion;

  7. technical and usage data related to your interaction with the Store, such as device and browser information, IP address, cookie identifiers, Shopify customer and order identifiers, and approximate location derived from IP address (where applicable);

  8. other data, in particular data obtained on the basis of the Customer’s activity on the Internet, including data obtained through the Internet Store or other channels of communication with the Customer, using cookies and similar technologies.


§5 RECIPIENTS OF PERSONAL DATA

  1. Your personal data may be processed by our partners and subcontractors, i.e. entities whose services we use to process data and provide services to you. To our knowledge, all entities to whom we entrust the processing of personal data guarantee the application of appropriate measures for the protection and security of personal data required by law.

  2. Shopify and Shopify-integrated apps. The Store is hosted on Shopify. Shopify processes personal data to provide the Store infrastructure, checkout, hosting, and security functionalities. We may also use Shopify-integrated apps (e.g. for reviews, customer communication, analytics, or marketing). Such apps may process personal data on our behalf as processors, or in certain cases as separate controllers, depending on the specific app and its privacy notice.

  3. Your personal information may be transferred by the Administrator:
    a) to state authorities or other entities authorized by law, in order to fulfill our obligations;
    b) to a limited extent, to partners involved in the processing of personal data, in particular those who technically support the proper functioning of the Internet Shop (e.g. support us in sending e-mails, and in the case of advertising activities – also in marketing campaigns), providers of hosting or data communication services, carriers or agents for Order deliveries, entities processing electronic payments or payment card payments in the Internet Shop (including payment service providers integrated with Shopify), companies servicing software, supporting the Administrator in marketing campaigns, as well as providers of legal and advisory services and external accountants;
    c) in addition, we may share fully anonymized data (data that cannot identify you) with entities that we work with.

  4. As part of marketing (advertising) activities, the Administrator may use services of third parties that use cookies, pixels or functions similar to cookies in the Internet Shop, where you have provided the relevant consent.

  5. Our providers are mainly based in Poland or in other countries of the European Economic Area (EEA). Some of our providers (e.g. Shopify, Google) may process data outside the EEA. Where required, we rely on recognized transfer mechanisms such as the European Commission’s Standard Contractual Clauses and implement supplementary measures where appropriate.


§6 ARCHIVING OF PERSONAL DATA

  1. The Administrator will retain personal data only for as long as necessary for the purposes set out in this Privacy Policy and/or to comply with legal and regulatory requirements, unless a longer retention period is required by law or for establishing, exercising, or defending legal claims. After this period, the Administrator will securely delete or anonymize personal data.

  2. We retain data for the periods indicated below:

  • Data associated with the sales procedure - 5 years

  • Data for marketing purposes - in the case of consent: until withdrawal; in the case of legitimate interest: until objection

  • Data submitted using the contact form, email - 3 years (to maintain accountability), unless longer retention is required for claims

  • Opinion data - in the case of consent: until withdrawal; in the case of legitimate interest: until objection

  • Personal information related to cookies and similar features - until you delete these files using your website/browser/device settings (note that deletion of files is not always the same as deletion of Personal Data obtained through these files; in such case Personal Data will be deleted upon your objection or in accordance with retention settings of the relevant tool)

  • Data provided during complaint and other procedures related to Customer’s claims - 5 years

  • Remaining category of data (with the exception of cookie data, which is covered more in our Cookies Policy) - 5 years

  1. In any case, personal data will be stored also when legal regulations (e.g. accounting or tax regulations) oblige the Administrator to process them; we will store personal data longer in case the Customer has any claims against the Administrator, in order to assert claims by the Administrator, or in order to assert or defend against third-party claims, for the period of their limitation specified by law, in particular the Civil Code.

  2. Depending on the scope of the personal data and the purposes for which they are processed, they may therefore be stored for different periods. In each case, the longer storage period for the personal data is decisive.


§7 RIGHTS, ACCESSING AND UPDATING PERSONAL DATA, COMPLAINTS

  1. Pursuant to Article 15 GDPR, you have the right to obtain information from the Data Controller as to whether your personal data are being processed.

  2. If the Administrator processes your personal data, then you have the right to:
    a) access to personal information;
    b) obtain information about the purposes of processing, the categories of personal data processed, the recipients or categories of recipients of such data, the intended period of storage of your data or the criteria for determining that period, your rights under GDPR and your right to lodge a complaint with the supervisory authority, the source of such data, automated decision-making (including profiling), and the safeguards applied in connection with the transfer of such data outside the European Union;
    c) obtain a copy of your personal information.

  3. In addition, you may request rectification of your personal data (Article 16 GDPR), erasure of your personal data (Article 17 GDPR), object to the processing of your personal data (Article 21 GDPR) and, where technically feasible, request the transfer of the personal data provided to another organization (Article 20 GDPR). You can object at any time to processing for direct marketing purposes.

  4. For certain processing carried out by Shopify as an independent controller, Shopify may handle your request directly via its privacy portal available through Shopify’s privacy pages.

  5. In relation to the right to be forgotten, the Controller will update or delete your data unless it has a legal obligation to retain it for business purposes or to comply with the law. In some cases, you have the right to request the restriction of the processing of your personal data (Article 18 GDPR). You may also contact the Controller if you have concerns about how we collect, store or use your personal data.

  6. The Administrator endeavours to deal with any requests concerning the above-mentioned operations on your personal data immediately, but no later than within 30 days of receiving the request. Due to the complexity of the request, the Administrator is entitled to consider your request within a period exceeding 30 days, of which it will inform you in advance.

  7. The Administrator strives to resolve complaints conclusively, but if you are still dissatisfied with the response you receive, you may file a complaint with the supervisory authority dealing with personal data protection at your local data protection authority. In Poland, the supervisory authority under GDPR is the President of the Office for Personal Data Protection.


§8 PROCESSING OF PERSONAL DATA BY AUTOMATED MEANS, COOKIE POLICY

  1. Our Website, like almost all other websites, uses cookies. The cookies policy applies to both the Customers of the Internet Shop and the Visitors of the Internet Shop, i.e. the users who browse the content of the Shop but do not make purchases.

  2. The Cookie Policy is a document that is an integral part of this Privacy Policy.

  3. The Website also uses functionalities similar to cookies. Therefore, individual provisions of the Cookie Policy should also refer to these technologies accordingly.

  4. Selected cookies process your personal data. The processing of personal data derived from cookies or similar technologies on our Website is carried out for the purposes of ensuring the functioning of the Website and adapting the Website to the Visitor’s and Customer’s preferences (based on our legitimate interest). Analytics and marketing cookies (including advertising and social media functionalities) are used only where you have provided the relevant consent expressed by making a selection during the cookie consent process.

  5. Shopify may set certain cookies that are necessary for the Store to function (e.g. checkout, security and fraud prevention).

  6. When a Visitor uses the Online Shop, cookies are used to identify his/her browser or device – cookies collect various types of information which, as a rule, do not constitute personal data. However, some information, depending on its content and use, may be associated with a specific person – the attribution of certain behaviours to a specific Visitor or Customer, e.g. by linking it to the data provided when registering an Account with the Online Shop or a specific e-mail address – and thus be considered personal data.

  7. In relation to information collected by cookies that can be linked to a specific person, the provisions of the Privacy Policy of the Internet Shop relating to personal data shall apply, in particular those relating to the rights of the data subject.

  8. The Website may use profiling. Thanks to cookies used in the Internet Shop it is possible for the Administrator to learn about Visitor’s/Customer’s preferences – e.g. by analyzing how often they visit the Internet Shop and if and what products they buy. Analyzing online behavior helps to better understand the habits and expectations of Customers and Visitors and to adapt to their needs and interests. This technology makes it possible to present Visitors with advertisements tailored to their needs and interests, and to provide better promotions and surprises to adult Visitors who have consented to receive them.


§9 CHANGES TO THE PRIVACY POLICY

  1. This Privacy Policy is effective as of 28 December 2025 (Last updated: 28 December 2025).

  2. The Administrator declares that it has the right to amend this document for important reasons, among others:
    a) changes in applicable regulations, in particular those concerning GDPR, telecommunication law, electronically delivered services and regulating consumer rights, affecting the rights and obligations of the Controller or the rights and obligations of the Data Subject;
    b) developments in electronic functionality or services due to advances in Internet technology, including the implementation of new IT, technological or technical solutions on the Website, affecting the scope of this Privacy Policy.

  3. The Administrator is obliged to inform the Users about any changes in advance in a manner allowing them to become familiar with the content of the changed document, e.g. by placing the uniform text of the Privacy Policy on the main page of the Website.

  4. In the case of users using the newsletter function, if the Administrator makes substantial changes to the content of the Privacy Policy, it will inform the Users about them via e-mail. In case of any objections to the change of the Policy, the User has the right to stop using the newsletter by unsubscribing or by requesting the deletion of his/her personal data.