Privacy policy

Privacy and Cookie Policy

Nat-Lab Sp. z o.o. | natlabstore.com

Last updated: 26 May 2026


1. Data Controller

The controller of your personal data is Nat-Lab Sp. z o.o., registered at ul. Prezydenta Gabriela Narutowicza, 20-016 Lublin, Poland (NIP: 9462750361, KRS: 0001156717, REGON: 540942735). Contact: hello@natlabstore.com.


2. Categories of Personal Data Collected

  • Identity data: first name, last name

  • Contact data: email address, shipping address, billing address, phone number

  • Transaction data: order history, products purchased, payment method type (not full card numbers)

  • Technical data: IP address, browser type, device type, operating system, cookie identifiers

  • Usage data: pages visited, time on site, referral source, clickstream data

  • Marketing data: newsletter subscription status, ad interaction data, consent records


3. Legal Bases for Processing (GDPR Art. 6)

  • Art. 6(1)(b) - Contract performance: processing necessary to fulfil your order, arrange delivery, manage returns and refunds.

  • Art. 6(1)(c) - Legal obligation: maintaining accounting records, tax documentation, and consumer rights compliance under Polish and EU law.

  • Art. 6(1)(a) - Consent: sending marketing emails via Omnisend; placing analytical and advertising cookies (GA4, Google Ads, Meta Pixel, TikTok, Pinterest).

  • Art. 6(1)(f) - Legitimate interests: fraud prevention, site security, and improving service quality, where such interests are not overridden by your rights.


4. How We Use Your Data

  • Processing and fulfilling your orders

  • Sending order confirmations, shipping notifications, and tracking information

  • Managing returns, refunds, and warranty claims

  • Sending marketing communications (only with your explicit consent)

  • Displaying personalized advertising across Google, Meta, TikTok, and Pinterest (only with your consent)

  • Analyzing website traffic and improving user experience via Google Analytics 4 (only with your consent)

  • Complying with legal obligations including tax and accounting requirements


5. Third-Party Data Processors and Recipients

We share your data only where necessary and on a documented legal basis. Current processors:


| Processor | Purpose | Location | Legal Basis / Safeguard |
|---|---|---|---|
| Shopify Inc. | E-commerce platform, order processing, Shopify Payments | USA | DPA, Standard Contractual Clauses (SCCs) |
| Google LLC (GA4, Ads) | Analytics, advertising, conversion tracking | USA | Consent; SCCs |
| Meta Platforms Inc. | Facebook & Instagram advertising, Meta Pixel | USA | Consent; SCCs |
| TikTok Technology Ltd. | TikTok advertising and pixel tracking | USA / Singapore | Consent; SCCs |
| Pinterest Europe Ltd. | Pinterest advertising and tag | USA | Consent; SCCs |
| Omnisend | Email marketing automation and flows | USA | Consent; DPA; SCCs |
| InPost S.A. | Parcel locker and courier delivery (Poland) | Poland | Contract performance |
| DPD Polska Sp. z o.o. | Courier delivery (Poland and EU) | Poland / EU | Contract performance |


We may integrate additional tools (e.g., review platforms, chat widgets, analytics tools) as our business develops. Any such tool that processes personal data will be added to this table prior to or upon activation. Where required by law, we will obtain your consent before the tool becomes active.


6. Cookies and Tracking Technologies

We use cookies and similar technologies (pixels, tags, local storage) on natlabstore.com. A cookie is a small text file stored on your device when you visit a website.


6.1 Strictly Necessary Cookies

Required for the website to function. They cannot be disabled without breaking core functionality. They do not require consent.

  • Examples: Shopify session cookies, cart state, login authentication


6.2 Functional Cookies

Enable enhanced functionality and personalization. Disabling them may affect some features but not core functionality.

  • Examples: language preference, currency display, previously viewed items


6.3 Analytics Cookies

Help us understand how visitors interact with the site. Set only with your consent.

  • Provider: Google Analytics 4 (Google LLC). Data may be transferred to the USA under SCCs.


6.4 Marketing and Advertising Cookies

Used to deliver targeted advertisements and measure campaign performance. Set only with your consent.

  • Google Ads: conversion tracking and remarketing

  • Meta Pixel (Facebook / Instagram): ad targeting and measurement

  • TikTok Pixel: ad targeting and measurement

  • Pinterest Tag: ad targeting and measurement


You can manage your cookie preferences at any time via the cookie consent banner displayed on your first visit, or through your browser's cookie settings. Withdrawing consent does not affect the lawfulness of prior processing.


7. Data Retention Periods

  • Order and transaction records: 5 years from the end of the calendar year of the transaction (Polish Accounting Act / Tax Ordinance)

  • Customer account data: for the duration of the account, then 5 years from account closure for tax and legal purposes

  • Marketing consent records and email data: until you withdraw consent or unsubscribe

  • Google Analytics data: 14 months (GA4 default retention, configurable)

  • Advertising pixel data: subject to each platform's data retention settings (typically 180 days - 2 years)


8. Your Rights Under GDPR

Under Regulation (EU) 2016/679 (GDPR), you have the following rights:

  • Right of access (Art. 15): obtain confirmation of whether we process your data and request a copy

  • Right to rectification (Art. 16): correct inaccurate or incomplete personal data

  • Right to erasure (Art. 17): request deletion where no lawful basis for processing applies

  • Right to restriction of processing (Art. 18): limit how we use your data in certain circumstances

  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format

  • Right to object (Art. 21): object to processing based on legitimate interests or direct marketing

  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time without affecting prior lawful processing


To exercise any right, contact us at hello@natlabstore.com. We will respond within 30 calendar days. If you consider that we have violated your rights, you may lodge a complaint with the Polish supervisory authority: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland — www.uodo.gov.pl.


9. International Data Transfers

Several processors listed in Section 5 are based in the United States or other third countries. Data transfers to these processors are conducted under Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, and/or other applicable transfer mechanisms, ensuring an equivalent level of data protection to that within the EEA.


10. Data Security

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These measures include: TLS/HTTPS encryption for all data in transit, access controls and authentication requirements, regular security reviews, and data minimization principles. Shopify Payments is certified PCI DSS Level 1 compliant; we do not store full payment card data.


11. Changes to This Policy

We may update this Privacy and Cookie Policy from time to time to reflect changes in our practices or legal requirements. We will post the revised policy on this page with an updated date. For material changes that affect how we use your personal data, we will provide additional notice (e.g., by email). Your continued use of natlabstore.com after the posting of changes constitutes acceptance of the updated policy.


12. Contact

Nat-Lab Sp. z o.o.

ul. Prezydenta Gabriela Narutowicza, 20-016 Lublin, Poland

Email: hello@natlabstore.com