Privacy policy

Privacy policy of the NAGO.COM e-shop

Who processes your personal data and how to contact them?

Personal data controller: 

CLTHS S.A., a joint stock company incorporated under the laws of Poland, with its seat in Warsaw (with a tax identification number (NIP): 1132976572, and a statistics register number (REGON): 380485129), registered in the register of entrepreneurs maintained by the District Court for the Capital City of Warsaw in Warsaw under the KRS number: 0000735885.

Contact via e-mail: shop@nago.com

How and for what purpose do we process your personal data?

The purpose of processing your personal data and the scope of it processed depends on what you do on our website.

1.1. You are a client of NAGO.COM

If you buy in our store, we ask you to provide your name and surname, e-mail address, telephone number and delivery address (mandatory data). Providing other data is optional. If you have an account on our website and you are logged in, the data will be completed automatically. Providing data marked as mandatory is required to perform the order.


Your personal data are processed:

  1. in order to perform the order - the legal basis for processing is the necessity of processing to perform the sales contract (Article 6 .1.b of the GDPR); in the scope of optional data, the legal basis for processing is consent (Article 6.1.a of the GDPR);
  2. in order to fulfill the statutory obligations incumbent on the Controller, resulting (in particular) from tax and accounting regulations - the legal basis for processing is the legal obligation (Article 6.1.c of the GDPR);
  3. for analytical purposes - the legal basis for processing is the Controller's legitimate interest (Article 6.1.f of the GDPR) consisting in conducting analyzes of users' activity on the website, as well as their purchasing preferences in order to improve the functionalities used;
  4. in order to possibly  pursue claims or defend against them - the legal basis for processing is the legitimate interest of the Controller (Article 6.1.f of the GDPR) consisting in the protection of his rights;
  5. for the Controller's marketing purposes - the rules for the processing of personal data for marketing purposes are described in the section: "How do we use your data in marketing?"

Basic processing period: six years from the end of the year in which the order was delivered. For analytical and marketing purposes, until the objection is raised / consent is withdrawn.


1.2.You have an account on NAGO.COM

If registered an account on our website, we ask you to provide your e-mail address and set an access password (mandatory data). You can optionally provide other data such as name and surname. Providing data marked as mandatory is required to set up and operate an account, and failure to do so results in the inability to create an account. Providing other data is voluntary.

In addition, we process personal data regarding your activity in the online store, such as: the history of your orders and the contents of the basket.


Your personal data are processed:

  1. in order to provide an account maintenance service - the legal basis for processing is the necessity of processing to perform the sales contract (Article 6 .1.b of the GDPR); in the scope of optional data, the legal basis for processing is consent (Article 6.1.a of the GDPR);
  2. for analytical purposes - the legal basis for processing is the Controller's legitimate interest (Article 6.1.f of the GDPR) consisting in conducting analyzes of users' activity on the website and the manner of using the account, as well as their preferences, in order to improve the functionalities used;
  3. in order to possibly  pursue claims or defend against them - the legal basis for processing is the legitimate interest of the Controller (Article 6.1.f of the GDPR) consisting in the protection of his rights;
  4. for the Controller's marketing purposes - the rules for the processing of personal data for marketing purposes are described in the section: "How do we use your data in marketing?"

Basic processing period: until the termination of the contract for an account maintenance (deletion of the Account).


1.3. You have subscribed to newsletter

If you have subscribed to the newsletter service, you will periodically receive e-mails with information about new products, promotions and discounts available on our website (commercial information). Commercial information may be tailored to your preferences, in particular based on your previous purchases and activity on our website. When subscribing to the newsletter service, you can provide additional information about yourself, e.g. your name. This will make it easier for us to personalize the e-mails sent to you. Providing data is voluntary, but failure to provide an e-mail address results in the inability to send the newsletter.


Personal data is processed:

  1. in order to provide the newsletter delivery service - the legal basis for processing is your consent (Article 6.1.a of the GDPR); You can revoke consent to receive the newsletter at any time;
  2. for the Controller's marketing purposes - the legal basis for processing, including profiling, is the Controller's legitimate interest (Article 6.1. f of the GDPR), in connection with the consent to receive the newsletter; more information can be found in the section: "How do we use your data in marketing?"
  3. for analytical purposes - the legal basis for processing is the Controller's legitimate interest (Article 6.1.f of the GDPR) consisting in conducting analyzes of users' activity on the website and the manner of using the account, as well as their preferences, in order to improve the functionalities used;
  4. in order to possibly  pursue claims or defend against them - the legal basis for processing is the legitimate interest of the Controller (Article 6.1.f of the GDPR) consisting in the protection of his rights.

Basic processing period: until you unsubscribe from the newsletter.

1.4. You contact us by e-mail, chat services or as otherwise described on the NAGO.COM website

Depending on the purpose of the contact, you may be asked to provide personal data, e.g. your name, order number or other personal data necessary to contact you and answer your inquiry. Providing personal data is voluntary.


Personal data is processed:

  1. to identify the sender and handle his inquiry - the legal basis for processing is the necessity of processing to perform the service contract (Article 6.1.b of the GDPR);
  2. for analytical purposes - the legal basis for processing is the Controller's legitimate interest (Article 6.1.f of the GDPR) consisting in keeping statistics of inquiries submitted by users via the website in order to improve its functionality;
  3. in order to possibly  pursue claims or defend against them - the legal basis for processing is the legitimate interest of the Controller (Article 6.1.f of the GDPR) consisting in the protection of his rights.

Basic processing period: one year from the end of the contact year. In the case of after-sales service, six years from the end of the year in which the order was delivered


1.5. You are participating in a competition or promotional campaign

We can organize contests and promotional campaigns via the website or our fan pages on social networks. From the terms of participation in the competition or promotional campaign, you will find out what personal data you need to provide in order to take part in this competition or promotional campaign


Personal data is processed:

  1. in order to conduct and settle a competition (including the issue of prizes) or a promotional campaign - the legal basis for processing is the legitimate interest of the Controller (Article 6.1.f of the GDPR) consisting in the implementation of a public promise made by the Controller);
  2. in order to fulfill the statutory obligations incumbent on the Controller, resulting (in particular) from tax and accounting regulations - the legal basis for processing is the legal obligation (Article 6.1.c of the GDPR);
  3. for analytical purposes - the legal basis for processing is the Controller's legitimate interest (Article 6.1.f of the GDPR) consisting in conducting analyzes of users' activity on the website, as well as their purchasing preferences in order to improve the functionalities used;
  4. in order to possibly  pursue claims or defend against them - the legal basis for processing is the legitimate interest of the Controller (Article 6.1.f of the GDPR) consisting in the protection of his rights.

Basic processing period: until the contest is resolved and the prizes are issued or the promotional campaign is completed, and as regards the list of winners and the confirmation of issuing the prizes, six years from the end of the year in which the prizes were issued.


1.6. You visit our profiles on social media

We process personal data of users visiting our profiles on social networks (Facebook, Instagram, TikTok). These data are processed in connection with running a profile, organizing contests through it and promoting various types of events, services and products. The legal basis for the processing of personal data by the Controller for this purpose is its legitimate interest (Article 6.1.f of the GDPR), consisting in promoting its own brand and products. In this case, we are the controllers of your data together with the entity running a given social networking site and we do not hide that it is this entity that has a decisive influence on how and why your data is processed on their social media platforms.


The basic period of processing: consent with the privacy policy of the entity running the social network - Facebook, Instagram, TikTok.

How do we use your personal data in marketing?

We process users' personal data in order to carry out marketing activities and adjust the content of our website, which may include:

  • displaying content (advertisements, messages, offers) corresponding to your interests;
  • sending e-mail notifications about interesting offers or content that contain commercial information can be tailored to your preferences (newsletter service).

In order to carry out marketing activities, we use profiling in some cases. This means that thanks to automatic processing, we evaluate selected factors relating to natural persons in order to analyze their behavior or to create a behavior forecast for the future. The basis for profiling is the data collected by cookies on our website and the history of your transactions.

Cookies what are they?

Cookies are small text files that are saved by your web browser on your device. The cookie file stores information supporting the functioning of the website and data about your activity on the website. In this Policy, information on cookies also applies to other similar technologies used on the website.

What types of cookies do we use?

We use:

  • technical cookies - necessary for the proper and safe functioning of the website
  • configuration cookies - storing your settings, eg the language of the site
  • statistical cookies - used to create network traffic statistics on our website
  • marketing cookies - used by our partners (Google, Facebook) to adjust the content displayed on our website and the advertisements displayed to you in social media or on websites.

Data from marketing cookies are used by us for the purpose of:

  • popularizing the website using the social networking site Facebook.com, the administrator of which is Facebook Ireland Ltd. based in Ireland, the Facebook Privacy Policy is available at the following link: https://www.facebook.com/help/cookies/;
  • popularizing the website using the Instagram.com social network, the administrator of which is Facebook Ireland Ltd. based in Ireland, the Instagram.com Privacy Policy is available at the following link: https://pl-pl.facebook.com/help/instagram / 155833707900388.

The indicated controllers (Google and Facebook) provide tools for managing personal data on their websites. Detailed information is available in the privacy policies of these controllers.

How to express or withdraw consent to the installation of cookies and the processing of data collected by them?

From the website:

At the first launch of our website and then at least every 12 months, we display a menu (popup) in which you can consent to the processing of personal data stored in cookies by us and our partners (statistical and marketing cookies). You can withdraw this consent by deleting cookies from your browser (find out below how).


From your browser settings:

Using the web browser settings, you can independently and at any time change the settings for all cookies, specifying the conditions for their storage and access by cookies to your device. You can change these settings so as to block the automatic handling of cookies in your web browser settings or inform about their every posting on your device. Detailed information on the possibilities and methods of handling cookies is available in the settings of your software (web browser). Instructions on how to do this can be found on the website of your browser manufacturer or, for example, on this website (http://jakwylaczyccookie.pl/jak-wylaczyc-pliki-cookies/).

How long do we process your personal data?

We provide the data processing period for the activities described in this policy as the "Basic processing period". The basic processing period, if the basis for processing is your consent, lasts until the consent is withdrawn. If the Basic processing period has not been provided, it is 3 years from the end of the year in which the data was collected.

The basic period of data processing may be extended by the period of limitation of claims (usually 6 years) if the processing is necessary to establish, investigate or defend against any claims.

Your rights

In connection with the processing of personal data, you are entitled to:

  • access to your personal data;
  • obtain a copy of personal data;
  • rectify or supplement your personal data; Remember that you can edit some personal data yourself via the account;
  • delete your personal data;
  • restrictions on the processing of personal data;
  • transfer of personal data.

You can exercise your rights by writing to us at the following address: shop@nago.com.


The personal data Controller will, without undue delay - and in any case within one month of receiving the request - provide you with information about the actions taken by him in connection with the request you have made. If necessary, the monthly period may be extended by another two months due to the complexity of the request or the number of requests.


1) Withdrawal of the consent

To the extent that the basis for the processing of your data is consent, the data will be processed until it is withdrawn. The consent may be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out before its withdrawal.


2) Right to object

You have the right to object at any time to the processing of your data for direct marketing purposes, including profiling, if the processing takes place in connection with the legitimate interest of the Controller.

The user also has the right to object at any time to the processing of his data for reasons related to his particular situation in cases where the legal basis for data processing is the legitimate interest of the controller (e.g. in connection with the implementation of analytical and statistical purposes, including profiling).


3) Complaint to the supervisory authority


If you believe that the processing of your personal data violates the law, you have the right to lodge a complaint with the supervisory authority competent for the place of your stay. In Poland, the supervisory body within the meaning of the GDPR is the President of the Personal Data Protection Office (https://uodo.gov.pl/). Before submitting a complaint, we encourage you to contact us and exercise your rights described in this policy.

Who do we share your personal data with and why?

Personal data obtained by the Controller in connection with the provision of services on the website will be disclosed to external entities, such as:

  • brokers of courier services or courier companies,
  • operators of online payment systems,
  • suppliers responsible for the operation of IT systems, including the Shopify platform,
  • operators of platforms for sending mailings,
  • marketing agencies (in the scope of marketing services commissioned by the Controller),
  • accountants, lawyers and auditors,
  • other entities with which the Controller has concluded an agreement on entrusting the processing of personal data.

In the case of data collected via cookies provided by third parties (e.g. Facebook or Google), this data will be made available to the providers of these cookies.

Data transfering to third countries

The level of personal data protection outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers personal data outside the EEA only when it is necessary and with an adequate level of protection, primarily through the use of standard contractual clauses issued by the European Commission.


Policy changes

The privacy policy is verified on an ongoing basis and updated if necessary.

The current version of the privacy policy is valid from January 21, 2022.