Privacy Policy
Last updated: 8 January 2026
§ 1. Data controller
The data controllers are the partners of the civil law partnership, Marek Kiwer and Paweł Kordyś, operating within the civil law partnership under the name THE BIG THING S.C. M. KIWER, P. KORDYŚ, with its registered office in Kraków, ul. Oboźna 31/3, 30-011 Kraków, NIP: 6772435706, acting as joint controllers pursuant to Article 26 of the GDPR.
We have not appointed a Data Protection Officer.
This Privacy Policy forms an integral part of the terms and conditions of use for the website www.bigthing.pl. By using our services, you are entrusting us with your information. This document is intended to help you understand what data we collect, for what purpose, on what legal basis, and how we protect it.
We are committed to protecting your data and comply with Regulation (EU) 2016/679 of the European Parliament and of the Council (‘GDPR’), the Personal Data Protection Act and telecommunications legislation.
If you have any questions regarding this Policy or the protection of personal data, please contact us at: biuro@bigthing.pl.
§ 2. Privacy Policy
We respect your privacy and take the utmost care to ensure that your data is processed in a transparent, secure and compliant manner. We use your data only to the extent necessary to provide our services.
At the request of the data subject, we provide full information on how their data is processed, the purposes of processing, the recipients, the legal bases and the rights they are entitled to under the GDPR.
We must also inform you that, as the Data Controller, we may disclose your personal data to state authorities, courts, law enforcement agencies or other entities authorised to obtain such data under the law, to the extent necessary to fulfil the legal obligations incumbent on the Data Controller.
§ 3. Scope of data collection and processing
Personal data that you provide voluntarily when contacting us by email or during our collaboration:
- first name and surname,
- email address,
- telephone number,
- company name and tax registration number,
- other information provided voluntarily in correspondence.
Details of parcel recipients provided by customers for the purpose of processing shipments:
- the recipient’s first name and surname,
- the address or number of the parcel locker,
- telephone number.
Technical and operational data:
- IP address,
- browser and device information,
- server logs maintained by the hosting provider (for a period in accordance with the hosting provider’s retention policy).
Payment details:
- The data required to process online payments is processed by an external payment provider; Big Thing does not have access to payment card details.
Data collected in connection with event-related activities:
- lists of participants provided by the client,
- the information required to organise the event,
- photo and video material in accordance with the event regulations and the consents granted.
Email correspondence
- message content,
- the data sent in the attachments.
In addition, we collect data from analytics and marketing tools provided by third-party suppliers (only with your consent).
Providing personal data is voluntary, but necessary for us to contact you and provide our services.
§ 4. Purposes and legal basis for data processing
We process your data solely for legitimate purposes:
1. Contact and correspondence –
Article 6(1)(f) of the GDPR (the controller’s legitimate interests).
2. Provision of event services, parcel delivery and B2B projects –
Article 6(1)(b) of the GDPR (performance of a contract).
3. Accounting and tax
settlements – Article 6(1)(c) of the GDPR (legal obligation).
4. Relationship marketing aimed at existing B2B
customers, e.g. ongoing communication regarding the business relationship
– Article 6(1)(f) of the GDPR and Article 10(3) of the UŚUDE.
5. Website statistics and analytics (Google Analytics / GA4)
– Article 6(1)(a) of the GDPR (consent).
6. Remarketing and marketing activities (Meta Pixel)
– Article 6(1)(a) of the GDPR (consent).
§ 5. Data recipients
Your personal data may only be disclosed to organisations that help us provide our services, including:
- courier companies,
- manufacturers and distributors (when they dispatch goods on behalf of the customer),
- web hosting providers,
- online payment providers,
- accounting,
- providers of IT, analytics and marketing tools (Google, Meta),
The administrator specifies only the categories of recipients, not their full names.
§ 6. Transfer of data outside the EEA
When using Google and Meta services, data may be transferred outside the EEA.
This is carried out on the basis of Standard Contractual Clauses (SCCs), in accordance with the requirements of the GDPR.
§ 7. Data retention period
We retain data only for as long as is necessary to fulfil the purposes for which it was collected, in particular:
- contact details and correspondence – until the limitation period for claims arising from such contact has expired or until an objection is raised,
- recipients’ details – for the delivery of the last parcel, for a maximum of 30 days,
- accounting records – 5 years,
- server logs – in accordance with the hosting provider’s retention policy,
- data processed on the basis of consent – until such consent is withdrawn.
§ 8. Rights of data subjects
You have the right to:
- access to data,
- corrections,
- the right to erasure (‘the right to be forgotten’),
- restrictions on processing,
- data portability,
- to lodge an objection,
- to withdraw consent at any time,
- to lodge a complaint with the President of the Personal Data Protection Office.
If you require further information regarding the protection of personal data or wish to exercise your rights, please contact us by post at our correspondence address.
§ 9. Cookies and analytics tools
This website uses cookies for the following purposes:
- to ensure it functions properly (essential cookies),
- to ensure security, in particular for the purpose of detecting authentication fraud,
- collecting statistics (Google Analytics / GA4) — only with consent,
- to carry out marketing activities (Meta Pixel) — only with consent,
- displaying embedded content from external websites (YouTube, Facebook, Instagram, Google Maps).
YouTube videos are embedded in ‘youtube-nocookie’ mode, but they may load cookies once played — consent is required.
Users can manage their consent via the cookie banner or their browser settings.
Analytics and marketing tools are only activated once consent has been given via the cookie banner.
§ 10. Plugins and external content
The website may contain:
- YouTube videos,
- Facebook and Instagram content,
- social media plugins,
- Google Maps.
Displaying this content may involve the transfer of data to third-party service providers. It is only activated with the user’s consent.
§ 11. Data security
We implement appropriate technical and organisational measures to ensure the security of the personal data we process. These include, amongst other things, connection encryption (SSL), the use of server security measures, access control, authorisation for data processors, and the conclusion of data processing agreements with subcontractors processing data on behalf of the Controller.
§ 12 Policy changes
The policy is updated periodically to ensure it remains in line with the law and actual business processes.
Last updated: 8 January 2026
Come visit us
Kraków, ul. Oboźna 31/3

