Privacy Policy

Last updated: November 18, 2025

Read

1. Introduction

E:KO ᛟ HEIR ("E:KO HEIR", "we", "our", or "us") respects your privacy.

This Privacy Policy explains how we handle personal data when you:

  • visit our digital showroom at https://heir.se,

  • contact us,

  • or request / purchase our products.

We avoid unnecessary tracking and collect only what we need to communicate with you, fulfill your order, and keep the Website secure.

We do not use advertising trackers. We don't use tracking cookies – just memories.

This Policy is intended to comply with the General Data Protection Regulation (GDPR) and relevant Polish and EU data protection law.

2. Data Controller

The data controller responsible for your personal data is:

E:KO ᛟ HEIR
Nowogrodzka 50/515, 00-695 Warszawa, Poland
Email: eko@heir.se

If you have any questions about this Policy or your data, you can contact us at the email above.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

3.1. Information you provide directly

When you:

  • use our contact form,

  • send us an email,

  • request a quote or custom collaboration,

  • or place an order,

we may collect:

  • name and surname,

  • email address,

  • billing and shipping address,

  • phone number (if provided for delivery or contact),

  • order details (products, quantities, special requests),

  • messages and correspondence with us.

3.2. Order and payment information

For orders, we collect:

  • order history,

  • payment status and method (e.g. card, bank transfer),

  • limited payment information (for example: last digits of account or card, payment reference).

We do not store full card numbers on our own servers. Card data is processed directly by our payment service provider, if applicable.

3.3. Technical and log data

When you visit the Website, our hosting and security systems may automatically collect:

  • IP address (for security and anti-abuse purposes),

  • browser type and version,

  • operating system,

  • pages visited and basic request metadata,

  • date and time of access.

We currently do not use web analytics tools (such as Google Analytics) for behavioral tracking.

3.4. Marketing preferences

If you choose to join a newsletter or similar list, we may collect and store:

  • your email address,

  • your consent status,

  • the date and time when you opted in or unsubscribed.

4. Purposes and Legal Bases for Processing

We process personal data for the following purposes and legal bases:

  1. Responding to inquiries and messages

    • Purpose: to answer your questions, discuss collaborations, and provide support.

    • Legal basis: our legitimate interest in communicating with you (Art. 6(1)(f) GDPR) and, where clearly based on your choice to contact us, consent (Art. 6(1)(a)).

  2. Processing orders and delivering products

    • Purpose: to create and manage your order, handle payment, ship products, and provide after-sales support (including returns and statutory warranty).

    • Legal basis: performance of a contract or steps prior to entering into a contract (Art. 6(1)(b)) and legal obligation (e.g. tax and accounting) (Art. 6(1)(c)).

  3. Maintaining website security and preventing abuse

    • Purpose: to keep the Website stable and secure, detect and prevent fraud, hacking, or misuse.

    • Legal basis: our legitimate interest in protecting our services (Art. 6(1)(f)).

  4. Marketing communications (opt-in only)

    • Purpose: to send you carefully curated updates about limited runs, samples, or journal entries, if you explicitly choose to receive them.

    • Legal basis: your consent (Art. 6(1)(a)).

    • You can withdraw your consent at any time (see section 9).

  5. Legal, compliance, and dispute resolution

    • Purpose: to comply with legal obligations, respond to lawful requests from authorities, and establish or defend legal claims.

    • Legal basis: legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f)).

We do not use your personal data for automated decision-making or profiling in the sense of GDPR Article 22.

5. Cookies and Similar Technologies

We intend to keep tracking to an absolute minimum.

  • We do not use analytics cookies or third-party advertising pixels.

  • We may use strictly necessary technical cookies or similar mechanisms (such as session identifiers) if required for:

    • basic Website functionality,

    • security (e.g. protection against abuse or bots),

    • operation of any checkout or order form we implement.

These essential cookies, if any, are not used for tracking you across other sites.

You can usually disable cookies in your browser settings, but this may affect the functioning of certain features (for example, forms or checkout).

If we ever introduce analytics or other optional cookies, we will update this Policy and, where required, implement a consent banner so you can choose.

6. Data Storage and Retention

We retain personal data only for as long as necessary for the purposes described above, including:

  • Inquiry-only data (no order): kept for the time needed to respond and for a limited period afterward for our records, then deleted or anonymized.

  • Order and invoicing data: kept for the duration required by Polish and EU tax/accounting law (typically up to 5–6 years from the end of the financial year).

  • Email correspondence: kept as long as reasonably necessary for reference, dispute resolution, and quality improvement, unless you request deletion where possible.

  • Newsletter/marketing data: kept until you unsubscribe or withdraw consent.

We may retain minimal information after deletion (for example, your email in a "do not contact" list) where necessary to respect your request not to be contacted again.

7. Data Security

We take appropriate technical and organizational measures to protect your data, including:

  • secure hosting and encrypted connections (HTTPS),

  • limiting access to personal data to those who need it,

  • using reputable, privacy-aware service providers,

  • regular updates and basic security practices.

No system can be completely secure, but we aim to keep risk proportionate and reasonable given the size of our studio and the nature of the data.

8. Sharing of Personal Data

We do not sell your personal data.

We may share it with:

  1. Service providers (processors) who help us operate the Website and fulfill orders, such as:

    • web hosting and server providers,

    • email and newsletter services,

    • payment service providers,

    • shipping and logistics companies.

    These providers only receive the data necessary to perform their functions and are bound by contracts that require them to protect your data and comply with GDPR where applicable.

  2. Professional advisors, such as accountants or legal advisors, when necessary for compliance or defense of legal claims.

  3. Authorities, courts, or regulators when required by law or when necessary to protect our rights or the rights of others.

We do not share your data with third parties for their own independent marketing purposes.

9. Your Rights Under GDPR

You have the following rights in relation to your personal data, subject to certain conditions and exemptions:

  • Right of access: to obtain confirmation whether we process your data and to receive a copy of it.

  • Right to rectification: to correct inaccurate or incomplete data.

  • Right to erasure ("right to be forgotten"): to request deletion of your data when it is no longer needed or if processing is unlawful.

  • Right to restriction: to request that we limit processing under certain circumstances.

  • Right to data portability: to receive your data in a structured, commonly used format and to transmit it to another controller where technically feasible.

  • Right to object:

    • to processing based on our legitimate interests, for reasons relating to your particular situation,

    • to direct marketing at any time (including profiling related to such marketing, if any).

  • Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time; this will not affect processing that took place before withdrawal.

To exercise any of these rights, contact us at eko@heir.se. We may need to verify your identity before fulfilling your request.

We aim to respond within 30 days, as required by law.

10. Children’s Privacy

Our Website and products are not intended for children under 16.

We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us, and we will take steps to delete such data where required.

11. International Data Transfers

Our main operations are based in Poland and the EU. Some of our service providers may process data outside the European Economic Area (EEA).

Where personal data is transferred outside the EEA, we ensure that an appropriate level of protection is in place, for example through:

  • adequacy decisions by the European Commission, or

  • Standard Contractual Clauses (SCCs), or

  • other mechanisms compliant with GDPR.

You can contact us for more details about specific transfers related to your data.

12. Data Breach Notification

In the unlikely event of a personal data breach likely to result in a risk to your rights and freedoms, we will:

  • assess the scope and impact,

  • notify relevant supervisory authorities as required,

  • inform affected individuals without undue delay when mandated by law,

  • take steps to mitigate and remediate the incident.

13. Marketing Communications

We prefer quiet, relevant communication.

  • We will only send you marketing emails (for example, about limited runs or samples) if you have explicitly opted in.

  • Each message will contain a simple way to unsubscribe (for example, a link or clear instructions).

  • If you unsubscribe, we will stop sending marketing messages, although we may still contact you about orders, legal obligations, or important service updates.

14. Supervisory Authority

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with your local data protection authority.

In Poland, this is:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warsaw, Poland
Website: https://uodo.gov.pl/en

We would, however, appreciate the chance to address your concerns first, so please consider contacting us at eko@heir.se.

15. Changes to This Privacy Policy

We may update this Policy from time to time, for example to reflect:

  • changes in our practices,

  • new legal requirements,

  • new tools or services we use,

  • feedback from our community.

The "Last updated" date at the top shows when it was last revised. Material changes will be highlighted on the Website where appropriate.

16. Language

This Privacy Policy may be made available in both Polish and English.

In case of any discrepancy, inconsistency, or doubt as to interpretation, including in any dispute or complaint, the Polish language version shall prevail for data subjects in Poland. The English version is provided for convenience only.

17. Contact

For any privacy questions, requests, or concerns, you can reach us at:

Email: eko@heir.se
Website: https://heir.se

We aim to respond within 30 days, often sooner.