RefSpace Privacy Policy
1. Personal Data Controller: The controller of your personal data is the operator of the RefSpace platform (hereinafter: “RefSpace” or “Controller”). The Controller operates within the European Union and the United Kingdom, which means that it is required to comply with the provisions of the GDPR (EU Regulation 2016/679) and the UK GDPR regarding the protection of personal data. In matters of privacy protection, you may contact the Controller (e.g. via the e-mail address provided on the platform) in order to exercise your rights or obtain information.
2. Purposes and Legal Bases for Data Processing: Your personal data is processed only for specific purposes and on appropriate legal bases. The main purposes include:
· User account registration and service – to create an account and ensure the functionality of the RefSpace platform, such as profile management, Creator’s shop, and transaction history. The legal basis is the necessity to perform a service contract (Article 6(1)(b) of the GDPR).
· Order fulfilment and sales (performance of the sales contract) – to enable the purchase of products from Suppliers via the platform and the delivery of those products. This includes the processing of data necessary to place an order, make a payment, transfer data to the Supplier for the purpose of shipping the goods, and handle returns. The basis is the performance of the sales contract between you and the Supplier, for which RefSpace is an intermediary (Article 6(1)(b) of the GDPR).
· Payments and financial services – to enable payment for orders and disbursement of funds to sellers. Transaction data (e.g. amount, payment information) is transferred to the external payment operator Stripe, which processes transactions in accordance with its own terms and conditions and security standards (PCI-DSS). The legal basis is the performance of a contract (payment processing) and the fulfilment of legal obligations (e.g. prevention of financial fraud). It should be noted that Stripe, as a licensed financial institution, is required to verify the identity of users (Know Your Customer principle), which may require you to provide additional data and documents.
· Verification and security – for the purpose of verifying users (e.g. confirming age, preventing the creation of fictitious accounts) and ensuring the security of services (e.g. detecting fraud, abuse, protection against attacks). The legal basis is the legitimate interest of the Administrator in ensuring the security of the website and other users (Article 6(1)(f) of the GDPR).
· Communication and customer service – to contact you in connection with the provision of services, e.g. transaction confirmation, order status notifications, responses to support queries or complaint handling. The legal basis is the performance of a contract (if the contact concerns services) or the Administrator’s legitimate interest in providing proper service to the user (Article 6(1)(f) of the GDPR).
· Marketing and notifications (with consent) – to send marketing information about new products, promotions, additional services from RefSpace or partners, as well as to send push notifications in the application and e-mails with RefSpace news (e.g. newsletter). We carry out such activities solely on the basis of your voluntary consent (Article 6(1)(a) of the GDPR), which you can express during registration or in your account settings. Consent may be withdrawn at any time, which does not affect the lawfulness of processing prior to its withdrawal. If you give your consent, RefSpace may send you, for example, in-app notifications and emails about new features or offers.
· Personalisation and analytics – to improve services and tailor content to users’ interests. RefSpace may analyse data about your activity (e.g. products viewed, categories, favourite Creators) in order to recommend content or products that may be of interest to you. The legal basis for such processing is the legitimate interest of the Administrator in improving the quality and suitability of services (Article 6(1)(f) of the GDPR). In some cases, cookies or similar technologies are used – details can be found in the RefSpace Cookie Policy. You may object to this type of personalisation (details below in the section on rights). Statistical analyses of the use of the platform (e.g. number of active users, product sales) are conducted in an anonymised or aggregated form, i.e. without the possibility of identifying individual persons.
· Fulfilment of legal obligations – in order to fulfil RefSpace’s obligations under the law, e.g. tax and accounting regulations (issuing and storing invoices), consumer protection regulations (handling contract withdrawals and returns), or requests from authorised bodies. The legal basis is Article 6(1)(c) of the GDPR (fulfilment of a legal obligation incumbent on the Controller).
In any case, RefSpace takes care to minimise the data processed in relation to the purpose – we only process data that is necessary to achieve a given purpose. If we intend to use your data for purposes other than those indicated above, we will always inform you in advance and, if required by law, ask for your consent.
3. Scope of Data Collected: Depending on how you use RefSpace, we may collect different categories of personal data:
· Data provided when registering an account: First and last name (or company name and first and last name of the representative – for users who are entrepreneurs), email address, telephone number, and account password. When creating an account, additional information may be required, such as company address details, tax identification number/VAT number (for billing purposes), bank account number or Stripe account ID (for withdrawals).
· User profile data: Information voluntarily provided in the Referrer’s or Buyer’s profile, e.g. profile photo, nickname, bio description, links to social media. You provide this data voluntarily so that other users can get to know you better – you can edit or delete it in your account settings.
· Data necessary for order fulfilment (Buyer): When you purchase products, we collect the data necessary to conclude and fulfil the sales contract. This includes, among other things, the recipient’s first and last name, delivery address (street, house/apartment number, postcode, city, country), telephone number, invoice details (if requested), and the selected delivery and payment method. This data is necessary for the Supplier to ship the goods and issue a sales document. Failure to provide this information will prevent the conclusion of a purchase agreement.
· Transaction and payment data: Information about transactions made, such as products ordered, amounts, selected payment method, payment status, order number, date and time of transaction. RefSpace does not store your full payment card details or other sensitive financial data – we entrust payment processing to an external operator (Stripe). Depending on the payment method, we may receive information from Stripe confirming the payment (e.g. the last 4 digits of the card, a unique transaction ID, payment status). We also collect information about the funds due to you from sales, commissions and fees deducted, as well as the history of payments of these funds to your account.
· Communication data: The content and metadata of communications with you within RefSpace or using contact channels (e.g. customer service emails, support chat). This includes reports, complaints, queries and responses. This information is processed in order to respond to you, resolve the reported issue and improve the quality of service.
· Data about your activity on the platform: When you use RefSpace, certain technical and activity-related information is automatically collected. This includes, among other things: the IP address of the device you are using, device and browser data (type, version, language), operating system data, identifiers assigned in cookies or similar technologies, as well as records of activity on the website (event logs). For example, we may record the dates and times of logins, the URLs of subpages visited, clicks on application functions, product searches, time spent watching videos, etc. Most of this data does not identify you directly, but if it is considered personal data under the law (e.g. IP address), we treat it with due care. We use it for analytical and statistical purposes, to secure the website and to personalise content (details in the Cookie Policy).
· Data from connected external services: If you decide to link your RefSpace account to external services (e.g. logging in via Google/Facebook or integrating your Gmail account for subscription purposes), we will receive certain information from these services – in accordance with the scope of your consent given there. In the case of integration with Gmail (if offered), RefSpace will gain access to, for example, basic information about your Google account after obtaining your explicit authorisation – the use of this data will be limited solely to the purposes indicated at the time of authorisation and in accordance with Google’s policies.
4. Data Sharing and Recipients: RefSpace does not sell your personal data to third parties. Access to the data is limited to authorised persons employed by or cooperating with the Administrator (e.g. employees, subcontractors providing IT services, customer service) – and only to the extent necessary to perform their tasks. Your personal data may be transferred to the following categories of recipients:
· Suppliers (Sellers) on the platform – when you purchase a product offered by an external Supplier, RefSpace provides that Supplier with your data necessary to complete the order. This primarily includes the buyer’s details: name and surname, delivery address, telephone number (if required for shipping), and possibly an email address for contact regarding the order. The Supplier receives this information in the seller’s panel after the order has been paid for and additionally in an email notification, which enables them to prepare the shipment. For example, when you purchase a product on RefSpace, the seller will receive your address details in order to ship the package or handle any returns. The supplier is obliged to use this data solely for the purpose of fulfilling the contract (shipping the goods, issuing an invoice, handling any returns/complaints).
· Payment operator (Stripe) – all online payments on the platform are handled by the external operator Stripe. When processing payments, we provide Stripe with the data necessary to process the transaction, e.g. the amount, currency, transaction description, email address (for payment confirmation purposes) and a unique transaction ID. In the case of Suppliers paying out funds, RefSpace provides Stripe with the data necessary to verify and make the payment (e.g. name and surname or company name, address, date of birth in the case of natural persons, bank account details for the payment). Stripe becomes a separate administrator of this data for the purpose of processing payments – before using the payment service, please read Stripe’s terms and conditions and privacy policy available at stripe.com. RefSpace ensures that Stripe meets data security requirements (PCI-DSS compliance).
· Courier companies/delivery operators – if, as part of the platform’s functionality, we enable you to order delivery of your order through integrated courier services (e.g. generating a shipping label), the recipient’s details (yours) may be transferred directly to the selected carrier (e.g. InPost, DHL) for the purpose of delivering the parcel. We only transfer the information necessary for shipping (name, address, telephone number/email address for notifications and, if necessary, the number of the parcel locker or collection point). Couriers become separate controllers of this data – we recommend that you familiarise yourself with their privacy policies. If the delivery is organised independently by the Supplier, then they transfer your data to the selected courier on their own responsibility.
· Entities supporting us in the provision of services (processors): RefSpace uses the services of external providers for website hosting, database maintenance, transactional email delivery, web analytics, internet marketing, payment processing, etc. These entities act on our behalf as so-called data processors and are bound by data processing agreements that guarantee that they will not use the entrusted data for any other purpose. Examples of such entities include: server and IT infrastructure providers, newsletter delivery companies, technical partners supporting push SDK in the application, and agencies analysing website traffic. The scope of data transferred to these entities is limited to what is necessary (e.g., the hosting provider stores the user database in the system, the analytics company processes aggregated website traffic data, etc.).
· Public authorities and authorised recipients under the law: We may disclose selected information about users to law enforcement agencies, supervisory authorities or other authorised entities (such as the Data Protection Authority, courts, police, public prosecutor’s office, tax authorities) – but only upon their justified request, in cases provided for by law. We always verify the legal basis for such a request and the scope of data to be disclosed, in accordance with the procedures provided for in the GDPR. In addition, if necessary to defend our rights or pursue claims, we may disclose certain data to relevant entities (e.g. a law firm representing us in a dispute).
5. Status of data controllers and joint control: When using the RefSpace platform, in certain situations, another entity, e.g. the Supplier (Seller) fulfilling your order, becomes the controller of your personal data alongside RefSpace. RefSpace and the Supplier then act independently as separate controllers of the Buyer’s personal data related to the fulfilment of the order. This means that: (a) RefSpace is responsible for processing the Buyer’s data in relation to the operation of the platform (sales intermediation, account maintenance, payments) and fulfils its information obligations towards the Buyer; (b) The Supplier receiving the Buyer’s data is responsible for its further processing for the purpose of performing the sales contract (product shipment, handling of any returns, fiscal obligations) and is obliged to fulfil its own obligations towards the Buyer under the GDPR (e.g. providing information on data processing within the scope of its activities). RefSpace requires Suppliers to have appropriate terms and conditions and privacy policies in place, but if you have any questions or wish to exercise your rights regarding the data provided to a Supplier, you may contact that Supplier directly. If necessary, RefSpace will assist in forwarding your request to the relevant Seller. We do not use a formal data co-processing model within the meaning of Article 26 of the GDPR, unless this is expressly indicated for specific processes.
6. Data Retention Period: Your personal data will be retained for as long as necessary to fulfil the purposes for which it was collected. Specific retention periods depend on the nature of the data and applicable regulations:
· We store your account data (profile, registration information) for as long as your RefSpace account is active. After you delete (or deactivate) your account, we generally delete or anonymise the associated data within 30 days, unless further storage is required by law (e.g. retention of transaction information for tax purposes) or justified to protect our interests (e.g. retention of data on violations of the terms and conditions to prevent re-registration of banned persons).
· Data relating to transactions (purchases, sales, payments) – we store this data for the duration of the contract and after its performance: (a) for the period specified by law regarding the obligation to store accounting and tax documentation. For example, sales data (invoices, accounting documents) may be stored for 5 tax years following the financial year in which the transaction took place, in accordance with tax law requirements; (b) for the limitation period for civil law claims – to the extent that the data may be necessary to establish, pursue or defend claims (as a rule, a maximum of 6 years from the event that may give rise to the claim, unless the law provides for a longer period in specific cases).
· Data used on the basis of consent (e.g. marketing data) – we store it until you withdraw your consent or the purpose of processing ceases to exist. Once you withdraw your consent, we will stop using this data for the given purpose, and if we have no other legal basis for doing so, we will delete or anonymise it.
· Technical and analytical data (system logs, activity information) – we store for a period of several months to a maximum of 2 years from the date of collection, depending on the type of information. Logs containing records of system activity may be stored for longer if necessary for security reasons (e.g. for the purposes of investigating security breaches or defending against attacks). Where possible, we anonymise analytical data after a short period of time (e.g. IP addresses in logs are anonymised after 30 days and data in Google Analytics is stored in aggregated form).
After the above-mentioned periods, the data is deleted or permanently anonymised so that it cannot be linked to a specific person. In the case of backups, the data will also be overwritten/deleted, although this may occur with some delay due to the backup cycle.
7. Rights of Data Subjects: In accordance with applicable data protection regulations, you have the following rights in relation to the processing of your data by RefSpace:
· Right of access to data – you have the right to obtain information about whether we process your personal data and, if so, to receive a copy of your data and information about, among other things, the purposes, grounds, categories of data, recipients and planned storage period. You can access your basic account data directly by logging into your RefSpace account. For more information or a complete copy of your data, please contact us (we may ask for additional identity verification before providing the data).
· Right to rectify data – you have the right to request that your personal data be corrected if it is incorrect or out of date, and to have incomplete data completed. You can edit most data (e.g. profile data, delivery address) yourself in the user panel. In other cases, we will comply with your request for rectification immediately, unless this is prevented by the obligation to keep the data unchanged (e.g. on invoices already issued).
· Right to erasure (“right to be forgotten”) – you have the right to request the erasure of your personal data in the following cases: (a) the data is no longer necessary for the purposes for which it was collected; (b) you have withdrawn your consent to processing and we have no other legal basis; (c) you have objected (in the case of processing based on legitimate interest or for direct marketing purposes); (d) the data has been processed unlawfully; (e) the data must be deleted in accordance with the law. Please note that in some situations we will not be able to delete your data immediately – this mainly applies to situations where we need to retain it due to a legal obligation (e.g. transaction history for accounting purposes) or to establish, investigate or defend claims. In such a situation, we will inform you of the reason for refusing your request for deletion. We generally treat the termination of use of the platform (e.g. deletion of an account) as a request for deletion of data, unless the law requires further storage.
· Right to restriction of processing – you have the right to request that we restrict the processing of your personal data (i.e. store it but temporarily refrain from performing other operations on it) in the following situations: (a) you contest the accuracy of the data – for a period enabling us to verify its accuracy; (b) the processing is unlawful, but you oppose the erasure of the data, requesting instead that its use be restricted; (c) we no longer need the data for our purposes, but you need it to establish, defend or pursue legal claims; (d) you have objected – until we have verified whether our legitimate grounds override your objection. Where a restriction applies, we may store the data but will not actively use it (except as provided for in Article 18(2) of the GDPR, e.g. with your consent). We will inform you before we lift such a restriction.
· Right to data portability – to the extent that your data is processed on the basis of a contract or consent, you have the right to receive from us a copy of the data you have provided to us in a structured, commonly used, machine-readable format so that it can be transferred to another controller. You also have the right to request that we transfer this data directly to another controller, if technically possible. This right applies only to data that we process in an automated (electronic) manner.
· Right to object – you have the right to object at any time to the processing of your personal data that is based on our legitimate interest (Article 6(1)(f) of the GDPR). An objection on grounds relating to your particular situation entitles you to request that we stop processing this data, unless we can demonstrate compelling legitimate grounds for further processing that override your interests, rights and freedoms, or grounds for establishing, exercising or defending legal claims. However, if the data is processed for direct marketing purposes, your objection is absolutely binding – if we receive it, we will no longer use your data for this purpose. This also applies to profiling insofar as it is related to direct marketing. You can easily object, e.g. through your account settings (disabling marketing consents) or by contacting us by email.
· Right not to be subject to automated decision-making – RefSpace does not make decisions that have legal effects or significantly affect you based solely on automated data processing (without human intervention). Certain elements of processing may be automated (e.g. automatic classification of content to detect violations of the terms and conditions, automatic product recommendations based on purchase history), but we do not link them to decisions that determine your rights or benefits without the involvement of RefSpace staff. Profiling may occur within the platform, understood as the automated processing of your data to analyse or predict your preferences and behaviour (e.g. we assess which categories may be of interest to you based on your previous activity). Such profiling is mainly used to personalise content and advertisements – you can object to it at any time (as mentioned above). In the event that RefSpace intends to introduce fully automated decision-making in individual cases in the future (e.g. automatic rejection of a Supplier’s offer that violates the policy without employee review), you will be informed in advance and we will provide you with the opportunity to appeal such a decision to human intervention.
To exercise your rights, you can contact us via the user support e-mail address or the Administrator’s postal address (available in the contact section). We will consider requests regarding your rights without undue delay – as a rule, within 1 month, and if necessary, extended to a maximum of 3 months (we will inform you of the extension). The exercise of rights is generally free of charge. However, if your requests are clearly unfounded or excessive, in particular due to their repetitive nature, RefSpace may: (a) charge a reasonable fee taking into account the administrative costs of providing the information or taking the requested action, or (b) refuse to act on the request.
8. Data Security: We take the utmost care to ensure that your personal data is properly secured. We use appropriate technical and organisational measures, in line with industry standards, to protect data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access by unauthorised persons. Our security measures include: SSL/TLS data transmission encryption, encryption of sensitive information in the database, a permission system that restricts access to data to authorised persons only, regular backups, as well as implemented procedures for dealing with data security breaches. Our systems and applications are regularly updated to patch any vulnerabilities. In addition, we require all partners who process data on our behalf to meet high security standards. Please note, however, that no method of data transmission over the Internet or electronic data storage is 100% secure. In the event of a threat, we will respond in accordance with legal requirements and, where required, inform you of any incidents (e.g. data breaches).
9. Transfer of Data Outside the EEA: As a rule, we store your personal data within the European Economic Area (EEA) and do not transfer it to third countries (outside the EEA or the United Kingdom). However, some data may be transferred outside the EEA if this is necessary for the purposes of processing – this applies, for example, when we use the services of international entities (such as Google, Meta) or when you yourself use the platform while outside the EEA. In the event of such a transfer, RefSpace applies the data protection mechanisms required by law, including, in particular, standard contractual clauses approved by the European Commission, and assesses any risks to privacy. You have the right to request a copy of the relevant safeguards we use when exporting your data – please contact us for this purpose.
10. Changes to the Privacy Policy: This Privacy Policy may be updated from time to time, including in the event of changes in the way RefSpace processes data or changes in legal regulations. We will notify you of any significant changes to the Policy through the service (e.g. in-app message, email or notification) and will post the consolidated text of the document with the new effective date. We recommend that you regularly review the current content of the Policy. By using the platform after the changes come into effect, you accept the updated rules.
11. Contact regarding privacy: Please send any questions, requests or demands regarding your personal data to our e-mail address dedicated to data protection: helpdesk@refspace.com (example address – the correct one is provided on the website). You can also contact us in writing at the Administrator’s registered office. We will endeavour to respond or fulfil your request immediately, no later than within the time limits specified above. In addition, you have the right to lodge a complaint with a supervisory authority – in Poland, this is the President of the Personal Data Protection Office (PUODO), and in the United Kingdom, the Information Commissioner’s Office (ICO) – if you believe that we are processing your data unlawfully. However, we encourage you to contact us first – we value your privacy and will try to clarify any doubts you may have.
(This Privacy Policy comes into force on 1 October 2025 and forms an integral part of the RefSpace Platform Terms and Conditions accepted by users upon registration.)