Legal Information

Privacy and Cookies Policy

Of the Sushi Żelazna Website

I. General provisions

This Privacy Policy sets out the rules for the processing and protection of personal data provided by Users in connection with the use of the website available at sushizelazna.pl (hereinafter: "Website").

Out of concern for the security of the data entrusted to us, we have developed internal procedures and recommendations to prevent data from being disclosed to unauthorized persons. We control their implementation and constantly check their compliance with relevant legal acts, including in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).

The Policy is informative and fulfills the information obligations imposed on the Controller by the GDPR.

II. Personal Data Controller

Administratorem Twoich danych osobowych jest: SUSHI ŻELAZNA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ z siedzibą w: Warszawie przy ul. Mikołaja Wierzynka 3 lok. 55
NIP (Tax ID): 527-306-28-99, REGON: 52565169100000, KRS: 0001043367 (hereinafter: "Controller").

Contact with the Controller is possible:

The Controller has not appointed a Data Protection Officer (DPO). In all matters relating to the processing of personal data, please contact the Controller directly.

III. Scope and categories of processed data

The Controller processes the following categories of personal data of Users:

  • When placing an online order: Name and surname, delivery address, phone number, email address, order details, payment data.
  • When contacting us: Name and surname, email address or phone number, message content.
  • Data collected automatically (Cookies): IP address, browser type, operating system, approximate location, history of activity on the Website.

IV. Purposes, legal bases and data retention period

We process your data for specific purposes, based on the law and for a specific period of time:

Processing purpose Legal basis (GDPR) Retention period
Order fulfillment
Execution of the sales contract and delivery.		 Art. 6 ust. 1 lit. b
(Wykonanie umowy)		 For the duration of the contract execution and the time necessary for civil law and tax claims to expire (usually 6 years from the end of the year).
Handling inquiries
Contact via form/e-mail/phone.		 Art. 6 ust. 1 lit. f
(Uzasadniony interes Administratora)		 For the duration of the correspondence and resolution of the matter.
Accounting and taxes
Invoices, bills.		 Art. 6 ust. 1 lit. c
(Obowiązek prawny)		 5 years from the end of the calendar year in which the tax payment deadline expired.
Marketing and Analytics
Statistics, remarketing.		 Art. 6 ust. 1 lit. a
(Dobrowolna Zgoda)		 Until consent is withdrawn or for the maximum retention period specified by tool providers (e.g. Google – 2 years, Meta – 720 days).
Establishment, pursuit of claims Art. 6 ust. 1 lit. f
(Uzasadniony interes)		 Until claims are time-barred (usually 3 or 6 years).

V. Data recipients (Processors)

In order to provide services (orders, payments, delivery), the Controller entrusts data processing to specialized external entities. These entities process data on the basis of data processing agreements or service regulations, guaranteeing data security.

1. Electronic Payments – Stripe

  • Entity: Stripe Payments Europe, Limited.
  • Function: Electronic payment service.
  • Nature of processing: Stripe may process payment account data, bank account data, billing/shipping address, name and surname, order description (including date, time, amount, product or service description), device ID, email address, IP address/location, order ID, payment card data, tax ID/status, unique customer ID, identity information, including government-issued documents (e.g. ID cards, driver's licenses and passports).
  • Sub-processors: The list of Stripe sub-processors is available at: stripe.com/en-pl/legal/service-providers

2. Order System – Loyka

  • Entity: Loyka Sp. z o.o.
  • Function: Order service in the Loyka app/website.
  • Nature of processing: Loyka may process payment account data, bank account data, billing/shipping address, name and surname, order description (including date, time, amount, product or service description), device ID, email address, IP address/location, order ID, payment card data, tax ID/status, unique customer ID, identity information (including government-issued documents) of the ordering User.
  • Additional purposes: Loyka also processes anonymized or pseudonymized data regarding website activity to generate aggregated statistics, monitor system security and software development.
  • Sub-processors: The list of Loyka sub-processors is available at: loyka.io/informacje-prawne

3. Delivery – Wolt Drive

  • Entity: Wolt Polska Sp. z o.o.
  • Function: Order delivery service from the Controller's location to the location indicated by the Customer.
  • Nature of processing: Wolt receives the Controller's data (including the personal data of end customers) through integration with the Wolt Drive API based on the Controller's instructions, executed by Loyka. Wolt processes this data in accordance with contracts concluded directly with the Controller.
  • Return data: Wolt, at the request of the Controller, provides the Loyka system with real-time data about the route and delivery location (courier geolocation data, without data identifying the courier).
  • Sub-processors: The list of Wolt sub-processors is available at: explore.wolt.com

4. Other recipients

  • IT and hosting service providers (e.g. Google Cloud Poland Sp. z o.o. – regarding infrastructure).
  • Accounting office (for tax settlement purposes).
  • Marketing tool providers (Google, Meta, Microsoft – details in section IX).

VI. Voluntary provision of data

Providing data is voluntary, but necessary to complete an online order or reply to an inquiry.

If the User does not want to provide personal data on the Website, they may place an order in person at the physical premises.

VII. Profiling and automated decisions

As part of marketing activities (Google Ads, Meta Ads), the Controller may use profiling (automatic analysis of behavior to match advertisements).

This profiling does not result in taking decisions concerning you that produce legal effects (e.g. we do not differentiate prices, we do not deny access to the service).

Profiling is based solely on your voluntary consent to marketing cookies.

VIII. Data security

The Website is secured against unauthorized access through the SSL/TLS encryption protocol (padlock symbol in the browser bar).

Data is accessed only by persons authorized by the Controller.

IX. Cookies and Tracking Technologies

Our Website uses cookies and similar technologies to ensure the proper operation of the site, traffic analysis and marketing activities.

1. Consent Management (Consent Mode v2)

We use an advanced consent management mechanism (Google Consent Mode v2).

  • The decision is yours: During the first visit, we display a banner where you can accept all cookies, reject optional ones, or select specific purposes.
  • No consent: If you reject analytical or marketing consents, Google scripts will not save cookies on your device. In this case, only anonymized signals (so-called "pings") are sent to Google, which do not contain user identifiers, but serve only for statistical modeling.

2. List of tools used

We use the services of the following external providers on the Website. Detailed information about each of them is also available in the cookie settings panel ("Customize").

A. Essential and Technical

They are required for the website to function. They cannot be turned off.

  • Google Tag Manager
    Provider: Google Ireland Limited.
    Purpose: Managing tags and scripts on the site. The tool itself does not save cookies, it only runs other scripts.
    Data transfer: EEA and USA (based on the Data Privacy Framework).

B. Analytics

They help us understand how Users use the website in order to improve it.

  • Google Analytics 4
    Provider: Google Ireland Limited.
    Purpose: Traffic analysis, purchase paths, measuring website effectiveness.
    Data: Anonymized IP address, device type, browser, location.
    Retention: Event data is stored for 2 years.
  • Microsoft Clarity
    Provider: Microsoft Ireland Operations Ltd.
    Purpose: Analysis of user behavior through heatmaps (where users click) and session recordings.
    Data: Mouse movements, scrolling, clicks (data is anonymized – we do not see entered passwords or sensitive data).
    Retention: Event data is stored for 390 days.

C. Marketing and Advertising

They are used to display personalized advertisements on other websites.

  • Google Ads & Remarketing
    Provider: Google Ireland Limited.
    Purpose: Remarketing (displaying reminder ads after leaving the page) and measuring conversions (ad effectiveness).
    Key cookies: _gcl_au (Conversion Linker – linking clicks to orders), IDE (Doubleclick), NID.
    Retention: Marketing cookies expire after a maximum of 1 year.
  • Meta Pixel (Facebook/Instagram)
    Provider: Meta Platforms Ireland Ltd.
    Purpose: Tracking conversions from Facebook/Instagram ads, creating ad audiences.
    Retention: Data is deleted by Meta at the latest after 720 days.

X. Data transfer outside the EEA

We use tools from global providers (Google, Meta, Microsoft), which may involve transferring your anonymized data (e.g. regarding the device, online identifiers) to third countries, in particular to the USA. This transfer is based on the European Commission's adequacy decision (under the Data Privacy Framework program), to which the aforementioned providers have acceded, or on the basis of Standard Contractual Clauses.

XI. Your Rights

According to the GDPR you have the right to:

  • Accessing your data and receiving a copy thereof.
  • Rectifying (correcting) your data.
  • Deleting data (the right to be forgotten).
  • Restricting the processing of data.
  • Objecting to data processing.
  • Data portability.
  • Withdrawing consent to cookies at any time.
  • Lodging a complaint with a supervisory authority (President of the Personal Data Protection Office), if you believe that the processing violates the provisions of the GDPR.

In order to exercise your rights contact us at: sushi.zelazna@gmail.com

XII. Changing cookie settings

You can change your decisions regarding cookies at any time by clicking the "Cookies" link available in the footer of our website or the button below:

XIII. Final provisions

The Controller reserves the right to make changes to the Privacy Policy. Changes may result from the development of internet technology, possible changes in law regarding the protection of personal data and the development of our Website.

Date of last update: Warsaw, 15.01.2026