We use cookies
We enable all cookies by default to ensure the proper functioning of our website, advertising and analytics in accordance with our Cookie Policy and Privacy Policy.
PRIVACY POLICY
Publication date: 10.01.2026
This Privacy Policy (hereinafter – the “Policy”) explains how the Company collects, uses, processes, and stores the Personal Data of Platform Users in accordance with the applicable laws of Poland and the General Data Protection Regulation (GDPR). We respect Your privacy and are committed to ensuring the reliable protection of Personal Data provided by our Users.
The Company operates by offering and selling portable medical equipment and related products through the Platform. The Platform serves solely as a technical and informational resource for placing orders and does not provide medical, diagnostic, or treatment services.
The Company is not responsible for any decisions, actions, or inactions of the User made based on Data, results, or information obtained while using the medical equipment purchased through the Platform, nor for any consequences of such use.
Responsibility for the proper and safe use of the medical equipment in accordance with its intended purpose, technical documentation, and manufacturer’s instructions lies solely with the User.
This Policy describes how the Company processes Users’ Personal Data and the legal grounds on which such processing is based.
1. Terms Used in the Policy
“Company” – REMED PL SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, a legal entity registered in Poland, with its registered office at UL. WŁADYSŁAWA ŁOKIETKA 5, 87-100, TORUŃ district, KUJAWSKO-POMORSKIE voivodeship, tax identification number (NIP): 8792769707, statistical identification number (REGON): 54251414000000, registered in the National Court Register (Krajowy Rejestr Sądowy) under No. 0001189909 as of August 21, 2025 (hereinafter – the “Company,” “We,” “Us,” “Our”).
“Platform” – an electronic commerce platform owned and operated by the Company, accessible online at remedcare.pl and/or remedpl.com (or at any other URL that may be specified by the Company), through which Users can view Product listings, place Orders, and pay for Products. The Platform includes all pages, features, functionalities, databases, and services provided by the Company.
“Product” – any item presented on the Platform, including medical devices (as defined in Regulation (EU) 2017/745), which is the subject of a purchase agreement between the Company and You.
“Order” – a User’s statement of intent submitted via the Platform, constituting an offer to conclude a purchase agreement (pursuant to Article 66 of the Civil Code of the Republic of Poland, as amended (Ustawa z dnia 23 kwietnia 1964 r. – Kodeks cywilny)).
“Data Subject” – any person who visits and/or uses the Platform, whose Personal Data is processed, including visitors and Users of the Platform (“User,” “You,” “Your”).
“Personal Data” – any information relating to an identified or identifiable natural person, which is processed by the Company in accordance with Regulation (EU) 2016/679 (GDPR) and this Policy (“Personal Data,” “Data”).
“Processing of Personal Data” – any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, registration, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction (“Processing”).
“Data Controller” – the Company, which determines the purposes and means of Processing Personal Data, establishes the composition of such Data, and sets the procedures for its Processing.
“Data Processor” – the Company or other entities authorized by the Data Controller or by law to process Personal Data on behalf of the Data Controller.
“Consent” – any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she confirms agreement to the Processing of their Personal Data through a clear affirmative action.
“General Data Protection Regulation” – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of Persobal Data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
Terms and definitions not explicitly defined in this Section shall be interpreted in accordance with the applicable law of the Republic of Poland, and in the absence of such legislative definitions – according to their ordinary meaning in the context of Platform operations.
2. Personal Data We collect
Persobal Data provided by the User: | Persobal Data that We automatically receive when a User uses the Platform: | Persobal Data that We receive from other sources: |
| (a) Persobal Data Provided by the User:Order-related information: When You place an Order or fill out a contact form, we collect Your first name, last name, middle name (if applicable), contact information (phone number), email address, and similar details.User-generated content: When You use the Platform, We may collect Personal Data included in the content You provide or input.Communication information: If You fill out a contact form, we collect information such as Your first name, last name, email address, and the content of the messages You send.(b) Personal Data Provided by the User to the Platform:Users of the Platform who place Orders for Products provide the following Data:First name, last name, middle name (for processing the Order and delivery purposes).Phone number (for Order confirmation and communication purposes).Email address (for receiving Order confirmation).City of delivery.Street address, house number, apartment number (for courier delivery).Delivery operator branch number (if applicable). | The Platform automatically collects certain Data about Users during their use of the Platform, including:IP address (for determining the visitor’s geographic region, traffic analytics, fraud prevention, and unauthorized access protection).Geolocation / User location (to identify the visitor’s country, region, or city for audience analytics and improving content localization).User interests (analysis of visitor behavior and audience segmentation).Information about the operating system, browser, and their types (to optimize website performance, ensure compatibility with different browsers and operating systems, conduct technical audits, and troubleshoot errors).Device type (mobile/desktop) and mobile device model (analysis of the types of devices used by Users to adapt design and improve UX/UI). | We may receive information from security partners (for fraud and abuse prevention) only if You have given the corresponding consent in the settings. We do not use Personal Data for training artificial intelligence models without Your separate, explicit consent. |
For technical diagnostics and stability, we process technical logs (IP address, device identifier/model, OS/application version, time zone, event/error code, timestamp), performance telemetry, as well as aggregated usage statistics.
3. How We Use Personal Data
We may use Personal Data for the following purposes:
Provision and operation of the Platform. We use Your Personal Data to provide access to the Platform, including the placement, processing, and fulfillment of Orders, payment processing, and other functions necessary for the normal operation of the Platform.
Improvement and development of the Platform. We use Personal Data to enhance the Platform, develop new features and functionalities, and conduct necessary research and analysis to make the Platform more effective and useful for Users. Testing and debugging are primarily carried out on anonymized or pseudonymized Data.
Communication with Users. We use Your Personal Data to communicate with You regarding Products and Orders.
Fraud prevention and security. We use Your Personal Data to ensure the security of the Platform, prevent fraud, abuse, and unauthorized use of the Platform. This includes monitoring and detecting misuse or suspicious activity on the Platform, as well as resolving technical issues. Technical logs and telemetry are processed separately to maintain service stability.
Compliance with legal obligations. We process Data to comply with legal requirements, including accounting and tax obligations, responding to lawful requests from authorities, maintaining evidence of Order fulfillment, and meeting requirements under data protection laws.
Protection of legal claims and dispute resolution. Personal Data is used to establish, exercise, or defend legal claims, as well as for the effective and timely resolution of disputes arising in connection with the use of the Platform.
Exercise of Data Subject rights and handling requests. We process Your Data to identify You and handle requests for access, correction, deletion, restriction, data portability, or objection, and to maintain a record of such requests.
Other legitimate interests. We may process Your Personal Data for other legitimate interests of the Company, provided that such Processing does not override Your rights, freedoms, and interests, and is carried out in accordance with applicable Polish and EU law.
Anonymization and aggregation of Data. We may anonymize or aggregate Your Personal Data for analyzing Platform performance, improving features, and conducting research. Such anonymized Data is used for statistical purposes without the possibility of identifying You, and we will not attempt to re-identify You, except where expressly required by law or based on Your explicit Consent.
Automated decision-making. We do not carry out automated decision-making, including profiling, which produces legal effects for You or similarly significantly affects You (Art. 22 GDPR).
We do not process Your Personal Data for any purposes other than those described above. If We process Your Data for purposes not previously indicated, We will notify You in advance and, where necessary, request Your explicit Consent. This rule does not apply if the Processing is necessary for compliance with legal obligations imposed on us by law or for legitimate interests under Article 6(1)(f) GDPR, provided that such Processing does not override Your rights and interests.
The Company does not process special categories of Personal Data, including health data of Users within the meaning of Article 9 GDPR, and does not collect or analyze data generated by Products during their use.
4. Legal Grounds for Processing Personal Data
In the process of processing Your Personal Data for the purposes specified above, We rely on the following legal grounds:
| Purpose of Processing | Types of Personal Data Processed | Legal basis |
| Providing access to and ensuring the operation of the Platform | Order / request information (full name, phone, email, etc.)User content and messagesLog data, usage data, device information | Art. 6(1)(b) GDPR (necessary for performance of a contract / provision of services);Art. 6(1)(f) GDPR (legitimate interest – service stability). |
| Communication with You | Order informationCommunication informationLog / usage data (for delivery of notifications) | Art. 6(1)(b) GDPR (performance of a contract);Art. 6(1)(f) GDPR (ensuring We is informed about service status). |
| Platform improvement and development; research, product analytics | Log dataUsage dataDevice informationUser content (technical signals only)Cookies / SDK analytics (with consent) | Art. 6(1)(f) GDPR (legitimate interest – service development and quality);For optional analytics/marketing – Art. 6(1)(a) GDPR (Consent). Medical data is not used for research without separate explicit consent / de-identification. |
| Fraud prevention, security, incident detection/localization, DDoS/abuse protection | Log dataUsage dataDevice informationAccount informationConnection / call metadata | Art. 6(1)(f) GDPR (legitimate interest – platform and We security);Art. 6(1)(c) GDPR (where required by cybersecurity / financial monitoring laws). |
| Compliance with legal obligations (accounting, taxes, responses to lawful requests, handling claims) | Transaction detailsAccount / order identifiersCorrespondence / complaints | Art. 6(1)(c) GDPR (compliance with legal obligation). |
| Order processing on the Platform | Full name, contact number, emailAddress / city or delivery point numberOrder / delivery dataPayment metadata | Art. 6(1)(b) GDPR (performance of sales / delivery contract);Art. 6(1)(c) GDPR (accounting, fiscal requirements). Delivery service and bank – separate controllers. |
| Legal defense and claims handling | Account / transaction dataLogs / correspondenceOther necessary evidence | Art. 6(1)(f) GDPR (protection of the company’s rights/interests). |
| Vital interests (emergencies requiring data for prevention of serious harm to life/health) | Minimally necessary contact / response data | Art. 6(1)(d) GDPR (protection of vital interests). |
5. How We Store and Process Your Personal Data
How long do We retain Your Personal Data?
We store Personal Data for the period necessary to achieve the purposes for which such Data was collected and processed, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Polish law. User Personal Data is retained for the duration of the User’s use of the Platform and the existence of contractual obligations between the User and the Company. Personal Data processed in connection with the placement and fulfillment of Orders is retained in accordance with the retention periods required by Polish law, including tax and accounting legislation. After the termination of contractual obligations, Personal Data may be retained for the statute of limitations period provided under applicable law, for the purpose of establishing, exercising, or defending the Company’s legal claims.
The retention period of Personal Data depends on a number of factors, including:
- Our purpose for processing the Data (e.g., whether We need to retain Data to provide access to the Platform);
- The scope, nature, and confidentiality of the Data;
- The potential risk of harm resulting from unauthorized use or disclosure of Data;
- Legal obligations applicable to us;
- The category of Data (account/payment metadata/logs/support) and internal retention policies;
- Retention periods for logs and telemetry (usually 30–90 days depending on log type and provider; e.g., access logs ~30 days, diagnostic log events/crash logs (Sentry) up to 90 days, push notification metadata (OneSignal) 30–90 days).
Users may request the deletion of their Personal Data by sending a request to: remedpl@remed.care. To protect Personal Data and prevent unauthorized access, the Company may request additional information to verify the User’s identity before processing the request. Personal Data deletion is carried out in accordance with GDPR requirements and does not apply to Data that must be processed to comply with the Company’s legal obligations or to establish, exercise, or defend legal claims.
Where do We store Your Personal Data?
User Personal Data is processed and stored solely to the extent necessary for handling inquiries and processing Orders submitted via the Platform’s contact form. Such data is stored in the website database hosted on a VPS and is not stored in CRM systems, local spreadsheets, or other external storage. Personal Data is retained only as long as reasonably necessary to process the User’s request and maintain communication, or until it is deleted at the User’s request if no other retention period is provided or required by applicable law.
To ensure Data security and integrity, regular backups are performed. Backups are stored on the same VPS hosting for up to 1 (one) year and are used exclusively for Data recovery in the event of technical failures, loss, or damage. Access to Personal Data and backups is restricted and carried out with appropriate organizational and technical security measures in accordance with GDPR requirements.
Security of Your Personal Data
We implement appropriate technical and organizational security measures to protect Personal Data from unauthorized access, loss, destruction, disclosure, or other unlawful processing in accordance with Article 32 GDPR. Specifically, the Company applies the following measures:
- Staff training on Personal Data protection and information security;
- Internal policies, procedures, and instructions regarding Personal Data processing;
- Execution of non-disclosure agreements (NDAs) with employees and engaged contractors;
- Encryption of Personal Data during transmission using secure protocols (e.g., HTTPS, TLS);
- Regular backups of Personal Data to ensure its integrity and availability;
- Use of firewalls and other IT infrastructure network protection tools;
- Application of technical access and authorization controls, including two-factor authentication (2FA), CAPTCHA mechanisms, and request rate limiting.
The applied security measures are regularly reviewed and updated considering technological developments, the nature and scope of Processing, and the associated risks.
6. Do We Share Your Personal Data with Third Parties?
We do not transfer Your Personal Data to third parties, except in cases where such transfer is required by law, necessary for the processing and/or fulfillment of an Order, carried out based on Your explicit instructions, or expressly provided for in this Policy. For the proper functioning of the Platform, access to certain Data may be granted to the Company’s employees/contractors (under confidentiality agreements and only to the extent necessary to perform their duties) and to service providers engaged by the Company as Processors in accordance with Article 28 GDPR. In such cases, We conclude Data Processing Agreements (DPAs), implement technical and organizational security measures, limit processing purposes according to our instructions, and, where necessary, apply the EU Standard Contractual Clauses (SCCs) for international transfers.
To properly execute purchase-sale agreements, process payments, and deliver Products, the Company may transfer User Personal Data to the following categories of recipients:
Payment Providers
For payment processing, the Company uses the PayPal service. Accordingly, certain Personal Data (such as name, contact details, payment information, and transaction identifiers) is shared with PayPal to the extent necessary to complete and confirm the payment, prevent fraud, and fulfill legal obligations. PayPal processes Personal Data as an independent Controller according to its privacy policy: https://www.paypal.com/pl/webapps/mpp/ua/privacy-full.
Logistics and Courier Services
For the delivery of ordered Products, the Company may provide Personal Data (name, surname, delivery address, phone number, email address – if necessary) to delivery operators such as InPost, Poczta Polska, and international courier services DPD, DHL, UPS. Data transfer to such recipients is strictly limited to what is necessary to organize and execute the delivery of Products. Users are responsible for reviewing the privacy policies of the respective postal and courier services, which are available on their official websites.
IT Service Providers
The Company may engage third parties providing administrative, technical, and IT services, including hosting (VPS), CDN, protection against unwanted traffic and DDoS attacks, and other infrastructure services necessary for the proper functioning of the Platform. These providers process Personal Data solely on the Company’s instructions, under Data Processing Agreements, in accordance with Article 28 GDPR, and may not use the Data for their own purposes.
Analytics and Monitoring Services
To analyze Platform usage, monitor stability, and improve the We experience, the Company may use analytics services, including Google Analytics. These services provide aggregated information about Platform usage (e.g., number of visits, behavioral patterns, traffic sources) to enhance the efficiency, stability, and quality of the Platform. Data processing via Google Analytics is carried out according to Google’s terms. To learn how Google processes Personal Data within its services, including analytics services, see Google’s Privacy Policy: https://policies.google.com/privacy.
When analytics require User consent (e.g., optional cookies for analytical purposes), the Company requests such consent separately before performing the relevant processing, in accordance with GDPR and local laws.
Government and Supervisory Authorities
The Company may disclose User Personal Data to competent authorities of the Republic of Poland, other EU member states, or EU supranational authorities, only as required by applicable law or pursuant to properly executed and legally binding requests. Such disclosure may occur, in particular, for compliance with legal obligations, protection of the Company’s or third parties’ rights and legitimate interests, or within criminal or administrative proceedings.
International Transfer of Personal Data
If certain Processors or service providers are located outside the European Union / European Economic Area or the United Kingdom, the Company ensures an adequate level of Personal Data protection through GDPR-compliant mechanisms, including the European Commission’s Standard Contractual Clauses (SCCs), as well as additional technical and organizational security measures (including encryption, pseudonymization, and access restrictions). Where possible, the Company uses services with regional data storage within the EU.
7. Users’ Rights
As a Data Subject, the User has the rights provided under the EU Regulation 2016/679 (GDPR) and applicable law of the Republic of Poland, including:
- The right to obtain information about the processing of Personal Data and the right of access to their Personal Data;
- The right to rectify (correct) inaccurate or incomplete Personal Data;
- The right to erase Personal Data (“right to be forgotten”) in cases provided by the GDPR;
- The right to restrict the processing of Personal Data;
- The right to receive Personal Data in a structured, commonly used, and machine-readable format, and the right to transfer such Data to another Controller, if technically feasible;
- The right to object to the processing of Personal Data, including processing based on the Company’s legitimate interests;
- The right to withdraw consent to the processing of Personal Data at any time, if such consent is the legal basis for processing, without affecting the lawfulness of processing carried out prior to withdrawal;
- The right to lodge a complaint with the competent data protection authority, including the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
Users may exercise their rights by contacting us via email: remedpl@remed.care. Requests must include sufficient identification information to verify the User’s identity. For the purpose of protecting Personal Data, the Company may request additional information if reasonably necessary to properly verify identity.
The Company responds to requests without undue delay, but no later than one month from the date of receipt. In case of complex requests or a large number of requests, this period may be extended by an additional two months, with the User being informed of the reasons for such an extension.
Exercising User rights is free of charge, except in cases where a request is manifestly unfounded or excessive. In such cases, the Company may charge a reasonable fee taking into account administrative costs or refuse to comply with the request, providing an appropriate justification.
Please note that the exercise of certain User rights may be restricted in cases provided by applicable law, in particular if:
(i) fulfilling the request may result in the violation of the rights and freedoms of other persons;
(ii) processing of Personal Data is necessary to comply with the Company’s legal obligations (including accounting or tax obligations);
(iii) processing is necessary for the establishment, exercise, or defense of legal claims.
In such cases, the Company informs the User of the grounds for refusal or limitation of the relevant right.
8. Processing of Children’s Data
The Platform is not intended for use by children and does not allow independent registration or use by persons who have not reached the age at which they can give valid consent to the processing of Personal Data under applicable law.
For Users located in the European Union or European Economic Area, the Company applies the requirements of Article 8 GDPR. Accordingly, if a User has not reached the “digital consent age” established by the law of the relevant Member State (16 years or lower, within 13–16 years if provided by national law), processing of their Personal Data is permitted only with parental or legal guardian consent.
In such cases, the Company takes reasonable steps to verify that consent was given by the person exercising parental responsibility for the child, in accordance with Article 8(2) GDPR.
If the Company becomes aware that a child’s Personal Data has been processed without proper consent, such Data will be deleted without undue delay.
9. Links to Other Websites and Third-Party Services
The Platform may contain active links to websites or services not operated by the Company. By following such links, You leave the Platform, and further processing of Personal Data is governed by the privacy policies of the respective third parties, not by this Policy.
We do not control and are not responsible for the content, rules, security practices, or Personal Data processing of other companies; any information You provide to such companies is subject to their privacy policies. We recommend carefully reviewing the privacy policy of each website/service before submitting any Data.
10. Amendments to the Policy
We may periodically update this Policy to reflect changes in the ways Personal Data is processed, Platform functionality, applied technologies, as well as changes in legal requirements or supervisory authority recommendations. We strive to ensure transparency and timely notification to Users about such changes in accordance with GDPR and the law of the Republic of Poland.
Notification Procedure for Changes
The Company has established the following notification procedure:
(a) Non-substantial changes (editorial corrections, clarifications, technical updates that do not affect the scope/purposes/legal basis of processing): the updated version is published on the Platform with the effective date.
(b) Substantial changes (e.g., new purposes or legal bases for processing, new categories of Data, new recipients / transfers to third countries, changes in Controller / Processor roles, implementation of optional trackers): Users are notified in advance via banner/pop-up on the Platform, e-mail, provided with a brief summary of changes, and the effective date. If changes require explicit consent (e.g., for optional cookies or new processing purposes for special categories of Data), the Company will request such consent separately before starting processing.
By default, changes take effect from the date indicated at the top of the Policy unless otherwise stated in the notification. For substantial changes, the Company provides, where possible, a reasonable notice period before the effective date so that Users can review settings or exercise their rights.
If You do not agree with the updated Policy, You may disable optional tools (cookies) in settings, withdraw Consent in the relevant interface locations, and/or contact us at remedpl@remed.care. Your legal rights under GDPR and Polish law remain valid regardless of Policy updates.
11. Dispute Resolution
Before initiating court proceedings, the User has the right to send the Company a written complaint (proposal for voluntary dispute resolution) via remedpl@remed.care, including the User’s full name or company name, contact details, description of the dispute, relevant circumstances, date and time of the incident (if applicable), and a clearly formulated claim.
The Company will review such a complaint and provide a reasoned response within 30 (thirty) calendar days from receipt. If the matter is complex and requires additional verification or interaction with third parties, the review period may be extended, and the User will be notified of the reasons for the extension and an estimated response time.
If the dispute is not resolved through negotiation, it shall be subject to the competent courts of the Republic of Poland. The substantive law of the Republic of Poland applies to this Policy and the legal relationship between the User and the Company. This section does not limit the User’s rights to judicial or other protection provided by mandatory consumer protection laws and/or applicable law of the User’s habitual residence, if such laws apply under EU law.
Additionally, matters related to Personal Data protection may also be addressed administratively. Users have the right to file a complaint with the competent supervisory authority, in particular:
- For residents of the Republic of Poland — with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych);
- For residents of other EU Member States — with the relevant supervisory authority of the Member State of their habitual residence;
and/or exercise judicial remedies provided under the GDPR.
For privacy-related inquiries, Users may also contact the Company directly at remedpl@remed.care for pre-trial resolution, exercise of Data Subject rights, or to obtain additional information.
12. How to Contact Us
For any questions regarding privacy, data security, or the exercise of Your rights, please contact the Controller — REMED PL SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (REMED PL), registered at Ul. Władysława ŁOKIETKA 5, Toruń, 87-100, Poland, acting on behalf of the CEO Denis Glinchevsky; e-mail: remedpl@remed.care.