Privacy Policy
How we process your personal data — BOKKA Sp. z o.o., in accordance with GDPR.
In short. We are BOKKA Sp. z o.o. from Kraków — a distributor of PIR insulation boards. We process your personal data when you order goods from us, supply us with services, file a complaint, contact us or visit this website. We comply with the GDPR (Regulation (EU) 2016/679). You have full rights — including access, rectification and erasure. GDPR contact: biuro@bokka.pl.
Table of contents
- Controller
- What data we collect and for what purpose
- Cookies and website analytics
- Forms and contact
- Who we share data with
- Your rights (GDPR)
- Security and storage
- Changes to this policy
- Contact
1. Controller
In short. The controller of your data is BOKKA Sp. z o.o. from Kraków. GDPR contact: biuro@bokka.pl.
BOKKA Sp. z o.o. with its registered office in Kraków, hereinafter the “Controller”:
- Address: Plac Wolnica 13/10, 31-060 Kraków, Poland
- KRS: 0000718870 — District Court for Kraków-Śródmieście, 11th Commercial Division of the National Court Register
- VAT ID: PL6762545474
- REGON: 369497701
- Share capital: PLN 5,000.00 (fully paid)
- GDPR contact: biuro@bokka.pl
A Data Protection Officer (DPO) has not been appointed — such appointment is not mandatory under Art. 37(1) GDPR (BOKKA is not a public body, its core activities do not require regular and systematic monitoring of data subjects on a large scale, nor does it process special categories of data on a large scale). All matters concerning the processing of personal data should be directed to the e-mail address indicated above.
2. What data we collect and for what purpose
In short. We collect the data we need to fulfil your order, handle accounting, process complaints and stay in contact. The exact scope depends on your relationship with BOKKA. Retention period = duration of cooperation + statute of limitations (civil and public-law claims) + 12-month buffer.
We hereby fulfil the information obligation arising from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR, OJ EU L 119 of 4 May 2016, p. 1).
We process data of five categories of persons:
2.1 Recipients of goods (Customers)
Scope of data: first name and surname, business name, business address, VAT ID, REGON, telephone, e-mail address, bank account number (for bank-transfer settlements).
Purposes and legal bases:
| Purpose | GDPR basis |
|---|---|
| Performance of cooperation regarding the supply of goods (pre-contractual steps and performance of the contract) | Art. 6(1)(b) |
| Accounting and tax settlements — statutory obligations (Civil Code, tax acts) | Art. 6(1)(c) |
| Building databases, direct marketing of our own products, securing documentation for claims | Art. 6(1)(f) (legitimate interest) |
Retention period: duration of cooperation + statute of limitations for claims (civil and public-law) + an additional 12 months (buffer for last-minute claims and delivery issues). For data processed on the basis of legitimate interest — for as long as that interest exists.
Is providing the data mandatory: voluntary, but necessary for cooperation. For accounting and tax settlements it is a statutory requirement — without providing the data we cannot cooperate with you.
2.2 Sellers and service providers
Suppliers of goods or services to BOKKA (e.g. transport, courier services, subcontractors).
Scope of data: first name and surname, business name, business address, VAT ID, REGON, telephone, e-mail address, bank account number.
Purposes and legal bases: analogous to point 2.1 (performance of contract — Art. 6(b), settlements — Art. 6(c), documentation — Art. 6(f)).
Retention period: duration of sales/service provision + statute of limitations for claims (civil, including under commercial guarantee and statutory warranty, and public-law) + 12-month buffer.
Is providing the data mandatory: as in point 2.1.
2.3 Persons filing a complaint
Entities entitled under the commercial guarantee or statutory warranty for defects in goods supplied by BOKKA — including submissions via the form at /reklamacje/ (see point 4.1).
Scope of data: first name and surname, business name, address, VAT ID, REGON, telephone, e-mail address, bank account number, order number, description of the problem, photographs documenting the defects.
Purposes and legal bases:
| Purpose | GDPR basis |
|---|---|
| Handling the complaint (commercial guarantee granted by BOKKA) | Art. 6(1)(b) |
| Legal obligation under the Civil Code (statutory warranty for defects) | Art. 6(1)(c) |
| Accounting and tax settlements | Art. 6(1)(c) |
| Securing documentation for claims | Art. 6(1)(f) |
Retention period: duration of the commercial guarantee and/or statutory warranty for defects + statute of limitations for claims + 12-month buffer.
Is providing the data mandatory: voluntary, but necessary to handle the complaint. Failure to provide the data may prevent the pursuit of certain claims.
2.4 Entities related to the recipient of goods
Entities in business relationships with our Customer — in particular the investor, the designer and subcontractors.
Scope of data: first name and surname, business name, business address, VAT ID, REGON, telephone, e-mail address, bank account number.
Purposes and legal bases:
| Purpose | GDPR basis |
|---|---|
| Performance of cooperation between the Customer and BOKKA (setting order terms, fulfilment) | Art. 6(1)(f) |
| Accounting and tax settlements | Art. 6(1)(c) |
| Responding to correspondence (including e-mail) and its archiving | Art. 6(1)(f) |
| Securing documentation for claims | Art. 6(1)(f) |
Retention period: duration of cooperation with the Customer + statute of limitations for claims + 12-month buffer. After that period, correspondence is archived (transferred to the archive and excluded from current IT systems — this does not apply to backups).
2.5 Persons representing entities listed in points 2.1–2.4
Members of corporate bodies of partnerships or capital companies, commercial proxies, employees, persons engaged under civil-law contracts — acting on behalf of or for one of the entities indicated in points 2.1–2.4.
Scope of data: first name and surname, telephone number, e-mail address (limited to professional contact data).
Purposes and legal bases:
| Purpose | GDPR basis |
|---|---|
| Cooperation with the represented entity | Art. 6(1)(b) |
| Accounting and tax settlements | Art. 6(1)(c) |
| Responding to correspondence and its archiving | Art. 6(1)(f) |
| Securing documentation for claims | Art. 6(1)(f) |
Retention period: as in point 2.4.
3. Cookies and website analytics
In short. We use cookies for the website to function and — with your consent — for analytics (Google Analytics 4). By default everything is disabled until you accept the consent banner. You can change your mind at any time.
3.1 Consent mechanism (Consent Mode v2)
On your first visit to bokka.pl, a cookie consent banner appears. We use Google Consent Mode v2 — until you make a decision, all analytical, marketing and personalisation cookies are denied by default. Only technical cookies (necessary for the website to function) are active.
You can change your decision at any time — simply clear the cookies in your browser for bokka.pl and the banner will reappear on your next visit.
3.2 List of cookies
| Name | Purpose | Duration | Required |
|---|---|---|---|
bokka_consent | Stores your choice from the consent banner | localStorage (until removed) | yes — technical |
_ga, _ga_* | Google Analytics 4 — anonymous analytics | 13 months | no — after consent |
_gid | Google Analytics 4 — session | 24 hours | no — after consent |
3.3 Google Analytics 4
- Stream ID:
G-EF8DKL8C2F - IP anonymisation: enabled (
anonymize_ip: true) — the IP address is truncated before being transmitted to Google - Purpose: analysis of website traffic, content optimisation, identification of broken paths
- Legal basis: your consent (Art. 6(1)(a) GDPR)
- Processor: Google Ireland Limited (data may be transferred to Google LLC in the USA under EU Standard Contractual Clauses — SCC)
If you do not consent to analytical cookies, Google Analytics will not be loaded.
3.4 Server logs
Regardless of your consent to cookies, our server (nginx within BOKKA’s infrastructure in Kraków) records technical access logs containing:
- the visitor’s IP address,
- user-agent (browser, operating system),
- referrer (where the visitor came from),
- requested URL and response code,
- timestamp.
Purpose: security (detecting abuse and attacks), technical error diagnostics, load analysis.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest — system security).
Retention period: 90 days; logs are then overwritten.
4. Forms and contact
In short. By using the complaint form or sending us an e-mail, you provide us with data. We use it solely to handle your case.
4.1 Complaint form (/reklamacje/)
The form at https://bokka.pl/reklamacje/ (and its equivalents in other languages) collects:
- first name and surname (required),
- company name (optional),
- e-mail address (required),
- telephone number (required),
- order number in the format BOK/NNN/YYYY (required),
- delivery date (required),
- description of the problem (required, min. 10 characters),
- photographs documenting the defects (up to 5 files, up to 10 MB in total).
We additionally record technical submission data: sender’s IP address, timestamp.
Purpose: handling complaints (see point 2.3). After sending the form, the sender receives an automatic confirmation with a ticket number in the format BOK-YYYY-NNNN.
Backend: submissions go to BOKKA’s server in Kraków (outside any cloud services) and are then forwarded to biuro@bokka.pl. Data is transmitted over an encrypted HTTPS channel and SMTP TLS.
4.2 E-mail contact
By writing to biuro@bokka.pl or any other BOKKA employee’s address, you provide us with your e-mail address, the content of your message, and anything else you voluntarily include in it.
Purpose: responding and archiving correspondence (Art. 6(1)(f) GDPR).
Retention period: in accordance with points 2.4 and 2.5.
4.3 AI technical advisor (chat)
On the Polish-language pages of bokka.pl we provide an AI technical advisor — a chat that helps select a product, insulation thickness and technical documents based on our knowledge base, and, when needed, routes the enquiry to a sales representative.
What data we process:
- the content of the conversation (your questions and the assistant’s answers),
- the chat session identifier (random, technical),
- the IP address in a partially anonymised form (e.g.
123.45.x.x), - a timestamp,
- information about which tools and data the assistant used (for quality control of answers).
You do not have to provide personal data to use the chat. If you voluntarily provide contact details (name, phone, e-mail) to be contacted by a sales representative, we process them as a sales enquiry (see points 2.1 and 4.2).
Purposes and legal bases:
| Purpose | GDPR basis |
|---|---|
| Providing a technical answer and helping select a product | Art. 6(1)(f) (handling pre-sales enquiries) |
| Storing conversations for quality control and finding errors in answers | Art. 6(1)(f) (improving advisory quality and security) |
| Protection against abuse and bots (Cloudflare Turnstile, request limits) | Art. 6(1)(f) (system security) |
| Lead handling when you voluntarily provide contact details | Art. 6(1)(b) / (f) |
Retention of conversation logs: 90 days, after which they are automatically deleted. Contact details passed to a sales representative — as per point 2.1.
Providers (processors):
- Anthropic PBC (USA) — the Claude language model generating the answers. The conversation content is sent to Anthropic solely to generate the answer; Anthropic does not use data submitted via the API to train its models. Transfer outside the EEA is based on EU Standard Contractual Clauses (SCC).
- Cloudflare — the Turnstile mechanism protecting the chat against bots (anti-bot verification, without advertising tracking).
We store conversation logs on the BOKKA server in Kraków.
4.4 No automated decision-making
We do not make automated decisions regarding your data, nor decisions based on profiling. The AI technical advisor (point 4.3) plays only an auxiliary role — the offer and finalisation are always handled by a human (sales representative).
5. Who we share data with
In short. We share data only with entities that genuinely need it to fulfil our purposes — mainly transport partners, accountants, lawyers and IT providers. We do not sell data.
Your data may be disclosed to the following categories of recipients:
- Business partners — where necessary to achieve the stated purposes (e.g. insurance companies in the event of transport damage).
- Subcontractors / processors (Art. 28 GDPR):
- accounting firms and tax advisory firms,
- law firms,
- IT service providers (infrastructure maintenance, backups),
- transport, courier and postal companies,
- Google Ireland Limited — solely within the scope of Google Analytics 4 and only after your consent to analytical cookies (see point 3.3).
- Anthropic PBC (USA) — solely for the AI technical advisor (chat), to generate the answer (see point 4.3),
- Cloudflare — Turnstile anti-bot verification in the chat (see point 4.3).
- Banks — for bank-transfer settlements.
- Public authorities — solely on the basis of legal obligations (e.g. tax authorities, courts).
We do not sell your personal data.
Transfer outside the European Economic Area
With the exception of Google Analytics 4 and the AI technical advisor (Anthropic PBC, USA) — where data may be transferred to the USA based on EU Standard Contractual Clauses (SCC) — we do not intend to transfer your personal data to a third country or international organisation.
6. Your rights (GDPR)
In short. You have full rights over your data. The easiest way — write to biuro@bokka.pl, we will respond within a month.
You are entitled to the following rights:
| Right | What it means |
|---|---|
| Access (Art. 15 GDPR) | You can ask what data we process about you and receive a copy of it. |
| Rectification (Art. 16) | You can request correction of inaccurate data or completion of incomplete data. |
| Erasure (“right to be forgotten”, Art. 17) | You can request deletion of data if it is no longer needed or processing is unlawful. Some data we must keep — e.g. invoices (5 years, statutory). |
| Restriction of processing (Art. 18) | You can request temporary suspension of processing (e.g. during a dispute over data accuracy). |
| Objection (Art. 21) | You can object to processing based on legitimate interest (Art. 6(1)(f) GDPR) — including direct marketing. |
| Portability (Art. 20) | You can receive your data in a structured format (CSV/JSON) and transfer it to another controller. |
How to exercise these rights: write to biuro@bokka.pl — we will respond within 1 month of receiving the request (in accordance with Art. 12(3) GDPR). This period may be extended by a further 2 months if the matter is complex — we will inform you accordingly.
Right to lodge a complaint
If you believe that the processing of your data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority:
President of the Polish Personal Data Protection Office (UODO) ul. Stawki 2, 00-193 Warsaw, Poland uodo.gov.pl
7. Security and storage
In short. We take care of your data. The site is encrypted, only authorised persons have access to data, backups are encrypted. Servers — in Poland.
We apply technical and organisational security measures:
- Transmission encryption — the entire bokka.pl site is served exclusively over HTTPS (TLS 1.2+). Outgoing mail (e.g. complaint confirmations) uses SMTP STARTTLS.
- Access control — only authorised BOKKA employees have access to personal data, to the extent necessary for the performance of their professional duties.
- Backups — encrypted, stored within BOKKA’s infrastructure.
- Hosting — BOKKA’s servers are located in Kraków (outside major cloud platforms). Exception: Google Analytics 4 data (see point 3.3).
- Updates — the operating system and server software are regularly updated.
The retention period for data is specified for each category in section 2. After that period, data is deleted or archived in a manner preventing identification of the individual.
8. Changes to this policy
We reserve the right to amend this policy — e.g. in the event of changes in legislation, the introduction of new services on the website, or changes in our business. The current version is always published on this page. In the event of significant changes, we will inform you additionally (via a banner on the website or by e-mail if we are in active correspondence).
9. Contact
On matters concerning the processing of personal data:
- E-mail: biuro@bokka.pl
- Address: BOKKA Sp. z o.o., Plac Wolnica 13/10, 31-060 Kraków, Poland
Complaint to the supervisory authority:
President of the Polish Personal Data Protection Office (UODO) ul. Stawki 2, 00-193 Warsaw, Poland uodo.gov.pl
Effective date: 14 May 2026 Last updated: 31 May 2026