Privacy Policy

of the World Rave Off / shuffledance.pl website

Version dated: 3 December 2025

1. General provisions

  1. This Privacy Policy sets out the rules for the processing of personal data of users of the online service related to the World Rave Off dance events, in particular available at:
    • https://worldraveoff.com and its subpages and subdomains,
    • related services, in particular https://shuffledance.pl
      (hereinafter jointly: the Service).
  2. The Policy is of an informational nature, i.e. it is not a source of obligations for users, but describes how the Controller processes personal data and what rights are available to data subjects.
  3. Personal data are processed in accordance with the applicable laws, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) and national data protection regulations.

2. Data Controller

  1. The controller of personal data is: Shuffle Dance Magdalena Miękus
    with its registered office at:
    ul. Krakowska 29C, 50-424 Wrocław, Poland
    Tax ID (NIP): 8322083792
    e-mail: info@shuffledance.pl
    (hereinafter: the Controller).
  2. For matters related to personal data, you may contact the Controller:
  3. The Controller has not appointed a Data Protection Officer (DPO). All issues relating to the protection of personal data should be addressed directly to the Controller using the above contact details.

3. Categories of users and scope of processed data

3.1. Categories of persons

The Controller processes data of the following categories of persons:

  1. Ordinary visitors to the Service – persons browsing content who do not create an account.
  2. Registered users of the Service – persons who have a user account in the Service and who may:
    • complete their profile (additional data, photo) – voluntarily,
    • decide whether their profile is visible to other registered users,
    • subscribe to the newsletter (voluntarily).
  3. Event participants (tournaments, workshops) – persons who, through their account in the Service, purchase tickets/participation in dance events and workshops via a shop based on WooCommerce.
  4. Newsletter subscribers – any person subscribing to the newsletter in the Service. Subscription to the newsletter is linked to the creation of a user account.

3.2. Scope of processed data

Data collected during user account registration (some data are necessary, some voluntary):

  • required data (necessary to create an account):
    • e-mail address,
    • login/username,
    • password (stored in the form of an encrypted hash).
  • voluntary data (user profile):
    • nickname / display name,
    • age (as declared by the user, without date of birth),
    • dance skill level,
    • country,
    • short bio/description,
    • links to social media (e.g. TikTok, Instagram, website),
    • first name,
    • last name,
    • phone number,
    • profile picture (avatar).

Failure to provide voluntary data does not prevent use of the account, but may limit functionalities related to the presentation of the profile in the Service or participation in certain community activities.

Data collected when purchasing a ticket / participation in an event (WooCommerce + Tpay):

  • first name and last name (for participant identification and settlements),
  • contact e-mail,
  • transaction data (information about the order, purchased tickets/products),
  • other data necessary for payment processing and settlements required by the payment operator (Tpay) and by law (e.g. invoice data: address, Tax ID (NIP) – where requested by the user).

Newsletter data:

  • e-mail address,
  • newsletter language preferences set by the user,
  • any other communication preferences indicated by the user in the profile (voluntary).

Technical and operational data (for all visitors to the Service):

  • IP address,
  • date and time of visit,
  • information about the device and browser,
  • cookies (details in the section on cookies),
  • server logs and security logs.

The Controller does not collect special categories of personal data (“sensitive data” within the meaning of the GDPR).

4. Minors

  1. Minors may participate in dance events (tournaments, workshops) via the Service.
  2. Age is provided by the user as a declaration. The Controller does not collect the date of birth.
  3. Participation of minors in events requires the consent of their legal guardian. The obligation to ensure such consent lies with the user/guardian. The Controller may request presentation of such consent, in particular during registration or at verification at the event venue.
  4. The Controller does not directly target the Service at children under 16 years of age and does not knowingly process their data without guardian consent. If the Controller becomes aware that a child’s data are being processed without the required consent, it will take steps to delete such data unless otherwise required by law.

5. Purposes, legal bases and duration of processing

The Controller processes personal data for the following purposes:

5.1. Creation and management of a user account in the Service

  • Scope of data: registration data (e-mail, login, password hash) and profile data if the user completes them.
  • Legal basis:
    • necessity for the performance of a contract for the provision of services by electronic means (Article 6(1)(b) GDPR),
    • legitimate interest of the Controller consisting in ensuring the functioning of the Service, security and pursuing claims (Article 6(1)(f) GDPR).
  • Duration of processing:
    • for the duration of the existence of the user account,
    • and after its deletion – for the limitation period of any claims and for the period arising from tax and accounting regulations (for data related to transactions).

The user may delete their account at any time (provided that deletion of the account does not affect the retention period of data that must be stored by law in connection with completed transactions).

5.2. Sale of tickets / participation in events and workshops (WooCommerce, Tpay)

  • Scope of data: identification and contact data (e.g. first name, last name, e-mail, optionally invoice address, Tax ID (NIP)), data regarding orders and payments.
  • Legal basis:
    • necessity for the performance of a contract (Article 6(1)(b) GDPR),
    • legal obligation incumbent on the Controller (including tax and accounting obligations – Article 6(1)(c) GDPR),
    • legitimate interest of the Controller (pursuing claims, preventing abuse – Article 6(1)(f) GDPR).
  • Duration of processing:
    • for the period necessary to perform the contract,
    • then for the period required by tax/accounting law (as a rule, at least 5 years from the end of the year in which the transaction was made),
    • and for the limitation period of any claims.

5.3. Newsletter

  • Scope of data: e-mail address, language preferences, user account data linked to the newsletter.
  • Legal basis:
    • voluntary consent of the user to receive the newsletter (Article 6(1)(a) GDPR and relevant regulations on the provision of electronic services),
    • to the extent necessary to pursue or defend claims – the legitimate interest of the Controller (Article 6(1)(f) GDPR).
  • Duration of processing:
    • until consent is withdrawn (unsubscribing from the newsletter),
    • and then – in a limited scope (e.g. information about the fact of granting/withdrawing consent, e-mail address in an “anti-spam” list) for no longer than the limitation period of any claims related to the sending, in order to demonstrate the lawfulness of the processing.

Subscription to the newsletter is linked to the creation of a user account. Unsubscribing from the newsletter does not necessarily mean automatic deletion of the account – the user may choose whether to delete the entire account or only resign from the newsletter.

5.4. Creating start lists and event management

  • Scope of data: user account data necessary to identify the participant (e.g. nickname, first name and last name, country, age, skill level, order number).
  • Legal basis:
    • necessity for the performance of a contract for participation in the event (Article 6(1)(b) GDPR),
    • legitimate interest of the Controller (organisation and documentation of events, ensuring security and ability to defend against claims – Article 6(1)(f) GDPR).
  • Duration of processing:
    • for the duration of the given event and for the time necessary for settlement and handling of any complaints,
    • then for the limitation period of claims related to the event.

Start lists may be made available to registered users of the Service (e.g. in a participant area).

5.5. Photo/video materials, image of participants

  1. During dance events organised or co-organised by the Controller, photos and video recordings may be taken, capturing the image of participants and their performances.
  2. Purposes of processing:
    • documentation of the event,
    • publication of event coverage,
    • promotional and marketing activities of the Controller (and possibly co-organisers, sponsors and partners) in the Service, on social media, in promotional materials, etc.
  3. Legal basis:
    • legitimate interest of the Controller consisting in documenting and promoting its activities and events (Article 6(1)(f) GDPR),
    • and, to the extent required by image and copyright regulations – a separate, voluntary consent to the use of the image and works (see the consent template at the end of this document or in the event regulations).
  4. Duration of processing:
    • until an effective objection is lodged or consent is withdrawn – in cases where the basis is legitimate interest or consent,
    • subject to the reservation that withdrawal of consent or an effective objection does not, as a rule, affect the lawfulness of processing carried out before their withdrawal and may be limited insofar as the Controller has an overriding interest or legal obligation (e.g. archival event materials, as well as materials already disseminated online, over which the Controller may not have full control).

The Controller may require acceptance of an additional consent/clause regarding image and copyright when registering for participation in an event or at the event venue.

5.6. Statistics, analytics and service quality improvement (Google Analytics)

  • Scope of data: operational data related to the use of the Service (IP address, cookie identifiers, data on activity on the website). Data are processed in anonymised or pseudonymised form for statistical purposes.
  • Tool: Google Analytics.
  • Legal basis:
    • legitimate interest of the Controller consisting in analysing traffic in the Service, statistics and optimising its operation (Article 6(1)(f) GDPR).
  • Duration of processing:
    • in accordance with the settings of the Google Analytics tool (analytical data may be stored for the period indicated in the tool configuration),
    • these data have, as a rule, a statistical nature and are not used to take binding individual decisions towards the user.

5.7. Server logs and security

  • Scope of data: IP address, date and time of connection, HTTP headers, information on errors, information on login attempts, etc.
  • Legal basis:
    • legitimate interest of the Controller consisting in ensuring the security of the Service, detecting abuse, keeping technical statistics and pursuing claims (Article 6(1)(f) GDPR).
  • Duration of processing:
    • for the period typical for system logs on the side of the hosting provider (dhosting) – as a rule up to 12 months, unless a longer period results from the need to secure claims.

6. Data recipients and processors

  1. Personal data may be disclosed to the following categories of recipients:
    • entities providing hosting and Service maintenance – in particular dhosting.pl (Poland),
    • online payment operator – Tpay (online payment operator),
    • provider of analytical services – Google LLC (Google Analytics),
    • entities providing advisory, legal, accounting or IT services to the Controller – to the extent necessary to perform these services,
    • public authorities, where the obligation to provide data results from legal provisions.
  2. In the case of tools such as Google Analytics, data may be transferred to a third country (e.g. the USA) via the providers of these tools – this is done using appropriate safeguards provided for by the GDPR (standard contractual clauses, technical measures).

7. Cookies and similar technologies

  1. The Service uses cookies and other similar technologies for storing information on the user’s device and accessing such information, in accordance with the user’s browser settings and applicable laws.
  2. In the Service, in particular the following are used:
    • necessary (technical) cookies:
      • session cookies related to logging in (user authentication, maintaining the session after logging in),
      • WordPress/WooCommerce cookies (e.g. cart, interface preferences, language settings),
    • analytical cookies:
      • Google Analytics cookies used for statistical research on how the Service is used.
  3. In addition, due to the embedding in the Service of content from external services such as:
    • Google Maps (maps),
    • YouTube (video materials, streaming),
      the respective services may store their own cookies and process user data in accordance with their own privacy policies. The Controller has no influence on the scope of data collected by these entities.
  4. The user may manage cookie settings using their browser settings (including blocking some or all cookies). However, limiting the use of technical cookies may affect the ability to use some functions of the Service (e.g. logging in, cart).
  5. If an additional cookie banner is used in the Service, the user may manage their preferences regarding analytical/marketing cookies within it. In the absence of separate cookie consents, the processing of data under analytical cookies is based on the Controller’s legitimate interest, with appropriate data minimisation measures applied.

8. Data retention periods – summary

Personal data are stored for the following periods:

  1. User account – for the duration of the account, and thereafter for the limitation period of claims related to the use of the Service and for the period required by tax/accounting regulations with respect to related transactions.
  2. Transaction data (tickets, workshops) – for the period required by law (at least 5 years from the end of the year in which the transaction occurred) and for the limitation period of claims.
  3. Newsletter – until consent is withdrawn (unsubscribing from the newsletter), and then in a limited scope for the period necessary to secure claims and demonstrate the lawfulness of processing.
  4. Server logs and security logs – for the period typical for such logs on the side of the hosting provider (as a rule up to 12 months), unless a longer period is necessary to secure claims.
  5. Data in photo/video materials – until an effective objection is raised or consent is withdrawn, taking into account the limitations described in point 5.5.
  6. Data used for statistical purposes (Google Analytics) – in accordance with the data retention settings in the tool, with the data being aggregated/statistical in nature.

In any case, the Controller may store data for a longer period if this is necessary due to applicable laws or for protection against claims (until their limitation period).

9. Voluntary provision of data and consequences of failure to provide data

  1. Providing the data required when registering an account (in particular e-mail address, login and password) is voluntary, but necessary to create an account and use functionalities reserved for registered users (including ticket purchase and participation in events).
  2. Providing data required for payment processing and settlements (e.g. first name, last name, invoice data) is voluntary but necessary to conclude and perform the contract (purchase of a ticket/participation in an event).
  3. Profile data (age, skill level, social media, bio, photo etc.) and consent to the newsletter are voluntary. Failure to provide them may result in limiting some functionalities of the Service (e.g. visibility within the community, communication personalisation), but does not prevent having an account.
  4. Lack of consent to the use of image to the extent described in a separate clause may limit the possibility of participation in certain event formats or publication of materials including the participant’s image, if required by the nature of the event.

10. User rights

Data subjects have the following rights:

  1. Right of access – to obtain information whether the Controller processes personal data and to obtain a copy of such data.
  2. Right to rectification – to correct data that are inaccurate or to complete incomplete data.
  3. Right to erasure (“right to be forgotten”) – where the data are no longer necessary for the purposes for which they were collected, and in other cases provided for by the GDPR (subject to limitations resulting from the Controller’s legal obligations and the need to defend against claims).
  4. Right to restriction of processing – e.g. where the accuracy of data is contested or where processing is objected to.
  5. Right to data portability – to the extent that the data are processed on the basis of consent or contract and in an automated manner.
  6. Right to object – to processing based on the legitimate interest of the Controller (e.g. statistics, promotional materials, image), on grounds relating to the particular situation of the data subject. In the event of an objection, the Controller will cease processing the data for these purposes, unless it demonstrates compelling legitimate grounds for the processing overriding the interests, rights and freedoms of the data subject or grounds for the establishment, exercise or defence of legal claims.
  7. Right to withdraw consent – where processing is based on consent (e.g. newsletter, use of image), at any time, without affecting the lawfulness of processing carried out before consent withdrawal.
  8. Right to lodge a complaint with a supervisory authority – in particular with the President of the Personal Data Protection Office (PUODO) in Poland, if the person considers that the processing of their data violates the GDPR.

To exercise the above rights, please contact the Controller (e.g. at: info@shuffledance.pl or support@worldraveoff.com). The Controller may verify the identity of the person making the request to ensure that data are not disclosed to unauthorised persons.

11. Data security

  1. The Controller applies appropriate technical and organisational measures to ensure a level of security of personal data appropriate to the risk of violation of the rights or freedoms of natural persons, in particular:
    • encryption of data transmission using the HTTPS protocol (SSL certificate),
    • updating the Service software (WordPress, plugins, themes) and server systems,
    • regular creation of backups,
    • use of strong passwords and security rules for administrative accounts,
    • restricting access to data only to authorised persons and only to the extent necessary to perform assigned tasks.
  2. Despite high security standards, the use of the Internet involves risks beyond the Controller’s full control (e.g. actions of third parties). The user should also take care of the security of their device and data (e.g. not sharing passwords, using up-to-date software, protecting devices with a password).
  3. In the event of a personal data breach, the Controller will take the actions required by the GDPR, including – where necessary – informing the relevant supervisory authority and the data subjects concerned.

12. Transfer of data outside the European Economic Area

  1. As a rule, data are processed within the European Economic Area (EEA), on servers located in Poland (dhosting.pl).
  2. In connection with the use of tools such as Google Analytics, users’ data may be transferred outside the EEA (e.g. to the USA) by the providers of these services. Such transfer takes place on the basis of mechanisms provided for in the GDPR (e.g. standard contractual clauses) and with appropriate technical and organisational safeguards applied by the Controller and the providers.

13. Changes to the Privacy Policy

  1. The Controller reserves the right to update this Privacy Policy in particular in the event of:
    • changes in the law,
    • changes in the functionalities of the Service,
    • implementation of new tools or services involving the processing of personal data.
  2. The Controller may inform users about material changes to the Policy via the Service (e.g. notice, update of version date) or by e-mail – in the case of users who have an account.
  3. The current version of the Policy is always available in the Service.
    At least periodic review and updating of the Policy is planned, not less frequently than by the end of 2026, and thereafter as needed.

14. Language versions

In the event of discrepancies between language versions, the user may contact the Controller to clarify or specify the provisions of the Policy.

The Privacy Policy may be made available in several language versions. All language versions are equivalent for informational purposes.

The Controller endeavours to ensure that all language versions are as consistent as possible. In case of interpretative doubts, the basis shall be the applicable legal provisions (in particular the GDPR and relevant national regulations), and not differences arising from translation.