Privacy Policy 

Data Administrator

The administrator of personal data is GrappZilla company, located at 69B/42 Bluszczańska Street, 00-712 Warsaw, Tax ID (NIP): 7411893693, National Business Registry Number (Regon): 141158520. 

You can contact the administrator: 

  • by phone at: +48 608 203 888 
  • via email: 
  • through the contact form on the website 
  • by mail, sending correspondence to the address: GrappZilla, 69B/42 Bluszczańska Street, 00-712 Warsaw 

Access to Customer Data 

Only authorized employees of our company have access to your data. They have been trained by the Administrator in the proper processing of personal data and have committed to complying with the highest level of data protection. The company has never processed customer data in a manner inconsistent with applicable regulations. 

We also commit that we will not sell, transfer, or exchange the personal data of our customers with other entities. 

Your data may only be transferred to certain external entities necessary for us to provide services. These entities include: 

  a) Shipping service providers;
  b) Online payment service providers;
  c) Accounting service providers;
  d) IT service providers such as hosting companies and IT firms providing solutions to our company;
  e) Email marketing service providers for our company;
  f) Relevant law enforcement authorities (if required by law).

Transfer of Data to Third Countries 

Your personal data may be transferred to third countries, i.e., outside the European Economic Area (EEA) or international organizations, but only to entities that provide adequate security and guarantee the rights of the individuals concerned, along with effective legal protection measures. This includes the Administrator's use of services provided by Google, to the extent necessary to achieve the purposes stated in this Privacy Policy. 

The transfer is based on the decision of the European Commission (the so-called Privacy Shield), confirming the provision of an adequate level of personal data protection by entrepreneurs located in the territory of the United States of America who have joined the Privacy Shield program. You have the right to obtain from the administrator a copy of the personal data transferred to a third country. 

Categories of Data We Collect and Their Sources 

Data held by our company originates from: 

  a) Our customers directly, or individuals authorized by the customers;
  b) Public registers that are generally available, such as the National Court Register and the Central Register and Information on Economic Activity;
  c) Direct contact of our customers with us or signing up for our newsletter;
  d) Our company's individually created database of customers sourced from publicly available sources.

We collect information belonging to the following categories: 

  a) Company name, address, Tax ID (NIP);
  b) Name and surname of the person acting on behalf of the Customer, phone number, email address;
  c) Purchase history;
  d) Communication history (via contact form, email messages, social media, or phone);
  e) Information stored in cookie files (related to using our website);
  f) Location (IP).

Purposes of Data Processing and Legal Basis 

The Administrator processes personal data to enable the use of functionalities within the online store, specifically: 

  a) Registration and account creation in the online store;
  b) Placing and fulfilling orders;
  c) Efficient operation of the store;
  d) Ensuring the security of using the online store, detecting abuses, and conducting analyses;
  e) Handling complaints, exchanges, and returns;
  f) Sending commercial information, advertisements, offers, and messages related to the store's activity, i.e., direct marketing to the email address provided by the Customer after their prior consent;
  g) Conducting analyses, including profiling, using personal data to create a profile for products and services that customers might be interested in;
  h) Sales in the brick-and-mortar store and fulfillment of personal order pickups;
  i) Publication purposes.

The legal basis for processing personal data is the General Data Protection Regulation (GDPR) applicable throughout the European Union. In the case of our company's activities, the regulation provides several legal bases: 

  a) Fulfillment of legal obligations imposed on us (Art. 6(1)(c) GDPR);
  b) Necessity of processing for purposes resulting from legitimate interests pursued by the administrator or a third party (Art. 6(1)(f) GDPR);
  c) Necessity of processing to conclude or perform a contract in which the Customer is a party (Art. 6(1)(b) GDPR);
  d) Voluntary consent to the use of personal data expressed by the Customer or User (Art. 6(1)(a) GDPR).

Data Retention Period 

  a) For the duration of order fulfillment and the period in which the Administrator is obliged to retain sales documents. Personal data processed based on tax and accounting regulations must be kept for 5 years after the end of the year in which the tax payment deadline expired;
  b) Until the statute of limitations for claims resulting from legal regulations/contract expires – in the case of processing for the purpose of contract performance, claim enforcement, or defense;
  c) Until deregistration from the Internet Wholesaler – concerning processing for the registration and maintenance of the User Account;
  d) For an indefinite period but no longer than until your objection or withdrawal of consent – for marketing purposes (newsletter dispatch);
  e) 13 months for creating personalized campaigns (profiling, tracking website traffic based on cookies);
  f) Until opting out of receiving responses (withdrawal of consent) – in the case of inquiries sent via the contact

Cookie Files 

  a) The Service does not automatically collect any information except for information contained in cookie files.
  b) Cookie files (so-called "cookies") are computer data, particularly text files, stored on the end device of the Service User and intended for using the website's pages. Cookies usually contain the name of the website they come from, the length of time they are stored on the end device, and a unique number.
  c) The entity placing cookie files on the end user's device and having access to them is the operator of the Grappzilla
  d) Cookies are used for:
    • Adjusting the content of the Service's web pages to the User's preferences and optimizing the use of the website, especially allowing the recognition of the User's device and displaying a website adapted to their individual needs;
    • Creating statistics that help understand how Users of the Service use its web pages, allowing for improvements in their structure and content;
    • Maintaining the User's Service session (after logging in), allowing the User not to re-enter the login and password on every Service subpage.
  e) Two main types of cookie files are used within the Service: "session" cookies and "persistent" cookies. "Session" cookies are temporary files stored on the User's end device until they log out, leave the website, or turn off the software (web browser). "Persistent" cookies are stored on the User's end device for a time specified in the cookie parameters or until deleted by the User.
  f) Within the Service, the following types of cookie files are used:
    • "Essential" cookies, enabling the use of services available within the Service, e.g., authentication cookies used for services requiring authentication within the Service;
    • Cookies used for security purposes, e.g., used to detect abuse in the scope of authentication within the Service;
    • "Functional" cookies, allowing for "remembering" the User's settings and personalizing the User interface, e.g., in terms of the chosen language or region from which the User originates, font size, website appearance, etc.;
    • "Advertising" cookies, enabling the delivery of advertising content more tailored to the Users' interests.
  g) In many cases, web browsing software (web browser) allows the storage of cookie files on the User's end device by default. Service Users can change cookie settings at any time. These settings can be changed, in particular, to block the automatic handling of cookie files in the web browser settings or to notify the User each time cookies are placed on the Service User's device. Detailed information about the possibilities and ways of handling cookie files is available in the software settings (web browser).
  h) The Service Operator informs that limitations on the use of cookie files may affect some functionalities available on the Service's websites. Cookie files placed on the Service User's end device may also be used by advertisers and partners cooperating with the Service Operator.


Your personal data may be automatically processed to the extent necessary for marketing and advertising services. Primarily, your previous purchase decisions may be analyzed to attempt to tailor future offers. Automated data processing and profiling will not have any legal effects or significantly impact the user's situation. 

Consequences of Not Providing Your Personal Data 

You are not obligated to provide your personal data, but in some cases, this obligation may arise from specific regulations. The consequence of not providing your personal data will be the inability to conclude a sales contract for goods and fulfill your order. If required by law, we may require the provision of other necessary data, e.g., for tax or accounting reasons. Otherwise, providing data is voluntary. 

Your Rights Regarding Data Processing 

You have the right to exercise all your rights arising from applicable law. You can request from the administrator: access, rectification, or erasure of your data, restriction of their processing, data portability, and non-subjection to profiling. You also have the right to object to the processing of your personal data. 

You also have the right to lodge a complaint regarding the processing of your personal data by our company to the President of the Office for Personal Data Protection. 

To exercise the above rights, you can contact the Administrator by sending an appropriate message in writing or via email using the contact details provided in this Privacy Policy. 

Ensuring the Security of Your Personal Data 

We inform you that we process your personal data using computer systems and software that provide the highest level of security, including SSL encryption and anonymization of transmitted information, professional antivirus software, and regular password changes for IT systems.