GUAPA CLEAN UP

PRIVACY & Cookies POLICY

PRICACY POLICY

 

GUAPA PRODUKCJA Sp. z o.o.
Krzywaniec, 66-010 Nowogród Bobrzański, Poland
VAT No.: PL9730967877 | KRS: 0000343844 | REGON: 080381014
E-mail: office@guapa.pl

1. Definitions

1.1. Controller or Guapa – Guapa Produkcja Spółka z ograniczoną odpowiedzialnością, with its registered office at Krzywaniec, 66-010 Nowogród Bobrzański, Poland, entered in the Register of Entrepreneurs of the National Court Register under KRS number: 0000343844, VAT No.: 9730967877, REGON: 08038101400000.

1.2. Personal Data – information about an identified or identifiable natural person, who can be identified by reference to one or more specific factors determining their physical, physiological, genetic, mental, economic, cultural or social identity, including a device IP address, location data, an online identifier, and information collected via cookies and similar technologies.

1.3. Policy – this Privacy Policy, containing information about the processing of Personal Data and the use of cookies and similar tracking technologies within the Website.

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.5. Website – the website operated by the Controller at https://guapa.pl/, accessible via internet browsers.

1.6. Shop – the Guapa online store available through the Website, through which Guapa sells goods exclusively to business customers (B2B).

1.7. Customer or User – a natural person visiting the Website or making use of its functionality, as well as a representative or employee of a business entity acting on its behalf within a B2B relationship.

1.8. Device – an electronic end-user device through which the User accesses the Website.

2. General Information

2.1. In connection with the use of the Website, data necessary for the provision of the services offered is collected, together with information about activity on the Website. The Controller attaches particular importance to the proper protection of personal data.

2.2. The Controller ensures that all data processing activities are carried out in compliance with applicable law, in particular the GDPR. This Policy is intended to provide complete information about the manner in which personal data is processed and to make available tools enabling the exercise of the rights to which data subjects are entitled.

2.3. The Guapa Shop is directed exclusively at business customers. Placing an order in the Shop constitutes a declaration by the Customer that they are acting as a business entity within the meaning of Article 431 of the Civil Code.

2.4. Personal Data is processed in accordance with the law, and care is taken to ensure that it remains current and accurate. From time to time, the Controller may send a reminder regarding the need to update data, either by sending a message to the e-mail address provided or by displaying an appropriate notification on the Website after the User has logged in to their account.

3. How to Contact the Controller?

3.1. For any questions concerning the processing of Personal Data by the Controller, or to exercise the rights to which you are entitled, please contact us by e-mail: office@guapa.pl

3.2. The Controller endeavours to respond to all data processing enquiries within 30 days of receipt. In the case of complex or numerous requests, this period may be extended by a further 2 months, of which an appropriate notification will be sent in advance.

4. How Do We Obtain Your Personal Data?

4.1. Personal Data is obtained directly from the user in order to ensure the proper provision of services and the smooth operation of the Website. You provide data to the Controller primarily through:

  • dedicated registration and order forms on the Website,
  • the contact form, or by e-mail and telephone correspondence,
  • the process of placing orders and arranging deliveries via the Shop,
  • B2B relationships – in the course of establishing and maintaining business cooperation.

4.2. Personal Data is also collected automatically – via cookies and similar tracking technologies – during use of the Website (e.g. while browsing products). Further details are set out in Section 9 of this Policy.

4.3. Within the context of B2B relationships, the Controller may also obtain the contact details of company representatives (first name, surname, job title, e-mail address, telephone number) from publicly available sources, such as the National Court Register, company websites or public professional profiles (e.g. LinkedIn).

5. Is the Provision of Personal Data Mandatory?

5.1. The provision of personal data is voluntary and not strictly mandatory. It should be noted, however, that in certain cases the provision of data is necessary for the proper performance of services or for the conclusion and execution of a contract, as described in detail below.

5.2. The provision of data designated as mandatory in registration or order forms is required in order to create an account or to fulfil an order. Failure to provide such data will result in the inability to use those services.

5.3. The provision of data for marketing purposes is always voluntary and takes place solely on the basis of consent freely given, which may be withdrawn at any time.

6. How Do We Process Your Personal Data?

Use of the Website

6.1. Where the Website is used by an unregistered User, Personal Data (including IP address and information collected via cookies) is processed:

6.1.1. For the purpose of providing services by electronic means (making Website content available) – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR).

6.1.2. For analytical and statistical purposes (analysis of User activity and preferences with a view to improving functionality) – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

6.1.3. For the purpose of establishing, asserting or defending legal claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the protection of its rights and commercial interests.

6.1.4. For marketing purposes – the applicable rules are described in detail in Section 7 of this Policy.

6.2. User activity on the Website is recorded in system logs. Log data is processed for technical and administrative purposes, for system security requirements, and for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

Account Registration and Management

6.3. Registration of a Customer account on the Website requires the provision of data necessary for its creation and operation (in particular the company name, registered address, VAT number and contact details of the company representative). The provision of data designated as mandatory is required in order to create an account; failure to do so will prevent registration. The provision of all other data is voluntary.

6.4. Personal Data is processed:

6.4.1. For the purpose of providing services relating to the creation and management of the account – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR); with regard to data provided on a voluntary basis – consent (Article 6(1)(a) GDPR).

6.4.2. For analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

6.4.3. For the purpose of establishing, asserting or defending potential legal claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

6.4.4. For marketing purposes – the applicable rules are described in Section 7 of this Policy.

6.5. Guapa reserves the right to delete a Customer account in the event of a breach of the Terms and Conditions, or in the event of no activity on the account for a period exceeding 3 years, in accordance with the Shop's Terms and Conditions.

Placing Orders

6.6. The placement of an order involves the processing of personal data. The provision of data designated as mandatory is necessary for the acceptance and processing of an order; failure to provide such data will result in the inability to fulfil the order.

6.7. Personal Data is processed:

6.7.1. For the purpose of fulfilling the order placed – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) GDPR).

6.7.2. For the purpose of fulfilling statutory obligations (tax and accounting) – the legal basis for processing is a legal obligation (Article 6(1)(c) GDPR).

6.7.3. For analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

6.7.4. For the purpose of establishing, asserting or defending legal claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

Delivery and Payment Processing

6.8. Depending on the chosen method of delivery or payment, data necessary for the provision of those services will be transferred to logistics partners and payment service providers (further details are set out in Section 10 of this Policy).

Complaints

6.9. The submission of a complaint involves the processing of personal data. The provision of data in the complaints form is not mandatory, but it is necessary for the proper handling of the complaint.

6.10. Personal Data is processed:

6.10.1. For the purpose of handling the complaint submitted – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR) and, to the extent of statutory obligations, a legal obligation (Article 6(1)(c) GDPR).

6.10.2. For analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

6.10.3. For the purpose of establishing, asserting or defending legal claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

Contact Form and B2B Communication

6.11. The Controller provides the ability to make contact via the contact form, by e-mail and by telephone. The use of these channels requires the provision of data necessary to establish contact and to provide a response.

6.12. Personal Data is processed:

6.12.1. For the purpose of handling enquiries and conducting correspondence related to Guapa's business activities – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

6.12.2. In the context of B2B relationships (preparation of offers, negotiation of terms, maintenance of commercial contacts) – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

6.12.3. For statistical and analytical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR).

Personalised Products

6.13. In the case of orders for personalised products (involving the application of logos, graphics or modifications to product parameters), data contained in the technical specifications and graphic materials provided by the Customer is processed solely for the purpose of fulfilling the specific order concerned.

6.14. The Customer bears sole responsibility for holding all rights to the graphic materials and logos supplied. The detailed rules governing this matter are set out in the guapa.pl Shop Terms and Conditions.

7. Marketing

7.1. Personal Data is processed for the purpose of conducting marketing activities, which may involve:

  • displaying marketing content tailored to users' interests (behavioural advertising);
  • conducting direct marketing of goods and services (sending commercial information by electronic means);
  • communication by post or telephone.

Direct Marketing (e-mail, SMS, telephone)

7.2. Where consent has been given, data may be used to send marketing content to the user via various channels. The legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR) in conjunction with the consent provided.

7.3. Consent may be withdrawn at any time by clicking the unsubscribe link included in each commercial communication, or by contacting the Controller at the address given in Section 3. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

Marketing to B2B Customers

7.4. As a representative of a business entity that is a contractor of Guapa, you may receive information about products, new offerings and special offers on the basis of the legitimate interest of the Controller (Article 6(1)(f) GDPR). You have the right to object to such processing at any time (further details in Section 12).

Push Notifications

7.5. Where separate consent has been given for push notifications, the user may receive messages on their device or in their browser containing information about Guapa's offers and promotions. Consent may be withdrawn at any time via the browser or device settings.

8. Social Media

8.1. Personal Data is processed in respect of persons visiting profiles on social media platforms (e.g. LinkedIn, Facebook, Instagram). The processing of data in this regard is carried out under joint controllership with the operators of those platforms, within the scope defined by their respective terms of service and privacy policies.

8.2. Data of persons interacting with the profiles is processed for the purposes of communication, marketing activities and analytics, on the basis of the legitimate interest of the Controller (Article 6(1)(f) GDPR).

9. Cookie Information

What Are Cookies?

9.1. Cookies are small text files stored on the User's device by the browser when visiting the Website. Cookies facilitate the use of the Website, for example by remembering preferences and session information. The cookies used by the Controller are safe – they do not carry viruses or malicious software.

Types of Cookies

9.2. We use the following types of cookies:

Necessary (technical) – essential for the proper functioning of the Website (e.g. keeping the User logged in, managing the shopping cart). These cookies cannot be disabled.

Analytical – help us understand how Users interact with the Website (anonymous data). They allow us to identify features that require improvement.

Personalisation – enable analysis of User behaviour and preferences in order to personalise content and product recommendations.

Advertising – allow the customisation of displayed advertisements to User preferences (behavioural advertising), in cooperation with the Controller's advertising partners.

Cookie Retention Period

9.3. Session cookies – stored until the browser is closed. Persistent cookies – stored until deleted by the User or until a specified period has elapsed (as a rule, up to 60 days).

Managing Cookies

9.4. Only necessary cookies are required for the proper functioning of the Website. With regard to all other types of cookies, consent may be given or withdrawn at any time using the cookie management panel available on the Website, or via browser settings.

Our Partners – Cookies

9.5. Some cookies are placed by external partners. The current list of partners and the categories of cookies used by them is set out below:

Partner Entity Category Duration
Google Analytics Google Ireland Ltd. Analytics up to 60 days
Google Ads Google Ireland Ltd. Advertising up to 60 days
Meta (Facebook) Meta Platforms, Inc. Advertising up to 60 days
Hotjar Hotjar Limited Analytics up to 60 days
Microsoft Ads Microsoft Corporation Advertising up to 60 days
LinkedIn LinkedIn Ireland Unlimited Advertising up to 60 days

10. To Whom Do We Disclose Your Personal Data?

10.1. Personal Data may be disclosed to entities cooperating with us in the provision of services, in particular:

Logistics partners and couriers – to the extent necessary for the delivery or collection of goods.

Payment operators – to the extent necessary for the processing of the chosen payment method (bank transfer, advance payment).

IT and hosting service providers – in particular, entities providing hosting services for the Shop's website and technical infrastructure.

Marketing service providers – in the scope of sending commercial communications and conducting analytics (e.g. e-mail marketing tools, analytical systems).

Accounting firms and legal advisors – in the scope of financial, tax and legal services provided to Guapa.

Public authorities – where required by applicable law (e.g. tax authorities, social security institutions, law enforcement agencies on the basis of appropriate legal decisions).

10.2. Personal Data may be transferred to service providers established outside the European Economic Area (EEA). In each such case, the Controller ensures that the transfer is carried out lawfully and on the basis of appropriate safeguards (e.g. standard contractual clauses adopted by the European Commission). Detailed information about the destination countries and the safeguards applied is available upon request.

11. For How Long Do We Process Your Personal Data?

11.1. The period of data processing depends on the type of service provided and the purpose of processing:

  • Data processed for the purpose of performing a contract or fulfilling an order – for the duration of the contract or until it has been fully settled.
  • Data processed on the basis of legitimate interest – until a valid objection is raised or until that interest ceases to exist.
  • Data processed on the basis of consent – until consent is withdrawn.
  • Data processed for tax and accounting purposes – for the period required by law (as a rule, 5 years from the end of the financial year).
  • Data processed for the purpose of establishing, asserting or defending legal claims – until the potential claims become time-barred (as a rule, up to 3 years for claims arising under contracts between business entities).

11.2. Upon expiry of the applicable retention period, data is irreversibly deleted or anonymised.

12. What Are Your Rights?

12.1. In connection with the processing of personal data by the Controller, you are entitled to the following rights:

Right of Access You have the right to obtain confirmation as to whether, and to what extent, we process your Personal Data, as well as to receive a copy thereof.

Right to Rectification You have the right to request the correction of inaccurate Personal Data or the completion of incomplete Personal Data.

Right to Erasure ("Right to Be Forgotten") You have the right to request the erasure of Personal Data where it is no longer necessary for the purposes for which it was collected. This right is not absolute – the Controller may refuse erasure where a legal basis for continued processing exists.

Right to Restriction of Processing In certain circumstances, you have the right to request the restriction of processing operations carried out on your Personal Data (with the exception of storage).

Right to Data Portability With regard to Personal Data processed by automated means on the basis of a contract or consent, you have the right to receive such data in a structured, commonly used and machine-readable format, or to request its transmission to another controller.

Right to Object (Marketing) You may object at any time to the processing of your Personal Data for direct marketing purposes – no justification is required.

Right to Object (Other Purposes) You have the right to object to the processing of Personal Data carried out on the basis of legitimate interest (e.g. analytics) – such an objection should include grounds relating to your particular situation.

Right to Withdraw Consent Where Personal Data is processed on the basis of consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

Right to Lodge a Complaint If you consider that the processing of your Personal Data infringes applicable data protection law, you have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland)

Submitting Requests

12.2. Certain rights may be exercised directly – account holders have ongoing access to their data and may update it via their account panel.

12.3. All other requests may be submitted by contacting the Controller in the manner set out in Section 3 of this Policy. A response will be provided within 30 days of receipt of the request (with the possibility of a further 2-month extension in the case of particularly complex or numerous requests).

12.4. Where the Controller has reasonable doubts as to the identity of the person submitting a request, it may ask for additional information for the purposes of verification. Failure to provide such information may result in the refusal of the request.

12.5. A request may be submitted in person or through an authorised representative. For security reasons, the use of a power of attorney executed before a notary public, or certified by a legal counsel or advocate, is recommended.

13. Data Security

13.1. Appropriate technical and organisational measures are implemented to protect Personal Data against unauthorised access, loss, destruction or disclosure. In particular, the following measures are applied:

  • encryption of data transmissions using the SSL/TLS protocol;
  • access controls to IT systems and data;
  • regular testing, measurement and assessment of the effectiveness of technical and organisational measures;
  • procedures for responding to personal data breaches.

13.2. In the event of a personal data breach that is likely to result in a high risk to the rights or freedoms of natural persons, an appropriate notification will be issued without undue delay, in accordance with the requirements of the GDPR.

14. Amendments to the Privacy Policy

14.1. This Policy is reviewed on an ongoing basis and updated as necessary. Any amendments enter into force on the date of their publication on guapa.pl.

14.2. Users who hold an account on the Website will be notified of any material changes to this Policy by e-mail or by means of an appropriate notification displayed upon login.

14.3. Users are encouraged to review the current version of this Policy regularly; it is always available at guapa.pl.

14.4. The original and legally binding version of this Policy is the Polish-language version published at https://guapa.pl/polityka-prywatnosci. All translations are provided for informational purposes only. In the event of any discrepancy between language versions, the Polish version shall prevail.

Last updated: 18 May 2026