Privacy Policy.
This policy explains what personal data we collect when you visit grospan.pro or use the Grospan platform, why we collect it, and the rights you have under the EU General Data Protection Regulation (GDPR).
Last updated: June 2, 2026
1. Who we are
The data controller is Grospan Sp. z o.o., ul. Mazowiecka 11/49, 00-052 Warszawa, Polska, registered in Poland. For any privacy question, write to [email protected].
2. What we collect
Account data
- First and last name, email, hashed password.
- Billing details when you purchase credits (company name, VAT ID, invoice address).
Usage data
- Pages visited, features used, credit consumption.
- Device and browser metadata (user-agent, screen size, language).
- IP address — truncated to the /24 subnet for analytics.
Communications
- Emails you send to support and our replies.
- Newsletter subscription status (only if you opt in).
3. Why we collect it (legal bases)
- Contract (Art. 6(1)(b) GDPR) — to provide the Grospan service you signed up for.
- Legal obligation (Art. 6(1)(c)) — invoicing and tax records (kept 5 years).
- Legitimate interest (Art. 6(1)(f)) — fraud prevention, product analytics, security logs.
- Consent (Art. 6(1)(a)) — marketing emails and non-essential cookies. Withdraw anytime.
4. Who we share data with
We never sell personal data. We share it only with vetted sub-processors strictly necessary to run the service:
- Cloud hosting in the EU (Frankfurt, Warsaw).
- Payment processors (for the bank-transfer flow this is limited to your bank's IBAN reference).
- Transactional email provider (account, billing, password reset).
A current list of sub-processors is available on request.
5. International transfers
Data stays in the European Economic Area by default. If a sub-processor operates outside the EEA, we rely on the European Commission's Standard Contractual Clauses (2021/914) and run a transfer impact assessment.
6. Retention
- Account data: until you delete your account, plus 30 days for backups.
- Invoices and tax records: 5 years (Polish accounting law).
- Security logs: 12 months.
- Anonymised analytics: indefinitely.
7. Your rights
Under GDPR you can:
- Access the data we hold about you.
- Correct inaccurate data.
- Request deletion ("right to be forgotten").
- Restrict or object to processing.
- Export your data in a portable format.
- Withdraw consent at any time.
- Lodge a complaint with your supervisory authority — in Poland, the UODO (uodo.gov.pl).
Send any request to [email protected]; we reply within 30 days.
8. Security
We encrypt data in transit (TLS 1.3) and at rest (AES-256). Passwords are hashed with Argon2id. Access to production systems is limited, audited, and requires hardware security keys.
9. Changes to this policy
Material changes are announced by email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.