Privacy and Cookies Policy

§ 1
Introduction - Data Controller of the website www.grana.pl

  1. The data controller for personal data collected and processed through the website www.grana.pl (hereinafter referred to as the "Website") is GRANA Sp. z o.o., ul. Piłsudskiego 1, 32-050 Skawina (hereinafter referred to as the "Controller"), Registration Court: District Court for Krakow – Śródmieście in Krakow, 12th Commercial Department of the National Court Register, KRS: 0000086375 NIP: 6830010597 REGON: 350648900, share capital PLN 10,500,000.00, BDO registered number: 000016649, e-mail: rodo@grana.pl.
  2. The Controller has appointed a Data Protection Officer (DPO) who can be reached via email at rodo@grana.pl or by mail to the Controller's registered office address. The DPO can be contacted for any questions regarding the processing of personal data or for exercising rights related to personal data processing.
  3. The Controller processes collected personal data in accordance with security principles, including but not limited to compliance with:
    • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as: GDPR.
    • the Polish Act on Providing Electronic Services of July 18, 2002;
    • the Polish Telecommunications Act of July 16, 2004;
    • the Polish Data Protection Act of May 10, 2018.
  4. The Controller is aware of the potential risks associated with processing personal data online and undertakes all necessary precautions to ensure the privacy and security of website users. All tools are chosen to provide adequate protection for the processing of personal data as required by law.
  5. Data is processed solely in electronic form.
  6. The Controller is responsible for ensuring adherence to all data protection policies and regulations.

§ 2
Scope of Personal Data Processed by the Controller on the Website

  1. Upon a User's consent provided by clicking the appropriate button on the cookies notification displayed when first entering the Website, the Controller will process data concerning the User's behavior on the Website.
  2. If the User contacts the Controller through the contact form available on the Website’s contact page or by any other means, the Controller processes the data provided by the User for contact purposes, which may include the User's name, phone number, and email address.

§ 3
Personal Data Security

  1. The Controller implements and operates all necessary organizational and technical measures to ensure appropriate protection of personal data from unauthorized access, unauthorized retrieval, unlawful processing, alteration, loss, damage, or destruction.
  2. Access to the personal data collected on the Website is restricted to authorized personnel and data recipients who possess formal, documented authorization from the Controller. The Controller’s DPO maintains a registry of authorized individuals, which includes names, dates of authorization and expiration, scope of authorization, and system access identifiers.
  3. Access to the IT system where personal data is stored is protected by passwords known only to the Controller and authorized personnel.
  4. The Controller employs technical measures to prevent unauthorized access to and modification of personal data transmitted electronically. This includes:
    • denying system access without a password, stored in encrypted form only;
    • monitoring all operations performed on the personal data records;
    • prohibiting the use of simple passwords, requiring at least eight characters, including at least one numeral.

§ 4
Cookies

  1. The Website may use cookies – files containing data saved by the Controller's server on the User's computer. Using cookies simplifies the User's experience on the Website and enhances the quality of the Website’s services by storing User preferences. If consent is granted by clicking the appropriate button on the cookies notification, cookies are used for statistical purposes (collecting usage statistics), analyzing User behavior, and marketing (displaying ads aligned with the User's preferences).

  2. Two main types of cookies are used on the Website: "session cookies," which are temporary and stored on the User's device until they leave the website or close the browser, and "persistent cookies," stored until a specified expiration date or until deleted by the User.

  3. Types of cookies used on the Website include:
    • "necessary" cookies, enabling access to the Website’s content;
    • "functional" cookies, with the User's consent, enabling the storage of selected User settings, such as language preference, font size, and video display;
    • "statistical" cookies, with the User's consent, for generating usage statistics; these may include third-party cookies;
    • "performance" cookies, with the User's consent, for understanding and analyzing Website performance indicators, helping to enhance User experience;
    • "advertising" cookies, with the User's consent, for delivering targeted ads based on browsing history and third-party cookies.
  4. A detailed description of cookies used on the Website is available in the cookies notification, listing cookies, their purposes, and storage duration.
  5. In many cases, software used for browsing websites (web browser) by default permits the storage of cookies on the User's end device. Service Users may change cookie settings at any time. These settings can be modified, in particular, to block the automatic handling of cookies in the web browser settings or to notify about each placement of cookies on the User's device. Detailed information on the options and methods for handling cookies is available in the software (web browser) settings.
  6. The use of cookies does not allow for the collection of any personal or address data of the User or any confidential information from their computer. The use of cookies is not possible when the option to save cookies is disabled in the web browser. In general, this does not prevent browsing the Service, although it may cause certain difficulties, including slowing down the Service's operation.
  7. Due to the functionality of the Service, cookies are transmitted to Google Analytics (Google LLC). Google LLC uses cookies to identify sessions – the cookies transmitted to Google LLC do not store or transmit any personal data. Detailed information about how Google LLC uses data from websites and applications that use Google LLC services is available at policies.google.com. The Administrator also informs Users of the possibility of blocking the Google Analytics tracking code by installing a browser add-on for blocking Google Analytics, provided by Google LLC at tools.google.com.
  8. Due to the functionality of the Service, cookies are also transmitted to YouTube (YouTube is operated by Google LLC). Google LLC uses the information collected through cookies related to YouTube videos embedded on the Service’s pages to ensure the proper and secure functioning of the widget, to analyze and optimize the services provided by YouTube, and for personalization and advertising purposes. Playing videos from YouTube means using services provided electronically by Google LLC (YouTube’s terms of service are available at youtube.com, and Google LLC’s privacy policy is available at policies.google.com).
  9. The Controller is not responsible for the privacy practices of any external websites linked on the Website.

§ 5
Logs

  1. Information on certain User activities is logged in the server layer of the Website.
  2. The browsed resources are identified by URLs. Additionally, the following data may be recorded:
    • the time of request,
    • the time of response,
    • the client station name – identified via the HTTP protocol,
    • information on errors that occurred during the HTTP transaction,
    • the URL of the page previously visited by the user (referrer link) – in cases where access to the Service occurred via a link,
    • information about the User’s browser,
    • information about the IP address.
  3. This data is not associated with specific individuals browsing the Website and is not used to identify Users.
  4. Logs are used solely for the purpose of Website administration, with access restricted to authorized server administrators.

§ 6
Purposes, Basis, and Methods of Processing Personal Data

  1. Data collected when the User uses the contact form on the Website is used to enable contact between the Administrator and the User, based on Article 6(1)(f) of the GDPR (legitimate interest of the Administrator). In cases where electronic correspondence from the User is handled outside the contact form, the data provided by the User in such correspondence is also processed based on Article 6(1)(f) of the GDPR (legitimate interest of the Administrator).
  2. Data contained in cookies is processed by the Administrator to enable the functioning of the Website. If the User consents to the use of:
    • functional cookies – the Administrator will process data contained in these cookies to ensure the full functionality of the Website;
    • statistical cookies – the Administrator will process data contained in these cookies to understand how Users interact with the Website (statistical cookies provide information on metrics like visitor numbers, bounce rates, traffic sources, etc.);
    • performance cookies – the Administrator will process data contained in these cookies to understand and analyze key performance indicators of the Website, which helps improve the user experience for visitors;
    • advertising cookies – the Administrator will process data contained in these cookies to deliver personalized ads to Users based on pages they previously visited and to analyze the effectiveness of advertising campaigns.
  3. User data may be transferred to:
    • providers responsible for maintaining IT systems ensuring the operation of the Website, including hosting providers and marketing agencies (for marketing services);
    • collaborators, IT service providers, and software providers; 
    • other Administrator subcontractors, if the scope of their activities requires access to User data;
    • other entities authorized to access personal data by applicable law.
  4. The Administrator uses IT services provided by a U.S.-based entity. To utilize these services, the Administrator's subcontractor must have access to personal data managed by the Administrator, which results in the transfer of personal data to another country, i.e., the U.S. Although the U.S. does not adhere to European personal data protection regulations, it is recognized as providing adequate protection when data transfer occurs within the "Data Privacy Framework." Since personal data is transferred under the Data Privacy Framework, it will be protected as if processed in Poland. Detailed information can be found here: dataprivacyframework.gov or by contacting the Administrator.
  5. The Administrator processes Users’ personal data for the duration of their use of the Website or as long as necessary to fulfill the purposes for which personal data was collected. Additionally, personal data will be stored by the Administrator for the period in which potential claims are resolved or might arise and have not yet expired.
  6. Data from cookies will be processed, in the case of session cookies, until the session expires, and, in the case of persistent cookies, until consent is withdrawn or the cookies are deleted from the end device.
  7. Providing personal data in the contact form (email address) is a requirement for using this function of the Website. In other respects, providing data is voluntary.

§ 7
User Rights

  1. The User has the right, at any time, to: 
    • request access to their personal data from the Administrator,
    • request rectification of their personal data from the Administrator,
    • request deletion of their personal data from the Administrator,
    • request restriction of data processing from the Administrator,
    • object to data processing (in cases where personal data processing is based on the Administrator's legitimate interest),
    • data portability (for data processed based on the User’s consent or contract and in an automated manner), 
    • withdraw consent for personal data processing (if consent was previously given; without affecting the lawfulness of processing based on consent before its withdrawal),
    • file a complaint with a supervisory authority (if the User believes that the Administrator processes data unlawfully, they may lodge a complaint with the President of the Personal Data Protection Office or other relevant supervisory authority).
  2. If consent is given to use cookies for functional, statistical, performance, or advertising purposes, consent may also be withdrawn by clicking on this link and selecting the appropriate options.
  3. Consent withdrawal for data processing in relation to cookies can also occur through the appropriate modification of cookie settings in the User's browser.
  4. User rights are exercised upon their request sent to the email address rodo@grana.pl. If the User deems this solution insufficient, they may contact the Administrator in writing at the following address: ul. Piłsudskiego 1, 32-050 Skawina.
  5. Exercising the right to delete data involves the prompt removal of data, including from records kept by the Administrator, in accordance with legal regulations.
  6. The Administrator may refuse to delete the User’s data in cases specified in Article 17(3) of the GDPR, including where there is suspicion that the User's behavior has violated this Privacy Policy and Cookie Policy or applicable law, and the retained information may contribute to determining the User's liability.
  7. Personal data portability is carried out as follows:
    • The Administrator transfers data in a "structured," "commonly used," and "machine-readable" format, such as XML, JSON, CSV; 
    • if the Administrator determines that the User is not entitled to the right to data portability in a particular situation and therefore does not intend to take action in response to the User’s request, the Administrator will inform the User of the reasons for not taking action.
  8. User personal data is not used for automated decision-making, including profiling.

§ 8
Final Provisions

  1. This Privacy and Cookie Policy is effective from October 30, 2024.
  2. The Administrator reserves the right to amend the Privacy and Cookie Policy for valid reasons, which may include, in particular, changes in legislation or technological advancements. Links to archived versions of the Privacy and Cookie Policy are provided below.

Archived version of the Privacy and Cookie Policy in effect until October 30, 2024.