Privacy Policy

Last updated: 18 February 2026

This Privacy Policy explains how CRAVELLE sp. z o.o. ("Company", "We", "Us") collects, uses, stores, and protects personal data in connection with our Website and Services. We are committed to processing personal data lawfully, fairly, and transparently in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Polish data protection legislation.

1. Data Controller

CRAVELLE sp. z o.o.

Wiślana 8, 00-317 Warszawa, Poland

Email: cravelle.co@protonmail.com

For any questions regarding data protection or to exercise Your rights, please contact us at the email address above.

2. Categories of Personal Data We Collect

Depending on how You interact with us, we may collect the following categories of personal data:

Enquiry and contact data: name, email address, message content, and any other information You choose to provide when contacting us through the Website or by email.
Contractual and billing data: name, address, business details, NIP/tax identifiers, bank account details, and invoicing information, where necessary for the provision of Services and fulfilment of contractual obligations.
Technical and access logs: IP address, browser type and version, operating system, referral source, page visit data, and timestamps. This data is collected automatically by our hosting infrastructure.

We do not knowingly collect sensitive personal data (special category data) unless specifically required for a service engagement and provided voluntarily by You.

3. Purposes and Legal Bases for Processing

We process personal data for the following purposes:

To respond to enquiries and manage pre-contractual communications – Legal basis: performance of a contract or steps taken at Your request prior to entering into a contract (Art. 6(1)(b) GDPR).
To deliver Services and fulfil contractual obligations – Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
To comply with legal obligations (including tax, accounting, and record-keeping requirements) – Legal basis: legal obligation (Art. 6(1)(c) GDPR).
To maintain the security and functionality of our Website (including technical logs and protection against misuse) – Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest is the secure and reliable operation of our Website.
To handle complaints and legal claims – Legal basis: legitimate interest (Art. 6(1)(f) GDPR) and/or legal obligation (Art. 6(1)(c) GDPR).

Where processing is based on consent (e.g. if You voluntarily subscribe to a service update), You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4. Recipients of Personal Data

We may share personal data with the following categories of recipients, only to the extent necessary:

Hosting provider: our Website hosting infrastructure (Netlify) processes technical data to serve the Website.
Email service provider: enquiries submitted via the Website are processed through a form handling service (Formspree) and delivered to our email inbox.
Accounting and tax advisors: where required for invoicing, bookkeeping, and legal compliance.
Payment processors: if and when electronic payment processing is enabled, payment data may be processed by third-party payment service providers.
Public authorities: where we are legally required to disclose information (e.g. tax authorities, law enforcement).

We do not sell personal data to third parties. We do not share personal data for marketing purposes with unrelated third parties.

5. International Data Transfers

Some of our service providers may process data outside of the European Economic Area (EEA). Where such transfers occur, they are safeguarded by appropriate legal mechanisms, which may include:

European Commission adequacy decisions;
Standard Contractual Clauses (SCCs) approved by the European Commission;
Other lawful transfer mechanisms as permitted under the GDPR.

You may request further information about the safeguards in place by contacting us.

6. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

Enquiries and contact data: retained for up to 12 months from the date of the enquiry, unless a contractual relationship is established.
Contractual and billing data: retained for the duration of the contractual relationship and thereafter for as long as required by applicable legal obligations (typically 5–10 years for tax and accounting records under Polish law).
Technical and access logs: retained for 6–12 months for security and operational purposes.

Where data is no longer required, it will be securely deleted or anonymised.

7. Your Rights

Under the GDPR, You have the following rights in relation to Your personal data:

Right of access: You may request a copy of the personal data we hold about You.
Right to rectification: You may request that inaccurate or incomplete data be corrected.
Right to erasure ("right to be forgotten"): You may request deletion of Your personal data, subject to legal retention obligations.
Right to restriction of processing: You may request that we restrict the processing of Your data in certain circumstances.
Right to object: You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to data portability: Where processing is based on consent or contract and carried out by automated means, You may request Your data in a structured, commonly used, machine-readable format.
Right to withdraw consent: Where processing is based on consent, You may withdraw it at any time.

To exercise any of these rights, please contact us at: cravelle.co@protonmail.com

We will respond to Your request within one month, as required by the GDPR. In complex cases, this period may be extended by a further two months, and we will inform You of any such extension.

8. Right to Lodge a Complaint

If You believe that Your personal data has been processed in breach of the GDPR or applicable data protection law, You have the right to lodge a complaint with a supervisory authority. In Poland, the competent authority is:

Urząd Ochrony Danych Osobowych (UODO)

ul. Stawki 2, 00-193 Warszawa, Poland

Website: https://uodo.gov.pl

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted communications (HTTPS), access controls, and secure hosting infrastructure.

While we take reasonable steps to protect Your data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining a high standard of data protection.

10. Children

Our Services are not directed at, and are not intended for, children under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected personal data from a child under 18, we will take appropriate steps to delete it promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Any changes will be published on this page with an updated "Last updated" date. We encourage You to review this page periodically.

Contact

For any privacy-related questions or requests, please contact: cravelle.co@protonmail.com