Privacy policy
(effective from 20 June 2025)
I. INTRODUCTION
- Grawiton spółka z ograniczoną odpowiedzialnością with its registered office in Grodzisk Mazowiecki at ul. Gen. L. Okulickiego 21, 05-825 Grodzisk Mazowiecki is the controller of personal data collected via the Website available at https://grafit.biz.pl (hereinafter referred to as the “Website”), i.e. the entity deciding on how your personal data will be used (hereinafter referred to as the “Controller”).
Contact with the Controller:- e-mail: manager@grafit.biz.pl,
- correspondence address: Grawiton sp. z o.o., ul. Gen. L. Okulickiego 21, 05-825 Grodzisk Mazowiecki.
The Controller is responsible for the security of the personal data transferred and for the processing thereof in accordance with the law.
- In matters relating to the processing of personal data and the exercise of data subjects’ rights resulting from the personal data protection regulations, you can contact the Controller using the e-mail address: manager@grafit.biz.pl or the correspondence address provided above.
- Your personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”) and other currently applicable personal data protection regulations.
- During your visit to the Website, the following information is collected:
- personal data provided by the user of the Website,
- data obtained and recorded automatically.
- The purpose and scope of personal data used by the Controller are specified in detail hereinafter.
II. COLLECTED DATA – BASIC INFORMATION
- The information below refers to all the methods of using your personal data by the Controller, as specified in Chapters III and IV.
- Personal data will not be used by the Controller to make decisions based solely on automated processing of personal data, including profiling within the meaning of Article 22 of the GDPR.
- While maintaining all data security guarantees, personal data processed via the Website may be transferred to other entities, including:
- entities authorized to receive it in accordance with legal regulations,
- entities processing them on behalf of the Controller, e.g. providers of IT support services and suppliers of software or IT and technical services, hosting service providers, analytical service providers, including those providing the Controller with IT solutions for user service,
- other data controllers to the extent necessary to perform the contract, provide services and meet legal requirements, e.g. entities providing accounting, legal or auditing, marketing, postal and courier services, other contractors providing services to the Controller on the basis of concluded contracts, including advisory services.
- The Controller will not transfer your personal data to countries outside the European Economic Area (countries other than European Union countries and Iceland, Norway and Liechtenstein).
- The Controller informs that in connection with the processing of personal data obtained via the Website, each data subject has the right to submit a request regarding:
- access to data (including obtaining information on what data is processed by the Controller and to what extent, as well as obtaining a copy thereof – details: Article 15 of the GDPR),
- rectification of data (i.e. its correction if the data processed by the Controller is incorrect or incomplete – details: Article 16 of the GDPR),
- deletion of data (e.g. if the data is no longer necessary to achieve the purposes for which it was collected or the Controller has no legal basis for processing the data – details: Article 17 of the GDPR),
- restriction of data processing (e.g. if you question the accuracy of the personal data used by the Controller, if the data is no longer needed by the Controller but must be processed due to your claims – details: Article 18 of the GDPR),
- objection to the processing of personal data, including profiling (if personal data is processed on the basis of the legitimate interest of the Controller or is used for direct marketing purposes – details: Article 21 of the GDPR),
- transfer of data to another controller (if the processing of data provided to the Controller is carried out in an automated manner, on the basis of consent or on the basis of a contract – details: Article 20 of the GDPR),
- if the processing is based on consent (e.g. consent to use data for marketing purposes, consent to use image), you have the right to withdraw your consent at any time in any manner (however, the withdrawal of consent does not affect the processing of data that took place before the declaration of withdrawal of consent was made).
- Every person whose data is processed also has the right to lodge a complaint with the President of the Personal Data Protection Office (supervisory authority) if they believe that the processing of personal data violates the law (more information available at: https://uodo.gov.pl/pl/83/155).
- The data was obtained by the Controller directly from you. The Controller may also process:
- personal data of other people provided by the user of the Website when using the services described in this Privacy Policy,
- personal data obtained from entities with whom the Controller cooperates, on the basis of concluded contracts (e.g. data of persons participating in events organized by the Controller),
- personal data obtained from other entities cooperating with the Controller, where the data was shared with the Controller based on your consent,
- data obtained from publicly available sources, e.g. from the National Court Register, Central Registration and Information on Economic Activity (CEIDG), websites.
III. PERSONAL DATA PROVIDED BY THE USER
III. A. E-MAIL OR BY PHONE CONTACT DETAILS
- The Controller processes personal data, in particular name and surname, telephone number, e-mail address and other information provided by you, to the extent necessary to process applications and respond to inquiries, including to communicate and answer questions asked, with the use of the e-mail address and contact telephone number provided on the Website (legal basis: Article 6 (1) (f) of the GDPR – legitimate interest).
- Provision of data is voluntary, but necessary to respond to the submitted question or to properly handle the application and comply with your request. Failure to provide personal data may result in the inability to respond or handle comply with your request.
- The Controller has the right to process personal data for the period necessary to process the notification and fulfil the query, including responding to the sent message or dealing with matters in connection with which correspondence or telephone conversation is conducted.
III. B. CONTACT FORM
- The Controller may collect your personal data via the contact form available on the Website, in particular:
- e-mail address,
- IP address,
- other information you provide via the form (e.g. first name, telephone number).
- The Controller processes personal data only to the extent necessary:
- to receive and process the application, including to communicate and respond to applications and questions submitted via the contact form (legal basis: Article 6 (1) (f) of the GDPR – legitimate interest),
- to establish contact (via the selected communication channel) and to prepare and present a dedicated offer in response to the request of the Website user submitted via the form (legal basis: Article 6 (1) (b) of the GDPR – taking action at the request of the data subject before concluding a contract).
- The Controller has the right to process personal data for the period necessary to achieve the above-mentioned purposes. Depending on the legal basis, this will be:
- the time necessary to process the application and handle the request sent by the user via the contact form,
- the time necessary to prepare and deliver a dedicated offer.
- Provision of the personal data indicated in the contact form is voluntary, but necessary for the proper handling of the application, responding to the submitted request, or preparing and presenting a dedicated offer. Failure to provide personal data may result in the inability to respond, handle your request or present an offer.
III. C. USER ACCOUNT REGISTRATION AND PURCHASE OF A GYM PASS VIA THE WEBSITE
- The Controller processes personal data provided by you in the course of registering a user account and purchasing a gym pass via the “Buy Pass” (“Kup Karnet”) tab, in particular: name and surname, telephone number, e-mail address, date of birth, other data provided voluntarily by the user.
- Data is processed for the purpose of:
- registering and maintaining a user account,
- conclusion and performance of a contract on maintaining a user account on the Website (legal basis: Article 6 (1) (b) of the GDPR – performance of a contract or actions prior to the conclusion thereof),
- conclusion and performance of a contract for the use of services of a sports club (legal basis: Article 6 (1) (b) of the GDPR – performance of a contract),
- complying with obligations arising from legal regulations, including those relating to documenting transactions and settlements (legal basis: Article 6 (1) (c) of the GDPR – legal obligation incumbent on the controller),
- complying with legal obligations related to withdrawal from a contract concluded at a distance (legal basis: Article 6 (1) (c) of the GDPR – legal obligation incumbent on the controller).
- The Controller has the right to process personal data:
- for the duration of contract on maintaining a user account on the Website and the contract for the use of services of a sports club, and for the time necessary to perform the obligations arising therefrom,
- until the expiry of the limitation period for claims.
- Provision of personal data is voluntary, but necessary to register an account, purchase a gym pass and use the club’s services. Failure to provide data will result in the inability to use these services.
III. D. REGISTRATION FOR PERSONAL TRAINING
- The Controller may process personal data provided by you in order to register for personal training, in particular: name and surname, telephone number, e-mail address, age or date of birth, other data provided voluntarily by the user.
- Data is processed for the purpose of:
- handling the registration for personal training,
- concluding and performing a contract for the use of services of a sports club (legal basis: Article 6 (1) (b) of the GDPR – performance of a contract or actions prior to the conclusion thereof),
- exchanging messages related to setting a training date or conducting it (legal basis: Article 6 (1) (f) of the GDPR – legitimate interest of the controller).
- The data will be processed for the period necessary to perform the contract and to pursue or defend against any potential claims.
- Provision of data is voluntary, but necessary to sign up for training. Failure to provide it prevents the registration and provision of the service.
III. E. REGISTRATION OF A TRAINER ACCOUNT AND PURCHASE OF A TRAINER PASS
- The Controller processes personal data provided by persons registering as trainers, in particular: name and surname, telephone number, e-mail address, PESEL number, address of residence, other data provided voluntarily by the user.
- Data is processed for the purpose of:
- registering a trainer account,
- purchasing a trainer pass,
- concluding and performing a contract for the use of services of a sports club (legal basis: Article 6 (1) (b) of the GDPR – performance of a contract or actions prior to the conclusion thereof),
- compliance with obligations arising from legal regulations, including those relating to documenting transactions and settlements (legal basis: Article 6 (1) (c) of the GDPR – legal obligation incumbent on the controller).
- The data will be processed for the duration of the contract and until the expiry of the limitation period for claims, and for the period resulting from fiscal or accounting regulations.
- Provision of data is voluntary, but necessary to conclude a contract and purchase a trainer pass. Failure to provide it will prevent using the offer for trainers.
III. F. USE OF IMAGE
- The Controller informs that in connection with the conducted activity, the image of natural persons (in particular clients, event participants, guests of the sports club and trainers cooperating with the Controller) may be recorded and used in the form of photographs, audio-video recordings or live broadcasts, made on the premises of the Controller or during events organized by the Controller.
- The image may be used by the Controller for promotional, marketing, information, documentation and archival purposes – in particular through publication on the Controller’s website, in social media, printed or digital materials.
- In the case of trainers or other persons cooperating with the Controller, image processing may also serve to promote their professional activities and the offer of services provided on the premises of the club or as part of the club’s activity.
- Image processing is based on:
- Article 6 (1) (a) of the GDPR – voluntary, prior consent of the data subject,
- Article 6 (1) (f) of the GDPR – legitimate interest of the Controller consisting in conducting promotional and marketing activities (in the case of public events – group photos or information materials).
- Expressing consent to the use of the image is voluntary and the consent may be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
- The person whose image is processed has all the rights specified in Chapter II, point 5 of this Privacy Policy, including the right to access data, rectify it, delete it, limit its processing, object and lodge a complaint with the supervisory authority.
- If a person does not consent to the recording or publication of his/her image, he/she should inform the Controller directly, and in the case of participation in events – also the providers of photo services or organizers.
IV. DATA COLLECTED AUTOMATICALLY
- Use of the Website available at https://grafit.biz.pl involves sending queries to the server, which are automatically saved in event logs.
- Event logs record data relating to user sessions. This in particular includes: IP address, device type and name, information about the web browser and operating system, date and time of visits to the Website.
- Data recorded in event logs is not associated with specific individuals.
- Access to the contents of event logs is available to persons authorized by the Controller to administer the Website.
- A chronological record of information about events is only auxiliary material used for administration purposes. Analysis of event logs allows in particular detecting threats, ensuring proper security of the Website and creating statistics to learn how the Website is used by its users.
- Data relating to user sessions is used by the Controller to diagnose problems related to the functioning of the Website and to analyze possible security breaches, to manage the Website and to prepare statistics (legal basis: Article 6 (1) (f) of the GDPR – legitimate interest).
- We use cookies on the Website. More information can be found in the “Cookie Policy” available at https://grafit.biz.pl/en/cookie-policy/.
V. FINAL PROVISIONS
- This Privacy Policy is for informational purposes and applies in particular to the Controller’s Website operating at https://grafit.biz.pl.
- The Website may contain links to other websites, in particular to the websites of service providers and partners of the Controller, social networking sites (Facebook, Instagram). The Controller recommends that each user, after going to the websites of other entities, should read the privacy policies applicable to such websites.
- The Controller reserves the right to introduce changes to the applicable version of the Privacy Policy, in particular in the case of:
- technology development,
- changes to generally applicable legal regulations, including those relating to personal data protection or information security,
- development of the Website, including the implementation of new services and functionalities.
- The Controller will notify users of relevant changes to the content of the Privacy Policy, in particular by posting an announcement on the Website.