EFFECTIVE DATE: 28.05.2026

1. Data Controller

The data controller responsible for your personal data is:

Barbershop InGlobal Group Sp. z o.o.

ul. Franciszka Klimczaka 6A lok. U3, 02-797 Warszawa, Poland

KRS: 0000791542  |  NIP: 9512486223

Data protection contact: privacy@groomkit.pro

2. Data Protection Officer (DPO)

Based on the nature and scale of GroomKit Pro’s data processing activities, the formal appointment of a Data Protection Officer is not mandatory under Article 37 of the GDPR. All data protection enquiries, rights requests, and complaints should be directed to privacy@groomkit.pro.

3. Personal Data We Collect

3.1. Data You Provide

  • Name and email address (provided at checkout or newsletter sign-up).
  • Billing address (required for VAT compliance and fraud prevention).
  • Payment data: payment card details and PayPal credentials are processed directly by Stripe and PayPal respectively. GroomKit Pro does not receive, store, or have access to raw card data.

3.2. Data Collected Automatically

  • IP address, browser type and version, operating system.
  • Pages visited, time on site, referral source, and navigation behaviour.
  • Google Analytics 4 data (subject to your cookie consent — see Section 10).
  • Session and security cookies necessary for checkout functionality.

3.3. Data We Do Not Collect

We do not collect special category data (as defined by GDPR Article 9), including data concerning health, racial or ethnic origin, political opinions, religious beliefs, or biometric data.

4. Legal Basis for Processing (GDPR Art. 6)

Legal Basis | GDPR Reference | Processing Activity
Contract Performance | Art. 6(1)(b) | Order processing, payment, product delivery, order confirmations.
Legal Obligation | Art. 6(1)(c) | VAT and tax records retention (5 years, Polish tax law).
Legitimate Interests | Art. 6(1)(f) | Fraud prevention, security monitoring, basic service analytics.
Consent | Art. 6(1)(a) | Google Analytics 4 (analytics cookies) and marketing emails (newsletter).

5. Purposes of Processing

  • Order fulfilment: processing your purchase and delivering the Product.
  • Payment processing: transmitting transaction data to Stripe or PayPal.
  • Customer support: responding to enquiries, complaints, and defect reports.
  • Legal and tax compliance: maintaining records required by Polish and EU tax law.
  • Website analytics: understanding aggregate usage patterns via Google Analytics 4 (consent required).
  • Fraud detection and security: monitoring for suspicious transactions and unauthorised access.
  • Email marketing: sending newsletters and promotional communications to opted-in subscribers only (consent required; see Section 5.1 below).

5.1. Email Marketing — Consent Basis

Marketing emails are sent exclusively on the basis of freely given, specific, informed, and unambiguous consent obtained via the standalone newsletter sign-up form on groomkit.pro. Consent is recorded with a timestamp and source identifier (page URL and form name). Consent may be withdrawn at any time via the unsubscribe link in any marketing email, or by contacting privacy@groomkit.pro. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal (GDPR Art. 7(3)).

Marketing emails are sent via Mailchimp (see Section 7 for processor details).

6. Data Retention

Data Category | Retention Period
Purchase records (name, email, billing, order details) | 5 years from transaction date (Polish tax law)
Customer support correspondence | 2 years from resolution of the support request
Google Analytics 4 data | Maximum 14 months (as configured in GA4 account settings)
Newsletter subscriber data | Until consent is withdrawn. Withdrawn consent records retained for 3 years as proof.
Cookie consent records | 12 months or until consent is revised

7. Third-Party Data Processors

GroomKit Pro engages the following data processors under written Data Processing Agreements (DPAs):

7.1. Stripe, Inc. (USA)

Purpose: Payment processing. Data shared: name, email, billing address, transaction data. Privacy policy: stripe.com/privacy. International transfer safeguard: Standard Contractual Clauses (SCCs). Stripe is PCI-DSS compliant.

7.2. PayPal Holdings, Inc. (USA)

Purpose: Payment processing. Data shared: name, email, billing address, transaction data. Privacy policy: paypal.com/privacy. International transfer safeguard: Standard Contractual Clauses (SCCs).

7.3. Google LLC (USA) — Google Analytics 4

Purpose: Website analytics and performance monitoring. Data shared: anonymised IP address (IP anonymisation enabled), browser data, page visit data, interaction data. Privacy policy: policies.google.com. International transfer safeguard: Standard Contractual Clauses (SCCs). Note: GA4 is configured with IP anonymisation enabled and is not activated until analytics cookie consent is granted by the visitor.

7.4. Mailchimp (The Rocket Science Group LLC, USA)

Purpose: Email marketing and newsletter distribution. Data shared: name and email address of opted-in subscribers, consent timestamp, subscription source. Privacy policy: mailchimp.com/legal/privacy. International transfer safeguard: Standard Contractual Clauses (SCCs). Data is processed by Mailchimp only for subscribers who have provided explicit consent via the newsletter form.

7.5. LH.pl Sp. z o.o. (Poland) — Website Hosting

Purpose: Provision of web hosting infrastructure for groomkit.pro, including server storage, bandwidth, and technical availability of the website. Data stored on LH.pl servers may include: website files, database content, server access logs (IP addresses, timestamps, request data), and any data submitted via website forms or stored in the website database (e.g., order records, contact messages).

Processor details: LH.PL Sp. z o.o., Pl. Wolności 6/4, 61-738 Poznan, Poland. NIP: 7831711517 | KRS: 0000503852. Data Protection Officer: iod@lh.pl. Privacy policy: lh.pl/regulaminy/5,polityka-prywatnosci.

Country of processing: Republic of Poland (European Union). No international data transfer occurs — LH.pl is an EU-based processor and data remains within the EEA. LH.pl processes data in compliance with GDPR and holds ISO 9001 and ISO 27001 certifications (licence numbers IS 786067 / FS 786068).

7.6. Mailchimp / The Rocket Science Group LLC (USA) — Transactional & Marketing Emails

Purpose: Mailchimp serves a dual function for GroomKit Pro: (a) Transactional emails — delivery of order confirmation emails and product download links upon purchase (processed under contract performance, Art. 6(1)(b) GDPR); and (b) Marketing emails — distribution of newsletters and promotional communications to opted-in subscribers only (processed under consent, Art. 6(1)(a) GDPR).

Processor details: The Rocket Science Group LLC (trading as Mailchimp), 405 N. San Fernando Blvd., Burbank, CA 91502, USA. Parent company: Intuit Inc. Privacy policy: mailchimp.com/legal/privacy.

Data shared: For transactional emails — name and email address of purchaser, order reference. For marketing emails — name and email address of opted-in subscriber, consent timestamp, subscription source. GroomKit Pro does not share payment card data, billing addresses, or other purchase details with Mailchimp beyond what is necessary for delivery purposes.

International transfer safeguard: Transfers of personal data from the EEA to the USA are conducted under Standard Contractual Clauses (SCCs) as approved by the European Commission, and/or under Mailchimp’s participation in applicable data transfer frameworks. Mailchimp maintains appropriate technical and organisational security measures in accordance with GDPR Article 32.

8. International Data Transfers

Stripe, PayPal, Google, and Mailchimp are based in the United States. Transfers of personal data to these processors are conducted under Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an adequate level of data protection equivalent to that required within the EEA. LH.pl, as an EU/Poland-based provider, does not involve any international data transfer. All processors are required to maintain appropriate technical and organisational security measures.

9. Your Rights Under GDPR (Articles 15–22)

As a data subject, you have the following rights with respect to your personal data:

Right | Description
Access (Art. 15) | Request a copy of the personal data we hold about you.
Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data.
Erasure (Art. 17) | Request deletion of your data where there is no compelling reason for its continued processing.
Restriction (Art. 18) | Request restriction of processing in certain circumstances.
Portability (Art. 20) | Receive your data in a structured, machine-readable format for transfer to another controller.
Object (Art. 21) | Object to processing based on legitimate interests, including direct marketing.
Automated Decisions (Art. 22) | Not to be subject to solely automated decisions that significantly affect you.

To exercise any of these rights, email privacy@groomkit.pro with your name, email address, and a clear description of your request. We will respond within 30 calendar days of receipt. In complex cases, this period may be extended by a further 60 days; we will notify you if this applies.

You also have the right to lodge a complaint with the Polish supervisory authority, the Urząd Ochrony Danych Osobowych (UODO), at uodo.gov.pl.

10. Cookie Policy

10.1. Categories of Cookies

Category | Consent Required? | Description
Strictly Necessary | No | Session management, security tokens, checkout process. Cannot be disabled.
Functional | No | Language preferences, user interface settings.
Analytics (GA4) | Yes | Google Analytics 4 — aggregate usage statistics. Not activated until consent is given.
Marketing | N/A | No marketing cookies are currently used on groomkit.pro.

10.2. Consent Mechanism

A cookie consent banner is displayed on your first visit to groomkit.pro, providing clear Accept and Reject options for non-essential cookies. Google Analytics 4 will not be activated until analytics consent is granted. Your consent preferences are stored for 12 months and can be revised at any time via the cookie settings link in the website footer.

11. Children’s Privacy

groomkit.pro is not directed at children under the age of 16. We do not knowingly collect personal data from individuals under 16 years of age (GDPR Article 8). If you believe that we have inadvertently collected data from a child under 16, please contact privacy@groomkit.pro immediately and we will take steps to delete such data promptly.

12. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:

  • SSL/TLS encryption for all data transmitted between your browser and our servers.
  • Access controls limiting personal data access to authorised personnel only.
  • Data minimisation principles — we collect and retain only what is necessary.
  • All payment data is handled exclusively by Stripe and PayPal, both of which are PCI-DSS compliant.

No method of transmission over the internet or method of electronic storage is 100% secure. Whilst we use commercially reasonable measures to protect your data, we cannot guarantee absolute security.

13. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via email (to addresses held on record) or via a prominent notice on groomkit.pro at least 30 days before taking effect. The “Effective Date” at the top of this document indicates when the current version came into force.

14. Contact

For all data protection and privacy enquiries: privacy@groomkit.pro

Postal address: Barbershop InGlobal Group Sp. z o.o., ul. Franciszka Klimczaka 6A lok. U3, 02-797 Warszawa, Poland

Polish supervisory authority (UODO): uodo.gov.pl