Version 1.0 · Effective 1 June 2026

Privacy Policy

How Grasperly handles personal data of website visitors, prospects, candidates, and the contact persons at our customers. Customer Data submitted to the Platform is separately governed by the DPA.

English is the binding text · Polish is provided for convenience

This Privacy Policy explains how Grasperly Sp. z o.o. ("Grasperly", "we", "us"), registered office at ul. Tczewska 4a/78, 01-674 Warszawa, Poland (KRS 0001238012, NIP 7152366483), collects, uses, and shares personal data in its capacity as a controller of that data. We are subject to Regulation (EU) 2016/679 (the "GDPR") and the Polish Personal Data Protection Act of 10 May 2018.

Scope. This policy covers personal data we process about (i) visitors to grasperly.com and our other public web properties; (ii) prospective customers and the contact persons at our customers; (iii) candidates who apply to work at Grasperly; (iv) attendees at events we host or sponsor; and (v) the Authorised Users of our Platform in respect of their account-management data.

Out of scope. This policy does not cover Customer Data submitted to the Grasperly Platform. For that data, our customer is the controller and we act as processor under the Data Processing Agreement. Questions about Customer Data should first be raised with the customer who controls it; we will assist customers in responding to data-subject requests as set out in the DPA.

Plain-English summary. We do the minimum necessary to run a business. No advertising trackers on grasperly.com, no profile-building, no sale of personal data, no transfer of personal data outside the EEA except under safeguards. You have the right to access, correct, delete, port, restrict, and object to processing of your personal data — and to complain to the Polish supervisory authority at any time.

1. Controller and contact

Controller: Grasperly Sp. z o.o., ul. Tczewska 4a/78, 01-674 Warszawa, Poland. KRS 0001238012. NIP 7152366483.

Privacy contact: privacy@grasperly.com. We have not appointed a Data Protection Officer (DPO) — we do not meet the mandatory thresholds in Article 37 of the GDPR — but the privacy mailbox is monitored by our security and legal team. We aim to respond within five (5) business days and, in any event, within the one-month statutory deadline set by Article 12(3) of the GDPR (extendable by two further months for complex or numerous requests under the same provision).

Supervisory authority: the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa, www.uodo.gov.pl. You have the right to lodge a complaint there at any time concerning the processing of your personal data, particularly if you believe the processing infringes the GDPR.

2. What personal data we collect

We collect only what we need for the purpose for which we are processing.

Website visitors (grasperly.com). Page-view counts, language preference, referrer URL, country at country level only, browser family. Collected through Plausible cookieless analytics. No IP addresses are stored. No persistent user identifier is created. No cross-site tracking.

Prospects and customer-contact persons. Name, business email, business phone, employer name, role, content of inquiries and demo requests, and the meeting notes our sales team writes about a conversation. Source (Article 14(2)(f) GDPR): data is collected directly from you when you submit a form, write to us, or speak with us at an event. We do not enrich prospect records from third-party data brokers or scrape public profiles to build them.

Authorised Users of the Platform (account-management data only). Name, email, role within the customer, authentication factors, login times, IP address used for the most recent login (for security), and a record of permission changes. The contents of what an Authorised User does on the Platform are Customer Data and are not covered by this policy.

Candidates. What you submit in your application (CV, cover letter, work-history details, professional licences), our interview notes, references that you have authorised us to obtain, and the outcome of the recruitment process.

Event attendees. Name, business email, employer, and any dietary or accessibility information you provide for an event.

Security telemetry. For security purposes we log access events and the IP address from which they originate. Where strictly necessary we may collect a limited browser fingerprint to detect account-takeover attempts. None of this is used for advertising or sold to anyone.

3. Purposes and legal bases

We process personal data only where we have a lawful basis under Article 6 of the GDPR. The table below maps purposes to bases. Where we rely on legitimate interests under Article 6(1)(f) we state the specific interest pursued.

Operating grasperly.com and counting page views. Legitimate interest (Article 6(1)(f)) — *specific interest: understanding how visitors use our website so that we can run, secure, and improve it.* The processing is privacy-preserving by design — no cookies, no IP storage, no profiles.

Responding to inquiries and demo requests. Steps prior to entering a contract at the request of the data subject (Article 6(1)(b)) and legitimate interest (Article 6(1)(f)) — *specific interest: running a B2B sales pipeline and providing a professional response to commercial inquiries.*

Account administration for Authorised Users. Performance of a contract with our customer to whom you belong (Article 6(1)(b)) and compliance with our legal obligations to keep records of access (Article 6(1)(c)).

Recruitment. Steps prior to entering an employment relationship at the request of the data subject (Article 6(1)(b)) and legitimate interest (Article 6(1)(f)) — *specific interest: identifying suitable candidates for open roles.* Retention of candidate data beyond the current recruitment process for the purpose of considering future opportunities is based on the candidate's explicit consent (Article 6(1)(a)) — consistent with Article 22¹ of the Polish Labour Code — which is requested separately and may be withdrawn at any time.

Event management. Performance of an event-attendance contract (Article 6(1)(b)) and legitimate interest (Article 6(1)(f)) — *specific interest: ensuring event safety, accessibility, and quality.*

Security and fraud prevention. Legitimate interest (Article 6(1)(f)) — *specific interest: protecting the Platform, our customers, and Grasperly from unauthorised access, account takeover, abuse, and other security incidents.*

Compliance with law. Tax, accounting, anti-money-laundering, sanctions screening, and other obligations imposed on us by Polish, EU, or applicable foreign law (Article 6(1)(c)).

Defence of legal claims. Legitimate interest (Article 6(1)(f)) — *specific interest: establishing, exercising, and defending legal claims by or against Grasperly.*

4. Retention

We do not keep personal data longer than necessary. Specific retention periods are:

  • Plausible analytics: aggregated counts only; no per-visitor record retained.
  • Inquiry and demo data: twenty-four (24) months from last meaningful contact, then deleted from active systems and retained only in audit logs for one further year.
  • Customer-contact-person data (active customers): for the duration of the customer relationship, plus six (6) years for tax and statute-of-limitations purposes.
  • Authorised User account data: for the duration of the Authorised User's access, plus thirty (30) days for backup recovery and twelve (12) months for security audit logs.
  • Candidate data (unsuccessful applicants): twelve (12) months from the date of decision, unless you have consented to a longer period for future opportunities.
  • Candidate data (successful applicants): transferred to employee records on hire; that processing is covered by our internal HR notice.
  • Security telemetry: twelve (12) months, except for incidents under investigation, where logs are kept until investigation is closed plus three (3) years for evidentiary purposes.
  • Records required by law: for the period mandated by the applicable law (e.g. five years for VAT documentation under Polish tax law).

5. Recipients and sub-processors

We share personal data only where necessary and only with recipients bound by appropriate confidentiality and data-protection terms.

Service providers. Our processors include the providers listed at grasperly.com/sub-processors, notably AWS (hosting in Frankfurt and Warsaw), Resend (transactional email from Warsaw), and Plausible (cookieless analytics from Tallinn). All are bound by data-processing agreements meeting Article 28 of the GDPR.

Professional advisors. Our lawyers, auditors, tax advisors, and insurers, where they have a legitimate need to know in their professional capacity and are themselves bound by confidentiality.

Authorities. Public authorities to whom we are required to disclose information by law (e.g. tax authorities, the supervisory authority, courts, prosecutors). We disclose the minimum necessary and require a lawful basis from the authority.

Transactions. In a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, personal data may be transferred subject to standard confidentiality protections in the transaction documents and continued application of this policy or one no less protective.

We do not sell personal data. We do not share personal data with advertising networks, data brokers, or any party for the purpose of independent marketing to you.

6. International transfers

Our hosting and core processing happen in the European Union (Frankfurt and Warsaw). We do not transfer personal data outside the European Economic Area in the ordinary course of our website operations.

Where a transfer outside the EEA does occur — for example, when a non-EEA professional advisor reviews a matter, or when a model-provider sub-processor falls back to a non-EU region under an Order Form that permits it — that transfer is made only under one of the safeguards listed in Articles 45–49 of the GDPR: an adequacy decision, the European Commission's Standard Contractual Clauses with appropriate supplementary measures, or, where strictly necessary, one of the derogations in Article 49.

On request to privacy@grasperly.com we will provide a copy of the safeguard in place for any specific transfer.

7. Your rights

You have the rights set out in Articles 15 to 22 of the GDPR. Specifically:

  • Access (Article 15) — obtain confirmation whether we process your personal data and, if so, a copy of that data and the information set out in Article 15(1)–(2).
  • Rectification (Article 16) — correct inaccurate or incomplete data.
  • Erasure (Article 17) — request deletion in the circumstances listed in Article 17(1), subject to the exceptions in Article 17(3).
  • Restriction of processing (Article 18) — restrict processing in the circumstances listed in Article 18(1).
  • Data portability (Article 20) — receive your personal data in a structured, commonly used, machine-readable format, where the processing is based on consent or on a contract and is carried out by automated means.
  • Objection (Article 21) — object at any time, on grounds relating to your particular situation, to processing based on legitimate interest. We will then stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims. You also have an absolute right to object to direct marketing.
  • Automated decisions (Article 22) — not to be subject to a decision based solely on automated processing that produces legal effects on you or similarly significantly affects you, subject to the exceptions in Article 22(2). We do not currently take such decisions about website visitors, prospects, candidates, or Authorised Users.
  • Withdraw consent (Article 7(3)) — where processing is based on consent, withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, email privacy@grasperly.com. We will respond without undue delay and in any event within one (1) month of receipt of the request, in line with Article 12(3). Where the request is complex or numerous we may extend that period by a further two months and we will notify you of the extension within the first month.

We do not charge a fee for handling requests unless they are manifestly unfounded or excessive, in particular because of their repetitive character — in which case we may charge a reasonable fee or refuse to act, in line with Article 12(5).

8. Cookies

We do not use non-essential cookies on grasperly.com. The Platform uses only strictly necessary cookies. Full details are in our Cookie Policy.

9. Children

Grasperly is a B2B product for the legal profession. The Platform and grasperly.com are not directed to children. We do not knowingly collect personal data from children under sixteen (16). If you believe we have done so, please contact privacy@grasperly.com and we will delete the data without undue delay.

10. Security

We implement technical and organisational measures appropriate to the risk in line with Article 32 of the GDPR. We operate to the control framework of ISO/IEC 27001:2022; certification is on the trust roadmap. A summary of the measures, including encryption, access management, network segregation, vulnerability management, secure development, training, incident response, and business-continuity planning, is published on our security page and is contractually committed to in Schedule 3 of the DPA.

If we become aware of a personal-data breach we will notify the Polish supervisory authority and affected data subjects in line with Articles 33 and 34 of the GDPR, and our customers in line with the DPA.

11. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, our service, or the law. Material changes will be summarised at the top of this page for at least thirty (30) days, and we will email affected data subjects where they have a reasonable expectation of notice. Continued use of grasperly.com or the Platform after the effective date of an update constitutes acknowledgement of the updated policy.

12. Language

This policy is published in English and in Polish. The English-language version is the binding text; the Polish-language version is a translation provided for convenience. Where mandatory law applicable to a data subject requires another language to govern, the mandatory provisions of that law prevail.

Grasperly Sp. z o.o. · KRS 0001238012 · NIP 7152366483 · privacy@grasperly.com