Privacy Policy
In accordance with Regulation (EU) 2016/679 (GDPR) and applicable data protection laws. Effective from January 1, 2026.
Article 1 – Data Controller
The data controller is:
Ondrej Kališ
Jablonové 900, 900 54 Jablonové, Slovakia
Reg. No.: 52175740
Phone: +421 903 416 803
Article 2 – Scope of Processed Data
When using our services, we process the following categories of personal data:
2.1 Identification Data
- Name and surname
- Company name and registration number (for business customers)
2.2 Contact Data
- Email address
- Phone number
- Delivery address
- Billing address
2.3 Transaction Data
- Order history
- Payment information (processed via Shopify Payments – we do not store card details)
2.4 Technical Data
- IP address
- Browser and device information
- Cookies (see separate Cookie Policy)
Article 3 – Processing Purposes
We process your personal data for the following purposes:
| Purpose | Legal Basis | Retention Period |
|---|---|---|
| Order processing and fulfillment | Contract performance (Art. 6(1)(b) GDPR) | Duration of contractual relationship |
| Accounting and tax obligations | Legal obligation (Art. 6(1)(c) GDPR) | 10 years from end of accounting period |
| Order communication | Contract performance (Art. 6(1)(b) GDPR) | Duration of contractual relationship |
| Handling claims and complaints | Contract performance, legal obligation | 4 years from claim submission |
| Marketing and newsletter | Consent (Art. 6(1)(a) GDPR) | Until consent is withdrawn |
| Service improvement | Legitimate interest (Art. 6(1)(f) GDPR) | 3 years |
Article 4 – Data Recipients
Your personal data may be disclosed to the following categories of recipients:
- Shipping companies – for order delivery
- Payment service providers – Shopify Payments (payment processing)
- IT service providers – Shopify (e-shop platform operator)
- Accounting and legal services – fulfillment of legal obligations
- Public authorities – in cases required by law
We have data processing agreements in place with all processors.
Article 5 – International Data Transfers
Our e-shop platform Shopify may process data in countries outside the EU (USA, Canada). Shopify is certified under the EU-US Data Privacy Framework and provides adequate safeguards for personal data protection.
Article 6 – Data Subject Rights
In connection with the processing of your personal data, you have the following rights:
6.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation whether your personal data is being processed, and if so, to access that data.
6.2 Right to Rectification (Art. 16 GDPR)
You have the right to have inaccurate personal data corrected and incomplete data completed.
6.3 Right to Erasure (Art. 17 GDPR)
You have the right to have your personal data erased when the purpose of processing has been fulfilled or when you withdraw consent. This right does not apply when processing is necessary for compliance with a legal obligation.
6.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of processing in cases specified by GDPR.
6.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used and machine-readable format.
6.6 Right to Object (Art. 21 GDPR)
You have the right to object to processing based on legitimate interest, including profiling and direct marketing.
6.7 Right to Withdraw Consent
If processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before its withdrawal.
6.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. For EU residents, you can contact your local data protection authority.
Article 7 – Exercising Your Rights
You can exercise your rights:
- Email: info@gridgarden.eu
- Phone: +421 903 416 803
- By mail: Ondrej Kališ, Jablonové 900, 900 54 Jablonové
We will respond to your request within 30 days.
Article 8 – Data Security
We have implemented appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction or misuse:
- SSL encryption of all communications
- Secure payment gateway (Shopify Payments – PCI DSS certified)
- Regular security system updates
- Restricted access to personal data
Article 9 – Automated Emails
When you use our 3D configurator or e-shop, we may send you automated emails based on your actions and the consent you have given:
9.1 Configuration Restore Emails
When you save your raised bed design and provide your email, we send you a link to restore your configuration. We may also send up to 2 follow-up reminders (after 24 hours and 7 days) if you haven't completed your order.
Legal basis: Consent (Art. 6(1)(a) GDPR). Retention: Until consent is withdrawn.
9.2 Abandoned Checkout Reminders
If you begin a checkout but do not complete it, we may send you one reminder email with a link to complete your order.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Retention: 3 years.
9.3 Newsletter
If you subscribe to our newsletter (via footer form, configurator popup, or checkout), we send you periodic updates about gardening tips, products, and promotions. Newsletter is sent at most once per week.
Legal basis: Consent (Art. 6(1)(a) GDPR). Retention: Until consent is withdrawn.
Every email contains an unsubscribe link. You can also unsubscribe by contacting us at info@gridgarden.eu. Unsubscription takes effect immediately.
Article 10 – Data Deletion
You can request deletion of your personal data at any time:
- By email: info@gridgarden.eu
- For configurator data: use the "Delete my data" link in any configuration email
Please note that we may retain certain data where required by law (e.g., accounting records for 10 years, claims records for 4 years). In such cases, the data will be restricted to the legally required purpose only.
We will process your deletion request within 30 days and confirm the action by email.
Article 11 – Retention Periods Summary
The following maximum retention periods apply to your personal data:
| Purpose | Retention Period |
|---|---|
| Configurator designs & email captures | Until consent is withdrawn (no fixed limit) |
| Abandoned checkout data | 3 years from checkout date |
| Newsletter subscription | Until unsubscribed (no fixed limit) |
| Order & customer data | Duration of contractual relationship + 4 years |
| Accounting & tax records | 10 years from end of accounting period |
| Analytics & technical data | 3 years |
Article 12 – Final Provisions
This Privacy Policy is effective from January 1, 2026 and was last updated on April 3, 2026. We reserve the right to update it. We will inform you of significant changes.