10% off when signing up for the newsletter. Sign up now! -> 

www.thesmaks.com 

(effective from: 28.04.2026) 

§1 General Provisions 

1.1 This Privacy Policy sets out the rules for processing personal data, the use of cookies, and other similar technologies in connection with the use of the website www.thesmaks.com ("Website"). 

1.2 The data controller is Healthy Grainy Sp. z o.o., with its registered office in Warsaw (00-013), ul. Jasna 8/20, entered in the register of entrepreneurs of the National Court Register under number 0001051485, NIP: 5273069594, REGON: 526061879, email address: info@thesmaks.com ("Controller"). 

1.3 For matters relating to the processing of personal data, you may contact the Controller at the email address: info@thesmaks.com. 

1.4 The Controller exercises due diligence to ensure the protection of personal data, in particular by applying appropriate technical and organizational measures to ensure the security of processed data, appropriate to the risk of infringement of the rights or freedoms of natural persons and to the nature, scope, context, and purposes of processing. 

1.5 Personal data is processed in accordance with applicable law, in particular: 

a) Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), 

b) the Act of 10 May 2018 on the Protection of Personal Data, 

c) the Act of 18 July 2002 on the Provision of Electronic Services, 

d) the Act of 16 July 2004 - Telecommunications Law, 

e) the Act of 30 May 2014 on Consumer Rights, 

f) the Act of 23 April 1964 - Civil Code. 

1.6 With regard to the use of cookies and similar technologies, the Controller acts in accordance with the provisions referred to in section 1.5 (c)–(d) above, in particular as regards obtaining user consent and the rules on storing and accessing information on the user's end device. 

1.7 This Privacy Policy is informational in nature and constitutes the fulfilment of the Controller's obligations arising from personal data protection regulations. 

§ 2. Scope and Purposes of Personal Data Processing 

2.1 The Controller processes personal data to the extent necessary to achieve purposes related to operating the Website and the online store, in particular: 

a) entering into and performing sales agreements, 

b) handling orders, payments, and delivery, 

c) handling complaints and returns, 

d) contacting the Customer, including responding to inquiries, 

e) maintaining a user account (if applicable). 

2.2 Personal data may be obtained directly from the user as well as from other sources, in particular from marketing partners or from publicly available sources. 

2.3 Personal data is processed on the basis of: 

a) Article 6(1)(b) GDPR – to the extent necessary to conclude and perform an agreement, 

b) Article 6(1)(c) GDPR – to fulfil legal obligations imposed on the Controller, in particular tax and accounting obligations, 

c) Article 6(1)(f) GDPR – within the framework of the Controller's legitimate interest, consisting in particular of: 

- ensuring the proper functioning of the Website, 

- handling inquiries addressed to the Controller, 

- establishing, pursuing, or defending against claims, 

- conducting direct marketing of the Controller's own products and services, d) Article 6(1)(a) GDPR – on the basis of the user's consent, where such consent has been given. 

d) Article 6(1)(a) GDPR – on the basis of the user's consent, where such consent has been given. 

2.4 Depending on the purpose of processing, the Controller may process in particular the following personal data: 

a) first and last name, 

b) delivery address and residential address, 

c) email address, 

d) phone number, 

e) invoicing details (including company name and NIP/tax ID – for businesses), 

f) payment data (processed via payment operators), 

g) data on user activity on the Website, including information stored via cookies or similar technologies. 

2.5 Personal data may also be processed for marketing purposes, including: 

a) conducting direct marketing of the Controller's own products and services (on the basis of legitimate interest – Article 6(1)(f) GDPR), 

b) sending commercial information by electronic means (newsletter) – solely on the basis of the user's prior consent, 

c) conducting analyses and statistics in order to improve services and tailor content to user preferences. 

2.6 Personal data may be used for profiling, consisting of analyzing the user's behavior on the Website, in particular their activity, purchase history, and preferences, in order to: 

a) tailor marketing content and offers to the user's interests, 

b) carry out advertising activities, including behavioral advertising, 

c) optimize the functioning of the Website and increase its usability. 

2.7 The profiling referred to above: 

a) does not produce legal effects concerning the user, nor does it similarly significantly affect them, 

b) is carried out on the basis of the user's consent (with respect to cookies and marketing) or the Controller's legitimate interest. 

2.8 Personal data is not used to make automated decisions that produce legal effects concerning the user or similarly significantly affect them. 

2.9 Where consent has been given, the user has the right to withdraw it at any time, without affecting the lawfulness of processing carried out before its withdrawal. 

2.10 The provision of personal data is voluntary; however, failure to provide it may prevent the conclusion of an agreement or the provision of services by the Controller. 

§ 3. Recipients of Personal Data 

3.1 Personal data may be disclosed to entities cooperating with the Controller solely to the extent necessary to achieve the processing purposes referred to in § 2 above. 

3.2 Recipients of personal data may include in particular: 

a) payment service providers, 

b) logistics and courier service providers, 

c) hosting and IT service providers, 

d) providers of analytical and marketing tools, 

e) providers of newsletter and marketing communication systems, 

f) providers of accounting, legal, and advisory services. 

3.3 Personal data may be disclosed to entities processing data on behalf of the Controller (so-called processors), provided that such entities process the data under an agreement with the Controller and solely in accordance with its instructions. 

3.4 In connection with the Controller's use of tools provided by entities established outside the European Economic Area (EEA), personal data may be transferred to third countries, in particular to the United States. 

3.5 Where data is transferred outside the EEA, the Controller ensures the application of appropriate safeguards required by law, in particular through: 

a) the use of standard contractual clauses approved by the European Commission, 

b) cooperation with entities participating in programs ensuring an adequate level of data protection (e.g. the Data Privacy Framework), 

c) the use of other mechanisms provided for under GDPR. 

3.6 Personal data may also be disclosed to entities authorized to receive them under applicable law, in particular public authorities. 

§ 4. Personal Data Retention Period 

4.1 Personal data is stored for the period necessary to achieve the purposes for which it was collected, in particular: 

a) data related to entering into and performing an agreement – for the duration of the agreement and until the limitation period for claims arising from that agreement has expired, the limitation period being determined by the provisions of the Civil Code, 

b) data processed to fulfil legal obligations (including tax and accounting obligations) – for the period required by law, 

c) data processed on the basis of the Controller's legitimate interest – until an effective objection is raised, 

d) data processed on the basis of consent – until the consent is withdrawn. 

4.2 Personal data processed for marketing purposes may be stored until an objection is raised or consent is withdrawn, depending on the legal basis for processing. 

4.3 Upon expiry of the retention periods, personal data is deleted or anonymized in a manner that prevents identification of the data subject. 

§ 5. Rights of Data Subjects 

5.1 The data subject has the following rights: 

a) the right to access personal data, 

b) the right to rectification (correction) of data, 

c) the right to erasure of data ("the right to be forgotten"), 

d) the right to restriction of processing, 

e) the right to data portability, 

f) the right to object to the processing of personal data, 

g) the right to withdraw consent at any time – to the extent that processing is based on consent. 

5.2 Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal. 

5.3 To exercise their rights, the data subject may contact the Controller via the email address: info@thesmaks.com. 

5.4 The Controller may refuse to exercise certain rights in cases provided for by law, in particular where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of claims. 

5.5 The Controller responds to requests from data subjects without undue delay, and no later than within 1 month of receiving them. 

5.6 The data subject also has the right to lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych). 

§ 6. Cookies and Similar Technologies 

6.1 The Website uses cookies and other similar technologies (e.g. local storage), which serve to ensure the proper functioning of the Website, improve its performance, conduct analyses, and achieve marketing purposes. 

6.2 Cookies are small pieces of text information stored on the user's end device (e.g. computer, tablet, smartphone), which may be read by the Controller's IT system or by third parties. 

6.3 The Website uses the following types of cookies: 

a) necessary cookies – enabling the proper functioning of the Website, including the use of its basic features (e.g. shopping cart handling, login); their use does not require the user's consent, 

b) analytical cookies – enabling the collection of information on how the Website is used (e.g. number of visits, traffic sources), in order to improve it, 

c) marketing cookies – used to display advertising content tailored to the user's interests, including within the framework of behavioral advertising. 

6.4 Analytical and marketing cookies are used solely on the basis of the user's prior consent given via the cookie banner. 

6.5 Consent to the use of cookies may be withdrawn or changed by the user at any time, in particular through the cookie banner settings or the web browser settings. 

6.6 In connection with the use of analytical and marketing tools provided by third parties, data collected via cookies may be transferred to such entities, including outside the European Economic Area (EEA), on the terms set out in § 3. 

6.7 The Controller may use tools enabling analysis of traffic on the Website and the conduct of marketing activities, including tools provided by third parties. 

6.8 The user has the ability to manage cookies through their browser settings, although restricting the use of cookies may affect certain functionalities of the Website.