Questions? Call: 085 06 05 369

Free shipping on orders above £20!

Ordered before 18:00 = shipped today

Privacy Policy

This Privacy Policy explains how we collect, use, share, and protect personal data when you visit or shop on our websites, including graviolashop.co.uk and our localized domains (such as .nl, .de, .fr, .pl, .co.uk, .es, .it).

1. Who we are (Data Controller)
Brand / Trade name: Graviola Shop
Seller (legal entity): VAZ GLOBAL S.L. (Spain)
NIF: B21770789
Registered office: Calle de Fuencarral 147, 5 derecha, 28010 Madrid, Spain
We are established in Spain and operate logistics and order fulfillment activities from the Netherlands (for example, warehousing and shipping).
Contact email: [email protected]
Phone: +31 850 605 369
Privacy contact: Sebastiaan Vaz (Owner). You can contact our privacy contact via [email protected].
If you contact us, we may ask for information needed to verify your identity before handling certain requests (for example, a request to access or delete data).

2. What personal data we collect

Depending on how you interact with us, we may collect:

  • Identity and contact details: name, email address, phone number, billing and delivery address.
  • Order and account data: products purchased, order number, order history, customer notes (if provided), login and account details (if you create an account), and customer support messages.
  • Payment data: payment method and payment status. Payments are processed via payment providers (for example, Mollie and its supported payment methods). We do not store full card numbers ourselves when you pay via a payment provider.
  • Delivery data: shipment details, delivery updates, and tracking information from carriers (for example, PostNL and partner carriers involved in cross-border delivery).
  • Communications data: messages you send to us (for example by email, contact forms, and WhatsApp Business) and related information needed to respond. We may store conversation history for support and operational purposes.
  • Technical and usage data: device information, browser type, operating system, pages viewed, and similar website interaction data. We may process IP address and approximate location derived from IP for security, fraud prevention, and analytics purposes (depending on configuration and consent where required).
  • Cookie and tracking data (where enabled): cookie identifiers, advertising identifiers, campaign attribution data, and related online identifiers used for analytics, performance measurement, and advertising (only where permitted and, where required, after you provide consent).
  • Marketing preferences: newsletter subscription status, opt-in or opt-out status, and related preference records (when applicable).
  • Reviews data: if you leave a review through a third party service (for example Trustpilot), your review content, rating, name or nickname, and order-related details needed to verify the review request may be processed.
  • Fraud and security data: signals and indicators related to potential fraud, abuse, or security incidents (for example risk signals associated with an order, device, account, or payment attempt).

We do not intentionally collect special category data (for example health data). Please do not send sensitive information in free-text fields or messages. We do not request date of birth.

3. Why we use your data (purposes)

We use personal data to:

  • Process and deliver orders: confirm orders, take payment, ship products, provide tracking, handle returns, and answer order-related questions.
  • Provide customer service: respond to messages (including via WhatsApp Business) and resolve issues.
  • Manage your account (if you create one): allow login and show order history.
  • Send service and operational messages: for example order confirmations, delivery updates, and important notices about your purchase.
  • Abandoned checkout reminders: remind you about an incomplete checkout when you provided contact details during checkout, where permitted by law (for example by email and, where applicable, WhatsApp).
  • Marketing communications (where permitted): newsletters, offers, and product updates, using tools such as HubSpot, where permitted by law and based on the appropriate legal basis (see section 4). You can opt out at any time.
  • Analytics and website improvement: understand how visitors use our site and improve the user experience (for example using Google Analytics 4 and user experience tools such as Hotjar or Microsoft Clarity, depending on configuration and your cookie choices where required).
  • Advertising, retargeting, and measurement (where enabled): measure advertising performance, attribute sales, and show relevant offers (for example via Google, Meta, TikTok, Pinterest, and affiliate or attribution partners), where permitted and, where required, after you provide consent.
  • Prevent fraud and protect our business: detect suspicious transactions and protect the security of our websites and customers (for example using Cloudflare, Google reCAPTCHA, and anti-fraud tooling).
  • Meet legal and tax obligations: invoicing, accounting, and compliance duties.

4. Legal bases for processing (why we are allowed to use your data)

Under GDPR (and where applicable UK GDPR), we rely on one or more of these legal bases, depending on the situation:

  • Performance of a contract: to process your order, deliver products, and provide customer service related to your purchase.
  • Legal obligation: to comply with tax, accounting, consumer law, and other legal requirements.
  • Legitimate interests: to secure our websites, prevent fraud, improve our services, manage customer communications, and protect our business (balanced against your rights).
  • Consent: for optional marketing communications where required, and for non-essential cookies and similar technologies where required. You can withdraw consent at any time (see section 10).

Where we send direct marketing based on legitimate interests (where permitted), you can object at any time and we will stop sending such marketing.

5. Automated checks, profiling, and fraud prevention

We may use automated tools to help detect and prevent fraud and abusive activity (for example by assessing risk signals related to an order, device, account activity, or payment attempt). This may result in additional verification steps, a temporary hold, or cancellation of an order in suspicious cases. Where appropriate, such decisions may be subject to human review.

We may also use segmentation for marketing (for example grouping customers based on purchase history or interactions) to send more relevant communications where permitted by law. You can opt out of marketing at any time.

6. Who we share data with

We never sell personal data. We only share data when necessary to operate our business, for example with:

  • Payment providers: to process payments (for example Mollie and payment methods available through Mollie such as PayPal, Klarna, bank transfer, and other supported methods) and, where applicable, banks for manual bank transfers.
  • Shipping and logistics partners: to deliver orders (for example PostNL and partner carriers used for international delivery) and logistics providers involved in warehousing and fulfillment activities in the Netherlands.
  • IT, hosting, and infrastructure providers: to host and maintain our websites and systems (for example, our hosting provider Hetzner with servers located in Frankfurt, Germany), and security and performance providers (for example Cloudflare).
  • Email and marketing tools: to send marketing communications and manage marketing preferences (for example HubSpot). Transactional emails may be sent via our server-based SMTP setup.
  • Analytics and user experience tools: to understand and improve website performance and usability (for example Google Analytics 4, Hotjar, and or Microsoft Clarity, depending on configuration and your cookie choices where required).
  • Advertising and attribution partners: to measure campaigns and, where enabled, run retargeting and affiliate attribution (for example Google, Meta, TikTok, Pinterest, and affiliate networks), where permitted and, where required, after consent.
  • Communication channels: if you contact us via WhatsApp Business, your messages are processed through WhatsApp and related Meta companies according to their terms and privacy policies.
  • Reviews platforms: to collect and display reviews (for example Trustpilot), including sending review invitations where configured.
  • Maps and embedded content: if we embed features like Google Maps, the provider may receive technical data (for example IP address) when the feature loads, depending on your settings and consent where required.
  • Automation tooling: we use automation tools (including n8n) to connect systems and execute workflows (for example routing order or support information). This may involve processing personal data to complete the requested action.
  • Professional advisors: accountants, tax advisors, and legal advisors (when needed).
  • Authorities: if we are legally required to disclose information (for example to comply with tax or law enforcement requests).

Whenever we use service providers (processors), we require appropriate contractual safeguards to protect your data.

7. International transfers

Some service providers may process data outside the European Economic Area (EEA) and the United Kingdom. When this happens, we use appropriate safeguards such as the European Commission’s approved Standard Contractual Clauses (SCCs), adequacy decisions where available, or other lawful transfer mechanisms, where required.

8. How long we keep your data (retention)

We keep personal data only as long as necessary for the purposes described in this Privacy Policy. Retention depends on the type of data and why we need it. For example:

  • Orders, invoices, and accounting records: retained as needed for order management, customer service, and to meet legal and tax obligations. We may need to keep certain records even if you request deletion.
  • Customer accounts: retained while your account remains active. If you request account deletion, we will delete or anonymize personal data where feasible and legally permitted, while keeping required transaction and accounting records.
  • Customer service and communications (including WhatsApp): retained for as long as needed to handle your request and for follow-up, dispute handling, and record keeping.
  • Marketing data: retained until you unsubscribe or otherwise opt out (or withdraw consent where applicable). We may keep minimal records of your opt-out status to ensure we respect it.
  • Analytics, website logs, and security logs: retained as needed for analytics, troubleshooting, fraud prevention, and security monitoring. Where possible, we delete or anonymize data when it is no longer needed for these purposes.

If you ask us to delete your data, we will take reasonable steps to delete or anonymize personal data where possible, but we may need to keep certain data to comply with legal obligations or to establish, exercise, or defend legal claims.

9. Your rights

If GDPR (or where applicable UK GDPR) applies to you, you may have the right to request:

  • Access to your personal data
  • Rectification (correction) of inaccurate data
  • Erasure (deletion) in certain cases
  • Restriction of processing in certain cases
  • Data portability in certain cases
  • Objection to processing in certain cases, including marketing and certain legitimate-interest processing

You can also withdraw consent at any time where we rely on consent (this does not affect processing already carried out).

You can exercise these rights by emailing [email protected]. We aim to respond within one month. If needed, we may request additional information to verify your identity.

10. Complaints

If you believe we have not handled your personal data properly, please contact us first and we will try to resolve it.

You also have the right to lodge a complaint with the Spanish data protection authority (Agencia Española de Protección de Datos, AEPD): https://www.aepd.es/.

If you are located in the United Kingdom, you may also lodge a complaint with the UK Information Commissioner’s Office (ICO): https://ico.org.uk/.

11. Cookies and similar technologies

Our websites may use cookies and similar technologies for:

  • Strictly necessary purposes: core site functionality (for example shopping cart, checkout, security). These do not require consent.
  • Preferences and analytics: to understand how visitors use our site and improve it (consent may be required depending on configuration and local rules).
  • Marketing and advertising: if enabled, these require your consent before being set, where required.

We use a cookie banner to collect cookie choices where required, and non-essential cookies should only be set after you consent. Your cookie choice may be stored in a cookie on your device. If you clear cookies in your browser, you may be asked to choose again.

You can manage your cookie choices via our cookie banner and, where available, cookie settings on the website. You can also change your browser settings to block cookies, but some site functions may stop working properly.

For more detailed information about the cookies and similar technologies we use (including categories, purposes, and how to change your settings), please refer to our Cookie Policy: https://graviolashop.co.uk/cookie-policy.

12. Security

We use appropriate technical and organizational measures to protect personal data (for example access controls, encryption in transit where applicable, and internal policies). No method of transmission or storage is 100% secure, but we work to protect your information and reduce risk.

13. Children

Our websites and products are not intended for children. If you believe a child has provided us personal data, please contact us so we can address it.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The most recent version will always be published on this page with the updated “Last updated” date.

If you have questions about this Privacy Policy, please contact us.