Privacy Notice - Overview
GRYT takes your privacy very seriously. This privacy notice describes how and why we, as data controller, obtain, store and process personal data. Personal data is information relating to you that enables us to identify you, for example, your name, email address, payment details and information about your access to this website.
We will process your personal data fairly, lawfully and transparently. This privacy notice describes the personal data we are collecting about you and how it is used. We will only collect and use your personal data for the following purposes, to:
- fulfill your order(s)
- give you a better shopping experience
- keep you up to date with the latest offers and educational material
- improve our services
- make our marketing more relevant to you and your interests
- meet our legal responsibilities
We may update this notice from time to time and we will notify you of any changes.
Please do not hesitate to contact us if you have questions in addition to the information provided in this notice – firstname.lastname@example.org
Your Rights & Our Commitment to You
You have several rights under the data privacy legislation and GRYT is committed to you being able to freely exercise your Rights. This includes, under certain circumstances, the right to:
Be informed: you have the right to be informed if and how your personal data is being processed.
Access, rectification or erasure: you have the right of access to personal data we hold about you in our records. You are also entitled to have your personal data corrected if it is inaccurate, or to have it erased if we do not have a legitimate reason for retaining your data.
To request data portability: for personal data which you have provided to a controller, where processing was based on your consent, or where processing is done by automated means, you have the right to obtain a digital copy of your personal data, request the transfer of your personal data to another company or request to move your data from one IT system to another in a safe and secure way.
To request restriction of processing: you have the right to restrict the processing of your personal data where you are contesting the accuracy of that information, you have objected to processing (as described below), or where the processing is unlawful. Where processing is restricted, we are may need to retain sufficient information about you to ensure that the restriction is respected in future.
To object to automated decision-making including profiling: you have the right not to be the subject of any automated decision-making or profiling by us.
To withdraw consent: in cases where we are relying on your consent for the processing of your personal data, you have the right to withdraw your consent at any time. In respect of the e-marketing we conduct, an unsubscribe (withdraw consent) option is included with every e-marketing communication we send.
To object to processing: where your personal data is being processed based on the legitimate interests of a data controller or third party, you have the right to object to that processing.
To complain to the relevant supervisory authority: should you have any concerns or complaints regarding the way in which we process your data, please email us directly at email@example.com. You also have the right to make a complaint to the Mayor’s Office of Information Privacy (MOIP) in New York. We would, however, appreciate the chance to deal with your concerns before you approach the MOIP, so please do contact us in the first instance.
Where possible, we have incorporated automated tools on our website that enable you to facilitate your Rights in real-time. Use the Data Access Gateway tool above to access and manage the personal data we hold on you.
The Personal Data We Collect
Personal data means any information about an individual from which that person can be identified. It does not include anonymised data, where the identity and identifying information has been removed.
While our website is designed for a general audience, we will not knowingly collect any data from children under the age of 16 or sell products to children. If you are under the age of 16, you are not permitted to use or submit your data to the website.
Depending on the type and level of engagement you have with us, we may collect the following categories of personal data:
- Name and surname
- Date of birth
- Personal description and gender
- Email address, user ID and GRYT account password
- Social media ID
- Telephone number
- User ID
- Billing information such as credit card and bank account details
- Billing address
- Delivery address
- Your shopping preferences and basket
- Order history
- Saved items
- Contact history – queries or complaints you have made to us
- IP address and device details
- Marketing and communications preferences – this includes information such as: your preferences in receiving marketing from us and our third parties and your communication preferences
How We Collect Your Data
We may collect your personal data in one of the following ways:
- When you visit our website
- When you create an account
- When you purchase products on our website (whether as an account holder or as a guest)
- When you log in to our website via social media.
- When you sign up to our newsletter
- When you participate in a competition or create wish lists
- When you complete a survey
- When you sign up at an event
- When you engage with us on social media
- When you contact us with queries, for example, about a purchase or shipping activities
- When you review our products or services
- When you apply for an employment vacancy
- When you visit any of our premises, which usually have CCTV systems in operation (for security) and these systems may record your image
Data from Third parties
We may also receive personal data about you from various third parties, including:
- Technical Data from third parties, including analytics providers such as Google. Please see further information in the section entitled ‘Marketing preferences, adverts and cookies’ below
- Technical Data from affiliate networks through whom you have accessed our website
- Identity and Contact Data from social media platforms when you log in to our website using such social media platforms
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services
How We Use Your Personal Data
We will only collect and process your personal data where we have a legal basis to do so. As a data controller, the legal basis for our collection and use of your personal data varies depending on the manner and purpose for which we collected it. We will only collect personal data from you when:
- we have your consent to do so, or
- we need your personal data to perform a contract with you. For example, to process a payment from you, fulfill your order or provide customer support connected with an order, or
- Pursuing our legitimate interests in a way that you might reasonably expect to be a part of running our business and that does not significantly impact your interests, rights and freedoms, for example, showing GRYT advertisements to you as you browse the internet.
- we have a legal obligation to collect or disclose personal data from you (e.g. in suspected instances of fraud where we need to give personal data to the police or a government body).
This is why we process your personal data:
- To personalize and assist your use of our website and to generally improve it.
- To offer you special offers, early access to sales and e-marketing information.
- To offer you promotions, products and services that are most likely to interest you.
- To fulfill your order and process purchases that you make by using our website, including retaining your details to allow us to fulfill any contractual obligations, such as contacting you to arrange deliveries, or to facilitate refunds or returns.
- To respond to your queries or complaints on the basis of our contract with you, our legal obligations and our legitimate interests in providing you with the best products, service and experience.
- To protect our business and your account from fraud and other illegal activities and to comply with our contractual or legal obligations to share data with the police or government body.
- With your consent, we will use your personal data to keep you informed by email, web, text, telephone and through our contact centers about products and services including special offers, e-marketing, discounts, vouchers, promotions, events and competitions
- To send you information required by law, like a product recall notice or information relating to your orders.
- To communicate changes to the services we provide you, for example, updates to this privacy notice.
- To administer competitions which you enter at our events, on our website, via social media or otherwise, based on your consent given at the time of entering.
- To develop, test and improve the systems, services and products we provide to you. We’ll do this on the basis of our legitimate business interests.
- To send you review requests (sometimes via our trusted third parties) to help us improve our products, services and website.
- To build a picture of who you are and what you like, we’ll combine data captured by us and third parties, on the basis of our legitimate business interests to help us personalize your experience and decide what to share with you.
- We will only use your personal data for the purposes for which we collected it. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
How we Share Your Data
We sometimes share your personal data with our trusted categories of third parties we use to conduct our business, for example, to enable delivery of your purchases; to handle feedback and complaints; and to help us understand your behavior in order to customize and maximize our products, services, advertising, marketing, competitions and offers to you. To view a full list of the data sub-processors who have access to our data please see the policy List of Sub-Processors in the Privacy Center.
Our trusted categories of third parties include delivery companies and independent contractors, marketing agencies, e-mail marketing service providers who assist our marketing team to run targeted email campaigns, customer survey service providers, advertising partners and agencies, website hosts, cloud service providers, data privacy providers, social media providers, professional services providers, and consumer review providers.
You may be able to access third-party social media before, during or after accessing our website. We use social media buttons and/or plugins on this website, to allow you to connect with your social network in various ways. When you are using your third-party social media account, any personal data we obtain or share with social media service providers is done so in accordance with the practices explained in the third-party social media provider’s terms and privacy notice. Please consult their relevant terms and privacy notices for further information.
As part of our e-marketing methods and on the basis of our legitimate business interests, we use some Google services and some Facebook products in accordance with the practices explained in the Google and Facebook terms and privacy notices. In order to protect your personal data by pseudonymising it, Google and Facebook ensure that a hashing algorithm is applied automatically at the point of sharing personal data with Google and Facebook. Please consult their relevant terms and privacy notices for further information and your options. If we can help you in any way please do not hesitate to contact our data protection officer at firstname.lastname@example.org.
As part of our fraud monitoring, detection and prevention methods and on the basis of our legitimate business interests, we use a third-party fraud monitoring, detection and prevention service provider for all website/online sales. As part of this service, we may share personal data that is required to make identity checks and personal data that we obtain from making identity checks (including data relating to your age, name and location), together with account information, with third party organizations (including law enforcement agencies), involved in fraud prevention and detection and credit risk reduction. Please note that these third parties may retain a record of the information that we provide to them for this purpose.
We may share your personal data with government bodies and law enforcement.
We may also share your personal data with our professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
Marketing preferences, adverts and cookies
Marketing - your preferences
We may send you marketing communications and promotional offers:
- if you have created an account with us or purchased goods from us, or registered for a promotion or event, and you have not opted out of receiving marketing (in accordance with your preferences, as explained below);
- by email if you have signed up for email newsletters;
We may use your personal data (as outlined in the ‘Personal Data We Collect’ section) to form a view on what we think you may like, or what may be of interest to you, and to send you details of products and offers which may be relevant for you.
We will ask you for your preferences in relation to receiving marketing communications by email, post, SMS and other communication channels.
You will always have full control of your marketing preferences. If you do not wish to continue receiving marketing information from us (or any third party, if applicable) at any time:
- you can unsubscribe or ‘opt-out’ by using the unsubscribe button and following the link included in the footer of any marketing email; or
- account holders may withdraw their consent by simply logging in to the Data Access Gateway Tool and editing their contact preferences our Emarsys application directly.
We will process all opt-out requests as soon as possible, but please note that due to the nature of our IT systems and servers it may take a few days for any opt-out request to be implemented.
We use online advertising to keep you aware of what we’re up to and to help you find our products. Like many companies, we may use targeted GRYT banners and ads to you when you use other websites and apps. We do this using a variety of digital marketing networks and ad exchanges, and a range of advertising technologies such as web beacons, pixels, ad tags, cookies, and mobile identifiers, as well as specific services offered by some sites and social networks, such as Facebook’s Custom Audience Service.
Our use of analytics and targeted advertising tools
We use a range of analytics and targeted advertising tools to display relevant website content on our website and online advertisements on other websites and apps to you. We use these tools to deliver relevant content to you in marketing communications (where applicable), and to measure the effectiveness of the advertising provided. For example, we use tools such as Google Analytics to target and improve our marketing campaigns, marketing strategies and website content. Additionally, we use tools such as TikTok for advertising purposes to reach audiences and promote our products. We also use tools provided by other third parties, such as Criteo and Disco Growth Network to perform similar tasks. If you would like any further information about the data collected by these third parties or the way in which the data is used, please contact us on email@example.com.
Links to other websites and third parties
Our website may include links to and from the websites of our partner networks, advertisers and affiliates, or to social media platforms. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to their websites.
Transferring Your Data Outside the EEA
The personal data we collect from you may be transferred to, and stored at, destinations outside the European Economic Area ("EEA") using legally-provided mechanisms to lawfully transfer data across borders. It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfillment of your order, the processing of your payment details and the provision of support services. We will take all steps necessary to ensure that your data is treated securely and in accordance with this privacy notice.
If we share your personal data outside of the European Economic Area, we ensure that there is an appropriate transfer mechanism in place to protect your personal data and comply with our data protection obligations.
Please contact us if you want further information on the countries to which we may transfer personal data and the specific mechanism used by us when transferring your personal data outside the EEA – firstname.lastname@example.org.
Storing and Securing your Data
Storing your data
We need to retain your personal data to satisfy our legal obligations, to deal with complaints and queries, in order to resolve, litigate or defend a dispute and to prevent fraud and abuse.
Having obtained your consent (or other legal basis) to contact you, we will retain your personal data for marketing and analysis purposes until you withdraw your consent. If you choose to withdraw your consent to marketing, we will delete your personal data from our systems, unless we have another legal basis to retain it, which may include performance of our contract with you.
We will not keep your personal data for longer than is necessary and when we no longer need to keep it, we will securely destroy, delete or anonymise it.
Securing your data
The communication between your browser and our website uses a secure encrypted connection wherever your personal data is involved.
We have put in place physical, electronic and managerial security procedures in the storage and disclosure of your personal data to protect it against accidental loss, destruction or damage. Nevertheless, any data transmission over the internet or by any other means can never be fully secure, such is the character of the internet, and provision of personal data by you to us is at your own risk. We take all reasonable measures to protect your personal data by putting appropriate technical and operational security measures in place.
When we disclose your personal data to trusted third parties (for the purposes set out in this notice), we require all third parties to have appropriate technical and operational security measures in place to protect your personal data, and we work with them to ensure that your data protection and privacy rights are respected. Where your personal data is shared with a third party, it must only be used for the purposes for which it was supplied.
In the unfortunate event of a personal data breach, we will notify you and any applicable regulator when we are legally required to do so.
The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (“CCPA”) provides consumers with specific rights regarding their Personal Information. You have the right to request that businesses subject to the CCPA (which may include our Merchants with whom you have a relationship) disclose certain information to you about their collection and use of your Personal Information over the past 12 months. In addition, you have the right to ask such businesses to delete Personal Information collected from you, subject to certain exceptions. If the business sells Personal Information, you have a right to opt-out of that sale. Finally, a business cannot discriminate against you for exercising a CCPA right.
When oﬀering services to its Merchants, GRYT acts as a “service provider” under the CCPA and our receipt and collection of any consumer Personal Information is completed on behalf of our Merchants in order for us to provide the Service. Please direct any requests for access or deletion of your Personal Information under the CCPA to the Member with whom you have a direct relationship.
Consistent with California law, if you choose to exercise your applicable CCPA rights, we won’t charge you diﬀerent prices or provide you a diﬀerent quality of services. If we ever oﬀer a financial incentive or product enhancement that is contingent upon you providing your Personal Information, we will not do so unless the benefits to you are reasonably related to the value of the Personal Information that you provide to us.
Changes to this privacy notice
From time to time we may change this privacy notice. If there are any significant changes we will post updates on our website, applications or let you know by email.
How to contact us
We welcome feedback and are happy to answer any questions you may have about your data.
You can contact us at:
This notice was most recently updated: May 5, 2023