Privacy Policy

Gapli.com Privacy Policy

Preamble

This Privacy Policy sets out the rules for the processing and protection of personal data of Users using the GAPLI Platform available at https://gapli.com.

The document has been prepared in accordance with the provisions of the UK GDPR and the Data Protection Act 2018, as well as relevant international regulations on data protection and e-commerce.

The purpose of this Policy is to ensure transparency and security in the processing of personal data and to inform Users of their rights and the privacy practices applied by GAPLI GLOBAL LTD.

1. Data Controller

The controller of personal data of the Users of the GAPLI Platform is GAPLI GLOBAL LTD, registered office: 590 Kingston Road, London, England, SW20 8DN, registered with Companies House under number 16429382.
For matters related to personal data protection, please contact: privacy@gapli.com.

2. Scope of Application

This Privacy Policy sets out the rules for the processing of personal data in connection with the use of the GAPLI Platform available at https://gapli.com.
It applies to all users of the platform, including:

• Merchants/Operators running online stores and sales,
• Suppliers/Wholesalers providing products within the GAPLI system,
• End Customers purchasing products through the Platform.

The Policy applies to the use of GAPLI’s services via the admin panel, marketplace integrations, and all other functionalities made available within the SaaS system.

3. Categories of Processed Data

When using the GAPLI Platform, the following categories of personal data may be processed:

• Identification data – first name, last name, company name, tax identification number (VAT/NIP) or other legally required identification data.
• Contact data – e-mail address, phone number, correspondence or delivery address.
• Transactional data – information about orders, payments, complaints, returns, and the balance of the virtual wallet (e-Wallet).
• Technical data – IP address, system logs, device identifiers, cookies and similar tracking technologies.
• Marketing and analytics data – user preferences, history of activity on the platform, responses to marketing campaigns, where consent has been given.

4. Purposes and Legal Bases of Processing

Personal data of Users are processed by GAPLI for the following purposes and on the following legal bases:

• Performance of a contract and provision of services – creating and managing accounts, processing orders, payments, returns, complaints, and customer support (Art. 6(1)(b) UK GDPR).
• Compliance with legal obligations – in particular those arising from tax, accounting, and anti-money laundering (AML) regulations (Art. 6(1)(c) UK GDPR).
• Legitimate interests of GAPLI – ensuring system security, preventing misuse, compiling statistics, service development, and pursuing claims (Art. 6(1)(f) UK GDPR).
• Marketing and communication – sending commercial information, newsletters, and promotional offers, where the User has given consent (Art. 6(1)(a) UK GDPR).

5. Data Sharing

Users’ personal data may be shared only to the extent necessary to achieve the purposes set out in this Privacy Policy. GAPLI may share data with:

• Payment service providers (PSPs) – in particular Stripe or other entities handling electronic payments.
• Suppliers and wholesalers – to the extent necessary to process orders, deliveries, and returns.
• Subcontractors and technology partners – providing IT support, hosting, data security, and system maintenance.
• Accounting, tax, and legal service providers – where required to comply with legal obligations.
• Public authorities or judicial bodies – where required by applicable law.

Transfers of data outside the European Economic Area (EEA) or the United Kingdom may only take place on the basis of an adequacy decision, Standard Contractual Clauses (SCCs), or the UK International Data Transfer Agreement (IDTA).

6. Data Retention Period

Personal data is stored by GAPLI only for as long as necessary to fulfil the purposes for which it was collected, taking into account applicable legal obligations.

• User account data – retained for the duration of the contract and up to 6 years after its termination (tax and accounting requirements).
• Transactional data (orders, payments, complaints, returns) – for the period required by tax and accounting regulations (typically 6 years).
• Marketing data – until the User withdraws consent.
• Technical data and cookies – in accordance with the retention periods specified in the Cookie Policy or until deleted by the User.

After the retention periods expire, the data will be deleted or anonymised.

7. Data Subject Rights

Every User is entitled to the rights under the UK GDPR and applicable data protection laws. In particular, the User has the right to:

• Access data – to obtain information on whether and what data is being processed.
• Rectification – to correct inaccurate or outdated data.
• Erasure (“right to be forgotten”) – where the data is no longer necessary for the purposes for which it was collected, or the User has withdrawn consent.
• Restriction of processing – in cases provided for by law.
• Data portability – to receive their data in a structured format and transfer it to another controller.
• Object to processing – in particular to data processing for marketing purposes.
• Withdraw consent – at any time, without affecting the lawfulness of processing carried out before withdrawal.

The User also has the right to lodge a complaint with a supervisory authority:

• in the United Kingdom – the Information Commissioner’s Office (ICO),
• in an EU Member State – the competent local data protection authority.

8. Data Security

GAPLI applies appropriate technical and organisational measures to ensure the security of personal data, in accordance with the requirements of the UK GDPR and the Data Protection Act 2018.

In particular:

• data transmission is secured using SSL/TLS protocol,
• payments are processed in compliance with PCI DSS standards,
• access monitoring systems, firewalls, and anti-intrusion mechanisms are implemented,
• access to personal data is restricted to authorised persons and cooperating entities bound by confidentiality obligations,
• regular backups and system security tests are carried out.

In the event of a personal data breach, GAPLI will take necessary remedial actions and – where required – notify the competent supervisory authority and affected data subjects within 72 hours of becoming aware of the breach.

9. Cookies

The GAPLI Platform uses cookies and similar technologies (e.g. local storage, tracking pixels) to ensure the proper functioning of the service and to improve the quality of the User experience.

Cookies are used in particular to:

• maintain user sessions and support login to the admin panel,
• remember User preferences and settings,
• analyse traffic and visit statistics (e.g. Google Analytics),
• personalise content and marketing activities,
• ensure security and detect misuse.

The User may change cookie settings at any time in their web browser. However, restricting cookies may affect the functionality of the GAPLI Platform and some of its services.

Detailed information on the types of cookies is available in the Cookie Policy published on https://gapli.com.

10. Changes to the Policy

GAPLI reserves the right to amend this Privacy Policy in the event of:

• changes in applicable laws,
• decisions or guidelines issued by supervisory authorities,
• introduction of new functionalities or services on the Platform,
• the need to clarify or correct the wording of the Policy.

Any changes will be published on https://gapli.com and may also be additionally communicated to Users via e-mail or through the admin panel.

Amendments shall take effect no earlier than 15 days from the date of publication, unless required otherwise by law or where the changes relate to functionalities beneficial to the User.