Regulation (EU) 2023/988 — General Product Safety Regulation (GPSR)

Privacy Policy

Last updated: 27 May 2026 (v2026-05-27)

1. Data Controller

This Privacy Policy is provided pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR) to inform you about the processing of your personal data when you interact with eugpsr.eu. The data controller for the processing of personal data on eugpsr.eu, in accordance with Article 4(7) of Regulation (EU) 2016/679 (GDPR), is:

  • Legal entity: HT HOUSEBOATS SP. Z O.O.
  • KRS: 0000769170 (Sąd Rejonowy w Koszalinie, IX Wydział Gospodarczy Krajowego Rejestru Sądowego)
  • NIP: PL4990676720
  • REGON: 382447966
  • Share capital (Kapitał zakładowy): 5,000 PLN, fully paid
  • Registered seat: ul. 6 Marca 2, 76-032 Mielno, Poland (European Union)
  • Trading as: EU GPSR / eugpsr.eu
  • Email: contact@eugpsr.eu

For any questions regarding data protection or to exercise your rights under GDPR (access, rectification, erasure, restriction, portability, objection), please contact us via the email address above. The supervisory authority for data protection in Poland is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych — UODO), uodo.gov.pl.

2. Data Collected

We collect and process the following categories of personal data:

  • Business information: company name, business registration number, country of registration, business address
  • Contact details: email address, name of contact person, phone number (if provided)
  • Product information: product descriptions, categories, technical documentation, test reports, and certificates
  • Payment data: transaction references processed through PayPal (we do not store credit card numbers or full payment details)
  • Website usage data: anonymized analytics data collected via Google Analytics 4 (see our Cookie Policy for details)

We do not collect any special categories of personal data (sensitive data) as defined in Article 9 of the GDPR.

Automated decision-making and profiling: We do not engage in automated decision-making, including profiling, that produces legal or similarly significant effects concerning you (Article 22 GDPR).

Data Protection Officer: The Controller has not appointed a Data Protection Officer because the criteria of Article 37(1) GDPR are not met. For all data-protection matters please contact: contact@eugpsr.eu.

Consent / contract-formation audit log: At the moment of payment, we record a consent record containing the consent checkbox states, terms version, page URL, ISO timestamp, your IP address, your User-Agent string, and your country (as determined by Cloudflare's CF-IPCountry header). This record is stored in a Cloudflare Workers KV namespace ("CONSENT_LOG") and is used as evidence of contract formation for the purpose of defending against payment-platform disputes (e.g. PayPal Buyer Protection) and for compliance with the burden-of-proof obligation under Article 6(8) of Directive 2011/83/EU. Legal basis: Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR (legitimate interest in dispute defense). Retention: 10 years (aligned with Polish accounting law and contract-claim limitation period). Processor: Cloudflare Inc. (United States) — transfers rely on EU-US Data Privacy Framework certification and Standard Contractual Clauses.

3. Purpose

Your personal data is processed for the following purposes:

  • Service delivery: to provide EU Authorized Representative services, including registration, documentation storage, and authority communications
  • Authority communication: to communicate with EU market surveillance authorities on your behalf as required by Regulation (EU) 2023/988
  • Documentation: to store and maintain technical documentation as required by GPSR
  • Payment processing: to process annual service fee payments and issue invoices
  • Service communication: to send you service-related notifications, updates about regulatory changes, and annual renewal reminders
  • Website improvement: to analyze anonymized website usage statistics to improve our services and user experience

4. Legal Basis

We process your personal data on the following legal grounds under the GDPR:

  • Performance of a contract (Article 6(1)(b) GDPR) — processing is necessary to provide the EU Authorized Representative service you have contracted
  • Legitimate interest (Article 6(1)(f) GDPR) — processing is necessary for our legitimate business interests, including service improvement, fraud prevention, and website analytics, provided these interests are not overridden by your rights
  • Legal obligation (Article 6(1)(c) GDPR) — processing may be required to comply with EU or national regulatory obligations, including cooperation with market surveillance authorities
  • Consent (Article 6(1)(a) GDPR) — for non-essential cookies and marketing communications, processing is based on your consent. You have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal (Article 7(3) GDPR). To withdraw, contact contact@eugpsr.eu.

International transfers: Some processors (Google LLC and Cloudflare Inc.) are located in the United States. Transfers rely on (a) the EU-US Data Privacy Framework where the recipient is certified, and (b) Standard Contractual Clauses (Module 2 — Controller to Processor) approved by the European Commission. A copy of the SCCs is available on request.

5. Data Retention

We retain your personal data for the following periods:

  • Active service period: all data is retained for the duration of the service agreement
  • Post-termination: data is retained for 10 years after the end of the service agreement, as required for regulatory compliance under GPSR and to respond to potential authority inquiries about products previously placed on the EU market
  • Financial records: invoices and payment records are retained for the period required by Polish tax law (currently 5 years from the end of the tax year)
  • Analytics data: Google Analytics data is retained for 14 months

After the applicable retention period, your data will be securely deleted or anonymized.

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Article 15) — you can request a copy of all personal data we hold about you
  • Right to rectification (Article 16) — you can request correction of inaccurate or incomplete data
  • Right to erasure (Article 17) — you can request deletion of your data, subject to legal retention obligations
  • Right to restrict processing (Article 18) — you can request that we limit the processing of your data
  • Right to data portability (Article 20) — you can request your data in a structured, machine-readable format
  • Right to object (Article 21) — you can object to processing based on legitimate interest

To exercise any of these rights, please contact us at contact@eugpsr.eu. We will respond to your request within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority, in particular the Polish data protection authority (UODO — Urzad Ochrony Danych Osobowych).

7. Third Parties

We may share your personal data with the following third parties, only to the extent necessary for the stated purposes:

  • Google Analytics (Google LLC) — anonymized website usage statistics via Google Analytics 4 (GA4). Google processes data as a data processor on our behalf. No personally identifiable information is shared. Google's privacy policy: policies.google.com/privacy
  • PayPal (PayPal (Europe) S.a r.l. et Cie, S.C.A.) — secure payment processing. PayPal processes payment data as an independent data controller. PayPal's privacy policy: paypal.com/privacy
  • Cloudflare, Inc. — website hosting, CDN, and security services. Cloudflare processes data as a data processor. Cloudflare's privacy policy: cloudflare.com/privacypolicy
  • EU market surveillance authorities — we are legally required to cooperate with EU and national market surveillance authorities under GPSR. Product and manufacturer data may be disclosed upon lawful request from these authorities

We do not sell your personal data to any third party. We do not transfer data outside the EU/EEA except where adequate safeguards are in place (e.g., Standard Contractual Clauses for US-based processors such as Google and Cloudflare).

Service Provider / Data Controller: HT HOUSEBOATS SP. Z O.O., KRS 0000769170, NIP PL4990676720, REGON 382447966, kapitał zakładowy 5,000 PLN, registered seat: ul. 6 Marca 2, 76-032 Mielno, Poland (EU). Trading as EU GPSR / eugpsr.eu. Sąd Rejonowy w Koszalinie, IX Wydział Gospodarczy KRS. Contact: contact@eugpsr.eu